Three security habits could prevent 85% of hacks: Defence minister

The severity of cyber-security incidents investigated by Department of Defence-backed security teams has increase dramatically over the past year, Defence Minister Stephen Smith said while launching an education campaign he hopes will encourage organisations to adopt three effective anti-security habits.

In a speech to the Defence Signals Directorate (DSD) Cyber Security Conference today, Smith – providing an update on the DSD's Cyber Security Operations Centre (CSOC) – said the team had escalated 470 of the 1250 cyber incidents reported to it in the period through the end of September.

By contrast, the team escalated just 310 of the 1260 incidents identified last year – and there are still three more months to go before 2012's figures are finalised.

Noting ongoing collaboration with US and UK security authorities – under the auspices of the 2009 and 2011 Australia United States Australia Ministerial Consultations (AUSMIN), and the 2011 Australia United Kingdom Ministerial Consultations (AUKMIN) – Smith said cyber security had become "a global challenge, which we can only combat by working together...a cyber attack could in certain circumstances trigger the consultation mechanisms of the [AUSMIN] Alliance."

The growing financial impact of security compromises had heightened the importance of effective countermeasures, Smith added, noting Symantec figures that had put the cost to Australia from cyber crime at $4.5 billion – more than the cost of burglary and assault combined.

"This issue is one that impacts adversely upon our economic interests and national well-being, not just our national security interests," he continued. "The dangers come not just from nation states, but also from non-state actors….More than 65% of intrusions observed by CSOC are economically motivated."

Aiming to transform CSOC's experiences in its first three years into actionable education, Smith launched an educational video – called Catch, Patch, Match – "to draw attention to the need to prevent cyber intrusions."

"The [CSOC] team escalated 470 of the 1250 cyber incidents reported through the end of September. By contrast, the team escalated just 310 of the 1260 incidents identified last year – and there are still three more months to go before 2012's figures are finalised.

"The cyber-threat has now reached an unprecedented level," the video's voiceover warns. Government and industry are being threatened on a daily basis – and the effects can be catastrophic."

The three instructions refer to:

• Catch malware by application whitelisting
• Patch software and operating systems; and
• Match administrator rights to the right people.

There's no telling if it will have the same impact as the Cancer Council's iconic 'Slip, Slop, Slap' sun-protection campaign, but Smith believes the campaign and the "sensible precautions" it promotes, will increase awareness of the need for government and private-sector organisations to be more proactive about their security approaches.

Drawing on CSOC's experiences, Smith cited estimates that 85% of the security attacks to which the organisation had responded, could have been avoided if organisations adopted just four of the 35 security strategies it outlined in early 2010.

These include:

1. Application whitelisting to ensure that only software that is specified and authorised can run on a system;
2. Patching third party applications;
3. Patching operating systems; and
4. Restricting administrative privileges.

CSOC is a multi-faceted security response team created in January 2010, and brings together security specialists from the Australian Security Intelligence Organisation (ASIO), Australian Federal Police (AFP), and the Computer Emergency Response Team Australia (CERT Australia)