CeBIT 2013 - User education not a cyber security starting point: DSD

Should only be used to underpin existing technical controls
Defence Signals Directorate (DSD) assistant secretary cyber security, Joe Franzi

While user education is obviously significant when it comes to cyber security, it should be used to underpin technical controls rather than as a starting point for a security strategy, according to Defence Signals Directorate (DSD) assistant secretary cyber security, Joe Franzi.

Speaking at CeBIT 2013, Franzi said user education should be used to add value to security mitigation once as many security controls as possible have been automated.

"If you look at DSD's top 35 strategies to mitigate against targeted cyber intrusions, in the early days around 2010, we had user education at about number eight," he said.

"As we became more experienced and knowledgeable as to what was happening in the public and private sector, we realised there are other things that were and should be a higher priority; these have much more effectiveness than what we actually thought about user education."

This is because malicious attackers understand how organisations operate in the contemporary cyber environment, so previously innocuous items, such as travel itineraries, are becoming rich ground for attacks.

Franzi claims there are four key questions which organisations must ask in order to strengthen networks and mitigate threats:

  • How much time do you take to ensure your networks are secure?
  • Do you need to educate your staff in terms of risks in the cyber environment?
  • Are you confident you can recover from a critical incident?
  • Are you confident your contractors and service providers have their house in order in terms of protecting your information on their networks?

The catch, patch and match

'Catch, patch, match' is a campaign DSD launched in 2012. It takes the top four priorities from its list of 35 mitigation strategies and reorders them by priority.

'Catch' is about identifying malicious software with an application whitelist. According to Franzi, application whitelisting is the number one priority for businesses and, in terms of effectiveness, provides organisations with a significant threat mitigation component.

The next phase is patching apps and operating systems so they remain up to date, at which point matching is introduced. Matching is concerned with pairing the right authorities and accesses with the right people. Franzi said it is about reducing administrative privileges to a bare minimum and ensuring those particular employees do not use those same accounts to access the Internet.
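The following is an added illustration, not code from the article, DSD or ARN: a toy audit of the three controls just described, run over constructed sample data (the allowlist, version numbers, account names and proxy log format are all assumptions made up for the example).

```python
"""Toy 'catch, patch, match' audit over constructed data (added example, not DSD tooling).
  catch - an execution is allowed only if the binary's SHA-256 is on the allowlist
  patch - an installed app is flagged if it is older than the minimum approved version
  match - an admin account seen in the web proxy log is flagged (privileged accounts
          should not be used to browse the Internet)"""
import hashlib

# --- catch: application allowlist keyed by SHA-256 of the executable (constructed) ---
APPROVED_BINARY = b"constructed bytes standing in for an approved executable"
ALLOWLIST = {hashlib.sha256(APPROVED_BINARY).hexdigest(): "approved.exe"}

def catch_decision(executable_bytes):
    """Default deny: 'ALLOW' only when the hash is on the allowlist, else 'BLOCK'."""
    return "ALLOW" if hashlib.sha256(executable_bytes).hexdigest() in ALLOWLIST else "BLOCK"

# --- patch: installed versions compared with the minimum approved versions ----------
def _ver(s):
    return tuple(int(p) for p in s.split("."))

def unpatched(installed, minimum):
    """Return names of apps whose installed version is older than the required minimum."""
    return sorted(name for name, v in installed.items()
                  if name in minimum and _ver(v) < _ver(minimum[name]))

# --- match: privileged accounts must not appear in the Internet proxy log -----------
def admin_internet_access(proxy_lines, admin_accounts):
    """Parse constructed 'key=value' proxy records; return (ts, user, dst) for admins."""
    hits = []
    for line in proxy_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("user") in admin_accounts:
            hits.append((fields.get("ts"), fields["user"], fields.get("dst")))
    return hits

# Constructed sample data (hypothetical apps, accounts and log lines)
INSTALLED = {"reader": "10.1.4", "browser": "27.0.1", "office": "14.0.7"}
MINIMUM = {"reader": "11.0.3", "browser": "27.0.1"}
ADMINS = {"jsmith-adm", "svc-backup"}
PROXY_LOG = [
    "ts=2013-05-28T09:12:03 user=jsmith dst=www.example.com action=ALLOW",
    "ts=2013-05-28T09:14:51 user=jsmith-adm dst=mail.example.net action=ALLOW",
    "ts=2013-05-28T09:20:10 user=kdoe dst=cdn.example.org action=ALLOW",
]

if __name__ == "__main__":
    print("catch:", catch_decision(APPROVED_BINARY), catch_decision(b"unknown"))
    print("patch:", unpatched(INSTALLED, MINIMUM))
    print("match:", admin_internet_access(PROXY_LOG, ADMINS))
```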


Comments

Bill Caelli

Yes, indeed.
As in the car industry, a 4 cylinder baby car is NOT the same as a top class Mercedes or BMW. All computer systems are NOT the same as is clearly acknowledged by the "Common Criteria" to which Australia subscribes. BUT too often that is what managers think!

So - it is the responsibility of those responsible for purchasing to ensure that the system obtained, e.g. for a critical infrastructure system, database of highly sensitive personal information, etc. is FIT FOR THE PURPOSE. This simply means that a commodity, old "discretionary access control (DAC)" operating system base may NOT be suitable at all and a "mandatory/profile access control system (MAC/FMAC)" should be chosen. Crypto may need to be fully integrated and key management clearly defined. This is really so if a virtual machine / cloud scheme is contemplated.

So - yes - STOP BLAMING THE END-USER. We have known for over 30 years that the underlying security functionality incorporated into the system must first exist and be easy for the user to understand and manage. This is a major consideration for any server system.

In particular, "software quality" must not be confused with basic cybersecurity architecture and associated mechanisms and services. The MULTICS system of over 45 years ago was clearly designed to allow for application failure and, as a B2 system, to even protect users against rogue programs / malware. Today, a new approach is needed and MANDATORY security structures must be specified and implemented in today's server systems.
