Eight years on, half of Australian companies still haven’t implemented ASD’s Top 4 mitigations

Poor patching, upgrading, and privilege control exposing businesses to escalating cybercrime

Application whitelisting has been one of four key recommended protection methods for more than five years, but half of Australian businesses in one recent survey said they still aren’t using the security technique at all.

Whitelisting was part of the Australian Signals Directorate’s Top 4 Strategies to Mitigate Targeted Cyber Intrusions – which also included application patching, operating system patching, and tightening control over administrative privileges – when they were introduced in 2010 and, in 2013, mandated for all government departments.

It has been regularly cited as a baseline target for information-security policy – with claims that the four mitigations can address 85 percent of security vulnerabilities – and was last year expanded into the ‘Essential Eight’, which has since supplanted the Top 4.

Despite the purported authority of the guidelines, however, a poll of executives at Ivanti’s recent ANZ user conference found that 49.2 percent still had not implemented application whitelisting – and that even more had implemented only basic operating-system patching mechanisms.

Fully 13.1 percent of respondents were taking longer than a month to patch extreme-risk operating-system vulnerabilities, while 36.1 percent were equally laggard in patching extreme-risk application vulnerabilities.

“With third-party applications being responsible for such a large proportion of identified vulnerabilities,” Ivanti director of pre-sales Andrew Souter said, “this highlights a real risk and a door organisations are leaving wide open to be exploited.”

Not to be outdone, 24.6 percent of respondents said they had no validation or controls over their administrative privileges – and an additional 34.4 percent had just rudimentary protections.

This last figure was of particular concern, Souter said, because recent analysis of cybersecurity breaches suggests that abuse of compromised credentials was a factor in 77 percent of notified data breaches.

“This highlights a concern,” Souter said, “and a real driver to run a least-privilege model.”

The findings are particularly concerning given a growing body of research that suggests many still just do not understand the importance of even basic security protections.

This comes amid a growing climate of scams and cybersecurity attacks – as evidenced by a recent warning from the Australian Competition & Consumer Commission’s ScamWatch that this year’s losses to remote-access scams are already double the total for all of 2017. And recent

Efforts to raise the tide of cybersecurity defences weren’t helped, either, by findings such as a recent SwitchFast Technologies survey that found 51 percent of small-business leaders believe their business is not a target for cybercriminals.

“Virtually no firm is immune from severe exploits,” security firm Fortinet warned with the recent release of its latest Threat Landscape Report, which found that 96 percent of monitored firms had experienced at least one such exploit.
