Want to be more secure? Don’t be stupid

The best way to defend against most network vulnerabilities is to deal with the simplest attack vectors, according to Australia’s Defence Signals Directorate (DSD). The DSD’s analysis has credibility and clout, because it’s based on analysis of real attacks launched against Australian government networks. And according to its …

COMMENTS

This topic is closed for new posts.
Gold badge

It's not convenience..

"Attackers, it seems, can be just as interested in convenience as those they attack"

Not quite. In Australia they are probably behind the curve because there is not much effort involved in getting return on effort. You will only see the "quality" of attacks go up when the easy route in is no longer available. You could call it "convenience", but IMHO the correct word is "efficiency"..

0
0
FAIL

Security

Why wheel out the fancy new 0-day when MS06-062 will do just fine?

0
0
Anonymous Coward

I thought Australian digital security...

...meant locking yourself in the shed with a Bible and a blow-up kangaroo.

I'm sure I read that somewhere on Our Glorious Government's website.

0
0
WTF?

They're serious(ly insane)

Probably the same website that suggests sleeping with a pet to stay warm while "saving the planet".

http://www.livinggreener.gov.au/site-information/whats-new/?a=61710

And PLEASE no jokes about cuddling up with your pet python!

0
0
Silver badge
FAIL

I keep telling grandma about no.23...

...but she insists that 12 months is long enough to keep server logs.

1
0
Anonymous Coward

-why not uninstall acroread and flash

I got fed up with the weekly Flash and Acrobat updates, and the fact that as soon as an update goes out, the next 0-day exploit goes live. I uninstalled the binaries. Flash you can live without, PDF viewers still handy. But you don't need the full Adobe javascript+3d+multimedia thing, that's meant to compete feature for feature with HTML5, but is only ever used by most people for sharing documents that print well.

0
0
Go

Yes, uninstall the targets, if you can!

AC has got a point. If you can live without the "most targeted applications" (which maybe also means "the most buggy applications") just uninstall them. And before yelling "I can't live without flash/adobe/office/windows" just think twice. You *REALLY* can't, or you just don't want to try?

I have tried, and I can. I run Linux, and I suggest to my customers that need Windows to run OpenOffice, some other PDF viewer, some other browser, no Flash, no Silverlight, and so on.

1
0
Anonymous Coward

Other PDF Viewer

Check out the history of vulnerabilities in other PDF viewers. Sure most of them haven't had as many vulnerabilities as Acrobat Reader, but most of them have shared some of the vulnerabilities of Adobe's product. The reason for this presumably being that the format itself is vulnerable.

And then there's the matter of security by obscurity. A friend of mine used to advocate a particular popular alternative to Acrobat Reader until I showed him how many vulnerabilities that had experienced (about half as many as Adobe over the period we were looking at). Thereafter he changed his allegiance to a less popular alternative which had suffered fewer vulnerabilities. Or had it? Could it be that this reader was so obscure that nobody had actually checked whether the vulnerabilities were exploitable in that application?

The problem is that it's difficult to do without some sort of PDF reader. Even something that converts PDF documents into another format could suffer some of the vulnerabilities. From a corporate point of view a good IPS will protect against a lot of vulnerabilities. Sure, you can't be complacent just because you have one, but you'd be foolish to think you can do without one.

0
0

Being stupid.

The underlying problem is that a large proportion of people don't take responsibility for their actions and inactions. Apathy is a "perfect" excuse.

So when you show people that they've done a stupid thing, they simply shrug their shoulders and say "nobody told me". Even AFTER they were told several times and signed a piece of paper saying that they understood not to do it.

1
0
Boffin

selinux

personally I use all four of the DSD recommended procedures - except 'whitelisting applications' for which I have no idea what they mean.

I also run mail but not web countermeasures/cleaning.

The biggest defence is the right-royal pain in the bum SELinux from NSA (kind of the US equivalent to the DSD only bigger).

Server-side this is extremely effective but annoying as hell as app after app gets blocked, or even minor config changes break apps. This is 'easily' fixed but tiresome.

For non-Linux clients, Windows 7 is pretty good at defending itself. It's just the soggyware that causes problems by bypassing the OS - sort of understandable though.

0
0
Bronze badge

Whitelisting

"personally I use all four of the DSD recommended procedures - except 'whitelisting applications' for which I have no idea what they mean."

If you don't know what "whitelisting applications" means then there's probably a whole lot else you don't know about security. Whitelisting applications simply means creating a list of known safe applications and not allowing anything to execute that isn't on that list. If you're going to do this then always make sure you're actually checking the file's contents rather than just its name. I knew one organisation that did the latter and users quickly learned they could run other applications by changing the filename to something that was on the whitelist.

0
0
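The difference between checking a file's name and checking its contents, raised in the whitelisting comment above, shown as an added example that is not part of the original thread. The file names, the `approved` mapping and the verdict labels are hypothetical, and the "executables" are constructed stand-in files of arbitrary bytes.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path):
    """Hash file contents in chunks so large binaries are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def allowed_by_name(path, approved):
    """Weak check: trusts whatever the file happens to be called."""
    return os.path.basename(path).lower() in approved

def classify(path, approved):
    """approved maps a lowercase file name to the SHA-256 of the vetted build."""
    if sha256_of(path) in approved.values():
        return "allow"  # contents match a vetted build, whatever the name
    if allowed_by_name(path, approved):
        return "deny-name-reuse"  # approved name, other contents: alert on it
    return "deny-unknown"

def demo():
    """Compare both checks on constructed stand-in files (arbitrary bytes)."""
    workdir = tempfile.mkdtemp()
    try:
        samples = {  # relative path -> constructed contents
            "approved/editor.exe": b"constructed vetted build",
            "downloads/editor.exe": b"constructed unvetted program",
            "downloads/game.exe": b"constructed unvetted program",
            "desktop/notes-tool.exe": b"constructed vetted build",
        }
        for rel, data in samples.items():
            full = os.path.join(workdir, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        vetted = os.path.join(workdir, "approved/editor.exe")
        approved = {"editor.exe": sha256_of(vetted)}
        return {rel: (allowed_by_name(os.path.join(workdir, rel), approved),
                      classify(os.path.join(workdir, rel), approved))
                for rel in samples}
    finally:
        shutil.rmtree(workdir)
```

Each result pairs the name-only verdict with the content-based one; a file that passes by name but is classified `deny-name-reuse` is the case worth logging and alerting on.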