Want to be more secure? Don’t be stupid

The best way to defend against most network vulnerabilities is to deal with the simplest attack vectors, according to Australia’s Defence Signals Directorate (DSD). The DSD’s analysis has credibility and clout, because it’s based on analysis of real attacks launched against Australian government networks. And according to its …

COMMENTS

This topic is closed for new posts.
  1. Fred Flintstone Gold badge

    It's not convenience..

    "Attackers, it seems, can be just as interested in convenience as those they attack"

    Not quite. In Australia they are probably behind the curve because there is not much effort involved in getting return on effort. You will only see the "quality" of attacks go up when the easy route in is no longer available. You could call it "convenience", but IMHO the correct word is "efficiency"..

  2. Anonymous Coward
    FAIL

    Security

    Why wheel out the fancy new 0-day when MS06-062 will do just fine?

  3. Anonymous Coward

    I thought Australian digital security...

    ...meant locking yourself in the shed with a Bible and a blow-up kangaroo.

    I'm sure I read that somewhere on Our Glorious Government's website.

    1. Anonymous Coward
      WTF?

      They're serious(ly insane)

      Probably the same website that suggests sleeping with a pet to stay warm while "saving the planet".

      http://www.livinggreener.gov.au/site-information/whats-new/?a=61710

      And PLEASE no jokes about cuddling up with your pet python!

  4. Anonymous Coward
    FAIL

    I keep telling grandma about no.23...

    ...but she insists that 12 months is long enough to keep server logs.

  5. Anonymous Coward

    -why not uninstall acroread and flash

    I got fed up with the weekly Flash and Acrobat updates, and the fact that as soon as an update goes out, the next 0-day exploit goes live. I uninstalled the binaries. Flash you can live without, PDF viewers still handy. But you don't need the full Adobe JavaScript+3D+multimedia thing, that's meant to compete feature for feature with HTML5, but is only ever used by most people for sharing documents that print well.

  6. Kurgan
    Go

    Yes, uninstall the targets, if you can!

    AC has got a point. If you can live without the "most targeted applications" (which maybe also means "the most buggy applications") just uninstall them. And before yelling "I can't live without flash/adobe/office/windows" just think twice. You *REALLY* can't, or you just don't want to try?

    I have tried, and I can. I run Linux, and I suggest that my customers who need Windows run OpenOffice, some other PDF viewer, some other browser, no Flash, no Silverlight, and so on.

    1. Anonymous Coward

      Other PDF Viewer

      Check out the history of vulnerabilities in other PDF viewers. Sure most of them haven't had as many vulnerabilities as Acrobat Reader, but most of them have shared some of the vulnerabilities of Adobe's product. The reason for this presumably being that the format itself is vulnerable.

      And then there's the matter of security by obscurity. A friend of mine used to advocate a particular popular alternative to Acrobat Reader until I showed him how many vulnerabilities that had experienced (about half as many as Adobe over the period we were looking at). Thereafter he changed his allegiance to a less popular alternative which had suffered fewer vulnerabilities. Or had it? Could it be that this reader was so obscure that nobody had actually checked whether the vulnerabilities were exploitable in that application?

      The problem is that it's difficult to do without some sort of PDF reader. Even something that converts PDF documents into another format could suffer some of the vulnerabilities. From a corporate point of view a good IPS will protect against a lot of vulnerabilities. Sure, you can't be complacent just because you have one, but you'd be foolish to think you can do without one.

  7. Bernd Felsche

    Being stupid.

    The underlying problem is that a large proportion of people don't take responsibility for their actions and inactions. Apathy is a "perfect" excuse.

    So when you show people that they've done a stupid thing, they simply shrug their shoulders and say "nobody told me". Even AFTER they were told several times and signed a piece of paper saying that they understood not to do it.

  8. Jerry
    Boffin

    selinux

    personally I use all four of the DSD recommended procedures - except 'whitelisting applications' for which I have no idea what they mean.

    I also run mail but not web countermeasures/cleaning.

    The biggest defence is the right-royal pain in the bum SELinux from NSA (kind of the US equivalent to the DSD only bigger).

    Server-side this is extremely effective but annoying as hell as app after app gets blocked, or even minor config changes break apps. This is 'easily' fixed but tiresome.

    For non-Linux clients, Windows 7 is pretty good at defending itself. It's just the soggyware that causes problems by bypassing the OS - sort of understandable though.

    1. Grease Monkey Silver badge

      Whitelisting

      "personally I use all four of the DSD recommended procedures - except 'whitelisting applications' for which I have no idea what they mean."

      If you don't know what "whitelisting applications" means then there's probably a whole lot else you don't know about security. Whitelisting applications simply means creating a list of known safe applications and not allowing anything to execute that isn't on that list. If you're going to do this then always make sure you're actually checking the file's contents rather than just its name. I knew one organisation that did the latter and users quickly learned they could run other applications by changing the filename to something that was on the whitelist.
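
The name-versus-contents point in the last comment, as an added example that is not part of the thread: it models only the allow/deny decision, not an enforcement mechanism, and the file names and contents are constructed stand-ins. It also shows the cost of checking contents, which is that a legitimate update is refused until the list is refreshed.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash the file's contents in chunks so large binaries are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def allowed_by_name(path, approved_names):
    """Weak check: trusts whatever the file happens to be called."""
    return os.path.basename(path).lower() in approved_names

def allowed_by_hash(path, approved_digests):
    """Content check: the decision follows the bytes, not the label."""
    return sha256_of(path) in approved_digests

def write_file(path, data):
    with open(path, "wb") as handle:
        handle.write(data)
    return path

def demo():
    """Run both checks over constructed stand-in files and return the verdicts."""
    with tempfile.TemporaryDirectory() as workdir:
        os.mkdir(os.path.join(workdir, "downloads"))
        approved = write_file(os.path.join(workdir, "editor.exe"), b"approved build 1.0")
        # An unapproved program saved under a name that is on the list.
        renamed = write_file(os.path.join(workdir, "downloads", "editor.exe"), b"other program")
        approved_names = {"editor.exe"}
        approved_digests = {sha256_of(approved)}
        verdicts = {
            "name_check_renamed": allowed_by_name(renamed, approved_names),
            "hash_check_renamed": allowed_by_hash(renamed, approved_digests),
            "hash_check_approved": allowed_by_hash(approved, approved_digests),
        }
        # Operational cost: a legitimate update changes the bytes, so the
        # list must be refreshed before the new build is allowed to run.
        write_file(approved, b"approved build 1.1")
        verdicts["hash_check_after_update"] = allowed_by_hash(approved, approved_digests)
        return verdicts

if __name__ == "__main__":
    print(demo())
```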
