Computer security is unlikely to get any easier during 2013.
From outright human stupidity to ransomware and social engineering attacks, to full-scale cyber warfare instigated by state-sponsored belligerents, the outlook is one of more, not fewer, security threats to data and computer systems the world over.
So how do you find the right information to help protect your company in 2013?
National defence strength
While it is a question that has many answers – many a PhD thesis and multibillion-dollar business model rely on them – most security commentators agree that the Australian Government's Defence Signals Directorate's (DSD) Top 35 Mitigation Strategies is a good start.
"This document provides a wide range of technical recommendations, based on DSD's experience of assisting organisations that have been compromised. In particular, the top four strategies are considered to be key in addressing many of the cyber threats that are faced by Australian enterprises, and in our work we often see the absence of these as a root cause behind compromises," said BAE Systems Detica Australasian region director Peter Lilley.
Of the DSD's 35 suggested mitigation strategies, the document claims that the first four alone could prevent up to 85 per cent of the intrusions the organisation responds to each year. They are:
● "use application whitelisting to help prevent malicious software and other unapproved programs from running"
● "patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers"
● "patch operating system vulnerabilities"
● "minimise the number of users with administrative privileges."
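The first of the four strategies, application whitelisting, is easiest to see in a small worked example. The following Python script is an added illustration written for this article; it is not DSD's code and not a product the DSD document names. It identifies approved executables by SHA-256 content hash and defaults to deny, using constructed stand-in files in a temporary directory, and shows why a hash rule holds up where a path rule would not: when the bytes at an approved path change, the hash no longer matches and the file is denied.

```python
"""Hash-based application allowlisting check (added example, not from DSD)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    """Approved executables identified by content hash, not by path.

    A path-based rule is satisfied by any file placed at an approved path;
    a content hash stops matching as soon as the file's bytes change.
    """

    def __init__(self):
        self._approved = set()

    def approve(self, path):
        """Record the current hash of a known-good file and return it."""
        digest = sha256_of(path)
        self._approved.add(digest)
        return digest

    def decision(self, path):
        """Return 'ALLOW' for a known-good hash, otherwise 'DENY' (default deny)."""
        return "ALLOW" if sha256_of(path) in self._approved else "DENY"


def demo():
    """Exercise the allowlist on constructed files; returns a dict of decisions."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved = root / "payroll.exe"        # constructed stand-in binary
        unapproved = root / "downloaded.exe"   # constructed stand-in binary
        approved.write_bytes(b"MZ approved build 1.0")
        unapproved.write_bytes(b"MZ something a user downloaded")

        allow = Allowlist()
        allow.approve(approved)

        results["approved_binary"] = allow.decision(approved)
        results["unknown_binary"] = allow.decision(unapproved)

        # Same approved path, different bytes: the hash no longer matches.
        approved.write_bytes(b"MZ approved build 1.0" + b" tampered")
        results["modified_at_approved_path"] = allow.decision(approved)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In a real deployment the approved-hash set is populated from a controlled build or packaging process and enforced by the operating system's execution control, not by a script; the point here is only the default-deny, content-identity logic that the DSD strategy relies on.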
DSD's advice was updated in October 2012 and ranks the actions organisations can take in order of effectiveness. It also complements the Australian Government Information Security Manual (ISM), which is essentially the bible for federal government agencies.
Although the ISM can be used as a guide for other industries, each will have its own standards and compliance requirements.
"There are a significant number of good resources out there, but many of them are specific to the industry or activities of an organisation; for example, PCI-DSS (Payment Card Industry Data Security Service) is relevant for companies who process payment cards," Lilley said.
For healthcare practitioners, Australian National University lecturer Tom Worthington points to the computer and information security standards of the Royal Australian College of General Practitioners as one guide.
However, he also notes that the "most important resource you can have is a professional trained in infosec".
"This is not something you can just do from a checklist," he said.
For those banking, financial services and insurance organisations covered by the Australian Prudential Regulation Authority (APRA), the watchdog also has a practice guide for security of information technology and systems.
Many other industries have similar resources and many Australian universities run security-minded courses. Of course most IT vendors have some form of certification for their field whilst also providing routine and ad hoc security advisory notices and software patches.
Other non-profit groups such as the Center for Internet Security provide benchmark documents, metrics and configuration guides.
Make use of CERTs
AusCERT, which is run out of the University of Queensland and was formerly the official national body tasked with acting as Australia's computer emergency response team, also provides regular bulletins, ad hoc training and conferences for security professionals.
A spokesperson for the organisation also pointed to ISO/IEC standard 27001 as one long-standing framework for overarching management and governance for IT systems.
"This standard is pragmatic in that it recognises that most organisations have finite resources for information security, and it links the selection and prioritisation of security controls to actual business risks," BAE's Lilley said. "It also includes the ongoing monitoring and improvement activities which makes the process systemic."
This list is, of course, just a starting point and only a reference. A spokesperson for the new CERT Australia, run by the Attorney-General's department, encouraged businesses to prepare before incidents occur by having operational relationships in place with law enforcement agencies and with CERT Australia itself.
"CERT Australia encourages business to understand what constitutes normal behaviour on its network. By knowing this, a business is more likely to detect unusual behaviour. This includes having a good understanding of the software and devices it uses, as well as a good relationship with the relevant producers, so it can receive important information and updates as they become available."
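The "know what normal looks like" advice above translates directly into detection logic. The script below is an added example written for this article, not code from CERT Australia. It builds a per-host baseline from a constructed set of outbound flow records (which destinations and ports each workstation normally talks to, and how much it normally sends), then checks a later day's records against that baseline and raises an alert for any host contacting a peer it has never contacted before or sending far more than its usual volume. All hostnames, addresses and byte counts are constructed sample data; 203.0.113.10 is from the documentation address range.

```python
"""Baseline-then-deviation detection over constructed flow records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows, one per line: "timestamp src_host dst_ip dst_port bytes_out"
BASELINE_FLOWS = """\
2013-01-07T09:00:01 ws-accounts-01 10.0.0.5 445 120000
2013-01-07T09:05:12 ws-accounts-01 10.0.0.9 443 50000
2013-01-07T09:30:44 ws-accounts-01 10.0.0.5 445 110000
2013-01-08T09:01:03 ws-accounts-01 10.0.0.9 443 60000
2013-01-08T10:15:00 ws-accounts-01 10.0.0.5 445 130000
2013-01-07T09:02:00 ws-sales-03 10.0.0.9 443 40000
2013-01-08T09:04:00 ws-sales-03 10.0.0.9 443 45000
"""

# Constructed records for a later day, checked against the baseline above.
OBSERVED_FLOWS = """\
2013-01-09T09:00:30 ws-accounts-01 10.0.0.5 445 125000
2013-01-09T22:41:07 ws-accounts-01 203.0.113.10 8443 900000
2013-01-09T09:10:00 ws-sales-03 10.0.0.9 443 42000
2013-01-09T09:12:00 ws-sales-03 10.0.0.5 445 30000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def build_baseline(flows):
    """Per source host: the set of (dst, port) peers seen and byte-volume statistics."""
    peers = defaultdict(set)
    volumes = defaultdict(list)
    for f in flows:
        peers[f["src"]].add((f["dst"], f["port"]))
        volumes[f["src"]].append(f["bytes"])
    return {
        host: {"peers": peers[host],
               "mean": mean(volumes[host]),
               "sd": pstdev(volumes[host])}
        for host in peers
    }


def detect_deviations(baseline, flows, z_threshold=3.0):
    """Return (timestamp, host, reason) alerts for flows that depart from the baseline."""
    alerts = []
    for f in flows:
        b = baseline.get(f["src"])
        if b is None:
            alerts.append((f["ts"], f["src"], "host not in baseline"))
            continue
        if (f["dst"], f["port"]) not in b["peers"]:
            alerts.append((f["ts"], f["src"], f"new peer {f['dst']}:{f['port']}"))
        # Guard against a zero standard deviation when a host's volumes never vary.
        sd = b["sd"] or 1.0
        z = (f["bytes"] - b["mean"]) / sd
        if z > z_threshold:
            alerts.append((f["ts"], f["src"],
                           f"outbound volume {f['bytes']} bytes, z={z:.1f}"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    for ts, host, reason in detect_deviations(baseline, parse_flows(OBSERVED_FLOWS)):
        print(f"{ts} {host}: {reason}")
```

On the constructed data the accounts workstation's late-night connection to an unfamiliar external host, carrying many times its usual outbound volume, raises two alerts, and the sales workstation's first-ever connection to the file server raises one; the routine flows raise none. The thresholds and the two-day baseline are deliberately small so the arithmetic can be followed by hand; a production baseline covers weeks and is tuned per asset class.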