An increase in intrusions using techniques that an educated user would not detect has led Australia's signals intelligence unit to place user education as the 28th most effective strategy for mitigating a cyber-intrusion.
The Australian Signals Directorate (ASD) has re-ranked its Strategies to Mitigate Targeted Cyber Intrusions (PDF) document for 2014, with the top four strategies remaining identical to the 2012 version of the document.
In order, the top four strategies remained as: Application whitelisting; updating to the latest version of applications within two days of release; applying operating system patches within two days; and restricting admin privileges based on user duties, recommending that users with administration privileges use a separate unprivileged account for email and web browsing.
Rising up the rankings were strategies for disabling the running of internet-based Java code, untrusted Microsoft Office macros, and undesired web browser and PDF viewer features; use of operating system level features, such as address-space randomisation and Microsoft's free Enhanced Mitigation Experience Toolkit; and behavioural analysis from internet and email filtering, which the agency says should be "run in a sandbox to detect suspicious behaviour, including network traffic, new or modified files, or configuration changes".
Dropping down the list were: user education, down to 28th out of 35 strategies, with ASD citing an increase in intrusions using techniques that an educated user would not detect; signature-based antivirus software, which the ASD said is less effective than heuristic-based antivirus; and multi-factor authentication.
ASD maintains that adopting only the top four strategies will mitigate 85 percent of intrusions, and suggests that organisations start rolling out the top four on the workstations of the users most likely to be targeted, before extending the rollout to all workstations and servers. Once that rollout is completed, it is suggested that organisations cherry-pick additional strategies to implement until "an acceptable level of residual risk is achieved".
The agency creates its list by analysing security incidents from across the Australian government.