I came across a couple of interesting websites over the last couple of weeks that I think are worth sharing. The first of these relates to work conducted by the Australian government's Defence Signals Directorate (DSD). Through analysis of the vulnerabilities and exploit attempts reported to them, the DSD has drawn up a set of 35 mitigations that would have helped to prevent exploitation. In fact, just implementing the top 4 strategies would have "prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010". What are these top four strategies?
patching third party applications;
patching operating systems;
minimising administrative privileges; and
application whitelisting.
The first three should simply be good practice. The fourth can be harder to get past the business. In any case, it's nice to see a set of mitigation strategies based on real analysis of intrusions rather than simple reliance on 'best practice'. The DSD documents can be found over at:
http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
Definitely worth a read.
What else has caught my eye? Well, I have no choice but to give a shout-out to the competition. PwC have released their 2012 Global State of Information Security Survey and have provided a nifty way of exploring the underlying data - available over at:
http://www.pwc.com/gx/en/information-security-survey/giss.jhtml
As ever, the GISS is a worthwhile read and the highlights for me relate to the cloud security aspects:
It's tight, but there are now more respondents saying that they use cloud services than there are saying that they do not. The "don't knows" could still tip the balance either way though!
SaaS still holds a hefty lead as the most commonly implemented service model, followed by IaaS and then PaaS.
Of those who have implemented cloud services, over half believe that the move to cloud has improved their security. Less than a quarter believe that the move has weakened their security.
I've been blathering on for a while that a move towards cloud services can have security benefits as well as the more often documented downsides. It's reassuring to see that a majority of those moving towards the cloud believe that the positives actually outweigh the negatives.
Friday, 4 November 2011