‘Top 4’ strategies to mitigate targeted cyber intrusions: mandatory requirement explained

Introduction The Top 4 Strategies to Mitigate Targeted Cyber Intrusions (the Strategies) are the most effective security controls an organisation can implement at this point in time based on the our current visibility of the cyber threat environment. The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate (DSD), assesses that implementing the Top 4 will mitigate at least 85% of the intrusion techniques that the Cyber Security Operations Centre (CSOC) responds to. For this reason, the Attorney‐General\u27s Department has updated the Australian Government Protective Security Policy Framework (PSPF) to require Australian government agencies to implement ICT protective security controls as detailed in the Australian Government Information Security Manual (ISM) to meet ASD\u27s Top 4 Strategies. Document scope This document provides specific implementation information on the Top 4 Strategies, including: information on the scope of and steps to manage the mandatory requirement; and some technical guidance for IT system administrators to planning and implementing the Top 4 Strategies in a typical Windows environment. This document focusses on implementing the Top 4 in a Windows environment, as the majority of government business is currently conducted using Windows operating systems. For agencies seeking implementation advice for systems that use other operating environments, ASD recommends seeking advice from your agency systems integrator or vendor in the first instance. Additionally, ASD recommends conducting research using open source publications, forums and resources available on the operating system and how each of the Top 4 could be implemented. If your agency finds it is not possible or feasible to implement the Top 4 in a non‐windows environment, you should follow appropriate risk‐management practices as outlined in the ISM

Increased security through open source

In this paper we discuss the impact of open source on both the security and transparency of a software system. We focus on the more technical aspects of this issue, combining and extending arguments developed over the years. We stress that our discussion of the problem only applies to software for general purpose computing systems. For embedded systems, where the software usually cannot easily be patched or upgraded, different considerations may apply

A Critical Review of "Automatic Patch Generation Learned from Human-Written Patches": Essay on the Problem Statement and the Evaluation of Automatic Software Repair

At ICSE'2013, there was the first session ever dedicated to automatic program repair. In this session, Kim et al. presented PAR, a novel template-based approach for fixing Java bugs. We strongly disagree with key points of this paper. Our critical review has two goals. First, we aim at explaining why we disagree with Kim and colleagues and why the reasons behind this disagreement are important for research on automatic software repair in general. Second, we aim at contributing to the field with a clarification of the essential ideas behind automatic software repair. In particular we discuss the main evaluation criteria of automatic software repair: understandability, correctness and completeness. We show that depending on how one sets up the repair scenario, the evaluation goals may be contradictory. Eventually, we discuss the nature of fix acceptability and its relation to the notion of software correctness.Comment: ICSE 2014, India (2014

CONTAINER PATCHING AUTOMATION

The present disclosure relates to a method and an automation system for automatically patching a software container. In an embodiment, the present disclosure discloses the aspect of performing pre-validations from Operating System (OS) perspective, and pre-validating cluster/node from Kubernetes perspective and a drain node. Further, the present disclosure discloses patching the node and rebooting the node and performing post-validation from the OS perspective. Additionally, the present disclosure discloses the aspect of post-validating the cluster/node and re-establishing the cluster

Herding Vulnerable Cats: A Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting

Hosting providers play a key role in fighting web compromise, but their ability to prevent abuse is constrained by the security practices of their own customers. {\em Shared} hosting, offers a unique perspective since customers operate under restricted privileges and providers retain more control over configurations. We present the first empirical analysis of the distribution of web security features and software patching practices in shared hosting providers, the influence of providers on these security practices, and their impact on web compromise rates. We construct provider-level features on the global market for shared hosting -- containing 1,259 providers -- by gathering indicators from 442,684 domains. Exploratory factor analysis of 15 indicators identifies four main latent factors that capture security efforts: content security, webmaster security, web infrastructure security and web application security. We confirm, via a fixed-effect regression model, that providers exert significant influence over the latter two factors, which are both related to the software stack in their hosting environment. Finally, by means of GLM regression analysis of these factors on phishing and malware abuse, we show that the four security and software patching factors explain between 10\% and 19\% of the variance in abuse at providers, after controlling for size. For web-application security for instance, we found that when a provider moves from the bottom 10\% to the best-performing 10\%, it would experience 4 times fewer phishing incidents. We show that providers have influence over patch levels--even higher in the stack, where CMSes can run as client-side software--and that this influence is tied to a substantial reduction in abuse levels

Automatic Software Repair: a Bibliography

This article presents a survey on automatic software repair. Automatic software repair consists of automatically finding a solution to software bugs without human intervention. This article considers all kinds of repairs. First, it discusses behavioral repair where test suites, contracts, models, and crashing inputs are taken as oracle. Second, it discusses state repair, also known as runtime repair or runtime recovery, with techniques such as checkpoint and restart, reconfiguration, and invariant restoration. The uniqueness of this article is that it spans the research communities that contribute to this body of knowledge: software engineering, dependability, operating systems, programming languages, and security. It provides a novel and structured overview of the diversity of bug oracles and repair operators used in the literature