Joint Cybersecurity Advisory Fails To Capture Non-Technical Aspects Of Attacks


Staff Writer

The Australian Government joined forces with two other countries last week and released a joint cybersecurity advisory. The advisory highlighted the top Common Vulnerabilities and Exposures (CVEs) that cyber actors are currently exploiting. But there are concerns the advisory fails to address the role human error plays in facilitating cyberattacks.

The Australian Cyber Security Centre (ACSC) teamed up with the Cybersecurity and Infrastructure Security Agency (CISA) from the United States, the United Kingdom’s National Cyber Security Centre, and the Federal Bureau of Investigation (FBI) to release the advisory.

“This advisory complements our advice available through and underscores the determination of the ACSC and our partner agencies to collaboratively combat malicious cyber activity,” said the ACSC’s Head, Abigail Bradshaw.

The advisory listed 30 key vulnerabilities, along with the vendors, products, and CVEs associated with each. Ms Bradshaw noted patches were available for all 30 vulnerabilities. The ACSC Head urged entities big and small to implement a centralised patch management system.

“This guidance will be valuable for enabling network defenders and organisations to lift collective defences against cyber threats,” Ms Bradshaw said.

Jacqueline Jayne, Security Awareness Advocate at KnowBe4, called last week’s advisory a “step in the right direction.” But she says the advisory only addresses technical aspects of cyber risks and therefore only half the problem.

“In addition to attending to the list of 30 exploits, organisations across all sectors should step their employees through security awareness training and education to ensure that they are making better decisions when it comes to keeping your systems safe from a cyberattack. Patch the people as well as the technology!”

The advisory noted four of the most targeted vulnerabilities in 2020 involved remote work, VPNs, or cloud-based technologies. The rapid growth in working from home is challenging the ability of entities to conduct rigorous patch management and leaving perimeter-type devices open to attack.

“Stark changes in societal and economic circumstances, such as the current lockdowns and tightening restrictions across Australia, are common lures for bad actors,” said Roger Carvosso, Strategy Director at FirstWave Cloud Technology.

The ACSC says vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet software are presently the top targets of bad actors.

“We are committed to working with allies to raise awareness of global cyber weaknesses – and present easily actionable solutions to mitigate them,” said NCSC Director of Operations, Paul Chichester.

While broadly supportive of the advisory, Jacqueline Jayne suggests it fails to address the role human error plays in facilitating cyberattacks.

“Vulnerabilities are both technical and non-technical in nature,” she says. “It is well reported that the majority of successful breaches into systems are due to human error. Cybercriminals know this and have success targeting employees in organisations, usually via phishing emails.”

The Australian Government and its relevant agencies are currently raising awareness of cyberattacks and how to mitigate them. Abigail Bradshaw notes that unless existing widespread weaknesses are fixed, bad actors will continue to focus on known vulnerabilities.