The week in security: Government departments given infosec guidance as cloud threatens security workers

A set of concrete guidelines for government digital service delivery marked the first deliverables from the fledgling Digital Transformation Office (DTO), with mandatory compliance with the 36-element Protective Security Policy Framework among the security-related regulations agencies must now follow.

Such guidelines are designed to help government agencies avoid the kind of dramas that hit Linux promotion body Linux Australia, which was hit by hackers that, the organisation admitted, may have stolen the database used to manage its annual conferences.

Yet some government agencies were doing their own data collection, as revelations emerged that the US Drug Enforcement Administration and Department of Justice had been bulk-archiving records of phone conversations since 1992. That's a world away from the other government news of the week – including a report that said Russian hackers had accessed White House email, and a US FBI warning that Web defacements were using the name of terror group ISIS to raise their profile.

Your smartphone may soon replace your keychain for providing access to secure facilities. It uses a cloud-based security service of the type that has rapidly become popular for configuring remote online devices – and is, the founders of startup Soha Systems believe, is going to make cloud security the next big thing.

Microsoft is doing its best to facilitate the cloud transition, with proactive efforts to sell users on the security and cloud benefits of upgrading aging Windows Server 2003 installations that will reach their end of life in July. As if to remind us of the dangers of relying on out-of-date operating systems, a report revealed that hackers had used malware attacks to steal €1.23 million ($A1.71m) from automatic teller machines that are still running Windows XP.

Even as SingTel threw its hat into the cloud-security ring, some were worrying that the cloud could also put many security workers out of jobs, although Deloitte was posting one for the workers by running a mock cyberattack designed to help staff understand their role in the response; the move was in line with recommendations from HP, which is advising customers to focus on staff security education instead of investing in new security technologies.

With many Internet of Things (IoT) devices found to be insecure by design, however, there may be some who are concerned about the rush to connect home devices of all sorts to the Internet – especially since even one organisation's compromised endpoint can be a conduit for attacks on others.

Little wonder that CISOs argue that security should be viewed as a business enabler rather than an innovation bottleneck. Malware writers certainly aren't stemming their innovation: a report from Websense Security Labs suggested that today's threats are increasingly sophisticated compared with those detected last year.

One analysis blamed the rapidly growing prevalence of Web-exploit kits. Even the police are getting tricked, with one Massachusetts police department forking over $US500 to unlock files that were encrypted in a CryptoLocker infection. French TV broadcaster TV5Monde was taken off the air after Islamist hackers scored a direct hit – then made things worse by broadcasting an internal shot that appeared to reveal social-media logins and passwords – while the police scored a retaliatory strike by disrupting the Beebone malware-distribution botnet.

Firefox's move to encrypt many types of unencrypted data was welcomed by security experts, but encryption has its problems too: Gmail service was interrupted for some users after Google forgot to renew a crucial digital certificate. Also from the Oops! file, a Dell support tool that was previously found to suffer from security vulnerabilities is now being picked up by security scanners as a potentially problematic application.

The UK government's mass-spying practices were challenged at a European human rights court, while German authorities ordered Google to change its privacy practices – over concerns that probably weren't allayed after a mistake by a Bulgarian Google Ad reseller saw users redirected to malicious ads that tried to install malware on users' systems. Meanwhile, encryption startup Vera had its own take on privacy with a service that locks down transferred documents.

This article is brought to you by Enex TestLab, content directors for CSO Australia.