ASD’s Top 4 Mitigation Strategies

The Basics: adapted from the Top 4 Mitigation Strategies and the Catch, Patch, Match campaign of ASD (the Australian Signals Directorate)

ASD’s award-winning Top 4 mitigation strategies, also known as Catch-Patch-Match, have been touted as having the potential to prevent 80-85% of targeted cyber attacks made directly against a machine or device in the current state of play.


Patch everything – this means: 

  • run the latest version of your software on all your devices and machines (including programs such as antivirus, Windows, Word, any applications on your mobile)

  • when you are prompted to ‘update’ a program, click ‘update’ 

  • Note that not all patches are provided to you as an automatic update, so your IT security supplier will need to have a patching process in place that:

    • lists all the software you use, and

    • searches for updates or new software versions

  • If you’re a larger organisation, implement a patching regime or review your existing one.


This matters because the vulnerabilities these updates fix are on sale to criminals within 2 days. It’s like a flu shot: the virus may get to you, but it will be less likely to be effective.

Questions for your IT security supplier

  1. Do we have a list of all software we run? How can we put this list in place and keep it up to date in a secure location?

  2. Is all the software we use needed? What is your risk assessment of uninstalling this software?

  3. Is all of the software we do use licensed?

  4. Which of the software programs we use don’t provide automatic updates?

  5. Of the software that doesn’t provide automatic updates, do we regularly search for patches and latest versions? If not, how can we put this in place?


Match the user privileges on any machines, servers and devices to the things the user or users of those devices need to do to perform their role.



It’s like providing access to only one room in your home, in effect locking off the rest of your house. Malware can change things on your system and spread to others’ systems because it uses your rights to do things. If the only rights are to use Office and Adobe, for example, then it will be difficult for malware to delete all the contents of your hard drive, change rights on the system to bar you from accessing your own information, or use your rights to go and infect another machine without you knowing.


Questions for your IT security supplier

  • Does every device, machine and server have a separate user login from the system administrator login?

  • Are user logins locked down to ensure they can only have access to the things they need to do to perform their work?

  • How many people have system administrator access?

  • Do all those people need system administrator access?

  • Of those who do need system administrator access, are their privileges limited to the minimum required to perform their role?



Catch malware before it can run. To infect your machine, malware, like any other software, has to ‘run’ and install.



If you limit what programs are allowed to run on your machine to only approved applications (e.g. Office, Adobe, CAD, etc.), then anything else will be much harder (not impossible, but much harder) to run. This is called ‘application whitelisting’.


Questions for your IT security supplier

  • Do we have an approved list of all software we run? How can we put this list in place and keep it up to date in a secure location?

  • Do we lock down all user machines and devices to allow only this software to run (application whitelisting)?
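An added example, not from ASD or the original page: a minimal default-deny check keyed on file hashes, showing why the approved list has to be refreshed whenever software is patched. The file names and contents are constructed stand-ins; real application whitelisting is enforced by the operating system or a security product, not by a script like this.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file contents; the file's name and location play no part."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_approved_list(paths):
    """Record the hash of every approved program (hash -> label)."""
    return {sha256_of(p): p.name for p in paths}


def may_run(path: Path, approved: dict) -> bool:
    """Default deny: only files whose hash is on the approved list may run."""
    return sha256_of(path) in approved


def demo():
    # Constructed stand-ins for real programs, so the example runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        office = root / "office.exe"
        office.write_bytes(b"constructed office build 1.0")
        unknown = root / "free_music_player.exe"
        unknown.write_bytes(b"constructed unapproved download")

        approved = build_approved_list([office])
        results = {
            "approved": may_run(office, approved),
            "unapproved": may_run(unknown, approved),
        }

        # A patch replaces the file, so its hash changes and it is blocked
        # until the approved list is refreshed as part of the patching process.
        office.write_bytes(b"constructed office build 1.1 (patched)")
        results["patched_before_refresh"] = may_run(office, approved)
        approved = build_approved_list([office])
        results["patched_after_refresh"] = may_run(office, approved)
        return results


if __name__ == "__main__":
    print(demo())
```

The patched program being blocked until the list is rebuilt is the reason the approved list and the patching process need a shared owner.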


A little more advanced ….

1/ Put in place an incident response team – a supplier who can periodically test your personal, home and corporate networks for vulnerabilities (words you may hear meaning this are ‘pen test’ short for penetration testing or ‘ethical hack’). They can also respond if there is an incident. Seek out a CREST approved supplier.

2/ Put in place monitoring – your incident response team will have a recommendation. The key thing, however, is that the alerts are analysed and responded to. This will increase your chances of catching bad things, given there is no silver bullet for protecting you and your organisation.



  • Avoid putting USB sticks and CDs into any of your devices

  • Don’t allow people to charge their phones from your machines or devices

  • Don’t charge your mobile on other people’s machines or devices

  • Don’t download things such as free music or movies – these are prime candidates for malware (malicious software)

  • Avoid posting personally identifying information about yourself or others on social media (e.g. Facebook, LinkedIn, press releases) and make others aware that you don’t want this done to you

  • Avoid using the same devices for personal and work – Separate your personal and work devices where possible

  • Avoid public wifi (eg coffee shops, clubs etc)

  • Avoid clicking on untrusted links and attachments

If you can’t do these things at any time, the key question to ask yourself is: what is my risk? So if, for example, you need to download a program to view an important document but it’s not on the ‘approved applications list’, you could ask yourself what the risk of this is to you. Do you trust the document? Do you trust the program? Do you really need the application, or can the information be provided to you in an alternative way? Can the application wait to be vetted before installing? Does the need to view it now outweigh the increased risk of potentially allowing a virus to run on your machine?
