The ISM 2025 Overhaul: Ditching Faxes, Passwords & the ‘Cybersecurity’ Hyphen

Listen to this Post

Featured Image

Introduction:

The Australian Signals Directorate’s (ASD) December 2025 Information Security Manual (ISM) release marks a pivotal modernization of national cybersecurity policy. By formally retiring legacy technology like fax machines and abandoning counterproductive practices like mandatory password rotation, the framework aligns with contemporary threat models and technical realities. This analysis deciphers the key changes and provides the technical steps for implementation, from hardening systems against AI-powered threats to navigating terminological inconsistencies.

Learning Objectives:

  • Understand the technical rationale behind eliminating fax machines and time-based password changes.
  • Implement actionable steps to comply with new system hardening and AI security controls.
  • Develop a strategy to manage documentation and tooling amidst terminology shifts.

You Should Know:

1. The Official Retirement of the Fax Machine

The ISM’s removal of fax machines from approved communication systems is a landmark decision, citing their inherent insecurity. Fax protocols (like T.30/T.38) lack encryption, are vulnerable to interception, and can be vectors for network intrusion via compromised fax servers or all-in-one printer devices.

Step‑by‑step guide explaining what this does and how to use it.
Network Segmentation & Blocking: Immediately segment any remaining fax servers or multifunction devices onto isolated VLANs. Block all fax-related ports (e.g., TCP 21, 22, 80, 443 for management interfaces, and protocol ports 5060/5061 for SIP, T.38) at the network firewall.
Linux iptables example: `sudo iptables -A FORWARD -p tcp –dport 5060 -j DROP`
Windows Firewall (PowerShell): `New-NetFirewallRule -DisplayName “Block Fax SIP” -Direction Inbound -Protocol TCP -LocalPort 5060 -Action Block`
Physical Audit & Decommissioning: Conduct a physical audit to locate all fax-capable devices. For hybrid devices, disable the fax function via the hardware admin console and physically remove any PSTN telephone lines.
Monitor for Legacy Traffic: Use network monitoring tools (e.g., Wireshark, Zeek) to detect any ongoing fax protocol traffic as a sign of non-compliance or shadow IT.

  1. Password Policy Revolution: Dropping Rotation & Security Questions
    The ISM now advises against time-based password changes, recognizing it leads to predictable, weak passwords (e.g., “Password2025!”). It also deprecates security questions, which are often easily researched or guessed. The focus shifts to strong, unique passwords protected by phishing-resistant Multi-Factor Authentication (MFA).

Step‑by‑step guide explaining what this does and how to use it.
Implement Passwordless or Strong MFA: Where possible, deploy FIDO2/WebAuthn security keys or biometrics. For traditional paths, enforce phishing-resistant MFA (e.g., Microsoft Authenticator number matching, not SMS).

Configure Account Lockout & Breached Password Checks:

Windows Active Directory Fine-Grained Policy (PowerShell):

New-ADFineGrainedPasswordPolicy -Name "NoRotationPolicy" -Precedence 10 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00" -LockoutThreshold 10 -MaxPasswordAge "00:00:00" -EnforcePasswordHistory 24

(Sets no maximum password age but enforces a 24-password history to prevent rapid recycling).

Linux with pam_pwquality & HaveIBeenPwned:

Integrate `libpam-pwquality` and scripts that check new passwords against APIs like HaveIBeenPwned’s Pwned Passwords.
Disable Security Questions: Remove or disable this feature from all self-service password reset (SSPR) portals. Replace with alternative verification methods such as a second MFA factor or verified backup email.

  1. System Hardening: From Random Words to Concrete Configurations
    The ISM has removed the recommendation to use random words for system names, recognizing this provides minimal security benefit (“security through obscurity”). The emphasis is now on tangible hardening measures that reduce attack surface.

Step‑by‑step guide explaining what this does and how to use it.
Implement a Consistent, Maintainable Naming Convention: Use a logical, site-function-identifier scheme (e.g., SYD-WEB-001). This aids in automation and inventory management.
Prioritize Hardening Benchmarks: Apply configuration baselines from the Australian Cyber Security Centre (ACSC) or CIS Benchmarks.
Windows (PowerShell – Sample): `AuditPol /set /subcategory:”Process Creation” /success:enable /failure:enable`
Linux (SSH Hardening in /etc/ssh/sshd_config): PermitRootLogin no, PasswordAuthentication no, Protocol 2.

  1. AI Security Controls: Integrating Governance into the SDLC
    The ISM’s expanded software development guidelines now include explicit controls for AI/ML systems, addressing risks like data poisoning, model theft, and adversarial attacks.

Step‑by‑step guide explaining what this does and how to use it.
Secure the AI/ML Pipeline: Isolate training environments. Encrypt sensitive training data at rest and in transit. Use version control for both code and model weights (e.g., with DVC – Data Version Control).
Implement Model Governance: Log all access and queries to production models. Use tools like Microsoft Counterfit or IBM Adversarial Robustness Toolbox to test models for robustness against evasion techniques.
Sample Command (Model Query Logging – Python Snippet):

import logging
def predict_with_logging(input_data, model):
prediction = model.predict(input_data)
logging.info(f"Model inference - Input hash: {hash(str(input_data))[:10]}, Prediction: {prediction}, User: {current_user}, Timestamp: {datetime.now()}")
return prediction
  1. The “Cyber Security” vs. “Cybersecurity” Backflip: A Documentation Challenge
    The ASD’s reversion to the two-word “cyber security” creates a compliance overhead, requiring updates to policy documents, automated scanners, and governance, risk, and compliance (GRC) platform rule sets.

Step‑by‑step guide explaining what this does and how to use it.
Conduct a Document Corpus Search & Replace: Use command-line tools to find all instances.

Linux/macOS (grep & sed):

grep -r -i "cybersecurity" /path/to/policies/ --include=".docx" --include=".md" --include=".txt"
sed -i 's/cybersecurity/cyber security/gI' .md

Windows (PowerShell): `Get-ChildItem -Recurse -Include .md,.txt | Select-String -Pattern “cybersecurity” | ForEach-Object { (Get-Content $_.Path) -replace ‘cybersecurity’, ‘cyber security’ | Set-Content $_.Path }`
Update GRC Tooling: Modify compliance checklists and automated policy auditors (e.g., in ServiceNow or custom scripts) to reflect the updated terminology in control descriptions.

What Undercode Say:

  • Policy Catches Up with Practice: The ISM changes validate what leading security practitioners have advocated for years: removing friction that doesn’t improve security (password resets) and eliminating truly vulnerable legacy systems (fax).
  • The Real Work is Technical Implementation: The policy shift is the starting gun, not the finish line. Lasting security improvement depends on the meticulous technical execution of hardening, MFA rollout, and AI pipeline security outlined above.

The move from prescriptive, periodic checklists towards a principles-based, risk-focused model is clear. The retirement of the fax machine is symbolic of a necessary purge of technological debt, while the password policy change embraces a human-centric security model. The addition of AI controls is reactive but critical, acknowledging that AI is now a core component of the software stack requiring specialized governance. The terminology flip-flop, while frustrating, highlights the importance of agile, automated documentation systems in modern compliance.

Prediction:

The 2025 ISM updates foreshadow a future where cybersecurity frameworks become increasingly dynamic and integrated directly into development and operations toolchains. We will see the rise of “Compliance as Code” platforms that automatically translate policy changes (like dropping password rotation) into immediate technical enforcement across cloud environments and CI/CD pipelines. Furthermore, the explicit AI controls will accelerate the development of specialized AI Security Posture Management (AI-SPM) tools, creating a new niche in the cybersecurity market focused on model hardening, lineage tracking, and adversarial attack simulation. The framework’s evolution signals that reactive, manual compliance is untenable, mandating a shift towards automated, continuous technical assurance.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Enterprisesecurity The – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky