The Australian Cyber Security Centre’s (ACSC’s) Essential 8 risk management framework is a prioritized list of eight mitigation strategies for organizations to address cyber security concerns. These essential strategies protect the organisation’s information security system against a range of adversaries in the digital landscape, and keep your customers’ data secure.
The following blog provides mitigation strategies in line with the ACSC’s Essential 8 principles, which cover:
- Targeted cyber intrusions and other external adversaries who steal data
- Ransomware denying access to data for monetary gain, and external adversaries who destroy data and prevent computers/networks from functioning
- Malicious insiders who steal data such as customer details or intellectual property
- Malicious insiders who destroy data and prevent computers/networks from functioning.
Why should your organisation implement the security controls?
The Australian Cyber Security Centre (ACSC) has developed prioritized mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organizations mitigate cybersecurity incidents caused by various cyber threats. The most effective of these are known as the Essential Eight.
Federal Government Mandatory Requirements
The Essential 8 were first published in February 2017. In 2014, the Australian Federal Government had mandated the Top 4 of these mitigation strategies for federal government departments, and the other four are mandated by the Attorney-General’s Department’s Protective Security Policy Framework (PSPF). The Australian Signals Directorate considers the Essential 8 to be the most effective cyber resilience ‘baseline’ for all organizations. The December 2019 release of the Australian Government Information Security Manual (ISM) states that organizations should:
This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise an organisation’s information security system.
NSW Government Mandatory Requirements
The current NSW Government Cyber Security Policy became effective in February 2019. The policy (section 1.5) requires that each department submit, by 31 August each year, a report detailing a maturity assessment against the ACSC Essential 8.
Alongside the essential strategies, the ASD outlines three levels of maturity to help companies determine their current status and how they can improve. The maturity levels are defined as:
- Maturity Level One: Partly aligned with intent of mitigation strategy.
- Maturity Level Two: Mostly aligned with intent of mitigation strategy.
- Maturity Level Three: Fully aligned with intent of mitigation strategy.
Each maturity level has essential security controls and strategies that mitigate malware delivery and execution; the eight essential controls are discussed below.
The following is a summarized version of the Essential Eight strategies (Australian Cyber Security Centre):
- Application whitelisting – to control the execution of unauthorized software
- Patching applications – to remediate known security vulnerabilities
- Configuring Microsoft Office macro settings – to block untrusted macros
- Application hardening – to protect against vulnerable functionality
- Restricting administrative privileges – to limit powerful access to systems
- Patching operating systems – to remediate known security vulnerabilities
- Multi-factor authentication – to protect against risky activities
- Daily backups – to maintain the availability of critical data.
What maturity level should organisations aim for?
As a baseline, organisations should aim to reach Maturity Level Three for each mitigation strategy. Where the ACSC believes an organization requires a maturity level above Maturity Level Three, the ACSC will provide tailored advice to meet the specific needs of the organization.
Essential Eight Maturity Model for Cyber Security
1. Application control
To prevent the execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell, and HTA), and installers.
Why? So that all non-approved applications (including malicious code) are prevented from executing.
2. Patch applications
Patch applications such as Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.
Why? Security vulnerabilities in applications can be used to execute malicious code on systems.
3. Configure Microsoft Office macro settings
Block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
Why? Microsoft Office macros, for example, can be used to deliver and execute malicious code on systems.
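The two policy settings behind this control (block macros in files from the internet, and disable all macros except digitally signed ones or those in trusted locations) are stored under the Office policy registry keys, so they can be audited offline from a `reg export` of that hive. The following script is an added example, not code from the page or from the ACSC; it assumes Office 16.0 policy paths under `HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\<App>\Security`, the `blockcontentexecutionfrominternet` and `VBAWarnings` values, and the mapping of `VBAWarnings` 3 or 4 to the "vetted macros only" intent. The sample export is constructed for the demonstration.

```python
import re

# Constructed sample of an Office policy export as written by `reg export`
# (not data from the page or from the ACSC). Word is configured to the intent
# of the control; Excel still allows macros with a prompt and does not block
# internet-sourced macros; PowerPoint has no policy at all.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000003
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002
"""

OFFICE_APPS = ("Word", "Excel", "PowerPoint")

# VBAWarnings values used by Office: 1 = enable all, 2 = disable with
# notification, 3 = disable all except digitally signed, 4 = disable all
# without notification (macros in trusted locations still run). Values 3 and 4
# are the ones that match the "vetted macros only" intent of the control.
ACCEPTABLE_VBAWARNINGS = {3, 4}

_DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax a policy export uses ([key] headers
    followed by "name"=dword:XXXXXXXX lines). Returns {key: {name: int}},
    with keys and value names lower-cased because the registry is
    case-insensitive."""
    hive = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hive.setdefault(current, {})
            continue
        m = _DWORD_LINE.match(line)
        if m and current is not None:
            hive[current][m.group(1).lower()] = int(m.group(2), 16)
    return hive


def audit_macro_policy(reg_text, apps=OFFICE_APPS, office_version="16.0"):
    """Return {app: [finding, ...]}; an empty list means the app's macro
    policy meets the intent of the control."""
    hive = parse_reg_export(reg_text)
    findings = {}
    for app in apps:
        key = (f"hkey_current_user\\software\\policies\\microsoft\\office"
               f"\\{office_version}\\{app}\\security").lower()
        values = hive.get(key, {})
        issues = []
        if values.get("blockcontentexecutionfrominternet") != 1:
            issues.append("macros in files from the internet are not blocked "
                          "(blockcontentexecutionfrominternet != 1)")
        vba = values.get("vbawarnings")
        if vba not in ACCEPTABLE_VBAWARNINGS:
            issues.append(f"VBAWarnings={vba!r}; expected 3 (signed only) "
                          "or 4 (trusted locations only)")
        findings[app] = issues
    return findings


if __name__ == "__main__":
    for app, issues in audit_macro_policy(SAMPLE_REG_EXPORT).items():
        print(app, "OK" if not issues else "; ".join(issues))
```

An application with no policy key at all (PowerPoint in the sample) is reported as non-compliant on both points, because an absent policy leaves the user's own Trust Center choice in force rather than the organisation's. A full audit would also cover the trusted-locations keys and the machine-wide policy hive, which the sample leaves out.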
4. User application hardening
Configure web browsers to block Flash (ideally uninstall it), ads, and Java on the internet. Disable unnecessary features in Microsoft Office (e.g. OLE), web browsers, and PDF viewers.
Why? Flash, ads, and Java are popular ways to deliver and execute malicious code on systems.
5. Restrict administrative privileges
Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Why? Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.
6. Patch operating systems
Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Why? Security vulnerabilities in operating systems can be used to further the compromise of systems.
7. Multi-factor authentication
Use multi-factor authentication for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Why? Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
8. Daily backups
Take daily backups of important new/changed data, software and configuration settings, stored disconnected and retained for at least three months. Test restoration initially, annually, and when IT infrastructure changes.
Why? To ensure information can be accessed following a cybersecurity incident (e.g. a ransomware incident).
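The control above has four measurable parts: a backup every day, a copy stored disconnected, at least three months of retained history, and a restoration test that is not more than a year old. The following script is an added example, not code from the page or from the ACSC, that checks a backup catalogue against those four points; it assumes a simple `BackupRecord` shape (date taken, whether the copy is offline, whether a restore was tested from it) and the thresholds of 90 days retention and 365 days between restore tests. The catalogue it audits is constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupRecord:
    taken: date
    offline: bool                  # copy is stored disconnected from the network
    restore_tested: bool = False   # a restoration test was run from this copy


def audit_backups(records, today, retention_days=90, lookback_days=7,
                  restore_test_max_age_days=365):
    """Check a backup catalogue against the control's intent: a backup every
    day, an offline copy of each, at least `retention_days` of history, and a
    restoration test no older than `restore_test_max_age_days`."""
    by_day = {}
    for rec in records:
        by_day.setdefault(rec.taken, []).append(rec)

    # Daily coverage and offline copies are checked over the recent window only;
    # a gap further back is already a retention finding, not a coverage one.
    window = [today - timedelta(days=d) for d in range(1, lookback_days + 1)]
    missed_days = [d for d in window if d not in by_day]
    online_only_days = [d for d in window
                        if d in by_day and not any(r.offline for r in by_day[d])]

    # Retention is met when the oldest retained copy is at least retention_days old.
    oldest = min(by_day) if by_day else None
    retention_met = oldest is not None and (today - oldest).days >= retention_days

    test_dates = [r.taken for r in records if r.restore_tested]
    last_restore_test = max(test_dates) if test_dates else None
    restore_test_stale = (last_restore_test is None or
                          (today - last_restore_test).days > restore_test_max_age_days)

    return {
        "missed_days": missed_days,
        "online_only_days": online_only_days,
        "retention_met": retention_met,
        "last_restore_test": last_restore_test,
        "restore_test_stale": restore_test_stale,
    }


SAMPLE_TODAY = date(2024, 3, 31)  # fixed "today" so the sample is reproducible


def build_sample_catalogue(today=SAMPLE_TODAY):
    """Constructed sample (not real data): 60 days of nightly backups, one
    night skipped, the most recent copy never taken offline, and a restore
    test done from the copy taken 30 days ago."""
    records = []
    for d in range(1, 61):
        if d == 3:
            continue  # the skipped night
        records.append(BackupRecord(taken=today - timedelta(days=d),
                                    offline=(d != 1),
                                    restore_tested=(d == 30)))
    return records


def run_sample_audit():
    return audit_backups(build_sample_catalogue(), SAMPLE_TODAY)


if __name__ == "__main__":
    for name, value in run_sample_audit().items():
        print(f"{name}: {value}")
```

On the sample the audit reports one missed night, one day whose only copy stayed online, a retention shortfall (only 60 days of history against the 90 required), and a recent enough restore test. The retention check reads as a failure for any backup programme younger than three months, so treat that finding as "history still accruing" rather than a defect until the window has elapsed; the check for a restore test after an infrastructure change is an event, not a date, and needs to be tracked outside the catalogue.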
The Center for Internet Security (CIS) publishes alternative guidance titled the CIS Critical Security Controls for Effective Cyber Defense.