Cyberattacks are becoming more frequent and more damaging, which is driving organisations to take proactive measures to strengthen their cybersecurity strategies.
In May 2019, the Australian start-up Canva suffered a data breach affecting 137 million of its users. ProctorU, an online supervising and monitoring service for remote students, had a database of 444,000 records compromised, including user records from prestigious Australian universities. On a global scale, Ubiquiti Networks, one of the world’s largest vendors of Internet-of-Things devices, suffered a breach in December 2020 when an intruder compromised the company’s third-party provider and accessed customer account credentials.
These attacks were financially motivated and well organised. Cybercrime is now a specialised trade, with roles divided by type of activity: phishing, scamming, malware, data mining, ransomware, network infiltration, and more. Each role is filled by professionals in that area.
As the threat from cyberattacks grows, the response is to adopt stronger security measures and raise the baseline. The Australian Cyber Security Centre (ACSC) published the Essential Eight Techniques to Mitigate Cyber Incidents in June 2017 to help Australian businesses strengthen their resilience against these threats. However, Australian businesses cannot rely on these initiatives alone. Each business should continue to raise its baseline with additional preventive controls.
The Essential Eight Techniques
The Essential Eight consists of eight mitigation strategies selected by the ACSC to help organisations prevent or limit cybersecurity incidents. The strategies cover three areas: preventing malware delivery and execution, limiting the extent of incidents, and recovering data and system availability. The ACSC also rates each strategy for its relative security effectiveness and implementation cost.
The eight strategies are:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication (MFA)
- Regular backups
Measuring Cybersecurity using Maturity Levels
Maturity is measured against the level of adversary tradecraft each strategy is intended to mitigate. There are four maturity levels:
- Maturity Level 0 – signifies weaknesses in an organisation’s overall cybersecurity posture that leave it exposed even to unsophisticated adversaries.
- Maturity Level 1 – mitigates adversaries who are content to leverage publicly available tools, tactics, techniques, and procedures.
- Maturity Level 2 – mitigates adversaries who are willing to invest more time in a target and employ well-known tools, tactics, techniques, and procedures to bypass security controls and evade detection.
- Maturity Level 3 – mitigates adversaries who are more adaptive and less reliant on public tools and techniques. They can exploit weaknesses in the target’s cybersecurity posture and are willing to invest more time and effort.
Organisations should begin by identifying a target maturity level suitable for their environment, then implement each strategy progressively until that level is reached.
The Essential Eight strategies complement each other to provide broad coverage against a range of threats. An organisation should achieve the same maturity level across all eight strategies before moving on to a higher maturity level.
The Essential Eight Cybersecurity Strategies
The Essential Eight Maturity Model is updated regularly based on the ACSC’s experience in producing cyber threat intelligence, responding to cybersecurity incidents, conducting penetration testing, and assisting organisations to implement the Essential Eight.
- Application Control – An appropriately configured implementation of application control prevents the execution of unapproved software (including executables, DLLs, scripts, and installers), whether it was downloaded from a website, opened from an email attachment or launched from removable storage media.
- Patch Applications – This strategy refers specifically to updating third-party applications. It focuses on applying security updates and patches as quickly as possible, within 48 hours for extreme-risk vulnerabilities. It requires regular use of vulnerability scanners to detect missing patches and updates, and removal of applications that are no longer supported by their vendors.
- Configure Microsoft Office Macro Settings – Block all macros for general users. Only allow vetted macros to be used by approved users, either from trusted locations with limited write access or digitally signed with a trusted certificate. This addresses adversaries using Microsoft Office macros to run malicious code while evading basic email content filtering and application control.
- User Application Hardening – This strategy reduces the attack surface of user computers. It focuses on limiting or blocking the use of Flash, ActiveX, Java, Silverlight, and QuickTime for Windows in web browsers and other user applications. Users should not be able to change these settings.
- Restrict Administrative Privileges – Restrict administrative privileges to operating systems and applications based on user duties. Validate every requirement for a user to be granted administrative rights and revalidate these monthly. Privileged users should use a separate unprivileged account for non-administrative activities such as reading email, browsing the internet, downloading documents, using instant messaging, or using social networks. Technical controls should also block privileged accounts from performing such activities.
- Patch Operating Systems – Keep operating systems up to date. Patches for extreme-risk vulnerabilities must be applied within 48 hours of the vulnerability being identified. Vulnerability scanners should also be used to identify missing patches and to flag operating system versions that are no longer vendor supported.
- Multi-Factor Authentication (MFA) – Multi-factor authentication requires users to verify their identity with more than one type of authentication factor. Privileged actions, including system administration and access to important data repositories, should require MFA, and it is especially important for VPNs (Virtual Private Networks), RDP, SSH and other remote access capabilities. Implemented correctly, MFA makes it significantly harder for adversaries to use stolen credentials to further their malicious activity.
- Regular Backups – Regular backups are vital to mitigate data being encrypted, corrupted, or deleted by ransomware or destructive malware, malicious insiders, user mistakes, or hardware failure due to faulty equipment, power outage, fire, or flood. Back up important new or changed data, software, and configuration settings daily, store the backups disconnected from the network, and retain them for at least three months. Test the restoration process periodically and whenever the IT infrastructure changes.
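The settings above are mostly Windows host configuration, so a practitioner will want to see how they can be checked. The script below is an added example, not from the original article or from the ACSC: a read-only spot check, run as a local administrator on a single Windows host, of four of the eight strategies (Office macro settings, application control via AppLocker, local administrator membership, and operating system patch age). The Office version key `16.0`, the `-adm` naming convention for separate administrative accounts, and the 30-day patch-age threshold are assumptions for illustration; a real maturity assessment covers every strategy and every host.

```powershell
# Added example: spot check of four Essential Eight settings on one Windows host.
# Assumptions (not from the article): Office 2016/2019/365 policy key version 16.0,
# admin accounts named with an '-adm' suffix, and a 30-day patch-age threshold.
$findings = @()

# 1. Configure Microsoft Office macro settings.
#    Group Policy writes Office security settings under
#    HKCU\Software\Policies\Microsoft\Office\<version>\<app>\Security.
#    VBAWarnings: 4 = disable all macros without notification,
#                 3 = disable all except digitally signed macros.
#    blockcontentexecutionfrominternet: 1 = block macros in files from the internet.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba = $props.VBAWarnings
    $web = $props.blockcontentexecutionfrominternet
    if ($vba -ne 4 -and $vba -ne 3) {
        $findings += "[$app] VBAWarnings is '$vba' (expected 4 = block all, or 3 = signed only)"
    }
    if ($web -ne 1) {
        $findings += "[$app] macros in files from the internet are not blocked (blockcontentexecutionfrominternet != 1)"
    }
}

# 2. Application control: is at least one AppLocker rule collection enforced,
#    as opposed to audit-only or not configured?
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$enforced = @()
if ($policy) {
    $enforced = @($policy.RuleCollections |
        Where-Object { $_.EnforcementMode -eq 'Enabled' } |
        ForEach-Object { $_.RuleCollectionType })
}
if ($enforced.Count -eq 0) {
    $findings += "No AppLocker rule collection is in enforce mode (audit-only or no policy)"
} else {
    "AppLocker enforcing: $($enforced -join ', ')"
}

# 3. Restrict administrative privileges: list local Administrators and flag
#    user accounts that do not follow the assumed separate-admin-account naming.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
foreach ($m in $admins) {
    if ($m.ObjectClass -eq 'User' -and $m.Name -notlike '*-adm') {
        $findings += "Local admin '$($m.Name)' is not a dedicated '-adm' account; check it is not used for email or browsing"
    }
}

# 4. Patch operating systems: how long since the most recent hotfix was installed?
$last = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $last) {
    $findings += "No installed hotfix is recorded on this host"
} elseif (((Get-Date) - $last.InstalledOn) -gt [TimeSpan]::FromDays(30)) {
    $findings += "Last hotfix $($last.HotFixID) installed $($last.InstalledOn.ToShortDateString()); check for missing updates"
}

if ($findings.Count -eq 0) { "No findings from this spot check." } else { $findings }
```

The check is deliberately conservative: an empty or missing policy key is reported as a finding rather than assumed safe, because the Essential Eight treats an unconfigured control as Maturity Level 0. The hotfix age is only a proxy; a vulnerability scanner against the vendor's current patch list is still needed to show that the 48-hour target for extreme-risk vulnerabilities is being met.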
Are you in compliance with Essential 8?
The Essential Eight covers eight areas of cybersecurity. If your organisation has implemented some of these strategies but not all, the focus should be on raising maturity in the areas that are lagging.
An audit should be performed to understand the risk in each area, the cost of addressing it, and the consequences if that area is breached. Every organisation will have a different risk tolerance for each strategy.
If you are unsure whether you meet the Essential Eight requirements, it is time to give us a call for a thorough review.
What maturity level matches your risk?
Every organisation has different needs and a different risk profile, so the solutions and strategies will differ too. We can help you evaluate your current maturity level for each strategy against the Essential Eight Maturity Model published by the Australian Cyber Security Centre (ACSC).
Note also that the Essential Eight does not cover every risk and is not the only set of cybersecurity measures Australian businesses should consider. Complying with the Essential Eight is the first step toward better protecting your assets, and we can assist you on the journey to compliance.
Contact us to learn how to achieve full compliance with the Essential Eight and how we can help you improve your cybersecurity.