The Australian Cyber Security Centre’s (ACSC) risk management framework is a prioritised list of eight mitigation strategies (security controls) organisations can implement to protect their systems against a range of adversaries. The Australian Signals Directorate (ASD) found that when operating effectively, the Essential 8 mitigates 85% of targeted cyber-attacks.
The Essential Eight
While no single mitigation strategy is guaranteed to prevent cyber security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems. Furthermore, implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident.
There is a suggested implementation order for each adversary to assist organisations in building a strong cyber security posture for their systems. Once organisations have implemented their desired mitigation strategies to an initial level, they should focus on increasing the maturity of their implementation such that they eventually reach full alignment with the intent of each mitigation strategy.
Mitigation Strategies to Prevent Attacks
1 Application whitelisting of approved/trusted programs to prevent the execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
Why: All non-approved applications (including malicious code) are prevented from executing.
2 Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
Why: Microsoft Office macros can be used to deliver and execute malicious code on systems.
3 Patch applications e.g. Flash, web browsers, Microsoft Office, Java, and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.
Why: Security vulnerabilities in applications can be used to execute malicious code on systems.
4 User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads, and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Why: Flash, ads and Java are popular ways to deliver and execute malicious code on systems.
Mitigation Strategies to Limit the Extent of Attacks
5 Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Why: Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.
6 Multi-factor authentication including for VPNs, RDP, SSH, and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Why: Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
7 Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Why: Security vulnerabilities in operating systems can be used to further the compromise of systems.
Mitigation Strategies to Recover Data and System Availability
8 Daily backups of important new/changed data, software, and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually, and when IT infrastructure changes.
Why: To ensure information can be accessed following a cybersecurity incident (e.g. a ransomware incident).
Why should your Organisation implement these Security Controls?
Federal Government Mandatory Requirements – The Essential 8 was published in February 2017; Australian Federal Government had previously mandated the Top 4 of these mitigation strategies for federal government departments back in 2014. The Top 4 are also mandated by the Attorney-General’s Department’s Protective Security Policy Framework (PSPF). The Australian Signals Directorate considers the Essential 8 to be the most effective cyber resilience ‘baseline’ for all organisations.
The December 2019 release of the Australian Government Information Security Manual (ISM) states that organisations should:
- Assess security controls for the system and its environment to determine if they have been implemented correctly and are operating as intended.
- Monitor the system, and associated cyber threats, security risks and security controls, on an ongoing basis.
The ACSC Essential 8 complements the advice in the ISM.
Read more about the Essential Eight here: https://www.cyber.gov.au/publications/essential-eight-maturity-model
Read more about Cyber Security solutions here: https://www.xarigroup.com.au/it-security-for-your-business