In recent years, cyber-attacks have been on the rise and are now a major concern for organisations around the world, Australia included, particularly with the increase in attacks on critical infrastructure and supply chains. From the ransomware shutdown of a US fuel pipeline that led to fuel shortages, to the attack on a global meatpacking firm that saw its Australian workers stood down, cybercrime is threatening organisations and governments everywhere.
Given this growth in the rate of cyber-attacks, it is imperative to get security strategies right from the start. This is where the Australian Cyber Security Centre (ACSC) Essential Eight Strategies to Mitigate Cyber Security Incidents can help businesses get their primary defence strategy right from the beginning.
What is the ACSC Essential Eight?
The ACSC developed the Essential Eight, and its accompanying Maturity Model, to help organisations mitigate or prevent cyber security incidents. The eight strategies fall into three groups by objective: preventing malware delivery and execution, limiting the extent of cyber security incidents, and recovering data and system availability. The Maturity Model then rates how completely each strategy has been implemented, from Maturity Level Zero (immature) to Maturity Level Three.
The Essential Eight is a prioritised subset of the Australian Signals Directorate's broader Strategies to Mitigate Cyber Security Incidents, and evolved from the earlier "Top 4". It was later adopted across federal government agencies and has since been taken up by state governments. The Essential Eight is an established baseline that defines how organisations should prioritise their cyber security defences so that compromise is harder to achieve and, when it does occur, less damaging.
How does the Essential Eight measure cybersecurity?
The maturity levels are defined in terms of the adversary tradecraft each level is intended to mitigate, rather than as a checklist alone. The ASD defines four maturity levels (Zero to Three) so that organisations can assess where they currently stand and plan how to improve. The maturity levels are:
- Maturity Level Zero – signifies weaknesses in an organisation's overall cyber security posture which, if exploited, could facilitate the compromise of the confidentiality of its information, or the integrity or availability of its systems and data.
- Maturity Level One – focuses on adversaries who are content to leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, systems; for example, a publicly available exploit used against an unpatched internet-facing service, or phished credentials used against a service without MFA.
- Maturity Level Two – focuses on adversaries operating with a modest step-up in capability from the previous level. These adversaries are willing to invest more time in a target and, more importantly, in the effectiveness of their tools, for example by actively targeting credentials through phishing and by working to bypass weak forms of multi-factor authentication.
- Maturity Level Three – focuses on adversaries who are more adaptive and much less reliant on public tools and techniques. They exploit the opportunities provided by weaknesses in their target's cyber security posture, such as older software or inadequate logging and monitoring, to extend their access, evade detection and solidify their presence, and may still use publicly available exploits where those improve their chances of success.
Each maturity level specifies requirements for all eight strategies, not only those aimed at malware delivery and execution, and a level is only reached once every strategy meets it. Older versions of the model told organisations to aim for Maturity Level Three as a baseline; the current model instead asks organisations to select a target maturity level appropriate to their threat environment and to implement all eight strategies to that level before progressing to the next. Where an organisation faces threats beyond what Maturity Level Three addresses, the ACSC recommends seeking tailored advice.
Essential Eight strategies
The following is a brief overview of the Essential Eight strategies and why they matter:
Application control (formerly called application whitelisting) – permits only an approved set of executables, software libraries, scripts and installers to run on workstations and servers, and blocks everything else. It is enforced by rules that identify approved code by path, publisher certificate or cryptographic hash, so that malware and unauthorised tools cannot execute even once they have reached the host. It does not work by restricting which system calls an application may make; that is sandboxing, a different control.
Patching applications – focuses on third-party applications: security updates are applied within defined timeframes of release (shorter where the application is internet-facing or an exploit exists), regular vulnerability scanning detects missing patches and updates, and applications the vendor no longer supports are removed.
Configuring Microsoft Office macro settings – blocks macros in files received from the internet and allows only vetted (or digitally signed) macros for users with a demonstrated business need, because untrusted macros are a common way to deliver and execute malicious code.
User application hardening – disables or restricts application features that attackers commonly abuse and that most users do not need, such as web browsers processing Java or web advertisements from the internet, Office activating OLE packages, and legacy components such as Internet Explorer 11 or PowerShell 2.0. This reduces the attack surface rather than relying on patching alone.
Restricting administrative privileges – limits administrative access to users with a validated need, revalidates that need regularly, and keeps privileged accounts separate from day-to-day accounts so that privileged accounts cannot browse the web or read email. This reduces the chance that an attacker who compromises a user gains the access needed to change security settings, disable controls or spread malware across the environment.
Patching operating systems – keep operating systems up to date by applying patches, updates or vendor mitigations. For internet-facing services this must happen within two weeks of release, or within 48 hours if an exploit exists; for other workstations, servers and network devices, within one month. Any operating system no longer supported by its vendor should be replaced.
Multi-factor authentication – MFA is required before users access the organisation's internet-facing services and third-party services that hold its data, and for privileged users, so that a stolen password alone is not enough to log in. Strong, unique passwords still matter, but MFA is the control that defeats credential phishing and password reuse.
Regular backups (originally "daily backups") – ensures that important data, applications and settings are backed up in a coordinated and resilient manner and retained for as long as business continuity requires. Restoration is tested regularly, including as part of disaster recovery exercises, and backups are protected from the accounts most likely to be compromised: unprivileged accounts cannot access backups belonging to other accounts, and cannot modify or delete any backups. That last point is what stops ransomware running with a user's access from destroying the backups along with the data.
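The two patching strategies above both come down to a deadline: from the date a vendor releases a fix, how long may it stay unapplied before the control is failed? The following script is an added example, not ACSC or Itopia tooling, that encodes the Maturity Level One operating-system timeframes stated above (two weeks for internet-facing services, 48 hours if an exploit exists, one month otherwise) and grades a set of patch records against them. The record format, host names, vulnerability labels and dates are constructed for illustration, and "one month" is treated as 30 days, which is an assumption; the ACSC text does not define the start point for the 48-hour case, so the release date is used.

```python
"""Patch-timeframe checker for the Essential Eight Maturity Level One
operating-system patching requirement (added example; not an ACSC tool)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    vuln: str                    # tracking label; sample values below are made up
    released: datetime           # when the vendor released the patch or mitigation
    internet_facing: bool
    exploit_exists: bool
    applied: Optional[datetime]  # None while the host is still unpatched


def required_window(rec: PatchRecord) -> timedelta:
    """ML1 window measured from patch release (start point assumed; ACSC does
    not define it for the 48-hour case).
    Internet-facing services: 2 weeks, or 48 hours if an exploit exists.
    Everything else: 1 month at ML1 regardless of exploit status, treated
    here as 30 days (assumption)."""
    if rec.internet_facing:
        return timedelta(hours=48) if rec.exploit_exists else timedelta(weeks=2)
    return timedelta(days=30)


def status(rec: PatchRecord, now: datetime) -> str:
    """'ok'      patched on or before the deadline
       'late'    patched, but after the deadline (control was breached)
       'open'    unpatched, deadline not yet reached
       'overdue' unpatched and past the deadline"""
    due = rec.released + required_window(rec)
    if rec.applied is not None:
        return "ok" if rec.applied <= due else "late"
    return "open" if now <= due else "overdue"


def evaluate(records, now: datetime) -> dict:
    """Map 'host/vuln' to its status for every record."""
    return {f"{r.host}/{r.vuln}": status(r, now) for r in records}


def ml1_met(records, now: datetime) -> bool:
    """The control is met only if nothing is late or overdue; 'open' items
    are acceptable because their window has not yet expired."""
    return all(s in ("ok", "open") for s in evaluate(records, now).values())


# Constructed sample data: hosts, labels and dates are invented for illustration.
SAMPLE_NOW = datetime(2024, 3, 20)
SAMPLE_RECORDS = [
    # internet-facing, exploit known: 48 h window, patched next day -> ok
    PatchRecord("web01", "VULN-A", datetime(2024, 3, 1), True,  True,  datetime(2024, 3, 2)),
    # internet-facing, no exploit: 2 weeks, patched on day 17 -> late
    PatchRecord("web01", "VULN-B", datetime(2024, 3, 1), True,  False, datetime(2024, 3, 18)),
    # internal file server: exploit exists but ML1 still allows one month -> open
    PatchRecord("fs01",  "VULN-C", datetime(2024, 3, 1), False, True,  None),
    # internet-facing VPN released Feb 1, still unpatched on Mar 20 -> overdue
    PatchRecord("vpn01", "VULN-D", datetime(2024, 2, 1), True,  False, None),
]

if __name__ == "__main__":
    for key, s in evaluate(SAMPLE_RECORDS, SAMPLE_NOW).items():
        print(f"{key}: {s}")
    print("ML1 OS patching met:", ml1_met(SAMPLE_RECORDS, SAMPLE_NOW))
```

The third record is the case worth noticing: a public exploit does not shorten the window for a non-internet-facing host at Maturity Level One, so an organisation that wants the 48-hour rule applied everywhere is choosing a higher level's requirement, and should say so in its target. Feeding the script real data means exporting release dates from the vendor's advisory feed and applied dates from the patch management system; the grading logic itself does not change.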
Does my business comply with the Essential Eight strategies?
The technical nature of the Essential Eight requirements means your organisation will need dedicated effort to achieve them. It is important to understand your company's current maturity level in each strategy so that you know which gaps to close first and which practices will keep you at your target level. The cyber security experts at Itopia can evaluate your IT environment and help your business meet the Essential Eight guidelines, with comprehensive cyber security strategies to protect your company from advanced threats.