The Australian Cyber Security Centre’s – ACSC’s – Essential 8 risk management framework is a prioritized list of eight mitigation strategies for organizations to address cyber security concerns. These essentials strategies protect the organisation’s information security system against a range of adversaries in the digital landscape, and keep the data of your customers secure.
The following blog provides mitigation strategies in line with the ACSC’s essential 8 principles which cover:
- Targeted cyber intrusions and other external adversaries who steal data
- Ransomware denying access to data for monetary gain, and external adversaries who destroy data and prevent computers/networks from functioning
- Malicious insiders who steal data such as customer details or intellectual property
- Malicious insiders who destroy data and prevent computers/networks from functioning.
WHY SHOULD YOUR ORGANISATION IMPLEMENT THE SECURITY CONTROLS?
The Australian Cyber Security Centre (ACSC) has developed prioritized mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organizations mitigate cybersecurity incidents caused by various cyber threats. The most effective of these are known as the Essential Eight.
Alongside the essential strategies, the ASD outlines three levels of maturity to help companies determine their status and how they can improve. The maturity levels are defined as:
- Maturity Level One: Partly aligned with intent of mitigation strategy.
- Maturity Level Two: Mostly aligned with intent of mitigation strategy.
- Maturity Level Three: Fully aligned with intent of mitigation strategy.
Each of the Maturity levels have essential security controls and strategies that mitigate to prevent malware delivery and execution; let’s discuss these 8 Essential controls as below.
The following is a summarized version of the Essential Eight strategies (Australian Cyber Security Centre):-
- Application whitelisting – to control the execution of unauthorized software
- Patching applications – to remediate known security vulnerabilities
- Configuring Microsoft Office macro settings – to block untrusted macros
- Application hardening – to protect against vulnerable functionality
- Restricting administrative privileges – to limit powerful access to systems
- Patching operating systems – to remediate known security vulnerabilities
- Multi-factor authentication – to protect against risky activities
- Daily backups – to maintain the availability of critical data.
WHAT MATURITY LEVEL TO AIM FOR ORGANISATIONS:
As a baseline, organisations should aim to reach Maturity Level Three for each mitigation strategy. Where the ACSC believes an organization requires a maturity level above that of Maturity Level Three, the ACSC will provide tailored advice to meet the specific needs of the organization
ESSENTIAL EIGHT MATURITY MODEL FOR CYBER SECURITY
1. APPLICATION CONTROL:
To prevent the execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell, and HTA), and installers.
Why? This control is for all non-approved applications (including malicious code) are prevented from executing.
2. PATCH APPLICATIONS
Flash, web browsers, Microsoft Office, Java, and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.
Why? Security vulnerabilities in applications can be used to execute malicious code on systems.
3. CONFIGURE MICROSOFT OFFICE MACRO SETTINGS
To block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
Why? Microsoft Office macros, for example, can be used to deliver and execute malicious code on systems.
4. USER APPLICATION HARDENING.
Configure web browsers to block Flash (ideally uninstall it), ads, and Java on the internet. Disable unnecessary features in Microsoft Office (e.g. OLE), web browsers, and PDF viewers.
Why? Flash, ads, and Java are popular ways to deliver and execute malicious code on systems.
5. RESTRICT ADMINISTRATIVE PRIVILEGES
Operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Why? Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.
6. PATCH OPERATING SYSTEMS.
Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Why? Security vulnerabilities in operating systems can be used to further the compromise of systems.
7. MULTI-FACTOR AUTHENTICATION
It includes VPNs, RDP, SSH, and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high availability) data repository.
Why? Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
8. DAILY BACKUPS
Daily back-ups of important new/changed data, software, and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually, and when IT infrastructure changes.
Why? To ensure information can be accessed following a cybersecurity incident (e.g. a ransomware incident).
The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organizations’ systems. More info can be found here.
The Centre for Internet Security (CIS) publishes alternative guidance titled the CIS Critical Security Controls for Effective Cyber defence which is available here.