Through the Australian Cyber Security Centre(ACSC), the Australian Government has delivered a cyber risk mitigation framework.
Known as The Essential 8, the framework prioritises a list of eight mitigation strategies for organisations to address cyber security concerns.
Why should your organisation implement the security controls?
With 64% of Australian organisations experiencing disruptions at the hands of cyber-criminals and 54% of those affected by ransomware paying the ransom, the costs to organisations for not enacting a security strategy is costly. Of those who paid a ransom, only 76% received their data back, meaning 24% did not.
ACSC has developed prioritised mitigation controls, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations mitigate cybersecurity incidents caused by various cyber threats. The most effective of these are known as The Essential 8.
Alongside the essential strategies, the ASD outlines three levels of maturity to help companies determine their current security posture and how they can improve. The maturity levels are:
• Maturity Level One: Partly aligned with intent of mitigation strategy.
• Maturity Level Two: Mostly aligned with intent of mitigation strategy.
• Maturity Level Three: Fully aligned with intent of mitigation strategy.
Each of the maturity levels have essential security controls and strategies that mitigate to prevent malware delivery and execution.
The Essential 8 were first published in February 2017 and the Australian Signals Directorate considers the Essential 8 to be the most effective cyber resilience 'baseline' for all organisations.
The Essential 8 includes:
1. Application control
2. Patch applications
3. Configure Microsoft Office macro settings
4. User application hardening
5. Restrict administrative privileges
6. Patch operating systems
7. Multi-factor authentication
8. Regular backups
Essential 8 maturity model for cyber security
1. Application Control
Preventing the execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell, and HTA), and installers.
Why? This control is for all non-approved applications (including malicious code) are prevented from executing.
2. Path Applications
Flash, web browsers, Microsoft Office, Java, and PDF viewers. Patch/mitigate computers with 'extreme risk' vulnerabilities within 48 hours. Use the latest version of applications.
Why? Security vulnerabilities in applications can be used to execute malicious code on systems.
3. Configure Microsoft office macro settings
To block macros from the internet, and only allow vetted macros either in 'trusted locations' with limited write access or digitally signed with a trusted certificate.
Why? Microsoft Office macros, for example, can be used to deliver and execute malicious code on systems.
4. User application hardening
Configure web browsers to block Flash (ideally uninstall it), ads, and Java on the internet. Disable unnecessary features in Microsoft Office (e.g. OLE), web browsers, and PDF viewers. Why? Flash, ads, and Java are popular ways to deliver and execute malicious code on systems.
5. Restrict administrative privileges
Operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don't use privileged accounts for reading email and web browsing.
Why? Admin accounts are the 'keys to the kingdom'. Adversaries use these accounts to gain full access to information and systems.
6. Patch operating systems
Patch/mitigate computers (including network devices) with 'extreme risk' vulnerabilities within 48 hours. Use the latest operating system version. Don't use unsupported versions.
Why? Security vulnerabilities in operating systems can be used to further the compromise of systems.
7. Multi-factor authentication
It includes VPNs, RDP, SSH, and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Why? Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
8. Daily Backups
Daily back-ups of important new/changed data, software, and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually, and when IT infrastructure changes.
Why? To ensure information can be accessed following a cybersecurity incident (e.g. a ransomware incident).
Not all security journeys are the same. Companies require different solutions and strategies, so the best way to determine your path to compliance is to work through a security and threat detection assessment. If you'd like to know more about The Essential 8 or discuss your security journey, then click here.
Dive behind the scenes and keep up to date on the latest people centred tech.