Cybersecurity Strategies for Businesses - Tech Engine Australia

Understanding the Essential Eight Security Strategies

The Australian Cyber Security Centre (ACSC) advises all Australian organisations to prioritise cybersecurity and enhance their security posture. A key recommendation from the ACSC is the implementation of the Essential Eight cybersecurity controls, which are designed to help organisations defend their systems and data more effectively against cyber threats. The sections below explain the controls, their origin, the maturity model and who should comply.

What are the Essential Eight Controls?

The Essential Eight are a set of eight mitigation strategies that organisations should implement to reduce the risk of cyber-attacks and safeguard their data. These controls focus on preventing and detecting malicious activities. The eight strategies are:

  1. Application Control: This measure aims to prevent the execution of malicious code by identifying and allowing only approved applications to run. This involves understanding all applications and processes used by users and monitoring for unusual activity.
  2. Patch Applications: This strategy involves the timely application of new patches and conducting vulnerability scans to identify new weaknesses. It requires assigning responsibility for these actions and analysing scan data to take prompt action against identified threats.
  3. Restrict Microsoft Office Macros: This control outlines measures to mitigate the risk of malicious macros, such as disabling macros for users who do not need them, enabling macros only from trusted sources, and checking for digital signatures. Organisations should also monitor for unusual activities that could indicate an attack.
  4. User Application Hardening: This strategy focuses on limiting and securing user applications that regularly interact with web content. This is achieved by hardening configurations, such as blocking Flash and advertisements on web browsers or disabling JavaScript on specific websites.
  5. Restrict Administrative Privileges: This involves identifying tasks requiring privileged access, creating separate accounts for these users, and limiting administrative rights to a select few individuals. This helps prevent malicious actors from gaining control over critical security settings.
  6. Patch Operating Systems: Similar to application patching, this involves regularly checking for and applying new operating system patches and analysing vulnerability management data for timely remediation. It’s important to verify the necessity and safety of patches and test them before deployment.
  7. Multi-Factor Authentication (MFA): Beyond standard MFA implementations, the ACSC recommends hardening devices, ensuring a visual notification for every authentication request, and storing software certificates in the device’s trusted platform module.
  8. Regular Backups: Implementing regular offline and online backups is highly recommended. These backups should include mechanisms to alert users of a breach and specify appropriate incident response procedures.

Why Did the Essential Eight Come into Place?

In 2010, the ACSC, which is part of the Australian Signals Directorate (ASD), released a document that listed 37 security controls ordered by their effectiveness in addressing cyberattacks. The top four of these controls were made mandatory for Australian Federal organisations in 2014. In 2011, the ACSC reported that implementing these “Top Four” helped organisations effectively address 85% of targeted cyberattacks.

In 2017, the ASD expanded the “Top Four” to the Essential Eight in an update to their mitigation strategies. While the initial four primarily aimed at preventing malware attacks, the subsequent four were intended to mitigate a broader range of cyber threats. Due to a growing number of cyberattacks, the ASD has recently recommended that all Australian organisations implement the Essential Eight to strengthen their cybersecurity posture.

What is the Essential Eight Maturity Model?

The Essential Eight includes a maturity model that defines four levels based on an organisation’s capacity to mitigate risks from threat actors and their evolving tactics. This model assists organisations in identifying their cyber risk areas and focusing their mitigation efforts. The four maturity levels are:

  • Maturity Level 0: Characterised by weak cybersecurity postures, where data is easily compromised using common threat techniques.
  • Maturity Level 1: Focuses on mitigating risks from opportunistic threat actors who use readily available tools and frequently employed techniques, such as malicious macros in social engineering attacks.
  • Maturity Level 2: Aims to block more sophisticated adversaries who are well-equipped, use slightly more advanced techniques such as impersonating users to gain privileges, and are better at bypassing security controls.
  • Maturity Level 3: Addresses resourceful adversaries who use advanced tools and techniques, often targeting specific organisations and spending time researching vulnerabilities, like outdated software or weak security monitoring, to gain entry and access privileged controls or confidential data.

Who Should Comply?

While the original “Top Four” are mandatory for all Australian Federal government agencies, it is anticipated that the full “Essential Eight” will soon be mandatory for all 98 Commonwealth entities. However, the ACSC recommends that all Australian organisations implement the Essential Eight to improve their cybersecurity.

Furthermore, demonstrating a proactive approach by implementing the Essential Eight can potentially lower cyber insurance premiums. Cyber insurance companies utilise this framework to assess risk levels and determine premiums based on the extent to which an organisation implements these eight key security controls.

The Essential Eight Security Strategies provide a crucial framework for organisations to enhance their cyber defences. Get in touch with the experts at Tech Engine if you have any questions.