Essential 8 cyber security mitigation strategies introduced by Australian Cyber Security Centre (ACSC) represents an extensive set of cyber security best practices and threat mitigation strategies for businesses of all sizes and types to tackle today’s modern and ever-evolving cyber threats. ACSC’s essential eight strategies focus on helping organisations protect their business assets and overall infrastructure from a range of threats.
Essential 8 strategies are an extension of the top 4 mitigation strategies released by the Australian Signals Directorate’s (ASD) back in 2014. According to ASD, when implemented effectively, the top 4 strategies can help businesses to thwart over 85% of unauthorised access attempts. As an extension of top 4 strategies – Essential 8 strategies were first introduced in 2017, containing further 37 risk and threat mitigation strategies to further help organisations to strengthen their overall business security posture.
Why should your organisation implement essential 8 security strategies?
ACSC’s essential eight cyber security strategies offer extensive guidelines for organisations to protect their business infrastructures from different types of traditional and modern security threats. These security strategies can help organisations improve security and productivity in various business aspects – ultimately protecting businesses from devastating consequences of cyber attacks and security breaches.
The Australian Signals Directorate considers the Essential 8 to be the most effective cyber resilience ‘baseline’ for all organizations. ACSC has specifically developed essential 8 security mitigation strategies for organisations to effectively mitigate cyber security incidents caused by various types of threats and bad actors.
Additionally, the current NSW Government Cyber Security Policy became effective in February 2019. The policy (section 1.5) requires, by 31 August each year, that each department submits a report detailing a maturity assessment against the ACSC Essential 8.
Essential 8 Maturity levels:
Alongside the essential 8 strategies, the ASD outlines three levels of maturity to help companies determine their current status and how they can improve. The maturity levels are defined as:
- Maturity Level One: Partly aligned with the intent of mitigation strategy.
- Maturity Level Two: Mostly aligned with the intent of mitigation strategy.
- Maturity Level Three: Fully aligned with intent of mitigation strategy.
Each of the Maturity levels have essential security controls and strategies that help businesses to mitigate and prevent malware delivery and execution.
ACSC Essential 8 Security Framework and strategies
The ACSC’s essential 8 security framework and strategies include eight major security controls that address diverse threats and mitigation procedures. These eight security controls are listed below.
- Application Control: Application control regulates and prevents the execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell, and HTA), and malicious installers.
- Application Patching: Security vulnerabilities in applications installed on organisational systems can pose serious security risks. This strategy requires organisations to patch and mitigate all the organisational systems and IoT devices with potential security vulnerabilities within 48 hours while ensuring to keep all the applications up-to-date.
- Configuration of Microsoft Office Macro Settings: Despite having practical value and benefits, Macros are increasingly becoming a source of exploits. Turning them off without a strategy is not advised as it resulted in the germination of more overheads. ACSC recommends configuring your Microsoft Office macros settings based on the origin, trust, and users of macros. This will help you block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
- User Application Hardening: Maximizing security by removing unnecessary features and settings in applications to strengthen the security of specific applications installed in organisational systems and devices. Essential 8 also recommends configuring web browsers to block Flash (ideally, uninstall it), ads, and Java on the Internet. Also disable unneeded features in Microsoft Office (e.g. OLE), web browsers, and PDF viewers to prevent malware from entering your organisational network.
- Restricting Administrative Privileges: Restricting administrative privileges reduce the chances of unauthorized access and privilege abuse. This security control addresses the principals of zero-trust and least-privilege, that means access will be granted only upon verification of an actor based on a set verification criteria.
- Patching Operating Systems: Outdated or pirated operating systems can pose security risks and should not be installed in organisational systems. This essential security control requires businesses to install the latest operating systems in workplace systems to avoid security incidents originating due to outdated and unsecure OS. Not only limited to computers, OS must be regularly updated in different devices such as tablets, mobile phones, printers, routers, switches and firewalls.
- Multi-Factor Authentication: Using multi-factor authentication features is a must which includes VPNs, RDP, SSH, and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository. Multi-Factor Authentication adds an extra layer of assurance and security to access and identity management by using a combination of easy-to-use secondary identification systems such as apps, SMS codes or even biometrics.
- Regular Backups: All the organisational data must be backed up regularly to ensure swift recovery in case of a disaster or a breach. The stored data should be encrypted to ensure data security, integrity and availability.
Protecting your organisation from cyber threats in today’s hostile cyberspace is a significant challenge. At the very least, implementing some of the security controls from essential eight security strategies can significantly reduce security risks and can potentially add to your organisational security, productivity and digital resiliency.
For more information on our ACSC Essential Eight services, contact us here today.
