Malicious cyber incidents cost businesses time, money, effort and reputational damage. To help guide businesses, the Australian Cyber Security Centre (ACSC) has a set of preventative measures aimed at protecting organisations from cyber incidents. These measures form a framework named the Essential Eight, which aims to tackle three main objectives:
- Prevent cyberattacks,
- Limit the impact of cyberattacks, and
- Recover from a cyberattack.
What is the Essential Eight?
The Essential Eight is a prioritised set of essential baseline cyber security mitigation strategies recommended for organisations to protect against a range of cyber adversaries.
Designed to protect Microsoft Windows-based internet-connected networks, the Essential Eight was created for organisations to focus on improving their security controls.
The ACSC recommends implementing these preventative measures at the very least, to reduce the risk of a cybersecurity incident.
How important is it to implement the Essential Eight?
Depending on the organisation, including government agencies, departments or councils, the Essential Eight may be mandatory with a minimum maturity level rating, so an assessment will be necessary.
On the other side of the spectrum, there are still many businesses that haven’t begun strengthening their cybersecurity armour.
As their managed service provider, you should encourage businesses of any size and industry to review and address their cybersecurity risks. Importantly, work with them to implement some, or as many as possible, of the controls to protect against the risk of a cyber incident.
It is likely that the time and effort spent on attack remediation will far exceed the efforts required to mitigate a cyber attack.
How should I begin implementing the Essential Eight?
1. Understand the current cyber security maturity level.
Cybersecurity audit tools can assess the status of an organisation’s security and identify its cybersecurity strengths.
Importantly, the results of a cybersecurity audit allow for fact-based recommendations for improvements and guidance on how an organisation can improve its cybersecurity.
2. Determine a target maturity level that’s appropriate to that organisation’s environment.
To help organisations with their implementation of the Essential Eight, four maturity levels have been defined.
The different maturity levels provide a high-level indication of an organisation’s cyber security maturity.
When choosing a maturity level for an organisation, take a risk-based approach and consider how desirable the business is to an adversary, with particular regard for the type of information the business holds and exchanges.
Except for Maturity Level Zero, the maturity levels are based on mitigating increasing levels of tools, tactics, techniques, procedures and targeting (collectively referred to as tradecraft).
Maturity Level Zero
This maturity level indicates that there are weaknesses in an organisation’s overall cyber security posture. Organisations at this cyber security maturity level are considered level zero due to a lack of control methods in place, leaving them vulnerable to cyber attacks.
Maturity Level One
Organisations at this level are at a basic level of maturity and are only partly aligned with the intent of the mitigation strategy. This maturity level mitigates against common online threats and opportunistic adversaries who are looking for any victim, rather than a specific target.
Maturity Level Two
Organisations at this intermediate level are developing their maturity and are mostly aligned with the intent of the mitigation strategy. This maturity level aims to mitigate adversaries who use more advanced techniques, invest more effort and may be better equipped to compromise the systems of their targets.
Maturity Level Three
Organisations at this level exercise a good level of cyber hygiene, are managing their risks and are fully aligned with the intent of the mitigation strategy. This is the highest maturity level, intended to deter knowledgeable, experienced and sophisticated adversaries. These types of adversaries are highly targeted and highly invested in navigating an organisation’s security controls.
Requirements for each maturity level
Requirements for Maturity Level One through to Maturity Level Three are outlined in Appendices A to C: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model
3. Understand the Essential Eight strategies to improve an organisation’s security controls.
These are seen as critical to cyber resilience. When proactively implemented, they will help prevent attacks, limit the impact of attacks, and recover data and system availability.
The Essential Eight strategies are:
- Application Control – protect against malicious code executing on systems.
- Application Patching – repairing vulnerabilities in systems and identifying defective patches helps organisations stay updated and secure.
- Configure Microsoft Office Macro Settings – only enabling macros that come from trusted locations, have limited access or are digitally signed with a trusted certificate limits opportunities for adversaries to execute malicious code.
- User Application Hardening – the process of determining what an application is allowed to do on a system.
- Restrict Administrative Privileges – limiting access based on user duties limits risk and exposure.
- Patch Operating Systems – mitigates the risk of attack and also reduces potential damage.
- Multi-Factor Authentication – offers an additional layer of security by neutralising the risks associated with compromised passwords.
- Regular Backups – backed-up copies of data that can be restored from an earlier point in time enable businesses to recover from unplanned incidents.
The current model prioritises implementing all eight strategies as a package because they complement each other and, when combined, offer a breadth of coverage.
Will implementing these measures guarantee organisations are safe from cyber security incidents?
No single mitigation strategy is guaranteed to prevent cyber security incidents, but organisations are recommended to implement the eight essential mitigation strategies at a minimum. While the Essential Eight can help protect against the majority of cyber threats, it will not mitigate all cyber threats.
As such, additional mitigation strategies and security controls need to be considered, including those from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual.