Essential 8 Cyber Security Guidelines

What are the Essential 8?

The Essential Eight are key cyber security strategies developed by the federal government’s Australian Cyber Security Centre (ACSC) and help mitigate against cyber security threats.

The ACSC Essential Eight is designed to protect Windows-based, internet-connected networks. The ACSC also offers guidance to strengthen cyber security for non-Windows operating systems, cloud and mobile environments.

Essential Eight Maturity Model.

To help organisations implement the Essential Eight, the ACSC 2017 released the Essential Eight Maturity Model. Updated regularly the model has four maturity levels for each of the eight strategies.

Through a risk-based approach, the ACSC recommends organisations aim to achieve the same maturity level across all eight mitigation strategies before moving onto higher maturity levels.

Organisations should seek to minimise the number and scope of any exceptions to the strategies, and if necessary then exceptions should be documented, approved via an appropriate internal process, monitored and periodically reviewed.

The maturity model encourages organisations to implement the ASD Essential 8 cyber security strategies in the following ways:

Application control.

This approach prevents malicious code that’s found its way into a network from functioning by ensuring only approved applications can operate. To implement, approved applications must be identified, then control rules are put in place to ensure only approved applications can execute. The control rules must be maintained within a change management program, reviewed and validated annually, or more frequently.

Similarly, cloud applications can be controlled via a Cloud Access Security Broker (CASB) – an on-premises or cloud-based security policy enforcement point placed between organisations and their cloud service providers.

Vulnerabilities and patching.

Flaws are found in operating systems and applications periodically, so upon release, patches from application vendors should be applied in a timeframe commensurate with an organisation’s level of exposure, and the level of risk they’re aiming to protect against.

The ASD Essential Eight recommended timeframes to apply released patches for applications and operating systems ranging from 48 hours if an exploit already exists, to within a month for applications not commonly targeted.

One of the biggest challenges is the lack of visibility of patch status across a network, so the Essential Eight recommends organisations to scan for vulnerabilities of missing patches daily or fortnightly depending on whether the patch is for an internet-facing service or if it’s a commonly-targeted application.

Configure Microsoft Office macros.

Microsoft Office files can contain embedded code known as macros. Although macros can be powerful tools for greater productivity, they can contain malicious code and are easily transmitted within a Microsoft file via email or web download.

To protect against macros that contain malicious code the ACSC Essential Eight recommend disabling macros for users who do not have a demonstrated business requirement, only enable macros from a trusted location and are digitally signed by a trusted publisher. The ASD Essential Eight also recommends macro execution logging to verify that only approved macros are used.

Application hardening.

Hardening applications on workstations helps reduce the risk of adversaries using malicious websites, emails and removable media to extract sensitive information.

The ACSC Essential Eight recommends hardening Microsoft 365 and Office applications, and Microsoft provides various tools and capabilities to manage and control application configuration, changes and use.

Firstly, the Group Policy Administrative Templates should be obtained from Microsoft and loaded into the Group Policy Management Editor. As group policy settings are routinely updated by Microsoft, checks must be made to ensure the latest version is used.

High priority recommendations include Attack Surface Reduction (ASR), which is a Microsoft security feature designed to prevent malware from exploiting legitimate Microsoft applications’ functionality.

Another high-priority recommendation by the ACSC Essential Eight cyber security strategies is blocking Flash content, Object Linking and Embedding (OLE) images within Microsoft application files from activating, thereby reducing the risk of spear-phishing and the execution of malicious code.

Other priority measures include patching application security vulnerabilities soon after patches are released, and updating to the latest Microsoft Office version to take advantage of any cyber security improvements.

Restricting Administrative privileges.

System users with administrative or domain privileges can make significant configuration changes to operating systems and applications, bypass security settings and access sensitive information.

One of the most effective of the ACSC Essential Eight strategies is to restrict administrative privileges which can make a network more stable, and easier to administer and support as fewer users can make changes, either intentionally or unintentionally.

The correct approach is to first identify tasks that require administrative privileges, authorise appropriate staff to do those tasks and create separate, administrative accounts with restricted privileges to just perform those tasks. Privileges must be revalidated on a frequent basis, and when administrative staff change duties or leave the organisation.

Multi-factor authentication.

Multi-factor authentication can make it significantly more difficult for an adversary to steal legitimate credentials, and is therefore included in the ASD Essential 8 cyber security strategies.

This authentication method uses two or more authentication factors to authenticate a claimant to an authentication verifier. The factors can be something the claimant knows (password, PIN), something they have (smartcard, physical token) or something personally unique (fingerprint, iris scan).

Multi-factor authentication should be implemented for remote access solutions, users performing privileged actions and users accessing important (sensitive or high-availability) data repositories.

Backups.

The final (but by no means the least) ACSC Essential 8 cyber security strategy is backups. Important data, software and configuration settings need to be regularly backed up, and restoration of systems from backed up data must be tested as part of disaster recovery exercises.

Air gapping, the logical or physical separation of backup files from the production environment further reduces risks to backup files is also recommended.

All users except backup administrators must be excluded from accessing backups, and all users except backup ‘break glass’ accounts are prevented from modifying or deleting backup files.

How Macquarie Government can help.

When it comes to the ACSC Essential Eight, Macquarie Government is all over it. As a part of ASX listed Macquarie Technology Group (ASX: MAQ), Macquarie Government is an Australian specialist in cyber security, secure cloud and data centres solutions. Currently, 42% of Federal Government agencies trust and use Macquarie Government’s security and cloud services.

Our Macquarie Government consultants are standing by to show you how our government cloud, colocation and security solutions can work for you – call us on 1800 004 943.