Essential Eight and Legacy Systems

May 6 2024, by James Rabey | Category: Government
Essential Eight and Legacy Systems | Macquarie Government

In the many discussions I’ve had with our agency customers around their efforts to implement Essential Eight security, the most common obstacle encountered is deploying the strategies on the legacy systems remaining in their environments.

By ‘legacy’ I mean those applications and operating systems that are reaching or at ‘End-of-Life’, limiting their ability to be upgraded. Think Windows Server 2008 or 2012 and Java Runtime Environment.

As these systems often still play a vital role in the organisations they support, they can’t be decommissioned and the technical debt makes it difficult to migrate them to newer platforms, including cloud.

The legacy system challenge is not just limited to the people I’ve spoken with. According to the latest Commonwealth Cyber Security Posture Report, 69% of the agencies with legacy technology in their networks indicated that it had impacted their ability to fully implement the Essential Eight.

Though they present obstacles to deploying most of the eight strategies, the most common are application and operating system patching.

Recognising the challenges posed by legacy systems, the ASD advises in the Essential Eight Maturity Model FAQ that ‘It is often difficult to implement the Essential Eight, either in part or in full, on legacy systems. In such cases, ASD strongly encourages organisations to upgrade their legacy systems as a priority so that the Essential Eight can be implemented in full. While a system is in the process of being upgraded, organisations should implement compensating controls where possible to do so.’

Many organisations ‘carve out’ these systems from assessment through an exception process. However, unless these systems operate in a completely ‘air-gapped’ environment, not applying these Essential 8 cyber security strategies mean they remain a weak link in your cyber defences.

The ASD advises organisations to minimise exceptions, recommending instead to manage the residual risk by implementing compensating controls and reducing the number of systems or users impacted.

Compensating controls aim to mitigate the same risk as the Essential Eight mitigation it is replacing. It should not be seen as an alternative to the Essential Eight security controls which reflect the ASD’s expertise and experience.

From an assessor’s perspective, a compensating control that mitigates the specific risk to a similar degree as the original Essential Eight control can be assessed as ‘Implemented’.

To understand what a compensating control looks like, let’s use the Essential Eight Patch Applications strategy as an example. Application Patching mitigates known vulnerabilities being exploited [T1190] by ensuring that the vendor supplied patches are applied as soon as possible after they are released.

When a vulnerability is detected in an End-Of-Life or otherwise unsupported application, there’s not always a patch provided to apply.

For a legacy web application, a suitable compensating control would be to deploy an application protection that includes Virtual Patching. It mitigates the risk of an exploit by analysing all web traffic to identify and block any exploit patterns. As with real patching, the virtual patch is applied as soon as possible after the vulnerability is identified.

If the time between identification and patching is within the applicable Essential Eight Maturity Level metrics (e.g. 48 hours for critical patches on internet facing systems), the legacy platform can be assessed as ‘implemented’ for that control. Not only that, but the threat posture of that platform has been significantly improved.

If we can be of cyber security service assistance we’re always happy to chat. Get in touch with us or by using the form below.


Get in touch.

1800 004 943

Enquiry Sent.

Thank you for contacting us. Our specialists will be in touch with you shortly.

From the Blogs.

Government agencies get SASE on security...

When COVID-19 struck, we quickly became grounded and more restricted in how we could move and travel, with the important exception of moving...

Read More

Demystifying Zero Trust for Government

In Home Affairs recent publication of the 2023-2030 Australian Cyber Security Strategy, they have stated “We will also draw on internation...

Read More

PSPF Direction on cyber threat visibilit...

In July, the Home Affairs Secretary issued a Direction under the Protective Security Policy Framework (PSPF), supporting visibility of the c...

Read More