In 2021 the Australian Government announced that it would mandate the Essential Eight cyber security controls for all non-corporate Commonwealth entities. The mandate is scheduled to take effect from June 2022, with a compliance assessment every five years.
What are the Essential Eight?
The Essential Eight is a set of eight mitigation strategies published by the Australian Cyber Security Centre (ACSC) to make it harder for adversaries to compromise systems. They are grouped around three objectives: preventing malware delivery and execution, limiting the extent of an incident, and recovering data and system availability. The list is a baseline, not a ceiling: the ACSC defines maturity levels for each strategy, and much more can be done beyond them. The aim is to take a first, well-understood step in securing your systems and to limit the damage if you are hit by a cyber security incident.
- Application control
- Application patching
- Operating system patching
- Configure Microsoft Office macro settings
- User application hardening
- Restriction of administrative privileges
- Multi-factor authentication
- Regular backups
We will discuss each recommendation in turn:
1. Application control
Application control means allowing only approved programs (executables, DLLs, scripts, installers and similar) to run on workstations and servers; anything else is prevented from executing. It is a control on what can run on the endpoint, not a network firewall, although the same allow/deny thinking applies to both. There are two ways to build the list:
Blocklisting (historically "blacklisting") - the older and once more common strategy. As malicious programs were identified, their hashes or paths were added to a block list, and anything on the list was prevented from running. The weakness is that it only stops what you already know about: a freshly compiled malware sample is not on any block list.
Allowlisting (historically "whitelisting") - the better strategy and the one the Essential Eight actually asks for. The list contains approved programs, identified by publisher certificate or cryptographic hash (path rules are weaker, because a path a user can write to becomes a bypass), and anything not on the list is denied by default. Allowlisting is easier to maintain because the set of approved software is far shorter than the set of everything malicious, and it only changes when software is installed or updated. On Windows this is implemented with AppLocker or Windows Defender Application Control; start in audit mode so you see what would be blocked before you enforce.
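As an added example (not code from the original article, and not an ACSC tool), the following PowerShell builds an AppLocker allowlist from the software on a known-clean reference workstation, writes it in audit mode, tests a download against it, applies it locally and shows how to read the audit log. The directory paths, the output path, the sample file and the `E8` rule prefix are assumptions; run it from an elevated prompt on a Windows edition that supports AppLocker.

```powershell
# Added example, not from the original article: generate an AppLocker allowlist from a
# reference build, apply it in audit mode, and test a file against it. Paths are assumptions.

$referenceDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')
$policyPath    = 'C:\Policies\E8-AppLocker.xml'          # assumed output path
$sample        = 'C:\Users\alice\Downloads\setup.exe'     # assumed file that was NOT on the reference build

# 1. Inventory executables, scripts and installers on the reference machine. DLL rules are
#    left out here because they are costly to maintain; add Dll once the Exe rules are stable.
$fileInfo = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Generate rules. Publisher rules survive vendor patches; Hash rules cover unsigned files.
#    Path rules are deliberately not requested: a user-writable allowed path is a bypass.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'E8' -Optimize -Xml

# 3. Switch every rule collection to audit mode so unknown programs are logged, not stopped.
$xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Set-Content -Path $policyPath -Encoding UTF8

# 4. Check a file that was not on the reference build; the expected decision is Denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule

# 5. Apply the policy locally (in a domain it would be distributed by GPO instead) and make
#    sure the Application Identity service, which evaluates the rules, is running. On recent
#    Windows builds Set-Service may refuse AppIDSvc; "sc.exe config appidsvc start= auto" then.
Set-AppLockerPolicy -XmlPolicy $policyPath
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 6. Review what audit mode would have blocked (event 8003) before changing AuditOnly to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
```

Run the audit phase for a few weeks across a representative set of users; every 8003 event is either software you forgot to approve or something that should never have been there, and both are worth knowing before enforcement turns them into help desk calls.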
2. Application patching
Patching applications is the process of updating the software you run as vendors release fixes. Providers publish updates that close security holes and fix bugs; an unpatched application stays exposed to vulnerabilities that are already public and often already being exploited. The ACSC expects patches for vulnerabilities that are being actively exploited, or that are in internet-facing services, to be applied within 48 hours, and other patches within a couple of weeks. It can be difficult to know which versions of which applications are installed across a fleet, so organisations run a vulnerability scanner to find outdated software that needs patching. Tenable Nessus is one of the best-known scanners, but there are many other options, and a scanner is only as good as the inventory it can see.
3. Operating system (OS) patching
As with the applications on your device, you should also patch the OS regularly. It is essential to be on a supported OS version with current updates applied; an unsupported version receives no security fixes at all and should be replaced rather than "hardened". Microsoft releases its security updates on the second Tuesday of every month ("Patch Tuesday"). You can enable automatic updates, or check manually in Windows by searching "check for updates" in the Windows search bar.
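The two patching strategies above both depend on knowing what is installed and how stale it is. As an added example (not from the original article), this PowerShell inventories installed applications from the registry, checks how old the newest Windows hotfix is, and lists updates that Windows Update knows about but has not installed. The 14-day threshold and the output file name are assumptions.

```powershell
# Added example, not from the original article: application inventory, hotfix staleness check,
# and pending Windows updates. The 14-day window is an assumed patching SLA.

$thresholdDays = 14

# Installed applications, read from the Uninstall keys (64-bit, 32-bit and per-user installs).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique
$apps | Export-Csv -Path "$($env:COMPUTERNAME)-installed-apps.csv" -NoTypeInformation
"{0} applications inventoried" -f $apps.Count

# Age of the newest hotfix. Get-HotFix only sees the subset of updates recorded in
# Win32_QuickFixEngineering, so treat this as a staleness indicator, not a full patch inventory.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = ((Get-Date) - $lastFix.InstalledOn).Days
if ($ageDays -gt $thresholdDays) {
    Write-Warning ("Newest hotfix {0} is {1} days old; exceeds the {2}-day window" -f $lastFix.HotFixID, $ageDays, $thresholdDays)
}

# Updates known to the Windows Update Agent but not installed. Search() needs to reach the
# update source (Microsoft Update or WSUS), so this part is not an offline check.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
foreach ($u in $pending) {
    "{0,-10} {1}" -f $u.MsrcSeverity, $u.Title
}
```

The CSV is the part that feeds the 48-hour rule: when an advisory names a product and a fixed version, a fleet-wide join on DisplayName and DisplayVersion tells you which hosts are inside the window before a scanner has even been scheduled.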
4. Configure Microsoft Office macro settings
The fourth recommendation is to change the Microsoft Office default macro settings so that macros in documents from the Internet are blocked, only macros from trusted locations or digitally signed by a trusted publisher can run, and users cannot change these settings themselves. Attackers embed malicious VBA code in documents and rely on the recipient clicking "Enable Content"; with the defaults, one click is all it takes for that code to execute on the device. Block macros outright for users who have no business need for them, and review the remaining exceptions.
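As an added example (not from the original article), the following PowerShell audits and then sets the Office macro policy for the current user through the Office policy registry keys, which override the settings a user can change in the Trust Center. The `16.0` version key covers Office 2016, 2019, 2021 and Microsoft 365 Apps; the target level of 3 (signed by a trusted publisher only) is an assumption, and the final Attack Surface Reduction step assumes Microsoft Defender Antivirus is the endpoint protection in use. At scale the same values would be delivered by Group Policy or Intune rather than per machine.

```powershell
# Added example, not from the original article: audit and enforce Office macro settings
# via the HKCU policy keys for Word, Excel and PowerPoint.
#
# VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
#              3 = disable all except digitally signed, 4 = disable all without notification.
# BlockContentExecutionFromInternet: 1 = block macros in files carrying a Mark-of-the-Web.

$officeApps  = 'Word', 'Excel', 'PowerPoint'
$targetLevel = 3   # assumed: signed-by-trusted-publisher only; use 4 where macros are not needed at all

function Get-MacroPosture {
    foreach ($app in $officeApps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $prefKey   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        $u = Get-ItemProperty -Path $prefKey   -ErrorAction SilentlyContinue
        # Effective value: policy beats user preference, and "nothing set" means the Office default of 2.
        $level = 2
        if ($u.VBAWarnings) { $level = $u.VBAWarnings }
        if ($p.VBAWarnings) { $level = $p.VBAWarnings }
        [pscustomobject]@{
            App           = $app
            VBAWarnings   = $level
            Enforced      = [bool]$p.VBAWarnings
            BlockInternet = [int]$p.BlockContentExecutionFromInternet
        }
    }
}

function Set-MacroPolicy {
    param([int]$Level = $targetLevel)
    foreach ($app in $officeApps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name VBAWarnings -Value $Level -Type DWord
        Set-ItemProperty -Path $policyKey -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
}

"Before:"; Get-MacroPosture | Format-Table -AutoSize
Set-MacroPolicy
"After:";  Get-MacroPosture | Format-Table -AutoSize

# Higher maturity levels also require blocking Win32 API calls from macros. With Microsoft
# Defender Antivirus that is the ASR rule "Block Win32 API calls from Office macros";
# use AuditMode instead of Enabled for the first rollout and review the ASR event log.
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B `
                 -AttackSurfaceReductionRules_Actions Enabled
```

The `Enforced` column is the one to watch in an audit: a user can set level 4 in the Trust Center today and switch it back tomorrow, so only a value under the Policies key counts as the control being in place.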
5. User application hardening
On top of patching applications, the Essential Eight also recommends hardening the applications users spend their day in: web browsers, Office and PDF readers. User application hardening means turning off or blocking the features of those applications that attackers routinely abuse, rather than only keeping them up to date. Typical measures are configuring browsers to block Java, Flash and web advertisements and not using Internet Explorer 11; preventing Office from creating child processes, executable content or OLE packages; and disabling JavaScript in PDF readers. It complements application control: an allowed application still should not be able to do everything on the device, so its risky features are removed or restricted, and users cannot re-enable them without an administrator.
6. Restrictions on administrative privileges
It is best practice to run every process and every sign-in at the lowest permission level the task requires. If an account with administrative privileges is compromised, the adversary has full control of that device: they can disable security tooling, run malicious code, read or change sensitive data, and move on to other systems. Restricting administrative privileges means validating and regularly re-validating who needs them, giving those people separate privileged accounts that are not used for email or web browsing, and keeping the local Administrators group on each host down to a small, known membership. Restricting those rights limits what an adversary can run, where they can traverse, and what they can compromise or change.
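As an added example (not from the original article), this PowerShell enumerates the members of the local Administrators group, flags anyone outside an approved set, shows the removal command with `-WhatIf` so nothing changes until the list has been reviewed, and reports whether the current session itself is elevated. The approved names, including the `CONTOSO\Workstation Admins` group, are assumptions to replace with your own privileged-access groups.

```powershell
# Added example, not from the original article: audit local Administrators membership on this host.
# The approved list below is an assumption; substitute your own privileged-access groups.

$approved = @(
    "$($env:COMPUTERNAME)\Administrator",   # built-in account; ideally disabled or LAPS-managed
    'CONTOSO\Workstation Admins'            # assumed domain group for the people who need local admin
)

function Get-UnapprovedLocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$extra = Get-UnapprovedLocalAdmins
if ($extra) {
    Write-Warning "Unapproved members of local Administrators on $($env:COMPUTERNAME):"
    $extra | Format-Table -AutoSize
    # Remove them. -WhatIf prints the intended change only; drop it once the list has been reviewed.
    foreach ($m in $extra) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -WhatIf
    }
}
else {
    "Local Administrators membership on $($env:COMPUTERNAME) matches the approved list."
}

# Is this session itself running with administrative rights? Day-to-day work should answer False.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current session elevated: $isAdmin"
```

Run from a management host against many machines (for example through `Invoke-Command`), the output of `Get-UnapprovedLocalAdmins` becomes the evidence an assessor asks for: not a policy saying admin rights are restricted, but a per-host list showing that they are.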
7. Multi-factor authentication (MFA)
MFA is a security control that strengthens the authentication process. It requires two or more factors from different categories: something you know (a password or PIN), something you have (a hardware security key, an authenticator app, a smart card) and something you are (a fingerprint or face). As a result, a stolen password alone does not get an adversary in; they also need the second factor. Not all factors are equal, though: codes sent by SMS or email are the weakest, because they can be intercepted or phished in real time, while phishing-resistant methods such as FIDO2 security keys and passkeys are the strongest. Prioritise MFA for remote access, privileged accounts and any service exposed to the Internet.
8. Regular backups
It is essential to have backups in case you need to recover lost data. A data recovery plan means that when the unexpected happens you still have your data, and regular backups mean the copy you restore from is up to date, with the latest versions of your files, configurations and applications. Situations where you may need to recover include an update or a test breaking something, a ransomware attack, or files being deleted. Two things turn a backup into a recovery capability: keeping at least one copy offline or otherwise out of reach of the accounts an attacker is likely to hold (ransomware operators deliberately delete or encrypt reachable backups first), and actually testing a restore on a schedule, because an untested backup is a hope, not a plan.
Before implementation, organisations should identify a priority list of which systems need protecting. Systems that store, process or communicate sensitive information should be at the top of this list. Another factor to consider is what adversaries are most likely to target. By implementing these eight recommendations in both your organisation and your personal systems you will significantly reduce your risk of being attacked, limit the likelihood of malware delivery and execution, and limit the damage when something does get through.