Australia’s ‘Essential Eight’ for cyber security
The Australian Cyber Security Centre’s Essential Eight are eight measures the Australian Government recommends all organisations take to safeguard against cyber threats. The Essential Eight cover everything from application patching to multi-factor authentication.
The Essential Eight are eight actions that all Australian organisations should take to protect themselves from cyber threats. They were released by the Australian Cyber Security Centre (ACSC) in 2017 as part of that agency’s mandate to protect Australia from cyber threats.
The Australian Cyber Security Centre is part of the Australian Signals Directorate (ASD) and works across all sectors (business, not-for-profit, government, academia and the general community) to drive national cyber security. Its role encompasses responding to threats and protecting against threats to minimise harm to all Australians. Threats include:
Targeted cyber intrusions
Ransomware and other data destruction
Data theft from insiders
Data destruction from insiders
What are the Essential Eight?
The ACSC’s Essential Eight are eight essential actions organisations should take to protect themselves and their data in the digital age. The ACSC considers these mitigation strategies baseline protection. The Essential Eight are:
“Application whitelisting – to control the execution of unauthorised software
Patching applications – to remediate known security vulnerabilities
Configuring Microsoft Office macro settings – to block untrusted macros
Application hardening – to protect against vulnerable functionality
Restricting administrative privileges – to limit powerful access to systems
Patching operating systems – to remediate known security vulnerabilities
Multi-factor authentication – to protect against risky activities
Daily backups – to maintain the availability of critical data.”
Application whitelisting
Application whitelisting (now more often called application control) means maintaining a list of the applications that are allowed to run on your computers and having the operating system refuse to run anything else. Because the list names what is allowed rather than what is forbidden, an unapproved program, including malware that a user downloads or that a malicious document tries to launch, simply does not execute. This is enforced on the endpoint by an application control feature of the operating system (for example AppLocker or Windows Defender Application Control on Windows), not by a firewall, which only controls network traffic. If there are genuine programs that you or your employees need that aren’t on the whitelist, an administrator reviews them and adds a rule for them; nobody else can install or run them. Done properly, whitelisting both stops employees running unwanted or harmful software and stops malware from executing on your systems, and it should cover scripts, installers and libraries (DLLs), not just .exe files.
Implementation: Whitelisting is as much an inventory exercise as a technical one, so in larger organisations a policy that defines who can approve a new application is worth having. The starting point is a list of the applications each part of the organisation actually needs. Build the rules from that list (rules based on the vendor’s code-signing certificate are far easier to maintain than per-file hashes), run them in audit-only mode for a while so you can see what would have been blocked, and only switch to enforcement once the audit log shows no legitimate business software being caught.
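As an added example (this is not code from the ACSC or from the original article), the following PowerShell builds an AppLocker whitelist from the software already installed on a reference Windows machine, applies it in audit-only mode, and shows the two checks you would run before switching it to enforcement. The policy path, the directories scanned and the file names passed to Test-AppLockerPolicy are assumptions; AppLocker needs a Windows Enterprise/Education or Server edition, an elevated shell and the Application Identity service running.

```powershell
# Added example: build, audit and then enforce an AppLocker whitelist.
# Not from the ACSC or the original article; paths below are assumptions.

$PolicyPath = 'C:\Policies\applocker-baseline.xml'

# 1. Inventory the executables, DLLs, scripts and installers already present in the
#    trusted program directories. C:\Windows must be included: a whitelist that does not
#    allow the operating system's own binaries will break the machine once enforced.
$files = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Generate rules. Publisher rules (vendor code-signing certificate) are preferred and
#    survive version upgrades; hash rules are the fallback for unsigned binaries.
#    -Optimize collapses thousands of files into a small rule set.
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start in audit mode: nothing is blocked yet, but event 8003 records what would be.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null
Set-Content -Path $PolicyPath -Value $xml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# AppLocker only evaluates rules while the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 4. Check the policy against a file it should block and one it should allow
#    (the downloaded tool is an assumed example file).
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone `
    -Path 'C:\Users\Public\Downloads\unknown-tool.exe', 'C:\Windows\System32\notepad.exe' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. After the audit period, review what would have been blocked (event ID 8003).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 6. Enforce once the audit log is clean of legitimate business software.
$enforced = (Get-Content -Path $PolicyPath -Raw) -replace 'EnforcementMode="AuditOnly"', 'EnforcementMode="Enabled"'
Set-Content -Path $PolicyPath -Value $enforced -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyPath
```

Once enforced, event ID 8004 in the same log records every blocked execution, which is the signal that either malware was stopped or a legitimate application needs a rule. In a domain the finished XML is normally imported into a Group Policy object rather than applied per machine with Set-AppLockerPolicy.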
Patch applications
All applications (e.g. web browsers, Microsoft Office, PDF readers, Java, web content management systems, payroll software, etc.) should be patched within 48 hours of a patch for an ‘extreme risk’ vulnerability being released, and kept up to date on a regular schedule the rest of the time. You should also run the latest supported version of each application, since vendors stop fixing vulnerabilities in old versions. This reduces the window in which malicious code can use a known vulnerability in one of your applications to damage your systems or data.
Implementation: Again, a policy listing every application in use, who is responsible for patching it and how often, is a good idea; you can’t patch what you don’t know you have. Patching should be carried out by your IT department or administrator, and ideally pushed out centrally rather than machine by machine. Web content management systems need to be patched by your web team or web vendor (you may like to read more information on open source security patching and updates).
Read more information from the ACSC on assessing security vulnerabilities and applying patches.
Configure Microsoft Office macro settings
In Microsoft Office, a macro is a piece of Visual Basic for Applications (VBA) code stored inside a document or template that automates a sequence of actions, such as formatting a report or pulling data into a spreadsheet. This makes common processes faster and easier. However, a macro can do anything the user who opens the document can do, including downloading and running other programs, so malicious macros in emailed documents are a very common way of delivering malware.
Macros are widely used in the Microsoft Office suite, so configuring Office’s macro settings to block macros in files that came from the internet and to vet any other macros before they run is one of the Essential Eight.
Implementation: An IT administrator can configure Office so that only approved macros run (they’re very handy and can save a lot of time, so you don’t want to simply disable all macros for everyone). Approved macros should be digitally signed with a code-signing certificate, and that certificate added to users’ Trusted Publishers store, so Office can be set to run only signed macros from trusted publishers. Macros in files downloaded from the internet or received as email attachments should be blocked outright rather than left to an ‘Enable Content’ prompt that users learn to click through. This can be done for all macros your organisation commonly uses or needs to use.
Read more information from the ACSC on Microsoft Office macro security.
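As an added example (not code from the ACSC or from the original article), this PowerShell sets the two Office policy values that implement the settings above for the current user: run only digitally signed macros, and block macros in files marked as coming from the internet. It assumes Office 2016 or later (registry version "16.0") and the Word, Excel and PowerPoint applications; in a domain the same values would be set centrally with the Office Group Policy templates, which take precedence over anything written here.

```powershell
# Added example: configure and verify Office macro policy through the Policies registry keys.
# Not from the ACSC or the original article; Office version and app list are assumptions.

$OfficeVersion = '16.0'                      # Office 2016 / 2019 / Microsoft 365
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all macros (dangerous), 2 = disable with notification
# (the default: users can click "Enable Content"), 3 = disable all except digitally
# signed macros from trusted publishers, 4 = disable all without notification.
# blockcontentexecutionfrominternet: 1 = macros in files with Mark-of-the-Web never run.
$Settings = @{
    VBAWarnings                       = 3
    blockcontentexecutionfrominternet = 1
}

foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    New-Item -Path $key -Force | Out-Null
    foreach ($name in $Settings.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $Settings[$name] -PropertyType DWord -Force | Out-Null
    }
}

# Verification: report each application's effective setting so a weaker value
# (for example after a user or an installer changed it) shows up as $false.
function Test-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application           = $app
            SignedMacrosOnly      = ($p.VBAWarnings -eq 3 -or $p.VBAWarnings -eq 4)
            InternetMacrosBlocked = ($p.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Test-OfficeMacroPolicy | Format-Table -AutoSize
```

The macros you do want to keep are signed from the VBA editor (Tools, Digital Signature) with a code-signing certificate, and that certificate is distributed to each user’s Trusted Publishers certificate store; with VBAWarnings set to 3, anything not signed by such a publisher is silently refused.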
Application hardening
‘Hardening’ applications means looking at the applications you already run and configuring them so they are harder to attack. For example, in some applications you might disable features that your organisation doesn’t use or need, or enable them only for the users who need them. This particularly applies to web browsers, because browser plugins such as Flash and Java, and web advertisements, are commonly used to deliver malicious code. Blocking Flash, ads and Java in the browser (or uninstalling the plugins altogether) increases your organisation’s cyber security, and the same thinking applies to other software with scripting or plugin features, such as PDF readers.
Implementation: Go through all applications and web browsers currently used in the organisation and make sure unused and at-risk features are disabled, preferably through centrally managed settings rather than relying on each user’s preferences. Features that only some people need should be enabled only for them, not the whole organisation.
Restrict administrative privileges
Administrator accounts should be issued only to users whose jobs clearly require administrative access, and those accounts should never be used for reading email or browsing the web. Give administrators a separate, unprivileged account for day-to-day work, so that a phishing email or malicious web page runs with ordinary user rights rather than full control of the machine. Administrative access also needs to be re-evaluated regularly, and removed when people change roles or leave. Administrative privileges bring power and access to your internal systems, so guard your admin accounts!
Implementation: Review all your user accounts to make sure administrative privileges are only assigned to users who need them, and check that the local administrator groups on workstations and servers contain only what you expect. You should also review the administrative accounts on all network devices like routers, any IoT devices, etc., and change any default passwords.
Set up a policy for admin accounts and any user accounts with different privileges (you may have some people who need access to some extra systems, but they shouldn't automatically get full admin access). At the same time, you can also check your password settings and policy.
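As an added example (not code from the ACSC or from the original article), this PowerShell audits the local Administrators group on a Windows machine against an approved list and previews the removal of anything else. The approved members below are constructed for the example (the CONTOSO domain and the Workstation-Admins group are assumptions); it runs on Windows 10 / Server 2016 or later, where the LocalAccounts cmdlets are available.

```powershell
# Added example: detect drift in local Administrators group membership.
# Not from the ACSC or the original article; the approved list is constructed.

$Approved = @(
    'CONTOSO\Domain Admins',            # added automatically on domain join
    'CONTOSO\Workstation-Admins',       # assumed AD group for desktop support staff
    "$env:COMPUTERNAME\Administrator"   # built-in account, normally disabled
)

function Get-AdminDrift {
    param([string[]]$ApprovedMembers)
    # Group name is 'Administrators' on English Windows; the group's well-known SID
    # (S-1-5-32-544) is the portable identifier if you need to support other locales.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        [pscustomobject]@{
            Member   = $m.Name
            Type     = $m.ObjectClass       # User or Group
            Source   = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, ...
            Approved = ($ApprovedMembers -contains $m.Name)
        }
    }
}

$report = Get-AdminDrift -ApprovedMembers $Approved
$report | Format-Table -AutoSize

# Preview removal of unapproved members; drop -WhatIf once the report is trusted.
$report | Where-Object { -not $_.Approved } | ForEach-Object {
    Remove-LocalGroupMember -Group 'Administrators' -Member $_.Member -WhatIf
}

# Domain-wide equivalent, including nested group members (requires the RSAT AD module):
# Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object SamAccountName, objectClass
```

Run from a central management tool on every workstation, the Approved = False rows are the accounts that were granted admin rights outside the policy, which is exactly the list the periodic re-evaluation should start from.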
Patch operating systems
Use the latest supported operating system version available (and certainly don’t use unsupported versions, which no longer receive security fixes at all). When ‘extreme risk’ vulnerabilities are identified and patches released, patch within 48 hours. Just like applications, out-of-date and unpatched operating systems make a system more vulnerable to malicious activity, and operating system flaws are often what lets an attacker escalate from a single compromised user account to full control of the machine.
Implementation: Set up a policy for operating system patches that includes how often operating systems should be reviewed and patches applied (for the regular patches as opposed to the extreme risk ones, which should be applied within 48 hours). Use a central patch management tool so you’re not individually patching every machine, and so you can report on which machines are behind. And don’t forget other operating systems, such as anything on your network (e.g. printers), IoT devices and smartphones.
Read more information from the ACSC on assessing security vulnerabilities and applying patches.
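As an added example (not code from the ACSC or from the original article), the following PowerShell asks the Windows Update Agent which updates are applicable to the machine but not yet installed, and flags those Microsoft rates Critical that have been available for longer than the 48-hour window. Because Windows Update also delivers Microsoft Office patches, the same check serves the ‘patch applications’ section above for Microsoft software; third-party applications need their own inventory. The SLA hours and the severity list are assumptions you would set from your own policy.

```powershell
# Added example: find pending updates that are outside the patching SLA.
# Not from the ACSC or the original article; SLA and severities are policy assumptions.

function Get-PatchSlaBreaches {
    param(
        [int]$SlaHours = 48,                       # Essential Eight window for extreme-risk patches
        [string[]]$Severities = @('Critical')      # Microsoft MSRC rating; add 'Important' if policy says so
    )
    # The Windows Update Agent COM API works against Microsoft Update or your WSUS server.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Applicable updates that are not installed and not hidden by an administrator.
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $now      = Get-Date

    foreach ($u in $result.Updates) {
        # LastDeploymentChangeTime is when the update was (last) published to this
        # update source, which is the clock the SLA runs from.
        $age = $now - $u.LastDeploymentChangeTime
        [pscustomobject]@{
            KB           = (@($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
            Severity     = $u.MsrcSeverity                    # Critical / Important / Moderate / Low / empty
            AvailableHrs = [math]::Round($age.TotalHours, 1)
            SlaBreach    = ($Severities -contains $u.MsrcSeverity) -and ($age.TotalHours -gt $SlaHours)
            Title        = $u.Title
        }
    }
}

$pending = Get-PatchSlaBreaches
$pending | Sort-Object SlaBreach -Descending | Format-Table KB, Severity, AvailableHrs, SlaBreach, Title -AutoSize

# Non-zero exit when anything is overdue, so a scheduled run can raise a monitoring alert.
if ($pending | Where-Object SlaBreach) { exit 1 }
```

This is a per-machine check; at scale the same question should be answered from your patch management tool’s reporting, but running it on a sample of machines is a quick way to confirm that what the tool reports matches what the endpoints actually see.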
Multi-factor authentication
Multi-factor authentication means users need to provide more than one form of evidence of who they are before they can access a system. The first ‘factor’ is something you know (your username and password); multi-factor authentication adds a second factor from a different category, usually something you have, such as a code from a mobile authenticator app, a smart card or a hardware token, or a code sent by SMS. A stolen or phished password is then not enough on its own. The factors are not all equal: SMS codes are the weakest option, because phone numbers can be hijacked and messages intercepted, so prefer authenticator apps or hardware tokens where you can. Multi-factor authentication should be used for all remote access, for privileged (administrator) actions and when users access sensitive data.
Implementation: Once you’ve implemented a strong username and password system, you can look at adding the next layer of security. At this stage, think about which systems need multi-factor authentication (e.g. all remote access such as VPNs and webmail, and all administrator logins) and investigate your options before deciding on the type of multi-factor authentication to use.
Read more information from the ACSC on multi-factor authentication.
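As an added example (not code from the ACSC or from the original article), this PowerShell shows how the ‘mobile app’ factor mentioned above actually works: a time-based one-time password (TOTP, RFC 6238) is an HMAC-SHA1 over the current 30-second time step, truncated to six digits, and the server recomputes it from the same shared secret. The secret and timestamp are the RFC’s published test vector so the output can be checked by hand; the code illustrates the mechanism and is not a production authentication library.

```powershell
# Added example: generate and verify RFC 6238 TOTP codes.
# Not from the ACSC or the original article; uses the RFC test key, not a real secret.

function ConvertFrom-Base32 {
    # Authenticator apps receive the shared secret as base32 (RFC 4648, no padding needed).
    param([string]$Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = -join ($Text.ToUpperInvariant().TrimEnd('=').ToCharArray() | ForEach-Object {
        [Convert]::ToString($alphabet.IndexOf($_), 2).PadLeft(5, '0') })
    $bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2) }
    return [byte[]]$bytes
}

function Get-HotpCode {
    # RFC 4226 HOTP: HMAC-SHA1(key, counter) with dynamic truncation.
    param([byte[]]$Key, [long]$Counter, [int]$Digits = 6)
    $msg = [BitConverter]::GetBytes($Counter)                          # 8-byte counter ...
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }     # ... in big-endian order
    $hmac = New-Object -TypeName System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Key)
    $hash = $hmac.ComputeHash($msg)
    $offset = [int]($hash[19]) -band 0x0F                              # low nibble of last byte
    $code = (([int]($hash[$offset]) -band 0x7F) -shl 24) -bor
            ([int]($hash[$offset + 1]) -shl 16) -bor
            ([int]($hash[$offset + 2]) -shl 8) -bor
            [int]($hash[$offset + 3])
    return ($code % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

function Get-TotpCode {
    # RFC 6238: the counter is the number of 30-second steps since the Unix epoch.
    param([string]$Base32Secret, [long]$UnixTime, [int]$Step = 30)
    Get-HotpCode -Key (ConvertFrom-Base32 $Base32Secret) -Counter ([math]::Floor($UnixTime / $Step))
}

function Test-TotpCode {
    # Server-side check: accept the current step and one step either side for clock drift.
    # A real server would also rate-limit attempts and reject a code that was already used.
    param([string]$Base32Secret, [string]$Code, [long]$UnixTime, [int]$Step = 30, [int]$Window = 1)
    $key   = ConvertFrom-Base32 $Base32Secret
    $step0 = [math]::Floor($UnixTime / $Step)
    foreach ($delta in (-$Window)..$Window) {
        if ((Get-HotpCode -Key $key -Counter ($step0 + $delta)) -eq $Code) { return $true }
    }
    return $false
}

# RFC 6238 test vector: key "12345678901234567890" (base32 below) at Unix time 59
# gives 94287082 with 8 digits, i.e. 287082 with the usual 6.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
Get-TotpCode  -Base32Secret $secret -UnixTime 59                 # 287082
Test-TotpCode -Base32Secret $secret -Code '287082' -UnixTime 59  # True
Test-TotpCode -Base32Secret $secret -Code '000000' -UnixTime 59  # False
```

The security of the scheme rests entirely on the shared secret staying on the user’s device and on the server, which is why enrolment QR codes should be treated as secrets, and why the ±1 step window should not be widened to paper over badly synchronised clocks.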
Daily backups
Daily backups of all important data (or at least of everything new or changed since the last backup) ensure your data is still available in the event of a cyber incident. You probably already have a system in place for backups to protect against hardware failure or accidental deletion, but with the Essential Eight in mind it’s a good idea to review it with ransomware in view: the backup copies must be stored somewhere a compromised user account or machine can’t reach and encrypt (offline, or on a system with separate credentials), be retained for at least three months, and be restored as a test regularly, because an untested backup is only a hope.
Implementation: First of all, work out who’s responsible for your data and whether it’s stored on-premises, hosted or in the cloud (a cloud service does not automatically keep backups you can restore from). Next, decide if you’ll back up all data daily, or at specific intervals (e.g. you might do a weekly full backup with a daily backup of only changed or essential items), and how long each copy is kept.
If you haven’t already got one, write a disaster recovery plan that sets out what happens in the event of a cyber incident or other disaster, including who restores what, from where, and in what order.
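As an added example (not code from the ACSC or from the original article), this PowerShell is a daily backup job built around the point above that a backup is only useful if it restores: it hashes every file, archives the set, extracts the archive to a scratch location and compares every hash, and only then prunes copies older than the retention period. The source and destination paths are assumptions. Compress-Archive is used only to keep the example self-contained (it has a 2 GB limit and does not preserve NTFS permissions); the manifest-and-restore-test pattern is the part to carry over to whatever backup product you use.

```powershell
# Added example: a backup job that proves each day's copy restores before trusting it.
# Not from the ACSC or the original article; paths and retention are assumptions.

function New-VerifiedBackup {
    param(
        [Parameter(Mandatory)][string]$SourcePath,
        [Parameter(Mandatory)][string]$BackupRoot,
        [int]$KeepDays = 90                       # roughly the three months the ACSC recommends
    )
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
    $archive  = Join-Path $BackupRoot "backup-$stamp.zip"
    $manifest = Join-Path $BackupRoot "backup-$stamp.sha256.csv"
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

    # 1. Hash every file before it is archived; the restore test compares against this.
    $root   = $SourcePath.TrimEnd('\')
    $hashes = Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    $hashes | Export-Csv -Path $manifest -NoTypeInformation

    # 2. Create the archive.
    Compress-Archive -Path (Join-Path $root '*') -DestinationPath $archive -CompressionLevel Optimal

    # 3. Restore test: extract to scratch space and verify every file against the manifest.
    $scratch = Join-Path $env:TEMP "restore-test-$stamp"
    Expand-Archive -Path $archive -DestinationPath $scratch
    $failures = foreach ($h in $hashes) {
        $restored = Join-Path $scratch $h.RelativePath
        if (-not (Test-Path -Path $restored) -or
            (Get-FileHash -Path $restored -Algorithm SHA256).Hash -ne $h.Sha256) { $h.RelativePath }
    }
    Remove-Item -Path $scratch -Recurse -Force

    # 4. Apply retention only when today's copy verified; never delete history after a failure.
    if (-not $failures) {
        Get-ChildItem -Path $BackupRoot -Filter 'backup-*' |
            Where-Object LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) |
            Remove-Item -Force
    }

    [pscustomobject]@{
        Archive  = $archive
        Files    = @($hashes).Count
        Verified = (-not $failures)
        Failures = @($failures)
    }
}

# Run daily from Task Scheduler under an account that can write to the backup share but
# that ordinary users and their malware cannot; a non-zero exit surfaces in monitoring.
$result = New-VerifiedBackup -SourcePath 'D:\Shares\Finance' -BackupRoot '\\backup01\daily\finance'
$result | Format-List
if (-not $result.Verified) { exit 1 }
```

The credential separation in the last comment is what makes the copy survive ransomware: if the user whose workstation is encrypted can write to the backup share, so can the ransomware.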
Essential Eight and Information Security Registered Assessors Program (IRAP) certification
IRAP provides security assessment services to government, to ensure government ICT meets required security levels. An IRAP assessment, and accreditation, may be part of a new digital solution. For example, the new GovCMS solution that Salsa is building with the Department of Finance (GovCMS Announcement) will be IRAP certified to UNCLASSIFIED level initially and ultimately to UNCLASSIFIED-DLM.
There is a logical mapping between the ISM controls that IRAP assessors test against and the Essential Eight. Moreover, the controls that implement the Essential Eight are a small but important subset of the ISM controls an IRAP assessment covers. Complying with the Essential Eight does not by itself achieve IRAP certification, but it does cover a core set of controls that form part of the broader IRAP assessment.
The Australian Government Information Security Manual (ISM) contains a table that maps the Essential Eight to the Controls (on page 123 of the Manual). The Essential Eight and the Controls they map to are:
Application whitelisting – Controls 0845, 0957, 1413
Patch applications – Controls 0297, 0298, 1467
Configure Microsoft Office macro settings – Control 1411
Application hardening – Controls 1409, 1411, 1412
Restrict administrative privileges – Controls 0407, 0446, 0447, 0448
Patch operating systems – Controls 0297, 0298, 1407
Multi-factor authentication – Controls 0974, 1039, 1173, 1357, 1384, 1401
Daily backups – Controls 0118, 0119
You can find out more about each control in the ISM.
In addition to the Australian Government Information Security Manual (ISM) and the links to further information above, you may also be interested in the ACSC’s Strategies to Mitigate Cyber Security Incidents.