All You Need to Know About the Essential Eight Maturity Model
With Australian organisations encouraged to urgently adopt an enhanced cybersecurity posture, organisations should ensure regulatory compliance and put in place mitigation strategies against cyber-attacks, as well as be prepared to identify and respond to cybersecurity incidents. Whilst no mitigation strategy can offer full security against all cyber threats, it is recommended to implement eight essential mitigation strategies from the Australian Cyber Security Centre (ACSC).
The Essential Eight (E8) is an Australian cybersecurity framework by the Australian Signals Directorate (ASD) aimed at protecting Australian businesses. The E8 is a prioritised subset of the ACSC’s Strategies to Mitigate Cyber Security Incidents and outlines the eight most necessary mitigation strategies. As a benchmark and widely used guideline, the Essential Eight helps businesses to mitigate cybersecurity incidents and make it more difficult for cybercriminals to compromise systems.
WHAT ARE THE MITIGATION STRATEGIES?
Compliance with the Essential Eight mitigation strategies helps reduce the risk of malware delivery and execution, limit the extent of cybersecurity incidents, and recover data and system availability. The following outlines briefly each of the eight mitigation strategies along with their rationale:
- Application Control
The first, and arguably most important, of the eight defined strategies aims to prevent the execution of unapproved/malicious programs. Following initial access through methods such as phishing, the execution of programs including .exe, DLL, scripts, and installers is associated with a considerable number of threats. Appropriately configured application control helps to stop the execution of such software, regardless of how it got there.
- Application Patching
Another common method of initial compromise leverages weaknesses in applications that are accessible to the external internet. That being said, most software vendors provide updates and patches for publicly identified vulnerabilities. Businesses should use the latest versions of applications and patch all applications that are public-facing, including server applications and web server software that store important data. ACSC guidance is available for a risk management approach to applying patches based on the severity of security vulnerabilities. Unpatched security vulnerabilities in software which are considered ‘extreme risk’, can be exploited by cybercriminals through execution of malicious code resulting in significant consequences for any business.
- Configure Microsoft Office Macro Settings
Adversaries often use Microsoft Office macros in an attempt to run malicious code while avoiding standard email content filtering and application control. To avoid this, businesses should configure Microsoft Office macro settings to block macros from the internet. This way, only vetted macros in trusted locations, with limited write access or with trusted certificates will be allowed. It is strongly recommended to implement the macro security configuration settings through Microsoft Group Policy to prohibit end users from altering them to run a malicious or unapproved macro.
- User Application Hardening
The ACSC advises hardening end-point systems by locking down, uninstalling, and disabling unrequired features. Web browsers should be configured to block Flash, internet advertisements, and untrusted Java code. Meanwhile, unnecessary features in Microsoft Office, web browser, and PDF viewers should be disabled. As well as reducing the attack surface, application hardening helps to prevent adversaries from using malicious content to evade application control and patching.
- Restrict Administrative Privileges
Adversaries and cybercriminals use accounts with administrative privileges to gain access to information and systems, so the consequences of a compromise are greatly reduced if users have low privileges. Administrator privileges should be restricted based on user duties, with regular audits to revalidate them. In addition, privileged accounts shouldn’t be used for activities outside their intended purpose, such as reading emails or web browsing.
- Patch Operating Systems
Security vulnerabilities in operating systems can enable adversaries to elevate their privileges and further compromise systems. The ACSC advises that all computers, including network devices, with ‘extreme risk’ vulnerabilities, should be patched or mitigated within 48 hours. The latest operating system version should be used at all times as they typically incorporate additional security technologies i.e., using a 64-bit version of Microsoft Windows instead of a 32-bit version. You can refer to the implementation guidance used for “Application Patching”
- Multi-Factor Authentication
Multi-factor authentication (MFA) can make it significantly harder for cybercriminals to gain access by adding more steps to the authorisation process. MFA is essential for VPNs, RDP, SSH and other remote access capabilities as well as for all users when they perform privileged access or access an important data repository. Different types of MFA tools include a physically separate token, smart card, and/or a software-based certificate. It is recommended that you evaluate the most secure option for your organisation depending on its use and implementation.
- Regular Backups
Regular backups and a proven data restoration process are vital to ensure data can be accessed and recovered after a cybersecurity incident. The ACSC recommends regular backups of important data, software, and configuration settings, with offsite or disconnected storage and retention for at least three months. Having backups stored offline ensures cyber threats such as ransomware can’t encrypt, corrupt, or delete backups as it is not easily accessible. The backup process should also be tested annually and whenever there are significant IT infrastructure changes.
For more in-depth information and mitigation guidance on these strategies, click here.
THE ESSENTIAL EIGHT MATURITY MODEL
To support the implementation of The Essential Eight, The Essential Eight Maturity Model helps organisations to identify a target maturity level that is suitable for their environment. Businesses should then progressively implement each level across all eight mitigation strategies until that target is achieved. To assist in implementation, four maturity levels have been defined:
Maturity Level Zero - this level signifies that there are weaknesses in an organisations’ overall cybersecurity posture that could facilitate the compromise of the confidentiality of their data or the integrity or availability of their systems and data.
Maturity Level One - the main focal point of this level are cybercriminals who opportunistically seek common weakness in multiple targets rather than focusing on one specific target. They employ common techniques to trick users into weakening the security of a system and then launch malicious applications.
Maturity Level Two - this level focuses on cybercriminals with increased capabilities from level one. Attacks will be more targeted and will use advanced tools to bypass security controls. Tools and techniques in their arsenal include compromising credentials using phishing, implementing technical and social engineering to bypass weak MFA.
Maturity Level Three - this level are cybercriminals who are more sophisticated and do not rely on conventional tools and techniques. They exploit weaknesses in their victim’s security posture to amplify their access, avoid detection, and gain a strong foothold on the system. Generally, cybercriminals will concentrate on particular targets and are willing to invest time and effort into bypassing particular policies and controls.
It’s worth noting that, while the aim should be to reach Maturity Level Three, it does not guarantee that this will not prevent those willing and able to invest enough time, money, and effort to compromise your business. Organisations should still consider the remainder of the mitigation strategies to further bolster their security.
If you like to find out more detail on the requirements for each Maturity Level, click here.
CONDUCTING A MATURITY ASSESSMENT
The Essential Eight is an excellent resource and framework that all businesses should reference. Whilst it doesn’t guarantee to protect against all threats, it does outline a minimum set of preventative measures, which organisations should build upon to protect their environment. We strongly advise that organisations review the Essential Eight and prioritise closing any lingering gaps in their Essential Eight maturity. Cybersecurity awareness is an essential part of maturity level development. If your staff need training in cybersecurity awareness, our passionate experts can help.
If you would like to conduct a maturity assessment against the Essential Eight, contact the InfoTrust team today.
see our
Related resources
Mimecast recently released its State of Email Security Report for 2021. The fifth edition of its annual report used interviews with over twelve hundred of information technology and cybersecurity professionals across the globe to gather vital cybersecurity insights. The report offers an insight into the latest email threats along with advice on how to build cyber resilience and mitigate the risks of email-borne attacks.
Cyber attacks and data breaches have been commonplace in the news headlines for some time now. Although a warning from the media is certainly helpful, there is so much more that can be done when it comes to threat intelligence sharing. Threat intelligence sharing is an important part of the global cybersecurity community effort to tackle cybercrime and should form a part of every organisation’s cybersecurity strategy. Sharing cyber threat intelligence enables organisations to make informed decisions about their cybersecurity, building more effective and robust cyber defences.
One of my favourite annual reports to read is the Verizon Data Breach Investigations Report. It’s packed full of insights about the threat landscape and security leaders, in my opinion, should read this report to get a pulse on what’s happening in cyber-scape.
After all, as cyber leaders, we are here to stop breaches – so the insights gained from real cyber incidents and breaches is gold in learning how to tighten up our defences.
All businesses, large and small, are under increasing pressure to demonstrate that they are managing the risk of cyberattacks. This means having the right processes and controls in place to identify risks and vulnerabilities, protect information, as well as detect, respond, and recover in the event of cybersecurity incidents. As such, many businesses are turning to certification authorities and security frameworks to demonstrate privacy and security best practice and achieve compliance with regulatory bodies. System and Organisation Controls (SOC 2) is one such compliance framework that can help organisations to create a structured approach to cybersecurity.
Frost & Sullivan has recently released its 2021 Frost Radar: Email Security report, where its findings provide a benchmarking framework to help businesses protect their email from cyber threats.
As we operate in an increasingly digital world, every business collect, store, and share more and more data. And, amongst that data is personal information. With the OAIC marking this year’s Privacy Awareness Week (PAW) from Monday 3 May to Sunday 9 May 2021, it’s time for us all to review how we protect our customers’ personal information.
We're Here To Help