All You Need to Know About the Essential Eight Maturity Model
Australian organisations have been encouraged to urgently adopt an enhanced cybersecurity posture, so they should ensure they have mitigation strategies in place against cyber-attacks and are prepared to identify and respond to cybersecurity incidents. Whilst no mitigation strategy can offer full protection against all cyber threats, the Australian Cyber Security Centre (ACSC) recommends that every organisation implement eight essential mitigation strategies as a baseline.
The Essential Eight (E8) is an Australian cybersecurity framework published by the ACSC, part of the Australian Signals Directorate (ASD), aimed at protecting Australian organisations. The E8 is a prioritised subset of the ACSC's Strategies to Mitigate Cyber Security Incidents and sets out the eight mitigation strategies the ACSC considers most effective. As a benchmark and widely used guideline, the Essential Eight helps organisations mitigate cybersecurity incidents and makes it more difficult for adversaries to compromise their systems.
What are the Mitigation Strategies?
The Essential Eight mitigation strategies aim to prevent malware delivery and execution, limit the extent of cybersecurity incidents, and recover data and system availability after an incident. Each of the eight strategies is outlined briefly below, along with its rationale:
1. Application Control
The first, and arguably most important, of the eight strategies aims to prevent the execution of unapproved or malicious programs. Following initial access through methods such as phishing, a considerable number of threats depend on executing code on the endpoint: executables (.exe), software libraries (DLLs), scripts, installers and, in the current Maturity Model, compiled HTML, HTML applications and control panel applets. Appropriately configured application control (an allowlist of approved publishers, paths or hashes that is enforced rather than merely audited) stops such software from running regardless of how it arrived. It matters most in the user-writable locations where downloaded and emailed payloads land: user profiles and the temporary folders used by the operating system, web browsers and email clients.
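The check a practitioner wants after reading the above is whether the application control policy actually in force covers every file type named and is enforcing rather than auditing. The following PowerShell script is an added example, not code from the ACSC or the original article. It reads the effective AppLocker policy on the local host and reports, for each rule collection the Essential Eight file types map to, whether it exists, its enforcement mode and its rule count. It assumes Windows PowerShell 5.1 with the AppLocker module on an edition that supports AppLocker; the file type mapping and the four required collections are this example's own assumptions, and Windows Defender Application Control (WDAC) policies are not inspected.

```powershell
# Added example (not from the ACSC or the article): audit the effective AppLocker
# policy against the file types the Essential Eight expects application control to
# cover. Assumes Windows PowerShell 5.1 and the AppLocker module. WDAC is not checked.

# AppLocker rule collections mapped to the E8 file types they govern (assumption:
# these four are treated as mandatory). Compiled HTML (.chm), HTML applications
# (.hta) and control panel applets (.cpl) have no dedicated collection and need
# separate handling, which is a gap this audit deliberately calls out.
$RequiredCollections = [ordered]@{
    Exe    = 'Executables (.exe, .com)'
    Dll    = 'Software libraries (.dll, .ocx)'
    Script = 'Scripts (.ps1, .bat, .cmd, .vbs, .js)'
    Msi    = 'Installers (.msi, .msp, .mst)'
}

function Get-AppLockerCoverage {
    # Returns one object per required collection with its enforcement status.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml

    # Index the collections present in the effective policy by their Type attribute.
    # An empty policy has no RuleCollection elements, so guard against $null.
    $byType = @{}
    foreach ($rc in @($policy.AppLockerPolicy.RuleCollection)) {
        if ($null -ne $rc) { $byType[$rc.Type] = $rc }
    }

    foreach ($type in $RequiredCollections.Keys) {
        $rc = $byType[$type]
        if ($null -eq $rc) {
            $mode  = 'Missing'
            $rules = 0
        } else {
            # EnforcementMode is "Enabled", "AuditOnly" or "NotConfigured".
            $mode  = if ($rc.EnforcementMode) { $rc.EnforcementMode } else { 'NotConfigured' }
            # Child elements are the FilePath/FilePublisher/FileHash rules.
            $rules = $rc.SelectNodes('*').Count
        }
        [pscustomobject]@{
            Collection = $type
            Covers     = $RequiredCollections[$type]
            Mode       = $mode
            Rules      = $rules
            # Only an enforced collection with at least one rule blocks anything;
            # AuditOnly logs violations but lets the file run.
            Enforced   = ($mode -eq 'Enabled' -and $rules -gt 0)
        }
    }
}

# AppLocker rules have no effect unless the Application Identity service is running.
$appIdSvc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if ($null -eq $appIdSvc -or $appIdSvc.Status -ne 'Running') {
    Write-Warning 'Application Identity service (AppIDSvc) is not running; AppLocker rules are not enforced.'
}

$coverage = Get-AppLockerCoverage
$coverage | Format-Table -AutoSize

$gaps = @($coverage | Where-Object { -not $_.Enforced })
if ($gaps.Count -gt 0) {
    $summary = ($gaps | ForEach-Object { "$($_.Collection) [$($_.Mode), $($_.Rules) rules]" }) -join ', '
    Write-Warning "Application control gaps: $summary"
} else {
    Write-Host 'All required AppLocker rule collections are enforced with at least one rule.'
}
Write-Host 'Not covered by AppLocker collections: compiled HTML (.chm), HTML applications (.hta), control panel applets (.cpl).'
```

Run it in an elevated Windows PowerShell session on a representative workstation after Group Policy has applied. A collection reported as AuditOnly is the most common finding in practice: the policy looks complete in the console but, as the rationale above stresses, it blocks nothing until enforcement is switched on.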
2. Application Patching
Another common method of initial compromise exploits vulnerabilities in applications, particularly those exposed to the internet, for which the vendor has already published a fix. Businesses should run supported versions of their software and promptly patch internet-facing services, server software and the common workstation applications that handle untrusted content (office suites, web browsers and their extensions, email clients, PDF software and security products). The ACSC publishes guidance on a risk management approach to patching based on the severity of the vulnerability, with the shortest timeframe (48 hours) for vulnerabilities assessed as 'extreme risk' or for which a working exploit exists. Left unpatched, such vulnerabilities allow adversaries to execute malicious code, with significant consequences for any business.
3. Configure Microsoft Office Macro Settings
Adversaries often use Microsoft Office macros to run malicious code while evading standard email content filtering and application control. To counter this, businesses should disable macros for users who have no demonstrated business requirement for them, block macros in files that originated from the internet, and have antivirus scan any macros that remain allowed. Where macros are still needed, only vetted macros stored in trusted locations with limited write access, or macros signed by a trusted publisher, should be allowed to run. It is strongly recommended to implement the macro security settings through Microsoft Group Policy so that end users cannot alter them to run a malicious or unapproved macro.
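The reason Group Policy is recommended above is that policy-delivered settings live under the HKCU\Software\Policies hive, which standard users cannot write to, so the Trust Center cannot be used to undo them. The following PowerShell script is an added example, not code from the ACSC or the original article: it audits, for the user it runs as, whether the two registry values that implement these settings are present and set to a compliant combination. It assumes Office 2016, 2019 or Microsoft 365 Apps (the "16.0" policy hive), that Group Policy has already applied to the current user, and an application list that is an assumption to be adjusted to what you deploy.

```powershell
# Added example (not from the ACSC or the article): audit the Group Policy registry
# values that implement the Essential Eight macro settings for the current user.
# Assumes Office 2016/2019/Microsoft 365 Apps (policy hive "16.0") and that Group
# Policy has applied. The application list is an assumption; adjust to your estate.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the policy is "Not Configured" (key or value absent), which leaves
    # the user in control of the setting via the Trust Center.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-OfficeMacroPolicyStatus {
    foreach ($app in $Apps) {
        # Values under HKCU\Software\Policies are written by Group Policy and are
        # read-only for standard users, so anything found here is locked down.
        $secKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"

        # "Block macros from running in Office files from the Internet": 1 = enabled.
        # Applies to files carrying the Mark-of-the-Web (downloads, email attachments).
        $blockInternet = Get-PolicyValue -Path $secKey -Name 'blockcontentexecutionfrominternet'

        # "VBA Macro Notification Settings": 1 = enable all macros,
        # 2 = disable with notification (user can click Enable), 3 = disable all
        # except digitally signed, 4 = disable all without notification.
        $vbaWarnings = Get-PolicyValue -Path $secKey -Name 'VBAWarnings'

        # Compliant if macros are disabled outright, or only signed macros may run
        # and internet-sourced files are blocked regardless of signature.
        $compliant = ($vbaWarnings -eq 4) -or ($vbaWarnings -eq 3 -and $blockInternet -eq 1)

        if ($vbaWarnings -eq 4)         { $detail = 'all macros disabled by policy' }
        elseif ($null -eq $vbaWarnings) { $detail = 'VBAWarnings not set by policy; user controls macro security' }
        elseif ($vbaWarnings -ne 3)     { $detail = 'user can enable unsigned macros (VBAWarnings is 1 or 2)' }
        elseif ($blockInternet -ne 1)   { $detail = 'signed macros only, but internet-sourced files are not blocked' }
        else                            { $detail = 'signed macros only; internet-sourced files blocked' }

        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = if ($null -eq $vbaWarnings) { 'NotConfigured' } else { $vbaWarnings }
            BlockInternet     = if ($null -eq $blockInternet) { 'NotConfigured' } else { $blockInternet }
            Compliant         = $compliant
            Detail            = $detail
        }
    }
}

$status = Get-OfficeMacroPolicyStatus
$status | Format-Table -AutoSize

$failing = @($status | Where-Object { -not $_.Compliant })
if ($failing.Count -gt 0) {
    Write-Warning ("Macro policy gaps in: " + (($failing | ForEach-Object { $_.Application }) -join ', '))
} else {
    Write-Host 'Macro settings are policy-enforced and compliant for all audited applications.'
}
```

Run it as an ordinary user on a domain-joined workstation rather than as an administrator, since the point is to confirm what the policy looks like from the seat of the person who receives the phishing email. A value that is correct in HKCU\Software\Microsoft\Office but absent from the Policies hive is a finding: the user set it, and the user can unset it.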
4. User Application Hardening
The ACSC advises hardening endpoint systems by locking down, uninstalling or disabling features that are not required. Web browsers should be configured to block web advertisements and Java code from the internet, and Adobe Flash, which reached end of life in December 2020, and Internet Explorer 11 should be removed or disabled rather than merely blocked. Unnecessary features in Microsoft Office, web browsers and PDF viewers should be disabled, and browser security settings should be locked so that users cannot change them. As well as reducing the attack surface, application hardening helps prevent adversaries from using malicious content to bypass application control and patching.
5. Restrict Administrative Privileges
Adversaries use accounts with administrative privileges to gain broad access to information and systems, so the consequences of a compromise are greatly reduced when everyday users hold only standard privileges. Administrative privileges should be validated when first requested, restricted to what a user's duties require, and revalidated through regular audits. Privileged accounts should not be used for activities outside their intended purpose, in particular reading email or browsing the web, and privileged users should work from separate privileged and unprivileged operating environments so that a compromised day-to-day session cannot be turned into administrative access.
6. Patch Operating Systems
Security vulnerabilities in operating systems can allow adversaries to elevate their privileges and further compromise systems. The ACSC advises that all computers, including network devices, with 'extreme risk' vulnerabilities should be patched or mitigated within 48 hours. The latest operating system version should be used, as newer versions typically incorporate additional security technologies (for example, a 64-bit version of Microsoft Windows rather than a 32-bit version), and operating systems no longer supported by their vendor should be replaced. The same risk-based implementation guidance described under "Application Patching" applies here.
7. Multi-Factor Authentication
Multi-factor authentication (MFA) makes it significantly harder for adversaries to gain access with stolen credentials, because a password alone no longer completes authentication. MFA is essential for VPNs, RDP, SSH and other remote access capabilities, for all users when they perform privileged actions or access an important data repository, and for third-party internet-facing services that hold your organisation's data. Factors range from SMS and email codes, through mobile authenticator apps, to physically separate hardware tokens, smart cards and software-based certificates. These are not equivalent: SMS codes and simple push approvals are susceptible to phishing and push-fatigue attacks, whereas phishing-resistant methods such as smart cards and FIDO2 security keys bind the authentication to the legitimate service. Evaluate the most secure option your organisation can practically deploy for each use case.
8. Regular Backups
Regular backups and a proven data restoration process are vital to ensuring data can be recovered after a cybersecurity incident. The ACSC recommends regular backups of important data, software and configuration settings, stored offsite or disconnected from the production network and retained for at least three months. Keeping backups offline, or otherwise unreachable from compromised systems and from unprivileged accounts, helps ensure that ransomware and other threats cannot encrypt, corrupt or delete them along with the live data. Restoration should be tested when backups are first implemented, at least annually and whenever there are significant changes to IT infrastructure, and the test should cover restoring systems and software, not only individual files.
For more in-depth information and mitigation guidance on these strategies, refer to the ACSC's Essential Eight publications.
The Essential Eight Maturity Model
To support implementation of the Essential Eight, the Essential Eight Maturity Model helps organisations identify a target maturity level that suits their environment and threat exposure. Because the eight strategies are designed to complement one another, organisations should then progressively implement each maturity level across all eight mitigation strategies together, rather than advancing one strategy far ahead of the others, until the target is achieved. Four maturity levels have been defined:
- Maturity Level Zero - signifies weaknesses in an organisation's overall cybersecurity posture that, if exploited, could compromise the confidentiality of its data or the integrity or availability of its systems and data.
- Maturity Level One - focuses on adversaries who opportunistically seek common weaknesses across many targets rather than concentrating on a specific one. They use publicly available tools and techniques, such as exploiting unpatched internet-facing services or tricking users into weakening a system's security and launching malicious applications.
- Maturity Level Two - focuses on adversaries with capabilities beyond Level One. Their attacks are more targeted and use more advanced tools to bypass security controls, including compromising credentials through phishing and using technical and social engineering techniques to bypass weak MFA.
- Maturity Level Three - focuses on adversaries who are more adaptive and do not rely on conventional tools and techniques. They exploit weaknesses in the victim's security posture to extend their access, avoid detection and establish a strong foothold. These adversaries typically concentrate on particular targets and are willing to invest time and effort in bypassing specific policies and controls.
It is worth noting that even Maturity Level Three does not stop adversaries willing and able to invest enough time, money and effort to compromise your organisation. Organisations should therefore also consider the remaining mitigation strategies in the ACSC's Strategies to Mitigate Cyber Security Incidents to further bolster their security.
The detailed requirements for each maturity level are set out in the ACSC's Essential Eight Maturity Model publication.
Conducting a Maturity Assessment
The Essential Eight is an excellent resource and framework that all businesses should reference. Whilst it does not guarantee protection against all threats, it does outline a minimum set of preventative measures that organisations should build upon to protect their environment. We strongly advise that organisations review the Essential Eight and prioritise closing any lingering gaps in their Essential Eight maturity.
If you would like to conduct a maturity assessment against the Essential Eight, we are providing a discounted session as part of our End of Financial Year Offer.