A Guide to the Essential 8 Cybersecurity Assessments
The increasing incidence of cyber attacks targeting organisations of all sizes in all sectors has highlighted the growing need to have the right cybersecurity measures in place. The methods behind many cyberattacks today are not new or innovative. Instead, the main trend is an increased rate and repetition of attacks.
Given the growth in the rate of attacks, the primary defence strategy is to get the security basics right. We base our assessments on the principals of the Essential 8 which are outlined by the Australian Cyber Security Centre (ACSC), making it a good foundation point for every organisation to commence assessing its security posture.
What is the Essential 8?
After careful analysis of cybersecurity incidents, the Australian Cyber Security Centre (ACSC) created a series of baseline strategies called The Essential 8 to help organisations mitigate or prevent cybersecurity incidents. Implementing these strategies as a minimum makes it much harder for bad actors to compromise IT systems. By prioritising the following 8 most basic mitigation strategies, the ACSC hopes organisations can better protect themselves and avoid disastrous outcomes caused by hacking and cyber attacks.
1. Application Control
This relates to the level of control and constraints you have over user applications and the ability for staff to execute unapproved and malicious programs on workstations. This includes .exe, DLL, scripts and installers.
2. Application Patching
Updating third-party applications quickly is essential for ensuring the latest security updates and patches are in place. For example, using the latest version of applications and patches of web browsers, Microsoft Office, Java and PDF viewers. This requires frequent use of vulnerability scanners to detect missing patches and updates as well as removing solutions that are no longer supported by their vendors.
3. Microsoft Office Macro Settings
This is the amount of freedom your users have to run macros in Microsoft Office applications. Most users should have macros blocked as default unless they have a specific organisational requirement. Only allow vetted macros, either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
4. User Application Hardening
Limitations should be placed on user applications. At its most basic, web browsers should block Flash, ads and Java, with users unable to change these settings. Disable unneeded features in Microsoft Office (such as OLE), and in web browsers and PDF viewers. Internet Explorer 11 should also be disabled.
5. Restrict Administrative Privileges
Tightly manage privileges and access to operating systems and applications based on user duties. This includes regularly revalidating requests for privileged access to systems and applications, blocking privileged accounts from accessing the internet and using separate operating environments for privileged and unprivileged users. Privileged accounts should not be used for reading email and browsing the web.
6. Operating System Patching
This focuses on keeping operating systems up to date to ensure that OS patches, updates, and security mitigations for internet-facing services are applied within two weeks of release. All computers and network devices with ‘extreme risk’ vulnerabilities should be patched within 48 hours. Vulnerability scanners should also be used to identify any missing patches, and any OS that is no longer vendor supported should be replaced.
7. Multi-Factor Authentication
Enforce MFA for all privileged access. Turn on MFA for VPNs, RDP, SSH and other remote access, and for all users when they access an important data repository. Maturity starts by enforcing MFA for all users before they access internet-facing services and third-party providers.
8. Daily Backup and Recovery Strategy
Perform daily backups of important new or changed data, software and configuration settings. All unprivileged accounts should be restricted to their own backup environments. Store backups disconnected from the Internet and retain them for at least three months. Test restoration initially, annually and whenever IT infrastructure changes.
Essential 8 Compliance Requirements
Organisations of all types and sizes can store sensitive data online. Cyberattacks can impact not just individual organisations that become compromised but customers, other organisations and members of the public. For this reason, organisations in Australia will likely soon be required to disclose their Essential 8 Maturity Level and demonstrate compliance with these basic preventative measures.
Your Essential 8 Maturity Level is measured based on how well defended you are against cyberattacks and how likely you are to be targeted:
The organisation has critical weaknesses in their overall cyber security, lacking dedicated cyber security defences and internal expertise or outside partners to protect themselves. Hackers can easily steal data or shut down business operations using widely available tools
The organisation has basic protection in place to guard against non targeted attacks using widely available tools. Level One organisations often have no reason to expect to be targeted by hackers and tend to get swept up in large-scale opportunistic attacks targeting a group of organisations using publicly-available exploits to gain control of internal systems.
The organisation has more sophisticated internal capabilities and external vendor and partner support due to their awareness of potential cyberthreats. These organisations are specific targets to hackers, who invest time and money into phishing and social engineering to bypass multi-factor authentication. Users with elevated privileges are often singled out and targeted by hackers who trick them into launching malicious applications that weaken an organisation’s cyber defences or allow full access to internal systems.
These organisations tend to be larger and more mature, with a robust internal IT security team as well as external vendors and partners logging, monitoring and patching security systems regularly. Hackers invest significant time and money to compromise these organisations and often use custom tools that make them much harder to detect and guard against through simple patching.
Different organisations ultimately require different strategies and solutions to ensure adequate cybersecurity. The best way to determine your path to compliance is to arrange an IT security assessment.
IT Security Assessments from Technetics
The IT security experts at Technetics can evaluate your current Essential 8 maturity level and help you implement the practices that ensure compliance with the guidelines. The Essential 8 are a set of critical controls organisations should maintain. However, they aren’t the only cybersecurity measures you should take. For example, the Essential 8 doesn’t include provisions for risk assessments or risk management.
Complying with the Essential 8 is a good starting point. But the best approach is to engage the team at Technetics to help you implement tailored, holistic cybersecurity strategies. Our initial security assessment enables us to identify any gaps in your existing security operations and devise a strategy for defending against cyber attacks before they occur.
Find out more about our IT security services or contact our team today to find out more about how to get started,