The Australian Signals Directorate’s (ASD) “Essential 8” techniques to reduce cyber security incidents are a collection of cyber security best practices that, when successfully followed, will provide your organisation with a baseline cyber security posture. The essential 8 extend upon the ‘Top 4’ mitigation methods, which have been compulsory for federal agencies since 2014 as part of the government’s Protective Security Policy Framework. According to ASD, applying the top four mitigation methods will prevent over 85 per cent of unauthorised intrusions. The eight essential mitigation strategies have been established to secure your data, apps, and users by preventing adversaries from introducing malware into your network and minimising the incident’s impact and the likelihood of data loss. Malware, which includes viruses, worms, ransomware, and spyware, can compromise or exfiltrate data, disrupt operations, and propagate across networks. It can result in operational disruptions, the loss of essential or sensitive data, and unwelcome publicity. And that can be costly.
The Essential Eight strategies.
Government agencies in Australia mandate the top four mitigation techniques. Here is a concise summary. First and foremost is application whitelisting. This feature restricts network execution to trusted programmes. For instance, games that are susceptible to virus attacks have no place on a government network. Two of the top 4 strategies concentrate on patching apps and operating systems. New vulnerabilities and exploits are discovered daily, and software companies are constantly releasing updates to address the issue. Keeping your software updated should be one of your most vital jobs. The last four essential eight measures for mitigating risk are not yet required. However, they are crucial for network security. Many government offices rely heavily on Web browsers and Microsoft Office macros as productive tools. Two of the eight essential strategies involve configuring browsers to prohibit the execution of unauthorised applications and strictly regulating the use of macros and user applications. Multi-factor authentication and daily backups round out the eight essential mitigation strategies list. Tokens, biometrics, and two-factor authentication are required to safeguard traffic beyond the firewall. And backups are crucial, especially for mitigating the effects of ransomware. Every agency, business, and home user should perform routine backups and have ‘Fullmetal’ restore and catastrophe recovery policies.
Why the Essential Eight?
Why yet another set of rules? There are numerous techniques for cyber security that can secure networks. These eight essential mitigation strategies were designed to give Australian government agencies a baseline of security operations that, when deployed and coordinated, can protect networks, users, applications, and data from all but the most persistent threats. The following points demonstrate the validity of various mitigating measures.
Defence in Depth
These strategies are intended to complement one another. They are all potent instruments for protecting individual network components and processes. Collectively, they constitute a multilevel approach that provides comprehensive protection, even if enemies can circumvent a single protective mechanism.
These tactics are neither “state of the art” nor “cutting edge.” All of them are tried and true. If these tactics are applied effectively, there is almost no danger involved. Indeed, performing backups of vital data has been a must for IT managers from the beginning. The primary advantage of the ASD essential 8 is that they establish a baseline cyber security posture and a measurable standard for meeting ASD recommendations.
With a very modest financial investment, the eight essential strategies can go a long way towards safeguarding your agencies from security breaches and possibly destructive viruses. While applying these measures may necessitate an investment of staff time and perhaps hardware/software changes, the associated expenses will be significantly less than those associated with cleaning up after a data breach.
While your organisation can apply these mitigation strategies ad hoc, there are numerous advantages to basing your security posture on a single holistic architecture. With a comprehensive security fabric, most security methods, such as whitelisting, patching, and admin rights, may be managed from a centralised panel. In addition, you will be able to apply consistent and appropriate policy enforcement across all users, applications, and devices, regardless of whether they are on-premise, remote, in the cloud, or a hybrid cloud.
Many risk mitigation techniques can be automated to decrease management costs while maintaining compliance. Most security solutions can be configured with thresholds and alerts to monitor network traffic, enabling rapid identification and investigation of any suspicious activity.
Application whitelisting.
Objective: Restricts execution to trusted applications.
Mitigates: Prevent malicious code from entering and executing on your network.
Facilitator: Solutions from vendors, firewall, configurations, permissions, and user training.
Application whitelisting restricts users to the applications explicitly permitted by your organisation’s acceptable usage policy (e.g., programmes, software libraries, scripts, and installers); anything not on the list is blocked.
Application whitelisting prevents unauthorised or harmful code from executing on a system, regardless of how the software was introduced (download from a website, email attachment, external storage device, etc.). Application whitelisting can also block the installation or usage of unauthorised apps, stopping the execution and distribution of harmful code.
Application whitelisting is governed by the selected vendor product, its configuration settings, and the permissions governing which folders a user (and thus malware running as that user) can write to and execute from. Some anti-malware or endpoint protection software provides application whitelisting features; note that anti-malware software from a different vendor may conflict with application whitelisting products.
An application whitelisting solution mustn’t replace existing antivirus and other internet security tools. Using different security solutions concurrently can contribute to an effective defence-in-depth strategy for preventing system compromise.
It is easier for an organisation to deploy application whitelisting if it has complete visibility into the applications installed on computers. Maintaining an inventory of installed software and executing a comprehensive change management strategy can provide such visibility.
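The inventory-driven approach above can be turned into a first AppLocker policy. The following is an added example (not code from the ASD guidance or from any vendor): it builds publisher and hash allow rules from the software already installed, writes the policy in audit-only mode so that nothing is blocked yet, and shows where the "would have been blocked" events land. It assumes a Windows edition that ships the AppLocker module, local administrator rights, and that the output path and the Downloads folder used for the spot-check are suitable for your environment.

```powershell
# Added example (not from the ASD page): build an AppLocker allow-list from the software
# already installed, in audit-only mode so the inventory can be reviewed before enforcement.
# Assumes Windows 10/11 Enterprise or Server with the AppLocker module and local admin rights.
$inventoryDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
$policyPath    = "$env:TEMP\applocker-audit.xml"   # assumed output location

# Collect publisher/hash information for every executable, DLL and script found.
$fileInfo = foreach ($dir in $inventoryDirs) {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
    }
}

# Prefer publisher (signature) rules; fall back to hash rules for unsigned files.
# -Optimize merges rules for the same publisher; -IgnoreMissingFileInformation skips
# files whose metadata cannot be read instead of aborting the whole run.
$policy = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
              -RuleNamePrefix 'Inventory' -Optimize -IgnoreMissingFileInformation

# Switch every rule collection to AuditOnly: executions are logged, not stopped.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.ToXml() | Out-File -FilePath $policyPath -Encoding UTF8

# Apply locally (use -Ldap to target a GPO instead).
Set-AppLockerPolicy -XmlPolicy $policyPath

# Spot-check: a recently downloaded executable should NOT be covered by the inventory rules.
$sample = Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -File |
    Select-Object -First 1
if ($sample) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample.FullName -User Everyone
}

# While in audit mode, event ID 8003 in the AppLocker log means "ran, but would have been
# blocked under enforcement"; review these before flipping EnforcementMode to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message
```

Leave the policy in audit mode for long enough to cover the organisation’s normal business cycle (month-end jobs, rarely used tools) before switching to enforcement.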
Patching applications.
Objective: Updates software to address vulnerabilities not previously identified (exploits)
Mitigates: Prevent malicious code from entering and running on your
Facilitator: Vendor-supplied software and vulnerability updates
Patching programmes and devices (as well as operating systems, approach number 4) is essential for ensuring the security of systems. According to ASD, this is one of the most effective security strategies organisations can implement.
Patching protects networks from vulnerabilities in programmes that were not previously recognised. Code that takes advantage of these vulnerabilities, known as exploits, allows adversaries to execute malicious code, which can seriously affect the organisation. Exploits are so readily available that adversaries can obtain them online, whether from open-source tools like the Metasploit Framework or from criminal exploit kits.
Time is crucial. ISM (Australian Government Information Security Manual) suggests that patches should ideally be applied within 48 hours of release. Utilise the most recent version when installing new apps, as they generally include security measures like sandboxing and other anti-exploitation capabilities. For some vendor apps, upgrading to the most current version is the only way to repair a security vulnerability.
For visibility into which software requires patching, maintain an inventory of software installed on every computer, including devices that may only rarely connect to the organisation’s network, such as spare or ageing workstations, field laptops, and handheld data collection devices.
Approximately 37% of global organisations said they were the victim of some form of a ransomware attack in 2021
Source: IDC’s “2021 Ransomware Study.”
Restrict administrative privileges.
Objective: Permits only authorised users to administer systems, instal applications, and apply updates.
Mitigates: Prevent unauthorised users and intruders from performing malicious actions.
Facilitator: System software and application configurations
Restricting administrator privileges makes it harder for an adversary to propagate harmful code throughout your network. According to ASD, administrative accounts are the keys to the empire, and you should never give them up. Suppose malware is activated within your network using an administrator account. In that case, it can escalate its privileges, spread to other hosts, conceal its existence, persist after a reboot, obtain sensitive data, and evade cleanup efforts.
Users having administrator access to operating systems and apps can make substantial modifications to their setup and operation, circumvent crucial security settings, and access sensitive data. Domain administrators have the same capabilities for a complete network domain, which often includes all workstations and servers. If opponents seize control of these capabilities, there is no limit to the devastation they can wreak.
The repercussions of a compromise are mitigated if users (and, by extension, malware acting on the user’s behalf) have insufficient privileges rather than administrative privileges.
In an environment with restricted administrative access, fewer users can make significant modifications to their operating environment, purposefully or unintentionally, making it more stable, predictable, and straightforward to administer and support.
Hint: For non-administrative or risky tasks (reading email, browsing the web), privileged users should use a separate unprivileged account and, preferably, a separate physical machine.
According to the survey, 81 per cent of respondents globally who suffered ransomware attacks reported that attackers could gain access to their organisation’s network through phishing emails or social media. Half said the attacker gained access through a drive-by-download caused by clicking on a compromised website, while 40 per cent stated that the attack came through infection via a botnet.
Patching operating systems.
Objective: Updates software to eliminate previously unknown vulnerabilities
Mitigates: Prevent malicious code from entering and executing on your network.
Facilitator: Operating system, firmware, and threat updates
To ensure the security of systems, it is crucial to apply patches (interim software upgrades) to operating systems and firmware (as well as applications, key method number two). According to ASD, this is one of the most effective security strategies organisations can implement.
Patching operating systems and firmware dramatically minimises the threat posed by zero-day attacks that exploit vulnerabilities to instal malware on your networks.
Organisations can respond quickly to security bulletins or patch releases by maintaining a streamlined patch management system. By doing so, organisations can drastically cut the time between discovering new security vulnerabilities, assessing them, and applying patches or interim workarounds as necessary.
Security flaws must be corrected as soon as feasible. Once a vulnerability in an operating system, application or device is made public, it may be assumed that adversaries will produce malicious code within 48 hours. In reality, there are situations in which adversaries have built dangerous code within hours of newly-discovered security vulnerabilities.
Always utilise the most recent version of operating systems, as they generally have additional security technology, such as anti-exploiting capabilities. Do not utilise operating system versions for which the vendor no longer supports patches for security vulnerabilities. In total, 108 zero-day exploits were discovered between July 2014 and June 2019. On average, each year, around 20 zero-day exploits are detected in the wild.
Disable Microsoft Office macro settings.
Objective: Disables or restricts Microsoft Office macro access.
Mitigates: Preventing macro-borne malware from entering the network
Facilitator: Configuration of Microsoft Office
Disabling or limiting Microsoft Office macros can prevent harmful code from entering your organisation’s network. Typically, compromised macros can circumvent standard email content filtering and application whitelisting.
Macros, embedded code written in the Visual Basic for Applications (VBA) programming language, are simple to build and significantly boost productivity. However, attackers can also write and disseminate macros to carry out various harmful actions. Internet-downloaded or out-of-date macros may contain vulnerabilities that can be exploited to get unauthorised access to sensitive data as part of a targeted cyber incursion.
To effectively control the usage of macros within an organisation, all macros developed by users or third parties must be vetted before being permitted for use. Organisations may effectively manage the risk associated with permitting macros in IT environments by understanding the business needs for macro usage and implementing the appropriate mitigation methods.
The optimal strategy is to block macros in files that originate from the internet and only permit macros that have been validated and are either stored in “trusted locations” with limited write access or digitally signed with a trusted certificate.
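The policy described above maps onto a handful of Office registry settings. The following is an added example (not code from the ASD page or from Microsoft): it blocks macros in internet-sourced files, allows only digitally signed macros elsewhere, registers one vetted folder as a trusted location, and then checks that standard users cannot write into that folder, since a writable trusted location defeats the control. It assumes Office 2016/365 (policy hive 16.0) and an assumed folder path for the vetted macro files; in production the same keys would be delivered by Group Policy.

```powershell
# Added example (not from the ASD page): configure the Office macro policy described above
# for Word, Excel and PowerPoint (Office 2016/365 policy hive "16.0"), then verify the
# trusted location cannot be written to by standard users.
$apps        = 'Word', 'Excel', 'PowerPoint'
$trustedPath = 'C:\OfficeMacros\Approved'      # assumed folder holding vetted macro files

foreach ($app in $apps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $sec -Force | Out-Null

    # Block macros in files carrying the Mark-of-the-Web (downloaded from the internet).
    Set-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -Value 1 -Type DWord

    # VBAWarnings 3 = disable all macros except digitally signed ones
    # (4 = disable all macros without notification, if signing is not used at all).
    Set-ItemProperty -Path $sec -Name VBAWarnings -Value 3 -Type DWord

    # Register the vetted folder as a policy-defined trusted location, subfolders excluded
    # so that nothing dropped below it inherits trust.
    $loc = "$sec\Trusted Locations\Location1"
    New-Item -Path $loc -Force | Out-Null
    Set-ItemProperty -Path $loc -Name Path            -Value $trustedPath -Type String
    Set-ItemProperty -Path $loc -Name AllowSubFolders -Value 0            -Type DWord
    Set-ItemProperty -Path $loc -Name Description     -Value 'Vetted macros only' -Type String
}

# A trusted location is only safe if ordinary users cannot place files in it.
# Flag any Allow ACE granting write, modify or full control to broad groups.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$risky = (Get-Acl -Path $trustedPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'BUILTIN\\Users|Authenticated Users|Everyone' -and
    ($_.FileSystemRights -band $writeMask)
}

if ($risky) {
    Write-Warning "Trusted location $trustedPath is writable by standard users:"
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize
} else {
    Write-Output "Trusted location $trustedPath is not writable by standard users."
}
```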
Harden user applications.
Objective: Access to potentially harmful online applications is blocked or restricted.
Mitigates: Prevent malicious software from entering your network.
Facilitator: System software, third-party, firewall and application configurations
Java, Flash, Adobe Acrobat and some Microsoft Office capabilities (such as OLE), while essential for many corporate tasks, can be used by malware or attackers to gain access to your network. Disabling these applications and blocking internet advertisements prevents attackers from exploiting these potentially disruptive tools. If your organisation needs these applications, you can limit access to them to the specific users who require them.
This mitigation method reduces the attack surface of user computers by a significant amount. It also helps prevent adversaries from employing harmful content to escape application whitelisting by abusing an application’s legitimate functionality or a security vulnerability for which there is no vendor patch.
Due to the frequent threat of adversaries utilising malicious advertising (malvertising) to compromise the integrity of legitimate websites, online advertisements should be discontinued. You can prevent them using web browser software and web content filtering at the gateway.
Concentrate on strengthening the configuration of web applications. Disallow Adobe Flash (preferably uninstall it), ActiveX, Java, Silverlight, and QuickTime for Windows in web browsers. Whitelist trustworthy websites that require web browser capabilities for a specific business purpose.
Microsoft provided a security update on August 11, 2021. This update included a patch for a vulnerability in the Netlogon protocol (CVE-2020-1472) identified by researchers at Secura. Initially, they did not publish any technical details, so the CVE in the security update did not receive due attention, but later it was given a maximum Common Vulnerability Scoring System (CVSS) score of 10, the highest possible.
Multi-factor authentication.
Objective: Adds a security layer to logins.
Mitigates: Unauthorised network access.
Facilitator: System software, third party, firewall and application configurations.
Multi-factor authentication is one of the most effective measures a company can instal to prevent an attacker from gaining access to a device or network and gaining access to sensitive data. Multi-factor authentication can make it substantially more difficult for an adversary to obtain genuine credentials and use them to support additional hostile activity on a network when adequately implemented.
All users who access equipment and sensitive information repositories, perform privileged actions, or access networks remotely should employ multi-factor authentication. Multi-factor authentication provides a secure mechanism that is less vulnerable to brute-force attacks than standard single-factor authentication methods such as passwords. It also makes it much more difficult for an adversary to steal a complete set of credentials: they need a second factor that the user either possesses (e.g., a physical token, smartcard, or software-based certificate) or is (e.g., a fingerprint or iris scan). Without the second factor, they are unable to continue.
Multi-factor authentication should ideally be implemented for all user logins, including workplace PCs. Occasionally, though, this is impractical. In these instances, ensure that passwords for remote access are distinct from office computer passwords. If a user with access to the organisation’s business network has been remotely compromised, attackers could use a stolen password to access the network drives.
Implement required multi-factor authentication for all administrative service accounts; for all other accounts that cannot use multi-factor authentication, use strong passwords with at least four random words, numbers, and special characters.
Microsoft has found that multi-factor authentication blocks 99.9 per cent of automated cyberattacks on Microsoft platforms, websites, and other online services. The latest Microsoft stats show that 99.9 per cent of compromised accounts did not use multi-factor authentication, and just 11 per cent of organisations use MFA overall.
Daily backups.
Objective: Offers an accurate, current, and recoverable copy of your data and customisations
Mitigates: Data corruption or loss resulting from ransomware.
Facilitator: Third-party vendors
Your data is your most valuable digital asset. Ensure the safety of your data with daily backups. Back up your software and configuration settings whenever they are modified. If possible, store backups offsite and retain them for three months, as recommended by the ISM. Test restores regularly.
Since ransomware, destructive software, and hostile insiders can encrypt, damage, or wipe easily accessible backups, they should be stored offline or otherwise separated from machines and the network.
Retain backups for at least three months or for as long as necessary to assure the availability of undamaged copies of files in the event of a cyber security incident. Implement a backup technique that minimises or, if possible, removes dependencies such that a file version can be restored even if others have been encrypted, corrupted, or deleted. Lastly, ensure that the organisation’s incident response procedure identifies and restores all deliberately modified or destroyed files.
Discourage or prevent users from keeping data on local storage media such as their computer’s hard disc or USB storage media, which are unlikely to be backed up; instead, encourage them to utilise corporate file servers and ASD-certified cloud services.
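The three requirements above (a backup every day, copies retained for at least three months, and proof that a file can actually be restored) can be audited from the backup media itself. The following is an added example, not code from the ASD page: it assumes snapshots are directories named yyyy-MM-dd under an assumed mount point of the offline backup media, that each snapshot mirrors an assumed live data tree, and it reports coverage gaps, retention depth and the result of a spot restore of one file from the oldest set.

```powershell
# Added example (not from the ASD page): audit a backup catalogue against "daily" and
# "retained for three months", then spot-check that a file from the oldest set restores.
# Assumes snapshot directories named yyyy-MM-dd under $backupRoot (backup media mounted
# read-only for this check) and that the daily job mirrors the $liveRoot tree.
param(
    [string]$backupRoot = 'E:\Backups',   # assumed mount point of the backup media
    [string]$liveRoot   = 'D:\Data',      # assumed source tree that is backed up
    [int]   $retainDays = 90              # ISM-recommended three months
)

$snapshots = @(Get-ChildItem -Path $backupRoot -Directory |
    Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}$' } |
    ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName
            Date = [datetime]::ParseExact($_.Name, 'yyyy-MM-dd', $null)
        }
    } | Sort-Object Date)
if ($snapshots.Count -eq 0) { throw "No dated snapshots found under $backupRoot" }

$today  = (Get-Date).Date
$newest = $snapshots[-1].Date
$oldest = $snapshots[0].Date

# 1. Daily coverage: every date inside the retention window should have a snapshot.
$missing = @(for ($d = $today.AddDays(-$retainDays); $d -le $today; $d = $d.AddDays(1)) {
    if ($d -notin $snapshots.Date) { $d.ToString('yyyy-MM-dd') }
})

# 2. Retention: the oldest snapshot must reach back at least $retainDays.
$retentionOk = ($today - $oldest).Days -ge $retainDays

# 3. Restorability: copy one file out of the OLDEST snapshot (the one most likely to be
#    on aged media), hash it, and compare with the live copy where that still exists.
$sample  = Get-ChildItem -Path $snapshots[0].Path -File -Recurse | Select-Object -First 1
$restore = Join-Path $env:TEMP ('restore-test-' + $sample.Name)
Copy-Item -Path $sample.FullName -Destination $restore -Force
$hash     = (Get-FileHash -Path $restore -Algorithm SHA256).Hash
$relative = $sample.FullName.Substring($snapshots[0].Path.Length).TrimStart('\')
$livePath = Join-Path $liveRoot $relative
$liveMatch = if (Test-Path $livePath) {
    (Get-FileHash -Path $livePath -Algorithm SHA256).Hash -eq $hash
} else { 'n/a (file changed or removed since that snapshot)' }

[pscustomobject]@{
    NewestSnapshot  = $newest.ToString('yyyy-MM-dd')
    StaleByDays     = ($today - $newest).Days   # 0 or 1 for a healthy daily job
    MissingDays     = $missing.Count            # gaps inside the retention window
    RetentionOk     = $retentionOk
    RestoredFile    = $sample.Name
    RestoredSHA256  = $hash
    MatchesLiveCopy = $liveMatch
}
```

A non-zero MissingDays or a StaleByDays above 1 means the daily job has silently failed; a failed restore, not a failed hash comparison, is the finding that matters most, since live files legitimately change.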
In Australia, it has been said that ransomware incidents cost the Australian economy as much as $2.59 billion annually, with organisations reportedly paying, on average, $250,000 per incident.
Source: Parliament of Australia
The ASD Essential 8 mitigation strategies, if implemented correctly as an integral part of your entire security fabric, offer a baseline cyber security posture for your agency, ensuring that your security defences function in concert to give baseline protection. You owe it to your stakeholders, users, and the general public to reassure them that you are doing everything possible to protect sensitive data and essential applications from prying eyes, leaks, and disruptions.
These guidelines offer you an excellent opportunity to carefully analyse your whole network architecture and ensure that each component is correctly configured and that you have implemented the fundamental security features and procedures to ensure business continuity.
The ASD’s eight essential mitigation strategies and its other twenty-nine provide an excellent guide for best security practices.
While the whole set of 37 techniques is not yet required, failure to embrace these principles could cause problems if your network is compromised because ASD advice was not followed. Governing boards in particular should be aware of these rules and check that they are being implemented or planned.
The Australian Signals Directorate has identified cyber security concerns and developed eight mitigation strategies. Are you taking every precaution to safeguard your organisation, personnel, data, and applications? You owe it to your stakeholders and the general public to establish and maintain these mitigation techniques.
If you’d like to discuss how implementing a framework like the ASD’s Essential Eight can benefit your organisation, contact us here.