[UPDATED 2021] Several recent high-profile cyberattacks have highlighted the growing need for organisations to pay attention to their cybersecurity posture. One in the USA saw a major oil pipeline shut down, causing a nation-wide shortage and an increase in fuel prices. Another attack targeted a global meatpacking firm, closing factories around the world and causing employment concern for around 11,000 Australian workers.
Research into these occurrences shows that neither of these attacks was political in nature. Instead, the threat actors were monetarily motivated – and thoroughly organised.
The current trend in cybercriminal activity is specialisation. One group might organise phishing attempts, another could specialise in malware or data mining, while a third could offer ransomware as a service. The solutions vary, but the point remains – the people involved are professionals.
The tools they use vary from publicly available hardware and software to bespoke programming that requires specialised skills to deploy effectively. However, an increasing trend seems to be the growth of the copy-paste attack.
Repetition fueling cyberattack growth
The methods observed in modern cyberattacks are not always new or innovative. Instead, they are more often a series of repeated attacks regularly used by cybercriminals. The difference is that these attacks are repeated over and over again, but on a scale rarely seen before by cybersecurity professionals. While it’s tempting to dismiss these cyberattacks as simple re-hashes of older methods and tactics, the fact is that repetition works – and specialisation makes them even more effective.
Given the growth in the rate of attacks, the primary defence strategy is to get the security basics right. After careful analysis, which included active incident response with some of the early victims, the Australian Cyber Security Centre (ACSC) has published a revised version of the Essential Eight Strategies to Mitigate Cyber Security Incidents (Essential 8).
What is the Essential 8?
The Essential 8 consists of eight essential mitigation strategies designed by the ACSC to help organisations mitigate or prevent cybersecurity incidents. These strategies cover three key areas – prevention, limitation, and recovery – ranked by maturity.
The eight components include:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
How does the Essential 8 measure cybersecurity?
The different strategies that make up the Essential 8 are measured according to the level of cybercriminal tradecraft they aim to mitigate.
The strategies are ranked across four maturity levels:
- Level 0 – indicates weaknesses in an organisation’s overall cybersecurity posture.
- Level 1 – mitigates commodity tradecraft that uses publicly available tools.
- Level 2 – mitigates adversaries who invest more time in a target and use more effective techniques.
- Level 3 – mitigates adversaries who are more adaptive and less reliant on public tools and methods.
Past iterations of the Essential 8 sought to have an organisation reach Maturity Level 3. In the latest release, however, the Essential 8 aims for an organisation to achieve a homogeneous maturity level across the prevention, limitation, and recovery sections before moving to the next level. Additionally, organisations are encouraged to focus on achieving a maturity level that makes sense for their risk management level.
The Essential 8 cybersecurity strategies
Here is a brief overview of the 8 mitigation strategies:
Application Control – This refers to the level of control and constraints you have over users’ applications. It involves stopping software libraries, scripts, installers, and other executables from running on workstations.
Patch Applications – This guideline refers explicitly to updating third-party applications. It focuses on applying security updates and patches as quickly as feasible. The strategies require frequent usage of vulnerability scanners to detect missing patches and updates, as well as removing solutions that are no longer supported by their vendors.
Configure Microsoft Office Macro Settings – This refers to the amount of freedom your users have to run macros in Microsoft Office applications. Most users would have macros blocked as default – unless they have a demonstrated business requirement.
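A practical way to confirm that macros really are blocked by policy is to audit the per-user Office policy keys rather than trusting the Trust Center dialog. The script below is an added example, not code from the original article or from First Focus: it parses a constructed .reg-style export of the Office Security policy keys and classifies each application. The key path and the value names VBAWarnings and blockcontentexecutionfrominternet are the real Office policy names; the sample export, the application list and the status labels are assumptions made for this example.

```python
"""Audit Microsoft Office macro policy values from a Registry export.

Added example (not from the original article or from First Focus).
It reads a constructed .reg-style export of the per-user Office policy
keys and reports, per application, whether macros are blocked in line
with the 'blocked by default' intent of the Essential 8 macro strategy.
"""
import re

# Meaning of the VBAWarnings policy value (Office "Macro Settings").
VBA_WARNINGS = {
    1: "enable all macros",
    2: "disable all macros with notification",
    3: "disable all except digitally signed macros",
    4: "disable all macros without notification",
}

# Constructed .reg export covering three Office applications (Outlook is
# deliberately absent so the audit shows what 'no policy at all' looks like).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000004
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security]
"VBAWarnings"=dword:00000003
"""

KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Office\\"
    r"(?P<ver>[\d.]+)\\(?P<app>\w+)\\Security\]$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {app: {value_name_lowercase: int}} for the Office Security keys."""
    policies = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = policies.setdefault(m.group("app"), {})
            continue
        if line.startswith("["):
            current = None  # some other key; ignore its values
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group("name").lower()] = int(m.group("hex"), 16)
    return policies


def assess_macro_policy(policies, apps=("Word", "Excel", "PowerPoint", "Outlook")):
    """Classify each application's macro posture (labels are this example's own).

    blocked     : VBAWarnings=4 and macros in internet-sourced files blocked
    signed_only : VBAWarnings=3 and macros in internet-sourced files blocked
    partial     : only one of the two controls is set by policy
    open        : neither control is set by policy (user can choose)
    """
    results = {}
    for app in apps:
        values = policies.get(app, {})
        warnings = values.get("vbawarnings")
        block_internet = values.get("blockcontentexecutionfrominternet") == 1
        if warnings == 4 and block_internet:
            status = "blocked"
        elif warnings == 3 and block_internet:
            status = "signed_only"
        elif warnings in (3, 4) or block_internet:
            status = "partial"
        else:
            status = "open"
        results[app] = {
            "status": status,
            "vbawarnings": VBA_WARNINGS.get(warnings, "not set by policy"),
            "block_internet": block_internet,
        }
    return results


def apps_needing_attention(text):
    """Applications whose macro policy is anything other than fully blocked."""
    assessment = assess_macro_policy(parse_reg_export(text))
    return sorted(app for app, r in assessment.items() if r["status"] != "blocked")


if __name__ == "__main__":
    for app, r in assess_macro_policy(parse_reg_export(SAMPLE_REG_EXPORT)).items():
        print(f"{app:<11} {r['status']:<12} {r['vbawarnings']}")
```

Running the script against the constructed export reports Word as blocked, Excel and PowerPoint as partial (notification-only, or no block on internet-sourced files) and Outlook as open because no policy key exists for it. In a real audit the export would come from the managed policy keys on a workstation, and an application with no policy key at all is the finding to chase first.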
User Application Hardening – This refers to the limitations in place on users’ applications. At its most basic, web browsers should not be able to process ads or Java content from the internet, Internet Explorer 11 should be disabled, and users should not be able to change these settings.
Restrict Administrative Privileges – This strategy involves managing users with administrative privileges. It involves validating requests for privileged access to systems and applications, blocking privileged accounts from accessing the internet, and using separate operating environments for privileged and unprivileged users.
Patch Operating Systems – This strategy focuses on keeping operating systems up to date. The main outcome is to ensure that OS patches, updates, and security mitigations for internet-facing services are applied within two weeks of release – or within 48 hours if an exploit exists. Vulnerability scanners should be used to identify any missing patches, and any OS that is no longer vendor supported should be replaced.
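Both patching strategies above come down to the same three decisions for every missing patch a vulnerability scanner reports: is the product still supported, does a public exploit shorten the deadline to 48 hours, and has the two-week window already passed? The script below is an added example, not code from the original article or from First Focus. It applies those timeframes to a constructed scanner export; the record fields, the host names and the patch references (KB-EXAMPLE-…, ADV-EXAMPLE-…) are placeholders assumed for this example.

```python
"""Classify missing patches against the Essential 8 patching timeframes.

Added example, not from the article or from First Focus. It applies the
two timeframes quoted in the article (two weeks from release, or 48 hours
when an exploit exists) to a constructed list of missing patches, and
flags software the vendor no longer supports for replacement.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DEADLINE_STANDARD = timedelta(days=14)   # "within two weeks of release"
DEADLINE_EXPLOITED = timedelta(hours=48)  # "within 48 hours if an exploit exists"


@dataclass
class MissingPatch:
    host: str
    product: str                   # operating system or third-party application
    patch_id: str                  # vendor reference (placeholder values below)
    released: datetime             # when the vendor published the fix
    exploit_public: bool           # a working exploit is known to exist
    vendor_supported: bool = True  # False -> product is end-of-life


def deadline_for(patch):
    """Date by which the patch must be applied under the Essential 8 window."""
    window = DEADLINE_EXPLOITED if patch.exploit_public else DEADLINE_STANDARD
    return patch.released + window


def classify(patch, now):
    """'replace_unsupported', 'overdue' or 'within_window' for one finding."""
    if not patch.vendor_supported:
        return "replace_unsupported"   # no patch will ever come; replace the OS/app
    return "overdue" if now > deadline_for(patch) else "within_window"


def report(patches, now):
    """Group scanner findings by the action the Essential 8 timeframe implies."""
    summary = {"overdue": [], "within_window": [], "replace_unsupported": []}
    for p in patches:
        summary[classify(p, now)].append(f"{p.host}:{p.product}:{p.patch_id}")
    return summary


# Constructed scanner output, as if exported at NOW.
NOW = datetime(2021, 7, 20, 9, 0)
SAMPLE_SCAN = [
    MissingPatch("web01", "Windows Server 2019", "KB-EXAMPLE-001",
                 datetime(2021, 7, 13), exploit_public=False),
    MissingPatch("web01", "Windows Server 2019", "KB-EXAMPLE-002",
                 datetime(2021, 7, 17), exploit_public=True),
    MissingPatch("mail01", "Example Mail Server", "ADV-EXAMPLE-003",
                 datetime(2021, 7, 1), exploit_public=False),
    MissingPatch("legacy01", "Windows Server 2008", "n/a",
                 datetime(2020, 1, 14), exploit_public=False, vendor_supported=False),
]

if __name__ == "__main__":
    for action, findings in report(SAMPLE_SCAN, NOW).items():
        print(f"{action}:")
        for f in findings:
            print(f"  {f}")
```

On the constructed data the exploited patch released three days ago is already overdue under the 48-hour rule even though the ordinary two-week window would still have been open, which is the distinction the strategy is built around; the unsupported server is reported separately because the only compliant action for it is replacement.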
Multi-Factor Authentication (MFA) – This section involves enforcing MFA for all privileged access. Maturity starts by enforcing MFA for all users before they access internet-facing services and third-party providers.
Daily Backups – This strategy involves ensuring critical systems and information are securely backed up and readily available. This flexible strategy requires organisations to back up important data, software, and configuration settings “in accordance with business continuity requirements”. All backup and restoration systems are tested, and unprivileged accounts are restricted to their own backup environments.
Do my organisation’s cybersecurity strategies already comply with the Essential 8?
Given the specific technical nature of the Essential 8 requirements, it is highly unlikely that organisations will reach their appropriate maturity level without dedicated effort.
The new strategies are aimed at getting organisations to achieve a blanket level of maturity across all sections. If your organisation already has these strategies in place in some areas and not in others, the focus should be on improving the maturity in those areas that are lagging.
Organisations are also encouraged to focus on achieving a maturity level that makes sense for the organisation’s risk management level. This usually means performing a risk audit in tandem with a cybersecurity audit.
Before advancing to the next maturity level, organisations need to understand the risks they face, the costs of addressing these risks, and the likely outcomes that could befall them should they fail.
If you are unsure if you currently meet the Essential 8 requirements for your risk profile, the answer is almost certainly no.
Which maturity level matches your risk management needs?
Different companies will require different solutions and strategies, so the best way to determine your path to compliance is to receive an IT security assessment. We can conduct one and help you evaluate your current maturity level in each strategy, then implement the practices that will help you remain in full accordance with the guidelines.
It’s also important to note that, although the Essential 8 are a set of critical technical controls that organisations should maintain, they aren’t the only cybersecurity measures that businesses should take. For example, they don’t include provisions for risk assessments or risk management methodology.
Complying with the Essential 8 is a good starting point for a business looking to protect its digital assets better, and we can help you on the journey to compliance. In addition, First Focus can also assist with more holistic cybersecurity strategies and offer packaged security suites with advanced threat protection and detection features.
Contact First Focus today to see how prepared your business is for the Essential 8 and how we can help you improve your cybersecurity.
Time for a Cybersecurity Assessment?
Talk with our security experts for a review of your cybersecurity profile.