Limitation and Recovery Strategies from the Essential 8

The Essential 8 lists fundamental cyber security strategies developed for Australian organisations to mitigate cyberattacks. Produced by the Australian Cyber Security Centre (ACSC), the Essential 8 protects Australian businesses from the growing risk of cybercrime while protecting both their clients and stakeholders.

The ACSC breaks up the Essential 8 strategies into three key areas – Prevention, Limitation, and Recovery.

Previous articles covered how the Essential 8 protects organisations from cyberattacks and the prevention strategies listed in the Essential 8. In this article, we’ll look closely at the limitation and recovery strategies to help you understand what they’re for, why they’re critical and how you can implement them to protect your business.

These include:

• Restricted admin privileges
• Patched operating systems
• Multi-factor authentication
• Regular backups

What are restricted admin privileges?

This strategy involves identifying the levels of access that staff members need to various IT environments and ensuring that team members only have access to privileges they need to perform their duties.

Restricting admin privileges in this way can help reduce incidences of human error causing problems in an IT environment – as only authorised personnel can access sensitive details. Similarly, it can prevent potentially malicious actions from internal sources. But the main focus of restricting admin privileges is that if an employees credentials are compromised, or a threat actor takes over their account, the account has limited access to settings that the threat actor may abuse. This reduction in access mitigates the harm a threat actor can do with that account.

How can I restrict admin privileges?

The ACSC recommends following the below processes when mapping out and restricting admin privileges:

1. Identify tasks that need admin privileges.
2. Certify staff members that carry out those tasks as part of their duties
3. reate separate accounts for each staff member with admin privileges, ensuring that their accounts have the least amount of privileges needed to undertake their duties
4. Frequently review your account requirements to adjust privileges in line with roles and tasks and when staff members leave your organisation or are involved in a cyber security incident.

Why do I need to patch my operating systems?

Operating systems form the core of many activities that users engage in within your IT environment. They act as the interface between your users and their digital assets. Because of this central nature, it is vital to ensure that you patch out any OS vulnerabilities as soon as possible. Implementing a regular patching schedule aims to create and enforce workflows that ensure your organisation can apply OS patches with minimal downtime.

How to patch operating systems

Once a vendor releases a patch, you should apply the patch in a timeframe that matches your organisation’s exposure to the security vulnerability it prevents, as well as the level of potential cyber threats you are aiming to protect against.

For example, once a security vulnerability in an internet-facing service is made public, evidence shows that adversaries will develop malicious code within 48 hours – although in many cases, adversaries have developed malicious code within hours of newly discovered vulnerabilities.

For internet-facing services, this means applying patches within 48 hours if an exploit exists. Otherwise, organisations must apply patches within two weeks. For services that don’t use a network, the timeframe can range from one month for simple cyber threats to two weeks for more advanced threats.

A patch detector solution may help automate this process.

What is Multi-Factor Authentication?

Multi-factor authentication (MFA) can help control unauthorised access to a vast range of sensitive information. MFA uses two or more authentication factors to authenticate a single claimant.

MFA can be as simple as tapping a button on your smartphone.

It is effective because it relies on a series of requirements that make it significantly more difficult for an adversary to enact malicious activities on a network.

Authentication factors used in MFA requests must consist of two or more of the following:

• something you know (such as a password or answer to a secret question)
• something you have (such as a smartcard or software certificate)
• something you are (such as a biometric fingerprint or iris scan)

How to implement multi-factor authentication?

There is a wide range of ways to use MFA to help secure access to sensitive information. Popular examples include:

U2F Security keys – usually a physical token, card, or smartphone app that uses public-key cryptography to verify the user’s identity. The key contains a code that responds to a challenge-response request from a service. The service passes a challenge through via a web browser or mobile app for the user to respond to, then verifies that the response contains the valid and correct private key for that service.

Smartcards – this method uses a private key stored on a smartcard as a second authentication factor. Software on the user’s device prompts the user to unlock the smartcard by entering a PIN or password. When the smartcard opens, the software on the device verifies the user’s identity by signing an authentication request with the user’s private key.

Software certificates – this method uses a software certificate stored on a user’s device as a second factor. When the user attempts to access sensitive information, the system attempts to access the user’s software certificate. If successful, the software installed on their device verifies their identity by signing an authentication request with the user’s private key.

Physical one-time PIN tokens – this method uses a physical device called a “token”. This token displays a time-limited one-time PIN as a second factor or may require the user to press a button to submit the one-time PIN on their behalf. Both the physical device and the authentication service are synchronised, and the service will only allow access to continue if the PIN matches the timing sequence.

Smartphone apps – similar to the one-time PINs used in the method above, smartphone verification apps also utilise time-limited one-time authentication methods. The user either scans a QR code or receives a one-time PIN or password via email or SMS. This process verifies the smartphone app. During the logon process, the app generates a one-time PIN or password to complete the authentication process.

SMS messages, emails or voice calls – just as with the mobile apps and the physical PIN tokens, this method uses a time-limited one-time PIN or password provided via an SMS message, email, or voice call to a known recipient as a second factor. The authentication service sends a one-time PIN or password to the user via their pre-registered contact details during the login process. The user then provides this information to the authentication service, which verifies that all details are correct for that user and grants or denies access to resources.

Biometrics – this authentication method utilises the user’s biological characteristics as a second factor. When they first apply for access, the user might register a fingerprint, eye scan, or another physical measurement. This measurement then acts as a reference point for the authentication service to compare to. When users attempt to access sensitive information, they supply their biometric data, and the authentication service verifies it against the measurements provided at enrollment.

What are regular backups?

Data security is all about confidentiality, integrity, and availability. Cyber security breaches can knock out all three by stealing, corrupting, or maliciously encrypting your data.

Regular backups help ensure that your organisation can return to standard operations quickly.

While these actions can seriously damage an organisation’s capacity to operate, organisations can use a secure backup to mitigate the risks associated with such malicious activities, replacing lost or corrupt data with fresh backups that allow normal operations.

To effectively mitigate the risks of a data breach, backups need to be:

Regular – older backups will be less useful in the event of a breach

Secure – threat actors may find value in targeting unsecured backups, rendering them useless.

Accessible – a good backup solution minimises the amount of time between a breach and complete data recovery.

How can I implement daily back-ups?

While the processes behind your organisation’s chosen backup solution may vary depending on risk and costs, several common steps are involved.

Identify critical data – aim to identify any information that is critical to your organisation’s daily operations. These files may include software and configuration settings, as well as essential data files.

Find the best way to protect your data – there is a wide range of methods organisations can use to keep their data safe, including cloud backups and tape storage. A risk-based approach to backup and recovery will help you decide what types of critical information gets stored externally, how it gets stored, and the costs associated with the benefits they provide. This kind of risk-based approach can also ensure robust protection from disasters like a fire or flooding of a data centre.

Automate – there’s no point in setting up a regular backup schedule if people aren’t going to use it. Automated scheduling of data backups helps ensure that your organisation regularly backs up the information it needs, reducing the chance of missing a backup due to human error.

Test – for true peace of mind, it’s vital to test your backup solutions regularly. The time taken to restore data after a breach can directly impact an organisation’s costs and reputation, so it’s essential to know of any barriers to a complete restoration in advance.

On the low end, the ACSC recommends that organisations back up critical data every month, store it for at least one month, and test the configuration at least once a year. For organisations that face higher levels of risk, daily backups are recommended, alongside storing backups for three months. The ACSC also suggests that these organisations test for complete restoration at the start of the backup solution rollout and repeat testing once per quarter or whenever there is a technology update.

Need help with the Essential Eight?

As you can see, the Essential 8 covers a lot of ground. The technical strategies offer organisations a prescriptive list of mitigation activities that can help them manage the risks associated with cybersecurity.

This framework is great if your organisation has the technological capacity to implement them and only needs guidance on which activities to perform.

For organisations that do not have the IT staff on hand – or would prefer to keep them involved in more value-adding activities – our Connect & Protect program can help guide organisational change.

To find out more about our managed security services, get in touch with First Focus today!