20 September 2021

Do you pass the Essential 8 Cybersecurity test?

[UPDATED 2023] Several recent high-profile cyberattacks have highlighted the growing need for organisations to pay attention to their cybersecurity posture. First there was Optus. Then there was Medibank. Now there’s Latitude. All involved sensitive details for literally millions of customers.

The threat actors were monetarily motivated, thoroughly organised, and capable of accessing details that should remain private.

These attacks help cement the trend of specialisation in cybercrime. One group might organise phishing attempts, another could specialise in malware or data mining, while a third could offer ransomware as a service. The roles vary, but the point remains – the people involved are professionals.

The tools they use vary from publicly available hardware and software to bespoke programming that requires specialised skills to deploy effectively. However, an increasing trend seems to be the growth of the copy-paste attack.

Repetition fueling cyberattack growth

The methods observed in modern cyberattacks are not always new or innovative. Instead, they are more often a series of repeated attacks regularly used by cybercriminals. The difference is that these attacks are repeated over and over again, but on a scale rarely seen before by cybersecurity professionals. While it’s tempting to dismiss these cyberattacks as simple re-hashes of older methods and tactics, the fact is that repetition works – and specialisation makes them even more effective.

Given the growth in the rate of attacks, the primary defence strategy is to get the security basics right. After careful analysis, which included active incident response with some of the early victims, the Australian Cyber Security Centre (ACSC) has published a revised version of the Essential Eight Strategies to Mitigate Cyber Security Incidents (Essential 8).

What is the Essential 8?

The Essential Eight was originally developed to promote solid security and operational practices within Australian government agencies, departments, local councils, and other organisations in the public sector. Now, many private businesses are looking at the Essential Eight as a good launching place for measuring security controls and setting a foundation for cyber security. The Australian Cyber Security Centre (ACSC) is the current custodian of the Essential Eight.

The Essential 8 consists of eight essential mitigation strategies designed by the ACSC to help organisations mitigate or prevent cybersecurity incidents. These strategies cover three key areas – prevention, limitation, and recovery – ranked by maturity.

The eight components include:

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict administrative privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Regular backups

How does the Essential 8 measure cybersecurity?

The different strategies that make up the Essential 8 are measured according to the level of cybercriminal tradecraft they aim to mitigate.

The strategies are ranked across broad maturity levels:

Maturity Level Zero signifies that there are weaknesses in an organisation’s overall cyber security posture. So whether you have none of the strategies in place or you’ve succeeded in implementing a couple of them, your cyber security maturity will be considered level zero, because the missing controls leave you open to attack. Adversaries tend to go for the lowest hanging fruit, so even if you have a really solid backup strategy or you use multi-factor authentication, they can and will find other ways to exploit your system. A lot of businesses will be starting off at level zero, and that’s completely fine, because they are attesting to the fact that one or more of their security controls may not be covering their organisation’s cyber risks adequately.

Maturity Level One focuses on mitigating the risk of a cyber attack from opportunistic adversaries who are looking for any victim rather than a specific target. For instance, they use ordinary tools that are available online to identify common exploits or vulnerabilities in unpatched software or operating systems. This means you’ll want to mitigate against common threats and opportunistic adversaries, rather than against adversaries targeting your organisation with a key objective of reaching specific information. They are still a threat, particularly if they manage to affect the availability of your systems.

Maturity Level Two aims at fighting against adversaries who are better equipped and employ more advanced techniques, so they may be specifically targeting your organisation and not just spamming you with phishing emails, and they might attempt to impersonate users or accounts in your organisation to gain privileges and access your data. These adversaries are happy to invest more time into their targets and are often better at bypassing security controls and evading detection. Rather than casting a wide net, they are more selective with who they target, but are also wary about the time, money, and effort they invest to compromise their targets’ systems.

Maturity Level Three is the highest level, and focuses on deterring adversaries who can exploit opportunities they seek in their targets’ cyber security posture, like old software or inadequate monitoring. They are incredibly knowledgeable and use techniques and tools that are not commonly used by less experienced adversaries. They will make swift use of exploits and will find ways to evade detection and solidify their presence. They focus on very particular targets and are willing to invest a lot of time and effort into completely circumventing all the security controls an organisation may have.

Past iterations of the Essential Eight sought to have an organisation reach Maturity Level 3. However, in the latest release, the Essential 8 aims to get an organisation to achieve a homogeneous maturity level across the prevention, limitation, and recovery sections before moving to the next level. Additionally, organisations are encouraged to focus on achieving a maturity level that makes sense for their risk management level.

When choosing a maturity level to target, you should consider how desirable your company is to an adversary and the type of information your organisation holds and transmits, so if you house a lot of sensitive or confidential data, you should consider targeting level three. Try to take a risk-based approach to the essential eight and consider the implications and the costs to your business if a data breach or a malware attack were to occur.

The Essential 8 cybersecurity strategies

Here is a brief overview of the 8 mitigation strategies:

Application Control – This refers to the level of control and constraints you have over users’ applications. It involves stopping software libraries, scripts, installers, and other executables from running on workstations.

Patch Applications – This guideline refers explicitly to updating third-party applications. It focuses on applying security updates and patches as quickly as feasible. The strategies require frequent usage of vulnerability scanners to detect missing patches and updates, as well as removing solutions that are no longer supported by their vendors.

Configure Microsoft Office Macro Settings – This refers to the amount of freedom your users have to run macros in Microsoft Office applications. Most users would have macros blocked as default – unless they have a demonstrated business requirement.

User Application Hardening – This refers to the limitations in place on users’ applications. At its most basic, web browsers should not be able to process ads or Java content from the internet, Internet Explorer 11 should be disabled, and users should not be able to change these settings.

Restrict Administrative Privileges – This strategy involves managing users with administrative privileges. It involves validating requests for privileged access to systems and applications, blocking privileged accounts from accessing the internet, and using separate operating environments for privileged and unprivileged users.

Patch Operating Systems – this strategy focuses on keeping operating systems up to date. The main outcome is to ensure that OS patches, updates, and security mitigations for internet-facing services are applied within two weeks of release – or within 48 hours if an exploit exists. Vulnerability scanners should be used to identify any missing patches, and any OS that is no longer vendor supported should be replaced.

Multi-Factor Authentication (MFA) – This section involves enforcing MFA for all privileged access. Maturity starts by enforcing MFA for all users before they access internet-facing services and third-party providers.

Daily Backups – this strategy involves ensuring critical systems and information are securely backed up and readily available. This flexible strategy requires organisations to back up important data, software, and configuration settings “in accordance with business continuity requirements”. All backup and restoration systems are tested, and unprivileged accounts are restricted to their own backup environments.
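The patching windows quoted above (two weeks for patches on internet-facing services, 48 hours when an exploit exists) are easy to track mechanically. As an added illustration that is not part of the original post or any ACSC tool, the following script checks a constructed patch inventory against those windows and lists what is overdue; the host names, patch identifiers and dates are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Windows as stated in the Essential 8 patching strategies above:
# two weeks normally, 48 hours when a working exploit exists.
STANDARD_WINDOW = timedelta(days=14)
EXPLOITED_WINDOW = timedelta(hours=48)


@dataclass
class PatchRecord:
    host: str
    patch_id: str
    released: datetime          # vendor release date
    exploit_exists: bool        # shortens the window to 48 hours
    applied: Optional[datetime]  # None means the patch is still missing


def deadline(rec: PatchRecord) -> datetime:
    """Latest acceptable application time for this patch."""
    window = EXPLOITED_WINDOW if rec.exploit_exists else STANDARD_WINDOW
    return rec.released + window


def is_compliant(rec: PatchRecord, now: datetime) -> bool:
    """Applied inside its window, or not yet applied but still inside it."""
    if rec.applied is not None:
        return rec.applied <= deadline(rec)
    return now <= deadline(rec)


def overdue_report(records: List[PatchRecord], now: datetime) -> List[Tuple[str, str, int]]:
    """(host, patch_id, whole days past the deadline) for every non-compliant record."""
    out = []
    for r in records:
        if not is_compliant(r, now):
            reference = r.applied if r.applied is not None else now
            out.append((r.host, r.patch_id, (reference - deadline(r)).days))
    return out


# Constructed sample inventory (hypothetical hosts, patch ids and dates).
NOW = datetime(2023, 6, 1)
SAMPLE = [
    PatchRecord("web01", "PATCH-A", datetime(2023, 5, 10), False, datetime(2023, 5, 20)),  # in window
    PatchRecord("web01", "PATCH-B", datetime(2023, 5, 25), True, datetime(2023, 5, 29)),   # 48h window missed
    PatchRecord("web02", "PATCH-C", datetime(2023, 5, 1), False, None),                    # still missing
    PatchRecord("web02", "PATCH-D", datetime(2023, 5, 30), False, None),                   # missing, still in window
]

if __name__ == "__main__":
    for host, patch_id, days in overdue_report(SAMPLE, NOW):
        print(f"{host}: {patch_id} is {days} day(s) past its window")
```

Running it reports PATCH-B (applied two days after its 48-hour window) and PATCH-C (17 days overdue and still missing); PATCH-D is unapplied but inside its two-week window, so it is not flagged yet.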

Do my organisation’s cybersecurity strategies already comply with the Essential 8?

Given the specific technical nature of the Essential 8 requirements, it is highly unlikely that organisations will reach their appropriate maturity level without dedicated effort.

The new strategies are aimed at getting organisations to achieve a blanket level of maturity across all sections. If your organisation already has these strategies in place in some areas and not in others, the focus should be on improving the maturity in those areas that are lagging.

The ACSC says:

While no single mitigation strategy is guaranteed to prevent cyber security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline. This baseline, known as the essential eight, makes it much harder for adversaries to compromise systems.

Organisations are also encouraged to focus on achieving a maturity level that makes sense for the organisation’s risk management level. This usually means performing a risk audit in tandem with a cybersecurity audit.

Before advancing to the next maturity level, organisations need to understand the risks they face, the costs of addressing these risks, and the likely outcomes that could befall them should they fail.

If you are unsure if you currently meet the Essential 8 requirements for your risk profile, the answer is almost certainly no.

Which maturity level matches your risk management needs?

Different companies will require different solutions and strategies, so the best way to determine your path to compliance is to receive an IT security assessment. We can conduct one and help you evaluate your current maturity level in each strategy, then implement the practices that will help you remain in full accordance with the guidelines.

It’s also important to note that, although the Essential 8 are a set of critical technical controls that organisations should maintain, they aren’t the only cybersecurity measures that businesses should take. For example, they don’t include provisions for risk assessments or risk management methodology.

Complying with the Essential 8 is a good starting point for a business looking to protect its digital assets better, and we can help you on the journey to compliance. In addition, First Focus can also assist with more holistic cybersecurity strategies and offer packaged security suites with advanced threat protection and detection features.

Contact First Focus today to see how prepared your business is for the Essential 8 and how we can help you improve your cybersecurity.