20 July 2021

Essential Eight Overhaul: Cybersecurity Update

Essential Eight Overhaul: Cybersecurity Update

The Australian Cyber Security Centre (ACSC) has updated the Essential Eight cybersecurity controls following lengthy consultation with government and industry partners.

The revamped security models now focus on achieving a maturity level across all eight controls before moving to achieve a higher level.

According to the ACSC, the changes reflect its experience in “producing cyber threat intelligence, responding to cybersecurity incidents, conducting penetration testing, and assisting organisations to implement the Essential Eight.”

  1. Changes reflect evolving cybersecurity measures and ease of implementation.
  2. Prioritises implementing mitigation strategies as a package.
  3. Focuses on risk-based approach to cybersecurity.
  4. Reinstated level zero security rating.

The ACSC says that the changes to the Essential Eight helps organisations actively manage risk rather than implement ad-hoc mitigation strategies.

A baseline approach to cybersecurity

In the past, organisations could grade the maturity levels in isolation, allowing organisations to feel protected when their overall stance was flawed or incomplete. Conversely, some organisations may have achieved a strong baseline of cybersecurity practices and mature risk management processes, but been unfairly criticised for not strictly complying with the Essential Eight.

This shift to a staggered baseline approach will enable organisations to reach levels of cybersecurity that make sense for their levels of risk. Organisations are encouraged to plan their implementation to reach a single maturity level across all eight mitigation strategies before moving on.

The ACSC says this baseline approach reflects how the mitigation strategies that constitute the Essential Eight work in combination to provide coverage across various cyber threats – while also letting organisations better manage the risks associated with legacy systems.

“The Essential Eight Maturity Model now prioritises the implementation of all eight mitigation strategies as a package due to their complementary nature and focus on various cyber threats’” states the ACSC.

Implementation based on risk management

The new guidelines confirm that organisations should implement the Essential Eight using an approach that makes sense for their level of risk. In practice this means seeking to minimise any exceptions faced during mitigation rollouts, as well as and their scope. All exceptions and related security controls should be documented, monitored, and reviewed on a regular basis.

The maturity levels are based on mitigating increasing levels of adversary tradecraft and targeting.

The ACSC continues: “Depending on an adversary’s overall capability, they may exhibit different levels of tradecraft for different operations against different targets.”

“For example, an adversary capable of advanced tradecraft may use it against one target while using basic tradecraft against another.”

Reintroducing Level Zero

Another fundamental change to the mitigation model is the reintroduction of ‘Maturity Level Zero’, which signifies that there may be “weaknesses in an organisation’s overall cybersecurity posture.”

While the Essential Eight is now focused on appropriate risk management rather than strict compliance, this inclusion makes it easier to recognise where an organisation has failed to reach Maturity Level One.

When exploited, these weaknesses could facilitate the compromise of the confidentiality of their data, or the integrity or availability of their systems and data.

The ACSC has explained that the Essential Eight focuses on protecting “Microsoft Windows-based networks” that are connected to the internet, stating that the Essential Eight: “are the most effective mitigation strategies organisations can adopt to protect themselves against cyber threats.”

The ACSC also says that organisations can apply the maturity model to “cloud services and enterprise mobility” and other operating systems. However, the ACSC warns that they did not design the Essential Eight for these environments. As such, they suggest, “alternative mitigation strategies may be more appropriate to mitigate unique cyber threats to these environments.”