What is ACSC Essential Eight ?
The Australian Cyber Security Centre (ACSC) has developed prioritized mitigation strategies to help cyber security professionals in all organizations mitigate cyber security incidents caused by various cyber threats. This guidance addresses targeted cyber intrusions (i.e. those executed by advanced persistent threats such as foreign intelligence services), ransomware and external adversaries with destructive intent, malicious insiders, ‘business email compromise’, and industrial control systems.
The Essential Eight (E8) is a prioritized subset of ‘Strategies to Mitigate Cyber Security Incidents’, outlining the eight most essential mitigation strategies.
ACSC Essential Eight Controls and Importance:
|Mitigation Strategies to Prevent Malware Delivery and Execution:|
|Essential 1||Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g., Windows Script Host, PowerShell and HTA) and installers.
Why: All non-approved applications (including malicious code) are prevented from executing.
|Essential 2||Patch applications (e.g., Flash, web browsers, Microsoft Office, Java and PDF viewers). Patch/mitigate computers with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest version of applications.
Why: Security vulnerabilities in applications can be used to execute malicious code on systems.
|Essential 3||Configure Microsoft Office Macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
Why: Microsoft Office macros can be used to deliver and execute malicious code on systems.
|Essential 4||User application hardening: Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Why: Flash, ads and Java are popular ways to deliver and execute malicious code on systems.
|Mitigation Strategies to Limit the Extent of Cyber Security Incidents:|
|Essential 5||Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Why: Admin accounts are ‘key to the kingdom’. Adversaries use these accounts to gain full access to information and systems.
|Essential 6||Patch operating systems: Patch/mitigate computers (including network devices) with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Why: Security vulnerabilities in operating systems can be used to further compromise the systems.
|Essential 7||Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Why: Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
|Mitigation Strategies to Recover Data and System Availability:|
Regular backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
Why: To ensure information can be accessed following a cyber security incident (e.g. ransomware attack)
ACSC has defined four maturity levels to assist organizations in determining the maturity of their implementation. The maturity criteria defined in ACSC Maturity Model includes:
|Level 0||It indicates weaknesses in an organization’s overall cybersecurity posture.|
|Level 1||adversaries who are content to simply leverage commodity tradecraft that is widely available to gain access and control of systems.|
|Level 2||adversaries are willing to invest more time in a target and in the effectiveness of their tools.|
|Level 3||focused on adversaries who are more adaptive and less reliant on public tools and methods.|
Cybernetic Global Intelligence Essential Eight Compliance Specialist:
Cybernetic Global Intelligence has a team of qualified PCI DSS QSA & ISO 27001/2013 lead auditors and assessors that can assist in all aspects of ACSC Essential Eight implementation consulting. We can take the stress out of becoming Essential Eight compliant by assessing and validating adherence to ACSC Essential Eight and work with you to develop Diagnostic gap analysis, Risk treatment and Ongoing monitoring and assurance with remediation strategies to help you meet the Essential Eight Controls. Our team of experts have worked with organizations across all industry types implementing and Auditing Essential Eight.
No business can afford to be complacent with the current rise in Cyber Attacks because becoming the victim of a cyber-attack today is a serious loss for many organizations and not forgetting how costly security breach has become, regardless of your business size and Industry. Having implementation Essential Eight largely reduces major risks for any organization.