What is the Essential 8
The Australian Cyber Security Centre (ACSC) developed a prioritised list of mitigation strategies and published the Essential Eight in February 2017 to help organisations defend against common cyber threats. The Essential Eight is the subset of those strategies the ACSC regards as a baseline: the minimum set of controls any organisation should implement to protect its systems and data.
The Essential Eight
The Essential Eight are:
- Application whitelisting – to control the execution of unauthorized software
- Patching applications – to remediate known security vulnerabilities
- Configuring Microsoft Office macro settings – to block untrusted macros
- Application hardening – to protect against vulnerable functionality
- Restricting administrative privileges – to limit powerful access to systems
- Patching operating systems – to remediate known security vulnerabilities
- Multi-factor authentication – to protect against risky activities
- Daily backups – to maintain the availability of critical data.
The Essential 8 Maturity Model
An organisation's implementation of the Essential Eight is assessed against the Essential Eight Maturity Model published by the ACSC, which rates how completely each control is implemented.
The maturity model has four levels. Maturity Level Zero indicates weaknesses in the organisation's overall security posture that an adversary could exploit. Each higher level is defined by the adversary tradecraft it is designed to resist: Level One covers adversaries who opportunistically use widely available tools and techniques, while Maturity Level Three targets adversaries who are more adaptive, less reliant on public tools and techniques, and willing to invest effort against a specific target. Level Three is not the end of the journey; organisations facing more sophisticated adversaries may need mitigations beyond the Essential Eight.
The Essential 8 in more detail
1. APPLICATION CONTROL:
To prevent the execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell, and HTA), and installers.
Why? So that every non-approved application, including malicious code, is prevented from executing. The difficulty is that this is hard to enforce in a BYOD or non-SOE environment, particularly for software that updates frequently; publisher (signature) rules cope with frequent updates far better than file hash rules, which break on every new release.
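A common gap with this control is that rules exist but are not enforced: a collection left in audit mode, DLL rules never created, or the Application Identity service stopped. The following PowerShell script is an added example, not part of the ACSC guidance or the original article, that audits AppLocker enforcement for the rule collections the control names. It assumes a Windows host with the AppLocker cmdlets available and an elevated session; WDAC is the newer Microsoft mechanism and is not covered here.

```powershell
# Added example (not from the ACSC or the original article): report whether AppLocker
# is actually enforcing each rule collection the control calls for. Assumes Windows
# with the AppLocker cmdlets; run from an elevated session.

# Collections the control requires: executables, DLLs, scripts (WSH/PowerShell/HTA) and installers.
$RequiredCollections = @('Exe', 'Dll', 'Script', 'Msi')

function Get-AppLockerEnforcement {
    # Effective policy = local policy merged with any Group Policy AppLocker settings.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml

    $byType = @{}
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        $byType[$rc.Type] = $rc
    }

    foreach ($type in ($RequiredCollections + 'Appx')) {
        $mode  = 'NotConfigured'
        $rules = 0
        if ($byType.ContainsKey($type)) {
            $rc = $byType[$type]
            if ($rc.EnforcementMode) { $mode = $rc.EnforcementMode }
            # Rules are the collection's element children (FilePublisherRule, FilePathRule, FileHashRule).
            $rules = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
        }
        [pscustomobject]@{
            Collection      = $type
            EnforcementMode = $mode          # NotConfigured, AuditOnly or Enabled
            RuleCount       = $rules
            # A required collection only counts when it is enforced (not audit-only) and non-empty.
            Compliant       = ($type -notin $RequiredCollections) -or ($mode -eq 'Enabled' -and $rules -gt 0)
        }
    }
}

function Test-AppLockerService {
    # AppLocker rules are inert unless the Application Identity service is running
    # and starts automatically; a policy alone proves nothing.
    $svc = Get-Service -Name AppIDSvc
    [pscustomobject]@{
        Service   = $svc.Name
        Status    = $svc.Status
        StartType = $svc.StartType
        Compliant = ($svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic')
    }
}

Test-AppLockerService      | Format-Table -AutoSize
Get-AppLockerEnforcement   | Format-Table -AutoSize
```

Any required collection reporting AuditOnly or a RuleCount of zero means that file type is not actually controlled, whatever the policy document says. The service check matters because on recent Windows builds the Application Identity service defaults to manual start and must be set to automatic (for example with sc.exe config appidsvc start= auto) for enforcement to survive a reboot.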
2. PATCH APPLICATIONS
Patch applications such as Flash (if you still have it), web browsers, Microsoft Office, Java, and PDF viewers. Patch or mitigate computers with 'extreme risk' vulnerabilities within 48 hours. Use the latest version of applications.
Why? Security vulnerabilities in applications can be used to execute malicious code on systems. Historically, Flash and the Java browser plug-in were the most heavily exploited, which is a large part of why the industry retired both (Flash reached end of life in December 2020).
3. CONFIGURE MICROSOFT OFFICE MACRO SETTINGS
Block macros in files from the internet, and only allow vetted macros that are either stored in 'trusted locations' with limited write access or digitally signed with a trusted certificate. Microsoft 365 Apps now block macros in files downloaded from the internet by default, but the setting should still be enforced by policy so users cannot override it.
Why? Microsoft Office macros have long been used to deliver and execute malicious code on systems.
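The two settings behind this control are the "Block macros from running in Office files from the Internet" policy and the VBA macro notification level. The PowerShell below is an added example, not from the ACSC or the original article, that sets both under the Group Policy registry hive and then audits them. It assumes Office 2016/2019 or Microsoft 365 Apps (policy hive version 16.0) and writes only to HKCU for the current user; in production the same values would be delivered by GPO or Intune.

```powershell
# Added example (not from the ACSC or the original article): enforce and audit the
# registry-backed Office macro policy for control 3. Assumes policy hive 16.0
# (Office 2016/2019/Microsoft 365 Apps). Writes to HKCU for the current user only.

$OfficeApps = @('Word', 'Excel', 'PowerPoint', 'Access')
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# VBAWarnings: 1 = enable all macros, 2 = disable with notification (Office default),
#              3 = disable all except digitally signed, 4 = disable all without notification
$Desired = @{
    blockcontentexecutionfrominternet = 1   # block macros in files carrying the Mark of the Web
    vbawarnings                       = 3   # only macros signed by a trusted publisher may run
}

function Set-OfficeMacroPolicy {
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Desired.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $Desired[$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-OfficeMacroPolicy {
    # One row per application and setting; a missing value is reported as 'not set'.
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        foreach ($name in $Desired.Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Expected  = $Desired[$name]
                Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
                Compliant = ($actual -eq $Desired[$name])
            }
        }
    }
}

Set-OfficeMacroPolicy
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. Trusted Locations bypass the VBAWarnings setting entirely, so any location you trust must be one users cannot write to, or trusted locations should be disabled by policy. And because these values live under Software\Policies, they are only authoritative when delivered by policy; a value set by hand in HKCU is overwritten at the next Group Policy refresh.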
4. USER APPLICATION HARDENING.
Configure web browsers to block Flash (ideally uninstall it), ads, and Java on the internet. Disable unnecessary features in Microsoft Office (e.g. OLE), web browsers, and PDF viewers. Any application that acts as a platform for running arbitrary code is a potential attack vector.
Why? Flash, ads, and Java used to be popular ways to deliver and execute malicious code on systems.
The ACSC groups the first four strategies as those that prevent malware delivery and execution. The next three limit the extent of an incident once an adversary has a foothold, and the last recovers data and system availability. All eight are assessed under the maturity model; none is optional.
5. RESTRICT ADMINISTRATIVE PRIVILEGES
Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don't use privileged accounts for reading email and web browsing; don't even mail-enable admin accounts.
Why? Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.
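"Regularly revalidate the need for privileges" is easiest when the check is scripted. The PowerShell below is an added example, not part of the ACSC guidance or the original article, that compares the members of a workstation's local Administrators group against an approved list and flags anything else. It assumes Windows 10/11 or Server 2016 and later (for Get-LocalGroupMember); the approved principals, including the CONTOSO group name, are placeholders to be replaced with your own.

```powershell
# Added example (not from the ACSC or the original article): revalidate local
# Administrators membership against an approved list. Assumes Windows 10/11 or
# Server 2016+. The approved principals below are assumptions for illustration.

$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account; always a member, should be disabled or LAPS-managed
    'CONTOSO\Workstation Admins'         # assumed AD group for tiered admin accounts; replace with your own
)

function Get-LocalAdminReport {
    param([string[]]$ApprovedPrincipals = $Approved)

    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass       # User or Group
            PrincipalSource = $_.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Approved        = ($_.Name -in $ApprovedPrincipals)
        }
    }
}

$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

# Anything not on the approved list is a finding to remove or justify.
$report | Where-Object { -not $_.Approved } | ForEach-Object {
    Write-Warning "Unapproved member of Administrators: $($_.Name) ($($_.ObjectClass), $($_.PrincipalSource))"
}

# The account running this script should not itself be a local admin if it is the one used for email and browsing.
if ("$env:USERDOMAIN\$env:USERNAME" -in $report.Name) {
    Write-Warning "The current user $env:USERDOMAIN\$env:USERNAME is a direct local administrator."
}
```

Run it across the fleet (for example through a scheduled task that writes the report centrally) and treat every unapproved row as a ticket: either the principal is removed with Remove-LocalGroupMember or its need is documented and the approved list updated. The final check catches the pattern the control warns against, a day-to-day account that also holds admin rights.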
6. PATCH OPERATING SYSTEMS.
An obvious one, but patch or mitigate computers (including network devices) with 'extreme risk' vulnerabilities within 48 hours. Use the latest operating system version. Don't use unsupported versions. Don't leave systems unpatched where there are known vulnerabilities.
Why? Security vulnerabilities in operating systems can be used to further the compromise of systems, and because they are widely publicised, working exploits usually follow disclosure quickly.
7. MULTI-FACTOR AUTHENTICATION
Require multi-factor authentication for VPNs, RDP, SSH, and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high-availability) data repository. At the higher maturity levels the ACSC expects phishing-resistant methods (such as FIDO2 security keys or smart cards) rather than SMS codes or push notifications that can be phished or fatigued.
Why? Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
8. DAILY BACKUPS
Take daily backups of important new or changed data, software, and configuration settings; store them disconnected from the network and retain them for at least three months. Test restoration initially, annually, and whenever IT infrastructure changes.
Why? To ensure information can be accessed following a cybersecurity incident (e.g. a ransomware incident).
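A restoration test is only meaningful if the restored data is compared with what was backed up, not just confirmed to exist. The PowerShell below is an added example, not from the ACSC or the original article, that hashes every file in a source tree and a restored tree and reports files that are missing, extra, or altered. The sample trees it builds in a temporary folder are constructed for the demonstration; in practice point the two parameters at a production share and its restored copy.

```powershell
# Added example (not from the ACSC or the original article): verify a restored copy
# against its source by SHA-256 hash. The sample data below is constructed in a temp
# folder purely to demonstrate the check.

function Get-TreeHashes {
    # Map of relative path -> SHA-256 for every file under $Root.
    param([Parameter(Mandatory)][string]$Root)
    $rootPath = (Resolve-Path -Path $Root).ProviderPath.TrimEnd('\', '/')
    $hashes = @{}
    Get-ChildItem -Path $rootPath -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($rootPath.Length).TrimStart('\', '/')
        $hashes[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $hashes
}

function Compare-RestoredTree {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Restored
    )
    $src = Get-TreeHashes -Root $Source
    $dst = Get-TreeHashes -Root $Restored

    foreach ($rel in (@($src.Keys) + @($dst.Keys) | Sort-Object -Unique)) {
        $status = if (-not $dst.ContainsKey($rel))     { 'Missing from restore' }
                  elseif (-not $src.ContainsKey($rel)) { 'Extra in restore' }
                  elseif ($src[$rel] -ne $dst[$rel])   { 'Hash mismatch' }
                  else                                 { 'OK' }
        [pscustomobject]@{ Path = $rel; Status = $status }
    }
}

# Constructed sample: a source tree, and a "restore" that lost one file and corrupted another.
$base   = Join-Path ([IO.Path]::GetTempPath()) ("restoretest-" + [guid]::NewGuid())
$srcDir = Join-Path $base 'source'
$rstDir = Join-Path $base 'restored'
New-Item -ItemType Directory -Path (Join-Path $srcDir 'finance') -Force | Out-Null
Set-Content -Path (Join-Path $srcDir 'finance\ledger.csv') -Value 'acct,amount'          -NoNewline
Set-Content -Path (Join-Path $srcDir 'config.json')        -Value '{"retention_days":90}' -NoNewline
Set-Content -Path (Join-Path $srcDir 'readme.txt')         -Value 'backup test'           -NoNewline
Copy-Item -Path $srcDir -Destination $rstDir -Recurse
Remove-Item -Path (Join-Path $rstDir 'readme.txt')                          # file the backup job missed
Set-Content -Path (Join-Path $rstDir 'config.json') -Value '{}' -NoNewline  # silently corrupted file

$result = Compare-RestoredTree -Source $srcDir -Restored $rstDir
$result | Format-Table -AutoSize
$failures = @($result | Where-Object { $_.Status -ne 'OK' }).Count
if ($failures -gt 0) { Write-Warning "$failures file(s) failed restoration verification." }

Remove-Item -Path $base -Recurse -Force
```

The constructed sample deliberately produces one missing file and one hash mismatch so the report shows both failure kinds alongside a clean file. For a real test, hash the source tree at backup time and store the manifest with the backup (ideally on the same disconnected media), so that the comparison after a restore does not depend on a live system that may itself have been ransomed.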