The Australian Cyber Security Centre, working alongside the Australian Signals Directorate (formerly the Defence Signals Directorate), created a list of eight essential mitigation strategies to act as a baseline for cybersecurity. These are basic and essential measures, and they are an absolute minimum. To a cybersecurity professional they are common sense and in some respects almost go without saying, but two of them are a little strange.

The essential eight

At a high level, they are:

  • Patch applications
  • Patch operating systems
  • Configure Microsoft Office macro settings
  • User application hardening
  • Application control
  • Restrict administrative privileges
  • Multi-factor authentication
  • Regular backups

I expect that by now, if you use a computer, most of these make perfect sense. There are, however, two that seem a little unusual to me.

The two of the Essential Eight that are different

One of the mitigation strategies, “Configure Microsoft Office macro settings”, stands out. It is the only one that names a specific product, and it is a very specific task rather than an activity that can be applied to other systems. There is also another mitigation strategy, “User application hardening”, and Microsoft Office is itself a user application. In Maturity Level 2 for “User application hardening”, there are already references to other Microsoft products, including Office. It seems strange that one product is called out above all others. Why not state “remove Adobe Flash”? Or “configure Java”? These products have [had] more vulnerabilities and are just as worthy of being singled out as Microsoft Office macros.


Some may argue that examples like Java and Flash are obsolete and out of date, but the Essential Eight is not just this year’s recommendations for maturity. A broader, more generic approach, even one that controls the execution of any automation system or tool, would have more longevity than naming a single product.

Application control and whitelisting

The second strange control is application control and whitelisting. The mitigation is very powerful: only authorised applications are allowed to execute. However, this is where usability and security clash. The work to list every application, driver, tool, patch and package that is allowed to execute is very onerous. The problem with this control is that you cannot run any software that has not been pre-authorised, and this means that it can interfere with normal business operations. When an application or driver is updated or patched, its signature (or hash) changes and it will not execute unless the new version is whitelisted. This can mean that software is not updated, that the measures are bypassed for convenience, or that too many applications are whitelisted. This is a sledgehammer approach, and even Maturity Level 1 imposes the extreme limit: “The execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is prevented on workstations from within standard user profiles and temporary folders used by the operating system, web browsers and email clients.” Well, if you can’t run a script to tighten settings, or start an executable to resolve an issue, you are a bit stuck!
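To make the trade-off above concrete, here is a small model of an allowlisting policy. It is an added example written for this post, not code from the post's author or from the ACSC, and it does not reproduce any particular product. It models two rule types that application-control products commonly offer, an exact file-hash rule and a publisher (code-signer) rule, plus the location-based block that Maturity Level 1 describes. The binaries, paths, signer name and blocked-path prefixes are all constructed for the demonstration; the point it shows is that a hash rule silently stops matching the moment a tool is patched, a publisher rule survives the patch, and a location rule blocks the vendor's own fix script when it is run from a temp folder.

```python
"""Toy model of an application-control (allowlisting) policy.

Added example for this post; it is not code from the post's author or from
the ACSC. Binary contents, paths, hashes and publisher names are all
constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes
    publisher: Optional[str]  # signer of a valid code signature, or None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Locations from which standard users may not execute anything. Assumed
# prefixes standing in for "user profiles" and "temporary folders".
BLOCKED_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")


def in_blocked_location(path: str) -> bool:
    lowered = path.replace("/", "\\").lower()
    return lowered.startswith(BLOCKED_PREFIXES)


@dataclass
class Policy:
    allowed_hashes: Set[str]
    allowed_publishers: Set[str]

    def evaluate(self, binary: Binary) -> Tuple[bool, str]:
        """Return (allowed, reason). Location rules win over allow rules."""
        if in_blocked_location(binary.path):
            return False, "blocked location"
        if binary.sha256 in self.allowed_hashes:
            return True, "hash rule"
        if binary.publisher and binary.publisher in self.allowed_publishers:
            return True, "publisher rule"
        return False, "not allowlisted"


def patch_scenario() -> dict:
    """Show what happens to each rule type when an allowlisted tool is patched."""
    signer = "Example Vendor Pty Ltd"  # constructed signer name
    v1 = Binary(r"C:\Program Files\Vendor\tool.exe", b"tool build 1.0", signer)
    v2 = Binary(r"C:\Program Files\Vendor\tool.exe", b"tool build 1.1", signer)
    # The vendor's fix script, signed by the same signer, run from a temp folder.
    temp_script = Binary(r"C:\Users\alice\AppData\Local\Temp\fix.ps1",
                         b"Set-Thing -Value 1", signer)

    hash_policy = Policy(allowed_hashes={v1.sha256}, allowed_publishers=set())
    publisher_policy = Policy(allowed_hashes=set(), allowed_publishers={signer})

    return {
        "hash_rule_v1": hash_policy.evaluate(v1),
        "hash_rule_v2": hash_policy.evaluate(v2),          # patched: hash changed
        "publisher_rule_v2": publisher_policy.evaluate(v2),
        "publisher_rule_temp": publisher_policy.evaluate(temp_script),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in patch_scenario().items():
        print(f"{name:22} {'ALLOW' if allowed else 'BLOCK':5} ({reason})")
```

The design choice worth noting for a defender is that publisher rules keep the control workable across routine patching, whereas hash rules force a re-approval on every update, which is exactly the pressure that leads to updates being skipped or the control being bypassed.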

So Why is Everyone Not Using Application Whitelisting?
While application whitelisting does a great job of protecting against malicious applications, it can be very restrictive. Every time the user needs to run a legitimate application that is not on the whitelist, they need to contact the admin. This can make a system difficult to use and create operational bottlenecks, inefficiency, and frustration in the workplace, especially in large organizations. In addition, the whitelisting solution can be a massive failure if end users are constantly unable to perform essential business functions on a day-to-day basis. – from Application Whitelisting Guide & Best Whitelisting Tools for 2023 (comparitech.com)

Two new mitigation strategies

Whilst the Microsoft Office macro settings mitigation is a duplicate of user application hardening, and application whitelisting is too harsh, there are other strategies that are missing entirely.

  • Educate users, provide support and encouragement
  • Audit and review settings regularly

Firstly, it is well known that most cybersecurity incidents and data leaks come from internal personnel. The weak point in security is not a specific piece of hardware or software (even Microsoft Office macros), but the wetware: people. Staff, suppliers and management need to be educated, supported with policies and tools, and encouraged with recognition for reporting incidents and levels of punishment for poor practice. Dealing with people is more important, and more challenging, than any technology or system.


The need to audit and review is important in any environment, not just in regulated industries. Settings can drift, events can be recorded in logs without being noticed, and advanced persistent threats (APTs) can make changes and use them to access other systems. Checking that the security of your environment is as you intend it, and that there is no deviation, is a vital mitigation strategy.
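As an added example of the "check for deviation" step (written for this post, not code from the post's author), the script below records a baseline of intended settings, keeps an order-independent fingerprint of that baseline so that tampering with the baseline itself is detectable, and reports every setting that has changed, gone missing or appeared since. The setting names and values are constructed; in practice the "current" snapshot would be collected from the systems being audited and the fingerprint stored somewhere the audited systems cannot write to.

```python
"""Settings drift audit (added example; not code from the post's author).

Setting names and values are constructed for the demonstration.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class Deviation:
    setting: str
    kind: str          # "changed", "missing" or "unexpected"
    expected: Any
    observed: Any


def fingerprint(settings: Dict[str, Any]) -> str:
    """Order-independent SHA-256 of a settings snapshot (canonical JSON)."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[Deviation]:
    """Compare intended settings with observed ones and list every deviation."""
    findings: List[Deviation] = []
    for key, expected in baseline.items():
        if key not in current:
            findings.append(Deviation(key, "missing", expected, None))
        elif current[key] != expected:
            findings.append(Deviation(key, "changed", expected, current[key]))
    for key, observed in current.items():
        if key not in baseline:
            findings.append(Deviation(key, "unexpected", None, observed))
    return sorted(findings, key=lambda d: d.setting)


def audit(baseline: Dict[str, Any], baseline_fingerprint: str,
          current: Dict[str, Any]) -> dict:
    """Refuse to trust a baseline whose stored fingerprint no longer matches."""
    if fingerprint(baseline) != baseline_fingerprint:
        return {"baseline_trusted": False, "deviations": []}
    return {"baseline_trusted": True, "deviations": detect_drift(baseline, current)}


# Constructed baseline: the settings as intended when the environment was built.
BASELINE = {
    "office.macros": "disabled",
    "mfa.required": True,
    "local_admins": ["admin"],
    "backup.schedule": "daily",
}
BASELINE_FINGERPRINT = fingerprint(BASELINE)  # in practice stored out of band

# Constructed "current" snapshot showing the kinds of drift an audit catches.
CURRENT = {
    "office.macros": "enabled_with_notification",
    "mfa.required": True,
    "local_admins": ["admin", "svc_build"],
    "rdp.enabled": True,
}

if __name__ == "__main__":
    result = audit(BASELINE, BASELINE_FINGERPRINT, CURRENT)
    print("baseline trusted:", result["baseline_trusted"])
    for d in result["deviations"]:
        print(f"{d.kind:10} {d.setting}: expected={d.expected!r} observed={d.observed!r}")
```

Each "changed" or "unexpected" finding maps back to one of the Essential Eight (macros re-enabled, a new local administrator, a remote-access service turned on), and a "missing" finding often means a whole control, such as backups, has quietly stopped being configured.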
