In February 2017, the Australian Signals Directorate (ASD) expanded its Top Four cyber threat mitigation measures to the “Essential Eight”. What are the measures, what has changed, what is new and what do they all mean?
The Australian Signals Directorate
The ASD is responsible for providing cyber security guidance and setting policies for all Australian government departments and agencies. The ASD released the third and newly named version of their guide Strategies to Mitigate Cyber Security Incidents along with Strategies to Mitigate Cyber Security Incidents – Mitigation Details and the Essential Eight Explained.
ASD first published its list of 35 controls as “Strategies to Mitigate Targeted Cyber Intrusions” in 2010, based on its experience in responding to cyber security incidents. The strategies were updated in 2012 and 2014. In 2011, the ASD found that the Top Four controls, when properly implemented, mitigate at least 85% of the targeted cyber intrusions it responds to.
The revised documents present 37 controls as mitigation strategies against a list of six threats and expand the Top Four controls to the Essential Eight. The strategies have been updated to address changes in the threat landscape, current attack patterns, and defensive technologies and capabilities, and now cover a wider range of threats than just “targeted attacks”.
The six threats are:
- Targeted cyber attacks;
- Ransomware, and other external adversaries who destroy data or deny access to it;
- Malicious insiders who steal data;
- Malicious insiders who destroy data and prevent computers/networks from functioning;
- Business email compromise; and
- Threats to industrial control systems.
The Essential Eight
The Top Four Mitigation Strategies to Protect Your ICT System remain the same and are mandatory for Australian Federal Government agencies.
The Essential Eight are the existing Top Four plus four new ASD recommendations, presented as a “baseline” for all organisations. They are grouped into two categories: the first focuses on preventing malware from running, the second on limiting the impact of an incident and recovering from it.
The Essential Eight are:
Prevention – To prevent malware running:
- Application whitelisting of approved, trusted programs to prevent execution of unapproved or malicious programs, including executables, software libraries (DLLs), scripts (such as Windows Script Host, PowerShell and HTA) and installers. (Top Four)
- Patch applications to fix security vulnerabilities in software such as Flash, web browsers, Microsoft Office, Java and PDF viewers; patch or mitigate “extreme risk” vulnerabilities within 48 hours, and use the latest version of applications. (Top Four)
- Configure Microsoft Office macro settings to block macros from the Internet, and allow only vetted macros, either stored in “trusted locations” with limited write access or digitally signed with a trusted certificate, so malware cannot run unauthorised routines.
- User application hardening, such as configuring web browsers to block Adobe Flash Player (ideally uninstalling it), web advertisements and untrusted Java code from the Internet, and disabling unneeded features in Microsoft Office (such as OLE), web browsers and PDF viewers.
Mitigation – To limit the extent of incidents and recover data:
- Restrict administrative privileges to operating systems and applications based on user duties, and regularly revalidate the need for those privileges. Privileged accounts should not be used for reading email or web browsing; such users should have a separate unprivileged account for those tasks. (Top Four)
- Patch operating systems to fix security vulnerabilities, including on network devices; patch or mitigate “extreme risk” vulnerabilities within 48 hours, and use the latest operating system version rather than unsupported ones. (Top Four)
- Multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high-availability) data repository, to make it harder for an adversary to gain access to a system and its information.
- Daily backups of important new or changed data, software and configuration settings, stored disconnected (offline) and retained for at least three months, so that protected copies are available for recovery even if live data is encrypted or destroyed; test restoration initially, annually and whenever IT infrastructure changes.
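The controls above are verifiable on an individual host. As an added example (not from the ASD documents or this article), the PowerShell script below performs a read-only spot check of four of the Essential Eight on a Windows machine: whether an effective AppLocker policy exists, whether Office macro settings are locked down, how old the most recently installed update is, and who holds local administrative rights. The registry paths assume Office 2016/2019/365 (the `16.0` key) with macro settings applied through Group Policy (the `Policies` branch; settings a user chose themselves live under `HKCU:\Software\Microsoft\Office\16.0\...` instead); the 30-day patch window is an assumed threshold, and the script only reports, it changes nothing.

```powershell
# Added example, not from the ASD documents: read-only spot check of four of the
# Essential Eight on one Windows host. Assumptions: Office 16.0 with macro policy
# set via Group Policy, a 30-day patch window, and the local "Administrators" group.
$results = @()

# 1. Application whitelisting: is an effective AppLocker policy with at least one rule in place?
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
$ruleCount = 0
if ($policy) {
    $ruleCount = ($policy.RuleCollections | Measure-Object -Property Count -Sum).Sum
}
$results += [pscustomobject]@{
    Control = 'Application whitelisting'
    Pass    = ($ruleCount -gt 0)
    Detail  = "Effective AppLocker rules: $ruleCount"
}

# 2. Office macros. VBAWarnings: 3 = disabled except digitally signed, 4 = disabled without
#    notification. blockcontentexecutionfrominternet = 1 blocks macros in files from the Internet.
$macroPass = $true
$macroDetail = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A missing key yields $null, which fails both tests, so "not configured" counts as a fail.
    $ok = ($p.VBAWarnings -in 3, 4) -and ($p.blockcontentexecutionfrominternet -eq 1)
    if (-not $ok) { $macroPass = $false }
    "$app VBAWarnings=$($p.VBAWarnings) BlockInternet=$($p.blockcontentexecutionfrominternet)"
}
$results += [pscustomobject]@{
    Control = 'Office macro settings'
    Pass    = $macroPass
    Detail  = ($macroDetail -join '; ')
}

# 3. Patching: the most recently installed update must fall inside the assumed 30-day window.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$patchPass = $false
$patchDetail = 'No hotfix install dates found'
if ($latest) {
    $age = (Get-Date) - $latest.InstalledOn
    $patchPass = ($age.TotalDays -le 30)
    $patchDetail = "$($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString()) ($([int]$age.TotalDays) days ago)"
}
$results += [pscustomobject]@{
    Control = 'Patch operating system'
    Pass    = $patchPass
    Detail  = $patchDetail
}

# 4. Restrict administrative privileges: list every member of the local Administrators group
#    other than the built-in account, so each one can be justified against the user's duties.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
$extra = @($admins | Where-Object { $_ -notmatch '\\Administrator$' })
$adminDetail = 'Only the built-in Administrator account'
if ($extra.Count -gt 0) { $adminDetail = "Additional admins: $($extra -join ', ')" }
$results += [pscustomobject]@{
    Control = 'Restrict administrative privileges'
    Pass    = ($extra.Count -eq 0)
    Detail  = $adminDetail
}

$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session (AppLocker and local group queries need it). A “Pass” here is only a first filter: a domain-joined host will legitimately list `Domain Admins` as a local administrator, and the macro check does not confirm that a trusted-locations list or signing certificate has been set up, so treat the output as a prompt for review rather than proof of compliance.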
New Mitigation Strategies
The ASD has also revised its listing of mitigation strategies: 37 mitigation controls grouped into five categories. These are not just technical steps but involve the whole organisation in changing its behaviour.
- Prevention of malware delivery and execution;
- Limiting the extent of cyber security incidents;
- Detecting cyber security incidents;
- Recovering data and system availability; and
- Preventing malicious insiders.
The new notable mitigation controls are:
- Hunt to discover incidents;
- Personnel management;
- Daily backups;
- Business continuity and disaster recovery plans; and
- System recovery capabilities.
These new mitigation controls underline a change in thinking to align with the “Identify – Protect – Detect – Respond – Recover” functions of the US National Institute of Standards and Technology’s Cybersecurity Framework.
ASD advises organisations to identify their data assets and perform a risk assessment to determine the level of protection required against the various threats before implementing the mitigation controls. It underlines the value of motivators, such as a detected cyber security incident, penetration testing or mandatory data breach reporting, in driving improvements to an organisation’s cyber security posture, as well as the importance of informed, supportive executives, access to skilled cyber security professionals and adequate financial resources.
Whatever the state of your cyber security preparation, the advice distilled from the Essential Eight that every organisation can act on immediately is to ensure that operating systems and applications are patched, and that offline, offsite backups are current and have been tested for restoration.