To help organisations protect themselves against cyber security threats, the Australian Cyber Security Centre (ACSC) has developed Strategies to Mitigate Cyber Security Incidents. The most effective among these are the Essential Eight, according to the ACSC.

In this two-part series, we will walk you through the essentials of the Essentials, starting with the first four strategies.

Before we begin, you should identify the maturity level suitable for your organisation. To keep things simple, we will only discuss the Maturity Level One* requirements.

It’s important to note that while the Essential Eight could be applied to securing cloud services, enterprise mobility and other operating systems, alternative mitigation strategies may be more appropriate for your business.

1. Patch Applications

The ACSC defines security vulnerabilities as “flaws in an application or operating system rather than a misconfiguration or deployment flaw”. Much like a real band-aid, a patch is “a piece of software designed to remedy security vulnerabilities or improve the usability or performance of software and ICT equipment”.

Alongside performing patching, regular vulnerability scans of your assets are important to identify where the patch strategy is failing.

For internet-facing services, including websites, VPN and Remote Desktop Services, organisations at all maturity levels must apply updates within two weeks of release or within 48 hours if an exploit exists, and undertake vulnerability scanning daily.

In addition, Maturity Level One organisations must patch vulnerabilities within one month of release and use a vulnerability scanner fortnightly on office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, or security products.

Make sure to remove internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, or security products on any assets that are no longer supported by the vendor.

2. Patch Operating Systems

Operating systems are highly complex. Windows, macOS and Linux contain millions of lines of code, thousands of packages, and hundreds of services.

To correct potentially disastrous breaches, organisations need to implement the Patch Operating Systems strategy.

As with Patch Applications, there are two main activities to undertake: patches and vulnerability scans. Additionally, no organisation should use an operating system that is no longer supported by the vendor. Continued use of End-of-Life operating systems can negate almost every other defence in place.

Organisations at any maturity level need to update operating systems of internet-facing services within two weeks of release, or within 48 hours if an exploit exists, and remove all unsupported operating systems.

Maturity Level One organisations need to establish a central policy to control the patching of operating systems and install patches at least monthly. Network infrastructure, including switches, wireless access points and routers, should also be manually or automatically patched monthly.

Use an external vulnerability scan of internet-facing services at least daily, or fortnightly for workstations, servers and network devices. Ensure that alerting is established and actioned.

All operating systems, network infrastructure operating systems/firmware and other device operating systems should be decommissioned when they are no longer supported by the vendor.
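The patch deadlines in sections 1 and 2 can be checked against an asset inventory. The following is an added example, not code from the ACSC or AC3: the `Item` fields, asset names and dates are constructed, and "one month" is assumed to mean 30 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Deadlines from the text above. "One month" is assumed to mean 30 days.
INTERNET_FACING = timedelta(days=14)
INTERNET_FACING_EXPLOIT = timedelta(hours=48)
OTHER_SOFTWARE = timedelta(days=30)

@dataclass
class Item:
    asset: str
    software: str
    internet_facing: bool
    vendor_supported: bool
    patch_released: Optional[datetime] = None  # None: nothing outstanding
    exploit_exists: bool = False

def assess(item: Item, now: datetime) -> str:
    """Classify one inventory row as 'remove', 'overdue', 'due' or 'ok'."""
    if not item.vendor_supported:
        return "remove"  # unsupported software is removed, not patched
    if item.patch_released is None:
        return "ok"
    if item.internet_facing:
        window = INTERNET_FACING_EXPLOIT if item.exploit_exists else INTERNET_FACING
    else:
        window = OTHER_SOFTWARE
    return "overdue" if now > item.patch_released + window else "due"

def report(inventory: List[Item], now: datetime) -> List[Tuple[str, str]]:
    """Return (asset, status) for every row that needs action, worst first."""
    order = {"remove": 0, "overdue": 1, "due": 2}
    rows = [(i.asset, assess(i, now)) for i in inventory]
    return sorted((r for r in rows if r[1] != "ok"), key=lambda r: order[r[1]])

# Constructed sample inventory (hypothetical assets and dates).
NOW = datetime(2024, 3, 15, 9, 0)
INVENTORY = [
    Item("vpn-gw", "VPN appliance", True, True, datetime(2024, 3, 12, 8, 0), True),
    Item("web01", "web server", True, True, datetime(2024, 3, 5, 0, 0)),
    Item("wks-17", "PDF software", False, True, datetime(2024, 2, 10, 0, 0)),
    Item("wks-22", "Adobe Flash Player", False, False),
    Item("srv-db", "server operating system", False, True),
]

if __name__ == "__main__":
    for asset, status in report(INVENTORY, NOW):
        print(f"{asset:8} {status}")
```

Rows marked `due` still have time left in their window; feeding the scanner's release dates into `patch_released` keeps the report aligned with what the vulnerability scans find.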

3. Restrict Administrative Privileges

In every organisation, some users need to hold a higher level of access than standard users. However, if an adversary gets access to privileged accounts, they could use this to execute damaging attacks.

Restricting administrative privileges makes it more difficult for malicious adversaries to elevate privileges, spread to other hosts, hide their existence, persist after reboot, obtain sensitive information, or resist removal efforts.

Organisations at Maturity Level One must establish a request validation policy and procedure. Organisations must also prevent administrative accounts (excluding service accounts) from accessing the internet, email and web services.

To maintain appropriate separation between privileged and unprivileged environments, provide your administrators with a separate environment (such as an Azure Virtual Desktop workstation) to perform administrative functions.

4. Regular Backups

One of the simpler strategies of the Essential Eight, backups can be the last line of defence for an organisation that falls victim to a cyber-attack. Without a backup, restoring operations may be impossible – potentially ending an organisation.

Consider your Maximum Tolerable Downtime when designing the backup system for critical data and services. Secondary copies stored offline or with sufficient segregation can help counter adversary attempts to disable backups before executing their primary attacks.

However, making copies and shipping data off site or into a third party service also carries risks. To prevent unauthorised access, encrypt your backup data and apply the same or better access restrictions as to production systems.

Maturity Level One organisations should regularly back up all servers and cloud services (at least daily) or document reasoning for an asset not requiring backup.

Retain backups for at least ninety days in the absence of regulatory or other guidance with a more specific retention period. Alternatively, organisations can determine and document another period through an assessment of all applicable risks.

As part of your disaster recovery exercises, conduct regular restoration tests from backup sets at least annually.
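The backup requirements above (daily backups or a documented exemption, ninety-day retention, an annual restoration test) can be audited from backup job records. The following is an added example, not code from the ACSC or AC3: the record fields, asset names and dates are constructed, and retention is assumed to be judged from the oldest copy still held.

```python
from datetime import datetime, timedelta
from typing import Dict, List

MAX_BACKUP_AGE = timedelta(days=1)           # back up "at least daily"
MIN_RETENTION = timedelta(days=90)           # retain "at least ninety days"
MAX_RESTORE_TEST_AGE = timedelta(days=365)   # restoration test "at least annually"

def check_asset(asset: dict, now: datetime) -> List[str]:
    """Return the backup gaps found for one server or cloud service."""
    backups = sorted(asset.get("backups", []))
    if not backups:
        # Going without backups is acceptable only with documented reasoning.
        return [] if asset.get("exemption_reason") else ["no backup, no documented reason"]
    gaps = []
    if now - backups[-1] > MAX_BACKUP_AGE:
        gaps.append("latest backup older than one day")
    # Assumption: retention is judged from the oldest copy still held, and
    # only once the asset itself is at least ninety days old.
    old_enough = now - asset["first_seen"] >= MIN_RETENTION
    if old_enough and now - backups[0] < MIN_RETENTION:
        gaps.append("oldest retained backup is under ninety days old")
    tested = asset.get("last_restore_test")
    if tested is None or now - tested > MAX_RESTORE_TEST_AGE:
        gaps.append("no restoration test in the last year")
    return gaps

def audit(assets: List[dict], now: datetime) -> Dict[str, List[str]]:
    """Map asset name to its gaps, leaving out assets with none."""
    found = {a["name"]: check_asset(a, now) for a in assets}
    return {name: gaps for name, gaps in found.items() if gaps}

# Constructed sample records (hypothetical assets and dates).
NOW = datetime(2024, 6, 1, 6, 0)
ASSETS = [
    {"name": "fileserver", "first_seen": datetime(2023, 1, 1),
     "backups": [datetime(2024, 2, 20, 2), datetime(2024, 6, 1, 2)],
     "last_restore_test": datetime(2023, 11, 10)},
    {"name": "crm-saas", "first_seen": datetime(2023, 6, 1),
     "backups": [datetime(2024, 5, 1, 2), datetime(2024, 5, 29, 2)]},
    {"name": "build-cache", "first_seen": datetime(2024, 1, 1),
     "exemption_reason": "rebuilt from source control"},
    {"name": "hr-db", "first_seen": datetime(2022, 9, 1)},
]

if __name__ == "__main__":
    for name, gaps in audit(ASSETS, NOW).items():
        print(name, "->", "; ".join(gaps))
```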

How can we help

Implementing the Essential Eight can help organisations proactively protect their customers, employees, and reputation from the ever-changing threat landscape.

AC3’s Essential Eight Security Control Assessment can review and benchmark your technical environment to make sure the foundations are properly laid.

* Organisations targeting Maturity Level One are looking to protect themselves from adversaries that are seeking any victim, rather than a specific victim. These adversaries opportunistically seek common weaknesses in many targets, rather than investing heavily to gain access to a specific target.