Unlocking Cybersecurity Excellence: A Guide to the Australian Cyber Essential Eight

The Essential Eight is a set of baseline mitigation strategies aimed at Australian enterprise and government. It is widely regarded as one of the more effective frameworks for hardening systems and limiting the damage from the most common kinds of attack:

  1. Insider threat actors
  2. Ransomware
  3. Advanced Persistent Threats (APTs)

Most Australian government entities are required to implement the Essential Eight, which was developed by the Australian Signals Directorate (ASD, Australia's equivalent of the American NSA and the UK's GCHQ) and its Australian Cyber Security Centre (ACSC) to reduce the likelihood and impact of a cyber security incident.

The strategies are assessed against a four-level maturity model, from Maturity Level Zero (significant weaknesses in posture) through to Maturity Level Three. Each level sets more demanding requirements for each of the eight strategies, and an organisation targets the level that matches the adversaries it expects to face.

What are the Essential Eight?

  1. Application Control
  2. Patch Applications
  3. Configure Microsoft Office macro settings
  4. User Application Hardening
  5. Restrict Administrative Privileges
  6. Patch Operating Systems
  7. Multi-Factor Authentication
  8. Regular Backups

Hopefully most of these are common sense for any organisation with information or systems they need to protect. Additionally, this list of strategies shouldn’t be the only thing an organisation does to protect their data.

Application Control

Application control is the process of restricting which applications and file types (executables, software libraries, scripts, installers and similar) are allowed to run on a workstation or server, and protecting the resulting event logs from unauthorised modification or deletion. The restriction covers anything a user downloads from the Internet as well as applications the user has written themselves. The important point is that it is an allow-list: only approved software runs, rather than only known-bad software being blocked. For most users this is workable because they use the same set of applications day to day and seldom need to run something different.

This control is most painful for knowledge workers who use uncommon applications to perform their duties, such as downloading a terminal emulator to configure a firewall or other network appliance. Having an approved software catalogue, and an exception process that lets these workers get the software they need approved quickly, should reduce the pain.

Patch Applications

Patch Applications covers the discovery and patching of applications installed on workstations and servers. Even in the strictest environments I have seen many different versions of the same application running across an estate, including various builds of Microsoft Office, browsers, and other notoriously update-hungry applications.

This strategy also requires the use of a vulnerability scanner to find missing patches. The maturity model sets timeframes for both scanning and patching, with the shortest applying to internet-facing services where a working exploit exists (48 hours), so an accurate inventory of what is installed where is the first prerequisite.
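The discovery half of this strategy is often the hard part, so here is an added example (not from the original post) of building an application inventory from the Windows registry and summarising version drift across hosts. It assumes Windows with PowerShell 5.1 or later and, for the fleet case, that WinRM remoting is enabled; the hosts.txt file in the comment is a placeholder.

```powershell
# Added example: build an application inventory from the Windows registry and
# report applications that are present in more than one version across hosts.
# Assumptions: Windows, PowerShell 5.1+, WinRM remoting for the fleet case.

function Get-InstalledApplication {
    # The three Uninstall hives cover 64-bit, 32-bit (WOW6432Node) and per-user installs.
    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Skip entries with no display name and hidden system components.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Name      = $_.DisplayName.Trim()
                Version   = [string]$_.DisplayVersion
                Publisher = $_.Publisher
                Scope     = if ($_.PSPath -match 'HKEY_CURRENT_USER') { 'User' } else { 'Machine' }
            }
        }
}

function Get-VersionSpread {
    # Takes inventory records from one or many hosts and summarises version drift per application.
    param([Parameter(Mandatory)] [object[]] $Inventory)
    $Inventory | Group-Object Name | ForEach-Object {
        $byVersion = $_.Group | Group-Object Version | Sort-Object Name
        [pscustomobject]@{
            Name         = $_.Name
            Hosts        = @($_.Group.Computer | Select-Object -Unique).Count
            VersionCount = $byVersion.Count
            Versions     = ($byVersion | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
        }
    }
}

# Local run. For a fleet, collect over WinRM instead, for example:
#   $inventory = Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-InstalledApplication}
$inventory = Get-InstalledApplication
Get-VersionSpread -Inventory $inventory |
    Where-Object VersionCount -gt 1 |
    Sort-Object VersionCount -Descending |
    Format-Table -AutoSize
```

On a single machine the version-spread table is usually short; the value comes when the inventory is gathered from many hosts, where it shows exactly which applications have drifted and which hosts are behind. Registry Uninstall keys miss portable applications and per-user installs under other profiles, so treat this as a complement to, not a replacement for, the vulnerability scanner the strategy requires.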

Configure Microsoft Office macro settings

Microsoft Office macros have been discouraged by everyone including Microsoft, which in February 2022 announced that VBA macros in files downloaded from the Internet would be blocked by default. Macros are used to automate repetitive tasks within the Office suite, but there has been a push away from them because they can be used to deliver malicious code that infects your machines. Microsoft recommends using other tools, such as the Power BI suite, instead.

If your organisation does need macros, enable them only for users with a demonstrated business need, require that they run in a sandbox or are digitally signed by a trusted publisher, make sure they are scanned by antivirus at run time, block macros in files that originated from the Internet, and prevent users from changing these settings themselves.
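As an added example (not from the original post), the script below audits, and optionally enforces, the per-user Office policy registry values that correspond to these requirements: block macros in files from the Internet, disable macros for users without a need (or allow only signed macros for those with one), and enable AMSI run-time scanning of macros. It assumes Office 2016 or later (registry version key 16.0); the choice of "disable all except digitally signed" for approved users is a design assumption, and writing to HKCU\Software\Policies is a stop-gap for hosts that Group Policy does not yet reach.

```powershell
# Added example: audit and optionally enforce the Office macro policy values
# that implement the Essential Eight macro requirements for the current user.
# Assumptions: Office 2016 or later (registry version key 16.0). Values under
# HKCU\Software\Policies are honoured by Office as policy but are only a stop-gap
# where Group Policy is not yet delivering them.

function Test-OfficeMacroPolicy {
    param(
        [switch] $Apply,                  # write non-compliant values instead of only reporting
        [switch] $HasBusinessNeed,        # user is in the approved-macro group (assumption)
        [string] $OfficeVersion = '16.0'  # assumption: Office 2016/2019/2021/Microsoft 365
    )
    $policyRoot = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"

    # VBAWarnings: 4 = disable all macros without notification,
    #              3 = disable all macros except digitally signed ones.
    $vbaWarnings = if ($HasBusinessNeed) { 3 } else { 4 }

    $desired = foreach ($app in 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio') {
        # BlockContentExecutionFromInternet relies on the Mark-of-the-Web on downloaded files.
        [pscustomobject]@{ Key = "$policyRoot\$app\Security"; Name = 'BlockContentExecutionFromInternet'; Value = 1 }
        [pscustomobject]@{ Key = "$policyRoot\$app\Security"; Name = 'VBAWarnings';                       Value = $vbaWarnings }
    }
    # MacroRuntimeScanScope 2 = AMSI scans macros in all documents (needs an AMSI-capable antivirus).
    $desired += [pscustomobject]@{ Key = "$policyRoot\Common\Security"; Name = 'MacroRuntimeScanScope'; Value = 2 }

    foreach ($d in $desired) {
        $current = $null
        if (Test-Path $d.Key) {
            $current = (Get-ItemProperty -Path $d.Key -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
        }
        $ok = ($current -eq $d.Value)
        if ($Apply -and -not $ok) {
            if (-not (Test-Path $d.Key)) { New-Item -Path $d.Key -Force | Out-Null }
            New-ItemProperty -Path $d.Key -Name $d.Name -PropertyType DWord -Value $d.Value -Force | Out-Null
            $current = $d.Value
            $ok = $true
        }
        [pscustomobject]@{ Key = $d.Key; Setting = $d.Name; Current = $current; Expected = $d.Value; Compliant = $ok }
    }
}

# Report only; add -Apply to enforce for the current user.
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Values written under HKCU can be changed back by the user, so the "settings cannot be changed by users" requirement is only met when these same values are delivered by Group Policy (or an equivalent MDM channel) and the audit above is used to verify they landed. The Internet block also depends on downloaded files carrying the Mark-of-the-Web, which is why it is paired with disabling macros outright for everyone who does not need them.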

User Application Hardening

User application hardening is the process of following hardening guides provided by ASD, vendors, or STIGs (Security Technical Implementation Guides). The Essential Eight is specific here about the everyday attack surface: web browsers should not process Java or web advertisements from the Internet, Internet Explorer 11 should be disabled or removed, and users should not be able to change browser security settings. This strategy ensures that applications are not given free rein on your machine and that they have been configured in a secure manner.

Restrict Administrative Privileges

Gone are the days when everyone had administrator access (which is a good thing). Controlling who has administrative privileges, and to what, has become the norm for most organisations. This strategy requires that privileged access be requested and validated, that privileged accounts be separate from the day-to-day accounts that read email and browse the Internet, and that privileged accounts be blocked from those services altogether.

Jump servers, privileged access management portals, and automated provisioning via SCIM (System for Cross-domain Identity Management) make it easier to grant privilege for a limited time, to remove it when a role changes, and to log and record the actions performed with it.

Patch Operating Systems

Similar to the Patch Applications strategy, the Essential Eight requires operating systems to be patched within set timeframes, again using a vulnerability scanner to identify missing patches and to catalogue assets. Operating systems that are no longer supported by their vendor must be replaced.

Multi-Factor Authentication

Multi-factor authentication means using more than one type of authentication factor to gain access to a system, for example a one-time password (OTP), an authenticator application, a hardware security key, or biometrics in addition to a password. This strategy mostly targets Internet-accessible services, but also covers sensitive data repositories and all administrative access, and the higher maturity levels call for phishing-resistant methods rather than SMS or push-based codes.

Regular Backups

Backups cover important data, application configuration, and settings so that they can be recovered in the event of a disaster or ransomware incident. The strategy also requires that restoration be tested regularly, and that access to backups be limited so that unprivileged accounts, and at the higher maturity levels even most privileged accounts, cannot modify or delete them.

I would add that backups be kept disconnected from production systems, so that an APT with administrative privileges cannot delete or otherwise corrupt the backup repository.

How does the Essential Eight compare to the ISM?

The ISM (Information Security Manual) is an ASD document containing a large catalogue of controls, with specific requirements for different classifications of data. While it mostly applies to government organisations and to private organisations that handle government data, the Essential Eight maturity model calls out the specific ISM controls that can be used to build out an Essential Eight implementation.

Is it enough to only employ the Essential Eight strategies?

In a word, no. The ACSC also publishes many other strategies that can be used in conjunction with the Essential Eight to improve the security posture of an organisation. The Essential Eight is a minimum baseline that organisations (both government and non-government) can deploy to reduce risk.

https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents

What Next?

There are many other frameworks that can be used to improve an organisation's security posture, including (and definitely not limited to):

  1. MITRE D3FEND Framework
  2. Zero Trust Architecture (NIST SP 800-207)
  3. The NIST SP 800 series
  4. Center for Internet Security (CIS) Benchmarks

Observability is key to Cyber success. You cannot secure what you cannot see.

