Home>Blog>The Hacker News Headlines>What is the Essential Eight (And Why Non-Aussies Should Care)
The Hacker News Headlines

What is the Essential Eight (And Why Non-Aussies Should Care)

In 2017, The Australian Cyber Security Center (ACSC) published a
set of mitigation strategies that were designed to help
organizations to protect themselves against cyber security
incidents. These strategies, which became known as the Essential Eight[1], are designed
specifically for use on Windows networks, although variations of
these strategies are commonly applied to other platforms.

What is the Essential Eight?

The Essential Eight is essentially a cyber security framework
that is made up of objectives and controls (with each objective
including multiple controls). Initially, the Australian government
only mandated that companies adhere to four of the security
controls that were included in the first objective. Starting in
June of 2022 however, all 98 non-corporate Commonwealth entities
(NCCEs) are going to be required to comply with the entire
framework[2].

Non-Australians take note

Although the Essential Eight is specific to Australia,
organizations outside of Australia should take notice. After all,
the Essential Eight is “based on the ACSC’s experience in producing
cyber threat intelligence, responding to cyber security incidents,
conducting penetration testing and assisting organizations to
implement the Essential Eight” (source[3]). In other words, the
Essential Eight could be thought of as a set of best practices that
are based on the ACSC’s own experience.

Another reason for those outside of Australia to pay attention
to the Essential Eight is because most developed nations have cyber
security regulations that closely mimic the Essential Eight. While
there are inevitably going to be differences in regulations, most
sets of cyber security regulations seem to agree on the basic
mechanisms that need to be put into place in order to remain
secure. Examining Australia’s Essential Eight can help
organizations abroad to better understand what it takes to keep
their systems secure.

The Essential Eight are divided into four maturity levels, with
Maturity Level 0 indicating that the organization is not at all
secure. Maturity Level 1 provides a very basic level of protection,
while Maturity Level 3 has requirements that are far more
stringent. Organizations are encouraged to assess their overall
risks and IT resources when choosing a target maturity level.

Objective 1: Application Control

The Application Control objective is designed to prevent
unauthorized code from running on systems. Maturity Level 1 is
primarily intended to prevent users from running unauthorized
executables, scripts, tools, and other components on their
workstations, while Maturity Level 2 adds protections for Internet
facing servers. Maturity Level 3 adds additional controls, such as
driver restrictions and adherence to Microsoft’s block lists.

Objective 2: Patch Applications

The second objective is focused on applying patches to
applications. Software vendors routinely deliver security patches
as vulnerabilities are discovered. The Patch Applications objective
states (for all maturity levels) that patches for vulnerabilities
in Internet facing services should be patched within two weeks,
unless an exploit exists, in which case patches should be applied
within 48 hours of becoming available. This objective also
prescribes guidance for other types of applications and for the use
of vulnerability scanners.

Objective 3: Configure Microsoft Office Macro Settings

The third objective is to disable macro use in Microsoft Office
for users who do not have a legitimate business need for macro use.
Organizations must also ensure that macros are blocked for any
Office file originating from the Internet and that the settings
cannot be modified by end users. Organizations must also use
antivirus software to scan for macros. Higher maturity levels add
additional requirements such as running macros in sandboxed
locations.

Objective 4: Use Application Hardening

The fourth objective is called Application Hardening, but at a
maturity level of 1, this objective mostly relates to locking down
the Web browser on user’s PCs. More specifically, the browsers must
be configured so that they do not process Java, nor can they
process Web advertisements. Additionally, Internet Explorer 11
cannot be used to process Internet content (higher maturity levels
call for removing or disabling Internet Explorer). Browser settings
must be configured so that they cannot be changed by users.

Higher maturity levels focus on hardening other applications
beyond just the browser. For instance, Microsoft Office and PDF
readers must be prevented from creating child processes.

Objective 5: Restrict Administrative Privileges

Objective 5 is all about keeping privileged accounts save. This
objective sets up rules such as privileged accounts not being
allowed to access the Internet, email, or Web services. Likewise,
unprivileged accounts must be prohibited from logging in to
privileged environments.

When an attacker seeks to compromise a network, one of the first
things that they will do is to try to gain privileged access. As
such, it is extraordinarily important to guard privileged accounts
against compromise. One of the best third-party tools for doing so
is Specops Secure Service Desk[4] which prevents
unauthorized password resets for both privileged and unprivileged
accounts. That way, an attacker will be unable to gain access to a
privileged account simply by requesting a password reset.

Objective 6: Patch Operating Systems

Just as application vendors periodically release patches to
address known vulnerabilities, Microsoft releases Windows patches
on a regular basis. These patches normally arrive on “Patch
Tuesday”, but out of band patches are sometimes deployed when
serious vulnerabilities are being patched.

The Patch Operating System objective sets up the basic
requirements for keeping Windows patched. In addition, this
objective requires organizations to regularly scan for missing
patches.

Objective 7: Multifactor Authentication

The seventh objective defines when multifactor authentication
must be used. Maturity Level 1 is relatively lenient, requiring
multifactor authentication primarily when users access Internet
facing, or Web based applications (among other things). Higher
maturity levels require multifactor authentication to be used in an
ever-increasing number of situations.

Requiring multifactor authentication is one of the most
effective things that an organization can do to keep user accounts
secure. Specops uReset[5]
enables multifactor authentication for password reset requests,
helping to keep user accounts secure.

Objective 8: Regular Backups

The eighth’s objective is to create regular backups. Besides
creating backups, organizations are required to perform test
restorations and to prevent unprivileged accounts from deleting or
modifying backups, or from accessing any backups that are not their
own. Higher maturity levels set additional access restrictions on
unprivileged accounts and on privileged accounts (aside from backup
admins and break glass accounts).

References

  1. ^
    the
    Essential Eight     (www.cyber.gov.au)
  2. ^
    required
    to comply with the entire framework
    (www.upguard.com)
  3. ^
    source
    (www.cyber.gov.au)
  4. ^
    Specops
    Secure Service Desk     (specopssoft.com)
  5. ^
    Specops
    uReset     (specopssoft.com)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.