The ‘Essential 8’ is a baseline mitigation strategy devised by the Australian Cyber Security Centre (ACSC). By implementing the measures outlined in this strategy, organisations will benefit from hardening their environments and protecting against, and allowing mitigation of, cyber threats.
Area A: Mitigation strategies to prevent malware delivery and execution
| Detail | Why | How (controls that can assist) | |
| Application control | Prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers. | All non-approved applications (including malicious code) are prevented from executing. |
Remove administrator rights from the primary user account. Have a separate login for admin and only use this for application installations when required and advanced configuration work. Regularly scan the system for installed apps, and remove any that are unnecessary or appear suspicious. Example: CrowdStrike Falcon will prevent malicious applications from running.
|
| Configure Microsoft Office macro settings |
Block macros in files downloaded from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
|
Microsoft Office macros can be used to deliver and execute malicious code on systems. |
Some macros provide useful functionality, and blocking them may lead to productivity loss. Configure macros to only run from trusted locations. Example: CrowdStrike Falcon will intercept any untoward macros that execute commands with malicious intent. |
| Patch applications | e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications. | Security vulnerabilities in applications can be used to execute malicious code on systems. |
Ensure installed applications are set to update on a regular schedule, e.g. monthly. Example: CrowdStrike Spotlight will identify patch levels for applications, especially if they are out of date. Look for critical alerts. |
| User application hardening | Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. | Flash, ads and Java are popular ways to deliver and execute malicious code on systems. |
Remove Adobe Flash. Install ad and pop up blockers. Disable unwanted features in office or other tools. Ensure browsers are updated regularly.
|
Area B: Mitigation strategies to limit the extent of cyber security incidents
| Restrict administrative privileges |
Operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. |
Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems. |
(As above) no user account should have admin privileges. Login separately when needing special functionality, including application installations. Example: CyberArk Privileged Access Manager solution to vault and manage credentials on privileged accounts. |
| Patch operating systems |
Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don't use unsupported versions. |
Security vulnerabilities in operating systems can be used to further the compromise of systems. |
Set Windows to be updated regularly – monthly. Example: CrowdStrike Spotlight or Tenable will provide insight as to out of date software versions that have known vulnerabilities. |
| Multi-factor authentication |
Including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository. |
Stronger user authentication makes it harder for adversaries to access sensitive information and systems. |
Consider 3 points for identity: 1. Something you know (e.g. a username, password, PIN code, etc). 2. Something you have (e.g. an ID card or security token). 3. Something you are (e.g. fingerprint and other biometrics).
|
Area C: Mitigation strategies to recover data and system availability
| Daily backups |
Important for new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. |
To ensure information can be accessed following a cyber security incident (e.g. a ransomware incident). |
Backups should be taken daily and stored in an air-gapped facility. Example: Commvault Metallic is a cloud-based solution that is very easy to use, providing off-site, ransomware-protected backups. |
“Some of these strategies may be new for many organisation,” says Lumen IT General Manager Craig Tamlin.
“The implementation of a robust cyber security strategy is a journey; over time increasing the maturity of the controls in each area.”
Tamlin says cybersecurity culture starts with using the Essential 8 tips at home.
"Updating all of these obvious things when required — your browser and your operating system; setting up your Windows to do updates. That's actually really important.
“But guess what? Some people go, ‘that's really annoying, I'm just going to disable that feature’. That’s the worst thing you can do.”
For more information on how to set up your organisation’s cyber security, or for a tailored training package, contact Lumen IT.
The ‘Essential 8’ is a baseline mitigation strategy devised by the Australian Cyber Security Centre (ACSC). By implementing the measures outlined in this strategy, organisations will benefit from hardening their environments and protecting against, and allowing mitigation of, cyber threats.
