What are the Eight Essentials (and why should non-Australians care)?

In 2017, the Australian Cyber Security Centre (ACSC) published a set of mitigation strategies designed to help organizations protect against cyber security incidents. These strategies, which became known as the Essential Eight, are specifically designed for use on Windows networks, although variations of these strategies are commonly applied to other platforms.

What is the Essential Eight?

The Essential Eight is essentially a cybersecurity framework made up of objectives and controls (each objective includes multiple controls). Initially, the Australian government only mandated that businesses adhere to four of the security controls that were included in the first objective. However, from June 2022, the 98 Non-Corporate Commonwealth Entities (NCCEs) are required to comply with the entire framework.

Non-Australians take note

Although the Essential Eight is specific to Australia, organizations outside of Australia should take note. After all, the Essential Eight is “based on ACSC’s experience in producing cyber threat intelligence, responding to cybersecurity incidents, conducting penetration tests, and helping organizations implement Essential Eight” (source). In other words, the Essential Eight can be thought of as a set of best practices that are based on the ACSC’s own experience.

Another reason for those outside of Australia to pay attention to the Essential Eight is that most developed nations have cybersecurity regulations that closely mimic it. While there will inevitably be differences between regulations, most sets of cybersecurity regulations seem to agree on the basic mechanisms that need to be in place to remain secure. Examining Australia’s Essential Eight can help organizations abroad better understand what it takes to keep their systems secure.

The Essential Eight is divided into four maturity levels, with Maturity Level 0 indicating that the organization is not adequately secured. Maturity Level 1 provides a very basic level of protection, while Maturity Level 3 has requirements that are much more stringent. Organizations are encouraged to assess their overall risks and IT resources when choosing a target maturity level.

Objective 1: Application Control

Application Control is designed to prevent unauthorized code from running on systems. Maturity Level 1 focuses primarily on preventing users from running unauthorized executables, scripts, tools, and other components on their workstations, while Maturity Level 2 adds protections for servers with Internet access. Maturity Level 3 adds further controls, such as driver restrictions and compliance with Microsoft’s recommended block lists.

Objective 2: Patch Applications

The second objective focuses on applying patches to applications. Software vendors routinely release security patches as vulnerabilities are discovered. The patching objective states (for all maturity levels) that vulnerabilities in Internet-facing services must be patched within two weeks, unless an exploit exists, in which case patches must be applied within 48 hours of becoming available. This objective also prescribes guidance for other types of applications and for the use of vulnerability scanners.

Objective 3: Configure Microsoft Office macro settings

The third objective is to disable macros in Microsoft Office for users who do not have a legitimate business need for them. Organizations should also ensure that macros are blocked in any Office files that originate from the Internet and that these settings cannot be modified by end users. Organizations should also use antivirus software to scan macros. Higher maturity levels add further requirements, such as only running macros from within sandboxed environments.
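One way to audit the Maturity Level 1 macro settings described above, as an added example that is not from the original article or the ACSC. It assumes Office 2016 or later (registry version string "16.0") and reads the per-user Group Policy values that back the Trust Center settings; values under the Policies hive are enforced by policy and cannot be changed by the user in the Trust Center, which covers the "cannot be modified by end users" requirement.

```powershell
# Added example: report Office macro policy state per application for the current user.
# Assumes Office 2016/2019/365 ("16.0"); older releases use a different version key.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    # blockcontentexecutionfrominternet = 1 blocks macros in files carrying the
    # Mark of the Web (downloaded from the Internet), regardless of user choice.
    $blockInternet = $policy.blockcontentexecutionfrominternet

    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    # 3 or 4 set by policy means macros are disabled for users without a business need.
    $vbaWarnings = $policy.VBAWarnings

    $internetOk = ($blockInternet -eq 1)
    $macrosOk   = ($vbaWarnings -in 3, 4)
    # No Policies key at all means the settings are user-controlled, not enforced.
    $enforced   = ($null -ne $policy)

    [pscustomobject]@{
        Application            = $app
        BlockInternetMacros    = $internetOk
        MacrosDisabledByPolicy = $macrosOk
        SettingsEnforced       = $enforced
        Compliant              = ($internetOk -and $macrosOk -and $enforced)
    }
}
```

Run it under the account being assessed; machine-wide policy (HKLM:\Software\Policies) can be checked the same way by changing the hive in $policyPath.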

Objective 4: User Application Hardening

The fourth objective is called User Application Hardening, but at Maturity Level 1 it is primarily concerned with hardening the web browser on users’ PCs. More specifically, browsers must be configured so that they do not process Java content and do not render web advertisements. In addition, Internet Explorer 11 must not be used to render Internet content (higher maturity levels require removing or disabling Internet Explorer). Browser settings should be configured so that users cannot change them.

The higher maturity levels focus on hardening other applications beyond the browser. For example, Microsoft Office and PDF readers should be prevented from creating child processes.

Objective 5: Restrict Administrative Privileges

Objective 5 is about keeping privileged accounts safe. It sets rules such as preventing privileged accounts from accessing the Internet, email, and web services. In addition, non-privileged accounts should be prohibited from logging into privileged environments.

When an attacker seeks to compromise a network, one of the first things they will do is try to gain privileged access. As such, it is extremely important to protect privileged accounts from compromise. One of the best third-party tools to do this is Specops Secure Service Desk, which prevents unauthorized password resets for both privileged and non-privileged accounts. That way, an attacker won’t be able to gain access to a privileged account simply by requesting a password reset.

Objective 6: Patch Operating Systems

Just as application vendors regularly release patches to fix known vulnerabilities, Microsoft regularly releases Windows patches. These patches usually arrive on “Patch Tuesday”, but patches are sometimes deployed out of band when serious vulnerabilities are fixed.

The Patch Operating Systems objective lays out the basic requirements for keeping Windows patched. Additionally, this objective requires organizations to check for missing patches on a regular basis.

Objective 7: Multi-factor Authentication

The seventh objective defines when multi-factor authentication should be used. Maturity Level 1 is relatively lenient and requires multi-factor authentication primarily when users access Internet-based or web-based applications (among other things). Higher maturity levels require multi-factor authentication in an increasing number of situations.

Requiring multi-factor authentication is one of the most effective things an organization can do to keep user accounts secure. Specops uReset enables multi-factor authentication for password reset requests, helping to keep user accounts secure.

Objective 8: Regular backups

The eighth objective is to create regular backups. In addition to creating backups, organizations should perform test restores and prevent non-privileged accounts from deleting or modifying backups, or from accessing backups they do not own. Higher maturity levels place additional access restrictions on both non-privileged and privileged accounts (other than backup administrators and emergency accounts).
