The Top 4 has expanded into the Essential Eight. Will this new set of security controls help organisations avoid cyber attacks and stay out of the headlines? Kinetic IT’s Chris Bolan and Tony Campbell take a deeper look.
Response to the ASCS Threat Report
The Australian Cyber Security Centre’s (ACSC) threat report, released late last year, highlighted the evolution of cyber threats across Australia, from the relatively inept ransomware attacks in 2015 to the more evasive and insidious attacks in 2016 and 2017.
This includes the meteoric rise of targeted attacks that leverage the context gained from their target’s openly available social media profile. This new wave of targeted, bespoke attacks has led to a surge in the number of security incidents across every industry sector and government department.
In response, the Australian Signals Directorate (ASD) has published the new ‘Essential Eight’ set of security controls, which has expanded from the original Top 4.
RELATED CONTENT: The Essential Eight Cyber Strategies For An 85% Better Sleep
What are the Top 4?
For several years, the ASD has been promoting four main mitigation strategies to combat targeted cyber intrusions. They assert, by implementing all of the Top 4 controls, that organisations will block as much as 85% of targeted cyber-attacks.
Yet, the ACSC’s report shows that the threat landscape has dramatically changed since ASD first published this guidance in 2010, as has the speed at which cyber threats are monetised and deployed.
The original Top 4 mitigation strategies
1. Application Whitelisting
Application whitelisting has occupied the number one spot for a while now, due to its effectiveness in preventing a range of exploits. The software prevents non-authorised applications from running on a system by actively blocking any application not explicitly allowed.
2. Patch Applications
Most software application companies now release a constant stream of patches to identify vulnerabilities. While there is always a gap between when a vulnerability is identified and when a patch is available, in almost all cases significant breaches still occur long after a patch was released due to failure to maintain and support a regulated patching cycle.
3. Patch Operating Systems
As with applications, there is a constant stream of operating system patches in response to identified vulnerabilities. Such patches often have greater urgency as the wide applicability of the vulnerabilities makes them highly desirable for untargeted attacks.
4. Restrict Administrative Privileges
All too often users and systems administrators request and retain unnecessary privileged access to applications and operating systems. By restricting the privilege level of most accounts we lessen the risk that compromised user credentials will have a significant impact.
RELATED CONTENT: Cyber security awareness: Treat it like OHS
New additions to the Top 4 to form the Essential Eight
While there is no doubt that the Top 4 strategies provide a solid foundation to mitigate cyber-attack, the emergence of the Essential Eight illustrates how our understanding of the risks and modern attack methods are evolving. Therefore, the Essential Eight controls build on the original Top 4, but also seek to address the threats ACSC has seen in recent years.
1. Disable untrusted Microsoft Office macros
While dropping from the radar for a while due to decreased prevalence, macros are once again in vogue as an infection vector for ransomware. Disabling office macros significantly lowers the risk of items such as Word documents leading to a security incident.
2. User application hardening<
One of the largest challenges facing system administrators is the use of legacy internet technologies such as Flash and Java. These are known to have significant vulnerabilities but are difficult to remove due to legacy applications and websites that still rely on such technology to operate. Removing or blocking the use of these legacy items significantly reduces or eliminates the vulnerability to a range of web-based attacks.
3. Multi-factor authentication
News of leaked user credentials (usernames & passwords) is now almost a weekly occurrence with a range of high-profile examples in the last year. A long overdue entrant to the essential list, multi-factor authentication significantly reduces the impact of leaked credentials as the addition of a physical token or biometric control renders stolen credentials unusable.
RELATED CONTENT: What is the most secure Multi-Factor Authentication method?
4. Daily backup of important data
When ransomware or another breach does occur the fastest way to recover is often to restore the system from a recent backup. By ensuring offline daily backs of important data, organisations can minimise the impact of any data loss resulting from such attacks.
Practical steps for a changing world
The expansion of the Top 4 and release of the Essential Eight is a clear acknowledgement of the realities of the current threat landscape. In particular, the recommendation for daily backups as an essential control illustrates that even with the tightest active cyber security countermeasures, preventing every breach is unrealistic.
When viewing these changes it’s important to remember:
- Your security controls need to focus on both prevention and recovery, so you’ll be able to reduce the impact of a successful attack that can cause lasting harm.
- It is essential that common sense and a risk-first approach are adopted. Too often organisations react to risk by jumping into complex technical transformation programmes or buying more security gadgetry.
- Every new technology or change to your enterprise may also have a negative impact on your organisation, so it’s important to analyse each cost (operational and financial) vs benefit before proceeding.