Developing a security policy doesn’t require reinvention. Several sets of guidelines are available, such as the CIS security controls, and the OWASP security design principles. The Australian Cyber Security Centre offers the Essential Eight, a set of flexible mitigation strategies to make systems more resistant to being compromised and that can be implemented according to an organisation’s risk appetite. These principles focus primarily on software management, and fundamental measures for securing your organisation.
Data breaches can be disastrous, resulting in high direct costs and lost productivity. A large share of breaches is attributable to neglecting basic preventive measures such as patching, and following the recommendations of the Essential Eight may well prevent a major incident for your organisation.
In cybersecurity, the term ‘mitigation’ typically refers to methods of reducing or ending the damage caused by a security incident, through proactive measures or as part of incident response. The strategies described here are mostly about prevention, not damage reduction. They’re mitigation strategies in the sense that they’ll reduce or eliminate the impact which a security event might cause. If a phishing message tricks an employee into opening a tainted link, or if someone receives and opens a malicious document, following the Essential Eight makes it less likely that any harm will follow, or at least reduces the harm that does.
How to Apply the Essential Eight
Every environment is different. The same set of priorities and actions won’t apply in every situation, nor for every company. The Essential Eight is a framework for a security strategy, not a mere checklist of ‘things to do’. A security plan needs to take into account the degree of acceptable risk and the nature of the risk. Some of the strategies are basic needs which are perilous to ignore, but some may not be applicable to every technology environment.
Applying security strategies is an ongoing process. A network keeps changing as devices are added and removed. New threats appear in software, and new defensive measures become necessary. The process is a matter of pursuing an optimal state that doesn’t stand still; it’s not a matter of reaching a static set of measures and claiming victory.
The ACSC defines three maturity levels for the application of the strategies. Which one an organisation should aim for depends on its level of acceptable risk and the available resources. ACSC recommends as a baseline that all organisations aim for Level 3, while some need even higher levels of mitigation.
Preventing Malware from Running
Four of the strategies are aimed at preventing malicious software from being installed and running on an organisation’s systems.
The first one listed, application whitelisting, is the most controversial. Whitelisting allows only approved applications — that is, ones which match particular signatures or are digitally signed by an authority — to be installed and run. There’s no question that it is effective in keeping malicious code out. It also requires resources to manage and can inconvenience users.
Operating systems such as Mac OS and Windows allow setting up a simple form of whitelisting. When enabled, it accepts software that comes with the operating system or from the application store and rejects other software by default. Administrators can approve other installations. Third-party security software is available which lets administrators create custom lists of approved applications.
Companies should test a whitelisting system before deploying it to make sure it works without interfering with normal operations.
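The following is an added example, not code from the article or from any ACSC or vendor product, showing the two approval paths the text describes (a pinned hash, or a valid signature from an approved publisher) and the audit mode that lets a company trial the list before enforcing it. The sample executables, the publisher name and the signature results are all constructed stand-ins; a real agent would read the files from disk and have the operating system verify the signatures.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample "executables". In a real deployment the bytes would be
# read from disk and the signature verified by the OS; both are faked here so
# the example runs offline.
SAMPLE_FILES: Dict[str, bytes] = {
    "approved_tool.exe": b"MZ-approved-tool-v1",
    "signed_vendor_app.exe": b"MZ-vendor-app",
    "unknown_download.exe": b"MZ-something-from-the-internet",
}

# Constructed stand-in for a code-signing check: file name -> publisher whose
# signature validated, or None if the file is unsigned or the signature is bad.
SIGNED_PUBLISHER: Dict[str, Optional[str]] = {
    "approved_tool.exe": None,
    "signed_vendor_app.exe": "Example Vendor Pty Ltd",
    "unknown_download.exe": None,
}


@dataclass(frozen=True)
class AllowList:
    hashes: FrozenSet[str]      # SHA-256 digests of individually approved binaries
    publishers: FrozenSet[str]  # publishers whose validly signed code is approved


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Assumed organisation policy: one hash-pinned tool plus one trusted publisher.
APPROVED = AllowList(
    hashes=frozenset({sha256_of(b"MZ-approved-tool-v1")}),
    publishers=frozenset({"Example Vendor Pty Ltd"}),
)


def decide(data: bytes, publisher: Optional[str], allow: AllowList) -> Tuple[bool, str]:
    """Allow-list decision for one executable. Anything unmatched is denied."""
    digest = sha256_of(data)
    if digest in allow.hashes:
        return True, f"hash {digest[:12]}... is on the allow list"
    if publisher is not None and publisher in allow.publishers:
        return True, f"validly signed by approved publisher '{publisher}'"
    return False, "not on the allow list and not signed by an approved publisher"


def evaluate(files: Dict[str, bytes], signers: Dict[str, Optional[str]],
             allow: AllowList, enforce: bool) -> Dict[str, Tuple[str, str]]:
    """Apply the allow list to a set of files.

    enforce=False is audit mode: nothing is blocked, but every file that
    *would* be blocked is recorded, so the list can be tuned against normal
    operations before enforcement is switched on.
    """
    report = {}
    for name, data in files.items():
        allowed, reason = decide(data, signers.get(name), allow)
        if allowed:
            action = "allow"
        else:
            action = "block" if enforce else "would-block"
        report[name] = (action, reason)
    return report


if __name__ == "__main__":
    audit = evaluate(SAMPLE_FILES, SIGNED_PUBLISHER, APPROVED, enforce=False)
    for name, (action, reason) in audit.items():
        print(f"{action:12} {name}: {reason}")
```

Running the audit first and reviewing the "would-block" entries is the test the paragraph above calls for: anything legitimate that shows up there is added to the list (by hash or by publisher) before the switch to enforce mode, at which point the same decisions become "block". Note that a modified copy of the pinned tool no longer matches its hash, so hash pinning also catches tampering with an approved binary.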
Patching applications is straightforward. There are no excuses for ignoring it. All software has flaws, and some of them endanger security. When the risks become publicly known, someone will exploit them.
ACSC recommends using the latest versions of applications and applying “extreme risk” patches within 48 hours of their availability. Patching is necessary not only for applications but for runtime systems. If the currently installed Java or PHP runtime has a critical defect, it needs to be updated as quickly as possible.
Any patch needs testing to make sure it was applied correctly and there are no compatibility problems. If a compatibility issue prevents an application from being updated, it needs to be addressed at the earliest opportunity.
Some applications have features that are more risky than useful. If they aren’t needed, disabling or limiting them can greatly reduce vulnerability to common attacks.
Browsers and email clients directly access the Internet, so they deserve special attention. Flash is obsolete, and it should be removed or disabled. Regular users shouldn’t be able to install unauthorised plug-ins. Other plug-ins improve security and should be installed by default. For example, ad blockers don’t just decrease annoyance; they can block malicious third-party content, known as “malvertising.”
Restricting MS Office Macros
The Essential Eight list breaks out one form of application hardening for special attention. Macros in Microsoft Office documents let the application run embedded code, which is very dangerous if the documents come from an untrusted source. Macros can run arbitrary commands if enabled.
Recent versions of Office disable macros by default, unless they have a signature from a trusted source or were created on the same computer. The important thing is to make sure these settings aren’t changed. The same issue applies to alternative applications, such as LibreOffice, which can open Office files.
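As an added example (not code from the article, nor from Microsoft or LibreOffice), the check below inspects inbound Office Open XML attachments for an embedded VBA project and quarantines macro-bearing documents from untrusted sources, which is the "untrusted source" concern above applied at a mail gateway rather than on the desktop. The in-memory packages it builds are constructed zip containers with only the members the check needs, not real documents; the member names and macro-enabled extensions are the standard OOXML ones, and the "trusted sender" flag is an assumed input from the mail system.

```python
import io
import zipfile
from typing import Optional, Tuple

# Zip members that hold a VBA project in the Office Open XML container formats.
VBA_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that openly declare macro capability.
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def make_office_package(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-style container in memory.

    It is only zip structure, not a document Word could open; it carries just
    enough members for the check below to run offline.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed-vba-project")
    return buf.getvalue()


def contains_vba_project(data: bytes) -> Optional[bool]:
    """True/False if the container could be inspected, None if it could not.

    Legacy binary formats (.doc/.xls) are not zip files and need a different
    parser; they are reported as "unknown" rather than assumed clean.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return None
    return any(member in names for member in VBA_MEMBERS)


def classify_attachment(filename: str, data: bytes, trusted_sender: bool) -> Tuple[str, str]:
    """Decide what a mail gateway should do with an inbound Office attachment."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    has_macro = contains_vba_project(data)
    if has_macro is None:
        return "review", "attachment could not be inspected"
    if not has_macro:
        return "deliver", "no embedded VBA project"
    if ext not in MACRO_ENABLED_EXTENSIONS:
        return "quarantine", f"VBA project inside a '{ext}' file whose extension does not declare macros"
    if trusted_sender:
        return "deliver-flagged", "macro-enabled document from a trusted sender; recipient warned"
    return "quarantine", "macro-enabled document from an untrusted source"


if __name__ == "__main__":
    for name, trusted in (("report.docx", False), ("invoice.docm", False), ("invoice.docm", True)):
        pkg = make_office_package(with_macro=name.endswith("m"))
        print(name, trusted, classify_attachment(name, pkg, trusted))
```

The extension mismatch case is worth keeping: a VBA project inside a file whose extension does not declare macros is unusual enough to deserve a look regardless of who sent it. Gateway filtering complements, rather than replaces, the desktop setting the paragraph describes; the desktop policy is what still protects a user who receives a document by a path the gateway never sees.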
Limiting the Impact of Security Incidents
Three of the Essential Eight strategies are closer to mitigation in the usual sense. They provide ways to reduce the chances of damage if an account is compromised or malware gets to run.
Restricting Administrative Privileges
Accounts that allow sensitive operations should be as restricted as possible. Only people who are trusted and need to perform those actions should have access to the accounts. Anyone who breaks into them can do serious damage.
Role-based authorisation limits what a middle-level administrative account can do. For example, an account that needs to modify a database directly may not need the ability to create and alter user accounts. Tailoring roles to employees’ job descriptions will slow down anyone who breaks into their accounts.
Administrators should use privileged accounts only when necessary. They shouldn’t use them for routine tasks such as email and Web access. The less they use the privileged account, the smaller the chance it will be compromised.
Passwords can be guessed or stolen. Adding a second authentication factor means that password theft alone isn’t enough to access an account. Multi-factor authentication is valuable for privileged accounts and for remote access.
The most common forms of multi-factor authentication (MFA) are two-factor (2FA) methods such as sending a code by SMS or email. Other methods, such as a dedicated authenticator application or a hardware token, are more secure, though they may be less convenient. Security questions such as “What is your mother’s maiden name?” are not sufficient, since the answers are often easy to guess or discover. Combining a password with one or more additional factors of this kind provides a far greater level of protection, without necessarily having to rely on biometric verification.
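To make the three preceding points concrete (role-based limits on what an administrative account can do, privileged accounts kept away from routine tasks, and a second factor required for privileged and remote access), here is an added example of an access-decision function. It is not code from the article or from any identity product; the role names, permission strings, account names and the set of accepted second factors are constructed for illustration. Security questions are deliberately left out of the accepted factors, for the reason the paragraph gives.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Constructed role model. Permissions are deny-by-default: an action is allowed
# only if some role held by the account grants it.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "staff": {"email.read", "web.browse"},
    "helpdesk": {"user.reset_password"},
    "db_maintainer": {"db.read", "db.modify_schema"},
    "identity_admin": {"user.create", "user.alter", "user.delete"},
    "domain_admin": {"user.create", "user.alter", "user.delete",
                     "host.admin", "db.read", "db.modify_schema"},
}
ROUTINE_ACTIONS = {"email.read", "web.browse"}

# Second factors that count as a second factor. Security questions are
# deliberately absent: their answers are too easy to guess or look up.
ACCEPTED_SECOND_FACTORS = {"sms", "email", "authenticator_app", "hardware_key"}


@dataclass(frozen=True)
class Account:
    name: str
    roles: FrozenSet[str]
    privileged: bool  # a separate admin identity, not a daily-driver account


def effective_permissions(account: Account) -> Set[str]:
    perms: Set[str] = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(account: Account, action: str, remote: bool,
              second_factor: Optional[str]) -> Tuple[bool, str]:
    """Access decision combining least privilege, role checks and MFA.

    Order matters: the cheapest policy rules run first, and an action the
    roles do not grant is refused before any factor is even considered.
    """
    if account.privileged and action in ROUTINE_ACTIONS:
        return False, "privileged accounts are not used for routine tasks"
    if action not in effective_permissions(account):
        return False, f"no role held by {account.name} grants '{action}'"
    needs_mfa = account.privileged or remote
    if needs_mfa and second_factor not in ACCEPTED_SECOND_FACTORS:
        why = "privileged account" if account.privileged else "remote access"
        return False, f"{why} requires a second factor; got {second_factor!r}"
    return True, "allowed"


def least_privilege_gap(account: Account, actions_needed: Set[str]) -> Set[str]:
    """Permissions the account holds but its job never requires.

    A non-empty result is the candidate list for a narrower, tailored role.
    """
    return effective_permissions(account) - actions_needed


if __name__ == "__main__":
    dba = Account("dba-admin", frozenset({"db_maintainer"}), privileged=True)
    print(authorize(dba, "db.modify_schema", remote=False, second_factor="authenticator_app"))
    print(authorize(dba, "user.create", remote=False, second_factor="authenticator_app"))
    print(authorize(dba, "db.modify_schema", remote=False, second_factor="security_question"))
    bob = Account("bob-admin", frozenset({"domain_admin"}), privileged=True)
    print(sorted(least_privilege_gap(bob, {"db.read", "db.modify_schema"})))
```

The last call is the role-tailoring exercise from the text: a domain administrator who only ever maintains the database is carrying user-management and host-administration rights for no reason, and a `db_maintainer` role would serve the job with far less exposure if that account were ever broken into.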
Operating System Patching
Applying security patches to the operating system goes along with patching applications. If anything, keeping the OS patched is more important, since exploiting a system vulnerability could give an intruder access to everything on the machine.
Most major operating systems allow automatic updating. Administrators need to verify occasionally that updates are actually happening. A configuration error could stop them without being noticed, and indeed this issue has been the catalyst for breaches historically.
ACSC’s advice is to use the latest version of the operating system, but this isn’t always necessary, nor even practical. What is important is to use a version which is still supported by the vendor. If it is approaching end of support, it should be replaced well before the last moment, so that any problems caused by the upgrade can be smoothed out.
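The application-patching section earlier (extreme-risk patches within 48 hours, runtimes such as Java and PHP included) and the operating-system points just made (confirm updates are actually happening; stay on a supported version and replace it well before end of support) are all checks a report can run against an inventory. The following is an added example of such a report, not code from the article or from ACSC. The 48-hour figure is the page's; the 30-day default, the 14-day stalled-update threshold and the 180-day end-of-support lead time are assumptions, and the hosts, products, versions and advisories are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# From the page: "extreme risk" patches within 48 hours.
EXTREME_RISK_SLA = timedelta(hours=48)
# Assumed figures (the page gives none): other patches within 30 days, an OS
# that has not updated for 14 days is treated as stalled, and an OS within
# 180 days of end of support is flagged so replacement can start early.
DEFAULT_SLA = timedelta(days=30)
STALLED_UPDATE_LIMIT = timedelta(days=14)
END_OF_SUPPORT_LEAD = timedelta(days=180)

# Constructed "now" so the sample data below is reproducible.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str
    severity: str        # "extreme" or anything else
    published: datetime


@dataclass(frozen=True)
class Host:
    name: str
    os_name: str
    os_version: str
    last_successful_update: datetime
    installed: Dict[str, str]  # product -> installed version


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def application_findings(host: Host, advisories: List[Advisory], now: datetime) -> List[str]:
    findings = []
    for adv in advisories:
        installed = host.installed.get(adv.product)
        if installed is None or version_tuple(installed) >= version_tuple(adv.fixed_version):
            continue  # product absent, or already at/above the fixed version
        sla = EXTREME_RISK_SLA if adv.severity == "extreme" else DEFAULT_SLA
        deadline = adv.published + sla
        what = f"{adv.product} {installed} < {adv.fixed_version} ({adv.severity})"
        if now > deadline:
            hours_late = int((now - deadline).total_seconds() // 3600)
            findings.append(f"OVERDUE: {what}, {hours_late}h past SLA")
        else:
            findings.append(f"DUE: {what}, deadline {deadline.isoformat()}")
    return findings


def os_findings(host: Host, end_of_support: Dict[Tuple[str, str], datetime], now: datetime) -> List[str]:
    findings = []
    if now - host.last_successful_update > STALLED_UPDATE_LIMIT:
        findings.append(f"STALLED: no successful OS update since {host.last_successful_update.date()}")
    eos = end_of_support.get((host.os_name, host.os_version))
    if eos is None or eos <= now:
        findings.append(f"UNSUPPORTED: {host.os_name} {host.os_version} is outside vendor support")
    elif eos - now < END_OF_SUPPORT_LEAD:
        findings.append(f"EOS-SOON: {host.os_name} {host.os_version} loses support on {eos.date()}")
    return findings


def compliance_report(hosts, advisories, end_of_support, now) -> Dict[str, List[str]]:
    return {h.name: application_findings(h, advisories, now) + os_findings(h, end_of_support, now)
            for h in hosts}


def sample_inventory(now: datetime):
    """Constructed sample data: product, OS and version names are invented."""
    advisories = [
        Advisory("example-jre", "17.0.10", "extreme", now - timedelta(days=3)),
        Advisory("example-php", "8.2.5", "high", now - timedelta(days=10)),
    ]
    end_of_support = {
        ("ExampleOS", "9"): now - timedelta(days=30),
        ("ExampleOS", "10"): now + timedelta(days=60),
        ("ExampleOS", "11"): now + timedelta(days=400),
    }
    hosts = [
        Host("web01", "ExampleOS", "10", now - timedelta(days=20),
             {"example-jre": "17.0.9", "example-php": "8.2.4"}),
        Host("db01", "ExampleOS", "11", now - timedelta(days=2), {"example-jre": "17.0.10"}),
        Host("legacy01", "ExampleOS", "9", now - timedelta(days=1), {}),
    ]
    return hosts, advisories, end_of_support


if __name__ == "__main__":
    hosts, advisories, eos = sample_inventory(NOW)
    for host, findings in compliance_report(hosts, advisories, eos, NOW).items():
        print(host, findings or ["compliant"])
```

In the sample data, `web01` is the host this section warns about: an extreme-risk runtime fix published three days ago is already a day past its 48-hour window, the OS has not updated in twenty days (the "configuration error nobody noticed" case), and its OS version is inside the replacement lead time. The version comparison is numeric and dotted, which suits the runtimes named in the text; vendors with other schemes need their own comparator.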
Recovering Data and Systems
The last strategy in the Essential Eight concerns being able to recover from an infection or other damage to the system and data. ACSC’s Maturity Model recommends daily backups which are stored offline and retained for at least three months. Backing up once a day is a bare minimum. Incremental backups every hour – or even more often – will reduce the amount of data lost in the event of a disaster, though this will be dependent on the scope and variability of your particular operations.
The ability to restore backups needs periodic testing. The worst time to find out that a backup wasn’t operating properly is when it is needed. Downtime while figuring out how to restore damaged files is inherently very costly to any organisation.
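The policy in the two paragraphs above (daily backups, stored offline, retained at least three months, with restores tested) can be checked mechanically against a backup catalogue. The following is an added example of such a check, not code from the article, from ACSC or from any backup product. The daily interval and 90-day retention are the page's figures; the six hours of scheduling slack before a missed run counts as a gap and the 30-day limit on the age of the last proven restore are assumptions, and the backup series is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

# From the page: daily backups, kept offline, retained at least three months.
BACKUP_INTERVAL = timedelta(days=1)
RETENTION = timedelta(days=90)
# Assumptions the page does not state: six hours of scheduling slack before a
# missed run counts as a gap, and a restore must have been proven within 30 days.
SCHEDULE_SLACK = timedelta(hours=6)
RESTORE_TEST_MAX_AGE = timedelta(days=30)

# Constructed "now" so the sample series below is reproducible.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Snapshot:
    taken: datetime
    offline: bool                        # offline/immutable copy, not just another share
    restore_tested: Optional[datetime]   # when this snapshot was last restored successfully


def assess_backups(snapshots: List[Snapshot], now: datetime) -> List[str]:
    """Return findings against policy; an empty list means the set is compliant."""
    findings = []
    snaps = sorted(snapshots, key=lambda s: s.taken)
    if not snaps:
        return ["NONE: no backups recorded"]
    max_gap = BACKUP_INTERVAL + SCHEDULE_SLACK
    if now - snaps[-1].taken > max_gap:
        findings.append(f"STALE: newest backup is from {snaps[-1].taken.date()}")
    window_start = now - RETENTION
    if snaps[0].taken > window_start:
        covered = (now - snaps[0].taken).days
        findings.append(f"RETENTION: oldest backup covers only {covered} days, policy needs {RETENTION.days}")
    in_window = [s for s in snaps if s.taken >= window_start]
    for earlier, later in zip(in_window, in_window[1:]):
        if later.taken - earlier.taken > max_gap:
            days = (later.taken - earlier.taken).days
            findings.append(f"GAP: {days} days between {earlier.taken.date()} and {later.taken.date()}")
    online_only = [s for s in in_window if not s.offline]
    if online_only:
        findings.append(f"OFFLINE: {len(online_only)} snapshot(s) in the retention window are not stored offline")
    tests = [s.restore_tested for s in snaps if s.restore_tested is not None]
    if not tests or now - max(tests) > RESTORE_TEST_MAX_AGE:
        findings.append(f"RESTORE-TEST: no successful restore proven within {RESTORE_TEST_MAX_AGE.days} days")
    return findings


def constructed_series(now: datetime, days: int, skipped: FrozenSet[int] = frozenset(),
                       online: FrozenSet[int] = frozenset(),
                       tested_days_ago: Optional[int] = 10) -> List[Snapshot]:
    """Constructed sample catalogue: one backup per day at 02:00 for `days` days.

    `skipped` and `online` list day-ages to omit or to mark as not offline;
    the snapshot `tested_days_ago` days old is recorded as restore-tested.
    """
    snaps = []
    for age in range(days):
        if age in skipped:
            continue
        taken = (now - timedelta(days=age)).replace(hour=2, minute=0, second=0, microsecond=0)
        tested = taken if age == tested_days_ago else None
        snaps.append(Snapshot(taken, offline=age not in online, restore_tested=tested))
    return snaps


if __name__ == "__main__":
    print(assess_backups(constructed_series(NOW, 100), NOW))
    print(assess_backups(constructed_series(NOW, 100, skipped=frozenset({40, 41, 42})), NOW))
    print(assess_backups(constructed_series(NOW, 60, online=frozenset({5, 6}), tested_days_ago=None), NOW))
```

The restore-test finding is the one that most often surprises: a catalogue can show a perfect run of daily, offline snapshots and still fail policy because nobody has proven in the last month that any of them restores, which is exactly the situation the paragraph above warns about discovering at the worst possible time.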
Maintaining cybersecurity requires effort and imposes some inconvenience on users, but the cost of a data breach is typically measurably worse. Each organisation needs to do its own risk analysis and determine what actions will make its systems sufficiently secure. The Essential Eight strategies are a tested and useful framework for formulating a security approach for your business. Be aware, though, that much like any valuable framework, or indeed any piece of advice, the fundamentals – in the case of ITSM and general Ops Management – are to know the basics and do them well.
To understand how you can roll the Essential Eight into your security strategy, talk with Fort Safe today and secure your tomorrow.