In an effort to significantly improve the cyber resilience of Australian businesses, the Australian federal government is mandating compliance across all eight cybersecurity controls of the Essential Eight framework. This is an ambitious move that may be burdensome to the many entities still struggling to comply with just the top four controls of the Essential Eight. This post clearly outlines the expectations of all eight security controls and explains how Australian businesses can achieve compliance for each of them.

What is the Essential Eight?

The Essential Eight is an Australian cybersecurity framework by the Australian Signals Directorate (ASD). This framework, published in 2017, is an upgrade from the original set of 4 security controls by the ASD. The Essential Eight introduced 4 additional strategies to establish the eight control that aim to protect Australian businesses from cyberattacks today.

The eight strategies are divided across three primary objectives – prevent attacks, limit attack impact, and data availability.

Objective 1: Prevent Cyberattacks

• Patch application vulnerabilities
• Application control
• User application hardening
• Configuring MS Office Macro settings

Objective 2: Limit the Impact of Cyberattacks

• Patch operating system vulnerabilities
• Restrict Admin access
• Implement Multi-Factor Authentication (MFA)

Objective 3: Data Recovery and System Availability

• Daily backups.

Organizations that implement the Essential Eight can track their compliance through the framework’s maturity scale, which is comprised of three levels:

• Maturity Level One – Partially aligned with mitigation strategy objectives
• Maturity Level Two – Mostly aligned with mitigation strategy objectives
• Maturity Level Three – Fully aligned with mitigation strategy objectives

Each level can be customized to suit each business’s unique risk profile. This allows organizations to identify their current state of compliance so that they understand the specific efforts required to progress through each level.

The Australian Signals Directorate (ASD) recommends that all Australian businesses achieve maturity level three for the optimal malware threat and cyberattack protection.

It’s important to understand that the Essential Eight is the minimum baseline of cyber threat protection recommended by the ASD. Organizations are encouraged to augment additional sophisticated data breach prevention solutions to this framework to significantly mitigate the impact of cyberattacks.

Is the Essential Eight Mandatory?

The federal government will mandate the Essential Eight framework for all 98 non-corporate Commonwealth entities (NCCEs).

Previously, only the top four security controls in objective 1 of the Essential Eight were mandatory, but now compliance across all eight strategies is expected.

To ensure all security controls are maintained at the highest degree, all entities that must comply with this cybersecurity framework will undergo a comprehensive audit every 5 years commencing on June 2022.

Now, we will explain each of the eight control strategies and how you can achieve compliance for each of them.

Do Australian Businesses Need to Report Data Breaches?

All Australian businesses with an annual turnover of $3 million are required to report data breaches to both impacted customers and the Office of the Australian Information Commissioner (OAIC) within 72 hours.

This essential requirement applied to all private and public Australian businesses – whether or not they’ve implemented the Essential Eight framework.

Any breach that is likely to result in serious harm to individuals and customers must be reported. Because it’s difficult to gauge the impact of each breach, to be safe, it’s best to report all breaches to the OAIC.

This regulatory requirement is known as the Notifiable Data Breach Scheme (NDB) and its compliance is also mandatory for the following entities:

• Health service providers
• Credit reporting bodies
• Credit providers that process credit eligibility information
• Tax File Number (TFN) recipients
• All entities regulated under the Privacy Act 1988

Failure to comply with the NDB scheme breaches the Privacy act which could result in enforcement action.

Application Whitelisting

Application whitelisting ensures only permits applications that have been reviewed and approved by an IT administrator. This strategy aims to prevent malware, ransomware or any cyber threats from being injected through unsecure applications.

This process can be represented by a simple Yes / No switch. If a program is whitelisted, it’s permitted to run. Everything else is denied (blacklisted).

The following types of applications should be restricted with whitelisting rules:

• Software libraries
• Installers
• Scripts
• DLL files
• PowerShell’s
• .exe files

To understand the correct use cases for application whitelisting, it’s important to understand the practices that do not fall under this practice

Application whitelisting is not:

• The use of a specialized portal that permits the installation of approved applications.
• Using cloud-based solutions to confirm the reputation of prospective applications before executing them.
• Implementing Filters (either within web browsers or email clients) that deny certain applications from being downloaded.
• The practice of detecting whether network traffic is stemming from blacklisted application requests.

Difference Between Application Whitelisting and Application Blacklisting

Both strategies meet the same security objective from different directions.

Application blacklisting is the process of preventing applications in a specific list from executing, whereas application whitelisting permits the execution of applications in a specific list.

Because both strategies meet the same objective, there’s little difference between them. Whitelisting is arguably a more secure methodology because its establishment is slightly more complex.

How to Implement Application Whitelisting

Application whitelisting can be implemented in three steps.

Step 1: Identify All Approved Applications

This will become your application whitelist, separated into different categories.

The “core” category should list all of the applications that are vital for meeting your business objectives. Because application requirements differ across sectors, each department should be its own category.

If you’re struggling to compile this list. start by identifying all of the necessary tasks in each department then map them to all of the applications required to perform them.

This process will force you to reconsider the necessity of some applications. Be as frugal as possible and only implement solutions that are absolutely vital to your business. Removing unnecessary applications will contract your attack surface which will support the cyber risk mitigation efforts of the Essential Eight framework.

Step 2: Specify Application Whitelisting Rules

The execution of only whitelisted applications can be controlled through different attributes. There are 6 primary options. Not all of them are recommended as some do not follow best cybersecurity practices.

Being aware of insecure whitelisting attributes will help you identify vulnerabilities in your whitelisting policies.

1. File Path Whitelisting

File path whitelisting only permits applications in a specified path to run. There are two variants:

• Directory-based whitelisting – Only files in specified directories and subdirectories are permitted.

For example, if the directory C:/Windows/Program Files> is whitelisted, all files and applications in the Program Files folder will be permitted to run.

• Complete file path whitelisting – Only files in a specified path are permitted.

For example, if the file path C:/Windows/ProgramFiles/UpGuard.exe is whitelisted,  only the program UpGuard.exe is permitted to run if its name and location remain unchanged.

For maximum security, complete file path whitelisting is recommended. Only use the directory-based whitelisting if the complete file path attribute is not possible.

2. Filename Whitelisting

As the name suggests, file name whitelisting only permits applications with specific names. This attribute isn’t recommended because compromised applications with whitelisted filenames will still be permitted to run.

If filename whitelisting must be implemented, it should be used in conjunction with the cryptographic hash attribute.

3. Cryptographic Hash Whitelisting

This attribute only permits hashed applications to load, regardless of their filename or location. While this attribute is highly secure it can be difficult to maintain since updated applications also have updated cryptographic hashes.

So whenever a patch is installed, or an application is updated, the whitelist will need to be updated accordingly.

It’s also important to continuously audit the application whitelist to ensure cryptographic hashes for applications with known vulnerabilities are immediately removed.

4. File Size Whitelisting

File size whitelisting is predicated on the assumption that a malicious application will have a different file size to the original version. This is a false assumption as attackers can readily create malicious duplicates that seem identical in every way, including file size.

This is a very weak attribute that should be never be used alone. Other whitelisting attributes should be used alongside it.

5. Digital Signature Whitelisting

A digital signature is a unique identifier that’s integrated into an application’s coding. They represent the authenticity of an application and verify that a malicious duplicate is not attempting to load.

Another form of signature is a publisher identity. This is when application distributors brand their software to indicate that it was developed by them.

There are, however, two downfalls to this whitelisting strategy.

To be reliable, applications with an identity attribute from a trusted publisher are not necessarily safe. Many third-party breaches happen through reputable software, as evidenced by the SolarWinds supply chain attack.

The other reason to be cautious of using this attribute alone is that legacy software with known vulnerabilities will still be permitted to run.

6. Process Whitelisting

This attribute only permits processes that are necessary to run approved applications. All other processes are denied. This whitelisting control prevents malicious processes from compromising applications.

However, this control should not be used alone since approved processes could be compromised to gain access to applications.

This attribute should be coupled with context-based authorization capabilities. This combination is the most secure whitelisting control.

Step 3: Maintain Application Whitelisting Rules

Step 3 is an ongoing effort to ensure all specified whitelisting rules are maintained. This is best achieved with a change management program.

Important Note about Application Control

The Australian Signals Directorate (ASD) makes it very clear that application whitelisting should never be used as a replacement to antivirus software. The Essential 8 is a minimum baseline for cybersecurity and should be implemented alongside other sophisticated cybersecurity solutions

For more details about application whitelisting, read this guide by the National Institute of Standards and Technology (NIST).

How to be Compliant with the Essential Eight

To simplify compliance, the Essential Eight framework should be broken down into different categories and addressed individually. The compliance requirements of each category are outlined below.

How to be Compliant with the Essential Eight Application Control

To achieve compliance for all security controls, you must constantly be aware of your position in the Essential Eight maturity scale. Refer to this compliance roadmap to understand the different maturity levels.

After identifying your current maturity level, cybersecurity solutions should be implemented to achieve and maintain a maturity level 3 status – remember, the Essential Eight is just the baseline for cybersecurity.

The Australian Signals Directorate (ASD) recommends the following controls to achieve application security compliance:

• The implementation of a whitelisting solution across all workstations and endpoints including remote endpoints.
• The implementation of a whitelisting solution across all servers.
• The implementation of Microsoft’s latest block rules.  

To further strengthen application security, attack surface reduction rules should be implemented in parallel with whitelisting policies.

UpGuard helps Australian businesses achieve application control compliance by identifying vulnerabilities for both internal and third-party vendor applications. This data can be used to establish an application whitelist and audit existing whitelisting choices.

Patching Applications (Operating Systems and Applications)

This strategy involves two controls of the essential eight:

• Patch applications for Operating Systems
• General patch applications – applications and devices

To identify the specific patches you need to install, you first need to identify all of the vulnerabilities that require remediation in your digital landscape.

There are several options for discovering vulnerabilities both internally and throughout the vendor network. Some are outlined below.

• Self-assessments – Such as the Consensus Assessments Initiative Questionnaire (CAIQ)
• Audit reports
• The National Institute for Standards and Technology (NIST) vulnerability database – This database lists Common Vulnerability Exposures (CVEs) for popular software and the necessary patches for remediating them.
• Incident response teams
• Attack surface management solutions

But don’t solely focus on digital vulnerabilities. Analogue vulnerabilities are prevalent, and if they’re exploited, your digital patching efforts will be nullified.

An example of an analogue vulnerability is unrestricted access to the network server room.

Vulnerability discovery becomes difficult when the threat landscape extends to the vendor network. To overcome this barrier third-party risk assessments should be used.

All discovered vulnerabilities should be assigned a level of criticality. The Australian Signals Directorate (ASD) recommends four categories:

Extreme Risk

• Vulnerabilities that facilitate unauthorized remote access
• Vulnerabilities that impact critical business solutions and systems.
• Vulnerabilities in the public domain
• Vulnerabilities have no mitigation controls and they’re public-facing (connected to the internet)

High Risk

• Vulnerabilities that facilitate unauthorized remote access
• Vulnerabilities that impact critical business solutions and systems.
• Vulnerabilities in the public domain
• Vulnerabilities are protected by security controls within a strong enclave.

Moderate Risk

• Vulnerabilities that allow remote access to threat actors posing as legitimate users
• Vulnerabilities that expose remote access controls to untrusted users.
• The exposed remote access gateway is guarded by two-factor authentication
• The exposed remote access gateway does not facilitate elevated privileges

Low Risk

• Vulnerabilities that can be exploited through SQL injection attacks performed by authenticated users
• Public-facing resources do not contain sensitive data
• Mitigation controls are in place that make exploitation either unlikely or very difficult.

Applying Patches

Patches need to be applied to all discovered vulnerabilities in a timely manner. Remediation efforts should correspond to the criticality of each vulnerability, higher risk exposures need to be addressed first. This will result in the most efficient distribution of response efforts.

The Australian Signals Directorate (ASD) recommends the following response time frames for each category of risk:

• Extreme risk – Within 48 hours of a patch release
• High risk – Within 2 weeks of a patch release
• Moderate / Low risk – Within 1 month of a patch release

Ironically, some patch installations may cause system disruptions. Though these occurrences are rare, they should be accounted for in your Incident Response Plan to minimize service disruptions.

For the most up-to-date patch releases, refer to the National Institute for Standards and Technology (NIST) vulnerability database.

It is the responsibility of all vendors to ensure their software is always updated with the latest patches. Unfortunately, not all your vendors may take cybersecurity as seriously as you do, so this responsibility should be supported by vendor security software.

How to be Compliant with the Essential Eight Patch Application Control

The Australian Signals Directorate recommends the following strategies for achieving application and OS patching compliance:

• The implementation of security patches across all extreme risk vulnerabilities within 48 hours.
• The implementation of solutions that confirm all necessary patches have been installed.
• Ensuring all internal applications are compatible with patched vendor software.

GRC360helps Australian businesses achieve compliance with the patch application strategy by detecting and remediating data leaks and software vulnerabilities throughout the vendor network.

To facilitate vendor risk assessments, the GRC360platform maps to popular assessment frameworks and also offers a custom questionnaire builder to contextualize each vulnerability audit.

Application Hardening

Application hardening (also known as application shielding) is the practice of increasing the cyber threat resilience of online applications. This could involve keeping applications updated with the latest patches and implementing specialized security solutions.

The goal is to obfuscate access to internal networks from public-facing applications to prevent malware injection. Legacy applications are usually targeted in such attacks because they lack the necessary security sophistication to identify and block breach attempts.

This method of intrusion is achieved with exploit kits – a set of hacking tools used by cybercriminals to compromise system vulnerabilities.

Exploits kits (or exploit packs) are commonly used to compromise the following applications:

• Adobe Flash
• Java
• Microsoft Silverlight
• Microsoft Office
• PDF Viewers
• Legacy web browsers

Application hardening controls should be implemented at the cyber attack prevention phase of a cybersecurity framework. Their job is to effectively defend internal systems from all unauthorized access.

The essential 8 aims to maximize threat resilience at all phases of a cyberattack – penetration attempts and successful breaches. If each defense layer is equipped with the most effective cyber threat controls, threat actors will struggle to burrow through to sensitive resources at each stage of an attack.

That being said, the chances of avoiding a data breach are much higher if the fight starts and ends outside of the IT ecosystem. This is why it’s so important to deploy sophisticated cybersecurity solutions at this threat landscape boundary.

Application Hardening Methods

Application hardening is a two-pronged approach. Applications must be protected from reverse engineering and tampering. Some mechanisms that could help achieve these two objectives are outlined below.

Methods of Preventing Application Reverse Engineering

1. Anti-Debugging

Hackers use debuggers to map application structures to discover vulnerabilities that could be exploited. These reconnaissance campaigns can be disrupted by anti-debugging code. These functions detect common debugging methods and block them.

Here’s an example of a very simple anti-debugging function called the IsDebuggerPresent function:

‍

2. Code Obfuscation

Code obfuscation involves strategic additions, modifications, and encryptions to coding to confuse hackers.

3. Binary Packing

Static code analysis is a method of analyzing source code before a program is executed. This is a debugging method that reveals vulnerabilities in the source code. Binary packing prevents static analysis by encrypting applications when they’re downloaded. The coding is only unpacked when the applications are running and during this process, static analysis is exceeding difficult.

4. White-Box Cryptography

White-Box Cryptography is the practice of always concealing secret keys. These functions can be integrated into any application.

Methods of Application Tampering Protection

1. iOS Jailbreak Detection

This anti-tampering mechanism for iOS applications detects and reports root access attempts.

2. Android Rooting Detection

This is the android version of IOS jailbreak detection.

Integrity checkers continuously check whether any segments of code have been modified without authorization. This mechanism is helpful to security teams because of the range of actions that can be triggered when malicious modifications are detected.

These include:

• User notifications
• Log message generation
• Custom response functions
• Instant application shutdown

How to be Compliant with the Essential Eight Application Hardening Control

The Australian Signals Directorate recommends the following strategies for achieving application hardening control compliance:

• Configure all web browsers to block or disable Flash content support. Fortunately, Adobe announced its discontinuation of Flash support in 2020.
• Disable Flash content support in Microsoft Office.
• Configure Microsoft Office to prevent Object Linking and Embedding packages from activating.
• Configure all web browsers to block web advertisements.
• Configure all web browsers to block Java on accessed websites.

GRC360 helps Australian businesses comply with application hardening expectations by identifying critical vulnerabilities across all third-party vendor applications that fail security best practices.

Restrict Administrative Privileges

Administrative accounts with the highest privileges have unmitigated access to the company’s most sensitive resources. This is why cybercriminals instantly hunt for these accounts after penetrating an ecosystem.

These accounts can reside either at a local, domain, or enterprise level.

Privileged Access Management (PAM) is supported by a 4 pillar framework:

• Discover and monitor all privileged accounts
• Secure all privileged accounts
• Track and monitor all privileged access activity
• Automate privileged management

To secure Privileged Access Management, these accounts need to be kept to a minimum, to compress this attack vector. The first step, therefore, is a vicious audit of all current privileged accounts with the goal of deleting as many as possible.

Some restrictions then need to be implemented on the accounts that survive the culling process. This will minimize the impact of a data breach if a privileged account is compromised.

How to be Compliant with the Essential Eight Administrative Privilege Restriction Control

The Australian Signals Directorate recommends the following strategies for achieving administrative privilege restriction control compliance:

• The validation of privileged access to applications and systems upon first request and then cyclically at a given frequency (annually, or ideally, more often).
• Limit privileged access to those that absolutely need it.
• Implement technical controls that prevent privileged users from reading emails, browsing the internet, and obtaining files via online services.

GRC360 helps Australian businesses comply with administrative privilege restriction expectations by facilitating user role and responsibility specifications.

Configure Microsoft Office Macros

Microsoft Office Macros are designed to make workflows more efficient by automating routine tasks. Unfortunately, if a macro is compromised, it could grant threat actors access to sensitive resources.

The most secure response is to disable all Microsoft Office macros but this may not be a practical solution for everyone as some may be vital for business objectives.

A balance must, therefore, be achieved between enabling necessary macros and minimal while minimizing security impact.

The following questions will facilitate this filtration process:

• Is this macro necessary for meeting business objectives?
• Can these objectives be met in other ways?
• Was this macro developed by a trusted party?
• Has this macro passed security validation by a trustworthy and qualified party?

After completing this audit, group policy setting can be implemented for the following use-cases:

• All macros disabled
• Only Macros from trusted locations enabled
• Only Macros Digitally Signed by trusted publishers enabled

How to be Compliant with the Essential Eight MS Office Macro Restriction Control

The Australian Signals Directorate recommends that all Microsoft Office macros are disabled for maximum security and for user to be prevented from changing macro settings.

For all necessary macros the following controls should be implemented:

• MS Office macros should only be permitted in documents from Trusted Locations.
• Macro write access should be limited to users with macro approval jurisdiction.
• All MS office macros within documents that were accessed from the internet must be blocked.

GRC360 helps Australian businesses achieved compliance with the Essential Eight’s MS office macro controls by continuously evaluating the security postures of vendors that develop the macros being implemented.

These risk profiles reveal whether a vendor can be trusted and if their security practices lapse in the future.

Multi-Factor Authentication

Multi-Factor Authentication introduces additional security prompts after users submit their login credentials. The goal is to confirm the legitimacy of each login attempt and make it significantly harder for cybercriminals to access internal networks.

Though Multi-Factor Authentication (MFA) is one of the simplest security controls to implement, it’s one of the most effective methods of preventing data breaches. This is because each authentication layer requires a separate set of credentials, which compounds the difficulty of compromising networking access.

Multi-Factor Authentication is also one of the best methods of defending against brute force attacks.

But not all MFA controls are created equal. Some are more secure than others. The most secure authentication methods are those that are physically separate to the device being used to log into a network.

Here’s a list of different MFA methodologies:

• U2F security keys
• Physical one-time PIN tokens
• Biometrics
• Smartcards
• Mobile apps
• SMS messages, emails, or voice calls
• Software certificates

How to be Compliant with the Essential Eight Multi-Factor Authentication control

All remote devices must be secured with multiple layers of authentication. This is especially important in the current workforce model which has been forced to conform to remote work.

For maximum security, at least two of the following authentication later must be used:

• Passwords with at least 6 characters
• Universal 2nd Factor (U2F) security keys
• Physical one-time password (OTP) tokens
• Biometrics
• Smartcards

In addition to this, the Australian Signals Directorate also recommends the following MFA controls:

• Enforce MFA on all privileged accounts
• Enforce MFA for all sensitive resource access requests
• Implement at least TWO of the following authentication layers –

GRC360 helps Australian businesses secure all use account by notifying employers of any staff credentials that have been impacted by third-party breaches

Daily Backups

This is the final control of the Essential Eight and also the final line of defense in a cyberattack lifecycle. If an attacker penetrates all other 7 controls, the impact could still be reduced if all compromised files can be replaced with a clean backup in a timely manner.

Australian businesses should implement a digital preservation policy that involves daily. backups and controls that prevent backups from unauthorized modifications.

How to be Compliant with the Essential Eight Daily Backups Control

The Australian Signals Directorate recommends the following controls to help Australian businesses maintain a consistent and untainted backup of all essential data in the event of a cyber threat penetrating all other 7 controls:

• Digital preservation policies are to be designed and implemented.
• Multiple data backup processes are to be implemented – a primary process and a supporting process.
• Multiple data restoration processes are to be implemented – a primary process and a secondary process.
• Data restoration processes should be tested at least once during initial implementation and then every time fundamental information technology infrastructure changes occur.
• All partial backup restoration process should be tested at least every 3 months.
• Backup processes must occur on a daily basis – for critical data and configuration settings
• Backups should be dispersed across multiple geographical locations to minimize the chances of all versions being compromised.
• Backups should store data for at least 3 months.