In an effort to significantly improve the cyber resilience of Australian businesses, the Australian federal government is mandating compliance across all eight cybersecurity controls of the Essential Eight framework. This is an ambitious move that may be burdensome to the many entities still struggling to comply with just the top four controls of the Essential Eight. This post clearly outlines the expectations of all eight security controls and explains how Australian businesses can achieve compliance for each of them.
The Essential Eight is an Australian cybersecurity framework published by the Australian Signals Directorate (ASD). The framework, published in 2017, is an upgrade of the ASD's original set of 4 security controls. The Essential Eight added 4 further strategies to establish the eight controls that aim to protect Australian businesses from the cyberattacks of today.
The eight strategies are divided across three primary objectives: preventing attacks, limiting the impact of attacks, and maintaining data availability.
Organizations that implement the Essential Eight can track their compliance through the framework’s maturity scale, which comprises three levels:
Each level can be customized to suit each business’s unique risk profile. This allows organizations to identify their current state of compliance so that they understand the specific efforts required to progress through each level.
The Australian Signals Directorate (ASD) recommends that all Australian businesses achieve maturity level three for the optimal malware threat and cyberattack protection.
It’s important to understand that the Essential Eight is the minimum baseline of cyber threat protection recommended by the ASD. Organizations are encouraged to augment this framework with additional, more sophisticated data breach prevention solutions to significantly mitigate the impact of cyberattacks.
The federal government will mandate the Essential Eight framework for all 98 non-corporate Commonwealth entities (NCCEs).
Previously, only the top four security controls in objective 1 of the Essential Eight were mandatory, but now compliance across all eight strategies is expected.
To ensure all security controls are maintained to the highest degree, every entity that must comply with this cybersecurity framework will undergo a comprehensive audit every 5 years, commencing in June 2022.
Now, we will explain each of the eight control strategies and how you can achieve compliance for each of them.
All Australian businesses with an annual turnover of $3 million are required to report data breaches to both impacted customers and the Office of the Australian Information Commissioner (OAIC) within 72 hours.
This requirement applies to all private and public Australian businesses, whether or not they’ve implemented the Essential Eight framework.
Any breach that is likely to result in serious harm to individuals and customers must be reported. Because it’s difficult to gauge the impact of each breach, to be safe, it’s best to report all breaches to the OAIC.
This regulatory requirement is known as the Notifiable Data Breach Scheme (NDB), and compliance is also mandatory for the following entities:
Failure to comply with the NDB scheme breaches the Privacy Act, which could result in enforcement action.
Application whitelisting only permits applications that have been reviewed and approved by an IT administrator to run. This strategy aims to prevent malware, ransomware or other cyber threats from being introduced through insecure applications.
This process can be represented by a simple Yes / No switch. If a program is whitelisted, it’s permitted to run. Everything else is denied (blacklisted).
The following types of applications should be restricted with whitelisting rules:
To understand the correct use cases for application whitelisting, it’s important to understand the practices that do not fall under it.
Application whitelisting is not:
Application whitelisting and application blacklisting meet the same security objective from different directions.
Application blacklisting is the process of preventing applications in a specific list from executing, whereas application whitelisting permits the execution of applications in a specific list.
Because both strategies meet the same objective, there’s little difference between them. Whitelisting is arguably a more secure methodology because its establishment is slightly more complex.
Application whitelisting can be implemented in three steps.
This will become your application whitelist, separated into different categories.
The “core” category should list all of the applications that are vital for meeting your business objectives. Because application requirements differ across sectors, each department should be its own category.
If you’re struggling to compile this list, start by identifying all of the necessary tasks in each department, then map them to all of the applications required to perform them.
This process will force you to reconsider the necessity of some applications. Be as frugal as possible and only implement solutions that are absolutely vital to your business. Removing unnecessary applications will shrink your attack surface, which supports the cyber risk mitigation efforts of the Essential Eight framework.
The execution of only whitelisted applications can be controlled through different attributes. There are 6 primary options. Not all of them are recommended as some do not follow best cybersecurity practices.
Being aware of insecure whitelisting attributes will help you identify vulnerabilities in your whitelisting policies.
File path whitelisting only permits applications in a specified path to run. There are two variants:
For example, if the directory C:/Windows/Program Files is whitelisted, all files and applications in the Program Files folder will be permitted to run.
For example, if the file path C:/Windows/ProgramFiles/UpGuard.exe is whitelisted, only the program UpGuard.exe is permitted to run if its name and location remain unchanged.
For maximum security, complete file path whitelisting is recommended. Only use the directory-based whitelisting if the complete file path attribute is not possible.
As the name suggests, file name whitelisting only permits applications with specific names. This attribute isn’t recommended because compromised applications with whitelisted filenames will still be permitted to run.
If filename whitelisting must be implemented, it should be used in conjunction with the cryptographic hash attribute.
This attribute only permits applications whose cryptographic hash matches an approved value to load, regardless of their filename or location. While this attribute is highly secure, it can be difficult to maintain, since updated applications also have new cryptographic hashes.
So whenever a patch is installed, or an application is updated, the whitelist will need to be updated accordingly.
It’s also important to continuously audit the application whitelist to ensure cryptographic hashes for applications with known vulnerabilities are immediately removed.
File size whitelisting is predicated on the assumption that a malicious application will have a different file size to the original version. This is a false assumption as attackers can readily create malicious duplicates that seem identical in every way, including file size.
This is a very weak attribute that should never be used alone. Other whitelisting attributes should be used alongside it.
A digital signature is a unique identifier that’s integrated into an application’s code. It attests to the authenticity of an application and verifies that a malicious duplicate is not attempting to load.
Another form of signature is a publisher identity. This is when application distributors brand their software to indicate that it was developed by them.
There are, however, two drawbacks to this whitelisting strategy.
First, applications carrying the identity attribute of a trusted publisher are not necessarily safe. Many third-party breaches happen through reputable software, as evidenced by the SolarWinds supply chain attack.
Second, if this attribute is used alone, legacy software with known vulnerabilities will still be permitted to run.
This attribute only permits processes that are necessary to run approved applications. All other processes are denied. This whitelisting control prevents malicious processes from compromising applications.
However, this control should not be used alone since approved processes could be compromised to gain access to applications.
This attribute should be coupled with context-based authorization capabilities. This combination is the most secure whitelisting control.
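To make the relative strength of these attributes concrete, here is an added Python example (not part of the original post) that evaluates one constructed allowlist entry against a legitimate binary and a malicious copy that keeps the same name, location and file size. The paths, publisher name and file contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed stand-ins for file contents. TAMPERED is padded to the same size as ORIGINAL,
# mimicking a malicious duplicate that keeps the original's name, location and file size.
ORIGINAL = b"MZ example-app v1.0 legitimate build"
TAMPERED = b"MZ example-app v1.0 malicious build".ljust(len(ORIGINAL), b" ")

# One allowlist entry, as compiled from the step 1 application inventory (values constructed).
RULE = {
    "directory": "C:/Program Files/ExampleApp",                  # directory-based file path
    "full_path": "C:/Program Files/ExampleApp/ExampleApp.exe",   # complete file path
    "name": "ExampleApp.exe",                                    # file name
    "sha256": hashlib.sha256(ORIGINAL).hexdigest(),              # cryptographic hash
    "size": len(ORIGINAL),                                       # file size
    "publisher": "Example Software Pty Ltd",                     # publisher identity
}


@dataclass(frozen=True)
class Candidate:
    """What the allowlisting agent sees when a program is launched."""
    path: str        # full launch path
    content: bytes   # file bytes (read from disk on a real host; constructed here)
    publisher: str   # signer identity from the digital signature, "" if unsigned


def check_attribute(attr: str, c: Candidate) -> bool:
    """Evaluate a single whitelisting attribute against the candidate."""
    p = PureWindowsPath(c.path)   # case-insensitive path comparison, as on Windows
    if attr == "directory":
        return PureWindowsPath(RULE["directory"]) in p.parents
    if attr == "full_path":
        return p == PureWindowsPath(RULE["full_path"])
    if attr == "name":
        return p.name == RULE["name"]
    if attr == "hash":
        return hashlib.sha256(c.content).hexdigest() == RULE["sha256"]
    if attr == "size":
        return len(c.content) == RULE["size"]
    if attr == "publisher":
        return c.publisher == RULE["publisher"]
    raise ValueError(f"unknown attribute {attr!r}")


def permitted(c: Candidate, attrs: tuple) -> bool:
    """A policy permits execution only when every attribute it relies on matches."""
    return all(check_attribute(a, c) for a in attrs)


def compare_policies() -> dict:
    """Verdict pairs (legitimate binary, malicious copy) for several attribute combinations."""
    legit = Candidate(RULE["full_path"], ORIGINAL, RULE["publisher"])
    fake = Candidate(RULE["full_path"], TAMPERED, "")   # unsigned copy dropped over the original
    policies = {
        "name only": ("name",),
        "name + size": ("name", "size"),          # both pass: these attributes are weak
        "directory only": ("directory",),
        "full path + hash": ("full_path", "hash"),
        "publisher + hash": ("publisher", "hash"),
    }
    return {label: (permitted(legit, a), permitted(fake, a)) for label, a in policies.items()}


if __name__ == "__main__":
    for label, (ok_legit, ok_fake) in compare_policies().items():
        print(f"{label:18} legitimate={ok_legit} malicious copy={ok_fake}")
```

Note that a hash-only policy still permits the genuine binary when it is moved elsewhere, which is exactly why the hash attribute is location-independent and why it must be refreshed whenever the application is updated.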
Step 3 is an ongoing effort to ensure all specified whitelisting rules are maintained. This is best achieved with a change management program.
The Australian Signals Directorate (ASD) makes it very clear that application whitelisting should never be used as a replacement for antivirus software. The Essential 8 is a minimum baseline for cybersecurity and should be implemented alongside other, more sophisticated cybersecurity solutions.
For more details about application whitelisting, read this guide by the National Institute of Standards and Technology (NIST).
To simplify compliance, the Essential Eight framework should be broken down into different categories and addressed individually. The compliance requirements of each category are outlined below.
To achieve compliance for all security controls, you must constantly be aware of your position in the Essential Eight maturity scale. Refer to this compliance roadmap to understand the different maturity levels.
After identifying your current maturity level, cybersecurity solutions should be implemented to achieve and maintain a maturity level 3 status – remember, the Essential Eight is just the baseline for cybersecurity.
The Australian Signals Directorate (ASD) recommends the following controls to achieve application security compliance:
To further strengthen application security, attack surface reduction rules should be implemented in parallel with whitelisting policies.
UpGuard helps Australian businesses achieve application control compliance by identifying vulnerabilities for both internal and third-party vendor applications. This data can be used to establish an application whitelist and audit existing whitelisting choices.
This strategy involves two controls of the Essential Eight:
To identify the specific patches you need to install, you first need to identify all of the vulnerabilities that require remediation in your digital landscape.
There are several options for discovering vulnerabilities both internally and throughout the vendor network. Some are outlined below.
But don’t solely focus on digital vulnerabilities. Analogue vulnerabilities are prevalent, and if they’re exploited, your digital patching efforts will be nullified.
An example of an analogue vulnerability is unrestricted access to the network server room.
Vulnerability discovery becomes difficult when the threat landscape extends to the vendor network. To overcome this barrier third-party risk assessments should be used.
All discovered vulnerabilities should be assigned a level of criticality. The Australian Signals Directorate (ASD) recommends four categories:
Patches need to be applied to all discovered vulnerabilities in a timely manner. Remediation efforts should correspond to the criticality of each vulnerability; higher-risk exposures need to be addressed first. This results in the most efficient distribution of response efforts.
The Australian Signals Directorate (ASD) recommends the following response time frames for each category of risk:
Ironically, some patch installations may cause system disruptions. Though these occurrences are rare, they should be accounted for in your Incident Response Plan to minimize service disruptions.
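As an added example (not from the original post), the following Python sketch carries the discover, categorise and remediate steps through: each finding gets a due date derived from its criticality category, and open findings are ordered by urgency with overdue items flagged. The four category names, the day counts in SLA_DAYS, and the findings themselves are constructed placeholders for this example, not the ASD's published time frames.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation deadline per criticality category, in days after discovery. These values are
# assumed placeholders for this example; substitute the time frames your organisation adopts.
SLA_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    asset: str         # system or vendor product where the vulnerability was found
    advisory: str      # advisory or scanner identifier (constructed values below)
    criticality: str   # one of the four categories in SLA_DAYS
    discovered: date   # date the vulnerability was discovered
    patched: bool = False

    def due(self) -> date:
        """Deadline implied by the finding's criticality category."""
        if self.criticality not in SLA_DAYS:
            raise ValueError(f"unknown criticality {self.criticality!r} for {self.asset}")
        return self.discovered + timedelta(days=SLA_DAYS[self.criticality])


def remediation_queue(findings):
    """Unpatched findings ordered by criticality first, then by earliest due date."""
    order = {c: i for i, c in enumerate(SLA_DAYS)}   # critical=0 ... low=3
    return sorted((f for f in findings if not f.patched),
                  key=lambda f: (order[f.criticality], f.due()))


def overdue(findings, today: date):
    """Unpatched findings whose deadline has already passed, in input order."""
    return [f for f in findings if not f.patched and f.due() < today]


def report(findings, today: date):
    """Queue rows (asset, advisory, criticality, due date, status); returned, not printed."""
    rows = []
    for f in remediation_queue(findings):
        days_left = (f.due() - today).days
        status = "OVERDUE" if days_left < 0 else f"{days_left}d left"
        rows.append((f.asset, f.advisory, f.criticality, f.due().isoformat(), status))
    return rows


# Constructed sample scan output and an assumed reporting date.
SAMPLE = [
    Finding("web-frontend", "ADV-0001", "critical", date(2022, 6, 1)),
    Finding("hr-portal", "ADV-0002", "high", date(2022, 6, 3)),
    Finding("vendor-invoicing", "ADV-0003", "low", date(2022, 5, 1)),
    Finding("file-server", "ADV-0004", "medium", date(2022, 5, 10)),
    Finding("mail-gateway", "ADV-0005", "critical", date(2022, 6, 1), patched=True),
]
TODAY = date(2022, 6, 10)

if __name__ == "__main__":
    for row in report(SAMPLE, TODAY):
        print("  ".join(row))
```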
For the most up-to-date patch releases, refer to the National Institute of Standards and Technology (NIST) vulnerability database.
It is the responsibility of all vendors to ensure their software is always updated with the latest patches. Unfortunately, not all your vendors may take cybersecurity as seriously as you do, so this responsibility should be supported by vendor security software.
The Australian Signals Directorate recommends the following strategies for achieving application and OS patching compliance:
GRC360 helps Australian businesses achieve compliance with the patch application strategy by detecting and remediating data leaks and software vulnerabilities throughout the vendor network.
To facilitate vendor risk assessments, the GRC360 platform maps to popular assessment frameworks and also offers a custom questionnaire builder to contextualize each vulnerability audit.
Application hardening (also known as application shielding) is the practice of increasing the cyber threat resilience of online applications. This could involve keeping applications updated with the latest patches and implementing specialized security solutions.
The goal is to obfuscate access to internal networks from public-facing applications to prevent malware injection. Legacy applications are usually targeted in such attacks because they lack the necessary security sophistication to identify and block breach attempts.
This method of intrusion is achieved with exploit kits – a set of hacking tools used by cybercriminals to compromise system vulnerabilities.
Exploits kits (or exploit packs) are commonly used to compromise the following applications:
Application hardening controls should be implemented at the cyber attack prevention phase of a cybersecurity framework. Their job is to effectively defend internal systems from all unauthorized access.
The Essential Eight aims to maximize threat resilience at all phases of a cyberattack, from penetration attempts through to successful breaches. If each defense layer is equipped with the most effective cyber threat controls, threat actors will struggle to burrow through to sensitive resources at each stage of an attack.
That being said, the chances of avoiding a data breach are much higher if the fight starts and ends outside of the IT ecosystem. This is why it’s so important to deploy sophisticated cybersecurity solutions at this threat landscape boundary.
Application hardening is a two-pronged approach. Applications must be protected from reverse engineering and tampering. Some mechanisms that could help achieve these two objectives are outlined below.
Hackers use debuggers to map application structures to discover vulnerabilities that could be exploited. These reconnaissance campaigns can be disrupted by anti-debugging code. These functions detect common debugging methods and block them.
Here’s an example of a very simple anti-debugging function called the IsDebuggerPresent function:
Code obfuscation involves strategic additions, modifications, and encryption applied to code in order to confuse hackers.
Static code analysis is a method of analyzing source code before a program is executed. This is a debugging method that reveals vulnerabilities in the source code. Binary packing prevents static analysis by encrypting applications when they’re downloaded. The code is only unpacked when the application is running, and during this process static analysis is exceedingly difficult.
White-box cryptography is the practice of keeping secret keys concealed at all times, even while the code is running. These functions can be integrated into any application.
This anti-tampering mechanism for iOS applications detects and reports root access attempts.
This is the Android equivalent of iOS jailbreak detection.
Integrity checkers continuously check whether any segments of code have been modified without authorization. This mechanism is helpful to security teams because of the range of actions that can be triggered when malicious modifications are detected.
The Australian Signals Directorate recommends the following strategies for achieving application hardening control compliance:
GRC360 helps Australian businesses comply with application hardening expectations by identifying critical vulnerabilities across all third-party vendor applications that fail security best practices.
Administrative accounts with the highest privileges have unmitigated access to the company’s most sensitive resources. This is why cybercriminals instantly hunt for these accounts after penetrating an ecosystem.
These accounts can reside either at a local, domain, or enterprise level.
Privileged Access Management (PAM) is supported by a 4 pillar framework:
To secure Privileged Access Management, these accounts need to be kept to a minimum in order to compress this attack vector. The first step, therefore, is a rigorous audit of all current privileged accounts with the goal of deleting as many as possible.
Some restrictions then need to be implemented on the accounts that survive the culling process. This will minimize the impact of a data breach if a privileged account is compromised.
The Australian Signals Directorate recommends the following strategies for achieving administrative privilege restriction control compliance:
GRC360 helps Australian businesses comply with administrative privilege restriction expectations by facilitating user role and responsibility specifications.
Microsoft Office Macros are designed to make workflows more efficient by automating routine tasks. Unfortunately, if a macro is compromised, it could grant threat actors access to sensitive resources.
The most secure response is to disable all Microsoft Office macros but this may not be a practical solution for everyone as some may be vital for business objectives.
A balance must, therefore, be struck between enabling the necessary macros and minimizing the security impact.
The following questions will facilitate this filtration process:
After completing this audit, group policy settings can be implemented for the following use cases:
The Australian Signals Directorate recommends that all Microsoft Office macros be disabled for maximum security, and that users be prevented from changing macro settings.
For all necessary macros the following controls should be implemented:
GRC360 helps Australian businesses achieve compliance with the Essential Eight’s MS Office macro controls by continuously evaluating the security postures of the vendors that develop the macros being implemented.
These risk profiles reveal whether a vendor can be trusted and if their security practices lapse in the future.
Multi-Factor Authentication introduces additional security prompts after users submit their login credentials. The goal is to confirm the legitimacy of each login attempt and make it significantly harder for cybercriminals to access internal networks.
Though Multi-Factor Authentication (MFA) is one of the simplest security controls to implement, it’s one of the most effective methods of preventing data breaches. This is because each authentication layer requires a separate set of credentials, which compounds the difficulty of compromising networking access.
Multi-Factor Authentication is also one of the best methods of defending against brute force attacks.
But not all MFA controls are created equal. Some are more secure than others. The most secure authentication methods are those that are physically separate from the device being used to log into a network.
Here’s a list of different MFA methodologies:
All remote devices must be secured with multiple layers of authentication. This is especially important in the current workforce model which has been forced to conform to remote work.
For maximum security, at least two of the following authentication layers must be used:
In addition to this, the Australian Signals Directorate also recommends the following MFA controls:
GRC360 helps Australian businesses secure all user accounts by notifying employers of any staff credentials that have been exposed in third-party breaches.
This is the final control of the Essential Eight and also the final line of defense in a cyberattack lifecycle. If an attacker penetrates all other 7 controls, the impact could still be reduced if all compromised files can be replaced with a clean backup in a timely manner.
Australian businesses should implement a digital preservation policy that involves daily backups and controls that protect backups from unauthorized modification.
The Australian Signals Directorate recommends the following controls to help Australian businesses maintain a consistent and untainted backup of all essential data in the event of a cyber threat penetrating all other 7 controls: