In 2017, the Australian Cyber Security Centre (ACSC) released a set of mitigation strategies designed to help organizations protect against cybersecurity incidents. These policies, known as the Essential Eight, are designed specifically for use on Windows networks, although variations of these policies are commonly applied to other platforms.
What is the Essential Eight?
The Essential Eight is essentially a cybersecurity framework made up of objectives and controls (each objective comprising several controls). Initially, the Australian government only required companies to comply with four of the security checks included in the first objective. However, from June 2022, all 98 Non-Corporate Commonwealth Entities (NCCEs) will be required to comply with the entire framework.
Non-Australians take note
Although the Essential Eight is specific to Australia, organizations outside Australia should still pay attention to it. After all, the Essential Eight is “based on ACSC’s experience in generating cyber threat intelligence, responding to cybersecurity incidents, performing penetration testing, and assisting organizations to implement the Essential Eight” (source). In other words, the Essential Eight can be read as a set of best practices distilled from the ACSC’s own experience.
Another reason those outside Australia should pay attention to the Essential Eight is that most developed countries have cybersecurity regulations that closely mimic it. While there are inevitably differences between regulations, most sets of cybersecurity regulations agree on the basic mechanisms that need to be in place to stay secure. Reviewing Australia’s Essential Eight can help organizations overseas better understand what it takes to keep their systems secure.
The Essential Eight defines four maturity levels (0 to 3), with Maturity Level 0 indicating that the organization is not secure at all. Maturity Level 1 offers a very basic level of protection, while Maturity Level 3 has much stricter requirements. Organizations are encouraged to assess their overall risks and IT resources when choosing a target maturity level.
Objective 1: Application control
The Application Control objective is designed to prevent the execution of unauthorized code on systems. Maturity Level 1 is primarily intended to prevent users from running unauthorized executables, scripts, tools, and other components on their workstations, while Maturity Level 2 extends the same protections to internet-facing servers. Maturity Level 3 adds further controls, such as driver restrictions and adherence to Microsoft's recommended blocklists.
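On Windows the usual mechanism behind this objective is AppLocker (or WDAC). The following script is an added example, not part of the original article or the ACSC's material: it reads the effective AppLocker policy on the local host and reports, per rule collection, whether rules exist and are in enforce mode rather than audit mode, and whether the Application Identity service that AppLocker depends on is actually running. It assumes the AppLocker PowerShell module is available (Windows Enterprise/Server editions); the list of collections it checks is this example's own choice.

```powershell
# Added example (not from the article): audit effective AppLocker enforcement.
# Assumes the AppLocker module is present (Windows 10/11 Enterprise, Windows Server).
Import-Module AppLocker

function Get-AppLockerEnforcementReport {
    # -Effective merges local and domain policy; -Xml returns the merged policy as text
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml

    # Rule collections to examine (this example's choice, not an ACSC list)
    $collections = @('Exe', 'Script', 'Msi', 'Appx', 'Dll')

    foreach ($type in $collections) {
        $collection = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq $type }

        # A missing collection, or one without an EnforcementMode attribute, is not enforced
        $mode = if ($null -eq $collection -or [string]::IsNullOrEmpty($collection.EnforcementMode)) {
            'NotConfigured'
        } else {
            $collection.EnforcementMode   # 'Enabled', 'AuditOnly' or 'NotConfigured'
        }

        # Count rule elements (FilePathRule, FilePublisherRule, FileHashRule) under the collection
        $ruleCount = 0
        if ($null -ne $collection) {
            $ruleCount = @($collection.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
        }

        [pscustomobject]@{
            Collection      = $type
            EnforcementMode = $mode
            RuleCount       = $ruleCount
            # Audit-only mode logs but does not block, so only 'Enabled' with rules counts
            Enforced        = ($mode -eq 'Enabled' -and $ruleCount -gt 0)
        }
    }
}

function Test-AppIdServiceRunning {
    # AppLocker rules are silently ignored if the Application Identity service is stopped
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

$report = Get-AppLockerEnforcementReport
$report | Format-Table -AutoSize

if (-not (Test-AppIdServiceRunning)) {
    Write-Warning 'Application Identity service (AppIDSvc) is not running; AppLocker rules are not being enforced.'
}
$unenforced = $report | Where-Object { -not $_.Enforced }
if ($unenforced) {
    Write-Warning ('Rule collections not enforced: ' + (($unenforced | ForEach-Object { $_.Collection }) -join ', '))
}
```

The report deliberately treats audit-only collections as not enforced: audit mode is the right way to trial a policy, but it blocks nothing, and a fleet that never leaves audit mode does not meet the objective. Run the script after `gpupdate /force` on a domain-joined host so the merged domain policy is what gets inspected.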
Objective 2: Patch applications
The second objective focuses on patching applications. Software vendors regularly release security patches as vulnerabilities are discovered. The Patch Applications objective states (for all maturity levels) that vulnerabilities in internet-facing services must be patched within two weeks, or, where an exploit exists, within 48 hours of the patch becoming available. This objective also prescribes guidance for other types of applications and for the use of vulnerability scanners.
Objective 3: Configure Microsoft Office macro settings
The third objective is to disable the use of macros in Microsoft Office for users who do not have a legitimate business need for them. Organizations should also ensure that macros are blocked in any Office file that originates from the Internet and that these settings cannot be changed by end users. Organizations should also use anti-virus software to scan macros. Higher maturity levels add further requirements, such as running macros only from sandboxed locations.
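Each of the settings just listed corresponds to an Office Group Policy value, and because policy-backed values live under the `Policies` hive that standard users cannot write to, reading them is also a quick way to confirm that users cannot change them. The script below is an added example, not from the article or the ACSC: it audits the per-user policy values for Word, Excel and PowerPoint. The registry paths and value names are the standard Office 2016/2019/365 policy keys; the "expected" values are this example's reading of the controls described above, not text from the framework.

```powershell
# Added example (not from the article): audit Office macro policy values for the current user.
# Office 2016, 2019 and Microsoft 365 Apps all use the 16.0 policy path.
$officeVersion = '16.0'
$apps = @('Word', 'Excel', 'PowerPoint')   # apps with the per-app Security policy keys below

# Per-application checks: value name, expected setting, and what the setting means.
# Expected values are this example's interpretation of the controls in the text.
$perAppChecks = @(
    @{ Name = 'VBAWarnings';                       Expected = 4; Meaning = 'Disable all macros without notification' }
    @{ Name = 'blockcontentexecutionfrominternet'; Expected = 1; Meaning = 'Block macros in files from the Internet (Mark-of-the-Web)' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the setting is not enforced by policy
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-CheckResult {
    param($App, $Setting, $Meaning, $Expected, $Actual)
    [pscustomobject]@{
        Application = $App
        Setting     = $Setting
        Meaning     = $Meaning
        Expected    = $Expected
        Actual      = $Actual          # $null means "not set by policy"
        Compliant   = ($Actual -eq $Expected)
    }
}

function Get-OfficeMacroPolicyReport {
    $results = [System.Collections.Generic.List[object]]::new()

    foreach ($app in $apps) {
        $securityKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        foreach ($check in $perAppChecks) {
            $actual = Get-PolicyValue -Path $securityKey -Name $check.Name
            $results.Add((New-CheckResult $app $check.Name $check.Meaning $check.Expected $actual))
        }
        # Files in Trusted Locations bypass macro blocking, so policy should disable all of them
        $trustedKey = "$securityKey\Trusted Locations"
        $actual = Get-PolicyValue -Path $trustedKey -Name 'AllLocationsDisabled'
        $results.Add((New-CheckResult $app 'AllLocationsDisabled' 'Disable all Trusted Locations' 1 $actual))
    }

    # Macro Runtime Scan Scope: 2 = hand every macro to the installed anti-virus engine via AMSI
    $commonKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Common\Security"
    $scan = Get-PolicyValue -Path $commonKey -Name 'MacroRuntimeScanScope'
    $results.Add((New-CheckResult '(all)' 'MacroRuntimeScanScope' 'AMSI runtime scan of all macros' 2 $scan))

    return $results
}

$report = Get-OfficeMacroPolicyReport
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning ("{0}: {1} is {2}, expected {3} ({4})" -f $_.Application, $_.Setting,
        ($(if ($null -eq $_.Actual) { 'not set by policy' } else { $_.Actual })), $_.Expected, $_.Meaning)
}
```

A `VBAWarnings` value of 4 disables all macros without notification; users who genuinely need macros would instead receive a policy of 3 (allow only digitally signed macros) through a separate group, which is the "legitimate business need" carve-out the objective describes. Run this in the context of an ordinary user after `gpupdate /force`, since the values it reads are per-user.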
Objective 4: User application hardening
The fourth objective is called User Application Hardening, but at Maturity Level 1 it is primarily about locking down the web browser on user PCs. Specifically, browsers should be configured not to process Java and not to process web advertisements. Internet Explorer 11 must not be used to process Internet content (higher maturity levels require Internet Explorer to be removed or disabled). Browser settings must be configured in such a way that they cannot be changed by users.
Higher maturity levels focus on hardening other apps beyond the browser. For example, Microsoft Office and PDF readers should be prevented from creating child processes.
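On hosts running Microsoft Defender, the child-process restriction for Office and PDF readers is typically implemented with Attack Surface Reduction (ASR) rules. The following script is an added example, not from the article or the ACSC: it reads the Defender preferences and reports whether the two relevant ASR rules are in block mode, audit mode, or not configured. The rule GUIDs are Microsoft's published ASR rule identifiers; the action code mapping is Defender's own.

```powershell
# Added example (not from the article): report ASR enforcement for child-process rules.
# Requires Microsoft Defender Antivirus and the Defender PowerShell module.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}
# Get-MpPreference encodes each rule's action as: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrChildProcessReport {
    $pref    = Get-MpPreference
    # Ids and Actions are parallel arrays; wrap in @() in case only one rule is set
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($guid in $asrRules.Keys) {
        # Match case-insensitively; GUID casing varies between GPO, Intune and the cmdlets
        $index = -1
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $guid) { $index = $i; break }
        }

        if ($index -ge 0) {
            $action = [int]$actions[$index]
            $actionName = if ($actionNames.ContainsKey($action)) { $actionNames[$action] } else { "Unknown($action)" }
        } else {
            $action = $null
            $actionName = 'NotConfigured'
        }

        [pscustomobject]@{
            Rule     = $asrRules[$guid]
            Id       = $guid
            Action   = $actionName
            Enforced = ($action -eq 1)   # only block mode actually stops the child process
        }
    }
}

$report = Get-AsrChildProcessReport
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Enforced } | ForEach-Object {
    Write-Warning ("ASR rule not in block mode: {0} ({1})" -f $_.Rule, $_.Action)
}

# To enable a rule in block mode from an elevated prompt (use AuditMode first to trial it):
# Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' -AttackSurfaceReductionRules_Actions Enabled
```

Audit mode is useful for discovering legitimate workflows that spawn child processes from Office (some add-ins and document-generation tools do), but as with AppLocker, only block mode satisfies the control; the report therefore counts audit and warn modes as not enforced.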
Objective 5: Restrict Administrative Privileges
Objective 5 concerns safeguarding privileged accounts. It establishes rules such as: privileged accounts may not access the Internet, email, or web services, and unprivileged accounts must not log into privileged environments.
When an attacker is looking to compromise a network, one of the first things they will do is try to gain privileged access. As such, it is extremely important to protect privileged accounts from compromise. One of the best third-party tools to do this is Specops Secure Service Desk which prevents unauthorized password resets for privileged and non-privileged accounts. This way, an attacker will not be able to access a privileged account simply by requesting a password reset.
Objective 6: Patch operating systems
Just as application vendors periodically release patches to resolve known vulnerabilities, Microsoft regularly releases Windows patches. These patches normally arrive on “Patch Tuesday”, but out-of-band patches are sometimes deployed when serious vulnerabilities are fixed.
The Patch Operating Systems objective defines the baseline requirements for keeping Windows patched. Additionally, this objective requires organizations to regularly check for missing patches.
Objective 7: Multi-factor authentication
The seventh objective defines when multi-factor authentication should be used. Maturity level 1 is relatively lenient, requiring multi-factor authentication primarily when users access the internet or web applications (among other things). Higher levels of maturity require the use of multi-factor authentication in an ever-increasing number of situations.
Requiring multi-factor authentication is one of the most effective things an organization can do to keep user accounts secure. Specops uReset enables multi-factor authentication for password reset requests, helping secure user accounts.
Objective 8: Regular backups
The eighth objective is to create regular backups. In addition to creating backups, organizations are required to perform test restores and to prevent unprivileged accounts from deleting or modifying backups, or from accessing backups that do not belong to them. Higher maturity levels define additional access restrictions on unprivileged accounts and on privileged accounts (except backup administrator and break glass accounts).