The number of cyber-attacks on companies, government, and individuals continues to grow at an alarming rate. According to the Australian Cyber Security Centre “Cybercrime is one of the most pervasive threats facing Australia, and the most significant threat in terms of overall volume and impact to individuals and businesses”, costing the Australian economy as much as $29 billion annually.
Because of this continually increasing risk, the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), has published a guideline of mitigation strategies called the Strategies to Mitigate Cyber Security Incidents, which aims to help organisations mitigate cyber security incidents caused by a range of threats. In this guideline the ACSC has prioritised the eight strategies it considers most effective and recommends that all businesses implement them. These are known as the Essential Eight.
What are the Essential Eight Mitigation Strategies?
- Application Whitelisting – to prevent the execution of unauthorised software.
- Patching Applications – to fix known security vulnerabilities in applications.
- Configure Microsoft Office Macro Settings – to prevent untrusted macros from running.
- User Application Hardening – to protect against vulnerable functionality.
- Restrict Administrative Privileges – to limit access to systems.
- Patch Operating Systems – to fix known security vulnerabilities in operating systems.
- Use Multi-factor Authentication – to strengthen user authentication.
- Daily Backups – to ensure data can be accessed following an incident.
The ACSC has grouped these eight strategies into three categories to help businesses understand what each strategy helps prevent. We’ll go through each of the strategies and explain why it has been recommended.
Mitigation Strategies to Prevent Malware Delivery and Execution
1. Application Whitelisting of Approved & Trusted Programs
To prevent the execution of unapproved or malicious programs, including executables (.exe), DLLs, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
Why?
With application control in place, only approved programs can execute; anything not on the approved list is blocked, whether it is malware, an unwanted tool or a legitimate program that has not been vetted. The ACSC describes implementing application control as the following steps:
- Identifying approved applications
- Developing application control rules to ensure only approved applications are allowed to execute
- Maintaining the application control rules using a change management program.
To confirm that application control is working as intended, test it regularly: check for file system permission misconfigurations (for example, directories a standard user can write to under paths the rules allow execution from) and other ways of bypassing the application control rules.
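One concrete form of the testing described above is to look for directories under the paths a default AppLocker policy allows execution from (the Windows and Program Files trees) that a standard user can nevertheless write to, since a user-writable directory inside an allowed path lets an attacker drop and run a binary the rules never intended to permit. The following PowerShell script is an added example written for this page, not ACSC guidance or code from the page's author; it assumes a default path-based AppLocker policy, that it is run as a low-privilege user, and that creating and removing a probe file is an acceptable way to test writability on the host.

```powershell
# Added example (not from the ACSC guidance): probe for user-writable
# directories under the paths AppLocker's default path rules allow execution from.
# Run this as a standard (non-admin) user; results from an admin session are meaningless.
$AllowedRoots = @(
    $env:SystemRoot,            # C:\Windows
    $env:ProgramFiles,          # C:\Program Files
    ${env:ProgramFiles(x86)}    # C:\Program Files (x86); empty on some hosts
) | Where-Object { $_ }

function Test-UserWritable {
    # Try to create and delete a probe file rather than parsing ACLs, so that
    # inherited and deny entries are evaluated exactly as Windows would evaluate them.
    param([Parameter(Mandatory)][string]$Path)
    $probe = Join-Path $Path ("applocker-probe-" + [guid]::NewGuid().ToString() + ".tmp")
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Find-WritableAllowedPaths {
    # Walk every directory under each allowed root and report the writable ones.
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            if (Test-UserWritable -Path $d.FullName) { $d.FullName }
        }
    }
}

$writable = @(Find-WritableAllowedPaths -Roots $AllowedRoots)
if ($writable.Count -eq 0) {
    Write-Output 'No user-writable directories found under the allowed roots.'
} else {
    Write-Output 'User-writable directories under allowed roots (each needs an ACL fix or an explicit deny rule):'
    $writable
}
```

On a default Windows installation this typically reports locations such as C:\Windows\Tasks, which is why Microsoft's own guidance pairs the default allow rules with deny rules for known user-writable subdirectories. Each path the script reports should either have its permissions tightened or be covered by an explicit AppLocker deny rule; a file placed in a reported directory can then be checked against the effective policy with `Test-AppLockerPolicy` to confirm it is blocked.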
2. Patch Applications
Examples are Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch or mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours, and use the latest version of each application.
Why?
Application vendors continually receive reports of security vulnerabilities in their products and release patches to fix them, but a patch only protects you once it has been installed. Keeping applications up to date closes the known vulnerabilities that attackers actively exploit once a flaw has been publicly disclosed, which is why the 48-hour window matters for the most serious ones.
3. Configure Microsoft Office Macro Settings to Block Macros from the Internet
Only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
Why?
Microsoft Office macros are a series of instructions (code) that can automate a task. Attackers embed malicious macros in documents, typically delivered by email or download, to run code on your systems when the document is opened. Macros in files from the internet should therefore be blocked, and only vetted macros, either stored in a ‘trusted location’ with limited write access or digitally signed with a trusted certificate, should be allowed to run.
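The two settings above map directly onto Office policy registry values: one blocks macros in files that carry the "downloaded from the internet" mark, the other disables all macros except digitally signed ones. The following PowerShell script is an added example for this page, not ACSC guidance or the page author's code; it assumes Office 2016, 2019 or Microsoft 365 (registry version 16.0), that the values are being set for the current user under the HKCU Policies hive, and that no domain Group Policy sets the same values (a GPO would take precedence and is the preferred way to deploy them at scale). Trusted locations are not configured here.

```powershell
# Added example (not from the ACSC guidance): apply and then audit the macro
# policy values for Word, Excel and PowerPoint under the per-user Policies hive.
$OfficeApps = 'Word', 'Excel', 'PowerPoint'
$Desired = @{
    blockcontentexecutionfrominternet = 1   # block macros in files marked as from the internet
    vbawarnings                       = 3   # disable all macros except digitally signed ones
}

function Get-MacroPolicyKey {
    param([string]$App)
    "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
}

function Set-MacroPolicy {
    # Create the policy key if missing and write each desired DWORD value.
    param([string[]]$Apps, [hashtable]$Values)
    foreach ($app in $Apps) {
        $key = Get-MacroPolicyKey -App $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Values.Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Values[$name] -Force | Out-Null
        }
    }
}

function Test-MacroPolicy {
    # Report the actual value of each setting and whether it matches the desired one.
    param([string[]]$Apps, [hashtable]$Values)
    foreach ($app in $Apps) {
        $key = Get-MacroPolicyKey -App $app
        foreach ($name in $Values.Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Expected  = $Values[$name]
                Actual    = $actual
                Compliant = ($actual -eq $Values[$name])
            }
        }
    }
}

Set-MacroPolicy  -Apps $OfficeApps -Values $Desired
Test-MacroPolicy -Apps $OfficeApps -Values $Desired | Format-Table -AutoSize
```

The audit function is the useful half for an ongoing program: run on its own (without the `Set-MacroPolicy` call) it shows which users or machines have drifted from the policy, and an `Actual` of blank means the value has never been set, so Office falls back to its less restrictive built-in default.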
4. User Application Hardening
Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Why?
Flash, web advertisements and Java are common vectors for delivering and executing malicious code on a system through the browser. Beyond these, disable any feature you do not need in the applications you use, since every unneeded feature is another potential entry point for an attacker.
Mitigation Strategies to Limit the Extent of Cyber Security Incidents
5. Restrict administrative privileges
Restrict privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Why?
- Access to applications and data should depend on the duties of the employee. Not all employees require access to sensitive information, and privileges that are no longer needed should be removed.
- Using an admin account for reading email and web browsing exposes it to the most common attack paths: a phishing attachment or malicious web page opened with administrative privileges hands those privileges to the attacker. Since admin accounts have access to sensitive systems within the business, a compromised admin account can give attackers full control.
6. Patch Operating Systems
Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Why?
Like application vendors, operating system vendors continually fix security vulnerabilities and ship the fixes as patches. Applying operating system patches promptly protects the system from known vulnerabilities, and running a supported version is the only way to keep receiving those patches.
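Both patching strategies above set a 48-hour deadline, so the practical question on each Windows host is which security updates have been offered but not yet installed, and for how long. The following PowerShell script is an added example for this page, not ACSC guidance or code from the page's author; it assumes the host can reach Windows Update or its WSUS server, and it uses Microsoft's MSRC severity rating of Critical or Important as a stand-in for the ACSC's ‘extreme risk’ category, which is an assumption rather than an official mapping. It covers the operating system and Microsoft products only; third-party applications such as Java and PDF viewers need their own update tooling.

```powershell
# Added example (not from the ACSC guidance): list updates offered to this host
# but not yet installed, and flag Critical/Important ones older than the SLA window.
$SlaHours = 48

function Get-OverdueUpdates {
    param([int]$WindowHours = 48)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0: offered but not installed; IsHidden=0: not suppressed by an admin.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $now = Get-Date
    foreach ($u in $result.Updates) {
        # LastDeploymentChangeTime is when the update was (last) published to the service.
        $ageHours = [math]::Round(($now - $u.LastDeploymentChangeTime).TotalHours, 1)
        [pscustomobject]@{
            Title    = $u.Title
            KB       = (@($u.KBArticleIDs) -join ',')
            Severity = $u.MsrcSeverity      # Critical / Important / Moderate / Low / blank
            AgeHours = $ageHours
            # Assumption: MSRC Critical/Important approximates the ACSC 'extreme risk' tier.
            Overdue  = ($u.MsrcSeverity -in 'Critical', 'Important') -and ($ageHours -gt $WindowHours)
        }
    }
}

$pending = @(Get-OverdueUpdates -WindowHours $SlaHours)
$pending | Sort-Object Overdue -Descending | Format-Table -AutoSize

$overdue = @($pending | Where-Object Overdue)
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) Critical/Important update(s) have been available for more than $SlaHours hours."
    exit 1
}
```

The non-zero exit code makes the script usable as a scheduled compliance check; a blank `Severity` column is normal for non-security updates, which the SLA does not apply to.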
7. Multi-Factor Authentication
Including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Why?
Multi-factor authentication ensures that if attackers obtain your password, whether by phishing, reuse of a leaked password or cracking, there is still another factor they must defeat to gain access. This makes it considerably harder for adversaries to reach sensitive information and systems, particularly over remote access paths such as VPNs and RDP, which are exposed to the whole internet.
Mitigation Strategies to Recover Data and System Availability
8. Daily Back-Ups
Of important new or changed data, software and configuration settings, stored disconnected from your systems and retained for at least three months. Test restoration initially, annually and whenever the IT infrastructure changes.
Why?
Backups ensure that after a cyber attack your business has a known-good restoration point for its data. Critical data remains available even if attackers delete it or encrypt it for ransom, provided the backups are kept disconnected so the attackers cannot reach them too, and restoration has actually been tested rather than assumed.
Things to consider before implementing these strategies:
The ACSC recommends that all businesses take into consideration the following before implementing any of the mitigation strategies:
1. Which systems require protection?
To determine which systems need the greatest protection, a business should identify where it stores, processes or communicates sensitive information. These high-value systems are the ones most likely to be targeted by attackers.
Similarly, systems with a high availability requirement (i.e. systems that must be operational at all times) also require greater attention, since an attack that prevents their use would be highly detrimental to the operation of the business.
2. What adversaries are likely to target their systems?
Who is most likely to target your business? For example, it is unlikely that nation-states will target a small business; opportunistic cyber criminals who launch mass attacks hoping to find unprotected businesses are far more likely. Malicious insiders who want to steal customer data or intellectual property are another possibility. This is a key consideration for small to medium sized businesses, since it helps determine which mitigation strategies to focus on.
3. What level of protection is required?
This involves selecting mitigation strategies to implement based on the risks to specific business activities from malicious attackers.
For example, if a business determines that its primary adversaries will be opportunistic cyber criminals and that its operations take place primarily on the internet, it may prioritise user application hardening (configuring web browsers to block Flash, ads and Java) as a key mitigation strategy, to prevent attackers from delivering and executing malicious code during everyday internet use.
Why should your business follow these strategies?
Although no single mitigation strategy is guaranteed to work, the Essential Eight is an effective, practical baseline for addressing cyber security within an organisation and can help prevent a large-scale cyber security incident. These mitigation strategies are considered so important that the Australian Federal government has mandated that the first four be implemented in all federal government departments. Similarly, each department in the NSW government must submit a report detailing to what degree it has implemented the ACSC’s Essential Eight. Following the Essential Eight mitigation strategies is an effective way of ensuring your business is capable of defending itself from cyber adversaries. These strategies address the primary cyber security threats that impact numerous Australian businesses and form a holistic approach to cyber safety that your company can begin implementing today.