What is the Essential 8

In the recent years, the Australian Cyber Security Centre (ACSC) and the Australian Signals Directorate (ASD) have developed several cyber security initiatives to help organisations improve their cyber security. One of these initiatives is the Essential 8, published in 2017.

The Essential 8 are defined as a series of strategies to mitigate cyber security incidents. They focus on Microsoft-based and Internet-based applications. More specifically, they are a set of cyber security controls an organization can apply to protect itself against cyber-attacks. These controls cover mostly technical infrastructure but also require, to a lesser degree, governance oversight such as regular reviews of the efficacy of the control and overview of their performance.

The controls are divided into 8 domains:

1. Application controls
2. Patch applications
3. Configure Microsoft Office Macro Settings
4. User application Hardening
5. Restrict administrative privileges
6. Patch Operating Systems
7. Multi-factor Authentication
8. Regular back-ups

There are four Maturity Levels for the above controls:

1. Maturity Level 0
2. Maturity Level 1
3. Maturity Level 2
4. Maturity Level 3

An assessment is conducted to assess the Maturity Level of each domain. If a business has not implemented any of the controls in the Essential 8 and it may be vulnerable to common and unsophisticated attacks. This is an example of Maturity Level 0. On the other hand, if a business has fully implemented all of the controls of the Essential 8, then it would achieve a Maturity Level 3 and be seriously more prepared for a cyber-attack.

It is worth noting here that a business doesn’t necessarily have to reach highest maturity level to become fully compliant with the Essential 8. The maturity levels are more of a guidance and they work as a benchmark for assessing the overall information security framework. Each set of controls would need to be adjusted to the businesses’ own requirements and cyber risk profile.

Essential 8 Domains

Application Control

This control domain looks whether system set up on workstations allows the execution of applications or scripts. If users are allowed to run executables on their devices there is a chance that they accidentally run malicious software that can compromise the whole system. Therefore, it’s important that that the organization and its users understand this risk and know the possible dangers.

Patch Applications

All major applications from reputable vendors publish regular updates for their software. The updates may improve the features of the application and at the same time remediate vulnerabilities that may be present in the code. If malicious actors discover a previously unknown vulnerability within a program code, then it can be exploited by hackers to cause damage and gain monetary benefit.

Reputable vendors regularly review their software packages to promptly identify those vulnerabilities and release patches for them. This can also be conducted by the organization by utilizing a vulnerability scanner. Released patches should be installed as soon as possible and the organization should review its patching processes across all functions.

Configure Microsoft Office Macros

Macros are essentially customizable executable programs embedded in MS Office. As discussed above, any executable code from an unverified source can potentially cause damages and compromise systems. The Essential 8 strategy requires an organization to properly configure Macros to further solidify its own system from random executables.

User Application Hardening

This domain stipulates controls around internet-facing applications and native processes in application systems. Organisations are asked to block specific functions on their web browsers as well as child processes in Microsoft Office and PDF software. Moreover, to achieve a higher level of maturity the business IT system should be able to regulate and review what users can and cannot do with specific applications and be able to keep logs of certain user activity.

Restrict Administrative Privileges

This control domain ties the above into a single framework. An organization should be able to regulate and review not only common user activity but also privileged accounts. The controls require ask for an organization to implement a process by which privileged access can be granted and rules around the management of credentials and administrative activities.

If admin or super admin accounts are compromised, then this can possibly pose a severe risk to the business that can impede not only the organization’s data but to the operational environment as a whole. Forming robust and secure rules for the management of user accounts is critical for securing the organisation’s infrastructure and databases.

Patch Operating Systems

Closely tied with the above controls, this domain stipulates processes on how an organization should manage patching on its systems. If an organization has reached a high level of maturity with the above domains it would easy and effortless to achieve a Maturity Level 3 with Patching of Operating Systems.

Multi-Factor Authenticator

From all the controls is the Essential 8 these are the easiest to implement and arguably one of the most crucial. Implementing MFA drastically reduces the probability of a cyber attack aimed at compromising accounts. Even if an admin’s or user’s credentials are leaked or disclosed to malicious actors, MFA will be able to stop most attempts to gain access to systems and databases. Most applications from reputable vendors, include MFA as a feature yet it’s seldomly used by many businesses. The controls around MFA add a very robust layer of protection    

Backups

Along with MFA this control domain is arguably one of the most important aspects of the Essential 8, not just for compliance with the strategy but also for the organization’s operational Integrity. Having secure and effective backup procedures and processes is essential for mitigating the most harmful cyber-attacks such as ransomware. The strategy here is to conduct daily backups, test those backups and ensure that only authorized personnel can access them. Moreover, to reach the higher maturity level organizations should consider creating “break glass accounts” that can be used in case of an emergency.  

Compliance Council has partnered with the ACSC to help organisations in Australia improve their cyber security and information security.

Get in touch to find out how you can evaluate your cyber risks and optimize your cyber security to help your business achieve its strategic goals.