Essential Eight: Compliance Guide

The Australian federal government is mandating that all businesses comply with the Essential Eight framework in order to significantly improve the cyber resilience of Australian organisations. This may seem overly ambitious and burdensome to the many entities that still need help complying with just the top four controls of the Essential Eight.

This blog outlines the expectations of all eight security controls to help Australian businesses understand the need and benefits of achieving compliance across all eight cybersecurity controls.

What is the Essential Eight?

The Essential Eight is an Australian cybersecurity framework created by the Australian Signals Directorate (ASD). The framework, first published in 2017, is an upgrade of the ASD's original set of four security controls. Four additional strategies were introduced to establish the eight controls that protect Australian businesses from cyberattacks.

The eight strategies are divided into three main objectives – preventing attacks, limiting the impact of attacks, and ensuring data availability.

Objective 1: Prevent Cyberattacks
1. Patch application vulnerabilities

Applying patches to operating systems and applications is critical to ensuring the security of your systems. Once a vendor releases a patch, it should be applied within a timeframe that reflects the organisation’s exposure to the vulnerability and the level of threat the organisation is aiming to protect itself against. For instance, once a vulnerability in an internet-facing service is made public, you can expect adversaries to develop malicious code within 48 hours. In many cases adversaries have produced malicious code within hours of a newly disclosed security vulnerability.

2. Application control

Application control is one of the best strategies for protecting against malicious code execution on systems. When rigorously implemented, it ensures that only approved applications can be executed. While application control is primarily intended to prevent malicious code from executing, it can also prevent unapproved applications from being installed or used.

3. User application hardening

User application hardening secures applications that frequently interact with the web (such as browsers, Microsoft Office and other software). It relies on tools, techniques and best practices to reduce an organisation’s attack surface and exposure.

4. Configuring MS Office Macro settings

Microsoft Office applications can execute macros to run routine tasks automatically. However, macros can contain malicious code that leads to unauthorised access to valuable information as part of a targeted intrusion.
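A defender-side check for this control, added here as an example and not taken from the original post: it reads the Office macro policy values that Microsoft documents (VBAWarnings and blockcontentexecutionfrominternet, assumed to live under the Office 16.0 policy path for Office 2016 and later) and reports whether each application is in a hardened state.

```powershell
# Added example, not part of the original post: audit Office macro policy settings
# against the posture this control describes (unsigned or internet-sourced macros blocked).
# Assumes Office 2016 or later (policy path version "16.0"). Value semantics follow
# Microsoft's Office policy definitions:
#   VBAWarnings 1 = enable all, 2 = disable with notification,
#               3 = disable all except digitally signed, 4 = disable all without notification
#   blockcontentexecutionfrominternet 1 = block macros in files from the internet
function Get-MacroPolicyState {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))

    foreach ($app in $Apps) {
        # Group Policy writes Office macro settings to the per-user Policies hive
        $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $warn  = $props.VBAWarnings                        # $null: no policy set, user default applies
        $block = $props.blockcontentexecutionfrominternet  # $null: internet macros not blocked by policy

        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $warn
            BlockInternetMacros = $block
            # Hardened only when macros are disabled (4) or limited to signed ones (3)
            # AND macros in files from the internet are blocked outright
            Hardened            = ($warn -in 3, 4) -and ($block -eq 1)
        }
    }
}

# Report one row per application; any row with Hardened = False needs policy attention
Get-MacroPolicyState | Format-Table -AutoSize
```

Run it as the user whose settings you want to verify, since the policy values are per-user.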

Objective 2: Limit the Impact of Cyberattacks
5. Patch operating system vulnerabilities

Patching operating systems involves checking frequently for new patch releases and then analysing which of your systems are exposed to the vulnerabilities those patches address. Testing new patches before installing them is essential to ensure they are both required and safe.

6. Restrict Admin Access

Adversaries often use malicious code to exploit security weaknesses in workstations and servers. Restricting admin privileges makes it more difficult for a criminal’s malicious code to elevate its privileges, spread to other hosts, hide its existence, persist after a reboot, obtain sensitive information or resist removal efforts. An environment where administrative rights are restricted is more stable, predictable, and easier to administer and support, as fewer users can make significant changes to their operating environment, either intentionally or unintentionally.

7. Implement Multi-Factor Authentication (MFA)

Adversaries frequently attempt to steal legitimate user or administrative credentials when they compromise a network. These credentials allow them to propagate quickly on a network and conduct malicious activities without additional exploits, thereby reducing the likelihood of detection. Adversaries will also try to gain credentials for remote access solutions, including Virtual Private Networks (VPNs), as these accesses can further mask their activities and reduce the likelihood of being detected.

Objective 3: Data Recovery and System Availability
8. Daily backups

The Essential Eight mandates regular backups for critical data, software and configuration setup. It also captures requirements for access, modification and deletion of backups.

Aside from these eight mitigation strategies, the Essential Eight scheme is defined by four maturity levels that help organisations measure where they are within the framework.

What is the Essential Eight maturity model?

Four maturity levels have been defined to assist organisations with implementing the Essential Eight. Each Maturity Level builds on the previous one, and – except Maturity Level Zero – the Maturity Levels are built around preventing increasing levels of adversary tradecraft and targeting.

To reach a Maturity Level for a given mitigation strategy, your organisation must meet specific criteria. These criteria are known as “Security Controls” and are set out in the Information Security Manual (ISM).

However, as prescriptive as the Maturity Levels are, achieving them is a commercial decision that business leaders must make in each organisation – one where the cost of reaching a Maturity Level is balanced against several risk factors.

Maturity Level Zero

Maturity Level Zero signals that the organisation’s overarching cybersecurity posture is weak. This means that, if infiltrated, sensitive data, business systems and files could be at significant risk, and the business is exposed to data breaches or exploitation of information.

Maturity Level One

This level signifies weaknesses within a security system. Malicious adversaries will often target organisations or systems in general rather than identify specific victims. Adversaries use techniques to deceive users into weakening their own security, which leaves them vulnerable to attack. This Maturity Level suggests that an organisation is susceptible to threats even if it is not specifically targeted.

Maturity Level Two

Maturity Level Two means businesses are protected against more sophisticated adversaries, who are more selective in their targeting and willing to invest more time and resources into their attack methods.

Maturity Level Three

Maturity Level Three signifies businesses are protected against adversaries using highly sophisticated and tailored tradecraft specific to particular targets.

Why does your business need the Essential Eight?

The Australian government has recommended that all organisations, regardless of location or size, adhere to the Essential Eight framework to protect Australian businesses. This is not simply a precautionary measure: the benefits are plentiful and wide-reaching. Some of the critical benefits for your organisation are:

  • Protection against common cyber attacks
  • Reduced impact of security incidents
  • Framework to measure security risks
  • Sound guidance for implementing highly effective, yet cost-effective security measures

Partner with Qamba, your trusted cyber security expert, with years of experience providing customers with managed security services and teams of cyber security specialists. Qamba is the ideal partner for your business: we can help you achieve the highest Essential Eight maturity level and give your business the protective posture it needs.

Get in touch with the experts to book an Essential Eight Assessment and review your security posture today.
