Is Essential Eight compliance a reasonable security target for SMBs?
In early 2017, the Australian Signals Directorate (ASD) updated its five-year-old security advisory, known as the Top 4, to include an additional four security controls, calling this new guidance The Essential Eight.
ASD claims that businesses who properly operationalise all eight of these security controls, irrespective of whether they have a cyber security programme or an enterprise approach to information risk management, will stop as many as 85% of cyberattacks. In this article, we’ll take a look at the security controls proposed in the Essential Eight and see how applicable they are to your business and discuss any additional controls that we believe should also be considered.
Why the Essential Eight?
One of ASD’s roles is to provide comprehensive advice and guidance on cybersecurity matters to government departments. Their flagship publication is the Information Security Manual (ISM), comprising three levels of documentation, covering strategic, tactical and operational security control advice. This is by far the most comprehensive list of security controls provided by the Australia government, but it’s application is very much aimed at the more security-aware government agencies, where classified information is routinely handled. By implementing the ISM, agencies can secure their environments adequately to handle information that is classified as high as TOP SECRET, so their advice has always been considered sound.
However, the ISM is an onerous document and the plethora of controls can be overkill for smaller government departments and private businesses. This is why they have introduced The Essential Eight as the most fundamental cyber strategies organisations can use to mitigate cyberattacks.
Furthermore, the Essential Eight are not complicated and certainly don’t require special security technology or knowledge to implement them. In fact, they are aligned with many of the principles of good IT service management, focusing on the things that will help prevent malware running on your systems and limiting the extent of incidents that occur, while helping you recover your data.
The eight specific controls of the Essential Eight are as follows:
- Application whitelisting;
- Patching of applications;
- Disable untrusted Microsoft Office macros;
- User application hardening;
- Restrict administrative privileges;
- Patch operating systems;
- Multi-factor authentication; and
- Daily backup of important data.
These controls, except for the first one (application whitelisting) are relatively straightforward to implement and in most cases, they are things that you would already be doing, at least to some degree, if you run a business IT system. For example, most businesses, have some kind of patching regime covering both applications and operating systems, but the measure of success for these two controls should be that both application and operating system patching is comprehensive, and patches are applied quickly, especially if they have a critical or high severity rating.
Disabling untrusted macros in Microsoft Office is also included in this list, since a lot of malware these days uses Microsoft’s Visual Basic for Applications (VBA). VBA is a scripting language that runs within the Microsoft Office suite of applications to help users automate tasks. VBA is incredibly powerful, so you don’t want to switch it off, so rather you can configure it to only permit authorised applications to run – such as those published by Microsoft or written by your own business users. If an unknown author’s script tries to run on your computer, you will be presented with the option as to whether you allow it to execute or not – thus stopping malware contained within these malicious Office documents from infecting your systems.
Application hardening may need some explanation just to explain the context. For example, your browser settings can be modified to restrict the content or application types that can execute when you surf the web, such as making you authorise the use of Java each time it’s called by a site. By limiting the functionality of applications, such as the browser, or adding in authorisation steps where you must grant permission on a case by case basis, you are stopping the malware from running in the background.
The final control we’ll discuss is multi-factor authentication. Many websites and cloud services now use multi-factor authentication, but it’s not new. Banks have been using tokens to protect accountholder logins for years, and they are an incredibly effective security control. The essence of good multi-factor authentication is that it adds a layer of security that a remote attacker could not attack – where you need a physical token, or smartphone app to interact with the authentication challenge. Passwords have become the weakest part of modern security systems, since they are often the target of hacks but even a compromised list of passwords is useless to a hacker if they also need the token to gain access. This is why ASD recommends that all businesses should invest in multi-factor authentication for their systems. These days it’s not an expensive proposition but the increase in security posture is massive.
What’s Missing from the Essential Eight?
None of these mitigation strategies guarantee 100% security (which is impossible) but they do provide a strong foundation to build upon. One additional control that is often missed is security monitoring, which is something that CXO Security offers as a core service to clients.
Gaining visibility of what’s going on within your network and seeing exactly what users are doing when they log in and access your information can help you stay one step ahead of the hackers. If an attacker finds a way to get around some of the Essential Eight security controls andyou have the means to detect the breach, you’ll be able to respond quicker and thus minimise the harm.
Security event monitoring fills in the gaps between other security controls and allows you to detect attack not catered for by your basic defences. The concept of correlation rules allows you to detect any kind of threat scenario you wish to build a model for – in essence, if a system produces an audit record that helps you understand what’s going on, you can build a representation of what normal looks like, then alert your security team when anything peculiar or out of the ordinary happens. By keeping these logs available for several months, investigators can scan through this historical data if a breach occurs to see how the attacker compromised your systems. This intelligence helps you tighten up your security controls in the future.
The Essential Eight is the perfect security target for small to medium business to aim for. These eight security controls, as attested to by ASD, will thwart up to 85% of targeted cyber-attacks, so they certainly uplift your posture and make your systems much more resilient. Implementation of the Essential Eight controls is relatively straightforward, aside from a few nuances that you might need some help with (that’s where we come in). However, ASD doesn’t include monitoring in that list of eight essential controls, which we believe fills in the cracks between these other basic controls. If you want to keep your information safe and your users productive, then a combination of the Essential Eight and a good monitoring service (preferably running 24x7) is the best approach even for small businesses.
CXO Security can help you plan your Essential Eight implementation programme and give you sound advice about what works (and what doesn’t) when you are implementing these controls. Furthermore, CXO Security’s SOC service (Security Operations Centre) allows you to outsource the monitoring to an expert Managed Security Services Provider (MSSP) who has the systems and trained analysts to make sense of the logs pulled from your systems.
If you want more information on how to implement The Essential Eight or how we can help with your monitoring requirements, get in touch via the website.
 A correlation rule is the logic used in security monitoring systems to ask questions of the data and then respond with an alert.