ACSC Essential Eight Cyber Risk Controls & PAM

October 5, 2021


In July 2021, the Australian Cyber Security Centre (ACSC) published revisions to the Essential Eight, its top-line strategy recommendations for mitigating cyber risk within organisations.

The revisions provide updated clarification of the controls and maturity requirements for each level of the Essential Eight.

So, what is the Essential Eight and how does it help organisations?

ACSC Essential Eight Overview

In February 2010, the Australian Signals Directorate (ASD) first published a list of strategies to mitigate targeted cyber intrusions. The resulting Strategies to Mitigate Cyber Security Incidents is a prioritised list of mitigation strategies to assist organisations in protecting their systems against a range of adversaries.

In 2017, four additional recommendations were added, creating the Essential Eight. From time to time the ACSC, part of the ASD, updates the Essential Eight, clarifying or refining the details of the strategies. This guidance promotes the adoption of sound security and operational practices for managing technology used within Australian Government agencies and departments. However, the guidance is also frequently adopted by private sector organisations across the world to improve their security posture and better manage risk.

Maturing with the Essential Eight

To assist organisations in determining the maturity of their implementation of the Essential Eight, four maturity levels have been defined for each mitigation strategy as of July 2021. The maturity levels are based on mitigating increasing levels of adversary “tradecraft” and are defined as:

  • Level Zero – Signifies weaknesses that could be exploited by attackers
  • Level One – Partly aligned with the intent of the mitigation strategy
  • Level Two – Mostly aligned with the intent of the mitigation strategy
  • Level Three – Fully aligned with the intent of the mitigation strategy

While some organisations may choose to target a specific level of maturity, others may want to work their way up through the levels. In the past, if this latter path was your approach, you may have picked off higher maturity controls for some of the strategies while adopting lower levels of maturity for others. However, that is not the intention of the ACSC in creating these maturity levels, nor is it best practice: the ACSC strongly advises that organisations working their way through the maturity levels meet all the requirements at one level, across all eight strategies, before proceeding to the next.

So, how does your organisation choose the maturity level that you should adopt?

For Australian federal government agencies and departments, the Essential Eight will be mandatory.

For private sector organisations, selection of the maturity level will be based on your organisation’s risk profile and cybersecurity threats. For a small to medium-sized business, Level One may be enough. For large enterprises, and particularly for industries that handle sensitive data, Level Three could be more appropriate.

You can read the ACSC’s detailed document on the Essential Eight Maturity Model.

An Overview of the Eight Cyber Risk Reduction Strategies

The Essential Eight strategies are divided into three categories: those that prevent malware delivery and execution, those that limit the extent of cyber security incidents, and those that recover data and assist with system availability. Let’s now take a closer look at each.

Figure 1: The ACSC Essential Eight.


Prevent Malware Delivery and Execution


1. Application Control

This entails restricting what can run to an organisation-approved set, primarily through allow lists (a block list on its own does not meet the intent, since it can only stop what is already known). Application control should cover executables, software libraries (DLLs), scripts (e.g. Windows Script Host, PowerShell and HTA), installers, compiled HTML, HTML applications, control panel applets and drivers, so that unapproved and malicious programs are prevented from executing.

In addition, application control rulesets should be validated on an annual or more frequent basis. Allowed and blocked application executions on workstations and servers should be centrally logged, with the logs protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.

Why: All non-approved applications (including malicious code) are prevented from executing, reducing the risk of malware infection – including ransomware, or inappropriate access or communication of data.
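As an added example (not code from the original post or from BeyondTrust), the following PowerShell builds an AppLocker allow list from a clean reference build, deploys it in AuditOnly mode so gaps show up as events rather than outages, tests sample paths against it (the "validate the ruleset" requirement), and pulls the allowed/blocked events that the Essential Eight expects to be centrally logged and monitored. It assumes Windows 10/11 Enterprise or Windows Server with the AppLocker module, run in an elevated session; the output path and the Downloads test file are hypothetical.

```powershell
# Added example, not code from the original post or from BeyondTrust. Builds an
# AppLocker allow list from a known-good reference build, deploys it in AuditOnly
# mode, tests sample paths against it, and reads the events the Essential Eight
# expects to be centrally logged. Assumes Windows 10/11 Enterprise or Windows
# Server with the AppLocker module, run elevated. Paths marked hypothetical are
# placeholders, not from the original page.

$PolicyPath = Join-Path $env:TEMP 'e8-applocker.xml'     # hypothetical output path

# 1. Enumerate what a clean build actually needs. Signed files become Publisher
#    rules (they survive patching); unsigned files fall back to Hash rules.
#    Scanning all of C:\Windows takes a while; narrow the list on a lab machine.
$referenceDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$policyXml = Get-ChildItem -Path $referenceDirs -Recurse -File `
        -Include *.exe, *.dll, *.ps1, *.vbs, *.msi -ErrorAction SilentlyContinue |
    Get-AppLockerFileInformation -ErrorAction SilentlyContinue |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix E8 -Optimize -IgnoreMissingFileInformation -Xml

# 2. Start in AuditOnly. Flip EnforcementMode to 'Enabled' per collection once
#    the audit events show the ruleset is complete.
$doc = [xml]$policyXml
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($PolicyPath)

# AppLocker enforces nothing unless the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# 3. Validate the ruleset (on every change, not only annually). Substitute a
#    real unapproved binary for the hypothetical Downloads path.
$candidates = @(
    'C:\Windows\System32\notepad.exe'          # expected: Allowed (Microsoft publisher rule)
    'C:\Users\Public\Downloads\invoice.exe'    # hypothetical; expected: Denied
)
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $candidates -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 4. Read what AppLocker logged. 8003/8006 = would have been blocked (audit);
#    8004/8007 = blocked (enforce). Forward these channels to a central
#    collector: a log that lives only on the endpoint can be cleared by the
#    same attacker it records.
$channels = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003, 8004
    'Microsoft-Windows-AppLocker/MSI and Script' = 8006, 8007
}
foreach ($channel in $channels.GetEnumerator()) {
    Get-WinEvent -FilterHashtable @{ LogName = $channel.Key; Id = $channel.Value } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } }, Message
}
```

The AuditOnly-first sequence matters: an allow list that is enforced before it is validated breaks line-of-business software, and the usual reaction (adding broad path rules such as `C:\Users\*`) quietly defeats the control.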


2. Patch Applications

Patch applications such as web browsers, Microsoft Office, Java and PDF viewers (Flash reached end of life in December 2020 and should be removed rather than patched). Patch or otherwise mitigate applications with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications and remove applications that are no longer supported by the vendor.

Why: Security vulnerabilities in applications can be used to execute malicious code on systems.


3. Configure Microsoft Office macro settings

Block macros in files that originated from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed by a trusted publisher. The settings exist in each Office application’s Trust Center, but they should be applied through Group Policy (or equivalent management tooling) so that users cannot change them.

Why: Microsoft Office macros can be used to deliver and execute malicious code on systems.
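As an added example (not code from the original post or from BeyondTrust), the script below audits, and with `-Remediate` sets, the registry values behind this control. These are the values Group Policy writes under the per-user Policies hive; a value that is present there overrides the Trust Center and cannot be changed by the user, while an absent value means the user is in control. It assumes Office 2016/2019/Microsoft 365 Apps (registry version 16.0) and is run as the user under audit; the list of applications is an assumption you should match to what is deployed.

```powershell
# Added example, not code from the original post or from BeyondTrust. Audits
# (and optionally sets) the Office macro policy values for this control, placing
# the weak default beside the hardened value. Assumes Office registry version
# 16.0 (Office 2016/2019/M365 Apps); the application list is an assumption.

$OfficeHive = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$Apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio'

# VBAWarnings: 1 = enable all macros (weak); 2 = disable with notification (the
# default, still weak: users learn to click "Enable Content"); 3 = disable all
# except digitally signed; 4 = disable all without notification.
# blockcontentexecutionfrominternet 1 = block macros in files from the Internet.
# AllowNetworkLocations 0 = trusted locations cannot be on network shares.
$PerAppDesired = @{
    'Security'                   = @{ blockcontentexecutionfrominternet = 1; VBAWarnings = 3 }
    'Security\Trusted Locations' = @{ AllowNetworkLocations = 0 }
}
# MacroRuntimeScanScope 2 = AMSI scanning of macro behaviour for all documents.
$CommonDesired = @{ 'Common\Security' = @{ MacroRuntimeScanScope = 2 } }

function Get-MacroPolicyChecks {
    $checks = foreach ($app in $Apps) {
        foreach ($sub in $PerAppDesired.Keys) {
            foreach ($name in $PerAppDesired[$sub].Keys) {
                [pscustomobject]@{ Key = "$OfficeHive\$app\$sub"; Name = $name; Expected = $PerAppDesired[$sub][$name] }
            }
        }
    }
    $checks += foreach ($sub in $CommonDesired.Keys) {
        foreach ($name in $CommonDesired[$sub].Keys) {
            [pscustomobject]@{ Key = "$OfficeHive\$sub"; Name = $name; Expected = $CommonDesired[$sub][$name] }
        }
    }
    $checks
}

function Test-MacroPolicy {
    param([switch]$Remediate)
    foreach ($check in Get-MacroPolicyChecks) {
        $actual = (Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue).$($check.Name)
        $compliant = ($null -ne $actual) -and ([int]$actual -eq $check.Expected)
        if (-not $compliant -and $Remediate) {
            if (-not (Test-Path $check.Key)) { New-Item -Path $check.Key -Force | Out-Null }
            Set-ItemProperty -Path $check.Key -Name $check.Name -Value $check.Expected -Type DWord
            $actual = $check.Expected
            $compliant = $true
        }
        [pscustomobject]@{
            Key       = $check.Key
            Name      = $check.Name
            Expected  = $check.Expected
            Actual    = if ($null -eq $actual) { '(not set: user-controlled)' } else { $actual }
            Compliant = $compliant
        }
    }
}

# Report non-compliant values; add -Remediate to enforce them on this profile.
Test-MacroPolicy | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

In production the remediation path is Group Policy or your endpoint management tool, not a per-user script; the script is useful for verifying that the policy actually landed on a given machine, and for showing an auditor the effective values rather than the intended ones.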


4. User application hardening

Configure web browsers to block Flash (ideally uninstall it), ads, and Java content from the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. Windows PowerShell 2.0 should be disabled or removed, as it lacks the logging and script-scanning protections of later versions. In addition, blocked PowerShell script executions should be centrally logged, with the logs protected from unauthorised modification and deletion and actively monitored for signs of compromise.

Why: Flash, ads, Java, and PowerShell are popular ways to deliver and execute malicious code on systems.
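As an added example (not code from the original post or from BeyondTrust), this PowerShell covers the PowerShell-specific parts of the control: it removes the Windows PowerShell 2.0 engine, turns on script block and module logging through the policy hive, reports the session’s language mode, and then searches the resulting 4104 events for a small watchlist of tokens. The watchlist is a constructed example of what a detection team might look for, not a definitive list. It assumes Windows 10/11 or Windows Server 2016 or later, run in an elevated session.

```powershell
# Added example, not code from the original post or from BeyondTrust. Removes the
# PowerShell 2.0 engine, enables script block and module logging (the same values
# Group Policy writes), and queries the 4104 events that logging produces.
# Assumes Windows 10/11 or Server 2016+, run elevated. The token watchlist is a
# constructed example.

# 1. The 2.0 engine predates script block logging and AMSI; "powershell -Version 2"
#    is a well-known way to dodge both. The optional feature should read Disabled.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

# 2. Logging policy. These keys mirror Computer Configuration > Administrative
#    Templates > Windows Components > Windows PowerShell.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$settings = @{
    "$base\ScriptBlockLogging" = @{ EnableScriptBlockLogging = 1 }
    "$base\ModuleLogging"      = @{ EnableModuleLogging = 1 }
}
foreach ($key in $settings.Keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $settings[$key].Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $settings[$key][$name] -Type DWord
    }
}
# Module logging needs a module list; '*' logs pipeline execution for all modules.
$modNames = "$base\ModuleLogging\ModuleNames"
if (-not (Test-Path $modNames)) { New-Item -Path $modNames -Force | Out-Null }
Set-ItemProperty -Path $modNames -Name '*' -Value '*'

# 3. Constrained Language Mode is applied by an application control policy
#    (AppLocker/WDAC) rather than a registry value; this shows what the current
#    session got. 'FullLanguage' on a standard user's workstation is a gap.
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"

# 4. Hunt the script block log. Event 4104 property 2 is the script text and
#    property 3 the ScriptBlockId (long scripts arrive in numbered fragments).
#    Ship Microsoft-Windows-PowerShell/Operational to your SIEM; the local log
#    wraps quickly and can be cleared by an attacker with admin rights.
$watch = 'FromBase64String', 'DownloadString', 'Invoke-Expression', 'IEX ', ' -enc', 'Add-Type', 'VirtualAlloc'
$pattern = ($watch | ForEach-Object { [regex]::Escape($_) }) -join '|'

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $pattern } |
    Select-Object TimeCreated,
        @{ n = 'ScriptBlockId'; e = { $_.Properties[3].Value } },
        @{ n = 'Snippet'; e = { $t = $_.Properties[2].Value; $t.Substring(0, [Math]::Min(120, $t.Length)) } } |
    Format-Table -AutoSize -Wrap
```

The watchlist query is deliberately noisy (legitimate scripts also call `Add-Type`); its value is as a starting point for tuning once the events are flowing to a central collector, which is the part of the control that actually satisfies “centrally logged and monitored”.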


Limit the Extent of Cyber Security Incidents

5. Restrict administrative privileges

Restrict admin privileges to operating systems and applications based on user duties, consistent with the principle of least privilege. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. Additionally, the use of privileged access and changes to privileged accounts or groups should be centrally logged and protected from unauthorised modification and deletion, and actively monitored for signs of compromise.

The Essential Eight also recommends that credentials for local administrator accounts and service accounts are unique, unpredictable, and managed.

Why: Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain elevated access to information and systems, making it easy to expand access further and cause considerable damage.
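As an added example (not code from the original post or from BeyondTrust), the script below is a local audit for this control: it lists who holds local Administrators membership, flags members that are not on an approved list, and pulls the Security log events that record changes to that group (4732/4733) and privileged logons (4672). The approved list and the domain group name are hypothetical. It assumes Windows 10/11 or Windows Server 2016 or later, run elevated, with “Audit Security Group Management” and “Audit Special Logon” enabled in the advanced audit policy; without those, the event queries return nothing.

```powershell
# Added example, not code from the original post or from BeyondTrust. Audits local
# Administrators membership against an approved list and reads the Security events
# for group changes (4732/4733) and privileged logons (4672). Approved principals
# are hypothetical. Requires the Security Group Management and Special Logon audit
# subcategories to be enabled; run elevated on Windows 10/11 or Server 2016+.

# The built-in Administrator is acceptable only when its password is unique per
# host and managed (e.g. by LAPS), which is what "unique, unpredictable, and
# managed" means for local accounts.
$Approved = @(
    "$env:COMPUTERNAME\Administrator"
    'CORP\Tier2-Workstation-Admins'          # hypothetical domain group
)

function Get-LocalAdminDrift {
    param([string[]]$Approved)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Member          = $_.Name
            ObjectClass     = $_.ObjectClass      # User or Group
            PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount
            Approved        = $Approved -contains $_.Name
        }
    }
}

# Anything not approved is a finding to revalidate or remove.
Get-LocalAdminDrift -Approved $Approved | Where-Object { -not $_.Approved } | Format-Table -AutoSize

# Who changed the Administrators group (well-known SID S-1-5-32-544), and who did it.
# 4732/4733 properties: 1 = MemberSid, 4 = TargetSid, 6 = SubjectUserName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Properties[4].Value)" -eq 'S-1-5-32-544' } |
    Select-Object TimeCreated, Id, @{ n = 'MemberSid'; e = { "$($_.Properties[1].Value)" } }, @{ n = 'ChangedBy'; e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize

# Privileged logons (4672), minus the machine's own identities, show where admin
# credentials are actually used. An admin account appearing here on a user's
# workstation during office hours is the "reading email as admin" anti-pattern.
# 4672 property 1 = SubjectUserName.
$serviceIdentities = 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[1].Value -notin $serviceIdentities -and $_.Properties[1].Value -notlike '*$' } |
    Group-Object { $_.Properties[1].Value } |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

Run at scale (via a management tool or remoting) and shipped to a central collector, the same three queries give you the revalidation evidence the control asks for: current membership, every change to it, and which privileged identities are in daily use on which hosts.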


6. Patch operating systems

Computers (including network devices) with ‘extreme risk’ vulnerabilities should be patched, or otherwise mitigated, within 48 hours. The most-up-to-date operating system should be used. Never use unsupported versions.

Why: Security vulnerabilities in operating systems can be used both to land and expand an attack on systems.


7. Multi-Factor Authentication

Multi-factor authentication (MFA) is used to authenticate privileged users of systems, users accessing important data repositories, and users of remote access services including VPNs, RDP, SSH and other remote access solutions.

Why: Extra authentication layers make it harder for adversaries to access sensitive information and systems.


Recover Data and System Availability

8. Daily backups

Backups of important new/changed data, software, and configuration settings should be secured and retained for at least three months. Test restoration initially, annually, and when IT infrastructure changes.

Why: To ensure information can be accessed following a cyber security incident (e.g. a ransomware incident).

How BeyondTrust can Help your Organisation meet the Essential Eight Requirements

Figure 2: BeyondTrust provides controls around Application Control, User Application Hardening, Restricting Admin Privileges, and Multi-Factor Authentication, along with compensating control or support of Patch Applications, Configure Microsoft Office Macros Settings, and Patch Operating Systems.

The BeyondTrust Privileged Access Management (PAM) portfolio is an integrated solution set that provides visibility and control over the entire universe of privileges: identities, endpoints, and sessions. Our PAM platform comprises four integrated solutions: Privileged Password Management, Endpoint Privilege Management, Secure Remote Access, and Cloud Privilege Protection.

BeyondTrust is recognised by every major analyst as a leader in Privileged Access Management. Furthermore, unlike traditional PAM approaches, our Universal Privilege Management model allows you to start with the use cases that are most urgent to your organisation, and then seamlessly address remaining use cases over time.

BeyondTrust enables you to address multiple parts of the Essential Eight, including enforcing Application Control, User Application Hardening, Restricting Admin Privileges, and Multi-Factor Authentication, along with some compensating control or support of Patch Applications, Configure Microsoft Office Macros Settings, and Patch Operating Systems.

To learn more about the Essential Eight and how BeyondTrust can support your adoption of these strategies, download our whitepaper, Complying with the Australian Cyber Security Centre (ACSC) Mitigation Strategies, or contact us today.



Scott Hesford, Director of Solutions Engineering, APJ

Scott Hesford has over a decade of experience in IT security. Before joining BeyondTrust in 2019, he worked as Principal Consultant for CA Technologies and other large enterprises in Australia and New Zealand. A trusted cyber security advisor to enterprise customers, his experience spans across several industries such as banking, insurance, energy and utilities, in addition to state and federal governments. At BeyondTrust, Mr Hesford is an essential contributor in the regional security engineering department, helping enterprises and government agencies improve their security posture against internal and external threats.
