In July 2021, the Australian Cyber Security Centre (ACSC) published revisions to the Essential Eight, its top-line strategy recommendations for mitigating cyber risk within organisations.
The revisions provide updated clarification of the controls and maturity requirements for each level of the Essential Eight.
So, what is the Essential Eight and how does it help organisations?
ACSC Essential Eight Overview
In February 2010, the Australian Signals Directorate (ASD) published a list of strategies to mitigate targeted cyber intrusions. The Strategies to Mitigate Cyber Security Incidents is a prioritised list of mitigation strategies that assists organisations in protecting their systems against a range of adversaries.
In 2017, four additional recommendations were added, creating the Essential Eight. From time to time the ACSC, part of the ASD, updates the Essential Eight, clarifying or refining the details of the strategies. This guidance promotes the adoption of sound security and operational practices for managing technology used within Australian Government agencies and departments. However, the guidance is also frequently adopted by private sector organisations across the world to improve their security posture and better manage risk.
Maturing with the Essential Eight
To assist organisations in determining the maturity of their implementation of the Essential Eight, as of July 2021, four maturity levels have been defined for each mitigation strategy. The maturity levels are based on mitigating increasing levels of cyber “tradecraft” and are defined as:
- Level Zero – Signifies weaknesses that could be exploited by attackers
- Level One – Partly aligned with the intent of the mitigation strategy
- Level Two – Mostly aligned with the intent of the mitigation strategy
- Level Three – Fully aligned with the intent of the mitigation strategy
While some organisations may choose to achieve a specific level of maturity, others may want to work their way through the levels. In the past, if this latter path was your approach, you may have picked off higher maturity controls for some of the strategies while adopting lower levels of maturity for others. However, that is not the intention of the ACSC in creating these maturity levels, nor is it best practice. The ACSC strongly advises that organisations working their way through the maturity levels meet all the capabilities at one level, across all of the strategies, before proceeding to the next level.
So, how does your organisation choose the maturity level that you should adopt?
For Australian federal government agencies and departments, the Essential Eight will be mandatory.
For private sector organisations, selection of the maturity level will be based on your organisation’s risk profile and cybersecurity threats. For a small to medium-sized business, Level One may be enough. For large enterprises, and particularly for industries that handle sensitive data, Level Three could be more appropriate.
You can read the ACSC’s detailed document on the Essential Eight Maturity Model.
An Overview of the Eight Cyber Risk Reduction Strategies
The Essential Eight strategies are divided into three categories: those that prevent malware delivery and execution, those that limit the extent of cyber security incidents and strategies that recover data and assist with system availability. Let’s now take a closer look at each.
Prevent Malware Delivery and Execution
1. Application Control
This entails the use of allow lists, block lists, and other strategies. Application control restricts execution to an organisation-approved set of programs, preventing the execution of unapproved and malicious executables (.exe), DLLs, scripts (e.g. Windows Script Host, PowerShell and HTA), installers, compiled HTML, HTML applications, control panel applets and drivers.
In addition, application control rulesets should be validated on an annual or more frequent basis. Allowed and blocked application executions on workstations and servers are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
Why: All non-approved applications (including malicious code) are prevented from executing, reducing the risk of malware infection (including ransomware) and of inappropriate access to, or communication of, data.
2. Patch Applications
Patch applications like Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers within 48 hours if a vulnerability exists. Use the latest version of applications and remove non-supported applications.
Why: Security vulnerabilities in applications can be used to execute malicious code on systems.
3. Configure Microsoft Office macro settings
Block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate. This is configured via application settings within Microsoft Office.
Why: Microsoft Office macros can be used to deliver and execute malicious code on systems.
4. User application hardening
Configure web browsers to block Flash (ideally uninstall it), ads, and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. Windows PowerShell 2.0 should be disabled or removed. In addition, blocked PowerShell script executions should be centrally logged, with those logs protected from unauthorised modification and deletion and actively monitored for signs of compromise.
Why: Flash, ads, Java, and PowerShell are popular ways to deliver and execute malicious code on systems.
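The Office macro and PowerShell hardening points above translate directly into Windows policy settings that can be audited. The script below is an added example, not code from the original post or from BeyondTrust: it is a read-only check of one workstation for the "block macros from the Internet" Office policy, the Windows PowerShell 2.0 engine, and PowerShell script block logging. The Office version path (16.0, i.e. Office 2016/2019/Microsoft 365) and the per-user policy hive are assumptions; adjust them to match how your Group Policy applies the settings. Run it in an elevated PowerShell session.

```powershell
# Added example (not part of the original post): read-only audit of Office macro
# and PowerShell hardening on the local Windows host. Assumes Office 16.0 policy keys.

function Test-UserApplicationHardening {
    $findings = @()

    # 3. Office macro settings: the "Block macros from running in Office files from
    #    the Internet" policy lives under the per-user Office policy hive; 1 = blocked.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"   # assumed version
        $prop = Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue
        if (-not $prop -or $prop.blockcontentexecutionfrominternet -ne 1) {
            $findings += [pscustomobject]@{
                Check  = "Office ${app}: macros from the Internet"
                Status = 'FAIL'
                Detail = 'blockcontentexecutionfrominternet is not set to 1 by policy'
            }
        }
    }

    # 4. Windows PowerShell 2.0 engine: should be disabled or removed, since it
    #    bypasses the logging and security features of the current engine.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -ErrorAction SilentlyContinue
    if ($v2 -and $v2.State -eq 'Enabled') {
        $findings += [pscustomobject]@{
            Check  = 'Windows PowerShell 2.0 engine'
            Status = 'FAIL'
            Detail = 'Still enabled; remediate with Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root'
        }
    }

    # 4. Script block logging is what produces the centrally collectable PowerShell
    #    execution records (event ID 4104 in Microsoft-Windows-PowerShell/Operational).
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -ErrorAction SilentlyContinue
    if (-not $sbl -or $sbl.EnableScriptBlockLogging -ne 1) {
        $findings += [pscustomobject]@{
            Check  = 'PowerShell script block logging'
            Status = 'FAIL'
            Detail = 'EnableScriptBlockLogging is not set to 1 by policy'
        }
    }

    # Evidence the logging is actually flowing: count 4104 events from the last 24 hours.
    $recent = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check  = 'Script block events (last 24h)'
        Status = 'INFO'
        Detail = "$(@($recent).Count) event(s) with ID 4104 in the local operational log"
    }

    return $findings
}

Test-UserApplicationHardening | Format-Table -AutoSize
```

A FAIL row for the macro check on a machine that is managed through machine-level or a different Office version policy path means the key assumption, not necessarily the control, is wrong; confirm the path with the Group Policy result before treating it as a finding. The 4104 count is informational: the strategy also asks that these events be forwarded to a central collector and protected there, which a local check cannot prove.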
Limit the Extent of Cyber Security Incidents
5. Restrict administrative privileges
Restrict admin privileges to operating systems and applications based on user duties, consistent with the principle of least privilege. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing. Additionally, the use of privileged access and changes to privileged accounts or groups should be centrally logged and protected from unauthorised modification and deletion, and actively monitored for signs of compromise.
The Essential Eight also recommends that credentials for local administrator accounts and service accounts are unique, unpredictable, and managed.
Why: Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain elevated access to information and systems, making it easy to expand access further and cause considerable damage.
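Restricting administrative privileges starts with knowing who holds them on each host and whether that need is still current. The script below is an added example, not code from the original post or from BeyondTrust: it lists the members of the local Administrators group, flags any not on an approved baseline, reports whether the built-in Administrator account is enabled, identifies privileged local accounts that have not been used within a revalidation window, and counts recent privileged-logon events as evidence that privileged use is being logged. The approved-member list and the 90-day window are assumptions; run it in an elevated PowerShell session.

```powershell
# Added example (not part of the original post): read-only audit of local admin
# privileges on one Windows host. Baseline list and 90-day window are assumptions.

function Test-LocalAdminPrivileges {
    param(
        # Principals permitted to hold local admin rights on this host (assumed baseline).
        [string[]] $ApprovedMembers = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation Admins'),
        # Days of non-use after which the need for privilege should be revalidated (assumption).
        [int] $RevalidateAfterDays = 90
    )

    $findings = @()
    $members  = Get-LocalGroupMember -Group 'Administrators'

    # Any member of the local Administrators group outside the approved baseline.
    foreach ($m in $members) {
        if ($ApprovedMembers -notcontains $m.Name) {
            $findings += [pscustomobject]@{
                Check  = 'Unapproved local administrator'
                Detail = "$($m.Name) ($($m.ObjectClass), source $($m.PrincipalSource))"
            }
        }
    }

    # The built-in Administrator account (RID 500) is a well-known shared target. If it
    # stays enabled, its password must be unique per host and managed (e.g. via LAPS).
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    if ($builtin -and $builtin.Enabled) {
        $findings += [pscustomobject]@{
            Check  = 'Built-in Administrator enabled'
            Detail = "$($builtin.Name) is enabled; last logon $($builtin.LastLogon)"
        }
    }

    # Local user accounts with admin rights that have not logged on within the window:
    # candidates for the regular revalidation of privilege the strategy calls for.
    $cutoff = (Get-Date).AddDays(-$RevalidateAfterDays)
    $localUsers = $members | Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
    foreach ($m in $localUsers) {
        $user = Get-LocalUser -Name ($m.Name -replace '^.*\\', '') -ErrorAction SilentlyContinue
        if ($user -and $user.Enabled -and ($null -eq $user.LastLogon -or $user.LastLogon -lt $cutoff)) {
            $findings += [pscustomobject]@{
                Check  = 'Stale privileged account'
                Detail = "$($user.Name) last logged on $($user.LastLogon); revalidate the need for admin rights"
            }
        }
    }

    # Evidence that privileged use is being logged: Security event 4672 is raised when a
    # logon is assigned special (administrative) privileges.
    $recent = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4672
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check  = 'Privileged logon events (last 24h)'
        Detail = "$(@($recent).Count) event(s) with ID 4672 in the local Security log"
    }

    return $findings
}

Test-LocalAdminPrivileges | Format-Table -AutoSize -Wrap
```

Domain groups nested in the local Administrators group are reported as a single member, so a clean result here does not mean the group's own membership is appropriate; that needs the same review on the domain side. As with the logging checks, the 4672 count only shows events exist locally, not that they reach a protected central store.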
6. Patch operating systems
Computers (including network devices) with ‘extreme risk’ vulnerabilities should be patched, or otherwise mitigated, within 48 hours. The most-up-to-date operating system should be used. Never use unsupported versions.
Why: Security vulnerabilities in operating systems can be used both to land and expand an attack on systems.
7. Multi-Factor Authentication
Multi-factor authentication (MFA) is used to authenticate privileged users of systems and to authenticate users accessing important data repositories, including via VPNs, RDP, SSH, and other remote access.
Why: Extra authentication layers make it harder for adversaries to access sensitive information and systems.
Recover Data and System Availability
8. Daily backups
Backups of important new/changed data, software, and configuration settings should be secured and retained for at least three months. Test restoration initially, annually, and when IT infrastructure changes.
Why: To ensure information can be accessed following a cyber security incident (e.g. a ransomware incident).
How BeyondTrust can Help your Organisation meet the Essential Eight Requirements
The BeyondTrust Privileged Access Management (PAM) portfolio is an integrated solution set that provides visibility and control over the entire universe of privileges—identities, endpoints, and sessions. Our PAM platform comprises four integrated solutions: Privileged Password Management, Endpoint Privilege Management, Secure Remote Access, and Cloud Privilege Protection.
BeyondTrust is recognised by every major analyst as a leader in Privileged Access Management. Furthermore, unlike traditional PAM approaches, our Universal Privilege Management model allows you to start with the use cases that are most urgent to your organisation, and then seamlessly address remaining use cases over time.
BeyondTrust enables you to address multiple parts of the Essential Eight, including enforcing Application Control, User Application Hardening, Restricting Admin Privileges, and Multi-Factor Authentication, along with compensating controls for, or support of, Patch Applications, Configure Microsoft Office Macro Settings, and Patch Operating Systems.
To learn more about the Essential Eight and how BeyondTrust can support your adoption of these strategies, download our whitepaper, Complying with the Australian Cyber Security Centre (ACSC) Mitigation Strategies, or contact us today.
Scott Hesford, Director of Solutions Engineering, APJ
Scott Hesford has over a decade of experience in IT security. Before joining BeyondTrust in 2019, he worked as Principal Consultant for CA Technologies and other large enterprises in Australia and New Zealand. A trusted cyber security advisor to enterprise customers, his experience spans across several industries such as banking, insurance, energy and utilities, in addition to state and federal governments. At BeyondTrust, Mr Hesford is an essential contributor in the regional security engineering department, helping enterprises and government agencies improve their security posture against internal and external threats.