In 2017, The Australian Cyber Security Center (ACSC) published a set of mitigation strategies that were designed to help organizations to protect themselves against cyber security incidents. These strategies, which became known as the Essential Eight, are designed specifically for use on Windows networks, although variations of these strategies are commonly applied to other platforms.
What is the Essential Eight?
The Essential Eight is essentially a cyber security framework that is made up of objectives and controls (with each objective including multiple controls). Initially, the Australian government only mandated that companies adhere to four of the security controls that were included in the first objective. Starting in June of 2022 however, all 98 non-corporate Commonwealth entities (NCCEs) are going to be required to comply with the entire framework.
Non-Australians take note
Although the Essential Eight is specific to Australia, organizations outside of Australia should take notice. After all, the Essential Eight is "based on the ACSC's experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organizations to implement the Essential Eight" (source). In other words, the Essential Eight could be thought of as a set of best practices that are based on the ACSC's own experience.
Another reason for those outside of Australia to pay attention to the Essential Eight is because most developed nations have cyber security regulations that closely mimic the Essential Eight. While there are inevitably going to be differences in regulations, most sets of cyber security regulations seem to agree on the basic mechanisms that need to be put into place in order to remain secure. Examining Australia's Essential Eight can help organizations abroad to better understand what it takes to keep their systems secure.
The Essential Eight are divided into four maturity levels, with Maturity Level 0 indicating that the organization is not at all secure. Maturity Level 1 provides a very basic level of protection, while Maturity Level 3 has requirements that are far more stringent. Organizations are encouraged to assess their overall risks and IT resources when choosing a target maturity level.
Objective 1: Application Control
The Application Control objective is designed to prevent unauthorized code from running on systems. Maturity Level 1 is primarily intended to prevent users from running unauthorized executables, scripts, tools, and other components on their workstations, while Maturity Level 2 adds protections for Internet facing servers. Maturity Level 3 adds additional controls, such as driver restrictions and adherence to Microsoft's block lists.
Objective 2: Patch Applications
The second objective is focused on applying patches to applications. Software vendors routinely deliver security patches as vulnerabilities are discovered. The Patch Applications objective states (for all maturity levels) that patches for vulnerabilities in Internet facing services should be patched within two weeks, unless an exploit exists, in which case patches should be applied within 48 hours of becoming available. This objective also prescribes guidance for other types of applications and for the use of vulnerability scanners.
Objective 3: Configure Microsoft Office Macro Settings
The third objective is to disable macro use in Microsoft Office for users who do not have a legitimate business need for macro use. Organizations must also ensure that macros are blocked for any Office file originating from the Internet and that the settings cannot be modified by end users. Organizations must also use antivirus software to scan for macros. Higher maturity levels add additional requirements such as running macros in sandboxed locations.
Objective 4: Use Application Hardening
The fourth objective is called Application Hardening, but at a maturity level of 1, this objective mostly relates to locking down the Web browser on user's PCs. More specifically, the browsers must be configured so that they do not process Java, nor can they process Web advertisements. Additionally, Internet Explorer 11 cannot be used to process Internet content (higher maturity levels call for removing or disabling Internet Explorer). Browser settings must be configured so that they cannot be changed by users.
Higher maturity levels focus on hardening other applications beyond just the browser. For instance, Microsoft Office and PDF readers must be prevented from creating child processes.
Objective 5: Restrict Administrative Privileges
Objective 5 is all about keeping privileged accounts save. This objective sets up rules such as privileged accounts not being allowed to access the Internet, email, or Web services. Likewise, unprivileged accounts must be prohibited from logging in to privileged environments.
When an attacker seeks to compromise a network, one of the first things that they will do is to try to gain privileged access. As such, it is extraordinarily important to guard privileged accounts against compromise. One of the best third-party tools for doing so is Specops Secure Service Desk which prevents unauthorized password resets for both privileged and unprivileged accounts. That way, an attacker will be unable to gain access to a privileged account simply by requesting a password reset.
Objective 6: Patch Operating Systems
Just as application vendors periodically release patches to address known vulnerabilities, Microsoft releases Windows patches on a regular basis. These patches normally arrive on "Patch Tuesday", but out of band patches are sometimes deployed when serious vulnerabilities are being patched.
The Patch Operating System objective sets up the basic requirements for keeping Windows patched. In addition, this objective requires organizations to regularly scan for missing patches.
Objective 7: Multifactor Authentication
The seventh objective defines when multifactor authentication must be used. Maturity Level 1 is relatively lenient, requiring multifactor authentication primarily when users access Internet facing, or Web based applications (among other things). Higher maturity levels require multifactor authentication to be used in an ever-increasing number of situations.
Requiring multifactor authentication is one of the most effective things that an organization can do to keep user accounts secure. Specops uReset enables multifactor authentication for password reset requests, helping to keep user accounts secure.
Objective 8: Regular Backups
The eighth's objective is to create regular backups. Besides creating backups, organizations are required to perform test restorations and to prevent unprivileged accounts from deleting or modifying backups, or from accessing any backups that are not their own. Higher maturity levels set additional access restrictions on unprivileged accounts and on privileged accounts (aside from backup admins and break glass accounts).