Recent Changes To The Essential Eight Maturity Model

By Gavin Hall | December 7, 2023

With the continued rise of data breaches and cyber attacks such as ransomware, Australian businesses must actively prioritise their cyber security efforts in order to protect their sensitive information and assets.

To support businesses to improve their cyber security posture, the Australian federal government has invested in and partnered with bodies such as the Australian Cyber Security Centre (ACSC) to provide easy-to-follow security frameworks, such as the ACSC Essential Eight.

In this blog article, we will look at the latest updates from the Australian Signals Directorate (ASD) for the Essential Eight Maturity Model to ensure you are across the facts relevant to helping protect your business from cyber threats.

Refresher - What Is The Essential Eight?

The Essential Eight are Strategies to Mitigate Cyber Security Incidents and act as a baseline to help organisations protect themselves against various cyber threats. This baseline makes it much harder for cybercriminals to compromise systems.

According to the ACSC, they focus on Microsoft-based and Internet-based applications. The controls are divided into eight domains. 

For more information on what the domains and security levels are and how they can be a baseline to developing a robust security layer for your business, read our earlier blog on How The Essential Eight Can Protect Your Business.

What's New And Why?

In November 2023, the ASD made further updates to the Essential Eight Maturity Model and the guidelines and regulations surrounding its use. Below we have provided a simplified version of this update to keep you up to date with the most recent and relevant information.

Patch Applications and Operating Systems

In response to an ASD assessment of malicious actors' average exploit time, critical vulnerabilities must now be patched, updated, or mitigated within 48 hours. Higher-priority patching is emphasised for vulnerabilities facilitating authentication bypass or remote code execution. The timeframe for patching applications that interact with untrusted internet content is reduced from one month to two weeks, accompanied by a shift to at least weekly vulnerability scanning. Conversely, the patching timeframe for less critical devices is extended from two weeks to one month, impacting Maturity Levels Two and Three.

Multi-Factor Authentication

Maturity Level One now specifies the types of authentication factors for multi-factor authentication (MFA). Requirements include 'something users have' in addition to 'something users know.' Mandatory MFA enforcement for web portals storing sensitive customer data is adopted, removing the easy opt-out option. The adoption of phishing-resistant MFA is emphasised, impacting Maturity Level Two.

Restrict Administrative Privileges

To address the absence of governance processes, requirements are added for privileged access to data banks, aligning with governance processes for system and application access. Changes include:

  • Governance processes for privileged access to data repositories emphasised.
  • Privileged accounts accessing the internet strictly limited and controlled.
  • Strengthened requirements for credential management and administrative infrastructure hardening.

These changes impact Maturity Level Three.

Application Control

Changes in application control address the use of living off the land techniques by malicious actors. Annual reviews of application control rulesets and the implementation of Microsoft's recommended blocklist are emphasised, impacting Maturity Level Two.

Restrict Microsoft Office Macros

Changes include adopting V3 digital signatures for macros to address tampering vulnerabilities. Logging of allowed and blocked Microsoft Office macro events is removed. These changes impact Maturity Level Three.

User Application Hardening

Internet Explorer 11 is now required to be disabled or removed. The implementation of ASD and vendor hardening guidance is now mandatory, with stricter requirements taking precedence. Enhanced PowerShell logging and the addition of logging command line process creation events are introduced, impacting Maturity Levels Two and Three.

Regular Backups

While no significant changes are made, organisations are encouraged to consider the business criticality of their data when prioritising backups, impacting all three Maturity Levels.

Other areas 

For more information on how the Essential Eight can protect your business, see our previous blog.

How Diamond IT Can Support Your Cyber Security Strategy

The Diamond IT team specialise in reviewing cyber security strategies to ensure they are fit-for-purpose, align with government recommendations, and include the necessary defences required to best protect your business from malicious threats.

We can support you through establishing your Essential Eight Maturity Level and improve your overall cyber security posture.

Our Business Technology Managers (BTMs) and Business Technology Consulting team are specialists in improving your internal cyber security and are ready to speak with you. Contact our team on 1300 307 907 today.

About Gavin Hall

Gavin is a results-driven professional with experience in delivering enterprise-wide business and IT change. He holds PMP, ISO27001 Lead Implementer and Prince2 certifications as well as a Masters of Business Administration and has a broad range of management experience in financial services, leisure and retail industries. The right blend of professionalism, skills and management experience allows for a pragmatic 'right size' approach to succeed in delivering projects and programmes of work.