In February of 2017, the Australian Signals Directorate revised their long-standing go-to list of strategies to mitigate cyber security incidents. This list of strategies is a practical set of actions we can use to further safeguard our information systems.
Many organisations struggle with their cybersecurity posture; some have managed to arrive at a state of awareness, but very few have progressed to taking definitive action. The ASD Essential Eight (formerly known as the ASD Top 4) go a long way to bridging the void between awareness and action.
My recommendation is to engage your security team, develop an E8 Strategy, and take action. If you don’t have a dedicated security team, you can put down that paper bag and breathe easy – there are skilled cyber security professionals that can help make sense of it all and help you develop and implement an E8 Strategy.
In brief, your E8 Strategy will include elements that prevent malware from executing and, more importantly, limit the impact of incidents and expedite recovery. While it may feel comfortable to simply focus on prevention (before), one would be foolish to ignore the “during” and “after” of an incident. In cyber security, it’s never “if” but nearly always “when” and how we respond to and recover from incidents is more important.
Consider the following from the revised ASD Essential Eight:
1. Application Whitelisting
2. Patching Applications
3. Restricting Administrative Privileges
4. Patching Operating Systems
5. Disabling Untrusted Microsoft Office Macros
6. Using Application Hardening
7. Multi-Factor Authentication
8. Daily Backups
Bear in mind that the ASD mitigation strategies mean different things to different people, but there is a noted consensus on the above eight, enough for the ASD themselves to deem them the Essential Eight.
The ASD Top 4 were deemed mandatory for Australian Government organisations from April 2013 and were considered effective in mitigating 85% of adversary techniques. Mandatory or not, developing an E8 Strategy is just good practice for your organisation.
Application Whitelisting is one of the most effective strategies in that it limits or even prevents the execution of malware. By explicitly defining what is allowed, only trusted programs can run in your environment. Known untrusted applications are denied or, at most, isolated.
For a highly bespoke environment with proprietary applications unknown to whitelisting security products, the option is given to users (but more likely configured by administrators) to choose whether to allow them. Implementing Application Whitelisting may seem daunting, but the threat intelligence behind these products is improving daily, and the software remains flexible enough to include your in-house apps and to exclude apps that contravene your security policy even if they are otherwise trusted.
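To make the rule order concrete, here is an added example (not code from the original post or from any whitelisting product) of how an allow-list policy is typically evaluated: an explicit deny wins even over a trusted signer, an approved hash admits an unsigned in-house build, a trusted publisher admits everything it signs, and anything else is denied by default. Every path, publisher name and file content below is constructed for illustration.

```python
# Added example (not from the original post): evaluating an application
# allow-list policy. Paths, publisher names and file bytes are constructed.
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Executable:
    path: str
    publisher: Optional[str]  # subject of the code-signing certificate, None if unsigned
    content: bytes            # file bytes; tiny constructed stand-ins below

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Rule order matters: explicit deny, then approved hash, then trusted
# publisher, then default deny.
DENY_PATHS = {r"C:\Tools\remote-admin.exe"}  # trusted signer, but contravenes policy
TRUSTED_PUBLISHERS = {"Contoso Software Ltd", "Microsoft Corporation"}

# An unsigned in-house build is approved by recording its hash at build time.
INHOUSE_PAYROLL = Executable(r"C:\Apps\payroll.exe", None, b"constructed in-house payroll build 1.4")
ALLOWED_HASHES = {INHOUSE_PAYROLL.sha256}


def evaluate(exe: Executable) -> Tuple[str, str]:
    """Return (decision, reason) for one executable under the policy above."""
    if exe.path in DENY_PATHS:
        return "deny", "explicitly denied by policy"
    if exe.sha256 in ALLOWED_HASHES:
        return "allow", "hash matches an approved in-house build"
    if exe.publisher in TRUSTED_PUBLISHERS:
        return "allow", "signed by trusted publisher " + exe.publisher
    return "deny", "not on the allow list (default deny)"


# Constructed cases covering each branch.
CASES = [
    INHOUSE_PAYROLL,
    # same path as the approved build, but the bytes differ: modified or unapproved
    Executable(r"C:\Apps\payroll.exe", None, b"constructed in-house payroll build 1.4 (modified)"),
    Executable(r"C:\Program Files\Contoso\editor.exe", "Contoso Software Ltd", b"signed vendor app"),
    Executable(r"C:\Tools\remote-admin.exe", "Microsoft Corporation", b"trusted signer, banned tool"),
    Executable(r"C:\Users\jsmith\Downloads\setup.exe", None, b"unsigned download"),
]


def decisions() -> List[str]:
    """Decision per case, in CASES order."""
    return [evaluate(e)[0] for e in CASES]


if __name__ == "__main__":
    for exe in CASES:
        decision, reason = evaluate(exe)
        print(f"{decision:5}  {exe.path}  ({reason})")
```

The second case is the one worth noticing: the same file name as the approved payroll build is denied because its bytes, and therefore its hash, changed. Hash rules protect against tampering in a way that path rules never can, at the cost of re-approving every new build.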
A fundamental issue with technology is human error. Apps are rushed to market to meet a need, deliver a service, or cash in on the latest internet craze and companies cannot afford to waste time looking for every little bug. Responsible vendors publish their bugs and issue patches to correct them. Responsible administrators apply these patches to keep their systems up-to-date and secure. Unfortunately, the world doesn’t work that way and administrators don’t always get to patching right away.
The double-edged sword of these bugs is that hackers, now aware of publicly available details (on top of the ones they acquire by other means), look for unpatched systems, and it becomes a cat-and-mouse game. A patching strategy is a must-have.
It’s common sense that you should only ever allow those that absolutely need access to have it and use the principle of least privilege. Unfortunately, due to staff changes, managers with conflicting agendas who demand access they don’t need, or just in the name of trying to get things working, far too many get access to far too much. While dangerous in the hands of trusted staff who don’t know what they’re doing, in the hands of a hacker or disgruntled insider it can be catastrophic.
The best course of action is to enable account auditing, such as alerts for privilege escalation, perform regular audits of administrator accounts and privileges, and improve your security policies to address changes such as staff turnover among those in possession of privileged accounts.
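Both halves of that advice, alerting on privilege escalation and auditing who still holds privilege, can be checked with a little logic over the security log and a staff roster. The following is an added example, not code from the original post: the log lines, account names, group memberships and roster are constructed, written in a simple key=value form rather than any product's real format, and the only real values are the Windows security event IDs 4728 and 4732 (member added to a security-enabled global or local group).

```python
# Added example (not from the original post): alerting on additions to
# privileged groups and auditing privileged membership against an HR roster.
# Log lines, accounts and groups are constructed; 4728/4732 are the Windows
# event IDs for a member added to a security-enabled global/local group.
import re
from typing import Dict, List, Set, Tuple

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
GROUP_ADD_EVENTS = {"4728", "4732"}

# Constructed events in key=value form.
EVENTS = [
    "2017-03-01T09:14:02Z EventID=4732 Subject=CONTOSO\\jsmith Member=CONTOSO\\svc-backup Group=Administrators",
    "2017-03-01T09:20:11Z EventID=4732 Subject=CONTOSO\\jsmith Member=CONTOSO\\tnguyen Group=Remote Desktop Users",
    "2017-03-01T11:02:45Z EventID=4728 Subject=CONTOSO\\pwong Member=CONTOSO\\pwong Group=Domain Admins",
    "2017-03-01T12:30:00Z EventID=4624 Subject=CONTOSO\\tnguyen Member=- Group=-",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Subject=(?P<subject>\S+) "
    r"Member=(?P<member>\S+) Group=(?P<group>.+)$"
)


def parse(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable event line: " + line)
    return m.groupdict()


def escalation_alerts(lines: List[str]) -> List[str]:
    """One alert per addition to a privileged group; self-elevation is called out."""
    alerts = []
    for ev in map(parse, lines):
        if ev["id"] not in GROUP_ADD_EVENTS or ev["group"] not in PRIVILEGED_GROUPS:
            continue
        note = "SELF-ELEVATION" if ev["subject"] == ev["member"] else "privilege granted"
        alerts.append(f'{ev["ts"]} {note}: {ev["subject"]} added {ev["member"]} to {ev["group"]}')
    return alerts


# Constructed current membership of privileged groups, HR's list of active
# staff, and the service accounts that are expected to hold privilege.
ADMIN_MEMBERS = {
    "Administrators": {"CONTOSO\\jsmith", "CONTOSO\\svc-backup", "CONTOSO\\aford"},
    "Domain Admins": {"CONTOSO\\pwong", "CONTOSO\\jsmith"},
}
ACTIVE_STAFF = {"CONTOSO\\jsmith", "CONTOSO\\pwong", "CONTOSO\\tnguyen"}
SERVICE_ACCOUNTS = {"CONTOSO\\svc-backup"}


def stale_admins(members: Dict[str, Set[str]], active: Set[str],
                 service_accounts: Set[str]) -> List[Tuple[str, str]]:
    """Privileged accounts belonging to neither a current staff member nor a known service account."""
    stale = []
    for group, accounts in members.items():
        for acct in sorted(accounts):
            if acct not in active and acct not in service_accounts:
                stale.append((group, acct))
    return stale


if __name__ == "__main__":
    for alert in escalation_alerts(EVENTS):
        print(alert)
    for group, acct in stale_admins(ADMIN_MEMBERS, ACTIVE_STAFF, SERVICE_ACCOUNTS):
        print(f"stale privileged account: {acct} still in {group}")
```

Run as written, the first pass raises two alerts (a service account added to Administrators, and an account adding itself to Domain Admins) and ignores the Remote Desktop Users change and the unrelated logon event; the second pass finds one departed user still sitting in Administrators, which is exactly the staff-turnover gap the policy change is meant to close.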
Patching operating systems, like patching applications, should be a priority for any organisation. Most of us are familiar with Microsoft “Patch Tuesday” but we should also be aware of patches released for other operating systems. The mindset that Macs are immune or Linux is less likely to be compromised is a false sense of security. This also applies to the operating systems that run on devices other than servers or desktops and laptops.
Tablets, mobile phones, routers, switches, firewalls, and dozens of other appliances must be considered and should also include firmware updates. The operating system controls the appliance and all of the applications; a patching strategy must address these with priority and be included in change management procedures.
Macros exist for a reason, but are increasingly a source of exploits. Blindly turning them off altogether isn’t effective, as it creates more overhead. The better strategy is to decide whether the macro is actually needed and to determine whether it has been provided by, tested by, and signed by a trusted party.
It’s worth noting that malicious macros are not exclusively a Microsoft Office problem; it’s just the ubiquity of the product. Regardless of which productivity suite you have, be aware of macro safety.
Application hardening is often overlooked in the blind faith that network and endpoint protection will cover off any issues. Unfortunately, issues that arise from using “trusted” applications often bypass third-party protection, as they are seen as legitimate traffic from a legitimate user.
Keeping your applications patched to the latest stable version, disabling unused features, and managing user authentication for applications is a great place to start. While many focus on simply hardening the operating system, it’s good to apply the same controls to the applications as well.
Multi-Factor Authentication (MFA) has gained considerable momentum over the past several years, although single-factor authentication still dominates and continues to be a cause of breaches through poor password management. Multi-factor has been ignored, to some degree, by those who falsely think their passwords are complex enough or who refuse to use a cumbersome token generator or carry a smart card.
Modern MFA implementations can use a combination of easy-to-use secondary factors such as apps or SMS codes, among others. Biometrics have become more user-friendly and affordable, even being embedded in consumer goods such as the iPhone home button and many laptops. Beyond the corporate workspace, even implementing MFA on your personal accounts is a good practice. MFA isn’t the be-all and end-all, but it improves your security posture significantly, even when your passwords are not ideal.
Daily backups have been around as long as we’ve had data to actually back up. From tapes to diskettes to CDs and DVDs to removable storage to Cloud and even secondary data centres, we’ve never been lacking for options to back up our data. Applications have been around just as long to back up your information and even something as simple as a file copy is better than nothing.
Still, many organisations lack an effective backup (and by extension Disaster Recovery / Business Continuity Plan) and find themselves in a world of hurt when things go pear-shaped, such as a ransomware attack. Your strategy must address your Recovery Time Objective (RTO, or how soon you need to be back in business) and Recovery Point Objective (RPO, or how much data you can tolerate losing from the last backup). With many choices and many cost-effective methods available, you really have no excuse to have no backup strategy.
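RTO and RPO only mean something if you measure your backups against them, and a backup that has never been restored proves nothing about RTO. The following added example (not code from the original post or any backup product) assesses a constructed job history against a constructed 24-hour RPO and 4-hour RTO: the age of the latest successful backup is the data you would lose today, and the duration of the most recent restore test is the only evidence you have for recovery time.

```python
# Added example (not from the original post): checking a backup history
# against a Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
# All timestamps, durations and objectives are constructed values.
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed job history: when each job finished, whether it succeeded, and
# how long the restore test of that job took (None = never restore-tested).
BACKUPS: List[Dict[str, object]] = [
    {"finished": datetime(2017, 3, 5, 22, 0), "ok": True,  "restore_test": timedelta(hours=3)},
    {"finished": datetime(2017, 3, 6, 22, 0), "ok": True,  "restore_test": None},
    {"finished": datetime(2017, 3, 7, 22, 0), "ok": False, "restore_test": None},  # job failed
]


def assess(backups: List[Dict[str, object]], now: datetime,
           rpo: timedelta, rto: timedelta) -> Dict[str, object]:
    """Compare the backup history as of `now` with the RPO/RTO objectives."""
    result: Dict[str, object] = {"rpo_met": False, "rto_met": False,
                                 "data_at_risk": None, "findings": []}
    findings: List[str] = result["findings"]  # type: ignore[assignment]

    history = [b for b in backups if b["finished"] <= now]
    if history and not history[-1]["ok"]:
        findings.append("most recent backup job failed")

    good = [b for b in history if b["ok"]]
    if not good:
        findings.append("no successful backup on record")
        return result

    # RPO: the gap since the last good backup is what you would lose right now.
    latest = max(good, key=lambda b: b["finished"])
    age = now - latest["finished"]
    result["data_at_risk"] = age
    result["rpo_met"] = age <= rpo
    if not result["rpo_met"]:
        findings.append(f"RPO breached: latest good backup is {age} old, objective {rpo}")

    # RTO: only a restore that was actually performed gives a defensible number.
    tested = [b for b in good if b["restore_test"] is not None]
    if not tested:
        findings.append("RTO unproven: no restore test on record")
    else:
        last_test = max(tested, key=lambda b: b["finished"])["restore_test"]
        result["rto_met"] = last_test <= rto
        if not result["rto_met"]:
            findings.append(f"RTO breached: last restore test took {last_test}, objective {rto}")
        if latest["restore_test"] is None:
            findings.append("latest good backup has not itself been restore-tested")
    return result


if __name__ == "__main__":
    report = assess(BACKUPS, datetime(2017, 3, 8, 9, 0), timedelta(hours=24), timedelta(hours=4))
    print("RPO met:", report["rpo_met"], "| RTO met:", report["rto_met"],
          "| data at risk:", report["data_at_risk"])
    for finding in report["findings"]:
        print(" -", finding)
```

On the morning of 8 March in this constructed history the last job failed, so the newest good copy is 35 hours old against a 24-hour RPO: the objective is breached even though a backup "ran" last night. The RTO check passes on the strength of a 3-hour restore test, but the report also notes that the most recent good backup was never restore-tested, which is the state most organisations are actually in until they rehearse a recovery.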
While implementing the above can seem like a monumental task, there is help available to define, develop, and implement an E8 Strategy. There may be some of these you have already completed, and there may be others that were never considered.
The priority of the above may also be different for your business and may include fewer or more than the above eight strategies, but at the very least these should be discussed. The most important thing to remember is that you are not alone; there are many skilled cyber security professionals ready, willing, and able to assist you and guide your E8 Strategy implementation.
All you have to do is ask to start building those bridges between ignorance, awareness, and action.
Read more from the ASD Essential Eight Explained series.
Go to: Part 1: Application Whitelisting | Part 2: Patching Applications | Part 3: Restricting Administrative Privileges | Part 4: Patching Operating Systems | Part 5: Disabling Untrusted Microsoft Office Macros | Part 6: Using Application Hardening | Part 7: Multi-Factor Authentication | Part 8: Daily Backups