
Explaining the Essential Eight

18/09/2020

A few years ago, the Australian Signals Directorate (ASD) along with the Australian Cyber Security Centre (ACSC) developed the Essential Eight, a set of eight strategies that form a baseline for Australian organisations to mitigate cyber attacks.

A recent survey by the Australian Cyber Security Centre found that nearly 70% of Australian SMBs are only implementing four or fewer of the strategies outlined in the Essential Eight (ACSC Small Business Survey Report, 2020), which is a pretty scary stat!

While these eight actions aren’t guaranteed to protect you from 100% of cyber incidents, they’re useful for benchmarking your cyber posture against that of other Australian SMBs. Implementing the Essential Eight not only makes it harder for cyber crooks to compromise systems and do damage, but for the majority of businesses it’s WAY more cost-effective in terms of time, money and effort than having to respond to a cyber security incident – prevention is better than cure after all.

Read on for an overview of what each strategy is, and how you can put it into place.

Mitigation strategies to prevent malware delivery and execution

Actions that can prevent malicious code getting into your systems and doing damage.

1. Application control

What does this mean?

Application control means restricting the applications (such as executables, software libraries, scripts and installers) that can run on your systems to only those that you approve. This helps to protect against malicious code or malware running on your systems, and also helps to prevent the installation and use of unapproved applications.

How do I do this?

This is best managed at a system administrator level, so talk to your IT company or team about how to put application controls in place. You’ll need to identify approved applications and work to block all non-approved ones from being able to run, with this enforced at a high level.

2. Configure Microsoft Office macro settings

What does this mean?

A macro is a shortcut that enables a whole lot of commands to run with a single click, automatically completing a task. This creates a security concern, as documents from an external source can contain malicious macros that, when run, can install ransomware and other malicious files on your computer in seconds. By adjusting your organisation’s macro settings, you can reduce the risk of undesirable macros running and causing grief.

How do I do this?

Instructions can be found via Microsoft’s guide – it’s important to note that these settings should only be accessible to administrators. Update your organisation’s Office settings to block macros in documents originating from the internet, and only allow macros to execute when they are signed, or permission is granted on a document-by-document basis.
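
One way to confirm the settings above are actually enforced, as an added example that is not from the original article or from Microsoft's guide: a Python audit of an exported Office policy registry key. The sample export is constructed, `parse_policies` and `audit` are hypothetical names, and the Office 16.0 policy values `VBAWarnings` and `blockcontentexecutionfrominternet` are assumed to be where your organisation enforces the settings.

```python
import re

# Constructed sample of a `reg export` of the Office policy key (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000003
"blockcontentexecutionfrominternet"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security]
"VBAWarnings"=dword:00000002
"blockcontentexecutionfrominternet"=dword:00000000
'''

KEY_RE = re.compile(r"^\[.*\\Office\\[\d.]+\\(\w+)\\Security\]$", re.I)
VAL_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
# VBAWarnings: 2 = prompt per document, 3 = signed macros only, 4 = all disabled.
ACCEPTABLE_VBA = {2, 3, 4}

def parse_policies(reg_text):
    """Return {app: {value_name_lowercase: int}} for Office Security keys."""
    apps, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = apps.setdefault(m.group(1).lower(), {}) if m else None
        elif current is not None:
            m = VAL_RE.match(line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return apps

def audit(reg_text, expected_apps=("word", "excel", "powerpoint")):
    """List findings; a missing value counts as 'not enforced by policy'."""
    policies, findings = parse_policies(reg_text), []
    for app in expected_apps:
        values = policies.get(app, {})
        if values.get("vbawarnings") not in ACCEPTABLE_VBA:
            findings.append((app, "macros not limited to signed or per-document approval"))
        if values.get("blockcontentexecutionfrominternet") != 1:
            findings.append((app, "macros in internet-origin documents not blocked"))
    return findings

if __name__ == "__main__":
    for app, problem in audit(SAMPLE_REG):
        print(f"{app}: {problem}")
```

A real `reg export` file is UTF-16 encoded, so decode it before passing the text to `audit`.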

3. Patch applications

What does this mean?

Patching means fixing any security flaws that have the potential to be exploited or are actively being exploited by cyber criminals. Applications are patched by installing updates and security fixes. Best practice for these is to install them within 48 hours of release, and replace or update any applications which aren’t supported any more.

How do I do this?

Set up automatic updates whenever possible and keep up to date with the latest versions. There are tools available to confirm and record the successful deployment of application and driver patches/updates.

4. User application hardening

What does this mean?

User application hardening means changing settings on individual programs such as web browsers, Microsoft Office and PDF viewers to improve security. Flash, ads and Java are popular ways for cyber criminals to install and run malicious code, so by restricting access to these you can help mitigate the risks. Many of these changes will also help to improve productivity and computer speeds, so it’s a win-win!

How do I do this?

Update your settings in your web browser (Chrome, Firefox, Safari, Internet Explorer etc) to block ads, Java and Flash on the internet – and ideally uninstall Flash, as it’s reaching end of support. Disable any non-essential features in Microsoft Office, your web browser, and PDF viewers such as Adobe Acrobat.

Mitigation strategies to limit the extent of cyber security incidents

Actions that, should an incident occur, will help to lessen the damage.

5. Restrict administrative privileges

What does this mean?

Access to systems, applications and files is limited to only those who require it to carry out their work. Treat it like you would physical security – you wouldn’t share alarm codes and house keys with all of your friends, would you?

How do I do this?

Approval for access for individual users should be granted by management when first requested and reviewed on a frequent basis (at least once a year). Don’t use admin accounts to read email and browse webpages – these could lead to malware running with administrator privileges.

6. Multi-factor authentication

What does this mean?

These days it is no longer enough to use a single password to protect your online accounts. Using 2-factor or multi-factor authentication means that you need a second piece of information beyond a password to access an account – often a verification code sent via SMS or accessed via an app. Having this in place means that if a hacker gains access to an account password they will not be able to login to the account, as they will be unable to access the extra verification code. This is one of the most effective security controls you can implement to prevent unauthorised access to computers, applications and online services.

For more info, check out our blog post here.

How do I do it?

Many of the big web service providers allow you to enable MFA for your accounts, and often encourage it. A quick search will give you instructions to enable MFA for Microsoft, Google, Apple, Yahoo, Facebook, Instagram, LinkedIn and many other services out there; alternatively view our quick guide to MFA.

7. Patch operating systems

What does this mean?

Just like patching applications before, this means fixing any security vulnerabilities and improving the operating system your device runs on (i.e. Windows, macOS, iOS or Android) by installing updates.

How do I do this?

Don’t fall into the “remind me tomorrow” cycle – set up automatic updates where possible. Best practice is to install updates within 48 hours of release, or at an absolute maximum, one month. If you’re running an OS that is no longer supported (Windows 7 & 8 and earlier or macOS 10.13 High Sierra) then look to update or replace the machine with a vendor-supported version ASAP.

To check your current OS:

  • Windows: Start button > Settings > System > About
  • Mac: Apple icon in top left corner > About This Mac
  • iOS: Settings > General > About > Version
  • Android: Settings > About Device/About Phone > Android Version/Software Information

Mitigation strategies to recover data and system availability

Actions that, should an attack happen, will help you to get back to business ASAP.

8. Daily backups

What does this mean?

Performing daily backups means you have a copy of all data from every single day – so if anything did happen, from a cyber attack to a physical disaster such as a fire, you’d be able to go back and retrieve your information and minimise your losses.

How do I do this?

Unless you’re really tech savvy or running a super simple setup, the best way to do this is to talk to an outsourced IT provider. The best practice checklist involves backups of important information, software and configuration settings at least once daily, with these stored offline, or online in a non-rewritable and non-erasable manner. You can store backups in multiple locations, to give you layers of fallbacks. These should be stored for at least three months, with restoration of backups tested frequently.

Apply the 3-2-1 rule to backups:

  • Have at least three copies of your data
  • Store the copies on two different media
  • Keep one backup copy offsite
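
The checklist and the 3-2-1 rule above, turned into a check you can run over a backup inventory. This is an added example, not part of the original article: `check_backups`, `sample_inventory` and the inventory fields are hypothetical names, the inventory is constructed, and 90 days stands in for "three months".

```python
from datetime import date, timedelta

def check_backups(copies, today, retention_days=90):
    """Return findings for an inventory of data copies (empty list = compliant).

    Each copy is a dict: name, media, offsite, primary (the live data),
    protected (offline, or online but non-rewritable and non-erasable),
    and days (dates for which a restore point exists; empty for primary).
    """
    findings = []
    backups = [c for c in copies if not c["primary"]]
    # 3-2-1 rule; the live data is counted as one of the three copies (assumption).
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    if len({c["media"] for c in copies}) < 2:
        findings.append("all copies are on the same media type")
    if not any(c["offsite"] for c in backups):
        findings.append("no backup copy is offsite")
    # Assumption: one offline/immutable backup is enough to satisfy the checklist.
    if not any(c["protected"] for c in backups):
        findings.append("no backup is offline or non-rewritable")
    points = set().union(*(c["days"] for c in backups)) if backups else set()
    if not points:
        return findings + ["no restore points recorded"]
    oldest, yesterday = min(points), today - timedelta(days=1)
    if (today - oldest).days < retention_days:
        findings.append(f"oldest restore point is {(today - oldest).days} days old, need {retention_days}")
    # Daily cadence: every day from the start of the retention window to yesterday.
    start = max(oldest, today - timedelta(days=retention_days))
    missed = [start + timedelta(days=i) for i in range((yesterday - start).days + 1)
              if start + timedelta(days=i) not in points]
    if missed:
        findings.append(f"{len(missed)} day(s) without a backup, first {missed[0]}")
    return findings

def sample_inventory(today, nas_days=100, skip=()):
    """Constructed inventory: live server, on-site NAS, off-site immutable cloud copy."""
    nas = {today - timedelta(days=i) for i in range(1, nas_days + 1)} - set(skip)
    cloud = {today - timedelta(days=i) for i in range(1, 31)} - set(skip)
    return [
        {"name": "file server", "media": "disk", "offsite": False, "primary": True, "protected": False, "days": set()},
        {"name": "NAS", "media": "disk", "offsite": False, "primary": False, "protected": False, "days": nas},
        {"name": "cloud", "media": "object storage", "offsite": True, "primary": False, "protected": True, "days": cloud},
    ]
```

The check covers copy count, media, location, protection, retention and daily cadence; it does not replace an actual restore test.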

Once you have these in place as a baseline, we recommend you work to improve each strategy to reach best practice.

If you want to learn more, further information is available via the Australian Cyber Security Centre.

Need help implementing the Essential Eight? Talk to our team today.
