The Essential Eight

You’ve no doubt heard of The Magnificent Seven, and perhaps the Hateful Eight, but what’s all the noise about the Essential Eight?

To quote directly from the Australian Cyber Security Centre’s website:

“While no set of mitigation strategies are guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.”

The Essential Eight expands on the ‘Top Four’ mitigation strategies - part of the Australian Government’s Protective Security Policy Framework - mandatory for all federal agencies since 2014.

Australian Signals Directorate (ASD) cyber security advice is published on their Australian Cyber Security Centre website, cyber.gov.au.

The Essential 8, when implemented as an integral component of an organisation’s security framework, provides assurances that cybersecurity protection is optimised to the level the ACSC deems a minimum to ensure adequate protection from cyber-attack. The guidelines provide the opportunity for SMB’s to review network infrastructure, configuration, access levels and ascertain where and whether strengthening is required.

Whilst not mentioned in the Essential 8 - staff training in cybersecurity awareness should be mandatory for all SMB’s.

The ASD’s Essential 8 mitigation strategies provide clear guidelines for SMBs, firstly to confirm if they comply currently and secondly, where they might be lacking. If an organisation’s security framework falls short, there really needs to be a high urgency put on planning and investing in ensuring cybersecurity is improved. If it’s not on the agenda - make it so! There really is no excuse any longer not to put cyber-security front and centre, it can no longer only exists within the realms if the IT team - cybersecurity needs be be a main discussion point in boardrooms across Australia.

The Essential 8 strategies

Listed below are the eight strategies as documented by the Australian Signals Directorate on their ACSC website. We’ve only listed the high level details for each, and recommend downloading the ACSC’s Essential Eight Maturity Model last updated in October, 2021.

Application control

• Application control is implemented on workstations and servers to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications, control panel applets and drivers to an organisation-approved set.

Patch applications

• Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.

Configure Microsoft Office macro settings

• Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.

User application hardening

• Web browsers do not process Java from the internet.

• Web browsers do not process web advertisements from the internet.

• Internet Explorer 11 is disabled or removed.

Restrict administrative privileges

• Requests for privileged access to systems and applications are validated when first requested.

• Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.

• Privileged users use separate privileged and unprivileged operating environments.

Patch operating systems

• Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.

Multi-factor authentication

• Multi-factor authentication is used by an organisation's users if they authenticate to their organisation’s internet-facing services.

• Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.

Regular backups

• Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.

• Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.

• Unprivileged accounts, and privileged accounts (excluding backup administrators), cannot access backups.

Contact Cyberlorian if you think you’ve been hacked or want to start a conversation about improving your cybersecurity.

Raph Tripp has worked in numerous technology roles including IT management, Operations, MSP, PMO, and as both systems and business analyst. Since 2000 he has worked in a range of industries including gaming, hospitality, managed services, healthcare, NFP and education.