Essential Eight Compliance

Overview

The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help organisations of any size protect themselves against various cyber threats.

The most effective of these mitigation strategies are commonly known as the ‘Essential Eight’. The Essential Eight is designed to protect organisations’ internet-connected networks, with a particular focus on Microsoft Windows-based environments.

The mitigation strategies that constitute the ‘Essential Eight’ are:

  1. Patch applications
  2. Patch operating systems
  3. Multi-factor authentication
  4. Restrict administrative privileges
  5. Application control
  6. Restrict Microsoft Office macros
  7. User application hardening
  8. Regular backups

Implementation

When implementing the ‘Essential Eight’, organisations should identify and plan for a target maturity level suitable for their environment. Organisations should then progressively implement each maturity level until that target is achieved.

As the mitigation strategies that constitute the ‘Essential Eight’ have been designed to complement each other, and to provide coverage of various cyber threats, organisations should plan their implementation to achieve the same maturity level across all eight mitigation strategies before moving onto higher maturity levels.

The ‘Essential Eight’ can help to mitigate the majority of cyber threats; however, no set of controls mitigates all of them, and it should be treated as a baseline rather than a complete security programme.

An ‘Essential Eight’ implementation may also need to be assessed by an independent party if required by a government directive or policy, by a regulatory authority, or as part of contractual arrangements.

Maturity levels

To assist organisations with their implementation of the ‘Essential Eight’, four maturity levels have been defined.

These are Maturity Level Zero through to Maturity Level Three. Each level is defined by the increasing level of tradecraft (i.e. tools, tactics, techniques and procedures) and targeting by threat actors that it is intended to mitigate, so a higher maturity level corresponds to protection against a more capable and more selective adversary.

Organisations need to determine the target maturity level that is appropriate for their own risk environment and the adversaries they are likely to face.

Maturity Level Zero (Ad Hoc)

If your business is currently at Maturity Level Zero, there are significant weaknesses in its overall security posture. When exploited, these weaknesses could lead to the compromise of the confidentiality of your data, or of the integrity or availability of your systems and data.

Maturity Level One (Developing)

At this level, businesses are protected against opportunistic adversaries who leverage widely available commodity tradecraft in order to gain access to, and likely control of, a system. Malicious actors at this level are looking for any victim rather than a specific victim and will opportunistically seek out common weaknesses, such as unpatched internet-facing services or accounts without multi-factor authentication.

Maturity Level Two (Managing)

If your business is currently at a maturity level two, then you are protected against more mature adversaries who are selective in their targeting and willing to invest more time and resources into their attack methods.

These malicious actors will likely employ well-known tradecraft in order to bypass the controls implemented by a target and evade detection. This includes actively targeting credentials using phishing, and employing technical and social engineering techniques to circumvent weak forms of multi-factor authentication.

Maturity Level Three (Embedding)

At this level, businesses are protected against adversaries using highly sophisticated and tailored tradecraft specific to particular targets.

It is important to understand, however, that achieving Maturity Level Three will not stop malicious actors who are willing and able to invest enough time, money and effort to compromise a target.

Some organisations will therefore need to consider additional mitigation strategies from ASD’s wider set of prioritised mitigation strategies, including but not limited to:

  • Automated dynamic analysis of email and web content run in a sandbox
  • Email content filtering
  • Web content filtering
  • Deny corporate computers direct Internet connectivity
  • Operating system generic exploit mitigation
  • Server application hardening
  • Operating system hardening
  • Antivirus software using heuristics and reputation ratings
  • Control removable storage media and connected devices
  • Block spoofed emails

An organisation can only determine its current maturity level by assessing its controls against the ASD Essential Eight Maturity Model, for example through a comprehensive Cyber Assurance Risk Rating (CARR) review or a standalone ‘Essential Eight Compliance’ review.

Essential Eight Compliance Review

Ensuring your organisation’s cybersecurity strategies align with the Australian Signals Directorate (ASD) Essential Eight provides a robust defence against cyber threats. Our ASD Essential Eight Compliance Review service is designed to help you achieve and maintain compliance, fortifying your security posture and protecting your critical assets.

Key Services:
  1. Initial Assessment:
    1. Comprehensive evaluation of your current cybersecurity measures.
    2. Detailed gap analysis to identify deviations from ASD Essential Eight requirements.
  2. Compliance Plan Development:
    1. Customised roadmap to achieve compliance based on your specific needs.
    2. Prioritised actions to address identified gaps efficiently.
  3. Policy and Procedure Review:
    1. Examination and enhancement of existing policies and procedures.
    2. Alignment with ASD Essential Eight controls and objectives.
  4. Implementation Support:
    1. Hands-on assistance to implement necessary changes.
    2. Guidance on best practices for seamless integration into existing systems.
  5. Documentation and Guidelines:
    1. Provision of clear, actionable documentation.
    2. Templates and guidelines to support ongoing compliance.
  6. Training and Awareness:
    1. Training programs to educate staff on ASD Essential Eight principles.
    2. Continuous awareness initiatives to maintain a high security culture.
  7. Ongoing Monitoring and Improvement:
    1. Regular reviews to ensure continued compliance.
    2. Continuous improvement strategies to adapt to evolving cyber threats.

Focus Areas:
  1. Application Control (Whitelisting):
    1. Ensuring only approved applications can execute.
    2. Reducing the risk of malicious software execution.
  2. Patching:
    1. Timely updates of applications, operating systems, and firmware.
    2. Minimising vulnerabilities through prompt patch management.
  3. Configuration Management:
    1. Secure configuration of systems and software.
    2. Preventing exploitation of settings and configurations.
  4. Administrative Privileges:
    1. Restriction and monitoring of administrative privileges.
    2. Minimising the potential impact of compromised accounts.
  5. Office Macros:
    1. Security controls to restrict the execution of untrusted macros.
    2. Protecting against macro-based malware attacks.
  6. User Application Hardening:
    1. Hardening user applications against exploitable vulnerabilities.
    2. Reducing attack surfaces on end-user devices.
  7. Multi-factor Authentication (MFA):
    1. Enforcing MFA so that a stolen or phished password alone is not enough to gain access.
    2. Enhancing login security for critical systems.
  8. Regular Backups:
    1. Ensuring regular, automated backups of important data.
    2. Preparing for data recovery in the event of ransomware attacks or other data loss incidents.

Expert Guidance:

Our team of cyber security specialists has extensive experience in guiding organisations through ASD Essential Eight compliance. By working with us, you’ll benefit from expert insights, tailored recommendations, and practical support to strengthen your cyber security defences and achieve compliance with the ASD.