Cyber mitigation strategies

The Australian Signals Directorate (ASD) is an intelligence agency within the Australian Government's Defence portfolio. Its two main functions are signals intelligence and information security. The ASD is also a member agency of the Australian Cyber Security Centre (ACSC), a multi-agency initiative intended to make Australian networks amongst the hardest in the world to compromise.

The ASD publishes a list of strategies to mitigate cyber security incidents. No single mitigation strategy is guaranteed to prevent an incident, so the ASD recommends that organisations implement eight of them, the 'Essential Eight', as a baseline for increasing system security.

 

The Essential Eight

These Essential Eight strategies to mitigate cyber security incidents are broken down into three sub-classifications: mitigation strategies to prevent malware delivery and execution, mitigation strategies to limit the extent of cyber security incidents, and mitigation strategies to recover data and system availability.

 

Mitigation strategies to prevent malware delivery and execution

 

Application whitelisting

Application whitelisting (called application control in current ASD guidance) ensures that only approved applications (executables, software libraries, scripts and installers) can run, so malware that reaches a system cannot execute. Attempts to run unapproved code are logged, which also helps identify attempts to execute malicious code on systems, and the control generally prevents the installation or use of unauthorised software. It does not replace patching: an approved application with an exploitable flaw is still approved.
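As an added example (not from this page or from the ASD), the following PowerShell drafts an AppLocker policy from software already installed under `C:\Program Files`, deploys it in audit mode, evaluates a file against it, and then reports what enforcement would have blocked. It assumes an elevated session on a Windows edition that ships AppLocker and that the directory scanned contains only approved software; the file and output paths are placeholders.

```powershell
# Added example, not from the original page or the ASD. Assumes an elevated
# PowerShell session on a Windows edition with AppLocker, and that
# C:\Program Files contains only software that has been reviewed and approved.

# 1. Inventory the approved software and build rules from it. Publisher rules
#    cover signed files (they survive version updates); hash rules are the
#    fallback for unsigned files. -Optimize collapses many files into one rule
#    per publisher.
$approvedDir = 'C:\Program Files'
$fileInfo = Get-AppLockerFileInformation -Directory $approvedDir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
$policy   = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation

# 2. Start in audit mode: nothing is blocked yet, but every execution that the
#    policy would have stopped is written to the event log.
foreach ($collection in $policy.RuleCollections) { $collection.EnforcementMode = 'AuditOnly' }

# 3. Keep a copy for review and apply it, merged with whatever rules already
#    exist locally (an enforced policy must also contain rules for the Windows
#    directory, the default rules in the AppLocker console, or the operating
#    system itself stops working).
$policy.ToXml() | Set-Content -Path 'C:\Temp\applocker-audit.xml' -Encoding UTF8
Set-AppLockerPolicy -PolicyObject $policy -Merge

# 4. AppLocker is inert unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Evaluate a file against the policy without executing it (placeholder path).
Test-AppLockerPolicy -PolicyObject $policy -Path 'C:\Users\alice\Downloads\invoice.exe' -User Everyone

# 6. After a period in audit mode, list what enforcement would have blocked.
#    Event 8003 = allowed only because the policy is in audit mode;
#    event 8004 = actually blocked (appears once enforcement is switched on).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    ForEach-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath } |
    Sort-Object -Unique
```

The audit-mode list is the work queue: each path is either a legitimate application that needs a rule before enforcement is switched on, or an unapproved program that should be removed. Switching the collections to `Enabled` and re-applying the policy moves from audit to enforcement, and the phased rollout described later on this page (high-risk users first) is simply applying the enforced policy to those machines first.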

 

Patch applications

A ‘patch’ is an update issued by a software vendor to fix a security flaw, so that the flaw can no longer be exploited. Applying patches promptly is critical: once a patch is released, the flaw it fixes is generally public knowledge, and attackers work from that knowledge.

The following are the recommended timeframes for applying and verifying patches, based on a risk assessment of the vulnerability each patch fixes (the clock starts when the patch is released, not when the organisation notices it):

  • extreme risk: within 48 hours of a patch being released
  • high risk: within two weeks of a patch being released
  • moderate or low risk: within one month of a patch being released

 

Configure Microsoft Office macro settings

Microsoft Office applications can execute macros to automate routine tasks. However, macros can contain malicious code resulting in unauthorised access to sensitive information as part of a targeted cyber intrusion. Organisations can adopt approaches that allow them to balance both their business and security requirements.

To manage the use of macros within an organisation, every macro created by users or third parties should be reviewed by someone independent of its developer and assessed as safe before it is approved for use. Approved macros should then be digitally signed so that Office can distinguish them from untrusted ones, and macros in documents received from the internet or by email should be blocked outright.
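As an added example (not from this page or from the ASD), the following PowerShell applies that posture through the Office policy registry values, the same values the Group Policy administrative templates write: only digitally signed macros from a trusted publisher may run, macros in files from the internet are blocked regardless, trusted locations are disabled, and the organisation's macro-signing certificate is added as the sole trusted publisher. It assumes Office 2016 or later (policy version 16.0) and the certificate path is a placeholder.

```powershell
# Added example, not from the original page or the ASD. Sets the Office macro
# policy values for the current user (for a fleet, push the same values with a
# Group Policy Object). Assumes Office 2016 or later (policy version 16.0);
# the certificate path is a placeholder for the organisation's signing cert.

$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $security = Join-Path $policyRoot "$app\Security"
    New-Item -Path $security -Force | Out-Null
    New-Item -Path (Join-Path $security 'Trusted Locations') -Force | Out-Null

    # VBAWarnings: 1 = enable all, 2 = disable with notification (the default;
    # one click re-enables them), 3 = disable except digitally signed macros,
    # 4 = disable all without notification. Value 3 lets only reviewed, signed
    # macros from trusted publishers run; use 4 where no macros are needed.
    Set-ItemProperty -Path $security -Name 'VBAWarnings' -Type DWord -Value 3

    # Always block macros in files that carry the mark-of-the-web (downloaded
    # or received by email), whatever VBAWarnings says.
    Set-ItemProperty -Path $security -Name 'BlockContentExecutionFromInternet' -Type DWord -Value 1

    # Macros in a trusted location bypass VBAWarnings entirely; disable all
    # trusted locations so a user-writable folder cannot become an allow-list.
    Set-ItemProperty -Path (Join-Path $security 'Trusted Locations') -Name 'AllLocationsDisabled' -Type DWord -Value 1

    # Deny macros programmatic access to the VBA project object model, which
    # macro malware uses to write and run further code.
    Set-ItemProperty -Path $security -Name 'AccessVBOM' -Type DWord -Value 0
}

# Trust only the organisation's code-signing certificate, i.e. the one the
# independent reviewer signs macros with after approving them.
Import-Certificate -FilePath 'C:\Temp\macro-signing.cer' -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null

# Read the values back for verification.
Get-ItemProperty -Path "$policyRoot\*\Security" |
    Select-Object @{ n = 'App'; e = { Split-Path (Split-Path $_.PSPath -Parent) -Leaf } },
                  VBAWarnings, BlockContentExecutionFromInternet, AccessVBOM
```

The review step is what makes value 3 meaningful: a signature only proves who signed the macro, not that it is safe, so the signing key should be held by the reviewer rather than by the macro's developer.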

 

User application hardening

Workstations are often targeted by adversaries using malicious web pages, malicious email attachments and removable media with malicious content in an attempt to extract sensitive information. Hardening applications on workstations is an important part of reducing this risk.

Java is particularly attractive to adversaries seeking unauthorised access to computer networks, as it is widely deployed and has a long history of exploitable security vulnerabilities; web browsers, PDF viewers and Microsoft Office are targeted for the same reasons. These applications should be hardened, for example by blocking Java and Flash content from the internet in the browser and disabling features that are not needed, without impeding important business functions.

 

Mitigation strategies to limit the extent of cyber security incidents

 

Restrict administrative privileges

Users with administrative privileges for operating systems and applications are able to make significant changes to their configuration and operation, bypass critical security settings and access sensitive information. Restricting administrative privileges limits the damage an adversary's malware can do when it runs as a user, and reduces the chance of the adversary gaining the ‘keys to the kingdom’. Privileged accounts should not be used for day-to-day activities such as reading email or browsing the web, and the membership of privileged groups should be validated regularly.
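As an added example (not from this page or from the ASD), the following PowerShell audits the local Administrators group of a Windows workstation against an approved list, flags individual domain user accounts that have been added directly rather than through a group, checks that the built-in Administrator account is disabled, and can remove unapproved members. It assumes an elevated session; the approved names are placeholders.

```powershell
# Added example, not from the original page or the ASD. Assumes an elevated
# session on a domain-joined or standalone Windows host; the approved list
# passed at the bottom is a placeholder.

function Get-AdminAudit {
    param(
        [Parameter(Mandatory)] [string[]] $Approved,   # e.g. 'CONTOSO\Workstation Admins'
        [switch] $Remediate                             # remove unapproved members
    )
    # The built-in Administrator (RID 500) cannot be removed from the group and
    # is handled separately below.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }

    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        if ($member.SID.Value -eq $builtin.SID.Value) { continue }

        $ok = $Approved -contains $member.Name
        # A domain user added directly is a red flag even if someone approved it:
        # membership should come through a group so it can be reviewed centrally.
        if ($member.ObjectClass -eq 'User' -and $member.PrincipalSource -eq 'ActiveDirectory') { $ok = $false }

        $action = ''
        if (-not $ok) {
            $action = 'Flag'
            if ($Remediate) {
                Remove-LocalGroupMember -Group 'Administrators' -Member $member.Name
                $action = 'Removed'
            }
        }
        [pscustomobject]@{
            Member   = $member.Name
            Type     = $member.ObjectClass      # User or Group
            Source   = $member.PrincipalSource  # Local, ActiveDirectory, AzureAD
            Approved = $ok
            Action   = $action
        }
    }

    # The built-in account is a well-known target; it should be disabled
    # (or at minimum renamed and given a unique password per host).
    $builtinAction = ''
    if ($builtin.Enabled) { $builtinAction = 'Disable' }
    [pscustomobject]@{
        Member   = $builtin.Name
        Type     = 'BuiltinAdministrator'
        Source   = 'Local'
        Approved = -not $builtin.Enabled
        Action   = $builtinAction
    }
}

# Report only (placeholder approved list); add -Remediate to act on findings.
Get-AdminAudit -Approved 'CONTOSO\Workstation Admins', 'CONTOSO\Domain Admins' | Format-Table -AutoSize
```

Run it as a scheduled task and collect the output centrally: drift in the Administrators group (a user "temporarily" added to install something) is exactly what this strategy is meant to catch, and it is invisible without a periodic check.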

 

Patch operating systems

Alongside patching applications, the Essential Eight requires that operating systems (including those of network devices) with ‘extreme risk’ vulnerabilities be patched, or otherwise mitigated, within 48 hours. The latest operating system version should be used, and versions the vendor no longer supports, and therefore no longer patches, should not be used.
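As an added example (not from this page or from the ASD) covering both patching strategies, the following PowerShell measures a Windows host against the timeframes above: given a patch's release date and the organisation's own risk rating of the vulnerability it fixes, it computes the deadline and reports whether the update is installed, due or overdue, and separately reports the OS version and how long it has been since any update was installed. The KB number and date at the bottom are placeholders, not a real advisory.

```powershell
# Added example, not from the original page or the ASD. Get-HotFix reads the
# Windows update history (Win32_QuickFixEngineering); it covers operating
# system updates only, so application patches must be checked through their
# own vendors' channels.

function Get-PatchDeadline {
    param(
        [Parameter(Mandatory)] [datetime] $Released,
        [Parameter(Mandatory)] [ValidateSet('Extreme', 'High', 'Moderate', 'Low')] [string] $Risk
    )
    # The clock starts when the vendor releases the patch, not when you notice it.
    switch ($Risk) {
        'Extreme' { return $Released.AddHours(48) }
        'High'    { return $Released.AddDays(14) }
        default   { return $Released.AddMonths(1) }
    }
}

function Test-PatchCompliance {
    param(
        [Parameter(Mandatory)] [string]   $KB,        # KB number from the vendor advisory
        [Parameter(Mandatory)] [datetime] $Released,
        [Parameter(Mandatory)] [string]   $Risk
    )
    $deadline  = Get-PatchDeadline -Released $Released -Risk $Risk
    $installed = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
    $status = 'Due'
    if ($installed) { $status = 'Applied' }
    elseif ((Get-Date) -gt $deadline) { $status = 'OVERDUE' }
    [pscustomobject]@{
        KB        = $KB
        Risk      = $Risk
        Released  = $Released
        Deadline  = $deadline
        Installed = $installed
        Status    = $status
    }
}

function Get-OsPatchState {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Some entries have no InstalledOn; ignore those when finding the newest.
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        OS              = $os.Caption
        Build           = "$($os.Version) $($ver.DisplayVersion)"   # check Build against the vendor's support lifecycle
        LastUpdate      = $last.HotFixID
        LastUpdateDate  = $last.InstalledOn
        # More than about 30 days means even the monthly cumulative update is
        # outside the 'moderate or low' window.
        DaysSinceUpdate = [int]((Get-Date) - $last.InstalledOn).TotalDays
    }
}

Get-OsPatchState
# Placeholder values: substitute the KB and release date from the vendor advisory.
Test-PatchCompliance -KB 'KB0000000' -Released '2024-01-09' -Risk 'Extreme'
```

The risk rating is an input, not something the script can derive: it comes from the organisation's assessment of the vulnerability (exposure of the system, whether an exploit is public, what the system holds), which is the risk assessment the timeframes above refer to.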

 

Multi-factor authentication

Multi-factor authentication makes a stolen password insufficient on its own: an adversary who has obtained a user's credential still cannot use it to access a device, a network or the sensitive information on it, and so cannot use that credential to move further through the network. The Australian Cyber Security Centre (ACSC) recommends multi-factor authentication for users of remote access solutions, users performing privileged actions, and users accessing sensitive information.

 

Mitigation strategies to recover data and system availability

 

Daily backups

Important new or changed data, software and configuration settings should be backed up daily, so that information can be restored after a cyber security incident (e.g. a ransomware attack). Backups should be stored disconnected from the network, since ransomware encrypts any backup it can reach, retained for at least three months, and restoration should be tested, initially and at intervals thereafter: a backup that has never been restored is an assumption, not a control.
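As an added example (not from this page or from the ASD), the following PowerShell implements a daily backup job of that kind for a Windows host: it mirrors a set of directories into a dated folder on a separate volume, writes a SHA256 manifest so that a restore can be verified, prunes copies older than the retention window, and registers itself to run daily. The paths, volume and schedule are placeholders.

```powershell
# Added example, not from the original page or the ASD. Paths are placeholders;
# the destination is assumed to be an absolute path on a volume that is
# disconnected (unmounted, ejected or powered off) between runs.

function Invoke-DailyBackup {
    param(
        [Parameter(Mandatory)] [string[]] $Source,       # directories to protect
        [Parameter(Mandatory)] [string]   $Destination,  # e.g. 'E:\Backups'
        [int] $RetainDays = 90                           # at least three months
    )
    $target = Join-Path $Destination (Get-Date -Format 'yyyy-MM-dd')
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    foreach ($src in $Source) {
        $dest = Join-Path $target (Split-Path $src -Leaf)
        # /MIR mirrors the tree; /R:2 /W:5 limits retries on locked files;
        # /NP /NFL /NDL keep the log to errors and the summary.
        robocopy $src $dest /MIR /R:2 /W:5 /NP /NFL /NDL /LOG+:"$target\robocopy.log" | Out-Null
        # robocopy exit codes below 8 are success variants; 8 and above mean files were missed.
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed for $src (exit code $LASTEXITCODE)" }
    }

    # Manifest of every file's hash, relative to the backup folder, so a later
    # restore can be checked for completeness and tampering.
    Get-ChildItem -Path $target -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { '{0}  {1}' -f $_.Hash, $_.Path.Substring($target.Length + 1) } |
        Set-Content -Path (Join-Path $target 'manifest.sha256')

    # Retention: remove dated folders older than the window.
    Get-ChildItem -Path $Destination -Directory |
        Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}$' -and $_.CreationTime -lt (Get-Date).AddDays(-$RetainDays) } |
        Remove-Item -Recurse -Force

    return $target
}

# Restore test: re-hash every file listed in the manifest and report mismatches.
function Test-BackupIntegrity {
    param([Parameter(Mandatory)] [string] $BackupFolder)
    $bad = 0
    foreach ($line in Get-Content (Join-Path $BackupFolder 'manifest.sha256')) {
        $expected, $relative = $line -split '  ', 2
        $file = Join-Path $BackupFolder $relative
        if (-not (Test-Path $file) -or (Get-FileHash -Algorithm SHA256 -Path $file).Hash -ne $expected) {
            $bad++
            Write-Warning "Backup integrity failure: $relative"
        }
    }
    return ($bad -eq 0)
}

# Run once now, verify, then schedule the same job daily at 02:00 as SYSTEM.
$folder = Invoke-DailyBackup -Source 'C:\Data', 'C:\Config' -Destination 'E:\Backups'
Test-BackupIntegrity -BackupFolder $folder

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -File C:\Scripts\DailyBackup.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At 2am
Register-ScheduledTask -TaskName 'DailyBackup' -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest
```

The manifest only proves the copy matched at backup time; the restoration test the strategy calls for is restoring a dated folder onto a clean machine and confirming the applications work with it. A destination the workstation can write to at any time is not a safe backup: ransomware running as that user will encrypt it along with everything else, which is why the volume should be disconnected between runs.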

 

Conclusion

With the increasing prevalence of cybercrime, it is important for organisations to be proactive in mitigating potential cyber threats. The Essential Eight provides a baseline of mitigation strategies which can help organisations to secure their systems.

Strategies may be implemented to an initial level, increasing the maturity of their implementation over time. For example, if it were initially too cumbersome to implement application whitelisting across the entire organisation, initial implementation could at least be conducted on workstations of high-risk users, such as senior managers and their staff, system administrators, and staff members from human resources, sales, marketing, finance and legal areas.

Nyman Gibson Miralis provides expert advice and representation in complex international cybercrime investigations.

Contact us if you require assistance.