In July 2021 the Australian Cyber Security Centre (ACSC) updated its Essential Eight (8) Maturity Model so that each maturity level is defined by the sophistication of the adversary it is designed to counter, rather than simply by the intent of each mitigation strategy.
The ACSC asserts that the maturity model is focused on "Windows-based internet-connected networks", and while it could be applied to other environments, other "mitigation strategies may be more appropriate".
Essential 8 Key Governance Changes:
- Moving to a stronger risk-based approach to implementation.
- Implementing the mitigation strategies as a package. Organisations should fully achieve a maturity level across all eight mitigation strategies before moving to achieve a higher maturity level.
- Redefining the number of maturity levels and what they represent.
The following are the key high-level changes made within the updated Essential 8.
1. Maturity model moving to a stronger risk-based approach to implementation.
- The ACSC acknowledged that organisations can be unfairly criticised for not strictly complying with the Essential Eight, even though they have strong cyber security practices and mature risk management processes.
- The ACSC has updated the supporting guidance for the maturity model to note that while full implementation is ideal, there will be circumstances (such as legacy systems and technical debt) that may prevent this, and in such cases, risk management processes may adequately address this.
2. How can the mitigation strategies be implemented as a package?
- Organisations have traditionally been assessed on each of the eight mitigation strategies individually. This resulted in eight maturity level ratings for each organisation. The previous approach was seen as potentially leading to a false sense of security. This was most noticeable when resources were used implementing Maturity Level Three for a few mitigation strategies (such as the Top Four) while other mitigation strategies were not addressed or addressed at a lower maturity level.
- Organisations are now advised to achieve a consistent maturity level across all eight mitigation strategies before moving onto a higher maturity level.
- Achieving a maturity level as a package will provide a more secure baseline than achieving higher maturity levels in a few mitigation strategies to the detriment of others. This is due to the Essential Eight being designed to complement each other and to provide broad coverage of various cyber threats.
3. Redefining the number of maturity levels and what they represent
Many of the details have changed: the requirements are now more specific, and the recommended timeframes have been shortened. The following are the key technical changes:
- Maturity level zero has been reintroduced, as organisations may fail to achieve Maturity Level One.
- Under application control, maturity level one calls for "execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications, and control panel applets" to be prevented on workstations within user profiles and temp folders. Maturity level two extends this to internet-facing servers and requires executables to be whitelisted. At level three, the restrictions cover all servers, drivers are whitelisted as well, Microsoft's block rules are applied, and the whitelist is validated.
- For patching applications, the level one recommendation now shortens the deadline for patching applications on internet-facing servers to two weeks, or 48 hours if an exploit exists; for workstation software, the deadline is a month. The ACSC also recommends running vulnerability scanners daily on internet-facing servers and fortnightly elsewhere. "Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed," the level one recommendation states. At level two, the workstation application patch deadline drops to two weeks, while all other updates get a month-long deadline. Also at level two, vulnerability scanning should occur at least weekly on workstations and fortnightly for all other parts of the network. At the highest level, any unsupported application is removed, and the workstation patching deadline drops to 48 hours if an exploit exists.
- Patching for operating systems has the same timelines and recommendations for vulnerability scanning, with the inclusion at level three of only using the latest, or immediately previous release, of a supported operating system.
- For Microsoft Office macros, the ACSC now recommends that macros are disabled for users without a business case, macros in downloaded files are blocked, antivirus solutions scan macros, and users are prevented from changing macro security settings. Level two adds blocking macros from making Win32 API calls and logging attempted macro executions. At level three, macros must run from within a sandbox or a trusted location, and must be validated and digitally signed by trusted publishers drawn from a list that is reviewed at least annually.
- Under application hardening, in addition to the previous recommendations to block ads and Java in browsers, the ACSC adds that users cannot change browser security settings and Internet Explorer 11 cannot process content from the internet. Level two introduces three attack surface reduction rules related to Microsoft Office and one related to PDF software, while also blocking the creation of executables, code injection into other processes, and the activation of OLE packages. Blocked PowerShell script executions must be centrally logged, and Office and PDF software security settings cannot be changed by users. At level three, Internet Explorer 11, .NET Framework 3.5 and lower, and PowerShell 2.0 are disabled or removed. PowerShell could also be configured to use Constrained Language Mode, the ACSC states.
- Under restrict administrative privileges, the guide now says privileged accounts, except for privileged service accounts, should be prevented from accessing the internet and should operate only in a privileged environment that does not allow unprivileged accounts to log on. At level two, access to privileged systems is disabled after a year unless reauthorised, and is removed after 45 days of inactivity. The ACSC adds that privileged environments cannot be virtualised within unprivileged systems, administrative activities should go through jump servers, use of and changes to privileged accounts should be logged, and credentials must be unique and managed. At level three, the exception for privileged service accounts is removed, just-in-time administration is used, privileged access is restricted to only what users need, and Windows Defender Credential Guard and Windows Defender Remote Credential Guard are used.
- Multi-factor authentication (MFA) is recommended on third-party services that use an organisation's data, and on an entity's internet-facing servers. This increases to recommending MFA for privileged users and logging all MFA interactions at level two; for level three, it is expanded to include "important data repositories" and ensuring MFA is "verifier impersonation resistant".
- Regarding backups, the prior monthly recommendation is dropped in favour of "a coordinated and resilient manner in accordance with business continuity requirements", and timeframes for testing recovery from backup and holding backup data are dropped. Added as a recommendation is ensuring unprivileged users have read-only access to their own backups. At level two, the read-only access is extended to privileged users. At level three, only backup administrators can read backups, and only "backup break glass accounts" can modify or delete backups.
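As an added example that is not part of the original post or of ACSC guidance, the patching timeframes described above for applications and operating systems can be expressed as a small compliance check: given an inventory of pending patches, it reports which hosts have exceeded the deadline at each maturity level and the highest level the inventory still meets. The hosts, dates, the 30-day reading of "a month" and the assumption that level three keeps the level two two-week baseline are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Deadline table in hours, keyed by (maturity level, asset class, exploit known),
# built from the timeframes quoted in the post. "A month" is taken as 30 days
# and ML3 is assumed to keep the ML2 two-week baseline; both are assumptions.
DEADLINES_H = {
    (1, "internet_facing", False): 14 * 24,
    (1, "internet_facing", True): 48,
    (1, "workstation", False): 30 * 24,
    (1, "workstation", True): 30 * 24,   # ML1 has no exploit shortcut for workstations
    (2, "internet_facing", False): 14 * 24,
    (2, "internet_facing", True): 48,
    (2, "workstation", False): 14 * 24,
    (2, "workstation", True): 14 * 24,   # ML2 has no exploit shortcut for workstations
    (3, "internet_facing", False): 14 * 24,
    (3, "internet_facing", True): 48,
    (3, "workstation", False): 14 * 24,  # assumed ML2 baseline carried forward
    (3, "workstation", True): 48,        # ML3: 48 hours if an exploit exists
}

@dataclass
class PendingPatch:
    host: str
    asset_class: str      # "internet_facing" or "workstation"
    released: datetime    # when the vendor published the fix
    exploit_known: bool   # whether a working exploit exists

def deadline_for(level: int, patch: PendingPatch) -> datetime:
    """Latest acceptable install time for this patch at the given maturity level."""
    hours = DEADLINES_H[(level, patch.asset_class, patch.exploit_known)]
    return patch.released + timedelta(hours=hours)

def overdue_hosts(level: int, patches, now: datetime) -> list:
    """Sorted hosts whose pending patch has passed the deadline for this level."""
    return sorted(p.host for p in patches if now > deadline_for(level, p))

def highest_level_met(patches, now: datetime) -> int:
    """Highest maturity level (0 to 3) with no overdue patch; 0 if ML1 is not met."""
    met = 0
    for candidate in (1, 2, 3):
        if overdue_hosts(candidate, patches, now):
            break
        met = candidate
    return met

# Constructed sample inventory (hostnames and dates are invented, not real systems).
NOW = datetime(2021, 8, 1)
SAMPLE = [
    PendingPatch("web-01", "internet_facing", datetime(2021, 7, 25), exploit_known=False),
    PendingPatch("vpn-01", "internet_facing", datetime(2021, 7, 31), exploit_known=True),
    PendingPatch("wks-042", "workstation", datetime(2021, 7, 10), exploit_known=False),
    PendingPatch("wks-077", "workstation", datetime(2021, 7, 28), exploit_known=True),
]
```

On the sample inventory the check reports no overdue hosts at level one, wks-042 at level two (22 days old against a two-week deadline) and both workstations at level three, so the inventory only meets maturity level one.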
To know more about the ACSC Essential Eight requirements, please visit the ACSC website.
How can Centium help you?
We have a team of ISMS experts and cybersecurity specialists who have worked with dozens of State Government agencies across NSW. We have also mapped out all related processes and requirements across Essential 8 and have developed a suite of (fully compliant) shortcuts and helpful "lessons learnt" to share with our clients. We can help you with the following:
- Undertaking an Essential 8 maturity assessment
- Reviewing/updating your ISMS so that it is risk-based, fit for purpose and aligned with the CSP
- Undertaking an ISMS independent internal audit per CSP requirements
- Conducting mock audits to identify any gaps that may prevent you from demonstrating CSP and Essential 8 improvement
- Testing your Cyber Security Incident Response Plan
- Testing your Business Continuity and ICT Recovery Plans
- Reviewing your third-party supplier arrangements
- Facilitating face-to-face and e-Learning cybersecurity sessions for staff and contractors.
For more information, please contact Dr Edward Phelps, Director Cyber Security & Resilience on 0402 111 226 or email@example.com, or Vipan Chauhan, Cyber Security Manager on 0434 896 764 or firstname.lastname@example.org.
Explore Centium's robust and proven Cyber Security and Resilience Services for small and medium Government organisations.
Our thanks to the ACSC for proactively updating Essential 8 requirements and providing us with a supporting guidance document to understand the context of these changes.