Essential 8: A practical guide
The Essential Eight (E8) is a set of eight mitigation strategies published by the Australian Signals Directorate (ASD) to help organisations defend against cyber threats. ASD regards it as the most cost-effective baseline available and as the minimum any organisation should implement; it is a starting point rather than a complete security programme.
E8 is ideal for small and medium-sized businesses because it is easier to implement and manage than other standards and compliance requirements. The E8 is relatively inexpensive to implement, and the benefits are substantial, providing an appropriate level of protection against cyber threats and reducing the possibility of a data breach.
When implementing the E8, organisations first choose a target maturity level appropriate to their environment and threat profile, then implement each strategy progressively until every strategy reaches that level. The maturity model defines four levels. Maturity Level Zero indicates weaknesses that an adversary could readily exploit; the three target levels are:
- Maturity Level One: protects against adversaries using commodity tools and tradecraft that are widely available
- Maturity Level Two: protects against moderately capable adversaries who invest more time and effort in a specific target
- Maturity Level Three: protects against sophisticated, adaptive adversaries and their tradecraft
Note that the guidance below is aimed at reaching a lower maturity level (typically Maturity Level One); the higher levels add stricter requirements for each strategy.
The controls for E8 are as follows:
1. Application Allowlisting
Application allowlisting (which the ASD model calls application control) permits only approved executables, scripts, installers and libraries to run and blocks everything else. Its primary advantage over antivirus is that it does not need to recognise the malware: malware authors constantly produce new strains, and signature-based tools can lag behind, but an allowlist blocks an unknown program simply because it is not on the list. An attacker who packages malware to look like a legitimate tool or game still cannot run it on an allowlisted system.
Cybra can help you achieve this by working with you to:
- Identify every application the business actually needs, by inventorying what is installed and used rather than what is assumed.
- Create an allowlist of approved programs and configure the allowlisting solution so that only those programs can run. Prefer publisher (code-signing) rules over file hashes where possible, as hash rules break every time an application is patched.
- Test the allowlist in audit mode before enforcing it, so that legitimate programs are not blocked on day one.
- Establish a schedule for reviewing and updating the allowlist, and a process for adding newly approved applications.
- Use the allowlisting built into Windows, AppLocker or Windows Defender Application Control (WDAC), deployed through Group Policy Objects (GPOs). This requires no additional licensing and can be managed with standard Windows tooling.
- Determine whether a third-party allowlisting solution is a better fit for your organisation. These typically add centralised management, automatic rule updates and alerts when an unapproved program is seen on a system.
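One concrete way to carry out the build, audit, then enforce sequence above on Windows is with the AppLocker cmdlets that ship with the operating system. The script below is an added example, not Cybra's tooling and not part of the original page; the output path, the test file and the user name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Cybra's own tooling: build a baseline AppLocker policy from the
# software already installed on a clean reference machine, apply it locally in audit
# mode, test a file against it, and review what would have been blocked.
# The output path, test file and user name below are assumptions.
Import-Module AppLocker

$policyPath = 'C:\Baseline\AppLocker-Audit.xml'
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Inventory executables, installers and scripts in the standard program folders.
#    These folders are writable only by administrators, unlike Downloads or %TEMP%.
$fileInfo = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, WindowsInstaller, Script
}

# 2. Generate rules: publisher rules where a file is signed (they survive patching),
#    hash rules as the fallback for unsigned files. -Optimize merges duplicates.
[xml]$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Start in audit mode: nothing is blocked, but event 8003 records what would have been.
foreach ($collection in $policyXml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyXml.Save($policyPath)

# 4. The Application Identity service must be running for AppLocker to evaluate anything.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply to the local machine. On a domain, pass -Ldap with the GPO's distinguished name instead.
Set-AppLockerPolicy -XmlPolicy $policyPath

# 5. Check a specific file as a specific user before enforcing (assumed file and user).
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\alice\Downloads\tool.exe' -User 'CORP\alice' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 6. After some time in audit mode, list what would have been blocked (event ID 8003).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run the inventory step on a freshly built reference machine, not on a workstation that may already be compromised, otherwise the attacker's tools end up on the allowlist. Leave audit mode in place long enough to cover monthly and quarterly business processes, then change EnforcementMode to Enabled and redeploy.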
2. Patching Applications
Application patching means keeping all software up to date with the latest security updates. Vendors release patches for known vulnerabilities on a regular basis, and attackers routinely exploit those vulnerabilities, often within days of a patch being published, to gain unauthorised access, steal sensitive information or deploy malware. Applying patches promptly closes the hole and shrinks the window in which a known flaw can be used against you. The E8 maturity model sets explicit timeframes for this, down to 48 hours where a working exploit exists, so "regularly" has to be measured against a deadline rather than left to chance.
Patching applications is also important because it can assist organisations in meeting various regulations and standards. Many regulations and standards, such as HIPAA and PCI-DSS, require organisations to apply security patches in a timely manner in order to protect sensitive information.
There are several approaches that Cybra recommends to satisfy this control. Some solutions include:
- Automated Patch Management Systems: these download and install security patches on a schedule without manual intervention, which is the only realistic way to meet the E8 timeframes across a fleet of machines.
- Manual Patching: staff check for updates and download and install patches themselves. This is workable for a very small number of systems but does not scale, and it tends to miss the deadlines the maturity model sets.
- Third-Party Patch Management Solutions: dedicated products that also cover applications Windows Update does not, such as browsers, PDF readers and Java, and report which machines are still missing a patch.
- Cloud-based Patch Management: hosted services that manage patching of systems spread across multiple locations from a single console, without the machines needing to be on the corporate network.
3. Patching Operating Systems
Operating system patching keeps the underlying operating system up to date with the latest security updates. Its primary purpose is to fix known vulnerabilities in the kernel, system services and bundled components that attackers use to gain unauthorised access, steal data or install malware. Because new flaws are found constantly, keeping the OS current also brings in the newest security features and exploit mitigations the vendor ships.
There are numerous solutions available for patching operating systems; Cybra recommends:
- Windows Update: Windows includes a built-in update client that patches the operating system and, when the machine is opted into Microsoft Update, other Microsoft products such as Office. Windows Server Update Services (WSUS) or Intune can control which updates are approved and when they are installed.
- Third-Party Patch Management Systems: Several third-party software solutions provide automated patch management capabilities. These solutions typically include centralised management, automatic updates, and alerts when a new patch is available.
- Cloud-based Solutions: Cloud-based solutions can patch virtual machines and servers in a cloud environment. This can provide an easy way to ensure that systems running in the cloud are up to date with the latest patches without needing manual intervention.
Patching applications and operating systems requires planning and testing before changes reach production, but testing must not become an excuse for missing the deadline: a short pilot group followed by broad deployment is the usual compromise. Review and update the patching schedule regularly so that every system is covered and business operations are not disrupted. Work with a professional to design a patching schedule, testing process and exception handling tailored to your environment.
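The following script is an added example covering both the application and operating system patching strategies above; it is not Cybra's tooling and not part of the original page. It asks the Windows Update agent which updates are still missing on the local machine and flags any older than a deadline. The 14-day deadline is an assumption; set it to the timeframe for your target maturity level.

```powershell
# Added example, not Cybra's own tooling: list updates the Windows Update agent reports
# as still missing on this machine and flag those past a patching deadline.
# The 14-day deadline is an assumption; use the timeframe for your target maturity level.
$deadlineDays = 14

# Opt the machine into Microsoft Update so Office and other Microsoft applications are
# reported as well as the OS. The GUID is Microsoft Update's published service ID.
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
$serviceManager.AddService2('7971f918-a847-4430-9279-4a52d1efe18d', 7, '') | Out-Null

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# Software updates that are neither installed nor hidden by an administrator.
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$report = foreach ($update in $result.Updates) {
    $ageDays = ((Get-Date) - $update.LastDeploymentChangeTime).TotalDays
    [pscustomobject]@{
        KB       = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Title    = $update.Title
        Severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'n/a' }
        Released = $update.LastDeploymentChangeTime.ToString('yyyy-MM-dd')
        AgeDays  = [math]::Round($ageDays)
        Overdue  = $ageDays -gt $deadlineDays
    }
}

$report | Sort-Object Overdue, AgeDays -Descending | Format-Table -AutoSize
$overdue = @($report | Where-Object Overdue)
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) update(s) are past the $deadlineDays-day deadline"
}

# Cross-check against what is already installed.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, Description, InstalledOn
```

Two caveats: the age is measured from the update's release, which is how the E8 timeframes are counted, and only products served through Windows and Microsoft Update appear here. Browsers, PDF readers, Java and other third-party software need their own update mechanism or a patch management tool, and should be checked the same way.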
4. Configuring Microsoft Office Macro Settings
Configuring Microsoft Office macro settings is an important strategy for stopping malware delivered through malicious macros. Macros are small programs, written in Visual Basic for Applications (VBA), that automate tasks inside Office applications. Attackers embed malicious macros in documents that look legitimate, such as invoices or résumés, and rely on the recipient clicking "Enable Content" when the file is opened. Disabling macros, or allowing only those from trusted sources (signed by a trusted publisher or stored in a trusted location) and blocking any macro in a file that came from the internet, greatly reduces this risk.
To satisfy this control, Cybra recommends:
- Disable macros in Microsoft Office: This can be done by going to the Trust Center in Microsoft Office and disabling the option to run macros. This will prevent any macro from running, even legitimate ones.
- Configure macros to only run from trusted sources: This can be done by going to the Trust Center in Microsoft Office and configuring the macro settings to only run macros from trusted sources. This will only allow macros signed by a trusted publisher or located in a trusted location to run.
- Use Group Policy Objects (GPOs) to configure macro settings: GPOs can configure macro settings across multiple systems in an organisation. This can be useful for organisations with multiple users or systems needing the same macro settings.
- Third-Party Macro Security Solutions: several third-party products inspect documents and their macros before they reach users, with centralised management and alerting when a macro-bearing document arrives. These complement, rather than replace, the Office settings above.
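The script below is an added example, not Cybra's tooling or part of the original page. It writes the Office policy registry values that correspond to the Trust Center settings above for Word, Excel and PowerPoint, then reads them back to check compliance. Writing these keys locally mirrors what the Office Group Policy templates do; on a domain, deploy the same values through a GPO so that users cannot undo them. The Office version key "16.0" is an assumption for current Office builds.

```powershell
# Added example, not Cybra's own tooling: set and audit the Office macro policy for the
# current user. HKCU\Software\Policies is the location Group Policy writes to, so these
# values take precedence over anything the user picks in the Trust Center.
$apps = 'Word', 'Excel', 'PowerPoint'
$ver  = '16.0'   # assumption: Office 2016/2019/2021/Microsoft 365 all use this version key

# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable except digitally signed, 4 = disable all without notification
$desired = @{
    VBAWarnings                       = 3   # only signed macros run; use 4 to block every macro
    blockcontentexecutionfrominternet = 1   # block macros in files carrying the Mark of the Web
}

function Set-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
        New-Item -Path $key -Force | Out-Null
        foreach ($name in $desired.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $desired[$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $key    = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
        $actual = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $desired.Keys) {
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Expected  = $desired[$name]
                Actual    = $actual.$name
                Compliant = ($actual.$name -eq $desired[$name])
            }
        }
    }
}

Set-OfficeMacroPolicy
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Run the Test function on its own across a sample of machines to find users whose settings have drifted. Audit the trusted locations each application has configured as well, since a macro opened from a trusted location bypasses these settings entirely.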
5. User Application Hardening
Many user-facing applications, web browsers, PDF readers and Office in particular, contain known flaws and legacy features that attackers exploit to gain a foothold on a system. Application hardening makes exploitation harder by disabling features and protocols the organisation does not need (for example Java in the browser, web advertisements and legacy Internet Explorer) and by preventing applications from doing things they should never need to do, such as an Office program or PDF reader launching another process.
Cybra recommends the following solutions for implementing user application hardening:
- Hardening baselines: use published hardening guidance, such as ASD's own hardening guides for Office and web browsers or vendor security baselines, to decide which features and protocols to disable and which settings to enforce through Group Policy.
- Security Configuration Management: tooling that compares each system's configuration against the baseline, reports drift and remediates it, so that hardening survives rebuilds and user changes.
- Penetration Testing: regular testing shows which remaining weaknesses an attacker could actually use and produces specific hardening recommendations for your applications.
- Code Review: for applications developed in-house, reviewing the code identifies vulnerabilities that configuration alone cannot fix.
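As an added example of the "prevent applications from doing things they should never need to do" point above, the script below enables a set of Microsoft Defender attack surface reduction (ASR) rules that stop Office and Adobe Reader from spawning child processes, writing executable content or calling Win32 APIs from macros. It is not Cybra's tooling or part of the original page. The rule GUIDs are Microsoft's published ASR rule identifiers; the rules start in audit mode so you can see what they would block before enforcing them.

```powershell
#Requires -RunAsAdministrator
# Added example, not Cybra's own tooling: enable Defender ASR rules that harden Office
# and Adobe Reader, in audit mode first. GUIDs are Microsoft's published rule IDs.
$rules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-5D3C-4F3A-8E27-D0A0C3E3B4A5' = 'Block Win32 API calls from Office macros'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}
$mode = 'AuditMode'   # change to 'Enabled' once the audit events show no legitimate use

$ids = @($rules.Keys)
# One action per rule ID; the arrays are matched by position.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions (@($mode) * $ids.Count)

# Verify what is now configured. Action codes: 0 Disabled, 1 Enabled, 2 AuditMode, 6 Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    [pscustomobject]@{
        Rule   = if ($rules.Contains($id)) { $rules[$id] } else { $id }
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

# Review ASR events: 1121 = blocked, 1122 = audited (would have been blocked).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Expect some noise from line-of-business add-ins and macros that legitimately launch helpers; the audit events name the parent and child process, which is what you need to decide whether to exclude a path or fix the workflow before switching the rule to Enabled.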
6. Restricting Administrative Privileges
Restricting administrative privileges reduces the damage an attacker can do with a compromised account and limits opportunities for privilege escalation, where a malicious actor who has gained limited access to a system uses it to obtain higher-level rights. Keeping the number of users with administrative access small, giving administrators separate accounts for privileged work, and ensuring those privileged accounts are never used for email or web browsing prevents unauthorised access to sensitive data and ensures that only trusted individuals can perform privileged actions.
Cybra recommends the following solutions for implementing restrictions on administrative privileges:
- Group Policy Objects (GPOs): GPOs can limit the number of users with administrative access to Windows systems. This solution is built into the Windows operating system and is easy to set up and manage.
- Role-Based Access Control (RBAC): RBAC is a method of restricting access to a system based on the roles of users. This can be used to limit the number of users who have administrative access by assigning roles with different levels of privileges. This solution can be implemented through software such as Active Directory or other identity management systems.
- Third-Party Privilege Management Solutions: privileged access management (PAM) products vault and rotate administrative credentials, grant elevated rights just in time and alert when a new account gains privileged access. Examples include BeyondTrust, CyberArk and Thycotic (now Delinea).
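The "alert when a new account gains privileged access" check above can be done with nothing more than the PowerShell that ships with Windows. The script below is an added example, not Cybra's tooling or part of the original page; it compares the members of the local Administrators group with an approved list and reports anything unexpected. The approved names are placeholders, and the Active Directory variant in the comment needs the RSAT ActiveDirectory module.

```powershell
# Added example, not Cybra's own tooling: report members of the local Administrators
# group that are not on the approved list. The approved principals are placeholders.
$approved = @(
    'CORP\Domain Admins',              # assumption: tier-0 group that must remain
    'CORP\WS-LocalAdmins',             # assumption: delegated workstation admin group
    "$env:COMPUTERNAME\Administrator"  # built-in local administrator
)

function Get-LocalAdminReport {
    param([string[]]$Approved)
    foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
        [pscustomobject]@{
            Name        = $member.Name
            ObjectClass = $member.ObjectClass      # User or Group
            Source      = $member.PrincipalSource  # Local, ActiveDirectory, AzureAD
            Approved    = $Approved -contains $member.Name
        }
    }
}

$report     = Get-LocalAdminReport -Approved $approved
$unexpected = @($report | Where-Object { -not $_.Approved })

$report | Format-Table -AutoSize
if ($unexpected.Count -gt 0) {
    Write-Warning "Unapproved members of Administrators: $($unexpected.Name -join ', ')"
    # After review, remove them:
    # Remove-LocalGroupMember -Group 'Administrators' -Member $unexpected.Name
}

# Domain equivalent (requires the RSAT ActiveDirectory module):
# Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object SamAccountName, objectClass
```

Schedule this to run on every workstation and server and ship the warning to your logging platform; a new name appearing in Administrators is one of the clearest signals that a privilege escalation has already happened.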
7. Multi-factor Authentication
MFA is a critical strategy for preventing unauthorised access to sensitive information and systems. It requires users to present more than one factor, something they know (a password), something they have (a token or phone) or something they are (a fingerprint or face), before access is granted. Passwords are often weak, reused across services or stolen in breaches, and attackers log in with stolen credentials every day; requiring a second factor means a password on its own is not enough.
MFA also blunts phishing. Phishing tricks users into handing attackers their passwords, and a second factor stops a stolen password from being used alone. Be aware, though, that not all MFA resists phishing equally: one-time codes sent by SMS or generated by an app can be relayed in real time by a proxy site, whereas FIDO2 security keys, passkeys and smart cards bind the login to the genuine site. The E8 maturity model increasingly calls for phishing-resistant MFA at the higher maturity levels.
Multi-factor authentication solutions are compatible with a wide range of systems, including remote access, email, and cloud-based services. It is critical to consider your organisation’s requirements and the type of MFA solution that would be the best fit.
There are several approaches that Cybra recommends to satisfy this control. Some solutions include:
- Two-Factor Authentication (2FA): This is the most common form of MFA, and it involves using something the user knows (e.g. a password) and something the user has (e.g. a token or a smartphone) to authenticate.
- Smartcard: a physical card containing a cryptographic chip that holds the user's private key and certificate. The card is inserted into a reader, or tapped against a contactless reader, and the user enters a PIN; because the key never leaves the chip, the credential cannot be phished or replayed.
- Biometric Authentication: Biometric authentication involves using a user’s unique physical characteristics, such as fingerprints or facial recognition, to authenticate. This can be done through a fingerprint scanner or a webcam.
- One-Time Passwords (OTP): OTP involves generating a temporary password, usually through an app or a hardware token, that can only be used once. This password can be used in addition to a standard password to authenticate.
8. Daily Backups
Keeping daily backups of critical data is an important defence strategy against malicious actors. This strategy allows businesses to recover their data in the event of a cyber attack, such as ransomware or data breaches, which can severely harm and disrupt business operations. Organisations that maintain regular backups of their data can restore it to its pre-attack state, minimising the impact of the attack.
Another reason that daily backups are important is that they provide a way to recover data in the event of other types of data loss, such as hardware failure or human error. Companies that keep regular backups of their data can restore it to its pre-loss state, minimising the impact of the loss.
To satisfy this control, Cybra recommends:
- Cloud Backup Services: cloud platforms such as Amazon Web Services (AWS) and Microsoft Azure offer managed backup services (AWS Backup, Azure Backup) that copy data to an off-site location, protecting against physical loss of the primary site. Configure them so that backup copies cannot be modified or deleted by ordinary user or administrator accounts; otherwise ransomware that obtains those credentials will destroy the backups along with the data.
- On-Premise Backup Software: There are a number of backup software solutions that can be installed on-premise to create regular backups of confidential data. These solutions typically include scheduling, compression, and encryption features to help protect the backups.
- Tape Backup: Tape backup is a traditional method of creating backups of important data. This method is still widely used, especially by organisations with large amounts of data to back up. Tape backups are cost-effective, reliable and have a long shelf life.
- Hybrid Backup: Hybrid Backup is a method that combines on-premise and cloud backup solutions. This method allows organisations to keep a copy of the backup on-premise for quick recovery while also keeping a copy in the cloud for long-term storage and off-site protection.
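Whichever of the options above is used, a backup that has never been restored is an assumption, not a control. The script below is an added example, not Cybra's tooling or part of the original page: it backs up a folder to a dated archive, writes a SHA-256 manifest of every file, then proves the archive restores correctly by extracting it to a scratch location and re-hashing the result. The source and destination paths are assumptions.

```powershell
# Added example, not Cybra's own tooling: back up a folder, record file hashes, and
# verify that the archive restores byte-for-byte. Paths are assumptions.
$source   = 'C:\Data\Finance'
$dest     = 'E:\Backups'   # assumption: a volume the backup job can write to but users cannot
$stamp    = Get-Date -Format 'yyyyMMdd-HHmm'
$archive  = Join-Path $dest "Finance-$stamp.zip"
$manifest = "$archive.sha256.csv"

# Relative path and SHA-256 of every file under a root folder.
function New-HashManifest {
    param([string]$Root)
    $prefixLength = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($prefixLength)
            Hash         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# 1. Backup: archive the folder and record what every file looked like at backup time.
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Compress-Archive -Path "$source\*" -DestinationPath $archive -CompressionLevel Optimal
New-HashManifest -Root $source | Export-Csv -Path $manifest -NoTypeInformation

# 2. Restore test: extract to a scratch directory and compare against the manifest.
function Test-BackupRestore {
    param([string]$Archive, [string]$Manifest)
    $scratch = Join-Path $env:TEMP "restore-test-$(Get-Random)"
    Expand-Archive -Path $Archive -DestinationPath $scratch
    try {
        $expected = Import-Csv -Path $Manifest
        $actual   = New-HashManifest -Root $scratch
        $diff = Compare-Object -ReferenceObject $expected -DifferenceObject $actual -Property RelativePath, Hash
        if ($diff) {
            $diff | Format-Table -AutoSize   # <= missing from restore, => unexpected or changed
            return $false
        }
        return $true
    }
    finally {
        Remove-Item -Path $scratch -Recurse -Force
    }
}

if (Test-BackupRestore -Archive $archive -Manifest $manifest) {
    "Restore test passed for $archive"
} else {
    Write-Error "Restore test FAILED for $archive; do not rely on this backup"
}
```

Compress-Archive is used here for illustration only; it does not handle very large archives well and a production backup product or Windows Server Backup should do the copying. The part worth keeping is the pattern: hash at backup time, restore somewhere harmless, compare, and treat any difference as a failed backup.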
Conducting an E8 review with Cybra is a method of assessing an organisation’s cyber security posture against the Australian Signals Directorate’s (ASD) E8 strategies. This review aims to identify any vulnerabilities or gaps in the company’s cyber security defences and make recommendations for improvement.
The following steps are typically taken when conducting an E8 review with Cybra:
- In preparation for the review, Cybra will:
- Distribute a pre-review questionnaire to gather information about the organisation's current cyber security practices and controls, and identify interviewees, their areas of responsibility and their locations.
- Arrange and conduct interviews and workshops
- Collect and review documentation
- Evaluation: A team of Cybra security experts will evaluate the organisation’s cyber security defences. This evaluation will include testing, analysing the collected information and assessing the control implementation maturity against the E8 model.
- Report and Recommendations: After the assessment, Cybra will provide the organisation with a detailed report outlining any vulnerabilities or gaps in its cyber security defences and suggestions for improvement.
- Follow-up and Implementation: The organisation will then have the opportunity to put the recommendations in the report into action and work with Cybra to address any issues discovered during the assessment.
- Annual E8 Post Implementation Review:
- Once-off or annual follow-up review for each mitigating control based on the chosen maturity level
- Review of any environmental changes and alignment with baseline E8
- Produce an updated E8 Maturity Assessment Report
The organisation must regularly review and update its cyber security defences to remain compliant with the E8 strategies until the following year’s audit. This includes:
- Regularly updating software
- Keeping a list of approved software
- Monitoring the network and endpoints for suspicious activity
Furthermore, it is always recommended to have an incident response plan, which includes a team, processes and procedures for quickly responding to and recovering from any cyber incident.
Finally, an E8 review compares an organisation's cyber security posture to ASD's E8 strategies: patching software promptly, maintaining an allowlist of authorised software, restricting privileges, enforcing MFA, backing up data and monitoring for suspicious activity. It is also essential to have an incident response plan and to train employees regularly to recognise and report cyber threats. By remaining vigilant and proactive, organisations can better protect themselves from cyber attacks and maintain compliance with the E8 controls.
Click here to learn more about Cybra’s Essential 8 consulting services.