March 20, 2017  |  Roger Temple

The Australian Signals Directorate (ASD) has recently modified its original top four strategies, increasing what is considered to be the core security controls to now encompass eight – the Essential Eight. ASD first published their guidance in 2010 naming it Strategies to Mitigate Targeted Cyber Intrusions, stating the Top 4 controls mitigate over 85 percent of techniques used in targeted cyber intrusions and has been compulsory for Australian government agencies since April 2013. 

This most recent update (with a minor name change to Strategies to Mitigate Cyber Security Incidents), expands coverage across two categories;

To prevent malware delivery and execution:

  • Application whitelisting (Top 4)
  • Patch Applications (Top 4)
  • Disable untrusted Microsoft Office macros [Editior's note: This is where SSS' StripIt can help]
  • User application hardening (for instance, Block web browser access to Adobe Flash Player web ads and untrusted Java code on the Internet.)

To limit the extent of incidents and recover data;

  • Restrict administrative privileges (Top 4)
  • Patch operating systems (Top 4)
  • Multi-factor authentication
  • Daily backup of important data

The Essential Eight are now considered to be a baseline for effective security controls; "While no single mitigation strategy is guaranteed to prevent cyber security incidents, ASD recommends organisations implement a package of eight essential strategies as a baseline," it said in official guidance. "This baseline makes it much harder for adversaries to compromise systems."

It is clear from this update that this targets the ability to secure systems from unwanted application execution such as Ransomware and more sophisticated command and control malware that is being overlooked by traditional AV solutions, as well as recover from these in the event of a security incident. The effectiveness and benefits of two-factor authentication is also acknowledged by its inclusion in the Essential Eight. Removing the reliance on traditional passwords provides a reliable and robust ability to ensure authentication is less susceptible to theft of credentials through social engineering as well as more direct threats such as brute force or rainbow attacks. Advances in this area have made implementations easier with the move away from traditional token based systems where a separate dongle or card was required, to software systems where mobile device clients can provide all the required functionality.

Although not compulsory for New Zealand Government agencies, the ASD 37 (as it now is) is considered to be an accepted industry standard and an effective framework for risk reduction and is used extensively across enterprise organisations. SSS uses the ASD 37 in all our gap analysis and risk assessment reporting, as it is useful in prioritising remediation efforts both in the context of coverage and effectiveness.

Contact us if you would like to talk with one of our security consultants.