“Prevention is better than cure.”
This is a mantra that holds true throughout the world of medicine. In a previous life, when I was a registered pharmacist under the Australian Health Practitioner Regulation Agency (AHPRA), this was very much the approach and belief instilled into us from day one.
Making a few lifestyle changes and taking sensible precautions go a long way in preventing and reducing the risks of deadly illnesses like heart disease and diabetes. Adopting healthy habits early on also greatly reduces the cost of treatment if and when these illnesses do strike.
So why am I here talking to you about preventing heart disease when the title clearly mentions the Essential Eight? Much like the medical principle of reducing health risks, the Essential Eight is the cybersecurity equivalent of preventative medicine.
Published in February 2017 by the Australian Cyber Security Centre (ACSC) in conjunction with the Australian Signals Directorate (ASD), the Essential Eight is a recommended guideline for businesses, providing them with baseline standards to mitigate security risks.
In a nutshell, the Essential Eight is there to help guide organisations in building up their cyber resilience. Putting these eight risk mitigation strategies into practice not only helps prevent breaches and keep malware at bay, but also helps limit the spread if the worst were to happen.
‘...implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cybersecurity incident.’ - ACSC
It’s not a hard and fast rule, but the Essential Eight gives different businesses a direction about what to consider in terms of cybersecurity. More importantly, it’s also not mandatory for all businesses to align with all of the Essential Eight strategies; the government will only require compliance with the top 4 out of 8 strategies listed.
The idea behind these strategies is to help prioritise the cyber initiatives Australian businesses need to take to ensure their safety. Cybercrime is on the rise, and in my previous article, I explored how scammers rely heavily on exploiting human behaviour to sneak their way into a company’s systems.
It can be a bit overwhelming to understand what it all means and exactly what is expected of you as a business owner, CISO, or IT manager. I’m hoping I can simplify matters by exploring the first 4 of the Essential Eight and the rationale behind them. Let’s jump right into it.
Application control
As a business, there are going to be applications that you use to run daily operations, e.g. CRMs, marketing platforms, payroll, etc. Then there are applications that only some of your people use, which you have no idea about until someone mentions them in passing. In my experience, I find that everyone is there to do their job, and they will use whatever tools they need to make that job easier and more convenient. If that happens to be an app or device that isn’t officially whitelisted by your IT department, this can be risky.
Known as ‘shadow IT’, these technologies can introduce vulnerabilities that may go unnoticed until it’s too late. Application control is a way to manage that risk. By specifying which applications are allowed to execute and blocking everything else, this approach protects against malicious code (or an unsanctioned installer) that would otherwise run on your systems by default.
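To make the default-deny idea concrete, here is an added illustration (my own example code, not an AppLocker or WDAC policy export) of how an application control decision works: an executable runs only if a hash rule or a path rule explicitly permits it, and path rules never cover user-writable folders, which is exactly where shadow IT lands. The allowlist, paths and file contents are constructed for the example.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed policy for illustration only.
# Hash rule: the SHA-256 of a known-good build of a business-critical app.
ALLOWED_HASHES = {hashlib.sha256(b"payroll-app-v3-build").hexdigest()}
# Path rules: vendor install trees that standard users cannot write to.
ALLOWED_DIRS = [r"C:\Program Files", r"C:\Windows\System32"]
# Locations a standard user can write to. A path rule must never trust these,
# otherwise anything a user downloads (shadow IT) runs just by being saved there.
USER_WRITABLE = [r"C:\Users", r"C:\Temp"]


def _under(path: str, root: str) -> bool:
    """True if path is inside root (case-insensitive, Windows separators)."""
    p = str(PureWindowsPath(path)).lower()
    r = str(PureWindowsPath(root)).lower().rstrip("\\") + "\\"
    return p.startswith(r)


def decide(path: str, content: bytes) -> tuple:
    """Evaluate one execution request. Returns (verdict, reason); default is deny."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in ALLOWED_HASHES:
        return ("allow", "hash rule")          # exact known-good binary
    if any(_under(path, d) for d in USER_WRITABLE):
        return ("deny", "user-writable location")
    if any(_under(path, d) for d in ALLOWED_DIRS):
        return ("allow", "path rule")          # installed by IT into a protected tree
    return ("deny", "no matching rule (default deny)")


if __name__ == "__main__":
    for p, c in [(r"C:\Program Files\Vendor\crm.exe", b"crm-binary"),
                 (r"C:\Users\alice\Downloads\crm.exe", b"crm-binary"),
                 (r"D:\payroll\payroll.exe", b"payroll-app-v3-build"),
                 (r"D:\payroll\payroll.exe", b"payroll-app-v3-build-tampered")]:
        print(p, "->", decide(p, c))
```

Note the last two cases: the same path is allowed when the file matches the known-good hash and denied once a single byte changes, which is what makes hash rules resistant to tampering and also why they need updating with every patch.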
Patching your applications
Applications are built to perform a specific function. However, just because an application is on the market doesn’t mean it’s immune from attackers exploiting its flaws and vulnerabilities. You don’t have to look far to find an example of technology being misused.
When email was first introduced in the ’70s, no one could have predicted how large an attack vector it would become over the next 30-40 years. Nowadays if you’re using email, you need to set up DNS authentication (SPF, DKIM, DMARC) as well as an email filtering system to stop phishing, ransomware, or Business Email Compromise (BEC) attacks.
Patching is how security updates and fixes reach the applications sitting in your network. These updates are absolutely critical to the security of all of your applications: commercial ones like your internet browser, and custom-developed ones (even those made-to-order specifically for your business). Keeping your apps and software up-to-date with security patches is one of the most important cybersecurity measures you must take.
Patching your operating system
For those who think I’ve accidentally mentioned patching applications again, that’s not an oversight. Patching operating systems is similar to patching applications, except instead of patching individual apps, we’re patching the underlying operating system (OS) all your apps run on. Since we tend not to think much about operating systems (and keep swiping away that annoying ‘install updates now’ message), it’s easy to fall victim to hackers who exploit their security gaps. An oldie but a goodie is the Conficker worm that was discovered in November 2008, which took advantage of unpatched versions of Microsoft Windows (vulnerability MS08-067). I know for a fact there are machines out there still running Windows XP, even though official support for XP ended in 2014.
The ACSC recommends patching computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Not only will patches protect against security flaws, but they can also help stabilise performance.
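The 48-hour window above is only useful if someone is measuring against it. The following added example (my own code, not an ACSC tool) runs a constructed patch inventory through that check: it reports records that have missed their window, and separately flags items like an unsupported OS where no vendor patch exists at all. The 48-hour figure for ‘extreme risk’ is the one quoted above; the other tiers are placeholder values an organisation would set for itself.

```python
from datetime import datetime, timedelta

# SLA in hours per risk rating. "extreme" is the 48-hour ACSC timeframe;
# "high" and "moderate" are placeholders, not ACSC figures.
SLA_HOURS = {"extreme": 48, "high": 14 * 24, "moderate": 30 * 24}

# Constructed sample inventory: one record per (host, vulnerable component).
# patch_released is when the vendor fix became available; patched is when it was applied.
INVENTORY = [
    {"host": "fileserver01", "package": "openssl", "risk": "extreme",
     "patch_released": "2024-03-01T09:00:00+00:00", "patched": None},
    {"host": "workstation-07", "package": "browser", "risk": "extreme",
     "patch_released": "2024-03-01T09:00:00+00:00", "patched": "2024-03-02T10:00:00+00:00"},
    {"host": "switch-core", "package": "firmware", "risk": "high",
     "patch_released": "2024-02-20T00:00:00+00:00", "patched": None},
    {"host": "legacy-pc", "package": "Windows XP", "risk": "extreme",
     "patch_released": None, "patched": None},   # end-of-life OS: no patch will ever come
]


def overdue(inventory, now_iso, sla=SLA_HOURS):
    """Return (host, package, finding) for every record outside its SLA or unpatchable."""
    now = datetime.fromisoformat(now_iso)
    report = []
    for item in inventory:
        if item["patch_released"] is None:
            # Nothing to install: the only mitigations are isolation, upgrade or replacement.
            report.append((item["host"], item["package"], "unsupported: no patch exists"))
            continue
        limit = sla[item["risk"]]
        deadline = datetime.fromisoformat(item["patch_released"]) + timedelta(hours=limit)
        done = datetime.fromisoformat(item["patched"]) if item["patched"] else None
        if done is not None and done <= deadline:
            continue                      # patched inside the window
        if done is None and now <= deadline:
            continue                      # still inside the window
        hours_late = ((done or now) - deadline).total_seconds() / 3600
        report.append((item["host"], item["package"], f"{hours_late:.0f}h past {limit}h SLA"))
    return report


if __name__ == "__main__":
    for row in overdue(INVENTORY, "2024-03-05T09:00:00+00:00"):
        print(*row)
```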
Restricting administrative privileges
Administrator privileges are like the keys to the castle: in the wrong hands, your business risks confidential information being exfiltrated or hackers gaining unfettered access to your network and systems. The ACSC’s recommendation to restrict access to systems and applications based on user duties makes absolute sense. Giving someone access to a critical system when their duties don’t require it is simply poor security practice.
By locking down and restricting accounts, we can limit the ways an attacker might try to infiltrate your network. Even if an account is compromised through, say, a credential harvesting phishing attack, the compromised account would still be restricted in what it can access. For administrator accounts that deal solely with internal systems, it’s also a good idea to remove access to common applications like Outlook, since email is a well-known channel for spreading malware. Some administrator accounts should also have their internet access removed, as this significantly decreases the likelihood of manipulation from the outside world.
Individually, these are small changes, but they have a cumulative effect on the security posture of your organisation. Just like the analogy of preventative medicine above, proactive cyber habits can pay off enormously for the cyber-health and security of your organisation.
Of course, we’ve only covered the top four of the Essential Eight strategies. In my next article, I’ll be looking at the remaining four as well as the different maturity models that come after implementing all of the Essential Eight. Stay tuned!