Welcome back everyone to part 2 of ‘Decoding the ACSC’s Essential Eight mitigations strategies explained’. For those who haven’t read the first instalment, I highly recommend checking it out, as in this article we’ll be jumping right into the final four mitigation strategies. In a later piece, I’ll also be sharing my take on the different maturity models and what they mean going forward. Let’s get to it!
1. Configure your Microsoft Office macro settings
Macros are little bits of code used to automate a lot of the routine tasks run by Microsoft Office applications. They’re great for productivity; with a single command or keystroke, you can execute a series of operations in applications like Microsoft Word, Excel or PowerPoint which can make your life a whole lot easier. Take for example your company letterhead. It’d be painstaking to have to recreate that every time you wanted to use the letterhead. But by setting up the macro once, you effectively never have to worry about the correct and consistent format of your company letterhead for any word docs again. You can just run the same macro every time!
Even though macros are handy, they also open up your organisation to risk. Cybercriminals can embed infected macros in common Microsoft Office documents, and any unwary user could accidentally trigger them with a simple command or keystroke. Or even just by opening the document which would automatically set off the macro. In today’s ever-evolving threat landscape, attacks like this generally exploit one specific vulnerability... and if you’re guessing it’s Human Error, then you’re absolutely correct.
Now depending on your organisation and, for lack of a better phrase, your relationship with macros, it will be entirely up to you to work out the best way to deal with them. Say, for an organisation that doesn’t really have a business requirement for using macros, apart from the occasional user here and there. You might decide it’s not worth the risk and disable them across your entire Microsoft Office suite. Why tempt fate, right? If there’s no real reason why they should be enabled, you can just turn macros off for everyone and limit your exposure to the risk they carry. For businesses whose finance department are the only ones who ‘need’ macros, you could enable them just for those users through GPO, while checking to make sure the macros are from a trusted location and digitally signed by trusted publishers.
The key thing here is to configure your settings based on your business requirements. Every business organisation will need its own configuration. There are a lot of moving parts, so planning is the most critical step. If you must use them, make sure you have an updated store of all your required macros. All it takes is a single person to make a mistake and run a bad macro, so make sure that due diligence is done when testing and vetting your macros.
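To see how those GPO-driven macro settings actually land on a workstation, here is an added PowerShell audit script (my own example, not from the ACSC or the article). It assumes Office 2016 or later (registry version key 16.0) and reads the per-user policy hive; the VBAWarnings values 1 to 4, the block-from-internet value and the Trusted Locations subkeys are the documented Office policy settings.

```powershell
# Added example (not from the ACSC or the article): report, per Office app,
# what the macro policy currently says and whether it matches the
# "signed macros from trusted locations only" intent discussed above.
# Assumption: Office 2016/2019/365 (policy key version 16.0), current user.
$apps = 'Word', 'Excel', 'PowerPoint'
$meaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (user can click Enable)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

foreach ($app in $apps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"

    # VBAWarnings is the value the GPO "VBA Macro Notification Settings" writes.
    $vba = (Get-ItemProperty -Path $sec -Name VBAWarnings `
            -ErrorAction SilentlyContinue).VBAWarnings
    # blockcontentexecutionfrominternet = 1 blocks macros in files that carry
    # the Mark-of-the-Web (e.g. email attachments and downloads).
    $block = (Get-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet `
              -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    # Trusted Locations run macros unrestricted, so list every path policy trusts.
    $tlKey = Join-Path $sec 'Trusted Locations'
    $trusted = @()
    if (Test-Path $tlKey) {
        $trusted = Get-ChildItem $tlKey |
            ForEach-Object { (Get-ItemProperty $_.PSPath).Path }
    }

    if ($null -eq $vba) {
        $state = 'Not set by policy (user controls it; Office defaults to "disable with notification")'
    } else {
        $state = $meaning[[int]$vba]
    }

    [pscustomobject]@{
        Application         = $app
        VBAWarnings         = $vba
        MacroSetting        = $state
        BlockInternetMacros = ($block -eq 1)
        TrustedLocations    = ($trusted -join '; ')
        # Intent met only when unsigned macros are disabled AND internet files are blocked.
        MeetsIntent         = (($vba -in 3, 4) -and ($block -eq 1))
    }
}
```

Run it under the account whose GPO you want to verify; a MeetsIntent of False, or a long TrustedLocations list, is the line item to chase up with whoever owns the policy.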
Here’s a table from the ACSC to help guide your decision process:
2. Harden your user applications
Unlike application control, which is more about which applications your business needs to be able to operate, application hardening looks at the applications you already have and decides which functions they should be able to perform and which should be disabled. When we introduce a new piece of tech, the temptation is to start using it right out of the box, so to speak. But in all the excitement, we usually forget about changing the default settings (or its security settings). In other words, we forget to secure it.
Application hardening can involve disabling unnecessary services, removing unused software, changing defaults, setting up access control, etc. It sounds tedious to have to go back and do a full software audit (in some cases you’ll already have an inventory for this, or need to create one), but it’s important for protecting your business and minimising the risk of malicious code reaching your network.
In addition to the security uplift, application hardening also brings other benefits. For one thing, your applications should be easier to maintain since they’ll have fewer active components. A neat side-effect of application hardening is that it could also improve software performance. After all, we’re limiting the number of tasks the app needs to do, rather than wasting processing power on functionality we don’t need.
3. Use multi-factor authentication (MFA)
MFA is an authentication method that requires a user to be validated by two different authentication factors to gain access to an application. For the majority of us, MFA authentication factors will be two of the three criteria below (with #1 and #2 being the most common):
Knowledge - Something only you would know, like a password or PIN
Possession - Something only you would have, like your phone or a keyfob
Inherence - Something unique to you, like biometrics, fingerprints, voice recognition or facial recognition (though that might be pretty hard nowadays with everyone wearing masks everywhere.)
A common example of MFA would be a user entering their login credentials, then having to enter a one-time-password (OTP) sent to their phone to complete the authentication process. Depending on where your business is at, MFA could either be fully implemented or just one part of your security roadmap. Although not new, it’s something that a lot of businesses are now looking at seriously, given the way we work has changed drastically (shoutout to all the people still working from home, we’ll get through it 😊! )
When looking to compromise a network, threat actors will attempt to steal legitimate user credentials through tactics such as phishing emails. When successful, these threat actors could gain access to the network and start their attack under the guise of a legitimate employee. MFA is one of the most effective controls a business can implement to prevent these attackers from gaining access to a device or network and ultimately, confidential data. In a world where a lot of services and applications exist in the cloud, it’s important to have controls in place to prevent unwanted access to your data.
But do all your applications need MFA? Potentially. This is where you, as a business, need to determine which applications and systems should be prioritised for MFA rollout. The key here is to make sure you have full visibility of all the applications that need it, while also avoiding the dreaded password complexity dilemma, where users are confused as to which credentials to use and how to log in to their applications.
This provides a great segue into one of the biggest MFA hurdles: how this extra layer of security will be received by the people who have to use it on a day-to-day basis. There will be staff who will need a lot more hand-holding through this process, just as there will be staff who will kick and scream about how annoying MFA is and how it’s not allowing them to do their job. Stay the course; it’s important to get all users accustomed to using MFA in their day-to-day. The transition will take some getting used to, but it’ll be worth it. At the end of the day, MFA could be the difference between identifying an intruder in your network, or your business filling out the Notifiable Data Breach online form for the OAIC.
4. Keep daily backups
If there were a list of certainties I’ve learned throughout my life, it would contain death, taxes, the Collingwood Football Club underperforming (good ol’ collywobbles!) and that something will always go wrong. That’s just a part of life, and part of living and working with technology.
Backing up your data is simply keeping a copy of it somewhere other than your computer. We’ve all been through the pain of working on a document for 5 hours straight, only to have the computer crash unexpectedly while we come to the sobering realisation that we forgot to save our work. It’s great that we have autosave capability now, but what happens when you accidentally leave your laptop on the train and never see it again? Hopefully, you had the foresight to keep a backup of your critical data somewhere else. And where you keep that copy of the data is very important, especially when you start to talk about data on a larger scale and all the other things that can go wrong. Backups safeguard you and your business from accidental or malicious data deletion.
Depending on your business, there may be a lot more than just data you’d want to back up. Things like software and configuration settings may need to be backed up and tested, as well as the data on all of the desktops, laptops and servers in your business.
Having a solid backup plan does require an investment of time and resources, but compared to the challenging task of recovering data which hasn’t been backed up, it very much is a case of short-term pain and long-term gain. Consider bringing in other stakeholders to talk about backup planning and immediate areas of focus. A robust and effective backup plan (which should be baked into your Business Continuity Plan (BCP)) could determine the survival of your business.
And that brings us to the end of the Essential Eight! I did want to talk about the different maturity models involved, but it seems that this article is already getting longer than I first anticipated. The good news is that there will be a part 3 which will focus solely on the maturity models, so I look forward to sharing that with you guys soon.