The ACSC Essential Eight

The Australian Cyber Security Centre (ACSC – https://www.acsc.gov.au/) publishes a list of eight mitigation strategies, the Essential Eight, with practical guidance that organisations can follow to mitigate cyber-attacks delivered through the most prevalent attack vectors and to remain resilient should an incident occur. The Essential Eight is grouped around three objectives: preventing the execution of malicious code in an organisation’s environment, limiting the extent of cyber security incidents, and recovering data after an incident (whether caused by malicious activity, force majeure or other unintentional events).

Prevention of malware execution

Application Hardening

Details of guideline: This guideline deals with removing (or restricting the permissions of) web-browser plug-ins such as Flash, ActiveX controls and Java applets, and with disabling superfluous features in applications such as Microsoft Office (OLE packages and ActiveX controls), PDF viewers and web browsers.
Why is this important? These plug-ins and embedded code-execution features are well-established targets for the delivery and execution of malicious code; removing them shrinks the attack surface without affecting legitimate work in most environments.

Application Whitelisting

Details of guideline: Only approved and trusted applications should be allowed to execute. Anything not explicitly approved, including executables (.exe, .com), libraries (.dll), scripts (.vbs, .js, .ps1) and installers, should be blocked from running. The ACSC now refers to this strategy as application control.
Why is this important? A default-deny execution policy reduces the attack surface available to threat actors: malicious code that reaches a system, whether through e-mail, a browser or removable media, cannot run unless it matches an approved rule.
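The following PowerShell script is an added example of how such an allow-list can be built with Windows AppLocker; it is not ACSC or Microsoft material. It assumes an elevated session on a Windows edition that supports AppLocker, and the reference directories, output path and sample file are placeholders to be replaced with your own.

```powershell
# Added example (not from the ACSC): build an AppLocker allow-list from a clean
# reference machine, deploy it locally in audit-only mode, and inspect the result.
# Assumptions: run as Administrator; paths below are placeholders.

$refDirs   = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
$policyXml = 'C:\Temp\applocker-baseline.xml'     # placeholder output path
$sample    = 'C:\Temp\unknown-tool.exe'           # placeholder file to test

# 1. Inventory executables, DLLs, scripts and installers on the reference machine.
$fileInfo = foreach ($dir in $refDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Generate rules. Publisher rules are preferred because they survive updates
#    of signed software; unsigned files fall back to hash rules. Rules are scoped
#    to Everyone, so anything not matched is blocked once enforcement is enabled.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Baseline' -Optimize -IgnoreMissingFileInformation

# 3. Start in audit-only mode: events are logged but nothing is blocked yet.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.ToXml() | Out-File -FilePath $policyXml -Encoding UTF8

# 4. Dry-run the policy against a file before deploying it anywhere.
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $sample -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply locally and make sure the Application Identity service is running;
#    without it AppLocker rules are never evaluated.
Set-AppLockerPolicy -XmlPolicy $policyXml
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 6. Review what would have been blocked (event ID 8003 = audit-only denial).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message -First 20
```

Run the policy in audit mode for long enough to cover a normal business cycle (month-end processing, software updates) before switching the collections to Enabled; a rule set that is switched straight to enforcement tends to be rolled back at the first help-desk call, which leaves the control permanently off.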

Application Patching

Details of guideline: Use the latest supported version of applications and keep all application patches up to date, prioritising the software that processes untrusted content (web browsers, Microsoft Office, PDF viewers, Flash and Java).
Why is this important? Adversaries routinely use well-known, publicly documented exploits against unpatched software; an exploit for a vulnerability that has already been fixed needs only an unpatched target to succeed.

Microsoft Office Macro Settings

Details of guideline: Microsoft Office should be configured to block macros in files downloaded from the Internet and to allow only vetted macros to run: either macros stored in trusted locations to which ordinary users have no write access, or macros that have been digitally signed with a certificate from a trusted publisher. All other macros should be disabled.
Why is this important? Microsoft Office macros are a common vehicle for the delivery and execution of malicious code, typically via a document attached to a phishing e-mail.
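The script below is an added example, not ACSC or Microsoft code, showing how the macro settings described above can be applied through the Office policy registry keys and then verified. It assumes Office 2016/2019/365 (registry version key 16.0), writes to the current user's policy hive for illustration (in production the same values are pushed by Group Policy), and uses a placeholder trusted-location folder whose NTFS permissions are assumed to have been restricted separately so that only administrators can write to it.

```powershell
# Added example (not from the ACSC): enforce the Essential Eight macro settings
# for Word, Excel and PowerPoint via the Office policy registry keys.
# Assumptions: Office version key 16.0; HKCU policy hive for illustration;
# the trusted-location folder is a placeholder with admin-only write access.

$officeVersion   = '16.0'
$apps            = 'Word', 'Excel', 'PowerPoint'
$trustedLocation = 'C:\ApprovedMacros'     # placeholder, write-restricted folder

# VBAWarnings: 1 = enable all (unsafe), 2 = disable with notification (default),
#              3 = disable all except digitally signed, 4 = disable all silently.
$desired = @{
    'blockcontentexecutionfrominternet' = 1   # block macros in Mark-of-the-Web files
    'VBAWarnings'                        = 3   # only macros signed by a trusted publisher
}

function Set-OfficeMacroPolicy {
    param([Parameter(Mandatory)][string]$App)

    $security = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    if (-not (Test-Path $security)) { New-Item -Path $security -Force | Out-Null }
    foreach ($name in $desired.Keys) {
        New-ItemProperty -Path $security -Name $name -Value $desired[$name] `
            -PropertyType DWord -Force | Out-Null
    }

    # Trusted locations: disallow network shares (users can often write to them)
    # and register the single, write-restricted folder as Location1.
    $tl = Join-Path $security 'Trusted Locations'
    if (-not (Test-Path $tl)) { New-Item -Path $tl -Force | Out-Null }
    New-ItemProperty -Path $tl -Name 'AllowNetworkLocations' -Value 0 `
        -PropertyType DWord -Force | Out-Null
    $loc = Join-Path $tl 'Location1'
    if (-not (Test-Path $loc)) { New-Item -Path $loc -Force | Out-Null }
    New-ItemProperty -Path $loc -Name 'Path' -Value $trustedLocation `
        -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $loc -Name 'AllowSubfolders' -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

function Test-OfficeMacroPolicy {
    # Reads back the security values and reports any application that deviates.
    param([Parameter(Mandatory)][string]$App)

    $security = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    foreach ($name in $desired.Keys) {
        $actual = (Get-ItemProperty -Path $security -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            App       = $App
            Setting   = $name
            Expected  = $desired[$name]
            Actual    = $actual
            Compliant = ($actual -eq $desired[$name])
        }
    }
}

foreach ($app in $apps) { Set-OfficeMacroPolicy -App $app }
$apps | ForEach-Object { Test-OfficeMacroPolicy -App $_ } | Format-Table -AutoSize
```

The Test-OfficeMacroPolicy function is the part worth scheduling: a macro setting that was correct at deployment can be silently undone by an Office repair, a new user profile or an unmanaged machine, so the read-back should run as a recurring compliance check rather than once.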

Limiting the extent of cyber security incidents

Restricting administrative privileges

Details of guideline: Administrative privileges should be granted only to users who need them to perform their duties, and only to the extent required. These privileges should be re-evaluated regularly and revoked when no longer needed. Administrative accounts should not be used for non-administrative tasks such as reading e-mail or browsing the web; administrators should have a separate, unprivileged account for day-to-day work.
Why is this important? Because of the elevated privileges attached to administrative accounts, an adversary who gains control of one gains full control of the affected systems and the information they hold, and can use that position to move laterally and disable other defences.
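As an added example (not ACSC material) of the "re-evaluate regularly" and "not used for non-administrative tasks" points above, the following PowerShell audit compares the local Administrators group against an approved list and then looks for interactive logons by those accounts in the Security event log. It assumes an elevated session (reading the Security log requires it), a seven-day review window, and a placeholder approved list that you would replace with your own.

```powershell
# Added example (not from the ACSC): audit local administrative privilege.
# Assumptions: run as Administrator; $approved is a placeholder list;
# a 7-day window is used for the logon review.

$approved = @('BUILTIN\Administrators', 'CONTOSO\Server-Admins')   # placeholder
$window   = (Get-Date).AddDays(-7)

# 1. Who currently holds local administrative rights, and is each one approved?
$members = Get-LocalGroupMember -Group 'Administrators'
$membership = foreach ($m in $members) {
    [pscustomobject]@{
        Member   = $m.Name
        Type     = $m.ObjectClass
        Source   = $m.PrincipalSource
        Approved = ($approved -contains $m.Name)
    }
}
$membership | Format-Table -AutoSize

# 2. Interactive logons (type 2 = console, type 10 = RDP) by an admin account
#    indicate it is being used for day-to-day work rather than administration.
$adminNames = $members | Where-Object ObjectClass -eq 'User' |
    ForEach-Object { ($_.Name -split '\\')[-1] }

$logons = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $window
} -ErrorAction SilentlyContinue

$suspect = foreach ($e in $logons) {
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($adminNames -contains $data['TargetUserName'] -and
        $data['LogonType'] -in @('2', '10')) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
        }
    }
}
$suspect | Sort-Object Time -Descending | Format-Table -AutoSize
```

Unapproved members found in step 1 are the revocation list for the next review; hits in step 2 are the conversation to have with the administrators concerned about using a separate unprivileged account.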

Patching of operating systems

Details of guideline: Computers and other network-connected devices should be patched within 48 hours when they are found to contain high-risk vulnerabilities, or removed from the network if they cannot be patched in that time. Only supported versions of operating systems should be used; unsupported versions receive no security fixes at all.
Why is this important? Security vulnerabilities in operating systems are a known attack vector for system compromise, and exploits for them typically appear within days of a patch being released.

Implementation of multi-factor authentication

Details of guideline: Multi-factor authentication should be required for all remote access, including RDP, VPN and SSH connections. It should also be required for any user action that involves elevated privileges and for access to sensitive data.
Why is this important? Multi-factor authentication adds a further hurdle for an adversary who has obtained a password (through phishing, credential stuffing or a breached database) before they can reach the system or the information it holds.

Backups and Recovery of Data

Daily backups

Details of guideline: Daily backups of critical data, as well as of system configurations and settings, are required. These backups should be stored offline, disconnected from the production network (preferably off-site), so that ransomware or a compromised account cannot reach them. Backups should be retained for at least three months. Restoration should be tested when the backup process is first put in place, and thereafter at least annually and whenever the infrastructure changes.
Why is this important? Information must remain recoverable after a cyber security incident or any other event that leads to loss of data; a backup that has never been restored is an assumption, not a control.