
CYBER SOLUTIONS

A comprehensive guide to the Essential Eight: Improving your cyber maturity with the Essential Eight

A guide for small and medium Australian businesses seeking to improve their cyber posture with the Essential Eight.
Why a cyber security strategy is no longer negotiable for Australian businesses

The Australian Cyber Security Centre (ACSC) created the Essential 8 to provide Australian businesses with strategies to mitigate cyber incidents. It is a prioritized list of practical actions that businesses can take to make their business more secure.

The advantage of the Essential 8 is that it is customizable to each business based on their risk profile and the threats they are most concerned about. Whilst no single strategy is guaranteed to prevent a cyber attack, it is recommended that businesses implement the essential mitigation strategies as a baseline.

The strategies have been developed to prevent an attack and protect your data and networks. Implementing a cyber security strategy is far more cost effective than responding to or recovering from a cyber incident.

What is cyber resilience or cyber posture?

Cyber resilience is the ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from cyber security incidents.

KAINE MATHRICK TECH A comprehensive guide to the Essential Eight 2


All businesses operate online, but has your business considered how safe its digital operations are?

As you expand your online presence, cybersecurity must be a top priority due to the growing number of cyber attacks: in fact, there has been a 600% increase in 2021.

The Australian Cyber Security Centre's (ACSC) 2020-2021 Annual Cyber Threat Report observes that over the 2020-21 financial year, ACSC received over 67,500 cybercrime reports, an increase of nearly 13 per cent from the previous financial year.

They also found that even after an attack, 72% of breached Australian businesses thought it unlikely they would get attacked again and took no real measures.

The Australian Government, led by the Australian Cyber Security Centre (ACSC), is striving to assist businesses to prevent cyber breaches occurring and strengthen their cyber security posture.

As the first line of defence, they developed the Essential 8. By complying with the Essential 8, you will be in the best position to protect your digital assets against an attack.



What is the Essential Eight?

The Essential Eight is a cyber self-assessment tool developed by the Australian Cyber Security Centre (ACSC), helping Australian businesses measure their cyber security maturity and mitigate cyber security incidents posed by various cyber threats. The strategies have been designed to safeguard Microsoft Windows based internet-connected networks.

Developed by the ACSC, the Essential Eight are supported by the Victorian Government Chief Information Security Officer (CISO) as being foundational security strategies crucial to managing contemporary cyber security threats.

Analysis by the Cyber Safety Unit's (CSU) Cyber Incident Response Service (CIRS) found that 84% of reported incidents in 2020/21 may have been prevented or reduced by the implementation of a minimum of one of the Essential Eight tactics.

Why should businesses implement and comply with the Essential 8?

Implementing the ACSC Essential 8 effectively helps you achieve a baseline cyber security posture to prevent an attack. Whilst this may sound straightforward, many businesses struggle to achieve this level of cyber security even today.

Cyber security is constantly evolving and we must adjust to meet those threats. Building a strong cyber security strategy is a journey and an ongoing program that adapts and evolves to keep up with the market. The Essential 8 is a critical part of this journey. It provides a solid foundation to contribute towards the success of your cyber program.



The maturity model explained

The ACSC developed a four-tier maturity model to provide advice to businesses on how and what to implement to mitigate different levels of adversary tradecraft and targeting.

When implementing the Essential Eight, businesses should first identify a target maturity level that is suitable for their environment; they should then progressively implement each maturity level until that target is achieved.

Four maturity levels have been identified (Maturity Level Zero through to Maturity Level Three). With the exception of Maturity Level Zero, the maturity levels are based on mitigating increasing levels of cyber attacks. As such, your business must consider what level of cyber attacks you are wanting to mitigate.

• Maturity Level Zero: Not yet aligned to the intent of the mitigation strategy. (No Compliance)
• Maturity Level One: Partly aligned with the intent of the mitigation strategy. (Low Compliance)
• Maturity Level Two: Mostly aligned with the intent of the mitigation strategy. (Medium Compliance)
• Maturity Level Three: Fully aligned with the intent of the mitigation strategy. (Highly Protected)1

Fortunately, the Essential 8 can be tailored according to your business' risk profile and requirements. The strategies have been designed to complement each other and to provide coverage across a range of cyber threats, and cover 8 areas:

Protect
• Application control
• Patch applications
• Configure Microsoft Office macro settings
• User application hardening

Limit
• Restrict administrative privileges
• Patch operating systems
• Multifactor Authentication

Recover
• Back up

The Essential Eight outlines a minimum set of preventative measures; businesses need to implement additional measures to those within this maturity model where it is warranted by their environment. Further, while the Essential Eight can help to mitigate the majority of cyber threats, it will not mitigate all cyber threats. As such, additional mitigation strategies and security controls need to be considered.2

1. “ACSC Annual Cyber Threat Report 01 July 2020 to 30 June 2021”, ACSC, Sep 21



The Essential 8 Mitigation Strategies

The Essential 8 framework provides a prioritized list of baseline security controls that businesses can implement to protect and improve their cyber security.

These eight key security controls are recognized globally as critical to cyber resilience as they help prevent attacks, limit the impact of attacks and recover data and system availability.

The Australian Signals Directorate (ASD) found that these eight controls can mitigate up to 85% of cyber attacks.

Essential 8 Cyber Security Mitigation Strategies

PREVENT
• Application control
• Patch applications
• Configure Microsoft Office Macro
• User Application Hardening

LIMIT
• Patch Operating Systems
• Multi-factor Authentication
• Restrict Privileges

RECOVER
• Daily Backups

2. Essential Eight Maturity Model, ACSC, https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model



The Essential 8 in more detail

Layering preventative measures will help you limit the extent of a security incident and reduce the ability for the incident to spread to other systems.

The Essential 8 is designed to reduce your attack surface as well as the number of incidents that may occur in your environment. Furthermore, to shield against and block an attack, whether it starts as a phishing, malware, or hacking attack, there are 4 levels of protection to put in place.

Prevent malware delivery & execution
• Application whitelisting
• Patch Applications
• Configure Microsoft Office Macro Settings
• User application hardening

Limit the extent of incidents and data recovery
• Patch Operating Systems
• Multi Factor Authentication
• Restrict privileges
• Daily Back ups



Prevent malware delivery & execution

The first phase of a cyber security strategy should reduce your attack surface, which will reduce the number of incidents that occur in your environment. Whether they start as a phishing attack, hacking or malware, there are 4 layers of protection to put in place:

Application Whitelisting

Whitelisting allows only selected software applications to run on your end points, preventing unapproved and harmful programs from installing and running on your systems.

Why do this: Dynamic whitelisting delivers a high level of security. It blocks all non-approved software, including malware.

To reach level 3 maturity: Must be implemented on all workstations and servers to manage a wide variety of file types.
Microsoft's recommended block rules and driver block rules are implemented and should be validated annually or more frequently.
Central logging is required for allowed and blocked executions.

Patch Applications

Patches fix security vulnerabilities in software applications and serve to protect your technology from newly identified threats.

Why do this: Cyber actors will use known software vulnerabilities to target computers.

To reach level 3 maturity: All internet facing services or applications are patched within 2 weeks of a patch release, or within 48 hours if an exploit exists. Others should be patched within a month.
A vulnerability scanner is used daily to identify missing patches or security updates for vulnerabilities in internet facing servers, weekly for productivity applications and every 2 weeks for other applications.
Applications that are no longer supported by the vendor are removed.



Configure Microsoft Office Macro Settings

Microsoft Office applications can use software known as 'macros' to automate routine tasks. Configuring macro settings correctly restricts the access that machines and individuals on the internet have to business data.

Why do this: Macros are used increasingly to enable the download of malware, compromising a system through legitimate functionality rather than a software vulnerability, and enabling access to sensitive information.

To reach level 3 maturity: Minimise the scope for macro use and reduce the attack surface.
Macros are disabled via policy for users with no requirement for them.
Approved macros run from trusted locations or sandboxes. Approved macros come via trusted publishers, cannot be manually enabled and must be reviewed annually.
Macros cannot come from the internet, antivirus scanning is enabled, Win32 API calls cannot be made, and users cannot edit macro settings. All allowed and blocked macros must be logged centrally.

User Application Hardening

Disable unnecessary features across various platforms, including Adobe Flash, web ads and untrusted Java code on the internet. Reducing how open you are reduces the points of entry or vulnerability into your business.

Why do this: Apps such as Flash and Java have long been popular ways to deliver malware. User-targeted vulnerabilities are the fastest way to gain a foothold in an organization. Updating these applications is critical; but where not needed, remove or block them.

To reach level 3 maturity: Internet Explorer 11 is disabled or removed; web browsers cannot process Java from the internet or web advertisements.
MS Office and PDF tools are blocked from creating child processes, executable content, or injecting code into other processes.
ACSC or vendor guides on app hardening for browsers, office and PDF tools are implemented.
Old versions of .NET (2.0, 3.0, 3.5) and PowerShell (2.0) are disabled or removed.
Blocked PowerShell executions are centrally logged and protected.



Limit cyber security incidents

In some circumstances you cannot prevent an attack; however, with the following three mitigation strategies you can ensure the breach does not extend too far and protect your data from theft.

Patch Operating Systems

A patch will fix security vulnerabilities in an operating system. Always patch and update end points and network devices to the latest operating systems so they can be protected from the latest threats.

Why do this: Adversaries will use known security vulnerabilities to target mobiles and desktops. Most vulnerabilities found on an endpoint are going to be in the software running on the system, and new vulnerabilities are identified regularly.

To reach level 3 maturity: Internet facing services, workstations or servers and network devices are patched within 2 weeks of patch release, or within 48 hours if an exploit exists.
A vulnerability scanner is used daily for internet facing services, and weekly for workstations or servers and network devices.
The latest or previous release of operating systems is used for workstations or servers and network devices. Operating systems that are no longer supported by the vendor are removed.
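The patching windows quoted for applications and operating systems above can be checked mechanically. The script below is an added example, not code from the guide or from the ACSC; the asset register, dates and the 30-day reading of "within a month" are assumptions made for the demonstration.

```python
"""Added example (not from the guide): checks a patch register against the
Maturity Level Three windows quoted above:
  - internet facing services/applications, workstations, servers and network
    devices: patched within 2 weeks of release, or 48 hours if an exploit exists;
  - other applications: within a month (assumed here to mean 30 days);
  - scanner cadence: daily (internet facing), weekly (OS and productivity
    apps), every 2 weeks (other apps). All names and dates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class PatchRecord:
    asset: str
    internet_facing: bool
    exploit_exists: bool          # a working exploit for the flaw is publicly known
    released: datetime            # when the vendor released the patch
    applied: Optional[datetime]   # when the patch was applied; None if still missing
    category: str = "other"       # "os", "productivity" or "other" (application)


def deadline(rec: PatchRecord) -> datetime:
    """Latest acceptable patch time for this record under the ML3 windows."""
    fast_track = rec.internet_facing or rec.category == "os"
    if fast_track:
        return rec.released + timedelta(hours=48 if rec.exploit_exists else 24 * 14)
    return rec.released + timedelta(days=30)  # "within a month" for other apps


def scan_interval_days(rec: PatchRecord) -> int:
    """How often a vulnerability scanner must check this asset for missing patches."""
    if rec.internet_facing:
        return 1
    if rec.category in ("os", "productivity"):
        return 7
    return 14


def is_compliant(rec: PatchRecord, now: datetime) -> bool:
    """Patched by its deadline, or still inside the window if not yet patched."""
    due = deadline(rec)
    if rec.applied is not None:
        return rec.applied <= due
    return now <= due


def non_compliant(records: List[PatchRecord], now: datetime) -> List[str]:
    """Assets that missed their ML3 patch window."""
    return [r.asset for r in records if not is_compliant(r, now)]


# Constructed sample register; NOW is the fixed point in time for the check.
NOW = datetime(2022, 3, 15, 9, 0)
SAMPLE = [
    PatchRecord("web-01", True, True, datetime(2022, 3, 12, 10), None),            # 48h lapsed
    PatchRecord("fileserver", False, False, datetime(2022, 3, 1), datetime(2022, 3, 10), "os"),
    PatchRecord("finance-app", False, False, datetime(2022, 2, 1), None),          # over a month
    PatchRecord("laptop-17", False, False, datetime(2022, 3, 14), None, "productivity"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.asset}: scan every {scan_interval_days(r)} day(s), due {deadline(r):%Y-%m-%d %H:%M}")
    print("non-compliant:", non_compliant(SAMPLE, NOW))
```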

Restrict administrative privileges

Administrative privileges should be reserved for managing systems, installing legitimate or approved software and applying software patches. They should be regularly revalidated, and privileged accounts should not be used for web browsing, email checking or whilst working remotely.

Why do this: Admin accounts are the "keys to the kingdom." Adversaries use them for full access to information and systems. There are many vulnerabilities that, if exploited, give the attacker permissions equal to the current user.

To reach level 3 maturity: All privileged access to systems or applications is limited to only what's needed and is validated at request, then reviewed after 12 months and disabled after 45 days of inactivity.
Privileged accounts cannot access the internet, email, or web services. These accounts use separate environments, and privileged environments cannot be virtualized in unprivileged areas.
Just in Time admin is used for administering systems and applications via jump servers.
Credentials for local administrator accounts are unique, unpredictable, and managed.
Windows Defender Credential Guard and Defender Remote Credential Guard are enabled.
All use of and changes to privileged accounts are centrally logged and audited.
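The 12-month review, 45-day inactivity and central logging requirements above can be applied to a privileged-access register as a routine check. The script below is an added example, not code from the guide or the ACSC; the account names, dates and the register layout are assumptions made for the demonstration.

```python
"""Added example (not from the guide): applies the Maturity Level Three
privileged-access rules quoted above to an access register:
  - access is validated at request, then reviewed after 12 months;
  - accounts are disabled after 45 days of inactivity;
  - every use of and change to a privileged account is logged for audit.
Account names and dates are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

REVIEW_AFTER = timedelta(days=365)      # "reviewed after 12 months"
INACTIVITY_LIMIT = timedelta(days=45)   # "disabled after 45 days of inactivity"


@dataclass
class PrivilegedAccount:
    name: str
    validated_on: datetime          # when the access request was approved
    last_used: Optional[datetime]   # None if never used since approval
    enabled: bool = True
    audit_log: List[str] = field(default_factory=list)


def needs_review(acct: PrivilegedAccount, now: datetime) -> bool:
    """Access validated 12 months ago or more must be re-validated."""
    return now - acct.validated_on >= REVIEW_AFTER


def is_stale(acct: PrivilegedAccount, now: datetime) -> bool:
    """No use for 45 days; counted from approval if the account was never used."""
    last = acct.last_used or acct.validated_on
    return now - last >= INACTIVITY_LIMIT


def record_use(acct: PrivilegedAccount, when: datetime, action: str) -> None:
    """Every use of a privileged account is written to the central audit log."""
    acct.last_used = when
    acct.audit_log.append(f"{when.isoformat()} used: {action}")


def apply_policy(accounts: List[PrivilegedAccount], now: datetime) -> Tuple[List[str], List[str]]:
    """Disable stale accounts and list accounts due for review; every change is logged."""
    disabled, due_review = [], []
    for a in accounts:
        if a.enabled and is_stale(a, now):
            a.enabled = False
            a.audit_log.append(f"{now.isoformat()} disabled: inactive {INACTIVITY_LIMIT.days} days")
            disabled.append(a.name)
        if needs_review(a, now):
            due_review.append(a.name)
    return disabled, due_review


def sample_register() -> List[PrivilegedAccount]:
    """Constructed sample data, rebuilt on each call so every check starts clean."""
    return [
        PrivilegedAccount("adm-alice", datetime(2021, 2, 1), datetime(2022, 3, 10)),  # review overdue
        PrivilegedAccount("adm-bob", datetime(2021, 12, 1), datetime(2022, 1, 5)),    # 69 days idle
        PrivilegedAccount("adm-carol", datetime(2022, 1, 15), None),                  # never used, 59 days
        PrivilegedAccount("adm-dave", datetime(2021, 11, 1), datetime(2022, 3, 1)),   # in policy
    ]

NOW = datetime(2022, 3, 15)

if __name__ == "__main__":
    print(apply_policy(sample_register(), NOW))
```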



Multi-factor authentication

Passwords are easily hacked. All passwords should have an additional layer of security requiring identification proof, especially when working remotely or when trying to access sensitive data.

Why do this: More than 50% of cyber incidents reported in Australia involved compromised or stolen credentials.

To reach level 3 maturity: Users authenticate with MFA to internet facing or 3rd party services that store or process sensitive data.
Where MFA is available for non-sensitive data it is used. MFA is enabled by default for non-org users accessing internet facing services.
MFA is used to authenticate privileged users of systems.
MFA is verifier impersonation resistant and uses something users have and something users know, or something users have that is unlocked by something users are.
MFA success and failure is centrally logged for audit.

Recover data and system availability

In the unfortunate event that you are attacked by ransomware or your data has been corrupted, you must recover a previous version of your data. For that recovery to be successful you need daily back ups that are stored securely offline.

Daily Backups

Why do this: That way, your business can access data again if it is a victim of a cyber security incident. In the case of a compromised system, it is cleaner to use a back up rather than trying to take an approach of cleaning and using the system.

To reach level 3 maturity: Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.
Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.
Unprivileged accounts, and privileged accounts (excluding backup administrators), cannot access backups.
Unprivileged accounts, and privileged accounts (excluding backup break glass accounts), are prevented from modifying or deleting backups.



What you should do

Cyber security should be your number one focus for 2022 as there are many risk factors if you do suffer a breach. Prevention and planning ahead can save you a costly recovery. No matter what size your business is, you must be prepared for a malicious or human error data breach.

The ACSC recommend that all businesses prioritise the implementation of the Essential Eight Maturity Model and in particular do the following six actions.

1/ Report your breach to your Managed Service Provider.
They should be the first call you make when a cyber breach occurs. They should be able to assist you with all of the relevant information and documentation about your cyber breach. A quality Cyber Security provider should also have created an Incident Response Plan for your business to help you with the effective and efficient management of your incident.
Learn more about selecting an MSSP.

2/ Report all cyber crime and security incidents via the ACSC ReportCyber.
This is a central website run by the Australian Cyber Security Centre and provides assistance and referral pathways depending on the nature of the incident or cyber crime.

3/ Know your networks.
Your business should have your networks documented and understand where valuable or sensitive information and infrastructure is located, and apply appropriate cyber security measures proportionate to the risk of compromise.

4/ Patch within 48 hours where an exploit exists.
Cyber criminals monitor reporting of security vulnerabilities and use automated tools to regularly scan and exploit network vulnerabilities. This means that businesses can no longer rely on monthly patch update cycles and must prioritise patching to protect their networks from a cyber incident. If you are working with an MSSP, they should automatically manage this on your behalf.

5/ Understand and evaluate your risks with your cyber supply chain.
The first step in cyber supply chain risk management is to identify the cyber supply chain. As a starting point, organisations should establish a list of suppliers, manufacturers, distributors and retailers they have business arrangements with. Identify those responsible for products or services with security enforcing functions, privileged access or handling sensitive information as a priority. Regardless of which suppliers, manufacturers, distributors or retailers are deemed a high risk at any given time, organisations should seek to establish cyber security expectations with all of these businesses, and routine audits should be scheduled.3

6/ Prepare for a cyber security incident with Incident Response, Business Continuity and Disaster Recovery plans in place.
An Incident Response Plan enables businesses to respond efficiently to a cyber security incident, limit its impact and enable its recovery. Testing the Incident Response Plan, Disaster Recovery and Business Continuity plans and back ups provides an opportunity to review and improve your cyber security posture in a controlled environment.

3. Cyber Supply Chain Risk Management. Source: https://www.cyber.gov.au/acsc/view-all-content/publications/cyber-supply-chain-risk-management



About Kaine Mathrick Tech

Kaine Mathrick Tech is an Australian MSP delivering modern and secure workplace solutions to small and medium businesses that change the game. We bridge the gap between technology and humans as your technology partner. We believe in solving problems, not just tickets.

Our solutions include managed IT support services, managed cyber security services, IT strategy and project delivery, modern workplace solutions, cloud migrations and unified communications, all supported by our award winning IT support and helpdesk.

Partnering with over 120 Australian businesses, we believe in partnership and put people and relationships first.

Kaine Mathrick Tech's approach

Our managed cyber offering will ensure your business reaches maturity level 3, but also takes into account other cyber services such as:

1. Security awareness training
2. Encryption
3. SIEM
4. Dark Web
5. End Point Detection and Response (EDR)
6. Incident Response Plans

And more…

To understand where your cyber posture sits against the Essential 8, take our Assessment.



Contact us

1300 174 391


info@kmtech.com.au
kmtech.com.au
