A Comprehensive Guide To The Essential Eight
• Maturity Level Zero: Not yet aligned to the intent of the mitigation strategy (No Compliance)
• Maturity Level One: Partly aligned with the intent of the mitigation strategy (Low Compliance)
• Maturity Level Two: Mostly aligned with the intent of the mitigation strategy (Medium Compliance)

The Essential Eight outlines a minimum set of preventative measures; businesses need to implement additional measures to those within this maturity model where it is warranted by their environment. Further, while the Essential Eight can help to mitigate the majority of cyber threats, it will not mitigate all cyber threats. As such, additional mitigation strategies and security controls need to be considered.[2]
1. “ACSC Annual Cyber Threat Report 01 July 2020 to 30 June 2021”, ACSC, Sep 21
2. Essential Eight Maturity Model, ACSC,
Prevent malware delivery & execution
Application Whitelisting
Whitelisting allows only selected software applications to run on your endpoints, preventing unapproved and harmful programs from installing and running on your systems.
To reach level 3 maturity: Must be implemented on all workstations and servers to manage a wide variety of file types.
Patch Applications
Patches fix security vulnerabilities in software applications and serve to protect your technology from newly identified threats.
Why do this: Cyber actors will use known software vulnerabilities to target computers.
To reach level 3 maturity: All internet-facing services or applications are patched within 2 weeks of a patch release, or within 48 hours if an exploit exists. Others should be patched within a month.
Configure Microsoft Office Macro Settings
Microsoft Office applications can use software known as ‘macros’ to automate routine tasks. Correct configuration restricts access to business data by machines and individuals from the internet.
Why do this: Macros are increasingly used to enable the download of malware, compromising a system through legitimate functionality rather than a software vulnerability, and enabling access to sensitive information.
To reach level 3 maturity: Minimise the scope for macro use and reduce the attack surface. Macros cannot come from the internet, AV scanning is enabled, Win32 API calls cannot be made, and users cannot edit macro settings. All allowed and blocked macros must be logged centrally.
User Application Hardening
Disabling unnecessary features across various platforms, including Adobe Flash, web ads and untrusted Java code on the internet. Reducing how open you are reduces the points of entry or vulnerability into your business.
Why do this: Apps such as Flash and Java have long been popular ways to deliver malware. User-targeted vulnerabilities are the fastest way to gain a foothold in an organization. Updating these applications is critical, but where not needed, remove or block them.
To reach level 3 maturity: Internet Explorer 11 is disabled or removed, and web browsers cannot process Java from the internet or web advertisements. MS Office and PDF tools are blocked from creating child processes, executable content, or injecting code into other processes. ACSC or vendor guides on application hardening for browsers, Office and PDF tools are implemented.
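A read-only audit of the macro and application hardening points listed in the two sections above, added here as an example and not part of the guide. It assumes Office 16.0 (Microsoft 365 / Office 2016 and later), Microsoft Defender Antivirus, and an elevated prompt; the ASR rule GUIDs are the ones Microsoft publishes for the behaviours the guide names.

```powershell
# Added example, not from the guide: read-only audit of the Level 3 macro and hardening points.
# Assumes Office 16.0, Microsoft Defender Antivirus, and an elevated prompt (needed for
# Get-WindowsOptionalFeature). Nothing here changes configuration.

# Defender attack surface reduction (ASR) rule GUIDs published by Microsoft that map to the
# points above: Office/PDF child processes, executable content, code injection, Win32 API calls.
$AsrRules = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
}
function Get-Verdict($Ok) { if ($Ok) { 'PASS' } else { 'FAIL' } }

function Test-AsrRules {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)   # index-aligned with $ids
    foreach ($guid in $AsrRules.Keys) {
        $i = [array]::IndexOf($ids, $guid)
        # Action 1 = Block. 0 = Off and 2 = Audit only report, so neither satisfies the control.
        $ok = ($i -ge 0) -and ($actions[$i] -eq 1)
        [pscustomobject]@{ Check = $AsrRules[$guid]; Result = Get-Verdict $ok }
    }
}

function Test-MacroPolicy {
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        # Policy hive is written by GPO/Intune; a value here is one users cannot change in Trust Center.
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $v   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check  = "${app}: macros in files from the internet are blocked by policy"
            Result = Get-Verdict ($v.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

function Test-IE11Removed {
    $ie = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Internet Explorer 11 disabled or removed'
        Result = Get-Verdict ($null -eq $ie -or $ie.State -ne 'Enabled')
    }
}

& { Test-AsrRules; Test-MacroPolicy; Test-IE11Removed } | Format-Table -AutoSize
```

A FAIL against an ASR rule set to Audit (action 2) is intentional: audit mode only logs the behaviour and does not block it, so it does not meet the Level 3 requirement.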
Limit the extent of incidents and data recovery
Patch Operating Systems
A patch will fix security vulnerabilities in an operating system. Always patch and update endpoints and network devices to the latest operating systems so they can be protected from the latest threats.
Why do this: Adversaries will use known security vulnerabilities to target mobiles and desktops. Most vulnerabilities found on an endpoint are going to be in the software running on the system, and new vulnerabilities are identified regularly.
To reach level 3 maturity: Internet-facing services, workstations or servers and network devices are patched within 2 weeks of patch release, or 48 hours if an exploit exists.
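The patch windows from the Patch Applications and Patch Operating Systems sections reduce to one rule: 48 hours when an exploit exists, 2 weeks for internet-facing services and for operating systems on workstations, servers and network devices, and a month for other applications. The script below applies that rule to a constructed inventory and reports what is met, late, due or overdue; it is an added example, not part of the guide, and the asset names and dates are made up.

```powershell
# Added example, not from the guide: compute the Level 3 patching deadline for each inventory
# entry and flag its status as of a report date. Inventory and dates below are constructed.
function Get-PatchDeadline {
    param(
        [datetime]$PatchReleased,
        [bool]$ExploitExists,
        [bool]$InternetFacing,
        [bool]$IsOperatingSystem
    )
    if ($ExploitExists)                         { return $PatchReleased.AddHours(48) }  # exploit overrides every other window
    if ($InternetFacing -or $IsOperatingSystem) { return $PatchReleased.AddDays(14) }   # internet-facing, or OS on any device
    return $PatchReleased.AddMonths(1)                                                  # other applications
}

function Get-PatchStatus {
    param([object[]]$Inventory, [datetime]$AsOf)
    foreach ($e in $Inventory) {
        $deadline = Get-PatchDeadline -PatchReleased $e.PatchReleased -ExploitExists $e.ExploitExists `
                                      -InternetFacing $e.InternetFacing -IsOperatingSystem $e.IsOperatingSystem
        if ($e.Installed) {
            # Patch applied: was it inside the window?
            $status = if ([datetime]$e.Installed -le $deadline) { 'MET' } else { 'LATE' }
        } else {
            # Patch outstanding: has the window already closed?
            $status = if ($AsOf -gt $deadline) { 'OVERDUE' } else { 'DUE' }
        }
        [pscustomobject]@{ Asset = $e.Asset; Item = $e.Item; Deadline = $deadline; Status = $status }
    }
}

# Constructed sample inventory (not real assets); Installed is $null while the patch is outstanding.
$inventory = @(
    [pscustomobject]@{ Asset = 'web01'; Item = 'Apache HTTPD';     PatchReleased = '2024-03-10'; ExploitExists = $true;  InternetFacing = $true;  IsOperatingSystem = $false; Installed = $null }
    [pscustomobject]@{ Asset = 'fw01';  Item = 'Firewall OS';      PatchReleased = '2024-03-01'; ExploitExists = $false; InternetFacing = $true;  IsOperatingSystem = $true;  Installed = '2024-03-12' }
    [pscustomobject]@{ Asset = 'ws042'; Item = 'Windows 10';       PatchReleased = '2024-03-12'; ExploitExists = $false; InternetFacing = $false; IsOperatingSystem = $true;  Installed = $null }
    [pscustomobject]@{ Asset = 'ws042'; Item = 'Internal LOB app'; PatchReleased = '2024-02-01'; ExploitExists = $false; InternetFacing = $false; IsOperatingSystem = $false; Installed = '2024-03-05' }
)
# Expected with the constructed data: web01 OVERDUE, fw01 MET, Windows 10 DUE, LOB app LATE.
Get-PatchStatus -Inventory $inventory -AsOf (Get-Date '2024-03-20') | Format-Table -AutoSize
```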
Restrict Administrative Privileges
Why do this: Admin accounts are the “keys to the kingdom.” Adversaries use them for full access to information and systems. There are many vulnerabilities that, if exploited, give the attacker permissions equal to the current user.
To reach level 3 maturity: All privileged access to systems or applications is limited to only what’s needed, is validated at request, then reviewed after 12 months and disabled after 45 days of inactivity. All use of and changes to privileged accounts are centrally logged and audited.
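One way to find privileged accounts that have passed the 45-day inactivity threshold above, added here as an example and not part of the guide. It assumes Active Directory with the RSAT ActiveDirectory module, and that the listed groups are the ones treated as privileged; the disable step is shown with -WhatIf so it reports without changing anything.

```powershell
# Added example, not from the guide: report privileged AD accounts inactive for more than 45 days.
# Assumes the ActiveDirectory module and a domain-joined session with read access.
Import-Module ActiveDirectory

$InactiveDays     = 45
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'  # assumed set

function Get-StalePrivilegedAccount {
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $PrivilegedGroups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |   # nested groups included
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property distinguishedName -Unique |                 # one row per account
        Get-ADUser -Properties LastLogonDate, Enabled, whenCreated |
        Where-Object {
            # LastLogonDate comes from lastLogonTimestamp, which replicates with up to 14 days of lag,
            # so it can only understate inactivity, never overstate it.
            $_.Enabled -and (
                ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $cutoff) -or   # never logged on
                ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff)
            )
        } |
        Select-Object SamAccountName, LastLogonDate, whenCreated
}

$stale = Get-StalePrivilegedAccount
$stale | Format-Table -AutoSize

# Show what the Level 3 disable step would do; remove -WhatIf once the list has been reviewed.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```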
Multi-Factor Authentication
Passwords are easily hacked. All passwords should have an additional layer of security requiring identification proof, especially when working remotely or when trying to access sensitive data.
Why do this: More than 50% of cyber incidents reported in Australia involved compromised or stolen credentials.
To reach level 3 maturity: Users authenticate with MFA to internet-facing or third-party services that store or process sensitive data.
Regular Backups
Why do this: With backups in place, your business can access data again if it is the victim of a cyber security incident. In the case of a compromised system, it is cleaner to use a backup rather than trying to take an approach of cleaning and using the system.
To reach level 3 maturity: Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.
The ACSC recommends that all businesses prioritise the implementation of the Essential Eight Maturity Model and in particular do the following six actions.
1/ Report your breach to: They should be the first call you make when a cyber breach occurs.
2/ Report all cyber crime: This is a central website run by the Australian Cyber Security Centre
3/ Know your networks: where valuable or sensitive information and infrastructure is located, and apply appropriate cyber security measures proportionate to the risk of compromise.
4/ Patch within 48 hours where an exploit exists: Cyber criminals monitor reporting of security vulnerabilities and use automated tools to regularly scan and exploit network vulnerabilities. This means that businesses can no longer rely on monthly patch update cycles and must prioritise patching to protect their networks from a cyber incident. If you are working with an MSSP, they should automatically manage this on your behalf.
5/ Understand and evaluate: The first step in cyber supply chain risk management is to identify the
6/ Prepare for a cyber: An incident response plan enables businesses to respond efficiently