The ACSC have just updated the Essential Eight (E8) maturity model to help businesses stay ahead of the threat landscape as it evolves. Our outline below is a little tech-heavy, but what it highlights is the expectation that businesses must be quicker to respond and more thorough in their efforts to maintain a level of cyber protection the ACSC considers reasonable.
Patching applications and operating systems
When a vulnerability in an application or operating system is considered critical, the ACSC recommends patching, updating or mitigating it within 48 hours of the vendor releasing a software update. This includes drivers and firmware.
If the vulnerability is not considered critical, the recommended timeframe to apply a patch is between 2 weeks and 1 month.
At efex, we minimise the risk even further for our customers by automating the patches for operating systems across all our cyber security solutions.
Multi-factor authentication (MFA)
The ACSC is elevating the minimum standard for MFA across most of the E8 maturity levels.
For businesses to maintain E8 maturity level 1, authentication requires something the user ‘has’ (e.g. a smartphone) as well as something the user ‘knows’ (e.g. a password or PIN).
In addition, web portals that store sensitive customer data must now enforce MFA for users to login.
E8 maturity level 2 businesses are being encouraged to adopt phishing-resistant MFA whereby the ‘people element’ is removed from the authentication.
An example is a vendor-neutral standard called FIDO, which pairs a device (e.g. your mobile phone) with a website you want to log in to. This generates a cryptographic key, which means the website knows you and trusts your device.
E8 maturity level 3 businesses must now implement phishing-resistant MFA on workstations for extra security.
Restrict administrative privileges
Generally speaking, team members with admin privileges have the ability to bypass security settings and access data in your network.
To minimise the risk this poses, E8 maturity level 1, 2 and 3 businesses have governance processes in place for privileged access to data storage.
These governance processes now extend to cover systems and applications as well.
For cloud services, there are now explicit identity requirements and stricter limitations on privileged accounts (e.g. site administrators) accessing the internet.
Application control
Applications on workstations can be allowed or blocked based on a set of rules (i.e. a control) that a business owner or an IT manager establishes. Application control is one of the most effective ways to strengthen the security of your business systems.
Until now, an annual review of these rulesets was required, but the new E8 update also calls for maturity level 2 businesses to implement Microsoft’s recommended application blocklist.
Restrict Microsoft Office macros
Macros are embedded code found in Microsoft Office files that help automate repetitive tasks and improve productivity.
Unless there’s a business need, all macros should be disabled for all M365 apps, as there’s a significant risk of bad actors bypassing security measures and executing malicious macros.
Where there is a business need, only secure V3 digitally signed macros should be permitted.
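The macro posture described above, as an added example that is not part of the efex article or of the ACSC guidance: a PowerShell script that applies the Office Group Policy registry values for Word, Excel and PowerPoint and then audits the result. VBAWarnings and blockcontentexecutionfrominternet are the documented Office policy value names; the registry version 16.0 (Microsoft 365 Apps), the app list and the function names are assumptions of this example. It does not set the “V3 signature only” requirement, which is configured through the Office ADMX templates.

```powershell
# Added example (not from the efex article): apply and audit an E8-style
# Office macro policy through the Office Group Policy registry locations.
# Assumes Microsoft 365 Apps (registry version 16.0) and that the script runs
# in the context of the user whose HKCU policy hive is being configured.
# VBAWarnings values (Office policy meanings):
#   4 = disable all macros without notification (default posture here)
#   3 = disable all macros except digitally signed macros (business-need carve-out)

$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint')   # assumed scope; extend as required

function Set-E8MacroPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Pass $true only where the business has approved signed macros on this device.
        [bool]$AllowSignedMacros = $false
    )
    $vbaWarnings = if ($AllowSignedMacros) { 3 } else { 4 }
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if ($PSCmdlet.ShouldProcess($key, "VBAWarnings=$vbaWarnings, blockcontentexecutionfrominternet=1")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # Policy hive overrides the user's own Trust Center choice.
            Set-ItemProperty -Path $key -Name 'VBAWarnings' -Type DWord -Value $vbaWarnings
            # Block macros in files carrying the Mark-of-the-Web (downloads, email attachments).
            Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1
        }
    }
}

function Test-E8MacroPolicy {
    # Returns one object per app. Compliant is $true only when macros are disabled
    # outright (4) or limited to signed macros (3) AND internet-sourced macros are blocked.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba = $props.VBAWarnings
        $motw = $props.blockcontentexecutionfrominternet
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $vba
            BlockInternetMacros = $motw
            Compliant           = ($vba -in @(3, 4)) -and ($motw -eq 1)
        }
    }
}

# Usage: enforce the default (all macros disabled) and print the audit.
Set-E8MacroPolicy
Test-E8MacroPolicy | Format-Table -AutoSize
```

Run Set-E8MacroPolicy with -WhatIf first to see which keys would change; Test-E8MacroPolicy alone is safe to run as a read-only check on any workstation, and an app that reports no VBAWarnings value at all is one where the user’s own Trust Center setting, not policy, is in control.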
User application hardening
Internet Explorer 11 is no longer supported by Microsoft so businesses must disable or uninstall it.
Web browsers must also be configured not to process Java or advertisements from the internet, and browser security settings must not be changeable by users.
Backups
For every business at every maturity level, backups need to be a priority. Microsoft 365 doesn’t have a built-in backup, so efex Business Resilience can take care of your backups and provide continuity if you’re hit with a breach.
The ACSC’s updates to the E8 maturity model are a strategic response to emerging cyber threats. If you haven’t already, it’s essential to understand your current maturity level, determine any gaps and then work towards closing them in line with these updated E8 guidelines.
efex Cyber Essentials and Cyber Premium are straightforward solutions that do all of the above to protect your business and strengthen your cyber maturity. Reach out to our team if you’d like to know more.
For further reading on the E8 and maturity levels, you can read our article published here.
(Feature image sourced from Australian Cyber Security Centre)