The Australian Signals Directorate (ASD) — which is tasked with providing whole-of-government security guidance as well as conducting offensive cyber operations — has released an updated list of security mitigation strategies it deems essential for government agencies to implement.
The list of eight mitigation strategies — dubbed the ‘Essential Eight’ — builds on the ASD’s Top 4 list. The Top 4 security mitigation measures have been mandatory for federal agencies since an April 2013 update to the government’s Protective Security Policy Framework.
The updated PSPF set a target date of mid-2014 for compliance. Despite their mandatory status, the implementation of the Top 4 has been mixed.
The Top 4 are whitelisting, application patching, OS patching, and the restriction of administration privileges based on user duties.
A key priority in the government’s national cyber security strategy, which was released last year, was updating the ASD’s Top 4 guidance. The ASD in May last year released a range of updated security manuals to accompany its key Top 4 guides.
The cyber security strategy also earmarked $1.3 million in additional funding for the ASD to establish a rolling program to assess the cyber security of government agencies. In addition, the ASD is to receive $11 million to boost its ability to uncover security vulnerabilities in government systems.
“Incorporating the Top 4, the eight mitigation strategies with an 'essential' effectiveness rating are so effective at mitigating targeted cyber intrusions and ransomware that ASD considers them to be the cyber security baseline for all organisations,” new ASD guidance states.
“The eight strategies will help protect businesses from ransomware, malicious insiders, business email compromise, threats to industrial control systems, and adversaries with destructive intent,” the minister assisting the prime minister for cyber security, Dan Tehan, said in a statement.
Tehan and Prime Minister Malcolm Turnbull last month announced that they would make the ASD available to brief the leaders of Australian political parties on cyber security. The announcement came in the wake of allegations that Russia sponsored the hacking of the Democratic National Committee in an attempt to influence the US election.
“The prime minister has announced a special briefing for Australia’s political institutions to help protect our democratic process against foreign cyber influence,” Tehan’s statement today said. “These eight strategies will help them, and businesses of all size, protect themselves.”
The expanded list of “essential” strategies is:
1. Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
2. Patch applications, e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with 'extreme risk' vulnerabilities within 48 hours. Use the latest version of applications.
3. Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in 'trusted locations' with limited write access or digitally signed with a trusted certificate.
4. User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
5. Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don't use privileged accounts for reading email and web browsing.
6. Patch operating systems. Patch/mitigate computers (including network devices) with 'extreme risk' vulnerabilities within 48 hours. Use the latest operating system version. Don't use unsupported versions.
7. Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high-availability) data repository.
8. Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
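As an added illustration of the third strategy above (this script is not part of the article or of ASD's published guidance), the following PowerShell audit reads the per-user Office Group Policy registry values that implement "block macros from the Internet" and "only allow signed macros" and reports which applications are not yet enforced. It assumes an Office 2016/365 (policy hive version 16.0) deployment and checks only the HKCU policy hive; the value names vbawarnings and blockcontentexecutionfrominternet are the standard Office policy settings.

```powershell
# Added example, not from the article: audit Office macro policy against
# Essential Eight item 3. Assumes Office policy hive version 16.0 (assumption).
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the value is not set by policy, i.e. the control is not enforced.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-MacroPolicy {
    param([string]$App)
    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $blockInternet  = Get-PolicyValue -Path $base -Name 'blockcontentexecutionfrominternet'
    $vbaWarnings    = Get-PolicyValue -Path $base -Name 'vbawarnings'
    $trustedLocsOff = Get-PolicyValue -Path "$base\Trusted Locations" -Name 'AllLocationsDisabled'

    [pscustomobject]@{
        Application              = $App
        # 1 = macros in files marked as downloaded from the Internet are blocked
        BlockMacrosFromInternet  = ($blockInternet -eq 1)
        # vbawarnings: 2 = only digitally signed macros run, 4 = all macros disabled silently
        OnlySignedOrDisabled     = ($vbaWarnings -in 2, 4)
        # Reported for context: the strategy permits vetted macros in locked-down trusted locations
        TrustedLocationsDisabled = ($trustedLocsOff -eq 1)
    }
}

$results = foreach ($app in $Apps) { Test-MacroPolicy -App $app }
$results | Format-Table -AutoSize

# Both controls must be enforced for the application to meet the strategy.
$nonCompliant = $results | Where-Object {
    -not ($_.BlockMacrosFromInternet -and $_.OnlySignedOrDisabled)
}
if ($nonCompliant) {
    Write-Warning "Macro policy not enforced for: $($nonCompliant.Application -join ', ')"
}
```

Machine-wide policies written under HKLM take precedence over HKCU and are not read by this script; extend the $base path accordingly if your deployment uses them.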