Australian Signals Directorate expands Top 4 cyberthreat mitigation measures to Essential 8
The Australian Signals Directorate (ASD) has expanded its Top 4 cyberthreat mitigation measures to ‘Essential eight’. ASD is responsible for providing cybersecurity guidance and setting policies for all Australian government departments and agencies. ASD's Australian Government Information Security Manual (ISM) provides supporting guidance. , while there is specific guidance for mitigating denial of service, securely using cloud computing and enterprise mobility, including personally-owned computing devices.
The ASD guidance has expanded its scope from targeted cyber intrusions (e.g. those executed by advanced persistent threats) to ransomware, external adversaries with destructive intent, malicious insiders, 'business email compromise' and industrial control systems. Insider threats, whether malicious or inadvertent and risks arising from increasingly networked and automated industrial control systems represent two of the biggest concerns in cybersecurity today.
‘Strategies to Mitigate Cyber Security Incidents’ replaces the ‘Strategies to Mitigate Targeted Cyber Intrusions’. The latter consisted of 35 strategies, of which the ‘Top 4’ mitigation strategies, have been mandatory for Australian government agencies, since April 2013.
According to ASD, at least 85% of the techniques used in cyber intrusions could be mitigated by implementing the ‘Top 4’. These were considered to form the cybersecurity baseline for all organisations. The new ‘Essential eight’ mitigation strategies, which include the previous Top 4 will form the new baseline.Any organisation that has been compromised, despite properly implementing these mitigation strategies is encouraged to notify ASD. These are customisable to each organisation based on their risk profile and the threats they are most concerned about.
The companion Strategies to Mitigate Cyber Security Incidents – Mitigation Details document provides updated implementation guidance for the mitigation strategies.
The complete list consists of 37 mitigation strategies. Three new ones have been introduced to recover data and system availability, while two logging mitigation strategies have been combined into one. Each one is rated on relative security effectiveness rating as Essential, Excellent, Very good, Good or limited. They are also rated as high, medium or low on potential user resistance, upfront cost (staff, equipment, technical complexity and ongoing maintenance cost (mainly staff), to give an idea of possible implementation challenges.
The Essential Eight are classified into two categories, the first focused on prevention and the second on minimising impact:
To prevent malware running
- Application whitelisting (Top 4)
- Patch Applications (Top 4)
- Disable untrusted Microsoft Office macros
- User application hardening (for instance, Block web browser access to Adobe Flash Player web ads and untrusted Java code on the Internet.)
To limit the extent of incidents and recover data
- Restrict administrative privileges (Top 4)
- Patch operating systems (Top 4)
- Multi-factor authentication
- Daily backup of important data
ASD advises organisations to identify their assets and perform a risk assessment to identify the level of protection required from various threats, before implementing mitigation strategies. It underlines the need for motivators, such as a detected cyber security incident, a penetration test or mandatory data breach reporting to improve their cybersecurity posture, supportive executives, access to skilled cybersecurity professionals and adequate financial resources. Motivators include a detected cyber security incident, a penetration test, mandatory data breach reporting, mandatory compliance, and evidence of a lower cyber security posture or higher threat exposure than previously realised. ASD advises implementing strategies first for high risk users and computers, such as those with access to important (sensitive or high-availability) data and exposed to untrustworthy Internet content, and then implement it for all other users and computers. Hands-on testing is a necessary subsequent step to verify the effectiveness of their implementation of mitigation strategies.