“Safeguard your businesses against cyber threats such as hackers, ransomware, and data breaches. The Essential 8 establishes robust cybersecurity measures that include proactive risk management, operational resilience, and security awareness.”
The Australian Signals Directorate (ASD), a government agency under the Department of Defence, introduced the Essential 8 as a set of baseline mitigation strategies to protect organizations from a range of cyber threats and to improve resilience against attacks on critical systems and sensitive information. It was developed with contributions from cybersecurity professionals, government officials, and industry stakeholders, and reflects ASD’s technical expertise and its commitment to safeguarding Australian organizations.
The Essential 8 forms part of the Australian Government’s cybersecurity strategy. It builds on earlier ASD guidance, in particular the Strategies to Mitigate Cyber Security Incidents (originally the “Top 35”), which provided technical recommendations and actionable advice for reducing exposure to vulnerabilities. Over time, the focus narrowed to eight fundamental strategies deemed critical for mitigating the majority of cyber risks.
The Business Objectives of the Essential 8
The Essential 8 is designed to achieve several key objectives that support the overarching goal of cybersecurity resilience:
- Risk Mitigation: By addressing common vulnerabilities and attack vectors, the Essential 8 reduces the likelihood of successful cyberattacks.
- Operational Continuity: Daily backups and proactive measures ensure that organizations can recover quickly and maintain business operations in the face of disruptions.
- Compliance: The framework provides a baseline for cybersecurity that aligns with regulatory requirements and industry standards.
- Cost Efficiency: By focusing on high-impact strategies, the Essential 8 allows organizations to allocate resources effectively without unnecessary expenditures.
- Security Culture: Implementing the Essential 8 fosters a culture of security awareness and responsibility within organizations.
Why Was the Essential 8 Proposed?
The Essential 8 was proposed in response to the increasing frequency and sophistication of cyberattacks on Australian entities. Key motivations behind its introduction include:
- Rising Cyber Threats: Organizations were facing ransomware, data breaches, and other malicious activities that threatened operational integrity and public trust.
- Cost-Effective Security: Implementing comprehensive cybersecurity measures can be resource-intensive. The Essential 8 provides a prioritization framework, enabling organizations to focus on strategies that yield significant risk reduction.
- Standardization: Disparities in cybersecurity practices across industries and institutions made it challenging to achieve consistent protection. The Essential 8 aimed to establish a benchmark for effective security measures.
- Proactive Defence: The framework emphasizes preventative actions rather than reactive responses, aiming to mitigate threats before they materialize.
The Essential 8 Checklist
- Patch Applications
- Patch Operating Systems
- Implement Multi-Factor Authentication
- Restrict Administrative Privileges
- Application Control
- Restrict the use of Microsoft Office Macros
- User Application Hardening
- Perform Regular Backups
The Essential 8 Security Strategies in Depth
1. Patch Applications
Outdated software is a common entry point for cyberattacks. This strategy emphasizes regularly applying security patches to applications to close known vulnerabilities. Patches are updates issued by the software maker or vendor; they contain feature updates, bug fixes and, often, fixes for security issues, and they are critical for maintaining the security of systems. Patching is not just installing the update: the process covers identifying vulnerabilities, applying the patches, and verifying that they have been successfully installed.
Once a patch for a vulnerability is released by a vendor, it should be applied in a timeframe commensurate with an organisation’s exposure to the vulnerability. For example, once a vulnerability in an online service is made public, it can be expected that malicious code will be developed by malicious actors within 48 hours, sometimes within 24 hours.
Affected Software for Patch Application
The “Patch Applications” strategy affects a wide range of software, including:
- Office productivity suites (e.g. Microsoft Office – Word, Excel, etc)
- Web browsers and their extensions (e.g. Internet Explorer, Google Chrome, Mozilla Firefox)
- Email clients (e.g. Microsoft Outlook)
- PDF software (e.g. Adobe Acrobat)
- Security products (e.g. Antivirus Software, Anti Malware)
- Your third-party or legacy applications (e.g. SAP, MYOB, Quicken, Salesforce, Oracle, Lotus, etc.)
- Other commonly used applications that may be targeted by cyber threats
How often should application patches be applied?
Some form of scheduled or automated process should be in place so the organization learns of new patches as vendors release them. Many vendors install update agents on PCs that check for new patches automatically; another option is to have several staff subscribed to your vendors’ security bulletins, so awareness does not depend on a single person. Once a patch is available, it should be applied within the timeframe that matches the organization’s exposure to the vulnerability, as described above.
2. Patch Operating Systems
“Patching operating systems” involves regularly updating the operating system software to fix security vulnerabilities. The operating system is the core software installed on a desktop or server that allows other applications to run. On a desktop this is typically Microsoft Windows, Apple macOS or Linux. Patches are released by vendors and are critical for maintaining the security and functionality of systems. The process includes identifying vulnerabilities, applying patches, and verifying that the patches have been successfully implemented.
Affected Software for Patch Operating Systems
The “Patch Operating Systems” strategy affects a wide range of operating systems, including:
- Windows: All versions, including Windows Server and Windows 10/11.
- Linux: Various distributions such as Ubuntu, Red Hat, and CentOS.
- macOS: Apple’s operating system for Mac computers.
- Other operating systems: including those used in network devices (e.g. Cisco IOS), servers (Unix, AIX, Novell, etc.) and specialized equipment.
How often should Operating System patches be applied?
The ASD provides specific time frames for applying patches based on the criticality of the vulnerability and the exposure risk:
- Critical vulnerabilities: Patches should be applied within 48 hours if identified as critical by vendors or if working exploits exist.
- Non-critical vulnerabilities: Patches should be applied within two weeks for internet-facing systems and within one month for non-internet-facing systems.
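The timeframes in both patching strategies are only useful if something actually measures patch age. The following PowerShell script is an added example, not code from the page or from ASD: it reads the most recent Windows hotfix and compares its age with the deadlines above, then inventories installed applications from the registry so the list can be matched against vendor bulletins. The `-InternetFacing` and `-ExploitKnown` switches, the day thresholds and the watchlist of application names are assumptions chosen to mirror the page’s numbers.

```powershell
# Added example: audit OS patch age against the timeframes above and inventory
# installed applications. Assumptions: Windows with PowerShell 5.1+; the
# thresholds (2 days with an exploit, 14 days internet-facing, 30 days otherwise)
# mirror the page and are not taken from ASD's own model text.
param(
    [switch]$InternetFacing,   # set when the host is exposed to the internet
    [switch]$ExploitKnown      # set when a working exploit is publicly available
)

function Get-PatchDeadlineDays {
    param([bool]$Internet, [bool]$Exploit)
    if ($Exploit)  { return 2 }    # 48 hours
    if ($Internet) { return 14 }   # two weeks
    return 30                      # one month
}

# 1. Operating system: newest hotfix recorded by Win32_QuickFixEngineering.
$hotfixes = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
$latest   = $hotfixes | Select-Object -First 1
$ageDays  = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
$deadline = Get-PatchDeadlineDays -Internet $InternetFacing.IsPresent -Exploit $ExploitKnown.IsPresent

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    LatestHotFix = if ($latest) { $latest.HotFixID } else { 'none' }
    InstalledOn  = if ($latest) { $latest.InstalledOn.ToShortDateString() } else { 'n/a' }
    AgeDays      = $ageDays
    DeadlineDays = $deadline
    Status       = if ($ageDays -le $deadline) { 'OK' } else { 'OVERDUE' }
} | Format-List

# 2. Applications: the Uninstall keys are where installers register name/version.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique

# Highlight the application classes the page lists as common targets (assumed watchlist).
$watchlist = 'Office', 'Chrome', 'Firefox', 'Edge', 'Outlook', 'Acrobat', 'Reader', 'Java'
$apps | Where-Object { $n = $_.DisplayName; $watchlist | Where-Object { $n -like "*$_*" } } |
    Format-Table DisplayName, DisplayVersion, Publisher, InstallDate -AutoSize

# Export the full inventory so it can be compared against vendor security bulletins.
$apps | Export-Csv -Path "$env:TEMP\app-inventory-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

Run it as `.\Check-PatchAge.ps1 -InternetFacing` on an exposed host. `Get-HotFix` only reports updates recorded through Windows’ quick-fix engineering channel, so treat an OVERDUE result as a prompt to check the patch management console rather than as the final word; the application inventory is deliberately just a list, because deciding whether a given version is vulnerable still requires the vendor’s bulletin.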
3. Implement Multifactor Authentication
Multifactor Authentication (MFA) is a security measure that requires users to provide two or more forms of verification to access a system, application, or service. This additional layer of security helps protect against unauthorized access even if one factor (such as a password) is compromised. In practice, two-factor authentication (2FA), which uses exactly two factors, is what most web portals and software vendors now implement.
What “Multifactor Authentication” or “Two Factor Authentication” Means
MFA involves using a combination of:
- Something you know: Such as a password or PIN.
- Something you have: Such as a physical token, smartcard, or mobile device.
- Something you are: Such as biometric verification (fingerprint, facial recognition).
By requiring multiple forms of verification, MFA adds an extra layer of security beyond just a password, which can be easily compromised.
Affected Software for Multifactor Authentication
MFA is applicable to a wide range of software and systems, including:
- Email services: Such as Microsoft Outlook and Gmail.
- Cloud services: Such as Microsoft 365, Office 365, Microsoft Azure, Google Workspace, and AWS.
- VPNs and remote access solutions: To secure remote connections.
- Enterprise applications: Such as ERP and CRM systems.
- Identity and access management systems: Such as Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory.
Maturity Levels for Implementing MFA
The ASD Essential 8 Maturity Model outlines different maturity levels for implementing MFA, each with specific requirements:
- Maturity Level 1: Basic implementation of MFA for all users accessing sensitive data or systems.
- Maturity Level 2: MFA is enforced for all remote access and for users with privileged access.
- Maturity Level 3: MFA is enforced for all users, including those accessing less sensitive systems, and includes advanced authentication methods such as biometrics
Organizations are encouraged to progressively implement MFA across all systems and users to achieve higher maturity levels, thereby enhancing their overall security posture.
4. Restrict Administrative Privileges
Restricting administrative privileges involves several key practices:
- Minimizing Privileged Accounts: Only a small number of users should have administrative privileges, and these should be strictly controlled and monitored.
- Separate Accounts for Admin Tasks: Users with administrative privileges should have separate accounts for administrative tasks and regular activities.
- Regular Review and Validation: Administrative privileges should be reviewed and validated regularly on a scheduled basis, to ensure they are still necessary. This includes revalidating privileges when users change roles or leave the organization.
- Least Privilege Principle: Users should be granted the minimum level of access necessary to perform their duties.
Restrict Administrative Privileges Affected Software
This strategy affects a wide range of software and systems, including:
- Operating Systems: Windows, Linux, macOS.
- Enterprise Applications: ERP, CRM, and other business-critical systems.
- Network Devices: Routers, modems, switches, firewalls.
- Cloud Services: Platforms like AWS, Azure, and Google Cloud.
- Database Management Systems: SQL Server, Oracle, MySQL.
Maturity Levels for Implementing Restrictions
The ASD Essential 8 Maturity Model outlines different maturity levels for implementing this strategy, each with specific requirements:
- Maturity Level 1: Requests for privileged access are validated when first made, and privileged accounts are identified and documented.
- Maturity Level 2: Privileged access to systems and applications is automatically disabled after 45 days of inactivity, and after 12 months unless it is revalidated.
- Maturity Level 3: The same automatic disabling and 12-month revalidation are extended to privileged access to data repositories, so that every privileged grant expires unless someone re-approves it.
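The practices listed under this strategy (minimizing privileged accounts, separate admin accounts, scheduled revalidation) and the 45-day and 12-month thresholds above can be checked from the directory itself. The following PowerShell script is an added example, not code from the page or from ASD, that enumerates members of privileged Active Directory groups and flags stale accounts. It assumes the RSAT ActiveDirectory module, an `adm-` naming prefix for dedicated admin accounts, and that the last revalidation date is stored in `extensionAttribute1`; the `Tier0-Admins` group is hypothetical.

```powershell
# Added example: review privileged group membership and flag stale or
# non-separated accounts. Assumptions: domain-joined admin host with the RSAT
# ActiveDirectory module; 'adm-' prefix marks dedicated admin accounts;
# extensionAttribute1 holds the last revalidation date (yyyy-MM-dd);
# 'Tier0-Admins' is a hypothetical custom group.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Tier0-Admins'
$inactiveLimit    = (Get-Date).AddDays(-45)      # ML2: disable after 45 days of inactivity
$revalidateLimit  = (Get-Date).AddMonths(-12)    # ML2/ML3: revalidate every 12 months

$findings = foreach ($group in $privilegedGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName `
            -Properties Enabled, LastLogonDate, whenCreated, extensionAttribute1
        $lastLogon = $u.LastLogonDate
        $reval     = $u.extensionAttribute1 -as [datetime]
        [pscustomobject]@{
            Group           = $group
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            LastLogon       = $lastLogon
            SeparateAccount = ($u.SamAccountName -like 'adm-*')
            # Enabled, has logged on before, but not within the inactivity window
            InactiveOver45d = ($u.Enabled -and $lastLogon -and $lastLogon -lt $inactiveLimit)
            # Enabled, never logged on, and older than the inactivity window
            NeverLoggedOn   = ($u.Enabled -and -not $lastLogon -and $u.whenCreated -lt $inactiveLimit)
            # No recorded revalidation, or one older than 12 months
            RevalidationDue = ($u.Enabled -and (-not $reval -or $reval -lt $revalidateLimit))
        }
    }
}

$findings | Sort-Object Group, Account | Format-Table -AutoSize

# Accounts that are not dedicated admin accounts break the separation rule.
$findings | Where-Object { -not $_.SeparateAccount } | ForEach-Object {
    Write-Warning "$($_.Account) in '$($_.Group)' is not a dedicated admin account"
}

# Disable inactive privileged accounts. -WhatIf previews the change; remove it
# once the list has been reviewed and approved through change management.
$findings | Where-Object { $_.InactiveOver45d -or $_.NeverLoggedOn } |
    Sort-Object Account -Unique | ForEach-Object {
        Disable-ADAccount -Identity $_.Account -WhatIf
    }

# Accounts overdue for revalidation go to the access-review owner.
$findings | Where-Object RevalidationDue | Select-Object Group, Account, LastLogon |
    Export-Csv -Path "$env:TEMP\privileged-revalidation-due.csv" -NoTypeInformation
```

`LastLogonDate` is replicated only every 14 days or so, so an account can appear inactive for slightly longer than it really has been; that errs on the side of flagging, which is the right direction for this review. Run the script on a schedule and keep the CSV output as the evidence that the review actually happened.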
By implementing these practices, organizations can significantly reduce the risk of unauthorized access and improve their overall security posture.
5. Application Control
Application control is a security measure designed to protect against the execution of unapproved or malicious applications. It involves creating and enforcing rules that allow only trusted applications to run on a system. This helps to prevent malware infections and unauthorized software installations.
Application Control Affected Software
Application control affects a wide range of software, including:
- Executables: Programs and applications that can be run on a computer.
- Software Libraries: Collections of pre-written code that applications can use.
- Scripts: Automated sequences of instructions, such as batch files, PowerShell, Visual Basic or Python scripts.
- Installers: Software or programs used to install applications.
- Drivers: Software that allows the operating system to communicate with hardware devices.
Implementing Application Control Steps
Implementing application control involves several key steps:
- Identifying Approved Applications: Determine which applications are necessary and trusted for your organization.
- Developing Application Control Rules: Create rules to ensure only approved applications can execute. This can be done using methods such as cryptographic hash rules, publisher certificate rules, and path rules.
- Maintaining Application Control Rules: Use a change management process to update and maintain these rules as new applications are introduced or existing ones are updated.
- Validating Application Control Rules: Regularly validate the rules to ensure they are effective and up-to-date.
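The four steps above map directly onto the AppLocker cmdlets built into Windows. The following PowerShell script is an added example, not code from the page or from ASD: it scans the locations where sanctioned software is installed, generates publisher rules with hash rules as fallback, exports the ruleset for change management, and tests it against a script dropped in a user-writable folder. The directory list, the output path and the `E8` rule-name prefix are arbitrary choices.

```powershell
# Added example: build, export and test an AppLocker ruleset following the
# identify / develop / maintain / validate steps. Assumptions: Windows
# Enterprise or Server with the AppLocker module, run elevated; the
# Application Identity service must be running for enforcement.
Import-Module AppLocker

# Step 1: identify approved applications by scanning trusted install locations
# (deliberately not user profiles or temp folders, which are where malware lands).
$trustedDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = foreach ($dir in $trustedDirs) {
    $scan = @{
        Directory   = $dir
        Recurse     = $true
        FileType    = 'Exe', 'Dll', 'Script', 'WindowsInstaller'
        ErrorAction = 'SilentlyContinue'
    }
    Get-AppLockerFileInformation @scan
}

# Step 2: develop rules. Publisher rules survive vendor patching of signed
# binaries; hash rules cover unsigned files but must be regenerated on change.
$policyArgs = @{
    FileInformation = $fileInfo
    RuleType        = 'Publisher', 'Hash'
    User            = 'Everyone'
    RuleNamePrefix  = 'E8'
    Optimize        = $true
}
$policy = New-AppLockerPolicy @policyArgs

# Step 3: maintain. Persist as XML and keep it in version control so every
# change is a reviewable diff rather than an ad-hoc console edit.
$policyPath = 'C:\AppLockerPolicy\baseline.xml'
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
$policy.ToXml() | Set-Content -Path $policyPath -Encoding UTF8

# Step 4: validate. A script in a user-writable temp folder must be denied;
# a sanctioned system binary must be allowed.
$probe = Join-Path $env:TEMP 'e8-probe.ps1'
Set-Content -Path $probe -Value 'Write-Output "probe"'
$samples = $probe, (Join-Path $env:SystemRoot 'System32\notepad.exe')
Test-AppLockerPolicy -PolicyObject $policy -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $probe -Force

# Deploy in audit mode first (EnforcementMode="AuditOnly" in the XML), review
# the Microsoft-Windows-AppLocker event logs for unexpected denials, then
# switch the collections to Enabled. Uncomment to apply on this host:
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Scanning `C:\Windows` recursively takes a while; in practice the scan is run once on a reference build and the resulting XML is deployed by Group Policy. Expect the probe script to show `Denied` with no matching rule and `notepad.exe` to show `Allowed` under a publisher rule for Microsoft Windows. Anything a user can write to and then execute from (profile, temp, removable media) should never appear in the rule set as a path rule.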
Maturity Levels for Implementing Application Control
The ASD Essential 8 Maturity Model outlines different maturity levels for implementing application control, each with specific requirements:
- Maturity Level 1: Basic implementation, including identifying and documenting approved applications.
- Maturity Level 2: Regular review and validation of application control rules, ensuring they are enforced consistently.
- Maturity Level 3: Advanced controls, such as automated enforcement and frequent validation (e.g., annually or more frequently).
By implementing these practices, organizations can significantly reduce the risk of unauthorized software execution and improve their overall security posture.
6. Restrict the use of Microsoft Office Macros
Restricting the use of Microsoft Office macros involves several key practices:
- Disabling Macros by Default: Macros should be disabled by default to prevent unauthorized execution. Users should only enable macros if they have a demonstrated business need.
- Blocking Macros from the Internet: Macros in files originating from the internet should be blocked to prevent the execution of potentially malicious code.
- Enabling Macro Antivirus Scanning: Antivirus scanning for macros should be enabled to detect and block malicious macros.
- Preventing Users from Changing Macro Settings: Users should not be able to change macro security settings, ensuring that the organization’s policies are consistently enforced.
Restrict use of Microsoft Office Macros – Affected Software
This strategy primarily affects Microsoft Office applications, including:
- Microsoft Word
- Microsoft Excel
- Microsoft PowerPoint
- Microsoft Access
Maturity Levels for the Restricted Use of Office Macros
The ASD Essential 8 Maturity Model outlines different maturity levels for implementing this strategy, each with specific requirements:
- Maturity Level 1: Basic implementation, including disabling macros by default and blocking macros from the internet.
- Maturity Level 2: Regular review and validation of macro settings, ensuring that only users with a demonstrated business need can enable macros.
- Maturity Level 3: Advanced controls, such as blocking macros from making Win32 API calls and more frequent validation of macro settings.
By implementing these practices, organizations can significantly reduce the risk of malicious macro execution and improve their overall security posture.
7. User Application Hardening
User application hardening involves implementing security measures to protect applications from being exploited by malicious actors. This includes disabling or removing unnecessary features, applying security configurations, and ensuring that applications are up-to-date with the latest security patches.
User Application Hardening – Affected Software
User application hardening affects a wide range of software, including:
- Web Browsers: Security settings should be configured to prevent processing of Java from the internet and web advertisements.
- Office Productivity Suites: Applications like Microsoft Office should be hardened to prevent the creation of child processes and executable content.
- PDF Software: Security settings should be configured to prevent unauthorized changes and ensure the software is hardened according to ASD and vendor guidance.
- Other Common Applications: This includes disabling or removing older versions of software like .NET Framework 3.5 and Windows PowerShell 2.0.
Implementing User Application Hardening Steps
Implementing user application hardening involves several key steps:
- Disabling Unnecessary Features: Remove or disable features that are not required for business operations, such as Java in web browsers and older versions of software.
- Applying Security Configurations: Follow ASD and vendor hardening guidelines to configure applications securely. This includes settings to block macros, prevent the creation of child processes, and disable web advertisements.
- Regular Updates and Patching: Ensure that all applications are regularly updated and patched to address known vulnerabilities.
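The macro restrictions listed under strategy 6 (disable by default, block internet-sourced macros, enable antivirus scanning, stop users changing the settings, block Win32 API calls) and the hardening steps just described (block Office child processes and executable content, remove PowerShell 2.0 and .NET Framework 3.5) are mostly registry policy values and Microsoft Defender Attack Surface Reduction rules. The following PowerShell script is an added example, not code from the page or from ASD, that applies and then verifies them on one host. It assumes Office 2016 or later (policy hive version `16.0`), Microsoft Defender as the antivirus engine, and elevated rights; in production the Office keys are deployed through Group Policy, which is what makes them read-only for users.

```powershell
# Added example: apply and verify Office macro restrictions and user application
# hardening. Assumptions: Office 2016+/Microsoft 365 (hive 16.0), Microsoft
# Defender AV, run elevated. Writing under HKCU\Software\Policies reproduces what
# the Office Group Policy templates set; deploy via GPO for real fleets.
$officeVersion = '16.0'
$officeApps    = 'Word', 'Excel', 'PowerPoint', 'Access'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# --- Strategy 6: restrict Microsoft Office macros ---
foreach ($app in $officeApps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    # 3 lets users with a business need run signed macros without being able to
    # enable arbitrary ones; the Policies hive greys the option out in Trust Center.
    Set-PolicyValue -Path $sec -Name 'VBAWarnings' -Value 3
    # Block macros in files carrying the Mark of the Web (downloaded from the internet).
    Set-PolicyValue -Path $sec -Name 'blockcontentexecutionfrominternet' -Value 1
}
# Antimalware Scan Interface runtime scanning of macros: 2 = scan all documents.
Set-PolicyValue -Path "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Common\Security" `
    -Name 'MacroRuntimeScanScope' -Value 2

# --- Strategy 7: user application hardening via Defender ASR rules ---
# Rule GUIDs as published by Microsoft for Attack Surface Reduction.
$asrRules = @{
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# Remove legacy engines that sidestep modern logging and controls. NetFx3 can
# break old line-of-business software, so confirm dependencies before removal.
foreach ($feature in 'MicrosoftWindowsPowerShellV2Root', 'NetFx3') {
    Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
}

# --- Verify what is now in effect ---
foreach ($app in $officeApps) {
    $p = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    [pscustomobject]@{
        App                 = $app
        VBAWarnings         = $p.VBAWarnings
        BlockInternetMacros = $p.blockcontentexecutionfrominternet
    }
} | Format-Table -AutoSize

$mp = Get-MpPreference
for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $mp.AttackSurfaceReductionRules_Ids[$i]
    if ($asrRules.ContainsKey($id)) {
        # Action 1 = Block (Enabled), 2 = Audit, 0 = Disabled
        '{0}: action={1}' -f $asrRules[$id], $mp.AttackSurfaceReductionRules_Actions[$i]
    }
}
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root, NetFx3 |
    Select-Object FeatureName, State
```

Set the ASR rules to `AuditMode` first on a pilot group and read the resulting Defender events before switching to `Enabled`; the child-process rule in particular will surface legitimate add-ins that spawn helpers. The script writes to the current user’s hive, so run the Office section in the context of the user being hardened, or, better, keep it purely as a verification tool and let Group Policy do the writing.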
Maturity Levels for Implementing User Application Hardening
The ASD Essential 8 Maturity Model outlines different maturity levels for implementing user application hardening, each with specific requirements:
- Maturity Level 1: Basic implementation, including disabling unnecessary features and applying basic security configurations.
- Maturity Level 2: Regular review and validation of application hardening settings, ensuring they are enforced consistently.
- Maturity Level 3: Advanced controls, such as automated enforcement of hardening settings and frequent validation (e.g., annually or more frequently).
By implementing these practices, organizations can significantly reduce the risk of application exploitation and improve their overall security posture.
8. Perform Regular Backups
Performing regular backups involves creating copies of critical data, applications, and system settings at regular intervals. These backups are stored securely and can be used to restore systems to a functional state in the event of data loss or corruption. Key practices include:
- Regular Backup Schedule: Establishing a consistent schedule for backups, such as daily or weekly, depending on the criticality of the data.
- Secure Storage: Ensuring backups are stored in a secure and resilient manner, such as offsite or in the cloud, to protect against physical damage or cyber attacks.
- Testing Restorations: Regularly testing the restoration process to ensure that backups can be successfully used to recover data and systems.
Affected Software for Regular Backups
The “Perform Regular Backups” strategy affects a wide range of software and systems, including:
- Operating Systems: Windows, Linux, macOS.
- Enterprise Applications: ERP, CRM, and other business-critical systems.
- Database Management Systems: SQL Server, Oracle, MySQL.
- File Servers and Network Storage: Systems that store important files and documents.
Maturity Levels for Implementing Regular Backups
The ASD Essential 8 Maturity Model outlines different maturity levels for implementing regular backups, each with specific requirements:
- Maturity Level 1: Basic implementation, including performing regular backups (at least daily) and retaining them for a minimum period (e.g., 90 days). Regularly test restoration from backups, at least annually.
- Maturity Level 2: Enhanced controls, such as identifying and authorizing specific backup administrators, ensuring unprivileged users cannot access or modify backups, and conducting more frequent restoration tests.
- Maturity Level 3: Advanced controls, including preventing all accounts except backup administrators from accessing backups, and using separate break-glass administrator accounts for making changes or removing backups.
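The three key practices (scheduled backups, secure storage, tested restoration) and the access restrictions in Maturity Levels 2 and 3 above can be shown end to end in one script. The following PowerShell script is an added example, not code from the page or from ASD: it archives a folder, writes a SHA-256 manifest, restricts the files to SYSTEM and a backup administrators group so ordinary users can neither read nor delete them, then restores into a scratch directory and verifies every hash. The source and destination paths and the `BackupAdmins` group are hypothetical.

```powershell
# Added example: backup, lock down, and rehearse a restore with integrity check.
# Assumptions: source/target paths and the local group 'BackupAdmins' are
# hypothetical; run elevated so the ACL changes succeed.
$source     = 'C:\Data\Finance'
$backupRoot = 'D:\Backups'
$adminGroup = 'BackupAdmins'            # authorised backup administrators (ML2)
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive    = Join-Path $backupRoot "finance-$stamp.zip"
$manifest   = "$archive.sha256"

# Hash every file under a root, keyed by path relative to that root, so the
# same function can describe both the source and a restored copy.
function New-HashManifest {
    param([string]$Root)
    $base = $Root.TrimEnd('\')
    Get-ChildItem -Path $base -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length + 1)
        '{0}  {1}' -f (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash, $rel
    }
}

# 1. Regular backup: run this from a scheduled task, not by hand.
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null
Compress-Archive -Path "$source\*" -DestinationPath $archive -CompressionLevel Optimal
New-HashManifest -Root $source | Set-Content -Path $manifest -Encoding ASCII

# 2. Secure storage: only SYSTEM and backup administrators may touch the files.
#    A compromised ordinary user account then cannot read, delete or encrypt them.
foreach ($f in $archive, $manifest) {
    $acl = Get-Acl -Path $f
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting, drop inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', $adminGroup) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $f -AclObject $acl
}

# 3. Test restoration: restore to a scratch directory and compare every hash
#    with the manifest written at backup time.
$scratch = Join-Path $env:TEMP "restore-test-$stamp"
Expand-Archive -Path $archive -DestinationPath $scratch -Force
$expected = Get-Content -Path $manifest
$actual   = New-HashManifest -Root $scratch
$diff     = Compare-Object -ReferenceObject $expected -DifferenceObject $actual
if ($diff) {
    Write-Error "Restore test FAILED for $archive"
    $diff | Format-Table -AutoSize
} else {
    Write-Output "Restore test passed: $($expected.Count) files verified from $archive"
}
Remove-Item -Path $scratch -Recurse -Force
```

`Compress-Archive` is used here only to make the mechanics visible; it has a 2 GB per-file limit and no incremental mode, so production backups use proper backup software. The points that carry over are the ones ransomware actually tests: the manifest is written at backup time and checked at restore time, and the ACL means the account that got phished is not the account that can delete last night’s copy. Keep at least one copy offline or on storage the backup host cannot modify, and keep the restore test on a schedule rather than waiting for an incident to find out whether it works.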
By implementing these practices, organizations can significantly reduce the risk of data loss and improve their overall resilience to cyber incidents.