ACSC tightens access controls for Australian government systems

Out goes multi-factor authentication via SMS messages, emails, voice calls, or software certificates for all but the most immature implementations of the Australian Signals Directorate's Essential Eight.
Written by Stilgherrian, Contributor

Tighter yet more flexible controls for user authentication have been set for Australian government agencies in the new Essential Eight Maturity Model published by the Australian Cyber Security Centre (ACSC).

"The ACSC is de-emphasising a number of vulnerable authentication factors within our maturity model, such as the use of SMS," an ACSC spokesperson told ZDNet.

"A recent example of the vulnerable nature of SMS was highlighted by the compromise of Reddit accounts in mid-2018, where SMS tokens were captured as part of the attack."

The Maturity Model measures an organisation's compliance with the Australian Signals Directorate (ASD) Essential Eight strategies for mitigating cyber attacks. This new version brings the model into line with the new version of the Australian government's Information Security Manual (ISM), which was also just released, following a major update in December 2018.

Maturity level three means that the organisation's implementation of the Essential Eight is in full compliance with ISM requirements. The lower maturity levels "provide stepping stones for organisations to reach a compliant state".

Previously, multi-factor authentication required the use of a passphrase plus one other factor. At maturity levels one and two, the allowed factors included SMS messages, emails, voice calls, or software certificates, but at level three they were banned, and the only acceptable options were U2F security keys, physical one-time password (OTP) tokens, biometrics, or smartcards.

Now, those first four are only permitted at level one, the most immature implementation level recognised.

"We are also moving from a 'password plus additional authentication factor' approach, to any two suitable, different authentication factors. For example, biometrics plus a U2F security key," the ACSC said.

"This supports the broader industry direction to move beyond the use of passwords and look at other, more effective protection measures such as biometrics and U2F security keys."

Further changes include:

  • Application whitelisting is now mandatory at maturity level two as well as level three.
  • Blocking of risky web content such as Flash content, Java apps, Microsoft Office macros and Object Linking and Embedding (OLE) packages, and web advertisements is now mandatory at maturity level three, as per the current version of the Essential Eight.
  • Mandatory technical security controls to prevent privileged users from reading emails and browsing the web must now also prevent them obtaining files via online services.
  • There must be an "automated mechanism" to "confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place".

While the ACSC doesn't mandate timelines for government agencies to reach specific maturity levels, the Attorney-General's Department does prescribe compliance with the Top 4 as part of its Protective Security Policy Framework (PSPF).

While maturity level 3 represents compliance with the Essential Eight, previous versions of the model included a fourth level, for "higher risk environments". That's been dropped.

"Where the ACSC believes an organisation requires a maturity level above that provided by maturity level 3, the ACSC would provide tailored advice to meet the specific needs of the organisation," the ACSC said.

"The ACSC recommends that all organisations implement the Essential Eight as a baseline, and additional mitigation strategies from the 37 Strategies beyond that, based on risk exposure and cybersecurity threats of most concern to their business."
