When the Australian Signals Directorate (ASD) released its Top Four Strategies to Mitigate Targeted Cyber Intrusions in 2011, it was revolutionary, because it cut to the chase. Do these four things first, before anything else, and you'll repel 85 percent of targeted intrusions.
On Monday, the ASD released the new improved version. It's now the Essential Eight, and the advice is just as blunt.
"The eight mitigation strategies with an 'essential' effectiveness rating are so effective at mitigating targeted cyber intrusions and ransomware, that ASD considers them to be the cyber security baseline for all organisations," the ASD writes.
"Any organisation that has been compromised despite properly implementing these mitigation strategies is encouraged to notify ASD."
The Top Four was intended to defend against targeted intrusions, including those executed by advanced persistent threats such as foreign intelligence services. That list remains the same, although the order has changed.
The Essential Eight expands the defences to cover "ransomware and external adversaries with destructive intent, malicious insiders, 'business email compromise', and industrial control systems".
The Essential Eight is divided into two sections. The first two items in each section were part of the original Top Four.
To prevent malware running:
- Implement application whitelisting, so only selected software applications can run.
- Make sure all applications are kept patched.
- Disable untrusted Microsoft Office macros, because they're increasingly being used to enable the download of malware.
- Harden user applications: configure web browsers to block Adobe Flash Player (uninstalling it if possible), web advertisements, and untrusted Java code.
Microsoft Office macros have been singled out to reflect the prevalence of malicious macros. The ASD has seen their advice "mitigate attempts to compromise Australian organisations by adversaries working for a foreign intelligence service," ASD writes.
"The list of applications has been reordered since Flash, web browsers, and Microsoft Office are exploited more than Java and PDF viewers ...
"Some organisations might choose to support selected websites that rely on ads for revenue by enabling just their ads and potentially risking compromise."
To limit the extent of incidents and recover data:
- Restrict administrative privileges to people who truly need them for managing systems, installing legitimate software, and applying patches.
- Patch operating systems, and keep them patched.
- Use multi-factor authentication.
- Back up important data daily, and store it securely.
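For readers who want to see what "the IT department doing its job properly" looks like on a single Windows host, here is a PowerShell audit script that checks the items above that can be verified locally: Office macro policy, application whitelisting, local administrator membership, and operating system patch age. It is an example written for this article, not ASD tooling, and it makes assumptions that are marked in the code: Office policy lives under the 16.0 hive (Office 2016/2019/365), AppLocker is the whitelisting mechanism, and the two thresholds ($MaxExpectedLocalAdmins, $MaxPatchAgeDays) are illustrative values, not ASD figures. Multi-factor authentication, application patching and backups are not checked here because they depend on systems beyond the host.

```powershell
# Added example for this article (not ASD's own tooling): audit a Windows host
# against the Essential Eight items that can be verified locally.
# Assumptions: Office policy keys live under the 16.0 hive (Office 2016/2019/365),
# AppLocker is the whitelisting mechanism, Get-LocalGroupMember is available
# (Windows 10 / Server 2016+), and the two thresholds below are illustrative
# values chosen for this example, not ASD figures.
# Run in an elevated Windows PowerShell 5.1 session on the host being checked.

$OfficePolicyRoot       = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$OfficeApps             = 'Word', 'Excel', 'PowerPoint'
$MaxExpectedLocalAdmins = 2    # assumption: built-in Administrator plus one break-glass account
$MaxPatchAgeDays        = 30   # assumption: illustrative threshold for "kept patched"

function Test-OfficeMacroPolicy {
    # VBAWarnings policy values: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # Below 3 a user can still click a malicious macro into life, so require 3 or 4,
    # plus the separate policy that blocks macros in files downloaded from the Internet.
    foreach ($app in $OfficeApps) {
        $key = Join-Path $OfficePolicyRoot "$app\Security"
        $vba = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $net = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Control = "Office macros ($app)"
            Pass    = ($null -ne $vba) -and ($vba -ge 3) -and ($net -eq 1)
            Detail  = "VBAWarnings=$vba blockcontentexecutionfrominternet=$net"
        }
    }
}

function Test-ApplicationWhitelisting {
    # Application whitelisting via AppLocker. Two things must be true: the effective
    # policy must carry an Exe rule collection in Enforce mode with at least one rule,
    # and the Application Identity service must be running, or nothing is enforced.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $policyXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    $exe = $null
    if ($policyXml) {
        $exe = ([xml]$policyXml).AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    }
    $ruleCount  = if ($exe) { $exe.ChildNodes.Count } else { 0 }
    $svcRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    [pscustomobject]@{
        Control = 'Application whitelisting (AppLocker)'
        Pass    = $svcRunning -and ($exe.EnforcementMode -eq 'Enabled') -and ($ruleCount -gt 0)
        Detail  = "AppIDSvc=$($svc.Status) ExeMode=$($exe.EnforcementMode) ExeRules=$ruleCount"
    }
}

function Test-RestrictedAdmins {
    # Restrict administrative privileges: list who holds local Administrators and
    # flag the host when membership exceeds the expected break-glass accounts.
    # An empty result means enumeration failed, which is reported as a failure, not a pass.
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    $detail  = if ($members.Count -gt 0) { $members.Name -join ', ' } else { 'could not enumerate group' }
    [pscustomobject]@{
        Control = 'Restrict admin privileges'
        Pass    = ($members.Count -gt 0) -and ($members.Count -le $MaxExpectedLocalAdmins)
        Detail  = $detail
    }
}

function Test-OsPatching {
    # Patch operating systems: age of the most recent installed hotfix as a rough proxy.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $days   = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { [int]::MaxValue }
    $detail = if ($latest) { "$($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString()) ($days days ago)" } else { 'no hotfix history found' }
    [pscustomobject]@{
        Control = 'Patch operating system'
        Pass    = $days -le $MaxPatchAgeDays
        Detail  = $detail
    }
}

$results = @(Test-OfficeMacroPolicy) + @(Test-ApplicationWhitelisting) + @(Test-RestrictedAdmins) + @(Test-OsPatching)
$results | Format-Table Control, Pass, Detail -AutoSize
$failing = @($results | Where-Object { -not $_.Pass })
Write-Output "$($failing.Count) of $($results.Count) checks failing"
```

Each check deliberately fails closed: a missing registry value, an AppLocker policy with no rules, a stopped Application Identity service or an empty group enumeration all count as failures, because "not configured" is the state an attacker relies on. The thresholds are the part to tune; the checks themselves are the same ones an assessor would run by hand.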
"Multi-factor authentication is now rated 'essential' to reflect the prevalence of passphrase theft and the abuse of remote access for infiltration, data exfiltration, and persistence," the ASD writes.
As with the Top Four, the Essential Eight is based on ASD's experience responding to cyber security incidents, performing vulnerability assessments, and penetration testing Australian government organisations.
The ASD has also revised its full list of mitigation strategies, classifying them as essential but of lower priority, very good, good, and limited.
The strategies of limited effectiveness include: signature-based anti-virus software; TLS encryption between email servers; network-based intrusion detection and prevention systems using signatures and heuristics; and capturing network traffic to perform incident detection and analysis.
The original Top Four won the US Cybersecurity Innovation Award in 2011. According to Alan Paller, founder and director of research of the SANS Institute, the genius was encouraging organisations to fix the Top Four before anything else.
"It takes such guts to put white space in a list, to say: 'This is enough. This matters. Do it first.' That's what Australia did, and no one else had the guts to do that," Paller told a meeting of security professionals in Sydney in 2012.
The Essential Eight is just as gutsy.
Most of the ASD's top recommendations continue to focus on basic network hygiene, and most of that can be achieved by the IT department simply doing its job properly. But cybersecurity vendors want to sell fancy and expensive techniques, some of which do very little to improve security.
The ASD's recommendation that every organisation install ad blockers will also be controversial, given that it declares as hostile a key part of online business models.
Given all the warnings about cyber threats and cyber war, we do want a secure internet, don't we? Well this is how you do it.