Understanding & implementing the essential 8: A guide for organisations

In today’s increasingly digital world, cyber threats are a constant concern for organisations of all sizes. To combat these threats, the Australian Cyber Security Centre (ACSC) has developed a set of baseline strategies known as the Essential Eight. These strategies are designed to help organisations mitigate cyber risks and protect their digital assets. This article will provide a comprehensive overview of the Essential Eight and offer practical guidance on how to implement these controls effectively.

What is the Essential 8?

The Essential 8 is a set of eight mitigation strategies that the ACSC recommends as a baseline for cybersecurity. These strategies are aimed at preventing malware delivery and execution, limiting the impact of cybersecurity incidents, and enhancing overall security posture. The Essential Eight consists of:

  1. Application Control
  2. Patch Applications
  3. Configure Microsoft Office Macro Settings
  4. User Application Hardening
  5. Restrict Administrative Privileges
  6. Patch Operating Systems
  7. Multi-factor Authentication (MFA)
  8. Regular Backups

Implementing the Essential 8

Effective implementation of the Essential 8 requires a strategic approach and a commitment to continuous improvement. Below, we provide detailed guidance on how to implement each control.

1. Application Control

Objective: Prevent malicious code from executing on systems.

Implementation Steps:

  • Whitelisting: Implement application whitelisting to ensure that only approved applications can run on your systems. This can prevent the execution of unauthorised or malicious software.
  • Regular Reviews: Regularly review and update the whitelist to ensure it includes all necessary applications and excludes any that are no longer needed.
  • Automated Tools: Utilise automated tools to enforce application control policies across the organisation.

Best Practices:

  • Start with a small, controlled environment to test the application control process before rolling it out organisation-wide.
  • Involve end-users in the process to identify necessary applications and minimise disruptions.
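The "small, controlled environment" advice above is usually implemented by running the application control policy in audit mode first. The following PowerShell snippet is an added example, not code from the original article or from the ACSC: it summarises AppLocker's own audit and block events (IDs 8003 and 8004 in the "EXE and DLL" log) so a reviewer can see which programs users actually run before the policy is switched to enforcement. The 14-day window in the usage line is an assumption.

```powershell
# Added example (not from the original article): summarise AppLocker audit/block
# decisions so an application whitelist can be reviewed before it is enforced.
# Assumes AppLocker is deployed with the "EXE and DLL" log available. Event ID
# 8003 = audit-only (would have been blocked), 8004 = blocked; both are AppLocker's own IDs.
function Get-AppLockerDecisionSummary {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent errors when nothing matches; an empty result is fine here.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    # The event body is UserData/RuleAndFileData; FilePath and TargetUser live there.
    $decisions = foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Decision = if ($e.Id -eq 8004) { 'Blocked' } else { 'AuditOnly' }
            User     = $data.TargetUser      # SID of the user who launched the file
            File     = $data.FilePath        # path as AppLocker recorded it (may use %OSDRIVE%)
        }
    }

    # Group by file so reviewers see which programs need an explicit rule.
    $decisions | Group-Object File | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            File      = $_.Name
            Attempts  = $_.Count
            Blocked   = @($_.Group | Where-Object Decision -eq 'Blocked').Count
            AuditOnly = @($_.Group | Where-Object Decision -eq 'AuditOnly').Count
            Users     = (@($_.Group.User) | Sort-Object -Unique) -join ', '
        }
    }
}

# Review the last 14 days on the local machine. Files with many AuditOnly hits are
# candidates for a rule (or a conversation with their users) before enforcing.
Get-AppLockerDecisionSummary -Days 14 | Format-Table -AutoSize
```

Run this while the policy is still in audit mode; once the AuditOnly column is empty for everything users legitimately need, the policy can be moved to enforce, and the same report then shows what is being blocked in production.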

2. Patch Applications

Objective: Mitigate vulnerabilities in applications to prevent exploitation.

Implementation Steps:

  • Automated Patching: Use automated patch management tools to regularly update applications with the latest security patches.
  • Patch Prioritisation: Prioritise patching based on the severity of vulnerabilities and the criticality of the applications.
  • Vulnerability Scanning: Conduct regular vulnerability scans to identify and remediate unpatched software.

Best Practices:

  • Establish a patch management policy that defines the frequency and process for applying patches.
  • Ensure that all stakeholders are aware of the importance of patching and the role they play in the process.

3. Configure Microsoft Office Macro Settings

Objective: Prevent the execution of malicious macros in Microsoft Office applications.

Implementation Steps:

  • Disable Macros by Default: Configure Microsoft Office to disable macros by default and only enable them for trusted documents.
  • Macro Signing: Require that all macros are digitally signed by a trusted source before they can be executed.
  • User Training: Educate users about the risks associated with macros and how to identify potentially malicious documents.

Best Practices:

  • Regularly review and update macro policies to reflect current threats and organisational needs.
  • Monitor macro usage and investigate any anomalies.
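The "disable by default" and "require signed macros" steps map to two registry values that the Office Group Policy templates write per application. The following PowerShell function is an added example (not the article's or Microsoft's code) that reports those values on a workstation and can set them. VBAWarnings 3 means "disable all macros except digitally signed", and blockcontentexecutionfrominternet 1 blocks macros in files that carry the Mark of the Web. The Office version string (16.0) and the application list are assumptions for this example.

```powershell
# Added example (not from the original article): verify, and optionally set, the
# Office macro policy values on the local user profile. In a domain these values
# should come from Group Policy; this script is for checking the result, and -Remediate
# is only for standalone or lab machines where no GPO applies.
function Test-OfficeMacroPolicy {
    [CmdletBinding()]
    param(
        [string]$OfficeVersion = '16.0',                         # assumption: Office 2016/2019/365 use 16.0
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),      # assumption: apps in scope
        [switch]$Remediate
    )

    # 3 = disable all macros except digitally signed; 1 = block macros from internet files
    $desired = @{ VBAWarnings = 3; blockcontentexecutionfrominternet = 1 }

    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"

        $current = @{}
        foreach ($name in $desired.Keys) {
            $current[$name] = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }

        $compliant = ($current.VBAWarnings -eq $desired.VBAWarnings) -and
                     ($current.blockcontentexecutionfrominternet -eq $desired.blockcontentexecutionfrominternet)

        if (-not $compliant -and $Remediate) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            foreach ($name in $desired.Keys) {
                New-ItemProperty -Path $key -Name $name -Value $desired[$name] -PropertyType DWord -Force | Out-Null
            }
            $compliant = $true
        }

        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $current.VBAWarnings                          # $null = not configured
            BlockInternetMacros = $current.blockcontentexecutionfrominternet
            Compliant           = $compliant
        }
    }
}

Test-OfficeMacroPolicy | Format-Table -AutoSize
```

If a business unit has no legitimate macros at all, the stricter value VBAWarnings 4 (disable all without notification) is the better target; the function's `$desired` table is the single place to change that.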

4. User Application Hardening

Objective: Reduce the attack surface of user applications.

Implementation Steps:

  • Disable Unnecessary Features: Disable features in user applications that are not needed, such as Flash and Java, to reduce potential attack vectors.
  • Security Settings: Configure security settings to enhance protection, such as enabling security features in web browsers and email clients.
  • Regular Updates: Ensure user applications are regularly updated with the latest security patches.

Best Practices:

  • Conduct regular audits of user application settings to ensure they comply with security policies.
  • Provide users with guidelines on how to configure their applications securely.

Enhancing cybersecurity: A user configures application settings, focusing on security features to harden defences | Empire Technologies

5. Restrict Administrative Privileges

Objective: Limit the impact of compromised accounts with administrative privileges.

Implementation Steps:

  • Least Privilege Principle: Implement the principle of least privilege by granting users the minimum level of access necessary to perform their duties.
  • Privilege Management Tools: Use tools to manage and monitor administrative privileges.
  • Regular Reviews: Regularly review and audit administrative privileges to ensure they are appropriate and necessary.

Best Practices:

  • Implement multi-factor authentication (MFA) for all administrative accounts.
  • Provide training for administrators on secure practices and the importance of privilege management.
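A "regular review" of administrative privileges needs a concrete list to review against. The following PowerShell function is an added example, not from the original article: it lists every member of the local Administrators group and flags anything that is not on an approved list, distinguishing unapproved groups (whose membership must be checked in turn) from personal accounts that hold admin rights directly. The approved principals, the `CONTOSO` domain and the `*-adm` naming convention for dedicated admin accounts are assumptions; substitute your organisation's own. Requires the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 or later).

```powershell
# Added example (not from the original article): review local administrator
# membership against an approved list. Names, domain and naming pattern are assumptions.
function Get-LocalAdminReview {
    [CmdletBinding()]
    param(
        [string[]]$Approved = @(
            "$env:COMPUTERNAME\Administrator",     # built-in local admin (should be renamed/disabled per policy)
            'CONTOSO\Domain Admins',                # assumption: approved domain groups
            'CONTOSO\Workstation Admins'
        ),
        [string]$AdminNamePattern = '*-adm'         # assumption: dedicated admin accounts end in -adm
    )

    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $name       = $_.Name
        $isApproved = $Approved -contains $name

        $finding = if ($isApproved) {
            'approved'
        } elseif ($_.ObjectClass -eq 'Group') {
            'unapproved group: review its membership'
        } elseif ($name -notlike $AdminNamePattern) {
            'personal (non-admin) account holds admin rights: violates least privilege'
        } else {
            'admin account not on approved list'
        }

        [pscustomobject]@{
            Member   = $name
            Type     = $_.ObjectClass      # User or Group
            Source   = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
            Approved = $isApproved
            Finding  = $finding
        }
    }
}

# Unapproved entries sort first so they are the first thing a reviewer sees.
Get-LocalAdminReview | Sort-Object Approved | Format-Table -AutoSize
```

Running this from a management host across a fleet (for example with `Invoke-Command`) turns the "regular review" step into a repeatable report rather than a manual inspection of each machine.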

6. Patch Operating Systems

Objective: Mitigate vulnerabilities in operating systems to prevent exploitation.

Implementation Steps:

  • Automated Patching: Use automated tools to ensure operating systems are regularly updated with the latest security patches.
  • Patch Prioritisation: Prioritise patching based on the severity of vulnerabilities and the criticality of the systems.
  • Vulnerability Scanning: Conduct regular vulnerability scans to identify and remediate unpatched systems.

Best Practices:

  • Establish a patch management policy specifically for operating systems.
  • Communicate the importance of operating system patching to all stakeholders.
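The application-patching and operating-system-patching controls share the same three steps (automate, prioritise by severity, scan for what is missing), so one added example covers both. The PowerShell below is not from the original article: it asks the Windows Update Agent (the `Microsoft.Update.Session` COM API) for software updates that are not yet installed, orders them by the MSRC severity rating so critical fixes are at the top, and reports how long it has been since the last hotfix was applied. The 30-day "overdue" threshold is an assumption; set it from your own patch management policy.

```powershell
# Added example (not from the original article): local check for pending Windows
# and Microsoft application updates, prioritised by severity, plus the age of the
# most recent installed hotfix. The 30-day threshold is an assumption.
function Get-PendingUpdateReport {
    [CmdletBinding()]
    param([int]$MaxDaysSinceLastPatch = 30)

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsInstalled=0: not yet applied; Type='Software' excludes driver updates.
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")

    # Lower rank = patch first. Unrated updates go last but are still listed.
    $rank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3 }

    $pending = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Severity   = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
            KB         = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Categories = (@($u.Categories) | ForEach-Object { $_.Name }) -join ';'
            Title      = $u.Title
        }
    }
    $pending = @($pending | Sort-Object { if ($rank.ContainsKey($_.Severity)) { $rank[$_.Severity] } else { 9 } }, Title)

    # Age of the newest installed hotfix: a crude but useful "is patching running at all?" signal.
    $lastHotfix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $daysSince  = if ($lastHotfix) { (New-TimeSpan -Start $lastHotfix.InstalledOn -End (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PendingCount       = $pending.Count
        PendingCritical    = @($pending | Where-Object Severity -eq 'Critical').Count
        LastHotfix         = if ($lastHotfix) { $lastHotfix.HotFixID } else { $null }
        DaysSinceLastPatch = $daysSince
        Overdue            = ($null -eq $daysSince) -or ($daysSince -gt $MaxDaysSinceLastPatch)
        Pending            = $pending
    }
}

$report = Get-PendingUpdateReport
$report | Select-Object ComputerName, PendingCount, PendingCritical, LastHotfix, DaysSinceLastPatch, Overdue | Format-List
$report.Pending | Format-Table Severity, KB, Title -AutoSize
```

This only sees what Windows Update knows about (Windows itself and Microsoft applications such as Office); third-party applications still need the vulnerability scanner or patch management tool the steps above describe, but the same ordering rule, severity first and then asset criticality, applies to their findings.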

7. Multi-Factor Authentication (MFA)

Objective: Strengthen authentication processes to prevent unauthorised access.

Implementation Steps:

  • MFA Implementation: Implement MFA for all critical systems and applications, particularly those accessible from the internet.
  • User Education: Educate users on the importance of MFA and how to use it effectively.
  • Continuous Monitoring: Monitor MFA usage and investigate any anomalies.

Best Practices:

  • Use a combination of factors (e.g., something you know, something you have, and something you are) for robust authentication.
  • Regularly review and update MFA policies to reflect evolving threats.

8. Regular Backups

Objective: Ensure data can be restored in the event of a cyber incident.

Implementation Steps:

  • Automated Backups: Implement automated backup solutions to ensure critical data is regularly backed up.
  • Offsite Storage: Store backups in a secure, offsite location to protect against physical disasters.
  • Backup Testing: Regularly test backups to ensure they can be restored successfully.

Best Practices:

  • Develop a comprehensive backup policy that defines the frequency and process for backups.
  • Train staff on backup procedures and the importance of regular backups.
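"Regularly test backups" is the step most often skipped, because a backup that copies files is easy to write and a backup that proves it can be restored is not. The PowerShell below is an added example, not from the original article: it copies a source tree to a backup location, records a SHA-256 manifest of every file, then performs a trial restore into a scratch folder and checks each restored file against the manifest. The paths under `$env:TEMP` and the two sample files are constructed so the example runs end to end; a real job would write to offsite or immutable storage as the steps above describe.

```powershell
# Added example (not from the original article): backup with a hash manifest,
# followed by a trial restore that verifies every file. Paths and sample data are constructed.
function Backup-WithManifest {
    param([string]$Source, [string]$Destination)

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $Destination $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*') -Destination $target -Recurse -Force

    # Manifest: relative path and SHA-256 of every file in this backup set.
    $manifest = Get-ChildItem -Path $target -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName.Substring($target.Length).TrimStart('\')
            Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    $manifest | Export-Csv -Path (Join-Path $Destination "$stamp.manifest.csv") -NoTypeInformation
    return $target
}

function Test-BackupRestore {
    param([string]$BackupPath, [string]$ManifestPath)

    $scratch = Join-Path ([System.IO.Path]::GetTempPath()) ("restore-test-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $scratch | Out-Null
    try {
        # A restore test copies the set back out exactly as a recovery would.
        Copy-Item -Path (Join-Path $BackupPath '*') -Destination $scratch -Recurse -Force

        $manifest = Import-Csv -Path $ManifestPath
        $failures = foreach ($entry in $manifest) {
            $restored = Join-Path $scratch $entry.Path
            if (-not (Test-Path $restored)) {
                [pscustomobject]@{ Path = $entry.Path; Problem = 'missing after restore' }
            } elseif ((Get-FileHash -Path $restored -Algorithm SHA256).Hash -ne $entry.Hash) {
                [pscustomobject]@{ Path = $entry.Path; Problem = 'hash mismatch' }
            }
        }
        [pscustomobject]@{
            FilesChecked = @($manifest).Count
            Failures     = @($failures).Count
            Details      = $failures
            # An empty manifest is also a failure: "nothing to restore" is not a passing test.
            Passed       = (@($failures).Count -eq 0) -and (@($manifest).Count -gt 0)
        }
    } finally {
        Remove-Item -Path $scratch -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Constructed sample data so the example runs end to end.
$src = Join-Path $env:TEMP 'e8-backup-demo\source'
$dst = Join-Path $env:TEMP 'e8-backup-demo\backups'
New-Item -ItemType Directory -Path $src -Force | Out-Null
'finance ledger 2024' | Set-Content (Join-Path $src 'ledger.txt')
'customer list'       | Set-Content (Join-Path $src 'customers.txt')

$backup   = Backup-WithManifest -Source $src -Destination $dst
$manifest = Join-Path $dst ((Split-Path $backup -Leaf) + '.manifest.csv')
Test-BackupRestore -BackupPath $backup -ManifestPath $manifest | Format-List
```

The manifest should be stored with, but separately verifiable from, the backup itself; if an incident (ransomware included) alters the backup set, the hash comparison in the restore test is what surfaces it before the backup is relied upon.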

Securing your data: Regular backups ensure data restoration and protection against cyber incidents | Empire Technologies

Conclusion

Implementing the Essential Eight is a critical step for organisations looking to enhance their cybersecurity posture. By following the guidance provided above, organisations can effectively implement these controls and mitigate the risk of cyber threats. Continuous monitoring, regular updates, and ongoing user education are key to maintaining a robust security environment.

For more detailed information and resources, organisations can visit the ACSC’s Essential Eight page (cyber.gov.au). By staying informed and proactive, organisations can better protect their digital assets and ensure their long-term security and resilience.