Going back to security basics – embracing the Essential Eight

Is your organisation picking the right security battles?

Credit: Dreamstime

When the Australian government published its Top 4 Strategies to Mitigate Targeted Cyber Intrusions, it was like applying Occam's razor to cybersecurity: the approach that makes the fewest assumptions is often the most effective.

These four comparatively straightforward strategies, the Australian Signals Directorate asserted, were sufficient to mitigate 85 per cent of identified intrusion techniques regardless of the environment. Nonetheless, five years after the publication of the Top 4, many businesses still struggle to execute its successor – the Essential Eight.

The Essential Eight aims to establish a security control baseline to make it harder for attackers to compromise a network. These recommendations are split into three categories; malware delivery prevention (application whitelisting, Microsoft Office macro configuration, application patching, and application hardening), cyber incident limitation (administrative privilege restriction, multi-factor authentication, and operating system patching), and data recovery (daily backups and regular testing).

While nothing says “kicking security goals” like dropping big money on a flashy new product, these strategies can be typically implemented without any additional technology – so what is it about implementing the Essential Eight that causes organisations so much grief?

For many CSOs, the answer lies in the fact that they are so busy doing the multitude of things that seem to matter, the few that truly do matter are either overlooked or not given the attention they deserve.

While I’m an advocate of defence-in-depth, organisations frequently muddy the water by throwing several controls at a problem that could be effectively addressed with one. At best, this is a waste of time and effort, and at worst, it actually reduces the overall security of the environment.

Log management is a perfect example. While it can be tempting to enable verbose logging for every device, application or process in the environment, doing so drives the overhead and signal-to-noise ratio through the roof, reducing the overall efficacy of the control. Sometimes less is more, and capturing key events related to high value information, applications or processes generally provides greater assurance that anomalies are not ignored. This is far more manageable than trying to make sense of the static from capturing every conceivable event.

In other cases, the issue is complicated by overcooking the basics. One organisation told me that it had recently implemented 17-character passwords – for every… single… account. While the control was no doubt effective for reducing the likelihood of password cracking, the result was effectively a DoS of the service desk phone line with countless furious users. Further, implementing a control that is so disruptive inevitably provides a very strong incentive for users to circumnavigate it.

It is this inability to pick the right security battles that too often puts organisations at risk.

The Essential Eight was devised to address exactly this problem by establishing an information security baseline for government systems: where it is assumed you cannot defend everything, these strategies help prevent you from inadvertently defending nothing.

In fact, a few simple yet well-implemented security controls can greatly reduce an organisation’s attack surface as they are easier to configure, manage, and track. A single device with an unpatched operating system, unauthorised application, or poorly secured administrator account can offer an adversary a network foothold that can undermine a multitude of other security measures.

This is especially true where the size or complexity of the environment increases the likelihood of misconfiguration or incomplete deployment, potentially creating a false sense of security.

At the end of the day, you are more likely to suffer a breach due to an overlooked or poorly configured network component than a persistent and brilliant malcontent. This is what lies at the heart of the Essential Eight – application whitelisting and proper patching practices might not be the sexiest security strategies, but they remain among the most effective.

Anyone looking to enhance the security of their environment should review the Essential Eight for a sanity check. If you’re concerned about the potential impact of a network intrusion but your privileged accounts are uncontrolled and untrusted Microsoft Office macros are rife, it might be worth putting off that shiny new security product for now, and getting back to the basics.

Elliot Dellys is principal advisor at Hivint.


Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Australian Signals Directorate (ASD)Hivint

More about Microsoft

Show Comments