The Australian Cyber Security Centre (ACSC) has strengthened its recommendations for application whitelisting, with an updated version of its ‘Essential Eight’ maturity model pushing for organisations to implement whitelisting on all servers.
The Essential Eight mitigation strategies were unveiled by the ACSC’s parent organisation, the Australian Signals Directorate, in 2017. The strategies build on the ASD’s ‘Top 4’ recommendations, which are, in theory, mandatory for Commonwealth agencies.
The Top 4 are whitelisting, application patching, OS patching, and the restriction of administration privileges based on user duties. The Essential Eight adds appropriately configuring Microsoft Office macro settings, user application hardening, implementing multi-factor authentication, and daily backups of key data, software and settings data.
The ASD has said that the Essential Eight are capable of preventing the overwhelming majority of cyber security incidents it investigates.
The ACSC last week updated its maturity model for the Essential Eight. The model allows organisations to assess their security maturity across the eight strategies, with three levels of maturity for each.
Previously, achieving a base level of maturity for the application whitelisting strategy required it to be implemented for all workstations as well as Active Directory servers, email servers and other servers handling user authentication. The update requires an application whitelisting solution to be “implemented on all servers to restrict the execution of executables to an approved set.”
The highest level of maturity now also requires the implementation of Microsoft’s latest recommended block rules to prevent application whitelisting bypasses.
The updated guide also pushes for more frequent testing of backup restoration. The base level of maturity now requires partial restoration of backups to be tested on an annual or more frequent basis, and level two requires it to be tested at least twice a year. Level three requires partial restoration of backups to be tested on a quarterly or more frequent basis.
Last year the ACSC released a major update to the government’s key security guide, the Information Security Manual. Since then the ISM has been updated on a more frequent basis, including earlier this month to incorporate the new Essential Eight maturity recommendations.