
Essential 8 Compliance Services

We will evaluate your Essential Eight compliance, establish a baseline against the required standard, and support you in achieving accreditation.


What is Essential 8?

The Essential Eight was introduced by the Australian Signals Directorate (ASD) and published in 2017. Its purpose is to protect Australian businesses from cyberattacks by securing Microsoft Windows-based, internet-connected networks through the implementation of eight security controls. These eight security controls are grouped under three primary objectives: prevent attacks, limit attack impact, and data availability.

3 Primary Objectives covering 8 controls

01

Prevent Cyber Attacks

  • Application Control - maintaining control over applications to prevent the execution of unauthorised or unapproved software, e.g. .exe files and scripts.

  • Patch Applications - to remediate or fix any identified vulnerabilities in applications, keeping applications up to date with the latest patches and updates installed.

  • Configure MS Office Macros - ensure that unwanted macros from the internet are blocked, allowing only vetted macros within trusted locations.

  • User Application Hardening - to protect systems against an application's vulnerable functionality, e.g. configure web browsers to block Flash, ads and JavaScript.

02

Limit Attack Impacts

  • Restrict Admin Privileges - to prevent admin users from having powerful access to systems. Routinely re-evaluate the need for privileges.

  • Patch OS Systems - ensure that the latest operating system version is in use and prevent the use of unsupported versions. Mitigate any identified vulnerabilities that are of ‘extreme risk’ within 48 hours of their discovery.

  • Multi-Factor Authentication - to protect against risky activities, MFA covers VPNs, RDP, SSH and other remote access, and applies to all users who have privileged access to sensitive systems and networks.

03

Data Availability

  • Regular Data Backups - maintaining daily backups to ensure that access to critical data is always available even in the event of a cyber-attack or incident. 

What are the key benefits of Essential 8?

Concise and Clear

It gives clear directives to organisations that are looking to reduce the chance of falling prey to data breaches. 

Achievable compliance goals

The compliance goals are easy to reach and have clear outcomes; it is achievable for organisations to prove their compliance to a certain level of maturity.

Risk Vs Response

The different maturity levels in Essential 8 allow organisations to mitigate risk to a level equal to the adversary they are likely to face, which can be useful when looking to align with risk management goals.

A focus on technical solutions

The strategies in Essential Eight focus on technical factors for mitigation.

How is Essential 8 implemented?

To assist with implementation, the Essential Eight framework is supplemented by a maturity model, built on the basis of ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and prior experience assisting businesses in the implementation of the Essential Eight. The maturity model consists of four different maturity levels (Maturity Level Zero to Maturity Level Three). 

Maturity 0

Signifies that there are weaknesses in an organisation’s overall cyber security posture.

Maturity 1

Organizations at this level have fundamental protections in place to help prevent cybercriminals and other threat actors from infiltrating systems using common tools and techniques.

Maturity 2

Signifies that strategies are implemented to mitigate a range of sophisticated security attacks, including those that exploit elevated user privileges and vulnerabilities like credential harvesting.

Maturity 3

At the highest level of maturity, organizations deploy a variety of tools, including targeted application controls, workstation logging, and monitoring, to swiftly detect and investigate anomalous activity. They also prioritize rapid patching of known vulnerabilities.

When implementing the Essential Eight, businesses should identify a target maturity level suitable for their environment, and then progressively work on getting each of the eight security controls up each maturity level until that target is achieved. As the eight security controls or strategies complement each other, businesses should plan to achieve the same maturity level across all eight strategies before moving on to higher levels. 

 

The Australian Cyber Security Centre recommends that organisations aim to reach Maturity Level 3 for each mitigation strategy. Once this is achieved, it is important for organisations to maintain that status and recognise that Essential 8 is just a baseline for cybersecurity. If the ACSC believes that your organisation requires a higher level of maturity, they will provide tailored solutions to meet your specific cybersecurity needs.

How can Stickman Cyber help?

At StickmanCyber we can help you implement the Essential 8 framework from start to finish using our continuous cybersecurity improvement methodology. Outlined below are the key phases:

Phase 1: Assess - The scope of the engagement will be defined, and a cybersecurity assessment conducted to identify the alignment of current ICT systems, policies and processes with the ACSC Essential 8.

Phase 2: Plan - From the outcome of Phase 1, the remediation activities identified will be reviewed and prioritised based on the organisation's requirements and recommended maturity.

 

Phase 3: Execute - Assisting the client in the implementation of the controls identified in Phase 2.

 

Phase 4: Monitor - This phase is usually performed monthly as a progress update, with annual reassessment of the activities conducted and maturity achieved, reported to top-level management.

 

Phase 5: Maintain - This phase is ongoing after Phase 2 to ensure progress is monitored and improvements are implemented, to maintain the level of maturity required.
