The Australian Cyber Security Centre (ACSC) publishes a guideline called ‘Strategies to Mitigate Cyber Security Incidents’, and the Essential Eight are the core mitigations drawn from it. Australian Government departments’ cyber resilience is measured against these controls. The Australian Signals Directorate’s analysis of the targeted intrusions it responded to found that the first four of them alone (the ‘Top 4’) would have mitigated at least 85% of the intrusion techniques it observed, so implementing the full Essential Eight is a very sound security strategy to follow.
Let’s explore the ACSC’s Cyber Maturity Model for Essential Eight compliance to understand how it works, what to look out for and why you should apply it within your organisation.
Maturity models have been around for decades; the best known, the Capability Maturity Model, was developed at Carnegie Mellon University’s Software Engineering Institute for the US Department of Defense. In essence, a maturity model measures process or implementation maturity, using five levels to report on how consistently and repeatably an organisation achieves a given outcome.
With cyber security, ACSC’s Essential Eight cyber maturity model helps organisations determine compliance with those eight critical security controls:
- Application whitelisting
- Patching applications
- Configuring Microsoft Office macro settings
- User application hardening
- Restricting administrative privileges
- Patching operating systems
- Multi-factor authentication
- Daily backups of important data
As a rule of thumb, organisations are encouraged to aim for a maturity level of three, since at level three controls are institutionalised and consistently implemented across the entire organisation.
ACSC advises that organisations, such as critical infrastructure providers, that are under continued and unrelenting attack by highly skilled adversaries – known as advanced persistent threats (APTs) – should strive for level four maturity (the highest level), as at this level, security controls are performing at their best.
You and your security team should start by preparing an honest current state review. It’s easy to self-assess at maturity level three without looking at the underlying implementation detail. Yet, the detail is where the weaknesses can negate the value of the control. To achieve maturity level three against the Essential Eight’s Application Whitelisting control, for instance, the following conditions need to be met:
If any of these conditions are not met, you can’t claim level three maturity for Application Whitelisting. At level three, the solution must extend to all important servers, whereas at level four, it has to extend to all servers. Application Whitelisting is a powerful security control: only executables that have been explicitly approved are allowed to run, so unknown software is blocked by default. Its value depends on the detail, though. A deployment that whitelists executables but leaves scripts, installers and software libraries (DLLs) uncontrolled still lets an attacker run code, which is why the review must check the scope of the implementation and not just that a product is installed. Anyone who has implemented Application Whitelisting also knows how hard it is to set up, with significant integration and software distribution overheads, leading to an increase in service desk calls and inflated costs.
When Application Whitelisting runs on workstations, the payload dropped by a so-called drive-by download cannot execute, and malware launched from a malicious email attachment is blocked in the same way.
Looking into the detail is when things get interesting. Take the control called, Configure Microsoft Office Macro Settings. At cyber maturity level three, the following requirements are specified:
By implementing these requirements throughout your organisation, most common macro malware will be stopped. Most harmful macro code arrives in malicious email attachments: spreadsheets or documents carrying Visual Basic for Applications (VBA) code that executes once the file is opened and macros are enabled, at which point the infection takes hold. Files downloaded from the Internet or saved from an email attachment carry the Mark of the Web (stored on NTFS in the Zone.Identifier alternate data stream), and these macro controls use that mark to block macros in such files before a user can enable them. Users can continue to write their own macros and publish them inside the organisation from Trusted Locations, so no functionality is lost. The caveat is that a Trusted Location bypasses the macro settings entirely, so each one must be a path ordinary users cannot write to; otherwise an attacker only needs to get a document dropped into it.
If you prefer to aim for cyber maturity level four (targeted at higher risk environments such as critical infrastructure), then the requirements change as follows:
At cyber maturity level four, all macro code is blocked. There is no doubt that this is a more secure configuration, but it renders VBA unusable by all users. If your users rely on macros then level four isn’t a tenable security target, since the loss of functionality won’t be tolerated by the business. In this case you could seek an alternative way to achieve the same level of risk reduction, such as through monitoring what macros do when they run and alerting your Security Operations Centre when something malicious occurs.
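The level three and level four macro configurations discussed above come down to a handful of Office policy settings. The following PowerShell is an added example and is not code from the original article or from the ACSC model: it reads the per-user Office policy values that implement the macro controls, reports which of the two levels each application satisfies, and shows how the two profiles are written side by side. The registry paths and value names are Microsoft’s documented Office policy settings; mapping them onto ‘level three’ and ‘level four’ is this example’s own reading of the text above, and the Office version key (16.0) and the three applications checked are assumptions.

```powershell
# Added example: not part of the original article or of the ACSC model.
# Audits the per-user Office policy values behind the macro controls and
# reports the maturity level those values satisfy. Paths and value names are
# Microsoft's documented Office policy settings; the level mapping is this
# example's interpretation of the article, not ACSC's wording.

$OfficeVersion = '16.0'                      # assumption: Office 2016/2019/Microsoft 365
$Apps = 'Word', 'Excel', 'PowerPoint'        # assumption: the applications that matter here

# VBAWarnings: 1 = enable all macros, 2 = disable with notification (user can click Enable),
#              3 = disable except digitally signed, 4 = disable all without notification.
# blockcontentexecutionfrominternet: 1 = block macros in files carrying the Mark of the Web.
# Trusted Locations\AllLocationsDisabled: 1 = Trusted Locations are ignored entirely.
# Trusted Locations bypass VBAWarnings, so "all macros blocked" needs both values.

function Get-MacroPolicy {
    param([string]$App)
    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $sec  = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $tl   = Get-ItemProperty -Path "$base\Trusted Locations" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App                  = $App
        VBAWarnings          = $sec.VBAWarnings                       # $null when not set by policy
        BlockInternetMacros  = $sec.blockcontentexecutionfrominternet
        AllLocationsDisabled = $tl.AllLocationsDisabled
    }
}

function Get-MacroMaturityLevel {
    param([pscustomobject]$Policy)
    # Level three (as this example reads the article): macros from the Internet are
    # blocked and unsigned macros only run from Trusted Locations.
    $level3 = ($Policy.BlockInternetMacros -eq 1) -and ($Policy.VBAWarnings -in 3, 4)
    # Level four: every macro is blocked, including those sitting in Trusted Locations.
    $level4 = ($Policy.VBAWarnings -eq 4) -and ($Policy.AllLocationsDisabled -eq 1)
    if ($level4) { return 4 }
    if ($level3) { return 3 }
    return 0   # anything weaker, or no policy at all, does not meet level three
}

function Set-MacroPolicy {
    # Writes one application's policy values; used here to show the two profiles side by side.
    param([string]$App, [int]$VBAWarnings, [int]$BlockInternet, [int]$DisableTrustedLocations)
    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    New-Item -Path "$base\Trusted Locations" -Force | Out-Null        # creates missing parent keys
    Set-ItemProperty -Path $base -Name VBAWarnings -Value $VBAWarnings -Type DWord
    Set-ItemProperty -Path $base -Name blockcontentexecutionfrominternet -Value $BlockInternet -Type DWord
    Set-ItemProperty -Path "$base\Trusted Locations" -Name AllLocationsDisabled -Value $DisableTrustedLocations -Type DWord
}

# Level three profile (macros still run from Trusted Locations):
#   foreach ($a in $Apps) { Set-MacroPolicy -App $a -VBAWarnings 3 -BlockInternet 1 -DisableTrustedLocations 0 }
# Level four profile (no macro runs anywhere):
#   foreach ($a in $Apps) { Set-MacroPolicy -App $a -VBAWarnings 4 -BlockInternet 1 -DisableTrustedLocations 1 }

$results = foreach ($a in $Apps) {
    $p = Get-MacroPolicy -App $a
    $p | Add-Member -NotePropertyName MaturityLevel -NotePropertyValue (Get-MacroMaturityLevel $p) -PassThru
}
$results | Format-Table -AutoSize
# The host is only as mature as its weakest Office application.
$hostLevel = ($results.MaturityLevel | Measure-Object -Minimum).Minimum
"Host macro maturity level: $hostLevel"
```

Two points for anyone adapting this. First, the audit reads the Policies hive because ‘settings cannot be changed by users’ is only true when the values are delivered by Group Policy or a management agent; a value written locally with Set-MacroPolicy is overwritten at the next policy refresh and can be undone by the user, so the function is there to show the profiles, not as the deployment method. Second, the level four check insists on AllLocationsDisabled: leaving Trusted Locations enabled with VBAWarnings set to 4 still runs every macro placed in those folders.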
The Essential Eight controls are the most fundamental security requirements you can implement to protect your organisation from attackers. Monitoring compliance of your security controls lets you ensure your defences remain effective as your systems change and threats evolve. Let’s look at one of the Essential Eight controls, ‘daily backup of important data’, as an example.
Without good backups, it’s hard to recover from a ransomware infection. Regular backups that are verified by test restores allow you to revert to a known-good copy of your data, and rebuilding from that copy is how you eradicate the infection from your systems. Ransomware operators routinely delete or encrypt any backups they can reach, so at least one copy must be offline or otherwise immutable from the accounts an attacker would have compromised. By monitoring your backup system using system management tools, or by having your security team monitor backup job events in your Security Information and Event Management (SIEM) system, you can watch compliance continuously and fix issues when they appear: a job that fails, a job that ‘succeeds’ having written nothing, or an important system that never reports at all.
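The following PowerShell is an added example, not code from the original article, showing the monitoring logic a SIEM rule or scheduled script would apply to backup-job events to check the ‘daily backup of important data’ control. The log format, host names, timestamps and the list of important systems are all constructed for the example; the regex would be adapted to the actual export of your backup product.

```powershell
# Added example: not part of the original article. Checks daily-backup compliance
# from backup-job log lines. Log format, hosts and timestamps are constructed.

$AsOf = Get-Date '2019-05-10 09:00:00'       # fixed "now" so the example is reproducible
$MaxAgeHours = 24                            # the control says daily

# Assumption: the list of important systems comes from your asset register.
# A host that never logs a job at all is the gap this list is there to catch.
$ImportantHosts = 'fileserver01', 'sqlserver01', 'exchange01', 'hr-app01'

# Constructed sample log, one line per backup job (UTC timestamps).
$SampleLog = @'
2019-05-09T22:05:11Z host=fileserver01 job=nightly-fs   status=SUCCESS bytes=51234567890
2019-05-09T22:07:40Z host=sqlserver01  job=nightly-db   status=SUCCESS bytes=8123456789
2019-05-08T22:06:02Z host=exchange01   job=nightly-mail status=SUCCESS bytes=9123456789
2019-05-09T22:09:55Z host=exchange01   job=nightly-mail status=FAILED  bytes=0
2019-05-09T22:10:12Z host=sqlserver01  job=nightly-db   status=SUCCESS bytes=0
'@

function Get-BackupEvents {
    param([string]$LogText)
    $pattern = '^(?<ts>\S+)\s+host=(?<server>\S+)\s+job=(?<job>\S+)\s+status=(?<status>\S+)\s+bytes=(?<bytes>\d+)'
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time   = [datetime]::ParseExact($Matches.ts, "yyyy-MM-dd'T'HH:mm:ss'Z'",
                             [System.Globalization.CultureInfo]::InvariantCulture)
                Server = $Matches.server
                Job    = $Matches.job
                Status = $Matches.status
                Bytes  = [long]$Matches.bytes
            }
        }
    }
}

function Test-DailyBackup {
    param([object[]]$Events, [string[]]$Servers, [datetime]$Now, [int]$MaxAge)
    foreach ($s in $Servers) {
        # Only a successful job that actually wrote data counts; a FAILED job or a
        # zero-byte "SUCCESS" (empty source, misconfigured job) does not.
        $lastGood = $Events |
            Where-Object { $_.Server -eq $s -and $_.Status -eq 'SUCCESS' -and $_.Bytes -gt 0 } |
            Sort-Object Time -Descending |
            Select-Object -First 1
        $lastTime = if ($lastGood) { $lastGood.Time } else { $null }
        $finding  = if (-not $lastGood) { 'NO_VALID_BACKUP' }
                    elseif (($Now - $lastTime).TotalHours -gt $MaxAge) { 'STALE' }
                    else { 'OK' }
        [pscustomobject]@{
            Server   = $s
            LastGood = $lastTime
            Finding  = $finding
        }
    }
}

$report = Test-DailyBackup -Events (Get-BackupEvents $SampleLog) -Servers $ImportantHosts -Now $AsOf -MaxAge $MaxAgeHours
$report | Format-Table -AutoSize
# Anything that is not OK is what the SOC should be alerted on.
$report | Where-Object Finding -ne 'OK'
```

On the constructed sample this reports fileserver01 and sqlserver01 as OK (sqlserver01’s later zero-byte ‘success’ is ignored in favour of the earlier real one), exchange01 as STALE because its only valid backup is from the previous night and the latest run failed, and hr-app01 as NO_VALID_BACKUP because it never logged anything. The three findings correspond to the three ways the control silently degrades in practice, and the last one is only visible because the check is driven from the list of important systems rather than from whatever happens to appear in the log.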
Your organisation’s cyber maturity may not be measured against the Essential Eight, since there are many other recommended models depending on the jurisdiction your business operates in; for example, the UK NCSC’s 10 Steps to Cyber Security, or the US Department of Energy’s Cybersecurity Capability Maturity Model (C2M2), originally established to measure maturity in the energy sector. However, there is no doubt that the Essential Eight provides an excellent security baseline.
Reference: ACSC’s Essential Eight Maturity Model, https://acsc.gov.au/publications/protect/Essential_Eight_Maturity_Model.pdf