Take a moment to pat yourself on the back!
You’ve worked hard to implement each of the eight cyber risk mitigation strategies contained in the Australian Signals Directorate’s (ASD) Essential Eight. Now that you’ve reached Maturity Level One (ML1), your organisation should be ready to stop the most common types of cyber-attack.
But this is just the first step. What if your organisation were to face a more sophisticated threat actor?
This is where the Essential Eight Maturity Level Two (ML2) can assist. ML2 takes your cyber maturity to the next level, arming you to defend against more determined attackers.
What is Essential Eight Maturity Level Two?
The focus of ML2 is on threat actors who have more advanced or sophisticated capabilities. Such attacks may occur less frequently, but the threat they can pose to your organisation is greater.
These attackers aren’t just looking for easy targets. They are prepared to invest time and effort in specifically targeting organisations that offer greater rewards.
Importantly, these attackers will make use of more effective tools in carrying out their malicious activities. It is likely that they will seek to bypass security controls and evade detection using compromised credentials. These may be obtained via phishing and social engineering techniques.
By aligning with ML2, your organisation can help stop attackers who are deliberately targeting your organisation.
How does Maturity Level Two differ from Maturity Level One?
One of the key features of the Essential Eight’s Maturity Level Two is its focus on incident response.
Incident response is vital as it is impossible to reduce cyber risk down to zero. In the event of a cyber incident, it is essential that organisations have the ability to respond effectively and recover quickly. This will enable them to resume operations and contain any damage caused by the incident.
ML2 emphasises the importance of continuously analysing cyber security events, so that a rapid response can be launched whenever a cyber security incident occurs. That is why continuous monitoring of your digital environment, using a SIEM platform, together with a comprehensive incident response plan, is essential.
ML2 also emphasises the need for cyber security incidents to be appropriately escalated to your organisation’s Chief Information Security Officer (CISO) or another appropriate individual, as soon as possible. This will help ensure that your incident response plan is enacted quickly, thereby containing the damage to your organisation.
Furthermore, ML2 emphasises the importance of reporting cyber incidents to the Australian Signals Directorate (ASD) as soon as possible after they occur or are discovered.
1- APPLICATION CONTROL
To reach ML1, we recommended that you limit staff to applications that you know to be trustworthy, and that you could achieve this with the use of an application whitelisting platform.
To reach ML2, it is important to realise that, like everything in cyber security, application control is not a “set and forget” activity. You will need to strengthen your application control settings on an ongoing basis. One of the most effective ways you can achieve this is through implementing AppLocker, Microsoft’s built-in application control feature.
AppLocker is an application whitelisting platform that restricts which applications users can run based on a range of rules, including the software’s publisher (its developer) or its file path. Your IT administrators will be able to implement rules according to defined groups within your organisation, or even for specific individual users.
In line with the need for continuous strengthening, you should also ensure you are reviewing the rules you implement around application controls on an annual basis.
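The following is an added example, not code from the original article: it builds an AppLocker policy from the software already installed, deploys it in audit-only mode so nothing is blocked yet, and then lists what would have been blocked so the rules can be reviewed before enforcement. The directory and output paths are assumptions; it assumes a Windows edition that supports AppLocker and an elevated PowerShell session.

```powershell
# Added example: baseline AppLocker policy, audited before enforced.
Import-Module AppLocker

# Assumed locations of approved software and of the policy file.
$appDirs    = 'C:\Program Files', 'C:\Program Files (x86)'
$policyPath = 'C:\Policies\AppLocker-Baseline.xml'

# Inventory executables and build Publisher rules (signed files) with a Hash
# fallback for unsigned ones; Everyone is allowed, so nothing outside the
# inventory can run once the policy is enforced.
$fileInfo = $appDirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}
$policyXml = [xml]($fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml)

# Start every rule collection in AuditOnly: violations are logged, not blocked.
foreach ($collection in $policyXml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
$policyXml.Save($policyPath)

# Apply to the local policy (merge keeps any rules already present) and make
# sure the Application Identity service, which AppLocker depends on, is running.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Review: event 8003 in the AppLocker log records executables that WOULD have
# been blocked under audit mode. Anything legitimate here needs a rule before
# EnforcementMode is switched to 'Enabled'.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n='User';e={$_.UserId}}, @{n='File';e={$_.Properties[10].Value}} |
    Sort-Object File -Unique
```

Re-run the review step after the annual rule review the article calls for, since newly installed software will show up as 8003 events until a rule covers it.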
2- PATCH APPLICATIONS
When it came to application patching, we advised that ML1 required organisations to develop and implement patching processes, preferably on a routine basis, such as monthly.
Once you have procedures in place to help you keep up to date with application patching, ML2 requires you to take the next step by using vulnerability scanners, so no applications are accidentally forgotten.
Ideally, vulnerability scanning should occur on a fortnightly basis. Scans can help you identify any missing patches or updates in your environment.
In particular, a vulnerability scanning tool can be used to pinpoint bugs in applications that tend to fall between the cracks. Most organisations prioritise patching Microsoft 365, web browsers, email clients, PDF software, and security products. However, organisations often have a range of other applications in their environment that tend to be patched less frequently.
3- CONFIGURE MICROSOFT OFFICE MACROS
Macros, which allow users to automate a range of repetitive actions in the Microsoft Office suite of applications, can represent a significant risk to an organisation. Because a macro can run code as soon as a document is opened, cyber-criminals are known to manipulate macros in order to execute malicious software.
That is why we advised that it was important to disable macros to achieve ML1, unless specific employees could demonstrate an overriding need for them to access macros.
You should also have controls in place that prevent individual users from changing macro settings in the Microsoft Office suite. This helps ensure that users cannot circumvent macro security controls.
In order to align with ML2, you should also ensure that macros cannot make Win32 API calls. Win32 is an application programming interface (API) that allows developers to create applications that can run on the Microsoft Windows operating system.
Cyber-criminals can abuse Win32 API calls from within a macro to launch malicious shellcode without writing anything directly to disk.
4- APPLICATION HARDENING
When it comes to application hardening, you should already have deactivated software functionality that is not required, as well as blocked Flash or JavaScript, both of which can represent a security risk.
When taking the next step to achieve ML2, harden your applications in line with Australian Signals Directorate (ASD) guidance, as well as guidance from software vendors.
This particularly applies to Microsoft Office applications, as well as PDF software and web browsers.
Importantly, you should ensure that individual users do not have the ability to override security settings, and that Microsoft Office applications are prevented from creating child processes.
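The two Office hardening points above (no Win32 API calls from macros, and no child processes spawned by Office applications) map directly onto two Microsoft Defender Attack Surface Reduction (ASR) rules. The following is an added example, not code from the original article: it enables both rules in audit mode, shows how to confirm their state, and reads the audit events that tell you whether any legitimate workflow would break before switching to Enabled. It assumes Microsoft Defender Antivirus is the active antivirus and the shell is elevated.

```powershell
# Added example: Defender ASR rules for the Essential Eight ML2 Office controls.
# Rule GUIDs are Microsoft's published identifiers for these two rules.
$asrRules = [ordered]@{
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

# 'AuditMode' logs what would be blocked; change to 'Enabled' once the audit
# log is clean. 'Disabled' is the weak setting this replaces.
$action = 'AuditMode'

foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $action
    Write-Host "Set '$($asrRules[$id])' to $action"
}

# Verify: Get-MpPreference returns two parallel arrays (ids and actions).
# Action codes: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode, 6 = Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    if ($asrRules.Contains($id)) {
        $state = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
            0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } 6 { 'Warn' } default { 'Unknown' }
        }
        Write-Host ("{0,-62} {1}" -f $asrRules[$id], $state)
    }
}

# Review audit hits: Event ID 1122 = ASR rule audited (would have blocked),
# 1121 = ASR rule blocked. Each hit names the rule GUID and the process.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message; $asrRules.Keys | Where-Object { $m -match $_ } } |
    Select-Object TimeCreated, Id, @{n='Summary';e={($_.Message -split "`n")[0]}}
```

Note that a user-level ASR exclusion or a rule set to Disabled by a later Group Policy will silently win, so the verify step above is worth repeating after each policy refresh.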
5- RESTRICT ADMINISTRATIVE PRIVILEGES
When aligning with ML1, we spoke of the importance of implementing the Principle of Least Privilege (PoLP) to ensure users only have access to systems and data that they absolutely require in order to perform their job.
Once you have implemented user roles and assigned appropriate privileges, there are a number of additional steps you can take to align with ML2.
You should ensure that user roles with privileged access to systems, applications and data are disabled after 12 months, unless revalidated. Furthermore, you should have systems in place to disable a privileged user’s access to systems, applications and data if the user has been inactive for 45 days.
Such measures are particularly important for larger organisations where staff turnover may be high. It is often difficult to ensure that departing employees are quickly offboarded from Active Directory, so you need measures in place to ensure that former employees no longer have access to privileged user accounts.
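The following is an added example, not code from the original article: it implements the two ML2 rules above for Active Directory, disabling privileged accounts with no logon in 45 days and flagging privileged accounts that have not been revalidated within 12 months. It assumes the RSAT ActiveDirectory module, that privileged access is tracked through membership of the listed groups, and that the last revalidation date is stored in extensionAttribute1; the group list and attribute are assumptions for your environment.

```powershell
# Added example: Essential Eight ML2 privileged account hygiene in AD.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$inactiveDays     = 45    # ML2: disable privileged access after 45 days inactive
$revalidateMonths = 12    # ML2: disable after 12 months unless revalidated
$dryRun           = $true # set to $false to actually disable accounts

# Distinct user accounts that hold privileged group membership (nested groups resolved).
$privilegedUsers = $privilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object -Property distinguishedName -Unique
$privilegedDNs = @($privilegedUsers.distinguishedName)

# 1. Inactivity: Search-ADAccount uses the replicated lastLogonTimestamp, so
#    it is safe to run against any domain controller.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $inactiveDays) -UsersOnly |
    Where-Object { $_.Enabled -and ($privilegedDNs -contains $_.DistinguishedName) }

foreach ($account in $inactive) {
    Write-Host "Disabling $($account.SamAccountName): last logon $($account.LastLogonDate)"
    Disable-ADAccount -Identity $account.DistinguishedName -WhatIf:$dryRun
    Set-ADUser -Identity $account.DistinguishedName -WhatIf:$dryRun `
        -Description "Disabled $(Get-Date -Format yyyy-MM-dd): privileged, inactive > $inactiveDays days"
}

# 2. Revalidation: flag privileged accounts whose recorded review date is missing
#    or older than 12 months, so the account owner can revalidate or the account is disabled.
$cutoff = (Get-Date).AddMonths(-$revalidateMonths)
foreach ($dn in $privilegedDNs) {
    $user = Get-ADUser -Identity $dn -Properties extensionAttribute1, Enabled
    if (-not $user.Enabled) { continue }
    $lastReview = [datetime]::MinValue
    $parsed = [datetime]::TryParse([string]$user.extensionAttribute1, [ref]$lastReview)
    if ($parsed -and $lastReview -gt $cutoff) { continue }
    Write-Warning ("{0}: no revalidation within {1} months (last review: {2}); disable unless revalidated" -f
        $user.SamAccountName, $revalidateMonths, $(if ($parsed) { $lastReview.ToShortDateString() } else { 'none' }))
}
```

Scheduling this script daily and feeding its output to the SIEM gives you both the control and the evidence that the control is operating, which is what an ML2 assessment will ask for.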
6- PATCH OPERATING SYSTEMS
Patching Operating Systems (OS) was essential for aligning to ML1. When it comes to achieving alignment with ML2, it is best to ensure that OS patching is taking place on a routine basis.
Review OS patching processes, not only when it comes to servers, but also with regards to endpoints. This can be particularly challenging in a BYOD (bring your own device) environment.
Conduct random audits of the personal devices staff are using for work purposes, to ensure all staff are keeping the OS on their devices up to date.
If required, conduct training for staff to ensure they know how to check whether the OS on their personal device is up to date, and how they can manually run updates if not set to run automatically.
7- MULTI-FACTOR AUTHENTICATION
Multi-factor authentication (MFA) is one of the most effective measures any organisation can implement to protect its systems, applications, and data from malicious activity.
To align with ML1, implementing MFA was a key requirement. When it comes to aligning with ML2, it is also important to ensure that your MFA is resistant to phishing attempts.
We know that MFA requires ‘something you have.’ Typically, this is a one-time passcode that is sent to the user via SMS or accessed via an authenticator application on the user’s phone. However, one-time passcodes can themselves be phished.
For this reason, consider the use of physical tokens instead of one-time passcodes.
A physical token may need to be in close physical proximity to a device, or directly connected to a device via USB, in order to satisfy the ‘something you have’ requirement.
The financial investment in physical tokens, as well as the effort involved in managing physical tokens for all your staff, can be considerable. At a minimum, ensure that privileged access users are required to authenticate with a physical token.
8- REGULAR BACKUPS
Backing up your data is one of the most important measures you can undertake. Regular backups will enable your organisation to resume operations as quickly as possible following a cyber incident.
Ensuring regular backups was a requirement for aligning with ML1. When it comes to aligning with ML2 it is also important to ensure that privileged users cannot modify or delete backups. This is important because if a privileged user account is compromised, you want to ensure that the malicious actor cannot inflict further harm on your organisation by destroying backups, thereby preventing you from recovering after the incident.
These restrictions on privileged users should not extend to the dedicated backup administrator accounts that need to manage backups.
How can Virtuelle help?
There are a range of measures organisations should implement to align with the Essential Eight’s Maturity Level Two. Some of these measures may be onerous, particularly for organisations with IT teams that are busy keeping up with business-as-usual (BAU) requirements.
Engaging assistance from external experts may be the most effective and efficient way for your organisation to align with ML2.
Virtuelle Group has the expertise to ensure the measures required to align with ML2 are implemented in a way that suits the specific circumstances of your organisation. We work closely with you to understand your existing cyber security capabilities and identify ways in which these can be uplifted to help you resist more sophisticated threat actors.
Contact us today and learn how Virtuelle Group can help protect your organisation.