This is up from its previous four (application whitelisting, patching applications, patching operating system vulnerabilities, and restricting administrative privileges) and has been called the “essential eight”. As yet these have not been included in the Protective Security Policy Framework (PSPF) mandate and will be available on the ASD website shortly.
It says that while the essential four will prevent 85% of cyber attacks and have been mandatory for all Australian Government use since 2013, the extra precautions are a result of developments since then.
ASD says these are the essential eight and there are many more steps that could be taken. A range of publications is available on its website.
The measures organisations should now take are:
- Application whitelisting to allow only approved software applications to run on computers.
- Patch applications to fix security vulnerabilities in software.
- Disable untrusted Microsoft Office macros which could be used to enable the download of malware onto computer systems.
- User application hardening that blocks Web browser access to Adobe Flash Player, Web advertisements and untrusted Java code.
- Restrict administrator privileges for managing systems and installing software and patches to only users who absolutely need them.
- Patch operating systems to fix vulnerabilities.
- Use multi-factor authentication to make it harder for third parties to access information.
- Back up important data daily so information can be quickly recovered in the event of a cyber security incident.
The ASD states, “Once the essential eight mitigation strategies have been correctly implemented, baseline cyber security posture has been achieved. This baseline makes it much harder for adversaries to compromise systems.”
“While no single mitigation strategy is guaranteed to prevent cyber security incidents, ASD recommends organisations implement a package of eight essential strategies as a baseline,” it added.