Security expert evaluates ASD's eight cyber security steps

The "essential eight" cyber security steps released by the Australian Signals Directorate in February will help organisations in meeting the requirements of the recently passed data breach bill, a security expert says.

Christopher Strand, security risk and compliance officer at Carbon Black, told iTWire that globally, more and more jurisdictions were releasing mandates that would have a substantial impact on companies regarding breach notification and the protection of sensitive data. The good news about most of the new steps was that they were not so much about security technologies you needed to bolt on. The bad news was that they required physical and mental effort to meet the code – to do something.

One of those cyber security mandates was the Privacy Amendment (Notifiable Data Breaches) Bill.

"This mandate will put pressure on Australian businesses to provide information on sensitive data breaches. The new rules require Commonwealth government agencies, private sector organisations, and any businesses that are regulated by the Privacy Act, to get in line within 12 months," Strand said.

"Failure to do so puts businesses at risk of civil penalties, public reputational harm, and other negative financial consequences."


Strand said the new bill would help to draw attention to cyber security solutions as well as focusing on the practices that protect data and business systems throughout Australia. Companies would need to account for their security systems and take steps to ensure they have the right technologies and plans in place to prove protection.

He said the ASD's list comprised practical actions that organisations could put into place to help shore up their information security postures.

"Aligned with the updated security mandate is the latest version of the mitigation strategies, called the 'Essential Eight'. After a business has performed its due diligence to identify which core assets require attention, the type of adversaries it faces, and what level of protection is needed, the business will have a baseline cyber security posture. Ostensibly this baseline will make it much more difficult for an adversary to compromise the system. Additionally, businesses will have a good handle on how to measure the security controls that play an important part of ensuring proper protection," he said.

The remainder of this article is in Strand's words:

The ‘Essential Eight’ practices fall into the following categories across two distinct functional areas:

The first four are focused on stopping malware from running:

  • Application whitelisting – control which programs can run on your systems, and stop the rest.
  • Patch applications regularly – stop attacks from exploiting known vulnerabilities.
  • Disable untrusted Microsoft Office macros – a common channel for malware.
  • Harden user applications – block Web browser access to Adobe Flash player (uninstall if possible), Web advertisements, and untrusted Java code on the Internet.

The second four limit the extent of incidents and help recover data:

  • Restrict administrative privileges – limit privileges to only those who need them.
  • Patch operating systems – to avoid known security vulnerabilities that can be exploited, or move to threat mitigation by introducing a compensating control to protect unsupported systems.
  • Backup important data daily – and ensure it meets the specifications of data retention policies.
  • Apply multi-factor authentication – add a second factor beyond a simple password across all systems.

On a recent tour of the region, I had the privilege of meeting one of the lead directors of the ASD, when the 'Essential Eight' was in final edit mode. I had the chance to discuss the security controls and was impressed to hear the ASD's plans for supporting businesses with the new mandates via the mitigation strategies.

The ASD is actively engaging with businesses in the case of an incident and offering support before, during and after the mandatory notification that would be triggered under the breach notification laws.

This is a great example of supporting and standing behind the mitigation strategies and is also a good way to promote adoption to ensure businesses are moving toward better security postures. It also ensures businesses are fully transparent in the case of an incident.

It was also encouraging to find common ground between the mitigation recommendations put forth by the ASD and the way Carbon Black approaches security posture through our focus on event stream processing, ranking risks throughout the attack cycle, as well as proof of data integrity and policy enforcement.

After careful review of the new 'Essential Eight', it is apparent the ASD has taken implementation and audit fatigue into account when designing the mitigations. This is the last item that many baselines and frameworks fail to address.

A mitigation strategy is only as strong as the completeness of its implementation. Many other jurisdictions should take a page from the ASD on how to encourage businesses to take the first steps to creating an environment fostering better security. The new strategy ensures that businesses will be able to take advantage of the suggested security parameters quickly and start down the road of better risk and threat mitigation.

Ray Shaw


Ray Shaw ray@im.com.au  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!