
Security expert evaluates ASD's eight cyber security steps

The "essential eight" cyber security steps released by the Australian Signals Directorate in February will help organisations in meeting the requirements of the recently passed data breach bill, a security expert says.

Christopher Strand, security risk and compliance officer at Carbon Black, told iTWire that globally, more and more jurisdictions were releasing mandates that would have a substantial impact on companies regarding breach notification and the protection of sensitive data. The good news about most of the new steps was that they were not so much about security technologies you needed to bolt on. The bad news was that they required physical and mental effort to meet the code – to do something.

One of those cyber security mandates was the Privacy Amendment (Notifiable Data Breaches) Bill.

"This mandate will put pressure on Australian businesses to provide information on sensitive data breaches. The new rules require Commonwealth government agencies, private sector organisations, and any businesses that are regulated by the privacy act, to get in line within 12 months," Strand said.

"Failure to do so puts businesses at risk of civil penalties, public reputational harm, and other negative financial consequences."


Strand said the new bill would help to draw attention to cyber security solutions as well as focusing on the practices that protect data and business systems throughout Australia. Companies would need to account for their security systems and take steps to ensure they have the right technologies and plans in place to prove protection.

He said the ASD's list comprised practical actions that organisations could put into place to help shore up their information security postures.

"Aligned with the updated security mandate is the latest version of the mitigation strategies, called the 'Essential Eight'. After a business has performed its due diligence to identify which core assets require attention, the type of adversaries it faces, and what level of protection is needed, the business will have a baseline cyber security posture. Ostensibly this baseline will make it much more difficult for an adversary to compromise the system. Additionally, businesses will have a good handle on how to measure the security controls that play an important part in ensuring proper protection," he said.

The remainder of this article is in Strand's words:

The ‘Essential Eight’ practices fall into the following categories across two distinct functional areas:

The first four are focused on stopping malware from running:

  • Application whitelisting – control which programs can run on your systems, and stop the rest.
  • Patch applications regularly – stop attacks from exploiting known vulnerabilities.
  • Disable untrusted Microsoft Office macros – a common channel for malware.
  • Harden user applications – block Web browser access to Adobe Flash player (uninstall if possible), Web advertisements, and untrusted Java code on the Internet.

The second four limit the extent of incidents and help recover data:

  • Restrict administrative privileges – limit privileges to only those who need them.
  • Patch operating systems – to avoid known security vulnerabilities that can be exploited, or move to threat mitigation by introducing a compensating control to protect unsupported systems.
  • Backup important data daily – and ensure it meets the specifications of data retention policies.
  • Apply multi-factor authentication – add a second factor beyond a simple password across all systems.
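The article notes that a baseline only helps if businesses can measure the controls behind it. As an added illustration (not code from the article, ASD or Carbon Black), the script below turns the eight strategies into per-host checks over a constructed asset inventory; the inventory field names and the thresholds are assumptions chosen for the example.

```python
"""Gap check of a host inventory against the ASD Essential Eight (constructed example)."""

# Constructed sample inventory; field names are an assumption, not an ASD or vendor schema.
HOSTS = [
    {"name": "fin-ws-01", "whitelisting": True, "app_patch_age_days": 10, "macros": "disabled",
     "flash_blocked": True, "local_admins": ["svc-admin"], "os_patch_age_days": 5,
     "last_backup_days": 1, "mfa": True},
    {"name": "hr-ws-02", "whitelisting": False, "app_patch_age_days": 60, "macros": "user_prompt",
     "flash_blocked": False, "local_admins": ["alice", "bob", "helpdesk"], "os_patch_age_days": 20,
     "last_backup_days": 9, "mfa": True},
]

# Thresholds are assumptions for illustration, not figures taken from the article.
MAX_PATCH_AGE_DAYS = 30
MAX_ADMINS_PER_HOST = 1
MAX_BACKUP_AGE_DAYS = 1

# The eight controls, grouped into the two functional areas the article describes.
CONTROLS = {
    "prevent": {
        "application_whitelisting": lambda h: h["whitelisting"],
        "patch_applications": lambda h: h["app_patch_age_days"] <= MAX_PATCH_AGE_DAYS,
        "disable_office_macros": lambda h: h["macros"] == "disabled",
        "harden_user_apps": lambda h: h["flash_blocked"],
    },
    "limit_and_recover": {
        "restrict_admin_privileges": lambda h: len(h["local_admins"]) <= MAX_ADMINS_PER_HOST,
        "patch_operating_systems": lambda h: h["os_patch_age_days"] <= MAX_PATCH_AGE_DAYS,
        "daily_backups": lambda h: h["last_backup_days"] <= MAX_BACKUP_AGE_DAYS,
        "multi_factor_auth": lambda h: h["mfa"],
    },
}


def assess(hosts):
    """Return {control_name: [names of hosts that fail it]} for all eight controls."""
    gaps = {}
    for group in CONTROLS.values():
        for name, check in group.items():
            gaps[name] = [h["name"] for h in hosts if not check(h)]
    return gaps


def coverage(hosts):
    """Fraction of controls in each functional group that every host passes."""
    gaps = assess(hosts)
    return {g: sum(1 for c in grp if not gaps[c]) / len(grp) for g, grp in CONTROLS.items()}


if __name__ == "__main__":
    for control, failing in assess(HOSTS).items():
        print(f"{control:28s} {'OK' if not failing else 'GAP: ' + ', '.join(failing)}")
    print(coverage(HOSTS))
```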

On a recent tour of the region, I had the privilege of meeting one of the lead directors of the ASD, when the ‘Essential Eight’ was in final edit mode. I had the chance to discuss the security controls and was impressed to hear the ASD’s plans for supporting businesses with the new mandates via the mitigation strategies.

The ASD is actively engaging with businesses in the case of an incident and offering support before, during and after the mandatory notification that would be triggered under the breach notification laws.

This is a great example of supporting and standing behind the mitigation strategies and is also a good way to promote adoption to ensure businesses are moving toward better security postures. It also ensures businesses are fully transparent in the case of an incident.

It was also encouraging to find common ground between the mitigation recommendations put forth by the ASD and the way Carbon Black approaches security posture through our focus on event stream processing, ranking risks throughout the attack cycle, as well as proof of data integrity and policy enforcement.

After careful review of the new ‘Essential Eight,’ it is apparent the ASD has taken implementation and audit fatigue into account when designing the mitigations. This is the last item that many baselines and frameworks fail to address.

A mitigation strategy is only as strong as the completeness of its implementation. Many other jurisdictions should take a page from the ASD on how to encourage businesses to take the first steps to creating an environment fostering better security. The new strategy ensures that businesses will be able to take advantage of the suggested security parameters quickly and start down the road of better risk and threat mitigation.


Ray Shaw


Ray Shaw (ray@im.com.au) has had a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT-based radio program on ABC radio for 10 years, has developed world-leading software for the events industry and is smart enough to no longer own a retail computer store!