Artificial intelligence. Blockchain. Zero-day detection. The cyber security marketplace contains a litany of confusing buzzwords that can make an already complex subject sometimes even more confusing. But like so many other fields, before you can make any progress in cyber security you first need to get the fundamentals right.
The fundamentals are often called the ‘basics’, but this doesn’t mean they’re easy. In fact, some of the biggest technology companies in the world also struggle with what can be thought of as cyber security 101.
The Australian Government has created a straightforward guide to the cyber security essentials, and how to implement them, to help you protect your business against online threats.
What is the Essential Eight?
The government’s cyber security experts have identified eight essential mitigation strategies designed to help limit your organisation’s exposure to the vast majority of cyber threats.
These eight strategies are a subset of the Australian Cyber Security Centre’s 37 Strategies to Mitigate Cyber Security Incidents and form a strong baseline of protection.
The Essential Eight is broadly aimed at:
- Helping prevent attacks
- Limiting the extent of cyber attacks, and
- Recovering data and systems availability.
Helping prevent attacks
The first step to protecting against an attack is to prevent it from occurring in the first place. The vulnerability of your systems and users can be reduced by implementing the first four steps in the Essential Eight:
- Application control. This is one of the most effective steps in helping to ensure the security of systems. While application control is primarily designed to prevent the execution and spread of malicious code, it can also help prevent the installation or use of unapproved applications, which can harm the security of your systems and data.
- Patching applications, or applying updates, is a critical process to help ensure the security of all your IT equipment. Patches often fix known vulnerabilities or flaws that could otherwise give attackers an entry point into your systems and software. You should aim to always use the latest version of applications where possible, and to patch applications with “extreme risk” vulnerabilities within 48 hours.
- Configure Microsoft Office Macro settings. Macros, a staple in IT systems, automate regular tasks to save time. However, some macros can pose a security risk. A person with malicious intent can introduce a destructive macro in a file to spread a virus onto your computer or across your network. You should block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
- User application hardening. With the rapidly shifting technology landscape, a regular clean-out of old tools or applications is important to ensure your security posture isn’t being weakened by vulnerabilities in systems (like unpatched software) or processes (like default, weak, or reused passwords). You should especially consider configuring web browsers to block Flash as well as ads and Java, and disabling unneeded features in Office, web browsers, and PDF viewers; these are popular ways for hackers to push malicious code onto your systems.
Limiting the extent of cyber attacks
Breaches are inevitable but they need not be destructive. The next three steps in the Essential Eight will help limit the damage:
- Restrict admin privileges. Hackers actively seek admin accounts to give them greater access to data and systems, which means the fewer admin accounts you have, the better. Don’t let anyone be the administrator of their machine unless they have a legitimate business need. Set privileges in accordance with the user’s duties and role; someone who mainly works in email and the web doesn’t need to be an admin. Regularly revalidate the need for these privileges.
- Use multi-factor authentication. Multi-factor authentication is a powerful tool in your cyber arsenal. This defense makes it much harder for a hacker to break into your network, and limits their ability to move around should they be able to gain initial access. Aim to have multi-factor authentication on as many systems as possible, especially for VPNs and other remote access tools.
- Patch operating systems. Patching appears twice in the Essential Eight because vulnerabilities in systems and software are regularly used to hack into organisations. Again, you should always aim to use the latest version of operating systems – specifically avoid using unsupported versions – and patch “extreme risk” vulnerabilities in computers and network devices within 48 hours.
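The two patching strategies above share one measurable rule: an “extreme risk” vulnerability must be patched within 48 hours of the fix being available, and unsupported versions must not be relied on at all. The following Python script is an added example (not code from the original article, the ACSC or Telstra) showing how a small team might track that rule over a constructed list of findings. The 48-hour figure comes from the text; the SLA hours for the other risk tiers, the Finding fields and the sample hosts are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Hours allowed between a patch being published and it being applied.
# "extreme": 48 h is the figure the article gives. The other tiers are
# assumptions for this example, not Essential Eight requirements.
SLA_HOURS = {"extreme": 48, "high": 14 * 24, "moderate": 30 * 24, "low": 90 * 24}


@dataclass
class Finding:
    asset: str                                  # host, workstation or network device
    component: str                              # application or operating system
    risk: str                                   # one of the SLA_HOURS keys
    published: datetime                         # when the vendor patch became available (UTC)
    patched: Optional[datetime] = None          # when it was applied, if at all
    end_of_support: Optional[datetime] = None   # vendor support end date, if known


def deadline(finding: Finding) -> datetime:
    return finding.published + timedelta(hours=SLA_HOURS[finding.risk])


def sla_status(finding: Finding, now: datetime) -> str:
    """Classify one finding: met, breached, open, overdue or unsupported."""
    if finding.end_of_support is not None and finding.end_of_support <= now:
        # No patch will ever arrive for this component; the fix is an upgrade.
        return "unsupported"
    due = deadline(finding)
    if finding.patched is not None:
        return "met" if finding.patched <= due else "breached"
    return "open" if now <= due else "overdue"


def triage(findings: List[Finding], now: datetime):
    """Count findings per status and list unpatched, past-deadline items worst first."""
    counts = {"met": 0, "breached": 0, "open": 0, "overdue": 0, "unsupported": 0}
    overdue: List[Tuple[str, str, float]] = []
    for f in findings:
        status = sla_status(f, now)
        counts[status] += 1
        if status == "overdue":
            hours_late = (now - deadline(f)).total_seconds() / 3600
            overdue.append((f.asset, f.component, hours_late))
    overdue.sort(key=lambda item: item[2], reverse=True)
    return counts, overdue


# Constructed sample data (hypothetical hosts); times are naive UTC.
NOW = datetime(2024, 3, 10, 12, 0)
SAMPLE_FINDINGS = [
    # patched 2 h before the 48 h deadline
    Finding("srv-web-01", "web browser", "extreme",
            datetime(2024, 3, 8, 12, 0), patched=datetime(2024, 3, 9, 10, 0)),
    # still unpatched, deadline passed 36 h ago
    Finding("srv-db-01", "Windows Server", "extreme", datetime(2024, 3, 7, 0, 0)),
    # unpatched but still inside the 48 h window
    Finding("wks-finance-07", "PDF viewer", "extreme", datetime(2024, 3, 9, 20, 0)),
    # lower tier, patched well inside its (assumed) window
    Finding("wks-hr-03", "Office", "high",
            datetime(2024, 3, 1, 0, 0), patched=datetime(2024, 3, 9, 0, 0)),
    # patched, but two days after the 48 h deadline
    Finding("rtr-edge-01", "router firmware", "extreme",
            datetime(2024, 3, 1, 0, 0), patched=datetime(2024, 3, 5, 0, 0)),
    # Windows 7 left extended support on 14 January 2020: replace, don't wait for a patch
    Finding("wks-legacy-02", "Windows 7", "extreme",
            datetime(2024, 2, 1, 0, 0), end_of_support=datetime(2020, 1, 14)),
]


if __name__ == "__main__":
    counts, overdue = triage(SAMPLE_FINDINGS, NOW)
    print("status counts:", counts)
    for asset, component, hours in overdue:
        print(f"OVERDUE {asset} / {component}: {hours:.0f} h past deadline")
```

The point of separating “breached” (patched, but late) from “overdue” (still exposed) is that the second list is the one worth acting on today, while the first is the one to report on monthly so the 48-hour target stays honest.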
Recovering data and systems availability
Have you ever lost a camera or a phone and therefore the photos that were stored only on that device? The same pain is felt when ransomware attacks encrypt a business’s critical data, rendering it inaccessible.
It is often only when something goes wrong that business owners think about their backups. Backing up important data should be an ongoing exercise.
- Daily backups: To ensure information can be accessed following a cyber security incident or outage, back up new or changed data, software and configuration settings daily, and retain it for at least three months. Aim to follow the 3-2-1 backup rule: store your production data and two backup copies on two different media (like a cloud service and an offline disk drive), with one of these copies stored offsite (not connected to your network) to ensure you can recover in the event your network is taken offline.
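The backup rule above is concrete enough to check automatically: a backup within the last day, history going back at least three months, two copies on two different media, and one copy offsite and disconnected from the network. The script below is an added example (not from the original article or the ACSC) that evaluates a constructed backup inventory against those four conditions; the BackupCopy fields, the 90-day stand-in for “three months” and the sample inventories are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class BackupCopy:
    name: str
    medium: str                 # e.g. "cloud", "disk", "tape"
    offsite: bool               # stored away from the production site
    network_attached: bool      # reachable from the production network
    snapshots: List[datetime]   # completion times of the backups still retained


def assess_backups(copies: List[BackupCopy], now: datetime,
                   max_age_hours: int = 24, retention_days: int = 90) -> List[Tuple[str, str]]:
    """Return (code, detail) pairs for every way the inventory falls short.

    An empty list means all four conditions from the 3-2-1 / daily / three-month
    guidance are satisfied.
    """
    issues: List[Tuple[str, str]] = []
    all_snaps = [s for c in copies for s in c.snapshots]
    if not all_snaps:
        return [("no_backups", "no backup snapshots exist at all")]

    # 1. Daily: the newest snapshot across all copies must be recent.
    newest_age = now - max(all_snaps)
    if newest_age > timedelta(hours=max_age_hours):
        issues.append(("stale", f"newest backup is {newest_age.total_seconds() / 3600:.0f} h old"))

    # 2. Retention: history must reach back at least three months.
    oldest_age = now - min(all_snaps)
    if oldest_age < timedelta(days=retention_days):
        issues.append(("short_retention", f"oldest retained backup is only {oldest_age.days} days old"))

    # 3. Two backup copies on two different media (the "3" and "2" of 3-2-1).
    if len(copies) < 2:
        issues.append(("too_few_copies", f"{len(copies)} backup copy, need at least 2"))
    if len({c.medium for c in copies}) < 2:
        issues.append(("single_medium", "all copies share one storage medium"))

    # 4. One copy offsite and not connected to the network (the "1" of 3-2-1).
    if not any(c.offsite and not c.network_attached for c in copies):
        issues.append(("no_offline_offsite", "no copy is both offsite and disconnected from the network"))

    return issues


# Constructed sample inventories (hypothetical names and schedules).
NOW = datetime(2024, 3, 10, 12, 0)

# Cloud copy taken daily for 95 days plus an offline disk rotated weekly.
COMPLIANT = [
    BackupCopy("cloud-nightly", "cloud", offsite=True, network_attached=True,
               snapshots=[NOW - timedelta(days=d, hours=2) for d in range(95)]),
    BackupCopy("offline-disk", "disk", offsite=True, network_attached=False,
               snapshots=[NOW - timedelta(days=7 * w + 1) for w in range(13)]),
]

# A single onsite NAS with three recent snapshots: convenient, and exactly what
# ransomware on the network would encrypt along with production data.
SINGLE_NAS = [
    BackupCopy("office-nas", "disk", offsite=False, network_attached=True,
               snapshots=[NOW - timedelta(days=d) for d in (3, 4, 5)]),
]


if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("single NAS", SINGLE_NAS)):
        findings = assess_backups(inventory, NOW)
        print(f"{label}: {'OK' if not findings else ''}")
        for code, detail in findings:
            print(f"  [{code}] {detail}")
```

Run as a scheduled job against your real backup catalogue, the useful output is not the compliant case but the day the “stale” line first appears, because a backup job that silently stopped is discovered at restore time otherwise.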
Where and how to start with the Essential Eight
It’s easy to get a little overwhelmed with all the tools and services promising to protect you online.
Master the fundamentals with a trusted security partner. Telstra’s security experts can help assess the maturity of your systems, and help you implement the Essential Eight in the most relevant way for you.
Telstra strongly encourages all businesses to read and consider how the Essential Eight could be implemented within their organisation. More details can be found at the Australian Cyber Security Centre website.