The ACSC Has Updated The Essential Eight Maturity Model — Here’s What You Need To Know

The Australian Cyber Security Centre (ACSC) has released a new version of the Essential Eight Maturity Model. Do you know what has changed, and what it means for you?


What is the Essential Eight Maturity Model?


The Essential Eight Maturity Model is a set of prioritised mitigation strategies developed by the ACSC to assist businesses in addressing and eliminating cyber security vulnerabilities. These strategies are drawn from the Strategies to Mitigate Cyber Security Incidents, the main ones being the Essential Eight.


In a nutshell, it’s a rather simple rubric that you can follow to make sure that all your bases are covered when it comes to cyber security. In addition to listing the technical aspects of cyber security that you should address and verify, it also provides a system by which to determine the level of threat you need to mitigate.


5 Changes To The Essential Eight Maturity Model You Need To Know About


  1. Maturity Level Zero Has Been Reintroduced: Maturity level zero was not included in the previous version but has been brought back to define a level at which an organisation is “showing weaknesses” in its overall cyber security posture. By contrast, the lowest level in the previous version was Level 1, described as “Partly aligned with the intent of mitigation strategy,” which even the least secure organisation would still reach.

  2. Redefining Maturity Levels 1 - 3: The higher three levels of maturity have been redefined according to the degrees of adversary tradecraft sophistication and targeting, instead of the degree to which an organisation is aligned with the overall mitigation strategy. In other words, the ACSC is urging organisations to consider the real-world threats they face, rather than simply attempting to comply with a theoretical mitigation strategy.

  3. Redefined Expectations: The ACSC no longer expects organisations to be compliant with the highest maturity level as a general rule. Instead, they are urging organisations to assess the potential threat they face (based on current trends and the desirability of their assets) and meet the appropriate maturity level to mitigate that threat.

  4. Redefined Approach: This new version of the Essential Eight is focused more on a risk-based approach instead of a compliance-based approach. As with other changes mentioned above, this is due to a more realistic consideration of the current cybercrime climate, and the economics of cyber security development and management.  The ACSC understands that not all organisations will be able to afford the changes necessary to fully comply with a high maturity level. It is more realistic and effective to have them focus on mitigating the greater threats to their cyber security currently at play.

  5. Concurrent Implementation: This version of the Essential Eight recommends that organisations implement mitigation strategies from a given level all at once, rather than on an ad-hoc basis. The ACSC recognises that these solutions and practices work best in concert, and as such, organisations should implement all strategies in one level before moving on to the next.


As expected, the technical guidance for each maturity level was adapted according to the insight and data gathered in the 2019 Essential Eight sprints for Federal Government and major cyber security incidents dealt with by the ACSC since the last version was published. Prior to being published, this version of the Essential Eight Maturity Model was thoroughly reviewed by the ACSC, government, and industry partners.


What Are The New Maturity Levels?


As mentioned above, these new versions of the Maturity Levels focus on the potential adversaries to an organisation, rather than the organisation itself:


  1. Maturity Level Zero: This level defines an organisation as having weaknesses in its overall cyber security posture. These weaknesses could be exploited by hackers at the level of Maturity Level One or below.

  2. Maturity Level One: This level considers cybercriminals that apply publicly available techniques at a large scale, targeting mass groups of potential targets. Threat vectors are likely social engineering techniques or the targeting of unpatched vulnerabilities.

  3. Maturity Level Two: This level focuses on cybercriminals that are still using publicly available and wide-cast techniques, but will invest somewhat more time and resources in their attacks. They will select their targets somewhat more specifically and will follow up on successful breaches to further compromise data or make use of credentials and access they have gained.

  4. Maturity Level Three: Adversaries at this level will specifically target certain organisations, looking for vulnerabilities based on older software, and invest time in improving the quality of their social engineering tactics against specific users. Once they have breached an organisation’s security, they will then invest more time to solidify their access and hide their presence over a greater period of time.


What Are The Essential Eight?


Addressing the most vital components of a strong cyber security defence, the Essential Eight Maturity Model includes the following (each defined in relation to the top three maturity levels):


  • Application Whitelisting: Application whitelisting is the practice of specifying an index of approved software applications that are permitted to be present and active on a computer system. The goal of whitelisting is to protect computers and networks from potentially harmful applications. In each Maturity Level, an application whitelisting solution has been implemented on workstations, Active Directory servers, email servers, and other necessary servers.

  • Application Patching: Many of the most common malware and viruses used by cybercriminals today are based on exploiting programming flaws; to address this, developers regularly release software patches and updates to fix flaws and protect users. That’s why regular patching is such an important part of cyber security. Furthermore, each level also requires that end-of-life applications (those that are no longer receiving vendor support, such as updates and patches) are updated or replaced with vendor-supported alternatives.

  • Configuration of Microsoft Office Macro Settings: A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. These can be very convenient for users that want to eliminate repetitious or tedious work.  However, because macros deploy an automated series of commands, they are also used by cybercriminals to execute tasks on a target’s system. That’s why there needs to be strict control applied to how macros are allowed to execute.

  • User Application Hardening: This is the security practice of only allowing necessary (and safe) areas of a given application to run. This is done to prevent conventionally unsafe browser-based plug-ins such as Java and Flash from compromising a user’s systems.

  • Restriction of Administrator Privileges: Administrator privileges give certain users privileged access to applications, controls and sensitive data. In a poorly secured IT environment, it’s not uncommon to find that all users have administrator privileges, which is a major security risk. All three Maturity Levels require the implementation of security controls to prevent privileged users from reading emails, browsing the web and downloading files from online services.

  • Patching Operating Systems: Similar to application patching, operating systems must be patched as well to make sure that identified security vulnerabilities are not left open for cybercriminals to exploit. Furthermore, each level also requires that end-of-life operating systems (those that are no longer receiving vendor support, such as updates and patches) are updated or replaced with vendor-supported alternatives.

  • Multi-Factor Authentication: Multi-factor Authentication (MFA) is a superior way to keep your data more secure. MFA requires the user to utilise two methods to confirm that they are the rightful account owner.

    There are three categories of information that can be used in this process:

    1. Something you have: Includes a mobile phone, app, or generated code
    2. Something you know: A family member’s name, city of birth, PIN, or phrase
    3. Something you are: Includes fingerprints and facial recognition

    At each Maturity Level, it is assumed that an MFA solution has been implemented to authenticate anyone that uses a remote solution, and that the solution uses at least two of the following authentication factors:

    • Passwords (six characters or longer)
    • Universal Second Factor security keys
    • Physical one-time passwords
    • Biometrics
    • Smartcards
    • Mobile app one-time password tokens
    • Emails
    • SMS messages
    • Voice calls
    • Software certificates

  • Daily Backups: Backups are a process by which local data is replicated and stored in a secure offsite location, to protect against permanent data loss. Today, this is often done automatically, via the cloud. The Maturity Levels for backup best practices include the following:

    • Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.
    • Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.
    • Unprivileged accounts can only access their own backups.
    • Unprivileged accounts are prevented from modifying or deleting backups.


Which Maturity Level Should You Try To Achieve?


While previous versions of the Essential Eight Maturity Model would have told you to try to achieve Level 3, that’s no longer the case. The ACSC updated the Essential Eight Maturity Model to recognise that different organisations have different resources and face different threats.

Depending on the size of your business and the industry you operate in, the frequency, severity, and type of risks you encounter can vary greatly. In those cases, you may very well move from one maturity level to another over time, and as such, will require more regular updating. 


After all, an enterprise corporation and a small business face different threats and have different resources available to them to invest in cyber security. That’s why this new version of the Essential Eight Maturity Model doesn’t expect both organisations to achieve the same level of maturity. 


How Should You Approach Compliance With The Essential Eight Maturity Model?


You can achieve the appropriate maturity level for your organisation by following these steps:


  • Determine Your Risk: By considering the size of your organisation and the threats at play based on the value of your assets, you can get a better idea of which maturity level you need to achieve.
  • Assess Your Cyber Security: The next step will be to examine your current cyber security solutions and practices and compare them against the specifics of the Essential Eight Maturity Model and its maturity levels. You can then determine what needs to be improved, upgraded or expanded.
  • Remediate Your Cyber Security: With a plan in place, you can then start the remediation processes, addressing any shortcomings in your current cyber security posture when compared to the maturity level you intend to achieve. 


Need Assistance With Your Cyber Security?


Taken all at once, the Essential Eight Maturity Model may seem like a lot to manage on your own. If you’re unsure of how to undertake this process, you should be sure to consult with the experts from CyberUnlocked for assistance.

