Meet the Essential 8

But first, what is the Essential 8?

In 2017, the Australian Cyber Division created a set of guidelines and principles that businesses should use to establish a solid cyber security framework within their organisation. This is called the Essential 8. It is a collection of 8 principles and technological configurations that all businesses should strive to achieve in order to set the foundation for their cyber security infrastructure. Whilst the Essential 8 was designed around the Microsoft Windows operating system environment, it can be adapted to many different offerings.

The Essential 8

Application Control

Execution of applications, software libraries, scripts, installers, compiled HTML and control panel applets is prevented for any standard user profile.

Patch Applications

An automated method of scanning devices for vulnerabilities and application updates, with the ability to install them. To be run fortnightly at a minimum.

Configure Microsoft Office Macro Settings

Microsoft Office macros are to be disabled by default. Approved macros can be enabled, but must be centrally controlled. Users cannot change these settings.

User Application Hardening

Web browsers do not process Java from the internet.
Web browsers do not process ads from the internet.
Internet Explorer 11 does not process content from the internet.
Web browser security settings cannot be changed by users.

Multi-Factor Authentication

MFA is to be used by users when connecting to internet-facing services.
MFA is to be used by users when connecting to third-party and cloud services that store the organisation's sensitive or non-sensitive data.
MFA is enabled by default, and auto-enrolment or self-enrolment is available for an organisation's users. An opt-out function is available for any non-organisational user.

Restrict Administrative Privileges

Privileged accounts are prevented from accessing the internet, email and web services.
Standard user accounts cannot be privileged, and a separate account must be used specifically for privilege elevation if required.
Privileged accounts are granted only to users who require specific elevation privileges to perform their duties, and these accounts are monitored for activity.

Regular Backups

Important data must be backed up in accordance with business continuity requirements.
Backups of important data must be stored securely in a resilient manner (onsite and offsite, for example).
Backup restore testing is completed as part of disaster recovery exercises (quarterly).
Unprivileged accounts do not have access to modify or delete backups or their settings.

Patch Operating Systems

An automated method of scanning devices for vulnerabilities and operating system updates, with the ability to install them. To be run fortnightly at a minimum. If an exploit exists, it must be patched within 48 hours of update release.