Implementing the Essential Eight for MSPs

Following the global compromise of managed service providers (MSPs), the Australian Cyber Security Centre (ACSC) is calling on Australian businesses and individuals to be proactive in implementing better cyber security practices.

While no single mitigation strategy is guaranteed to prevent cyber security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline.

This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.

Cybercriminals who target organisations can cause irreparable damage, leaving some businesses unable to operate.

Implementing the Essential Eight costs less in time, money and effort than responding to a successful large-scale cyber security incident.

Before implementing any of the mitigation strategies, it is crucial that organisations identify which systems require protection, which adversaries are likely to target their systems, and what level of protection their business needs.

A suggested implementation order, organised by the type of cyber threat each strategy mitigates, helps organisations build a robust cyber security posture.

Once organisations have implemented their desired mitigation strategies to an initial level, they should focus on increasing the maturity of their implementation.

Mitigation strategies to prevent malware delivery and execution:

Application whitelisting

Application whitelisting of approved/trusted programs to prevent the execution of unapproved/malicious programs, including executables (.exe), DLLs, scripts (eg Windows Script Host, PowerShell and HTA) and installers.

Why: All non-approved applications (including malicious code) are prevented from executing.
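The following script is an added example, not code from the ACSC page: it builds an AppLocker policy covering the executable, DLL, script and installer rule collections listed above, deploys it in audit mode first, and dry-runs it against sample paths before enforcement. It assumes an elevated PowerShell on a Windows edition that supports AppLocker; the reference directories, the policy output path and the Downloads directory as a source of unapproved binaries are assumptions.

```powershell
# Added example (not from the ACSC page). Assumed paths are marked.
Import-Module AppLocker

$ReferenceDirs = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')  # assumed trusted install roots
$PolicyPath    = 'C:\Policies\applocker-audit.xml'                             # assumed output location

# 1. AppLocker enforcement depends on the Application Identity service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. Gather file information for every rule collection the page lists
#    (executables, DLLs, scripts and Windows Installer packages).
$fileInfo = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, Dll, Script, WindowsInstaller -ErrorAction SilentlyContinue
}

# 3. Prefer publisher rules (they survive patching); fall back to hash rules for
#    unsigned files. -Optimize merges rules that share a publisher/product.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 4. Start in AuditOnly so would-be blocks are logged without breaking users.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
New-Item -ItemType Directory -Path (Split-Path $PolicyPath -Parent) -Force | Out-Null
$policy.Save($PolicyPath)

# 5. Dry-run the policy against real files before applying it. A signed OS
#    binary should be Allowed; anything sitting in a user-writable folder such
#    as Downloads should come back Denied because no rule matches it.
$samples = @('C:\Windows\System32\notepad.exe') +
    (Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -File -ErrorAction SilentlyContinue).FullName
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. Apply to the local machine (use -Ldap to target a GPO instead). After the
#    audit period, change EnforcementMode to 'Enabled' in the XML and re-apply.
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# 7. Review what audit mode would have blocked (event 8003 = audit-mode "would
#    have been prevented" for the EXE and DLL collection).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Generating rules from every file under the reference directories is slow on a large build; in practice run it against a clean reference image and review the resulting rule set before rolling it out. The dry run in step 5 is the check worth keeping: if an unsigned binary in a user-writable path comes back Allowed, the policy has a path rule that is too broad.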

Patch Applications

Patch applications such as Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch or mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.

Why: Security vulnerabilities in applications can be used to execute malicious code on systems.

Configure Microsoft Office macro settings

Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros that are either stored in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.

Why: Microsoft Office macros can be used to deliver and execute malicious code on systems.

User application hardening

Configure web browsers to block Flash (ideally uninstall it), ads and Java from the internet. Disable unneeded features in Microsoft Office (eg OLE), web browsers and PDF viewers.

Why: Flash, ads and Java are popular ways to deliver and execute malicious code on systems.
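The script below is an added example, not code from the ACSC page. It serves both the macro-settings strategy and the Office part of user application hardening: it writes the policy registry values that the Office Group Policy templates use to block macros from the internet, allow only digitally signed macros, define one trusted location with restricted write access, and block OLE Packager objects; it then audits the values back. It assumes Office 2016/2019/365 (registry version key 16.0); the application list and the trusted-location path are assumptions.

```powershell
# Added example (not from the ACSC page). Assumed values are marked.
$OfficeVersion   = '16.0'                                  # assumed: Office 2016/2019/365
$Apps            = 'Word', 'Excel', 'PowerPoint', 'Access'  # assumed app set
$TrustedMacroDir = 'C:\ApprovedMacros'                     # assumed: admins write, users read only

# Policy values (HKCU\Software\Policies overrides the user's own Trust Center choices):
#   VBAWarnings 3                       = disable all macros except digitally signed
#   blockcontentexecutionfrominternet 1 = block macros in files carrying Mark-of-the-Web
#   PackagerPrompt 2                    = block activation of OLE Packager objects, no prompt
$Desired = @{
    'VBAWarnings'                       = 3
    'blockcontentexecutionfrominternet' = 1
    'PackagerPrompt'                    = 2
}

function Set-OfficeSecurityPolicy {
    # Create the trusted location and restrict write access to administrators,
    # so "trusted" does not become "anywhere a phishing payload can drop a file".
    New-Item -ItemType Directory -Path $TrustedMacroDir -Force | Out-Null
    icacls $TrustedMacroDir /inheritance:r `
        /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
        /grant:r 'BUILTIN\Users:(OI)(CI)RX' | Out-Null

    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        foreach ($name in $Desired.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $Desired[$name] -PropertyType DWord -Force | Out-Null
        }
        # One policy-defined trusted location per application, subfolders included.
        $loc = "$key\Trusted Locations\Location1"
        New-Item -Path $loc -Force | Out-Null
        New-ItemProperty -Path $loc -Name 'Path'            -Value $TrustedMacroDir -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $loc -Name 'AllowSubfolders' -Value 1                -PropertyType DWord  -Force | Out-Null
        New-ItemProperty -Path $loc -Name 'Description'     -Value 'Vetted macros'  -PropertyType String -Force | Out-Null
        # Do not let network shares be declared trusted locations.
        New-ItemProperty -Path "$key\Trusted Locations" -Name 'AllowNetworkLocations' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Test-OfficeSecurityPolicy {
    # One row per application/setting with the live value and a compliance flag.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        foreach ($name in $Desired.Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Expected  = $Desired[$name]
                Actual    = $actual
                Compliant = ($actual -eq $Desired[$name])
            }
        }
    }
}

Set-OfficeSecurityPolicy
Test-OfficeSecurityPolicy | Format-Table -AutoSize
```

Writing to HKCU affects only the user running the script; for a fleet, set the same values through Group Policy and keep Test-OfficeSecurityPolicy as a compliance check on endpoints. Any row reporting Compliant = False means a local setting or a conflicting GPO is overriding the intended policy.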

Mitigation strategies to limit the extent of cyber security incidents:

Restrict administrative access

Restrict administrative access to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Do not use privileged accounts for reading email and web browsing.

Why: Admin accounts are the ‘keys to the kingdom.’ Adversaries use these accounts to gain full access to information systems.
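The script below is an added example, not code from the ACSC page. It implements the "regularly revalidate the need for privileges" step: it lists the members of privileged Active Directory groups, compares them with an approved list, and flags accounts that also look like everyday accounts (mailbox-enabled) or that have not been used recently. It requires the ActiveDirectory RSAT module; the group names, the approved list and the staleness threshold are assumptions.

```powershell
# Added example (not from the ACSC page). Assumed values are marked.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$StaleAfterDays   = 45   # assumed revalidation window

# Constructed approved list; in practice this lives in change control, not in the script.
$Approved = @{
    'Domain Admins'     = @('adm-jsmith', 'adm-akhan')
    'Enterprise Admins' = @()
    'Schema Admins'     = @()
    'Administrators'    = @('adm-jsmith')
}

function Get-PrivilegedAccessReport {
    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups, which is where unapproved members usually hide.
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.SamAccountName -Properties mail, LastLogonDate
            $findings = @()
            if ($Approved[$group] -notcontains $u.SamAccountName) { $findings += 'NotApproved' }
            if ($u.mail)                                           { $findings += 'HasMailbox' }  # admin accounts should not read email
            if (-not $u.Enabled)                                   { $findings += 'Disabled' }
            if (-not $u.LastLogonDate -or
                $u.LastLogonDate -lt (Get-Date).AddDays(-$StaleAfterDays)) { $findings += 'Stale' }
            [pscustomobject]@{
                Group     = $group
                Account   = $u.SamAccountName
                LastLogon = $u.LastLogonDate
                Findings  = ($findings -join ',')
            }
        }
    }
}

$report = Get-PrivilegedAccessReport | Sort-Object Group, Account
$report | Format-Table -AutoSize

# Show, without acting, what removing the unapproved members would do.
$report | Where-Object Findings -match 'NotApproved' | ForEach-Object {
    Remove-ADGroupMember -Identity $_.Group -Members $_.Account -WhatIf
}
```

The HasMailbox check is the practical test for the page's rule about not using privileged accounts for email and web browsing: an admin account with a mail attribute is almost always being used as a daily driver. Drop -WhatIf only after the owner of each flagged account has confirmed the removal.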

Patch operating systems

Patch or mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Do not use unsupported versions.

Why: Security vulnerabilities in operating systems can be used to further the compromise of systems.

Multi-factor authentication

Multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.

Why: Stronger user authentication makes it harder for adversaries to access sensitive information and systems.

Mitigation strategies to recover data and system availability:

Daily backups

Daily backups of important new/changed data, software and configuration settings, stored disconnected from the network and retained for at least three months. Test restoration initially, annually and whenever IT infrastructure changes.

Why: To ensure information can be accessed following a cyber security incident (eg after a successful ransomware incident).
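The script below is an added example, not code from the ACSC page. It shows a daily backup routine with the properties the strategy asks for: it captures only files changed since the last run, records a SHA-256 manifest, prunes sets older than three months, and proves the archive restores by extracting it to scratch space and re-hashing every file against the manifest. The source path, the backup target and the retention period are assumptions; the target stands in for removable media or a share that is attached only during the backup window.

```powershell
# Added example (not from the ACSC page). Assumed values are marked.
$Source     = 'C:\Data'      # assumed data to protect
$BackupRoot = 'E:\Backups'   # assumed offline/disconnected target
$RetainDays = 90             # "at least three months"
$StateFile  = Join-Path $BackupRoot 'last-run.txt'

function Get-RelativePath([string]$Full) {
    $Full.Substring($Source.TrimEnd('\').Length).TrimStart('\')
}

function Invoke-DailyBackup {
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    $since = if (Test-Path $StateFile) { [datetime]((Get-Content $StateFile -Raw).Trim()) }
             else { [datetime]::MinValue }
    $set   = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    $stage = Join-Path $set 'data'

    # Daily incremental: only files written since the previous successful run.
    $changed = Get-ChildItem -Path $Source -Recurse -File | Where-Object LastWriteTime -gt $since
    if (-not $changed) { Write-Host 'Nothing changed since last run.'; return $null }

    # Copy with directory structure preserved and hash each file as it goes,
    # so the manifest describes exactly what was captured.
    $manifest = foreach ($f in $changed) {
        $rel  = Get-RelativePath $f.FullName
        $dest = Join-Path $stage $rel
        New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $f.FullName -Destination $dest
        [pscustomobject]@{ Path = $rel; Sha256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash }
    }
    $manifest | Export-Csv -Path (Join-Path $set 'manifest.csv') -NoTypeInformation
    Compress-Archive -Path $stage -DestinationPath (Join-Path $set 'data.zip')
    Remove-Item -LiteralPath $stage -Recurse -Force
    Set-Content -Path $StateFile -Value (Get-Date -Format 'o')

    # Retention: drop backup sets older than $RetainDays.
    Get-ChildItem -Path $BackupRoot -Directory |
        Where-Object CreationTime -lt (Get-Date).AddDays(-$RetainDays) |
        Remove-Item -Recurse -Force
    return $set
}

function Test-BackupRestore {
    param([Parameter(Mandatory)][string]$Set)
    # Restore into scratch space and verify every manifest entry by hash,
    # so the test proves integrity rather than just that the archive opens.
    $scratch = Join-Path $env:TEMP ('restore-' + [guid]::NewGuid().ToString('N'))
    Expand-Archive -LiteralPath (Join-Path $Set 'data.zip') -DestinationPath $scratch
    $failures = foreach ($row in Import-Csv (Join-Path $Set 'manifest.csv')) {
        $restored = Join-Path (Join-Path $scratch 'data') $row.Path
        $actual   = if (Test-Path -LiteralPath $restored) {
                        (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
                    } else { 'MISSING' }
        if ($actual -ne $row.Sha256) { "$($row.Path): expected $($row.Sha256), got $actual" }
    }
    Remove-Item -LiteralPath $scratch -Recurse -Force
    if ($failures) {
        Write-Warning ("Restore test FAILED for ${Set}:`n" + ($failures -join "`n"))
        return $false
    }
    Write-Host "Restore test passed for $Set"
    return $true
}

$set = Invoke-DailyBackup
if ($set) { Test-BackupRestore -Set $set }
```

Running Test-BackupRestore on every set is cheap insurance against a backup that is silently corrupt or that a ransomware strain has already encrypted in place; the "stored disconnected" requirement is met by the operational step of detaching the target after the run, which no script can verify for you.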