Strategies to mitigate cyber security incidents
Today, there are hundreds, if not thousands, of cyber security strategies published that tailor to all sorts of infrastructures, market categories and cyber threats. Knowing which strategies apply to your organisation and where to start cyber resilience activities can be an overwhelming task.
To address this issue, we have compiled a list of mitigation strategies that organisations can use as starting points to improve their cyber resilience and technical details of these strategies. While no single mitigation strategy is guaranteed to prevent cyber security incidents, we have identified eight essential mitigation strategies which should be implemented as a baseline where practicable.
The Essential Eight
Known as the Essential Eight, these mitigation strategies make it much harder for adversaries to compromise your systems. Implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a successful large-scale cyber security incident.
The Essential Eight are:
Whitelist approved and trusted programs to prevent the execution of unapproved or malicious programs from executing. This includes all executables (.exe), DLLs, scripts (Windows Script Host, PowerShell and HTA), and installers (.msi). For more on application whitelisting, check out our publication.
Perform regular patching/updating of applications in your system. This includes, but is not limited to, Microsoft Office, PDF readers, Java, Flash and Web Browsers. Vulnerabilities in old versions or unpatched software are often the vector for an adversary to gain control over your system.
Configure Microsoft Office products to block the execution of un-trusted macros. Office macros provide users with handy programming features to perform a job or task much faster and more intelligently than manual methods. However these macros are not immediately noticeable to the standard user and often run in the background without user interaction. An attacker will often populate documents that appear as normal presentations or resumes but upon opening will run code inside macros, giving the attacker a foothold on your system. To mitigate this risk, only allow macros to run from documents in a trusted location with controlled write access or restrict to only digitally signed macros by a trusted certificate.
Harden user applications
Tightly control applications that have the ability perform unwanted or potentially vulnerable actions. Unless the features are explicitly needed, Web browsers should be configured by default to block Flash, advertising and the Java runtime plug-in. We provide a few guides for hardening on our publications page.
Restricting administrative privilege
Restrict administrative privilege for operating systems and applications based on user duties. Periodically review users access and remove un-necessary system privilege. Accounts with exceptionally powerful access (domain and enterprise admins) should not have the ability to browse the internet or read email.
Patching operating systems
Periodically patch and upgrade your operating systems to the latest versions. Ensure you are using supported versions of operating systems to ensure security patches are being developed by the manufacturer as new vulnerabilities are discovered.
Set up multi-factor authentication to provide higher authentication assurance for privileged, power and remote user access. Multi-Factor authentication is essentially the introduction of additional methods for the verification of the users identity. The benefit here is a user won’t be authenticated to a system unless they provide two or more of the following:
- something they know, like a PIN or a password
- something they have, such as a smartcard or a physical one-time PIN
- something they are, such as a scan of their fingerprint, iris, voice or face.
This is particularly important for remote access as a username and password combination alone does not guarantee the person on the other end is who they claim.
Daily backups of the most important new or changed data and configuration settings will allow your business to maintain reasonable availability in the event of a system crash or cyber security incident. Backup plans will vary according to business need, however at a minimum you should be retaining backups for at least three months and storing them disconnected from your system. You should also test the restoration procedure and validate the backup integrity periodically.
Want to know more?
We have developed a document to explain the Essential Eight titled ACSC Protect: Essential Eight Explained (PDF) as well as specific guidance for Linux titled ACSC Protect: Essential Eight in Linux Environments (PDF).
If you need help understanding the maturity of your Essential Eight implementations, you can apply our maturity model for the Essential Eight. This model defines five maturity levels for each mitigation strategy. See [ACSC
Protect: Essential Eight Maturity Model (PDF)](https://www.acsc.gov.au/publications/protect/Essential_Eight_Maturity_Model.pdf).
Want to ask a more specific question?
We also provide additional technical cyber security advice on a range of topics in our publications. Email us for more information.