The Essential Eight cyber strategies for an 85% better sleep

October 26, 2022

For Cyber Security Awareness Month, we talk to Kinetic IT’s Customer Development Manager, Mark Pacitti, about the Essential Eight Assessment, how it protects you against cyber threats – and helps you sleep better at night.

Did you know that more than 50% of all businesses are not fully prepared for a cyber-attack and 95% of cyber security breaches are caused by human error? With over 50% of all cyber-attacks targeting small and medium-sized businesses, there is a (reported) cyber-attack every eight minutes in Australia.

These are just a few of the many keep-you-awake cyber statistics we now read about regularly in the media. To address this threat, there are numerous cyber services and solutions for many different aspects of cyber risk – but where do you begin in tackling this fast-growing concern? 

A solid starting point is the Essential Eight Assessment. Before we dive into it, let’s look at where the Essential Eight comes from, what it’s all about, and how it can help you sleep better at night. 

What is the Essential Eight?

Back in 2010 – a whole generation ago in cyber security time – the Australian Signals Directorate issued a set of 35 “Strategies to Mitigate Cyber Security Incidents”. Each of the 35 strategies has a Relative Security Effectiveness Rating (RSER) ranging from essential to excellent, very good, good, and limited. 

Put simply, the “essential” in Essential Eight refers to the eight mitigation strategies which have an RSER of essential. 

When these Essential Eight security strategies are implemented effectively, it is much harder for adversaries to breach your network. While no set of mitigation strategies can provide guaranteed protection against all cyber threats, organisations are recommended to implement and regularly revalidate the Essential Eight as a baseline.

It is estimated that effective implementation of the Essential Eight can mitigate (but not eliminate) up to 85% of targeted cyber-attacks against Microsoft Windows-based networks. And that certainly helps us sleep better at night! 

The Essential Eight Mitigation Strategies
Table 1: The Essential Eight Mitigation Strategies
Application Control
User Application Hardening
Patch Applications
Restrict Administrative Privileges
Patch Operating Systems
Multi-Factor Authentication
Configure Microsoft Office Macro Settings
Perform Regular Backups

Mitigation Strategy Controls

Each Mitigation Strategy has several security controls or requirements, which are used to determine its maturity level. As an example, below is a list of all the security controls for MFA (multi-factor authentication).

RELATED CONTENT: What is the most secure multi-factor authentication method?

Table 2: Security Controls for MFA

Maturity Level 1
MFA is used by an organisation’s users if they authenticate to their organisation’s internet-facing services.
MFA is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store, or communicate their organisation’s sensitive data.
MFA (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store, or communicate their organisation’s non-sensitive data.
MFA is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.

Maturity Level 2
MFA is used to authenticate privileged users of systems.
MFA uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
Successful and unsuccessful multi-factor authentications are logged.

Maturity Level 3
Successful and unsuccessful multi-factor authentications are centrally logged and protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.

To be assessed as meeting the requirements of a maturity level, your organisation needs to have implemented all the controls for each mitigation strategy, up to and including, that maturity level.
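The cumulative rule above is easy to get wrong in a spreadsheet: a strategy whose Level 2 controls are all in place still scores 0 if a single Level 1 control is missing. The following is an added example (not Kinetic IT’s or ASD’s tooling) that scores a mitigation strategy under that rule and reproduces the "implemented/total" and "partial" counts of the assessment report format. The control statuses are constructed to match two rows of the report table later in the article; how the partial controls are distributed across levels is an assumption.

```python
"""Added example: scoring an Essential Eight mitigation strategy under the
ASD cumulative maturity rule. Illustrative code, not Kinetic IT's or ASD's
tooling; the control statuses used below are constructed sample data."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    NOT_IMPLEMENTED = "not implemented"


@dataclass(frozen=True)
class Control:
    level: int          # maturity level the control belongs to (1, 2 or 3)
    description: str
    status: Status


@dataclass
class StrategyResult:
    name: str
    maturity: int                # highest level met; 0 if Level 1 is not fully met
    implemented: Dict[int, str]  # level -> "implemented/total", e.g. {1: "4/5", 2: "4/7"}
    partial: int                 # controls only partially implemented, at any level


def assess_strategy(name: str, controls: List[Control]) -> StrategyResult:
    """Level N is met only if every control at levels 1..N is fully implemented.
    A partially implemented control counts as not implemented."""
    top = max((c.level for c in controls), default=0)
    counts: Dict[int, str] = {}
    maturity = 0
    lower_levels_met = True
    for level in range(1, top + 1):
        at_level = [c for c in controls if c.level == level]
        done = sum(c.status is Status.IMPLEMENTED for c in at_level)
        counts[level] = f"{done}/{len(at_level)}"
        # An empty level was not assessed, so it cannot be claimed as met.
        if lower_levels_met and at_level and done == len(at_level):
            maturity = level
        else:
            lower_levels_met = False
    partial = sum(c.status is Status.PARTIAL for c in controls)
    return StrategyResult(name, maturity, counts, partial)


def overall_maturity(results: List[StrategyResult]) -> int:
    """An organisation's Essential Eight maturity is bounded by its weakest strategy."""
    return min((r.maturity for r in results), default=0)


def constructed_controls(level: int, implemented: int, partial: int, total: int) -> List[Control]:
    """Generate placeholder controls that reproduce an 'implemented/total' count.
    Constructed sample data: a real assessment records each ASD control by name."""
    statuses = ([Status.IMPLEMENTED] * implemented + [Status.PARTIAL] * partial
                + [Status.NOT_IMPLEMENTED] * (total - implemented - partial))
    return [Control(level, f"ML{level} control {i + 1}", s) for i, s in enumerate(statuses)]


# Constructed inputs matching two rows of the article's assessment report table
# (counts only; placing the Patch OS partial control at Level 3 is an assumption).
PATCH_OS = (constructed_controls(1, 4, 0, 4)
            + constructed_controls(2, 6, 0, 6)
            + constructed_controls(3, 0, 1, 1))
PATCH_APPS = (constructed_controls(1, 4, 1, 5)
              + constructed_controls(2, 4, 2, 7))


def report(results: List[StrategyResult]) -> List[str]:
    """Render one line per strategy in the shape of the assessment report table."""
    rows = []
    for r in results:
        levels = " ".join(f"ML{lvl}={r.implemented[lvl]}" for lvl in sorted(r.implemented))
        rows.append(f"{r.name:<28} maturity={r.maturity} {levels} partial={r.partial}")
    return rows


if __name__ == "__main__":
    results = [assess_strategy("Patch Operating Systems", PATCH_OS),
               assess_strategy("Patch Applications", PATCH_APPS)]
    print("\n".join(report(results)))
    print(f"Overall maturity: {overall_maturity(results)}")
```

Run as a script it prints Patch Operating Systems at maturity 2 and Patch Applications at maturity 0, with the organisation's overall maturity bounded at 0 by the weaker strategy; a strategy with every Level 2 control in place but one Level 1 control missing also scores 0, which is the point of the cumulative rule.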

Outside the Eight

For context, below is a snapshot of some of the 27 mitigation strategies with an RSER below that of essential. This is not to say that the other 27 mitigation strategies are not important. It is purely intended to highlight what the Essential Eight are not, as well as what can subsequently be tackled to mitigate the remaining 15% of risk from targeted attacks.

Table 3: Mitigation Strategies with an RSER below essential

Mitigation Strategy                                          RSER
Network segmentation                                         Excellent
Web content filtering                                        Excellent
Email content filtering                                      Excellent
Endpoint detection and response software on all computers    Very good
Anti-virus software with up-to-date signatures               Limited
IDS/IPS                                                      Limited

Elevating Risk Awareness and Ownership

Unlike a Penetration Test, an Essential Eight Assessment does not physically or logically touch your network or systems in any way. Rather, the assessment is carried out via a series of interviews with key stakeholders, so its accuracy depends on what those stakeholders report; where possible, answers should be supported by configuration exports or screenshots. The Essential Eight Assessment then rates your organisation’s effectiveness in implementing each of the eight mitigation strategies against its controls.

This can be summarised and reported as seen in the table below. An entire assessment, including report production, can take as little as a few days to complete, so it is a low-cost, high-value exercise.

Table 4: Essential Eight Assessment Report

Mitigation Strategy                          Current Maturity   Level 1 Controls   Level 2 Controls   Partial Controls
                                                                Implemented        Implemented        Implemented
Application Control                          0                  0/1                1/2                3
Patch Applications                           0                  4/5                4/7                3
Patch Operating Systems                      2                  4/4                6/6                1
Configure Microsoft Office Macro Settings    0                  3/4                7/11               1
User Application Hardening                   0                  3/5                7/12               0
Restrict Administrative Privileges           0                  1/5                1/5                0
Multi-Factor Authentication                  0                  1/4                5/7                0
Perform Regular Backups                      0                  1/4                3/4                1

For each of the eight mitigation strategies, the Essential Eight Assessment Report will also describe the risks associated with the individual controls that are not implemented to the required maturity level. Quotes can then be obtained and costs calculated for the work needed to address the identified risks.

While the language of an Essential Eight Assessment will be technical and low-level in nature, it can be used to underpin and validate an Executive or Board Level Security Risk Report. As a starting point, this makes very clear to Executive Management and Board Members what the organisational security gaps are against an industry-recognised standard, and who owns the risks associated with choosing not to commit funds to address those gaps.

For more information on how Kinetic IT’s security solution PROTECT+  can help you get 85% of the way towards a better night’s sleep through an Essential Eight Assessment, please contact  protect@kineticit.com.au

About Mark Pacitti

Mark Pacitti is an Account Manager within Kinetic IT’s cybersecurity practice, PROTECT+. Mark has more than 25 years’ experience in the ICT industry, including a focus on cybersecurity in recent years. Throughout his career he has taken pride in first and foremost building customer relationships based on value and trust.
