Australian agencies no longer have to apply "extreme risk" patches to applications and operating systems used by high-risk and regular users on different cyles in order to qualify for a middle level of maturity under the government’s “Essential Eight” model.
The change is one of several made by the Australian Cyber Security Centre (ACSC) to the Essential Eight maturity model, which was re-published overnight.
The public-facing portion of the model is now noticeably slimmer; whereas it previously had five levels of maturity, it now has three.
The former “maturity level zero” - essentially indicating what underdone security looked like - has vanished entirely.
There is also no longer published guidance for what was known as “maturity level four”, a higher-risk category.
Agencies falling into this category are now advised to “contact the ACSC for additional advice”.
Patch timing
One major change is around patching regimes - which account for two of the so-called 'Top 4' mitigations that are mandatory for agencies to meet.
Previously, to attain level two maturity, agencies had to adopt a two-lane approach to applying "extreme risk" patches, whereby high-risk users’ machines were patched within 48 hours, and everyone else was patched within two weeks.
The 48 hour requirement for high-risk users has been dropped from level two, and is now only a requirement at level three - the level at which ACSC says agencies should aspire to be anyway.
(Before and after of word changes around patching for the 'Essential Eight')Taking longer than 48 hours to apply "extreme risk" patches to any user, however, runs counter to guidance in the Information Security Manual (ISM) [pdf]. The ISM says "extreme risk" patches should be applied within 48 hours, "high risk" patches within two weeks, and "moderate or low risk" patches within one month.
Timely patching has been called out in past audits of compliance with the Essential Eight mitigation strategies.
To achieve level three, an additional requirement has been added for some form of automation around patch management.
“An automated mechanism is used to confirm and record that deployed application and driver patches or updates [and operating system and firmware patches or updates] have been installed, applied successfully and remain in place,” the new requirement reads.
Other changes
Elsewhere, requirements have been beefed up.
Application whitelisting was previously only required for “high-risk” users to achieve either level one or level two maturity; this has now been upgraded to “all workstations”.
For multi-factor authentication, “SMS messages, emails and/or voice calls” are now no longer acceptable factors for level two maturity.
In addition, all maturity levels have a slight wording change, replacing “passphrases” with “passwords with six or more characters” as an acceptable factor.
On user application hardening, the lowest level of maturity no longer permits ‘click to play’ prompts for Flash content; it must now be blocked or disabled at all levels, reflecting revised guidance provided at the end of last year.
There is a new requirement for level three agencies to test backups “at least daily”, compared to the prior guidance of “daily”, and for level one agencies to test recovery mechanisms work “at least once”.
