The Australian Signals Directorate has undertaken a significant revamp of its top four strategies to mitigate targeted cyber intrusions, doubling the core security controls to eight and expanding its reach to cover a wider threat range than just "targeted" attacks.
It's the first overhaul since 2014 of the highly regarded controls, which are mandatory for all government agencies and form the basis of the security posture of many private enterprises.
ASD first published the guidance in 2010. It says the controls mitigate over 85 percent of techniques used in targeted cyber intrusions.
Until now, the document has centred on four strategies: application whitelisting, patching applications, patching operating system vulnerabilities, and restricting administrative privileges.
Once those four had been met, agencies could choose to implement additional mitigation strategies to address remaining security gaps from a list of 30 other recommended controls.
Now the ASD has extended that core list from four to eight, under what it is now calling the "essential eight" strategies to mitigate cyber security incidents.
The list now includes "essential" requirements to disable untrusted Office macros, harden user applications, back up important data daily, and implement multi-factor authentication.
Untrusted Office macros should be disabled to prevent malware running and to block adversaries from accessing sensitive information, the ASD said.
End user applications need to be hardened - web browsers should block Adobe's Flash player, web advertisements and untrusted Java code - to shut down popular malware delivery vehicles.
Important data must be backed up daily and the backups stored securely offline, so an agency can restore it in the event of a cyber security incident such as ransomware.
And agencies must implement multi-factor authentication to make it "a lot harder for adversaries to access your information", combining, for example, a passphrase, a physical token and/or biometric data, the ASD said.
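Of the four new controls, the macro setting is the one most often left to individual users. The following PowerShell script is an added example (not part of the article or of the ASD guidance) that audits, and with `-Remediate` sets, the per-user Office macro policy for Word, Excel and PowerPoint. It assumes an Office 2016/2019/365 install (registry version key `16.0`) and uses the `VBAWarnings` and `blockcontentexecutionfrominternet` values from the Office Group Policy templates; the baseline it enforces (macros disabled unless digitally signed, and macros in files from the internet blocked) is this example's choice, not a value quoted in the article.

```powershell
# Added example, not from the ASD guidance or the article: audit (and optionally set)
# the per-user Office macro policy for Word, Excel and PowerPoint.
# Assumes Office 2016/2019/365 (registry version "16.0"). Values come from the Office
# Group Policy templates:
#   VBAWarnings                        1 = enable all, 2 = disable with notification,
#                                      3 = disable except digitally signed, 4 = disable all
#   blockcontentexecutionfrominternet  1 = block macros in files marked as from the internet
# The baseline below (VBAWarnings >= 3 and block-from-internet = 1) is an assumption
# made for this example.
[CmdletBinding()]
param(
    [switch]$Remediate,
    [int]$RequiredVbaWarnings = 3
)

$apps = 'Word', 'Excel', 'PowerPoint'
$results = foreach ($app in $apps) {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $vba   = $null
    $block = $null

    # An absent policy key means the setting is left to the user's Trust Center choice,
    # which is the weak state this check is designed to surface.
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $vba   = $props.VBAWarnings
        $block = $props.blockcontentexecutionfrominternet
    }

    $compliant = ($vba -ge $RequiredVbaWarnings) -and ($block -eq 1)

    if ($Remediate -and -not $compliant) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $RequiredVbaWarnings -Force | Out-Null
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord `
            -Value 1 -Force | Out-Null
        $vba = $RequiredVbaWarnings; $block = 1; $compliant = $true
    }

    [pscustomobject]@{
        Application         = $app
        VBAWarnings         = if ($null -eq $vba)   { 'not set (user-controlled)' } else { $vba }
        BlockInternetMacros = if ($null -eq $block) { 'not set' } else { $block }
        Compliant           = $compliant
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so the script can be used as a compliance check in a scheduled job.
if ($results.Compliant -contains $false) { exit 1 }
```

Run it without arguments to report, or with `-Remediate` to write the policy values for the current user. In an enterprise the same values should be delivered by Group Policy (the HKLM policy hive or a GPO) rather than set per user, and this script is best used as an audit that confirms the policy actually landed; it also does not inspect Trusted Locations, which can exempt files from the macro policy and should be reviewed separately.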
Previously, the controls around Office macro settings, multi-factor authentication, and user application hardening were listed among the 30 extra mitigations organisations could choose to implement.
They have now been escalated to "essential" status, but do not become mandatory unless, and until, the government decides to include them alongside the existing top four in its protective security policy framework (PSPF).
Defence and the Attorney-General's Department are currently reviewing whether to update the PSPF to include the four new "essential" controls. No timeline for a decision has been given.
Once the essential eight mitigation strategies have been correctly implemented, the ASD says, a "baseline cyber security posture has been achieved".
"While no single mitigation strategy is guaranteed to prevent cyber security incidents, ASD recommends organisations implement a package of eight essential strategies as a baseline," it said in official guidance, sighted by iTnews.
"This baseline makes it much harder for adversaries to compromise systems."
The controls list has been broadened in scope to capture not only targeted cyber intrusions, but also ransomware, malicious insiders, business email compromise, "external adversaries with destructive intent", and threats to industrial control systems.
The ASD advises organisations to implement the controls first for high-risk users and for computers that hold important data or are exposed to "untrustworthy internet content", and then for all other users and computers.
The new controls will be published to the ASD's website today.
Government agencies are required to report on their compliance with the top four strategies as part of their required annual PSPF security assessments to their relevant minister.
They are able to set their own timeframes for implementing the mandatory security controls based on their unique environments, but must report on their progress toward doing so.