iTnews

Overhaul of ASD's Top 4 cyber threat strategies

By Allie Coyne on Feb 6, 2017 12:00AM

Broadened to "essential eight".

The Australian Signals Directorate has undertaken a significant revamp of its top four strategies to mitigate targeted cyber intrusions, doubling the core security controls to eight and expanding its reach to cover a wider threat range than just "targeted" attacks.

It's the first overhaul to the highly-regarded controls - which are mandatory for all government agencies, and which form the basis for the security posture of many private enterprises - since 2014.

ASD first published the guidance in 2010. It says the controls mitigate over 85 percent of techniques used in targeted cyber intrusions. 

Until now, the document [pdf] has centred on four strategies: application whitelisting, patching applications, patching operating system vulnerabilities, and restricting administrative privileges.

Once those four had been met, agencies could choose to implement additional mitigation strategies from a list of 30 other recommended controls to address security gaps.

Now the ASD has extended that core list from four to eight, under what it is now calling the "essential eight" strategies to mitigate cyber security incidents.

The list now includes "essential" requirements to disable untrusted Office macros, harden user applications, back up important data daily, and implement multi-factor authentication.

Untrusted Office macros should be disabled to prevent malware running and to block adversaries from accessing sensitive information, the ASD said.

End user applications need to be hardened - web browser access to Adobe's Flash player, web advertisements, and untrusted Java code should be blocked - to shut down popular malware delivery vehicles.

All data must be backed up and securely stored offline so an agency can access it again in the event of a cyber security incident.

And agencies must implement multi-factor authentication to make it "a lot harder for adversaries to access your information", using, for example, a passphrase, physical token, and/or biometric data, the ASD said.

Previously, the controls around Office macro settings, multi-factor authentication, and user application hardening were listed among the 30 extra mitigations organisations could choose to implement.

They have now been escalated to "essential" status, but do not become mandatory until - and if - the government decides to include them alongside the existing top four in its protective security policy framework (PSPF).

Defence and the Attorney-General's Department are currently reviewing whether to update the PSPF to include the four new "essential" controls. No timeline for a decision has been given.

Once the essential eight mitigation strategies have been correctly implemented, the ASD says, a "baseline cyber security posture has been achieved".

"While no single mitigation strategy is guaranteed to prevent cyber security incidents, ASD recommends organisations implement a package of eight essential strategies as a baseline," it said in official guidance, sighted by iTnews.

"This baseline makes it much harder for adversaries to compromise systems."

The controls list has been broadened in scope to capture not only targeted cyber intrusions, but also ransomware, malicious insiders, business email compromise, "external adversaries with destructive intent", and threats to industrial control systems.

The ASD advises organisations to first implement the controls for high-risk users and computers with access to important data and those exposed to "untrustworthy internet content", before implementing them for all other users and computers.

The new controls will be published to the ASD's website today.

Government agencies are required to report on their compliance with the top four strategies as part of their required annual PSPF security assessments to their relevant minister.

They are able to determine their own timeframes for implementing the mandatory security controls based on their unique environments, but need to chart how they are working towards doing so.
