ASD’S ESSENTIAL EIGHT AT A GLANCE
While no single mitigation strategy is guaranteed to prevent cyber security incidents, organisations are recom- mended to implement eight essential mitigation strategies as a baseline.
This baseline, known as the Es- sential Eight, makes it much harder for adversaries to compromise sys- tems. Furthermore, implementing the Essential Eight pro-actively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber se- curity incident.
Before implementing any of the mitigation strategies, organisa- tions should perform the following activities:
• identify which systems require protection (ie which systems store, process or communicate sensitive information or other in- formation with a high availability requirement)
• identify which adversaries are most likely to target their systems (eg nation-states, cyber criminals or malicious insiders)
• identify what level of protection is required (ie selecting mitigation strategies to implement based on the risks to business activities from specific adversaries).
There is a suggested implementa- tion order for each adversary to assist organisations in building a strong cy- ber security posture for their systems. Once organisations have implement- ed their desired mitigation strategies to an initial level, they should focus on increasing the maturity of their imple- mentation such that they eventually reach full alignment with the intent of each mitigation strategy.
1. Application whitelisting
2. Configure Microsoft Office macro
settings
3. Patch applications
4. User application hardening
5. Restrict administrative privileges 6. Patch operating systems
7. Multi-factor authentication
8. Daily backups
For more information about mak- ing your business cyber smart, head to www.cyber.gov.au or contact ACSC.
ASD and ACSC
LTGEN Frewen was clear that his double hatted status is a temporary move until Ra- chel Noble replaces MacGibbon as head of ACSC. ASD has grown and expanded from support to military operations. As ASD transitioned to statutory authority status in 2018, the Chief of the Defence Force was very keen to ensure ASD didn’t get drawn away from support to military operations. LTGEN Frewen brings a ‘customer set of eyes’ to the range of intelligence and cyber challenges that both Defence and govern- ment similarly face.
“Deployed and home-based systems are increasingly integrated and the challenges are growing as more devices and platforms become connected. There’s no going back and the world is only going to become more connected,” LTGEN Frewen said.
The industry facing side of the piece un- der ACSC has been an interesting transi- tion for the organisation, with the govern- ment workforce seeing a mix of security clearances depending on the task at hand, with movement between cyber sections more free under the new model.
“We have Joint Cyber Security Centres (JCSCs) in all capital cities except Hobart and Darwin. Not just Canberra – they provide a space to talk to industry, to hold training, exercises and discussion. They play an important part in raising aware- ness and increasing cyber resilience. The community, business and government can come together to get advice,” LTGEN Frewen explained to ADM.
This is a frequent activity for ACSC as ‘there is no set and forget cyber solution’, LTGEN Frewen said. ASD works closely with Major General Marcus Thompson’s Information Warfare Division in VCDF Group. See ADM’s May edition for more on Information Warfare Divisions’ work under MAJGEN Thompson.
“Cyber awareness is increasing, we need to keep apace of the constantly evolving threat,” LTGEN Frewen said. “Cyber secu- rity is hard but the majority of the threats are known and can be effectively mitigated by applying ASD’s Essential Eight (see box for more on the Essential Eight).
“Third party providers are a concern as vulnerable in the supply chain. We need an
enterprise wide approach when it comes to cyber management across the supply chain.”
More than ICT
Confirming that cyber is not just an ICT problem but a whole of business and whole of government issue, cyber policies need constant attention as threat actors are per- sistently looking for opportunities. This awareness is a rising tide that is benefitting everyone, LTGEN Frewen said.
“Our resilience can always be better but there are so many resources available to sup- port government agencies and business look- ing to make sure they are working to an ap- propriate level,” LTGEN Frewen explained to ADM. “The future will hold many chal- lenges for us. AI and quantum computing era will mean things we can’t yet possibly comprehend. There are great benefits to mankind and risks too. We need to evolve as we won’t need humans to build firewalls, we’ll need to train them to work in the cyber security space of the future. Clearheaded and sophisticated thinking is required to ensure we are prepared for the future. Humans are central and essential to being prepared.”
www.australiandefence.com.au | July 2019 | 19
GETTY