The Australian Signals Directorate (ASD) has recently updated its Essential Eight Maturity Model, reflecting the evolving cybersecurity landscape and the need for more robust defenses against increasingly sophisticated threats. Below is an overview and analysis of the key changes made in November 2023, highlighting their significance and implications for organizations striving to enhance their cybersecurity posture.
Key Changes and Their Importance
- Patching Applications and Operating Systems:
  - Critical Vulnerability Response: The update mandates a 48-hour response time for critical vulnerabilities, emphasizing the urgency of addressing high-risk scenarios. This change, applicable across all maturity levels, underscores the importance of rapid response to prevent exploitation by malicious actors.
  - Prioritized Patching Guidance: Applications that frequently interact with untrusted internet content must now be patched within two weeks (previously one month), and vulnerability scanning for these applications at Maturity Level One moves to weekly (previously fortnightly). This highlights the need for proactive defense against common attack vectors.
  - Rebalanced Patching for Less Critical Systems: Patching timeframes for operating systems on less critical devices are extended to one month, with a corresponding adjustment in vulnerability scanning frequency. This reflects a more nuanced approach to resource allocation, balancing security with operational practicality.
- Multi-Factor Authentication (MFA):
  - Enhanced MFA Standards: The introduction of a minimum standard for MFA at Maturity Level One, requiring ‘something users have’ in addition to ‘something users know’, addresses the weaknesses in previous MFA implementations. This change is crucial in fortifying authentication processes against common attack methods.
  - Phishing-Resistant MFA: The requirement for phishing-resistant MFA at lower maturity levels, and for customer-facing services storing sensitive data, reflects an acknowledgment of the growing sophistication of social engineering and phishing attacks. This proactive stance is vital for protecting both organizational and customer data.
- Restrict Administrative Privileges:
  - Governance of Privileged Access: The addition of requirements for consistent governance processes in granting and rescinding privileged access, applicable across all maturity levels, is a critical step in controlling one of the most targeted aspects of cybersecurity – privileged accounts.
  - Internet Access for Privileged Accounts: The amendment allowing limited internet access for privileged accounts, under strict controls, recognizes the practical needs of managing cloud services while maintaining security integrity.
- Application Control and Microsoft Office Macros:
  - Annual Review of Application Control Rulesets: The emphasis on regular reviews, together with the implementation of Microsoft’s recommended application blocklist at a lower maturity level, reflects an adaptive approach to the ‘living off the land’ techniques used by attackers.
  - Changes in Macro Management: The removal of the requirement for macro execution event logging, and the new mandate for more secure V3 digital signatures for macros at Maturity Level Three, demonstrate a shift towards more effective and practical control measures.
- User Application Hardening:
  - Disabling or Removing Internet Explorer 11: This change acknowledges the risks associated with unsupported software and the necessity of keeping the application landscape up to date and secure.
  - Enhanced Hardening Guidance: The requirement to implement both ASD and vendor hardening guidance, with the more stringent taking precedence, reinforces the importance of a layered and comprehensive approach to application security.
- Regular Backups:
  - Business Criticality in Backups: While no significant changes were made, the encouragement to consider the business criticality of data in prioritizing backups is a reminder of the importance of a strategic approach to data resilience.
- Cross-Cutting Measures:
  - Event Log Management: The requirement for centralized collection, protection, and analysis of event logs at Maturity Level Two, with a focus on internet-facing infrastructure, represents a strategic approach to detecting and responding to potential compromises.
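As an added example (not from ASD's model or the original post), the following Python check turns the patching timeframes summarized above (48 hours for critical vulnerabilities, two weeks for applications handling untrusted internet content, one month for operating systems on less critical devices) into deadline checks over constructed findings. Reading "one month" as 30 days and giving every unmatched case the one-month window are assumptions, as is the sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows as stated in the summary above (a simplified reading of the
# November 2023 changes, not ASD's full maturity model).
WINDOW_CRITICAL = timedelta(hours=48)            # critical vulnerabilities, all levels
WINDOW_INTERNET_FACING_APP = timedelta(weeks=2)  # apps handling untrusted internet content
WINDOW_ONE_MONTH = timedelta(days=30)            # OS on less critical devices (30-day approximation)

@dataclass
class Finding:
    asset: str
    kind: str                 # "application" or "operating_system"
    critical: bool            # vulnerability rated critical
    untrusted_internet: bool  # app frequently interacts with untrusted internet content
    published: datetime       # when the fix became available
    patched: Optional[datetime] = None

def patch_window(f: Finding) -> timedelta:
    """Map a finding to the patching window described in the summary above."""
    if f.critical:
        return WINDOW_CRITICAL
    if f.kind == "application" and f.untrusted_internet:
        return WINDOW_INTERNET_FACING_APP
    return WINDOW_ONE_MONTH  # assumption: everything else gets the one-month window

def patch_status(f: Finding, now: datetime) -> str:
    """'met'/'late' for patched findings, 'open'/'overdue' for unpatched ones."""
    due = f.published + patch_window(f)
    if f.patched is not None:
        return "met" if f.patched <= due else "late"
    return "overdue" if now > due else "open"

def report(findings: list, now: datetime) -> dict:
    return {f.asset: patch_status(f, now) for f in findings}

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample findings (not real vulnerability data).
NOW = utc(2023, 12, 1)
SAMPLE = [
    Finding("browser", "application", False, True, utc(2023, 11, 10), utc(2023, 11, 20)),
    Finding("vpn-gateway", "application", True, True, utc(2023, 11, 28)),
    Finding("kiosk-os", "operating_system", False, False, utc(2023, 11, 15)),
    Finding("mail-client", "application", False, True, utc(2023, 10, 1), utc(2023, 10, 20)),
]

print(report(SAMPLE, NOW))  # {'browser': 'met', 'vpn-gateway': 'overdue', 'kiosk-os': 'open', 'mail-client': 'late'}
```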
The November 2023 updates to the ACSC’s Essential Eight Maturity Model signify a strategic and nuanced evolution in Australia’s cybersecurity framework. These changes reflect a deep understanding of the current threat landscape and a commitment to providing organizations with practical, effective guidance to bolster their defenses. As cyber threats continue to evolve, these updates are a crucial step in ensuring that Australian organizations remain resilient and secure in an increasingly complex digital world.