The Essential Eight
The ACSC recommends that organisations implement eight essential mitigation strategies as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems. Please check the ACSC website for the latest version of the Essential Eight and maturity model.
The ACSC Essential Eight was refreshed on 12 July 2021. This update focused on using the maturity levels to counter the sophistication of different levels of adversary tradecraft and targeting, rather than being aligned to the intent of a mitigation strategy. The redefinition of a number of maturity levels will also strengthen a risk-based approach to implementation of the Essential Eight strategies. As the maturity model has been redefined and many requirements have changed, maturity assessments for the July 2021 model should not be directly compared to earlier versions of Essential Eight.
- Essential Eight Maturity Model FAQ
- Essential Eight Maturity Model
- Cyber Security Terminology
- Information Security Manual (ISM)
| Mitigation Strategy | What | Why |
|---|---|---|
| Application control | Check programs against a pre-defined approved list and block all programs not on that list. | Unapproved programs, including malware, are unable to start, which prevents attackers from running programs that would let them gain access or steal data. |
| Patch applications | Apply security fixes/patches or mitigations (temporary workarounds) for programs in a timely manner (48 hours for internet-reachable applications). Do not use applications that are out of support and no longer receive security fixes. | Unpatched applications can be exploited by attackers and, in the worst case, let an attacker completely take over an application, access all information held within it, and use that access to reach connected systems. |
| Configure MS Office macro settings | Only allow Office macros (automated commands) where there is a business requirement, and restrict the type of commands a macro can execute. Also monitor macro usage. | Macros can be used to run automated malicious commands that could let an attacker download and install malware. |
| User application hardening | Configure key programs (web browsers, Office, PDF software, etc.) with settings that make it more difficult for an attacker to successfully run commands that install malware. | Default settings on key programs such as web browsers may not be the most secure configuration. Changing them reduces the ability of a compromised or malicious website to successfully download and install malware. |
| Restrict administrative privileges | Limit how accounts with the ability to administer and alter key system and security settings can be accessed and used. | Administrator accounts are 'the keys to the kingdom', so controlling their use makes it more difficult for an attacker to identify and gain access to one of these accounts, which would give them significant control over systems. |
| Patch operating systems | Apply security fixes/patches or temporary workarounds/mitigations for operating systems (e.g. Windows) in a timely manner (48 hours for internet-reachable applications). Do not use versions of an operating system that are old and/or no longer receiving security fixes. | Unpatched operating systems can be exploited by attackers and, in the worst case, let an attacker completely take over an application, access all information held within it, and use that access to reach connected systems. |
| Multi-factor authentication | A method of validating the user logging in by using additional checks separate from a password, such as a code from an SMS/mobile application or a fingerprint scan. | Makes it significantly more difficult for adversaries to use stolen user credentials to facilitate further malicious activity. |
| Regular backups | Regular backups of important new or changed data, software and configuration settings, stored disconnected and retained for at least three months. Test the restoration process when the backup capability is initially implemented, annually, and whenever IT infrastructure changes. | Ensures information can be accessed following a cyber security incident (e.g. a ransomware incident). |
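The "Patch applications" and "Patch operating systems" rows set a 48-hour window for internet-reachable assets and rule out software that no longer receives security fixes. The script below is an added example (not ACSC tooling and not part of the original page) of how an organisation might check its own patch records against those two requirements. The inventory, the asset and software names, and the `WINDOW_INTERNAL` deadline for non-internet-reachable assets are all constructed or assumed placeholders; only the 48-hour figure and the out-of-support rule come from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Deadline stated on the page for internet-reachable applications and systems.
WINDOW_INTERNET_REACHABLE = timedelta(hours=48)
# ASSUMPTION: the page gives no deadline for other assets; 14 days is a
# placeholder to be replaced with the organisation's own target.
WINDOW_INTERNAL = timedelta(days=14)


@dataclass(frozen=True)
class PatchRecord:
    """One outstanding or completed patch for one piece of software on one asset."""
    asset: str
    software: str
    internet_reachable: bool
    vendor_supported: bool
    patch_released: Optional[datetime]  # None when no fix is pending
    patch_applied: Optional[datetime]   # None while the fix is still outstanding


def deadline_for(record: PatchRecord) -> datetime:
    """Deadline by which the released fix must be applied."""
    window = WINDOW_INTERNET_REACHABLE if record.internet_reachable else WINDOW_INTERNAL
    return record.patch_released + window


def _hours(delta: timedelta) -> str:
    return f"{int(delta.total_seconds() // 3600)}h"


def assess_record(record: PatchRecord, now: datetime) -> Optional[str]:
    """Return a finding, or None when the record meets the baseline."""
    # Out-of-support software is a finding regardless of patch state.
    if not record.vendor_supported:
        return "out-of-support software in use"
    if record.patch_released is None:
        return None  # nothing to apply
    due = deadline_for(record)
    if record.patch_applied is None:
        # Still inside the window: not yet a finding.
        return f"patch overdue by {_hours(now - due)}" if now > due else None
    if record.patch_applied > due:
        return f"patch applied {_hours(record.patch_applied - due)} after deadline"
    return None


def assess(records: List[PatchRecord], now: datetime) -> List[Tuple[str, str, str]]:
    """Run every record through assess_record and return (asset, software, finding) triples."""
    findings = []
    for record in records:
        finding = assess_record(record, now)
        if finding is not None:
            findings.append((record.asset, record.software, finding))
    return findings


def _utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample inventory; names and dates are made up for illustration.
NOW = _utc(2021, 7, 20, 0, 0)
SAMPLE_INVENTORY = [
    # Internet-reachable, fixed 36h after release: compliant.
    PatchRecord("web01", "webapp-framework", True, True, _utc(2021, 7, 17), _utc(2021, 7, 18, 12)),
    # Internet-reachable, fix released 72h ago and still not applied: overdue.
    PatchRecord("web02", "webapp-framework", True, True, _utc(2021, 7, 17), None),
    # Internal, fixed within the placeholder 14-day window: compliant.
    PatchRecord("fs01", "office-suite", False, True, _utc(2021, 7, 10), _utc(2021, 7, 15)),
    # No longer receives security fixes: finding on that basis alone.
    PatchRecord("legacy01", "legacy-erp", False, False, None, None),
    # Internet-reachable, fix released 24h ago: still inside the 48h window.
    PatchRecord("vpn01", "gateway-os", True, True, _utc(2021, 7, 19), None),
    # Internal, applied 17 days after release: late against the placeholder window.
    PatchRecord("ws05", "desktop-os", False, True, _utc(2021, 7, 1), _utc(2021, 7, 18)),
]

if __name__ == "__main__":
    for asset, software, finding in assess(SAMPLE_INVENTORY, NOW):
        print(f"{asset:<10}{software:<20}{finding}")
```

Records that are still inside their window produce no finding, so the report only lists what actually breaches the baseline; feeding it a real inventory export and the organisation's own internal deadline turns it into a simple recurring self-check.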