Developing a cyber security baseline can be daunting. Oftentimes the burden falls on the Chief Information Officer or Chief Technology Officer. These executives typically have plenty of information technology expertise but lack enough Information Security expertise to feel comfortable making decisions without outside advice.
This usually leads to engagement with consultants who suggest one of two approaches:
The Tool Salesman: Focused on selling security utilities and/or managed services.
The CPA Model: Focused on selling process audits and gap assessments.
Security utilities, process audits, and gap assessments all have their place in a mature information risk program. Each fails to meet the needs of the organization on its own. Before implementing any tool or assessment, management should establish a security baseline.
Implementing a Risk Based Cyber Security Baseline Based on ASD’s Essential Eight
Approximately 90% of all successful cyber-attacks involve direct interaction with an employee. The most common forms of attack take place via e-mail. Australia’s foreign intelligence collection agency developed an enterprise strategy to address this problem.
The Essential Eight is a prioritized collection of controls meant to protect an organization against the most common cyber threats. The program is designed to provide the greatest reduction of risk for every dollar spent on implementing each control.
Essential Eight Strategy
Mitigation strategies to prevent malware delivery and execution
1. Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
All non-approved applications (including malicious code) are prevented from executing.
2. Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
Microsoft Office macros can be used to deliver and execute malicious code on systems.
3. Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.
Security vulnerabilities in applications can be used to execute malicious code on systems.
4. User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Flash, ads and Java are popular ways to deliver and execute malicious code on systems.
Mitigation strategies to limit the extent of cyber security incidents
5. Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.
6. Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Security vulnerabilities in operating systems can be used to further the compromise of systems.
7. Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
Mitigation strategies to recover data and system availability
8. Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
To ensure information can be accessed again following a cyber security incident (e.g. after a successful ransomware incident).
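Several items in the list above carry measurable thresholds (48-hour patching of ‘extreme risk’ vulnerabilities, daily disconnected backups retained three months, annual restore tests, admin accounts kept away from email and web, MFA on remote access), so a baseline can be checked against an asset inventory. The following Python is an added example, not part of the Essential Eight or of Risk3sixty's tooling; the record schema, finding labels, the 90-day reading of "three months" and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

PATCH_SLA = timedelta(hours=48)            # items 3 and 6: 'extreme risk' within 48 hours
BACKUP_INTERVAL = timedelta(days=1)        # item 8: daily backups
RETENTION = timedelta(days=90)             # item 8: three months (90 days is an assumption)
RESTORE_TEST_INTERVAL = timedelta(days=365)  # item 8: test restoration annually

def audit_host(host, now):
    """Return sorted findings for one inventory record (hypothetical schema)."""
    findings = []
    for v in host["vulns"]:
        closed = v["patched"] or now   # open findings are aged against 'now'
        if v["risk"] == "extreme" and closed - v["published"] > PATCH_SLA:
            findings.append("patch-sla:" + v["id"])
    b = host["backup"]
    if now - b["last_run"] > BACKUP_INTERVAL:
        findings.append("backup-stale")
    if now - b["oldest_copy"] < RETENTION:   # assumes backups have run at least 90 days
        findings.append("backup-retention")
    if not b["offline"]:                      # item 8: stored disconnected
        findings.append("backup-connected")
    if now - b["last_restore_test"] > RESTORE_TEST_INTERVAL:
        findings.append("restore-test-overdue")
    for a in host["accounts"]:
        if a["admin"] and a["mail_or_web"]:   # item 5: no email/web from admin accounts
            findings.append("admin-browsing:" + a["name"])
        if (a["remote"] or a["admin"]) and not a["mfa"]:   # item 7: remote or privileged use
            findings.append("no-mfa:" + a["name"])
    return sorted(findings)

# Constructed sample inventory; identifiers are placeholders, not real advisories.
NOW = datetime(2024, 6, 1, 12, 0)
SAMPLE = {
    "vulns": [
        {"id": "VULN-A", "risk": "extreme", "published": NOW - timedelta(hours=72), "patched": None},
        {"id": "VULN-B", "risk": "extreme", "published": NOW - timedelta(days=10),
         "patched": NOW - timedelta(days=9, hours=1)},
        {"id": "VULN-C", "risk": "moderate", "published": NOW - timedelta(days=30), "patched": None},
    ],
    "backup": {"last_run": NOW - timedelta(hours=30), "oldest_copy": NOW - timedelta(days=120),
               "offline": True, "last_restore_test": NOW - timedelta(days=400)},
    "accounts": [
        {"name": "alice-adm", "admin": True, "mail_or_web": True, "remote": True, "mfa": True},
        {"name": "bob", "admin": False, "mail_or_web": True, "remote": True, "mfa": False},
    ],
}

if __name__ == "__main__":
    print(audit_host(SAMPLE, NOW))
```

Each finding label maps back to one numbered item, which makes the output usable as a starting list for the remediation and budget planning discussed below.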
Risk3sixty’s Approach to Enterprise Information Risk Management
Risk3sixty encourages clients to adopt an information security framework rightsized for their organization. We base this decision on industry, jurisdiction, customer base, maturity and so forth. Common examples include ISO 27001, NIST Cyber Security, CIS CSC 20, and SOC 2.
The Essential Eight is a great starting point. Its controls should fit within all Cyber Security frameworks. We refer to the Essential Eight when developing remediation strategies, budgets, and resource plans.