Australian Cyber Security Magazine, ISSUE 6, 2018


Cover Feature Cyber Security

Implementing the essential eight

By Tony Campbell, ACSM Editor

The Australian Cyber Security Centre’s (ACSC) most cited security guidance is “Strategies to Mitigate Cyber Security Incidents”, more commonly called the Essential Eight. Let’s look at these eight security controls and see why ACSC recommends that all organisations adopt them to bolster their cyber defences.

Get the Basics Right

Three of these controls are basic system management procedures that organisations should already be doing. Timely installation of patches (for applications and operating systems), along with backups, is the best place to start. If patches are applied as soon as vendors release them, a significant volume of malware can be rendered inert. Attackers require vulnerabilities for malware to attack: without vulnerabilities, they cannot operate. Modern operating systems and applications automatically install patches, so there’s no excuse to be anything but up-to-date. System backups are fundamental management activities that all organisations should be doing. Backups provide the most reliable way to recover from a virus attack and can be used to recover lost or damaged data. The most prevalent cyber threat affecting today’s organisations is ransomware: data is encrypted and the only way to recover it is to pay the ransom in the hope the criminal will provide the decryption key. However, a properly backed-up system allows quick recovery to a point prior to infection.

System and Application Hardening

The Essential Eight has two controls in this category: hardening Microsoft Office and general user application hardening. Office can run embedded applications that automate certain functions. These applications (macros) are written in an embedded programming language called Visual Basic for Applications (VBA). Macros can access the operating system and pass data between Office applications, which is why criminals use them to write exploit code. Microsoft recognises VBA’s potential for abuse and

