The DESE ISMS Scheme – A Quick Overview

The Department of Education, Skills and Employment’s (DESE, ‘the Department) new Information Security Management Scheme calls for all providers of employment skills, training, and disability employment services to gain ISO27001 and Right Fit for Risk accreditation.

The objective of this scheme is to ensure that providers are in compliance with the Departments contractual and legal obligations. These obligations aim to ensure the department’s IT environment and confidential data are being managed responsibly via an Information Security Management System (namely, ISO 27001 and the Australian Governments Information Security Manual).

Recognising the baseline requirements of ISO 27001 do not entirely cover the specific and evolving legal requirements for providers, the Department has introduced several new mitigation strategies to bridge these security gaps. These new requirements are referred to as ‘Right Fit for Risk’.

Right Fit for Risk does not undermine or diminish the existing standards for ISO 27001, but rather supplements the baseline requirements to create an Information Security Management System that is specific to the needs and obligations of the Department’s providers.

Under the RFFR, providers with a caseload larger than 2000+ per annum are required to attain certification to the Department’s contractual requirements Statement of Applicability. Certification allows organisations to tender for deeds and provides assurance that government data and personal information is handled securely.

See our RFFR & DESE ISMS Scheme Services here

What is ISO 27001?

The gold standard of Information Security Management Systems is ISO 27001, which is recognised globally and covers 114 security control methods. This ISMS contains all the resources, systems, tools, policies, controls, communication protocols and processes that manage information security in an organisation.

As mentioned, the Department has recognised that there are requirements specific to their providers. Specifically, the DESE ISMS Scheme calls for all providers to implement the clauses in Annex A of ISO 27001 (in other circumstances, these clauses can be omitted at the discretion of the organisation). Otherwise, the ISO 27001 certification process is the same for both providers under this scheme and other businesses.

Accreditation for ISO27001 can be an arduous and time-consuming process, but the benefits of gaining certification are ultimately worth the hassle. On top of securing your organisation’s data and systems, becoming ISO 27001 accredited can open new market opportunities by demonstrating your commitment to protecting customer and client information.

What is RFFR?

The DESE Information Security Management Scheme customises the baseline requirements of ISO 27001 with additional controls set by the Australian Government’s Information Security Manual (ISM).

The scheme, as mentioned, incorporates all the baseline requirements of ISO 27001, HOWEVER you must also develop a Statement of Applicability that considers the specific security risks and needs of your organisation, and the applicability of controls outlined in the Australian Information Security Manual.

Your Statement of Applicability should address RFFR core expectations, such as the Australian Cyber Security Centre’s Essential Eight strategies, personnel security, and data sovereignty.

What is a Statement of Applicability?

As part of the Right Fit for Risk and DESE ISMS Scheme, organisations are required to submit a Statement of Applicability (SOA).

The SOA is a central document that outlines and defines how your organisation has implemented information security. In order to prepare your SOA, you should start off by listing the controls from the Australian Governments Information Security Manual and determine whether they are applicable; which risk or business requirement drives it; and how it will be implemented.

The Right Fit for Risk DESE ISMS Scheme Accreditation Process

The Department is the accrediting authority for this scheme; thus, organisations are required to check in at 3 milestone points throughout the accreditation process.

Milestone 1:

Business Maturity Assessment

Milestone 1 determines how your organisation uses information and manages security. The initial maturity of your organisation’s information security is assessed against the ASD Essential Eight maturity model.

You should work closely with DESE through this process as the Department will provide the guidance and approach needed to advance to further milestones.

Milestone 2:

Statement of Applicability and ISO 27001 Accreditation

Milestone 2 requires the implementation of a customised Information Security Management System PLUS full accreditation of ISO 27001.

This means that in addition to the 114 annex A controls in ISO 27001, your scope should incorporate the controls defined in the Australian Governments Information Security Manual.

You must also submit a Statement of Applicability that, as previously mentioned, determines whether controls in the ISM are applicable to your organisation and how you have implemented these controls.

Tips for achieving this milestone:

• Perform a gap analysis to highlight areas where your information security controls are inadequate
• Perform a threat/risk assessment to identify risks and validate whether the solutions you have already implemented are working as intended
• List the controls in the Australian Governments ISM and justify your reasons for applying or not applying them into your ISMS. If you do not have a justifiable reason for not implementing a certain control, you should consider taking the steps to implement it
• Employ the services of a Managed Service Provider to assist with ISO 27001 implementation. While oftentimes costly, an MSP will speed up the accreditation process exponentially (sometimes by up to 6-12 months)

Milestone 3:

RFFR Accreditation

To pass milestone 3 you’ll need to demonstrate the effective implementation of the ISMS and applicable controls. Ensure you have incorporated the RFFR requirements into your ISMS and scope and taken all the ISM controls into consideration. You should also make your certification body aware of the customised nature of the ISO 27001 certification so you can gain the appropriate accreditation.

See our RFFR & DESE ISMS Scheme Services here

Here’s a not-so-fun fact: 95% of organisations have Office 365 mailboxes that are harbouring malicious emails. Many of these socially engineered attacks can slip through your existing defences, landing in your users’ inboxes and leaving your organisation open to potential risks. Furthermore, viruses and phishing attempts can slip through your gateways and, if left undetected, can cause millions of dollars in loss of revenue.

This is why it’s vitally important for organisations to assess and understand their email security vulnerabilities, and ensure that you and your users are fully protected against hacking attempts.

Biggest threats to your email accounts:

There are many threats that could potentially compromise your email accounts, with the most prevalent being:

1. Business Email Compromise Attacks

A Business Email Compromise (or BEC) attack occurs when a scammer impersonates a high-level executive. They can then trick colleagues, customers and partners into transferring funds, participating in seemingly legitimate transactions, or disclosing sensitive data.

 2. Phishing Attacks

Phishing is the practice of sending fake communications (most commonly emails) that seemingly come from reputable sources with the intention of tricking the receiver into supplying private, commercial or financial information or installing malware. 

3. Malware Delivery

In email scams, malware is always hidden in malicious links and attachments that may look legitimate and reliable but will execute viruses on your devices once opened.

How to combat threats with an Email Threat Scanner

In conjunction with Barracuda, we are offering a free security assessment of your Office 365 environment. Using artificial intelligence and API integration with Office 365, Barracuda Email Threat scanner can quickly and efficiently discover email attacks currently sitting in your mailboxes.

What threats can Barracuda ETS identify?

ETS scans Office 365 environments to identify phishing and other cyber fraud threats that may already exist in your inbox. It allows you to identify:

• Spear phishing
• Business email compromise
• Conversation hijacking
• Brand and domain impersonation
• Extortion
• Scamming
• URL phishing

ETS also reviews high risk employees (those who may be receiving more attacks than others) and detailed threat insights that can be filtered based on individual threat types (such as phishing or BEC).

How does it work?

Contact us for a personalised email threat scanner link! Once we’ve provided you with the link, it takes less than a minute to set up, with no impact on your email performance. Once your scan is complete, we can review the results and discuss how to enhance your email security posture with additional user awareness training and advanced threat detection tools.

Regular Backups

Hi everyone, and welcome to the final episode of eight weeks of the essential eight! In this episode we’ll be discussing regular backups, why they’re considered essential, and how you can achieve maturity level one. Let’s begin!

The ACSC defines this strategy as: Regular backups of important new/changed data, software, and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually, and when IT infrastructure changes.

Why regular backups?

If the mitigation strategies you have meticulously put in place fail, or things go completely sideways due to a catastrophic event, backups are vital for the continuation of your business operations.

Data and files have always been the backbones of businesses, for as long as businesses have existed. Once upon a time, our organisational data was physically held in filing cabinets or piled in boxes in a dingy room in the back of the office. Back then, company data was constantly in danger of going missing, being incorrectly filed, or was at the mercy of natural disasters.

We’ve come a long way from filing cabinets and physical documents. These days, most of our data is stored on servers, hard drives, or in the cloud. But with these technological advancements, our data is now under more threat than ever. Not only do we also experience data loss due to natural disasters and incorrect filing (how many times have you thought ‘now where on earth did I save that document!?’), we must also defend against ransomware/malware attacks, accidental deletions/damage, server outages, and a whole host of other potential threats that are waiting to snatch away your data and remove it from existence, oftentimes with devastating results.

What causes data loss?

As mentioned, there are several ways your data can disappear from the ether, with the most common being:

HUMAN ERROR:

Humans make mistakes, and sometime human error can result in overwriting important files and deleting information that is essential to your business. Human error can also result in other forms of data loss such as spillage, drops, or other accidents that could damage devices/servers.

EXTERNAL SECURITY THREATS:

Viruses, malware and ransomware are the biggest threats to your data. Malware can slow down your systems, and steal or corrupt your data. Worse still, ransomware does the same with the added threat of holding your data ransom until you pay a hefty fee.

OUTAGES:

Power outages can completely halt business operations by shutting your systems and devices down without warning. This not only results in the loss of unsaved data but can also corrupt files due to improper shutdown procedures.

THEFT:

Many businesses assign laptops to their employees and allow them to take their devices with them when they leave the office. This, of course, can result in the loss or theft of company property. If their unbacked-up files on lost or stolen devices, you can say goodbye to those files forever.

How to protect your data

So how do we lessen the impact in the event of data loss? The biggest defence against human error and external threats is to BACK UP YOUR DATA. And I don’t just mean save your files on a hard drive or a USB and tuck it away into a ‘safe’ place – that solution is simply not viable for organisations storing valuable data.

As a business owner, you absolutely need a diligent backup program with multiple backup and recovery points. This brings us to the 3-2-1 backup rule.

WHAT’S THE 3-2-1 BACKUP RULE?

The rule goes like this:

3 COPIES OF YOUR DATA
2 BACKUPS ON DIFFERENT MEDIA (for example, on your computer, external hard drive, or on-premise server)

1 BACKUP OFFSITE (e.g. in the cloud, or in an offsite server or data centre)

Following the 3-2-1 backup rule, it is advised that businesses should have both an on-premise and cloud-based backup solution.

Now let’s delve into maturity level one requirements:

Maturity Level One Requirements

Requirement 1:

Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.

This one is self-explanatory – you should be backing up your data regularly, with multiple disaster recovery points to fall back on in the event of malware or ransomware attacks. At the end of the day, the regularity of your backups is up to you, but as a general rule of thumb, you should make sure you are backing up your data daily and retaining your data for a period of 3 months or more.

Requirement 2:

Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.

Whether your backups are on an on-premise server or in the cloud, you should be testing the accessibility of your data regularly. In the event of a disaster, you need to be able to recover and restore your data from a period before the event occurred. Every 3 months, perform a disaster recovery exercise to ensure that your backups are working correctly and you can access files that are essential to your business.

Requirement 3:

Unprivileged accounts can only access their own backups, so obviously users who have standard user accounts should not be able to access any backups that they have not backed up themselves. This is because standard user accounts can be vulnerable to attack, so it’s best to have important backups well out of reach of your standard accounts.

Requirement 4:

Unprivileged accounts are prevented from modifying or deleting backups.

Similar to requirement 3, standard user accounts should be denied access to the settings or modifications of your backups. This is so if an adversary happens to gain access to a standard user account, they won’t be able to delete or modify your settings, thus rendering your backups useless.

Where do you start? 

There’s a good chance your business already has cloud backups and on-prem backups, buti f you don’t, there are a whole host of solutions available to you.

Here are a couple of our recommendations:

• Veeam
• Barracuda
• Synology
• Or our own cloud backup solution, which can guarantee the safety of your cloud data in our Tier 3 Data Centre.

And that’s it for regular backups!

But before you go, since this is the last episode of this series, I’d like to offer everyone watching a 15% discount on eStorm’s cyber security audits and assessments. During the audit we can assess your essential eight implementation and give you detailed recommendations on how to improve your cyber security position.

Thanks for watching, and as usual, if you have any questions please feel free to contact me. Farewell, until we meet again!

Hi everyone and welcome to episode 7 of eight weeks of the essential eight. In this episode we’re going to discuss multi-factor authentication (AKA MFA), why it’s considered essential, and the maturity level one requirements.

The ACSC defines this strategy as:

Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.

What is Multi-Factor Authentication?

MFA is ‘a method of authentication that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier’.

In simpler terms, MFA is the act of using multiple verification methods to verify a user’s credentials. It adds another layer of security by forcing users to provide another means of identifying oneself.

Let’s imagine you’re a bartender. Someone approaches you asking for a martini (shaken, not stirred) and claims to be over the age of 18, but they’re acting a little suspicious and the felt moustache above their lips is hanging slightly askew. So, you ask for ID and everything seems to check out – the ID card looks legitimate and the photo resembles them exactly.

But we all know that licences can be forged or stolen, and identities can be faked with moustaches purchased from costume stores.

The digital world faces much of the same challenges (minus the fake moustaches). Think of your password and username as your ID – this too can be stolen or forged by adversaries, and it’s easier than you may think. Phishing scams and data breaches both pose serious threats to the security of your login details and information, but multi-factor authentication can offer much better guarantees. In fact, a striking statistic is that MFA prevents 99.9% of identity attacks if implemented correctly.

MFA is based on a combination of different authentication factors. An authentication can come in many different forms, such as a password, a pin, an SMS code, or facial recognition, but these on their own are not enough to secure your account against cyber attackers. You need to use at least two different authentication factors for it to pass as MFA. These factors are; biological (who a user is), knowledge (what a user knows), and possession (what a user has).

Here are a few examples of each factor:

1. The knowledge factor:

   This factor is based on what the user knows. Some examples would be things like a four-digit pin, passwords, or information like your mother’s maiden name, or a previous address.

2. The possession factor:

   This factor is bason on what the user has. The user must have something specific in their possession, such as an SMS code sent to their phone, a software or hardware token, or a security badge.

3. The biological factor:

   This factor is based on what the user is. Examples of biological verification methods can be retina scans, fingerprint scans, facial recognition, or digital signatures

By applying two or more of these different authentication factors, you make is significantly harder for adversaries to gain access to your devices, networks, systems, and sensitive information. This is because even if an attacker does happen to gain your password and username (whether through a phishing attack, data breach, or other means) they can’t surpass the second authentication method, as they’re unable to verify something the authenticated user has (such as an SMS code) or something the user is (such as a fingerprint scan).

Ideally, MFA should be implemented for all user logins (including office computers). If this is impracticable, then you should at least ensure MFA is being used by all users who have access to sensitive data and information, have admin privileges, or have remote access. Which brings us to maturity level one requirements.

Maturity Level One Requirements:

Requirement 1:

Multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services.

When users are, for example, accessing your network remotely, they must be using Multi factor authentication in order to verify and approve their access to your network remotely.

Requirement 2:

Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s sensitive data.

An example of third-party facing services that store your organisation’s data would be a cloud service (whether that be Microsoft, Google, or AWS), thus users should be using MFA when requesting access to your sensitive data.

Requirement 3:

Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s non-sensitive data.

You should be enabling MFA on ALL of the applications your users are accessing, including emails, Adobe, social media accounts, and any other web applications your employees are using. You’ll find that most apps will offer MFA, so check the web apps and internet-facing services your organisation uses for the option to enable MFA in their settings. Then go ahead and enable it for those that do!

Requirement 4:

Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.

This one might not apply for a lot of organisations, but in short, you are expected to enable MFA by default on your internet-facing services that are used by non-organisational users, such as clients or customers.

Let’s use a university as an example. Each student is given an email account that is activated by the school. MFA should, by default, be enabled for students who are logging into their accounts, with the option to opt-out if they choose.

Where do you start?

Let’s face it; MFA is going to be annoying and time consuming for your end users. Every time they log into your cloud environment or access your network remotely, they will need to follow the MFA login process. Every. Single. Time. It’s not fun, but it is necessary, and unfortunately it’s something that they’ll need to get used to.

The first step is to take a look at your cloud environment. Now most major cloud services (including Office, SharePoint, Google Cloud, Azure and AWS) offer basic MFA features in their settings. Make sure to enable this in your admin panel for the users in your organisation. I’ve included a few MFA setup tutorials Microsoft, Google, Azure and AWS below:

Microsoft Office/SharePoint Tutorial

Google Cloud Platform Tutorial

Azure Tutorial

AWS Tutorial

You can also consider using Microsoft Authenticator or Google Authenticator, available for iOS or Android devices. With Microsoft Authenticator, users can receive sign in notifications through their mobile that they can approve or deny, or use the app to generate OATH verification codes.

Learn more about Microsoft Authenticator

When it comes to a robust and powerful MFA security platform, we recommend Duo. Duo natively integrates with any application or platform, including Microsoft, Software as a Service tools, or on-premise environments. But perhaps most importantly, it can be used to add multifactor authentication to your VPN or remote access client. Using the one security solution, you can consolidate all your MFA requirements and easily deploy it across your applications, cloud environments, VPN or remote access clients, and devices.

Learn more about Duo!

And that’s it for multifactor authentication! As usual, if you have any questions please don’t hesitate to contact me and I will see you next time!

Hi everyone, and welcome to this week’s episode of eight weeks of the essential eight. In this episode we’re going to discuss the essential eight mitigation strategy ‘configure Microsoft Office macros’, why it’s considered essential, and how to implement maturity level one requirements. Let’s begin!

The ACSC defines this strategy as:

Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.

What are Macros?

Macros are microprograms designed to make repetitive tasks easier in programs, such as Word or Excel. By recording input sequences like mouse strokes and keyboard presses, it is possible to create an automated set of instructions for a program to follow. Users can then run the macro instead of repetitively creating the same list of instructions.

However, it is easy for malicious macros to run in the same way. These malicious macros can open and automatically run instructions a cyber attacker has developed, causing your computer to embed the malicious macros into your computer files, send emails with malicious codes to your contacts, or run ransomware or malware.

Macros, whether trusted or malicious, can only run if they are opened in associated programs (e.g., Excel or Word). Thus, it is vital that you secure macros in order to reduce the risk of running malicious macros.

Macro configuration best practices

Most productivity suites like Microsoft Office have improved their security surrounding macros by asking users if they are sure they want to run macros when opening a document. However, this simply isn’t enough to protect your business against macros viruses, as the safety of the document or macros are left up to your users to decide, and generally speaking, they are more concerned with getting a task done than checking if the document or macros they’re running are secure.

The level of securing macros depends on your business. For some businesses that rarely use Excel or Word, or have no use for macros, it may be best to simply disable all macros from running and blocking new macros from starting. This however may not be a viable option for businesses that utilise macros to enable efficient daily processes. If this is the case for your business, you must configure Office Macro settings to manage appropriate macros. This means that only approved users should be allowed to execute macros from a trusted location via a secure network path. It is possible to set these controls in the Office Trust Centre interface or in Group Policy settings.

Maturity Level One Requirements: 

Requirement 1:

Microsoft Office macros are disabled for users that do not have a demonstrated business requirement

Which basically translates to ‘if you don’t need it, don’t use it’. Operating by the principle of least privilege, use Group Policy Objects in your Active Directory to define macro privileges and only assign those privileges to users who absolutely need macros to complete their jobs.

Requirement 2:

Microsoft Office macros in files originating from the internet are blocked

By default, macros in Word, Excel and PowerPoint files are enabled according to the macro warning setting. Files are identified as coming from the Internet based on the zone information added to the file by the Attachment Execution Service (AES). AES adds zone information to files that are downloaded by Outlook, Internet Explorer, and some other applications. Office provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet, so make use of that when implementing this requirement.

Requirement 3:

Microsoft office macro antivirus scanning is enabled

Most antivirus vendors are capable of scanning for script-based threats (such as Macro viruses), so you should be using your endpoint protection/antivirus vendor or software to scan for these malicious macros, along with most applications and files on your network.

Requirement 4:

Microsoft office macro security settings cannot be changed by users

There’s no point in setting up solid macro security settings if your users can easily disable or get around them. Be 100% sure that your controls for macros are placed in the hands of trusted admins, and that these admins are the only ones capable of making changes.

How do I set up macro security settings?

As I mentioned earlier, you can apply macro security settings with Group Policy Objects in Active Directory. I’ve included a link in this blog post so you can find out more, or you can just type into Google ‘configure ms macro settings in group policies’ for a number of tutorials.

Restrict or block macros: https://4sysops.com/archives/restricting-or-blocking-office-2016-2019-macros-with-group-policy/

Or you can get your Managed Service Provider to assist you, if you have one!

And that’s it for MS Office Macros. As usual, if you have any questions please don’t hesitate to send through an email.

Patch Applications & Operating Systems

Essential 8 Mitigation Strategies 2 & 3: (Patches, updates, or vendor mitigations for security vulnerabilities in internet-facing services should be applied within two weeks of release, or within 48 hours if an exploit exists.)

Let’s delve into what this means.

What are patches?

Patches are fixes in software code that address security gaps, add new functionalities, or repair broken functionalities. These patches usually come in the form of an update (for instance; the notifications you’ve inevitably received for Windows 10, Adobe Reader or even your phone’s operating system).

Everyone dreads these updates, but it is vitally important we stay on top of patches to minimise security risks. Failing to update applications or software can cause critical issues in the integrity of your devices and computers, as these patches keep you one step ahead of attackers and their latest methods of exploitation. In fact, about 57% of data breaches are attributed to poor patch management.

As an enterprise or organisation, especially one with hundreds of employees and devices, managing patching can become a real pain. Unless you have implemented whitelisting or mobile device management, it can be difficult to keep track of every application, software, browser, and even plugin that has been installed on your systems.

You can send email blasts out to your users to remind them to update when a new patch comes out, but as mentioned, no one likes updating their devices, and many users may just put it on the backburner, which can cause serious gaps in your cyber security for attackers to exploit.

The best way to keep on top of patching yourself is to create a patch management plan and policy. To do this, you must first start with understanding the devices, operating systems, browsers, and third-party applications your users have installed on your network, and segment them into high and low risk categories.

Once you’ve done this, create a policy that establishes which applications will be patched and when, and under what conditions. For example, someone with admin privileges may need to patch their applications automatically, while those with restrictions are offered a more flexible timeframe. Another example is setting a 24–48-hour timeframe for OS updates but allowing a 1–2-week timeframe for browser or non-critical updates.

After you have your policy in place, follow up with audits to ensure your employees and end users are compliant, and review and optimise your policy to ensure you are following best practices.

Patch Apps & OS Maturity Level 1:

Requirement 1:

Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services and operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.

Requirement 2:

Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, security products, and operating systems of workstations, servers and network devices are applied within one month of release.

Requirement 3:

A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services and operating systems of internet-facing services.

Requirement 4:

A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, security products, and operating systems of workstations, servers and network services.

Requirement 5:

Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, security products, and operating systems that are no longer supported by vendors are removed or replaced.

Don’t want to keep track of patches manually?

Luckily there is plenty of software or IT companies out there that can do the grunt of the work for you. By employing software vendors or MSPs, you can automate updates and patches to a granular level and set and forget it, revising occasionally to ensure patches are rolling out correctly.

User Application Hardening

Hi everyone, and welcome to this week’s episode of eight weeks of the essential eight. This week we’re going to explore the essential eight strategy User Application Hardening, and how you can achieve maturity level one.

The ACSC defines this strategy as:

Essential 8 Mitigation Strategy 5: User application hardening to configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g., OLE), web browsers and PDF viewers.

What is user application hardening?

When applications are installed, many of us are guilty of clicking NEXT until we get to the ‘install’ button.

By default, many apps enable functions that aren’t necessary for users while also permitting lowered security level settings. By simply allowing the application to follow the default installation guide, we may be opening opportunities for cyber attackers to infiltrate our systems through unneeded features or lower security levels.

This is especially true for applications like web browsers, email clients, PDF software, or Microsoft Office apps because these can be vectors for malware and are more likely to be targeted by adversaries. User application hardening isn’t nearly as intimidating as some of the other strategies, so it’s easy to overlook it. It’s a bit like dusting your fans or cleaning your blinds – you know it will get done, someday, when you find the time. But while we can live with dust or cobwebs, we can’t allow applications with inadequate security settings to remain on our networks.

So, think of user application hardening as a bit like a spring clean of all your applications. By going through your apps, uninstalling features that are unimportant, and setting unique passwords and usernames instead of default details, you make it significantly harder for adversaries to take advantage of your systems.

User Application Hardening Tips

TIP 1:

The best place to start is by obtaining a list of the applications you have installed on your system and remove the apps that provide little or no value. The applications that remain on your network after the cull should be configured according to user hardening recommendations. Most vendors will have hardening guides for their software and applications, so take the time to review industry best practices for the applications on your network and configure them accordingly.

TIP 2:

Additionally, ensure you remove features on applications that you do not need, and save installed files in non-default program folders to trick cyber attackers, who often seek out these default installation locations. You can also run vulnerability scans using tools (like Nexpose, SAINT or Nessus) to locate vulnerable files and applications.

TIP 3:

Finally, use a web browser plugin or web filtering gateway to block online ads, as cyber attackers often create malicious ads (called ‘malvertising’) to compromise websites and systems.

Implementing Application Control: Maturity Level One

Now, for those of you who are keen to align with Maturity level one, let’s delve a little more into the specific requirements.

Web browsers do not process Java from the internet

While Java once enabled a host of features and effects on websites that weren’t possible in older HTML specifications, these days most features that Java brought to the table can be performed within HTML 5, meaning Java is no longer needed for advanced features on website. This is because Java can be a vector for malware, especially if you are using older versions that have vulnerabilities that malicious sites can use to exploit and infect your system.

Many apps still rely on Java, but you don’t need to block it everywhere; you just need to block it from untrusted or uncontrolled sources like the internet and your web browsers.

Web browsers do not process web advertisements from the internet.

Web pop-ups and advertisements aren’t just annoying; they can also be a conduit for malware and nefarious entities, which is often referred to as ‘malvertising’. Malvertising is the use of online malicious advertisements that spread malware and compromise system through the injection of unwanted or malicious code into ads.

You should ensure your organisation employs a means to block web advertising as much as possible. This can be done via Active Directory or Group Policy Objects and can be supported by content filters on web browsers and applications.

Web browser security settings cannot be changed by users.

There’s no point in implementing web browser security controls if your users can just disable them at-will. Thus, the modification of security controls should be limited to as few administrators as possible, and the ability to disable or modify browser security settings should be restricted on your standard user accounts and workstations.

Now like app control, you can use mobile device or desktop management solutions to apply user application hardening on devices. Such solutions include:

• Microsoft: Microsoft Intune
• Apple: JAMF
• SOPHOS endpoint management

And that’s it for this episode everyone! As usual, if you have any questions please feel free to email me, and I’ll see you next week

Hi everyone, and welcome to episode three of eight weeks of the essential eight. In this episode we’re going to explore Application control. We’re going to learn what it is, why it’s considered essential, and how to implement application control in a way that achieves maturity level one. Let’s begin!

What is application control?

Application control is a security control method designed to protect against malicious code by ensuring only approved applications and software can be executed. The easiest way to implement application control is by creating an ‘allowlist’ (previously called a whitelist).

You may have heard of blacklists, which are lists of known malicious code. Most antivirus and antimalware software are built on blacklists, and work by blocking access to any applications the software deems unsafe or dangerous. The danger with blacklists is that there may be a chance for cyber-attacks to occur when the antivirus software has not been updated to stay ahead of the latest attacks.

Think of an allow-list as the inverse of a blacklist. Instead of blocking known malicious code, an allow-list blocks all applications except for ones you have explicitly allowed to execute. This may seem harsh, and it does severely restrict the freedom of end users, but it really is one of the safest ways to prevent the installation of unauthorised or possibly dangerous code from executing on your systems.

Blacklists:

• Lists of KNOWN malicious code
• Antivirus/antimalware software are built on blacklists
• Block access to applications deemed unsafe
• Antivirus software must stay ahead of latest attacks to work

Allowlists:

• The inverse of blacklists
• Blocks all applications EXCEPT for those explicitly allowed
• May restrict freedom of end users
• Safest way to prevent unauthorised or dangerous code executing

Why application control and allow-listing?

As I mentioned, correctly implementing application control lowers the risk of malicious code wreaking havoc on your system.

If your end users aren’t well versed in cyber security safety, they can unknowingly download applications or fall for phishing scams that execute malware or ransomware. With application control in place, it would be nearly impossible for them to do so.

Another reason for application control is to protect against the download of unauthorised software, which can lead to licensing agreement violations, inappropriate conduct, or vulnerable applications that can be manipulated by attackers.

Why application control?

• Lowers risk of executing
• Protects against successful phishing scams
• Prevents unauthorised download of software

Implementing Application Control: Maturity Level One

So last week we discussed restricting admin privileges, so once you’ve got those restrictions in place you’ve already got a pretty good steppingstone into application control.

Similar to what we discussed in last week’s episode on admin privileges, Maturity level one for application control is really just telling you that standard users (AKA those with non-privileged accounts) should have restrictions in place restricting them from installing or downloading apps and software on their workstations, and only approved applications should be installed on their devices.

Before setting those restrictions you absolutely need to make sure your users can access any approved applications they may need to complete their jobs.

Enter allowlists. Now it’s not a requirement in maturity level one to apply allowlisting software, but you do still need to create an allowlist. Having a list of approved applications will make your life, or your IT team’s life, a whole lot easier because there’s no guesswork involved.

If a user requests the installation of an application on their device, you can first refer to them to your list of approved applications. If the requested application is not on the list, you can either deny the request or, if the application is necessary for their job and it is a trusted application with minimal security risks, you can add it to the allowlist.

Having an allowlist also makes it easy to setup devices when you onboard new users. When you hire a new employee, all you need to do is download and install the approved applications and their device will be pre-configured and they won’t need to annoy your IT team every time they need to install new apps like Microsoft Word, Excel or Adobe Creative Suite.

And finally, having an allowlist is essential if, or when, you move on to the higher maturity levels, which do generally require the implementation of allowlisting software.

How do you create an allowlist?

There are two methods to creating an allowlist. The first method is to request a standard list that is typical for your work environment from an allowlist vendor. This standard list contains applications and software that are known to be trusted. Once you have this list, you can customise it further to fit your company and the roles of your employees.

Alternatively, you can use a device or system that you know is clear of malware, scan the installed apps and software, and use this as a standard for your other devices.

Method 1:

• Request a standard list from an allowlist vendor
• The standard list contains trusted apps/software
• Can be customised to suit the roles of your employees

Method 2:

• Select a device/workstation that is clear of malware
• Scan installed apps and software
• Use as a standard for other devices

When you create your allowlist you should be aware that not every user account will be using the same apps. For instance, your creative team may need software that is not typical for standard users, like Adobe Creative Cloud, so you should make sure you accommodate your list to include the apps they use.

You should also take the time to audit the applications your users currently have installed on their devices and computers. Determine which are essential and remove applications that provide little or no value.

You should also consider creating an Application Control policy for your employees. This policy should include your list of approved applications, and should express that it is not permissible to download unauthorised software on devices and workstations.

Once you’re armed with your list of approved applications, you’re ready to set up application control.

Tips for creating allowlist:

• Not  every account/employee will use the same apps – accommodate your list to include all necessary apps for every job role
• Audit applications currently installed on devices
• Remove apps/software that provide little or no value
• Create an Application Control policy for employees

How to set application control policies

If you don’t have an IT specialist in your organisation, Mobile Device and Desktop Management vendors offer application control solutions that require minimal IT knowledge or capabilities to implement.

Mobile device or desktop management software solutions generally make it quite simple to; apply application control on devices, monitor your user’s app usage, set allowlists, easily deploy new users, and manage your organisation’s devices all within one dashboard or interface.

MDM Solutions:

For Microsoft: Microsoft Intune

For Apple: JAMF

SOPHOS endpoint management

If your organisation is Windows-based and you’re not keen on using an MDM solution, another great (and free) tool is Windows Defender Application Control with Configuration Manager. WDAC with Configuration manager allows you to set application control policies for users on your network. If you want to learn more about WDAC, you can click on the following link:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control=

And that’s it for application control! For further resources on application control you can check out the links at the bottom of this week’s corresponding blog post. And as usual, if you have any questions please feel free to shoot through an email. Until next time!

Implementing Application Control: https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-application-control 

Essential Eight Maturity Model: https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model 

JAMF MDM: https://www.jamf.com

MICROSOFT INTUNE MANAGEMENT: https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune

SOPHOS ENDPOINT MANAGEMENT: https://www.sophos.com/en-us.aspx 

Hi everyone, and welcome to this week’s episode of Eight Weeks of the Essential Eight. In this episode we’ll be exploring administrative privileges and why restricting these privileges is vital in protecting your business against cyber-attacks.

The ACSC defines this strategy as: restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.

This strategy is probably the most self-explanatory of the eight, and at a base level, you probably already have some form of admin restrictions in place.

Now you wouldn’t just give the keys to your home to anyone right? Because the more people who have your keys, the more likely it is someone will lose them or leave the house unlocked, which literally leaves the door open for people with ill intent.

Administrative accounts are the keys to your network, data, and systems.

If cyber attackers gain access to these proverbial keys, they can wreak havoc across your network and servers. Attackers use malware and brute force attacks to compromise admin accounts because they are the most powerful in your organisation. As you probably know, users with administrative privileges can make significant changes to their configuration and operation, they can bypass security settings, and they usually have access to sensitive info.

If an adversary succeeds in claiming an admin account through brute force or malware, they can spread malicious code to your entire network, they can avoid detection, access sensitive data, and they can completely resist all efforts of removal.

Referring again to the house keys analogy, you’ve now got a dangerous squatter in your home who is refusing to leave, rifling through your personal belongings, and possibly demanding money. Not an ideal situation you want to be in.

Unfortunately, the solution isn’t as easy as you may think.

First, lets discuss the principle of ‘least privilege’.

The Principle of Least Privilege

In a least privileged environment, most of your users are operating with non-privileged accounts 90-100% of the time. A non-privileged account is a ‘standard user account’, which has a limited set of privileges like web browsing, opening emails, using Office applications, or accessing limited resources or apps that are defined by their role in your organisation.

When you set up a least privilege environment, you review the activities your administrators do and only assign the privileges they absolutely need to complete their jobs.

For instance, a standard user account does not need to install applications, so you should remove those privileges, or someone who only needs access to a database does not need the ability to take backups, and so on. By sharing and assigning certain privileges only to those who need them, you reduce the freedom an adversary may have if they compromise an account.

I promise this will be the last house keys analogy, but basically operating in a least privilege environment means if an attacker gets access to one of your keys they may be able to unlock your gate, but they won’t have the key to open your front door.

So where do you start?

Before you implement the requirements that are outlined in Maturity Level One, you need an inventory or a record of your admin accounts and your organisation’s admin tasks.

How to create a secure admin privileges record:

Step 1:

Every account on your network, and that includes standard user accounts, needs to be checked for their privileges. Users who do not need those privileges should be stripped of them.

Step 2:

Identify the admin tasks your organisation undertakes, like backing up files, resetting passwords, or adding users to new groups.

Step 3:

Each admin task requires only a basic set of privileges, so once you’re armed with a list of your organisations admin tasks you can then create user accounts for your team members and assign ONLY the privileges they need to perform their jobs.

Once you’ve inventoried and set up a record of your admin accounts and privileges, you can move on to implementing the requirements for Maturity Level One.

Maturity Level One Requirements

Requirement 1: Requests for privileged access to systems and applications are validated when first requested

So you’ve determined and documented the privileges for your user accounts, but what happens when you get new users, or the scope of work for one of your current admin users changes?

Anyone who requests certain privileges and has not been previously approved must be evaluated before receiving approval in order to align with this requirement. Do they need administrative privileges? And if so, which privileges do they need? Once this has been evaluated, you can then choose to give those privileges to them.

Remember to document the validated request and add it to your inventory so you can keep track of the allowed privileges.

Requirement 2: Privileged users use separate privileged and unprivileged operating environments

Malware is usually executed through successful phishing attempts, drive-by downloads, or even malware ads on the internet. What this requirement is saying is that users who need admin privileges should have two accounts; one that has privileged access, and one without. That’s so they can use their admin account solely for the tasks that need privileged access, and then use their standard user account for things like web browsing, or checking emails, and opening documents.

Requirement 3: Privileged accounts (excluding privileged service accounts) are prevented from accessing internet, email, and web services

For the same reason as the previous requirement, to completely remove the chances of malware executing on your privileged accounts, you need to set security controls that stop them from reading emails and browsing the web when they are using the admin account.

Requirement 4: Unprivileged accounts cannot logon to privileged operating environments

You shouldn’t log into a system with a user account that has the ability to install new software or make changes to the system. If you go to a website or click on a link in an email that has malware, the malicious software can only run with the privileges of the logged in user account. If that account isn’t an administrator, the malware can’t do much harm.

You should also make sure all default passwords and usernames for admin accounts are updated, and apply multifactor authentication to ensure that even if an adversary gains access to your passwords they won’t be able to get past the second authentication method.

Monitoring Privileged Access Controls

Finally, let’s discuss monitoring and auditing privileged access controls. You should be revalidating all accounts that have privileged access on a yearly basis, or when someone with admin privileges leaves your business.

Your secure inventory/record should include the following information:

• Users who are authorised to access privileged accounts
• The person who provided authorisation for those privileges
• When the privileges were granted
• What privileges were granted
• When privileges were last reviewed
• When the level of privileged access was changed, and to what extent (if applicable)
• When privileged access was withdrawn (if applicable)

Alternatively, you can request the services of an outsourced IT company to assist with auditing your admin accounts and privileges and managing your inventory. A managed service provider can monitor every privileged task that is undertaken on your system, set up or remove admin privileges, revalidate restrictions, and apply policies to your standard user accounts.

And that’s it for restricting admin privileges! Stay tuned for the next episode, where we’ll be discussing application control. If you have any questions about this video please feel free to shoot through an email, and I’ll see you in the next episode.

Hello and welcome to the first episode of Eight Weeks of the Essential Eight.

Topic Areas:

• What is the Essential Eight?
• Do I need to implement the essential eight?
• Why the essential eight?
• The Essential 8 Maturity Model
• Targeting a Maturity Level

History of the Essential Eight:

So lets start with a brief history of the essential eight.

The essential eight was originally developed to promote solid security and operational practices within Australian governmental agencies, departments, local councils, and other businesses in the public sector. Now, many private businesses are now looking at the Essential Eight as a good launching place for measuring security controls and setting a foundation for cyber security. The Australian Cyber Security Centre, or ACSC, are the current custodians of the Essential Eight.

When it comes to the security of your business’ information, there are so many factors that come into play; like the sensitivity of your data or how many employees you have. That’s why there isn’t really a ‘one-size-fits-all’ approach to cyber security. What works for you might be completely disastrous for another business. A direct quote from the ACSC states:

“while no single mitigation strategy is guaranteed to prevent cyber security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline. This baseline, known as the essential eight, makes it much harder for adversaries to compromise systems.”

As I mentioned, ACSC initially created the Essential 8 to mandate information security compliance across governmental branches. While it is not mandatory for most businesses in the private sector, it is highly recommended. This is because the suggested strategies are a systematic set of security control methods that provide a framework for businesses to manage IT security risks. It’s crucial now more than ever that businesses focus on their information security and protecting their data, and the Essential Eight is built to do just that.

So in short, the essential eight strategies were chosen specifically to fortify the most important avenues of information security, with their main purpose being to protect businesses against malware, ransomware, and data breaches. The strategies are broken up into three components; prevent attacks, limit the extent of attacks, and data availability.

What are the essential eight strategies?

The Essential Eight Maturity Model

Now I’m not going to go into detail about the strategies as we will be discussing them over the next few weeks. What I am going to discuss in this episode is the Essential 8 maturity model. Before we can get to implementing the Essential 8, the ACSC suggests you first identify a maturity level that is suitable for your organisation. There are currently 4 Maturity levels starting with Maturity Level Zero through to Maturity Level Three.

The maturity levels are focussed on mitigating the increasing levels of a potential adversary’s technique, their tools, their procedures and who they tend to target.

Maturity Level Zero

Let’s start with maturity level zero, which was reintroduced this year. This level signifies that there are weaknesses in an organisations overall cyber security posture. So whether you have none of the strategies in place or if you’ve succeeded in implementing a couple of the strategies, your cyber security maturity will be considered level zero because you have those missing control methods in place that leave you open to attack. Adversaries tend to go for the lowest hanging fruit, so even if you have a really solid backup strategy or you use multi-factor authentication, they can and will find other ways to exploit your system. A lot of you will be starting off at level zero, and that’s completely fine because you are attesting to the fact that one or more of your security controls may not be covering your organisation’s cyber risks adequately.

Maturity Level One

Now Maturity Level One focusses on mitigating the risk of a cyber attack from opportunistic adversaries who are looking for any victim rather than a specific target. For instance, they use normal tools that are available online to identify common exploits or vulnerabilities in software or operating systems that are unpatched. So you want to mitigate against common threats, and adversaries out there who are opportunistic rather than targeting organisations with any key objectives to get access to specific information. They’re still a threat, particularly if they manage to affect the availability of your systems.

Maturity Level Two

The focus of Maturity Level Two is to fight against adversaries who are better equipped and employ more advanced techniques, so they may be specifically targeting your organisation and not just spamming you with phishing emails, and they might attempt to impersonate users or accounts in your organisation to gain privileges and access your data. These adversaries are happy to invest more time into their targets and are often better at bypassing security controls and evading detection. Rather than casting a wide net, they are more selective with who they target, but are also wary about the time, money, and effort they invest to compromise their targets’ systems.

Maturity Level Three

And finally, Maturity Level Three is the highest level, and focusses on deterring adversaries who can exploit opportunities they seek in their targets’ cyber security posture, like old software or inadequate monitoring. They are incredibly knowledgeable and use techniques and tools that are not commonly used by less experienced adversaries. They will make swift use of exploits and will find ways to evade detection and solidify their presence. They focus on very particular targets and are willing to invest a lot of time and effort into completely circumventing all the security controls an organisation may have.

When choosing a maturity level to target, you should consider how desirable your company is to an adversary and the type of information your organisation holds and transmits, so if you house a lot of sensitive or confidential data, you should consider targeting level three. Try to take a risk-based approach to the essential eight and consider the implications and the costs to your business if a data breach or a malware attack were to occur.

Now as a side note, to quote the ACSC again,

“organisations are now advised to achieve a consistent maturity level across all mitigation strategies before moving onto a higher maturity level”.

This is because the essential eight strategies are designed to complement each other and provide a blockade against several threats, so it’s important that you plan your implementation to achieve the same maturity level across all eight strategies before moving onto a higher maturity level.

In this series I’ll be giving you tips on how to reach maturity level one. So hopefully once we’ve finished you’ll have a better understanding of the requirements and will be able to independently reach a higher level if need be.

Do I need to implement the essential eight?

If you’re a governmental department, agency or local council then it will be mandatory to implement the E8 and to have a maturity level rating, so I’d suggest you have your E8 implementation assessed by a third party or by your MSP.

If you’re a small to medium sized business, or even a larger organisation who hasn’t begun their journey into cyber security, then I would still suggest you implement the strategies to the best of your ability so you have a maturity level that sets a foundation for further cyber security control.

Slide: Mandatory for governmental agencies and departments.

Not mandatory for most businesses in the private sector.

You don’t have to get your implementation assessed by a third party of course, but I’d still suggest you do because if you’re going to go to all the trouble to implement the E8 you should make sure you’ve done it correctly.

And that’s it for this episode! If you have any questions about the maturity models please feel free to email me, and I’ll see you next week for episode 2!