The recent and unexpected update to the Australian Signals Directorate’s Essential Eight Maturity Model serves to keep the ASD’s guidelines relevant going forward and address the latest weak points in IT security. What stays the same though is the ASD’s guidance on practical updates on how to stay ahead.
While these guidelines are specifically relevant to federal government organisations’ critical infrastructure they are now being pushed indirectly to contractors or businesses who work with the federal government. But even though these guidelines may not be mandatory for private businesses, they are best practice. If they are good enough to safeguard our political, defence and economic interests as a nation, they should be appropriate to safeguard our businesses from the majority of possible cyber security attacks and incidents.
This recent update sees fewer restrictions around patching but a higher level of control on Application Whitelisting which has now been extended to all workstations for levels 1 and 2 of the maturity models. Multi Factor Authentication no longer permits the use of SMS, emails or voicemails for level 1 maturity and specifically states a requirement for passwords to be longer than six characters at all levels.
But what does this actually mean for today’s IT professionals?
These changes reflect the changing priorities required to address today’s threat landscape. With the loosening of controls around patching, the ASD acknowledges the balancing act that security personnel must perform in certain environments. There is definite acknowledgement of the dilemma faced where patching may break functionality vs maintaining a secure environment and strict adherence. A reduction in the burden on already overworked IT admins meeting requirements while allowing better automation is removing overhead while not reducing security.
The higher importance placed on Application Whitelisting definitely reflects what we see in the marketplace. With Application Whitelisting now available as a mature solution it is reasonable to expect organisations to use it across their entire environment. Increased visibility alone of endpoint applications makes life easier for security, helpdesk and management alike stopping more endpoint threats before they reach any part of the network.
Combined focus on patch automation and increased scope of Application Whitelisting we also see as acknowledgement of a more distributed workforce need for security and higher difficulty in controlling remote endpoints.
The more specific wording for Multi Factor Authentication also recognises how threat actors are now working around basic MFA and endeavours to close those weak spots.
There are now only three maturity levels instead of the original five: Partly (level 1), Mostly (level 2) and Fully (level 3) aligned. Level 0 is no longer listed as it doesn’t meet even the most minimal criteria and level 4 is only required on an ad hoc basis depending on advice from the ASD. These changes assume that organisations will now at least begin to adhere to these standards to a degree and give a clear path to full alignment at level 3.
The biggest takeaway from this update appears to be that it is no longer reasonable for a business entity to not address the Essential Eight, especially with the removal of level 0. If a business has not yet met the criteria for level 1 then its current security measures are faulty and need immediate remediation.
We welcome this specific update because it reflects what our customers have been demanding already: solutions that address the Essential Eight and beyond to ensure organisations’ networks are ahead of requirements using the latest technologies.
About the Author
Alex Duffy is a Security Solutions Architect for Adelaide-based value added cyber security software distributor and vendor representative emt Distribution.
Join the newsletter!