11 April, 2025

The Essential Eight

Author: Pablo Vergara

Australian Signals Directorate’s Top 8 Controls to Mitigate Cyber Security Incidents & How They Compare to NIST 800-53

Anyone who has worked in cybersecurity, from a student beginning the journey to a seasoned professional, knows about Security and Privacy Controls for Information Systems and Organizations (NIST 800-53), currently in its fifth revision. NIST 800-53 is a comprehensive guide to all aspects of cybersecurity, ranging from hiring and policy setting through testing and more. It is the basis for defining security controls and best practices that fortify systems against both external and internal threats.

Another popular framework is the CIS Critical Security Controls, a more streamlined approach to implementing effective security controls. Currently in its 8th version, the CIS Controls is a prioritized list of controls and safeguards offering mitigation strategies against attacks on systems and networks. The goal of this framework is to be feasible, flexible, and simple to implement.

And while these might be the best-in-class standards for security, they are far from the only ones in circulation. Another well-regarded standard is the Australian Signals Directorate (ASD) top eight controls to mitigate cybersecurity incidents, otherwise known as The Essential 8.

ASD’s Essential 8 is a concise list of strategies and procedures to help mitigate cybersecurity incidents and present best practices for shoring up a system’s security posture. There are a lot of similarities between this framework and the NIST 800-53 standard, and the goal of this post is to showcase where those similarities occur.

It is worth noting that NIST offers a more expansive list of mitigation guidelines and recommendations, whereas the Essential 8 is more refined in scope. The goal of the Essential 8 is to present a comprehensive suite of controls that offers a robust defense-in-depth strategy while being accessible to all, easy to implement, and cost effective to maintain.

Below is the list of the Essential 8, which is divided into two halves. The first four are the most crucial guidelines. Of these four, Application Whitelisting and Application Patching are the most critical. The remaining four are essential but not nearly as critical.

Application Whitelisting

Coming in at the top of the list, in order of highest priority for the ASD Essential 8, is the directive to whitelist applications. This security control governs access to applications and the execution of programs based on a set of permissions defined in the chosen vendor product and managed through its configuration settings. It ensures the right people are using the right application in the right way, and that unauthorized programs cannot be executed. The recommended strategy is to maintain an inventory of installed software applications alongside an effective change management and patching strategy.

By contrast, NIST presents several different controls to accomplish the same objective, including but not limited to: AC-1 Policy & Procedures; AC-2(7) Privileged User Accounts; AC-2(11) Usage Conditions; AC-3 Access Enforcement (and all subsequent Access Controls); AC-4(20) Approved Solutions; AC-6(10) Prohibit Non-Privileged Users from executing privileged functions.
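To make the whitelisting decision described above concrete, here is an added Python example (not code from the original post, and not from any ASD or NIST publication) that models what an application control product does before a program runs: rules match on verified publisher, file hash, or install directory; an explicit deny beats any allow; and anything unmatched is refused. All paths, publisher names and hashes are constructed for the example.

```python
"""Application allowlisting with default deny (added example; not code from the
original post or from any ASD/NIST publication).

Models the decision an application control product makes before a program is
allowed to run. Rules match on verified publisher, file hash, or install
directory; an explicit deny beats any allow; anything unmatched is refused.
All paths, publisher names, and hashes below are constructed for the example.
"""
import hashlib
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Executable:
    path: str
    sha256: str
    publisher: Optional[str]  # verified code-signing identity, None if unsigned


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    kind: str    # "publisher", "hash" or "path"
    value: str   # publisher name, hex digest, or directory prefix


def under_directory(path: str, directory: str) -> bool:
    """Prefix match on normalized paths, so '..' segments cannot escape a directory."""
    p = posixpath.normpath(path)
    d = posixpath.normpath(directory)
    return p == d or p.startswith(d.rstrip("/") + "/")


def matches(rule: Rule, exe: Executable) -> bool:
    if rule.kind == "publisher":
        return exe.publisher is not None and exe.publisher == rule.value
    if rule.kind == "hash":
        return exe.sha256.lower() == rule.value.lower()
    if rule.kind == "path":
        return under_directory(exe.path, rule.value)
    return False


def decide(rules: List[Rule], exe: Executable) -> Tuple[str, str]:
    """Return (decision, reason). Deny rules win; no match at all means deny."""
    first_allow = None
    for rule in rules:
        if matches(rule, exe):
            if rule.action == "deny":
                return "deny", f"{rule.kind} deny rule: {rule.value}"
            first_allow = first_allow or rule
    if first_allow:
        return "allow", f"{first_allow.kind} allow rule: {first_allow.value}"
    return "deny", "no matching rule (default deny)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed policy: a trusted publisher, an approved install directory, one
# legacy binary pinned by hash, and a user-writable directory that is never allowed.
LEGACY_HASH = sha256_hex(b"constructed legacy tool contents")
POLICY = [
    Rule("deny", "path", "/tmp"),
    Rule("allow", "publisher", "Example Corp (constructed)"),
    Rule("allow", "path", "/opt/approved"),
    Rule("allow", "hash", LEGACY_HASH),
]

# Constructed executables to evaluate against the policy.
SAMPLES = [
    Executable("/usr/bin/editor", sha256_hex(b"editor"), "Example Corp (constructed)"),
    Executable("/opt/approved/reporter", sha256_hex(b"reporter"), None),
    Executable("/opt/approved/../../tmp/dropper", sha256_hex(b"dropper"), None),
    Executable("/tmp/signed-but-misplaced", sha256_hex(b"x"), "Example Corp (constructed)"),
    Executable("/home/user/Downloads/setup", sha256_hex(b"setup"), None),
    Executable("/usr/local/bin/legacy", LEGACY_HASH, None),
]

if __name__ == "__main__":
    for exe in SAMPLES:
        decision, reason = decide(POLICY, exe)
        print(f"{decision:5}  {exe.path:40}  {reason}")
```

Two details carry the weight here: paths are normalized before the prefix check, so a `..` segment cannot walk out of an approved directory into a user-writable one, and a signed binary sitting in a denied directory is still refused because deny rules are evaluated as absolute.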

Patch Applications

Second on the ASD Essential 8 is the directive to patch applications. Keeping software applications and operating systems (fourth on the list) patched is a simple yet critical mitigation strategy to ensure the system is resilient to attacks and guarded against common vulnerabilities. The guide recommends a 48-hour window for patching software applications and operating systems. New installations are strongly encouraged to use the latest version.

NIST offers a more disparate approach to an effective policy for patch management.  Some of these controls include SI-2(4) Automated Patch Management Tools; SI-2(5) Automatic Software and Firmware Updates; SI-2(6) Removal of previous versions of software and firmware. 

Restrict Administrative Privileges

The ASD Essential 8 takes a restrictive approach to administration rights and privileges. While administrators can have the rights and privileges essential to their role, the intent of this mitigation strategy is to avoid granting an overabundance of them. The guideline goes on to suggest that only trusted administrators be granted access to the systems they belong to, and that using a separate computer and a non-admin account for high-risk actions is strongly encouraged.

NIST presents a myriad of controls that cover a more in-depth approach to the mitigation of privileges, including: AC-2(7) Privileged User Accounts; AC-2(8) Dynamic Account Management; AC-2(9) Restrictions on Use of Shared and Group Accounts; AC-2(13) Disable Accounts for High-Risk Individuals; AC-3(7) Role-Based Access Control; AC-3(15) Discretionary and Mandatory Access; AC-4(17) Domain Authentication; AC-6(5) Privileged Accounts; AC-16(4) Association of Attributes by Authorized Individuals.

Patch Operating Systems

Similar to patch management for applications, the ASD Essential 8 rounds out its list of prioritized strategies by encouraging an effective operating system and firmware patch management program, ensuring that the latest versions of the OS are in use and have been inoculated against vulnerabilities and potential zero-day exploits. The guide recommends that system administrators subscribe to vendor-provided bulletins and notifications so that system and firmware updates occur in a timely manner.

NIST covers OS and firmware patch management with the same controls it applies to applications, along with several more: CM-8(2) Automated Maintenance; CM-11(3) Automated Enforcement and Monitoring; SA-10(5) Software and Firmware Integrity Verification; MA-3(6) Software Updates and Patches; SI-2(4) Automated Patch Management Tools; SI-2(5) Automatic Software and Firmware Updates; SI-2(6) Removal of Previous Versions of Software and Firmware.
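Both the application patching section and the operating system patching section above come down to one measurable rule: a fix must be deployed within 48 hours of its release. The following Python script is an added example (not code from the original post, nor from ASD or NIST) that evaluates an asset inventory against that window, treating a fix that is still missing as accruing time until now. The hostnames, package names and timestamps are constructed.

```python
"""Patch SLA check against the Essential 8 48-hour window (added example; not
code from the original post or from ASD/NIST).

For every (asset, package) record the script compares the time the vendor
released the fix with the time it was installed, or with the current time if
the fix is still missing, and classifies the result against the SLA. The
inventory at the bottom is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

SLA = timedelta(hours=48)  # Essential 8 patching window for applications and OSs


@dataclass
class PatchRecord:
    asset: str
    package: str                   # application or OS component
    kind: str                      # "application" or "os"
    fix_released: datetime         # when the vendor published the fixed version
    installed: Optional[datetime]  # None means the fix is not yet deployed


def time_to_patch(rec: PatchRecord, now: datetime) -> timedelta:
    """Elapsed time from fix release to install, or to now if still missing."""
    end = rec.installed or now
    return end - rec.fix_released


def evaluate(records: List[PatchRecord], now: datetime) -> List[Tuple[str, str, str, str, float]]:
    """One finding per record: (asset, package, kind, status, hours_elapsed)."""
    findings = []
    for rec in records:
        elapsed = time_to_patch(rec, now)
        hours = round(elapsed.total_seconds() / 3600, 1)
        if rec.installed is None:
            status = "MISSING_OVERDUE" if elapsed > SLA else "MISSING_WITHIN_SLA"
        else:
            status = "LATE" if elapsed > SLA else "OK"
        findings.append((rec.asset, rec.package, rec.kind, status, hours))
    return findings


def summarize(findings) -> Dict[str, int]:
    """Count findings per status for a quick compliance view."""
    counts: Dict[str, int] = {}
    for _, _, _, status, _ in findings:
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample inventory (hostnames, package names and timestamps are made up).
NOW = datetime(2025, 4, 11, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    PatchRecord("ws-01", "browser", "application",
                datetime(2025, 4, 8, 12, 0, tzinfo=timezone.utc),
                datetime(2025, 4, 9, 8, 0, tzinfo=timezone.utc)),        # 20h, inside SLA
    PatchRecord("ws-02", "browser", "application",
                datetime(2025, 4, 8, 12, 0, tzinfo=timezone.utc), None),  # 69h and counting
    PatchRecord("srv-01", "kernel", "os",
                datetime(2025, 4, 6, 0, 0, tzinfo=timezone.utc),
                datetime(2025, 4, 9, 0, 0, tzinfo=timezone.utc)),         # 72h, patched late
    PatchRecord("srv-02", "kernel", "os",
                datetime(2025, 4, 10, 18, 0, tzinfo=timezone.utc), None),  # 15h, still in window
]

if __name__ == "__main__":
    findings = evaluate(SAMPLE, NOW)
    for f in findings:
        print("%-7s %-8s %-12s %-18s %6.1fh" % f)
    print(summarize(findings))
```

Distinguishing "missing but still within the window" from "missing and overdue" matters in practice: the first is normal operation under a 48-hour SLA, the second is the finding that should page someone.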

Apply Application Control(s)

The ASD Essential 8 offers a simple and effective mitigation strategy against the execution of embedded scripts or unauthorized browser extensions: block or disable them. Ads, Office macros (discussed later) and Flash content should be blocked. ActiveX, Java, and QuickTime for Windows are just a few of the many applications that ought to be restricted. If they must be used, hardening their configuration settings is highly recommended.

In contrast, the NIST framework addresses this guideline more comprehensively, presenting similar controls for mitigating the execution of disallowed scripts, applying similar “whitelisting” controls.  Some of these are listed as: SI-3 Malicious Code Protection; SI-3(10) Malicious Code Analysis; SI-4 System Monitoring; SI-7(2) Automated Notifications of Integrity Violations.

Restrict/Disable Untrusted Microsoft Office Macros

The mitigation efforts stated in the previous ASD Essential 8 strategy extend to Microsoft Office macros, which have the potential to be leveraged in malware attacks against a system. By blocking or filtering these scripts (i.e., disallowing third-party documents with embedded scripts), a system can be guarded against the likelihood of compromise. The NIST controls stated earlier apply to this control as well.

Employ Multi-Factor Authentication

The ASD Essential 8 strategy and NIST guidelines overlap in a similar manner regarding the application of additional factors for authentication. At a high level, the proper authentication workflow for any system should include additional verification factors including, but not limited to, a PIN, a token, or biometrics.

NIST controls for MFA include AC-7(3) Biometric Attempt Limiting; AC-7(4) Use of Alternate Authentication Factor; AC-9(4) Additional Logon Information; IA-2(1) Multifactor Authentication to Privileged Accounts; IA-2(2) Multifactor Authentication to Non-Privileged Accounts.

Backup Important Data Daily

Rounding out the list of the ASD Essential 8 is the recommended strategy of daily backups, so as to provide up-to-date recoverable data in the event of a ransomware attack, system outage, or natural disaster. The guide encourages a backup retention policy of up to three months, with backups stored offsite and off any computers.

NIST encourages a similar approach, employing a broader series of controls to provide the best mitigation strategies for a given system: CP-6 Alternate Storage Site; CP-9 System Backup; CP-9(3) Separate Storage for Critical Information; MP-4 Media Storage.
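The backup guidance above (daily, retained for up to three months, copies kept offsite) is easy to state and easy to drift from silently. The Python below is an added example (not code from the original post or from ASD/NIST) that audits a backup catalogue against those three expectations: it reports days with no successful backup, days whose only successful copy is onsite, and whether retained copies reach back the full window. The catalogue is constructed for the example.

```python
"""Daily backup coverage and retention check (added example; not code from the
original post or from ASD/NIST).

Given a catalogue of backup runs, finds calendar days with no successful
backup, days whose only successful copy is onsite, and whether the oldest
retained copy reaches back through the full retention window. The catalogue
at the bottom is constructed for the example.
"""
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

RETENTION_DAYS = 90  # "up to three months"


def expected_days(end: date, window_days: int) -> List[date]:
    """Every calendar day from `end` back through the retention window."""
    return [end - timedelta(days=i) for i in range(window_days)]


def coverage_report(catalogue: List[Tuple[date, str, str]], today: date,
                    window_days: int = RETENTION_DAYS) -> Dict:
    """Catalogue rows are (day, location, status); location is 'onsite' or 'offsite'."""
    good: Dict[date, Set[str]] = {}
    for day, location, status in catalogue:
        if status == "success":
            good.setdefault(day, set()).add(location)
    missing, onsite_only = [], []
    for day in expected_days(today, window_days):
        locations = good.get(day)
        if not locations:
            missing.append(day)
        elif "offsite" not in locations:
            onsite_only.append(day)
    oldest = min(good) if good else None
    return {
        "missing": missing,
        "onsite_only": onsite_only,
        "oldest_retained": oldest,
        # the oldest successful copy must sit window_days - 1 days before today
        "retention_met": oldest is not None and (today - oldest).days >= window_days - 1,
    }


TODAY = date(2025, 4, 11)


def build_sample() -> List[Tuple[date, str, str]]:
    """Constructed catalogue: one day failed everywhere, one day has no offsite copy."""
    rows = []
    for day in expected_days(TODAY, RETENTION_DAYS):
        if day == date(2025, 4, 5):
            rows.append((day, "onsite", "failed"))
            rows.append((day, "offsite", "failed"))
        elif day == date(2025, 4, 8):
            rows.append((day, "onsite", "success"))
        else:
            rows.append((day, "onsite", "success"))
            rows.append((day, "offsite", "success"))
    return rows


SAMPLE = build_sample()

if __name__ == "__main__":
    report = coverage_report(SAMPLE, TODAY)
    print("days with no successful backup:", [d.isoformat() for d in report["missing"]])
    print("days without an offsite copy:  ", [d.isoformat() for d in report["onsite_only"]])
    print("oldest retained copy:", report["oldest_retained"], "retention met:", report["retention_met"])
```

A day with only an onsite copy is reported separately from a day with no copy because the two fail differently: the first survives a disk loss but not a ransomware event that reaches the backup host, which is exactly the scenario the offsite requirement exists for.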

Conclusion

Security strategies can be effective without being overbearing and complicated. They can be cost-effective without incurring significant risk. CIS Security Controls offer a robust set of eighteen different controls, whereas the ASD Essential 8 pares this list down to eight of the most pertinent ones. NIST 800-53 might be the gold standard, but the ASD Essential 8 attempts to set a baseline for applying and employing comprehensive security controls and mitigation strategies at a level that is suitable for most businesses.

If your environment or needs are simple, you might not want to wade through the complexity of NIST or CIS. Choose a framework that meets you where you are.


About The Author

With over fifteen years in quality assurance and a background in both English Literature and Information Security, Pablo brings a unique blend of technical expertise, a tester’s mindset, and a passion for secure development. Outside of work, he’s an avid writer with a love for fiction and a drive to share knowledge through blogging and collaboration.
