
Article authored by Jason Phong

Welcome, readers. In this fourth edition of our series on cybersecurity we look at the Essential Eight (E8) framework and the particular features of the model that keep the information systems and operating environments in your organisation defended against threats.

The Essential Eight Maturity Model has been designed to protect Microsoft Windows-based internet-connected networks. It is quite an effective set of mitigations when applied in the appropriate context.

We see requirements on Australian government systems from the Department of Home Affairs’ Protective Security Policy Framework (PSPF), Policy 10, C.1.7:

“To meet the minimum requirements established under the PSPF maturity model, entities must implement Maturity Level Two for each of the eight essential mitigation strategies from the Strategies to Mitigate Cyber Security Incidents as set out in the Essential Eight Maturity Model.” – PSPF, HA

However, how do we develop the confidence to say that the Essential Eight Maturity Model isn’t the most relevant model for a given system? Perhaps scarce resources would be better spent on other cyber security activities?

The Essential Eight as a package of mitigations is certainly very effective in addressing situations such as:

  • Unsolicited malicious macros are received by users and when opened they download and attempt to execute further malware;
  • Users have reused credentials that have been exposed in data breaches and attackers are able to attempt authentication to those systems over the internet;
  • An organisation has self-hosted services that process arbitrary data as initiated by users on the internet.

A series of self-diagnostic questions can assist you in determining how appropriate it is to apply Essential Eight guidance to your system. The further down the list you get before you answer yes, the more value you’d get from allocating resources to alternative mitigation strategies (while acknowledging that some of the Essential Eight may still be quite relevant). The first two questions describe situations where the Essential Eight are highly relevant.

  1. Can a user attempt to authenticate to the system from any internet-connected PC?
  2. Does the system accept unsolicited files and attachments and is it capable of opening external links?
  3. Can a user only attempt to authenticate access to the system using a staff member’s organisationally enrolled device?
  4. Can a user attempt to authenticate access to the system only from specific physical locations?
  5. Are the user workstations mostly non-Windows?
  6. Is the system used to develop and test software, or other arbitrary code?
  7. Is the system required to facilitate immediate and urgent actions, such as where lives are at immediate risk?
  8. Is the system disconnected from the internet?

Consider undertaking threat modelling to understand what’s really at stake and determine how best to protect it.

#securus #securusconsultinggroup #ISM #PSPF #EssentialEight #EssentialEightMaturityModel