A targeted, but unsophisticated series of cyber attacks on the Australian government has left a lot of us dumbfounded. Many wonder how it’s even possible to breach such high-level accounts as those of government officials, who are expected to use at least basic cyber security strategies. Unfortunately, it did not take much for state-based hackers to execute these attacks successfully. On the contrary, they used well-known exploits, standard open-source systems, and searchable “copy-and-paste” code to carry out their plans.
Had certain government institutions proactively followed the Australian Cyber Security Centre’s (ACSC) safety recommendations, such low-level attacks never would have made it past the firewall, so to speak. That’s why we at Club IT have taken this disaster as a chance to spread awareness of the ACSC’s Essential Eight cyber security strategies.
Let’s learn from this incident and strengthen our defenses together, using the strategies below.
The Essential Eight Defined
The Essential Eight is, essentially, a list of cyber security guidelines. Altogether, it represents the baseline standard of control mechanisms that all internet users should ideally be employing on their devices.
Data shows that 25% of all cyber security attacks are targeted in some way, although “highly targeted” attacks may be as low as 15%. What does this mean? You’re mitigating against a median 80% of cyber security incidents if you’re implementing the Essential Eight. These measures could have prevented Australia’s governmental institutions from being compromised. Now, just imagine what they could do for your business.
While you’re here, note that the ISO 27001 checklist is internationally recognised, and any business that wants to take cyber security seriously should start with that. Then implement the technical guidelines given in the Essential Eight.
The Essential Eight covers three categories: anti-malware, damage minimisation, and data recovery. We’ll lay them out for you and explain exactly what each strategy protects you from.
Essential Strategy #1: Application Patches
Any web browser you can think of, along with commonly used programs such as the Microsoft Office and Adobe suites, is an example of software that receives regular patch updates. If you remember the days of Adobe Flash, in particular, it could run shell commands—which meant it had direct access to your operating system. That’s the type of risk you’d want to patch away immediately.
Anything created by human hands is going to have some sort of vulnerability. So even though Flash has faded from use, you have to stay mindful of the host of other applications you use on a daily basis. Macros, for example, can do automated tasks, like fill Excel spreadsheets—but they can also access your operating system, just like Flash would.
We’ve talked elsewhere about having a managed IT services provider, like Club IT, to constantly monitor and patch any weak spots in your system. In cases of “extreme risk,” you should take care of any necessary patching within 48 hours. Patching is essential, as is monitoring for any holes that might require a patch. If it’s something you can’t do, we can do it for you. Whether you do it yourself or hire a professional business IT service, make sure you’re keeping your software up-to-date at all times!
Essential Strategy #2: Application Control
What if one of your employees tries to install/run malicious software, even unknowingly? If you’ve already got a good cyber security package, chances are it blocks these threats automatically. If you don’t, you should strongly consider looking into one. The purpose of this cyber security strategy is to block certain scripts and executable files from running on your system at any time. For how to handle this specifically within your business, seek direct professional advice.
In general, it comes down to permissions. In a work environment, ordinary users should never have the privileges to install anything or run .EXE files. Lock down your network such that only an administrator has the capability to make any changes—because even if you trust your employees, they can make mistakes.
Application whitelisting is another helpful, albeit tedious, practice to look into for controlling which applications can run on your network.
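To make the “deny by default” idea concrete, here is a small added example of how an application allowlist decides whether a binary may run. It is illustrative code written for this post, not Club IT’s tooling or an ACSC reference implementation; the sample “executables”, the policy and the paths are constructed, and real products (such as AppLocker or Windows Defender Application Control) express the same rules as publisher, path and hash conditions:

```python
import hashlib

# Constructed sample binaries. In practice these would be the bytes of real
# executables read from disk; the "MZ" prefix just mimics a Windows PE header.
APPROVED_PAYROLL_V1 = b"MZ\x90\x00payroll-app-v1"
PAYROLL_V2_UPDATE = b"MZ\x90\x00payroll-app-v2"
UNKNOWN_DOWNLOAD = b"MZ\x90\x00totally-legit-invoice"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's contents, used as its identity in hash rules."""
    return hashlib.sha256(data).hexdigest()


# Constructed policy (hypothetical, not a real product's format):
#  - "hashes": exact binaries approved wherever they live
#  - "trusted_dirs": admin-only install locations whose contents may run
#  - "user_writable_dirs": locations a user can write to, never trusted by path
POLICY = {
    "hashes": {sha256_hex(APPROVED_PAYROLL_V1)},
    "trusted_dirs": ("c:\\program files\\", "c:\\windows\\"),
    "user_writable_dirs": ("c:\\users\\", "c:\\temp\\"),
}


def may_run(path: str, content: bytes, policy=POLICY):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    normalised = path.lower()

    # 1. Hash rules win: a known-good binary is fine even in a Downloads folder.
    if sha256_hex(content) in policy["hashes"]:
        return True, "hash matches an approved binary"

    # 2. Never trust a location the user can write to, even if it were also
    #    listed as trusted; otherwise a path rule becomes a loophole.
    if normalised.startswith(policy["user_writable_dirs"]):
        return False, "user-writable location and hash not approved"

    # 3. Path rules cover everything installed by an administrator.
    if normalised.startswith(policy["trusted_dirs"]):
        return True, "installed in an admin-only directory"

    # 4. Default deny.
    return False, "no rule allows this binary"


def demo():
    """Run the four cases the text describes and return the decisions."""
    return {
        "approved_in_downloads": may_run(
            "C:\\Users\\bob\\Downloads\\payroll.exe", APPROVED_PAYROLL_V1)[0],
        # The tedious part: a vendor update changes the hash, so the policy
        # must be updated before the new version is allowed to run.
        "updated_in_downloads": may_run(
            "C:\\Users\\bob\\Downloads\\payroll.exe", PAYROLL_V2_UPDATE)[0],
        "unknown_in_program_files": may_run(
            "C:\\Program Files\\Acme\\tool.exe", UNKNOWN_DOWNLOAD)[0],
        "unknown_in_downloads": may_run(
            "C:\\Users\\bob\\Downloads\\invoice.exe", UNKNOWN_DOWNLOAD)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'BLOCK'}")
```

The second case is why the practice is “tedious”: every legitimate update produces a new hash, so someone has to maintain the list. The third and fourth cases show why the path rules only ever point at directories ordinary users cannot write to.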
Essential Strategy #3: MS Office Macro Settings
Again, this is to prevent the delivery and execution of malware. Configure your settings so that macros are blocked by default. Allowing only certified macros can catch a large number of broad-net cyber security attacks that would otherwise penetrate your system. Especially for this cyber security strategy, it may be worthwhile to conduct reviews within your business as part of a regular auditing process.
Essential Strategy #4: User App Hardening
Hardening your apps is another method of preventing malicious programs from infecting PCs on your business’s network. What this means: be scrupulous about app permissions (just like you should be with user permissions). Don’t auto-accept all permissions any time an app requests them. Read through the list of requested permissions and only allow what is necessary. Disable the rest!
If a new application won’t run without being given certain sensitive permissions, contact your IT department before using it. Though it may be a nuisance to determine when certain permissions are warranted, it’s a lot less stressful than dealing with a virus or stolen data.
Configure your web browser, via its settings, to block ads as well as Java and Flash (or better yet, uninstall them). Why? Because these are all commonly used by cyber criminals to deliver and execute malicious code. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. Restrict the functionality of these apps to do only what you need. For example, don’t allow your PDF viewer to display clickable links. Those links could lead somewhere dangerous, whether your employees realise it or not.
Essential Strategy #5: Administrative Privilege Restriction
This one is fairly simple: don’t give administrative privileges to anyone but administrators. Just like you only let apps do what is necessary, only let personnel access what they must. Receptionists, for example, do not need administrative privileges to execute the core functions of their job.
Additionally, don’t use privileged (admin) accounts for inherently risky activity such as logging into your email or surfing the web. Remember, administrators’ accounts hold full control over the business network. At no point should a hacker be given any chance to take advantage of that power.
Reminder: the ISO 27001 standard talks about role-based access more in-depth. For now, remember: the fewer users with admin privileges, the better.
Essential Strategy #6: Operating System Patches
Use the latest, supported version of your operating system at all times. Patch computers (including network devices, like your router and any extensions) that are found to have vulnerabilities. Furthermore, you should be sure to have systems in place, like Club IT offers, to automatically detect new updates. That way, there is no gap between the time they come out and the time you install them.
Tip: Windows 10 is pretty aggressive about patching, making it a safe (albeit inconvenient) example of a secure, up-to-date OS.
Essential Strategy #7: Multi-Factor Authentication
Also called two-factor authentication, this cyber security strategy exists to verify who you are before giving you access to your accounts. Essentially, it uses additional checks even after you input your password, adding layers of difficulty for anyone trying to gain unauthorised access to your data.
It might be annoying that your bank texts you that six-digit code every time you try to log in, but you might not be the only one trying to check your balance. Other examples include everything from security questions (“What was the name of your first pet?”) all the way up to fingerprint scanning.
Anything accessed remotely, including from the cloud, should have multi-factor authentication enabled. A whole range of platforms, like Duo Security, offer this capability. Platforms like G-Suite and Office 365 actually have it built-in. It should be your default. Club IT’s professional advice: make a mental list of all remotely accessible systems. Then, go through and proactively ensure that each one requires at least two factors of authentication.
Essential Strategy #8: Daily Backups
If someone corrupts or otherwise compromises your data, you’ll be glad you backed it up! Also, data is always changing. You want your backups to reflect your most recent settings and file information in case of a cyber attack, so make sure that backing up your data is a daily occurrence. If your business gets hacked, it’s bad enough that someone gains access to your data. But it can get worse: you can actually lose access to your own data. Mitigate against this by backing everything up every day. Or, leave it to the experts at Club IT!
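A backup only helps if you can prove it is intact and actually restore from it. As an added illustration (example code written for this post, not a Club IT product), the script below copies a folder, records a SHA-256 manifest, then simulates a file being overwritten on the live system and restores only what no longer matches the manifest. The directory layout and file contents are constructed inside a temporary folder so it runs anywhere:

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(live: Path, dest: Path) -> dict:
    """Copy every file under `live` into `dest` and write a hash manifest."""
    manifest = {}
    for f in sorted(p for p in live.rglob("*") if p.is_file()):
        rel = f.relative_to(live)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)
        manifest[rel.as_posix()] = sha256_file(f)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def check_against_manifest(root: Path, manifest: dict) -> list:
    """Names of files under `root` that are missing or whose hash changed."""
    bad = []
    for rel, digest in manifest.items():
        f = root / rel
        if not f.is_file() or sha256_file(f) != digest:
            bad.append(rel)
    return bad


def restore(backup_dir: Path, manifest: dict, live: Path) -> list:
    """Copy back only the files that fail the manifest check."""
    restored = []
    for rel in check_against_manifest(live, manifest):
        dst = live / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, dst)
        restored.append(rel)
    return restored


def demo() -> dict:
    """Constructed scenario: back up, damage one live file, verify, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        bak = Path(tmp) / "backup"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "invoice.txt").write_text("Invoice 1001: $500")
        (live / "notes.txt").write_text("meeting at 10")

        manifest = backup(live, bak)
        backup_ok = check_against_manifest(bak, manifest) == []

        # Simulate the "lose access to your own data" case: a file on the
        # live system is overwritten (as ransomware would do).
        (live / "docs" / "invoice.txt").write_text("ENCRYPTED")

        bad_before = check_against_manifest(live, manifest)
        restored = restore(bak, manifest, live)
        bad_after = check_against_manifest(live, manifest)
        return {"backup_ok": backup_ok, "bad_before": bad_before,
                "restored": restored, "bad_after": bad_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth copying into a real process: the manifest is verified immediately after the backup is written (a backup that was never checked is a hope, not a control), and the restore is driven by the same manifest, so a daily run can report exactly which files changed since yesterday.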