Should We be Looking Down Under to Improve Our Security?

Security is a global problem, so it makes sense that we look beyond our own borders for a solution. One source of inspiration in its approach to security is the Australian Department of Defence (DoD), which places the mitigation of cybersecurity risk high on its agenda of priorities.

To help protect organizations, it has created an eight-step guide for organizations to follow. Developed by the Australian government's Defence Signals Directorate, the part of the DoD responsible for cybersecurity, the Essential Eight is a set of research-based rules relevant to all businesses with an eye on data protection. Here at Avecto, we believe that these principles can be applied to organizations operating anywhere in the world. 
Broken down into two core aims – to prevent the spread of malware, and to limit the extent of incidents and aid data recovery – the Essential Eight is a list of practical actions organizations can take to strengthen their cybersecurity protocols. Building defense in depth is the goal of this process. Organizations that can implement all of the following measures are more likely to be secure against an online assault. 
To help to prevent the execution of malware, the Essential Eight recommends:  

  • Application whitelisting: A strict list of accepted applications that can run within a system, to the exclusion of all others. 
  • Patch applications: Regular patching can fix known security vulnerabilities in applications which can help to shore up cyber defenses. 
  • Disable untrusted Microsoft Office macros: Macros are increasingly recognized as a means for malicious parties to download and operate malware – the disabling of all untrusted macros can reduce this risk. 
  • User application hardening: Blocking all web browser access to Adobe Flash player – and uninstalling if possible – as well as blocking advertisements and untrusted Java code on the internet. 

Meanwhile, actions to limit the extent of attacks or data breaches, should they occur, and to support enhanced data recovery include: 

  • Multi-factor authentication: Users will only be granted access to data or applications after providing multiple forms of authentication. This can typically include a password, a unique physical token, or biometric data such as a fingerprint. 
  • Daily backup of important data: All data should be regularly backed up and stored offline. 
  • Patch operating systems: Regular patching to fix known security vulnerabilities in operating systems will help to improve cyber defenses. 
  • Restrict administrative privileges to operating systems and applications based on user duties: Only those employees who have a direct need for administrative privileges – for example, to manage systems or install legitimate software – should be granted this status. 

Each of the above measures plays a vital role in enhancing the defenses of organizations against the malicious activities of those who probe their networks looking for weaknesses. Used in conjunction, the Essential Eight enables organizations to identify those assets that are most in need of protection, to identify who the most likely sources of threat will be, and to set the most appropriate level of defense for networks and individual applications. 
The Essential Eight is a recommendation that continues to evolve, with the DoD actively updating its guidance in line with the latest threats and risks to organizational security. 
There are two measures of the Essential Eight that stand out from the rest in terms of their ability to protect an organization's precious data – application whitelisting and the restriction of admin privileges. 
Whitelisting is the creation of an approved list of applications that are authorized to operate on individual devices. In this way, companies can limit their exposure to malware, as untrusted applications – those not on the whitelist – will be automatically blocked from running. 
It is a security approach that is designed to protect against malicious code. It can be especially useful when applied to the computers of high-risk users – those most likely to be targeted by attackers – such as senior managers, system administrators or individuals whose function gives them access to sensitive data, such as those in HR or finance.

Implementing whitelisting can be a daunting prospect to carry out company-wide, but by doing so for those who face the highest risk, businesses can gain a significant level of protection. To carry out whitelisting, organizations are advised to undertake the following steps: 

  1. Identify applications that are essential for operations and authorize these to be used on all systems. 
  2. Develop application whitelisting rules and an implementation framework to ensure only those applications listed in step one can be executed. 
  3. Regularly update and maintain the application whitelisting rules using a change management program. 

It is important that application whitelisting does not replace anti-virus or other security software already in place on systems, as these measures perform a necessary function and add strength to the protection of data. 
Restriction of admin privileges
Although whitelisting is a helpful proactive measure, the restriction of admin privileges can be an equally powerful tool in network safeguarding. It helps to ensure that only those who genuinely require the ability to change fundamental aspects of a network or of individual computer systems are able to do so. 
Some may view blanket admin privileges as beneficial to companies in terms of individual flexibility, with staff being able to add, change or customize their computer to best suit their needs.

However, by failing to monitor this activity, companies that are attacked by a malicious party have little defense against the spread of infection in their systems and could suffer considerable consequences as a result. 
Individuals who retain admin privileges could have the ability to make significant changes to a system's configuration or operation, bypass critical security settings and access sensitive information. Taking away this level of privilege can therefore only be a positive step in enhancing network security. 
Advantages of their removal also include the creation of a network environment that is more stable, predictable and easier to support, as fewer users are able to make changes to the environment, either intentionally or otherwise.

Restricting admin privileges within an organization is a best practice that all companies should adopt. According to the Australian DoD, this is how it is achieved: 

  1. Identify tasks which require administrative privileges to be performed. 
  2. Validate those staff members that are required and authorized to carry out these tasks. 
  3. Create separate attributable accounts for staff members with administrative privileges, ensuring that their accounts have the least amount of privileges needed to undertake their duties. 
  4. Regularly review the accounts of those with admin privileges to ensure these powers remain relevant to their role, removing privileges when appropriate. 

To further bolster the security of organizations operating with user admin accounts, these accounts should be restricted from activities that present a risk to cybersecurity, including reading emails, opening attachments or connecting to the internet. Individuals with admin privileges should have separate accounts created to carry out these day-to-day tasks. By taking these steps, IT leaders can have more peace of mind that each of their endpoints will be protected.
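The four steps above and the separate-account advice in this paragraph can be turned into a routine audit. The following is an added example (not from the article or from Avecto) that checks a constructed, hypothetical account inventory for the departures the text warns about: privileges beyond the owner's duties, non-attributable shared admin accounts, overdue reviews, admin accounts used for email or browsing, and admins with no separate standard account. The 90-day review interval and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date

REVIEW_INTERVAL_DAYS = 90  # assumed cadence; the guidance only says "regularly"
AS_OF = date(2018, 4, 1)   # constructed audit date for the sample below


@dataclass(frozen=True)
class Account:
    name: str              # login name
    owner: str             # person the account is attributable to ("" = shared)
    privileges: frozenset  # privileged roles granted to the account
    needed: frozenset      # privileged roles the owner's duties actually require
    last_review: date      # when the privileges were last reviewed
    daily_use: bool        # account reads email, browses the web or opens attachments


def audit(accounts, today):
    """Return (subject, finding) pairs for each departure from the steps above."""
    findings = []
    owners_with_admin, owners_with_standard = set(), set()
    for acct in accounts:
        if not acct.privileges:
            owners_with_standard.add(acct.owner)  # step 3: separate day-to-day account
            continue
        owners_with_admin.add(acct.owner)
        if not acct.owner:
            findings.append((acct.name, "shared admin account is not attributable"))
        excess = acct.privileges - acct.needed
        if excess:  # step 3: least privilege needed for the owner's duties
            findings.append((acct.name, "privileges beyond duties: " + ", ".join(sorted(excess))))
        if (today - acct.last_review).days > REVIEW_INTERVAL_DAYS:  # step 4
            findings.append((acct.name, "privilege review overdue"))
        if acct.daily_use:  # admin accounts should not read email or browse the web
            findings.append((acct.name, "admin account used for email/web"))
    for owner in sorted(owners_with_admin - owners_with_standard - {""}):
        findings.append((owner, "no separate standard account for day-to-day work"))
    return findings


# Constructed sample inventory; none of these accounts or people are real.
SAMPLE = [
    Account("adm-jsmith", "jsmith", frozenset({"server_admin"}), frozenset({"server_admin"}), date(2018, 3, 1), False),
    Account("jsmith", "jsmith", frozenset(), frozenset(), date(2018, 3, 1), True),
    Account("adm-alee", "alee", frozenset({"server_admin", "domain_admin"}), frozenset({"server_admin"}), date(2017, 6, 1), True),
    Account("administrator", "", frozenset({"domain_admin"}), frozenset(), date(2017, 1, 1), False),
]


def audit_sample():
    return audit(SAMPLE, AS_OF)


if __name__ == "__main__":
    for subject, issue in audit_sample():
        print(f"{subject}: {issue}")
```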
