ACSC updates Essential Eight guidance


By Dylan Bushell-Embling
Wednesday, 14 July, 2021

The Australian Cyber Security Centre (ACSC) has published updated guidance on implementing the Essential Eight threat mitigation strategies.

The new Essential Eight Maturity Model now prioritises the implementation of all eight mitigation strategies as a holistic package before moving to a higher maturity level.

The complementary nature of the mitigation strategies and the necessity of employing multiple strategies to respond to various cyber threats make this the preferred implementation model, the revised document states.

Organisations should accordingly implement the Essential Eight to the same standard before moving on to higher maturity levels. Implementation should use a risk-based approach, and organisations should strive to minimise any exceptions and their scope, the ACSC said.

The model classifies an organisation’s level of maturity on one of four levels, starting with level zero — showing weaknesses in an organisation’s overall cybersecurity posture. Maturity level one is focused on deterring adversaries who are content to simply leverage commodity tradecraft that is widely available in order to gain access to systems.

Maturity level two is focused on adversaries with more capabilities than in the previous level, while maturity level three is focused on sophisticated, adaptive adversaries who are much less reliant on public tools and techniques.

In addition, the guide has been updated with an increased emphasis on risk management, which includes better enabling organisations to manage risks associated with legacy systems.

The Essential Eight mitigation strategies are application control; application patching; the configuration of Office macro settings; user application hardening; restricting admin privileges; patching operating systems; implementing multi-factor authentication; and conducting regular backups.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd