Breaking down the ASD’s “top four” strategies to mitigate cybersecurity incidents
The Australian Signals Directorate's (ASD) "Essential 8" is an excellent, tried-and-true security guide, designed for Federal government and agencies, that is absolutely relevant to the security of all businesses.
While the entire guide should be standard reading for all security professionals and IT administrators, within it lies the 'top four', which are the four most instrumental aspects of any organisation's security strategy.
The top four consist of Application Whitelisting, Patch Applications, Patch Operating Systems and Restrict Administrative Privileges.
According to the ASD, "At least 85% of the intrusions that ASD responded to in 2011 involved adversaries using unsophisticated techniques that would have been mitigated by implementing the top four mitigation strategies as a package.
While as the ASD states, the top four were constructed in 2011, they remain the top four today for a very good reason.
We - in conjunction with emt Distribution - break down each of the ASD's top four and why they are so important.
#1: Application Whitelisting
As number one on the ASD's list, the importance of Application whitelisting can't be understated.
Application whitelisting is the opposite to Antivirus. In AWL, if an executable file is not in the allowed list, it won't run. It's not reliant on knowing what is malicious, it only needs to know what is considered acceptable in a given environment.
This is what makes AWL the most effective way to prevent malicious, unknown or unacceptable software from executing on a machine.
Good AWL solutions are built with existing business workflows in mind, with minimum impact on business processes and performance. And good AWL solutions certainly do exist.
Daniel Schell, co-founder of Australian application whitelisting company, Airlock Digital says, "True application whitelisting removes the ability for attackers to execute malicious and unknown code. This significantly increases the difficulty of attack, blocking unseen malware and removing core tools attackers need to use.
Application whitelisting only lets files approved to run, run. If it's not in the whitelist, it won't execute.
So why do more businesses not incorporate application whitelisting into their cyber threat mitigation strategies?
According to Schell, it's because of a simple misconception.
"It suffers from a perception that it's difficult to manage and puts an onerous burden on IT Administration. It's also perceived to slow down an end user's ability to add new legitimate programs to a system," Schell says.
Application whitelisting solutions have come a long way. Going back 6 years, the resources required to maintain a solution was significant, and workflows were impacted - a case of the tail wagging the dog.
As Schell puts it, "In order for an application whitelisting solution deployment to be successful, it needs to align with current business processes.
"When business processes need to change in order to fit in with application whitelisting, then we tend to see significant pushback from the business. This ultimately leads to AWL getting a negative reputation.
Schell also added, "A solid useful application whitelisting solution should slot into existing workflows, be specific to the environment it's being used in, require minimum people hours to maintain and make it easy for users to function, without compromising on security. We've achieved this with Airlock".
#2 Patch Applications and #3 Patch Operating Systems
According to the Flexera Country Report 2017, in Australia Apple iTunes 12.x ran at an unpatched rate of 49%, VLC Media Player 2.x at 49%, Adobe Reader XI.x at 53% and PuTTY 0.x at 51%.
Each of these applications have had malware that targets these vulnerabilities and applying the patches effectively mitigates the risk of being infected by that malware. If the vulnerability doesn't exist, the malware cannot achieve its goal.
Flexera senior director of research and security Kasper Lindgaard says, "The exploitation of software vulnerabilities is one of the most common methods in external attacks. Software vulnerabilities are used, not only to initiate an attack, but to escalate privileges, move within systems, conceal attacks and exfiltrate data.
"By maintaining comprehensive processes to apply security patches, businesses shut this important window of opportunity for criminals and experience a substantial reduction in the risk of incidents.
With vulnerabilities and their patches being highly publicised, slow remediation should not be an option.
"One of the challenges in patching operating systems is the risk of breaking those systems and another is the disruption that the patching activity may cause, which may impact productivity," Lindgaard continues.
"Most risks associated with patching activities can be mitigated by implementing policies and procedures that take into consideration business requirements. By neglecting security patches under the assumption that it's problematic to manage them, organizations are accepting a level of risk that they can't measure or track.
#4 Restrict Administrative Privileges
According to Thycotic chief security scientist Joseph Carson, Privileged Access Management (PAM) is one of the most effective cybersecurity threat mitigation strategies because it makes cybercriminals job much more difficult.
It forces hackers to continuously repeat hacking techniques that increase the risk of exposing themselves.
"PAM can also be used to improve insights into vulnerability assessments, IT network inventory scanning, virtual environment security, identity governance, and administration and behaviour analytics," Carson says.
"By paying special attention to privileged account security, you can enhance all your cybersecurity efforts, helping to safeguard your organization in the most efficient and effective way possible.
Carson believes Privileged Account Management is sometimes perceived as complex, expensive and requires highly skilled technical resources to implement it.
He says that while this may have been true in the past, it's no longer the case.
"PAM doesn't have to be an insurmountable challenge. Any organization can control, protect, and secure its privileged accounts (and make the hacker's job more difficult)," Carson says.
"Thycotic have made PAM accessible, simplified, affordable and easy to learn for any employee who has some technical knowledge." From PCI DSS to the Australian Information Security Manual, managing and protecting privileged accounts is embedded in almost all major compliance and regulatory requirements.
"As a result of compliance drivers, the wide use of PAM (has) accelerated in those heavily regulated industries like finance, healthcare and governments," Carson continues.
"These have since become best practices for other industries which have seen PAM becoming a must-have security control that is effective at stopping hackers from gaining access.
The Wrap
The solid foundation for a good defensive strategy to block the majority of malicious attacks does not need to be difficult.
The "top four" key strategies lay this foundation. Augmented with good gateway defence, user education and review, businesses can improve their security posture significantly.
Companies such as Airlock Digital, Flexera and Thycotic have solid solutions that specifically address these strategies, and when deployed give a level of defensive protection that all organisations should strive to attain.
In turn, this reduces the reliance on post-incident investigation. If incidents don't happen, investigation becomes less necessary, and backups are less likely to be relied upon.