How Australia’s Essential Eight sets the standard for data protection & breach notification
Globally, more and more jurisdictions are releasing mandates that will have a substantial impact on companies regarding breach notification and the protection of sensitive data.
One such mandate was recently enacted in Australia. On February 13, the Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016.
This mandate will put pressure on Australian businesses to report breaches of sensitive data. The new rules require Commonwealth government agencies, private sector organisations, and any business regulated by the Privacy Act to comply within 12 months. Failure to do so exposes businesses to civil penalties, public reputational harm, and other negative financial consequences.
The new bill will help to draw attention to cyber security solutions as well as focusing on the practices that protect data and business systems throughout Australia. Companies will need to account for their security systems and take steps to ensure they have the right technologies and plans in place to prove protection.
Companies are not left alone with this task: the Australian Signals Directorate (ASD), a Department of Defence intelligence agency responsible for signals intelligence (SIGINT) and information security (INFOSEC), provides guidance.
The agency produces a security guidance risk-planning baseline called ‘Strategies to mitigate cyber security incidents.’ It’s a prioritised list of practical actions that organisations can put into place to help shore up their information security postures.
Aligned with the updated security mandate is the latest version of the mitigation strategies, called the ‘Essential Eight.’ After a business has performed its due diligence to identify which core assets require attention, the type of adversaries it faces, and what level of protection is needed, the business will have a baseline cyber security posture. Ostensibly this baseline will make it much more difficult for an adversary to compromise its systems. Additionally, businesses will have a good handle on how to measure the security controls that play an important part in ensuring proper protection.
The ‘Essential Eight’ practices fall into the following categories across two distinct functional areas:
The first four are focused on stopping malware from running:
- Application whitelisting – control which programs can run on your systems, and stop the rest.
- Patch applications regularly – stop attacks from exploiting known vulnerabilities.
- Disable untrusted Microsoft Office macros – a common channel for malware.
- Harden user applications – block web browser access to Adobe Flash Player (uninstall it if possible), web advertisements, and untrusted Java code on the Internet.
The second four limit the extent of incidents and help recover data:
- Restrict administrative privileges – limit privileges to only those who need them.
- Patch operating systems – avoid known vulnerabilities that can be exploited; where a system is unsupported and can no longer be patched, introduce a compensating control to protect it.
- Backup important data daily – and ensure the backups meet the specifications of data retention policies.
- Apply multi-factor authentication – add a second factor beyond a simple password across all systems.
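As an added example (not from the article, the ASD or Carbon Black), the read-only PowerShell audit below checks a single Windows host against three of the items listed above: untrusted Office macros, membership of the local Administrators group, and whether an AppLocker whitelisting policy is in effect. It assumes Office 2016 or later (policy key version `16.0`) and Windows 10/Server 2016 or later for the local-accounts cmdlets.

```powershell
# Added example audit script; registry layout and cmdlets as noted in the lead-in.
$findings = @()

# --- Disable untrusted Microsoft Office macros ---
# VBAWarnings policy value: 1 = enable all, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable all without notification.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $sec = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $sec) {
        $findings += "$app`: no macro policy set (user may enable macros)"
        continue
    }
    if (-not $sec.VBAWarnings -or $sec.VBAWarnings -lt 3) {
        $findings += "$app`: VBAWarnings=$($sec.VBAWarnings); unsigned macros can run"
    }
    if ($sec.blockcontentexecutionfrominternet -ne 1) {
        $findings += "$app`: macros in files downloaded from the Internet are not blocked"
    }
}

# --- Restrict administrative privileges ---
# List every member of the local Administrators group except the built-in
# account, so the list can be reviewed against who actually needs admin rights.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($m in $admins) {
    if ($m.Name -notmatch '\\Administrator$') {
        $findings += "Local admin: $($m.Name) (source: $($m.PrincipalSource))"
    }
}

# --- Application whitelisting (AppLocker) ---
# Count the rules in the effective policy; zero rules means nothing is enforced.
try {
    $xml = Get-AppLockerPolicy -Effective -Xml
    $ruleCount = ([regex]::Matches($xml, '<File(Path|Publisher|Hash)Rule ')).Count
    if ($ruleCount -eq 0) {
        $findings += 'No effective AppLocker rules (application whitelisting not enforced)'
    }
} catch {
    $findings += 'AppLocker cmdlets unavailable on this edition; whitelisting not verified'
}

if ($findings.Count -eq 0) { 'No findings for the checked items.' } else { $findings }
```

Run it in an elevated session from a scheduled job or an endpoint management tool and feed the output into the evidence you keep for the 12-month compliance window.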
On a recent tour of the region, I had the privilege of meeting with one of the lead directors of the ASD, when the ‘Essential Eight’ was in final edit mode. I had the chance to discuss the security controls and was impressed to hear the ASD’s plans for supporting businesses with the new mandates via the mitigation strategies.
The ASD is actively engaging with businesses in the case of an incident and offering support before, during and after the mandatory notification that would be triggered under the breach notification laws.
This is a great example of supporting and standing behind the mitigation strategies and is also a good way to promote adoption to ensure businesses are moving toward better security postures. It also ensures businesses are fully transparent in the case of an incident.
It was also encouraging to find common ground between the mitigation recommendations put forth by the ASD and the way Carbon Black approaches security posture through our focus on event stream processing, ranking risks throughout the attack cycle, as well as proof of data integrity and policy enforcement.
Carbon Black has promoted the idea of implementing a good security mitigation baseline as the first step towards better security protection, and also argues that most organisations need the option to implement these baselines quickly, while collecting valuable intelligence from the outset.
Just as the ASD aims to ensure that its strategies are customisable and accessible for organisations, Carbon Black places importance on providing attack mitigation that businesses can stand up quickly and easily, while deriving effective threat metrics that can help get to the root of the threat problem.
After careful review of the new ‘Essential Eight,’ it is apparent the ASD has taken implementation and audit fatigue into account when designing the mitigations. This is something that many other baselines and frameworks fail to address.
A mitigation strategy is only as strong as the completeness of its implementation. Many other jurisdictions should take a page from the ASD on how to encourage businesses to take the first steps to creating an environment fostering better security. The new strategy ensures that businesses will be able to take advantage of the suggested security parameters quickly and start down the road of better risk and threat mitigation.
Article by Christopher Strand, security risk and compliance officer at Carbon Black.