Common Vulnerabilities and Exposures in Cybersecurity: How the E8 Maturity Model Protects Organisations
Protecting systems from cybersecurity vulnerabilities is crucial for enterprise and government organisations alike. With cyber threats expected to keep rising in 2025, knowing the common vulnerabilities and exposures is the first step to hardening your defences, and applying the ACSC's Essential Eight (E8) maturity model to your organisation is an excellent first line of defence.
What are Common Cybersecurity Vulnerabilities?
Cybersecurity vulnerabilities are weaknesses in systems, processes or policies that attackers exploit to gain access or cause damage. The Australian Cyber Security Centre's Essential Eight Maturity Model is designed to address the most common of these vulnerabilities from a practical, cross-functional perspective.
As Ashur Williams, Essential 8 technical lead, said in a recent webinar:
"With the Essential Eight, we're looking to stop unpatched vulnerabilities that can be exploited because this is a big issue (for organisations)."
The most common vulnerabilities in enterprise environments addressed by the E8
The Essential Eight, formulated by the Australian Signals Directorate (ASD), comprises eight mitigation strategies that bolster an organisation's defences against cyber threats. An Essential Eight assessment reviews how well each strategy is implemented and functioning within an organisation, so that cyber security measures are both robust and effective. The assessment examines the maturity level of each strategy, pinpoints areas needing uplift, and verifies alignment with ASD's guidance. Here are the most common vulnerabilities:
1. Unpatched Software and Systems
Unpatched applications and operating systems are among the most exploited vulnerabilities in enterprise environments. Threat actors target organisations that don't update their systems promptly, using publicly known weaknesses, often with exploit code already available, to breach defences.
Solution: Patching (Essential 8 Strategies 1 & 2)
Implement automated patch management so that applications and operating systems are kept up to date, prioritising internet-facing systems (for example, those in the DMZ), which the Essential Eight requires to be patched within the shortest timeframes, and shortening the window further when an exploit is known to exist.
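One way to turn that patch policy into a check that can run against an asset inventory, as an added example that is not code from the original article or from Tesserent. The inventory, the advisories and their identifiers are constructed for the example; the 48-hour and two-week windows follow the ASD timeframes for internet-facing services, while the 30-day window for internal systems is an assumption to be aligned with the maturity level you target.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Patch windows used by this example. The 48-hour (exploit known) and two-week
# figures follow the ASD Essential Eight timeframes for internet-facing
# services; the 30-day window for internal systems is an assumption. Check the
# current maturity model for the figures that apply to your target level.
WINDOW_INTERNET_FACING_EXPLOITED = timedelta(hours=48)
WINDOW_INTERNET_FACING = timedelta(days=14)
WINDOW_INTERNAL = timedelta(days=30)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str            # constructed identifier, not a real bulletin
    product: str
    fixed_version: tuple        # first version that carries the fix
    released: datetime
    exploit_known: bool         # public exploit or active exploitation reported


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: tuple              # installed version, as a comparable tuple
    internet_facing: bool       # e.g. sits in the DMZ


def patch_deadline(advisory: Advisory, asset: Asset) -> datetime:
    """Deadline by which this asset must be patched for this advisory."""
    if asset.internet_facing:
        window = (WINDOW_INTERNET_FACING_EXPLOITED if advisory.exploit_known
                  else WINDOW_INTERNET_FACING)
    else:
        window = WINDOW_INTERNAL
    return advisory.released + window


def overdue_assets(assets, advisories, now: datetime):
    """Return (host, advisory_id, days_overdue) for every asset that still runs
    a version below the fixed version after its deadline has passed."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product or asset.version >= adv.fixed_version:
                continue                      # different product, or already patched
            deadline = patch_deadline(adv, asset)
            if now > deadline:
                findings.append((asset.host, adv.advisory_id, (now - deadline).days))
    return sorted(findings)


# Constructed inventory and advisories (not real products or bulletins).
NOW = datetime(2025, 1, 20)
ADVISORIES = [
    Advisory("ADV-0001", "webproxy", (3, 2, 1), datetime(2025, 1, 10), exploit_known=True),
    Advisory("ADV-0002", "pdfreader", (11, 0, 4), datetime(2024, 12, 1), exploit_known=False),
]
ASSETS = [
    Asset("dmz-proxy-01", "webproxy", (3, 2, 0), internet_facing=True),    # 48h window, overdue
    Asset("corp-proxy-02", "webproxy", (3, 2, 0), internet_facing=False),  # 30-day window, not yet due
    Asset("corp-ws-117", "pdfreader", (11, 0, 2), internet_facing=False),  # 30-day window, overdue
    Asset("corp-ws-118", "pdfreader", (11, 0, 4), internet_facing=False),  # patched
]


def report(now: datetime = NOW):
    """Overdue findings for the constructed inventory at the given time."""
    return overdue_assets(ASSETS, ADVISORIES, now)


if __name__ == "__main__":
    for host, advisory_id, days in report():
        print(f"{host}: {advisory_id} overdue by {days} day(s)")
```

The same advisory produces a finding for the DMZ proxy but not for the internal one, because the deadline depends on exposure and exploit status rather than on the advisory alone; that is the prioritisation the Essential Eight timeframes encode.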
2. Inadequate Multi-Factor Authentication (MFA)
Many organisations still rely on passwords alone, a single authentication factor that is easily phished, guessed or leaked. Attackers then use the stolen credentials to walk into critical systems.
Solution: MFA Implementation (Essential 8 Strategy 3)
Implement MFA not only for internal users but also for third parties and externally accessible systems. This additional factor protects against compromised passwords; prefer phishing-resistant methods (such as security keys or passkeys) over SMS codes where the maturity level you target calls for them.
3. Excessive Admin Privileges
Unrestricted admin access is a major risk, especially if the credentials are compromised or misused: one stolen privileged account gives an attacker the run of the environment.
Solution: Least Privilege Access (Essential 8 Strategy 4)
Implement Role-Based Access Control (RBAC), a Workforce Identity and Access Management strategy, to give users only the permissions their job roles require, and keep privileged duties on separate accounts from everyday email and web use. Williams said that limiting what people can do to what their job needs via RBAC helps implement zero-trust principles and mitigates insider threats and misuse.
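The least-privilege review that an RBAC model makes possible, as an added example rather than code from the original article or from Tesserent. The role catalogue, user assignments and job requirements are constructed; the two audits it runs are the ones a reviewer usually wants first: permissions a user holds beyond what the job needs, and accounts that mix a privileged role with everyday roles.

```python
# Constructed role catalogue: role -> permissions it grants.
ROLE_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:write", "user:reset_password"},
    "finance": {"ledger:read", "ledger:write", "invoice:approve"},
    "reader": {"ticket:read", "ledger:read"},
    "domain_admin": {"ad:create_account", "ad:modify_schema", "gpo:edit", "user:reset_password"},
}
PRIVILEGED_ROLES = {"domain_admin"}

# Constructed assignments: user -> roles held, and user -> permissions the job needs.
USER_ROLES = {
    "alice": {"helpdesk"},
    "bob": {"finance", "reader"},
    "carol": {"domain_admin", "reader"},
}
JOB_REQUIREMENTS = {
    "alice": {"ticket:read", "ticket:write", "user:reset_password"},
    "bob": {"ledger:read", "ledger:write"},
    "carol": {"ad:create_account", "gpo:edit"},
}


def effective_permissions(user: str) -> set:
    """Union of everything the user's roles grant."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorised(user: str, permission: str) -> bool:
    """Deny by default: unknown users, roles and permissions are all refused."""
    return permission in effective_permissions(user)


def excess_permissions(user: str) -> list:
    """Permissions granted through roles that the job does not actually require."""
    return sorted(effective_permissions(user) - JOB_REQUIREMENTS.get(user, set()))


def mixed_privilege_accounts() -> list:
    """Accounts holding a privileged role alongside an everyday role. The
    Essential Eight keeps privileged accounts away from email and web browsing,
    which in practice means a separate account for administrative work."""
    return sorted(user for user, roles in USER_ROLES.items()
                  if roles & PRIVILEGED_ROLES and roles - PRIVILEGED_ROLES)


def audit() -> dict:
    """Findings for the whole user population."""
    return {
        "excess": {user: excess_permissions(user)
                   for user in sorted(USER_ROLES) if excess_permissions(user)},
        "mixed_privilege": mixed_privilege_accounts(),
    }


if __name__ == "__main__":
    for user, extra in audit()["excess"].items():
        print(f"{user}: holds unneeded permissions {extra}")
    print("mixed privileged/everyday accounts:", audit()["mixed_privilege"])
```

Note that the excess for carol comes partly from the admin role itself (schema changes nobody asked for) and partly from a convenience role stacked on the same account; both are what the review should surface.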
4. Malicious Software and Office Macros
Malware remains a major threat, and a common delivery path is a malicious macro in an Office document. While macros are useful, they can also be used to deploy ransomware or steal data.
Solution: Disable Macros (Essential 8 Strategy 6)
Disable or restrict macros in Office applications unless there is a demonstrated business need. Where macros are required, allow only those that are digitally signed by a trusted publisher or run from trusted locations, block macros in files that originate from the internet, and prevent users from changing these settings.
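Macro blocking on the endpoint works best alongside a filter at the mail gateway or upload point that judges an attachment by its content rather than its file name. The following is an added example of that classification (not code from the original article or from Tesserent): OOXML documents are zip packages, and a VBA project shows up as a `vbaProject.bin` part inside them. The sample files are constructed minimal packages, not real documents, and the verdict names are this example's own.

```python
import io
import os
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office (OLE2) header
MACRO_ENABLED_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def contains_vba_project(data: bytes) -> bool:
    """OOXML files are zip packages; a VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.rsplit("/", 1)[-1].lower() == "vbaproject.bin"
                       for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Decide on content, not on the file name the sender chose."""
    ext = os.path.splitext(filename.lower())[1]
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls/.ppt can carry macros too but need an OLE parser;
        # hold them for deeper inspection rather than passing them through.
        return "inspect-legacy"
    has_vba = contains_vba_project(data)
    if has_vba and ext not in MACRO_ENABLED_EXT:
        return "block"          # macro project hidden behind a non-macro extension
    if has_vba:
        return "quarantine"     # macro-enabled: hold for review against the allow list
    return "allow"


def build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-style package for the demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


# Constructed sample attachments.
SAMPLES = {
    "report.docx": build_ooxml(False),
    "macros.docm": build_ooxml(True),
    "invoice.docx": build_ooxml(True),
    "old.doc": OLE_MAGIC + b"\x00" * 24,
    "notes.txt": b"plain text",
}


def classify_all() -> dict:
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name}: {verdict}")
```

The "quarantine" verdict is where an organisation's allow list of signed or trusted-location macros would be consulted; everything else carrying a macro project from outside the organisation is exactly what the Essential Eight's "block macros from the internet" setting is meant to stop.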
5. Poor Backup Practices
Inadequate or outdated backup processes make the impact of ransomware attacks or data breaches far worse. Without reliable backups, recovery stalls and critical systems stay down for extended periods; without restore testing, you may not discover until the incident that the backups were incomplete or corrupt.
Solution: Backups and Testing (Essential 8 Strategy 8)
Develop a backup strategy that includes regular restore testing, and keep backups offline or in a secure cloud environment where they cannot be modified or deleted by the accounts an attacker is likely to compromise.
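A restore test needs something to compare against, so here is an added example (not code from the original article or from Tesserent) of a hashed manifest recorded at backup time and checked after a test restore. The backup set, the injected faults and the signing key are constructed; the HMAC over the manifest is this example's way of ensuring that an attacker who can rewrite the backup store cannot also rewrite the record of what it should contain.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """path -> SHA-256 of content, recorded when the backup is taken."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical manifest. The key is held by the backup
    administrator, not on the hosts being backed up, so whoever can rewrite
    the backup store cannot also forge a matching manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_restore(manifest: dict, restored: dict) -> dict:
    """Compare a test restore against the manifest: ok / corrupt / missing / unexpected."""
    report = {}
    for path, expected in manifest.items():
        if path not in restored:
            report[path] = "missing"
        elif sha256_hex(restored[path]) != expected:
            report[path] = "corrupt"
        else:
            report[path] = "ok"
    for path in restored:
        if path not in manifest:
            report[path] = "unexpected"
    return report


def restore_is_clean(report: dict) -> bool:
    return bool(report) and all(status == "ok" for status in report.values())


# Constructed backup set and a simulated test restore with faults injected.
SIGNING_KEY = b"example-key-held-by-backup-admin"   # demo value only
SOURCE = {
    "config/app.yaml": b"db_host: db01\nlog_level: info\n",
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'Example Pty Ltd');\n",
    "www/index.html": b"<html><body>hello</body></html>\n",
}
RESTORED = {
    "config/app.yaml": b"db_host: db01\nlog_level: debug\n",   # content changed
    "db/customers.sql": SOURCE["db/customers.sql"],             # intact
    "www/attacker.txt": b"not part of the backup\n",             # should not exist
}                                                                # www/index.html is missing


def run_restore_test() -> dict:
    """Check the manifest's signature first, then grade the restored files."""
    manifest = build_manifest(SOURCE)
    signature = sign_manifest(manifest, SIGNING_KEY)
    if not manifest_is_authentic(manifest, signature, SIGNING_KEY):
        raise ValueError("manifest signature check failed; do not trust this backup")
    return verify_restore(manifest, RESTORED)


if __name__ == "__main__":
    report = run_restore_test()
    for path, status in sorted(report.items()):
        print(f"{path}: {status}")
    print("restore clean:", restore_is_clean(report))
```

In a real deployment the manifest and its signature are written alongside the backup, and the restore test is performed on a separate system on a schedule, not only during an incident.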
Overcoming the Challenges of Cybersecurity
While these vulnerabilities are important to address, organisations often struggle to implement robust cybersecurity. As Williams says, balancing strict security measures against productivity is a top challenge in governance frameworks like the E8.
IT Manager Tips:
Cultural Shift to Security: Get the whole organisation to understand why security is necessary. Leadership buy-in is key to driving this cultural change.
Phased Implementation: Implement cybersecurity controls in stages rather than trying to fix all vulnerabilities at once. Start with high priority areas like MFA and patching.
Continuous Monitoring: Reassess systems and update security controls as threats evolve.
How Tesserent Can Help
Tesserent has deep expertise in helping both government and private organisations implement the relevant Essential Eight controls, contextualised to each client's environment. Our proven methodology rests on a solid partnership with our clients, starting with understanding your goals and your specific cyber risks and threats. Get in touch to discuss an Essential Eight Maturity Uplift tailored to your requirements.
Upcoming Events
A webinar in January to unpack the annual updates to the Essential Eight model.
Essential Eight training in January 2025 through ALC.
Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.