The November 2023 update of the Australian Signals Directorate's (ASD) Essential Eight Maturity Model brings significant changes aimed at bolstering cybersecurity measures. In this blog post, we'll delve into the key modifications and explore how organisations can navigate these updates for a more robust security posture.
Patch Applications and Operating Systems:
The update emphasises higher priority patching scenarios, especially for critical vulnerabilities. Organisations are urged to patch, update, or mitigate such vulnerabilities within 48 hours. There's a heightened focus on applications interacting with untrusted content, necessitating a two-week patching timeframe. This update calls for a proactive approach to vulnerability scanning.
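The two timeframes above can be checked against vulnerability scan output. The following is an added example, not part of the original post or of ASD guidance; the field names, the sample findings and the choice to start the clock at patch release are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Timeframes as stated in the post; field names and clock start are assumptions.
CRITICAL_WINDOW = timedelta(hours=48)
UNTRUSTED_CONTENT_WINDOW = timedelta(weeks=2)

def patch_deadline(finding):
    """Return (deadline, rule), or (None, None) where the post states no timeframe."""
    released = finding["patch_released"]  # assumed start of the clock
    if finding["critical"]:
        return released + CRITICAL_WINDOW, "critical-48h"
    if finding["untrusted_content"]:
        return released + UNTRUSTED_CONTENT_WINDOW, "untrusted-content-2w"
    return None, None

def sla_breaches(findings, now):
    """Findings patched, updated or mitigated late, or still open past the deadline."""
    breaches = []
    for f in findings:
        deadline, rule = patch_deadline(f)
        if deadline is None:
            continue
        closed = f["remediated_at"] or now  # still open: measure against now
        if closed > deadline:
            hours = (closed - deadline).total_seconds() / 3600
            breaches.append({"host": f["host"], "item": f["item"], "rule": rule,
                             "hours_late": round(hours, 1),
                             "open": f["remediated_at"] is None})
    return sorted(breaches, key=lambda b: b["hours_late"], reverse=True)

def jan(day, hour=9):
    """Constructed timestamps, all in January 2024 UTC."""
    return datetime(2024, 1, day, hour, tzinfo=timezone.utc)

# Constructed scan export, not real data.
NOW = jan(20)
SAMPLE_FINDINGS = [
    {"host": "web01", "item": "browser", "critical": False, "untrusted_content": True,
     "patch_released": jan(2), "remediated_at": None},
    {"host": "vpn01", "item": "vpn-gateway", "critical": True, "untrusted_content": False,
     "patch_released": jan(18), "remediated_at": jan(19, 21)},
    {"host": "mail01", "item": "mail-server", "critical": True, "untrusted_content": True,
     "patch_released": jan(10), "remediated_at": jan(13)},
    {"host": "hr-db", "item": "db-engine", "critical": False, "untrusted_content": False,
     "patch_released": jan(1), "remediated_at": None},
]

if __name__ == "__main__":
    for b in sla_breaches(SAMPLE_FINDINGS, NOW):
        print(b)
```

A finding that is both critical and exposed to untrusted content is held to the shorter 48-hour window, and findings in neither category are skipped because the post gives no timeframe for them.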
Multi-Factor Authentication (MFA):
MFA requirements have been reinforced to combat evolving cyber threats. The new standard mandates 'something users have' in addition to 'something users know' at Maturity Level One. To address password reliance, organisations must enforce MFA for web portals storing sensitive data. There is also an emphasis on phishing-resistant MFA, and to achieve Maturity Level 2 organisations must now require staff to use MFA when logging on to business systems.
Restrict Administrative Privileges:
Governance processes for privileged access have been refined to include data repositories. Privileged accounts accessing the internet must be explicitly identified and strictly limited. The update introduces requirements for secure admin workstations, break glass accounts, and additional infrastructure hardening.
Application Control:
Annual reviews of application control rulesets and the implementation of Microsoft's recommended application blocklist are crucial at Maturity Level Two.
User Application Hardening:
Given the discontinuation of Internet Explorer 11 support, organisations must disable or remove it. There's a shift towards implementing both ASD and vendor hardening guidance, prioritising the most stringent requirements. The update also focuses on PowerShell logging and command line process creation events at Maturity Level Two and Maturity Level Three.
Regular Backups:
While there are no significant changes, the update encourages organisations to consider the business criticality of data when prioritising backups. This change impacts Maturity Level One through Maturity Level Three.
Logging:
While logging is not an Essential Eight strategy, the changes to logging in this update will have a significant impact on businesses. The update has shifted the requirement for centralised logging from Maturity Level 3 down to Maturity Level 2. This will significantly affect your centralised logging solution, as the size of your log repository will grow substantially.
Our Insights:
Balance patching priority based on vulnerability criticality and interaction with the wider internet. A robust and routinely reviewed patch management plan is essential. Event logging and monitoring take on greater importance under these changes. Focus on internet-facing infrastructure. Security Operations Centre support is vital to this activity.
Our recommendations:
1. Security Assessment: Evaluate your organisation's current cybersecurity maturity level against the updated Essential Eight. Identify gaps and prioritise actions for enhancement.
2. Implementation Planning: Develop a comprehensive plan to implement the new requirements. Ensure clear communication and collaboration across teams for seamless integration.
3. Training and Awareness: Educate employees on the updated security measures, especially changes related to MFA and administrative privileges. Foster a cybersecurity-aware culture.
4. Engage with Experts: Consider seeking assistance from cybersecurity professionals to navigate these changes effectively. External expertise can provide valuable insights and support in implementing best practices.
5. Continuous Monitoring: Establish continuous monitoring processes to detect potential signs of compromise. Regularly review and update your cybersecurity strategy to adapt to evolving threats.
By embracing these changes and proactively enhancing cybersecurity measures, organisations can fortify their defences against modern cyber threats. Stay informed, stay secure.
Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.