How Australia’s ‘Essential Eight’ sets the standard for sensitive data protection and breach notification

14 Mar 17

Globally, more and more jurisdictions are releasing mandates that will have a substantial impact on companies regarding breach notification and the protection of sensitive data.

One of the most recent of these is Australian: on 13 February 2017 the Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016.

The scheme will oblige Australian organisations to notify affected individuals and the regulator when sensitive data is breached. Commonwealth government agencies, private sector organisations and any other businesses regulated by the Privacy Act have 12 months to comply. Failure to do so exposes them to civil penalties, reputational harm and other financial consequences.

The new law will draw attention to cyber security solutions and to the practices that protect data and business systems across Australia. Companies will need to account for their security systems and be able to show that the right technologies and plans are in place.

Companies get help with this task from the Australian Signals Directorate (ASD), a Department of Defence intelligence agency responsible for signals intelligence (SIGINT) and information security (INFOSEC).

The agency publishes a baseline guidance document called ‘Strategies to Mitigate Cyber Security Incidents’: a prioritised list of practical actions organisations can take to shore up their information security posture.

The latest version of the mitigation strategies, the ‘Essential Eight,’ lands alongside the new mandate. Once a business has done its due diligence to identify which core assets need attention, which adversaries it faces and what level of protection it needs, implementing the eight gives it a baseline cyber security posture that makes a compromise considerably harder for an adversary. It also gives the business a clear way to measure the controls that matter most.

The ‘Essential Eight’ practices fall into two functional groups.

The first four are focused on stopping malware from running:

  • Application whitelisting – allow only approved programs to run on your systems, and block everything else.
  • Patch applications – close known vulnerabilities before attackers can exploit them.
  • Disable untrusted Microsoft Office macros – a common delivery channel for malware.
  • Harden user applications – configure web browsers to block Adobe Flash Player (uninstall it if possible), web advertisements and untrusted Java code from the Internet.

The second four limit the extent of incidents and help recover data:

  • Restrict administrative privileges – grant privileges only to those who need them, and only for the tasks that need them.
  • Patch operating systems – close known vulnerabilities before they are exploited, and replace or isolate unsupported systems with a compensating control.
  • Backup important data daily – store backups disconnected from the network, retain them in line with data retention policy, and test restoration.
  • Multi-factor authentication – require a second factor beyond a password, including for VPNs, RDP, SSH and other remote access, and for all users when they perform privileged actions or access important data.
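As an added example (not code from this article, ASD or Carbon Black), the following PowerShell script spot-checks several of these controls on a single Windows host. It assumes PowerShell 5.1 on Windows 10 or Server 2016 with the AppLocker and LocalAccounts modules available, and that Office policy lives under the 16.0 (Office 2016/365) registry hive; it only reads settings and is a starting point for an audit, not a substitute for ASD's maturity assessment.

```powershell
# Added example (not ASD or Carbon Black code): a read-only spot check of a few
# Essential Eight controls on one Windows host. Run from an elevated PowerShell
# 5.1 session. The Office policy keys assume the 16.0 (Office 2016/365) hive;
# adjust the version for other releases. Nothing here changes any setting.

function Test-EssentialEightSpotCheck {
    $r = [ordered]@{}

    # 1. Application whitelisting: is an AppLocker policy enforced (not audit-only)?
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $enforced = @()
    if ($policy) {
        $enforced = @($policy.RuleCollections |
            Where-Object { $_.EnforcementMode -eq 'Enabled' } |
            ForEach-Object { $_.RuleCollectionType })
    }
    $r['App whitelisting'] = if ($enforced.Count -gt 0) {
        "OK (enforced: $($enforced -join ', '))"
    } else { 'REVIEW: no enforced AppLocker rule collection' }

    # 3. Untrusted Office macros. VBAWarnings: 1 = enable all, 2 = disable with
    # notification (the default), 3 = disable except digitally signed, 4 = disable
    # all. blockcontentexecutionfrominternet = 1 is the 'Block macros from running
    # in Office files from the Internet' policy (files carrying the Internet zone mark).
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba = $p.VBAWarnings
        $net = $p.blockcontentexecutionfrominternet
        $ok  = ($vba -in 3, 4) -or ($net -eq 1)
        $r["$app macros"] = if ($ok) {
            "OK (VBAWarnings=$vba, blockFromInternet=$net)"
        } else { "REVIEW (VBAWarnings=$vba, blockFromInternet=$net)" }
    }

    # 4. User application hardening: is Flash Player still installed? These are the
    # install directories of the ActiveX/NPAPI plugin on 64-bit and 32-bit Windows.
    $flash = (Test-Path "$env:windir\System32\Macromed\Flash") -or
             (Test-Path "$env:windir\SysWOW64\Macromed\Flash")
    $r['Flash Player'] = if ($flash) { 'REVIEW: Flash directory present' } else { 'OK: not found' }

    # 5. Restrict administrative privileges: who sits in the local Administrators group?
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Name })
    $r['Local admins'] = "$($admins.Count) member(s): $($admins -join ', ')"

    # 6. Patch operating systems: age of the most recently installed hotfix.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) {
        $age = [int]((Get-Date) - $latest.InstalledOn).TotalDays
        $r['OS patching'] = "$($latest.HotFixID) installed $age day(s) ago"
    } else { $r['OS patching'] = 'REVIEW: no hotfix install dates found' }

    # 7 and 8. Daily backups and multi-factor authentication are properties of the
    # backup platform and the identity provider, not of the endpoint; verify them there.
    return $r
}

Test-EssentialEightSpotCheck | Format-Table -AutoSize
```

The macro check reads the per-user policy hive because the Office Trust Center settings are delivered through user configuration in Group Policy; a host that shows `REVIEW` with both values empty has simply never had the policy applied, which is the finding most audits turn up first.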

On a recent tour of the region, I had the privilege of meeting one of the lead directors of the ASD while the ‘Essential Eight’ was in final edit. I had the chance to discuss the security controls and was impressed to hear the ASD’s plans for supporting businesses with the new mandate via the mitigation strategies.

The ASD is actively engaging with businesses in the case of an incident and offering support before, during and after the mandatory notification that would be triggered under the breach notification laws.

This is a great example of supporting and standing behind the mitigation strategies and is also a good way to promote adoption to ensure businesses are moving toward better security postures. It also ensures businesses are fully transparent in the case of an incident.

It was also encouraging to find common ground between the mitigation recommendations put forth by the ASD and the way Carbon Black approaches security posture through our focus on event stream processing, ranking risks throughout the attack cycle, as well as proof of data integrity and policy enforcement.

Carbon Black has promoted the idea of implementing a good security mitigation baseline as the first step to moving towards better security protection, and also advocates the necessity for most organisations to have the option to implement these baselines quickly, while collecting valuable intelligence from the get-go.

Just as the ASD aims to keep its strategies customisable and accessible for organisations, Carbon Black places importance on attack mitigation that businesses can stand up quickly and easily, while deriving threat metrics that help get to the root of the problem.

After careful review of the new ‘Essential Eight,’ it is apparent the ASD has taken implementation and audit fatigue into account when designing the mitigations. That is something many baselines and frameworks fail to address.

A mitigation strategy is only as strong as the completeness of its implementation. Other jurisdictions should take a page from the ASD on how to encourage businesses to take the first steps towards an environment that fosters better security. The new strategy lets businesses adopt the recommended controls quickly and start down the road of better risk and threat mitigation.

Article by Christopher Strand,  security risk and compliance officer at Carbon Black.
