Essential 8 Recommendations
Application Whitelisting
What: Limits applications from loading to memory if they are not defined by hash, location, owner, publisher.
Why: to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers
User Application Hardening
What: Restrict applications to the uses they are needed. Limit the ability for them to be used maliciously.
Why: Flash, ads and Java are popular ways to deliver and execute malicious code on systems.
Multi-factor Authentication
What: Apply MFA/2FA to all systems/processes that allow it.
Why: Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
Patch Operating Systems
What: Protect against known exploitations by applying security and critical updates.
Why: Security vulnerabilities in operating systems can be used to further the compromise of systems.
Configure Microsoft Office Macro Settings
What: Restrict Office Products from running Macro scripts
Why: Microsoft Office macros can be used to deliver and execute malicious code on systems.
Restrict Administrative Privileges
What: Stop the elevated access users need to install most applications. (Note: this does not stop applications running. That don’t require installations)
Why: Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.
Daily Backups
What: Backup all critical data to encrypted, isolated and restricted systems both onsite and offsite daily as a minimum. (Note: We recommend backups are performed as often as possible in order to reduce your Recovery Point Objective)
Why: To ensure information can be accessed following a cyber security incident (e.g. a ransomware incident).
Additional Recommendations
Device Whitelisting
What: Limits use of pre-approved specific devices to pre-approved users/groups/networks at configured times.
Why: to prevent unknown potential malicious devices entering your network.
Assists with: DLP
Device Filtering
What: Limits data being read or written using pre-defined filetypes/filetype groups.
Why: When approved devices are connected they are filtered to only allow the following filetypes in/out.
Assists with: DLP
Device Auditing / Shadowing
What: Take logs and file copies of used files.
Why: Review and understand what files are being copied/edited to/from devices that are approved. No just logging but complete shadow copies of the file transmitted.
Assists with: DLP
Network Auditing/Filtering
Why: Control threats with behavior based patterns. Ensure networking systems are dynamic enough to prevent unusual behavior.
System Redundancy
What: Have your system designed to cater for planned or unplanned system outage.
Why: Maintain Business continuity with redundant high availability designed systems.
Disaster Recovery Plans
Why: Ensure you have a plan and process on how to recover from a Disaster.
Consider:
– Recovery Time Objectives (RTO)
– Recovery Point Ojbectives (RPO)