The focus of this maturity level is adversaries who are content to simply leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, systems. For example, adversaries opportunistically using a publicly-available exploit for a security vulnerability in an internet-facing service which had not been patched, or authenticating to an internet-facing service using credentials that were stolen, reused, brute forced or guessed.
Generally, adversaries are looking for any victim rather than a specific victim and will opportunistically seek common weaknesses in many targets rather than investing heavily in gaining access to a specific target. Adversaries will employ common social engineering techniques to trick users into weakening the security of a system and launch malicious applications, for example via Microsoft Office macros. If the account that an adversary compromises has special privileges they will seek to exploit it. Depending on their intent, adversaries may also destroy data (including backups).
The Essential 8
| Mitigation Strategy | Description |
|---|---|
| Application control | The execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is prevented on workstations from within standard user profiles and temporary folders used by the operating system, web browsers and email clients. |
| Patch applications | Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services.A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed. |
| Configure Microsoft Office macro settings | Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.Microsoft Office macros in files originating from the internet are blocked.Microsoft Office macro antivirus scanning is enabled.Microsoft Office macro security settings cannot be changed by users. |
| User application hardening | Web browsers do not process Java from the internet.Web browsers do not process web advertisements from the internet.Internet Explorer 11 does not process content from the internet.Web browser security settings cannot be changed by users. |
| Restrict administrative privileges | Requests for privileged access to systems and applications are validated when first requested.Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.Privileged users use separate privileged and unprivileged operating environments.Unprivileged accounts cannot logon to privileged operating environments.Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments. |
| Patch operating systems | Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release.A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.Operating systems that are no longer supported by vendors are replaced. |
| Multi-factor authentication | Multi-factor authentication is used by an organisation’s users if they authenticate to their organisation’s internet-facing services.Multi-factor authentication is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s sensitive data.Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s non-sensitive data.Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services. |
| Regular backups | Backups of important data, software and configuration settings are performed and retained in a coordinated and resilient manner in accordance with business continuity requirements.Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises.Unprivileged accounts can only access their own backups.Unprivileged accounts are prevented from modifying or deleting backups. |
