Caute_cautim
Community Champion

The Australian Essential Eight is it enough?

Hi All

 

Those of us who live in this part of the Southern Hemisphere have to abide by the Australian Essential Eight security controls, which are provided by the Australian Government as part of its Information Security Manual as a means of improving maturity and putting in place controls to protect organisations.

 

There is an interesting piece today about the Essential Eight, which I thought I would circulate and let you read it for yourselves.

 

https://cybertheory.io/essential-eight-is-this-really-an-answer/

 

The main question the article is asking is: is the Essential Eight really the answer?  What are your thoughts?

 

Regards

 

Caute_Cautim

6 Replies
Steve-Wilme
Advocate II

It's somewhat in the flavour of the NCSC's 10 Steps to Cyber Security and Cyber Essentials

https://www.ncsc.gov.uk/collection/10-steps

https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-IT-infrastructure-2-2.pdf

 

It's probably a starting point for organisations that have no security programme or have lost their way, but there is danger in imagining these frameworks are an end state.  It can encourage a once-and-done mentality and a failure to focus on improvements and learning from incidents.  It's where the NIST Cyber Security Framework has advantages, but overall it's a maturity thing.


-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Taylor45
Viewer

For almost all federal departments and agencies: the federal government is set to mandate the Essential Eight cyber security controls for all 98 non-corporate Commonwealth entities, four years after they were first developed by the Australian Signals Directorate.


SWALTERS
Newcomer III


@Caute_cautim wrote:

 

The main question the article is asking is: is the Essential Eight really the answer?  What are your thoughts?

 


It is part of the answer.  It is a baseline to start with.  And a lot of good can come from properly implementing those 8 controls, as combined they do close off many attack classes.

 

But any company implementing them as a compliance-only measure has a problem right there - they're not approaching security proactively.

 

And yet, we have to start the stalwarts on their security journey somewhere.

 

The problem with questions about "is it enough?" is it implies there can ever be enough.  It also implies that security maturities and risk attitudes are universal amongst all organisations - which is never the case.

 

So we're forced to set a minimum baseline for all, and then expect individual organisations to assess their own levels of risk after that.

dcontesti
Community Champion

MHOO

 

I think these eight are a good start but probably not sufficient.  As the author states, these are the common-sense approaches to security.  I agree with Steve that this may leave an artificial feeling of comfort.

 

When I read the list, I am not sure all of them are actually doable in a large organization due to reporting structures.

 

So my sense is that they are not sufficient, and I would make reference to other lists (SANS, NIST, etc.).

 

d


Caute_cautim
Community Champion

@Steve-Wilme   I have to agree with Steve's point: it does in fact provide a false sense of security.  Even though it is mandated for federal central government, it is often used by other regional government agencies as a baseline.  The intriguing issue that many face is just how to do characterisation and application whitelisting to an agreed baseline, especially with change management controls and the overheads.  In the words and experience of delivery personnel, it is a royal pain in the proverbial and they just hate it with a vengeance.   They see it as a barrier to getting the job done on a timely basis, causing restrictions to the way they want to work, which always causes an overhead.

 

Has anyone actually attempted to put in place NIST SP 800-167 and won the battle smartly and consistently?

 

Regards

 

Caute_Cautim

SWALTERS
Newcomer III


@Caute_cautim wrote:

@Steve-Wilme   I have to agree with Steve's point: it does in fact provide a false sense of security.  Even though it is mandated for federal central government, it is often used by other regional government agencies as a baseline.  The intriguing issue that many face is just how to do characterisation and application whitelisting to an agreed baseline, especially with change management controls and the overheads.  In the words and experience of delivery personnel, it is a royal pain in the proverbial and they just hate it with a vengeance.   They see it as a barrier to getting the job done on a timely basis, causing restrictions to the way they want to work, which always causes an overhead.

That's a mindset problem - one that can be overcome with good application whitelisting toolset choices, good application whitelisting design, and some staff training.

 

If the staff believe the security of application whitelisting is a hindrance:

  • They're either correct, and there needs to be a more sensible whitelisting design; or
  • They're incorrect, and they need some encouragement / attitude adjustment.

 

With whitelisting, I usually find ways to encourage all levels of the organisation, on why persisting with it, even becoming a champion of it, will ultimately benefit them. I usually get them to come around in the end.
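The design point argued over in the last two posts (Caute_cautim's question about putting NIST SP 800-167 into practice, and the reply that a "hindrance" usually means a badly designed allowlist) is easier to see in code. What follows is an added example written for this page; it is not code from any poster, from NIST or from the ASD. It models the three attribute types SP 800-167 describes (file path, publisher/signature, cryptographic hash) in a default-deny evaluator, then runs two constructed policies over constructed launch events: a "loose" policy that quiets complaints by allowing the directory an ops tool happens to run from, and a "tight" policy that denies user-writable locations and trusts a publisher plus a pinned hash instead. All paths, file contents, publisher names and rules are invented for the illustration.

```python
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class ExecEvent:
    """One attempted program launch (constructed for the example)."""
    path: str                        # location the file was executed from
    content: bytes                   # file bytes, hashed for hash rules
    publisher: Optional[str] = None  # verified signer name, None if unsigned


@dataclass
class Rule:
    kind: str              # "path", "publisher" or "hash" (SP 800-167 attribute types)
    value: str             # glob for path, signer name, or sha256 hex digest
    action: str = "allow"  # "allow" or "deny"; deny rules are evaluated first


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _matches(rule: Rule, ev: ExecEvent) -> bool:
    if rule.kind == "path":
        # Case-insensitive glob; note '*' also crosses directory separators,
        # which is exactly why broad path rules over-match.
        return fnmatchcase(ev.path.lower(), rule.value.lower())
    if rule.kind == "publisher":
        return ev.publisher is not None and ev.publisher == rule.value
    if rule.kind == "hash":
        return sha256(ev.content) == rule.value
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(rules: List[Rule], ev: ExecEvent) -> Tuple[str, str]:
    """Default-deny evaluator: any matching deny rule wins, then the first
    matching allow rule; no match at all means the launch is blocked."""
    for r in rules:
        if r.action == "deny" and _matches(r, ev):
            return "deny", f"{r.kind}:{r.value}"
    for r in rules:
        if r.action == "allow" and _matches(r, ev):
            return "allow", f"{r.kind}:{r.value}"
    return "deny", "default"


# Constructed sample "binaries" and launches (not real files).
VENDOR_TOOL_V1 = b"MZ...example-vendor-tool-v1"
VENDOR_TOOL_V2 = b"MZ...example-vendor-tool-v2"   # a later signed release
DROPPER = b"MZ...unsigned-dropper"
VENDOR = "Example Vendor Pty Ltd"                 # hypothetical signer

EVENTS = {
    "vendor_tool_in_temp": ExecEvent(r"C:\Users\alice\AppData\Local\Temp\tool.exe", VENDOR_TOOL_V1, VENDOR),
    "dropper_in_temp": ExecEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe", DROPPER, None),
    "vendor_tool_v2_in_programfiles": ExecEvent(r"C:\Program Files\Vendor\tool.exe", VENDOR_TOOL_V2, VENDOR),
    "unsigned_in_programfiles": ExecEvent(r"C:\Program Files\Vendor\helper.exe", DROPPER, None),
}

# Policy A: the quick fix that stops the complaints. The ops tool ran from
# %TEMP%, so the whole directory was allowed. Anything dropped there now runs.
LOOSE_POLICY = [
    Rule("path", r"C:\Windows\*"),
    Rule("path", r"C:\Program Files\*"),
    Rule("path", r"C:\Users\*\AppData\Local\Temp\*"),
]

# Policy B: user-writable profile paths are denied outright; the vendor's
# signed releases are trusted by publisher (so updates need no rule change),
# and a one-off unsigned build is pinned by hash.
TIGHT_POLICY = [
    Rule("path", r"C:\Users\*\AppData\*", action="deny"),
    Rule("path", r"C:\Windows\*"),
    Rule("publisher", VENDOR),
    Rule("hash", sha256(VENDOR_TOOL_V1)),
]


def compare(events=EVENTS):
    """Return {event_name: (loose_decision, tight_decision)} for both policies."""
    return {
        name: (evaluate(LOOSE_POLICY, ev)[0], evaluate(TIGHT_POLICY, ev)[0])
        for name, ev in events.items()
    }


if __name__ == "__main__":
    for name, (loose, tight) in compare().items():
        print(f"{name:32s} loose={loose:5s} tight={tight}")
```

Under the loose policy every event is allowed, including the unsigned dropper in the temp directory, so the control is doing nothing useful while still generating change tickets. Under the tight policy the vendor tool is refused from the temp directory (it has to be installed properly once), the dropper is refused wherever it lands, and the vendor's next signed release runs without anyone touching the policy, which is where the change-management overhead that delivery teams complain about actually goes away.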