Earlier this month, we noted more and more jurisdictions are releasing mandates that will have a substantial impact on companies regarding breach notification and the protection of sensitive data.
One of those cybersecurity mandates was recently put into action “down under.” On February 13, the Australian Parliament Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016.
This mandate will put pressure on Australian businesses to provide information on sensitive data breaches. The new rules require Commonwealth government agencies, private-sector organizations, and any businesses that are regulated by the Privacy Act to get in line within 12 months. Failure to do so puts businesses at risk of civil penalties, public reputational harm, and other negative financial consequences.
The new bill will help bring attention to cybersecurity solutions as well as focus on the practices that protect data and business systems throughout Australia. Companies will need to account for their security systems and take steps to ensure they have the right technologies and plans in place to prove protection.
Companies have help with this task thanks to the Australian Signals Directorate (ASD), an Australian government Department of Defense intelligence agency responsible for signals intelligence (SIGINT) and information security (INFOSEC).
This agency produces a security guidance risk-planning baseline called the “Strategies to Mitigate Cyber Security Incidents.” It’s a prioritized list of practical actions organizations can put into place to help shore up their information-security postures.
Aligned with the updated security mandate is the latest version of the mitigation strategies, called the “Essential Eight.” After a business has performed its due diligence to identify which core assets require attention, the type of adversaries it faces, and what level of protection is needed, the business will have a baseline cybersecurity posture. This baseline will ostensibly make it much more difficult for an adversary to compromise the system. Additionally, businesses will have a good handle on how to measure the security controls that play an important part in ensuring proper protection.
The “Essential Eight” fall into the following categories across two distinct functional areas:
The first four are focused on stopping malware from running:
- Application Whitelisting – Control which programs can run on your systems, and stop the rest.
- Patch Applications Regularly – Stop attacks from exploiting known vulnerabilities.
- Disable Untrusted Microsoft Office Macros – A common channel for malware.
- Harden User Applications – Block Web browser access to Adobe Flash player (uninstall if possible), Web advertisements, and untrusted Java code on the Internet.
The second four limit the extent of incidents and help recover data:
- Restrict Administrative Privileges – Limit privileges to only those who need them.
- Patch Operating Systems – Avoid known security vulnerabilities that can be exploited, or move to threat mitigation by introducing a compensating control to protect unsupported systems.
- Back Up Important Data on a Daily Basis – And ensure it meets the specifications of data retention policies.
- Apply Multi-Factor Authentication – Add a second factor beyond a simple password across all systems.
On a recent tour of the region, I had the privilege of meeting with one of the lead directors of the ASD, when the “Essential Eight” was in final edit. I had the chance to discuss the security controls and was impressed to hear the ASD’s plans for supporting businesses with the new mandates via the mitigation strategies.
The ASD is actively engaging with businesses in the case of an incident and offering support before, during, and after the mandatory notification that would be triggered under the breach notification laws.
This is a great example of supporting and standing behind the mitigation strategies and is also a good way to promote adoption to ensure businesses are moving toward better security postures. It also ensures businesses are fully transparent in the case of an incident.
I was also encouraged to find common ground between the mitigation recommendations put forth by the ASD and the way Carbon Black approaches security posture through our focus on event stream processing, ranking risks throughout the attack cycle, as well as proof of data integrity and policy enforcement.
Carbon Black has promoted the idea of implementing a good security mitigation baseline as the first step to moving toward better security protection and also advocates the necessity for most organizations to have the option to implement these baselines quickly, while collecting valuable intelligence from the get-go.
Just as the ASD aims to ensure that its strategies are customizable and accessible for organizations, Carbon Black places importance on providing attack mitigation that businesses can stand up quickly and easily, while deriving effective threat metrics that can help get to the root of solving the threat problem.
After careful review of the new “Essential Eight,” it is apparent the ASD has taken implementation and audit fatigue into account when designing the mitigations. This is the last item that many baselines and frameworks fail to address.
A mitigation strategy is only as strong as how completely it’s implemented. Many other jurisdictions should take a page from the ASD on how to encourage businesses to take the first steps to creating an environment fostering better security. The new strategy ensures that businesses will be able to take advantage of the suggested security parameters quickly and start down the road of better risk and threat mitigation.
Carbon Black is looking forward to delving further into the mitigation strategies and working with the ASD to promote better security posture and reduced threat risk at the ACSC event in Canberra on March 14-16. If you are planning on attending that security event, come and see us and find out more!