Saturday, January 20, 2024

The Four Critical Flaws Of The Australian "Essential Eight Maturity Mode" & How They Can Be Fixed

 


When we think of Cybersecurity, we often think of the United States and other nation threat actors, such as those of China, Russia, North Korea, etc.  We often don’t think about the other players such as those in the European Union (EU), the African continent, or even the Pacific Rim nations.  So it is in with regards to the latter that that this blog is about.

Starting in 2020, Australia made some serious headway into improving its overall lines of defenses, by investing well over $1 Billion into its Cybersecurity posture.  This was officially called the “Cybersecurity Strategy 2020”.   But despite this huge effort, more security breaches have occurred in the Land Down Under than had been anticipated.

For example, in its Cyber Threat Report 2022-2023, there were 58 incidents that were classified as an “Extensive Compromise”, and also there were well over 190 other incidents that were also classified as “Isolated Compromises”.  This report can be seen at the link below:

https://www.darkreading.com/cybersecurity-operations/missing-cybersecurity-mark-with-essential-eight

In response to these alarming stats, the Australian Government updated one of its newer frameworks, which is called the “Essential Eight Maturity Model”.  More information about this can also be seen at the link below:

https://www.infosecassure.com.au/post/essential-eight-changes-july-2021

While it has been claimed that this framework provides excellent guidance on such areas as patching, backups, and application control, it is severely lacking in other areas, especially those of SaaS based applications, and Identity and Access Management.  Another sharp criticism of it has been in the area of the Cloud.  It does not specifically address how to best protect security issues in this regard, but rather, it only focuses on those risks that are posed to an On Prem Infrastructure. 

In fact, there is only area of this entire framework that really addresses of how to better protect online accounts.  So what can be done to improve this very important framework?  Here are some key areas that need to be addressed:

1)     Configuration Management:

When one thinks of this, the image of changes in builds to software applications often come to mind.  But Configuration Management goes far beyond this.  It should address everything that happens within the infrastructure of a business, all the way from the servers to physical access entry scenarios.  Anything and everything that is related as it relates to the IT and Network Infrastructure and any changes to them that are going to happen has to be addressed here, at this level.

2)     Identity and Access Management:

This was just examined earlier in this blog.  With a lot of businesses now going to the Cloud, establishing the appropriate levels of permissions for the appropriate job titles is now a must.  But it has to go beyond this.  The framework also has to take into account what is known as “Role Based Access Control”, or “RBAC” for short.  This is where the rights, permissions, and privileges are also assigned based upon the roles that they do in their particular job.

3)     Third Party Applications:

Given the explosion of the IoT and everything digital, third-party mobile apps and just apps in general are becoming extremely popular.  While it is important to give your employees access to what they need to make them productive, you also have to make sure that your business does not succumb to the risks of what is called “Shadow IT”.  This is where your employees download unauthorized apps to onto their work devices for the sake of ease of use, familiarity, and comfort. 

4)     The Right Controls:

Pretty much all employees, whether hybrid, On Prem, or remote now access shared resources onto the Cloud.  Therefore, the right controls need to be put into place to make sure that these critical assets are protected the best that they can be.  Also, regular audits need to be conducted on these controls in order to make sure that they are still optimal.  If not, they will have to be replaced and/or upgraded.

My Thoughts On This:

Even here in the United States, we have many government and even private sector-based entities that have come out with these kinds of frameworks.  The most notable ones are from the NIST and CISA.  But in order to keep these frameworks updated to the best degree possible, it will literally “Take A Village” to make it all happen.  In other words, feedback and input has to be provided at all levels, and the upgraded frameworks have to be tested on a regular basis.

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...