Closing the cybersecurity compliance gap

There is always a tension between cybersecurity and usability, and nowhere is this more evident than in government.

A recent audit of nine NSW state government agencies, for example, found significant non-compliance with the NSW Cyber Security policy which relies heavily on the Australian Cyber Security Centre’s (ACSC) Essential Eight strategies to mitigate cybersecurity incidents. The NSW audit concluded that none of the participating agencies had implemented all of the Essential Eight controls to at least level one.

Such conclusions are not very surprising in the context of Australian government. An Australian National Audit Office (ANAO) review earlier this year of nine federal government agencies found that none had fully implemented the Top 4 cyber risk mitigation strategies which form the core of the Essential Eight.

So significant were the weaknesses identified by the NSW Auditor-General, however, that audited agencies requested that detailed findings not be reported to the Parliament of New South Wales, “believing that the audit report would expose their weaknesses to threat actors”.

The NSW Auditor-General firmly pointed the finger at culture as a major contributing factor to “poor levels of cyber security maturity”. They observed that while some elements of the government’s policy required investment in technology, others “simply require leadership and management commitment to improve cyber literacy and culture”.

Overcoming barriers to Essential Eight adoption

ThycoticCentrify believes that cybersecurity solutions must also play their part, particularly in overcoming resistance to change. Solutions must be designed to improve user experience and productivity. Cybersecurity should never just be a cost, but also offer a return on investment.

The beauty of the ACSC’s Essential Eight cyber risk mitigation strategies is that they are simple and prescriptive. Because the Essential Eight is relatively easily audited, departments and agencies can be held accountable and forced to improve their performance.

However, a key barrier to Essential Eight adoption has been the difficulty, perceived or otherwise, in implementing two of its most important strategies: application control and privilege management. These strategies, along with the patching of applications and operating systems, make up the Top 4.

With these and other strategies properly implemented, Essential Eight compliance can significantly improve an organisation’s security posture, minimise the risk and costs associated with a data breach and improve operational efficiencies.

The good news for government organisations is that the implementation of application control and privilege management — and other Essential Eight strategies — can be greatly simplified with a comprehensive privileged access management (PAM) solution.

PAM closes the compliance gap

PAM enables organisations to restrict administrative privileges to operating systems and applications based on user duties, as required by the Essential Eight. In particular, the restriction of administrative privileges applies to admin accounts which adversaries target in order to gain full access to information and systems.

Application control, the number one cyber mitigation strategy in the Essential Eight, is also a type of PAM. The strategy calls for organisations to prevent execution of unapproved/malicious programs including .exe, DLL, scripts such as Windows PowerShell and installers.

Research and advisory firm Gartner refers to this capability as privileged elevation and delegation management (PEDM). This enables intelligent allow, block and grey listing of functions on computer endpoints, and the revocation of local admin rights.

To further reduce risk, The Essential Eight requires organisations to prevent users of privileged accounts from undertaking risky activities such as reading emails and opening attachments, or browsing the web.

Implementing this control is made much easier with a PAM solution that can achieve role-based access control at both the credential and application/task level and requires a combination of PEDM and privileged account and session management (PASM), another type of PAM.

Managing privileged access — through PEDM and PASM — closes the biggest Essential Eight compliance gaps for most government agencies. Organisations greatly reduce the opportunities for malware to run on and gain control of endpoint systems. They also limit the opportunity for compromised systems to be used as stepping stones to more valuable information assets.

Other elements of the Essential Eight also have a PAM component. Scanning solutions used to identify vulnerabilities that need to be patched in applications and operating systems should be integrated with the centralised password vault where privileged credentials are secured. Otherwise organisations face increased operational overhead to update credential access for vulnerability scans, or failure to meet the requirements for privileged access.

A PAM solution also simplifies the implementation of multi-factor authentication (MFA). The Essential Eight requires organisations to implement MFA for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important data repository. A PAM solution funnels authentication to these services through a central point so MFA can be implemented with a single integration, rather than hundreds.

Addressing cultural and productivity issues

Many government agencies have concerns about the potential for lost user productivity associated with Essential Eight adoption. Organisations that have tried to restrict administrative privileges or implement application control without the right solutions have often struggled with user resistance. This is usually because they have tried to force staff to change their behaviour and made it more difficult for them to do their jobs.

That is why solutions must be designed with user experience and productivity in mind. With a PAM solution, for example, users should only have to log in once rather than logging into a large number of privileged accounts. This way, they are also relieved of the burden of managing the passwords for each account.

When implementing application control, which somewhat unfairly has a reputation for “admin rights being ripped away” from end users, the right PEDM solution can also make a huge difference to productivity.

Instead of a blanket approach to withdrawing admin rights, access to systems and applications can be controlled on a case-by-case basis. PAM and/or PEDM solutions should provide the ability to elevate access rights on demand. This allows users to run with admin privileges for short periods of time, subject to additional controls.

So, far from making it more difficult to do their jobs, the reality for most staff is not having to worry about complex password policies, increased convenience accessing applications and cloud-based services, and less cyber stress.

The end result is a win-win-win — compliance with government cybersecurity policies, an improved security posture that enables the organisation to confidently manage the risks associated with new digital services and staff that are more productive and less burdened by having to follow cybersecurity policies.

Image credit: ©stock.adobe.com/au/Sikov