ACSC updates the Essential Eight
The Australian Cyber Security Centre has updated the Essential Eight Maturity Model to ensure it remains fit for purpose for both government and industry.
Key modifications to the model include balancing patching timeframes, increasing adoption of phishing-resistant multifactor authentication, supporting management of cloud services, and performing incident detection and response for internet-facing infrastructure.
The updated model recommends that when vendors assess a discovered vulnerability to be of a critical nature, organisations should patch, update or otherwise mitigate vulnerabilities within 48 hours.
In addition, increased emphasis has been placed on patching applications that routinely interact with untrusted content from the internet, such as web browsers and email clients. Patching timeframes for these applications has been strengthened from within one month to within two weeks for Maturity Level One.
To counterbalance these changes in high-risk scenarios, patching of systems for less important devices such as workstations has been modified from within two weeks to within one month for Maturity Level Two and Three.
Other significant changes revolve around multi-factor authentication. These include a new minimum standard for Maturity Level One for the adoption of stronger forms of MFA, an amendment to the existing requirement for Maturity Levels One to Three, which had previously allowed customers to easily opt out of MFA, and a new requirement for users to authenticate to their workstations using a form of phishing-resistant MFA for Maturity Levels Two and Three.
Other requirements at higher maturity levels include protecting event logs from unauthorised modification and deletion and monitoring them for signs of compromise.
There are also new requirements to implement application control in response to malicious actors increasingly using living off the land techniques, to either disable or uninstall Internet Explorer 11 due to its discontinuation by Microsoft, and to consider the business criticality of data when prioritising backups.
NSW Auditor-General releases cybersecurity insights report
The Cyber security insights 2025 report identifies that while cybersecurity governance in the NSW...
Genetec updates its physical security SaaS platform
Genetec has announced new capabilities for its Security Center SaaS solution including expanded...
ACSC releases advice on implementing SIEM and SOAR platforms
The ACSC says that implementing SIEM or SOAR platforms can greatly benefit organisations by...