ACSC updates the Essential Eight

The Australian Cyber Security Centre has updated the Essential Eight Maturity Model to ensure it remains fit for purpose for both government and industry.

Key modifications to the model include balancing patching timeframes, increasing adoption of phishing-resistant multifactor authentication, supporting management of cloud services, and performing incident detection and response for internet-facing infrastructure.

The updated model recommends that when vendors assess a discovered vulnerability to be of a critical nature, organisations should patch, update or otherwise mitigate vulnerabilities within 48 hours.

In addition, increased emphasis has been placed on patching applications that routinely interact with untrusted content from the internet, such as web browsers and email clients. Patching timeframes for these applications has been strengthened from within one month to within two weeks for Maturity Level One.

To counterbalance these changes in high-risk scenarios, patching of systems for less important devices such as workstations has been modified from within two weeks to within one month for Maturity Level Two and Three.

Other significant changes revolve around multi-factor authentication. These include a new minimum standard for Maturity Level One for the adoption of stronger forms of MFA, an amendment to the existing requirement for Maturity Levels One to Three, which had previously allowed customers to easily opt out of MFA, and a new requirement for users to authenticate to their workstations using a form of phishing-resistant MFA for Maturity Levels Two and Three.

Other requirements at higher maturity levels include protecting event logs from unauthorised modification and deletion and monitoring them for signs of compromise.

There are also new requirements to implement application control in response to malicious actors increasingly using living off the land techniques, to either disable or uninstall Internet Explorer 11 due to its discontinuation by Microsoft, and to consider the business criticality of data when prioritising backups.

Image credit: iStock.com/Andreus