Cybersecurity incidents carry with them tremendous potential for financial, operational and reputational damage to organizations. To stay ahead of the fallout, enterprises need strategies to mitigate cybersecurity incidents in order to mount an effective response to security incidents. Of course, the best defensive strategy is one that aims to reduce the likelihood and impact of incidents in the first place.
To try to help organizations build robust defenses, the Australian government recently updated its list of eight essential strategies to mitigate cybersecurity incidents. While the Australian government's list focuses on endpoint-based threats and controls almost exclusively, strategies to mitigate cybersecurity incidents need to be more comprehensive to include network security controls, secure software development practices, security awareness training programs and other elements of a strong cybersecurity program.
Analyzing Australia's top 8 cybersecurity strategies
Let's take a look at the Australian government's suggested strategies and then discuss whether they are holistic enough to truly serve as a reasonable baseline for enterprise security.
Deploy multifactor authentication. Multifactor authentication (MFA) is the gold standard for securing user accounts. Combining traditional password security mechanisms with biometric or device-based authentication dramatically reduces the risk of compromised user accounts. I agree with the Australian government on this count -- if you're not already using MFA, deploying it should be one of your highest priorities.
This article is part of
Restrict administrative privileges. Administrative privileges allow accounts to bypass many restrictive security configuration settings in both applications and OSes. Malware infections or other compromises of administrative accounts have the potential to cause far more damage than those conducted against standard user accounts. Again, no argument from me on this count. Administrative privileges should be carefully limited, and users with administrative rights should have both administrative and normal user accounts. They should only use the administrative account when they explicitly need to use those privileges.
Patch OSes and applications. I'm cheating here and combining two of the essential eight strategies to mitigate cybersecurity incidents into a single piece of advice: You simply must apply security patches in a reasonable time frame. While most organizations understand this from an OS perspective, they often fail to apply the same level of rigor to application patches, which have the potential to be just as risky. Technology leaders should deploy configuration management systems that enable the automatic monitoring and application of security patches across the organization.
Harden user applications. The Australian government advises locking down applications to secure configurations that limit the potential for damage. It specifically calls for blocking the use of many extensions to web browsers, PDF viewers and productivity applications. That's good advice, but it misses the mark on this one by neglecting to mention the importance of hardening the OS as well. Administrators should carefully review OS settings to remove unnecessary services, disable unused local accounts and configure other security-related settings.
Block Microsoft Office macros. Microsoft Office macros enable the execution of potentially untrusted code. I don't argue with the fact that the essential eight strategies to mitigate cybersecurity incidents calls for them to be blocked. My problem is that this is really just a specific example of the previous advice: Harden user applications. If I were rewriting this list, I'd delete this item and add one of the many gaps I'll discuss in a moment.
Whitelist applications. Application whitelisting controls require administrators to preapprove any application used on any device in the organization. While this is a great security control, the reality is that it simply isn't feasible in many organizations. Application whitelisting prevents users from installing software that doesn't appear on a preapproved list. This might be possible in a hospital or bank, but it would never work on a university campus, for example. If you can deploy application whitelisting, that's great. But this point doesn't rise to the level of an essential control, in my opinion.
Perform daily backups. Backups are essential security controls and are effective against a wide variety of threats. Restoring backups can help an organization recover from ransomware, cybervandalism, user error and even natural disasters. Daily backups are a bare minimum standard for data protection. In reality, most organizations cannot afford to lose the data generated during a typical business day and should consider a more frequent backup regimen.
Adding on to cybersecurity strategies
The Australian government's essential eight strategies to mitigate cybersecurity incidents all offer good advice for safeguarding enterprise IT systems. But while each strategy is necessary, they are not sufficient as a group to protect an organization against reasonably foreseeable threats. For example, the list completely overlooks the encryption of mobile computing devices, a strategy that most cybersecurity professionals I know would consider essential to mitigate against the risk of lost or stolen devices.
The essential eight also focus almost exclusively on endpoint-based threats and controls. What organization wouldn't consider encrypted wireless networks, perimeter firewalls, centralized logging or intrusion detection and prevention to be essential components of its cybersecurity strategies?
The bottom line is that this list from the Australian government serves as a good reminder of some strong endpoint security controls, but it fails to make the grade as a list of baseline security controls.