I recently proposed a security talk for the Technology Association of Grantmakers (TAG) annual meeting (IRL!). When I asked Karen Graham of TechImpact if she wanted to co-present with me, she brought up a security framework that TechImpact likes to use, called the “Essential Eight.” Karen said they like the framework because it can be adapted to the capabilities of each nonprofit.
I had not heard of the “Essential Eight” but promised to check it out. So, here you go, and you can thank Karen for shining a light on this framework.
The “Essential Eight”
The “Essential Eight” comes from the Australian Cyber Security Centre (ACSC). I have fond memories of working with folks in Australia (and New Zealand), so I am already inclined to like the framework.
The ACSC lists eight mitigation strategies (the “Essential Eight”).
- Application control
- Vulnerability testing and system patching
- Microsoft Office macro security
- Hardening Microsoft 365 and extant versions of Office
- Restricting administrative privileges
- Keeping Windows on a release that still receives security updates
- Keeping Windows Server on a release that still receives security updates
- Implementing multi-factor authentication
These “Essential Eight” mitigation strategies do not break new ground. And at the outset, the ACSC acknowledges that the list is intended for Windows environments. Even so, this is a valuable list to work from. We have discussed each of these strategies, but they bear repeating.
- Keep your devices patched and up to date. And for heaven’s sake, keep the device’s Operating System on a release that still receives security updates from the vendor.
- If your organization does not normally use macros, disable them!
- Test your network regularly.
- MFA! MFA! MFA!
- Watch who has administrative privileges (including consultants and partners) and remove the privileges when they are no longer needed.
Allow me to explore a few of these “Essential Eight” strategies in a bit more detail.
Look to Control Applications
Application Control, one of the “Essential Eight,” is a new wrinkle to consider. Most IT managers are reluctant to “lock down” applications to only what is authorized. This makes sense: do you really know what people are or are not using to do their work?
And yet, we can start at a more basic level. Group your users into those that have a need for scripting tools and those that do not. The latter will be the largest group.
For these (non-script) users, you can
- Block files from executing if they are in user profile directories, such as %AppData% and %LocalAppData%.
- Associate script file types such as .js and .ps1 with Notepad. Users who click on these file types will open Notepad, rather than launch an executable.
- Disable access to scripting utilities such as Windows Host Script and PowerShell.
Harden Your Versions of Office
Hardening your version of Microsoft Office, another of the “Essential Eight” strategies might seem puzzling. Office is secure. It just offers many tools that can cause havoc if used by an attacker.
Let me start with the obvious: keep your version of Microsoft Office on a release that still receives security updates. The simple way to do this? Use Office 365/Microsoft 365 to download and use the current version of Office. Yes, there might be reasons why this approach is not practical in your environment. But I do not think, “keep the interface in line with what people are used to” is a valid reason. Why would you not want to use a more improved version of Office?
This “Essential Eight” strategy focuses on reducing the ability of Office applications to launch cyber attacks. Microsoft offers several group policies that can reduce the Office attack surface. (Read more here). You can block Office applications from creating executable content. And you can block Office apps from creating child processes.
If you are not using Windows Defender Antivirus to run these blocks, check if your antivirus application can create similar blocks.
Watch Those Administrative Privileges
We have talked about this “Essential Eight” strategy before. As this article from KnowBe4 highlights, IT professionals are the most heavily targeted people in an organization. And 47% have admitted they fell for a phishing attack. (The speculation is that these folks think they are more security-savvy than they really are.)
Here is a simple way to describe the problem.
- IT person assigns Global Admin (aka Superuser) administrative privileges to her user account.
- Later, IT person receives a phishing email, clicks on the link, and confirms her credentials… handing them to the hacker.
- Hacker (or whoever bought the credentials) uses the account to gain administrative access to the organization’s systems.
What is the way to prevent this attack?
Start with MFA
Start with MFA. As with other attempted account takeovers, MFA (what you have/what you know) will often stop these attempted account takeovers in their tracks.
Next, reduce the scope of administrative privileges that IT folks have. Not everyone needs to be a Global Admin. Some folks just need to handle billing or assigning licenses to new users.
Account Segregation How-To
Even with MFA and reduced admin roles in place, we recommend these steps.
- Set up an account that you will only use for administration. Assign it with Global Admin privileges.
- Remove any administrative privileges from your user account.
- Forward emails received by the admin account to your regular user account. We normally advise against auto-forwarding rules, but since email is being forwarded from one organizational account to another, the risk is low. This forwarding will keep you informed about administrative actions you are being asked to take. But reviewing the messages in your regular account will keep you from responding to a phishing message from an account with elevated privileges.
- Now, when you want to take some administrative action, you can log in using your administrative account and do your work. If your user account gets compromised, the hackers have not gained any administrative privileges.
Use the “Essential Eight” to Strengthen Your Cyber Defenses
There are great advances being made in creating tools that will combat cyber attacks. Of course, there are also great advances being made to foil these tools and take advantage of weaknesses in software to launch attacks.
These “Essential Eight” strategies bring us back to a fundamental truth. If the device cannot launch a program, it cannot launch an attack. Be thoughtful about who in your organization needs to use macros, Visual Basic scripts, and the like to do their job. Now consider all the other folks that get by just fine without such executables.
Let the math work for you. Reduce the number of devices that can launch executables and you reduce the number of places where an attack could originate.
Side Note: I will be taking a break for the next couple of weeks. Expect to hear from me mid-June!