SECURITY FEATURE

Protecting Your Security Business from Cybersecurity Risk
By Tony Vizza, Director of Cyber Security Advocacy, Asia-Pacific, (ISC)²
Operational risks associated with cyber security have now taken centre stage for organisations across the globe. Magnified by the frenetic pace of digitisation, as organisations large and small shifted their operations to predominantly work-from-home arrangements due to COVID-19, organisations have had to rapidly activate, implement and extend IT-based services simply to survive. This immediate change has resulted in organisations forgoing the standard levels of due diligence and risk assessment they would ordinarily employ, resulting in a huge increase in the number of cyber breaches, which have wreaked additional havoc at a time when organisations are desperately trying to stay afloat in grim social and economic circumstances.

The United States Federal Bureau of Investigation (FBI) has recorded a 400% increase in cybercrime since the beginning of the COVID-19 pandemic. Here in Australia, the Federal Government's Australian Cyber Security Centre (ACSC) is releasing regular updates regarding the elevated cyber security threat environment being caused by COVID-19. This new landscape has amplified an already heightened threat environment, with the (ISC)² Cyberthreat Defence Report for 2020 indicating that 81% of organisations globally suffered some sort of cyber breach in the previous year, a record high.

Whilst these are challenging times for all organisations, there are ways to help protect organisations from cyber security breaches. For Australian organisations, the definitive resource to achieve this is the Australian Signals Directorate (ASD) Essential Eight. The Essential Eight comprises the mitigation strategies deemed critical to provide a minimum baseline of cyber security readiness appropriate to organisations large and small. The Essential Eight is a subset of the comprehensive Strategies to Mitigate Cyber Security Incidents, which the Australian Government is aiming to have organisations achieve.

The strategies seek to prevent malware delivery and execution, limit the extent of cyber security incidents, and recover data and systems availability. In this article, we consider the Essential Eight strategies and how to apply them in a security business context.

28 SECURITY INSIDER | SEPTEMBER 2020
MITIGATION STRATEGIES TO PREVENT MALWARE DELIVERY AND EXECUTION

The old saying "prevention is better than cure" is very applicable to cybersecurity issues, and the Essential Eight includes four strategies that aim to ensure that cyber incidents don't occur in the first instance. These strategies are:

1. Application Control. This seeks to prevent the running of unauthorised or unapproved applications, which may be malicious in nature. This includes application installers, files such as DLLs, and scripts. A good starting point is to restrict any installation of applications unless approved by a qualified system. Another prudent approach is to ensure that your organisation uninstalls any applications it doesn't need or use.

2. Patch Applications. Patches are released by application developers to address newly discovered vulnerabilities in those applications. Applications that should be patched regularly include, but are not limited to, web browsers, productivity applications such as those in the Microsoft Office suite (Word, Excel and PowerPoint), Java, Flash and programs such as Adobe Acrobat. While many applications include automated patching, these mechanisms can fail, so patching should be verified.

3. Configure Microsoft Office Macro Settings. Microsoft Office macros can be useful, but they can also be used to deliver and execute malicious code on workstations. The best approach is to block all macros from the internet and only allow digitally signed macros that have been tested and reside in a trusted location.

4. User Application Hardening. This refers to the practice of disabling options within programs that could be exploited to deliver and execute malicious code on a system. In practice, this means configuring web browsers to block Flash, ads and Java from executing, and disabling unneeded features in applications such as Microsoft Office, browsers, PDF viewers and other applications that your organisation uses. In doing so, your organisation reduces the attack surface a miscreant can use to gain access.
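The macro settings described in item 3 can be verified on a Windows workstation rather than assumed. The PowerShell audit script below is an added example, not code from the article or from the ACSC; it assumes Office 2016/2019/Microsoft 365 (registry version "16.0") with settings deployed by Group Policy under HKCU\Software\Policies, and the "user-writable trusted location" test is a heuristic of my own.

```powershell
# Added audit script: checks the Office macro settings the Essential Eight calls for.
# Assumes Office registry version 16.0 and Group Policy deployment under
# HKCU\Software\Policies. Run in the context of the user being audited.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroPolicy {
    param([string]$App)
    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $sec  = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    # Each trusted location is a subkey (Location0, Location1, ...) with a Path value
    $trusted = Get-ChildItem -Path "$base\Trusted Locations" -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).Path }
    [pscustomobject]@{
        App               = $App
        # VBAWarnings: 1 enable all, 2 disable with notification, 3 disable except signed, 4 disable all
        VBAWarnings       = $sec.VBAWarnings
        # 1 = "Block macros from running in Office files from the Internet"
        BlockFromInternet = $sec.blockcontentexecutionfrominternet
        TrustedLocations  = @($trusted)
    }
}

function Test-MacroPolicy {
    param($Policy)
    $findings = @()
    if ($Policy.BlockFromInternet -ne 1) {
        $findings += 'macros from the internet are not blocked'
    }
    if ($Policy.VBAWarnings -notin 3, 4) {
        $findings += 'unsigned macros are not disabled (VBAWarnings should be 3 or 4)'
    }
    foreach ($loc in $Policy.TrustedLocations) {
        # Heuristic: a trusted location a standard user can write to undermines the signing requirement
        if ($loc -like "$env:USERPROFILE*" -or $loc -like '*\Temp\*') {
            $findings += "trusted location '$loc' appears to be user-writable"
        }
    }
    $findings
}

foreach ($app in $Apps) {
    $findings = @(Test-MacroPolicy -Policy (Get-MacroPolicy -App $app))
    if ($findings.Count -eq 0) {
        Write-Output "$app : macro policy meets the Essential Eight baseline"
    } else {
        $findings | ForEach-Object { Write-Output "$app : $_" }
    }
}
```

Where settings are instead applied per user without Group Policy, change the base path to HKCU:\Software\Microsoft\Office and re-run; an absent value is reported as a finding because Office then falls back to its less restrictive default.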