Published on the 08/02/2017 | Written by Anthony Caruana
The much maligned spy agency's latest advisory has widespread implications…
Security industry speakers across the country have been left shaking in their suede designer loafers as the Australian Signals Directorate (ASD) has updated its security guidance, moving from a Top Four to an Essential Eight. And the major upshot? Not necessarily what you might think.
Security expert Roger Lowell, for one, has been left reeling.
“I’ve been using the same slide deck for the last three years at conferences. This change is a major issue. I can’t even go back a slide on PowerPoint if I advance too far. But now I have to create some entirely new slides.”
With a number of local security events on the horizon, including the ACSC, AusCERT and AISA conferences, security experts are scrambling to find graphic designers who can make eight dot points fit onto a slide that usually only lists four items.
“Our graphic designer is really struggling,” said Lowell. “He’s just started the school year and he’s forgotten how he created the original deck when he was in Year 9. And the teacher that helped him with Photoshop has been transferred to another school following some sort of incident.”
Making matters even worse for professional security presenters, the title of the ADS’s document has been changed from “Mitigate Targeted Cyber Intrusions” to Strategies to Mitigate Cyber Security Incidents” necessitating more changes to slide decks across the country.
The new Essential Eight replaces the ASD’s Top Four guidelines for managing information security risks.
The old guidelines focussed on application whitelisting, patching applications, patching operating systems, and, restricting administrative privileges.
The new list adds disabling untrusted Office macros, hardening user applications, backing up important data daily, and implementing multi-factor authentication.
This change reflects the changing nature of cyber threats. ASD says the expanded list moves things from the prevention of malware executing to limiting the impact after an infection occurs.
The Essential Eight does provide businesses some useful guidance. But we expect most well organised IT and security teams to already be doing everything in the Essential Eight. From that perspective, the Essential Eight is not going to push most businesses into massive changes in their security posture or planning; the changes are incremental for anyone who has been monitoring the threat environment and adjusting their defences.
The full set of Strategies to mitigate cyber security incidents updated guidelines is here.