Essential Eight guideline

Document type: Guideline
Version: Final v2.0.0
Status: Current, Non-mandated
Owner: Queensland Government Cyber Security Unit
Effective: November 2024–current
Security classification: OFFICIAL-Public
Category: Cyber security

Introduction

This guideline provides information and advice for Queensland Government agencies to consider when assessing their implementation of Information security policy (IS18) policy requirement 3, which covers the implementation of the Australian Signals Directorate (ASD) Essential Eight strategies. This document is not a mandatory component of IS18; it should be used to ensure that a better-practice industry approach is considered when assessing implementation against the Essential Eight Maturity Model.

Because the ASD Essential Eight maturity model allows little flexibility, the Queensland Government has adopted a control-effectiveness-based risk approach when applying the Essential Eight strategies.

Guidance overview

Purpose

The purpose of this guideline is to:

  • provide clarity on maturity level targets, control selection and application.
  • facilitate an accurate assessment of the effectiveness of the Essential Eight controls across agencies, to inform the cyber security resilience level summary for the Queensland Government's executive leadership group.
  • enable consistent whole-of-government IS18 reporting on Essential Eight components.
  • enable the Queensland Government Cyber Security Unit to track departments' progress in reducing their cyber security vulnerability level.

Audience

This document is primarily intended for:

  • Information security management system (ISMS) managers who oversee the Essential Eight assessments for the IS18 annual returns.
  • agencies that engage security assessors to evaluate the Essential Eight implementation and complete the annual reporting template.

Scope of this guideline

This guideline applies to the Essential Eight security controls as defined by ASD and as adopted by the Queensland Government for Information security policy (IS18).

Maturity level targets

To assist organisations with their implementation of Essential Eight, four maturity levels have been defined (maturity level zero through to maturity level three). Except for maturity level zero, the maturity levels are based on mitigating increasing levels of adversary tradecraft (i.e. tools, tactics, techniques and procedures) and targeting. The strategies guidance addresses targeted cyber intrusions (i.e. those executed by advanced persistent threats such as foreign intelligence services), ransomware and external adversaries with destructive intent, malicious insiders, ‘business email compromise’, and industrial control systems.

Maturity level zero

This maturity level signifies that there are weaknesses in an organisation's overall cyber security posture. When exploited, these weaknesses could facilitate the compromise of the confidentiality of their data, or the integrity or availability of their systems and data, as described by the tradecraft and targeting in Maturity Level One below.

Maturity level one

The focus of this maturity level is adversaries who are content to simply leverage commodity tradecraft that is widely available to gain access to, and likely control of, systems. For example, adversaries opportunistically use a publicly available exploit for a security vulnerability in an internet-facing service that has not been patched, or authenticate to an internet-facing service using credentials that were stolen, reused, brute forced or guessed.

Generally, maturity level one adversaries are looking for any victim rather than a specific victim and will opportunistically seek common weaknesses in many targets rather than investing heavily in gaining access to a specific target. Adversaries will employ common social engineering techniques to trick users into weakening the security of a system and launching malicious applications, for example, via Microsoft Office macros. If the account that an adversary compromises has special privileges, they will seek to exploit it. Depending on their intent, adversaries may also destroy data (including backups).

Maturity level two

The focus of this maturity level is adversaries operating with a modest step-up in capability from the previous maturity level. These adversaries are willing to invest more time in a target and, perhaps more importantly, in the effectiveness of their tools and techniques. For example, these adversaries will likely employ well-known tradecraft to better attempt to bypass security controls implemented by a target and evade detection. This includes actively targeting credentials using phishing and employing technical and social engineering techniques to circumvent weak multi-factor authentication.

Generally, adversaries are likely to be more selective in their targeting but still somewhat conservative in the time, money and effort they may invest in a target. Adversaries will likely invest time to ensure their phishing is effective and employ common social engineering techniques to trick users into weakening the security of a system and launching malicious applications, for example, via Microsoft Office macros. If the account that an adversary compromises has special privileges, they will seek to exploit it; otherwise, they will seek accounts with special privileges. Depending on their intent, adversaries may also destroy all data (including backups) accessible to an account with special privileges.

Maturity level three

The focus of this maturity level is adversaries who are more adaptive and much less reliant on public tools and techniques. These adversaries are able to exploit the opportunities provided by weaknesses in their target's cyber security posture, such as the existence of older software or inadequate logging and monitoring. Adversaries do this not only to extend their access once initial access has been gained to a target, but to evade detection and solidify their presence. Adversaries make swift use of exploits when they become publicly available, as well as other tradecraft that can improve their chance of success.

Generally, adversaries may be more focused on particular targets and, more importantly, are willing and able to invest some effort into circumventing the idiosyncrasies and particular policy and technical security controls implemented by their targets. For example, this includes social engineering a user to not only open a malicious document but also to unknowingly assist in bypassing security controls. This can also include circumventing stronger multi-factor authentication by stealing authentication token values to impersonate a user. Once a foothold is gained on a system, adversaries will seek to gain privileged credentials or password hashes, pivot to other parts of a network, and cover their tracks. Depending on their intent, adversaries may also destroy all data (including backups).

Depending on an adversary's overall capability, they may exhibit different levels of tradecraft for different operations against different targets. For example, an adversary capable of advanced tradecraft may use it against one target while using basic tradecraft against another. As such, organisations should consider what level of tradecraft and targeting, rather than which adversaries, they are aiming to mitigate.

Organisations need to consider that the likelihood of being targeted is influenced by their desirability to adversaries. It is also influenced by the impact of a cyber security incident on the confidentiality, integrity and availability of their data and the systems on which it is stored (see the Queensland Government information security classification framework (QGISCF) for further information). This, in combination with the descriptions for each maturity level, can be used to help determine a target maturity level to implement.

Finally, maturity level three will not stop adversaries that are willing and able to invest enough time, money and effort to compromise a target. As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Information Security Manual, as well as any additional relevant frameworks.

Maturity level selection

The Queensland Government does not mandate any specific maturity level requirements for entities within the public sector. An agency should select maturity targets following a risk assessment of the environment or system being protected.

When conducting a risk assessment to determine the appropriate maturity level selection, agencies should consider the following:

  • classification of the information assets being protected.
  • criticality of the confidentiality, availability or integrity of those assets.
  • threat actors likely to target such assets.
  • cost and complexity of control implementation.

The outcome of this assessment should allow the selection of maturity level(s) to be applied to each system or environment being protected, noting that multiple environments or systems within an agency may have varying levels of protection required.

Example: While Maturity Level One has been assessed as appropriate for most of an agency's cloud environment, one database has been classified as Sensitive, resulting in a requirement for Maturity Level Two. The higher level of security controls is implemented specifically for the database's security only, where practical, to reduce inefficiencies.

When implementing Essential Eight requirements, organisations should identify and plan for a target maturity level suitable for their environment and risk appetite. Organisations should then progressively implement each maturity level until that target is achieved.

Organisations with a target maturity level above maturity level one may choose to implement individual requirements of a higher maturity level if it is more efficient and cost-effective to do so.

Example: When selecting multi-factor authentication methods to meet Maturity Level One requirements, an agency that is considering targeting Maturity Level Two in the future is recommended to implement phishing-resistant methods.

See the Australian Signals Directorate’s Assessment Process Guide for further guidance.

Control compliance

Implementation guidance

Implementation guidance of the Essential Eight maturity model is given by the Australian Signals Directorate via the Essential Eight Maturity Model publication which is a suite of related publications including guidance on the below:

Implementation activities should be conducted by qualified personnel, and regular assurance or assessment activities should be conducted to confirm that control implementation remains at full strength and relevant to the most up-to-date version of the maturity model.

The use of a secure development lifecycle approach should be considered for controls that impact the operating environment. Control implementation should, where possible, be conducted in a test environment prior to being released into a production environment to ensure the intended result is attained from control implementation.

Risk versus compliance

The ASD's Essential Eight maturity model requires complete control compliance for an organisation to be considered to have attained the targeted maturity level. However, the Queensland Government encourages agencies to take a risk-based approach to control implementation and to the selection and adoption of strategy maturity level targets.

Agencies are encouraged to evaluate the prescribed controls against the risks identified to the agency and their systems, implementing controls in a manner commensurate with their risk mitigation effectiveness and the agency's risk appetite.

Where there are coverage gaps between current state and target maturity, risk assessments can be conducted allowing the organisation to formally accept the risk of not implementing the controls. If this approach is taken, the controls should be documented as “Not applicable”, with evidence of processes provided during assessments against the framework.

Where assessors identify controls that have been risk accepted using the above process but without adequate evidence of a risk assessment, the mitigation strategy would be considered “Not implemented” and therefore would affect the overall maturity level of the organisation. It is also recommended that the assessor flag the risk acceptance in the assessment report, including noting the recommended re-assessment date of the accepted risk.

Example: “It was observed that 95% of applications receive patches, updates or vendor mitigations within 48 hours when vulnerabilities are assessed as critical by vendors or when working exploits exist. A risk assessment was conducted and the 5% gap was accepted by the Chief Information Security Officer. It is recommended that this risk be re-assessed within the next audit cycle to ensure it remains within the appetite of the organisation.”

Compensating (alternate) controls

Where controls within the Essential Eight strategies are deemed to be inappropriate for a system or unable to be implemented (or possibly not applicable), compensating (or alternate) controls may be applied. Compensating controls should be assessed and approved by an experienced Essential Eight assessor. Where there is uncertainty about the validity of compensating controls, the agency should document a formal risk decision detailing its approach.

For a compensating control to be considered effective it should mitigate risks based on the intent of the initial control. If the specific control intent is not being met, the control is considered a mitigating control, and not a compensating control.

Mitigating controls

While mitigating controls do not provide compliance against the Essential Eight framework, they do offer a level of protection against cyber threats. It is the responsibility of the agency to determine acceptable risk in line with the agency’s documented risk appetite and the gaps left by mitigating controls.

To assist in determining the effectiveness of alternate or mitigating controls, the intent of each Essential Eight strategy has been provided in Appendix A below.

Some examples of compensating controls and mitigating controls have been provided in Appendices B and C below.

Assessment guidance

As part of the IS18 annual return reporting requirements, many Queensland Government entities are required to assess their Essential Eight maturity level. This section has been developed to provide some guidance around the process.

Assessment scope and effort

The agency and the assessors should consider the extent of the agency's Essential Eight deployment maturity when scoping and estimating the assessment cost and effort.

For example, where an organisation's Essential Eight control maturity is low, it is not economical to plan detailed assessments of controls that are evidently lacking or absent.

As another example, where an organisation has its assets recorded in a configuration management tool, the assessment effort planning should use that tool's existing reporting capabilities.

An assessment plan should be provided ahead of the assessment being conducted. The ASD has developed assessment plan templates for maturity level one, maturity level two and maturity level three.

Selecting an assessor

Agencies can use the assessment panel under a standing offer arrangement (SOA), ICTSS.2105A (Provision of ISMS and 27001 Services). This panel includes an array of industry partners with Essential Eight assessment experience. It is recommended that agencies vary assessors annually to gain a more measured appreciation of Essential Eight maturity.

Assessment outcomes

Agencies should require that assessors use the ASD's standardised assessment outcomes:

  • Effective: The organisation is effectively meeting the control's objective.
  • Ineffective: The organisation is not adequately meeting the control's objective.
  • Alternate control: The organisation is effectively meeting the control's objective through an alternate control.
  • Not assessed: The control has not yet been assessed.
  • Not applicable: The control does not apply to the system or environment.
  • No visibility: The assessor was unable to obtain adequate visibility of a control's implementation.

In determining compensating control effectiveness, the assessor should ensure that the protection provided by any compensating controls is at a level equivalent to those recommended under the Essential Eight. This ensures that an equivalent level of overall protection against a specific level of adversary targeting and tradecraft can be achieved and maintained.

Assurance level

The independent assessor should agree with the agency on the degree of evidence the agency will provide. However, the assessor is expected to make a reasonable attempt to sight the security configuration tools and system management software directly, resulting in an Excellent or Good level of evidence (see the definitions of suitable evidence below).

Excellent evidence

Testing a control with a simulated activity designed to confirm it is in place and effective (e.g. attempting to run an application to check application control rulesets).

Good evidence

Review the configuration of a system through the system's interface to determine whether it should enforce an expected policy (e.g. a guided tour of the configuration interface).

Fair evidence

Review a copy of a system's configuration (e.g. using reports or screenshots) to determine whether it should enforce an expected policy.

Poor evidence

A policy or verbal statement of intent (e.g. sighting mention of controls within documentation).

Forensic-level audits carry a higher cost while providing a much higher level of assurance against the Essential Eight strategies. A thorough review of system configuration will be less expensive and less time consuming, but exposes the organisation to the risk that incorrectly assigned configurations leave gaps in security control implementation.

Assessment report

The assessor should write a short Essential Eight assessment report to accompany the Essential Eight reporting spreadsheet. This report should cover:

  • the timeframe of when the controls were assessed
  • a declaration of any potential conflict of interest between the consulting or auditing company and the assessed agency over the prior 2 years
  • the identities of the assessors and their qualifications
  • the assurance level provided based on the extent to which the assessor relied on evidence collated by agency staff.

The ASD has provided a template for Essential Eight Assessment Reports which covers in greater detail the specific requirements of a comprehensive report.

The agency should report any control gaps identified in the Essential Eight assessment report to the relevant agency ISMS governance committee.

For further queries and advice on Essential Eight assessment or implementation contact cybersecurityunit@cyber.qld.gov.au.

Appendices

Appendix A: Intent of the controls

Each heading below names an Essential Eight strategy, followed by the intent of its controls.

Application control

To prevent the execution of unauthorised software on a system. This is accomplished by creating a list of approved software applications that are allowed to run on the system and blocking the execution of all other software.

Patch applications

To address known vulnerabilities in software and improve the security posture of the system by fixing bugs and other issues that could be leveraged for malicious purposes. Patching ensures that the system is running the latest version of the software with the latest security features and enhancements. In addition, the intent of the strategy is not only to determine whether applications are patched with the latest updates, but that they are patched in a consistent manner to effectively mitigate vulnerabilities and exposures.

Patch operating systems

To address known vulnerabilities in the operating system and to improve the security posture of the system. This is accomplished by applying updates, patches, or fixes to the operating system to address known security vulnerabilities that could be exploited.

Patching operating systems is a proactive measure to prevent potential security breaches, by addressing vulnerabilities that could be exploited by attackers. It improves the overall security of the system by addressing bugs and other issues that could be leveraged for malicious purposes. Additionally, it ensures that the systems are running the latest version of the operating system with the latest security features and enhancements.

Restrict Microsoft Office macros

To prevent the execution of malicious macros embedded in Office documents. Macros are small programs that automate repetitive tasks in Office applications such as Word, Excel, and PowerPoint. However, malicious actors often use macros to spread malware or steal sensitive information.

By appropriately configuring macro settings, an organisation can reduce the risk of macro-based attacks by disabling or limiting the execution of macros in Office documents. This helps prevent the execution of malicious macros that could potentially harm the system or steal sensitive information. Additionally, it ensures that only authorised and vetted macros are run on a system.

User application hardening

To reduce the attack surface of applications. User application hardening is accomplished by implementing specific security configurations and settings that reduce the attack surface of the application, limit the permissions and capabilities of the application, and protect against known vulnerabilities.

Restrict administrative privileges

To manage the access and actions that users can perform on a system or network. This is accomplished by providing users with the minimum level of access and privileges necessary to perform their job duties, while preventing them from performing actions that could expose the system. By limiting the access and actions that users can perform on a system or network, accidental or malicious changes to system configurations, unauthorised access to sensitive information, and other malicious activities can be mitigated.

Multi-factor authentication (MFA)

To provide additional security to the authentication process. This is accomplished by requiring users to provide multiple different forms of evidence to prove their identity before access is granted to a system.

MFA is a proactive measure to prevent potential security breaches by making it more difficult for unauthorised individuals to gain access to a system.

MFA applies cyber security principles such as defence in depth: if one authentication factor is compromised, an additional factor remains that the adversary must also compromise before gaining access.

Regular backups

To ensure that important data can be recovered in the event of a disaster, system failure or cyber security incident. By regularly creating copies of important data and storing them in a safe and secure location, it ensures that the data can be recovered in the event of loss, minimising the impact on the organisation. Additionally, it ensures that the organisation can continue its operations and meet its obligations even in the case of a disaster.

Appendix B: Examples of compensating (alternate) controls

Note that for all compensating controls, a rigorous assessment and approval process should be conducted by an experienced Essential Eight assessor to ensure their suitability and effectiveness. Document the justification for the use of compensating controls and how they are equivalent to or better than the original control, and maintain close monitoring until the actual control can be applied. It is important to note that while controls from the Essential Eight framework can act as mitigating controls, they cannot be considered compensating controls in isolation.

Each example below lists the primary control, the alternate/compensating control, and notes on its use.

Primary control: Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.

Compensating control: Use sophisticated advanced threat protection (ATP) and endpoint detection and response (EDR) tools that employ behavioural-based analysis, reputational databases and machine learning to detect and prevent the execution of known and unknown malicious software in real time. These solutions should be configured to automatically block, or alert administrators to, any unauthorised actions or software based on threat intelligence and anomalous behaviour patterns.

Notes: ATP and EDR tools can serve as an effective alternate control by continuously monitoring endpoints for suspicious activities and, using advanced analytics and threat intelligence, can identify threats that would otherwise be prevented by strict application control lists. This control relies on maintaining up-to-date threat intelligence and using a well-configured toolset to detect and control the execution of unauthorised software.

Primary control: Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.

Compensating control: Employ host-based intrusion prevention systems (IPS) or web application firewalls (WAFs) that automatically apply virtual patches to protect against known vulnerabilities without having to update the vulnerable software itself.

Notes: This compensating control uses technology to create a layer of security that mimics the patch's effect by preventing the exploitation of the known vulnerability until the actual patch can be tested and applied.

Primary control: An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.

Compensating control: Implement a rigorous manual asset management program where IT personnel perform scheduled asset audits every two weeks. This inventory would be cross-checked against network access logs and other records to ensure no asset is missed and would feed into the vulnerability management process.

Notes: This compensating measure requires a disciplined approach and additional staff resources but can effectively substitute for an automated asset discovery process if such automation is not feasible. Note that it has a high personnel resourcing requirement.

Primary control: Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.

Compensating control: Implement targeted application control policies that block macros in documents originating from the internet and only allow macros to run from trusted and vetted locations, such as a secure enterprise network file share.

Use Office software's built-in sandboxing features, such as Protected View or Application Guard for Office, which allow users to open documents in a restricted environment where macros cannot execute.

Notes: This approach relies on the use of security and operational controls to limit the risk of malicious macro execution while still allowing certain macros to run within a controlled and secure framework. Macro execution is restricted to documents from identified and trusted sources, reducing the vast majority of the risk associated with internet-derived macro threats.
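As an added example (not part of this guideline or any ASD tool), the following read-only PowerShell check lets an assessor sight the Office macro policy settings behind this compensating control, which is the "Good evidence" level described above. It assumes Office 2016 or later (the 16.0 policy hive) and that the settings are delivered by Group Policy; the "meets control intent" judgement is this script's own criterion, not an ASD rule.

```powershell
# Added example, not part of the Queensland Government guideline or an ASD tool.
# Read-only audit of the Office 16.0 (Office 2016 and later) user macro policy
# settings that implement the compensating control above: block macros in files
# from the internet and allow macros only from vetted Trusted Locations.
# The registry locations are the standard Office Group Policy paths.

$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-MacroPolicy {
    param([Parameter(Mandatory)][string]$App)

    $security = Join-Path $PolicyRoot "$App\Security"
    $trusted  = Join-Path $security 'Trusted Locations'

    # blockcontentexecutionfrominternet = 1: macros in Mark-of-the-Web files are blocked.
    # VBAWarnings: 2 = disable with notification, 3 = disable except digitally
    # signed, 4 = disable all without notification (Trusted Locations still run).
    $blockInternet = (Get-ItemProperty -Path $security -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    $vbaWarnings   = (Get-ItemProperty -Path $security -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $allowNetwork  = (Get-ItemProperty -Path $trusted  -Name AllowNetworkLocations -ErrorAction SilentlyContinue).AllowNetworkLocations

    # Policy-defined Trusted Locations are Location<N> subkeys, each holding a Path.
    $locations = @()
    if (Test-Path $trusted) {
        $locations = @(Get-ChildItem -Path $trusted |
            ForEach-Object { (Get-ItemProperty -Path $_.PSPath).Path } |
            Where-Object { $_ })
    }

    [pscustomobject]@{
        Application          = $App
        BlocksInternetMacros = ($blockInternet -eq 1)
        VBAWarnings          = $vbaWarnings
        AllowsNetworkTrusted = ($allowNetwork -eq 1)
        TrustedLocations     = $locations
        # Assessor's judgement (this script's own criterion, not an ASD rule):
        # internet-origin macros are blocked and unsigned macros cannot run
        # outside Trusted Locations. The listed locations still need vetting.
        MeetsControlIntent   = ($blockInternet -eq 1) -and ($vbaWarnings -in 3, 4)
    }
}

'Word', 'Excel', 'PowerPoint' | ForEach-Object { Get-MacroPolicy -App $_ } | Format-List
```

Run it in the context of a standard user on a sample workstation; a machine with no policy keys reports every field as empty or false, which is itself evidence that the control is not enforced centrally.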

Primary control: Web browsers do not process web advertisements from the internet.

Compensating control: Employ ad-blocking browser extensions that are configured to filter out known malicious advertisement networks.

Implement URL filtering at the network level or via secure web gateways to block traffic from domains that are known distributors of malicious ads or that have a low reputation score according to security intelligence feeds.

Notes: This alternative measure addresses the security concerns associated with web-based advertisements by allowing the browser to process only those ads that pass through security filters. The filtered ads would be from networks that adhere to security best practices and are free from malicious content.

Primary control: Privileged users use separate privileged and unprivileged operating environments.

Compensating control: Utilise highly secured, dedicated systems (Privileged Access Workstations) exclusively for performing privileged tasks. These workstations would be locked down and not used for internet browsing, accessing email, or other standard user activities. They should have strict security configurations and access controls to ensure only privileged tasks can be performed on them.

Notes: The concept of a PAW is similar to the idea of having completely separate operating environments but is specifically tailor-made for security-sensitive operations. This way, privileged users still have two different 'environments' for their work: their regular workstation for day-to-day tasks and the secured PAW for privileged activities. The PAWs must have strict access controls and hardened security configurations, including the inability to perform unprivileged tasks or access unsecured networks. This control assumes rigorous security practices are employed and maintained continuously for the PAWs.

Primary control: Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.

Compensating control: Employ an adaptive, risk-based authentication (RBA) system that applies different levels of user verification based on the assessed risk of the transaction. RBA may consider user behaviour, geolocation, device recognition, and other contextually relevant factors.

Notes: Risk-based authentication is an intelligent system that strengthens security measures when circumstances deem it necessary, although it might not always apply the same level of security verification as consistent MFA.

Primary control: Unprivileged accounts are prevented from modifying and deleting backups.

Compensating control: Implement a backup monitoring solution that provides real-time alerts on any access, modification, or deletion attempts on backup data.

Use advanced anomaly detection algorithms that trigger additional authentication challenges or automatic temporary lockdowns when modification or deletion activities are initiated outside normal patterns.

Notes: This alternate control assumes a proactive approach to backup protection. By monitoring backup integrity in real time and deploying anomaly detection, any unauthorised access patterns can be identified and responded to before any actual harm is done to the backup data.

Appendix C: Examples of mitigating controls

When applying mitigating controls, agencies should assess the residual risk associated with the identified control gap and determine whether it falls within their acceptable risk tolerance levels as defined by their ISMS. There may be more than one mitigating control applied to each control gap.

Each example below lists the primary control, the mitigating control, and notes on its use.

Primary control: Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.

Mitigating control: Implement strict user account controls that restrict standard users from executing any software installations or running executable files without administrative privileges.

Use group policy objects (GPOs) to define policies that limit the types of applications that non-privileged users can execute. For example, set policies to block commonly abused executables while allowing necessary business applications.

Notes: By restricting user permissions, the likelihood of successful execution of unauthorised software can be reduced. Additionally, GPOs can be used to further enforce execution policies for software, scripts, and installers. These controls are not as robust as a full application control regime, as they are more dependent on user compliance and can potentially be circumvented, but they offer additional layers of defence against unauthorised application execution.

Primary control: Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.

Mitigating control: Increase the frequency of system monitoring for indications of compromise or suspicious activity, coupled with a robust incident response plan ready to act on any detected threat. Incorporate threat intelligence feeds for real-time alerts on exploits targeting the unpatched software in question.

Notes: While this approach does not prevent the exploitation of vulnerabilities as effectively as the immediate application of patches, it strengthens the organisation's capability to detect and respond to resulting security incidents promptly.

Primary control: An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.

Mitigating control: Implement regular but less frequent manual asset checks combined with network segmentation to minimise the potential impact of undiscovered or unscanned assets. Network segmentation can control traffic flow between network segments, limiting the spread of potential exploitation from unscanned, possibly vulnerable assets.

Notes: It's important to note that while this control mitigates some of the risks associated with delayed or incomplete asset discovery, it doesn't fully compensate for not having an automated, comprehensive, fortnightly asset discovery process.

Primary control: Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.

Mitigating control: Enable macros on a case-by-case basis, under strict controls, with rigorous auditing and logging of macro usage. Ensure that documents which include macros are scanned by the latest anti-malware software with heuristics and that execution logs are monitored regularly for suspicious activity.

Notes: Such mitigating controls do not outright prevent the possibility of macro-based threats but can significantly reduce the risk by reinforcing user accountability and leveraging antivirus scanning and logging to catch potential threats.

Primary control: Web browsers do not process web advertisements from the internet.

Mitigating control: Utilise antivirus and anti-malware solutions with real-time web scanning capabilities to detect and block malicious content within web advertisements as they are loaded in the browser. These solutions should be kept up to date to ensure the latest threats are recognised.

Notes: This mitigating measure helps protect against the risk of infection from web-based threats embedded in advertisements by actively scanning web content as it’s accessed by users. It may not prevent the display of all potentially harmful advertisements, but it offers a layer of protection by aiming to intercept malicious payloads before they cause harm.

Primary control: Privileged users use separate privileged and unprivileged operating environments.

Mitigating control: Implement software solutions that dynamically elevate user privileges for specific tasks or applications without requiring the user to log into a fully privileged environment. These solutions often include:

  • Just-in-time privilege elevation: Grant privileges only when needed and for a limited time.
  • Application allowlisting: Allow privileged operations only through certain approved and secure applications.
  • Session monitoring and recording: Record all privileged sessions for real-time monitoring and audit trails.

Notes: Privilege management software can provide a layer of control and oversight over privileged activities conducted on an otherwise less-secured user environment, giving a mitigation effect without the full separation of environments. While this doesn't completely isolate privileged tasks from the less secure environment, it does help mitigate risks by controlling, monitoring, and auditing the use of privileged operations.

Primary control: Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.

Mitigating control: Implement a strong single-factor authentication control that includes the following measures:

  • Strong password policies: Require complex passwords that include a mix of letters, numbers, and special characters, along with regular forced password expiration and reuse limitations.
  • Account lockout mechanisms: Set up the system to lock accounts after a specified number of failed login attempts to prevent brute-force attacks.
  • User behaviour analysis: Monitor login attempts and usage patterns to detect and respond to unusual activity that may indicate a security threat.
  • Security questions: Use additional personalised security questions for user verification during particular high-risk transactions or after a suspicious activity trigger.

Notes: While these measures do not replace MFA, they enhance the security of single-factor authentication and aim to provide additional layers of protection to mitigate the risk of unauthorised access to online services that handle sensitive customer data.

Primary control: Unprivileged accounts are prevented from modifying and deleting backups.

Mitigating control: Deploy network security solutions that perform real-time traffic analysis, including heuristic and behavioural analysis, to identify and block potentially malicious content in web traffic, including advertisements. Use Endpoint Detection and Response (EDR) tools that can detect and respond to suspicious activities and patterns on user workstations that may be indicative of ad-delivered malware.

Notes: While this control allows web browsers to process advertisements, it actively monitors for irregularities or known threat patterns that could suggest a threat, aiming to intercept and manage any risk before it materialises into a security incident.

It's essential to recognise that mitigating controls such as intensive monitoring are not as strong as preventive controls like outright blocking, but they still contribute to the organisation's cybersecurity posture by adding a layer of active defence. These strategies should be backed by strong incident response plans to handle potential security breaches quickly should they occur. Regular assessments should ensure that the implemented monitoring solutions are effective and up to date with evolving cyber threats.
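The account lockout and user behaviour analysis measures listed for the single-factor authentication row above (the one mitigating "Multi-factor authentication is used to authenticate customers to online customer services"), as an added Python example that is not part of the guideline: a correct password from an unfamiliar network is routed to the security-question step instead of granting access, and repeated failures lock the account for a fixed period. The lockout threshold and duration, the known-network baseline and the attempt log format are assumptions.

```python
"""Added example (not from the guideline): the account-lockout and behaviour-analysis
measures listed for the single-factor authentication row, run over constructed login
attempts. Thresholds, the known-network baseline and the log format are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
LOCKOUT_THRESHOLD = 5                     # failed attempts before lockout
LOCKOUT_DURATION = timedelta(minutes=15)  # how long the account stays locked
# Assumed baseline of source networks each customer normally logs in from.
KNOWN_NETWORKS = {"alice": ("203.0.113.",), "bob": ("198.51.100.",)}

# Constructed login attempts: timestamp, user, source IP, password outcome.
ATTEMPTS = """\
2024-11-04T09:00:00 alice 203.0.113.7 ok
2024-11-04T09:05:00 bob 198.51.100.9 fail
2024-11-04T09:05:10 bob 198.51.100.9 fail
2024-11-04T09:05:20 bob 198.51.100.9 fail
2024-11-04T09:05:30 bob 198.51.100.9 fail
2024-11-04T09:05:40 bob 198.51.100.9 fail
2024-11-04T09:06:00 bob 198.51.100.9 ok
2024-11-04T10:00:00 alice 192.0.2.44 ok
"""

class Authenticator:
    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def decide(self, ts, user, ip, password_ok):
        """Return 'locked', 'deny', 'step-up' or 'allow' for one attempt."""
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "locked"  # attempt refused while the lockout is active
        if not password_ok:
            self.failures[user] += 1
            if self.failures[user] >= LOCKOUT_THRESHOLD:
                self.locked_until[user] = ts + LOCKOUT_DURATION
                self.failures[user] = 0
                return "locked"
            return "deny"
        self.failures[user] = 0
        # Behaviour analysis: correct password from an unfamiliar network -> security question
        if not any(ip.startswith(p) for p in KNOWN_NETWORKS.get(user, ())):
            return "step-up"
        return "allow"

def run(log):
    """Apply decide() to each attempt line in order and return the outcomes."""
    auth = Authenticator()
    return [auth.decide(datetime.fromisoformat(ts), user, ip, outcome == "ok")
            for ts, user, ip, outcome in (line.split() for line in log.splitlines())]
```

Note that a correct password presented while the lockout is active is still refused, which is what stops a brute-force run from succeeding on its next guess.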