The Australian Cyber Security Centre Essential 8

While no set of mitigation strategies is guaranteed to protect against all cyber threats, the Australian Cyber Security Centre recommends that organisations implement eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.

A large portion of the Essential 8 maturity model is focused on vulnerability management. The Essential 8 defines four maturity levels numbered zero through three:

Maturity Level Zero signifies that there are weaknesses in an organisation’s overall cyber security posture. When exploited, these weaknesses could facilitate the compromise of the confidentiality of their data, or the integrity or availability of their systems and data, as described by the tradecraft and targeting in Maturity Level One below. 

Maturity Level One is focused on adversaries who are content to simply leverage widely available commodity tradecraft to gain access to, and likely control of, systems.

Maturity Level Two is focused on adversaries operating with a modest step-up in capability from the previous maturity level. These adversaries are willing to invest more time in a target and, perhaps more importantly, in the effectiveness of their tools. 

Maturity Level Three is focused on adversaries who are more adaptive and much less reliant on public tools and techniques. 

The Essential 8 model comprises eight mitigation strategies: Application Control, Patch Applications, Configure Microsoft Office Macro Settings, User Application Hardening, Restrict Administrative Privileges, Patch Operating Systems, Multi-factor Authentication, and Regular Backups.


How Nucleus Helps Organisations Achieve the Essential 8

Achieving any level of the Essential 8 requires a strategy that brings together people, skills, processes, and tools. Nucleus provides broad coverage of the requirements in the categories outlined below, including Patch Management, User Application Hardening, and Patch Operating Systems.

Patch Management

Essential 8 Requirement (Level 1-3): Patches, updates, or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.

Nucleus Capability: Nucleus identifies whether an asset is publicly accessible and sets its public-facing attribute, so you can quickly identify externally accessible assets. Nucleus then lists the vulnerabilities associated with those assets and shows which have a patch available and which are known to be exploitable. Remediation tickets can be created from these criteria with a due date of 48 hours from the discovery date if an exploit exists, or two weeks if no exploit exists, to meet this requirement.

Essential 8 Requirement (Level 1-3): Patches, updates, or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release, or within 48 hours if an exploit exists (Level 3).

Nucleus Capability: Nucleus produces a software inventory from your scan data. You can view the software list directly in the UI, and you can also export it in CSV or Microsoft Excel format. The export is useful for building the keyword lists used by the rules that set due dates, since those rules match on keywords specific to your software inventory. Nucleus also lists the vulnerabilities associated with those assets and shows which have a patch available and which are known to be exploitable. Remediation tickets can be created from these criteria with a due date of 48 hours from the discovery date if an exploit exists, or two weeks if no exploit exists, to meet this requirement.

Essential 8 Requirement (Level 2-3): Patches, updates, or vendor mitigations for security vulnerabilities in other applications are applied within one month of release.

Nucleus Capability: Nucleus lists the vulnerabilities associated with those assets and shows which have a patch available and which are known to be exploitable. Remediation tickets can be created from these criteria with a due date of one month.

Essential 8 Requirement (Level 1-3): A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services.

Nucleus Capability: Nucleus integrates with industry-leading vulnerability scanners such as Qualys, Tenable, and Rapid7, and ingests data on a user-defined schedule, including daily scans for internet-facing services. Nucleus also tracks last-seen dates for assets so you can easily audit assets that are out of compliance.

Essential 8 Requirement: A vulnerability scanner is used at least fortnightly (Level 1) or weekly (Level 2-3) to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.

Nucleus Capability: Nucleus integrates with industry-leading vulnerability scanners such as Qualys, Tenable, and Rapid7, and ingests data on a user-defined schedule, including fortnightly or weekly scans for internal assets. Nucleus also tracks last-seen dates for assets so you can easily audit assets that are out of compliance.

Essential 8 Requirement (Level 2-3): A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.

Nucleus Capability: Nucleus integrates with industry-leading vulnerability scanners such as Qualys, Tenable, and Rapid7, and ingests data on a user-defined schedule, including fortnightly or weekly scans for other applications. Nucleus also tracks last-seen dates for assets so you can easily audit assets that are out of compliance.

Essential 8 Requirement: Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed (Level 1-2). Applications that are no longer supported by vendors are removed (Level 3).

Nucleus Capability: When using scanners that support end-of-life (EOL) software visibility, such as Tenable or Qualys, Nucleus can surface those EOL findings and automatically open remediation tickets to prioritise the software for removal.

User Application Hardening

Essential 8 Requirement (Level 3): Internet Explorer 11 is disabled or removed.

Nucleus Capability: Run a Tenable policy compliance scan to find Internet Explorer 11 and its related registry keys, then import the scans into Nucleus to track compliance over time.

Essential 8 Requirement (Level 3): .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.

Nucleus Capability: Run a Tenable policy compliance scan to find .NET Framework 3.5 and its related registry keys, then import the scans into Nucleus to track compliance over time.

Essential 8 Requirement (Level 3): Windows PowerShell 2.0 is disabled or removed.

Nucleus Capability: Run a Tenable policy compliance scan to find PowerShell 2.0 and its related registry keys, then import the scans into Nucleus to track compliance over time.

Patch Operating Systems

Essential 8 Requirement: Patches, updates, or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.

Nucleus Capability: Nucleus identifies whether an asset is publicly accessible and sets its public-facing attribute, so you can quickly identify externally accessible assets. Nucleus then lists the vulnerabilities associated with those assets and shows which have a patch available and which are known to be exploitable. Remediation tickets can be created from these criteria with a due date of 48 hours from the discovery date if an exploit exists, or two weeks if no exploit exists, to meet this requirement.

Essential 8 Requirement: Patches, updates, or vendor mitigations for security vulnerabilities in operating systems of workstations, servers, and network devices are applied within one month of release (Level 1), within two weeks of release (Level 2), or within 48 hours if an exploit exists (Level 3).

Nucleus Capability: Nucleus lists the vulnerabilities associated with those assets and shows which have a patch available and which are known to be exploitable. Remediation tickets can be created from these criteria with a due date of one month, two weeks, or 48 hours to meet the requirements of Levels 1, 2, and 3 respectively.

Essential 8 Requirement (Level 1-3): A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.

Nucleus Capability: Nucleus integrates with industry-leading vulnerability scanners such as Qualys, Tenable, and Rapid7, and ingests data on a user-defined schedule, including daily scans for internet-facing operating systems. Nucleus also tracks last-seen dates for assets so you can easily audit assets that are out of compliance.

Essential 8 Requirement: A vulnerability scanner is used at least fortnightly (Level 1) or weekly (Level 2-3) to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers, and network devices.

Nucleus Capability: Nucleus integrates with industry-leading vulnerability scanners such as Qualys, Tenable, and Rapid7, and ingests data on a user-defined schedule, including fortnightly or weekly scans for operating systems on internal assets. Nucleus also tracks last-seen dates for assets so you can easily audit assets that are out of compliance.

Essential 8 Requirement (Level 1-3): Operating systems that are no longer supported by vendors are replaced.

Nucleus Capability: Nucleus provides a centralised view of assets across your enterprise, giving you visibility into operating systems that are no longer supported by vendors, and automates ticketing for the remediation work of replacing them.

Essential 8 Requirement (Level 3): The latest release or the previous release of operating systems is used for workstations, servers, and network devices.

Nucleus Capability: Nucleus provides a centralised view of assets across your enterprise, giving you visibility into which operating system releases are in use on workstations, servers, and network devices.
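The patching windows and scan cadences in the Patch Management and Patch Operating Systems tables above are a small decision table: public-facing or not, software category, exploit availability, and maturity level together determine the ticket due date and how fresh scan data must be. The following Python is an added example written for this page, not Nucleus code or any product API; it implements that decision table as stated on the page and audits last-seen dates against the required scan cadence. Assumptions made here: "one month" is taken as 30 days, the category strings are invented labels, the Level 3 row for workstation, server and network device operating systems is read as "two weeks, or 48 hours if an exploit exists", and the findings and last-seen dates are constructed sample data.

```python
"""Essential 8 patching windows and scan-cadence audit (added example, not Nucleus code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Timeframes as the page states them; 30 days for "one month" is an assumption.
H48 = timedelta(hours=48)
TWO_WEEKS = timedelta(weeks=2)
ONE_MONTH = timedelta(days=30)

# Constructed category labels. PRIORITY_APPS are the products the page groups
# with the two-week window (office suites, browsers and extensions, email
# clients, PDF software, security products); anything else is "other application".
OS = "operating system"
PRIORITY_APPS = frozenset({"office suite", "web browser", "browser extension",
                           "email client", "pdf software", "security product"})


@dataclass(frozen=True)
class Finding:
    asset: str
    category: str          # OS, a PRIORITY_APPS label, or "other application"
    public_facing: bool    # the public-facing asset attribute described on the page
    exploit_available: bool
    discovered: datetime


def patch_window(f: Finding, level: int) -> Optional[timedelta]:
    """Patching window the page gives for this finding at a maturity level,
    or None where the page states no window for that level."""
    if level not in (1, 2, 3):
        raise ValueError("maturity level must be 1, 2 or 3")
    if f.public_facing:                       # internet-facing services and their OS, Level 1-3
        return H48 if f.exploit_available else TWO_WEEKS
    if f.category == OS:                      # workstations, servers, network devices
        if level == 1:
            return ONE_MONTH
        if level == 2:
            return TWO_WEEKS
        return H48 if f.exploit_available else TWO_WEEKS   # Level 3 (assumed reading)
    if f.category in PRIORITY_APPS:           # two weeks; 48 hours with exploit at Level 3
        return H48 if (level == 3 and f.exploit_available) else TWO_WEEKS
    return ONE_MONTH if level >= 2 else None  # other applications, Level 2-3 only


def due_date(f: Finding, level: int) -> Optional[datetime]:
    """Ticket due date: discovery time plus the applicable window."""
    window = patch_window(f, level)
    return None if window is None else f.discovered + window


def scan_interval(public_facing: bool, category: str, level: int) -> Optional[timedelta]:
    """Maximum allowed age of scan data under the page's cadence requirements."""
    if public_facing:
        return timedelta(days=1)                                   # daily
    if category == OS or category in PRIORITY_APPS:
        return timedelta(weeks=2) if level == 1 else timedelta(weeks=1)
    return timedelta(weeks=2) if level >= 2 else None              # other applications


def stale_assets(assets: List[Tuple[str, bool, str, datetime]],
                 now: datetime, level: int) -> List[str]:
    """Assets whose last-seen date is older than the cadence requires."""
    stale = []
    for name, public_facing, category, last_seen in assets:
        interval = scan_interval(public_facing, category, level)
        if interval is not None and now - last_seen > interval:
            stale.append(name)
    return stale


# Constructed sample data used by the helpers below and by the usage at the end.
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("web-01", OS, True, True, NOW),                     # internet-facing, exploit known
    Finding("ws-17", "web browser", False, True, NOW),          # internal browser, exploit known
    Finding("srv-05", OS, False, False, NOW),                   # internal server OS, no exploit
    Finding("db-02", "other application", False, False, NOW),  # internal, other application
]
SAMPLE_ASSETS = [
    ("web-01", True, OS, NOW - timedelta(days=2)),
    ("ws-17", False, "web browser", NOW - timedelta(days=10)),
    ("srv-05", False, OS, NOW - timedelta(days=3)),
    ("db-02", False, "other application", NOW - timedelta(days=20)),
]


def window_hours(level: int) -> dict:
    """Hours until due per sample asset at the given level (None = no window stated)."""
    out = {}
    for f in SAMPLE_FINDINGS:
        w = patch_window(f, level)
        out[f.asset] = None if w is None else int(w.total_seconds() // 3600)
    return out


def stale_sample(level: int) -> List[str]:
    return stale_assets(SAMPLE_ASSETS, NOW, level)


if __name__ == "__main__":
    for level in (1, 2, 3):
        print(f"Level {level}: due in hours {window_hours(level)}; stale {stale_sample(level)}")
```

Running the block prints, for each maturity level, the hours each sample finding has until its ticket is due and which sample assets have scan data older than the cadence allows; the same decision functions can be pointed at real findings and last-seen dates exported from a scanner or inventory.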

Nucleus has helped industry-leading customers prioritise, assign, and remediate over 3.5 billion vulnerabilities across their varied global organisations. Ready to start your ASD Essential 8 journey? Get in touch.