25 May The State of Play in Cyber Security as we see it. Newsletter May 2020
The Essential 8 framework more important than ever
The recent hack of Toll Holdings, the second time the company has been breached, in which sensitive data was stolen and the network was held to ransom again, has highlighted that application whitelisting, privileged account management and access control are paramount in the COVID-19 world.
Data security, identity and stopping threats are the key themes Securite is working on with our clients at present. At the government and enterprise level there is a focus on tightening cyber security and applying the Essential 8 framework. In April the ASD reported to parliament that deficiencies remain in adherence to the Essential 8 at all levels of government, its agencies and its suppliers.
There are many ways to address the Essential 8: some are relatively simple and others more complex; some can be addressed through policy while others need technical controls.
The most basic and obvious is to patch the applications on the network; you would be surprised how many organisations still have no patching regime at all.
All organisations should look to deploy Privileged Access Management (PAM), application whitelisting and identity management. Once an attacker has a foothold on a network, the first thing they do is look for a way to move laterally ("east/west") in search of valuable data. If they hijack a privileged account they will often have access to the whole network and will be very hard to detect, because they look like a legitimate user. Conversely, a piece of malware that cannot execute on the network poses little threat, and if you do not know who a user on the network is, they may not be authorised to be there.
Application whitelisting is control over what is allowed to execute on your network. Only known files are allowed, identified by publisher signature, hash or path, and everything else is denied by default. If malware or ransomware lands on a machine it is not on the allow list, so it cannot run and cannot do what it was designed to do; it is effectively rendered benign.
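As an added example (not code from the newsletter or from any product it mentions), here is how that allow-list is built with AppLocker, the whitelisting feature built into Windows: inventory the executables already installed, turn them into allow rules, dry-run the policy against a file that has just landed in a Downloads folder, and apply it in audit mode first. It assumes a local administrator session on Windows 10 or Server 2016 or later; the Downloads path is illustrative.

```powershell
# Added example, not code from the newsletter: build an AppLocker allow-list
# from the software already installed under Program Files, dry-run it against a
# downloaded file, and apply it in audit mode first.
# Assumptions: run as a local administrator on Windows 10 / Server 2016 or
# later; the Downloads path is illustrative.

Import-Module AppLocker

# 1. Inventory the executables you already trust. Publisher rules (signed files)
#    survive patching; hash rules cover unsigned files but must be regenerated
#    whenever the file changes.
$trusted = @(Get-AppLockerFileInformation -Directory 'C:\Program Files'       -Recurse -FileType Exe) +
           @(Get-AppLockerFileInformation -Directory 'C:\Program Files (x86)' -Recurse -FileType Exe)

# 2. Turn the inventory into allow rules for Everyone. -Optimize collapses files
#    from the same publisher and product into a single rule.
$policy = New-AppLockerPolicy -FileInformation $trusted -RuleType Publisher, Hash `
            -User Everyone -Optimize -IgnoreMissingFileInformation

# 3. Start in audit mode. Decisions are written to the
#    'Microsoft-Windows-AppLocker/EXE and DLL' event log instead of being
#    enforced, so anything you missed shows up before it breaks a user.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Dry-run the policy against a freshly downloaded file. A file with no
#    matching rule reports PolicyDecision 'DeniedByDefault'.
$sample = 'C:\Users\Public\Downloads\invoice.exe'   # illustrative path
if (Test-Path -Path $sample) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $sample -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 5. Apply locally (-Merge keeps existing rules); roll out through Group Policy
#    for the fleet. Nothing is evaluated unless the Application Identity
#    service is running; it is a protected service, so configure it with sc.exe.
Set-AppLockerPolicy -PolicyObject $policy -Merge
sc.exe config appidsvc start= auto
sc.exe start appidsvc
```

Two things to check before switching the collections from AuditOnly to Enabled: the Windows directory itself must be covered by an allow rule (the console's "default rules" do this), otherwise the operating system's own binaries are blocked along with the malware; and the audit events should be reviewed for legitimate software the inventory missed. Scripts and installers have their own rule collections and need the same treatment.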
With regard to PAM, we see that many organisations do not know how many privileged accounts exist on their network, and that privileged accounts are often managed manually by keeping a spreadsheet of credentials up to date. The obvious flaw is that an attacker who gets hold of the spreadsheet has free access to everything.
Savvy organisations are deploying PAM tools that integrate with directory services and manage the passwords of every privileged and service account. The tool rotates passwords according to policy, and administrators use it to log into privileged accounts without ever learning the password. When an administrator leaves the organisation, they are simply removed from the directory service and lose access to every account at once.
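The first step in any PAM rollout is the inventory the spreadsheet never gets right: who actually holds privilege, which accounts are service accounts, and when their passwords last changed. The script below is an added example (not code from the newsletter or from any PAM product) that pulls that inventory straight from Active Directory. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list is the built-in set and should be extended with your own admin groups, and the 90-day rotation window is illustrative.

```powershell
# Added example, not code from the newsletter: inventory privileged and service
# accounts in Active Directory and flag the passwords a PAM tool would rotate.
# Assumptions: RSAT ActiveDirectory module, read access to the domain, built-in
# group names (extend with your own), 90-day rotation window (illustrative).

Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'
$maxAge = (Get-Date).AddDays(-90)

# 1. Effective membership: -Recursive expands nested groups, which is where
#    hand-kept spreadsheets usually go wrong.
$adminNames = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}

# 2. Service accounts: any user object carrying a servicePrincipalName. These
#    are the accounts nobody rotates by hand and the ones an attacker moving
#    east/west goes after first.
$serviceNames = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' |
    Select-Object -ExpandProperty SamAccountName

# 3. One row per account. @() guards against a single result being a scalar.
$allNames = @($adminNames) + @($serviceNames) | Sort-Object -Unique
$report = foreach ($name in $allNames) {
    $u = Get-ADUser -Identity $name -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName
    [pscustomobject]@{
        Account          = $u.SamAccountName
        Enabled          = $u.Enabled
        IsServiceAccount = ($u.ServicePrincipalName.Count -gt 0)
        PasswordLastSet  = $u.PasswordLastSet
        NeverExpires     = $u.PasswordNeverExpires
        # Never set, set never to expire, or older than the window: all three
        # mean the credential is static and worth stealing.
        NeedsRotation    = (-not $u.PasswordLastSet) -or $u.PasswordNeverExpires -or ($u.PasswordLastSet -lt $maxAge)
    }
}

$report | Sort-Object PasswordLastSet | Format-Table -AutoSize

$privCount    = @($adminNames | Sort-Object -Unique).Count
$serviceCount = @($serviceNames).Count
$rotateCount  = @($report | Where-Object NeedsRotation).Count
"Privileged users: $privCount; service accounts: $serviceCount; needing rotation: $rotateCount"
```

Run it once before choosing a PAM tool and again after onboarding; the "needing rotation" count should fall to zero for every account the tool vaults, and any account that reappears in the privileged groups without going through the tool is a finding in itself.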
Access control and endpoint solutions are more important than ever with people working from home in the COVID-19 environment. Application whitelisting that allows only trusted files to execute is a highly effective way to prevent malware on those endpoints.
Similarly, it is important to ensure that only trusted users are allowed onto the network. A strong identity management and authentication process ensures that only the people you intend can get onto the network, and that they can access only the resources they need to do their job. This touches on User and Entity Behaviour Analytics (UEBA): these solutions baseline each user's normal behaviour and flag any action that falls outside the norm.
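To make the baseline-and-flag idea concrete, here is an added example (not code from the newsletter or from any UEBA product) that reduces it to its core: learn, for each user, which computers they sign in from and at what hours, then score new sign-ins against that history. A real deployment feeds this from logon events (for example Security log event ID 4624) or the identity provider's sign-in log and uses far richer features; every record below is constructed for the example.

```powershell
# Added example, not code from the newsletter: the baseline-then-flag logic at
# the core of a UEBA product, run over constructed sign-in records. A real
# deployment feeds this from logon events (e.g. Security log event ID 4624) or
# the identity provider's sign-in log; every record below is made up.

function New-SignIn([string]$User, [string]$Computer, [string]$When) {
    [pscustomobject]@{
        User     = $User
        Computer = $Computer
        Time     = [datetime]::ParseExact($When, 'yyyy-MM-dd HH:mm', $null)
    }
}

# Two weeks of history used to learn what "normal" looks like (constructed).
$history = @(
    New-SignIn 'jsmith' 'WS-FIN-01' '2020-05-04 08:52'
    New-SignIn 'jsmith' 'WS-FIN-01' '2020-05-05 09:10'
    New-SignIn 'jsmith' 'WS-FIN-01' '2020-05-06 08:47'
    New-SignIn 'jsmith' 'FIN-SHARE' '2020-05-06 14:30'
    New-SignIn 'jsmith' 'WS-FIN-01' '2020-05-07 17:55'
    New-SignIn 'jsmith' 'WS-FIN-01' '2020-05-11 08:58'
    New-SignIn 'apatel' 'WS-HR-04'  '2020-05-04 07:40'
    New-SignIn 'apatel' 'WS-HR-04'  '2020-05-08 16:20'
)

# Today's activity to be scored (constructed).
$today = @(
    New-SignIn 'jsmith'     'WS-FIN-01' '2020-05-18 09:02'   # normal
    New-SignIn 'jsmith'     'WS-FIN-01' '2020-05-18 02:13'   # unusual hour
    New-SignIn 'jsmith'     'DC01'      '2020-05-18 10:20'   # never seen on a DC
    New-SignIn 'apatel'     'WS-HR-04'  '2020-05-18 08:05'   # normal
    New-SignIn 'svc-backup' 'WS-FIN-01' '2020-05-18 11:00'   # no history at all
)

# Baseline per user: the set of computers seen and the list of sign-in hours.
function New-UserBaseline([object[]]$Records) {
    $baseline = @{}
    foreach ($r in $Records) {
        if (-not $baseline.ContainsKey($r.User)) {
            $baseline[$r.User] = @{ Computers = @{}; Hours = @() }
        }
        $baseline[$r.User].Computers[$r.Computer] = $true
        $baseline[$r.User].Hours += $r.Time.Hour
    }
    $baseline
}

# Score new records: unknown account, first sign-in from a computer, or an hour
# outside the observed range (with $Slack hours of tolerance) is flagged.
function Find-Anomalies($Baseline, [object[]]$Records, [int]$Slack = 1) {
    foreach ($r in $Records) {
        $reasons = @()
        if (-not $Baseline.ContainsKey($r.User)) {
            $reasons += 'no baseline for this account'
        } else {
            $b = $Baseline[$r.User]
            if (-not $b.Computers.ContainsKey($r.Computer)) {
                $reasons += "first sign-in from $($r.Computer)"
            }
            $hours = $b.Hours | Measure-Object -Minimum -Maximum
            if ($r.Time.Hour -lt ($hours.Minimum - $Slack) -or $r.Time.Hour -gt ($hours.Maximum + $Slack)) {
                $reasons += "hour $($r.Time.Hour) outside usual $($hours.Minimum)-$($hours.Maximum)"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Time = $r.Time; User = $r.User; Computer = $r.Computer; Why = $reasons -join '; ' }
        }
    }
}

$baseline = New-UserBaseline $history
Find-Anomalies $baseline $today | Format-Table -AutoSize
```

With the constructed data, the 02:13 sign-in, the sign-in to DC01 and the svc-backup account are reported and the two routine sign-ins are not. The point of the exercise is that the rules are learned from the user's own history rather than written by hand, which is what lets a UEBA product notice a hijacked privileged account that otherwise looks like a legitimate user.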
A great way to validate your security posture is penetration testing, but traditionally it is costly and time consuming. Tools have recently been developed for automated penetration testing. These reduce the dependence on a single human tester, who is only as good as his or her skill set, and allow continuous testing of the environment rather than a point-in-time result that is usually delivered weeks after the tests took place, because the tester needs time to write up a report that is out of date before it reaches the CIO/CISO.
Australian organisations need to implement the Essential 8 recommendations as a baseline; I don't know of a single organisation that can say it has implemented all of them.
Contact Scott Thomas and Jack Drewe at Securite based in North Sydney for a no obligation discussion of the best of breed cyber security solutions for your risk profile and budget on 02 9957 6666 or firstname.lastname@example.org.