An intelligence organisation within the Department of Defence, the Australian Signals Directorate (ASD) also offers cyber security guidance to government organisations, but that guidance has been widely referenced by the private sector too.
It’s very comprehensive, offering more than 30 strategies, but it helps organisations prioritise those strategies by classifying what it calls “essentials”. Previously, there were four, but in its latest update, Strategies to Mitigate Cyber Security Incidents, there’s now an ‘Essential Eight’.
However, clearly, the original Top 4 are the things to take care of first.
1. Application whitelisting
The idea behind whitelisting is that it stops all but approved applications from running. Since malware hasn't been approved, it can't run – providing you've implemented whitelisting properly.
A number of tutorials for using Windows' built-in whitelisting capability can be found on the web, for example How to create an Application Whitelist Policy in Windows. Care is necessary to make sure you don't whitelist more applications than you intended, especially when using path (folder) rules. Conversely, some applications may not run properly if you do not whitelist all their components.
ASD does warn that "Implementing application whitelisting across an entire organisation can be a daunting undertaking; however, implementation on systems used by high-value or often-targeted staff members, such as executive officers and their assistants, human resources staff, FOI staff or public relations staff, can be a valuable first step."
From a small business perspective, it may also make particular sense for systems that are dedicated to a single function such as POS.
2 and 3. Patching applications and operating systems
It's worrying that this basic message still isn't getting through to everybody. ASD discounts the idea that updates must be rigorously tested before they are deployed: "There is often a perception that by patching a system without rigorous testing, something is likely to break on the system. In the majority of cases, patching will not affect the function of an organisation’s ICT system. Balancing the risk between taking weeks to test patches and patching serious vulnerabilities within a two-day timeframe can be the difference between a compromised and a protected system."
So when you see an update that addresses a serious vulnerability, don't delay.
See Assessing Security Vulnerabilities and Applying Patches for more details.
4. Restricting administrative privileges
This is another often-repeated piece of advice that is still overlooked.
Users should only have administrative privileges if they really need them (to reduce the risk of people making mistakes or that the credentials will fall into the wrong hands), and they should only use those privileged accounts when necessary – not for run-of-the-mill tasks such as web browsing. If malware does reach the system, it can do more damage more easily if it runs with administrative privileges.
So check that you haven't given users excessive privileges, and think twice before issuing administrative accounts.
That's the Top 4, so what about the remainder of the Essential Eight?
5. Disable untrusted Microsoft Office macros
If none of your people use macros, you can disable them completely to ensure malicious documents can't use macros to damage your interests. If you need to allow some macros to run, it gets more complicated - see the Australian Cyber Security Centre's paper Microsoft Office Macro Security.
If you don't use Office, you don't need to worry about this. But it's a timely warning, as there's a new piece of Mac malware that takes advantage of Office macros.
6. User application hardening
That sounds technical, but the primary recommendation is to "block web browser access to Adobe Flash Player (uninstall if possible), web ads and untrusted Java code on the Internet." The reason is that they are three popular methods for delivering malware.
Removing Flash Player for security reasons has long been advocated in some circles, but the problem is that there are still some sites that rely on Flash. The Chrome, Edge, Firefox and Safari browsers are putting increasing restrictions on Flash content.
As a general rule, if you don't need a particular piece of software, it shouldn't be installed.
7. Multi-factor authentication
Rather than relying on a username and password to identify users, multi-factor authentication adds something you have (such as a smartcard) or something you are (such as a fingerprint).
This is probably overkill in most small business situations, and in any case ASD doesn't recommend universal adoption. It does warn that poor implementation can give a false sense of security, so read Multi-factor Authentication for more details.
8. Daily backup of important data
Unlike the other recommendations, this one doesn't help protect your systems from attack, but if something bad does happen – such as a ransomware attack – it does make it easier to recover.
BIT has published plenty of articles describing ways to back up your systems along with reviews of relevant products. ASD particularly stresses the importance of backing up to a location that is otherwise not connected to the network or a computer, because ransomware and other malware can “encrypt, corrupt or delete backups that are easily accessible”.
“Once the Essential Eight mitigation strategies have been correctly implemented, a baseline cyber security posture has been achieved,” says the ASD.
However, there are several other “excellent” and “very good” strategies that are worth considering too.