Cybersecurity Strategies Compared: ACSC Essential Eight & CCCS Canada Top 10

Part 2: Australia vs Canada
I spend a lot of time focusing on our cybersecurity strategies and controls here in Australia and on what other sovereign nations worldwide are doing to safeguard their data and systems. Whether or not those countries are part of the Commonwealth, the many similarities assure us we’re on the right path, and the differences are things we can learn from and adopt.
This article will review the Government of Canada Communications Security Establishment (CSE) Canadian Centre for Cyber Security (CCCS) Top 10 IT Security Actions. This publication will be compared at a high level to our own Australian Cyber Security Centre’s (ACSC) Essential Eight Strategies to Mitigate Cybersecurity Incidents.
Australia Reference: ACSC Essential Eight
Let’s have a look at what my homeland of Canada is doing, shall we?
Control 1: Consolidate, monitor and defend Internet gateways
ACSC Essential Eight Equivalent: None
The Essential Eight does not have an equivalent per se, but other strategies in the larger list of 37 can apply. “Deny corporate computers direct internet connectivity” (rated excellent) and “Network-based intrusion detection/prevention system” (rated limited) can be considered. Still, our old friends, firewalls, play a vital role in this regard. In essence, firewalling, proxying, and other content-filtering solutions can assist.
Control 2: Patch operating systems (OS) and applications
ACSC Essential Eight Equivalent: Patch Applications / Patch Operating Systems
As was the case with the CERT NZ list, these two Essential Eight controls are combined. It’s safe to say that virtually everything runs an operating system, from your servers to your workstations, mobile devices, network infrastructure equipment, and network-attached devices. Keeping them up to date with the latest stable releases should be part of your everyday maintenance regime.
Control 3: Enforce the management of administrative privileges
ACSC Essential Eight Equivalent: Restrict administrative privileges
Controlling who has the “keys to the kingdom” is a long-standing practice that seems to be becoming more relevant. Removing local admin rights, managing domain and network admin accounts, and leveraging password vaults are more common than they were a decade ago. Zero Trust and Just-In-Time / Just Enough Administration are also creeping into corporate practices, although probably not as fast as I’d like.
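As an added illustration of the “remove local admin rights, and make the rest time-boxed” idea (example code written for this article, not ACSC or CCCS tooling): the script below audits a constructed inventory of local Administrators group membership per host against an approved list of standing memberships and a set of just-in-time grants with expiry times. Host names, account names and the grant table are all constructed sample data.

```python
"""Audit local-administrator membership against approved standing access
and time-boxed (just-in-time) grants.  All data below is constructed."""
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the audit is reproducible (constructed).
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)

# Constructed inventory: host -> accounts currently in its local Administrators group,
# as you might collect with an endpoint agent or configuration management tool.
LOCAL_ADMINS = {
    "ws-0101": {"CORP\\helpdesk-tier2", "ws-0101\\Administrator", "CORP\\jsmith"},
    "ws-0102": {"ws-0102\\Administrator", "CORP\\contractor7"},
    "srv-db01": {"CORP\\dba-jit-user", "srv-db01\\Administrator", "CORP\\Domain Admins"},
}

# Standing memberships that are approved to exist permanently (constructed).
APPROVED_STANDING = {
    "ws-0101": {"ws-0101\\Administrator", "CORP\\helpdesk-tier2"},
    "ws-0102": {"ws-0102\\Administrator"},
    "srv-db01": {"srv-db01\\Administrator", "CORP\\Domain Admins"},
}

# Just-in-time grants: (host, account) -> expiry time (constructed).
JIT_GRANTS = {
    ("srv-db01", "CORP\\dba-jit-user"): NOW + timedelta(hours=2),   # still valid
    ("ws-0102", "CORP\\contractor7"): NOW - timedelta(hours=1),     # already expired
}


def audit_admins(local_admins, approved_standing, jit_grants, now):
    """Return (host, account, reason) for every elevated membership that is
    neither an approved standing membership nor a currently valid JIT grant."""
    findings = []
    for host, members in sorted(local_admins.items()):
        for account in sorted(members):
            if account in approved_standing.get(host, set()):
                continue  # approved to hold admin rights permanently
            expiry = jit_grants.get((host, account))
            if expiry is None:
                findings.append((host, account, "no approval"))
            elif expiry <= now:
                findings.append((host, account, "JIT grant expired"))
            # otherwise: a JIT grant that has not yet expired, nothing to report
    return findings


def run_audit():
    return audit_admins(LOCAL_ADMINS, APPROVED_STANDING, JIT_GRANTS, NOW)


if __name__ == "__main__":
    for host, account, reason in run_audit():
        print(f"{host}: {account} -> {reason}")
```

The two findings it produces are the kind of thing a privileged-access review should surface routinely: an account that was never approved, and a temporary grant that should have been removed when its window closed.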
Control 4: Harden operating systems (OS) and applications
ACSC Essential Eight Equivalent: User Application Hardening
I have seen it become more common to establish a Standard Operating Environment (SOE) with systems hardened before they are deployed into the corporate network, rather than deploying them first and trying to configure them afterwards. Most vendors produce “hardening guides” on how to optimise the security of their products, and they are worth reading. Frequent vulnerability assessments and penetration tests can identify actual and potential weaknesses in your configuration, so you can remediate your network and update your SOE. If you don’t need it, don’t enable it, and be sure to get rid of all the defaults. Do we ever need these insecure management and monitoring protocols when secure alternatives are available? Lock it down (but don’t go so far as to hinder productivity).
Control 5: Segment and separate information
ACSC Essential Eight Equivalent: None
This control is a little different but makes a lot of sense. From the ACSC list of 37, we can consider “Network segmentation” (rated excellent), but that addresses only the network element. A good data classification strategy is needed to identify what data you have, its criticality and priority, and what controls must be applied to make this work. From a Zero Trust perspective, examine the security of the applications and data and who (or what) needs access. Think of this strategy as the modern-day equivalent of “don’t put all your eggs in one basket”.
Control 6: Provide tailored awareness and training
ACSC Essential Eight Equivalent: None
While the Essential Eight doesn’t mention the human factor (and it should), the ACSC at least mentions “User education” (rated good), and “Personnel management” (rated very good) in the broader set of 37 controls. People are your greatest asset and most significant liability, but when enabled and educated, and provided the right tools and capabilities, are a force to be reckoned with by even the most skilled cybercriminal. One of the most common attack vectors is the human element, so it only makes sense to harden your workforce as well as your systems.
Control 7: Protect information at the enterprise level
ACSC Essential Eight Equivalent: None
Potential controls include “Control removable storage media and connected devices” (rated very good) and “Outbound web and email data loss prevention” (rated very good), but these don’t paint a complete picture.
The ACSC list of 37 strategies doesn’t call out mobile devices explicitly or MDM yet (perhaps in the next update). The diverse and global ability to access corporate data cannot be ignored. We work anywhere, anytime, from nearly any device.
Organisations often allow staff to use personal devices for business as a cost-saving exercise. If practical, organisations should provide equipment to employees, leverage a device management framework, and enable control using a change management process. Company-owned assets are easier to control, without the complications of personal device boundaries.
If bring-your-own-device (BYOD) is considered, a strict control policy must be implemented. Organisations should ideally investigate technologies and their legal requirements to enable BYOD environments in which business information and transactions are segregated and protected from personal use. It’s easier said than done, I know. Modern technology, such as a mobile device management (MDM) system, can facilitate this control over personal mobile devices and the network to which they connect. However, be ready for some conflict when imposing corporate policy on private devices. Full disclosure and understanding are a must.
Control 8: Apply protection at the host level
ACSC Essential Eight Equivalent: None
The CCCS refers to Host-Based Intrusion Prevention Systems (HIPS), and the ACSC also mentions “Host-based intrusion detection/prevention system” (rated very good). When it comes to endpoint protection, the ACSC also lists “Antivirus software using heuristics and reputation ratings” (rated very good), “Antivirus software with up-to-date signatures” (rated limited), and “Endpoint detection and response software” (rated very good, and now a likely replacement for the other two). To a lesser degree, we can also consider the ACSC controls “Software-based application firewall, blocking incoming network traffic” and “Software-based application firewall, blocking outgoing network traffic” (both rated very good).
Endpoints are not just user workstations, but also mobile devices and servers — or anywhere else your data are at rest, in use, or in motion. I think the next ACSC update will reflect a significant change to endpoint protection strategies, but I’m just speculating at this point.
Control 9: Isolate Web-facing applications
ACSC Essential Eight Equivalent: None
I think it’s a given that anything web-facing should be isolated from the internal private network, and for years this has been done via Demilitarized Zones (DMZs). There were also reverse proxies, but with some exceptions security wasn’t their primary goal. Web Application Firewalls (WAFs) and software-based application firewalls can also be considered. A relevant ACSC control is “Software-based application firewall, blocking incoming network traffic” (rated very good). Other options include moving these systems off the corporate network to a third-party service provider, such as a cloud service, to gain a degree of separation.
Control 10: Implement application whitelisting
ACSC Essential Eight Equivalent: Application Control
I’m quite pleased to see this control appear in most mitigation strategies. While some may refer to it as voodoo, black magic, or the dark arts, it’s compelling. The surest way to defend your systems and data is to control the applications and programs that you use, or which can be used against you. From the most malicious ransomware to the most critical HR application, they’re all composed of programs.
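To make the “control the programs that run” idea concrete, here is an added example (written for this article, not code from ACSC, CCCS or any application control product) of the difference between an allowlist keyed on file name and one keyed on the SHA-256 hash of the file’s contents. It builds two constructed “programs” in a temporary directory, one approved and one unknown, and checks both policies against them, including a copy of the unknown file that merely carries the approved file’s name. File names and contents are constructed sample data.

```python
"""Name-based versus hash-based application allowlisting.
All 'programs' here are constructed sample files, not real executables."""
import hashlib
import os
import shutil
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file so large binaries are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_name(path, allowed_names):
    """Weak policy: decide purely on the file's base name."""
    return os.path.basename(path) in allowed_names


def allowed_by_hash(path, allowed_hashes):
    """Strong policy: decide on the hash of the file's actual contents."""
    return sha256_of_file(path) in allowed_hashes


def build_demo():
    """Create constructed sample files and evaluate both policies.
    Returns a dict of policy decisions so the outcome can be inspected."""
    workdir = tempfile.mkdtemp(prefix="appcontrol-demo-")
    try:
        approved = os.path.join(workdir, "payroll.exe")      # constructed, approved
        with open(approved, "wb") as fh:
            fh.write(b"MZ approved payroll application (constructed)")

        unknown = os.path.join(workdir, "unknown.exe")       # constructed, not approved
        with open(unknown, "wb") as fh:
            fh.write(b"MZ unapproved program (constructed)")

        # The allowlist is built from the approved file only.
        allowed_hashes = {sha256_of_file(approved)}
        allowed_names = {"payroll.exe"}

        # Same bytes as the unknown file, but carrying the approved file's name.
        lookalike = os.path.join(workdir, "other", "payroll.exe")
        os.makedirs(os.path.dirname(lookalike))
        shutil.copyfile(unknown, lookalike)

        return {
            "approved_by_name": allowed_by_name(approved, allowed_names),
            "approved_by_hash": allowed_by_hash(approved, allowed_hashes),
            "unknown_by_name": allowed_by_name(unknown, allowed_names),
            "unknown_by_hash": allowed_by_hash(unknown, allowed_hashes),
            "lookalike_by_name": allowed_by_name(lookalike, allowed_names),
            "lookalike_by_hash": allowed_by_hash(lookalike, allowed_hashes),
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for check, decision in build_demo().items():
        print(f"{check}: {'ALLOW' if decision else 'BLOCK'}")
```

The approved file passes both policies and the unknown file fails both, but the look-alike passes the name-based check and fails the hash-based one. That is the reason mature application control products key their rules on content hashes or code-signing publishers rather than on paths and names, at the cost of having to update the allowlist whenever an approved program is patched.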
Previously, I reviewed the CERT NZ controls and found them very similar to those of our own ACSC. Here, we can see some similarities with the CCCS Top 10, but also a few interesting differences I’d like to explore further to see how effective they are.
Hopefully, you will find, as I have, that many other countries are taking a very similar approach to Australia in implementing cybersecurity controls, both technical and administrative. Some we adopt from others, and others adopt some from us, but I’m a fan of the approach. If cybercriminals have taught us anything, it’s that they don’t respect sovereign boundaries and laws, so the more we can stick together, the better.
Stay safe out there.