Cybersecurity Strategies Compared: ACSC Essential Eight & CCCS Canada Top 10

Digitally Vicarious
Jan 20 · 6 min read

Part 2: Australia vs Canada

I spend a lot of time focusing on our cybersecurity strategies and controls here in Australia and on what other sovereign nations worldwide are doing to safeguard their data and systems. Regardless of whether other countries are part of the Commonwealth or not, there are many similarities that assure us we’re on the right path, and differences we can learn from and adopt.

This article will review the Government of Canada Communications Security Establishment (CSE) Canadian Centre for Cyber Security (CCCS) Top 10 IT Security Actions. This publication will be compared at a high level to our own Australian Cyber Security Centre’s (ACSC) Essential Eight Strategies to Mitigate Cybersecurity Incidents.

Canada Reference: CCCS Top 10

Australia Reference: ACSC Essential Eight

Let’s have a look at what my homeland of Canada is doing, shall we?

Control 1: Consolidate, monitor and defend Internet gateways

ACSC Essential Eight Equivalent: None

The Essential Eight does not have an equivalent per se, but other strategies in the larger list of 37 can apply. “Deny corporate computers direct internet connectivity” (rated excellent) and “Network-based intrusion detection/prevention system” (rated limited) can be considered. Still, our old friends, firewalls, play a vital role in this regard. In essence, firewalling, proxying, and other content filtering solutions can assist.

Control 2: Patch operating systems (OS) and applications

ACSC Essential Eight Equivalent: Patch Applications / Patch Operating Systems

As was the case with the CERT NZ list, these two Essential Eight controls are combined. It’s safe to say that virtually everything runs an operating system, from your servers to your workstations, mobile devices, network infrastructure equipment, and network-attached devices. Keeping them up to date with the latest stable releases should be part of your everyday maintenance regime.

Control 3: Enforce the management of administrative privileges

ACSC Essential Eight Equivalent: Restrict administrative privileges

Controlling who has the “keys to the kingdom” is a long-standing practice that seems to be becoming more relevant. Removing local admin rights, managing domain and network admin accounts, and leveraging password vaults are more common than a decade ago. Zero Trust and Just-In-Time / Just Enough Administration are also creeping into corporate practices, although probably not as fast as I’d like.

Control 4: Harden operating systems (OS) and applications

ACSC Essential Eight Equivalent: User Application Hardening

I have seen it become more common practice to establish a Standard Operating Environment (SOE), with systems hardened before being deployed into the corporate network, instead of putting things in place and then trying to configure them afterwards. Most vendors produce “hardening guides” on how to optimise the security of their products, and these are worth the read. Frequent Vulnerability Assessments and Penetration tests can identify actual and potential weaknesses in your configuration so that you can remediate your network and update your SOE. If you don’t need it, don’t enable it, and be sure to get rid of all the defaults. Do we ever need these insecure management and monitoring protocols when there are secure alternatives available? Lock it down (but don’t go so far as to hinder productivity).

Control 5: Segment and separate information

ACSC Essential Eight Equivalent: None

This control is a bit different but makes a lot of sense. From the ACSC list of 37, we can consider “Network segmentation” (rated excellent), but that addresses only the network element. A good data classification strategy is needed to identify what data you have, its criticality and priority, and what controls must be applied to make this work. From a Zero Trust perspective, examine the security of the applications and data and who (or what) needs access. Think of this strategy as the modern-day equivalent of “don’t put all your eggs in one basket”.

Control 6: Provide tailored awareness and training

ACSC Essential Eight Equivalent: None

While the Essential Eight doesn’t mention the human factor (and it should), the ACSC at least mentions “User education” (rated good) and “Personnel management” (rated very good) in the broader set of 37 controls. People are your greatest asset and most significant liability, but when enabled and educated, and provided with the right tools and capabilities, they are a force to be reckoned with by even the most skilled cybercriminal. One of the most common attack vectors is the human element, so it only makes sense to harden your workforce as well as your systems.

Control 7: Protect information at the enterprise level

ACSC Essential Eight Equivalent: None

Potential controls include “Control removable storage media and connected devices” (rated very good) and “Outbound web and email data loss prevention” (rated very good), but they don’t paint a complete picture.

The ACSC list of 37 strategies doesn’t call out mobile devices explicitly or MDM yet (perhaps in the next update). The diverse and global ability to access corporate data cannot be ignored. We work anywhere, anytime, from nearly any device.

Organisations often allow staff to use personal devices for business as a cost-saving exercise. If practical, organisations should provide equipment to employees, leverage a device management framework, and enable control using a change management process. Company-owned assets are easier to control, without too much of an issue with personal device boundaries.

If bring-your-own-device (BYOD) is considered, a strict control policy must be implemented. Organisations should ideally investigate technologies and their legal requirements to enable BYOD environments in which business information and transactions are segregated and protected from personal use. It’s easier said than done, I know. Modern technology, like a mobile device management (MDM) system, can facilitate this control over personal mobile devices and the network to which they connect. However, be ready for some conflict when imposing corporate policy on private devices. Full disclosure and understanding are a must.

Control 8: Apply protection at the host level

ACSC Essential Eight Equivalent: None

The CCCS refers to Host-Based Intrusion Prevention Systems (HIPS), and the ACSC also mentions “Host-based intrusion detection/prevention system” (rated very good). When it comes to endpoint protection, the ACSC also lists “Antivirus software using heuristics and reputation ratings” (rated very good), “Antivirus software with up-to-date signatures” (rated limited), and “Endpoint detection and response software” (rated very good, and now a likely replacement for the other two). To a lesser degree, we can also consider the ACSC controls “Software-based application firewall, blocking incoming network traffic” and “Software-based application firewall, blocking outgoing network traffic” (both rated very good).

Endpoints are not just user workstations, but also mobile devices and servers, or anywhere else your data are at rest, in use, or in motion. I think the next ACSC update will reflect a significant change to endpoint protection strategies, but I’m just speculating at this point.

Control 9: Isolate Web-facing applications

ACSC Essential Eight Equivalent: None

I think it’s a given that anything web-facing should be isolated from the internal private network, and for years, this has always been via Demilitarized Zones (DMZs). There were also reverse proxies, but, with some exceptions, security wasn’t their primary goal. Web Application Firewalls (WAF) and software-based application firewalls can also be considered. A relevant ACSC control is “Software-based application firewall, blocking incoming network traffic” (rated very good). Other options include moving these applications off the corporate network to a third-party services provider, like a cloud service, to gain a degree of separation.

Control 10: Implement application whitelisting

ACSC Essential Eight Equivalent: Application Control

I’m quite pleased to see this control arise in most mitigation strategies. While some may refer to it as voodoo, black magic, or the dark arts, it’s compelling. The surest way to defend your systems and data is to control the applications and programs that you use, or which can be used against you. From the most malicious ransomware to the most critical HR application, they’re all composed of programs.

Previously, I reviewed the CERT NZ controls and found them very similar to those of our own ACSC. Here, we can see some similarities with the CCCS Top 10, but also a few interesting differences that I’d like to explore further to see their effectiveness.

Hopefully, you will find, like I have, that many other countries are taking a very similar approach to Australia in implementing cybersecurity controls, both technical and administrative. Some we adopt from others, and others adopt some from us, but I’m a fan of the approach. If cybercriminals have taught us anything, it’s that they don’t respect sovereign boundaries and laws, so the more we can stick together, the better.

Stay safe out there.


Written by Digitally Vicarious

Real Name: Logan. Chief Sentence Officer (CSO). Aspiring CIO. Cybersecurity Entertainer, Writer & Presenter. Humanity, not machinery. Empathetic & altruistic.
