Cybersecurity Strategies Compared: ACSC Essential Eight & CERT NZ Ten Critical Controls

Digitally Vicarious
Jan 19 · 4 min read

Part 1: Australia vs. New Zealand

I spend a lot of time focusing on our cybersecurity strategies and controls here in Australia and on what other sovereign nations around the world are doing to safeguard their data and systems. Whether or not those countries are part of the Commonwealth, the many similarities assure us we are on the right path, and the differences show us what we can learn from and adopt.

In brief, I have been reviewing the Computer Emergency Response Team New Zealand (CERT NZ) Ten Critical Controls for organisations and how similar they are to our own Australian Cyber Security Centre’s (ACSC) Essential Eight Strategies to Mitigate Cybersecurity Incidents. Over the coming weeks, I’ll look at what many other countries are doing, but let’s start with our closest ally and our friends across the Tasman Sea.

Reference: CERT NZ Ten Critical Controls

Reference: ACSC Essential Eight

Control 1: Patch your software and systems

ACSC Essential Eight Equivalent: Patch Applications / Patch Operating Systems

The CERT NZ control essentially combines two of the Essential Eight. Keeping software up to date is one of the most efficient and effective mitigation strategies, and "software" means operating systems, applications, and the firmware that runs on physical and virtual appliances. Don't overlook mobile devices such as Apple iOS and Android either, or any other mobile platform not mentioned here. A patch that is approved but never deployed mitigates nothing, so track deployment, not just approval.

Control 2: Disable unused services and protocols

ACSC Essential Eight Equivalent: User Application Hardening

I’ve always disagreed with an open-to-close architecture, where systems ship with many services enabled and insecure defaults that we must turn off or change before we can use them safely. I prefer a closed-to-open approach, where we explicitly enable the minimum set of services with enforced secure settings. I long to see the end of “admin/admin” and insecure default protocols. Even if they’re kept for legacy compatibility, it may be time to decommission the legacy tech completely. Regardless, the core message is hardening your systems.
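The closed-to-open approach only holds if you can prove what is actually listening. The following is an added illustration (not CERT NZ or ACSC tooling): it parses the output of Linux `ss -Hltn` and reports every listening TCP socket that is not on an explicit allowlist. The `ss` output and the allowlist are constructed for the example; the `live_ss_output` helper is there for running it against a real host.

```python
"""Closed-to-open service audit: anything listening that is not explicitly
allowed is a finding. Added example, not part of the original article.
Parses `ss -Hltn` (iproute2, Linux); a constructed sample is embedded so the
script runs offline."""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -Hltn` output for a hypothetical host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*
LISTEN 0      50           0.0.0.0:23        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      4096    192.168.1.10:8080      0.0.0.0:*
"""

# The explicit allowlist (assumed for the example): (bind address, port).
# "*" means the port may be bound on any address; a specific address means
# only that bind is acceptable (here PostgreSQL on loopback only).
ALLOWED = {("*", 22), ("*", 443), ("127.0.0.1", 5432)}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int


# State Recv-Q Send-Q Local:Port Peer:Port  -- we only need the local socket.
_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -Hltn` lines into Listener records, handling [::]:port."""
    listeners = []
    for line in output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        addr, _, port = m.group("local").rpartition(":")
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def is_allowed(listener: Listener, allowed=ALLOWED) -> bool:
    """Allowed if the port is wildcard-allowed or this exact bind is listed."""
    if ("*", listener.port) in allowed:
        return True
    return (listener.addr, listener.port) in allowed


def unexpected_listeners(output: str, allowed=ALLOWED) -> list[Listener]:
    """Everything listening that the allowlist does not explain."""
    return [l for l in parse_ss(output) if not is_allowed(l, allowed)]


def live_ss_output() -> str:
    """Fetch real data from the local host (Linux with iproute2 only)."""
    return subprocess.run(["ss", "-Hltn"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener {l.addr}:{l.port}")
```

On the constructed sample this reports telnet on port 23 and an 8080 service bound to the LAN address; SSH, HTTPS and the loopback-only database are explained by the allowlist. Run it from configuration management on every host and treat a non-empty result as a build failure.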

Control 3: Implement and test backups

ACSC Essential Eight Equivalent: Daily Backups

I don’t need to explain this one, but we still see organisations that fail to back up critical data, and, more importantly, fail to test restoring it. That includes the system configurations of your infrastructure. A backup that the same compromised account can modify or delete is no protection against ransomware, so keep copies that are offline or otherwise immutable. It is also time to review your Disaster Recovery and Business Continuity plans. Safeguarding your data against deliberate and accidental damage is a no-brainer and not optional.

Control 4: Implement application whitelisting

ACSC Essential Eight Equivalent: Application Control

The surest way to defend your systems and data is to control the applications and programs that you use, or which can be used against you. From the most malicious ransomware to the most critical HR application, they’re all composed of programs.

Control 5: Enforce the principle of least privilege

ACSC Essential Eight Equivalent: Restrict administrative privileges

While the CERT NZ control may not focus on admin accounts specifically, you get the idea. Practices like Just-In-Time Administration and Just Enough Administration, Role-Based Access Control (RBAC), and Zero Trust come into play. Removing local admin access from users, managing admin accounts on network devices and mobile assets, and managing your directory services as a source of truth are all must-haves.

Control 6: Configure centralised logging and analysis

ACSC Essential Eight Equivalent: None

Strangely enough, the ACSC doesn’t have an equivalent in its Essential Eight. Throughout the rest of the 37 strategies there are a few parallels and related controls: “Continuous incident detection and response” (rated excellent), perhaps “Capture network traffic” (rated limited), and both network- and host-based IDS/IPS touch on it. Notably, this implies having a SOC (managed SOCs are becoming more common), Managed Security Services, and the omnipresent Security Information and Event Management (SIEM) with Security Orchestration, Automation, and Response (SOAR) capabilities. Centralisation matters because an attacker who spreads activity thinly across many hosts stays under every per-host threshold; only the aggregated view reveals the pattern.

I expect the next updated list of strategies from ACSC will include this or similar.
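To show concretely what centralised analysis buys you over per-host logging, here is an added example (not CERT NZ or ACSC code, and not from the original article). It runs over constructed sshd syslog lines forwarded from three hypothetical hosts: a single source fails two logins on each host, which is below any sensible per-host threshold, but six in aggregate, and it then succeeds on one host. The threshold of 5 is an assumption for the example.

```python
"""Centralised log analysis: correlate sshd authentication failures across
hosts. Added example, not part of the original article. The log lines are
constructed syslog entries for three hypothetical hosts."""
import re
from collections import Counter, defaultdict

# Constructed sample: syslog lines as forwarded to a central collector.
SAMPLE_LOGS = """\
Jan 19 08:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jan 19 08:00:04 web01 sshd[1203]: Failed password for root from 203.0.113.9 port 51030 ssh2
Jan 19 08:00:09 db01 sshd[887]: Failed password for invalid user admin from 203.0.113.9 port 51044 ssh2
Jan 19 08:00:12 db01 sshd[889]: Failed password for postgres from 203.0.113.9 port 51051 ssh2
Jan 19 08:00:20 app01 sshd[2310]: Failed password for invalid user admin from 203.0.113.9 port 51060 ssh2
Jan 19 08:00:23 app01 sshd[2312]: Failed password for root from 203.0.113.9 port 51067 ssh2
Jan 19 08:01:02 web01 sshd[1210]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Jan 19 08:01:10 web01 sshd[1212]: Accepted publickey for alice from 198.51.100.7 port 40015 ssh2
Jan 19 08:02:00 app01 sshd[2320]: Accepted password for root from 203.0.113.9 port 51080 ssh2
"""

# "Mon DD HH:MM:SS host sshd[pid]: ..." in classic syslog layout.
_PREFIX = r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: "
FAILED = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(_PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")


def parse(lines: str):
    """Yield (host, src, user, outcome) for each sshd authentication event."""
    for line in lines.splitlines():
        if m := FAILED.match(line):
            yield m["host"], m["src"], m["user"], "failed"
        elif m := ACCEPTED.match(line):
            yield m["host"], m["src"], m["user"], "accepted"


def failures_per_host(lines: str) -> dict:
    """The view a single host has of itself: failures keyed by (host, src)."""
    counts = Counter()
    for host, src, _, outcome in parse(lines):
        if outcome == "failed":
            counts[(host, src)] += 1
    return dict(counts)


def spraying_sources(lines: str, threshold: int = 5) -> dict:
    """The central view: failures per source across every host, with the
    hosts touched. Only sources at or above the threshold are returned."""
    counts = Counter()
    hosts = defaultdict(set)
    for host, src, _, outcome in parse(lines):
        if outcome == "failed":
            counts[src] += 1
            hosts[src].add(host)
    return {src: (n, sorted(hosts[src])) for src, n in counts.items() if n >= threshold}


def successes_after_spray(lines: str, threshold: int = 5) -> list:
    """Highest-priority alert: a spraying source that eventually got in."""
    sprayers = spraying_sources(lines, threshold)
    return [(host, src, user) for host, src, user, outcome in parse(lines)
            if outcome == "accepted" and src in sprayers]


if __name__ == "__main__":
    print("per-host max failures:", max(failures_per_host(SAMPLE_LOGS).values()))
    print("sprayers seen centrally:", spraying_sources(SAMPLE_LOGS))
    print("sprayers that succeeded:", successes_after_spray(SAMPLE_LOGS))
```

Per host the worst any one of them sees is two failures from one address, which is noise. Centrally the same address shows six failures across three hosts and then a successful root password login on app01, which is the alert that should page someone. The same correlation is what a SIEM rule does at scale; the point is that the data has to be in one place first.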

Control 7: Implement network segmentation

ACSC Essential Eight Equivalent: None

Although not part of the Essential Eight, ACSC does list this in the broader set of 37 strategies as “Network segmentation” (rated excellent). Large, flat networks, or even those with only a few VLANs, seem to be becoming increasingly rare, with micro-segmentation growing in popularity. Logical boundaries, ideally backed by physical ones such as dedicated appliances and networks, are an excellent way to adopt a defence-in-depth approach: a compromise in one segment should not give an attacker a free path to the rest.

Control 8: Manage Authentication

ACSC Essential Eight Equivalent: Restrict administrative privileges

Again, we see a similar-but-not-quite match: ACSC covers this partly in the Essential Eight and partly in other strategies, namely “Disable local administrator accounts” (rated excellent), “Protect authentication credentials” (rated excellent), and to some extent “Personnel management” (rated very good) and “User education” (rated good). Sometimes managing the people aspect helps manage the technical part. CERT NZ also includes password management in this control.

Let’s also not forget ACSC includes “Multi-Factor Authentication” in its Essential Eight, but CERT NZ mentions it as part of this control rather than letting it stand alone.

Control 9: Follow an asset management lifecycle

ACSC Essential Eight Equivalent: None

Strangely, the ACSC’s 37 strategies don’t mention asset management, but it is woven throughout the Information Security Manual (ISM), and it is generally understood: you cannot patch, harden, back up, or monitor a system you don’t know you have. Perhaps the next update to the mitigation strategies will call it out as a direct control.

Control 10: Set secure defaults for macros

ACSC Essential Eight Equivalent: Configure Microsoft Office Macro Settings

While the ACSC explicitly names Microsoft Office, CERT NZ is a bit more general in its wording but still calls out Microsoft Office. Macros exist on other office suites and document platforms too, so controlling them is critical: block macros in documents from the internet, allow only vetted or signed macros from trusted publishers, and prevent users from changing those settings.

Hopefully, you will find, as I have, that many other countries are taking a very similar approach to Australia in implementing cybersecurity controls, both technical and administrative. Some we adopt from others, and others adopt some from us, but I’m a fan of the approach. If cybercriminals have taught us anything, it’s that they don’t respect sovereign boundaries and laws, so the more we can stick together, the better.

Stay safe out there.

The Startup

Digitally Vicarious

Written by

Real Name: Logan. Chief Sentence Officer (CSO). Aspiring CIO. Cybersecurity Entertainer, Writer & Presenter. Humanity, not machinery. Empathetic & altruistic.