Essential Eight authentication measures: Latest update from the Australian Signals Directorate (ASD)
In the ever-evolving threat landscape, staying ahead of cybercriminals is paramount. The Australian Signals Directorate (ASD) has been at the forefront, providing guidance to Australian organizations in bolstering their cybersecurity posture. One of their cornerstone initiatives, the Essential Eight, has recently been updated to address the dynamic nature of cyber threats.
In this blog, we explore the significance of the Essential Eight and the key updates introduced by the ASD in November 2023, with a special focus on new requirements in the area of multi-factor authentication (MFA).
The Essential Eight: Strategies and maturity levels
The Essential Eight is a set of strategies recommended by the ASD to mitigate cyber threats. First introduced in 2017 by the Australian Cyber Security Centre (ACSC), these strategies offer a robust cybersecurity framework to enhance an organization's resilience against a variety of cyber risks.
The Essential Eight comprises practical and effective measures that, when implemented, aim to significantly reduce the risk of a successful cyber attack.
The mitigation strategies, security controls, and technical controls that constitute the Essential Eight are:
- Patching applications: As a baseline, regularly update and patch applications to address vulnerabilities and prevent exploitation.
- Patching operating systems: Ensure that operating systems are up-to-date with the latest security patches to prevent vulnerabilities from being exploited.
- Multi-factor authentication: Implement MFA to add an additional layer of security for user authentication.
- Restricting administrative privileges: Limit the number of accounts with administrative privileges to minimize the potential impact of compromised credentials.
- Application control: Prevent the execution of unapproved or malicious programs and code, including executables (.exe), DLLs, scripts (e.g. Windows Script Host, PowerShell and HTML Applications), and installers.
- Restricting Microsoft Office macros: Manage and control Microsoft Office macro settings to mitigate the risk of macro-based malware.
- User application hardening: Configure web browsers and email systems to block malicious content.
- Daily backups: Prioritize regular backups of important data and ensure that backups are isolated from the network to mitigate the impact of data loss.
To support Australian organizations in adopting the Essential Eight, a framework consisting of four maturity levels (ranging from Maturity Level Zero to Maturity Level Three) was established. These levels gauge an organization's capability to counter escalating levels of malicious tradecraft (namely, tools, tactics, techniques, and procedures). It is crucial for organizations to assess the desired level at which they intend to mitigate these threats.
Generally, Maturity Level One may be suitable for small to medium enterprises, Maturity Level Two may be suitable for large enterprises, and Maturity Level Three may be suitable for critical infrastructure providers and other organizations that operate in high-threat environments.
Changes to multi-factor authentication
In November 2023 the Australian Signals Directorate (ASD) published an update to its Essential Eight Maturity Model. This coincided with the Australian Government's release of the 2023-2030 Australian Cyber Security Strategy, which aims to help Australia become a world leader in cyber security and security maturity by 2030.
The most important changes related to multi-factor authentication are the following:
- Authentication factors standardization: In the earlier version of the Essential Eight Maturity Model, Maturity Level One did not specify the types of authentication factors for MFA, leading to the adoption of potentially weaker forms, such as security questions, which are generally not recognised as valid authentication factors. The November 2023 update addresses this by introducing a minimum standard requiring “something users have” in addition to “something users know”, aligning with recognized authentication factors.
- MFA for web portals: Australian organizations are now required to enforce the use of MFA for protecting web portals storing sensitive customer data. This amendment aims to enhance security and minimize cyber security incidents such as data breaches by discouraging the use of weak password-based authentication, particularly for online services that handle personal, health, or identity-related data. Further, the update adopts a tiered approach: phishing-resistant MFA is offered as an option to customers at lower maturity levels and required for customers at higher maturity levels. This change impacts Maturity Level One through Maturity Level Three.
- Adoption of phishing-resistant MFA: In response to increased attacks against weaker MFA implementations, the rise of international standards like FIDO2/WebAuthn, and cyber policy changes by ASD's international partners (e.g. the US government), MFA requirements have been bolstered to require the use of phishing-resistant MFA by organizations at a lower maturity level. This impacts Maturity Level Two.
- Workstation authentication: A significant addition is the requirement for users to authenticate to their workstations using a form of phishing-resistant MFA, such as security keys, smart cards, or Windows Hello for Business. This applies to both Maturity Level Two and Maturity Level Three.
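The phishing resistance that the FIDO2/WebAuthn requirement above relies on comes from checks a web portal performs on every login assertion: the browser, not the user, records the origin the assertion was made for, and the authenticator scopes the credential to a relying party ID. The following is an added example written for this post, not code from the ASD or from OneSpan, showing those server-side binding checks in Python using only the standard library. The relying party ID, origin, and the helper functions that build sample client data are constructed for the illustration; signature verification over the assertion with the stored public key is the remaining WebAuthn step and is deliberately left out.

```python
import base64
import hashlib
import json
import secrets

# Relying party configuration (constructed example values).
RP_ID = "portal.example.com"
EXPECTED_ORIGIN = "https://portal.example.com"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for client data."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> tuple[bool, str]:
    """Run the origin- and RP-binding checks of a WebAuthn assertion.

    Returns (ok, reason). The signature over
    authenticator_data || SHA-256(client_data_json) must still be verified
    with the credential's registered public key; that step is omitted here.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The challenge ties the assertion to this login session and blocks replay.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    # The browser fills in the origin it is talking to. A look-alike phishing
    # domain yields a different origin, so the assertion is rejected even if
    # the user was fooled into completing the ceremony there.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    # The first 32 bytes of authenticatorData are SHA-256 of the RP ID the
    # authenticator scoped the credential to; byte 32 holds the flags.
    rp_id_hash = authenticator_data[:32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set"
    return True, "origin and RP binding verified"


# Helpers that build sample inputs the way a browser and authenticator would
# (constructed for this example; a real server receives these from the client).
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    genuine = verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                               make_authenticator_data(RP_ID), challenge)
    relayed = verify_assertion(make_client_data("https://portal-example.com", challenge),
                               make_authenticator_data(RP_ID), challenge)
    print("genuine login:", genuine)
    print("assertion from look-alike origin:", relayed)
```

The contrast with one-time codes is the point: a code typed into a look-alike page is just as valid on the real site, whereas here the origin and rpIdHash bound into the signed data do not match the relying party's expected values, so the portal refuses the login without any decision on the user's part.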
Phishing-resistant authentication is one of the key strategies to strengthen cyber security
Similar trends take place in other regions around the world. In the United States, the White House Executive Order 14028 from May 2021 mandates US federal government agencies and their suppliers to use multi-factor authentication (MFA). Issued less than a year later, Memorandum M-22-09 from the White House Office of Management and Budget (OMB) requires US government agencies to use phishing-resistant MFA for their workforce.
Similarly, in Europe the revised Network and Information Security (NIS2) directive requires organizations from critical sectors to consider strong authentication as a key factor to mitigate cyber security risks. In the financial services sector, the upcoming Payment Services Regulation (PSR) may bring new authentication requirements. We will be keeping an eye out to see whether the Regulatory Technical Standards under the PSR will refer to phishing-resistant authentication.
Conclusion
The updated Essential Eight Maturity Model places multi-factor authentication, and especially phishing-resistant authentication, at the forefront of cyber security measures, underscoring its importance in mitigating a broad spectrum of cyber threats and fighting cybercrime.
OneSpan applauds the initiative of the Australian Signals Directorate in leveraging phishing-resistant MFA to keep its organizations and citizens more secure from cyber threats, and improving cyber resilience.
More information about the ASD’s Essential Eight is available here.
More information about OneSpan’s phishing-resistant authentication products is available here.