What’s up with cybersecurity down under?

Posted on October 17, 2023

Crikey! It’s time to say g’day to the Essential Eight

Australia has gone through a rough patch when it comes to cybersecurity. In September 2022, Optus, the country’s third-largest telecommunications provider, was attacked by cybercriminals who stole the personal data of 9.7 million customers, including names, birthdates, home addresses, phone numbers, and email addresses. That wasn’t all: the hackers also stole the Medicare details, passport numbers, and driver’s license numbers of some customers, putting them at risk of identity theft and fraud. There have been conflicting reports on how the hackers carried out the attack, but many claim that a simple error gave them access through an API that did not require authentication.

Australia was still reeling from the Optus attack when the next one hit. In October 2022, cybercriminals penetrated the network of Medibank, one of Australia’s leading health insurance providers. The hackers got ahold of the names, dates of birth, phone numbers, email addresses, and addresses of over nine million current and former customers. Even worse, they stole the health claims of 160,000 Medibank customers and demanded a ransom payment for their return.

When a Medibank representative issued a statement saying that they would not meet the hackers’ demands in keeping with the Australian government policy against paying ransom, the hackers began releasing Medibank data on the dark web. In addition to personal info and details about generic claims, the criminals released personal information about sensitive topics including mental health issues, drug addiction, and pregnancy terminations. A subsequent investigation determined that the attack was set in motion when credentials of an individual with high-level access to Medibank’s systems were compromised and sold to hackers on a Russian cybercriminal forum.

And then, in March 2023, consumer lender Latitude revealed that 6.1 million customer records, 7.9 million driver’s license numbers, and 53,000 passport numbers had been stolen in yet another high-profile cyberattack. As a consumer lender, Latitude collects many identification documents as part of its credit-checking process for new customers, including unique identifiers that were targeted in the attack.

Of course, Australia isn’t alone. Cybersecurity Ventures predicts that at the current rate of growth, global damage from cyberattacks will amount to about $10.5 trillion annually by 2025. But the spate of massive attacks put cybersecurity on the agenda for Australians and raised the profile of the Essential Eight Maturity Model (E8MM).

What is E8MM?

E8MM is a cybersecurity framework that was developed by the Australian Cyber Security Centre (ACSC) in 2017. It was updated in July 2021 to address emerging threats, and again in 2023, following a thorough review and consultation with government and industry partners.

E8MM presents eight essential mitigation strategies that can help organizations bolster their protection against cyber threats like the ones described above.

E8MM mitigation strategies

The mitigation strategies included in the Essential Eight are:

1. Application control

This mitigation strategy aims to prevent attackers from running programs and malware that allow them to access and steal data. Compliance with E8MM requires organizations to ensure that every installed program is on the list of approved applications, so that anything not on the list cannot run.

2. Patch applications

Even after an application vulnerability has been identified and a patch has been created, not all companies implement the patches immediately. In fact, failing to patch known vulnerabilities, whether due to neglect or technical issues, is one of the most common enterprise security gaps. E8MM requires all patches or mitigations to be applied within 48 hours, and stipulates that no unpatched applications be used.

3. Configure Microsoft Office macro settings

Macros are often used to run commands that allow attackers to download and install malware. E8MM specifies that Office macros should be allowed only when there is a business requirement, and even then, they should be monitored and the type of commands they can issue should be restricted.

4. User application hardening

The default settings on web browsers, PDF software, Microsoft Office, and other applications aren’t always the most secure. E8MM details ways to configure the settings of these common applications to make it more difficult for criminals to install malware.

5. Restrict administrative privileges

Administrator accounts are a key target for criminals, as they enable access to an entire network. E8MM provides guidelines for securing access to and use of these accounts to prevent them from being manipulated to gain control over systems.

6. Patch operating systems

Unpatched operating systems can be exploited by attackers to penetrate applications and access the information they contain. As with applications, E8MM requires that all patches for Windows be implemented within 48 hours and that out-of-support versions, for which security patches are unavailable, not be used.

7. Multi-factor authentication

Multi-factor authentication is one of the most effective ways to prevent criminals from using stolen credentials, because in addition to a password it requires a second factor such as a fingerprint scan, a code from a mobile authenticator application, or an SMS code. E8MM requires organizations to implement multi-factor authentication for all applications.

8. Regular backups

If, or should we say when, incidents do occur, backups are critical. That’s why E8MM requires regular backups of data, configurations, and settings to be stored disconnected from the network and retained for at least three months.
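As an added example that is not part of the original post, the following Python evaluates a constructed host record against the requirements listed above: an approved-application list, the 48-hour patch window, macros only with a business requirement, MFA for every application, and disconnected backups retained for three months. The record layout, field names, allowlist and patch ids are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Thresholds taken from the E8MM requirements described above.
PATCH_WINDOW = timedelta(hours=48)      # strategies 2 and 6
BACKUP_RETENTION = timedelta(days=90)   # strategy 8: at least three months
APPROVED_APPS = {"outlook.exe", "winword.exe", "chrome.exe"}  # assumed allowlist


def assess_host(host: dict, now: datetime) -> list:
    """Return E8MM findings for one host record; an empty list means no gaps.
    Strategies 4 and 5 need configuration baselines not modelled in this record."""
    findings = []
    # 1. Application control: anything not on the approved list is a finding.
    for app in host["installed_apps"]:
        if app.lower() not in APPROVED_APPS:
            findings.append(f"app-control: {app} not on approved list")
    # 2 and 6. Patching: a patch released more than 48h ago must already be applied.
    for patch in host["pending_patches"]:
        if now - patch["released"] > PATCH_WINDOW:
            findings.append(f"patch: {patch['id']} outstanding past 48h")
    # 3. Office macros: permitted only with a recorded business requirement.
    if host["macros_enabled"] and not host["macro_business_justification"]:
        findings.append("macros: enabled without business requirement")
    # 7. MFA is required for every application, not just some of them.
    for app_name, mfa in host["app_mfa"].items():
        if not mfa:
            findings.append(f"mfa: {app_name} lacks multi-factor authentication")
    # 8. Backups must be stored disconnected and kept for at least three months.
    backup = host["backup"]
    if not backup["offline"]:
        findings.append("backup: copy is not disconnected from the network")
    if backup["retention"] < BACKUP_RETENTION:
        findings.append("backup: retention shorter than three months")
    return findings


NOW = datetime(2023, 10, 17, tzinfo=timezone.utc)
SAMPLE_HOST = {  # constructed record; patch ids are placeholders, not real KBs
    "installed_apps": ["outlook.exe", "WinWord.exe", "putty.exe"],
    "pending_patches": [
        {"id": "KB-EXAMPLE-1", "released": NOW - timedelta(hours=30)},  # inside window
        {"id": "KB-EXAMPLE-2", "released": NOW - timedelta(days=5)},    # overdue
    ],
    "macros_enabled": True,
    "macro_business_justification": "",
    "app_mfa": {"vpn": True, "webmail": False},
    "backup": {"offline": False, "retention": timedelta(days=30)},
}
```

Running `assess_host(SAMPLE_HOST, NOW)` yields six findings for this record; a host that passes every check returns an empty list.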

Maturity levels in E8MM

To address the reality that not all organizations are able to implement the highest levels of security immediately, E8MM includes four “maturity levels”, each designed to counter malicious actors of a particular level of sophistication. The ACSC recommends that companies aim to increase their maturity level over time.

Maturity Level Zero

The requirements at this level address organizations with significant weaknesses in their overall cybersecurity, which could be exploited to compromise data confidentiality and integrity, as well as system integrity.

Maturity Level One

Level One requirements are geared to protect organizations against malicious actors who use common, publicly available exploits to target random victims, launch malware, and sometimes destroy data. These include common social engineering techniques and simple phishing attacks.

Maturity Level Two

This level focuses on malicious actors who go a step beyond basic exploits and develop ways to bypass simple controls and even weak multi-factor authentication. They often invest substantial effort in targeting to ensure that their social engineering is effective, or seek accounts with special privileges.

Maturity Level Three

This level targets malicious actors who go above and beyond public tools and techniques and actively evade detection, such as the criminals behind the high-profile Australian attacks. It includes protections against malicious actors who focus on particular targets and invest in bypassing the specific policies and controls of those targets and covering their tracks.

Where does this leave you?

Companies in Australia that fall prey to cyberattacks and are found to have insufficient safeguards in place face serious consequences. Two key regulatory bodies, the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA), have jointly initiated an inquiry into the Optus breach.

The previous maximum civil penalty of AUD $2.2 million has been replaced with more substantial fines: the Act now mandates a maximum penalty of AUD $50 million for serious or repeated infringement of an individual’s privacy, or, if higher, three times the gains derived from the breach or 30% of the corporation’s ‘adjusted turnover’ within the ‘breach turnover period’.

Apart from the Optus case, the Medibank and Latitude breaches have both prompted class action lawsuits. The Medibank data breach cost the health insurer AUD $46.4 million in the 2022-2023 financial year, and the total cost by the following year could potentially surpass AUD $80 million.

In a significant development, the Office of the Australian Information Commissioner (OAIC) and the New Zealand Office of the Privacy Commissioner (OPC) jointly announced a privacy investigation prompted by the Latitude hack, a pivotal moment in privacy oversight.

Striving for full compliance with E8MM standards (up to maturity level three) is a commendable beginning, and no company wants to be the subject of media shaming or regulatory scrutiny.

When human factors come into play, however, absolutely foolproof security is an unattainable goal. Even with meticulous attention to patching, configuration, and the implementation of multi-factor authentication, vulnerabilities such as zero-day exploits remain a challenge, and even the most skilled cybersecurity professionals may overlook something at some stage.

Hence, the most robust defense always lies in prevention, particularly in the realm of the web. Ericom’s isolation-driven solutions create a barrier between endpoints, networks and applications, protecting against breaches even in cases where critical patches or configuration updates are overlooked. This approach proves equally potent against unaddressed zero-day vulnerabilities and aligns with various E8MM mitigation criteria.

Act now to safeguard your company and uphold E8MM compliance with Ericom.

Don’t wait to become the next target.


About Zoran Pupovac

Zoran Pupovac is a seasoned IT Security Professional, boasting an extensive history of fortifying organizations against the constantly evolving landscape of cyber threats. With over two decades of experience, he offers a wealth of expertise in designing robust security strategies encompassing SASE, Cloud, DLP and Endpoint security. Zoran is adept at implementing cutting-edge technologies and conducting thorough risk assessments.
