Lately, I have observed a significant increase of focus on “Essential Eight.” In fact, I can call it one of the cornerstones of the latest ACSC strategy promoted for Australian government and non-government enterprises. Let’s have a closer look at these eight:
- Application whitelisting – to control the execution of unauthorized software
- Patching applications – to remediate known security vulnerabilities
- Configuring Microsoft Office macro settings – to block untrusted macros
- Application hardening – to protect against vulnerable functionality
- Restricting administrative privileges – to limit powerful access to systems
- Patching operating systems – to remediate known security vulnerabilities
- Multi-factor authentication – to protect against risky activities
- Daily backups – to maintain the availability of critical data
Do they look familiar? Yes! And it is not a surprise as any decent IT shop has been following them (except for MFA) since the 90s! From the first glance, there is nothing wrong with these eight, they’re just common sense.
Rewind to 1992
In 1992 I joined as the second in command of a small group (about 30 people) of software developers working on a real-time telecommunications system that was in production for a major telephone company. Among other things, I was in charge of security and system administration. We controlled permissions and what could be executed extremely thoroughly. We were a Unix shop, so MS was not an issue, but we were hardening the application and made sure to do all possible (and impossible) logs. Root privileges were controlled very tightly. We did patching religiously (luckily there were not so many patches those days and we had to patch only a couple dozen servers/systems). In those days MFA did not exist, so we did not use it – remote access was via modems with an additional level of protection. We also did daily incrementals and weekly fulls. I cut two additional copies of fulls every Friday, one for my boss and one for me to take home, as offsite storage services were not available then. And we were doing test restores once a quarter.
Fast Forward to 2011
Fast forward to 2011 when I was a CIO at a smaller organization (about 900 users). Our entire IT ecosystem was housed in 6 racks and we followed the “Essential Eight” (without even knowing this term, as it probably was not cast yet those days) religiously, including 2FA (RSA tokens). We struggled with timely patching during periods (from 24 hours to 2 weeks) when the business did not allow us to touch anything…
What happened next? As a result of the amalgamation of 5 entities, this smaller organization suddenly became a part of 30,000+ users behemoth moving from a 6-rack ecosystem into a mixed (fully outsourced/partially outsourced/in-house) ecosystem with an annual operating cost of $80+ M and more than 4000 applications, some of which were simultaneously mission-critical and legacy (e.g. servers they have been running on could not be patched). Put aside the pain of integration and benefits of rationalization (single email, single ERP, etc.), and just think about achieving and measuring compliance with the “Essential Eight” across tens of thousands of devices. We were dealing with patching schedules and completeness (not to say anything about time, cost, the effort required for testing patches and, more importantly, interdependencies). We were also managing MFA in a huge rapidly changing environment (exits, on-boarding, changing roles – like acting for someone on sick or annual leave), dealing with an ever-growing number of external applications that business wants to use or integrate within the current “digital transformation” climate, and etc. and etc.
Chasing the Unattainable Eight
Over the last 10 years, NSW State Government has amalgamated about 200 various departments and agencies into 9 departments. In this current climate of mergers and amalgamations, there is probably no point in time when any sizeable enterprise can confidently say that it is 100% compliant with the “Essential Eight” at any level of maturity and we are possibly chasing an unattainable goal. And this is not a criticism of the “Essential Eight” – they work perfectly well for smaller entities, but they do not work for large enterprises. This is similar to how Newton’s mechanics works at a certain scale but does not work at the scale where Quantum mechanics kicks in. We all know far too well that complexity grows exponentially with linear growth of scale.
The whole model is effectively based on an almost pre-Internet era. The addition of digital transformation and connectivity to the outside world is presumed to be benign when in truth most connections, due to misconfiguration, act as a two-way valve with data flowing in both directions. The model is also strongly focused on MS and doesn’t pay enough attention to the Linux world nor does it take into account the massive shift to the public cloud.
A Closer Look at the Essential Eight
Let’s have a look at the “Essential Eight” maturity model. I am a big fan of maturity models since 1992 when I first heard about CMU CMM. Although I always question the feasibility and value for money of achieving Level 5 maturity, I find other levels very useful and practical, as long as they are assessed by an external party, rather than through self-assessment.
Recently the “Essential Eight” approach has been further extended by the introduction of the maturity model. It is a very useful set of definitions. However, similar to the “Essential Eight” themselves, it does not take into account numerous factors present in large-scale enterprises including interdependencies and interworking in large and complex ecosystems, frequent and numerous people movements and other factors.
False Sense of Security
Lately, several supply-chain attacks have raised questions about checking patches – not only from an interoperability point of view but also from the point of view of the existence of hidden malicious code. I would argue that an enterprise hypothetically operating at level 3 maturity will still be compromised in the case of malicious code being delivered via a patch. And let’s not forget about Stuxnet – we still allow USB devices to be connected.
Are we creating a false sense of security? Do we need a better model?
Despite their flaws, I support the “Essential Eight.” They are good hygiene practices like brushing one’s teeth or washing hands. But, unfortunately, none of these hygiene practices can protect a person from catching chickenpox or measles.