The ASD (Australian Signals Directorate) has recently updated their cybersecurity guidelines and recommendations for Australian businesses and organisations.
The following is a summary of the main ASD changes.
Application And Operating System Management
The ASD has determined that critical vulnerabilities should be addressed within 48 hours of identification: once such a vulnerability is detected, businesses should patch, update or otherwise mitigate it within two days.
More broadly, the ASD now places increased focus on applications and systems that regularly handle untrusted content, such as web browsers, email clients, office software and security software. For these, the suggested patching timeframe is reduced from one month to two weeks, and the associated vulnerability scanning is now advised weekly rather than fortnightly.
To counterbalance this tightening, the patching timeframe for less important systems, such as those that are not internet-facing, has been extended from two weeks to one month, and scanning of those systems is now recommended fortnightly rather than weekly.
New advice has also been issued reinforcing that patches, updates and other mitigations apply to vulnerabilities in drivers and firmware, not only to applications and operating systems.
Multi-Factor Authentication (MFA)
The ASD has recognised that weaker forms of MFA exist and has set a minimum standard for MFA that strengthens the authentication process. Under this standard, a "something that users have" factor is combined with a "something that users know" factor, rather than either being used on its own.
In a customer-facing setting, password-only access continues to be exploited, so the ASD now advises that MFA be enforced on customer service portals at all times; an identified weakness that allowed customers to bypass the MFA process altogether has also been addressed.
The use of phishing-resistant forms of MFA is now promoted and encouraged. This reflects wider community adoption of MFA and the maturing of international standards, and is needed to counter the increase in attacks against weaker forms of MFA.
Finally, users are now expected to authenticate to their workstations with a phishing-resistant form of MFA, such as a security key or smart card.
Restrict Administrative Privileges
There was a noted absence of requirements for granting, controlling and revoking access privileges, and new requirements have been added to ensure privileged access to applications and systems is managed consistently.
Previous requirements restricting privileged accounts from accessing the internet have been amended to accommodate those who administer cloud services, though accounts granted such access will need to be explicitly identified and limited.
Historically, local administrator accounts were required to use complex passwords and enhanced credential management; these requirements have been extended to emergency access ("break glass") accounts, as these accounts are of equally high value to an attacker.
Additional requirements have been added for privileged users who manage administrative infrastructure. These include the use of secure administrative workstations, and enabling memory integrity (core isolation) and related security functionality within the Microsoft Windows environment.
Microsoft Windows Macros
The advice on logging Microsoft Office macros has changed: the requirement to collect and analyse macro execution events for signs of compromise has been removed, while a new requirement has been added that macros be signed with a stronger form of digital signature.
User Application Management
With Microsoft Internet Explorer 11 being phased out, businesses are now asked to either disable it or uninstall it from their operating systems.
Additionally, a previous requirement on logging PowerShell activity has been amended to avoid duplication. To complement this, a requirement to log command line process creation events has been added, so that the commands run on a system are recorded regardless of whether they were launched through PowerShell.
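The two changes above are configuration tasks on each Windows host. The following is an added example (not code from the ASD or from Aryon) showing how to switch on the event sources that the new logging requirement depends on, disable Internet Explorer 11, and read each setting back so it can be evidenced. It assumes an elevated PowerShell session on a 64-bit Windows 10/11 workstation; the registry paths and the optional-feature name are the standard Microsoft ones, and in a domain the same values would normally be set through Group Policy rather than per host.

```powershell
# Added example (not from the ASD or Aryon). Run elevated; on a domain, prefer GPO.
#Requires -RunAsAdministrator

# 1. Process creation auditing (Security event 4688) with the command line included.
#    Without the registry value below, 4688 records the image path but not its arguments.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 2. PowerShell script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational),
#    which captures the script content rather than just the fact that powershell.exe started.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 3. Internet Explorer 11: disable the optional feature (add -Remove to uninstall the payload).
#    The feature name assumed here is the 64-bit one; list others with Get-WindowsOptionalFeature -Online.
$ie = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction SilentlyContinue
if ($ie -and $ie.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName $ie.FeatureName -NoRestart | Out-Null
}

# 4. Read the settings back so the change is evidenced rather than assumed.
auditpol.exe /get /subcategory:"Process Creation"
[pscustomobject]@{
    CmdLineInAudit     = (Get-ItemProperty -Path $auditKey).ProcessCreationIncludeCmdLine_Enabled -eq 1
    ScriptBlockLogging = (Get-ItemProperty -Path $sblKey).EnableScriptBlockLogging -eq 1
    IE11State          = if ($ie) { (Get-WindowsOptionalFeature -Online -FeatureName $ie.FeatureName).State } else { 'NotPresent' }
}

# 5. Smoke test: spawn a process and confirm its arguments appear in a recent 4688 event.
Start-Process -FilePath cmd.exe -ArgumentList '/c', 'whoami' -Wait -WindowStyle Hidden
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 20 |
    Where-Object { $_.Message -match 'whoami' } |
    Select-Object TimeCreated,
        @{ n = 'CommandLine'; e = { ($_.Message -split "`n" | Select-String 'Process Command Line').Line.Trim() } }
```

Two caveats a practitioner will hit: if the domain policy "Audit: Force audit policy subcategory settings" is not enabled, legacy category-level audit settings can override the subcategory set by `auditpol`, and the smoke test will show 4688 events without a command line; and script block logging records every script, including those run by administrators and scheduled tasks, so the log volume and retention need to be sized before the setting is rolled out fleet-wide.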
Regular Backups
While there have been no substantial changes in this area, businesses are encouraged to assess the business criticality of their data, applications and settings when prioritising backups, rather than backing up only the data they perceive as most important.
In terms of overall security, the ASD recommends that businesses adopt its advice in full, together with any hardening guidance published by the relevant vendor; where the two conflict, the more stringent requirement should take precedence.
The cybersecurity landscape is complex and constantly changing, and Aryon can ensure that your business stays up to date and well protected. Contact us today to find out how Aryon can help keep you aligned with ASD guidelines.