Essential Eight Maturity Model

Download ASD Protect Essential Eight Maturity Model (PDF), October 2017
First published June 2017; updated July, September and October 2017

Introduction

The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, in the form of ASD’s Strategies to Mitigate Cyber Security Incidents, to help organisations mitigate cyber security incidents caused by various cyber threats. The most effective of these mitigation strategies for targeted cyber intrusions and ransomware are known as the Essential Eight.

This document is intended for cyber security professionals looking to determine the maturity of their implementation of the Essential Eight mitigation strategies.

Maturity levels for mitigation strategies

To assist organisations in determining their maturity in the implementation of the Essential Eight mitigation strategies, five levels of maturity have been defined for each mitigation strategy. Broadly, the maturity levels are defined as:

  1. Maturity Level Zero: Not aligned with intent of mitigation strategy
  2. Maturity Level One: Partly aligned with intent of mitigation strategy
  3. Maturity Level Two: Mostly aligned with intent of mitigation strategy
  4. Maturity Level Three: Fully aligned with intent of mitigation strategy
  5. Maturity Level Four: For higher risk environments.

What maturity level should I aim for?

As a baseline, organisations should aim to reach a maturity level of three for all of the Essential Eight mitigation strategies. However, some organisations are constantly targeted by highly skilled adversaries, or otherwise operate in a higher risk environment. These organisations should aim to reach a maturity level of four for mitigation strategies designed to assist in mitigating the specific threat vectors that adversaries are known to be using against them.

The minimum criteria that must be met for each maturity level, for each mitigation strategy, are set out in the grid at the end of this document.

Further information

The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian government systems.

ASD’s Strategies to Mitigate Cyber Security Incidents complements the advice in the ISM.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.

Essential Eight Maturity Model

For each mitigation strategy, the grid below lists the minimum criteria for each maturity level:

  Maturity Level Zero: Not aligned with intent of mitigation strategy
  Maturity Level One: Partly aligned with intent of mitigation strategy
  Maturity Level Two: Mostly aligned with intent of mitigation strategy
  Maturity Level Three: Fully aligned with intent of mitigation strategy
  Maturity Level Four: For higher risk environments
Mitigation strategies to prevent malware delivery and execution

Application whitelisting

Workstations

  Maturity Level Zero:
    - Not implemented on workstations, or
    - Running in audit mode

  Maturity Level One:
    - Implemented on at least workstations of high-risk users
    - Running in enforcement mode
    - Any whitelisting method covering executables

  Maturity Level Two:
    - Implemented on at least workstations of high-risk users
    - Running in enforcement mode
    - An approved whitelisting method covering executables and software libraries

  Maturity Level Three:
    - Implemented on all workstations
    - Running in enforcement mode
    - An approved whitelisting method covering executables, software libraries, scripts and installers

  Maturity Level Four:
    - Implemented on all workstations
    - Running in enforcement mode
    - Exclusively hash-based whitelisting covering executables, software libraries, scripts and installers

Servers

  Maturity Level Zero:
    - Not implemented on servers, or
    - Running in audit mode

  Maturity Level One:
    - Implemented on important servers (e.g. Active Directory, email servers and other servers handling user authentication)
    - Running in enforcement mode
    - Any whitelisting method covering executables

  Maturity Level Two:
    - Implemented on important servers (e.g. Active Directory, email servers and other servers handling user authentication)
    - Running in enforcement mode
    - An approved whitelisting method covering executables and software libraries

  Maturity Level Three:
    - Implemented on important servers (e.g. Active Directory, email servers and other servers handling user authentication)
    - Running in enforcement mode
    - An approved whitelisting method covering executables, software libraries, scripts and installers

  Maturity Level Four:
    - Implemented on all servers
    - Running in enforcement mode
    - Exclusively hash-based whitelisting covering executables, software libraries, scripts and installers
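As an added example (not ASD's own tooling), the following PowerShell maps an AppLocker effective policy onto the workstation criteria above: which rule collections are in enforcement mode rather than audit mode, whether executables, libraries, scripts and installers are all covered, and whether the rules are exclusively hash-based. It assumes AppLocker is the whitelisting mechanism, reads "approved whitelisting method" as publisher or hash rules rather than path rules, and takes a switch from the caller for whether the policy reaches every workstation; the embedded policy is a constructed sample, not a real export.

```powershell
# Added example, not from the ASD document. Maps an AppLocker policy (the XML
# returned by Get-AppLockerPolicy -Effective -Xml) to the application whitelisting
# maturity levels. Assumptions: "approved method" = publisher or hash rules only
# (no path rules); rule collection names follow the AppLocker schema
# (Exe, Dll, Script, Msi, Appx); fleet coverage is supplied by the caller.

function Get-WhitelistingMaturity {
    param(
        [Parameter(Mandatory)][xml]$PolicyXml,
        [switch]$AllHostsCovered   # policy applied to every workstation (needed for Level Three/Four)
    )

    $collections = @{}
    foreach ($rc in @($PolicyXml.AppLockerPolicy.RuleCollection)) {
        $collections[$rc.Type] = $rc
    }

    # A collection counts only if it is enforced (not AuditOnly) and actually has rules.
    $enforced = {
        param([string]$Type)
        $rc = $collections[$Type]
        return ($null -ne $rc) -and ($rc.EnforcementMode -eq 'Enabled') -and ($rc.ChildNodes.Count -gt 0)
    }

    # Kinds of rule present across every collection (FilePublisherRule, FileHashRule, FilePathRule).
    $ruleKinds = @(foreach ($rc in $collections.Values) { foreach ($rule in $rc.ChildNodes) { $rule.LocalName } })
    $usesPathRules = $ruleKinds -contains 'FilePathRule'
    $hashOnly      = ($ruleKinds.Count -gt 0) -and (@($ruleKinds | Where-Object { $_ -ne 'FileHashRule' }).Count -eq 0)

    if (-not (& $enforced 'Exe')) { return 0 }                        # audit mode, or executables not covered
    $level = 1                                                        # any method covering executables, enforced
    if ((& $enforced 'Dll') -and -not $usesPathRules) { $level = 2 }  # approved method, executables + libraries
    if ($level -eq 2 -and (& $enforced 'Script') -and (& $enforced 'Msi') -and $AllHostsCovered) { $level = 3 }
    if ($level -eq 3 -and $hashOnly) { $level = 4 }                   # exclusively hash-based
    return $level
}

# Constructed sample policy (not a real export): executables and libraries are
# enforced with a publisher rule, scripts are still in audit mode with a hash rule.
$samplePolicy = [xml]@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="Signed by example publisher" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PTY LTD, L=CANBERRA, S=ACT, C=AU" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePublisherRule Id="22222222-2222-2222-2222-222222222222" Name="Signed by example publisher" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PTY LTD, L=CANBERRA, S=ACT, C=AU" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FileHashRule Id="33333333-3333-3333-3333-333333333333" Name="logon.ps1" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="0x0000000000000000000000000000000000000000000000000000000000000000" SourceFileName="logon.ps1" SourceFileLength="1024" />
        </FileHashCondition>
      </Conditions>
    </FileHashRule>
  </RuleCollection>
</AppLockerPolicy>
'@

Get-WhitelistingMaturity -PolicyXml $samplePolicy

# On a domain-joined workstation, score the live effective policy instead:
# Get-WhitelistingMaturity -PolicyXml ([xml](Get-AppLockerPolicy -Effective -Xml)) -AllHostsCovered
```

The function scores one host's policy; the "at least workstations of high-risk users" versus "all workstations" distinction is fleet coverage, which is why it is a caller-supplied switch rather than something read from the XML. A collection in AuditOnly mode is treated the same as no collection, matching the grid's Level Zero wording.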

Patch applications

Workstations

  Maturity Level Zero:
    - Patches for extreme risk security vulnerabilities in Adobe Flash, web browsers, Microsoft Office, Oracle Java and PDF viewers are not applied or are applied on a greater than monthly basis
    - A non-vendor-supported version of any of the above applications is used

  Maturity Level One:
    - Patches for extreme risk security vulnerabilities in Adobe Flash, web browsers, Microsoft Office, Oracle Java and PDF viewers are applied within one month for all workstations
    - Only vendor-supported yet deprecated versions of the above applications are used

  Maturity Level Two:
    - Patches for extreme risk security vulnerabilities in Adobe Flash, web browsers, Microsoft Office, Oracle Java and PDF viewers are applied within 48 hours for workstations of high-risk users and two weeks for all other workstations
    - Only vendor-supported yet deprecated versions of the above applications are used

  Maturity Level Three:
    - Patches for extreme risk security vulnerabilities in Adobe Flash, web browsers, Microsoft Office, Oracle Java and PDF viewers are applied and verified within 48 hours for all workstations
    - Only vendor-supported yet deprecated versions of the above applications are used

  Maturity Level Four:
    - Patches for extreme risk security vulnerabilities in Adobe Flash, web browsers, Microsoft Office, Oracle Java and PDF viewers are applied and verified within 48 hours for all workstations
    - Only the latest vendor-supported version of the above applications is used

Servers

  Maturity Level Zero:
    - Patches for extreme risk security vulnerabilities in web server software, other server applications that store important (sensitive or high-availability) data, and all other internet-accessible server applications, are not applied or are applied on a greater than monthly basis
    - A non-vendor-supported version of an application is used for web server software, other server applications that store important data or any other internet-accessible server application

  Maturity Level One:
    - Patches for extreme risk security vulnerabilities in web server software, other server applications that store important (sensitive or high-availability) data, and all other internet-accessible server applications, are applied within one month
    - Only vendor-supported yet deprecated versions of applications are used for web server software, other server applications that store important data and all other internet-accessible server applications

  Maturity Level Two:
    - Patches for extreme risk security vulnerabilities in web server software, other server applications that store important (sensitive or high-availability) data, and all other internet-accessible server applications, are applied within two weeks
    - Only vendor-supported yet deprecated versions of applications are used for web server software, other server applications that store important data and all other internet-accessible server applications

  Maturity Level Three:
    - Patches for extreme risk security vulnerabilities in web server software, other server applications that store important (sensitive or high-availability) data, and all other internet-accessible server applications, are applied and verified within 48 hours
    - Only vendor-supported yet deprecated versions of applications are used for web server software, other server applications that store important data and all other internet-accessible server applications

  Maturity Level Four:
    - Patches for extreme risk security vulnerabilities in web server software, other server applications that store important (sensitive or high-availability) data, and all other internet-accessible server applications, are applied and verified within 48 hours
    - Only the latest vendor-supported versions of applications are used for web server software, other server applications that store important data and all other internet-accessible server applications

Configure Microsoft Office macro settings

Workstations

  Maturity Level Zero:
    - All Microsoft Office macros can execute without prompting users for approval, or
    - Microsoft Office macro settings can be configured by users

  Maturity Level One:
    - All Microsoft Office macros can execute, but only after prompting users for approval
    - Microsoft Office macro settings are enforced via Group Policy settings

  Maturity Level Two:
    - Only signed Microsoft Office macros can execute
    - Microsoft Office macro settings are enforced via Group Policy settings

  Maturity Level Three:
    - Only Microsoft Office macros in appropriately configured Trusted Locations can execute
    - Microsoft Office macro settings are enforced via Group Policy settings

  Maturity Level Four:
    - Microsoft Office macros are blocked from executing and Trusted Locations are disabled
    - Microsoft Office macro settings are enforced via Group Policy settings
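As an added example (not ASD's own tooling), the following PowerShell reads the Group Policy-enforced macro settings for each Office application on the workstation it runs on and maps them onto the levels above. The registry value names and meanings are those written by the Office 2016 ADMX templates under HKCU\Software\Policies; the mapping of Level Three and Level Four onto the combination of VBAWarnings and AllLocationsDisabled is this example's reading of the grid, not something the document states. A missing policy value is scored as Level Zero because, without Group Policy enforcement, the user can change the setting.

```powershell
# Added example, not from the ASD document. Reads the Group Policy-enforced macro
# settings for each Office application and maps them to the maturity levels above.
# Registry values are those written by the Office 2016 ADMX templates:
#   Security\VBAWarnings: 1 = enable all macros, 2 = disable with notification,
#     3 = disable all except digitally signed, 4 = disable all without notification
#   Security\Trusted Locations\AllLocationsDisabled: 1 = all Trusted Locations disabled
# Assumption (this example's reading of the grid): Level Three = VBAWarnings 4 with
# Trusted Locations still enabled; Level Four = VBAWarnings 4 and AllLocationsDisabled 1.

function Get-MacroMaturity {
    param(
        [string]$OfficeVersion = '16.0',
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        [string]$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office'
    )

    $perApp = foreach ($app in $Apps) {
        $security = Join-Path $PolicyRoot "$OfficeVersion\$app\Security"
        $warn = (Get-ItemProperty -Path $security -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $tl   = (Get-ItemProperty -Path (Join-Path $security 'Trusted Locations') -Name AllLocationsDisabled -ErrorAction SilentlyContinue).AllLocationsDisabled

        if ($null -eq $warn -or $warn -eq 1) { $level = 0 }   # not enforced (user-configurable), or enable all
        elseif ($warn -eq 2)                 { $level = 1 }   # macros run only after prompting
        elseif ($warn -eq 3)                 { $level = 2 }   # only signed macros
        elseif ($warn -eq 4 -and $tl -eq 1)  { $level = 4 }   # blocked, Trusted Locations disabled
        elseif ($warn -eq 4)                 { $level = 3 }   # blocked except Trusted Locations
        else                                 { $level = 0 }   # unknown value: treat as not aligned

        [pscustomobject]@{
            Application          = $app
            VBAWarnings          = $warn
            AllLocationsDisabled = $tl
            Level                = $level
        }
    }

    # The weakest application determines the workstation's level.
    [pscustomobject]@{
        Level  = ($perApp | Measure-Object -Property Level -Minimum).Minimum
        Detail = $perApp
    }
}

$result = Get-MacroMaturity
$result.Detail | Format-Table -AutoSize
"Workstation macro maturity level: $($result.Level)"
```

Run it under the user account whose policy you are assessing, since these are per-user (HKCU) policy values; if machine-level policy is used in your environment, pass the corresponding HKLM:\Software\Policies\Microsoft\Office path as -PolicyRoot.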

User application hardening

Workstations

  Maturity Level Zero:
    - Web browsers allow Adobe Flash, web advertisements and Java from the Internet
    - Unneeded features in Microsoft Office, web browsers and PDF viewers are not disabled

  Maturity Level One:
    - Web browsers block at least one of Adobe Flash, web advertisements or Java from the Internet
    - Unneeded features in Microsoft Office, web browsers and PDF viewers are not disabled

  Maturity Level Two:
    - Web browsers block Adobe Flash, web advertisements and Java from the Internet
    - Unneeded features in Microsoft Office, web browsers and PDF viewers are not disabled

  Maturity Level Three:
    - Web browsers block Adobe Flash, web advertisements and Java from the Internet
    - Unneeded features in Microsoft Office, web browsers and PDF viewers are disabled

  Maturity Level Four:
    - Web browsers are hardened using vendor hardening guides, Adobe Flash is uninstalled and both web advertisements and Java from the Internet are blocked
    - Microsoft Office, web browsers and PDF viewers are hardened using ASD and vendor hardening guides (where available) and unneeded features are disabled

Mitigation strategies to limit the extent of cyber security incidents

Restrict administrative privileges

Workstations and servers

  Maturity Level Zero:
    - Requirements for privileged accounts are not validated
    - No duties-based restrictions on privileged accounts are applied
    - All privileged accounts are capable of reading emails and web browsing

  Maturity Level One:
    - Requirements for privileged accounts are validated initially
    - No duties-based restrictions on privileged accounts are applied
    - Most privileged accounts are restricted from reading emails and web browsing

  Maturity Level Two:
    - Requirements for privileged accounts are validated initially and on an annual basis
    - No duties-based restrictions on privileged accounts are applied
    - All privileged accounts are restricted from reading emails and web browsing using policy controls

  Maturity Level Three:
    - Requirements for privileged accounts are validated initially and on an annual basis
    - Duties-based restrictions on privileged accounts are applied
    - All privileged accounts are blocked from reading emails and web browsing using technical controls

  Maturity Level Four:
    - Requirements for privileged accounts are validated initially and on a monthly basis, or before they are required for a task and revoked immediately afterwards
    - Duties-based restrictions on privileged accounts are applied
    - All privileged accounts are blocked from reading emails and web browsing using technical controls

Patch operating systems

Workstations

  Maturity Level Zero:
    - Patches for extreme risk security vulnerabilities in operating systems are not applied or are applied on a greater than monthly basis
    - A non-vendor-supported operating system version is used

  Maturity Level One:
    - Patches for extreme risk security vulnerabilities in operating systems are applied within one month for all workstations
    - Only vendor-supported yet deprecated operating system versions are used

  Maturity Level Two:
    - Patches for extreme risk security vulnerabilities in operating systems are applied within 48 hours for workstations of high-risk users and two weeks for all other workstations
    - Only vendor-supported yet deprecated operating system versions are used

  Maturity Level Three:
    - Patches for extreme risk security vulnerabilities in operating systems are applied and verified within 48 hours for all workstations
    - Only vendor-supported yet deprecated operating system versions are used

  Maturity Level Four:
    - Patches for extreme risk security vulnerabilities in operating systems are applied and verified within 48 hours for all workstations
    - Only the latest vendor-supported operating system version is used

Servers

  Maturity Level Zero:
    - Patches for extreme risk security vulnerabilities in operating systems are not applied or are applied on a greater than monthly basis
    - A non-vendor-supported operating system version is used

  Maturity Level One:
    - Patches for extreme risk security vulnerabilities in operating systems are applied within one month for all servers and network devices
    - Only vendor-supported yet deprecated operating system versions are used

  Maturity Level Two:
    - Patches for extreme risk security vulnerabilities in operating systems are applied within 48 hours for important servers (e.g. Active Directory, email servers and other servers handling user authentication) and two weeks for all other servers and network devices
    - Only vendor-supported yet deprecated operating system versions are used

  Maturity Level Three:
    - Patches for extreme risk security vulnerabilities in operating systems are applied and verified within 48 hours for all servers and network devices
    - Only vendor-supported yet deprecated operating system versions are used

  Maturity Level Four:
    - Patches for extreme risk security vulnerabilities in operating systems are applied and verified within 48 hours for all servers and network devices
    - Only the latest vendor-supported operating system version is used
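The application and operating system patching criteria share the same timing windows (48 hours, two weeks, one month) and the same split between high-risk workstations or important servers and everything else. As an added example serving both of those sections (not ASD's own tooling), the following PowerShell scores a set of patch records against those windows. The input shape is assumed: one row per host for a given patch, as might be exported from WSUS or SCCM, with the vendor release time, the time the patch was applied, the time compliance was verified, and a host class. The records are constructed sample data. Level Four also requires the latest vendor-supported version to be in use, which this data does not carry, so the function caps its result at Level Three.

```powershell
# Added example, not from the ASD document. Scores patch timeliness for extreme
# risk vulnerabilities against the grid's windows, separately for workstations
# and servers. Assumed input: one row per host and patch. "Released" is the
# vendor's patch release, "Applied" the install time, "Verified" when compliance
# was confirmed (blank = never). Class is Workstation, HighRiskWorkstation,
# Server or ImportantServer. Result is capped at Level Three because "latest
# vendor-supported version" (needed for Level Four) is not in this data.

function Get-PatchMaturity {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][ValidateSet('Workstation', 'Server')][string]$Platform
    )
    # 'Workstation' matches Workstation and HighRiskWorkstation; 'Server' matches Server and ImportantServer.
    $rows = @($Records | Where-Object { $_.Class -like "*$Platform" })
    if ($rows.Count -eq 0) { return $null }

    # Hours from vendor release to the given event; a blank event means it never happened.
    $hoursAfterRelease = {
        param($Released, $When)
        if ($When) { ([datetime]$When - [datetime]$Released).TotalHours } else { [double]::PositiveInfinity }
    }
    $applied  = @{}
    $verified = @{}
    foreach ($r in $rows) {
        $applied[$r.Host]  = & $hoursAfterRelease $r.Released $r.Applied
        $verified[$r.Host] = & $hoursAfterRelease $r.Released $r.Verified
    }

    $priorityClasses = @('HighRiskWorkstation', 'ImportantServer')
    $priority = @($rows | Where-Object { $_.Class -in $priorityClasses }    | ForEach-Object { $_.Host })
    $others   = @($rows | Where-Object { $_.Class -notin $priorityClasses } | ForEach-Object { $_.Host })
    $all      = $priority + $others

    # True when every named host is within the limit in the given table.
    $within = {
        param($Names, $Table, $LimitHours)
        @($Names | Where-Object { $Table[$_] -gt $LimitHours }).Count -eq 0
    }

    if (& $within $all $verified 48)                                                   { return 3 }  # applied and verified within 48 hours, all hosts
    if ((& $within $priority $applied 48) -and (& $within $others $applied (14 * 24))) { return 2 }  # 48 hours for high-risk/important, two weeks for the rest
    if (& $within $all $applied (30 * 24))                                              { return 1 }  # everything within one month
    return 0                                                                                         # slower than monthly, or not applied
}

# Constructed sample records (not real data): one patch, four hosts.
$sample = @'
Host,Class,Released,Applied,Verified
WS01,HighRiskWorkstation,2017-10-02 09:00,2017-10-03 15:00,2017-10-03 18:00
WS02,Workstation,2017-10-02 09:00,2017-10-10 12:00,
SRV-DC1,ImportantServer,2017-10-02 09:00,2017-10-03 20:00,2017-10-04 08:00
SRV-WEB1,Server,2017-10-02 09:00,2017-10-20 02:00,2017-10-20 03:00
'@ | ConvertFrom-Csv

foreach ($platform in 'Workstation', 'Server') {
    [pscustomobject]@{
        Platform      = $platform
        MaturityLevel = (Get-PatchMaturity -Records $sample -Platform $platform)
    }
}
```

The "verified" column is what separates Level Three from Level Two in the grid: applying within 48 hours is not enough at Level Three, the result has to be confirmed within the same window, so a host whose verification never happened holds the whole platform at Level Two or below. Feed the function the records for each extreme risk patch in turn and take the lowest result.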

Multi-factor authentication

Workstations and servers

  Maturity Level Zero:
    - Multi-factor authentication is not implemented for users using remote access solutions, users performing privileged actions and users accessing important (sensitive or high-availability) data repositories

  Maturity Level One:
    - Multi-factor authentication is implemented for users using remote access solutions
    - In addition to passphrases, only authentication methods from the following list are used: U2F security keys, physical OTP tokens, biometrics, smartcards, mobile apps, SMS messages, emails, voice calls and/or software certificates

  Maturity Level Two:
    - Multi-factor authentication is implemented for users using remote access solutions and users performing privileged actions
    - In addition to passphrases, only authentication methods from the following list are used: U2F security keys, physical OTP tokens, biometrics, smartcards, mobile apps, SMS messages, emails and/or voice calls

  Maturity Level Three:
    - Multi-factor authentication is implemented for users using remote access solutions, users performing privileged actions and users accessing important (sensitive or high-availability) data repositories
    - In addition to passphrases, only additional authentication methods from the following list are used: U2F security keys, physical OTP tokens, biometrics and/or smartcards

  Maturity Level Four:
    - Multi-factor authentication is implemented for users using remote access solutions, users performing privileged actions and users accessing important (sensitive or high-availability) data repositories
    - In addition to passphrases, only additional authentication methods from the following list are used: U2F security keys and/or physical OTP tokens

Mitigation strategies to recover data and system availability

Daily backups

Workstations and servers

  Maturity Level Zero:
    - Backups of important new/changed data, software and configuration settings are either not performed or performed less often than monthly, or
    - Full recovery has not been tested

  Maturity Level One:
    - Backups of important new/changed data, software and configuration settings are performed monthly
    - Backups are stored online
    - Backups are stored for less than three months
    - Full recovery has been tested at least once

  Maturity Level Two:
    - Backups of important new/changed data, software and configuration settings are performed weekly
    - Backups are stored offline
    - Backups are stored for less than three months
    - Full recovery has been tested at least once and partial recovery is tested on an annual or more frequent basis

  Maturity Level Three:
    - Backups of important new/changed data, software and configuration settings are performed daily
    - Backups are stored offline
    - Backups are stored for three months or greater
    - Full recovery has been tested at least once, including after fundamental IT infrastructure changes, and partial recovery is tested on an annual or more frequent basis

  Maturity Level Four:
    - Backups of important new/changed data, software and configuration settings are performed daily or continuously
    - Backups are stored offline at multiple geographically dispersed locations
    - Backups are stored for three months or greater
    - Full recovery has been tested at least once, including after fundamental IT infrastructure changes, and full recovery is tested on an annual or more frequent basis