Duo MFA and Australia’s “Essential Eight” Cybersecurity Strategies
Figuring out how to prioritize security projects can be difficult and time-consuming. There are many cybersecurity levers to pull or buttons to push in the quest to reduce the risk surface for an organization. The breadth of the proverbial “attack surface” coupled with myriad paths to “reduce” it can combine to leave security professionals with a sense of dread. While there is no silver bullet or miracle cure for said complication, there are relevant and helpful resources that distill the problem of security overload down into manageable chunks.
The Essential Eight — While no single mitigation strategy is guaranteed to prevent cyber security incidents, organisations are recommended to implement eight essential mitigation strategies as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems. Furthermore, implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident.
One example is the Australian Government’s collaboration with the Australian Cyber Security Centre. Their recently revised and incredibly lengthy Information Security Model probably falls into the “overwhelming” category. However, the Australian Cyber Security Centre has done an excellent job of distilling the eight most important cyber security recommendations into two documents:
The Essential Eight, aside from being a fun catchphrase, is a group of eight “must-do” recommendations from the Australian Cybersecurity Centre. The eight efforts represent the highest impact low-hanging fruit for any IT or security professional. To be concrete, here are the eight broken down by theme:
Prevent Malware Delivery and Execution
Application Whitelisting: prevent the execution of non-approved applications especially those known to be problematic (ex. executables, scripts, and installers).
Patch Applications: Applications that include potentially malicious avenues like Flash and Java should be updated and patched in a timely matter.
Configure Microsoft Office Macro Settings: Macros should be blocked from internet access and make sure any macros in use are vetted and reconciled to trusted areas.
User Application Hardening: Configure web browsers to block Flash, ads and Java on the internet.
Limit Extent of Cybersecurity Incidents
Restrict Administrative Privileges: Restrict privileges based on a least privilege model. Administrators should only have access and authorization based on their responsibilities.
Multi-Factor Authentication: MFA for VPN, RDP, SSH and any user accessing privileged information is business critical.
Patch Operating Systems: Patch computers with “extreme risk” vulnerabilities within 48 hours. Whenever possible only allow the latest operating system.
Mitigation Strategies for Data Loss & Availability:
Daily Backups: On a daily basis, do a delta sync of data that is new or changed and back it up. Keep the data for 3 months. Test the backup.
For any IT or security professional, these eight items provide a great jumping-off point when starting in a new role or beginning a new project. It may seem simple, but that’s the point.
For experienced professionals, the essential eight will probably be second nature - but can still be a nice checklist or assessment on a daily basis. The items force IT administrators to ask themselves questions regarding software and resources being accessed, their current patch and who’s accessing them.
If anyone is reading the Essential Eight and starting to break a little bit of a sweat, never fear - Duo actually helps address four out of the eight. If you look at the current attack surface, you will see an increase in credential-based attacks. Being able to solve for MFA AND achieve these other goals with Essential Eight is highly valuable. A pretty nice ratio for one solution.
Multi-Factor Authentication (MFA): Duo provides MFA that is is easy to use for employees and easy to manage for IT professionals. Duo’s solution integrates simply with hundreds of different resources in an IT environment, and the flexibility in choice of authentication method make it as intuitive as possible for employees to verify their identity.
Patch Applications: Duo can easily identify when users are looking to access corporate resources from an out-of-date web browser. Policy can be set to remind the user to self-remediate and update their browser, and in critical situations, Duo can block resource access until a user has updated their browser.
Patch Operating Systems: Duo can also detect when an end user is accessing resources on a device that is running an out-of-date operating system. Whether a laptop or mobile device, corporately-owned or BYOD, Duo can prompt the employee to update their operating system. In the case of access to business critical resources, Duo can block employees if they have not yet updated to the current version of an operating system.
User Application Hardening: Duo can also set application policy based on the presence of Java or Flash. Duo can block access when it detects all versions of Java or Flash, which is recommended, but it can also limit access to the recent or most updated versions. If employees attempt to access resources and older versions of Flash or Java are detected - Duo can prompt users to update the plugin before they are granted access.
In conclusion, the Essential Eight provides a great framework for addressing security basics in any corporate environment. Whether beginning a new project or adopting a daily assessment routine, the eight concepts provide a useful checklist when thinking about security.
Check out this article on CyberScoop that reports both the Republican National Committee (RNC) and the Democratic National Committee (DNC) are using Duo's 2FA solution ahead of elections to thwart potential threats.