November 2023 ASD Essential Eight Maturity Model changes — IIS Partners

By Sascha Hess

The Australian Signals Directorate (ASD) updated its Essential Eight Maturity Model this November. Since 2017 the model has been updated regularly, supporting the implementation of the Essential Eight.

The Essential Eight can be considered a prioritised minimum security control baseline, referred to as mitigation strategies in the guide. The model comprises three maturity levels which can be considered ‘threat profiles’. Insights for refining the model are derived from various cyber-related fields, such as security testing, cyber threat intelligence, and learnings from responding to incidents.

This year, notable changes include:

Introduction of “patches assessed as critical by vendors” as an additional prioritisation criterion. Patches for critical security vulnerabilities for internet-facing systems are now required to be applied within 48 hours, even in the absence of a known exploit. Tighter time frames are also established for patching applications processing untrusted content from the internet (e.g., browser, PDF reader).
Enhancements to the use of multi-factor authentication (MFA) universally, like expanding the use of phishing-resistant MFA.
In response to attacks against citizens that continue to only use passwords, online access to organisation’s sensitive data now requires multi-factor authentication from Maturity level One.
A significant tightening of privileged account management practices around validation for requesting accounts, periodic revalidation, accounts with internet access and break-glass accounts.

As adding is typically favoured over removing in standards, it is good to see that the review also resulted in removing or easing a couple of requirements (i.e., macro execution event logging and patching for less important devices).

For a comprehensive list of changes, please visit the dedicated page on cyber.gov.au. IlS has compiled a marked-up table of the Essential Eight Maturity model which highlights the November 2023 changes for easier reference.

The increased focus on timely patching, use of robust multi-factor authentication and tightening the use of administrative access accounts help organisations to better defend against threat actors’ common attacks. IIS recommends all organisations to review their practices now in light of these changes.

IIS can help you review and uplift your current security practices and capabilities. Please contact us if you require assistance.