CIO

Australia's cyber defence agency releases new rules for mitigating threats

Expands core security controls for Government from four to eight

The cyber arm of the Australian Defence Force, the Australian Signals Directorate (ASD), has completed a remodelling of its guidelines for government departments to mitigate cyber risks.

The ASD's "Top 4" cyber security controls have been expanded to what the agency is calling the "essential eight".

The controls are mandatory for all government agencies and are also used by business as part of cyber security strategy.

The guidelines were first published in 2010 and this is the first update of the controls since 2014.

“This guidance addresses targeted cyber intrusions, ransomware and external adversaries with destructive intent, malicious insiders, 'business email compromise' and industrial control systems,” the ASD said in the report.

Previously, the four mandatory controls were application whitelisting, patching applications, patching operating system vulnerabilities, and restricting administrative privileges.

The list has now been expanded to include requirements to disable untrusted Microsoft Office macros, harden user applications, back up important data daily, and implement multi-factor authentication.

These four were already listed in the 30 other recommended security controls published by the ASD, but they have now been elevated to “essential” status by the agency.

This does not make the four new controls mandatory, as that requires a decision from government to include them alongside the existing top four in the Protective Security Policy Framework (PSPF).

“Incorporating the Top 4, the eight mitigation strategies with an 'essential' rating are so effective at mitigating targeted cyber intrusions and ransomware that ASD considers them to be the cyber security baseline for all organisations,” the ASD said.

Government departments are required to provide compliance reports to the relevant minister but are able to develop timeframes for doing so as long as they provide progress updates.

"No single mitigation strategy is guaranteed to prevent cyber security incidents. Properly implementing application whitelisting, patching applications, patching operating systems and restricting administrative privileges (referred to as the Top 4) continues to mitigate over 85 per cent of adversary techniques used in targeted cyber intrusions which ASD has visibility of," the agency said.

The release of the “essential eight” comes as the Australian Cybercrime Online Reporting Network (ACORN) revealed that it received 45,500 reports of cyber crime through its online system in 2016.


The leading types of cybercrime reported to ACORN were online fraud and scams, with 22,679 reports received, accounting for 43.97 per cent of total reports received last year. Online trading issues which affect Australians who buy and sell goods online were the secon