Australia directs businesses to apply critical security patches faster

Australia has updated its cyber risk mitigation guidelines for organizations, making changes that include a timeline for applying critical patches and limits to administrative privileges. 

The tweaks are part of an annual update of the nation's Essential Eight Maturity Model, first introduced in June 2017 to guide businesses in safeguarding their internet-connected IT networks against common cyber threats, according to the Australian Signals Directorate (ASD). The updates are based on insights from threat intelligence and penetration tests, assessment of Essential Eight implementations, and feedback from the public and private sectors, both locally and globally.

Also: 6 simple cybersecurity rules you can apply now

The latest revision also encompasses the adoption of "phishing-resistant" multifactor authentication, cloud services management, and incident detection and response for internet-facing infrastructure, said ASD. The intelligence agency sits within the federal government's Department of Defence, where it oversees information security and signals intelligence related to the country's telecommunications, data, and communication networks. 

The Essential Eight Maturity Model provides a baseline designed to make it tougher for adversaries to compromise systems. The model covers eight key areas, such as application control, Microsoft Office macro restrictions, and user application hardening. 

With the latest update, there is an added focus on higher priority patching instances, said ASD, adding that this was implemented based on its assessment of the average time malicious actors take to exploit vulnerabilities. 

When vendors assess a vulnerability to be of a critical nature, such as its ability to bypass authentication for privileged access or facilitate remote code execution without user interaction, organizations should patch or mitigate the vulnerability within 48 hours. This change applies to maturity levels one through to three, ASD noted. 

Under the Essential Eight model, maturity level one is usually applied to small and midsize businesses, while level two is suitable for large enterprises. Level three maturity level is for critical infrastructure providers and organizations that operate in high-threat environments. 

Also: SMBs face growing cybersecurity threats, but basic measures can lower risks

"In providing prioritized patching guidance, increased emphasis has been placed on patching applications that routinely interact with untrusted content from the internet, such as office productivity suites, web browsers, email clients, PDF software, and security software," ASD explained. 

This has driven the need for a shorter patching timeframe for such applications, from within one month to two weeks. Vulnerability scanning activities also have been updated from at least fortnightly to at least weekly for these applications, the government agency said. This change impacts companies with level one maturity.

To help companies meet these changes, patching timeframes for operating systems for less important devices, such as workstations and non-internet-facing servers, have been extended from within two weeks to within one month. Vulnerability scanning activities for such devices also have been revised from at least weekly to at least fortnightly. This change will impact companies in maturity levels two and three. 

In addition, various requirements have been applied to address the absence of governance processes related to granting and controlling privileged access to data repositories. 

Also: Cybersecurity 101: Everything on how to protect your privacy and stay safe online

"Requirements preventing access to the internet by privileged accounts have been amended in a measured manner to support the management of cloud services," ASD said. "Such accounts will need to be explicitly identified and strictly limited to required accesses and duties."

This change impacts companies with maturity levels of one through to three. 

Under restrictions to administrative privileges, for instance, companies in level two maturity should add a requirement to validate first-time requests for privileged access to data repositories. They also should disable privileged access to data repositories after 12 months unless revalidated.