Cybersecurity is a top priority for organisations of all shapes and sizes. For decades, cybersecurity frameworks have been created to provide guidelines that help organisations understand their security posture and provide actionable tasks to improve it. These frameworks, such as the ASD Essential Eight, provide best practices, controls and processes that are designed to protect your information and infrastructure.
Frameworks will outline key components of a security program, including access control (MFA, limiting admin privileges), patching of operating systems and applications and ensuring backups are in place. The intention is for organisations to use these frameworks to build out a security strategy, aligning their documented policies and procedures to the standards so they can mitigate risks and respond to vulnerabilities and incidents effectively.
While these frameworks can provide significant benefit, and function as building blocks for a broader security programme, they are not flawless. In this blog series we will look at the Good, Bad and Ugly sides of these frameworks, and because it's Cyber Security Awareness Month we will focus on the ASD Essential Eight as an example.
Here is what you can expect in the blog series unpacking the Essential 8!
- Part 0, this article right here, will dive into how a framework is intended to function at a high level.
- Part 1 dives headlong into the Good: how frameworks provide guidance, establish those baselines and best practices and improve your security posture against common threats. We will showcase how businesses use these frameworks to strengthen their defences.
- Part 2, we look at the Bad. It’s not all sunshine and rainbows; adhering to security frameworks is not always simple. It can build in inflexibility, increase the burden on your resources, encourage a dangerous “box ticking” mindset and lead to technical debt!
- Finally, the Ugly: what are the hidden risks? There is no silver bullet, or one framework to rule them all! This section will cover how frameworks can lag behind technology, how easy it is to develop a false sense of security and the dangers of predictable security measures an attacker may exploit.
By the end of the series I hope you have a clearer understanding of the risks and benefits of utilising security frameworks. Join us as we unravel the world of cybersecurity frameworks and equip your organisation with the knowledge needed to navigate the modern threat landscape.
But first….Frameworks! – How do they work?
Governance, Controls and Frameworks!
Well, as you may have pieced together already, know from previous experience, or have no clue about…frameworks are a group of “controls”.
“But what’s a control? Isn’t that just the little button on my keyboard?”
In the context of cybersecurity a control is “a mechanism used to prevent, detect or mitigate a threat or attack”.
Broadly, these are:
- Physical controls like a security guard and locks on doors (not really relevant to this discussion)
- Technical controls like multifactor authentication
- Administrative controls like policies and procedures (the really exciting stuff)
- Operational controls like awareness training, asset classification, reviewing logs (also exciting)
When you implement one of these controls (again very broadly) you want to be able to demonstrate that you meet the outcome of the control and can provide evidence of meeting that control.
“What are you talking about Scott?!”
I’m glad you asked. Meeting the outcome of a control would be getting an MFA prompt when you sign into Outlook or Teams.
Evidence of meeting that control could include a screenshot of the MFA prompt being applied, copies of the Conditional Access Policy you used to configure the MFA, and a copy of the policies and procedures used to manage MFA in your environment.
Ultimately you need to be able to demonstrate a configuration is working and be able to provide evidence on how it is configured and why.
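To make the "evidence" idea concrete, here is an added example (not from the Essential Eight or any Microsoft tooling) that reads an exported set of Conditional Access policies and records whether any of them actually enforces MFA for all users. The sample export is constructed, the field names assume the Microsoft Graph conditionalAccessPolicy JSON shape, and the function names and the group ID are hypothetical.

```python
import hashlib
import json

# Constructed sample export, shaped like Microsoft Graph
# conditionalAccessPolicy objects. Not real tenant data.
SAMPLE_EXPORT = json.dumps([
    {"displayName": "Require MFA - all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["break-glass-group-id"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA pilot", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA or compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR",
                       "builtInControls": ["mfa", "compliantDevice"]}},
])

def assess_policy(policy):
    """Return (gaps, exclusions) for one policy; no gaps means MFA is enforced."""
    gaps = []
    if policy.get("state") != "enabled":
        gaps.append("state is %r, so nothing is enforced" % policy.get("state"))
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        gaps.append("grant controls do not include mfa")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        gaps.append("mfa can be skipped by satisfying another control")
    users = (policy.get("conditions") or {}).get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        gaps.append("policy is not scoped to all users")
    # Exclusions are not a failure, but each one needs a documented reason.
    exclusions = [v for k in ("excludeUsers", "excludeGroups", "excludeRoles")
                  for v in users.get(k) or []]
    return gaps, exclusions

def build_evidence(export_text):
    """Summarise an export as an evidence record tied to the file's hash."""
    records = []
    for policy in json.loads(export_text):
        gaps, exclusions = assess_policy(policy)
        records.append({"policy": policy.get("displayName"), "gaps": gaps,
                        "exclusions_to_justify": exclusions})
    return {"export_sha256": hashlib.sha256(export_text.encode()).hexdigest(),
            "control_met": any(not r["gaps"] for r in records),
            "records": records}
```

Calling `build_evidence(SAMPLE_EXPORT)` shows the two traps a screenshot alone would miss: a report-only policy and a policy where MFA is only one of several acceptable grant controls.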
Stay tuned for the next part!
Further reading about the Essential Eight can be found at cyber.gov.au: Essential Eight Explained | Cyber.gov.au