Risk Mitigation Strategies for Enterprise Systems in Australia
By Shane Boulden, Associate Principal Solution Architect.
According to the Australian Cyber Security Centre (ACSC), Australian organizations are increasingly being targeted by cyber security threats. Leading the Australian Government’s efforts to prevent cybercrime, the ACSC published the Essential Eight—a set of baseline recommendations that define the minimum security controls that should be applied to protect IT systems.
At Red Hat, we believe that implementing cyber security risk mitigation strategies should be automated instead of an unnecessary burden on IT teams. To this end, we ship several widely used security policies with our products that help Australian enterprises implement the risk mitigation strategies identified in the ACSC Essential Eight.
RED HAT’S APPROACH TO IMPLEMENTING THE ESSENTIAL EIGHT
The Essential Eight baseline is designed to make systems harder to compromise. Australian Government organizations, businesses, and individuals are recommended to adopt these eight essential strategies:
- Applying application control to prevent the execution of unapproved and malicious programs.
- Patching applications and using the latest version of applications.
- Configuring Microsoft Office macro settings.
- Setting up user application hardening.
- Restricting administrative privileges to operating systems and applications.
- Patching operating systems, ensuring “extreme risk” vulnerabilities are patched within 48 hours.
- Using multifactor authentication, including for virtual private networks (VPNs), remote desktop protocols (RDP), Secure Shell (SSH), and other remote access tools.
- Scheduling regular backups of data, software, and configurations.
HOW RED HAT ENTERPRISE LINUX SUPPORTS THE ESSENTIAL EIGHT STRATEGIES
Application control is a critical risk mitigation strategy in the ACSC’s guide, which helps ensure that non-approved applications—including malicious code—are prevented from executing. Red Hat® Enterprise Linux® includes an ACSC Essential Eight profile with the File Access Policy Daemon (fapolicyd) to address this requirement. The fapolicyd software framework is supported with Red Hat Enterprise Linux 8, and the framework supports application control based on a user-defined policy.
Patching applications is essential to ensuring potentially exploitable application vulnerabilities are mitigated. Red Hat has worked with customers to create patch management strategies across both Windows and Linux environments, using Red Hat Ansible® Automation Platform to codify update processes.
Another critical strategy is the requirement for regular backups. Bare-metal systems power many hybrid cloud workloads, and teams typically face three challenges to restore a system in the event of an incident:
- Booting a rescue system on the new hardware.
- Replicating the original storage layout.
- Restoring user and system files.
Most backup software only solves the third challenge. To solve the first and second, Red Hat Enterprise Linux includes Relax-and-Recover (ReaR), a disaster recovery and system migration utility.
Relax-and-Recover complements backup software by creating a rescue system, allowing teams to replicate the partition layout and file system on new hardware and prompting for user and system files.
Red Hat also supports customers adopting containers to meet the requirements of the Essential Eight patching strategies. Red Hat OpenShift® supports over-the-air updates, ensuring infrastructure can be kept up-to-date. Using Red Hat Advanced Cluster Security for Kubernetes, teams can see their exposure to unpatched vulnerabilities present in running containers and take actions to mitigate these risks.
Controlling privileged access is another Essential Eight strategy that allows organizations to secure their infrastructure and applications, run business processes efficiently, and maintain the confidentiality of sensitive data and critical infrastructure. Red Hat works with partners like CyberArk to support and automate privileged access management workflows with Ansible Automation Platform, allowing credentials stored in CyberArk to be used when required by Ansible plays. In addition, containerized applications deployed to Red Hat OpenShift can use the CyberArk Conjur Secretless Broker to access credentials stored and audited centrally, without needing to inject these into applications where they can potentially be leaked.
IMPLEMENTING THE ESSENTIAL EIGHT STRATEGIES IN LINUX SYSTEMS
The ACSC published a guide outlining how the Essential Eight can be applied to Linux systems. Red Hat has codified this guidance and included it in the ACSC Essential Eight profile available with Red Hat Enterprise Linux. The ACSC Essential Eight profile is available in the scap-security-guide package in Red Hat Enterprise Linux 7 and 8 since versions 7.8 and 8.2, respectively. The Security Content Automation Protocol (SCAP) Security Guide documentation is installed with the scap-security-guide-doc package under /usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html.
We also provide an Ansible playbook that can be used to remediate systems against the baseline.
Red Hat also provides an Essential Eight profile for use with Red Hat OpenShift. This profile allows teams using Red Hat OpenShift to scan the container against the Essential Eight baseline and report on compliance for both operating system and application programming interface (API) configurations.
The Essential Eight profile for Red Hat OpenShift is provided with every subscription through the Compliance Operator. Read more in a guide to Red Hat OpenShift and the Essential Eight.