Identity remains the predominant cyber attack vector, and it’s not slowing down anytime soon.

As we have seen in many breaches, attackers ‘simply’ login through a remote access platform and commence their attack.

It’s little wonder then, that in November 2023, the Australian Signals Directorate (ASD) refreshed the Essential Eight Maturity Model (E8MM) to address this increased exposure.

The November Essential 8 refresh represents the sixth time the maturity model has been refreshed since it was first published in June 2017.

The E8 establishes a solid set of controls and practices which cover the ‘basics’ of what any organisation should do across 3 levels of maturity, within each of the 8 control areas.

The most recent refresh in November includes some larger changes to Multi-Factor and Restrict Admin Privileges requirements, and to put it simply, gone are the days that an organisation simply deploys app-based push notifications, SMS or voice-based multi-factor for external users.

In this article we're going to focus on the MFA changes. These directly relate to the rise in Adversary-in-the-Middle (AITM), and MFA fatigue attacks, as means of bypassing traditional MFA challenges.

These attacks have grown exponentially in recent years and this has strengthened the need to increase the use of device telemetry and context that informs authentication requests.

‍
Let’s break down some of the key changes to Essential 8 and the solid reasoning behind the changes:

‍Evolution of Factors

It's no longer acceptable to use ‘something a person knows' such as secret questions, PIN and password. MFA must include ‘something users have’ to minimise ambiguity and this applies to maturity level one as a basic practice. This can be a hardware token or Windows Hello for Business.

Phish-Resistant Moving on up

This is the first release which has established that real-time MFA mechanisms like push notifications via mobile app and SMS are no longer acceptable for Level 2 maturity.

Moving to hardware tokens such as FIDO/WebAuthN hardware ensure the authentication cannot be interfered with by an attacker (or a user tricked into providing a code or accepting a push notification).

Even The Cybersecurity and Infrastructure Security Agency in the US has issued directives to push for the adoption of phish resistant factors.

Won’t Someone Please Think of the Customers

The updated requirements now ensure MFA protections extend to customer web portals that contain sensitive information or functions, and we expect this to continue to expand in coming years.

Given recent widespread credential stuffing attacks, where attackers buy a user's compromised password for one service and attempt to login to a range of other services, hoping the password used is the same.

Overall, these MFA requirements have started to align with the National Institute of Standards and Technology (NIST) 800-63B requirements around authenticator assurance levels and we expect these requirements to become more specific and onerous over time.

It doesn’t need to be complicated to meet these requirements; in fact, the majority of enterprises already have the tools needed to rollout additional protections, and by doing so you may also have the added advantage of making it easier for your employees and your customers accessing what they need to, securely and easily.

‍

‍Get in touch if you want to find out more.