
Thu Jun 22 2023

Boosting Your Web Application Security: Unveiling the Secrets of ASD’s Essential Eight Controls


In today’s digital landscape, web applications play a crucial role in driving businesses forward. However, as online threats grow more sophisticated, securing these applications has become imperative. At Arcadian Digital, our team prioritises the security of our clients’ web applications by referencing the Australian Signals Directorate (ASD) Essential Eight.


We understand the threat posed by attackers who use commonly available techniques to gain unauthorised access to, and control over, websites, web applications, Content Management Systems (CMS) and third-party services such as Amazon Web Services (or other hosting accounts), Customer Relationship Management systems and more.

The reality is that attackers exploit vulnerabilities in internet-facing services, and also authenticate with stolen, reused or guessed credentials. They often target sites opportunistically rather than specifically, scanning many systems for the same common, widely known weaknesses rather than for flaws unique to one site.

User accounts are targeted so that an attacker can use the privileges the account already holds, or escalate them so that a low-privileged account can perform administrator tasks. The aim may be data theft, data destruction, denial of service that disrupts access to data, or simple vandalism.

This is where we come in. We implement robust security measures and industry best practice to protect against these threats where they are relevant to a given system. This proactive approach is how we protect data integrity, system availability and user confidentiality.

As most of our software runs on Linux, we base our implementation on the Australian Cyber Security Centre (ACSC) guidance on Hardening Linux Workstations and Servers, which is more specific to the infrastructure and applications we run. The ASD Essential Eight defines several Maturity Levels (Zero to Three); we focus on Maturity Level One, which covers the following eight controls:

Application Control

How We Address This

We address Application Control in Linux-based environments by controlling which programs may execute, and what each of them may touch, rather than trusting anything that happens to be on disk.

Example

We use Linux access control mechanisms, including mandatory access control (MAC) frameworks such as AppArmor. An AppArmor profile confines a process to a predefined set of files it may read, write and execute, so a web server or container that is compromised cannot run arbitrary binaries or read files outside its profile. AppArmor confines individual programs rather than providing a whole-system executable allow-list, so the profiles are scoped to the components that face the internet: the web server itself, or the Docker container running the CMS.

This ensures that only trusted and authorised applications can run within the CMS environment, and reduces the risk of unauthorised or malicious software compromising the system.
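As an added example of the confinement described above (this is not Arcadian Digital’s own profile), the script below generates an AppArmor profile for nginx on Ubuntu that allows the server to read its configuration, certificates and the site root, write only its logs and runtime state, and execute nothing but its own binary, then loads it in complain mode. The nginx paths, the site root argument and the php-fpm socket under /run/php are assumptions for the illustration.

```shell
#!/usr/bin/env bash
# Added example (not Arcadian Digital's own code): generate an AppArmor profile
# that confines nginx to the files it needs, then load it in complain mode first.
# Assumptions: Ubuntu paths for nginx, a site root passed as an argument, and
# php-fpm reached over a unix socket under /run/php.
set -euo pipefail

# nginx_profile WEBROOT -> prints the profile for /usr/sbin/nginx to stdout.
# Anything not listed is denied by AppArmor's default policy; the explicit
# deny rules make the important cases unmistakable and keep them out of the logs.
nginx_profile() {
  local webroot=$1
  cat <<EOF
#include <tunables/global>

/usr/sbin/nginx {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  capability net_bind_service,
  capability setuid,
  capability setgid,
  network inet stream,
  network inet6 stream,

  # the server binary itself is the only thing that may be executed
  /usr/sbin/nginx mr,
  deny /bin/** x,
  deny /usr/bin/** x,

  # configuration, certificates and runtime state
  /etc/nginx/** r,
  /etc/ssl/** r,
  /run/nginx.pid rw,
  /run/php/*.sock rw,
  /var/lib/nginx/** rw,
  /var/log/nginx/** w,

  # site content is read-only and nothing under it may be written or executed,
  # so a script dropped into an upload directory is inert as far as nginx is concerned
  ${webroot}/** r,
  deny ${webroot}/** wx,
}
EOF
}

# load_profile WEBROOT -> writes the profile and loads it in complain mode.
# Complain mode logs would-be denials without enforcing them; switch to
# enforce with "aa-enforce usr.sbin.nginx" once the logs are clean.
load_profile() {
  local file=/etc/apparmor.d/usr.sbin.nginx
  nginx_profile "$1" > "$file"
  apparmor_parser -r -C "$file"   # -C: load in complain mode
  aa-status | grep -q nginx
}
```

Run it on a staging server first: after load_profile, exercise the site, review the denials that complain mode records with aa-logprof, add any path that is genuinely needed (a missing capability or temp directory shows up here), and only then enforce the profile.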

Patch Applications

How We Address This

We ensure applications are patched regularly for Linux-based environments. This includes the Linux operating system (generally Ubuntu in our case) and web server software like NGINX, Apache, and others commonly used to run our websites and web applications.

Example

For each website or web application we manage we follow a defined patch management process. Updates are applied first to a test environment (the staging environment) and then to production. Critical patches, and security patches released outside the normal cycle, are prioritised, and every patch is monitored after deployment and verified to have applied.

Configure Microsoft Office Macro Settings

How We Address This

As Microsoft desktop applications do not run natively on Linux environments, this control is largely outside the scope of our servers. We do ensure that macros are disabled by default on our Windows workstations to mitigate the risk of macro-based malware. Administrators retain the flexibility to adjust these settings where a specific business need requires it.

User Application Hardening

How We Address This

We harden the web servers we run by whitelisting the applications that may execute, restricting user privileges to the tasks each account actually needs, and shipping secure default configurations for the web server software and the applications running on it. Together these measures shrink the attack surface of the web server environment and mitigate vulnerabilities in software that is installed but not needed.

Example

For example, on an Ubuntu web server we create a dedicated deployment role to deploy code rather than using the administrator account. We also disable or remove software that isn’t used, and restrict applications such as NGINX and Apache so that they can only access the folders they require.

Restrict Administrative Privileges

How We Address This

To address this control we adopt the principle of least privilege and implement strong access controls. Least privilege is the security concept that each user is granted only the minimum level of access necessary: privileges and permissions are restricted to what the user needs to fulfil their specific role or responsibilities, and nothing more.

Example

For example, in a CMS solution or web application running on Ubuntu, we would implement:

  • User Role-Based Access: We define different user roles with specific privileges based on their responsibilities. Administrators have elevated privileges for managing the system, whereas a deployment user has only the privileges needed to perform CI/CD tasks.
  • Sudo Access: We configure sudo carefully, granting it only to the users who need it (in our case a single administrator account) and limiting the commands each may execute.
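The deployment role from the User Application Hardening example and the limited sudo access above, as one added example (not Arcadian Digital’s own tooling): a sudoers fragment that lets the deploy account do exactly one privileged thing, a function that sets the site’s file ownership and modes so the web server can read but not write the code, and a check a CI job can run after every deploy. The user names deploy and www-data, the Drupal upload directory sites/default/files, and the reload command are assumptions for the illustration.

```shell
#!/usr/bin/env bash
# Added example (not Arcadian Digital's own code): a dedicated deployment
# account that owns the site files, a sudoers rule that lets it do exactly one
# privileged thing, and a permission check a CI job can run after each deploy.
# Assumptions: nginx/php-fpm run as www-data, the site root is passed in, and
# the CMS writes only to its uploads directory (Drupal's sites/default/files).
set -euo pipefail

# deploy_sudoers USER -> prints a fragment for /etc/sudoers.d/USER that allows
# only a reload of nginx; "sudo -l" run as USER then shows nothing else.
# Validate before installing with: visudo -cf /etc/sudoers.d/USER
deploy_sudoers() {
  local user=$1
  cat <<EOF
# $user may reload nginx after a deploy and nothing else
Cmnd_Alias NGINX_RELOAD = /usr/bin/systemctl reload nginx
$user ALL=(root) NOPASSWD: NGINX_RELOAD
EOF
}

# harden_webroot ROOT UPLOADS -> site files are readable but not writable by the
# web server (owner deploy, group www-data); only UPLOADS is writable by it.
harden_webroot() {
  local root=$1 uploads=$2
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -exec chmod 640 {} +
  find "$uploads" -type d -exec chmod 770 {} +
  find "$uploads" -type f -exec chmod 660 {} +
  # chown needs root and the accounts to exist; the checks below work without it
  if [ "$(id -u)" -eq 0 ] && id deploy >/dev/null 2>&1; then
    chown -R deploy:www-data "$root"
  fi
}

# world_writable ROOT -> lists anything writable by "other"; should print nothing
world_writable() {
  find "$1" -perm -002 \( -type f -o -type d \)
}

# php_in_uploads UPLOADS -> lists PHP files in the upload tree. The upload
# directory is the one place the web server may write, so PHP appearing there
# after a deploy is a sign of something dropped by an attacker, not of the site.
php_in_uploads() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \)
}

# check_webroot ROOT UPLOADS -> exit 0 only when both checks are clean
check_webroot() {
  [ -z "$(world_writable "$1")" ] && [ -z "$(php_in_uploads "$2")" ]
}
```

The split is the point: the deploy account owns the code and can replace it, the web server account can only read it, and neither can modify the other’s area. Pair this with an nginx location rule that refuses to pass anything under the upload directory to php-fpm.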

Patch Operating Systems

How We Address This

We take a proactive approach to keeping operating systems and web server software up to date with the latest security patches. We continuously monitor the official sources and repositories for security updates; once a security patch is identified it enters the patch management process, and key security updates released outside the normal patch cycle are deployed promptly.

Example

In a Linux-based environment, we prioritise security updates for a CMS solution or web application running on Ubuntu by:

  • Enabling automatic security updates
  • Regularly reviewing patches for the relevant operating system versions and web server software
  • Running a staging environment to ensure updates do not adversely affect the application or its functionality
  • Following a scheduled maintenance and patch deployment process
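The automatic updates and patch review steps above, and the staging-first process in the Patch Applications section, as one added example (not Arcadian Digital’s own configuration): an unattended-upgrades configuration for Ubuntu that applies only the security pocket and leaves reboots to the maintenance window, plus a small filter that pulls the pending security updates out of apt’s upgradable list so the same set can be applied to staging first. The sample apt output is constructed for the demonstration and its version numbers are placeholders, not real advisories.

```shell
#!/usr/bin/env bash
# Added example (not Arcadian Digital's own code): security-only automatic
# updates for Ubuntu, and a check that lists the security updates still pending
# so the same set can be applied to staging before the maintenance window.
# Assumption: Ubuntu with the unattended-upgrades package installed.
set -euo pipefail

# unattended_conf -> apt configuration that applies only the -security pockets
# automatically and never reboots on its own (reboots belong to the planned window)
unattended_conf() {
  cat <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# periodic_conf -> refresh package lists and run unattended-upgrade daily
periodic_conf() {
  cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# pending_security -> reads "apt list --upgradable" output on stdin and prints
# the packages whose upgrade comes from a -security pocket, one per line.
# Lines look like: pkg/jammy-security 1.2-3 amd64 [upgradable from: 1.2-2]
pending_security() {
  awk -F'[/ ]' 'NR > 1 && $2 ~ /-security$/ { print $1 }'
}

# install_conf -> write both fragments, then show what the next run would do
install_conf() {
  unattended_conf > /etc/apt/apt.conf.d/50unattended-upgrades
  periodic_conf   > /etc/apt/apt.conf.d/20auto-upgrades
  unattended-upgrade --dry-run --debug
}

# Constructed sample of "apt list --upgradable" output for the demonstration;
# the package versions are placeholders, not real advisories.
SAMPLE_UPGRADABLE=$(cat <<'EOF'
Listing...
libssl3/jammy-security 3.0.2-0ubuntu1.10 amd64 [upgradable from: 3.0.2-0ubuntu1.9]
nginx-core/jammy-security 1.18.0-6ubuntu14.4 amd64 [upgradable from: 1.18.0-6ubuntu14.3]
vim/jammy-updates 2:8.2.3995-1ubuntu2.9 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.7]
EOF
)
```

On a live host the filter is fed with `apt list --upgradable 2>/dev/null | pending_security` (apt prints a warning about its CLI not being stable to stderr, hence the redirect); the list it prints is what goes to staging first, and an empty list after the window is the verification that the patches applied.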

Multi-Factor Authentication

How We Address This

We add Multi-Factor Authentication (MFA) as an additional layer of authentication for access to a CMS solution or web application, using either SMS or an authenticator app such as Google Authenticator as the second factor. An authenticator app is the stronger option, since SMS codes can be intercepted or redirected (for example through SIM swapping). It’s also worth noting that, although MFA is important, we often hear from a business perspective that it cannot be implemented or is too intrusive for day-to-day operations, so it is sometimes left out as an accepted, documented risk.

Example

Users register on the Drupal CMS with an email address and password. During registration they are prompted to set up 2FA for their account: they install a trusted authenticator app on their mobile device, such as Google Authenticator or Authy, then in their account settings scan a QR code with the app, which loads the shared secret into it.

When logging in, users enter their email address and password, followed by the current verification code generated by the app. If the code matches the one the server computes for the current time window, access to the Drupal CMS is granted. Requiring both a password and a time-based one-time code means a stolen or guessed password alone is not enough to take over the account.
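The server side of that login, as an added example (this is not Arcadian Digital’s code and not the Drupal TFA module): the RFC 6238 time-based one-time password computed with bash and openssl, and a verify function that accepts the current 30-second window plus one either side to absorb clock drift. The shared secret is handled as hex here, which is an assumption for the illustration; the QR code the user scans carries the same secret base32-encoded. The key used is the published RFC 4226/6238 test secret, so the codes can be checked against the RFC’s tables.

```shell
#!/usr/bin/env bash
# Added example (not Arcadian Digital's code and not the Drupal TFA module):
# the server side of the login described above, i.e. RFC 6238 TOTP computed
# with bash and openssl, with a one-step window either side for clock drift.
# Assumption: the shared secret is handled as hex here; the QR code the user
# scans carries the same secret base32-encoded.
set -euo pipefail

# hotp HEXKEY COUNTER [DIGITS] -> the RFC 4226 code for one counter value
hotp() {
  local hexkey=$1 counter=$2 digits=${3:-6}
  local chex mac off bin
  chex=$(printf '%016x' "$counter")              # 8-byte big-endian counter
  # HMAC-SHA1(secret, counter) over the raw counter bytes
  mac=$(printf "$(printf '%s' "$chex" | sed 's/../\\x&/g')" \
        | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey" | sed 's/^.*= //')
  off=$(( 16#${mac:39:1} ))                       # dynamic truncation: low nibble of last byte
  bin=$(( 16#${mac:off*2:8} & 0x7fffffff ))       # 31 bits starting at that byte offset
  printf '%0*d\n' "$digits" $(( bin % 10**digits ))
}

# totp HEXKEY UNIXTIME [STEP] [DIGITS] -> the code for the window containing UNIXTIME
totp() {
  local hexkey=$1 now=$2 step=${3:-30} digits=${4:-6}
  hotp "$hexkey" $(( now / step )) "$digits"
}

# totp_verify HEXKEY CODE UNIXTIME [STEP] -> exit 0 if CODE matches the current
# window or the one before or after it. A real server also records the counter
# it accepted and rejects it a second time, so a captured code cannot be replayed
# within the window.
totp_verify() {
  local hexkey=$1 code=$2 now=$3 step=${4:-30} c
  for c in $(( now / step - 1 )) $(( now / step )) $(( now / step + 1 )); do
    [ "$c" -ge 0 ] || continue
    [ "$(hotp "$hexkey" "$c")" = "$code" ] && return 0
  done
  return 1
}

# RFC 4226 / RFC 6238 test secret "12345678901234567890" as hex
RFC_TEST_KEY=3132333435363738393031323334353637383930
```

Two things this makes visible that the description above does not: the secret never leaves the server and the app after enrolment (only the six-digit result crosses the network), and the verify step is what decides how much clock drift is tolerated, so a wider window trades convenience for a larger set of codes an attacker could guess.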

Regular Backups

We perform regular backups of our Linux-based environments. This addresses the ‘Regular backups’ control of the ASD Essential Eight and ensures that any disaster recovery we need to perform goes smoothly.

All web servers and database servers have a daily backup retained on a rolling 30-day basis, so that data can be restored quickly and efficiently after data loss or a system failure. A backup is only useful if an attacker who compromises the server cannot also delete it, so backup copies need to be kept on storage separate from the server they protect.

Additionally, all code lives in a version control system that keeps its full history, so any change can be tracked and reverted if needed. Together, backups and version control safeguard our clients’ data and support business continuity.
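A rolling 30-day backup of the kind described above, as an added example (not Arcadian Digital’s own backup tooling): a daily site archive with a checksum, a restore check that reads the archive back, a database dump, and pruning of anything older than the retention window. The site root and backup directory are passed in, and the database dump assumes mysqldump reading credentials from ~/.my.cnf; both are assumptions for the illustration. The backup directory should itself be synchronised to separate storage.

```shell
#!/usr/bin/env bash
# Added example (not Arcadian Digital's own backup tooling): a daily site backup
# with a checksum, a restore check, and pruning to a rolling 30-day window.
# Assumptions: a site root and a backup directory passed in; the database dump
# is produced by mysqldump reading credentials from ~/.my.cnf.
set -euo pipefail

# backup_site ROOT DEST [STAMP] -> writes DEST/site-STAMP.tar.gz and its sha256;
# prints the archive path. STAMP defaults to today's date (UTC).
backup_site() {
  local root=$1 dest=$2 stamp=${3:-$(date -u +%Y%m%d)}
  local archive="$dest/site-$stamp.tar.gz"
  mkdir -p "$dest"
  tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")"
  openssl dgst -sha256 -r "$archive" | cut -d' ' -f1 > "$archive.sha256"
  printf '%s\n' "$archive"
}

# backup_db DEST [STAMP] -> dump every database; credentials come from ~/.my.cnf
backup_db() {
  local dest=$1 stamp=${2:-$(date -u +%Y%m%d)}
  mysqldump --all-databases --single-transaction | gzip > "$dest/db-$stamp.sql.gz"
}

# verify_backup ARCHIVE -> exit 0 only if the checksum matches and the archive
# lists cleanly; a backup nobody has tried to read back is not yet a backup
verify_backup() {
  local archive=$1
  [ "$(openssl dgst -sha256 -r "$archive" | cut -d' ' -f1)" = "$(cat "$archive.sha256")" ] \
    && tar -tzf "$archive" > /dev/null
}

# prune_backups DEST [DAYS] -> delete archives (and their checksums) older than DAYS
prune_backups() {
  local dest=$1 days=${2:-30}
  find "$dest" -maxdepth 1 -type f \( -name 'site-*' -o -name 'db-*' \) -mtime +"$days" -delete
}

# count_backups DEST -> number of site archives currently retained
count_backups() {
  find "$1" -maxdepth 1 -type f -name 'site-*.tar.gz' | wc -l | tr -d ' '
}

# daily ROOT DEST -> the sequence a cron job runs once a day
daily() {
  local archive
  archive=$(backup_site "$1" "$2")
  backup_db "$2"
  verify_backup "$archive"
  prune_backups "$2" 30
}
```

The checksum file is what turns "the file exists" into "the file is the one we wrote": a verify step that fails on a modified or truncated archive is the earliest warning that a backup has been tampered with or did not complete, and it is cheap enough to run on every backup rather than only when a restore is needed.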

Cyber Security is of utmost importance in today’s digital landscape. The Australian Signals Directorate (ASD) Essential Eight controls provide a solid conceptual foundation for enhancing security. While not all controls may apply or be feasible for every setup and business, understanding the risks they address is crucial. 

At Arcadian Digital, we recognise the uniqueness of each organisation and offer tailored solutions to assess and strengthen its security measures. If you need assistance in reviewing your current setup or implementing these controls, we are here to help. Contact us today to safeguard your digital assets and protect against evolving cyber threats.

Get in touch

We’d love to hear about your digital requirements. Even if you don’t quite know what you need, get in touch as we can help formulate a whole digital strategy to meet your business objectives.

Contact us

Level 16, 459 Collins Street, Melbourne, VIC 3000

03 9090 7070

hello@arcadiandigital.com.au

© Copyright Arcadian Digital Pty. Ltd.