Essential Eight vs Vulnerability Scanning: What’s the Difference?
By Andrew McDowell
What is vulnerability scanning for websites?
Vulnerability scanning is pretty much what it sounds like: a test for weak points in a website's technology setup that make it vulnerable to exploits. The real-world equivalent is having your house reviewed by a physical security expert for weak points that criminals can use to break in when you are not at home.

Checking a website for vulnerabilities is done using purpose-built software tools. There is a great variety of tools out there for this, and they break down into two categories: open-source and proprietary. Open-source solutions are built by communities of technologists and software developers and are made freely available through code repositories or binary distribution downloads. A common pattern is a company building a software solution, making it available to the community for free, and providing paid services around it; Linux is probably the most successful example of this. Proprietary solutions are those made by commercial companies who do not share the solution but charge for it. These solutions run the full spectrum from cheap ($25 per month) to very expensive ($1 million and upwards with support contracts). They all perform the same basic function of testing your website for weaknesses.

The difference between this and cybersecurity penetration testing is that vulnerability testing is the starting point for a pen-test. Skilled pen-testers will run vulnerability scans probing different parts of a website and its accompanying services looking for weak points, much like a criminal casing a house. When a pen-tester has assessed the weak points, they begin the process of exploiting them to see how far they can be leveraged for criminal activity, such as IP theft, financial gain, ransomware, or reputation loss. Keep in mind, not all criminal activity is about stealing. Just as much damage to a brand can be caused by hijacking a business website and replacing legitimate images with offensive ones. For a lot of businesses this kind of reputation loss is hard to come back from.
What is the Essential Eight compliance standard?
The Essential Eight is a compliance standard produced by the Australian Signals Directorate specifically for SMEs.
"The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, in the form of the Strategies to mitigate cyber security incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight." (ASD Essential Eight Assessment Process Guide)
Where the Essential Eight differs from ISO standards with international appeal, such as ISO 9001 and ISO 27001, is in its scope and in how companies use it. The Essential Eight is a tight set of controls that fits all businesses regardless of size, and there is no official audit that needs to be done by registered auditors. Instead, assessments are made against the standard's controls, which can be done by in-house staff with a reasonable technical background. This makes the Essential Eight compliance framework very accessible: companies are not on the hook for tens of thousands of dollars to get certified. Any company can make a self-assessment by following the controls and documenting its achievement. This gives it a benchmark that provides real guidance on its level of risk and what it needs to do to reduce it.
How do they fit together?
Assessments are point-in-time benchmarks, while vulnerability testing done with scanning tools provides ongoing monitoring. To use a real-world analogy, an assessment is the security expert coming to your house twice a year to check that your locks are in working order, testing the batteries on your outside cameras and their wiring, and all the other testable items, which they then note in a report and give to you. Monitoring is the work your cameras do, every day and night, which gives you peace of mind that the boundary of your house is always watched, particularly when you're not at home.
Evidence of monitoring is part of the assessment controls: it proves that you are checking your digital assets with reasonable frequency so that you stay ahead of vulnerabilities that expose you to risk. A reasonable frequency would be weekly testing of your website for vulnerabilities, even for sites that don't change all that often. Remember, while you may not make changes to your site more than once a year, that doesn't mean you can take your site's security for granted. Operating systems, web development frameworks and all the plugins they use are shifting sands where vulnerabilities can be introduced at any time. Continuous monitoring should be part of your responsibilities as a business owner with a website.
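As an added example that is not part of the original post, the following Python turns a website's scan history into the kind of evidence an assessor wants to see for the monitoring control described above: whether the weekly cadence was kept (the seven-day interval comes from the weekly frequency suggested in the text), where any gaps occurred, which findings were newly introduced between scans, and what is still open. The scan dates and finding identifiers (F-001 and so on) are constructed placeholders, not real scanner output or real advisories.

```python
from datetime import date, timedelta

# Constructed sample scan history for one website: each record is the scan
# date and the set of finding identifiers the scanner reported on that day.
# The identifiers are made-up placeholders, not real advisories.
SCAN_HISTORY = [
    (date(2024, 3, 4),  {"F-001", "F-002"}),
    (date(2024, 3, 11), {"F-001"}),            # F-002 remediated
    (date(2024, 3, 18), {"F-001"}),
    (date(2024, 4, 1),  {"F-001", "F-003"}),   # 14-day gap; F-003 newly introduced
    (date(2024, 4, 8),  {"F-003"}),            # F-001 remediated
]

# Required cadence: the weekly scan the article recommends.
MAX_INTERVAL = timedelta(days=7)


def coverage_gaps(history, max_interval=MAX_INTERVAL):
    """Return (previous_scan, next_scan, gap_days) for each pair of consecutive
    scans that are further apart than the required cadence."""
    ordered = sorted(history, key=lambda record: record[0])
    gaps = []
    for (prev_date, _), (next_date, _) in zip(ordered, ordered[1:]):
        gap = next_date - prev_date
        if gap > max_interval:
            gaps.append((prev_date, next_date, gap.days))
    return gaps


def finding_deltas(history):
    """For each scan after the first, report which findings appeared since the
    previous scan (newly introduced risk) and which disappeared (remediated)."""
    ordered = sorted(history, key=lambda record: record[0])
    deltas = []
    for (_, prev_findings), (scan_date, findings) in zip(ordered, ordered[1:]):
        deltas.append({
            "date": scan_date,
            "new": sorted(findings - prev_findings),
            "resolved": sorted(prev_findings - findings),
        })
    return deltas


def evidence_summary(history, as_of, max_interval=MAX_INTERVAL):
    """Summary an assessor can cite: number of scans, whether the cadence was
    met up to `as_of` (no gaps and the latest scan is not stale), the gaps,
    the age of the latest scan, and the findings still open."""
    ordered = sorted(history, key=lambda record: record[0])
    latest_date, latest_findings = ordered[-1]
    gaps = coverage_gaps(ordered, max_interval)
    stale = (as_of - latest_date) > max_interval
    return {
        "scans": len(ordered),
        "cadence_met": not gaps and not stale,
        "gaps": gaps,
        "latest_scan_age_days": (as_of - latest_date).days,
        "open_findings": sorted(latest_findings),
    }


if __name__ == "__main__":
    summary = evidence_summary(SCAN_HISTORY, as_of=date(2024, 4, 10))
    for key, value in summary.items():
        print(f"{key}: {value}")
    for delta in finding_deltas(SCAN_HISTORY):
        print(f"{delta['date']}: new={delta['new']} resolved={delta['resolved']}")
```

Run as a script it reports the single 14-day gap between 18 March and 1 April and the one open finding; the same functions can be fed the export of any scanner that produces dated finding lists, and the gap and delta reports are what you would attach to the assessment as evidence that monitoring is actually happening at the stated frequency.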
Why do I need an Essential Eight assessment?
The Essential Eight compliance standard was first released back in 2017, and every couple of years updates are rolled out to keep current with the state of consumer technology applications and services. Today, it's quickly becoming a de facto standard for insurance companies if you want cover for compensation of cyber incidents such as ransomware. The rapid acceleration of AI in society, for legitimate and illegitimate uses, has led to an increase in companies seeking insurance policies against worst-case scenarios. But insurance companies want evidential proof that you are meeting a standard of cybersecurity, and that standard is increasingly the Essential Eight controls.
Alongside this, the Australian Securities and Investments Commission (ASIC) is more aggressively promoting cyber resilience, and the requirement that companies take proactive measures to achieve resilience by directly adopting the Essential Eight controls (ASIC cyber resilience good practices).
That the governing body for business registration has called out cyber risk, and the management of it, as a priority, coupled with insurers requiring proof of an Essential Eight assessment for policies, significantly raises the requirement for all businesses to comply with this standard.
How Biz Secure Online is moving into Compliance Assessment as a Service
During the first 6 months of operation as a company, we've built a solid website vulnerability testing service that companies can use to test their website security. This was the first milestone in a journey. What we have been working on is an Essential Eight compliance solution that will integrate with our testing solution. This first version of the compliance solution will coincide with our principal founder in Australia undertaking a certificate course in Essential Eight assessment to gain specific skills and knowledge in this standard. Putting it all together, we will offer consultancy assessment services with our software solutions as tooling to facilitate the assessment process, specifically for the ASD Essential Eight. We'll be able to provide companies with the point-in-time review and the ongoing monitoring to keep their security awareness current after the report has been delivered.
Wrap-up
It's an exciting time for Martin and me as we make progress on maturing our business services. As always, please feel free to email us at support@bizsecure.online with real feedback or suggestions.
