Operational resilience

February 11, 2020

In the UK, the National Cyber Security Centre (NCSC) runs an information assurance scheme called Cyber Essentials.  Our blog post series looks at each of the framework’s five focus areas and offers practical hints and tips on security requirements and value to organisations wishing to follow its advice.

This is the third post in our series; you can read the first two posts here and here. In this post we’ll look at ways to secure your computer systems, applications and mobile devices from attackers.

Review standard settings

Manufacturers vary in their approach to default “out-of-the-box” settings: some will lock systems down and you need to relax settings to make them work, while other vendors configure their products as open (for usability reasons) and it’s your job as the user to understand these settings and switch off ones you don’t require.

Software

All software has vulnerabilities that need to be patched to keep it secure. Microsoft Windows uses an auto-update feature to check which patches are required and suggests when to install them. If you don’t repair these known vulnerabilities, they could be exploited by hackers to gain unauthorised access to your information or launch a denial of service attack that targets your information’s availability. The problem is that hackers don’t attack only known vulnerabilities: they look for the most natural path to achieve their goals, which can also be through weak configuration.

To fulfil Cyber Essentials requirements for this mitigation strategy, we’d recommend looking first at patching. This applies not just to your operating system but to every application running on the platform. A typical Windows PC will have dozens of non-Microsoft applications running on it, some for business reasons, some for entertainment and some of which you are unaware of. When Microsoft Windows runs its auto-updater, it doesn’t tell you that your copy of Adobe Photoshop is missing a critical security patch or that you are running a third party web server on your laptop after testing a new development platform that you thought you deleted.

Patching – a critical part of cyber security management

When you start from a fresh build of Windows, we recommend that you catalogue all the software being installed and carry out regular checks on the vendors’ websites for updates and patch information. Usually there is an option to set software to auto-update, but it often doesn’t come with that feature enabled. It pays to switch these features on as soon as you can.

Microsoft has done a lot of work to secure their Windows operating systems, but they do still have vulnerabilities, so update them as soon as possible. Every operating system comes with software features you don’t need. It’s worth carrying out a review to establish what can be disabled or uninstalled, to remove the risk of them being exploited. Hackers can attack products with no known bugs by misusing the service for their benefit, so if a feature isn’t required, we’d highly recommend switching it off!
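One way to keep the software catalogue described above and re-check it regularly, shown as an added PowerShell example that is not part of the original post. The baseline file path and the function name `Get-InstalledSoftware` are assumptions made for illustration.

```powershell
# Added example: catalogue installed software and compare it with a saved baseline.
# The default baseline path is an assumption; choose a location that suits your environment.
param(
    [string]$BaselinePath = "$env:ProgramData\SoftwareInventory\baseline.csv"
)

# Registry locations where installers register themselves:
# 64-bit programs, 32-bit programs (WOW6432Node) and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    # Entries without a DisplayName are system components and patches; skip them.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{n='Name';      e={ $_.DisplayName.Trim() }},
                      @{n='Version';   e={ [string]$_.DisplayVersion }},
                      @{n='Publisher'; e={ [string]$_.Publisher }} |
        Sort-Object Name, Version -Unique
}

$current = @(Get-InstalledSoftware)

if (-not (Test-Path $BaselinePath)) {
    # First run (for example straight after a fresh build): record the catalogue.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation -Encoding UTF8
    Write-Output "Baseline of $($current.Count) entries written to $BaselinePath"
    return
}

$baseline = @(Import-Csv -Path $BaselinePath)

# '=>' : present now but not in the baseline (newly installed, or a new version).
# '<=' : in the baseline but no longer present (removed, or replaced by a new version).
Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
               -Property Name, Version, Publisher |
    Select-Object @{n='Change'; e={ if ($_.SideIndicator -eq '=>') { 'Added/Updated' }
                                    else { 'Removed/Superseded' } }},
                  Name, Version, Publisher |
    Sort-Object Name, Change |
    Format-Table -AutoSize
```

Software that never registers an uninstall entry, such as portable executables copied onto the disk, does not appear in this listing, and the `HKCU` key covers only the user running the script.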

Mobile devices

Choosing secure settings on your mobile devices is just as important as on any other device in your business. In some cases, applications downloaded from app stores are not thoroughly security tested. The lack of software validation means you are exposed to applications that have malicious code inside games and utilities that allow hackers to access your phone while you use their software. In the age of cloud services, your mobile phone has the same access to all your business data that your desktop or laptop does, so you need to be careful about installing games and unnecessary applications.

The other risk to be aware of is that mobile phones often act as the second factor of authentication for more secure online services or even as the token for accessing your business network over a VPN. For this reason, they are sometimes more critical in terms of their security value (and value to a hacker) than your PC username and password, yet they are often more vulnerable to attack.

Always change default passwords

Many devices come with default passwords. Default passwords should always be changed on installation. However, many organisations leave these as default, mostly for convenience, which leaves them vulnerable to hackers. Wi-Fi access points, routers and firewalls are often discovered as attack points for hackers, with default passwords or ones that are easily guessable.

The UK’s National Cyber Security Centre has an excellent guide for password usage and administration you could refer to when implementing a security regime for your business. You can access it here.

The value of multifactor authentication

Multifactor authentication (MFA) is by far one of the best security controls you can introduce into your business, since the primary goal of hackers in the initial stages of an attack is to gain access to a user or administrator account, and in both cases they need the username and password.

Multifactor authentication – a key security control

We would recommend the introduction of MFA into any business infrastructure, so that your workers require a second factor to access essential business data or critical business systems. Many organisations take a blanket approach to MFA where no access is permitted, be it internal or external, without using MFA.

Perform frequent checks and audits

Information security operates in a dynamic environment: what was patched with the latest updates yesterday may not be covered today.

Monitoring for changes in your security posture is challenging and time consuming. However, it is vital if you want to keep your organisation as protected as possible. If you work for an organisation that is obliged to maintain compliance with regulatory standards, you may well have some insight into the size of the task.

Many organisations use monitoring technology to systematically review their security status. The number one benefit of this is that it alerts your organisation to any potential exposure. However, it also means that you have consistent measurement, a reduced reliance on scarce resources and the minimisation of any human error.

Next steps towards Cyber Essentials compliance

In this post we’ve looked at the Cyber Essentials requirement to secure your devices and software, explaining some of the key things to be aware of.

In future posts we will look at the remaining three baseline technical controls and explain how each one can play a vital role in determining an organisation’s security posture.
