Back to the Basics - Why we Shouldn't Discount the Lessons of the Cyber Essentials Scheme

Organizations face more assaults against their systems each day than ever before, and from every angle, from phishing emails to physical attacks and zero-day exploits. A lack of resources, expertise, and awareness leaves businesses exposed to attacks, which can in turn open them up to high penalties.

According to the Ponemon Institute’s 2017 Cost of Data Breach Study, $3.62 million is the average total cost of a data breach. News of security breaches and their high costs has put large enterprises on alert, but with the changing threat landscape, micro, small and medium-sized enterprises (SMEs) need to be just as vigilant.

We at Avecto believe that in an age in which comprehensive cybersecurity can seem overwhelming and almost impossible, particularly for smaller businesses, it can help to go back to basics and look at simple measures which can protect organizations from the vast majority of today’s threats. 

In 2014, the UK government launched the Cyber Essentials scheme, which provides five achievable goals that both small and large companies should implement to secure their IT systems. Here are five ways to meet those goals which, four years on, remain as relevant as ever.

Implement firewalls and internet gateways to secure internet connections
Devices that protect the network edge, such as routers and firewalls, can fail to provide adequate protection if configured incorrectly. Factory settings, such as blank or default administrator account passwords, can offer an easy point of entry for hackers.

Additionally, network rules that allow inbound traffic should always be approved and documented by a qualified member of IT staff, and rules that are no longer required removed as soon as possible.

Access to the administrative interface, whether via a web GUI or command-line console, should be restricted to approved devices on the internal network. If external access to the admin interface is required, additional precautions should be used, such as SSL encryption and SSH with certificates to authenticate hosts and clients.

Choose the most secure settings for your devices and software
Windows 10 is relatively secure out-of-the-box, but as soon as default settings are changed, or third-party software is installed, the potential attack surface can increase significantly.

Following simple best practices can ensure that Windows-based devices stay secure: guest user accounts should be disabled, unnecessary administrative users should be removed, and accounts properly secured with strong, unique passwords. The Autoplay – or Autorun feature in earlier versions of Windows – should be disabled using Group Policy to make sure software on removable media can’t automatically install.

Third-party software has long been considered the biggest threat to Windows devices, with the likes of Adobe Flash, Acrobat Reader, and Java being among the top offenders. Java should be removed wherever possible, and Adobe applications should always be kept up-to-date with the latest versions. Application control, such as that provided by Windows Application Guard and Defendpoint, can also be valuable in preventing users from installing third-party software that might introduce vulnerabilities.

Windows PCs are often used outside the protection of the corporate network, so an endpoint firewall is critical for ensuring devices remain secure when connected to public WiFi or an untrusted network. Windows Firewall, or a third-party firewall that is part of an endpoint security suite, should always be enabled on each device, following the same rules that apply to network-edge security devices.
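The settings listed in this section can be checked rather than taken on trust. The script below is an added example, not code from the article or from Avecto: a read-only audit of a Windows 10 device that reports whether the Guest account is disabled, who sits in the local Administrators group, whether AutoPlay is turned off by policy, and whether Windows Firewall is enabled on every profile with inbound blocked by default. It then lists the enabled inbound allow rules so they can be compared against the documented, approved rule set, the same review the article asks for on edge devices. The approved administrator list is an assumed placeholder, and the cmdlets used ship with Windows 10 (LocalAccounts and NetSecurity modules).

```powershell
# Added example (not from the article): read-only audit of a Windows 10 device
# against the baseline settings described above. Prints findings, changes nothing.
# Run from an elevated PowerShell 5.1 session.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[string]]::new()

# 1. The built-in Guest account (RID 501) should be disabled.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) {
    $findings.Add("Guest account '$($guest.Name)' is enabled")
}

# 2. Only approved accounts should be members of the local Administrators group.
#    The approved list is an assumed placeholder; replace it with your own.
$approvedAdmins = @('Administrator', 'CORP\Workstation Admins')
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    # Local accounts are reported as COMPUTERNAME\user; strip the prefix for matching.
    $shortName = $member.Name -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", ''
    if ($approvedAdmins -notcontains $shortName -and $approvedAdmins -notcontains $member.Name) {
        $findings.Add("Unapproved member of Administrators: $($member.Name) (source: $($member.PrincipalSource))")
    }
}

# 3. AutoPlay should be off for all drive types by policy. The Group Policy setting
#    'Turn off AutoPlay' for all drives writes NoDriveTypeAutoRun = 0xFF (255).
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 255) {
    $findings.Add("AutoPlay is not disabled for all drives by policy (NoDriveTypeAutoRun = $autorun)")
}

# 4. Windows Firewall must be enabled for the Domain, Private and Public profiles and
#    must not allow inbound connections by default. 'NotConfigured' falls back to
#    Block, so only an explicit Allow is reported.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if (-not $fwProfile.Enabled) {
        $findings.Add("Windows Firewall is disabled for the $($fwProfile.Name) profile")
    }
    if ("$($fwProfile.DefaultInboundAction)" -eq 'Allow') {
        $findings.Add("$($fwProfile.Name) profile allows inbound connections by default")
    }
}

# 5. Inventory of enabled inbound allow rules, to be reconciled against the approved
#    and documented rule set. Anything not on that list is a candidate for removal.
$inboundAllow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Protocol = $port.Protocol
            Port     = ($port.LocalPort -join ',')
            Profile  = "$($_.Profile)"
        }
    }

if ($findings.Count -eq 0) { 'No findings: device matches the baseline.' }
else { $findings | ForEach-Object { "FINDING: $_" } }

"`nEnabled inbound allow rules ($(@($inboundAllow).Count)):"
$inboundAllow | Format-Table -AutoSize
```

Run it on a freshly built device to confirm the build matches the baseline, and again periodically: the inbound-rule inventory is where drift usually shows up, because installers add allow rules that nobody documents.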

Control who has access to data and services
The hardest goal to achieve on the Cyber Essentials scheme list requires that administrative accounts are not used on devices with internet access, or for reading email, which rules out assigning administrative privileges to most employees. But this can pose a challenge when running legacy applications since sometimes admin rights are required to perform system tasks.

The use of a third-party least privilege solution enables organizations to remove administrative privileges without impacting the user experience. Applications and processes can be assigned the necessary rights while leaving logged-in users with standard user privileges. These measures provide a much higher level of security, meeting the scheme requirements as well as ensuring that users remain productive.

Additionally, exception-handling capabilities such as challenge/response codes can be used to guarantee users have flexible options to request the access they need, with auditing and reporting options that can be used to ensure policy rules are created to suit individual users or groups.

Furthermore, the scheme requires all users to have uniquely named accounts, that administrative accounts be limited to a few authorized employees, and forbids the sharing of administrative logins. Finally, the creation of user accounts should be subject to approval and documented with a business case.

Protecting yourself from malware
The Cyber Essentials scheme strongly advocates whitelisting, which is a straightforward way to prevent users from installing and running applications that may contain malware.

The process involves an administrator creating a list of trusted applications that can run on a corporate device. Any application not on this list will be blocked from running. This is a strong protection as it works even if the malware is undetectable to anti-virus software. Third-party vendors can implement whitelisting overnight, with little ongoing maintenance required thereafter.

It’s also important for businesses to note that as with firewalls, the misconfiguration of antivirus software can render it ineffective. The Cyber Essentials scheme necessitates that all devices connected to the internet be protected by malware protection software, and that the software and signature files should be updated at least daily.
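For readers who want to see what whitelisting and the daily signature check look like in practice, the script below is an added example, not code from the article or from any vendor. It uses AppLocker, the whitelisting feature built into Windows 10 Enterprise/Education and Windows Server, to generate allow rules from a directory of approved software (publisher rules where the binary is signed, hash rules otherwise), deploys the policy in audit mode so that would-be blocks are logged before anything is enforced, and dry-runs a candidate file against the policy. It then reads the Windows Defender signature age and flags anything older than a day. The two paths at the top are assumptions.

```powershell
# Added example (not from the article): build an AppLocker whitelist from a
# directory of approved software, deploy it in audit mode, and check that
# antivirus signatures are no more than a day old. Paths below are assumed.
#Requires -RunAsAdministrator

$trustedRoot   = 'C:\Program Files'          # assumed: where approved software is installed
$candidateFile = 'C:\Temp\unknown-tool.exe'  # assumed: a binary to test against the policy

# --- Whitelist ---------------------------------------------------------------
# Publisher rules survive version updates, so they are preferred; unsigned binaries
# fall back to hash rules. -Optimize merges rules that share a publisher.
$policy = Get-ChildItem -Path $trustedRoot -Recurse -Include *.exe, *.msi, *.dll -ErrorAction SilentlyContinue |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'CE-Allow' -Optimize -IgnoreMissingFileInformation

# Audit mode: nothing is blocked yet, but every would-be block is written to the
# Microsoft-Windows-AppLocker event logs. Switch to 'Enabled' only after reviewing them.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# Dry-run the policy against a file before deploying it. PolicyDecision is one of
# Allowed, Denied or DeniedByDefault.
if (Test-Path $candidateFile) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $candidateFile -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Merge into the effective local policy so existing rules (including the default
# rules that keep Windows itself runnable) are kept. The Application Identity
# service (AppIDSvc) must be running, normally ensured via Group Policy, for
# AppLocker to evaluate anything.
Set-AppLockerPolicy -PolicyObject $policy -Merge

# --- Antivirus freshness -----------------------------------------------------
# The scheme requires signatures to be updated at least daily; Defender reports
# the signature age in days directly.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    'FINDING: Defender antivirus or real-time protection is turned off'
}
if ($status.AntivirusSignatureAge -gt 1) {
    "FINDING: antivirus signatures are $($status.AntivirusSignatureAge) days old (last updated $($status.AntivirusSignatureLastUpdated))"
    Update-MpSignature   # pull the latest definitions now
}
```

Starting in audit mode matters: a whitelist built from one reference machine will miss updaters, helper executables and scripts that only run occasionally, and the audit log is how those are found before users are locked out.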

Keep your software patched
Manufacturers and developers release regular updates which not only add new features, but also fix any security vulnerabilities that have been discovered. Regular patching is one of the most important things IT leaders can do to improve security. Operating systems, programs, phones, and apps should all be set to ‘automatically update’ wherever this is an option.

The Cyber Essentials scheme requires that the operating system and third-party software be licensed, supported, and updated automatically or within thirty days of a patch being released, except for security patches, which must be installed within fourteen days of release.
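The fourteen- and thirty-day windows are measurable. The script below is an added example, not code from the article: it uses the Windows Update Agent COM API (Microsoft.Update.Session) to confirm that automatic updates are on, list the updates that are published but not yet installed on the device, work out how long each has been available, and flag those past the scheme's window. Treating an update as a security patch when it carries an MSRC severity rating is an assumption made for the example; third-party application patches are not visible through this API, so it is one input to patch compliance rather than the whole picture. It needs network access to Windows Update or your WSUS server.

```powershell
# Added example (not from the article): report pending Windows updates against the
# Cyber Essentials patch windows using the Windows Update Agent COM API.
$securityWindowDays = 14   # security patches must be installed within 14 days
$generalWindowDays  = 30   # other updates within 30 days

# 1. Automatic updates should be enabled. NotificationLevel 4 = scheduled installation.
$auSettings = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
if ($auSettings.NotificationLevel -ne 4) {
    "FINDING: automatic updates are not set to install automatically (NotificationLevel = $($auSettings.NotificationLevel))"
}

# 2. Search for applicable software updates that are not installed and not hidden.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$pending = foreach ($update in $result.Updates) {
    # Assumption for this example: an update with an MSRC severity is a security patch
    # and gets the 14-day limit; everything else gets the 30-day limit.
    $isSecurity   = -not [string]::IsNullOrEmpty($update.MsrcSeverity)
    $limit        = if ($isSecurity) { $securityWindowDays } else { $generalWindowDays }
    $availableFor = ((Get-Date) - $update.LastDeploymentChangeTime).Days
    [pscustomobject]@{
        Title        = $update.Title
        Severity     = if ($isSecurity) { $update.MsrcSeverity } else { 'n/a' }
        AvailableFor = $availableFor   # days since the update was published
        LimitDays    = $limit
        Overdue      = $availableFor -gt $limit
    }
}

$overdueCount = @($pending | Where-Object Overdue).Count
"$($result.Updates.Count) update(s) pending; $overdueCount past the Cyber Essentials window"
$pending | Sort-Object Overdue, AvailableFor -Descending | Format-Table -AutoSize
```

Pair this with whatever inventory covers third-party applications (the browser, Java, Adobe products named earlier) so that the fourteen-day rule is checked for the software that historically carries the most exploited vulnerabilities, not just for Windows itself.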

In the face of a growing range of threats, and with the constant evolution of the way that employees access data, keeping these five steps in mind will go a long way towards helping IT leaders secure their sensitive data and the technology used by their employees. 
