Passing a fully independent external assessment in order to reach at least your Cyber Essentials targets is paramount to protecting your business data. Our methodology gathers evidence of security controls across the five Cyber Essentials control areas:
- Boundary devices
- Secure configuration
- User access control
- Malware protection
- Patch management
The Cyber Essentials scope covers:
- Desktop PCs, laptops, tablets and smartphones
- Internet-connected services such as email and web applications
The first requirement area to review is boundary firewalls and internet gateways, which form the outer defence against external threats. Some of the points we review on firewalls and gateways are:
- That the administrative password on each device has been changed from the default password shipped with the system.
- That every rule on the device is documented and has been authorised.
- That obsolete rules have been reviewed and removed.
- That the device blocks unnecessary services (inbound traffic that no documented rule allows is denied).
- That the administrative interface is reachable only from within the organisation, not from the internet.
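Most of the rule-review points above can be checked mechanically once the ruleset has been exported. The following is an added example written for this page, not code from any assessment tool or firewall vendor: it audits a constructed, vendor-neutral ruleset for rules with no owner or change ticket, rules past their expiry date, management ports reachable from outside the organisation, and unnecessary services. The internal address ranges (RFC 1918), the management ports (22 and 8443), the "unnecessary" service ports and the review date are all assumptions of the example. The default-password check is deliberately left out: it is verified by attempting to log in with the vendor default, not by reading the configuration.

```python
from datetime import date
from ipaddress import ip_network

REVIEW_DATE = date(2024, 6, 1)  # assumed date of the assessment

# Constructed sample ruleset in a vendor-neutral form (not exported from a real device).
SAMPLE_RULES = [
    {"id": 10, "action": "allow", "src": "0.0.0.0/0", "dport": 443,
     "owner": "web-team", "ticket": "CHG-1042", "expires": None, "desc": "Public HTTPS to web tier"},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0", "dport": 22,
     "owner": "", "ticket": "", "expires": None, "desc": "ssh"},
    {"id": 30, "action": "allow", "src": "10.0.0.0/8", "dport": 8443,
     "owner": "netops", "ticket": "CHG-0871", "expires": None, "desc": "Firewall admin UI from LAN"},
    {"id": 40, "action": "allow", "src": "203.0.113.0/24", "dport": 8443,
     "owner": "netops", "ticket": "CHG-0990", "expires": "2023-01-31", "desc": "Vendor remote support"},
    {"id": 50, "action": "allow", "src": "0.0.0.0/0", "dport": 23,
     "owner": "legacy", "ticket": "CHG-0012", "expires": None, "desc": "telnet to old switch"},
    {"id": 60, "action": "deny", "src": "0.0.0.0/0", "dport": None,
     "owner": "netops", "ticket": "CHG-0001", "expires": None, "desc": "default deny"},
]

# Assumptions for the example: RFC 1918 ranges count as "inside the organisation",
# these ports are the management interfaces, and these services are unnecessary.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22: "ssh", 8443: "admin web UI"}
UNNECESSARY_SERVICES = {21: "ftp", 23: "telnet", 445: "smb"}


def is_internal(cidr):
    """True only if the whole source range lies inside an internal network.
    0.0.0.0/0 (any) is never internal, even though it overlaps every range."""
    net = ip_network(cidr)
    return any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def audit_rules(rules, today=REVIEW_DATE):
    """Return (rule id, finding, detail) for every allow rule that fails a
    review point. Deny rules are not examined."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if not r["owner"] or not r["ticket"]:
            findings.append((r["id"], "undocumented", "no owner or change ticket recorded"))
        if r["expires"] and date.fromisoformat(r["expires"]) < today:
            findings.append((r["id"], "obsolete", f"expired on {r['expires']}"))
        if r["dport"] in UNNECESSARY_SERVICES:
            findings.append((r["id"], "unnecessary-service",
                             f"{UNNECESSARY_SERVICES[r['dport']]} allowed from {r['src']}"))
        if r["dport"] in ADMIN_PORTS and not is_internal(r["src"]):
            findings.append((r["id"], "admin-exposed",
                             f"{ADMIN_PORTS[r['dport']]} reachable from {r['src']}"))
    return findings


def findings_by_rule(rules, today=REVIEW_DATE):
    """Group findings as {rule id: sorted finding names} for a pass/fail view."""
    grouped = {}
    for rule_id, kind, _ in audit_rules(rules, today):
        grouped.setdefault(rule_id, []).append(kind)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for rule_id, kind, detail in audit_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: {kind}: {detail}")
```

On the sample data, rule 10 passes; rule 20 is both undocumented and exposes SSH to the internet; rule 40 expired over a year ago and exposes the admin UI to an external range; rule 50 allows telnet. The `is_internal` check uses `subnet_of` rather than an overlap test on purpose, so that a source of `0.0.0.0/0` is never treated as internal just because it contains the LAN.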
When IT equipment is shipped, it is generally configured to be easy to install and get working. That often means security features are switched off and administrator access is set up with well-known default credentials. The second area covers the work required to lock IT equipment down into a secure state. It includes:
- Removing unnecessary default accounts
- Changing default passwords
- Removing or disabling any unnecessary applications and services
- Configuring a personal (host-based) firewall on every PC
The third area is user access control. This has always been difficult to get right: too many people keep legacy access that was never revoked and hold privileges higher than their role needs. That is rarely noticed in day-to-day use, but it becomes a serious problem the moment an attacker compromises one of those accounts, because the attacker inherits every privilege it holds. The scheme therefore expects users to have the minimum privileges necessary for their job; access to be controlled with a unique user ID and a strong password; privileged accounts not to be used for internet activity such as web browsing or email, as these are common malware vectors; and accounts to be disabled or removed as soon as they are no longer required:
- Providing the minimum necessary privileges
- Requiring a unique user ID and a strong password for each user
- Restricting privileged accounts from internet activity
- Disabling or removing accounts when no longer required
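The secure-configuration and access-control points above are usually assessed from an account export and a listing of listening services. The following is an added example for this page, not code from the scheme or from any directory or operating-system tool: it takes a constructed account export and a constructed `ss -tln`-style listing and reports enabled default accounts, dormant accounts, privileged accounts that also have a mailbox (and so are used for email), the share of accounts that are privileged, and services exposed beyond loopback that are not on an allow list. The 90-day dormancy threshold, the review date, the allow list and the sample data are assumptions of the example.

```python
from datetime import date

REVIEW_DATE = date(2024, 6, 1)   # assumed assessment date
DORMANT_DAYS = 90                # assumed: no login for 90 days means "no longer required"

# Constructed account export (not from any real directory).
ACCOUNTS = [
    {"user": "admin",          "privileged": True,  "enabled": True,  "last_login": "2024-05-30", "mailbox": True,  "default": True},
    {"user": "guest",          "privileged": False, "enabled": True,  "last_login": None,         "mailbox": False, "default": True},
    {"user": "support",        "privileged": False, "enabled": False, "last_login": None,         "mailbox": False, "default": True},
    {"user": "a.smith",        "privileged": False, "enabled": True,  "last_login": "2024-05-28", "mailbox": True,  "default": False},
    {"user": "a.smith-adm",    "privileged": True,  "enabled": True,  "last_login": "2024-05-29", "mailbox": False, "default": False},
    {"user": "j.doe",          "privileged": False, "enabled": True,  "last_login": "2023-11-02", "mailbox": True,  "default": False},
    {"user": "old-contractor", "privileged": True,  "enabled": True,  "last_login": "2023-08-15", "mailbox": True,  "default": False},
]

# Constructed `ss -tln`-style listing from a workstation; only the local address column is used.
LISTENING = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       50      0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     0.0.0.0:445          0.0.0.0:*
"""
# Assumed: the only service this workstation needs to expose beyond loopback.
ALLOWED_PORTS = {22}


def review_accounts(accounts, today=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Map each enabled account to the control points it fails.
    Disabled accounts are skipped: disabling is the remedy, not a finding."""
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue
        kinds = []
        if a["default"]:
            kinds.append("default-account-enabled")
        if a["last_login"] is None or (today - date.fromisoformat(a["last_login"])).days > dormant_days:
            kinds.append("dormant")
        if a["privileged"] and a["mailbox"]:
            kinds.append("privileged-with-mailbox")
        if kinds:
            findings[a["user"]] = kinds
    return findings


def privileged_share(accounts):
    """Fraction of enabled accounts that are privileged; a high share is a
    least-privilege smell to raise with the customer."""
    enabled = [a for a in accounts if a["enabled"]]
    return sum(1 for a in enabled if a["privileged"]) / len(enabled)


def unnecessary_listeners(ss_output, allowed=ALLOWED_PORTS):
    """Ports listening on non-loopback addresses that are not on the allow list."""
    exposed = set()
    for line in ss_output.splitlines()[1:]:          # skip the header row
        local = line.split()[3]                      # e.g. "0.0.0.0:22"
        addr, _, port = local.rpartition(":")
        if addr not in ("127.0.0.1", "[::1]") and int(port) not in allowed:
            exposed.add(int(port))
    return sorted(exposed)


if __name__ == "__main__":
    for user, kinds in review_accounts(ACCOUNTS).items():
        print(f"{user}: {', '.join(kinds)}")
    print(f"privileged share: {privileged_share(ACCOUNTS):.0%}")
    print(f"unnecessary listeners: {unnecessary_listeners(LISTENING)}")
```

On the sample data the built-in `admin` account is still enabled and has a mailbox, `guest` is enabled but has never logged in, `j.doe` and `old-contractor` have not logged in for months (and the contractor's account is privileged), half of the enabled accounts are privileged, and telnet (23) and SMB (445) are exposed on the workstation. A disabled default account such as `support` is not reported, which matches the remediation the section asks for.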
The last area covered here is patch management. Most software contains technical vulnerabilities, and once one is discovered it is quickly incorporated into malware to exploit systems that run that software; this often happens within 24 hours of the vulnerability becoming known. Eventually the vendor provides an update to the software, known as a patch, that removes the vulnerability. We look for organisations to apply updates in a timely fashion and for all software in use to be properly licensed, since cracked copies of software are a common source of malware infection. Patch management includes:
- Timely patching
- Licensed software
- Staff training
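"Timely" has to be made concrete before it can be assessed. The following is an added example written for this page, not code from the scheme or any patch-management product: it joins a constructed software inventory with constructed vendor advisory data and reports which critical or high-severity updates are past a 14-day installation window, which updates are still pending inside the window or below that severity, and which installed software is unlicensed. The 14-day window, the severity threshold, the review date and the inventory are assumptions of the example.

```python
from datetime import date, timedelta

REVIEW_DATE = date(2024, 6, 1)      # assumed assessment date
PATCH_WINDOW = timedelta(days=14)   # assumed window for installing critical/high fixes
IN_SCOPE_SEVERITIES = ("critical", "high")

# Constructed inventory joined with advisory data (not real products or advisories).
INVENTORY = [
    {"host": "ws01",  "package": "browser",      "installed": "124.0",  "latest": "125.0",
     "severity": "high",     "released": "2024-05-10", "licensed": True},
    {"host": "ws01",  "package": "office-suite", "installed": "16.0.1", "latest": "16.0.1",
     "severity": "critical", "released": "2024-05-20", "licensed": True},
    {"host": "srv01", "package": "web-server",   "installed": "2.4.57", "latest": "2.4.59",
     "severity": "critical", "released": "2024-05-25", "licensed": True},
    {"host": "srv01", "package": "media-player", "installed": "3.0",    "latest": "3.1",
     "severity": "low",      "released": "2024-03-01", "licensed": True},
    {"host": "ws02",  "package": "browser",      "installed": "123.0",  "latest": "125.0",
     "severity": "high",     "released": "2024-05-10", "licensed": False},
]


def version_tuple(version):
    """Compare dotted numeric versions numerically, so that 2.4.9 < 2.4.10."""
    return tuple(int(part) for part in version.split("."))


def patch_status(inventory, today=REVIEW_DATE, window=PATCH_WINDOW):
    """Classify each entry as (host, package, status, days_overdue) where status is
    'current', 'pending' (update available but inside the window, or below the
    severity threshold) or 'overdue' (in-scope update past the window)."""
    report = []
    for item in inventory:
        if version_tuple(item["installed"]) >= version_tuple(item["latest"]):
            report.append((item["host"], item["package"], "current", 0))
            continue
        deadline = date.fromisoformat(item["released"]) + window
        if item["severity"] in IN_SCOPE_SEVERITIES and today > deadline:
            report.append((item["host"], item["package"], "overdue", (today - deadline).days))
        else:
            report.append((item["host"], item["package"], "pending", 0))
    return report


def overdue(inventory, today=REVIEW_DATE):
    """Only the entries that fail the timely-patching requirement."""
    return [(h, p, d) for h, p, s, d in patch_status(inventory, today) if s == "overdue"]


def unlicensed(inventory):
    """Installed software with no licence on record."""
    return sorted((i["host"], i["package"]) for i in inventory if not i["licensed"])


if __name__ == "__main__":
    for host, package, status, days in patch_status(INVENTORY):
        print(f"{host} {package}: {status}" + (f" by {days} days" if days else ""))
    print("unlicensed:", unlicensed(INVENTORY))
```

With the sample inventory, the browser update released on 10 May had to be installed by 24 May, so both workstations are 8 days overdue on 1 June; the web-server fix released on 25 May is still inside its window; the low-severity media-player update is reported as pending but does not count against the 14-day rule; and the unlicensed browser copy on `ws02` is listed separately because a cracked install is a malware risk regardless of its version.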