5 Implementing the five controls of Cyber Essentials
5.1 Control 1: Office firewalls and internet gateways
Relevant Toolkit documents:
• Network Security Policy
• Firewall Rule Removal Process
• Firewall Configuration Standard
• Firewall Rule Change Log
• Firewall Review Form
• EXAMPLE Firewall Configuration Standard
• Network Diagram Example
Cyber Essentials certification requires that you configure and use one or more firewalls to protect all your devices from the Internet, including those that connect to public or other untrusted Wi-Fi networks. A firewall simply uses rules to block or allow traffic entering or leaving your network, and these rules can be changed according to what you need to achieve (for example, if you need to be able to log on to a work computer from home).
A “Boundary Firewall” is a software or hardware device used to shield your internal network as a whole from the Internet. For a more complicated set-up with more than one location, you might require multiple boundary firewalls. Personal, or “host-based”, firewalls are usually included on desktop and laptop computers with operating systems, such as Windows, often at no extra charge, or they may be part of an antivirus suite. Make sure these are enabled on every device that has one.
Some internet routers (for example, broadband routers) also act as boundary firewalls. But a firewall can also be a stand-alone piece of hardware connected to the router (search for “SOHO firewall” to see some examples). If you’re not sure, it may be appropriate to ask your internet service provider if your router contains a boundary firewall. To configure the firewall rules on a typical Internet router, you will connect to it from within your internal network using a browser such as Google Chrome and log on to the admin panel.
We recommend starting with a Network Security Policy that defines your approach to securing your network(s) and provides some context to the setup of your firewall(s). Once that’s defined, it’s a case of making sure that your firewall rules are appropriate for your organisation and that any changes to them are properly justified so that holes which unwanted network traffic can exploit are not introduced over time.
In the Toolkit, we provide a template standard for your firewall configuration and a way of recording changes to, and reviews of, your firewall rulesets. We also provide a diagram of a small network to show how the different components may fit together. It’s a good idea to create a picture of your own network both to aid understanding and document how it is structured.
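The review of firewall rules described above, as an added example that is not one of the Toolkit documents or the author's own code: a small script that applies the checks a Firewall Review Form would prompt for to a ruleset recorded in the style of a Firewall Rule Change Log. The rules, field names and dates are constructed for illustration.

```python
"""Firewall ruleset review (added example; not part of the Toolkit).

Checks a recorded ruleset for: inbound 'allow' rules open to every Internet
address, rules with no business justification or approver, rules whose
review date has passed, and the presence of a final inbound default deny.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass
class Rule:
    rule_id: str
    direction: str      # "inbound" (Internet -> network) or "outbound"
    action: str         # "allow" or "deny"
    source: str         # CIDR; 0.0.0.0/0 means any address
    destination: str    # CIDR
    port: str           # "any" or a TCP/UDP port number
    justification: str  # business reason recorded when the rule was added
    approved_by: str    # who approved the change
    review_by: date     # date by which the rule must be re-justified


def is_any_address(cidr: str) -> bool:
    """True for a prefix that matches every address (e.g. 0.0.0.0/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def review_rules(rules: list[Rule], today: date) -> list[tuple[str, str, str]]:
    """Return (rule_id, severity, finding) for every rule that needs attention."""
    findings = []
    for r in rules:
        if r.direction == "inbound" and r.action == "allow" and is_any_address(r.source):
            # A service exposed to the whole Internet; worse still if every port is open
            severity = "high" if r.port == "any" else "medium"
            findings.append((r.rule_id, severity, "inbound allow from any Internet address"))
        if not r.justification.strip():
            findings.append((r.rule_id, "medium", "no business justification recorded"))
        if not r.approved_by.strip():
            findings.append((r.rule_id, "medium", "change has no recorded approver"))
        if r.review_by < today:
            findings.append((r.rule_id, "low", "review date has passed"))
    return findings


def has_default_deny(rules: list[Rule]) -> bool:
    """The last inbound rule should block everything not explicitly allowed above it."""
    inbound = [r for r in rules if r.direction == "inbound"]
    if not inbound:
        return False
    last = inbound[-1]
    return last.action == "deny" and is_any_address(last.source) and last.port == "any"


# Constructed ruleset: one well-documented rule, one undocumented remote-desktop
# rule open to the Internet, a default deny, and a general outbound rule.
RULES = [
    Rule("FW-001", "inbound", "allow", "203.0.113.0/24", "192.168.1.10/32", "443",
         "Supplier portal access from our hosting provider", "IT Manager", date(2025, 6, 30)),
    Rule("FW-002", "inbound", "allow", "0.0.0.0/0", "192.168.1.20/32", "3389",
         "", "", date(2024, 1, 31)),
    Rule("FW-003", "inbound", "deny", "0.0.0.0/0", "0.0.0.0/0", "any",
         "Default deny", "IT Manager", date(2025, 12, 31)),
    Rule("FW-004", "outbound", "allow", "192.168.1.0/24", "0.0.0.0/0", "any",
         "Staff web and email access", "IT Manager", date(2025, 12, 31)),
]

if __name__ == "__main__":
    for rule_id, severity, text in review_rules(RULES, date(2025, 1, 15)):
        print(f"{rule_id} [{severity}] {text}")
    print("default deny present:", has_default_deny(RULES))
```

Run against the constructed ruleset, every finding lands on FW-002: it is exposed to any Internet address, has no justification or approver, and its review date is in the past, which is exactly the kind of rule that accumulates over time if changes are not logged and reviewed.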
5.2 Control 2: Secure configuration
Relevant Toolkit documents:
• Logging and Monitoring Policy
• Software Policy
• Mobile Device Policy
• Backup Policy
• Cloud Computing Policy
• Password Policy
• Hardware Inventory
• Configuration Standard
• BYOD Policy
• Cloud Services Register
• Configuration Specification
• EXAMPLE Configuration Specification
• EXAMPLE Configuration Standard
• EXAMPLE Hardware Inventory
• EXAMPLE Cloud Services Register
This control involves choosing the most secure settings for your devices and software. Cyber Essentials certification requires that only necessary software, accounts and apps are used. Most “out-of-the-box” hardware such as laptops are shipped with a set of added-value software and default settings that encourage you to use them, rather than to make them as secure as possible. Attackers often know this, and it makes new computers and devices particularly vulnerable.
This means that a process often known as “hardening” is needed, to remove anything that is not required and bring the configuration to a secure starting point. This may involve uninstalling software, amending configuration settings and changing passwords. Those items that are permitted may be defined in a Configuration Standard, which is a document that sets out how a particular device should be set up.
It’s important to know what hardware you have, so that you can verify that it is all configured correctly. The Toolkit includes a Hardware Inventory spreadsheet to record details of your devices, and you may be able to obtain some of this information from software tools you already use, such as Microsoft Intune (available as an add-on to Office 365).
When implemented correctly, passwords are an easy and effective way to prevent unauthorised users accessing your devices. Unfortunately, they can also represent the weakest link in your cyber defences. Passwords should be easy to remember and hard for someone else to guess. The default usernames and passwords which come with new devices, such as “admin” and “password”, are the easiest of all for attackers to guess, and lists of these may be freely available on the Internet. Change all default passwords before devices are made live (especially your Internet router). The use of other techniques such as PINs and fingerprint recognition (or more recently, facial recognition) can also help secure your devices, such as smartphones.
For higher-risk accounts, such as those with access to financial and administration functions, two-factor authentication, or “2FA” (also known as multi-factor authentication, or “MFA”) is a highly desirable addition. This usually involves a code being texted to your smartphone which must then be entered after your password. Various authentication apps are also available and widely used, such as Google Authenticator. This means that just knowing the password is not enough, and you must also be in possession of the smartphone (or other type of device, such as the calculator-like gadgets used with many banking websites) to be able to log on. So, someone on the other side of the world who has discovered or guessed your password will be frustrated.
The National Cyber Security Centre has issued updated guidance on how to approach passwords, and the Password Policy in the Toolkit takes account of this.
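The hardening and default-password checks described in the paragraphs above, as an added example that is not one of the Toolkit documents or the author's own code: a script that compares each device recorded in a Hardware Inventory against a Configuration Standard for its device type and lists the deviations. The standard, the setting names and the inventory records are all constructed assumptions.

```python
"""Configuration Standard compliance check (added example; not Toolkit code).

For each device: software outside the permitted list, required settings that
do not hold, a screen-lock timeout longer than allowed, and accounts whose
vendor default password has not been changed.
"""

# Constructed Configuration Standard, one entry per device type
CONFIG_STANDARD = {
    "workstation": {
        "permitted_software": {"Microsoft Office", "Google Chrome", "Sage 50", "7-Zip"},
        "required_settings": {"host_firewall": True, "autoplay": False},
        "max_screen_lock_minutes": 10,
    },
    "router": {
        "permitted_software": set(),
        "required_settings": {"remote_admin_from_internet": False, "firmware_auto_update": True},
        "max_screen_lock_minutes": None,   # not applicable to this device type
    },
}


def check_device(device: dict) -> list[str]:
    """Return the deviations from the standard for one inventory record."""
    standard = CONFIG_STANDARD[device["type"]]
    findings = []

    # Anything installed that the standard does not permit should be removed
    for name in sorted(set(device["software"]) - standard["permitted_software"]):
        findings.append(f"software not permitted by the standard: {name}")

    # Settings that must hold exactly
    for key, required in standard["required_settings"].items():
        actual = device["settings"].get(key)
        if actual != required:
            findings.append(f"setting {key} is {actual!r}, standard requires {required!r}")

    # A longer screen-lock timeout than the standard allows is a deviation
    limit = standard["max_screen_lock_minutes"]
    if limit is not None:
        timeout = device["settings"].get("screen_lock_minutes")
        if timeout is None or timeout > limit:
            findings.append(f"screen lock timeout {timeout!r} exceeds {limit} minutes")

    # Default credentials are the first thing tried against a new device
    for account in device["accounts"]:
        if not account["default_password_changed"]:
            findings.append(f"account '{account['name']}' still has the vendor default password")
    return findings


def compliance_report(devices: list[dict]) -> dict[str, list[str]]:
    """Map device name -> deviations, for every device in the inventory."""
    return {d["name"]: check_device(d) for d in devices}


# Constructed Hardware Inventory records
INVENTORY = [
    {"name": "LAPTOP-01", "type": "workstation",
     "software": ["Microsoft Office", "Google Chrome", "7-Zip", "Trial Photo Editor"],
     "settings": {"host_firewall": True, "autoplay": True, "screen_lock_minutes": 10},
     "accounts": [{"name": "jsmith", "default_password_changed": True}]},
    {"name": "LAPTOP-02", "type": "workstation",
     "software": ["Microsoft Office", "Sage 50"],
     "settings": {"host_firewall": True, "autoplay": False, "screen_lock_minutes": 5},
     "accounts": [{"name": "pjones", "default_password_changed": True}]},
    {"name": "ROUTER-01", "type": "router",
     "software": [],
     "settings": {"remote_admin_from_internet": True, "firmware_auto_update": True},
     "accounts": [{"name": "admin", "default_password_changed": False}]},
]

if __name__ == "__main__":
    for name, findings in compliance_report(INVENTORY).items():
        print(name, "compliant" if not findings else "")
        for line in findings:
            print("  -", line)
```

On the constructed inventory, LAPTOP-01 is flagged for the bundled trial software and for AutoPlay being left on, LAPTOP-02 is compliant, and ROUTER-01 is flagged for remote administration from the Internet and an unchanged default password.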
Within the Toolkit, we also provide a range of policy documents which help to define your approach to areas such as event logging (important for spotting when someone is trying to hack into your systems), backups (vital to recover from a ransomware attack), mobile devices (often a weak link in cyber security) and cloud computing (vulnerable as it is outside your internal network).
5.3 Control 3: User and administrative accounts
Relevant Toolkit documents:
• Access Control Policy
• Internet Acceptable Use Policy
• User Access Management Process
• Cryptographic Policy
• Physical Security Policy
• System Owners
• Admin User Accounts
• Cyber Essentials Poster - Passwords
• EXAMPLE System Owners
• EXAMPLE Admin User Accounts
Cyber Essentials certification requires that you control access to your data through user accounts, and that administrative privileges (e.g. the ability to create users and define who can access what) are only given to those who need them. An Access Control Policy and a User Access Management Process are included in the Toolkit to help you define how this will work within your organisation.
To be able to control your user access, it’s important to know what systems your company uses and the user accounts that are registered within them. This can be more difficult than it sounds, especially if you make significant use of cloud services available via the Internet. The Toolkit provides spreadsheets that help to define your systems, establish who your system owners are (these are the people who will decide who should have access to the systems or not) and record users (especially admin users) and their current access levels. For a large number of users this information may be better produced from each application itself via reports. Check regularly that only the right users have access, and that no rogue accounts have been created without your knowledge.
Cyber Essentials emphasises that admin accounts should only be used for admin work, and that separate standard user accounts should be in place for everyday computer use, including accessing the Internet.
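The regular access check and the admin/standard account separation described above, as an added example that is not one of the Toolkit spreadsheets or the author's own code: a script that reconciles an account export from one system against the approved register (in the style of the Admin User Accounts sheet) and a leavers list. Every name, username and record is constructed.

```python
"""User access review (added example; not Toolkit code).

Flags: accounts present in the system but not in the register (rogue
accounts), admin rights the System Owner never approved, accounts whose
holder has left, admin users with no separate standard account for everyday
use, and approved accounts missing from the system.
"""

# Constructed register: what the System Owner has approved
REGISTER = [
    {"username": "jsmith", "person": "Jane Smith", "admin": False},
    {"username": "adm-jsmith", "person": "Jane Smith", "admin": True},
    {"username": "pjones", "person": "Peter Jones", "admin": False},
    {"username": "adm-tbrown", "person": "Tom Brown", "admin": True},
    {"username": "akhan", "person": "Ali Khan", "admin": True},
]

# Constructed export of what actually exists in the system today
SYSTEM_EXPORT = [
    {"username": "jsmith", "admin": False},
    {"username": "adm-jsmith", "admin": True},
    {"username": "pjones", "admin": True},        # escalated without approval
    {"username": "adm-tbrown", "admin": True},    # holder has left
    {"username": "akhan", "admin": True},         # admin-only identity
    {"username": "svc-backup", "admin": True},    # nobody registered this
]

LEAVERS = {"Tom Brown"}


def review_access(register: list[dict], export: list[dict], leavers: set[str]) -> list[tuple[str, str]]:
    """Return (username, finding) pairs for the reviewer to act on."""
    approved = {r["username"]: r for r in register}
    people_with_standard_account = {r["person"] for r in register if not r["admin"]}
    findings = []

    for acct in export:
        entry = approved.get(acct["username"])
        if entry is None:
            findings.append((acct["username"], "account not in register (rogue account)"))
            continue
        if entry["person"] in leavers:
            # Disabling a leaver's account takes priority over any other finding on it
            findings.append((acct["username"], f"holder {entry['person']} has left; disable account"))
            continue
        if acct["admin"] and not entry["admin"]:
            findings.append((acct["username"], "admin rights granted without approval"))
        if entry["admin"] and entry["person"] not in people_with_standard_account:
            findings.append((acct["username"], "admin user has no separate standard account for everyday use"))

    # Approved accounts that have vanished from the system are worth a question too
    exported = {a["username"] for a in export}
    for username in approved:
        if username not in exported:
            findings.append((username, "approved in register but not present in system"))
    return findings


if __name__ == "__main__":
    for username, text in review_access(REGISTER, SYSTEM_EXPORT, LEAVERS):
        print(f"{username}: {text}")
```

Against the constructed data the review raises four items: pjones has acquired admin rights nobody approved, adm-tbrown belongs to a leaver, akhan only has an admin identity and so must be using it for everyday work, and svc-backup does not appear in the register at all.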
It’s a good idea to prevent users from installing software on their own computers or, if you find this too restrictive, to only allow software from recognised sources, such as the Microsoft Store, to be downloaded.
We provide a number of other policies in the Toolkit that cover related areas such as use of encryption, physical security and what constitutes acceptable use of the Internet.
We also provide an awareness-raising poster for you to print out (ideally A3 size) and place in user areas. The poster emphasises the need to choose strong passwords and how this may be done.
5.4 Control 4: Malware protection
Relevant Toolkit documents:
• Anti-Malware Policy
• Electronic Messaging Policy
• Incident Response Plan Ransomware
• Cyber Essentials Poster – Phishing
The term “malware” is short for “malicious software”, a general term for computer programs that are designed to have some form of adverse impact on the computers on which they run. This includes ransomware, which makes files unusable (because it has encrypted them) until the victim pays a ransom, often in a form of cryptocurrency such as Bitcoin, to obtain the key to decrypt the files.
Malware, such as a virus, can be transmitted in an increasing variety of ways, including via an infected email attachment, a compromised website or a user inserting an infected USB stick into their computer. The Toolkit provides a policy covering the correct use of email and a poster to raise awareness of Phishing – the sending of fake emails with malicious intent.
Cyber Essentials requires that you use one or more of three common techniques to address malware, namely antivirus software, whitelisting and sandboxing.
Antivirus software is generally included on the main operating systems used on user computers (for example, Windows 10) and nowadays it does a reasonable job of identifying malware. However, this is very much an “arms-race” situation between the antivirus software vendor and the writers of the viruses, and you may decide that paid-for alternatives provide a better solution. These solutions are often the subject of magazine and online reviews, so it’s worth Googling to see what the latest views from the technical community are on their relative merits. Depending on how many computers you are managing, it may be important that some form of central management console is available to assess the health of antivirus controls across the organisation’s computer population as a whole.
Whitelisting requires that you create a list of programs that are allowed to run on the computer and prevent anything else being installed on it. This is useful if the software you use is predictable but can be unwieldy if you need to be able to move quickly to install a new application for urgent business needs.
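The whitelisting technique described above, as an added example that is neither Toolkit material nor the author's code: an allow list that records the SHA-256 of each permitted program, keyed by its path, and a check of execution attempts against it. The "program contents" and the execution log are constructed byte strings standing in for real executables; a real deployment would hash the files on disk.

```python
"""Application allow-list (whitelisting) check (added example; not Toolkit code).

Anything not on the list, or whose contents no longer match the recorded
hash (a replaced, updated-but-unreviewed or tampered file), is reported as
blocked.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the approved executables
APPROVED_PROGRAMS = {
    r"C:\Program Files\Sage\sage.exe": b"constructed sage accounts binary v1",
    r"C:\Program Files\Google\Chrome\chrome.exe": b"constructed chrome binary v1",
}

# The allow list itself holds only path -> expected hash, never the binaries
ALLOW_LIST = {path: sha256_hex(data) for path, data in APPROVED_PROGRAMS.items()}


def decide(path: str, contents: bytes) -> str:
    """Allow only a listed path whose contents hash to the approved value."""
    expected = ALLOW_LIST.get(path)
    if expected is None:
        return "blocked: not on allow list"
    if sha256_hex(contents) != expected:
        # Same path, different contents: re-approval needed before it can run
        return "blocked: hash does not match approved version"
    return "allowed"


# Constructed execution attempts: an approved program, an updated browser
# whose new build has not yet been approved, and an unknown download
EXECUTION_LOG = [
    (r"C:\Program Files\Sage\sage.exe", b"constructed sage accounts binary v1"),
    (r"C:\Program Files\Google\Chrome\chrome.exe", b"constructed chrome binary v2"),
    (r"C:\Users\jsmith\Downloads\invoice.exe", b"constructed unknown program"),
]


def evaluate_log(log: list[tuple[str, bytes]]) -> list[tuple[str, str]]:
    return [(path, decide(path, contents)) for path, contents in log]


if __name__ == "__main__":
    for path, outcome in evaluate_log(EXECUTION_LOG):
        print(f"{outcome:45} {path}")
```

The second log entry shows the trade-off the text mentions: a legitimate browser update is blocked until someone records the new hash, which is the administrative overhead that makes whitelisting unwieldy where software changes often.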
Sandboxing is a technique used in some software programs that involves segregating a program from everything else on the computer, so that it can’t spread. Look for software that uses this technique and use it in preference to equivalents that don’t.
In the Toolkit, we provide a policy document that covers anti-malware which will supplement your malware protection approach.
5.5 Control 5: Software patching
Relevant Toolkit documents:
• Patch Management Policy
• Software Inventory
• EXAMPLE Software Inventory
Cyber Essentials requires that patches (also known as updates) are applied promptly to the software in use within the organisation, so that the bugs that they fix can’t be exploited by an attacker. There are several ways of doing this and, in the toolkit, we provide a Patch Management Policy to define your organisation’s approach to patching.
Of course, it’s difficult to know whether your software is being patched if you’re not aware of what software you’re using, so we also provide a Software Inventory to help you to identify the programs that should be patched and whether they are still under support from the vendor. For instance, Microsoft ended its support for Windows XP in 2014 and that for Windows Vista in 2017.
In many cases, it may be as simple as turning on the auto-patching function within the software program so that it identifies that a patch is available, downloads it and applies it without any human intervention. But sometimes patches go wrong (this has been the case with some Windows updates in the past) so it’s a good idea to put some thought into your approach.
For a larger computer population, software inventory and patch management software is very useful in this area to identify what is installed where, and the status of patching on specific computers. Two examples of this are Microsoft Intune (variously known previously as SMS and SCCM) and Desktop Central from ManageEngine.
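The combination of a Software Inventory, vendor support status and patch timeliness described in this control, as an added example that is not the Toolkit's spreadsheet or the author's code. The 14-day patching window is an assumption to be replaced with the figure in your Patch Management Policy; the inventory entries and version strings are constructed, while the Windows XP and Vista end-of-support dates are the public vendor dates for the years the text cites.

```python
"""Software Inventory with support and patch status (added example; not Toolkit code).

Each entry is classified as: unsupported (vendor support has ended, so no
patches exist), current (latest version installed), pending (a patch is
available but still inside the policy window) or overdue.
"""
from datetime import date, timedelta

# Vendor support end dates for the two products the text mentions
SUPPORT_END = {
    "Windows XP": date(2014, 4, 8),
    "Windows Vista": date(2017, 4, 11),
}

# Constructed date on which the review is being run
REVIEW_DATE = date(2025, 3, 1)


def patch_status(entry: dict, today: date, window_days: int = 14) -> str:
    """Classify one inventory entry; window_days is an assumed policy value."""
    end = SUPPORT_END.get(entry["software"])
    if end is not None and today > end:
        return "unsupported"          # replace or isolate; patching is not possible
    if entry["installed_version"] == entry["latest_version"]:
        return "current"
    due = entry["patch_released"] + timedelta(days=window_days)
    return "overdue" if today > due else "pending"


def inventory_report(inventory: list[dict], today: date, window_days: int = 14) -> list[tuple[str, str, str]]:
    """(device, software, status) for every entry in the inventory."""
    return [(e["device"], e["software"], patch_status(e, today, window_days)) for e in inventory]


# Constructed Software Inventory; version strings are placeholders, not real builds
INVENTORY = [
    {"device": "PC-01", "software": "Windows 10",
     "installed_version": "1.0.3", "latest_version": "1.0.4", "patch_released": date(2025, 2, 4)},
    {"device": "PC-02", "software": "Google Chrome",
     "installed_version": "2.7.0", "latest_version": "2.7.0", "patch_released": date(2025, 2, 20)},
    {"device": "PC-03", "software": "Windows XP",
     "installed_version": "3.0", "latest_version": "3.0", "patch_released": date(2014, 4, 8)},
    {"device": "PC-04", "software": "7-Zip",
     "installed_version": "5.1", "latest_version": "5.2", "patch_released": date(2025, 2, 25)},
]

if __name__ == "__main__":
    for device, software, status in inventory_report(INVENTORY, REVIEW_DATE):
        print(f"{device:8} {software:14} {status}")
```

Note that PC-03 reports "current" on version alone and only the support-end lookup reveals the real problem, which is why the inventory needs a vendor-support column and not just installed versions.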