Best practices are key to any cybersecurity and compliance strategy, and any well-founded source of guidance is worth drawing on.

Cyber Essentials is a UK Government-backed, industry-supported scheme introduced by the National Cyber Security Centre (NCSC). It sets out a baseline of technical controls that help organizations protect themselves against the most common cyber attacks and demonstrate that the basics are in place.

The guidance is not country-specific: any organization can use it to build a more secure foundation for its business and to align its technical architecture and configuration with secure best practices.

The program offers two routes to certification:

  • Cyber Essentials: A self-assessed option in which the organization attests that the scheme's controls are in place. It shows organizations how to address the basics and prevent the most common types of incident.
  • Cyber Essentials Plus: Covers the same controls, but an independent assessor carries out hands-on technical verification (for example vulnerability scans and tests of the deployed controls) that the controls aligned with the Cyber Essentials certification are actually in place and working.

The UK government requires suppliers bidding for certain contracts that involve handling sensitive and personal information to hold a current Cyber Essentials certificate.

While the technical requirements give specific guidance to follow, it is important to understand the intent behind each control and to augment or adapt it where needed, so that the outcome is genuinely secure and resilient rather than merely compliant.

Firewalls and other network devices

All devices run network services so that they can communicate with other devices and services. By restricting access to these services you reduce your exposure to attack. You can do this with firewalls or with network devices that provide firewall functionality; for cloud services, the equivalent is security groups, network access control lists or similar data-flow policies.

The firewall requirement specifies several controls, including that you must change default administrative passwords to a secure alternative, or disable remote administrative access entirely. It also requires that administrative interfaces are not reachable from the internet unless there is a documented business need and the interface is protected by multi-factor authentication or an IP allow list. We strongly recommend that administrative access is disabled or restricted as tightly as possible. Administrative interfaces are a recurring entry point: in a recent Cisco zero-day, attackers abused administrative access to the device to reach organizations' internal networks.

You must also block unauthenticated inbound connections by default. This is often the factory setting, but it can be removed, and in practice firewall rules are frequently relaxed to fix a problem or to get an application working and then never tightened again. We strongly recommend monitoring the running configuration on the device itself for changes, in addition to change management and approval processes, so that an undocumented relaxation is detected rather than assumed away.
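As an added example (not code from the page, ScienceLogic or the NCSC), the following script audits an iptables-save style ruleset for the three points above: a default-deny INPUT policy, no administrative port accepted from any source, and no drift from an approved baseline. The two rulesets, the list of ports treated as administrative and the severities are all constructed assumptions for illustration.

```python
"""Audit an iptables-save ruleset against the Cyber Essentials firewall requirement:
inbound denied by default, no administrative service reachable from any source,
and no unreviewed drift from an approved baseline.  Added example; both rulesets
below are constructed, not captured from a real device."""
import re
from dataclasses import dataclass

# Assumption: ports treated as remote administrative access for this audit.
MANAGEMENT_PORTS = {22, 23, 3389, 8443}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str


def parse_rules(ruleset):
    """Split iptables-save text into {chain: policy} and a list of '-A' rules."""
    policies, rules = {}, []
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ':INPUT DROP [0:0]'
            chain, policy = line.split()[:2]
            policies[chain[1:]] = policy
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules


def rule_source(rule):
    m = re.search(r"(?:^|\s)-s\s+(\S+)", rule)
    return m.group(1) if m else "0.0.0.0/0"     # no -s means the rule matches any source


def rule_dport(rule):
    m = re.search(r"--dport\s+(\d+)", rule)
    return int(m.group(1)) if m else None


def audit(ruleset, baseline=None):
    """Return findings for one ruleset, optionally diffed against an approved baseline."""
    policies, rules = parse_rules(ruleset)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append(Finding("high", f"INPUT policy is {policies.get('INPUT', 'unset')}, "
                                        "not DROP: unauthenticated inbound traffic is allowed by default"))
    for rule in rules:
        if not rule.startswith("-A INPUT") or "-j ACCEPT" not in rule:
            continue
        port, src = rule_dport(rule), rule_source(rule)
        if port in MANAGEMENT_PORTS and src in ANY_SOURCE:
            findings.append(Finding("high", f"administrative port {port} accepted from any source: {rule}"))
    if baseline is not None:                     # configuration drift, checked at the source
        _, base_rules = parse_rules(baseline)
        for rule in sorted(set(rules) - set(base_rules)):
            findings.append(Finding("medium", f"rule not in approved baseline: {rule}"))
        for rule in sorted(set(base_rules) - set(rules)):
            findings.append(Finding("medium", f"approved baseline rule missing: {rule}"))
    return findings


# Constructed approved baseline: default deny, SSH only from the management subnet.
BASELINE = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed drifted ruleset: policy "fixed" to ACCEPT and SSH opened to the world.
DRIFTED = BASELINE.replace(":INPUT DROP", ":INPUT ACCEPT").replace(
    "COMMIT", "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\nCOMMIT")

if __name__ == "__main__":
    for f in audit(DRIFTED, BASELINE):
        print(f"[{f.severity}] {f.message}")
```

Running the script on the drifted ruleset reports two high findings (open INPUT policy, SSH from any source) and one medium drift finding; the baseline audited against itself reports nothing.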

Insecure default configurations

For all devices, and especially those that provide network capabilities, you must ensure that computers and network devices are configured to provide only the services required to fulfil their role.

Standard out-of-the-box configurations often include one or more weak points such as pre-enabled user accounts and pre-installed – but unnecessary – applications or services.

These default installations can allow attackers to gain unauthorized access to your organization's sensitive information. You should build systems with the minimum set of accounts, privileges and services needed for their role, and remove or disable everything else.
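The following is an added example of how a practitioner might check a Linux host against this requirement; it is not code from the page or from any vendor. It takes the output of `ss -Hlntup` and the contents of `/etc/passwd` and reports network listeners that the host's role does not need and interactive accounts that are not expected. The role allowlist, expected-account set, `ss` output and passwd lines are constructed for illustration.

```python
"""Secure-configuration check: only the services a host's role needs are listening
on the network, and no unexpected interactive accounts exist.  Added example; the
`ss -Hlntup` output, passwd lines and role allowlist are constructed."""
import re

# Assumption: (protocol, port) listeners each server role may expose to the network.
ROLE_ALLOWED = {
    "web": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
}
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}
LOOPBACK = {"127.0.0.1", "[::1]"}   # loopback-only listeners are not network-exposed

# One line of `ss -Hlntup`: netid, state, recv-q, send-q, local addr:port, peer, process.
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(ss_output):
    """Return (proto, address, port, process) tuples for each listener line."""
    listeners = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            listeners.append((m["proto"], m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners


def unexpected_listeners(ss_output, role):
    allowed = ROLE_ALLOWED[role]
    return [
        f"{proc} listening on {addr}:{port}/{proto} is not required for role '{role}'"
        for proto, addr, port, proc in parse_listeners(ss_output)
        if addr not in LOOPBACK and (proto, port) not in allowed
    ]


def unexpected_accounts(passwd_text, expected):
    """Flag pre-enabled or vendor accounts with a login shell that nobody asked for."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, shell = fields[0], fields[6]
        if shell in INTERACTIVE_SHELLS and user not in expected:
            findings.append(f"account '{user}' has interactive shell {shell} but is not expected")
    return findings


def audit_host(ss_output, passwd_text, role, expected_accounts):
    return unexpected_listeners(ss_output, role) + unexpected_accounts(passwd_text, expected_accounts)


# Constructed `ss -Hlntup` output for a web server that also has VNC and SNMP enabled.
SS_OUTPUT = """\
tcp   LISTEN 0      128        0.0.0.0:22       0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511        0.0.0.0:80       0.0.0.0:*    users:(("nginx",pid=1021,fd=6))
tcp   LISTEN 0      511        0.0.0.0:443      0.0.0.0:*    users:(("nginx",pid=1021,fd=7))
tcp   LISTEN 0      80       127.0.0.1:3306     0.0.0.0:*    users:(("mysqld",pid=1300,fd=20))
tcp   LISTEN 0      128        0.0.0.0:5900     0.0.0.0:*    users:(("vino-server",pid=1444,fd=9))
udp   UNCONN 0      0          0.0.0.0:161      0.0.0.0:*    users:(("snmpd",pid=900,fd=8))
"""

# Constructed /etc/passwd excerpt with a leftover vendor support account.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
vendor:x:1001:1001:Vendor support:/home/vendor:/bin/bash
mysql:x:110:115::/nonexistent:/bin/false
"""

if __name__ == "__main__":
    for finding in audit_host(SS_OUTPUT, PASSWD, "web", {"root", "deploy"}):
        print(finding)
```

On the constructed host this reports the VNC listener on 5900/tcp, SNMP on 161/udp and the `vendor` account; the MySQL listener bound to 127.0.0.1 is not reported because it is not reachable from the network.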

Security vulnerability management

Vulnerability management is a key topic for every security team. The Cyber Essentials requirements state that you must ensure devices and software are not vulnerable to known security issues for which fixes are available.

The Cyber Essentials requirements state that updates must be applied within 14 days of release where they fix vulnerabilities the vendor rates critical or high risk (or that carry a CVSS v3 base score of 7 or above). This is a reasonable time frame for teams to work to, but bear in mind that attackers often begin exploiting vulnerabilities within days of disclosure, so 14 days is a ceiling rather than a target.

In practice updates can take time to deploy, and teams often put compensating controls in place to limit the exploitability of the vulnerability in the meantime. We recommend that those compensating controls are verified on the device or system itself, against its running configuration rather than only a ticket, so that they are confirmed to stay in place until the update is applied.

Where such controls do not impede business services they do no harm, and it is good practice to leave them in place even after the patch has been applied. Vulnerabilities exist before vendors disclose them, so operating in the most hardened state possible at all times is wise.
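As an added example (not the page's or ScienceLogic's code), the script below tracks the 14-day window across a small fleet and, for anything overdue, only credits a compensating control if a check against the device's live configuration confirms it is still in place. The 14-day window comes from the requirement above; the advisory identifiers, package names, versions, hosts, configuration keys and the "today" date are constructed placeholders.

```python
"""Track the Cyber Essentials 14-day update window and verify compensating controls
against live configuration.  Added example; everything except the 14-day window
(advisory IDs, packages, versions, hosts, config keys, dates) is constructed."""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)   # the requirement quoted in the text


def version_tuple(v):
    """Compare versions numerically: '4.2.10' must sort after '4.2.3'."""
    return tuple(int(part) for part in v.split("."))


def evaluate(advisories, hosts, controls, today):
    """Return {(host, advisory): status}; status is one of patched, within_window,
    overdue_mitigated, overdue_unmitigated."""
    results = {}
    for host in hosts:
        for adv in advisories:
            installed = host["packages"].get(adv["package"])
            if installed is None:
                continue                      # package absent, advisory does not apply
            key = (host["name"], adv["id"])
            if version_tuple(installed) >= version_tuple(adv["fixed_in"]):
                results[key] = "patched"
            elif today - adv["fix_released"] <= PATCH_WINDOW:
                results[key] = "within_window"
            else:
                # Overdue: a compensating control only counts if the check passes
                # against the live configuration, not because a ticket says so.
                check = controls.get(adv["id"])
                verified = check is not None and check(host["config"])
                results[key] = "overdue_mitigated" if verified else "overdue_unmitigated"
    return results


def overdue_unmitigated(results):
    """The items that breach the window with nothing verified in their place."""
    return sorted(key for key, status in results.items() if status == "overdue_unmitigated")


# Constructed advisories (placeholder IDs, not real CVEs) with fix release dates.
ADVISORIES = [
    {"id": "ADV-0001", "package": "vpn-gateway", "fixed_in": "4.2.3", "fix_released": date(2024, 3, 1)},
    {"id": "ADV-0002", "package": "web-proxy", "fixed_in": "2.8.1", "fix_released": date(2024, 3, 10)},
]

# Constructed fleet inventory with the live configuration pulled from each device.
HOSTS = [
    {"name": "fw-edge-1", "packages": {"vpn-gateway": "4.2.0"}, "config": {"vpn_webui_enabled": False}},
    {"name": "fw-edge-2", "packages": {"vpn-gateway": "4.2.0"}, "config": {"vpn_webui_enabled": True}},
    {"name": "proxy-1", "packages": {"web-proxy": "2.8.1"}, "config": {}},
    {"name": "proxy-2", "packages": {"web-proxy": "2.7.9"}, "config": {}},
]

# Constructed compensating control: ADV-0001 is only reachable via the VPN web UI,
# so the control is "web UI disabled", verified from the device's own config.
CONTROLS = {
    "ADV-0001": lambda cfg: cfg.get("vpn_webui_enabled") is False,
}

TODAY = date(2024, 3, 20)   # constructed reference date

if __name__ == "__main__":
    results = evaluate(ADVISORIES, HOSTS, CONTROLS, TODAY)
    for key, status in sorted(results.items()):
        print(f"{key[0]:10} {key[1]}  {status}")
    print("needs action:", overdue_unmitigated(results))
```

With the constructed data, fw-edge-1 is overdue but mitigated (its web UI is verifiably off), fw-edge-2 is overdue and unmitigated because someone re-enabled the web UI, proxy-1 is patched, and proxy-2 is still inside the 14-day window.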

How ScienceLogic can help

ScienceLogic's solutions monitor, and alert on deviation from, a known-good state for device configurations, so your teams have continuous visibility of the actual state of network configurations measured against network security best practices such as the UK's Cyber Essentials.

Configurations captured during regular backups can be compared against those known-good baselines using simple or complex rules and pre-configured templates, so that repetitive processes such as audits and configuration backups are automated rather than performed by hand.

An organization also needs a complete inventory of its assets: you cannot assess how systems are configured, or whether they meet the requirements, without first knowing what you have.

Contact us to discuss our Network Configuration Management and Compliance solutions with one of our experts.
