All your operating systems, apps, software and services you use must be configured correctly to protect you from attacks. Secure Configuration of user and system devices and servers must enable you to protect these assets and know when there has been a compromise.
This is edited content from Sarb Sembhi and co-host Nick Ioannou. Available in video and podcast media.
This is the third in the series of blogs specifically about the Cyber Essentials Certification Scheme, and the second one providing technical aspects of compliance. This looks at some of the detailed questions around the controls for the secure configuration of devices covered in the Certification scope. Like the first set of controls, which were around network gateways, this second set of controls looks at secure configuration that the IT support or systems administrator would set for all other users.
Common Issues with User Devices
Like the section on gateway questions, this section of questions doesn’t actually go into the technicalities of how compliance is achieved, but rather focuses on the end result. And as we stated in our last episode the knowledge and experience required to achieve compliance is relatively low technical or low knowledge set of practices which can be achieved relatively easily.
- When Small Organisations purchase any new user devices, they should configure them immediately with the appropriate security configuration settings. The longer they are not correctly configured, the longer the opportunity for attackers take advantage. The settings in question include those explored later.
- New devices often come with pre-installed software, some pre-installed software has been known to be vulnerable and not updated by the vendor. In some cases, the pre-installed software has been spyware. For work devices, an organisation should only have software that has been authorised for use for the organisation and the individual user.
- In many new devices the default user is pre-configured to be the administrator, where the user starts to use the device as the administrator rather than to set up a non-administrator account, they make it easier for attackers to install malware. This is because only administrative accounts can install applications.
- Also, in new devices there is often a pre-configured guest account, such accounts have been known to be used to compromise the device, as the default for such accounts is that they don’t have any password set for them.
- For many Small Organisations, when setting up a machine they may not necessarily create a new device specific password on administrative accounts in the belief that there is great trust between the small number of employees; so, this can be done much later on. What is missed in such assumptions is that while an administrative account is used anyone can install new applications and without a password, including the installation happening remotely when visiting a webpage with malware on it.
- Apart from not having a device specific password the other related issue is that the password does not conform to current guidance on strong passwords, thus making easy for guessing or cracking.
- As with network gateway devices, at the first sign of a compromise, the passwords should be changed. However, the natural thinking is that there hasn’t been a compromise, and without the right tools in place to verify this, there is a tendency to be over optimistic and assume everything is OK.
- The element of trust in Small Organisations in relation to devices often extends to not setting up a block after a certain number of failed login attempts. This makes it easy for an attacker to be able to continue to try as many passwords as they like.
- As a legacy setting from the days when portable media was more important than it is now, many devices may still come with a default setting which enables the automatic installation or running of any apps on a CD/DVD, USB or memory stick. This has been used as an easy way for anyone with access to a device to install any rogue software of their choosing.
- One of the other difficulties with all devices and not just new devices, is that the required configuration settings are not applied consistently across every device before it is allocated to an individual user.
- We have seen some Apps which are not regularly updated by vendors to have been attacked and have malware inserted in them. So that when the vendor roles out the update, it goes onto all devices automatically on the belief that the update is going to be trusted by all.
As with network gateway issues, these are very easy to fix to enable an Organisation to comply with this section. Although, we have given the examples related to new devices, because that is where we see the issues originate, the issues may apply to any device regardless of how old it is.
Scoping Devices for Certification
There are many aspects that are not required by the Certification, especially related to the new Work from Home changes we have seen and mentioned in the last episode. However, despite not being questioned, it doesn’t mean that Organisations shouldn’t consider them as good practice while the Organisation is giving this topic attention.
What we mean by this is that, although IASME provided clarification of what is considered Home Working and what network gateway devices should be included when responding to questions, to benefit fully from this exercise of reviewing security, it is probably worth considering better wider security devices and practices. So, although there is not requirement for Cyber Essentials Certification to include beyond what it states, the Organisation can still copy the practice in many larger organisations, which is to ensure that any device which is used to access, view, process, etc. to at least meet the minimum-security configuration settings.
For a Small Organisation, this could mean that it considers all devices owned by directors to be in scope, or if it wants to go further than that, to consider any employee devices in scope regardless of whether they are personal or not.
As already mentioned, this is not a requirement, but greatly improves the security posture of the Organisation. When deciding whether or not it is relevant or do this sooner rather than later, could depend on the business sector, the type of processing the organisation undertakes, the type of data which may regularly be accessed. For example, any organisation providing care or personal services, and dealing with personal or sensitive data may want to consider the wider view of device scope with the aim of improving security rather than take a narrower approach just so that it can comply.
Each Organisation should decide what is best for the work that it does, and we are not suggesting that every Organisation should be as rigorous in its first attempt to comply with the Certification; basically, just do what is right for your Organisation and the work it does. As security professionals we will always recommend a risk-based approach, which sometimes may mean doing comparatively less, or comparatively more, but the goal being to manage the risk specific for your Organisation’s needs.
This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.
The questions relating to the secure configuration section of the Cyber Essentials submission enable a business to demonstrate that every device is locked down from the outset as a new devices is commissioned for a user, and that it continues to be configured appropriately for each user throughout its life. As with the previous section, most of the questions relating to this section provide obvious information as to what is required to comply.