
Cyber Essentials Certification - Gateways & Firewalls


An Organisation’s Internet Gateways (mainly routers and firewalls) are usually packaged in with modems as single devices and enable access to the Internet. Firewalls help control the flow of data coming into and out of an Organisation. Together these devices play a big role in the security of a Small Organisation’s network.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also available in video and podcast form.


Introduction

This is the second in the series specifically about certifying in the Cyber Essentials Basic Self-Certification Scheme; the first episode was a general introduction and focussed on answering questions about the Scheme and the Certification scope. This episode delves into the first set of controls, which is Internet Gateways and Firewalls.

An important point to keep in mind is that one of the aims of Cyber Essentials was to stop 80% of the most common low-level attacks to any Organisation of any size. So, although the Certification is considered to be useful for Smaller Organisations, its coverage is relevant for any Organisation.

In the open access public section of this episode, we cover the common network issues that Cyber Essentials Basic aims to address, and why scoping these is important for succeeding in achieving the Certification.

Default sample awareness and knowledge infographic

Common Network Issues Cyber Essentials (Basic) Addresses

There are many technical issues that network devices like routers and firewalls are able to deal with, but if we set most of those aside we are left with a set of non-technical, low-knowledge practices which Organisations of all sizes should have in place. It is these that Cyber Essentials covers, since it doesn’t enforce the application of any particular technical firewall rules.

We’re going to look at this topic by exploring a combination of what people get wrong and what attackers try to exploit, which includes the following:

  • A default known documented router administrator password – although this has changed for most devices, as vendors no longer use a single password for every device they produce, it hasn’t changed for all routers. There was a time when every router came with a default, known and documented administrator password, which made it easier for attackers to attack the device both locally and remotely. Today Internet Service Providers (ISPs) will often supply routers with a unique password (or at least one drawn from a very large list), but these details are usually printed on a sticker on the bottom of the device or somewhere similar. So, although it is good that there is no longer a single password for all device models from a particular vendor, the fact that users often still leave the password the device came with is not good.
  • The changed password is not a secure password – users may change the password, but the new one is often not long or complex enough to resist attacker tools.
  • Not changing the password even if there may have been a suspected compromise – some users believe that no one is interested in them, their lives or their Internet connectivity, and therefore that they do not need to worry about being attacked. On the whole this may be true, but it is also true that the Internet is continuously being probed by automated tools, some owned by governments, others by telecommunications companies, security vendors or security researchers, and others by criminals looking to identify easy-to-crack routers. So it is likely that at least one of the automated services probing every IP address every day will be able to spot, with ease, an IP address that is running a particular vulnerable device or service.
  • Default services on routers may be pre-configured to be on for home users but are not required for workplace networks – domestic needs for gaming, streaming, peer to peer networking are not the same as a workplace network. There are many services routers have built into them, some of which open the router or the network to attacks.
  • Workplace routers should be configured for the workplace – this sounds obvious but is often not the case, due either to the assumption that devices come ready secured for use, or to a lack of the basic knowledge needed to make the necessary configuration changes. A router has often been likened to the doors and windows of a house; these must be configured to securely let the right people in through the door and air in through the windows at the right times of the day and throughout the year. An unconfigured router may have vulnerable, unnecessary or misconfigured services running, rather than what the Organisation actually needs.
  • Broadcast services are not blocked – basically, there are some services which will regularly inform anyone listening that they are open to communication. These services are not always on the router itself but are also not blocked by it, for example services running on network devices like surveillance cameras, which have a web server that may be announcing to the world that it is happy to broadcast its images. So, the router can be used to block not only its own built-in services, which may be vulnerable, but also anything else on the network.
  • Any changes made to a workplace router should be documented – apart from it being good practice, documentation helps someone who knows what should and should not be running to very quickly identify what configuration changes need to be made.
  • The firewall built into the router is often not configured to be of any use for blocking any traffic in or out – firewalls are there to help block traffic both coming in and going out. Not configuring the firewall is like having extra locks on your doors and windows but not using them.
  • Forgetting that a router or firewall contains a computer and needs firmware system updates to fix known vulnerabilities.
  • The router or firewall is not set to block remote configuration – most small organisations are unlikely to be in a situation where they regularly need to configure their devices remotely. Enabling remote configuration opens up one more attack point for attackers, who are more likely than the user to know what they are doing.
  • Where remote configuration or administration is enabled, it doesn’t utilise two-factor authentication. Although remote administration should not be enabled, where it is essential for the organisation to have this service, it should not be easy for attack tools to break into these devices using just a password.
  • Built-in software firewalls on devices should be enabled – often users don’t like having to teach the firewall what is good and bad traffic and end up turning it off. Turning off firewalls reduces the level of protection that is actually there and available for free.

The interesting thing about many of these mistakes is that most non-technical people can fix them without difficulty.
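To make the checklist above concrete, here is an added example (written for this edit, not code from the SaRB for SMOs article, IASME or any router vendor) that audits a router or firewall configuration against the points just listed and compares a home-default setup with the same device configured for the workplace. The configuration fields, the service names such as `upnp` and `wps`, the list of factory-default passwords, and the password-length and firmware-age thresholds are all assumptions made for this example and are not figures taken from the Cyber Essentials scheme.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed list of common factory-default passwords (assumption, not from the article).
COMMON_DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}

# Workplace allow-list of router services (assumption for this example).
# Anything enabled outside this set is flagged as a home/gaming-style extra.
WORKPLACE_SERVICES = {"dhcp", "dns_forwarder", "ntp"}

# Thresholds chosen for this example; Cyber Essentials does not set these numbers.
MIN_PASSWORD_LENGTH = 12
MAX_FIRMWARE_AGE_DAYS = 90


@dataclass
class RouterConfig:
    """Minimal model of an exported router/firewall configuration (constructed)."""
    admin_password: str
    label_password: str          # the password printed on the device sticker
    remote_admin_enabled: bool
    remote_admin_2fa: bool
    firewall_enabled: bool
    enabled_services: set[str]
    firmware_date: date          # release date of the installed firmware
    change_log: list[str] = field(default_factory=list)


def password_is_weak(pw: str) -> bool:
    """Too short, or fewer than three character classes (thresholds are assumptions)."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return len(pw) < MIN_PASSWORD_LENGTH or classes < 3


def audit(cfg: RouterConfig, today: date) -> list[str]:
    """Return one finding code for each checklist point the configuration fails."""
    findings: list[str] = []
    # Default password still in use: either the sticker value or a well-known default.
    if (cfg.admin_password == cfg.label_password
            or cfg.admin_password.lower() in COMMON_DEFAULT_PASSWORDS):
        findings.append("default-password-unchanged")
    elif password_is_weak(cfg.admin_password):
        findings.append("weak-admin-password")
    # Remote administration should be off; if it must be on, it needs a second factor.
    if cfg.remote_admin_enabled:
        findings.append("remote-admin-enabled")
        if not cfg.remote_admin_2fa:
            findings.append("remote-admin-without-2fa")
    if not cfg.firewall_enabled:
        findings.append("firewall-disabled")
    # Home-oriented services the workplace does not need.
    for svc in sorted(cfg.enabled_services - WORKPLACE_SERVICES):
        findings.append(f"unneeded-service:{svc}")
    # The router is a computer and needs firmware updates.
    if (today - cfg.firmware_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware-out-of-date")
    # Any change to a workplace router should be documented.
    if not cfg.change_log:
        findings.append("changes-undocumented")
    return findings


AUDIT_DATE = date(2021, 6, 1)   # fixed so the example is reproducible

# Constructed "as shipped for home use" configuration.
HOME_DEFAULT = RouterConfig(
    admin_password="admin",
    label_password="admin",
    remote_admin_enabled=True,
    remote_admin_2fa=False,
    firewall_enabled=False,
    enabled_services={"dhcp", "dns_forwarder", "upnp", "wps"},
    firmware_date=date(2020, 1, 15),
)

# The same device after being configured for the workplace (constructed values).
WORKPLACE_HARDENED = RouterConfig(
    admin_password="Mill-Lane-Office-2021!",
    label_password="admin",
    remote_admin_enabled=False,
    remote_admin_2fa=False,
    firewall_enabled=True,
    enabled_services={"dhcp", "dns_forwarder"},
    firmware_date=date(2021, 5, 20),
    change_log=["2021-05-20: firmware updated, UPnP/WPS disabled, remote admin off"],
)

if __name__ == "__main__":
    for name, cfg in (("home default", HOME_DEFAULT), ("workplace", WORKPLACE_HARDENED)):
        print(f"{name}: {audit(cfg, AUDIT_DATE) or 'no findings'}")
```

Running the block prints eight findings for the home-default configuration and none for the workplace one. The point of the structure is that each bullet in the list above maps to one small, mechanical check, which is why these issues are fixable by non-technical staff once they know what to look for.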

Impact of Enforced Work from Home and Return to Offices

We have to acknowledge the fact that we are covering this topic at a time when the world is considering coming out of lockdown. At the moment we are not aware of any changes to Cyber Essentials with the forced home working for many employees in most organisations. Any organisation which only had office-based employees before the pandemic and is seeking to comply with all employees working from home now will be impacted by any changed advice.

We put the question to IASME about the impact of Home Working and what difference it will make to Cyber Essentials; the position for Home Working is as follows:

  • No requirement to list home routers - although many like us have continued to do so.
  • Homeworkers can rely on either the Home Router or Software firewall – although both are actually important for Office based working.
  • New Homeworking Definition:
    • 'Any employee contracted or legally required to work at home for any period of time at the time of the assessment, needs to be classed as working from home for Cyber Essentials' (Previously the homeworking definition was framed around a minimum number of hours that the employee would have to be working from home).

Default sample Threat Map infographic

Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more. 


Actions and Activities

Now, on SaRB for SMOs:

  • Help us to help you by completing our short poll on this topic (only available when article is published).
  • Let us know which FAQs you would like us to answer.

Later, in your Organisation:

  • Complete Board level Policy Review
  • Update Policy
  • Present to the Board for Agreement

Finally, if you know anyone who could benefit from the information you have viewed, please invite them to register for SaRB for SMOs and share our resources with them.

Follow-up Resources:

Virtually Informed Resources:

  • Glossary - at the top of this blog article (link to items).
  • Infographics (Downloadable in the week of publication).
  • Download Items - Policy Templates, etc. (Downloadable in the week of publication).
  • FAQs (Available soon).
  • Blog articles (link to items).
  • How To articles (links only available to Premium subscribers).
  • Other content (available soon)

External Resources:

  • Ponemon Institute Survey
  • Other Survey information

Images from https://www.pixabay.com.