Cyber Essentials - Secure your devices and software
This blog is the second in a series that will each address one of the five Control Themes
underpinning the NCSC Cyber Essentials accreditation program.
In my previous blog in this series, I looked into what is required to secure your internet connection. In this blog I will go through the steps needed to address the second Control Theme: secure your devices and software.
This Control Theme is focused on making sure that your organisation's IT equipment and the software running on it is correctly set up and configured to be as secure as it can be.
A term you may have seen used is 'attack surface'. This refers to the total number of points that an attacker might use to gain access to a computer system. These points of vulnerability fall into one of two categories: either a) vulnerabilities in the design and coding of the software running on the system, or b) vulnerabilities in the configuration of that software.
Any computer system that you have running is made up of operating system software and application software. Each line of code in all that software has the potential to be a security vulnerability of the first kind above. Of course, if all software were well written with no security bugs there wouldn't be a problem ... but as we all know, that is all too often not the case. So, quite logically, the more software you have installed, the more lines of code that might include a vulnerability are installed, and so the higher the risk. You are probably not able to identify these vulnerabilities, let alone 'fix' them.
Not all software can be accessed over the network; software that can be is usually referred to as providing a 'service', and it follows that software that provides a service is considered to be higher risk.
The only way to guarantee that your system does not have a vulnerability of this type is to remove all the software installed on it. Of course it would then be nothing more than an expensive doorstop.
The next best thing is to reduce the size of that 'attack surface'. The standard says that you must do this by removing or disabling any unnecessary software (this could be applications, system utilities and services provided by the system) on all your computer systems (including laptops, desktops, tablets and mobile phones as well as servers) and network devices (including firewalls, routers and any proxy devices).
To meet the standard, you will not only need to be able to say you have done this, but you will also need to have documented the process that you have followed to achieve it. This is also useful when you have to replace a faulty system or upgrade one, as it gives you a repeatable process that is easy to follow.
But even where a software service has been very well written, and is (potentially) very secure, it is often the case that appropriate configuration is required to make it secure and conversely that the wrong configuration can leave it vulnerable.
A common configuration vulnerability is 'auto-run' or 'auto-play' settings on computers, where the system is set to automatically run software it finds on removable media connected to the computer (this could be a CD-ROM, a DVD-ROM, a removable hard drive, a thumb drive, an SD card or a micro-SD card).
This is known to have been used by hackers to target organisations. They leave a thumb drive outside an office building and a staff member sees it and thinks, "I'll just plug this into my computer, see what is on it, and then I might be able to return it to the correct owner..." Unfortunately, if 'auto-run' is active then the malicious software on the drive is invisibly executed and the hacker has got malware onto your internal network.
You must always disable 'auto-run' or 'auto-play' settings on all servers, desktops and laptops.
Another common configuration vulnerability that is easy to avoid occurs when a 'default' account and password are predefined in the software to allow access to a service or to a hardware device. If that default configuration is left unchanged, then the wily hacker doesn't really need to be wily at all - she just needs to know the default account details. In some cases a default account will have a very simple password defined (e.g. 'password'); the hacker just has to try a few common passwords to get access.
You need to delete or disable any unnecessary user or administrative accounts. This could include guest accounts or generic administrative accounts that won't be used (because, of course, administrators in your organisation will get individual administrative accounts!).
You need to make sure that passwords are good enough. This means that for all accounts still on your devices the passwords should be 8 or more characters in length and not easy to guess.
In practice, 8 characters is enough to meet the standard, but I would recommend at least 12 characters. Many systems have the ability to enforce a minimum password length, and some can also use a password blacklist that lets you specify passwords that are too simple or common (and therefore easy to guess) and then blocks them. Remember that enabling these sorts of technical controls only forces a user or administrator to choose a suitably long and hard-to-guess password the next time they change it. So if you are retroactively carrying out these steps on systems that are already in use, you will also need to make sure they change their password on next login.
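The two points above (a length floor plus a blacklist, and the fact that enabling the control does nothing for passwords set before it) as an added Python example; this is illustrative code written for this post, not part of Cyber Essentials or any product. The blacklist, account names and dates are constructed, and the 12-character minimum is the recommendation given above rather than the standard's 8.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Constructed blacklist; a real one would be a large list of leaked and common passwords.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12", "letmein1234"}

MIN_LENGTH = 12  # recommended above; the standard itself requires 8


def password_is_acceptable(candidate: str, min_length: int = MIN_LENGTH) -> bool:
    """Length floor plus blacklist. Deliberately no upper bound on length."""
    if len(candidate) < min_length:
        return False
    # Case-insensitive so 'Password' is rejected along with 'password'.
    return candidate.lower() not in COMMON_PASSWORDS


@dataclass
class Account:
    username: str
    password_changed_at: datetime
    must_change_at_next_login: bool = False


def apply_policy_retroactively(accounts: List[Account], enforced_since: datetime) -> List[str]:
    """A new length/blacklist rule only bites when a password is next changed, so every
    account whose password predates enforcement is flagged for a forced change at next
    login. Returns the usernames flagged by this call."""
    flagged = []
    for acct in accounts:
        if acct.password_changed_at < enforced_since and not acct.must_change_at_next_login:
            acct.must_change_at_next_login = True
            flagged.append(acct.username)
    return flagged


def demo() -> List[str]:
    # Constructed sample: policy switched on 1 Jan 2024; alice's password predates it.
    enforced = datetime(2024, 1, 1, tzinfo=timezone.utc)
    accounts = [
        Account("alice", datetime(2023, 6, 1, tzinfo=timezone.utc)),
        Account("bob", datetime(2024, 2, 1, tzinfo=timezone.utc)),
    ]
    return apply_policy_retroactively(accounts, enforced)
```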
It is worth noting that many organisations force users to change their passwords regularly, but the NCSC recommends against this practice, as it forces users to remember a new password each time and so users instinctively choose passwords that are easier to remember, which also makes them easier to guess...
If you run any software that provides sensitive information (i.e. business critical or customer information that should not be made public) across the internet to staff, partners or customers, then this creates a number of potential vulnerabilities. To mitigate these issues there are a number of steps that the Cyber Essentials standard expects any organisation to take.
Firstly, and this may seem like stating the obvious: you must make sure that access to the service is restricted to those who can authenticate with a username and password, and that the password used by those accessing the service is hard to guess and at least 8 characters in length, with no upper limit on the length of the password.
Secondly, you need to have a documented password policy that guides users both in the selection and use of good passwords.
Thirdly, in the event that there is some reason to suspect that a user's or users' passwords may have been compromised, you need to have a documented process in place to enforce a change of password for the user or users who access the service. And of course the process must ensure that the new password is at least 8 characters in length and not easy to guess ...
This means that if a user's computer gets a virus, then their account should be disabled and only re-enabled after the infection has been removed and their password changed.
It also means that if a vendor issues a security advisory and patch for a system involved in providing the service, then you should be following the process for all users of the service.
Finally, you need to configure the system to stop brute force attempts to guess a password. This is where a hacker uses automated attack scripts to attempt to log in with one guessed password after another, until they guess the right one. Such scripts can in theory make tens of thousands of attempts in an hour, and hackers will try all the username and password combinations that experience tells them are most likely to succeed.
To meet this requirement, the standard requires that the system must either lock out a user account after ten or fewer unsuccessful login attempts, or limit the number of login attempts to no more than ten within five minutes. Either of these approaches will make it next to impossible for an attacker to try enough guesses to be able to reliably make the right guess.
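Both mechanisms the standard accepts, a lockout after ten consecutive failures and a cap of ten attempts per five-minute window, as an added Python example written for this post (not code from Cyber Essentials or any product). The clock is injected so the behaviour can be checked deterministically; a real service would also persist this state and log each refusal.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Set

WINDOW_SECONDS = 300     # "no more than ten attempts within five minutes"
MAX_IN_WINDOW = 10
LOCKOUT_THRESHOLD = 10   # "lock out after ten or fewer unsuccessful attempts"


class LoginThrottle:
    """Per-username tracking of login attempts; call attempt_allowed() before
    verifying a password and record() afterwards with the outcome."""

    def __init__(self, now: Callable[[], float]):
        self._now = now
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)  # attempt timestamps
        self._failures: Dict[str, int] = defaultdict(int)           # consecutive failures
        self._locked: Set[str] = set()

    def _prune(self, user: str) -> None:
        # Drop attempts that have aged out of the five-minute sliding window.
        cutoff = self._now() - WINDOW_SECONDS
        q = self._recent[user]
        while q and q[0] <= cutoff:
            q.popleft()

    def attempt_allowed(self, user: str) -> bool:
        if user in self._locked:
            return False                      # locked accounts stay locked until unlock()
        self._prune(user)
        return len(self._recent[user]) < MAX_IN_WINDOW

    def record(self, user: str, success: bool) -> None:
        self._recent[user].append(self._now())  # every attempt counts towards the window
        if success:
            self._failures[user] = 0          # a good login resets the consecutive-failure count
            return
        self._failures[user] += 1
        if self._failures[user] >= LOCKOUT_THRESHOLD:
            self._locked.add(user)            # needs an administrator (or timed) unlock

    def unlock(self, user: str) -> None:
        self._locked.discard(user)
        self._failures[user] = 0


if __name__ == "__main__":
    clock = [0.0]
    throttle = LoginThrottle(lambda: clock[0])
    for _ in range(10):                      # ten bad guesses one second apart ...
        throttle.record("alice", success=False)
        clock[0] += 1
    print("alice allowed:", throttle.attempt_allowed("alice"))  # ... and the account is locked
```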
If after reading everything above you’re thinking that it is all basic common sense stuff, then you’re right, it is. It is also often not done well, and is therefore like leaving the door open to hackers to traipse around in your systems doing whatever they want.
To make sure this is done, you must not only mandate it via appropriate policy, you also need to make sure that staff understand (via training programs) both the need for these steps and the processes to achieve them, and then you need to keep on checking that it is still being done. Only then will your systems be secured.
Updated: This post was updated to remove a reference to switches. The network equipment that may be in scope for Cyber Essentials is equipment that routes (layer 3) traffic to/from the internet and the internal computer systems in scope. Devices that are pure switches (layer 2 only) are not in scope, and neither are wireless access points (unless they also act as routers).