Cyber Essentials - Secure your Internet connection
This blog is the first in a series over the coming weeks that will each address one of the five Control Themes underpinning the NCSC Cyber Essentials accreditation program.
To remind ourselves, those themes are:
Secure your Internet connection
Secure your devices and software
Control access to your data and services
Protect from viruses and other malware
Keep your devices and software up to date
Security, whether it be cyber-security or securing a medieval castle, is generally best achieved by multiple layers of defence.
This approach is usually referred to as 'Defence in Depth'. An attacker has to force (or trick) their way through all the layers before they can get to the 'crown jewels'.
If you follow the five Control Themes at all times, then you will be setting up and maintaining the basic layers of defence needed for your organisation to have an effective defence-in-depth cyber-security strategy.
For a castle the outer defensive layer is commonly a moat with a drawbridge providing access to the castle via a portcullis or gate that allows soldiers to control who (and what) may enter.
For the cyber-security of organisations connected to the internet, this job is performed by a firewall or internet router and making sure that this is effectively doing its job is the focus of the first Control Theme for the Cyber Essentials program, 'Secure your Internet connection'.
Strictly speaking, an internet router (sometimes called an 'internet gateway', an 'internet firewall' or just a 'firewall') performs two functions: the first is to direct (route) traffic between the organisation's internal networks and the internet, and the second is to provide a security control point that restricts what traffic from the internet can pass into the organisation's internal networks (and vice versa).
The objectives for this Cyber Essentials Control Theme are to make sure that...
Your organisation has a firewall or firewalls (or equivalent devices, hereafter just 'firewalls') between the internet and your internal networks and devices.
The firewalls have been correctly configured so that they are secure.
The configuration of the firewalls' security policy (the 'firewall rules'), that controls which traffic can access your organisation’s internal networks and devices, is secure.
To meet the first objective, you need to have modern firewalls installed to police internet access to and from your organisation's internal networks and devices.
In the case where, for some reason, a device (e.g. a web server) cannot be situated behind your organisation's firewalls, it must have a host-based or 'software' firewall installed and configured.
This could be the 'native' firewall provided with your device's operating system (on Macs check the setting in the Security & Privacy section of System Preferences; on Windows laptops you can check this by going to Settings and searching for "windows firewall"), or you could use the software firewall that may be provided by your anti-virus software.
(You are using anti-virus or anti-malware software on all your devices and keeping it up to date … right? I'll talk about this further in a later blog.)
To meet the second objective, there are several steps that must be taken …
Firstly, the software or operating system for the firewalls must be kept up-to-date.
This means that any security patches from the vendor should be installed ASAP.
(The Cyber Essentials standard says that any patches rated high-risk or critical by the vendor must be installed within 14 days. If you've seen the latest high-profile vulnerabilities for Microsoft and Citrix, then you will realise why, when it comes to internet-facing services, security professionals think that 14 days is much too long...)
It also means that you need to make sure that your device(s) remain ‘in support’ so that you keep receiving security patches. If you haven’t been receiving security patch updates then you should look into this and make sure you are:
a. Covered by an ongoing support agreement that includes security patches
b. On the mailing list to receive notifications of security updates.
Secondly, the default passwords for any administrative accounts on the firewalls must be changed to something that is not easy to guess.
a. You need to do this even if the device comes with a 'unique' pre-configured password (e.g. a BT Hub).
b. The password must be more than 7 characters long (12+ is better).
c. It is a good idea to use a password manager to both generate a random password and securely store it - the NCSC page here has more:
Thirdly, you need to change the password again if you believe it may have been compromised, e.g. if there has been a virus on your system or if the manufacturer of the firewalls notifies you of a security weakness in their product.
To achieve Cyber Essentials accreditation you will need to have documented the process you follow to do this, and be able to provide that document (but NOT the passwords of course) to the certifying auditor.
Fourthly, the administrative interface of your firewalls (usually this is a web page for administering each device) should not be reachable directly from the internet (with or without the correct password).
If the administrative interface of your firewalls is available from the internet it must be further protected with either 2-factor authentication or by restricting such access to a trusted IP whitelist, and the business need for this access should be documented and approved by a business manager with appropriate authority.
Finally, to meet the third objective (maintaining a secure policy configuration) you need to take the following steps …
Firstly, the firewall must be configured by default to block all access inbound from the internet. To put it another way, all attempts at connection from the internet that are not specifically permitted (see below) must be denied.
Secondly, if you have any services running on a device on your internal networks (or on your firewalls) that should be accessible from the internet then your firewall rule configuration must be adjusted to allow that to happen.
Such a service could be a VPN server (sometimes an internal device, sometimes running on the firewall), or a web server providing a service that is accessible by your customers.
In such a case the firewall rules must be modified to allow the access (sometimes referred to as 'opening a port'), which potentially creates a security risk, so to be compliant with Cyber Essentials all technical details must be documented and the business case must be documented and approved by an authorised manager.
An additional point to look for here, especially for all-in-one internet/firewall gateways for the SOHO market, is to disable Universal Plug 'n' Play ('UPnP') in the configuration of the firewall. This is a protocol that allows an application on the internal side of the firewall to dynamically reconfigure the firewall to allow services through from the internet. The usual reason for enabling it is to support online gaming, but it can easily be abused …
Thirdly, a common source of security weakness occurs where a firewall rule change that was previously made to enable (permit) such a service is left in place after the service is no longer needed. The result is that access from the internet is still being provided to a device on your internal network that may no longer be appropriately configured and secured, either to provide that service or to defend against cyber-attacks that seek to exploit the access … this is bad!
To defend against this you must have a process in place to …
a. frequently review all firewall services/permissive firewall rules
b. confirm that all firewall services/permissive rules have a documented and approved business case that is still valid and approved
c. delete or disable all permissive rules that do NOT satisfy (b)
d. confirm that the firewall is still configured to block by default all unknown incoming
To gain Cyber Essentials accreditation you will need to have thoroughly documented this process, i.e. the documentation will need to describe when/how often you review the firewall services/permissive rules, who decides to keep or remove the services/permissive rules, who checks that it has been done, and how they check.
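As an added example (not from the original post or from the NCSC), the review steps (a) to (d) above, together with the default-block and "admin interface not reachable from the internet" points, can be turned into a repeatable check run over an export of the firewall's permissive rules. The rule fields, admin ports and sample rules below are constructed assumptions, not any vendor's export format.

```python
"""Audit a firewall's permissive rules against the review process above.

Each rule is a dict (constructed format, not a real vendor export) with:
  id, action ('allow'/'deny'), src ('any' or a CIDR), dport, service,
  business_case (reference of the documented case, '' if none),
  approved_until (ISO date the case was last approved as valid, or None).
"""

# Constructed sample export of inbound rules, not from a real device.
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "any", "dport": 1194, "service": "VPN",
     "business_case": "VPN-2023-01", "approved_until": "2025-06-30"},
    {"id": 2, "action": "allow", "src": "any", "dport": 443, "service": "Customer web",
     "business_case": "WEB-2022-07", "approved_until": "2023-01-31"},
    {"id": 3, "action": "allow", "src": "any", "dport": 3389, "service": "Old RDP test",
     "business_case": "", "approved_until": None},
    {"id": 4, "action": "allow", "src": "203.0.113.0/24", "dport": 8443,
     "service": "Firewall admin UI", "business_case": "ADM-2023-03",
     "approved_until": "2025-06-30"},
]
ADMIN_PORTS = {22, 8443}   # assumption: ports the firewall's admin interface listens on
DEFAULT_POLICY = "drop"    # assumption: the device's default inbound policy


def audit_rules(rules, default_policy, today):
    """Return a list of (rule_id, finding) tuples; an empty list means the
    rule set passes. 'today' is an ISO date string (ISO dates compare
    correctly as strings). Step (d) is the default-policy check; steps (b)
    and (c) are the business-case checks; the last check is the
    'admin interface not reachable from the internet' objective."""
    findings = []
    if default_policy != "drop":
        findings.append((None, "default inbound policy is not block/drop"))
    for r in rules:
        if r["action"] != "allow":
            continue  # only permissive (inbound allow) rules need a business case
        if not r["business_case"]:
            findings.append((r["id"], "no documented business case: disable or delete"))
        elif r["approved_until"] is None or r["approved_until"] < today:
            findings.append((r["id"], "business case approval expired: re-approve or remove"))
        if r["dport"] in ADMIN_PORTS and r["src"] == "any":
            findings.append((r["id"], "admin interface exposed to the whole internet"))
    return findings


if __name__ == "__main__":
    for rule_id, msg in audit_rules(SAMPLE_RULES, DEFAULT_POLICY, "2024-01-01"):
        print(f"rule {rule_id}: {msg}")
```

Run against the sample rules on 2024-01-01 it flags rule 2 (approval lapsed) and rule 3 (no business case), which are exactly the rules step (c) says to disable or delete.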
If this all sounds like a lot of work, experience suggests that scheduling regular reviews and documenting thoroughly actually makes it much easier to stay on top of it, and both makes your organisation more secure and makes gaining accreditation that much simpler and smoother.