IASME is the National Cyber Security Centre’s partner for the delivery of the Cyber Essentials scheme, and we are firm believers in the five core controls which are the basis for this scheme and encapsulate foundational cyber security best practice.
One thing is certain: if you are going to do cyber security right, you have got to get the basics right first.
The risk of using legacy and unsupported software
Unsupported software is a key target for cyber attacks. Known vulnerabilities in unsupported software that are left unpatched are easy targets for hackers, who create programmes and services that make them easy to exploit, even for criminals with low levels of technical expertise.
Software and firmware are supported by the manufacturer for a period of time after they have been developed; this can range from two to eight years depending on the manufacturer. This support means that if a mistake or weakness in the code, known as a vulnerability, is discovered, the manufacturer will address it with an update or patch which fixes the problem before it can be exploited by cyber criminals.
All critical and high security updates must be applied within 14 days; the easiest way to achieve this is to enable ‘automatic update’ on all your devices.
For some larger organisations, there is a concern that some software updates may stop other software from working or cause some features to break. Most IT teams in larger organisations aim to fully test each update on a controlled sample of devices, before applying it company-wide.
It is always a good idea to have backups of your data before updating.
The National Cyber Security Centre has some useful guidance on installing software updates without breaking things.
Create an asset register
Knowing which devices access your organisational data and which software and firmware you have is really important. Keeping a documented inventory of your devices, software, firmware as well as the cloud services you use is sometimes referred to as an asset list.
Maintaining an asset inventory helps to track which software you have in use in your organisation and when it becomes unsupported or is no longer receiving security updates.
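The two checks an asset register is meant to support, end of vendor support and the 14-day window for critical and high updates, can be scripted against the register itself. This is an added example, not IASME or NCSC code; the Asset fields, products and dates are constructed for illustration.

```python
# Added example: review an asset register for software past its support
# end date and for critical/high updates outstanding beyond 14 days.
# All products, devices and dates below are constructed, not real.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 14  # critical and high updates must be applied within 14 days

@dataclass
class Asset:
    device: str
    software: str
    support_ends: Optional[date]             # None: vendor has announced no end-of-support date
    oldest_pending_critical: Optional[date]  # release date of the oldest unapplied critical/high update

def unsupported(assets, today):
    """Assets whose software is past its vendor support end date."""
    return [a for a in assets if a.support_ends is not None and a.support_ends < today]

def overdue_updates(assets, today):
    """Assets with a critical/high update outstanding for longer than the patch window."""
    deadline = today - timedelta(days=PATCH_WINDOW_DAYS)
    return [a for a in assets
            if a.oldest_pending_critical is not None and a.oldest_pending_critical < deadline]

def report(assets, today):
    """Return (device, finding) pairs for a register review on the given date."""
    findings = []
    for a in unsupported(assets, today):
        findings.append((a.device, f"{a.software} unsupported since {a.support_ends}"))
    for a in overdue_updates(assets, today):
        days = (today - a.oldest_pending_critical).days
        findings.append((a.device, f"{a.software} critical update outstanding for {days} days"))
    return findings

# Constructed sample register and review date
REVIEW_DATE = date(2024, 3, 25)
REGISTER = [
    Asset("LAPTOP-01", "ExampleOS 12", date(2026, 1, 31), None),
    Asset("SERVER-02", "ExampleDB 5.1", date(2023, 6, 30), None),
    Asset("LAPTOP-03", "OfficeSuite 2021", None, date(2024, 3, 1)),
    Asset("ROUTER-01", "Router firmware 7.2", None, date(2024, 3, 20)),
]

if __name__ == "__main__":
    for device, finding in report(REGISTER, REVIEW_DATE):
        print(f"{device}: {finding}")
```

Run against a real register exported from your inventory tool, the same two functions give the list of systems to replace, patch, or segregate.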
Segregate your network
Continuing to use software after it becomes unsupported, perhaps because of the financial implications of replacing it, is one of the most common reasons that an applicant fails Cyber Essentials.
If an unsupported or legacy piece of software must continue to be used in an organisation, could those vulnerable systems be segregated via a firewall or VLAN onto a closed network? This could keep it safely out of scope of the assessment and separate from the financial and business data systems of your organisation.
Cloud services are not secure by default
Today, most organisations use some elements of cloud computing; others have migrated their entire IT infrastructure off premises into the ‘cloud’ (Infrastructure as a Service or IaaS). A particularly attractive feature of cloud service tools and applications is that they are highly scalable and easy to access remotely.
Cloud computing allows for flexible and collaborative use of a resource without having to make the large outlay for ever-changing technology. Yet despite these incredible benefits, there are some serious security concerns. If professionals and customers can access data over the internet from any location, so can criminals.
Most cloud providers (e.g. Amazon Web Services, Microsoft Azure, Google Cloud Platform) attempt to create a secure cloud for customers and aim to prevent breaches and maintain public trust. However, they cannot control how their customers use the service, what data they add to it, and who has access.
Most data breaches in the cloud are a result of badly configured accounts and interfaces with the most common cause being weak, default or stolen passwords.
This highlights how important it is that all cloud services are set up correctly and have the essential security controls in place. Organisations should have a comprehensive password policy applicable to all employees and contractors. According to research by Microsoft, there are over 300 million fraudulent sign-in attempts to their cloud services every day, and they also estimate that 99.9 per cent of attacks can be blocked simply by using multi-factor authentication. Enable multi-factor authentication on all accounts accessible over the internet.
Understand the shared responsibility model with cloud services
When talking about security, cloud service providers often reference a ‘shared responsibility model’. This means that for some security controls, it is the cloud service that is responsible for implementation whereas for other features, it is the user organisation. Who implements which controls will vary depending on the design of the cloud service being subscribed to.
Where an organisation uses Infrastructure-as-a-Service products, such as Microsoft Azure, Rackspace, Google Compute Engine, or Amazon EC2, they access virtual machines (VMs), storage, networks, and operating systems over the internet that are located on part of a server in a data centre. Despite the computing infrastructure being provided remotely by the cloud service provider, all of the security and backups of what runs on it are the user organisation’s responsibility.
Do your due diligence on your Cloud Service Provider
It is crucial to research the company that hosts the cloud service and looks after the computers which hold your data. Many data centres are kept up to date and secure, but this cannot be taken for granted, as some do not understand or value security. It is essential that the user organisation researches the security controls used by the cloud service provider before entrusting organisational data to that service.
Account separation
Another common cause behind a cyber breach is users using local admin accounts for everyday tasks.
It is best practice that all staff use a standard user account to carry out their normal day-to-day work, and that a separate administrator (admin) account is used to install and remove software and for other administrative tasks. Admin accounts typically have the greatest level of access to information, applications and settings and will cause the most damage if accessed by attackers. An attacker will have the same privileges as the account that you have used to log in and, if that is an admin account, they will be able to perform actions such as installing malicious software, deleting files and accessing sensitive data. For this reason, administrative accounts must be restricted, kept track of and not used to carry out everyday tasks.
Did you know the first account that is set up on Microsoft 365 by default is a global admin? These accounts will have full power to configure and change the settings and controls of everything in your organisation’s account. If this account is set up without the necessary security controls and then hacked, an attacker could access your whole system and possibly take all the data out of the organisation.
The huge control panels within the admin centre for a cloud service in Microsoft or Google can be a daunting prospect, and anyone setting up accounts will need to set role assignments, groups and permissions to each account as well as passwords and multi-factor authentication. This is the same whether you are a large enterprise or a micro organisation and therefore expert guidance in configuring these settings may be a necessity.
Close the Remote Desktop Protocol port
Remote Desktop Protocol enables a user of a computer in one location to access a computer or server somewhere else. This is often used by technicians to support users and to carry out maintenance tasks.
Remote Desktop Protocol (RDP) is a common attack vector for ransomware and should not be exposed or accessed across the internet.
Close or block the RDP port at the firewall so that it is not open for use across the internet. Where possible, rather than using remote connections, utilise cloud services such as OneDrive or Google Drive.
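A quick way to confirm the RDP port is actually closed at the perimeter is to audit the inbound rule set for anything that still allows TCP 3389 from an internet-routable source, including wide port ranges and all-protocol rules that cover it without naming it. This is an added example, not IASME or NCSC code; the rule dictionaries and their field names are an assumption modelled on a typical firewall or security-group export, and the addresses are constructed.

```python
# Added example: audit inbound firewall rules for RDP (TCP 3389) exposed to
# the internet. Rule field names and all addresses below are constructed.
import ipaddress

RDP_PORT = 3389
# Address space treated as internal; anything outside it is reachable from the internet (assumption)
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]

def rule_covers_rdp(rule):
    """True if the rule's protocol and port range include TCP 3389 (all-protocol rules count)."""
    if str(rule.get("protocol", "")).lower() not in ("tcp", "all", "any", "-1"):
        return False
    low, high = rule.get("from_port", 0), rule.get("to_port", 65535)
    return low <= RDP_PORT <= high

def source_is_internet(cidr):
    """True unless the source range sits wholly inside internal, loopback or link-local space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in LOCAL_NETS)

def exposed_rdp_rules(rules):
    """Allow rules that let RDP in from an internet-routable source."""
    return [r for r in rules
            if r.get("action", "allow") == "allow"
            and rule_covers_rdp(r) and source_is_internet(r["source"])]

def exposed_rule_names(rules):
    return [r["name"] for r in exposed_rdp_rules(rules)]

# Constructed sample rule set
RULES = [
    {"name": "rdp-from-office", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "source": "10.20.0.0/16"},
    {"name": "rdp-anywhere", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
    {"name": "wide-range", "protocol": "tcp", "from_port": 3000, "to_port": 4000, "source": "198.51.100.0/24"},
    {"name": "all-from-vpn", "protocol": "all", "source": "192.168.1.0/24"},
    {"name": "https-anywhere", "protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"name": "rdp-deny", "action": "deny", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name in exposed_rule_names(RULES):
        print(f"FINDING: rule '{name}' allows RDP (TCP {RDP_PORT}) from the internet; block it at the firewall")
```

Note that the "wide-range" rule is flagged even though it never mentions 3389, which is the case a manual review most often misses.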
Review the cyber security of your organisation against the five controls of Cyber Essentials with the free online Cyber Essentials Readiness Tool. The process of working through the questions will inform you about your organisation’s level of cyber security and what aspects you need to improve. Based on your answers, you will be directed towards relevant guidance and a tailored action plan for your next steps towards certification.