Friday, 1 May 2015

Cyber Essentials Scheme explained

Cyber Security is of increasing importance to private companies, SMEs and organisations. Becoming certified against a cyber security standard can be proven a trivial task. Getting familiar with the Cyber Essentials Scheme might proven invaluable when it comes to the cyber security of a business/organisation and to obtaining government contracts. Becoming certified to a cyber security standard significantly lowers the risk of becoming the victim of a data breach. 

According to the Verizon Data Breach Investigations Report (2013-2015) most of the attacks require very little skill or experience to be carried out. Consequently, the UK government in order to roll out a basic level of security for protecting businesses against these widely spread cyber attacks (usually low-tech attacks) introduced the Cyber Essentials Scheme on the 1st of October 2014.

- What is the Cyber Essentials Scheme:
The Information Assurance for Small and Medium Enterprises Consortium (IASME), the Information Security Forum (ISF) and the British Standards Institution (BSI) have all been involved in the creation of the scheme. These bodies tried to create a scheme that will it be easy to implement taking under consideration that the cost for becoming compliant needs to be kept to the minimum. That way, becoming compliant with the Cyber Essentials Scheme and being certified wont be seen as an additional unnecessary cost to the business but rather a significant increase to their overall security posture. 

Most organisation might already have the controls in place in order to be certified. However, it is possible that even large organisation might not have covered every security requirement. Of course, the scheme only sets a basic level of protection against the threats and vulnerabilities seen daily. Organisation which tend to deal with more targeted attacks should consider creating a stronger apparatus. Keep in mind that the requirements are kept generic in order to apply to organisation of all sizes. Also, forthcoming changes in legislation are coming with the roll out of the EU Data Protection Regulation

Most cyber attacks we see in the UK are opportunistic untargeted attacks. Cyber criminals use widely available tools and known techniques to identify weak targets and exploit poor implemented security measures, systems with known weaknesses and vulnerabilities, organisations with lack of security awareness and the overstretched support and use of legacy systems. 

- The Requirements and Measures for the Cyber Essentials Scheme:
Before starting to panic it is essential to understand the different but yet common type of attacks which can be split into five categories: 
  1. Social Engineering
  2. (Distributed) Denial of Service (DDoS, DoS)
  3. Brute Forcing
  4. Physical attacks
  5. Exploitation of vulnerabilities
The Cyber Essentials Scheme focuses on the first three types of attacks by enforcing a set of requirements for basic technical protection against Cyber Attacks. These requirements are composed of five key measures which you need to have in place in order to be able to defend your organisations against this fast evolving landscape of cyber threats. 

These measures are as follows:
  1. Boundary firewalls and Internet gateways
  2. Secure configurations
  3. Access control
  4. Malware protection
  5. Patch Management
The aforementioned measures need to be applied to your IT infrastructure in scope. So, one of the important steps in becoming compliant is to correctly define what is in scope. It is understandable that sometime it is not possible to enforce a measure under specific circumstances. The scheme understands that and allows you to create compensating controls instead. 

Briefly, the "Boundary firewalls and Internet gateways" measure deals with the presence of your firewalls and their correct configuration. Segregation of the flat network is mandatory. Also, the firewalls, switches and gateways need to have the appropriate security configurations along with the use of strong passwords. Last but not least, the firewall rules in place must be tested for effectiveness, disallowing administrative interfaces to be accessible by unauthorised parties internally and/or externally. 

The "Secure Configurations" measure refers to what it is known as "system hardening". There are guides depending on what technology you are using which recommend the best security configurations for ensuring that hardware and software are properly configured. Consider looking into the guides published by the National Institute of Standards and Technology (NIST) or the Centre of Internet Security (CIS). As an example, any default accounts with default login credentials are the easiest way in for attackers along with legacy software being used, or not used any more but hasn't been removed yet, which has known security issues. 

The "Access Control" measure deals with the level of access (privileges) the users have on systems. Administrative accounts must not be used and should be tightly controlled. Employees need to be given accounts which have access to exactly what they need to access using the least privileges. Also, enforcing a strong password policy for users is mandatory along with an expiration date for accounts which are no longer going to be used after a specific period. 

The "Malware Protection" measure is trying to address the issue of dealing with all these different types of malicious software targeting your systems such as Viruses, Trojans, Worms, Scareware, Spyware, Adware, Ransomeware, etc. Obviously, this measure enforces the use of antivirus and antimalware solutions to all devices connected to the infrastructure (desktops, laptops, servers, mobile devices). Keep in mind that not only devices which connect to the Internet need to be protected against malware. Off-line systems are a potential target for malware which can be infected or infect other systems by the use of removable storage devices. Last but not least, any solution that you choose to protect the infrastructure from malicious software should also be able to blacklist access to website and online resources which have been reported as hosting malicious content/code.

The "Patch Management" measure focuses on keeping the software being used up-to-date. Vulnerabilities are being discovered almost in daily basis (e.g. Poodle, Shell Shock, SuperFish, Adobe Flash, etc.). It is mandatory to ensure that your systems are being updated and patched in regular intervals (it is suggested within 30 days). For any zero day (0day) threats you should update/patch as soon as possible (it is suggested within 14 days). From my point of view, any critical issues and 0day threats should be patched immediately. Make sure you stop using out-of-date systems for which support is no longer available and for which no security patches are being released. 

- Getting Certified:
Once you have defined what is in scope and implemented the five measures according to the Cyber Essentials requirements it is time to attempt certification. What that means is that you must choose a certification body. The certification body is an organisation which has been vetted by an accreditation body such as CREST or IASME. You can find a list of accredited certification bodies at the website dedicated for this purpose:

There are two categories for the Cyber Essentials Scheme. You can get certified to two different levels:
Cyber Essentials or Cyber Essentials Plus

The Cyber Essentials category is fairly simple. There is a self-assessment questionnaire that the appropriate person needs to fill out. The questionnaire is given to you by the certification body you choose. The CEO or someone at the board level must sign the declaration which states that you are in compliance with the requirements of the scheme and that the responses given in the SAQ are accurate. 

The Cyber Essentials Plus category is similar to the previous category with a more thorough check that what is in scope is secure. Effectively, the certification body will visit your premises and carry out test on your infrastructure, in order to verify that the Cyber Essentials controls and any compensating controls have been implemented correctly. 

Of course the certification is done in annual basis and it is in your best interest to maintain the certification status. 

Also, the Plus level of the certification is possible to give you a competitive advantage against the competition when bidding for projects. 

Further reading: Cyber Essentials Requirements 

No comments:

Post a Comment