A recent Tripwire Foundational Security Controls survey of 706 IT professionals and executives in the US and UK looked at the state of five key foundational security controls. Beyond the finding that UK professionals are more pessimistic than their US counterparts, several results specific to the UK stand out:
- 70% of UK IT professionals said they were ‘confident’ that all of the devices running on their networks were authorised.
- 68% were ‘confident’ that only authorised software was running on their networks.
- 36% were ‘very confident’ in their vulnerability management programme.
- 32% were ‘very confident’ in their patch management programme.
- 47% were ‘confident’ in the secure configuration of routers, firewalls and modems.
- 27% were ‘not confident’ in the secure configuration of any devices on their network.
The foundational controls covered by the survey include the following:
- Accurate and complete hardware and software inventory.
- System hardening through secure configurations.
- Patch and vulnerability management programmes.
The importance of implementing these foundational controls is demonstrated by the United States Computer Emergency Readiness Team (US-CERT) report, which stated that 96% of successful data breaches could be avoided if simple or intermediate security controls were implemented.
The majority of attacks are considered to be of a low-skill level, in which script kiddies and the like use purchased and free tools to run simple scans and exploit common vulnerabilities. These tools are often point-and-click automated scanners and exploitation toolkits that can operate from botnets. This has caused the whole of the IP address space to be scanned, meaning that ‘security through obscurity’ or ‘I’m too small for a hacker to bother with’ is an inadequate excuse for poor security.
In the UK, the government’s Cyber Essentials scheme mandates the following basic technical cyber protection controls to protect against such attacks:
- Boundary firewalls and Internet gateways
- Secure configuration
- User access control
- Malware protection
- Patch management
The Cyber Essentials scheme was launched in June this year. It is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber attacks. The scheme is administered by the government via accreditation bodies who in turn appoint certification bodies.
The scheme consists of two levels of certification:
- Level 1 – Cyber Essentials: verified self-assessment
- Level 2 – Cyber Essentials Plus: independently tested
For organisations using a certification body accredited by CREST (one of the government-appointed accreditation bodies), the testing procedures are as follows.
Level 1 – Cyber Essentials: verified self-assessment
An organisation must demonstrate its compliance by submitting to a certification body a questionnaire signed by an authorised signatory of the organisation; the certification body then scores the questionnaire. The organisation must also undergo an external vulnerability assessment conducted by the same certification body.
Level 2 – Cyber Essentials Plus: independently tested
The organisation must complete level 1 as above, and then undergo an internal security assessment of end-user devices.
Both levels are a ‘moment in time’ snapshot of the assessed organisation; they do not provide assurances that controls will continue to be implemented correctly or that the systems are configured to defend against more skilled attacks.
IT Governance Cyber Essentials results
IT Governance has conducted a number of Cyber Essentials certifications, and our initial results show that the success rate for applicants is 88%. Of those that pass, 35% have no action points reported.
Action points are observations identified by the certification body that the applicant should review and remediate to improve its security posture.
The most common action points relate to the configuration of the external infrastructure that is tested as part of a level 1 Cyber Essentials certification.
Of the organisations that undergo a Cyber Essentials certification, there is an almost even split between level 1 and level 2 certifications (47% level 1 and 53% level 2).
Time will tell whether the Cyber Essentials scheme will reduce attacks, but it is a foundation for an information security plan, and organisations can build on it with controls from ISO 27001 or the PCI DSS to provide more detailed protection against specific attacks and against threats to high-risk, high-impact information.
Penetration testing is used in soil testing to ensure the foundations of buildings are not going to be affected by liquefaction when an earthquake strikes; in information security, we use penetration testing to ensure good foundations for cyber defence. Standards that include penetration testing are used by information security professionals to ensure that the implemented security controls are sound and are likely to survive common security attacks.