Secure configuration is one of the five key controls mandated by the UK Government’s Cyber Essentials scheme. It refers to security measures that are implemented when building and installing computers and network devices in order to reduce unnecessary cyber vulnerabilities.
Why is secure configuration important?
Failure to manage the proper configuration of your servers can lead to a wide variety of security problems. In particular, it can enable rogue agents to easily detect vulnerabilities with common security scanning tools. Once detected, vulnerabilities can be exploited very quickly and result in the total compromise of a system or website, including databases and corporate networks.
A data breach suffered by US health insurance provider Premera Blue Cross in March this year led to the compromise of 11 million customer records, bringing to light issues related to secure configuration.
According to Help Net Security, the audit found that “some patches were not being implemented fast enough”, “a vulnerability scan found insecure server configurations”, and “they had no documented baseline system software configurations, which prevented an effective audit of its security configuration settings”.
How is secure configuration achieved?
Here are some tips on secure configuration based on the 10 Steps to Cyber Security guidance and the Cyber Essentials scheme. Following them will minimise risks when installing computers and network devices.
- Develop a consistent software installation and configuration management process or system. This should be supported by documented corporate policies and procedures.
- Remove or disable unnecessary functionality from ICT systems, and keep them patched to eliminate known vulnerabilities.
- Avoid using default passwords for your systems and devices.
- Don’t install unnecessary software on networks and servers.
- Assign proper file and directory permissions, and remove unnecessary access privileges from user accounts.
- Disable auto-run features that operate without first obtaining administrator consent, as these can trigger the installation of malware.
- Install personal firewalls on all devices, including mobile devices.
- Review and update your configuration management system frequently.
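Several of the items above (a documented configuration process, no unnecessary software or functionality, proper file permissions) can be checked mechanically once a baseline is written down. The following Python example is added here and is not part of the original guidance or the Cyber Essentials scheme; the baseline contents, package and service names, and file paths are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed baseline: the documented, approved configuration for one server role.
BASELINE = {
    "packages": {"openssh-server", "nginx", "chrony"},
    "services": {"sshd", "nginx", "chronyd"},
    # Most permissive mode each file may have (path relative to the audited root).
    "max_modes": {"etc/app.conf": 0o640, "etc/ssh_key": 0o600},
}

def audit(packages, services, root, baseline=BASELINE):
    """Return sorted (category, item, detail) deviations from the baseline."""
    findings = []
    for pkg in packages - baseline["packages"]:
        findings.append(("unapproved-package", pkg, "remove, or document in baseline"))
    for svc in services - baseline["services"]:
        findings.append(("unapproved-service", svc, "disable, or document in baseline"))
    for rel, max_mode in baseline["max_modes"].items():
        try:
            mode = stat.S_IMODE(os.stat(os.path.join(root, rel)).st_mode)
        except FileNotFoundError:
            findings.append(("missing-file", rel, "expected by baseline"))
            continue
        if mode & ~max_mode:  # any permission bit beyond what the baseline allows
            findings.append(("excess-permissions", rel,
                             f"{mode:04o} exceeds {max_mode:04o}"))
    return sorted(findings)

def demo():
    """Audit a constructed host snapshot built in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        for rel, mode in (("etc/app.conf", 0o666), ("etc/ssh_key", 0o600)):
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        # Constructed observed state: telnet was installed and enabled outside the process.
        return audit({"openssh-server", "nginx", "chrony", "telnetd"},
                     {"sshd", "nginx", "chronyd", "telnet"}, root)

if __name__ == "__main__":
    for category, item, detail in demo():
        print(f"{category:20} {item:14} {detail}")
```

In practice the observed package and service sets would come from the host's package manager and service manager rather than from literals, and the findings would feed the periodic review of the configuration management system.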
If you want to learn more about Cyber Essentials’ five key controls and how to implement them correctly, read Cyber Essentials – A Pocket Guide. It is a non-technical explanation of Cyber Essentials, making it easy for anyone to understand the scheme and how to meet its requirements.
Cyber Essentials certification
Launched in 2014, the government’s Cyber Essentials scheme aims to help organisations better manage the variety of business issues introduced by the growing number of cyber threats.
Certification to the scheme will demonstrate to your customers and business partners that fundamental cyber security measures are in place, and provide evidence of your organisation’s security posture.