The Cyber Essentials scheme is a world-leading assurance mechanism for organisations of all sizes to help demonstrate that the most critical cyber security controls have been implemented.
The controls will not stop the relatively uncommon attacker who targets your organisation with bespoke tools, but they can prevent 80% of common cyber threats.
To highlight the importance and usefulness of the Cyber Essentials scheme, we are producing a series of blog posts on each of its five security controls.
This blog post covers secure configuration: reviewing the settings of new software and devices, changing them where possible to raise your level of security, and disabling or removing any functions, accounts or services that you don't require.
Security misconfiguration: a common loophole targeted by criminal hackers
Security misconfigurations are one of the most common gaps that criminal hackers look to exploit. Both the SANS Institute and the Council on CyberSecurity advise that, after taking inventory of your hardware and software, secure configuration is the most important security control. Indeed, a recent report by Rapid7 highlighted that some kind of network or service misconfiguration is encountered in internal penetration tests more than 96% of the time.
To give some indication of the scale of the problem, here are some widely reported breaches attributed to misconfiguration:
- Equifax: 146 million names, 99 million addresses, 209,000 payment cards, 38,000 drivers’ licences and 3,200 passports exposed.
- Verizon: 6 million people’s data exposed, including names, addresses, phone numbers, PINs and other account details.
- Veeam: 4.5 million marketing data records exposed, including names, email addresses and IP addresses.
Secure your devices and software
Manufacturers often ship new software and devices with default configurations that are as open and multi-functional as possible: a router, for example, may come with a predefined password, and an operating system with a set of preinstalled applications.
Starting to use a new device or application with its default settings is easier and more convenient, but it is not the most secure option. Accepting the defaults without reviewing them can create serious security issues and give attackers easy, unauthorised access to your information.
Web server and application server configurations play a crucial role in cyber security. Failing to manage the proper configuration of your servers can lead to a wide variety of security problems. These could include:
- Unpatched security flaws in the server software;
- Server software flaws or misconfigurations that permit directory listing and traversal attacks;
- Improper file and directory permissions;
- Unnecessary services enabled, including content management and remote administration;
- Default accounts with their default passwords;
- Administrative or debugging functions that are enabled or accessible;
- Overly informative error messages;
- Misconfigured TLS (SSL) certificates and encryption settings;
- Use of default certificates; and
- Improper authentication with external systems.
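Several items in the list above can be checked mechanically against a web server's own configuration file. The following audit script is an added example written for this post (it is not the page's code, nor anything from the Apache project): it parses a constructed Apache httpd virtual host, reports directory listing, version disclosure, obsolete TLS protocol versions, the distribution's default self-signed certificate and an unrestricted `server-status` page, and then shows the same host after review with all of those corrected. The directive semantics it relies on (`Options`, `ServerTokens`, `ServerSignature`, `SSLProtocol`, `Require`) are Apache's; the file paths, hostnames and both configurations are assumptions made up for the demonstration.

```python
"""Audit an Apache httpd config for the misconfigurations listed above. Added example
(not the page's or the Apache project's code); both configs are constructed."""
import re

# Constructed: a vhost left close to distribution defaults.
WEAK_CONFIG = """
ServerTokens Full
ServerSignature On
<VirtualHost *:443>
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
    </Directory>
    SSLProtocol all -SSLv3
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    <Location /server-status>
        SetHandler server-status
    </Location>
</VirtualHost>
"""
# Constructed: the same vhost after review.
HARDENED_CONFIG = """
ServerTokens Prod
ServerSignature Off
<VirtualHost *:443>
    <Directory /var/www/html>
        Options -Indexes +FollowSymLinks
    </Directory>
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile /etc/ssl/certs/www.example.test.crt
    <Location /server-status>
        SetHandler server-status
        Require ip 127.0.0.1
    </Location>
</VirtualHost>
"""
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
ALL_PROTOCOLS = WEAK_PROTOCOLS | {"TLSv1.2", "TLSv1.3"}

def parse(config):
    """Flatten httpd-style config into (section_path, directive, args) triples."""
    entries, stack = [], []          # stack records the enclosing <Directory>/<Location>
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(\w+)\s+([^>]*)>$", line)
        if opened:
            stack.append((opened.group(1), opened.group(2).strip()))
        elif re.match(r"</\w+>$", line):
            stack.pop()
        else:
            words = line.split()
            entries.append((tuple(stack), words[0], words[1:]))
    return entries

def _split(token):  # '+Indexes' -> ('+', 'Indexes'); 'Indexes' -> ('', 'Indexes')
    return (token[0], token[1:]) if token[0] in "+-" else ("", token)

def enabled_protocols(args):
    """mod_ssl semantics for SSLProtocol: '+' adds, '-' removes, and a bare token
    REPLACES the set, so 'SSLProtocol TLSv1.2 TLSv1.3' leaves only TLSv1.3 enabled."""
    enabled = set()
    for action, name in map(_split, args):
        protos = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if action == "+":
            enabled |= protos
        elif action == "-":
            enabled -= protos
        else:
            enabled = set(protos)
    return enabled

def indexes_enabled(args):
    """True if an Options line leaves directory listing on ('Indexes' or 'All')."""
    on = False
    for action, name in map(_split, args):
        if name == "None":
            on = False
        elif name in ("Indexes", "All"):
            on = action != "-"
    return on

def audit(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    entries = parse(config)
    top = {d: a for s, d, a in entries if not s}           # server-wide directives
    findings = []
    if top.get("ServerTokens", ["Full"])[0] != "Prod":     # Apache's default is Full
        findings.append("ServerTokens: Server header discloses version and module details")
    if top.get("ServerSignature", ["Off"])[0].lower() == "on":
        findings.append("ServerSignature On: error pages disclose the server version")
    for section, directive, args in entries:
        loc = " > ".join(f"<{n} {a}>" for n, a in section) or "server config"
        if directive == "Options" and indexes_enabled(args):
            findings.append(f"{loc}: Options enables Indexes (directory listing)")
        elif directive == "SSLProtocol" and enabled_protocols(args) & WEAK_PROTOCOLS:
            findings.append(f"{loc}: SSLProtocol still allows "
                            f"{sorted(enabled_protocols(args) & WEAK_PROTOCOLS)}")
        elif directive.startswith("SSLCertificate") and "snakeoil" in args[0]:
            findings.append(f"{loc}: {directive} uses the distribution's default self-signed cert")
        elif directive == "SetHandler" and args == ["server-status"]:
            requires = [a for s, d, a in entries if s == section and d == "Require"]
            if not requires or ["all", "granted"] in requires:
                findings.append(f"{loc}: server-status reachable without an access restriction")
    return findings
```

Two points worth noting from the checks. `SSLProtocol all -SSLv3` looks deliberate but still leaves TLS 1.0 and 1.1 on, and because an unprefixed protocol name replaces the whole set, `SSLProtocol TLSv1.2 TLSv1.3` enables only TLS 1.3; the explicit `-all +TLSv1.2 +TLSv1.3` form avoids both traps. Likewise an absent `ServerTokens` line is a finding, not a pass, because the compiled-in default is `Full`.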
Computers and network devices should also be configured to minimise the number of inherent vulnerabilities and provide only the services required to fulfil their intended function.
This means deciding which applications and programs will be installed on the devices employees use, and reviewing the preinstalled options so that unneeded ones are removed and only those that are required are added.
This will help prevent unauthorised actions being carried out and will also ensure that each device publicly discloses only the minimum information necessary.
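The practical form of "only the services required" is a written baseline for each class of device (which accounts may log in, which services may be enabled, which packages may be installed) that the host is compared against on a schedule. The script below is an added example for this post, not the page's code: it takes a constructed snapshot of a Linux host (its `/etc/passwd`, `/etc/shadow`, enabled systemd units and installed packages) and reports every deviation from an assumed baseline, including a passwordless account and a second uid-0 account, with the command that removes or locks each item. The baseline, account names, hashes and package list are all made up for the demonstration.

```python
"""Compare a host's login accounts, enabled services and installed packages
against an approved baseline and report drift. Added example for this post
(not the page's code); the host snapshot below is constructed, not captured."""

# The baseline: what this server is allowed to have (constructed for the example).
BASELINE = {
    "accounts": {"root", "svc-backup"},        # accounts allowed an interactive shell
    "services": {"sshd", "nginx", "chronyd"},  # units allowed to be enabled at boot
    "packages": {"nginx", "openssh-server", "chrony"},
}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed snapshot of a host that has drifted from the baseline.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc-backup:x:1001:1001::/var/backups:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
admin:x:0:1003::/home/admin:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc-backup:$6$saltsalt$notarealhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
admin:$6$saltsalt$notarealhash:19000:0:99999:7:::
"""
ENABLED_UNITS = ["sshd", "nginx", "chronyd", "telnet.socket", "cups"]
PACKAGES = ["nginx", "openssh-server", "chrony", "telnetd", "cups", "samba"]


def login_accounts(passwd):
    """{name: uid} for every account whose shell permits interactive login."""
    found = {}
    for line in passwd.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        if shell not in NOLOGIN_SHELLS:
            found[name] = int(uid)
    return found


def passwordless_accounts(shadow):
    """Accounts whose shadow hash field is empty: login succeeds with no password."""
    return [line.split(":")[0] for line in shadow.splitlines() if line.split(":")[1] == ""]


def check_drift(passwd, shadow, units, packages, baseline=BASELINE):
    """Return one finding per deviation from the baseline, with the fix to apply."""
    findings = []
    accounts = login_accounts(passwd)
    for name in sorted(set(accounts) - baseline["accounts"]):
        findings.append(f"account {name}: not in baseline; lock it (usermod -L {name}) "
                        f"or set its shell to /usr/sbin/nologin")
    for name, uid in accounts.items():
        if uid == 0 and name != "root":
            findings.append(f"account {name}: has uid 0, a second root")
    for name in passwordless_accounts(shadow):
        findings.append(f"account {name}: empty password field, set or lock it now")
    for unit in sorted(set(units) - baseline["services"]):
        findings.append(f"service {unit}: enabled but not in baseline "
                        f"(systemctl disable --now {unit})")
    for pkg in sorted(set(packages) - baseline["packages"]):
        findings.append(f"package {pkg}: installed but not in baseline; remove it")
    return findings


if __name__ == "__main__":
    for finding in check_drift(PASSWD, SHADOW, ENABLED_UNITS, PACKAGES):
        print(finding)
```

On a real Debian or Ubuntu host the same function can be fed the contents of `/etc/passwd` and `/etc/shadow` (the latter needs root), the first column of `systemctl list-unit-files --state=enabled --no-legend`, and the output of `dpkg-query -W -f='${Package}\n'`. Run from cron and diffed against the previous run, the output is the "monitoring for changes from that baseline" that the next section describes.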
How Cyber Essentials can help
By setting standard configurations for your systems based on industry best practices, such as the Cyber Essentials scheme, and continually monitoring for changes from that baseline, organisations can quickly identify a misconfiguration that could be exploited and address it.
- For computers and network devices, your organisation should routinely:
  - Remove or disable unnecessary user accounts;
  - Change any default or easily guessable account passwords to something less obvious;
  - Remove or disable unnecessary software;
  - Disable any auto-run feature that allows file execution without user authorisation; and
  - Authenticate users before enabling Internet-based access to commercially or personally sensitive data, or data critical to the running of the organisation.
- For password-based authentication, your organisation should protect itself against brute-force password guessing by limiting the number of attempts (or guesses) allowed within a certain period, and should also:
  - Set a minimum password length of at least 8 characters but not set a maximum password length;
  - Change passwords promptly when the user knows or suspects they have been compromised; and
  - Have a password policy that informs users of best practices.
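The attempt limit and the length rule from the password list above are small enough to show in working code. The following is an added example for this post (not the page's code and not from any particular product): a sliding-window throttle keyed both by account and by source address, a login routine that consults the throttle before it checks the credential, and the minimum-length-only policy check. The credential store, the user `alice`, the addresses and the guessing scenario are constructed for the demonstration; PBKDF2 is used for the stored hash because it is in the standard library, a memory-hard function such as scrypt or Argon2 would be the better choice in production.

```python
"""Brute-force protection for password logins: a sliding-window attempt limit
keyed by account and by source address, plus the length rule from the list
above. Added example, not from the original post; the credential store and
the attack scenario are constructed for the demonstration."""
import hashlib
import hmac
import os
from collections import defaultdict, deque

MAX_ATTEMPTS = 10        # failed guesses tolerated per key...
WINDOW_SECONDS = 300     # ...within this many seconds
MIN_PASSWORD_LENGTH = 8  # minimum only; deliberately no maximum
PBKDF2_ROUNDS = 50_000   # kept low for the demo; raise it, or use scrypt/Argon2, in production


def make_credential(password):
    """Salted PBKDF2-SHA256 record for the constructed user store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_credential(credential, password):
    salt, digest = credential
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)   # constant-time compare


# Verified for unknown usernames too, so response time does not reveal which accounts exist.
DUMMY_CREDENTIAL = make_credential("dummy")


def password_meets_policy(password):
    """The rule above: at least 8 characters, and no upper bound imposed."""
    return len(password) >= MIN_PASSWORD_LENGTH


class LoginThrottle:
    """Counts failed logins per key in a sliding window and blocks once the window
    holds MAX_ATTEMPTS failures. Keys are 'user:<name>' and 'ip:<addr>', so neither
    spraying many accounts from one address nor hammering one account from many
    addresses goes unnoticed."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= self.window:   # drop failures outside the window
            q.popleft()
        return q

    def is_blocked(self, key, now):
        return len(self._recent(key, now)) >= self.max_attempts

    def record_failure(self, key, now):
        self._recent(key, now).append(now)

    def reset(self, key):
        self.failures.pop(key, None)


def attempt_login(throttle, users, username, password, source_ip, now):
    """Returns 'ok', 'denied' or 'throttled'. The throttle is consulted before the
    credential is checked, so a blocked caller learns nothing about the password."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(throttle.is_blocked(k, now) for k in keys):
        return "throttled"
    credential = users.get(username, DUMMY_CREDENTIAL)
    if username in users and verify_credential(credential, password):
        throttle.reset(keys[0])     # a genuine login clears the account's counter
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "denied"


def simulate_guessing(guesses=12):
    """Constructed scenario: guesses against 'alice' from one address, one per second."""
    throttle = LoginThrottle()
    users = {"alice": make_credential("correct horse battery")}
    return [attempt_login(throttle, users, "alice", f"guess{i}", "203.0.113.5", float(i))
            for i in range(guesses)]


if __name__ == "__main__":
    print(simulate_guessing())   # ten 'denied', then 'throttled'
```

The per-account key has a side effect worth planning for: while the attacker's failures sit in the window, the real owner of the account is throttled too, even from a different address and with the right password. That is the trade-off behind Cyber Essentials' "no more than 10 guesses in 5 minutes" style limits, and it is why the block expires on its own rather than requiring an administrator to unlock the account.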
Being Cyber Essentials-certified demonstrates your commitment to cyber security. Anyone assessing their supply chain can look up the details of any organisation certified under the scheme on the NCSC's (National Cyber Security Centre) dedicated page.