Technical Requirements for Basic Protection from Cyber Attack
Standardised approaches to cyber security will be a feature of the IT world in 2015 and beyond. There's simply too much cyber crime and hostile activity on the part of rogue governments opposed to Western economic and geo-political dominance to ignore the problem - even if red tape and tick boxes are not what the 'deregulators' say they want.
But of course, by May 2015 we may be seeing an even tougher line emerging as politicians across the political parties spot the potential in messages that reflect the ordinary citizens' concerns about data leaks. Personal identities are being traded wholesale by organised crime gangs.
The pendulum in America is swinging in favour of standards frameworks. On December 5, 2014, the National Institute of Standards and Technology (NIST, part of the U.S. Commerce Department) issued an update to its Framework for Improving Critical Infrastructure Cybersecurity. Since then, the growing consensus among industry regulators and U.S. lawyers is that the Framework is becoming the de facto standard for private-sector cyber security [Source: 'CIOs Ignore the NIST Cybersecurity Framework at Their Own Peril', Wall Street Journal: CIO Journal: December 18, 2014]. Cyber Essentials will go part-way to addressing the cyber threats tackled by the critical infrastructure cyber security framework, but will the five technical Requirements of the UK scheme be sufficient on their own to protect confidential data assets?
Perhaps more importantly, if the UK Government rejects ISO27001:2013, shouldn't they be aiming higher than a low-cost Scheme designed only to address phishing attacks using malware infection and hacking attacks that exploit known vulnerabilities in Internet connected servers and devices?
The answer, I suggest, could well be a simple 'yes'. However, politically it is difficult (impossible?) to force the adoption of complex and often costly standards-based approaches in what is a fragile economic recovery phase. One suspects though the U.S.A. and Europe will legislate by next decade to effectively compel standardisation and compliance through certification.
Watch this space!
Mandatory standardisation is what has happened in India. Under Sec 43A, the ITA (Information Technology Act) defines what “Sensitive Personal Information” is and the “Reasonable Security Practice” that a company should follow to protect it. The current phrasing can easily be interpreted to make adopting ISO 27001 a matter of legal compliance. While sub-rule 2 does allow for use of an alternate ISMS that meets the requirements, 'reasonable' security practices involve the use of a standards framework.
The UK Data Protection Act says that: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." UK Law has yet to define exactly what the "appropriate" measures are, but one suspects that future EU Regulations will do this in a similar way to India's ITA with reference to Standards.
At the moment, the Data Protection Act, made law way back in 1998 (since which time, a great deal has changed in terms of technology and culture), means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised.
In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff;
- and be ready to respond to any breach of security swiftly and effectively.
At this point, the observant among you will have spotted that the Cyber Essentials control themes fall far short of these DPA requirements as defined by the Information Commissioner; so we must recognise from the outset that whatever value Cyber Essentials Requirements bring to the party, the existing requirements of UK Law mean that organisations must address other information security requirements to comply with the Law.
So what will Cyber Essentials provide you with in terms of a control set?
And is it worth relying on in place of a more comprehensive cyber security or information security standard like the NIST Framework or ISO27001?
Cyber Essentials Controls: what they are - and what they're not!
Cyber Essentials might not stop a determined cyber attack emanating from a rogue state, but it can help to prevent your organisation being a soft target when it comes to automated hacking tools and opportunists.
The Cyber Essentials Scheme is designed to assist every UK organisation in defending against "the most common forms of cyber attack emanating from the internet using widely accessible tools which require little skill from the attackers". Firstly specific types of attack are identified and secondly the most basic technical controls an organisation needs to have in place are described.
OK. What are the basic technical measures that the Scheme promotes?
The control themes set out in the Cyber Essential Requirements document are relevant to organisations of all sizes. The "exposed technology" is familiar to us all: i.e. computers that are capable of connecting to the internet, including desktop PCs, laptops, tablets and smartphones, and internet connected servers including email, web and application servers.
The Government (almost certainly drawing on evidence presented by the police and the classified work of GCHQ and other national security agencies) has developed a detailed knowledge of the basic but successful cyber attacks against UK businesses and citizens, the large majority of which would have been mitigated by full implementation of the controls under the following selected categories.
'Control Themes' presented in the Cyber Essentials Requirements
To mitigate the threats identified in the Government's research, Cyber Essentials requires implementation of the following controls for basic technical cyber protection:
- Boundary firewalls and internet gateways
Objective: Information, applications and computers within the organisation’s internal networks should be protected against unauthorised access and disclosure from the internet, using boundary firewalls, internet gateways or equivalent network devices.
One or more firewalls (or equivalent network device) should be installed on the boundary of the organisation’s internal network(s). As a minimum:
- The default administrative password for any firewall (or equivalent network device) should be changed to an alternative, strong password.
- Each rule that allows network traffic to pass through the firewall (e.g. each service on a computer that is accessible through the boundary firewall) should be subject to approval by an authorised individual and documented (including an explanation of business need).
- Unapproved services, or services that are typically vulnerable to attack (such as Server Message Block (SMB), NetBIOS, tftp, RPC, rlogin, rsh or rexec), should be disabled (blocked) at the boundary firewall by default.
- Firewall rules that are no longer required (e.g. because a service is no longer required) should be removed or disabled in a timely manner.
- The administrative interface used to manage boundary firewall configuration should not be accessible from the internet.
In situations where the administrative interface needs to be accessible from the internet (e.g. because it is supported by a remote administrator or external service provider) the interface should be protected by additional security arrangements, which include using a strong password, encrypting the connection (e.g. using SSL), restricting access to a limited number of authorised individuals and only enabling the administrative interface for the period it is required.
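The minimum requirements above can be checked against an actual ruleset. The following is an added example (my own code, not from the Cyber Essentials documents or any firewall vendor) that audits a simple, vendor-neutral representation of boundary-firewall rules for the four checks that can be judged from the rules alone: risky services open to the internet, allow rules with no approver or business need, rules for retired services, and a management interface reachable from the internet. The service-to-port mapping uses the well-known port assignments and is an assumption; the sample ruleset is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Services the Requirements name as "typically vulnerable to attack", mapped to
# their well-known ports (assumed mapping; adjust for non-standard deployments).
RISKY_SERVICES = {
    ("tcp", 445): "SMB", ("tcp", 139): "NetBIOS session/SMB",
    ("udp", 137): "NetBIOS name", ("udp", 138): "NetBIOS datagram",
    ("udp", 69): "tftp", ("tcp", 111): "RPC portmapper", ("tcp", 135): "MS RPC",
    ("tcp", 512): "rexec", ("tcp", 513): "rlogin", ("tcp", 514): "rsh",
}
ANY = "0.0.0.0/0"  # the rule accepts traffic from the whole internet

@dataclass
class Rule:
    name: str
    proto: str
    port: int
    action: str                          # "allow" or "deny"
    source: str = ANY                    # CIDR the rule accepts traffic from
    to_firewall: bool = False            # True for the firewall's own admin interface
    approved_by: Optional[str] = None    # authorised individual who signed off
    justification: Optional[str] = None  # documented business need
    in_use: bool = True                  # False once the service has been retired

def audit_rules(rules):
    """Return one finding per deviation from the Control 1 minimums visible in the rules."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot expose anything
        svc = RISKY_SERVICES.get((r.proto, r.port))
        if svc and r.source == ANY:
            findings.append(f"{r.name}: {svc} ({r.proto}/{r.port}) reachable from the internet")
        if not (r.approved_by and r.justification):
            findings.append(f"{r.name}: allow rule lacks an approver or business need")
        if not r.in_use:
            findings.append(f"{r.name}: allows a service that is no longer required")
        if r.to_firewall and r.source == ANY:
            findings.append(f"{r.name}: firewall admin interface exposed to the internet")
    return findings

# Constructed sample ruleset for a small office boundary firewall.
SAMPLE_RULES = [
    Rule("web-https", "tcp", 443, "allow", approved_by="IT mgr", justification="public website"),
    Rule("legacy-smb", "tcp", 445, "allow", approved_by="IT mgr", justification="file share"),
    Rule("sftp-partner", "tcp", 22, "allow", source="203.0.113.0/24", approved_by="IT mgr"),
    Rule("old-vpn", "udp", 1194, "allow", approved_by="IT mgr", justification="VPN", in_use=False),
    Rule("fw-admin", "tcp", 443, "allow", to_firewall=True, approved_by="IT mgr", justification="vendor support"),
    Rule("deny-all", "any", 0, "deny"),
]
```

Running `audit_rules(SAMPLE_RULES)` reports four findings (the SMB exposure, the undocumented partner rule, the retired VPN rule and the exposed admin interface); the default-password check has to be done on the device itself.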
Commentary: Basic stuff, sure, but necessary and often misunderstood. Firewalls are not always properly configured. Tools used by penetration testers can, and often do, find default passwords and common passwords that are an easy target for a dictionary attack. And just like operating systems and servers, if you don’t keep your firewall regularly patched or filtered for the latest known vulnerabilities, or even configured to monitor for irregular patterns in traffic, then you've spent money (sometimes a lot of money) giving yourself and your organisation a false sense of security.
Patching is dealt with by Control 5: Patch Management - albeit in a general way that doesn't provide you with much of a checklist to work from. The problems with new network technology like wireless networks and remote access devices that can be used to circumvent network perimeter security devices like firewalls and IDS, are not specifically addressed here either; and as every IT manager worth their salt knows to their cost, the days of feeling at ease behind boundary firewalls are gone.
Control 1 is important though in ensuring that what protection firewalls can provide is properly configured. For example, that strong passwords (>8 characters, numbers and symbols) are used and changed every 60 days, that traffic is monitored and controlled, and that those services which are '...more vulnerable to attack than others' are blocked at your office firewall assuming there's no business case for permitting access.
Next time: Cyber Essentials Controls: 2. Secure configuration; and 3. User access control.
This guest post was written by Michael Shuff. Find out more about Cognidox Document Management solutions for ISO standards-compliance by downloading our Information Security white paper at http://www.cognidox.com/cognidox/view/VI-403566-TM