Requirement 2. Secure configuration, and 3. User access control
The second Cyber Essentials Requirement references 'secure configuration'. At this point, I am reminded of the CIS Security Configuration Benchmarks, which are distributed free of charge to promote their worldwide use and adoption as user-originated, de facto standards.
The CIS Benchmarks are described as "consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia". The Benchmarks are recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices.
They are used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices. Download here: https://benchmarks.cisecurity.org/about/
How does the CES Requirement 2 compare with the CIS Benchmarks?
2. Secure configuration
Objectives: Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role.
Computers and network devices cannot be considered secure upon default installation. A standard, ‘out-of-the-box’ configuration can often include an administrative account with a predetermined, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications (or services).
Default installations of computers and network devices can provide cyber attackers with a variety of opportunities to gain unauthorised access to an organisation’s sensitive information, often with ease. By applying some simple security controls when installing computers and network devices (a technique typically referred to as system hardening), inherent weaknesses can be minimised, providing increased protection against commodity cyber attacks.
Basic technical cyber protection for secure configuration
Computers and network devices (including wireless access points) should be securely configured. As a minimum:
- Unnecessary user accounts (e.g. Guest accounts and unnecessary administrative accounts) should be removed or disabled.
- Any default password for a user account should be changed to an alternative, strong password.
- Unnecessary software (including application, system utilities and network services) should be removed or disabled.
- The auto-run feature should be disabled (to prevent software programs running automatically when removable storage media is connected to a computer or when network folders are accessed).
- A personal firewall (or equivalent) should be enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default.
For SME organisations employing <50 people, among the first things that I would definitely recommend checking are the default configurations of routers, including converged wireless routers with access points (AP) and often an Ethernet switch, which offer little security in their default setting.
Wireless routers are very common in micro-businesses and home office set-ups in particular; hence I would have named these devices by saying:
Computers and network devices (including wireless routers/wireless access points) should be securely configured ...
It is good practice to begin 'hardening' your configuration by ensuring that your router is secure as this is one of the best initial lines of defence. Consult the user’s guide, which will direct you to a predefined URL or IP address where you can do the following:
- Configure the wireless network to use WPA2-AES encryption for data confidentiality.
- Change the default login username, if permitted (refer to the user’s guide), and password. (The default passwords are published in manufacturer’s publications and are readily accessible.)
- Conduct MAC address filtering (a form of whitelisting, or identifying wireless connected computers you trust).
- Change the default wireless SSID.
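One way to check a router's wireless configuration against the four points above, as an added example that is not part of the original post: it assumes a hostapd-style key=value export (consumer routers expose the same settings through their web UI), and the list of default-looking SSIDs is constructed for illustration.

```python
# Added example (not from the original post): audit a hostapd-style wireless AP
# config against the checklist. Assumes hostapd's key=value format; the
# default-SSID patterns are constructed for illustration.
import re

DEFAULT_SSID_PATTERNS = [r"^default$", r"^linksys", r"^netgear", r"^tp-?link", r"^d-?link"]

def parse_hostapd(text):
    """Parse key=value lines, ignoring comments and blank lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def audit_wireless(cfg):
    """Return a list of findings; an empty list means the checklist is met."""
    findings = []
    # WPA2 (RSN) only: wpa=1 is WPA1, wpa=3 still admits WPA1 clients.
    if cfg.get("wpa") != "2":
        findings.append("wpa: WPA2 not enforced (expected wpa=2)")
    # AES confidentiality means CCMP only; TKIP must not be offered.
    pairwise = cfg.get("rsn_pairwise", "").split()
    if "CCMP" not in pairwise or "TKIP" in pairwise:
        findings.append("rsn_pairwise: expected CCMP only, got %r" % cfg.get("rsn_pairwise"))
    # MAC filtering: macaddr_acl=1 denies every station not in the accept file.
    if cfg.get("macaddr_acl") != "1" or not cfg.get("accept_mac_file"):
        findings.append("macaddr_acl: MAC address whitelist not enabled")
    # The SSID should no longer be the manufacturer default.
    ssid = cfg.get("ssid", "")
    if not ssid or any(re.match(p, ssid, re.IGNORECASE) for p in DEFAULT_SSID_PATTERNS):
        findings.append("ssid: default or empty SSID %r" % ssid)
    return findings

# Constructed sample configurations: out-of-the-box versus hardened.
WEAK_CONFIG = """
ssid=NETGEAR_default
wpa=1
wpa_pairwise=TKIP
"""
HARDENED_CONFIG = """
ssid=Acme-Office
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-to-a-long-random-passphrase
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""
```

Running `audit_wireless(parse_hostapd(WEAK_CONFIG))` reports all four failures, while the hardened configuration returns no findings.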
I would also have stressed that many wired networks base their security on physical access control, trusting all the users on the local network, but if wireless access points are connected to the network, anybody within range of the AP (which typically extends farther than the intended area) can attach to the network. Your security stance will be compromised if it is easy to attack your network using unencrypted wireless access points.
'Control' in management means setting standards, measuring actual performance and taking corrective action. Control is a continuous process.
I would have added to the Cyber Essentials Requirements that you should remove unnecessary software and disable nonessential services, and modify unnecessary default features to eliminate opportunities for attack, on a continuous basis. Your system technology is constantly evolving and new software/software upgrades can introduce security vulnerabilities - see below. Only through system hardening measures can you hope to maintain an optimum level of protection when connected to the internet; and even then unmitigated vulnerabilities will be exploited by the hackers.
From the initial installation onwards, review the features that came enabled by default on your computer and disable or customise those you don't need or plan on using. As with nonessential services, be sure to research these features before disabling or modifying them. Recent operating systems are configured more securely by default and are preferred. However, all systems should be continuously hardened. Besides the operating system, some user-installed applications provide network services to communicate with other devices. In many cases these services are required for the intended operation of the device, and are therefore permitted. However, some applications install gratuitous network services that are either not required or are configured to provide network access when only local access is required. Hence, it will not be enough to apply this requirement once a year or every 6 months and still be confident that you have these issues under control. Cyber security is not a steady state.
Next up: access control. In computer security, general access control includes authorisation, authentication, access approval, and audit.
Cyber Essentials Control 3 (User access control) adopts elements of this definition in the Requirements, including a regular review of special access privileges. It stops short, though, of calling the process an 'audit'.
3. User access control
Objectives: User accounts, particularly those with special access privileges (e.g. administrative accounts), should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks.
User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When privileged accounts are compromised their level of access can be exploited resulting in large scale corruption of information, affected business processes and unauthorised access to other computers across an organisation.
To protect against misuse of special access privileges, the principle of least privilege should be applied to user accounts by limiting the privileges granted and restricting access.
Basic technical cyber protection for user access control
User accounts should be managed through robust access control. As a minimum:
- All user account creation should be subject to a provisioning and approval process.
- Special access privileges should be restricted to a limited number of authorised individuals.
- Details about special access privileges (e.g. the individual and purpose) should be documented, kept in a secure location and reviewed on a regular basis (e.g. quarterly).
- Administrative accounts should only be used to perform legitimate administrative activities, and should not be granted access to email or the internet.
- Administrative accounts should be configured to require a password change on a regular basis (e.g. at least every 60 days).
- Each user should authenticate using a unique username and strong password before being granted access to applications, computers and network devices.
- User accounts and special access privileges should be removed or disabled when no longer required (e.g. when an individual changes role or leaves the organisation) or after a pre-defined period of inactivity (e.g. 3 months).
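The periodic review the list above calls for can be scripted over an account export. The following is an added example, not code from the original post or from Cyber Essentials: the account records and review date are constructed, and the thresholds (60-day admin password age, 90-day inactivity) follow the figures quoted above.

```python
# Added example (not from the original post): review exported user-account
# records against the Cyber Essentials user access control minimums.
# The records and the review date are constructed for illustration.
from datetime import date, timedelta

MAX_ADMIN_PASSWORD_AGE = timedelta(days=60)   # "at least every 60 days"
MAX_INACTIVITY = timedelta(days=90)           # "e.g. 3 months"

def review_accounts(accounts, today):
    """Return {username: [issues]} for every enabled account that fails a check."""
    report = {}
    for acct in accounts:
        if not acct.get("enabled", True):
            continue  # already disabled: nothing left to flag
        issues = []
        if not acct.get("approved_by"):
            issues.append("no provisioning approval recorded")
        last = acct.get("last_login")
        if last and today - last > MAX_INACTIVITY:
            issues.append("inactive > 90 days: disable or remove")
        if acct.get("admin"):
            if not acct.get("purpose"):
                issues.append("special access privilege not documented")
            if today - acct["password_set"] > MAX_ADMIN_PASSWORD_AGE:
                issues.append("admin password older than 60 days")
            if acct.get("email") or acct.get("internet"):
                issues.append("admin account has email/internet access")
        if issues:
            report[acct["username"]] = issues
    return report

# Constructed sample export, as a directory or HR system might provide it.
REVIEW_DATE = date(2014, 10, 1)
ACCOUNTS = [
    {"username": "jsmith", "admin": False, "approved_by": "IT",
     "last_login": date(2014, 9, 30)},
    {"username": "adm-jones", "admin": True, "approved_by": "CTO",
     "purpose": "server maintenance", "last_login": date(2014, 9, 29),
     "password_set": date(2014, 6, 1), "email": True},
    {"username": "contractor1", "admin": False, "approved_by": None,
     "last_login": date(2014, 5, 1)},
    {"username": "guest", "enabled": False, "admin": False},
]
```

`review_accounts(ACCOUNTS, REVIEW_DATE)` flags the administrator for a 122-day-old password and email access, and the contractor for a missing approval and five months of inactivity; the disabled guest account is skipped.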
The first step towards securing a small business network - or indeed any other kind of computer network - is to understand what vulnerabilities an attacker is likely to exploit. You put yourself in the position of an attacker. What is your primary task once you have 'infiltrated' (i.e. got into) a network? It's not really a brain-teaser: just ask yourself what you would do in the real world to gain access to valuable data assets.
Your job the moment you are in the system is to initiate escalation of privileges, which is how an attacker attempts to gain more access from the foothold they have established. After an escalation of privileges has occurred, there is little left in the system's defences to stop an intruder from carrying out whatever they intend. Attackers employ many different mechanisms to achieve an escalation of privileges (too many for this post!), but primarily they involve compromising existing accounts, especially those with administrator-equivalent privileges.
In most cases (>75%) the bad guys need only hours to compromise a system, whereas the good guys rarely get their job done in less than months (incredibly, only about 25% of breaches are detected in days or less). [Source: The 2014 Verizon DBIR Report: Time-to-Compromise vs. Time-to-Discovery]
After an attacker has compromised a network to the point where a critical account with high privileges is compromised, the entire network can never be considered as completely trustworthy again unless it is flattened and completely recreated. Therefore the level of security for all manner of accounts is a very important aspect of any network security initiative.
In the words of Microsoft Developer Network: "The matter of managing the security for all account types in a network is very important to managing risk for a midsize business network. Internal and external threats must be taken into account, and the solution to these threats must balance the need for security with the functionality a midsize business demands from their network resources." As a small business grows, the number of all types of accounts increases, and so too do the number of exploitable vulnerabilities. However, this is often forgotten in the priorities set by management in the commercial pressure to expand.
Personally, I consider the control themes in this Requirement to be one of the most useful aspects of Cyber Essentials. Administrative accounts should only be used to perform legitimate administrative activities, and should not be granted access to email or the internet. SMEs and quite a few large organisations need to understand the cyber risks associated with administrative, service, application-related, and default accounts.
At this point it is worth remembering that the National Security Agency (NSA) is the fount of information security wisdom for the US defence and intelligence communities. Yet, despite this obvious reason for strong cyber security, NSA's network security was apparently so weak that a single administrator was able to hijack the credentials of a number of NSA employees with high-level security clearances and use them to download data from the agency's internal networks - so the problem really exists.
The administrator referred to here was, allegedly, Edward Snowden!
[Source: Sysadmin security fail: NSA finds Snowden hijacked officials’ logins, Ars Technica, Sean Gallagher - Aug 29 2013, 10:40pm GMTDT].
Perhaps it isn't just the smaller enterprises that need Cyber Essentials?
Next time: Cyber Essentials Controls: 4. Malware protection, and 5. Patch management.
This guest post was written by Michael Shuff. Find out more about Cognidox Document Management solutions for ISO standards-compliance by downloading our Information Security white paper at http://www.cognidox.com/cognidox/view/VI-403566-TM