Part V: Requirements 4. Malware protection, and 5. Patch management
Malware protection software is a necessary cyber security requirement. We all have knowledge of malware threats in one form or another and experience teaches us to be wary of certain links and email attachments.
Cyber Essentials starts with the assumption that computers connected to the internet are vulnerable to attack from malware and therefore malware protection is seen as a key feature of basic cyber hygiene requirements.
4. Malware protection
Objectives
Computers that are exposed to the internet should be protected against malware infection through the use of malware protection software.
Malware, such as computer viruses, worms and spyware, is software that has been written and distributed deliberately to perform unauthorised functions on one or more computers.
Computers are often vulnerable to malicious software, particularly those that are exposed to the internet (e.g. desktop PCs, laptops and mobile devices, where available). When available, dedicated software is required that will monitor for, detect and disable malware.
Computers can be infected with malware through various means, often involving a user who opens an affected email, browses a compromised website or opens an unknown file on removable storage media.
Basic technical cyber protection for malware
The organisation should implement robust malware protection on exposed computers. As a minimum:
- Malware protection software should be installed on all computers that are connected to or capable of connecting to the internet.
- Malware protection software (including program code and malware signature files) should be kept up-to-date (e.g. at least daily, either by configuring it to update automatically or through the use of centrally managed deployment).
- Malware protection software should be configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when being accessed (via a web browser).
- Malware protection software should be configured to perform regular scans of all files (e.g. daily).
- Malware protection software should prevent connections to malicious websites on the internet (e.g. by using website blacklisting).
The scope of malware protection in this document covers desktop PCs, laptops and servers that have access to or are accessible from the internet. Other computers used in the organisation, while out of scope, are likely to need protection against malware, as will some forms of tablets and smartphones.
Website blacklisting is a technique used to help prevent web browsers connecting to unauthorised websites. The blacklist effectively contains a list of malicious or suspicious websites that is checked each time the web browser attempts a connection.
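The blacklist check described above, as an added example that is not part of the original post or of the Cyber Essentials documents: a small Python filter of the kind a web proxy or browser extension would run before allowing a connection. It extracts the hostname from each requested URL (dropping scheme, credentials, port and path), matches IP literals exactly, and treats any subdomain of a blacklisted domain as blacklisted while avoiding substring false positives. The blacklist entries are constructed placeholders (reserved `.test` names and an RFC 5737 documentation address), not real threat data.

```python
from ipaddress import ip_address
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample blacklist: registrable domains or exact IP addresses.
# These are placeholder names/addresses, not real indicators.
BLACKLIST: Set[str] = {
    "malware-example.test",
    "phish-example.test",
    "203.0.113.10",   # RFC 5737 documentation range, stands in for a bad host
}


def hostname_from_url(url: str) -> Optional[str]:
    """Return the lower-cased hostname of a URL, or None if there is none.

    urlsplit().hostname already strips userinfo and the port and lower-cases
    the result; we also tolerate bare hostnames and a trailing dot.
    """
    if "://" not in url:
        url = "http://" + url            # bare "example.org" as a browser would treat it
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.rstrip(".")              # "example.test." is the same host as "example.test"


def is_blacklisted(url: str, blacklist: Set[str] = BLACKLIST) -> bool:
    """True if the URL's host, or any parent domain of it, is blacklisted.

    IP literals must match exactly; parent-domain matching only applies to
    names, and works on whole labels so "notmalware-example.test" does not
    match "malware-example.test".
    """
    host = hostname_from_url(url)
    if host is None:
        return False
    try:
        ip_address(host)                 # IPv4 or IPv6 literal
        return host in blacklist
    except ValueError:
        pass                             # not an IP, so fall through to name matching
    labels = host.split(".")
    # Walk from the full host up through its parents: a.b.c -> b.c -> c
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blacklist:
            return True
    return False


def filter_requests(urls: Iterable[str],
                    blacklist: Set[str] = BLACKLIST) -> Tuple[List[str], List[str]]:
    """Split a batch of requested URLs into (blocked, allowed) lists."""
    blocked: List[str] = []
    allowed: List[str] = []
    for u in urls:
        (blocked if is_blacklisted(u, blacklist) else allowed).append(u)
    return blocked, allowed


if __name__ == "__main__":
    # Constructed sample of requests as a proxy log might record them.
    sample = [
        "https://example.org/",
        "http://user:pw@CDN.malware-example.test:8443/update.bin",
        "https://notmalware-example.test/",
        "http://203.0.113.10/payload",
    ]
    blocked, allowed = filter_requests(sample)
    print("blocked:", blocked)
    print("allowed:", allowed)
```

A production filter would load its list from a vendor feed that is refreshed at least as often as the signature files in the bullet list above, and the same check is usually applied at the DNS resolver or proxy so that it covers every application on the host, not only the browser.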
Cyber Essentials assumes that 'robust malware protection' will help to protect your system. That protection comes from 'malware protection software' (the Objectives section avoids the outdated term 'antivirus').
The aim, of course, is to protect against human nature and the inevitable introduction of commonly found types of malicious software to a system. There's no mention here of the highly sophisticated, targeted, zero-day and persistent advanced malware threats that products such as Advanced Malware Protection (AMP) for Networks are designed to address - at a price few could afford.
Malware is commonly spread by people clicking on an email attachment or a link that launches the malware. Therefore, the best general advice to any organisation is: tell your staff about the risks before you get infected!
Don’t open attachments or click on links unless you’re certain they’re safe, even if they come from a person you know. Some malware sends itself through an infected computer. While the email may appear to come from someone you know, it really came from a compromised computer.
Relying purely on your malware protection software is not a good idea. You should take steps to raise staff awareness of the external threats, and what steps they can take as individuals to avoid malware infection.
Personally, I would like to have seen a reference to training employees in cyber security awareness and incident reporting rather than total reliance on software tools: both are important in reducing the risk of data breach.
Likewise, there should be a 'health warning' about advanced persistent threats to dispel the notion that Cyber Essentials controls are effective against 100% of the malware attacks perpetrated by determined hackers.
However, what Control 4 attempts to do is probably a realistic goal for 'essential security' given the limited aims of Cyber Essentials certification.
And so, finally, we arrive at the fifth and final Cyber Essentials Control:
5. Patch management
Objectives
Software running on computers and network devices should be kept up-to-date and have the latest security patches installed.
Any computer and network device that runs software can contain weaknesses or flaws, typically referred to as technical vulnerabilities. Vulnerabilities are common in many types of popular software, are frequently being discovered (e.g. daily), and once known can quickly be deliberately misused (exploited) by malicious individuals or groups to attack an organisation’s computers and networks.
Vendors of software will typically try to provide fixes for identified vulnerabilities as soon as possible, in the form of software updates known as patches, and release them to their customers (sometimes using a formal release schedule such as weekly). To help avoid becoming a victim of cyber attacks that exploit software vulnerabilities, an organisation needs to manage patches and the update of software effectively.
Basic technical cyber protection for patch management
Software should be kept up-to-date. As a minimum:
- Software running on computers and network devices that are connected to or capable of connecting to the internet should be licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available.
- Updates to software (including operating system software and firmware) running on computers and network devices that are connected to or capable of connecting to the internet should be installed in a timely manner (e.g. within 30 days of release or automatically when they become available from vendors).
- Out-of-date software (i.e. software that is no longer supported) should be removed from computer and network devices that are connected to or capable of connecting to the internet.
- All security patches for software running on computers and network devices that are connected to or capable of connecting to the internet should be installed in a timely manner (e.g. within 14 days of release or automatically when they become available from vendors).
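The four minimums above reduce to three checks that can be run over a software inventory: unsupported software is flagged for removal, a pending security patch must be installed within 14 days of release, and any other update (including firmware) within 30 days. The following Python script is an added example, not part of the original post or of the Cyber Essentials scheme; it parses a constructed CSV inventory (hypothetical hosts and product names, with the `supported`, `patch_released`, `security_fix` and `installed` columns assumed as the inventory format) and reports every breach of those windows as of a given date.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Time limits from the Cyber Essentials minimums quoted above.
SECURITY_PATCH_DAYS = 14   # security patches
UPDATE_DAYS = 30           # other software and firmware updates

# Constructed sample inventory (hypothetical devices and products, not real data).
# patch_released: vendor release date of the latest available update (empty = none
# pending); security_fix: whether that update is a security patch; installed:
# whether it has been applied on this device; supported: still vendor-supported.
SAMPLE_INVENTORY = """\
device,software,supported,patch_released,security_fix,installed
ws-01,OfficeSuite 2013,yes,2014-05-01,yes,no
ws-01,Browser 34,yes,2014-06-10,yes,yes
fw-01,EdgeRouter firmware 2.1,yes,2014-05-20,no,no
srv-02,LegacyDB 8,no,,no,no
srv-02,Server OS 2012,yes,2014-06-11,no,no
"""


@dataclass
class Finding:
    device: str
    software: str
    issue: str
    days_overdue: int


def _flag(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def load_inventory(text: str) -> List[dict]:
    """Parse the CSV inventory into rows with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        released = r["patch_released"].strip()
        rows.append({
            "device": r["device"],
            "software": r["software"],
            "supported": _flag(r["supported"]),
            "patch_released": date.fromisoformat(released) if released else None,
            "security_fix": _flag(r["security_fix"]),
            "installed": _flag(r["installed"]),
        })
    return rows


def check_patch_status(rows: List[dict], today: date) -> List[Finding]:
    """Apply the three rules and return one Finding per breach.

    Unsupported software is always a finding (it should be removed). For
    supported software with a pending update, the deadline is release date
    plus 14 days for a security patch or 30 days otherwise.
    """
    findings: List[Finding] = []
    for r in rows:
        if not r["supported"]:
            findings.append(Finding(r["device"], r["software"],
                                    "unsupported software: remove", 0))
            continue
        if r["patch_released"] is None or r["installed"]:
            continue                      # nothing pending, or already applied
        limit = SECURITY_PATCH_DAYS if r["security_fix"] else UPDATE_DAYS
        deadline = r["patch_released"] + timedelta(days=limit)
        if today > deadline:
            kind = "security patch" if r["security_fix"] else "update"
            findings.append(Finding(r["device"], r["software"],
                                    f"{kind} not installed within {limit} days",
                                    (today - deadline).days))
    return findings


def report(today_iso: str = "2014-06-20") -> List[Finding]:
    """Run the checks on the sample inventory as of the given ISO date."""
    return check_patch_status(load_inventory(SAMPLE_INVENTORY),
                              date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in report():
        print(f"{f.device:8} {f.software:26} {f.issue} ({f.days_overdue} days overdue)")
```

Run against the sample as of 2014-06-20 it reports the office suite (security patch 36 days past its 14-day window), the router firmware (one day past its 30-day window) and the unsupported database; the server OS update is still inside its 30-day window and the browser patch is already installed. Feeding it a real inventory is mostly a matter of exporting the same columns from whatever asset or patch-management tool the organisation already uses.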
Reasonable steps in a sensible approach. I particularly like the reference to removal of out-of-date software. If you don't need it, get rid of it - fast! There's no point in leaving redundant, unpatched application software on a system to help the hacker in their job. De-cluttering improves security.
Defining time limits for applying software updates - i.e. within 30 days of release, or automatically when they become available from the vendor - and, for security patches, 14 days or automatically, for software running on computers or network devices is, I think, a useful security benchmark.
Less helpfully, there are no specific remarks about patching and updating firewalls, IDS and NIDS (Network Intrusion Detection Systems), which often get a low priority in relation to applying OS patches but are in constant need of attention and monitoring. The alternatives to doing this yourself or building a dedicated in-house team are: (a) outsourcing to a systems security or networking company experienced at dealing with installations and on-going configuration of devices on a daily basis; or (b) using cloud services from public cloud providers like Google Inc. and Amazon Inc. to host services and applications, thereby side-stepping the need for a complex, time-consuming and expensively-owned network architecture.
But how then do you provide assurance that external service providers, especially for cloud services, comply with Cyber Essentials requirements?
How does Cyber Essentials deal with cloud service provision?
As the Cyber Essentials Scheme Assurance Framework document states:
"Many organisations use cloud services or other externally provided IT services."
Cloud services of course vary considerably. Cyber Essentials applies in different ways depending on whether the applicant retains responsibility for implementation of the relevant set of controls, or whether the cloud service provider has the responsibility. If externally provided IT services are included within the scope of a Cyber Essentials assessment, then:
For Cyber Essentials, the organisation will need to attest that its service provider’s system delivering that service meets the Cyber Essentials requirements for which the service provider is responsible. Existing evidence (such as that provided through PCI certification of a cloud service and appropriately scoped ISO 27001 certifications) may be considered as part of this process.
For Cyber Essentials Plus, the organisation will need to ensure that its service provider’s system delivering that service is tested as meeting the Cyber Essentials requirements for which the service provider is responsible.
[Source: Cyber Essentials: Assurance Framework, [PDF] June 2014, section on Cloud Services, p. 10].
Who will test cloud services for compliance with Cyber Essentials?
Penetration testers and ethical hackers are increasingly being called upon to evaluate the security of cloud-based applications, services, and infrastructures. In my view, the popularity of penetration testing will increase as public cloud services change the world of physical server-based IT into a virtual one. The type of cloud will dictate, though, whether pen testing is possible. For the most part, Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) clouds will permit pen testing. However, Software as a Service (SaaS) providers are not likely to allow customers to pen test their applications and infrastructure - even if they are applying for Cyber Essentials - with the exception of third parties performing the cloud providers’ own pen tests for compliance or security.
Infrastructure as a Service (IaaS) providers (such as Amazon, Rackspace, or ElasticHosts) can offer your organisation use of their "bare metal" infrastructure to develop and deploy applications on any platform or OS (almost). They don’t usually provide automatic OS updates, however.
Even for cloud users, Patch Tuesday is often part of the landscape!
This guest post was written by Michael Shuff. Find out more about Cognidox Document Management solutions for ISO standards-compliance by downloading our Information Security white paper at http://www.cognidox.com/cognidox/view/VI-403566-TM