Security and compliance are a sore subject for most small and medium-sized enterprises. PCI-DSS, for example, can be a long and painful process for small retailers, who are left feeling understandably frustrated at the end of an 80-page document heavy with technical jargon. The next challenge to look forward to is the abundance of guidance and industry bodies, with no single place to check against a small set of guidelines.
Currently the UK cyber security environment is not regulated by compulsory compliance policies. While industry specific frameworks are in place – PCI-DSS for retail, STIG for military, NERC for energy – no clear guidance exists for ensuring organizations operate in a cyber-safe manner for their benefit as well as for the benefit of their customers.
The Cyber Essentials Scheme, the new best-practice guidance issued by the UK government in response to industry demands for a better cyber security policy for the business landscape, was released on the 7th of April 2014. The project follows a call for evidence which concluded that cyber security standards should be internationally recognized, promote international trade, allow systems to exchange and use information efficiently and be auditable.
The five points of the Cyber Essentials Scheme:
1. Boundary firewalls and internet gateways
The objective is to restrict unauthorized access from the internet by configuring firewall rules, internet gateways or other network devices.
What to look for?
Changing default admin passwords, reviewing firewall rules, blocking vulnerable services (such as NetBIOS, SMB, TFTP and RPC), keeping firewall rules up to date and restricting access to the boundary firewall's admin interface should all help secure inbound and outbound network traffic.
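As an added illustration (not part of the original article or of the Cyber Essentials documentation), the following Python script audits an iptables-save style ruleset for the points just listed: a permissive default policy, the vulnerable services reachable from any source, and an admin interface open to the whole internet. The two rulesets, the port numbers assigned to each service and the assumption that tcp/22 and tcp/443 carry the firewall's own management interface are all constructed for the example; the INPUT chain is used because it governs traffic addressed to the firewall host itself.

```python
"""Audit an iptables-save style ruleset for the boundary-firewall items in the
Cyber Essentials guidance: default policy, exposure of vulnerable services and
unrestricted access to the firewall's admin interface.

Both rulesets below are constructed examples, not taken from any real device.
"""

# Well-known ports for the services the guidance names (assumed standard
# assignments; adjust for your environment).
RISKY_SERVICES = {
    "NetBIOS": [("udp", 137), ("udp", 138), ("tcp", 139)],
    "SMB": [("tcp", 445)],
    "TFTP": [("udp", 69)],
    "RPC": [("tcp", 111), ("udp", 111), ("tcp", 135)],
}
# Assumed ports of the firewall's own management interface (SSH, web UI).
ADMIN_PORTS = [("tcp", 22), ("tcp", 443)]
ANY_SOURCE = {None, "0.0.0.0/0", "::/0"}

# Weak configuration: ACCEPT policy, SMB and the web admin UI open to everyone,
# SSH allowed from the management network but nothing dropping other sources.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j DROP
COMMIT
"""

# Corrected configuration: DROP policy, admin interface only from 10.0.0.0/8.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def parse_ruleset(text):
    """Return (policies, rules): chain default policies and a list of rule dicts."""
    policies, rules = {}, []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0].startswith(":"):           # ":INPUT ACCEPT [0:0]"
            policies[tokens[0][1:]] = tokens[1]
            continue
        if tokens[0] != "-A":
            continue                             # "*filter", "COMMIT", comments
        rule = {"chain": tokens[1], "src": None, "proto": None,
                "dport": None, "state": None, "target": None}
        for flag, value in zip(tokens[2:], tokens[3:]):   # flag/value pairs
            if flag == "-s":
                rule["src"] = value
            elif flag == "-p":
                rule["proto"] = value
            elif flag == "--dport":
                rule["dport"] = int(value)
            elif flag in ("--state", "--ctstate"):
                rule["state"] = set(value.split(","))
            elif flag == "-j":
                rule["target"] = value
        rules.append(rule)
    return policies, rules


def verdict_for(policies, rules, chain, proto, port):
    """Fate of a NEW connection from an arbitrary internet host to proto/port:
    first matching rule wins (as in iptables), otherwise the chain policy."""
    for rule in rules:
        if rule["chain"] != chain:
            continue
        if rule["src"] not in ANY_SOURCE:
            continue        # covers only some sources, so not an arbitrary host
        if rule["state"] is not None and "NEW" not in rule["state"]:
            continue        # e.g. ESTABLISHED,RELATED: not a fresh inbound connection
        if rule["proto"] not in (None, proto) or rule["dport"] not in (None, port):
            continue
        return rule["target"]
    return policies.get(chain, "ACCEPT")


def audit(text, chain="INPUT"):
    """Return a list of human-readable findings for the given chain."""
    policies, rules = parse_ruleset(text)
    findings = []
    if policies.get(chain) == "ACCEPT":
        findings.append(f"{chain} default policy is ACCEPT; anything not explicitly blocked gets through")
    for name, ports in RISKY_SERVICES.items():
        exposed = [f"{p}/{n}" for p, n in ports
                   if verdict_for(policies, rules, chain, p, n) == "ACCEPT"]
        if exposed:
            findings.append(f"{name} reachable from any source on {', '.join(exposed)}")
    for p, n in ADMIN_PORTS:
        if verdict_for(policies, rules, chain, p, n) == "ACCEPT":
            findings.append(f"admin interface {p}/{n} reachable from any source")
    return findings


if __name__ == "__main__":
    for label, ruleset in (("weak", SAMPLE_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"== {label} ruleset ==")
        for finding in audit(ruleset) or ["no findings"]:
            print(" -", finding)
```

Note that the weak ruleset's SSH rule is not by itself a finding: the script reports tcp/22 because the ACCEPT default policy means a host outside 10.0.0.0/8 is never dropped, which is the kind of gap a rule-by-rule review misses and a "what can an outsider reach" evaluation catches.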
Case in point
The Target breach was achieved through a third-party vendor. Access to the POS network was not restricted; the attackers obtained the credentials of a contractor who managed environmental controls remotely, and from there it was only a matter of time until they infiltrated the payment processing systems across the entire network.
2. Secure configuration
Is default mode safe mode? Whether it's a computer, a network or a phone, the "out-of-the-box" configuration is never safe, which is why stronger authentication is required.
What to look for?
Remove unnecessary user accounts (especially any with special access privileges) and unnecessary pre-installed software, change default passwords, disable the auto-run feature to prevent code being executed without the user's knowledge and consent, and install a personal firewall.
Case in point
While the Winter Olympics were taking place in Sochi, NBC News ran a story on how a reporter's phone and test computers were hijacked "before we even finished our coffee". The story was later shown to be a hoax: the compromise was the result of a combination of risky user behaviour (clicking unknown links, visiting suspicious websites) and default security settings deliberately left in place on the two test laptops.