Guide to the UK government cyber essentials scheme
by Edwin Bentley - Senior Software Developer at Titania - Thursday, 1 May 2014.
The results of the latest cyber threat reports and surveys have labelled 2013 the year of major breaches. The media naturally focuses on the big stories of massive data breaches or coordinated state attacks which leave in their wake a trail of lawsuits, customer data losses and political conflicts. However, that is not the entire spectrum of the cyber security landscape, nor does it reflect the full damage of attacks in cyber space. The SME landscape has its own perils and it suffers just as much as the large corporate domain. The difference is you don’t often hear about it.

Security and compliance are a sore subject for most small and medium sized enterprises. PCI-DSS, for example, can be a long and painful process for small retailers, who are left feeling understandably frustrated at the end of an 80 page document heavy with technical jargon. The next challenge is the abundance of guidance documents and industry bodies, with no single place to check against a short, simple set of guidelines.

Currently the UK cyber security environment is not regulated by compulsory compliance policies. While industry specific frameworks are in place – PCI-DSS for retail, STIG for military, NERC for energy – no clear guidance exists for ensuring organizations operate in a cyber-safe manner for their benefit as well as for the benefit of their customers.

The Cyber Essentials Scheme, the new best-practice guidance issued by the UK government in response to industry demands for a better cyber security policy for the business landscape, was released on the 7th of April 2014. The project follows a call for evidence which concluded that cyber security standards should be internationally recognized, promote international trade, allow systems to exchange and use information efficiently, and be auditable.

The 5 points of the Cyber Essentials scheme:

1. Boundary firewalls and internet gateways

The objective is to restrict unauthorized access from the internet by configuring firewall rules, internet gateways or other network devices.

What to look for?

Changed default admin passwords, reviewed firewall rules, blocking of vulnerable services (such as NetBIOS, SMB, TFTP and RPC), regular updates to the firewall rules and restricted access to the boundary firewall’s admin interface all help secure inbound and outbound network traffic.
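The checks above can be expressed as a small configuration audit. The following is an added example, not code from the article, the scheme or Titania: it parses a constructed, simplified ruleset (the rule syntax, the 203.0.113.0/24 and 198.51.100.1 addresses and the management ports are all hypothetical) and reports inbound rules that expose the services the article names, rules that expose the firewall's own admin interface to the internet, and the absence of an explicit inbound default-deny rule.

```python
"""Audit a simplified boundary firewall ruleset against the Cyber Essentials
'boundary firewalls and internet gateways' checks.
Constructed example: rule syntax, addresses and admin ports are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_network

# Services the article lists as ones that should not be reachable from the
# internet, with their standard protocol/port pairs.
RISKY_SERVICES = {
    "netbios-ns": ("udp", 137),
    "netbios-dgm": ("udp", 138),
    "netbios-ssn": ("tcp", 139),
    "smb": ("tcp", 445),
    "tftp": ("udp", 69),
    "msrpc": ("tcp", 135),
}

# Hypothetical: the firewall's own management address and the ports it listens on.
ADMIN_ADDRESS = "198.51.100.1/32"
ADMIN_PORTS = {("tcp", 22), ("tcp", 443)}

# Constructed ruleset: action direction proto source destination port
RULESET = """
allow in  tcp 0.0.0.0/0  203.0.113.10/32 443   # public web server
allow in  tcp 0.0.0.0/0  203.0.113.20/32 445   # file server: SMB exposed to the internet
allow in  udp 0.0.0.0/0  203.0.113.20/32 69    # TFTP exposed to the internet
allow in  tcp 0.0.0.0/0  198.51.100.1/32 22    # SSH to the firewall from anywhere
allow in  tcp 10.0.0.0/8 198.51.100.1/32 22    # SSH to the firewall from the LAN
allow in  tcp 10.0.0.0/8 203.0.113.20/32 445   # SMB from the LAN
"""


@dataclass
class Rule:
    action: str     # "allow" or "deny"
    direction: str  # "in" or "out"
    proto: str
    src: str        # CIDR
    dst: str        # CIDR
    port: int


def parse_rules(text):
    """Parse the hypothetical six-field rule syntax, ignoring comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, direction, proto, src, dst, port = line.split()
        rules.append(Rule(action, direction, proto, src, dst, int(port)))
    return rules


def from_internet(cidr):
    """True if a source range includes internet addresses ('any' or any non-private range)."""
    net = ip_network(cidr)
    return net.prefixlen == 0 or not (net.is_private or net.is_loopback)


def audit(rules, admin_address=ADMIN_ADDRESS):
    """Return a list of findings (empty list means the ruleset passed these checks)."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.direction != "in" or not from_internet(r.src):
            continue
        # Vulnerable services permitted inbound from the internet
        for name, (proto, port) in RISKY_SERVICES.items():
            if (r.proto, r.port) == (proto, port):
                findings.append(f"{name} ({proto}/{port}) on {r.dst} is reachable from {r.src}")
        # Admin interface of the firewall itself permitted inbound from the internet
        if r.dst == admin_address and (r.proto, r.port) in ADMIN_PORTS:
            findings.append(f"firewall admin interface {r.proto}/{r.port} is reachable from {r.src}")
    # An explicit inbound deny-all makes the intended default visible to reviewers
    if not any(r.action == "deny" and r.direction == "in"
               and ip_network(r.src).prefixlen == 0 for r in rules):
        findings.append("no explicit inbound default-deny rule")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rules(RULESET)):
        print("FINDING:", finding)
```

Real firewalls have vendor-specific syntax and often an implicit default deny; the value of the exercise is the check list, which is the same whatever the rule format: nothing from the internet to NetBIOS, SMB, TFTP or RPC, nothing from the internet to the management interface, and a deny rule that is visible rather than assumed.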

Case in point

The Target breach was carried out through a third-party vendor. Access to the POS network was not restricted: the attackers obtained the credentials of a contractor who managed environmental controls remotely, and from there it was only a matter of time until they reached the payment processing systems across the entire network.

2. Secure configuration

Is default mode safe mode? Whether it’s a computer, a network or a phone, the “out-of-the-box” configuration is never safe, which is why stronger authentication is required.

What to look for?

Removing unnecessary user accounts (especially any with special access privileges) and unnecessary pre-installed software, changing default passwords, disabling the auto-run feature so that code cannot be executed without the user’s knowledge and consent, and installing a personal firewall.
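Two of these items, unnecessary privileged accounts and default passwords on the one hand and the auto-run setting on the other, can be checked from exported host data. The following is an added example, not code from the article or the scheme: it reads a constructed account inventory (the CSV layout is hypothetical) and a constructed registry export, flagging enabled accounts that still use a default password, privileged accounts that have never logged in or have been unused for longer than a threshold, an enabled built-in guest account, and drive types for which auto-run is still permitted. The registry key and value name are the real ones Windows uses for the auto-run policy; the bit-to-drive-type mapping is the documented one, and 0xFF disables auto-run on every drive type.

```python
"""Check a host's local accounts and auto-run policy against the Cyber
Essentials 'secure configuration' items.
Constructed example: the CSV inventory format and the sample data are hypothetical."""
import csv
import io
import re
from datetime import date

# Constructed inventory: name, admin, enabled, default_password, last_login (ISO date or empty)
ACCOUNTS_CSV = """name,admin,enabled,default_password,last_login
alice,yes,yes,no,2014-04-28
administrator,yes,yes,yes,
guest,no,yes,no,
svc_backup,yes,yes,no,2013-01-15
bob,no,yes,no,2014-04-30
"""

# Constructed registry export. The key and value name are the real ones for
# the Windows auto-run policy; 0x91 is a typical default, 0xFF disables all.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

# NoDriveTypeAutoRun bits: a set bit disables auto-run for that drive type.
AUTORUN_BITS = {0x04: "removable", 0x08: "fixed", 0x20: "cdrom", 0x40: "ramdisk"}


def parse_accounts(text):
    """Parse the hypothetical inventory CSV into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "name": row["name"],
            "admin": row["admin"] == "yes",
            "enabled": row["enabled"] == "yes",
            "default_password": row["default_password"] == "yes",
            "last_login": date.fromisoformat(row["last_login"]) if row["last_login"] else None,
        })
    return accounts


def audit_accounts(accounts, today, stale_days=90):
    """Return findings for enabled accounts; disabled accounts are skipped."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        if a["default_password"]:
            findings.append(f"{a['name']}: default password still in use")
        if a["name"].lower() == "guest":
            findings.append("guest: built-in guest account is enabled")
        if a["admin"]:
            if a["last_login"] is None:
                findings.append(f"{a['name']}: privileged account has never been used")
            else:
                idle = (today - a["last_login"]).days
                if idle > stale_days:
                    findings.append(f"{a['name']}: privileged account unused for {idle} days")
    return findings


def autorun_status(reg_text):
    """Return (policy value, drive types on which auto-run is still permitted).

    A missing value means the Windows default applies; it is reported as
    not hardened so a reviewer looks at it explicitly."""
    m = re.search(r'"NoDriveTypeAutoRun"=dword:([0-9a-fA-F]{8})', reg_text)
    if not m:
        return None, list(AUTORUN_BITS.values())
    value = int(m.group(1), 16)
    still_enabled = [name for bit, name in AUTORUN_BITS.items() if not value & bit]
    return value, still_enabled


if __name__ == "__main__":
    for finding in audit_accounts(parse_accounts(ACCOUNTS_CSV), date(2014, 5, 1)):
        print("FINDING:", finding)
    value, still_enabled = autorun_status(REG_EXPORT)
    print(f"NoDriveTypeAutoRun = {value:#x}; auto-run still permitted on: {still_enabled}")
```

The account checks deliberately avoid testing passwords themselves; an inventory flag set by the person who provisioned the account, or by a password policy report, is enough to drive the finding. For the auto-run check, the useful outcome is the list of drive types still permitted rather than a pass/fail, because it tells the administrator which bits the policy value still needs.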

Case in point

During the Sochi Winter Olympics, NBC News ran a story on how a reporter’s phone and test computers were hijacked ‘before we even finished our coffee’. The story was later shown to be a hoax: the compromises resulted from a combination of risky user behaviour (clicking unknown links, visiting suspicious websites) and default security settings intentionally left in place on the two test laptops.
