February 12, 2024

Cyber Essentials: The Essential Guide

The Cyber Essentials requirements have undergone numerous updates over the last year, which have impacted both the overall scope of the assessment, as well as each of the key controls.



The following guidance can help to ensure that each of the five key controls has been suitably applied to your devices and user accounts.

If you are considering the Cyber Essentials assessment for the first time, the following guidance can help to establish processes and controls which may not currently be in place. Additionally, we have provided a preparation form, which can help you baseline the areas of your organisation which currently meet the requirements and highlight those which require updates.

Where any current documentation may be incomplete, we have provided template documents which can be used in establishing policies and processes.

The Cyber Essentials Scope

The Cyber Essentials scope is intended to apply to an organisation's entire set of assets, and most devices will fall under the defined scope.

Devices which will be considered in scope are:

  • Desktops, Laptops, Thin Clients and Virtual Desktops which are in use by your organisation and provide users with a typical desktop environment
  • Servers, whether physical or virtual, and Hypervisors
  • Personal Devices, or Bring Your Own Devices (BYOD), including laptops, desktops and mobiles, if used to access organisation resources or data, including email or logging into remote access solutions
  • Cloud Services, including IaaS, PaaS and SaaS
  • Firewalls, Routers, Switches and Wireless devices, if internet accessible and used to route communications to and from the internet

Devices which do not need to be considered for the scope of Cyber Essentials:

  • Mobile devices do not need to be considered in scope if only used for native voice, text or MFA authentication applications
  • Internet Service Provider (ISP) routers
  • Switches and Wireless devices, if not directly accessible via the internet
  • Devices which cannot receive incoming connections from untrusted internet hosts, cannot create user-initiated outbound connections to the internet, and do not control the flow of data between devices and the internet.

Within Cyber Essentials there are also options to only define a subset of your organisation within scope rather than the organisation as a whole.

When segmenting your organisation into sections which are in-scope and sections which are out-of-scope, it is important to ensure that the two segments have a clearly defined network boundary, for example by Firewalls, Subnets or VLANs.

When defining a subset, the same scope definition requirements will apply to the segment of the organisation which is in scope and will always need to include some form of end user devices.

The Cyber Essentials assessment contains five key control areas:

  • Access Controls
  • Secure Configuration
  • Updating Software
  • Malware Protection
  • Firewalls

Think you’re ready to certify against Cyber Essentials?

Preparation can help reduce costs and improve your chances of passing successfully the first time.

Work through our free Cyber Essentials Plus Checklist to get a full gap analysis report and expert recommendations. This will make sure your organisation meets all of the Cyber Essentials requirements and Cyber Essentials Plus requirements ahead of certification.

The Cyber Essentials Controls Introduction

Firewalls

Your organisation's firewall will likely act as your gateway device to the internet and provide your devices with a level of protection from being directly targeted by internet-borne attackers. The firewall should be carefully configured and managed, as a misconfiguration can inadvertently result in devices or services being directly accessible via the internet and an increased threat from attacks such as Denial of Service, brute force password attacks and targeted attacks against known vulnerabilities in exposed services.

Regardless of whether your devices are protected by a network firewall or a software firewall, there should be a considered management strategy in place to ensure a consistent set of key security controls, including:

  • Access to the firewall should be protected
  • Default login accounts should be disabled or changed
  • Vendor documentation should be reviewed to remove any insecure default settings
  • Maintain a documented set of firewall rules, with a confirmed and approved reason for each rule
  • Any services exposed through the firewall should have a documented business case for why they need to be accessible
  • Any changes to the set of firewall rules should be approved, and records updated to reflect the changes
  • Conduct a Firewall Ruleset review and External Infrastructure assessment on a regular basis to ensure that the configuration, patch level and user accounts are all in line with expectations
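The ruleset review described above is easiest to do when the firewall's live rules are compared mechanically against the rule register. The following is an added example, not code from the original page or from Precursor Security: it compares a constructed live ruleset (a generic export that imitates no real vendor format) with a constructed register of approved business cases, and reports rules with no documented reason, allow rules that expose a high-risk port to any source, and stale register entries with no matching live rule. Rule identifiers, addresses and approvers are all invented for illustration.

```python
"""Firewall ruleset review against a rule register.

Added example, not from the original page. All data below is constructed:
the 'live' ruleset imitates a generic export from a hypothetical firewall
(no real vendor format), and the register is the organisation's own record
of the approved business case for each rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str   # "allow" or "deny"
    src: str      # source network; "any" means 0.0.0.0/0 (the whole internet)
    dst: str      # destination host or network
    port: str     # destination port, or "any"


# Constructed live ruleset: what the firewall is currently enforcing.
LIVE_RULES = [
    Rule("FW-001", "allow", "any", "10.0.1.10", "443"),
    Rule("FW-002", "allow", "any", "10.0.1.20", "3389"),
    Rule("FW-003", "allow", "203.0.113.0/24", "10.0.1.30", "22"),
    Rule("FW-004", "allow", "any", "10.0.1.40", "any"),
    Rule("FW-999", "deny", "any", "any", "any"),
]

# Constructed rule register: rule_id -> (business case, approver, approval date).
REGISTER = {
    "FW-001": ("Customer web portal over HTTPS", "IT Manager", "2024-01-15"),
    "FW-003": ("Vendor support SSH from the vendor's address range", "IT Manager", "2023-11-02"),
    "FW-005": ("Legacy VPN concentrator (decommissioned)", "IT Manager", "2022-06-30"),
    "FW-999": ("Default deny", "IT Manager", "2023-01-01"),
}

# Ports where an "allow from any" rule exposes an administrative or
# file-sharing service to the internet and needs a strong business case.
HIGH_RISK_PORTS = {"22", "23", "445", "3389", "any"}


def review_ruleset(live, register):
    """Return (rule_id, finding) pairs describing gaps between the live
    ruleset and the register.

    Three checks: a live rule with no documented business case, an allow
    rule exposing a high-risk port to any source, and a register entry
    for a rule that no longer exists on the firewall (stale record).
    """
    findings = []
    live_ids = {r.rule_id for r in live}
    for r in live:
        if r.rule_id not in register:
            findings.append((r.rule_id, "no documented business case in register"))
        if r.action == "allow" and r.src == "any" and r.port in HIGH_RISK_PORTS:
            findings.append((r.rule_id, f"allow from any source to port {r.port}"))
    for rule_id in register:
        if rule_id not in live_ids:
            findings.append((rule_id, "register entry has no matching live rule"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in review_ruleset(LIVE_RULES, REGISTER):
        print(f"{rule_id}: {finding}")
```

In practice the live ruleset would be loaded from the firewall's own export and the register from the organisation's rule management records; the comparison logic stays the same, and each finding should be tracked to either an approved register entry or a rule removal.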

To manage organisation Firewalls in line with the Cyber Essentials requirements, the following documentation should be in place:

  • Asset Management, to ensure that all devices in use by the organisation are logged.
  • Device Build Policy, to ensure that the Secure Configuration requirements are initially applied
  • User Management Policy, to ensure that accounts and permissions are correctly configured to access the Firewall.
  • Credential Management Policy, to ensure that secure passwords are utilised to access the Firewall
  • Patch Management Policy, to ensure that Firewalls are maintained with the latest available updates.
  • Firewall Rule Management, to ensure that the creation, change and removal of Firewall rules is correctly managed and approved.

Secure Configuration

All devices which are in use within the organisation and under the Scope of Cyber Essentials will need to be configured to a secure standard. It is often the case that devices have a number of default settings in place which are not configured to the most secure standard available.

Devices often ship with preinstalled software which is not necessary for business use, and with default accounts set up for initial access, often using default and well-known credentials.

For any device which is being utilised by the organisation, a standard build process should be adhered to, ensuring that default and insecure options are removed. Although the specifics for each device may vary, the following key principles should always be in place:

  • Default login accounts should be disabled or changed
  • Unnecessary software should be removed
  • Maintain a documented set of software to be installed on devices
  • Any software in use should have a documented business case for why it needs to be installed on devices
  • Any changes/additions to this set of software should be approved and records updated to reflect changes
  • Conduct a regular Vulnerability Assessment and Build Review of devices to ensure that secure configuration settings are applied as intended and no vulnerabilities or insecure settings are in place.

To manage the Secure Configuration of devices in line with the Cyber Essentials requirements, the following documentation will apply.

  • Asset Management, to ensure that all devices in use by the organisation are logged.
  • Software Management, to ensure that all software in use by the organisation is logged.
  • Device Build Policy, to ensure that the Secure Configuration requirements are applied to each device
  • User Management Policy, to ensure that accounts and permissions are correctly configured to access each device and service.

User Access Controls

For any account which is created, updated or removed, whether this is a user account, a service account, or an account provided to third parties and contractors, a core set of security principles should be in place to reduce any potential for compromise.

Additionally, the permissions for each user account should be carefully considered with a principle of least privilege in place.

The following key security controls should be implemented for the management of all user accounts in use throughout the organisation:

  • Only create, edit or remove accounts after a specific approval process has been followed
  • Only assign the specific permissions which are necessary for any user account
  • Administrator accounts should always be created as separate accounts and never used as a day-to-day account
  • Never set up a single account for multiple users to share; always create unique accounts
  • Maintain a documented list of user accounts and their assigned permissions
  • Multi-Factor Authentication should be enabled wherever available for login services that face the internet; for cloud services it should always be in place
  • Ensure authentication is required to unlock or access devices
  • Enforce technical controls to enable secure password selection, and educate and encourage all of your users to choose secure passwords
  • Ensure your accounts have a lockout policy in place to protect them from brute force password guessing attacks
  • Conduct a regular password analysis and phishing assessment against your users to ensure that users are suitably educated and adhering to the security guidelines as intended
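Several of the controls above (separate admin accounts, no shared accounts, MFA on internet-facing services, approval before creation) can be checked directly against the documented list of user accounts. The following is an added example, not code from the original page or from Precursor Security: it audits a constructed account register with invented users, and the field names are an assumption about how such a register might be kept rather than any product's schema.

```python
"""Account register audit for the user access controls listed above.

Added example, not from the original page. The register below is a
constructed sample with invented users; the field names are an assumption
about how such a register might be kept, not any product's schema.
"""

# Constructed account register. "owners" lists the people who know the
# credential; "kind" separates human user accounts from service accounts.
ACCOUNTS = [
    {"username": "alice", "kind": "user", "owners": ["Alice"], "admin": False,
     "service": "Microsoft 365", "internet_facing": True, "mfa": True,
     "approved_by": "IT Manager"},
    {"username": "alice-adm", "kind": "user", "owners": ["Alice"], "admin": True,
     "service": "Microsoft 365", "internet_facing": True, "mfa": True,
     "approved_by": "IT Manager"},
    {"username": "bob-adm", "kind": "user", "owners": ["Bob"], "admin": True,
     "service": "Active Directory", "internet_facing": False, "mfa": False,
     "approved_by": "IT Manager"},
    {"username": "reception", "kind": "user", "owners": ["Carol", "Dan"], "admin": False,
     "service": "Microsoft 365", "internet_facing": True, "mfa": False,
     "approved_by": None},
    {"username": "svc-backup", "kind": "service", "owners": ["Backup server"], "admin": True,
     "service": "Active Directory", "internet_facing": False, "mfa": False,
     "approved_by": "IT Manager"},
]


def audit_accounts(accounts):
    """Return (username, finding) pairs for accounts that breach the controls."""
    findings = []
    # People who hold a non-admin account, used to check that every human
    # admin account has a separate day-to-day account behind it.
    standard_owners = {
        owner
        for a in accounts if a["kind"] == "user" and not a["admin"]
        for owner in a["owners"]
    }
    for a in accounts:
        name = a["username"]
        if len(a["owners"]) > 1:
            findings.append((name, "shared account: several users hold one credential"))
        if a["kind"] == "user" and a["admin"] and not all(o in standard_owners for o in a["owners"]):
            findings.append((name, "admin account with no separate day-to-day account for its owner"))
        if a["internet_facing"] and not a["mfa"]:
            findings.append((name, "MFA not enabled on an internet-facing service"))
        if a["approved_by"] is None:
            findings.append((name, "no approval recorded for this account"))
    return findings


if __name__ == "__main__":
    for username, finding in audit_accounts(ACCOUNTS):
        print(f"{username}: {finding}")
```

Service accounts are excluded from the separate-admin-account check because they have no human owner with a day-to-day login; they still go through the shared-account, MFA and approval checks like every other entry.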

To securely manage User Accounts in line with the Cyber Essentials requirements, the following documentation will apply.

  • User Management Policy, to ensure that accounts and permissions are correctly configured to access each device and service.
  • Credential Management Policy, to ensure that secure passwords are in place and users suitably educated on the importance of choosing secure passwords.
  • Account Usage Guidelines, to ensure that users are educated on the importance of secure account usage.
  • User Account Management, to ensure that accounts in use throughout the organisation are logged

Malware Protection

Ensuring Malware Protection solutions are in place for your devices helps to prevent a large percentage of common attacks.

The Cyber Essentials requirements define three methods of securing devices against Malware:

  • Having Anti-Malware software installed on your devices, where you can conduct on-access file scanning and web-page scanning
  • Limiting the installation of applications to an approved set, where users are prevented from installing applications and may only make use of applications from an approved list
  • Implementing an Application Sandbox, where users may run applications within the sandbox, and the sandbox is unable to access organisation data, sensitive content and other devices.

For the secure setup and management of Malware Protection solutions in line with the Cyber Essentials requirements, the following documentation will apply.

  • Device Build Policy, to ensure that devices are initially set up with a method of Malware Protection in place
  • Patch Management Policy, to ensure that all malware protection software is maintained with the latest available updates.
  • Software Management, to ensure that all malware protection software in use by the organisation is logged, reviewed and kept up to date

Secure Update Management

For any device which is being utilised by the organisation, a standard patch management process should be adhered to, ensuring that the latest available updates are applied. Updates may be applied through automated updates, patch management solutions or manual updates, but should always be applied within 14 days of patch release, or sooner, to avoid potential exploitation by automated or targeted attacks.

  • Configure automated updates wherever available for both operating systems and software
  • Deploy patch management solutions where possible to log devices, installed software, and automatically deploy updates
  • Maintain a documented list of all devices in use within the organisation, including the installed operating system and software.
  • Maintain a regular review process for a continually changing sample of devices and software, to ensure that updates are being applied as intended and no single device is being overlooked.
  • Conduct regular vulnerability scanning of devices to automate checks against updates being applied and ensure that no known vulnerabilities impact your systems.
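The 14-day window and the documented device and software list above combine naturally into a patch status report. The following is an added example, not code from the original page or from Precursor Security: it takes a constructed inventory (invented device names, versions and release dates, shaped like rows from a hypothetical asset register) and classifies each row as up to date, still within the 14-day window, or overdue, with the number of days past the window. The report date used is the article's own date, 12 February 2024.

```python
"""Patch window check against the 14-day expectation in the text.

Added example, not from the original page. The inventory is constructed
to look like rows from a hypothetical asset register; device names,
versions and release dates are invented for illustration.
"""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)
ARTICLE_DATE = date(2024, 2, 12)   # report date used in the usage below

# Constructed inventory: one row per (device, software) pair, recording
# the installed version, the latest vendor version and its release date.
INVENTORY = [
    {"device": "LAPTOP-01", "software": "Operating system",
     "installed": "22.04.3", "latest": "22.04.4", "released": date(2024, 1, 20)},
    {"device": "LAPTOP-02", "software": "Browser",
     "installed": "121.0", "latest": "121.0", "released": date(2024, 1, 23)},
    {"device": "SRV-01", "software": "Operating system",
     "installed": "2022-01", "latest": "2022-02", "released": date(2024, 2, 6)},
    {"device": "FW-EDGE", "software": "Firmware",
     "installed": "7.2.1", "latest": "7.2.5", "released": date(2023, 12, 1)},
]


def classify(row, today):
    """Return (status, days_overdue) where status is one of
    "up_to_date", "within_window" or "overdue"."""
    if row["installed"] == row["latest"]:
        return "up_to_date", 0
    deadline = row["released"] + PATCH_WINDOW
    if today <= deadline:
        return "within_window", 0
    return "overdue", (today - deadline).days


def patch_report(inventory, today):
    """Group inventory rows by patch status, keeping days overdue for each."""
    report = {"up_to_date": [], "within_window": [], "overdue": []}
    for row in inventory:
        status, days = classify(row, today)
        report[status].append((row["device"], row["software"], days))
    return report


if __name__ == "__main__":
    for status, rows in patch_report(INVENTORY, ARTICLE_DATE).items():
        for device, software, days in rows:
            suffix = f" ({days} days past the 14-day window)" if days else ""
            print(f"{status:14} {device:10} {software}{suffix}")
```

The "within_window" rows are the ones to watch: a release on 6 February is compliant on 12 February but becomes overdue on 21 February if it has not been applied, so the report is most useful when run on a schedule rather than once.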

To manage the secure patch management of devices in line with the Cyber Essentials requirements, the following documentation will apply.

  • Patch Management Policy, to ensure that all devices are maintained with the latest available updates.
  • Device Build Policy, to ensure that devices are initially set up to a secure standard and receive ongoing and regular reviews
  • Software Management, to ensure that all software in use by the organisation is logged, reviewed and kept up to date
  • Asset Management, to ensure that all devices in use by the organisation are logged, reviewed and kept up to date

Final Word

Precursor have established a short readiness quiz which will help you identify your organisation's current security status and whether there is any room for improvement within your organisation's current processes.

For anything else related to Cyber Essentials and security, please contact Precursor Security and our team will be happy to offer our help and services.


Written by

Precursor Security

Welcome to Precursor Security, where the forefront of cybersecurity and penetration testing expertise meets unmatched dedication and innovation. We are the architects of robust digital defences, committed to safeguarding the online realm.
