In the UK, the National Cyber Security Centre (NCSC) runs an information assurance scheme called Cyber Essentials. Our blog post series looks at each of the framework’s five focus areas and offers practical hints and tips on security requirements and value to organisations wishing to follow its advice.
Manufacturers vary in their approach to default “out-of-the-box” settings: some will lock systems down and you need to relax settings to make them work, while other vendors configure their products as open (for usability reasons) and it’s your job as the user to understand these settings and switch off ones you don’t require.
All software has vulnerabilities that need to be patched to keep it secure. Microsoft Windows uses an auto-update feature to check which patches are required and suggests when to install them. If you don’t repair these known vulnerabilities, they could be exploited by hackers to gain unauthorised access to your information or launch a denial of service attack that targets your information’s availability. The problem is that hackers don’t just attack known vulnerabilities: they look for the most natural path to achieve their goals, which can also be through weak configuration.
To fulfil Cyber Essentials requirements for this mitigation strategy, we’d recommend looking first at patching. This applies not just to your operating system but to every application running on the platform. A typical Windows PC will have dozens of non-Microsoft applications running on it, some for business reasons, some for entertainment and some of which you are unaware. When Microsoft Windows runs its auto-updater, it doesn’t tell you that your copy of Adobe Photoshop is missing a critical security patch or that you are running a third party web server on your laptop after testing a new development platform that you thought you deleted.
Patching – a critical part of cyber security management
When you start from a fresh build of Windows, we recommend that you catalogue all the software being installed and carry out regular checks on the vendors’ websites for updates and patch information. Usually, there is an option to set software systems to auto-update; however, they often don’t come with that feature enabled. It pays to switch these features on as soon as you can.
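One way to keep the software catalogue described above is sketched below as an added example (not part of the original post): it lists installed software from the Windows uninstall registry keys, saves it as a baseline on first run, and on later runs reports anything added, removed or changed. The baseline location `$BaselinePath` is an assumption.

```powershell
# Added example: inventory installed software and diff it against a saved baseline.
# $BaselinePath is an assumed location; choose one that suits your environment.
param(
    [string]$BaselinePath = "$env:ProgramData\SoftwareBaseline.csv"
)

function Get-InstalledSoftware {
    # Uninstall keys: 64-bit, 32-bit on 64-bit Windows, and per-user installs.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{n='Name';      e={ $_.DisplayName.Trim() }},
                      @{n='Version';   e={ [string]$_.DisplayVersion }},
                      @{n='Publisher'; e={ [string]$_.Publisher }} |
        Sort-Object Name, Version -Unique
}

$current = @(Get-InstalledSoftware)
if ($current.Count -eq 0) { throw 'No installed software found; check registry access.' }

# First run (ideally on the fresh build): record the baseline and stop.
if (-not (Test-Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation -Encoding UTF8
    Write-Output "Baseline created with $($current.Count) entries: $BaselinePath"
    return
}

# Later runs: report every name/version pair that differs from the baseline.
$baseline = @(Import-Csv -Path $BaselinePath)
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Version

$diff | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.Name
        Version = $_.Version
        Status  = if ($_.SideIndicator -eq '=>') { 'New or changed since baseline' }
                  else { 'Removed or superseded' }
    }
} | Format-Table -AutoSize
```

Microsoft Store (AppX) packages are not listed under these registry keys and need a separate check, for example with `Get-AppxPackage`.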
Microsoft has done a lot of work to secure their Windows operating systems, but they do still have vulnerabilities, so update them as soon as possible. Every operating system comes with software features you don’t need. It’s worth carrying out a review to establish what can be disabled or uninstalled, to remove the risk of them being exploited. Hackers can attack products with no known bugs, by misusing the service for their benefit – so if a feature isn’t required, we’d highly recommend switching it off!
Choosing secure settings on your mobile devices is just as important as on any other device in your business. In some cases, applications downloaded from app stores are not thoroughly security tested. The lack of software validation means you are exposed to games and utilities that contain malicious code, allowing hackers to access your phone while you use their software. In the age of cloud services, your mobile phone has the same access to all your business data that your desktop or laptop does, so you need to be careful about installing games and unnecessary applications.
The other risk to be aware of is that mobile phones often act as the second factor of authentication for more secure online services or even as the token for accessing your business network over a VPN. For this reason, they are sometimes more critical in terms of their security value (and value to a hacker) than your PC username and password, yet they are often more vulnerable to attack.
Many devices come with default passwords. Default passwords should always be changed on installation. However, many organisations leave these as default, mostly for convenience, which leaves them vulnerable to hackers. Wi-Fi access points, routers and firewalls are often discovered as attack points for hackers, with default passwords or ones that are easily guessable.
The UK’s National Cyber Security Centre has an excellent guide for password usage and administration you could refer to when implementing a security regime for your business. You can access it here.
Multifactor authentication (MFA) is by far one of the best security controls you can introduce into your business. The primary goal of hackers in the initial stages of an attack is to gain access to a user or administrator account, and for either, they need the username and password.
Multifactor authentication – a key security control
We would recommend the introduction of MFA into any business infrastructure, so that your workers require a second factor to access essential business data or critical business systems. Many organisations take a blanket approach to MFA where no access is permitted, be it internal or external, without using MFA.
Information security operates in a dynamic environment: what was patched with the latest updates yesterday may not be covered today.
Monitoring for changes in your security posture is challenging and time consuming. However, it is vital if you want to keep your organisation as protected as possible. If you work for an organisation that is obliged to maintain compliance to regulatory standards, you may well have some insight into the size of the task.
Many organisations use monitoring technology to systematically review their security status. The number one benefit of this is that it alerts your organisation to any potential exposure. However, it also means that you have consistent measurement, a reduced reliance on scarce resources and the minimisation of any human error.
In this post we’ve looked at the Cyber Essentials requirement to secure your devices and software, explaining some of the key things to be aware of.
In future posts we will look at the remaining three baseline technical controls and explain how each one can play a vital role in determining an organisation’s security posture.