In the UK, the National Cyber Security Centre (NCSC) runs an information assurance scheme called Cyber Essentials. Our blog post series looks at each of the framework’s five focus areas and offers practical hints and tips on security requirements and value to organisations wishing to follow its advice.
Manufacturers vary in their approach to default “out-of-the-box” settings: some will lock systems down and you need to relax settings to make them work, while other vendors configure their products as open (for usability reasons) and it’s your job as the user to understand these settings and switch off ones you don’t require.
All software has vulnerabilities that need to be patched to keep it secure. Microsoft Windows uses an auto-update feature to check which patches are required and suggests when to install them. If you don’t repair these known vulnerabilities, they could be exploited by hackers to gain unauthorised access to your information or launch a denial of service attack that targets your information’s availability. The problem is that hackers don’t attack only known vulnerabilities: they look for the most natural path to achieve their goals, which can also be through weak configuration.
To fulfil Cyber Essentials requirements for this mitigation strategy, we’d recommend looking first at patching. This applies not just to your operating system but to every application running on the platform. A typical Windows PC will have dozens of non-Microsoft applications running on it, some for business reasons, some for entertainment and some of which you are unaware. When Microsoft Windows runs its auto-updater, it doesn’t tell you that your copy of Adobe Photoshop is missing a critical security patch or that you are running a third-party web server on your laptop after testing a new development platform that you thought you deleted.
Patching – a critical part of cyber security management
When you start from a fresh build of Windows, we recommend that you catalogue all the software being installed and carry out regular checks on the vendors’ websites for updates and patch information. Usually there is an option to set software to auto-update; however, it often doesn’t come with that feature enabled. It pays to switch these features on as soon as you can.
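One way to build and check the catalogue recommended above, as an added PowerShell example (not code from the original post): it reads the registry uninstall keys where Windows installers register applications and compares what it finds with an approved list. The catalogue names and minimum versions are constructed sample data and stand in for your own records.

```powershell
# Added example: inventory installed software and compare it with an approved catalogue.
# The catalogue entries are constructed sample data; replace them with your own records.
$catalogue = @(
    [pscustomobject]@{ Name = 'Example PDF Reader'; MinVersion = '11.2.0' }
    [pscustomobject]@{ Name = 'Example Browser';    MinVersion = '120.0.1' }
)

# Registry locations where Windows installers register applications
# (64-bit, 32-bit on 64-bit Windows, and per-user installs).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName -Unique

$report = foreach ($app in $installed) {
    $entry  = $catalogue | Where-Object { $_.Name -eq $app.DisplayName } | Select-Object -First 1
    $status = 'NotInCatalogue'   # installed but never recorded: review or remove
    if ($entry) {
        $have = $null; $need = $null
        # Version strings are vendor-defined; unparseable ones need a manual check.
        if ([version]::TryParse($app.DisplayVersion, [ref]$have) -and
            [version]::TryParse($entry.MinVersion, [ref]$need)) {
            $status = if ($have -lt $need) { 'UpdateRequired' } else { 'OK' }
        } else {
            $status = 'CheckManually'
        }
    }
    [pscustomobject]@{
        Name      = $app.DisplayName
        Version   = $app.DisplayVersion
        Publisher = $app.Publisher
        Status    = $status
    }
}

# Show only the entries that need attention.
$report | Where-Object Status -ne 'OK' | Sort-Object Status, Name | Format-Table -AutoSize
```

Software that does not register an uninstall entry, such as portable executables and Microsoft Store apps, will not appear in this inventory and has to be catalogued separately.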
Microsoft has done a lot of work to secure their Windows operating systems, but they do still have vulnerabilities, so update them as soon as possible. Every operating system comes with software features you don’t need. It’s worth carrying out a review to establish what can be disabled or uninstalled, to remove the risk of them being exploited. Hackers can attack products with no known bugs, by misusing the service for their benefit – so if a feature isn’t required, we’d highly recommend switching it off!
Choosing secure settings on your mobile devices is just as important as on any other device in your business. In some cases, applications downloaded from app stores are not thoroughly security tested. The lack of software validation means you are exposed to games and utilities containing malicious code that allows hackers to access your phone while you use the software. In the age of cloud services, your mobile phone has the same access to all your business data that your desktop or laptop does, so you need to be careful about installing games and unnecessary applications.
The other risk to be aware of is that mobile phones often act as the second factor of authentication for more secure online services or even as the token for accessing your business network over a VPN. For this reason, they are sometimes more critical in terms of their security value (and value to a hacker) than your PC username and password, yet they are often more vulnerable to attack.
Many devices come with default passwords. Default passwords should always be changed on installation. However, many organisations leave these as default, mostly for convenience, which leaves them vulnerable to hackers. Wi-Fi access points, routers and firewalls are often discovered as attack points for hackers, with default passwords or ones that are easily guessable.
The UK’s National Cyber Security Centre has an excellent guide for password usage and administration you could refer to when implementing a security regime for your business. You can access it here.
Multifactor authentication (MFA) is by far one of the best security controls you can introduce into your business, since the primary goal of hackers in the initial stages of an attack is to gain access to a user or administrator account, and in both cases they need the username and password.
Multifactor authentication – a key security control
We would recommend the introduction of MFA into any business infrastructure, so that your workers require a second factor to access essential business data or critical business systems. Many organisations take a blanket approach to MFA where no access is permitted, be it internal or external, without using MFA.
Information security operates in a dynamic environment: what was patched with the latest updates yesterday may not be covered today.
Monitoring for changes in your security posture is challenging and time-consuming. However, it is vital if you want to keep your organisation as protected as possible. If you work for an organisation that is obliged to maintain compliance with regulatory standards, you may well have some insight into the size of the task.
Many organisations use monitoring technology to systematically review their security status. The number one benefit of this is that it alerts your organisation to any potential exposure. However, it also means that you have consistent measurement, a reduced reliance on scarce resources and the minimisation of any human error.
In this post we’ve looked at the Cyber Essentials requirement to secure your devices and software, explaining some of the key things to be aware of.
In future posts we will look at the remaining three baseline technical controls and explain how each one can play a vital role in determining an organisation’s security posture.