Cyber Essentials: Why your organisation should 'Get Badged'!

Title: VI-404576-TM
Version: 1
Author: Michael Shuff
Issue Date: 29 Jan 2015

Summary

Cyber Essentials is a UK Government initiative launched in June 2014 with industry backing. It allows companies to gain one of two available Cyber Essentials badges. Certification became mandatory from October 2014 onwards to be eligible for certain UK Government contracts.

There are five technical controls stipulated in the Cyber Essentials Requirements:

1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management

This white paper explains the reasoning behind Cyber Essentials and answers the question: should my company become badged?

Contents

1 Introduction
2 What is the Cyber Essentials Scheme - and will Business buy in?
2.1 How does the scheme operate? Is it a 'Standards framework'?
2.2 What is the Government's purpose in fostering Cyber Essentials?
2.3 Why is the UK Government promoting 'cyber security assurance'?
2.4 So what is wrong with ISO27001 when setting higher standards?
2.5 Does Cyber Essentials involve any form of Risk Assessment?
2.6 Why do we need Cyber Essentials if ISO27001 is an option?
2.7 What types of cyber threat does Cyber Essentials hope to combat?
3 Technical Requirements for Basic Protection from Cyber Attack
4 Cyber Essentials Controls: what they are, and what they're not!
4.1 'Control Themes' presented in the Cyber Essentials Requirements
4.2 Secure configuration and User access control
4.3 Malware protection and Patch management
5 How does Cyber Essentials deal with cloud service provision?
5.1 Who will test cloud services for compliance with Cyber Essentials?
6 Conclusions

1 Introduction

In 2014, the UK Government launched an initiative to improve cyber security by encouraging companies doing business in the UK to acquire a "badge" proving they met security requirements. There are two levels of badge: "Cyber Essentials" and "Cyber Essentials Plus". A badge is good for one year, and an external certifying body independently awards certificates. The cost of certification is modest: not more than £400 for the basic level and around £3,000 for the Plus level.

This white paper looks at the scheme and asks whether there is value in certification. The paper considers why the UK Government did not re-use an existing information security standard such as ISO/IEC 27001. Finally, with the increasing popularity of the Cloud, the paper asks whether Cyber Essentials is appropriate for assuring the IT security of cloud-based applications.

2 What is the Cyber Essentials Scheme - and will Business buy in?

The Jury is assembling. What will businesses make of the Government's ideas on cyber security controls, and is Cyber Essentials worth the cost?
The UK Government's Cyber Essentials Scheme, announced in April 2014, aims to drive awareness of the risks posed by cybercrime, and to help smaller enterprises delivering products or services to the UK public sector to defend their IT systems, networks and customers' data from attacks. Government is widely encouraging its adoption and has made it mandatory for Central Government contracts advertised after 1 October 2014 which feature characteristics involving the handling of personal information and the provision of certain ICT products and services. Details are set out in Annex A of the HMG Procurement Policy Note – Use of Cyber Essentials Scheme certification, Action Note 09/14, 25 September 2014.

2.1 How does the scheme operate? Is it a 'Standards framework'?

Briefly, no. Government has developed the Cyber Essentials Scheme with industry to provide a clear statement of the basic technical controls that all organisations should implement to mitigate the risk from common internet-based threats. However, and despite words to the effect that it would be a "kite-marked" standard, Cyber Essentials is a Scheme and definitely not a British Standard (BS).

The scheme's requirements fall within the context of the Government's 10 Steps to Cyber Security. The documentation so far produced by BIS maps the five Cyber Essentials controls to controls in the ISO27001, IASME and ISF Standards. The British Standards Institution (BSI) have collaborated on the project (at least in the early stages), as has CREST, who (in their own words) "...were engaged by CESG, the Information Security arm of GCHQ, to develop an assessment framework to support the scheme, which forms a key deliverable of this strategy". Hence, based on the credibility of the various partner organisations, we can assume that the Assurance Framework will offer, as BIS suggests, "a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions".
2.2 What is the Government's purpose in fostering Cyber Essentials?

To begin, more or less, at the beginning. In 2011, the UK Government launched The UK Cyber Security Strategy - 'Protecting and promoting the UK in a digital world'. The strategy stated the Government's declared aim to improve the information available to people buying security products by encouraging the development of [sic erat scriptum] security 'kitemarks'.

BIS was tasked to work with domestic, European, global and commercial standards organisations to stimulate the development of industry-led standards and guidance. This would help customers to navigate the market and differentiate companies with appropriate levels of protection and good cyber security products. Action 24 stated the aim:

Action 24: Encourage industry-led standards and guidance that are readily used and understood, and that help companies who are good at security make that a selling point.

Fast forward three years: the then Universities and Science Minister, David Willetts, said at the launch of the Cyber Essentials Scheme in June 2014:

"Cyber Essentials is an easy to use cost effective way to help businesses and the public sector protect themselves against the risks of operating online. ... Organisations will now be able to easily demonstrate they are cyber safe - reassuring their clients, boosting confidence and profitability. I encourage all organisations to adopt it."

However, by the time of the launch hosted by the ICAEW IT Faculty at Chartered Accountants' Hall in the City of London, Cyber Essentials was less of a 'standards framework' in the sense of ISO27001, and more an MOT test for cyber security hygiene. Gone was any reference to the "kite-marked" cyber security standards concept heralded in the 2011 Strategy.
What remained was the idea that the cyber security control requirements would be 'readily used and understood' and that they would be a selling point for organisations that are good at putting in place effective security. This is the Cyber Essentials Scheme; aptly named, since the mandated controls are essential to secure any IT system connected to the Internet.

2.3 Why is the UK Government promoting 'cyber security assurance'?

The Government ICT Strategy also sets out how Government is working to make its own critical data and systems secure and resilient against cyber threat. This is important in understanding what is, I suggest, the primary motivation for introducing the Cyber Essentials Scheme, and why it is important for the organisations supplying government to take notice.

Government is working with industry to develop rigorous cyber security and IA standards for ICT products and services supplied to Government and its Public Services Network. In particular, they are in the process of raising the standard of cyber security that Government can expect from suppliers of sensitive defence equipment. Just as they already have in place certain requirements on contractors' physical security, the growth of services supplied to Government that use the internet now means that it makes sense for them to look again at their cyber security requirements.

It is worth bearing in mind here that, these days, some of the companies providing services to Government are frankly tiny compared, say, to the Big Four professional services firms or the likes of Capita, Serco and G4S. They include organisations that qualify for membership of the Federation of Small Businesses, classified in the business size categories of micro (0-9 employees), small (10-49 employees) and medium (50-249 employees).
Then there is the issue of the patchy uptake of ISO27001 and other information security standards by large organisations that would already be expected to have some knowledge or experience of cyber security. Just like their smaller counterparts, and despite the risks that they run, many, it seems, have only a limited capability to implement the full range of controls necessary to achieve robust cyber protection. The Cyber Security Strategy talks about modelling best practice on cyber security in reference to Government's own ICT systems, in an effort to set strong standards among suppliers to government and ensure they "raise the bar".

2.4 So what is wrong with ISO27001 when setting higher standards?

ISO27001 is seen as too complicated and costly for smaller organisations and, judging by the level of uptake, is resisted by too many large organisations to be a realistic alternative to Cyber Essentials. The simple piece of evidence for this assumption is that there were only 1,923 accredited certificates issued to ISO27001 in the UK in 2013, from a total of 22,293 worldwide. However, at the start of 2014, there were 5.2 million businesses in the UK, with small firms accounting for 99.3 per cent of all private sector businesses.

ISO27001 has been around for 10 years and its predecessor, BS 7799, was published by BSI Group back in 1995. From a politician's viewpoint, this standard doesn't appear to be popular with the majority of organisations - certainly when compared to ISO 9001, with a respectable 44,985 certificates in the UK and 1,129,446 globally. Some would argue that ISO 9001 has been around a lot longer, hence the number of certificates issued to date is markedly higher than for ISO 27001. ISO 9000 was first published in 1987. It was based on the BS 5750 series of standards, once again from BSI, that were proposed to ISO in 1979.
Even so, if annual growth rates for ISO 27001 stick around the 14% mark, as was the case in 2013, it will be 20+ years before ISO 27001 achieves a third of the certificates issued to the ISO 9001 Standard on a global basis. Cyber criminals are not going to wait around while this process continues. As far as basic hygiene goes, I agree with the Government and GCHQ: businesses need a steer in terms of IT controls and penetration testing - and they need it now, before the damage done by cyber threats worsens.

With Cyber Essentials, any fears over certification costs are not justified. For example, the IASME Consortium is offering a self-assessment route to certification against the Cyber Essentials Scheme costing only £300 +VAT. The price is right for smaller organisations with limited budgets for cyber security - assuming they are serious about bidding for Government work. Of course, meeting the scheme's requirements may cost them a lot more. Then so would a data breach resulting from inadequate cyber security!

2.5 Does Cyber Essentials involve any form of Risk Assessment?

This is a question that I posed to BIS and GCHQ at the ISO27001 User Group in August this year. The short answer was "We're doing that bit for you". The slightly longer but no less controversial answer would appear to be:

"Risk management is the fundamental starting point for organisations to take action to protect their information. However, given the nature of the threat, Government believes that action should begin with a core set of security controls that all organisations – large and small – should implement. Cyber Essentials defines what these controls are." [From the Cyber Essentials Scheme, Summary, June 2014, Addressing the Threat, page 3]

So, no requirement for a risk assessment. However, is that good news?
Should we care that Government is stepping in to define what 'core security' should look like in your organisation (assuming that you do some business with Government and want to continue doing so in the future)? Moreover, is the 'cyber threat' serious enough to justify a Government Scheme?

Leaving aside the media hype, I would recommend that you read Sir Iain Lobban, then Director GCHQ, who contributed a thought-provoking article entitled "Countering the cyber threat to business" to the Spring 2013 edition of the Institute of Directors' Big Picture policy journal. Sir Iain outlines for a business audience, in non-technical terms, the nature and scale of the threat to businesses from cyberspace, why cyber security should be at the top of boards' agendas, and the role GCHQ is playing in helping to counter the threats. You can read the full article in the Spring 2013 back issue of Big Picture. Just follow the link on the IoD's website: http://www.iod.com/influencing/big-picture/big-picture-archive/big-picture-spring-2013

In my view, the Cyber Essentials Scheme is long overdue. It is only designed to be a voluntary undertaking for most organisations, unless they fall within the categories listed in Annex A of the Policy document (see above). Hence, it is unlikely to be taken as seriously as it should be by the Boards of the UK's smaller enterprises, many of whom assume that they are too small to attract the interest of professional cyber criminals. They miss the point that they can be a gateway to confidential data held on their clients' computer systems. In addition, a great deal of today's automated hacking software randomly identifies system vulnerabilities by attempting an intrusion via the Internet and then exploiting IT security weaknesses. The fact that few people have spotted your physical office address, or that your company website attracts low numbers of visitors, does not make you safe.
Rather, the opposite is generally true, because your sense of security is completely false; therefore your cyber risk assessment processes and mitigation measures are likely to be equally unrealistic when it comes to understanding the nature of the threats posed to data on your systems.

2.6 Why do we need Cyber Essentials if ISO27001 is an option?

In simple terms: not enough organisations are ISO 27001 certified, and, theoretically, the management system framework - however valuable - allows organisations to opt out of controls specified in Cyber Essentials. In practice, few if any organisations adopting ISO 27001 would be foolhardy enough to choose a control set that does not cover the fundamental technical issues relating to internet security in particular; however, that is a story for another day. Cyber Essentials is here to stay.

As stated, the UK Government clearly believes that ISO 27001 is simply too big and unwieldy a Standard for most organisations to invest in accredited certification. In my experience, the fear factor regarding ISO 27001 adoption, especially when it comes to the risk assessment aspect and the selection of suitable information security controls, is not justified when the right expert help is available. However, the basic technical control set defined in the Cyber Essentials Scheme does fill an important 'gap in the market', enabling organisations, particularly SMEs, to understand and properly address the most important technical aspects of cyber security protection. It also fits nicely into IASME's wider governance approach to information assurance for smaller organisations. About which, more later.

Even then, of course, small organisations under 50 employees (including single-employee businesses), and even some medium-sized organisations, may need to obtain further guidance and support to ensure the technical controls presented in these requirements can be implemented adequately.
2.7 What types of cyber threat does Cyber Essentials hope to combat?

Cyber Essentials focuses on basic cyber hygiene. The theory is: your organisation will be better protected from the most common cyber threats if you have a set of controls which, when properly implemented, comply with the scheme's requirements. These controls will provide organisations with protection from the most prevalent threats coming from the Internet; in particular, those resulting from malware and hacking strategies which require low levels of attacker skill and which are widely available online.

The Scheme has two progressive levels: "Cyber Essentials" is an independently validated self-assessment submission, whilst "Cyber Essentials Plus" additionally requires a comprehensive, independent technical assessment to validate that the selected security controls have been implemented effectively. Cyber Essentials is FREE to download and any organisation can use the guidance to implement the five essential security controls, but some may want or need to gain independent assurance that they have fully deployed the controls. Organisations that have been successfully independently assessed or tested through the scheme's assurance framework will attain a Cyber Essentials certification badge. This will help you demonstrate to customers, partners or clients that your company takes cyber security seriously - boosting reputations and providing a competitive selling point.

Therefore, to sum up this introduction to the Cyber Essentials Scheme: Cyber Essentials is relatively inexpensive compared to implementing ISO 27001:2013 and does have significant attractive features for SMEs. The most obvious is that not all of your competitors in a particular market sector will be certified Cyber Essentials compliant and displaying the distinctive badge. Those who do are saying that they are good at protecting client data, at least at a basic level, and can make that a selling point.
Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations in the UK can implement and potentially build upon. Government believes that implementing these measures can significantly reduce an organisation's vulnerability. However, it does not offer a silver bullet to remove all cyber security risk; for example, it is not designed to address the more advanced, targeted attacks, and hence organisations facing these threats will need to implement additional measures as part of their security strategy. What Cyber Essentials does do is define a focused set of controls that will provide cost-effective, basic cyber security for organisations of all sizes. As such, it has value.

3 Technical Requirements for Basic Protection from Cyber Attack

Standardised approaches to cyber security will be a feature of the IT world in 2015 and beyond. There is simply too much cybercrime activity on the internet that traces back to organised gangs and rogue Governments opposed to Western economic and geo-political dominance to ignore the problem; even if red tape and tick boxes are not what the 'deregulators' say they want. However, of course, by May 2015 we may be seeing an even tougher line emerging as UK politicians across the parties spot the potential in messages that reflect ordinary citizens' concerns about data leaks and phishing scams. Criminal gangs today are trading personal identities wholesale.

The pendulum in America is swinging in favour of standards frameworks. On December 5, 2014, the National Institute of Standards and Technology (NIST, part of the U.S. Commerce Department) issued an update to its Framework for Improving Critical Infrastructure Cybersecurity. Since then, the growing consensus among industry regulators and U.S.
lawyers is that the Framework is becoming the de facto standard for private sector cyber security [Source: 'CIOs Ignore the NIST Cybersecurity Framework at Their Own Peril', Wall Street Journal: CIO Journal, December 18, 2014].

Cyber Essentials will go part way to addressing the cyber threats tackled by the framework; but will the five technical Requirements of the UK scheme be sufficient to protect confidential data? Perhaps more importantly, if the UK Government rejects ISO27001:2013, shouldn't they be aiming higher than a low-cost Scheme designed only to address phishing attacks using malware infection and hacking attacks that exploit known vulnerabilities in Internet-connected servers and devices? The answer, I suggest, could well be a simple 'yes'. However, politically it is difficult (impossible?) to force the adoption of complex and often costly standards-based approaches in what is a fragile economic recovery phase. One suspects, though, that the U.S.A. and Europe will legislate by next decade to compel standardisation and compliance through certification. Watch this space!

Mandatory standardisation is what has happened in India. Under Sec 43A, the ITA (Information Technology Act) defines what "Sensitive Personal Information" is, and the "Reasonable Security Practice" that a company should follow to protect it. The current phrasing can easily be interpreted to make adopting ISO 27001 a matter of legal compliance. While sub-rule 2 does allow for use of an alternate ISMS that meets the requirements, 'reasonable' security practices involve the use of a standards framework.

The UK Data Protection Act says that: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
UK Law has yet to define exactly what the "appropriate" measures are, but one suspects that future EU Regulations will do this in a similar way to India's ITA, with reference to Standards. At the moment, the Data Protection Act, made law way back in 1998 (since which time a great deal has changed in terms of technology and culture), means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.

At this point, the observant among you will have spotted that the Cyber Essentials control themes fall far short of these DPA requirements as defined by the Information Commissioner. Therefore, we must recognise from the outset that, whatever value the Cyber Essentials Requirements bring to the party, the existing requirements of UK Law mean that organisations must address other information security requirements to comply with the Law.

So what will Cyber Essentials provide you with in terms of a control set? And is it worth relying on in place of a more comprehensive cyber security or information security standard like the NIST Framework or ISO 27001?

4 Cyber Essentials Controls: what they are, and what they're not!

Cyber Essentials might not stop a determined cyber-attack emanating from a rogue state, but it can help to prevent your organisation being a soft target when it comes to automated hacking tools and opportunists.
The Cyber Essentials Scheme is designed to assist every UK organisation in defending against "the most common forms of cyber-attack emanating from the internet using widely accessible tools which require little skill from the attackers". Firstly, specific types of attack are identified, and secondly the most basic technical controls an organisation needs to have in place are described.

OK. What are the basic technical measures that the Scheme promotes? The control themes set out in the Cyber Essentials Requirements document are relevant to organisations of all sizes. The "exposed technology" is familiar to us all: i.e. computers that are capable of connecting to the internet, including desktop PCs, laptops, tablets and smartphones, and internet-connected servers including email, web and application servers. The Government (almost certainly through evidence presented by the police and the secret work of GCHQ and other national defence agencies?) has developed a detailed knowledge of the basic but successful cyber-attacks against UK businesses and citizens, the large majority of which would have been mitigated by full implementation of the controls under the following selected categories.

4.1 'Control Themes' presented in the Cyber Essentials Requirements

To mitigate the threats identified in the Government's research, Cyber Essentials requires implementation of the following controls for basic technical cyber protection:

1. Boundary firewalls and internet gateways

Objectives

Information, applications and computers within the organisation's internal networks should be protected against unauthorised access and disclosure from the internet, using boundary firewalls, internet gateways or equivalent network devices.

One or more firewalls (or equivalent network device) should be installed on the boundary of the organisation's internal network(s). As a minimum:
1. The default administrative password for any firewall (or equivalent network device) should be changed to an alternative, strong password.
2. Each rule that allows network traffic to pass through the firewall (e.g. each service on a computer that is accessible through the boundary firewall) should be subject to approval by an authorised individual and documented (including an explanation of business need).
3. Unapproved services, or services that are typically vulnerable to attack (such as Server Message Block (SMB), NetBIOS, tftp, RPC, rlogin, rsh or rexec), should be disabled (blocked) at the boundary firewall by default.
4. Firewall rules that are no longer required (e.g. because a service is no longer required) should be removed or disabled in a timely manner.
5. The administrative interface used to manage boundary firewall configuration should not be accessible from the internet. In situations where the administrative interface needs to be accessible from the internet (e.g. because it is supported by a remote administrator or external service provider) the interface should be protected by additional security arrangements. This could include using a strong password, encrypting the connection (e.g. using SSL), restricting access to a limited number of authorised individuals, and only enabling the administrative interface for the period it is required.

Commentary: Basic stuff, sure, but necessary and often misunderstood. Firewalls are not always properly configured. Tools used by penetration testers can, and often do, find default passwords and common passwords that are an easy target for a dictionary attack. And just like operating systems and servers, if you don't keep your firewall regularly patched or filtered for the latest known vulnerabilities, or even configured to monitor for irregular patterns in traffic, then you've spent money (sometimes a lot of money) giving yourself and your organisation a false sense of security.
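As an added example (not code from the paper or from the scheme), the following Python script audits a firewall rule set against the five minimum requirements listed above and reports each gap under the requirement it breaches. The rule-set format, the sample rules and the 'firewall-admin' service label are constructed for this example; the port numbers are the standard assignments for the services named in requirement 3.

```python
"""Audit a boundary firewall rule set against the five minimum requirements of
Cyber Essentials Control 1. Added example: not code from the paper or from the
scheme. The rule format, the sample rules and the 'firewall-admin' service
label are constructed for illustration.

Rule format, one rule per line, comma-separated; '#' lines are comments:
  direction,proto,port,action,source,service,approved_by,justification,expires
'expires' is an ISO date after which the rule is no longer required ('' = none).
"""
from datetime import date

# Ports of the services requirement 3 names as typically vulnerable to attack
# and to be blocked at the boundary by default (standard IANA assignments).
VULNERABLE_SERVICES = {
    ("udp", 69): "tftp",
    ("tcp", 111): "RPC portmapper",
    ("udp", 111): "RPC portmapper",
    ("tcp", 135): "MS-RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB",
    ("tcp", 512): "rexec",
    ("tcp", 513): "rlogin",
    ("tcp", 514): "rsh",
}

FIELDS = ["direction", "proto", "port", "action", "source", "service",
          "approved_by", "justification", "expires"]


def parse_rules(text):
    """Parse the constructed rule format into a list of dicts (port as int)."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        values = [v.strip() for v in line.split(",")]
        if len(values) != len(FIELDS):
            raise ValueError(f"malformed rule: {line!r}")
        rule = dict(zip(FIELDS, values))
        rule["port"] = int(rule["port"])
        rules.append(rule)
    return rules


def audit(rules, admin_password_is_default, today=None):
    """Return (requirement number, message) findings; an empty list means no gaps found."""
    today = today or date.today()
    findings = []
    if admin_password_is_default:                          # requirement 1
        findings.append((1, "firewall still uses its default administrative password"))
    for r in rules:
        if r["action"] != "allow":
            continue                                       # only permit rules open exposure
        label = f"{r['direction']} {r['proto']}/{r['port']} from {r['source']} ({r['service']})"
        if not r["approved_by"] or not r["justification"]: # requirement 2
            findings.append((2, f"{label}: no documented approver or business need"))
        svc = VULNERABLE_SERVICES.get((r["proto"], r["port"]))
        if r["direction"] == "inbound" and svc:            # requirement 3
            findings.append((3, f"{label}: {svc} is permitted inbound at the boundary"))
        if r["expires"] and date.fromisoformat(r["expires"]) < today:  # requirement 4
            findings.append((4, f"{label}: no longer required since {r['expires']}, remove or disable"))
        if (r["direction"] == "inbound" and r["service"] == "firewall-admin"
                and r["source"] == "any"):                 # requirement 5
            findings.append((5, f"{label}: administrative interface reachable from the internet; "
                                "restrict the source or disable it when not in use"))
    return findings


# Constructed sample rule set, not a real organisation's configuration.
SAMPLE_RULES = """
# direction,proto,port,action,source,service,approved_by,justification,expires
inbound,tcp,443,allow,any,https-web,J. Smith,public website,
inbound,tcp,445,allow,any,smb,,,
inbound,tcp,22,allow,any,firewall-admin,J. Smith,remote support by MSP,
inbound,tcp,3389,allow,any,rdp-legacy,A. Jones,old terminal server,2014-06-30
inbound,udp,69,allow,203.0.113.10,tftp-boot,A. Jones,PXE boot of branch kiosks,
outbound,tcp,80,allow,any,web-browsing,J. Smith,staff internet access,
"""


def audit_sample():
    """Audit the sample as at the paper's issue date, with the default password unchanged."""
    return audit(parse_rules(SAMPLE_RULES), True, date(2015, 1, 29))


if __name__ == "__main__":
    for req, msg in audit_sample():
        print(f"Requirement {req}: {msg}")
```

The tftp rule is reported even though its source is restricted: requirement 3 says such services are blocked by default, so a permit rule for one should be an explicit, reviewed exception rather than pass silently.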
Patching is dealt with by Control 5: Patch Management - albeit in a general way that doesn't provide you with much of a checklist to work from. The problems with newer network technology like wireless networks and remote access devices, which can be used to circumvent network perimeter security devices like firewalls and IDS, are not specifically addressed here either; and as every IT manager worth their salt knows to their cost, the days of feeling at ease behind boundary firewalls are gone.

Control 1 is important, though, in ensuring that what protection firewalls can provide is properly configured. For example, that strong passwords (>8 characters, with numbers and symbols) are used and changed every 60 days, that traffic is monitored and controlled, and that those services which are '...more vulnerable to attack than others' are blocked at your office firewall, assuming there's no business case for permitting access.

4.2 Secure configuration and User access control

The second Cyber Essentials Requirement references 'secure configuration'. At this point, I am reminded of the CIS Security Configuration Benchmarks, which are distributed free of charge to propagate their worldwide use and adoption as user-originated, de facto standards. The CIS Benchmarks are described as "consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia". The Benchmarks are recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices. They are used by thousands of enterprises as the basis for security configuration policies and as the de facto standard for IT configuration best practices. Download here: https://benchmarks.cisecurity.org/about/

How does CES Requirement 2 compare with the CIS Benchmarks?
2. Secure configuration

Objectives

Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role.

Computers and network devices cannot be considered secure upon default installation. A standard, 'out-of-the-box' configuration can often include an administrative account with a predetermined, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications (or services). Default installations of computers and network devices can provide cyber attackers with a variety of opportunities to gain unauthorised access to an organisation's sensitive information, often with ease. By applying some simple security controls when installing computers and network devices (a technique typically referred to as system hardening), inherent weaknesses can be minimised, providing increased protection against commodity cyber attacks.

Basic technical cyber protection for secure configuration

Computers and network devices (including wireless access points) should be securely configured. As a minimum:

1. Unnecessary user accounts (e.g. Guest accounts and unnecessary administrative accounts) should be removed or disabled.
2. Any default password for a user account should be changed to an alternative, strong password.
3. Unnecessary software (including application, system utilities and network services) should be removed or disabled.
4. The auto-run feature should be disabled (to prevent software programs running automatically when removable storage media is connected to a computer or when network folders are accessed).
5. A personal firewall (or equivalent) should be enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default.
Commentary: For SME organisations employing <50 people, among the first things that I would definitely recommend checking are the default configurations of routers, including converged wireless routers with access points (AP) and often an Ethernet switch, which offer little security in their default setting. Wireless routers are very common in micro-businesses and home office set-ups in particular; hence I would have named these devices by saying: "Computers and network devices (including wireless routers/wireless access points) should be securely configured ..."

It is good practice to begin 'hardening' your configuration by ensuring that your router is secure, as this is one of the best initial lines of defence. Consult the user’s guide, which will direct you to a predefined URL or IP address where you can do the following:

- Configure the wireless network to use WPA2-AES encryption for data confidentiality.
- Change the default login username, if permitted (refer to the user’s guide), and password. (The default passwords are published in manufacturers’ publications and are readily accessible.)
- Conduct MAC address filtering (a form of whitelisting, or identifying wirelessly connected computers you trust).
- Change the default wireless SSID.

I would also have stressed that many wired networks base their security on physical access control, trusting all the users on the local network, but if wireless access points are connected to the network, anybody within range of the AP (which typically extends farther than the intended area) can attach to the network. Your security stance will be compromised if it is easy to attack your network using unencrypted wireless access points.

'Control' in management means setting standards, measuring actual performance and taking corrective action. Control is a continuous process.
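As an added example (not from the white paper), here is a small check of an exported router and workstation configuration against the Control 2 minimums and the router checklist above; the key=value export format, both sample configurations, the default-credential list and the 'unnecessary service' names are constructed for the example and do not describe any vendor's product.

```python
"""Added example (not from the white paper): check an exported router /
workstation configuration against Control 2 and the router checklist.
The export format, sample configs, default-credential list and the
'unnecessary service' names are constructed for this example."""

# Constructed export of a small-office wireless router as shipped.
SAMPLE_CONFIG = """\
wifi.ssid=HomeRouter-1234
wifi.security=WPA2
wifi.cipher=TKIP
wifi.mac_filter=off
admin.user=admin
admin.password=admin
accounts.guest=enabled
services.telnet=enabled
services.upnp=enabled
host.autorun=enabled
host.firewall.default=allow
"""

# The same device after working through the checklist.
HARDENED_CONFIG = """\
wifi.ssid=office-net-7k
wifi.security=WPA2
wifi.cipher=AES
wifi.mac_filter=on
admin.user=netadmin
admin.password=example-strong-passphrase-2015
accounts.guest=disabled
services.telnet=disabled
services.upnp=disabled
host.autorun=disabled
host.firewall.default=block
"""

# Constructed stand-ins for the published factory logins the commentary warns about.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}
DEFAULT_SSID_PREFIXES = ("HomeRouter-", "WLAN-", "default")   # constructed
UNNECESSARY_SERVICES = ("telnet", "upnp")  # treated as unnecessary for this office router


def parse_config(text):
    """Parse 'key=value' lines into a dict, ignoring blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_hardening(cfg):
    """Return the list of Control 2 / router-checklist items the config fails."""
    findings = []
    if cfg.get("wifi.security") != "WPA2" or cfg.get("wifi.cipher") != "AES":
        findings.append("wireless is not using WPA2-AES")
    if cfg.get("wifi.ssid", "").startswith(DEFAULT_SSID_PREFIXES):
        findings.append("default wireless SSID still in use")
    if (cfg.get("admin.user"), cfg.get("admin.password")) in DEFAULT_CREDENTIALS:
        findings.append("administrative login is still the factory default (item 2)")
    if cfg.get("wifi.mac_filter") != "on":
        findings.append("MAC address filtering is not enabled")
    if cfg.get("accounts.guest") == "enabled":
        findings.append("guest account is enabled (item 1)")
    for svc in UNNECESSARY_SERVICES:
        if cfg.get("services." + svc) == "enabled":
            findings.append("unnecessary network service enabled: %s (item 3)" % svc)
    if cfg.get("host.autorun") == "enabled":
        findings.append("auto-run is enabled (item 4)")
    if cfg.get("host.firewall.default") != "block":
        findings.append("personal firewall does not block unapproved connections by default (item 5)")
    return findings


if __name__ == "__main__":
    for name, text in (("as shipped", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_hardening(parse_config(text)))
```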
I would have added to the Cyber Essentials Requirements that you should remove unnecessary software and disable nonessential services, and modify unnecessary default features to eliminate opportunities for attack, on a continuous basis. Your system technology is constantly evolving and new software/software upgrades can introduce security vulnerabilities - see below. Only through system hardening measures can you hope to maintain an optimum level of protection when connected to the internet; and even then unmitigated vulnerabilities will be exploited by the hackers.

From the initial installation onwards, review the features that came enabled by default on your computer and disable or customise those you don't need or plan on using. As with nonessential services, be sure to research these features before disabling or modifying them. Recent operating systems are configured more securely by default and are preferred. However, all systems should be continuously hardened.

Besides the operating system, some user-installed applications provide network services to communicate with other devices. In many cases these services are required for the intended operation of the device, and are therefore permitted. However, some applications install gratuitous network services that are either not required or are configured to provide network access when only local access is required. Hence, it will not be enough to apply this requirement once a year or every 6 months and still be confident that you have these issues under control. Cyber security is not a steady state.

The next topic is access control. In computer security, general access control includes authorisation, authentication, access approval, and audit. Cyber Essentials Control 3, User access control, adopts elements of this definition in the Requirements, including a regular review of special access privileges. It stops short though of calling the process an 'audit'.

3. User access control

Objectives

User accounts, particularly those with special access privileges (e.g. administrative accounts), should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks.

User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When privileged accounts are compromised their level of access can be exploited, resulting in large scale corruption of information, affected business processes and unauthorised access to other computers across an organisation. To protect against misuse of special access privileges, the principle of least privilege should be applied to user accounts by limiting the privileges granted and restricting access.

Basic technical cyber protection for secure configuration

User accounts should be managed through robust access control. As a minimum:

1. All user account creation should be subject to a provisioning and approval process.
2. Special access privileges should be restricted to a limited number of authorised individuals.
3. Details about special access privileges (e.g. the individual and purpose) should be documented, kept in a secure location and reviewed on a regular basis (e.g. quarterly).
4. Administrative accounts should only be used to perform legitimate administrative activities, and should not be granted access to email or the internet.
5. Administrative accounts should be configured to require a password change on a regular basis (e.g. at least every 60 days).
6. Each user should authenticate using a unique username and strong password before being granted access to applications, computers and network devices.
7. User accounts and special access privileges should be removed or disabled when no longer required (e.g. when an individual changes role or leaves the organisation) or after a pre-defined period of inactivity (e.g. 3 months).

Commentary: The first step towards securing a small business network - or indeed any other kind of computer network - is to understand what vulnerabilities an attacker is likely to exploit. You put yourself in the position of an attacker. What is your primary task once you have 'infiltrated' (i.e. got into) a network? It is not really a brainteaser question: just ask yourself what you would do in the real world to gain access to valuable data assets. Your job the moment you are in the system is to initiate escalation of privileges, which is how an attacker attempts to gain more access from the established foothold that they have created. After an escalation of privileges has occurred, there is little left in the system's defences to stop an intruder from whatever intent that attacker has. Attackers employ many different mechanisms to achieve an escalation of privileges (too many for this post!), but primarily they involve compromising existing accounts, especially those with administrator equivalent privileges.

In most cases (>75% of the cases) the bad guys need only hours to compromise a system, whereas the good guys rarely get their job done in less than months (incredibly, only about 25% of breaches are detected in days or less). [Source: The 2014 Verizon DBIR Report: Time-to-Compromise vs. Time-to-Discovery]

After an attacker has compromised a network to the point where a critical account with high privileges is compromised, the entire network can never be considered as completely trustworthy again unless it is flattened and completely recreated. Therefore, the level of security for all manner of accounts is a very important aspect of any network security initiative. In the words of Microsoft Developer Network: "The matter of managing the security for all account types in a network is very important to managing risk for a midsize business network. Internal and external threats must be taken into account, and the solution to these threats must balance the need for security with the functionality a midsize business demands from their network resources."

As a small business grows, the number of all types of accounts increases, and so too does the number of exploitable vulnerabilities. However, this is often forgotten in the priorities set by management under the commercial pressure to expand.

Personally, I consider the control themes in this Requirement to be one of the most useful aspects of Cyber Essentials. Administrative accounts should only be used to perform legitimate administrative activities, and should not be granted access to email or the internet. SMEs and quite a few large organisations need to understand the cyber risks associated with administrative, service, application-related, and default accounts.

At this point it is worth remembering that the National Security Agency (NSA) is the font of information security wisdom for the US defence and intelligence communities. Yet, despite this obvious reason for taking cyber security seriously, NSA's network security was apparently so weak that a single administrator was able to hijack the credentials of a number of NSA employees with high-level security clearances and use them to download data from the agency's internal networks - so the problem really exists. The administrator referred to here was, allegedly, Edward Snowden! [Source: Sysadmin security fail: NSA finds Snowden hijacked officials’ logins, Ars Technica, Sean Gallagher - Aug 29 2013, 10:40pm GMTDT]. Perhaps it isn't just the smaller enterprises that need Cyber Essentials?

4.3 Malware protection and Patch management

Malware protection software is a necessary cyber security requirement. We all have knowledge of malware threats in one form or another and experience teaches us to be wary of certain links and email attachments.
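Before moving on to malware, here is an added example (not from the white paper) of the regular account review that Control 3 calls for, run over a constructed directory export; the record layout, the dates and the "(shared)" owner convention used to spot non-unique logins are assumptions of the example.

```python
"""Added example (not from the white paper): a quarterly review of user
accounts against the Control 3 minimums (items 1 and 3 to 7 above).
The account records are constructed sample data; in practice they would be
exported from the directory service. Item 2 is served by the set of
privileged individuals the review also returns."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ADMIN_PASSWORD_MAX_AGE = timedelta(days=60)  # item 5: change at least every 60 days
INACTIVITY_LIMIT = timedelta(days=90)        # item 7: e.g. 3 months of inactivity
REVIEW_INTERVAL = timedelta(days=90)         # item 3: e.g. quarterly review
SHARED = "(shared)"                          # convention: owner of a non-unique login


@dataclass
class Account:
    username: str
    owner: str                     # the individual the account is assigned to
    privileged: bool               # has special access privileges
    last_login: date
    password_changed: date
    approved: bool                 # went through provisioning/approval (item 1)
    purpose_documented: bool       # privilege purpose recorded (item 3)
    last_reviewed: Optional[date]  # last privilege review (item 3)
    mail_or_web_access: bool       # admin accounts should have neither (item 4)
    active: bool = True


def review_accounts(accounts, today):
    """Return ({username: [findings]}, {privileged individuals}) for active accounts."""
    findings, privileged_people = {}, set()
    for a in accounts:
        if not a.active:
            continue
        issues = []
        if not a.approved:
            issues.append("created without provisioning/approval (item 1)")
        if a.owner == SHARED:
            issues.append("shared login; each user needs a unique username (item 6)")
        if today - a.last_login > INACTIVITY_LIMIT:
            issues.append("inactive for more than 90 days; disable or remove (item 7)")
        if a.privileged:
            privileged_people.add(a.owner)
            if not a.purpose_documented:
                issues.append("special access privileges not documented (item 3)")
            if a.last_reviewed is None or today - a.last_reviewed > REVIEW_INTERVAL:
                issues.append("special access privileges not reviewed this quarter (item 3)")
            if a.mail_or_web_access:
                issues.append("administrative account can reach email/internet (item 4)")
            if today - a.password_changed > ADMIN_PASSWORD_MAX_AGE:
                issues.append("administrative password older than 60 days (item 5)")
        if issues:
            findings[a.username] = issues
    return findings, privileged_people


# Constructed sample directory export, reviewed on the white paper's issue date.
TODAY = date(2015, 1, 29)
SAMPLE_ACCOUNTS = [
    Account("jsmith", "J. Smith", False, TODAY - timedelta(days=5), TODAY - timedelta(days=200),
            True, False, None, True),
    Account("adm-jsmith", "J. Smith", True, TODAY - timedelta(days=2), TODAY - timedelta(days=75),
            True, True, TODAY - timedelta(days=30), False),
    Account("admin", SHARED, True, TODAY - timedelta(days=1), TODAY - timedelta(days=10),
            False, False, None, True),
    Account("contractor7", "Contractor 7", False, TODAY - timedelta(days=120), TODAY - timedelta(days=120),
            True, False, None, True),
    Account("old-svc", "Service", True, TODAY - timedelta(days=400), TODAY - timedelta(days=400),
            True, True, None, False, active=False),
]


def sample_review():
    return review_accounts(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    found, people = sample_review()
    for user, issues in found.items():
        print(user, "->", "; ".join(issues))
    print("individuals holding special access privileges:", sorted(people))
```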
Cyber Essentials starts with the assumption that computers connected to the internet are vulnerable to attack from malware and therefore malware protection is seen as a key feature of basic cyber hygiene requirements.

4. Malware protection

Objectives

Computers that are exposed to the internet should be protected against malware infection through the use of malware protection software.

Malware, such as computer viruses, worms and spyware, is software that has been written and distributed deliberately to perform unauthorised functions on one or more computers. Computers are often vulnerable to malicious software, particularly those that are exposed to the internet (e.g. desktop PCs, laptops and mobile devices, where available). When available, dedicated software is required that will monitor for, detect and disable malware. Computers can be infected with malware through various means, often involving a user who opens an affected email, browses a compromised website or opens an unknown file on removable storage media.

Basic technical cyber protection for malware

The organisation should implement robust malware protection on exposed computers. As a minimum:

1. Malware protection software should be installed on all computers that are connected to or capable of connecting to the internet.
2. Malware protection software (including program code and malware signature files) should be kept up-to-date (e.g. at least daily, either by configuring it to update automatically or through the use of centrally managed deployment).
3. Malware protection software should be configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when being accessed (via a web browser).
4. Malware protection software should be configured to perform regular scans of all files (e.g. daily).
5. Malware protection software should prevent connections to malicious websites on the internet (e.g. by using website blacklisting).

The scope of malware protection in this document covers desktop PCs, laptops and servers that have access to or are accessible from the internet. Other computers used in the organisation, while out of scope, are likely to need protection against malware, as will some forms of tablets and smartphones. Website blacklisting is a technique used to help prevent web browsers connecting to unauthorised websites. The blacklist effectively contains a list of malicious or suspicious websites that is checked each time the web browser attempts a connection.

Commentary: Cyber Essentials assumes that 'robust malware protection' will help to protect your system. That protection comes from 'malware protection software' (the Objectives section avoids the outdated term 'antivirus'). The aim of course is to protect against human nature and the inevitable introduction of commonly found types of malicious software to a system. There's no mention here of the highly sophisticated, targeted, zero-day and persistent advanced malware threats that products such as Advanced Malware Protection (AMP) for Networks are designed to counter - at a price few could afford.

Malware is commonly spread by people clicking on an email attachment or a link that launches the malware. Therefore, the best general advice to any organisation is: tell your staff about the risks before you get infected! Don’t open attachments or click on links unless you’re certain they’re safe, even if they come from a person you know. Some malware sends itself through an infected computer: while the email may appear to come from someone you know, it really came from a compromised computer. Relying purely on your malware protection software is not a good idea. You should take steps to raise staff awareness of the external threats, and what steps they can take as individuals to avoid malware infection.
Personally, I would like to have seen a reference to training employees in cyber security awareness and incident reporting rather than total reliance on software tools: both are important in reducing the risk of data breach. Likewise, there should be a 'health warning' about advanced persistent threats to dispel the notion that Cyber Essentials controls are effective against 100% of the malware attacks perpetrated by determined hackers. However, what Control 4 attempts to do is probably a realistic goal for 'essential security' given the limited aims of Cyber Essentials certification.

And so, finally, we arrive at the fifth and final Cyber Essentials Control:

5. Patch management

Objectives

Software running on computers and network devices should be kept up-to-date and have the latest security patches installed.

Any computer and network device that runs software can contain weaknesses or flaws, typically referred to as technical vulnerabilities. Vulnerabilities are common in many types of popular software, are frequently being discovered (e.g. daily), and once known can quickly be deliberately misused (exploited) by malicious individuals or groups to attack an organisation’s computers and networks. Vendors of software will typically try to provide fixes for identified vulnerabilities as soon as possible, in the form of software updates known as patches, and release them to their customers (sometimes using a formal release schedule such as weekly). To help avoid becoming a victim of cyber attacks that exploit software vulnerabilities, an organisation needs to manage patches and the update of software effectively.

Basic technical cyber protection for patch management

Software should be kept up-to-date. As a minimum:

1. Software running on computers and network devices that are connected to or capable of connecting to the internet should be licensed and supported (by the software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available.
2. Updates to software (including operating system software and firmware) running on computers and network devices that are connected to or capable of connecting to the internet should be installed in a timely manner (e.g. within 30 days of release or automatically when they become available from vendors).
3. Out-of-date software (i.e. software that is no longer supported) should be removed from computer and network devices that are connected to or capable of connecting to the internet.
4. All security patches for software running on computers and network devices that are connected to or capable of connecting to the internet should be installed in a timely manner (e.g. within 14 days of release or automatically when they become available from vendors).

Commentary: Reasonable steps in a sensible approach. I particularly like the reference to removal of out-of-date software. If you don't need it, get rid of it - fast! There's no point in leaving redundant, unpatched application software on a system to help the hacker in their job. De-cluttering improves security.

Defining time limits for applying software updates (within 30 days of release, or automatically when they become available from the vendor) and security patches (within 14 days, or automatically) for software running on computers or network devices is, I think, a useful security benchmark. Less helpfully, there are no specific remarks about patching and updating firewalls, IDS and NIDS (Network Intrusion Detection Systems), which often get a low priority relative to applying OS patches but are in constant need of attention and monitoring.
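An added example (not from the white paper) that applies the 30-day and 14-day limits above to a constructed software inventory and flags unsupported software for removal; the inventory layout, package names and release dates are assumptions of the example, not any vendor's real data.

```python
"""Added example (not from the white paper): check a software inventory
against the Control 5 time limits (14 days for security patches, 30 days
for other updates) and the requirement to remove unsupported software.
The inventory is constructed sample data; release dates would normally
come from the vendor's release notes and the asset register."""
from dataclasses import dataclass
from datetime import date, timedelta

SECURITY_PATCH_LIMIT = timedelta(days=14)  # item 4
UPDATE_LIMIT = timedelta(days=30)          # item 2


@dataclass
class Release:
    version: str
    released: date
    security: bool          # vendor flags it as a security patch


@dataclass
class Package:
    name: str
    internet_facing: bool   # in scope only if connected/capable of connecting
    supported: bool         # vendor still licenses/supports it (items 1, 3)
    missing: list           # vendor releases not yet installed on this host


def deadline(release):
    """Latest acceptable install date for a release under items 2 and 4."""
    limit = SECURITY_PATCH_LIMIT if release.security else UPDATE_LIMIT
    return release.released + limit


def assess(packages, today):
    """Return {package name: (status, detail)} for in-scope packages.

    status is one of REMOVE, OVERDUE, PENDING or OK."""
    report = {}
    for p in packages:
        if not p.internet_facing:
            continue
        if not p.supported:
            report[p.name] = ("REMOVE", "no longer supported by the vendor (item 3)")
            continue
        overdue = [r for r in p.missing if deadline(r) < today]
        if overdue:
            worst = min(overdue, key=deadline)
            kind = "security patch" if worst.security else "update"
            report[p.name] = ("OVERDUE", "%s %s was due by %s" % (kind, worst.version, deadline(worst)))
        elif p.missing:
            soonest = min(p.missing, key=deadline)
            report[p.name] = ("PENDING", "%s due by %s" % (soonest.version, deadline(soonest)))
        else:
            report[p.name] = ("OK", "up to date")
    return report


# Constructed inventory for one internet-connected office PC.
TODAY = date(2015, 1, 29)
SAMPLE_INVENTORY = [
    Package("os-kernel", True, True, [Release("5.2-sec", TODAY - timedelta(days=20), True)]),
    Package("office-suite", True, True, [Release("12.1", TODAY - timedelta(days=10), False)]),
    Package("pdf-reader", True, True, [Release("9.0.1", TODAY - timedelta(days=40), False),
                                       Release("9.0.2", TODAY - timedelta(days=3), True)]),
    Package("browser", True, True, []),
    Package("legacy-ftp", True, False, []),
    Package("lab-tool", False, True, [Release("2.0", TODAY - timedelta(days=90), True)]),
]


def sample_report():
    return assess(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for name, (status, detail) in sorted(sample_report().items()):
        print("%-13s %-8s %s" % (name, status, detail))
```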
The alternatives to doing this yourself or building a dedicated in-house team are: (a) outsourcing to a systems security or networking company experienced at dealing with installations and on-going configuration of devices on a daily basis; or (b) using cloud services from public cloud providers like Google Inc. and Amazon Inc. to host services and applications, thereby side-stepping the need for a complex, time-consuming and expensively-owned network architecture. But how then do you provide assurance that external service providers, especially for cloud services, comply with Cyber Essentials requirements?

5 How does Cyber Essentials deal with cloud service provision?

As the Cyber Essentials Scheme Assurance Framework document states: "Many organisations use cloud services or other externally provided IT services." Cloud services of course vary considerably. Cyber Essentials applies in different ways depending on whether the applicant retains responsibility for implementation of the relevant set of controls, or whether the cloud service provider has the responsibility. If externally provided IT services are included within the scope of a Cyber Essentials assessment, then:

- For Cyber Essentials, the organisation will need to attest that its service provider’s system delivering that service meets the Cyber Essentials requirements for which the service provider is responsible. Existing evidence (such as that provided through PCI certification of a cloud service and appropriately scoped ISO 27001 certifications) may be considered as part of this process.
- For Cyber Essentials Plus, the organisation will need to ensure that its service provider’s system delivering that service is tested as meeting the Cyber Essentials requirements for which the service provider is responsible.

[Source: Cyber Essentials: Assurance Framework, [PDF] June 2014, section on Cloud Services, p. 10].

5.1 Who will test cloud services for compliance with Cyber Essentials?
Penetration testers and ethical hackers are increasingly used to evaluate the security of cloud-based applications, services, and infrastructures. In my view, the popularity of penetration testing (“pen testing”) will increase as public cloud services change the world of physical server-based IT into a virtual one. The type of cloud will dictate though whether pen testing is possible. For the most part, Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) clouds will permit pen testing. However, Software as a Service (SaaS) providers are not likely to allow customers to pen test their applications and infrastructure - even if they are applying for Cyber Essentials - with the exception of third parties performing the cloud providers’ own pen tests for compliance or security.

Infrastructure as a Service (IaaS) providers (such as Amazon, Rackspace, or ElasticHosts) can offer your organisation use of their "bare metal" infrastructure to develop and deploy applications on any platform or OS (almost). They do not usually provide automatic OS updates, however. Even for Cloud users, Patch Tuesdays could remain part of the landscape!

6 Conclusions

These are the key messages that you should take away:

- Cyber Essentials is not a ‘kite mark’ or a standard, but the badge could still be of significant commercial value for companies doing business in the UK.
- It is called “Essentials” for a reason: do not expect the control set to be exhaustive compared to e.g. ISO / IEC 27001:2013. Think of it as following the “80/20 rule”.
- The scheme looks most suited to SMEs. The cost is not exorbitant and the time commitment is ‘do-able’. Larger organisations might look to ISO 27001 instead.
- Badging is for your company and its internal IT systems. The scheme is not very applicable to any form of IT or software-as-a-service (SaaS). Cloud service providers should look elsewhere (for example, the UK Government’s Cloud Service Security Principles).
- The decision not to include risk assessment in Cyber Essentials is a risk in itself.
- The advice is free and worth reading, especially if you augment it with other free resources such as the Security Configuration Benchmarks.
- When evaluating your network for vulnerabilities, don’t overlook the internet router / wireless access point as a primary point of attack.
- Training staff is as important as badging the organisation. Don’t overlook it!

Company Information

Registered Office: Cognidox Limited, St John’s Innovation Centre, Cowley Road, Cambridge CB4 0WS, UK. Registered in England and Wales No. 06506232. Email: [email protected]. Telephone: +44 (0) 1223 911080

Smart Document Management

CogniDox helps teams in Engineering, Marketing, Sales, Operations and other departments to capture, share and publish product and design documentation. This easy-to-use tool helps break down the barriers to finding information, sharing solutions and enjoying a faster, more productive development workflow inside your company. In addition, CogniDox helps you manage and publish documents and other content to licensed customers. It reduces technical support load and accelerates your customers' time to market. www.cognidox.com