I apologise now for the frequency, or lack, of updates on the blog. I never said it would be THAT frequent however…
My latest blog is more to help the average IT manager who may find themselves working in a business on a UK Government contract. The government wants to ensure that its supply chain lowers its risk by achieving a badge called Cyber Essentials. This accreditation is there to ensure that you can deal with at least 80% of the typical cyber threats most businesses will come across. Cyber Essentials doesn't deal with every threat eventuality and it doesn't go into risk management the way ISO 27001 does, but it does give you some decent guidelines to work to, and any business, big or small, should be working to these regardless of whether you want to achieve the accreditation.
Cyber Essentials has two flavours, Basic and Plus. The only difference with Plus is that you're physically audited against the things you declared in the Basic self-audit, and it also includes a penetration test.
The scheme covers the following:
- Secure Configuration
  - Building in controls and protection at the installation/roll-out stage
- Boundary Protection
  - Putting in protection at the point of entry/exit to the internet
- Access Control and Privilege Management
  - User account management, passwords and segregation of duties
- Patch Management
  - Keeping software updated and eliminating vulnerabilities
- Malware Protection
  - Stopping known viruses etc. from getting into the network
Do these and you're well on the way to protecting yourself from most nasties. Consider that it was a failing in patch management that allowed Wannacry to hit the NHS so badly. The following sections show the key points to consider under each heading:
Secure Configuration
- Identify all key business software
  - Make sure that you keep a register of all the key business software that you use to keep the operations ticking.
- Remove unwanted/unused software
  - Get rid of any crappy bloatware on laptops, desktops etc. that could be a potential source of vulnerabilities.
- Vulnerabilities are patched before roll-out
  - Don't roll anything out to live until you've run Windows Update and removed any vulnerabilities such as default usernames and passwords.
- Centralised logging
  - Run a centralised syslog tool so that logs live off the device and you can build alerting on issues.
  - It doesn't have to be expensive: Kiwi Syslog is a useful and cheap tool (https://www.kiwisyslog.com/kiwi-syslog-server).
- Backup and restore managed
  - Ensure you've identified all your key data and servers and know how to restore them quickly.
  - Test the restore!
  - Use VLANs to segregate production and backup networks from higher-risk office PCs.
  - I'll talk more about this later under vulnerabilities.
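The software register above is the one control in this section that is easy to automate. The following is an added example, not code from the original post: it reads the installed-software entries from the Windows uninstall registry keys, writes a per-machine CSV register, and lists anything that is not on an approved list so it can be removed or signed off. The output folder C:\Reports and the approved-software names are assumptions made up for the example.

```powershell
# Added example: build a software register from the uninstall registry keys.
# Assumes 64-bit Windows and a writable C:\Reports folder (both assumptions).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$register = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |            # skip entries with no product name
    Select-Object @{n='Computer'; e={ $env:COMPUTERNAME }},
                  DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique

$outFile = "C:\Reports\software-register-$env:COMPUTERNAME.csv"
$register | Export-Csv -Path $outFile -NoTypeInformation

# Constructed sample approved list; replace with the products your business actually needs.
$approved = @('Microsoft Office', '7-Zip', 'Google Chrome')

# Anything not matching an approved name is a candidate for removal (bloatware, trials, old tools).
$unapproved = $register | Where-Object {
    $name = $_.DisplayName
    -not ($approved | Where-Object { $name -like "$_*" })
}
$unapproved | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
```

Run it on each build before it goes live, or wrap it in Invoke-Command against a list of machines to collect registers centrally; the CSVs give you the register the scheme asks for and a diff between runs shows what has crept on since.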
Boundary Protection
- Firewall in place at every point of exit/entry from the internet
  - Makes sense. Does anyone not use a firewall?
- Firewall configuration is reviewed and open ports signed off
  - Get the config double-checked by another pair of eyes so you don't inadvertently introduce vulnerabilities.
- Change control in place
  - Make sure that you have a process that prevents anyone making off-the-bat changes to configuration.
- Default users and passwords changed
  - Default user and password is Admin/Admin? Hello bad guy, I've just made it easy for you.
- Access to the firewall controlled (suggest by IP) and a user access control list
  - Prevent network access by only allowing authorised devices or IPs and, if possible, only from the internal network and not from outside.
- Anti-spam and internet web filter in place
  - The internet is where the bad stuff comes from. Slow it down with a web filter and stop email viruses coming through with a spam filter.
Access Control and Privilege Management
- Requirement for staff checks and security training
  - This isn't just an IT thing: your HR department needs to do some basic checks to ensure we're not hiring bad guys, but also someone needs to train the users not to click on dodgy links in emails. That's best coming from IT, as they'll feel the pain when it happens.
- Manage user accounts and in particular have a starter and leaver process to ensure correct permissions are applied and terminated users are deleted
  - Make sure your helpdesk gets notified when someone leaves or has a change of role. What happens to the guy in payroll who moved jobs to the warehouse but can still gain access to his pay?
  - Audit Active Directory and check for people that haven't logged on for a while.
  - There are some really useful, inexpensive tools on CJWDEV for Active Directory.
  - Run an AD report against the HR employee directory and make sure it matches.
- You know who has Admin access
  - Anyone with Admin access has the potential to do a lot of damage. Make sure you know who that is, including those with local Admin access.
- Elevated-privilege staff (i.e. IT administrators) must have separate accounts for Admin work and day-to-day work
  - The IT department has the biggest potential to really screw things up in the network. Use separate accounts so that if you have to do something that requires Admin access it's more than a one-step click to having a bad day. A pain in the arse for the average Admin, but it's a requirement and it's a sensible one.
- No local administrators by default
  - Again, as above, if you need admin access then have a separate Admin account.
- Strong, complex passwords
  - Password = Pa55word or, even worse, password1? Hello hacker.
- No default passwords on any devices on the network
  - As above in boundary protection, anything on the network that has an admin logon needs to have its Admin credentials changed before it goes live.
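The AD audit and the HR reconciliation above, plus the "you know who has Admin access" point, can all come out of one script. This is an added example, not code from the original post or from CJWDEV: it lists enabled accounts that have not logged on for a set period, compares AD against an HR export, and enumerates the privileged groups with nested membership expanded. It assumes the RSAT ActiveDirectory module is installed and that HR can give you a CSV with a SamAccountName column; the 90-day threshold, the file paths and the column name are assumptions made up for the example.

```powershell
# Added example: Active Directory hygiene report for the access-control checks.
# Assumes the ActiveDirectory module and an HR export at C:\Reports\hr-staff.csv
# containing a SamAccountName column (path and column are assumptions).
Import-Module ActiveDirectory

$staleDays = 90                                   # assumption: review anyone not seen for 90 days
$cutoff    = (Get-Date).AddDays(-$staleDays)

# 1. Enabled accounts that have not logged on since the cutoff, or never logged on
#    and were created before the cutoff (forgotten starters are just as risky as leavers).
$users = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated
$stale = $users | Where-Object {
    ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $cutoff) -or
    ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff)
}

# 2. Reconcile AD against HR: enabled accounts with no matching employee are leavers
#    or role changes the helpdesk was never told about.
$hr      = Import-Csv -Path 'C:\Reports\hr-staff.csv'
$notInHr = Compare-Object -ReferenceObject @($hr.SamAccountName) `
                          -DifferenceObject @($users.SamAccountName) |
           Where-Object SideIndicator -eq '=>' |            # present in AD only
           Select-Object -ExpandProperty InputObject

# 3. Who holds domain-level admin rights, with nested group membership expanded.
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$admins = foreach ($g in $adminGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object @{n='Group'; e={ $g }}, SamAccountName, Name
}

# Write the detail out for the review and print a one-line summary.
$stale   | Select-Object SamAccountName, LastLogonDate, whenCreated |
           Export-Csv -Path 'C:\Reports\stale-accounts.csv' -NoTypeInformation
$notInHr | Set-Content -Path 'C:\Reports\ad-not-in-hr.txt'
$admins  | Export-Csv -Path 'C:\Reports\privileged-accounts.csv' -NoTypeInformation

[pscustomobject]@{
    StaleAccounts      = @($stale).Count
    AccountsNotInHR    = @($notInHr).Count
    PrivilegedAccounts = @($admins | Select-Object -ExpandProperty SamAccountName -Unique).Count
}
```

Local administrators are not in AD, so to cover the "including those with local Admin access" point run `Get-LocalGroupMember -Group Administrators` on each workstation via Invoke-Command and append the result to the privileged-accounts file. Any account in that file that also appears in the stale or not-in-HR lists is the first thing to fix.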
Patch Management
- Use a vulnerability scanner
  - Nessus is an inexpensive but valuable tool. It has a friendly interface and also provides guidance on how to fix each vulnerability. It scans for missing patches, misconfiguration and default usernames and passwords (https://www.tenable.com/products/nessus-vulnerability-scanner).
  - Patch at least all Critical and High vulnerabilities. It'll tell you there's a critical Windows patch, so run the patch so you don't get caught out like the NHS did with Wannacry.
- Non-patchable equipment is on the risk register
  - You've identified the ones you can't patch for various reasons, so at least keep tabs on them, try to reduce the risk and tell your boss you need investment.
- Ensure every Windows device receives and applies updates
- Regularly patch all network equipment (Cisco, etc.)
- Segregate end-of-life software such as Windows XP and prevent access to and from the internet
  - You're running machinery that you can't patch any more, so it's a high risk. Don't make it easy by allowing access to the internet or email on the device.
  - Use VLANs to segregate stuff that can access the internet from stuff that is at higher risk from nasties on the internet.
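A scanner will tell you what is missing across the estate; the check below is a cheap, scanner-free way to prove on a single box that "every Windows device receives and applies updates" and to see how much Critical/Important work is outstanding. It is an added example, not code from the original post or from Tenable: it asks the Windows Update Agent COM API for updates that are applicable but not installed and groups them by Microsoft's severity rating. It assumes the machine can reach its update source (WSUS or Microsoft Update).

```powershell
# Added example: list applicable-but-not-installed Windows updates by severity.
# Uses the Windows Update Agent COM API; assumes the host can reach WSUS or Microsoft Update.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
    }
}

# Summary: how many updates sit at each severity.
$pending | Group-Object Severity | Sort-Object Name | Select-Object Name, Count

# Anything Critical or Important still outstanding is a finding against the patch control.
$urgent = @($pending | Where-Object { $_.Severity -in 'Critical', 'Important' })
if ($urgent.Count -gt 0) {
    Write-Warning "$($urgent.Count) Critical/Important updates outstanding on $env:COMPUTERNAME"
    $urgent | Format-Table KB, Severity, Title -AutoSize
}
```

Run it as a scheduled task that writes the summary to your central log server and you get a daily "who is behind on patching" view without waiting for the next scan; machines that never report are the ones to look at first, because they are usually the unmanaged or end-of-life boxes that belong on the risk register.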
Malware Protection
- Use anti-spam, web filter and anti-virus software
  - Every device must have anti-virus installed
  - This includes mobile devices, and especially Android
  - It must have regular automatic updates
  - Register those that can't have anti-malware software installed and segregate them from the internet
  - Most servers should not browse the internet, and especially not if they don't run anti-virus!
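"Every device must have anti-virus" and "must have regular automatic updates" are only true if someone checks. The following is an added example, not code from the original post: it reads the Microsoft Defender status on a Windows host and reports whether the engine is on, real-time protection is on, signatures are fresh and a scan has run recently. It assumes Defender is the product in use (the Get-Mp* cmdlets); a third-party product needs the equivalent check from its own console. The three-day signature and seven-day scan thresholds are assumptions made up for the example.

```powershell
# Added example: Defender health check for the anti-virus control.
# Assumes Microsoft Defender; thresholds below are assumptions, tune them to your policy.
$maxSignatureAgeDays = 3
$maxScanAgeDays      = 7

$status = Get-MpComputerStatus
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

$findings = @()
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection off' }
if ($sigAge.TotalDays -gt $maxSignatureAgeDays) {
    $findings += "Signatures are $([int]$sigAge.TotalDays) days old"
}
if ($status.QuickScanAge -gt $maxScanAgeDays) {
    $findings += "No quick scan for $($status.QuickScanAge) days"
}

# One row per machine; Compliant is false if any finding was raised.
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Compliant    = ($findings.Count -eq 0)
    SignatureAge = [int]$sigAge.TotalDays
    Findings     = ($findings -join '; ')
}
```

Run it across the estate with Invoke-Command against a machine list and export the rows to CSV; every non-compliant row is either a device to fix or one to add to the register of devices that can't run anti-malware and must be segregated from the internet.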
And that's it. None of this is rocket science, but there are a lot of large businesses that don't do this and, likewise, a lot of SMEs that don't have structured IT departments and therefore don't necessarily apply this type of thinking.
All viruses exploit vulnerabilities, so do your best to make it hard for the virus writers.