The 5 Controls of Cyber Essentials – Secure Configuration

While this is a fairly easy concept to understand, ensuring compliance with this control means breaking down your network into its component parts and fine-tuning each part to be as secure as possible – a task that can seem daunting to the uninitiated.

 

Typically, factory-fresh software or hardware features default settings designed to enable maximum usability rather than maximum security. It’s common for devices to come with pre-installed software that you’ll never use, the default ‘admin’ password may be available online and you could encounter pre-configured user accounts featuring administrator-level permissions.

For Cyber Essentials compliance, you’ll have to rigorously replace such settings, and configure devices to ensure maximum security in a way that also considers your business’ needs.

 

Applying and maintaining secure settings requires you to be on your guard! You’ll have to regularly review system settings, be proactive when it comes to maintenance and make continuous changes to settings as your business develops. A poorly configured system can have disastrous consequences.

Managing permissions is important to avoid unauthorised access (by individuals within or outwith your organisation) to sensitive data, confidential information and system settings. Unauthorised access could result in data theft/loss, malware intrusion or deliberate or accidental changes to security settings which could present future opportunities for cybercriminals.

Patch management is vital to keep hackers at bay. Failure to deploy security fixes leaves software vulnerabilities exposed for longer, leading to an increased chance of a devastating cyber attack.

Upon gaining access to a network, carelessly configured security settings act as ‘open doors,’ giving intruders free-rein to inflict maximum damage. A hacker could exploit a weakly configured system by:

Gaining access to and stealing high-value data such as bank details or intellectual property.

Taking advantage of unnecessary functionality

Introducing malware via ‘plug and play’ devices, such as USB sticks.

Exploiting generous user privileges to set up a path of entry for future cyber attacks.

 

Make sure you’re using software that is vendor-supported. If you’re using old, unsupported programs that are no longer being maintained by the vendor in the form of updates, you could be leaving your business exposed to cyber-attacks, as hackers are always keen to exploit vulnerabilities in outdated software.

It can be helpful to create a policy document relating to the installation of security-related updates (patches). This document should include target timeframes for the deployment of new fixes, and stress the importance of minimising risk in situations where a vulnerability cannot be patched.

Creating an inventory of all the hardware and software components of your network is a good basis from which to begin configuring your network for maximum security. Consider recording details such as location, purpose, version and patch status to aid in system maintenance efforts.

Draw up a set of rules which set out how software programs should be set up to ensure maximum security. You might want to include a rule that requires unnecessary apps, services and functionality to be removed or disabled or one that mandates the use of multifactor authentication wherever it’s available. Use these rules as a basis for configuring all software programmes and make a note of any special cases where these rules cannot be enforced.

Vulnerability scanners are widely available tools that are useful for identifying weak points across networks, applications, devices as well as online services. Consider running such a scan regularly as part of your cybersecurity routine.

Consider disabling ports to discourage the use of removable media such as flash drives. Such devices are common vectors of transmission for malware, so restrict the use of them if you can.

Similarly, peripheral devices should be disconnected and driver software uninstalled when they are no longer required.

Create a list of secure, trusted applications that are required to perform business functions. Then use this list to identify the apps in your system that are either unnecessary or unauthorised and remove them accordingly.

You should also apply ‘execution controls’ to prevent the launching of software that isn’t on the approved list.

Extend administrative privileges to users on a ‘needed-to-perform-job-role’ basis. The vast majority of your team shouldn’t need such privileges anyway, so only assign such rights to members of your team responsible for your IT and perhaps a few senior management positions.

An admin account is an ultimate prize for the cybercriminal, so reduce the chances of such an account being hacked by limiting functionality to the bare essentials.

 

At 1-fix, we take a realistic approach to technology – ensuring our client’s systems are best protected.

If you have any concerns, questions or simply want to explore how to better secure your business, please do get in touch with the team for a FREE demonstration, consultation to explore how exposed your business might be and identify actions to take. If you have any questions, concerns or would like to discuss how we might help you with your regulatory challenges, we’d love to chat. Please click the banner below to book a call, or contact us straight away on 0118 926 0084 or by email to info@1-fix.com.

Thank you for reading.