Defence

It’s “only” essential but it can be bloody difficult!

mRr3b00t

Cyber Essentials Areas

Cyber Essentials is a minimum baseline standard for ensuring foundational cyber security considerations and controls are in place. It’s a good starting point, but by no means should it be “THE GOAL”, and just because it has “Essentials” in its name, don’t think it’s easy to comply with. Whilst the standard’s requirements aren’t outlandish in the main, the reality of having the technical capability to discover, audit and remediate security configurations in organisations is often nowhere near as simple as someone may tell you. The news here is that the standard has been extended to include some wider areas.

Useful resources

About Cyber Essentials – NCSC.GOV.UK

Questions | Readiness (iasme.co.uk)

Cyber-Essentials-Requirements-for-Infrastructure-v3-0-January-2022.pdf (ncsc.gov.uk)

Cyber-Essentials-Requirements-for-IT-infrastructure-3-0.pdf (ncsc.gov.uk)

Cyber Essentials Areas

  1. Your Organisation
  2. Scope of Assessment
  3. Boundary firewalls and internet gateways
  4. Secure configuration
  5. Device Locking
  6. Security update management
  7. Password-Based Authentication
  8. Malware protection

This essentially is context + 5 technical controls (I count 6 but whatever!)

Key Areas of Consideration with the latest requirements

  • Cloud
  • Bring Your Own Device (BYOD)
  • Home Working Environments/Remote Workers
  • Thin Clients
  • MFA requirement expansion
  • And more (read the NCSC guidance!)

New Changes New Challenges

With the expansion and extension of scope to include areas such as cloud services and BYO, when we start to delve into the reality in many organisations/networks we can quickly highlight a range of discovery challenges.

IT Discovery and Security Posture Discovery Challenges

To audit an environment, you will need to either act as a “project manager” and rely on subject matter expertise or you will need a level of technical capability which covers:

  • Device Management and Configuration
  • Firewall Management and Configuration
  • Network Management and Configuration
  • Antivirus Management and Configuration
  • Cloud Services Auditing

You will likely need/want to have exposure and experience of:

  • Security Auditing
  • Configuration Baseline Auditing
  • Vulnerability Assessment and Management
  • Policy Reviews
  • Contract Reviews
  • Supplier Management/Assurance

Device Security Configuration

With the right toolsets deployed into an environment this challenge becomes far simpler. For example, if an organisation has Microsoft Intune and Microsoft Defender for Endpoint (MDE) P2 and all the devices are managed (corporate devices and Bring Your Own), the world of understanding device security is much simpler. However, without it, it’s quite bloody complex (depending on the size of the environment in scope).

Cloud Services

Reviewing cloud services is easy to say; in practice it might be significantly more work than you may think. If you use Infrastructure as a Service, the guest/tenant workloads are in scope. This may be a mixture of having to understand cloud configurations, networking, server platforms and applications.

Think about how many cloud services are in use by your organisation; it might be a lot more than you think. I’ve just jotted down a few services which a small organisation may use:

  • Office 365
  • Azure
  • Web Provider
  • Adobe Cloud
  • Google Cloud
  • Zoom
  • Canva
  • WebEx
  • Xero/QuickBooks/Sage
  • Amazon AWS
  • Facebook
  • Twitter
  • Instagram
  • LinkedIn
  • Replicon
  • LogMeIn
  • AnyDesk
  • TeamViewer
  • Spotify
  • Netflix
  • Amazon
  • YouTube

It’s possible your organisation uses far more! There’s also an interesting question: how do you determine if a cloud service is “organisationally” used or if it’s a personal cloud service being used?

Bring Your Own

A fun challenge with BYO is that unless you have “Managed BYO” devices, being able to audit whether the devices meet the standard may present some very interesting challenges. I did a Twitter thread on this the other day.

Home Networks

Home networks may also present significant challenges to audit, let alone ensure compliance is met.

A Step-by-Step Example Plan

Now this is quite high level, but it at least gives you an idea of the types of activity you may need to conduct.

Task | Effort (days) – example | Action Owner
---- | ----------------------- | ------------
Identify and Agree Scope | |
Self-Assessment Round 1 | |
Discovery Scope Assets and Services | |
Audit Network | |
Audit PC Devices | |
Audit Mobile Devices | |
Identify Cloud Services | |
Audit Internet Facing Surface | |
Identify Gaps | |
Remediate Network | |
Remediate PC Devices | |
Remediate Mobile Devices | |
Remediate Cloud Services | |
Remediate Internet Facing Surface | |
Re-Audit | |
Schedule Assessment | |
Self-Assessment Round 2 | |
Third Party Audit | |
Pass/Fail | |
Remediate | |
Estimate Days | |
Estimate Months | |

As you can see here, I’ve put in a starting point where I suggest completing a self-assessment (ROUND 1) and then re-conducting this exercise again (ROUND 2). This is to give you familiarity with the standard from the outset (it’s easier to learn by trying to apply it than by just reading all the things!) and it lets you see the variance between the pre-audit and post-audit position. You will likely find in some cases significant variance (just a heads up!)

Summary

You can fill in the Excel sheet within a day and “self-assess” based on assumptions. If you actually audit and collect evidence and want to assure your organisation is in compliance, or if you are aiming for Cyber Essentials Plus, then the level of effort required for Cyber Essentials is likely significantly more than people may expect. In my experience this has been the case; I’ve worked with Cyber Essentials for quite a few years now (I vaguely recall being at a pre-CE event in 2013 in London), so hopefully my experience isn’t just an outlier. I’ve been reviewing environments for over 15 years (we don’t count further than that now because I start to run out of fingers and toes!), so hopefully my assessment of things provides some valid and useful food for thought. Cyber Essentials might cover foundational elements, but just getting a report on whether you meet the standard across an enterprise isn’t a simple task unless you have very specific capabilities. After all, someone has reviewed every host-based firewall configuration and determined that the “Xbox” egress firewall rule on Windows Pro has an approved business case, right? Or that SMB ingress on the LAN between every device has a business case? What about ensuring you have restricted risky ingress and egress on the perimeter firewall? Can you connect to internet services on TCP 445? Is RDP exposed? Have you changed the default password on every device? (If you haven’t tested every device, how would you know!)
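As an added example (not code from the original post), here is a read-only PowerShell audit of the host-based firewall questions just raised: SMB and RDP ingress allow rules, the Xbox egress rules, and whether outbound TCP 445 reaches the internet. The egress test hostname is a placeholder I made up; point it at a host you are authorised to test.

```powershell
# Added example, not code from the original post: read-only audit of the
# Windows host-based firewall for the Cyber Essentials questions above.
# Run in an elevated session on Windows 10/11. $EgressTestHost is a
# constructed placeholder; replace it with a host you are authorised to test.
$EgressTestHost = 'egress-test.example.invalid'

# Enabled Allow rules in a direction whose TCP port filter covers $Port (or Any).
function Get-EnabledAllowRulesForPort {
    param([ValidateSet('Inbound','Outbound')][string]$Direction, [string]$Port)
    Get-NetFirewallRule -Enabled True -Direction $Direction -Action Allow |
        Where-Object {
            $f = $_ | Get-NetFirewallPortFilter
            ($f.Protocol -eq 'TCP') -and
            ((@($f.LocalPort) -contains $Port) -or (@($f.LocalPort) -contains 'Any'))
        } | Select-Object DisplayName, Profile, Direction
}

# 1. Firewall state per profile: each should be enabled and not default to Allow inbound.
$profileState = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Ingress you must be able to justify: SMB (445) and RDP (3389).
$smbIngress = Get-EnabledAllowRulesForPort -Direction Inbound -Port '445'
$rdpIngress = Get-EnabledAllowRulesForPort -Direction Inbound -Port '3389'

# 3. Egress rules that need a business case, e.g. the built-in Xbox rules.
$xboxEgress = Get-NetFirewallRule -Enabled True -Direction Outbound -Action Allow |
    Where-Object DisplayName -like '*Xbox*' | Select-Object DisplayName, Profile

# 4. Can this host reach the internet on TCP 445? It should not be able to.
$tnc = Test-NetConnection -ComputerName $EgressTestHost -Port 445 -WarningAction SilentlyContinue
$smbEgressReachable = [bool]$tnc.TcpTestSucceeded

# One object per finding so the result can be kept as evidence (e.g. Export-Csv).
$findings = @(
    [pscustomobject]@{ Check = 'Profiles disabled or inbound default Allow'
        Count = @($profileState | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' }).Count }
    [pscustomobject]@{ Check = 'Enabled inbound TCP 445 allow rules';  Count = @($smbIngress).Count }
    [pscustomobject]@{ Check = 'Enabled inbound TCP 3389 allow rules'; Count = @($rdpIngress).Count }
    [pscustomobject]@{ Check = 'Enabled outbound Xbox allow rules';    Count = @($xboxEgress).Count }
    [pscustomobject]@{ Check = 'Outbound TCP 445 to internet reachable'; Count = [int]$smbEgressReachable }
)
$profileState | Format-Table -AutoSize
$findings | Format-Table -AutoSize
# Any non-zero Count is a configuration you must either evidence a business case for or remediate.
```

Running this on every in-scope device (for example via Intune or a scheduled task that exports the findings) is what turns “thinking” the firewalls are fine into “knowing”.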

There is a big difference between “thinking” and “knowing” in the cyber world. I’ll leave you with the XKCD link; this sums up the world nicely 😉

https://www.explainxkcd.com/wiki/index.php/1339:_When_You_Assume

Hopefully this blog is useful. Your Cyber E journey might be simple, but it might also be far more complex than you realise. Try thinking about CE across 6000-staff networks that aren’t “all green”; the essentials become quite bloody hard to do sometimes!