I thought about doing a step by step bash script or CLI walkthrough but decided to go with the high levels steps. If we wanted to ensure our Linux servers are configured in alignment with Cyber Essentials what are the main areas we need to consider? For this I’m using Ubuntu Server as a base, I’ve not gone through every line in the standard but these should be in line with the 5 areas and fit within the Cyber Essentials theme. As always there are many ways to skin a cat! (don’t skin cats they are frens!). Anyway hope this is useful.Read more “Cyber Essentials for Ubuntu Servers”
When it comes to digital technology, we have to consider many things.
Availability, Confidentiality, and Integrity are good building blocks for considerations. We can probably split this into two major views to start with:
- What does a typical consumer care about?
- What security and privacy considerations could be made?
A typical consumer may be about:
- WIFI Coverage
- Ease of Use
- Ease of Support/Troubleshooting
- What happens if it breaks?
- Can I stop my kids messing with it? (Probably not so why bother)
Measuring Compliance with standards is easy right?
Checking an environment configuration is one of those things where it’s easy to say and harder to do. If we take the cyber essentials standard and look at the requirements, they are quite different from say the CIS baselines. This alone makes for some fun, let’s investigate this further:
CIS baselines are based on a specific component e.g., Windows Server or Windows client and is contextually aware of roles: e.g., Domain Controller vs Member Server.
Is this registry key set?Read more “Measuring Cyber Essentials: Windows Security Configuration”
So, you have a driver to achieve cyber essentials, great stuff. Now if you are a business of reasonable size and scale this activity requires a bit of planning, context and lots of access and data. This could be via a distributed team or via a dedicated project team. In this post I’m going to look at what you may need to conduct the planning, discovery, assessment, and certification for Cyber Essentials and/or CE+.Read more “Cyber Essentials Readiness”
It’s “only” essential but it can be bloody difficult!mRr3b00t
Cyber Essentials Areas
Cyber Essentials is a minimum baseline standard for ensuring foundational cyber security considerations and controls are in place. It’s a good starting point, but by no means should it be “THE GOAL” and just because it has “Essentials” in its name, don’t think it’s easy to comply with. Whilst the standard isn’t outlandish with its requirements in the main, the reality between technical capabilities and being able to discover, audit and remediate security configurations in organisations is often nowhere near as simple as someone may tell you. The news here is that the standard has been extended to include some wider areas.Read more “The Challenges of Cyber Essentials Audit and Compliance Activities”