How to Pass Cyber Essentials - Part 3
Welcome to the third installment in the “How to Pass Cyber Essentials” series. In this post I am looking at one of the most important, and often the hardest to pass section of the questionnaire. Secure Configuration.
This section contains 18 questions and this is the most commonly failed section. So, lets take a look at the questions and get my view on them.
Question 9 - Unnecessary user accounts *
This should be really simple to answer “Yes always” to. If you do the following, then you are good:
Disable user accounts when users leave, go on long term sick, go on maternity/paternity leave or are otherwise not going to log in for the next 30 days.
Delete/remove user accounts that have been disabled for 90 days and the user is not coming back. For example, a leaver.
Delete any default accounts, or change their passwords
If you do these, then you can certainly answer “Yes always”.
Question 10 - Change default passwords *
We saw a very similar question in the Firewalls section. Basically you need to change any default passwords to something that meets your password policy.
Question 11 - Are passwords for users and administrators strong? *
If your passwords are 12 or more characters long and the strength of the password is technically enforced then you are good. For example, if you use Microsoft Active Directory and you set your password scheme to be 12 or more characters then you are good here. You can do the same within Office 365 and with Salesforce.
Passwords less than 12 characters long are not considered to be strong, as they can be broken in a matter of hours using modern password breaking techniques.
Question 12 - Has auto-run been disabled?
This should be easy for any competent IT support company to sort out for you.
Question 13 - Has unnecessary software been removed?
This used to be easy to comply with and answer “Yes always” to. But if you are using consumer versions of Windows 10 then removing all the faff that Microsoft likes to force on you is tough. If you can uninstall anything that is not required from your workstations, then it really helps your security by lowering the potential attack surface.
Question 14 - Does any installed software have management permission
Really what I am looking for here is that there is a register of software that is installed on workstations and that it has been reviewed and approved by management.
Question 15 - Is the personal firewall enabled *
I see a lot of No’s being answered to this question and when I look further they have endpoint protection and anti-virus installed. While you can use the native personal firewall on your chosen operating system, the chances are your end-point protection software has a firewall built into it. So do check.
Question 16 - Are workstations hardened *
I am looking for consistency across all of the workstation builds and a level of hardening of them. You can download hardening guides from CIS, and these are about the best you will get. Avoid the NCSC and CESG guides as these do not make it simple for average users.
More information on hardening can be found here: https://www.cisecurity.org/benchmark/microsoft_windows_desktop/
Question 17 - Active Directory *
This question is really looking to identify if you have any controls in place to manage systems and deploy patches and system hardening updates. So if you are using tools such as:
Red Hat Satellite
Windows Admin Center
Or anything similar then you can answer “Yes Always” to this question.
Question 18 - Proxy Servers *
This is probably one of my favorite questions. I see a lot of “Never” being answered to this and then when I look closer at the endpoint controls it becomes “Yes Always”. The answer is obviously “Yes Always” if your organisation uses a proxy server to filter web traffic. Solutions such as Squid, Barracuda and many of the Next Generation firewalls are proxy servers.
But so too is Trend Micros endpoint protect. And Symantec. The key is understand what your endpoint solution is doing. If the endpoint protection can restrict internet browsing and block sites then chances are you can answer Yes to this question.
Question 19 - Offline Backups *
What I am looking for here is that you have a way of storing your backups in a manner that would prevent a piece of malware from overwriting the backup with an encrypted version or a malicious user simply deleting them. There are many ways to do this, some are truly offline, others are now. Here are some of the ways I have seen, along with some of my ways, to answer “Yes always” to this question:
Time Access Backup. The backup is written to a location that is only connected to the network at a particular time.
Write Up Permission. This is very old school, but the only permission on the file share is to write a file to it. Overwrite, Modify and Delete are all forbidden.
Pull Only Backup. The backup is created on each machine by a scheduled job. The storage server then pulls the backup to the store. (This is how we backup at Hedgehog.)
Question 20 - Log Retention
Here I am looking for a policy on log retention. If you have a written policy then this is “Yes Always”. If you need a template version of a corporate log retention policy then one is available with our Cyber Essentials Policy Pack.
Question 21 - Retention of Log Files for Workstations and Servers
For the vast majority of organizations using modern operating systems going through Cyber Essentials, this should be Yes Always. Unless the workstation and server log file retention settings have been edited and changed, then the logs should be retained for at least 30 days, probably retained until they are overwritten due to disk space constraints.
Question 22 - Log files for relevant applications
For the vast majority of organisations using modern server and network application systems going through Cyber Essentials, this should be Yes Always. Unless the appliance/server log file retention settings have been edited and changed, then the logs should be retained for at least 30 days, probably retained until they are overwritten due to disk space constraints. It is, however, a good idea to have the logs copied to a separate log server. You do not need anything special here, just a separate Linux box listening for syslog data. If you need more information on how to do this, then check out our Tools/Remediation Guides for the article on building a separate log archive server.
Question 23 - Internet Access Logs *
This question is quite hard to answer “Yes always” to unless you have a dedicated web proxy server. However, in the main windows and Linux workstations do record a list of internet access in the browsing history and while this is not sufficient for “Yes always” it would be sufficient for “Sometimes”.
Question 24 - Mobile Device Management - Remote Wipe and Locking *
If you have mobile devices issued by the company, then this needs to be answered. With a lot of firms, if Office365 is being used then MDM (mobile device management) can be easily enabled and “Yes always” can be answered. Other solutions include:
Trend Micro Mobile Security
ManageEngine Mobile Device Manager Plus
Blackberry Enterprise Mobility Suite
and many others.
Question 25 - Mobile Device Management - Hardening *
The explanation for this question is the same as for question 24.
Question 26 - Remote Access to sensitive information requires authentication *
This is a great question, and one which I see answered as Yes all the time. What I am looking for here is that anywhere sensitive information is available on the internet, that good quality authentication is required.