Cyber Essentials and the Importance of Secure Configuration

Published: August 7th, 2019

Author: Bill Kaewwilai

Categories: Cyber Security

Have you ever been denied access to a website or been unable to open a file at work? Have you ever been in a situation where you had to change your password so often that you ended up just adding a single number or letter to the end of the original password?

Arguably one of the most important topics covered by Cyber Essentials is secure configuration. It is listed in the SANS Top 20 Critical Controls to implement [1]. The challenge is to ensure that all devices are secure while keeping the user experience good enough that you or your employees are not tempted to find workarounds.

What is secure configuration?

Secure configuration is the practice of configuring devices securely to minimise risk. This is achieved by ensuring that systems are set up correctly to mitigate vulnerabilities and that, thereafter, this state is continually maintained. Secure configuration is an on-going process, and overseeing its implementation and maintenance becomes a time-consuming responsibility as the number of users, devices and software increases.

Generally, organisations are advised to configure their devices and systems according to the principle of secure defaults: the idea that all devices and systems should enable all security measures. This can reduce the usability of the device or software in question, as users have to adhere to security requirements such as entering a password or clicking “run” every time they open a file. These settings should be turned on by default, but ultimately it is your decision whether to opt out of some of the security controls to simplify use (at the cost of increased risk) [2].

The importance of secure configurations

Securely configuring your devices, software and hardware is vitally important, as their configuration ultimately dictates which risks your organisation’s information security system is exposed to. One of the chief benefits of securely configuring your assets is that it is free (except for the hours you have to put in to maintain it). There is no specific software or hardware you need to purchase; you just have to make sure that all the software and hardware you do purchase and use is configured correctly.

The main risk that secure configuration mitigates is employee negligence. A 2018 study by Shred-it (an information security company) found that 47% of business leaders stated that human error had caused a data breach at their organisation [3]. Clicking a phishing link, using an unauthorised USB device and visiting dodgy websites, amongst other things, can cause malware to infect your computer systems. With secure configuration you can block downloads, disable unauthorised USB devices and block dodgy websites to reduce the risk of an employee mishap.

NCSC’s Guidance (Cyber Essentials)

As stated before, maintaining secure configuration is an on-going process that often involves a number of departments. Organisations have to be diligent in ensuring that all systems and devices are periodically checked to make sure that they still meet the organisation’s requirements. Secure configuration comprises a very large and very important part of your information security. Here are some tips and controls from the NCSC’s “10 Steps” and Cyber Essentials to consider while setting up a new device or system.

  • Principle of least functionality: This principle requires you to disable or remove all unnecessary functionality from your computer systems, including unnecessary ports, protocols and services [4]. For example, removing the ability to run any program except those on an approved list (also known as application whitelisting) [5], or disabling auto-run features on removable media to mitigate the risk of malware being run automatically on a computer system.
  • Principle of least privilege: This principle requires you to disable or remove all unnecessary privileges from user accounts, such as access privileges or the privilege to change system settings [6].
  • Change all default passwords on devices, servers and systems. It is widely known that hardware bought from vendors often ships with default credentials such as username: Admin and password: Password.
  • Use a strong password; passwords should be impossible to guess. For more guidance on how to pick a strong password, read the following guide: https://www.apomatix.com/blog/5-password-tips-for-smes/ [7].
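As an added example (not code from the original post), the following script audits a constructed device snapshot against the four controls listed above. The approved-service list, the vendor-default credential pairs and the guessable-password wordlist are all assumptions chosen for illustration.

```python
"""Baseline audit of a device snapshot against the four secure-configuration
controls above: least functionality, least privilege, default passwords and
strong passwords. The snapshot and the reference lists are constructed."""

# Constructed inventory of what a device exposes and who can log in.
SNAPSHOT = {
    "host": "office-pc-01",
    "listening_services": ["ssh", "smb", "telnet", "ftp"],
    "autorun_enabled": True,
    "accounts": [
        {"user": "Admin", "password": "Password", "is_admin": True},
        {"user": "alice", "password": "Summer2019!", "is_admin": True},
        {"user": "bob", "password": "c0rrect-horse-battery-staple", "is_admin": False},
    ],
}

APPROVED_SERVICES = {"ssh", "smb"}  # anything else counts as unnecessary functionality
DEFAULT_CREDENTIALS = {("admin", "password"), ("admin", "admin")}  # assumed vendor defaults
GUESSABLE = {"password", "123456", "summer2019!"}  # assumed wordlist of common passwords
MIN_PASSWORD_LENGTH = 12  # assumed local policy


def audit(snapshot, approved=APPROVED_SERVICES):
    """Return a list of (control, finding) tuples; an empty list means the device passes."""
    findings = []
    # Least functionality: every exposed service must be explicitly approved.
    for svc in snapshot["listening_services"]:
        if svc not in approved:
            findings.append(("least functionality", f"unapproved service listening: {svc}"))
    if snapshot["autorun_enabled"]:
        findings.append(("least functionality", "AutoRun on removable media is enabled"))
    # Least privilege: more than one administrative account on a workstation is a red flag.
    admins = [a["user"] for a in snapshot["accounts"] if a["is_admin"]]
    if len(admins) > 1:
        findings.append(("least privilege", f"multiple admin accounts: {', '.join(admins)}"))
    # Default and weak passwords: compare case-insensitively against the reference lists.
    for acct in snapshot["accounts"]:
        pair = (acct["user"].lower(), acct["password"].lower())
        if pair in DEFAULT_CREDENTIALS:
            findings.append(("default passwords", f"vendor default credentials on {acct['user']}"))
        elif len(acct["password"]) < MIN_PASSWORD_LENGTH or acct["password"].lower() in GUESSABLE:
            findings.append(("strong passwords", f"weak password on {acct['user']}"))
    return findings


if __name__ == "__main__":
    for control, finding in audit(SNAPSHOT):
        print(f"[{control}] {finding}")
```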

Sources:

  1. https://www.cisecurity.org/controls/secure-configuration-for-hardware-and-software-on-mobile-devices-laptops-workstations-and-servers/
  2. https://www.owasp.org/index.php/Establish_secure_defaults
  3. https://www.cnbc.com/2018/06/21/the-biggest-cybersecurity-risk-to-us-businesses-is-employee-negligence-study-says.html
  4. https://nvd.nist.gov/800-53/Rev4/control/CM-7
  5. https://searchsecurity.techtarget.com/definition/application-whitelisting
  6. https://en.wikipedia.org/wiki/Principle_of_least_privilege
  7. https://www.apomatix.com/blog/5-password-tips-for-smes/
