Cyber Essentials and Plus

Cyber Essentials is a cybersecurity certification scheme launched by the UK Government in 2014. It is designed to help organisations protect themselves against common cyber threats and improve their overall cybersecurity posture. The scheme is based on a set of five basic technical controls that organisations should implement to achieve a basic level of cybersecurity.

Boundary firewalls and internet gateways

Boundary firewalls and internet gateways are crucial elements to protect an organisation’s network from unauthorised access and cyber threats. These components act as barriers between the organisation’s internal network and the external internet, controlling inbound and outbound traffic based on predetermined security rules.

To comply with the Cyber Essentials requirements related to boundary firewalls and internet gateways, organisations must implement the following measures:

Install and enable firewalls

Ensure a firewall is installed at the network’s edge, separating it from the public internet. Firewalls should also be deployed between different internal network segments if they have varying security requirements.

Configure firewalls and gateways securely

Default settings should be changed, and security policies should be defined to permit only necessary traffic. This includes blocking all unauthorised incoming connections and restricting outgoing connections to a minimum required set.

Regularly review and update firewall rules

Firewall rules should be periodically reviewed and updated to maintain the organisation’s security posture. This includes removing any obsolete or overly permissive rules.

Disable unnecessary services and ports

Only services and ports required for business operations should be enabled, while all others should be disabled to reduce the potential attack surface.

Implement a secure remote access solution

If remote access to the organisation’s network is necessary, a secure solution, such as a Virtual Private Network (VPN) with strong encryption, should be used. Access should be granted on a need-to-know basis and monitored regularly.

Regularly test and update firewalls and gateways

Firewalls and internet gateways should be updated with the latest security patches and firmware updates. Regular testing should be conducted to ensure that they continue to provide adequate security.
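The review steps above (default-deny inbound, outbound limited to what is required, obsolete or overly permissive rules removed) can be turned into a repeatable check. The script below is an added example, not part of the original article or the Cyber Essentials scheme; the rule format, the admin-port list, the 90-day staleness threshold and the sample rules are all assumptions constructed for the example.

```python
"""Review a boundary firewall rule set against the measures above: an explicit
default-deny for inbound traffic, outbound limited to what is required, and no
obsolete or overly permissive rules. Rule format and sample rules are constructed."""
import ipaddress

ADMIN_PORTS = {22, 23, 3389, 5900}  # assumed list of remote-administration ports
STALE_DAYS = 90                     # assumed threshold for treating a rule as obsolete

def is_any(cidr):
    """True when a CIDR covers the whole address space, e.g. 0.0.0.0/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def review_rules(rules):
    """Return (rule_name, finding) tuples for rules that need attention."""
    findings = []
    has_default_deny = False
    for r in rules:
        if r["action"] == "deny" and r["direction"] == "in" and is_any(r["src"]):
            has_default_deny = True
        if r["action"] != "allow":
            continue
        if r["direction"] == "in" and is_any(r["src"]) and r["port"] == "any":
            findings.append((r["name"], "allows all inbound traffic from anywhere"))
        elif r["direction"] == "in" and is_any(r["src"]) and r["port"] in ADMIN_PORTS:
            findings.append((r["name"], f"exposes admin port {r['port']} to the internet"))
        if r["direction"] == "out" and is_any(r["dst"]) and r["port"] == "any":
            findings.append((r["name"], "permits unrestricted outbound traffic"))
        if r["days_since_last_hit"] > STALE_DAYS:
            findings.append((r["name"], "unused beyond the review threshold; candidate for removal"))
    if not has_default_deny:
        findings.append(("<ruleset>", "no explicit default-deny rule for inbound traffic"))
    return findings

# Constructed sample rule set using documentation address ranges (not a real network).
SAMPLE_RULES = [
    {"name": "web-in", "action": "allow", "direction": "in", "src": "0.0.0.0/0",
     "dst": "203.0.113.10/32", "port": 443, "days_since_last_hit": 0},
    {"name": "rdp-in", "action": "allow", "direction": "in", "src": "0.0.0.0/0",
     "dst": "203.0.113.20/32", "port": 3389, "days_since_last_hit": 2},
    {"name": "legacy-ftp", "action": "allow", "direction": "in", "src": "198.51.100.0/24",
     "dst": "203.0.113.30/32", "port": 21, "days_since_last_hit": 400},
    {"name": "all-out", "action": "allow", "direction": "out", "src": "10.0.0.0/8",
     "dst": "0.0.0.0/0", "port": "any", "days_since_last_hit": 0},
    {"name": "default-deny", "action": "deny", "direction": "in", "src": "0.0.0.0/0",
     "dst": "0.0.0.0/0", "port": "any", "days_since_last_hit": 0},
]

if __name__ == "__main__":
    for name, finding in review_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Running it against the sample flags the internet-exposed RDP rule, the unused FTP rule and the unrestricted outbound rule, while the HTTPS rule and the default-deny pass.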

Secure configuration

Secure configuration is a critical aspect of the Cyber Essentials scheme. It ensures that the systems within an organisation are set up with proper security measures to minimise vulnerabilities and protect against cyber threats. To comply with the Cyber Essentials requirements related to secure configuration, organisations should follow these best practices:

Change default settings

Default usernames, passwords, and other system settings should be changed before deployment to prevent unauthorised access. Default accounts that are not needed should be removed or disabled.

Remove or disable unnecessary software, services, and features

Unneeded software, services, and features can increase an organisation’s attack surface. Removing or disabling these components can reduce potential entry points for attackers.

Implement the principle of least privilege

Users should be granted the minimum access required to perform their job functions. Administrative privileges should be restricted to a limited number of users, and access should be regularly reviewed and updated.

Use strong, unique passwords

Require strong, unique passwords for all user accounts, and enforce periodic password changes. Implement multi-factor authentication (MFA) wherever possible to add an extra layer of security.

Keep systems up to date

Regularly apply security patches and updates to operating systems, software, and firmware. Establish a patch management process to ensure timely updates and minimise the risk of known vulnerabilities being exploited.

Harden systems according to best practices

Follow industry-standard guidelines and best practices for hardening systems, such as the Center for Internet Security (CIS) Critical Security Controls or vendor-specific hardening guides.

Secure network devices

Configure routers, switches, and other network devices with appropriate security settings and keep their firmware current.

Implement secure backups

Regularly back up important data and store it securely, preferably offsite. Test backup and restore procedures periodically to ensure they function correctly.


Enable logging and monitoring

Configure systems to log security-related events and regularly review these logs to detect potential security incidents. Implement monitoring solutions to provide real-time visibility into system events.

Access control

Access control is an essential component of the Cyber Essentials scheme. It helps organisations manage who has access to their systems and data, thereby reducing the risk of unauthorised access and data breaches. To comply with the Cyber Essentials requirements related to access control, organisations should implement the following best practices:

Implement the principle of least privilege

Ensure that users have the minimum access required to perform their job functions. Limit the number of users with administrative privileges, and restrict access to sensitive systems and data on a need-to-know basis.

Use strong, unique passwords

Enforce strong, unique passwords for all user accounts, and require periodic password changes. Encourage the use of password managers to help users securely store and manage their passwords.

Implement multi-factor authentication (MFA)

Wherever possible, use MFA to add an extra layer of security. This requires users to provide additional verification, such as a fingerprint or one-time code, in addition to their password when logging in.

Manage user accounts

Regularly review and update user accounts, removing or disabling those that are no longer required or have not been used for an extended period. Monitor account activity for signs of unauthorised access or suspicious behaviour.

Control remote access

If remote access to the organisation’s network is necessary, implement a secure solution, such as a Virtual Private Network (VPN) with strong encryption. Grant remote access on a need-to-know basis, and monitor usage regularly.

Separate user and administrative accounts

Users with administrative privileges should have separate accounts for their regular and administrative tasks. This helps to prevent accidental changes or unauthorised access to sensitive systems.

Train employees on security awareness

Provide regular training on access control best practices, password management, and other security topics. Educate employees about the risks of phishing attacks and how to identify and report them.


Monitor and log access

Configure systems to log access events and regularly review these logs to detect potential security incidents. Implement monitoring solutions to provide real-time visibility into access events.
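The account management, MFA and separate-admin-account practices above lend themselves to a periodic review of a directory export. The script below is an added example, not part of the original article or the scheme; the record format, the 90-day dormancy threshold, the "owner" field used to tie an admin account to the person behind it, and the sample accounts are constructed assumptions.

```python
"""Review a user directory export against the access-control practices above:
dormant accounts left enabled, administrative accounts without MFA, and admin
rights granted on a person's day-to-day account. All data here is constructed."""
from datetime import date

DORMANT_DAYS = 90  # assumed threshold for "not used for an extended period"

def review_accounts(accounts, today):
    """Return a sorted list of (username, issue) findings for the review meeting."""
    findings = []
    for a in accounts:
        idle = (today - a["last_login"]).days if a["last_login"] else None
        # Disabled accounts are already handled; only enabled dormant ones matter.
        if a["enabled"] and (idle is None or idle > DORMANT_DAYS):
            findings.append((a["user"], "dormant account still enabled; disable or remove"))
        if a["admin"] and not a["mfa"]:
            findings.append((a["user"], "administrative account without MFA"))
        # An admin account whose username equals its owner is the person's
        # everyday account (assumed convention: separate admin accounts use
        # a distinct username such as "alice-adm" owned by "alice").
        if a["admin"] and a["user"] == a["owner"]:
            findings.append((a["user"], "admin rights on a day-to-day account; create a separate admin account"))
    return sorted(findings)

# Constructed sample export (not a real directory).
ACCOUNTS = [
    {"user": "alice", "owner": "alice", "admin": False, "mfa": True,
     "enabled": True, "last_login": date(2024, 3, 29)},
    {"user": "alice-adm", "owner": "alice", "admin": True, "mfa": True,
     "enabled": True, "last_login": date(2024, 3, 22)},
    {"user": "bob", "owner": "bob", "admin": True, "mfa": False,
     "enabled": True, "last_login": date(2024, 3, 31)},
    {"user": "svc-backup-old", "owner": "it", "admin": False, "mfa": False,
     "enabled": True, "last_login": date(2023, 9, 1)},
    {"user": "temp-contractor", "owner": "hr", "admin": False, "mfa": False,
     "enabled": False, "last_login": None},
]
TODAY = date(2024, 4, 1)

if __name__ == "__main__":
    for user, issue in review_accounts(ACCOUNTS, TODAY):
        print(f"{user}: {issue}")
```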

Malware protection

Malware protection is a key component of the Cyber Essentials scheme. It helps organisations defend against various types of malicious software, including viruses, worms, ransomware, and other threats that can compromise systems, steal data, or disrupt operations. To comply with the Cyber Essentials requirements related to malware protection, organisations should implement the following best practices:

Install antivirus and antimalware software

Ensure that all systems, including servers, desktops, and laptops, have antivirus and antimalware software installed. Choose reputable and trusted security solutions that provide comprehensive protection.

Keep security software up to date

Regularly update antivirus and antimalware software with the latest virus definitions and signatures to ensure protection against newly discovered threats. Configure the software to update automatically, if possible.

Enable real-time scanning

Configure the antivirus and antimalware software to perform real-time scanning, continuously monitoring systems for signs of malware activity and blocking threats before they can cause damage.

Regularly scan systems for malware

In addition to real-time scanning, schedule regular full system scans to detect and remove any malware that may have slipped through the real-time protection.

Implement email security measures

Use email security solutions to filter out spam, phishing emails, and messages containing malicious attachments or links. Train employees on how to recognise and report phishing attempts.

Control the use of removable media

Limit the use of removable media, such as USB drives, to reduce the risk of malware being introduced to the network. Implement policies and technical controls to manage removable media, and scan all media for malware before allowing it to be used on organisational systems.

Keep operating systems and applications up to date

Regularly apply security patches and updates to operating systems, software, and firmware to close known vulnerabilities that malware could exploit.

Restrict software installation

Limit the ability of users to install new software on their devices and maintain a whitelist of approved applications to prevent unauthorised or potentially malicious software from being installed.


Educate employees about malware risks

Provide regular training on malware risks, safe internet browsing practices, and identifying and reporting suspicious files or activity.

Patch management

Patch management is a vital component of the Cyber Essentials scheme. It helps organisations keep their systems, software, and devices up to date, reducing the risk of exploitation by cyber threats that target known vulnerabilities. To comply with the Cyber Essentials requirements related to patch management, organisations should implement the following best practices:

Establish a patch management policy

Develop a comprehensive policy outlining the organisation’s approach to patch management, including roles and responsibilities, procedures, and timelines for applying patches and updates.

Inventory and prioritise systems

Maintain an up-to-date inventory of all hardware and software assets within the organisation. Identify and prioritise critical systems, applications, and devices that require more immediate attention when patches are available.

Monitor for updates and vulnerabilities

Regularly monitor vendor websites, security bulletins, and other trusted sources for information on new patches, updates, and vulnerabilities that affect your organisation’s systems and software.

Assess and test patches

Before deploying patches, assess their relevance to your environment and test them in a controlled environment, if possible, to ensure they do not introduce new issues or incompatibilities.

Schedule and deploy patches

Establish a schedule for applying patches based on their criticality and the organisation’s risk tolerance. Deploy patches in a timely manner, adhering to the schedule and prioritising critical updates that address high-risk vulnerabilities.

Automate patch management when possible

Use patch management tools and software to automate the monitoring, testing, and deployment of patches, streamlining the process and reducing the risk of human error.

Manage exceptions

Develop a process for managing exceptions when patches cannot be applied immediately, such as when they are incompatible with existing systems or require extensive testing. Implement compensating controls or workarounds to mitigate the risks associated with the unpatched vulnerability.

Track and report on patch management activities

Keep records of all patch management activities, including identifying, assessing, testing, and deploying patches. Regularly report on the organisation’s patch management performance and compliance with the established policy.

Educate employees and raise awareness

Provide training and awareness programs to educate employees on the importance of patch management and their role in maintaining up-to-date systems.
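The inventory, scheduling, exception-handling and reporting steps above combine into a single tracking routine. The script below is an added example, not part of the original article or the scheme; the inventory format, the per-severity deadlines (14 days for critical and high is an assumed policy value, not a figure from this page), the exception register and the sample data are all constructed.

```python
"""Classify each inventory item against the patch policy window and separate
genuinely overdue patches from those covered by a recorded exception with a
compensating control. Inventory, dates and policy windows are constructed."""
from datetime import date

# Assumed policy: days allowed between patch release and deployment, by severity.
POLICY_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}

def patch_status(item, today, exceptions):
    """Return 'patched', 'late', 'exception', 'overdue' or 'pending' for one item."""
    window = POLICY_DAYS[item["severity"]]
    age = ((item["applied"] or today) - item["released"]).days
    if item["applied"]:
        return "patched" if age <= window else "late"
    # An unpatched item is only acceptable if the exception register records
    # it together with the compensating control that was put in place.
    if item["patch"] in exceptions.get(item["asset"], {}):
        return "exception"
    return "overdue" if age > window else "pending"

def patch_report(inventory, today, exceptions):
    """Group asset/patch identifiers by status for reporting and escalation."""
    report = {}
    for item in inventory:
        status = patch_status(item, today, exceptions)
        report.setdefault(status, []).append(f"{item['asset']}/{item['patch']}")
    return report

# Constructed sample inventory; patch identifiers are placeholders.
INVENTORY = [
    {"asset": "web01", "patch": "KB-EXAMPLE-1", "severity": "critical",
     "released": date(2024, 3, 1), "applied": date(2024, 3, 8)},
    {"asset": "db01", "patch": "KB-EXAMPLE-2", "severity": "high",
     "released": date(2024, 3, 1), "applied": date(2024, 3, 30)},
    {"asset": "hr-app", "patch": "KB-EXAMPLE-3", "severity": "critical",
     "released": date(2024, 3, 1), "applied": None},
    {"asset": "fw01", "patch": "FW-EXAMPLE-4", "severity": "high",
     "released": date(2024, 3, 1), "applied": None},
    {"asset": "ws07", "patch": "KB-EXAMPLE-5", "severity": "low",
     "released": date(2024, 3, 20), "applied": None},
]
EXCEPTIONS = {"hr-app": {"KB-EXAMPLE-3": "vendor incompatibility; host isolated on its own VLAN"}}
TODAY = date(2024, 4, 1)

if __name__ == "__main__":
    for status, items in patch_report(INVENTORY, TODAY, EXCEPTIONS).items():
        print(f"{status}: {', '.join(items)}")
```

Items reported as "late" still count as patched but show where the schedule slipped; "overdue" items with no exception are the ones that need compensating controls or escalation.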

By obtaining the Cyber Essentials certification, organisations can demonstrate to their customers, suppliers, and partners that they have implemented basic cybersecurity measures. The certification process typically involves a self-assessment questionnaire followed by an external vulnerability scan conducted by a certification body. Two certification levels are available: Cyber Essentials and Cyber Essentials Plus. The latter involves a more in-depth assessment, including hands-on technical testing of an organisation’s systems.