PART I: REQUIREMENTS FOR BASIC TECHNICAL PROTECTION FROM CYBER ATTACKS
The controls set out in the Requirements are relevant to organisations of all sizes, but have been chosen for Cyber Essentials because they are relatively easy to implement for SMEs and protect against a wide variety of common cyber threats. But what are the common attacks that your organisation faces, and which the UK Government are so keen to protect against?
Types of attack
The image of the hacker in popular media is usually of a lone individual in a basement, tapping away at a keyboard, trying to break into a specific computer system. This targeted attack methodology is not how most attackers operate, which is lucky because it is difficult to keep out a motivated and expert cyber criminal who is deliberately targeting your organisation.
The good news is that most cyber attackers run their criminal enterprises like a business, and it is just not economical for them to go after their targets one-by-one. Successful cyber attacks in the UK generally rely on simple technology that is widely available on the web. Such attackers employ a scattergun approach, using vectors such as spam email to go after hundreds of organisations and individuals at once, and then opportunistically break into exposed networks – these are known as ‘commodity’ cyber threats. To break into a system, the attackers rely on poor technical security measures at target organisations and/or a lack of security awareness among staff – so addressing these issues goes a long way toward making your organisation secure.
The types of common attack can be split into five major categories:
1. Social engineering
Attackers ‘con’ employees into allowing them to access the organisation’s systems. Social engineering can be targeted – for example, the attacker might phone technical support, pretend to be a senior member of staff with a high level of access, and request that they change the password for the impersonated individual’s user account so that the hackers can log in later. It is also employed in low-tech attack methods – a common tactic is to send out spam emails with virus-bearing attachments, which, when opened, log keystrokes or otherwise accumulate data (Trojans). ‘Phishing’ is a type of social engineering attack which many of us have encountered at some point – emails purporting to come from an authoritative source (such as a bank or credit card company) are sent out, requesting that the recipient enter their login details. The criminal can then gain access to their account to siphon off funds.
2. Denial of service (DoS)
Attackers seek to overload a network with external communications requests to create a server overload, preventing the target from performing its normal functions. The requests which make up the attack usually come from computers which have been infected with malware – without their owners even being aware of it. The Cyber Essentials scheme helps prevent your computer being used in such an attack.
3. Brute force
Attackers attempt to discover a password by using a program which tries all possible combinations of letters, numbers and punctuation marks. If the target is using a weak password, such as the name of a favourite football team or a dictionary word, this process is a relatively easy way to break into a system. It is also possible for some login systems to be fooled into giving up the password – if you have chosen to let your computer ‘remember’ it after you have logged out, then the attacker can use this against you.
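As an added illustration (not from the book), the following estimates a defender's worst case for the brute force described above: a dictionary word, even with a number tacked on, collapses the search space, whereas a random string drawn from letters, numbers and punctuation grows exponentially with length. The word list and guess rate are constructed assumptions.

```python
import re
import string

# Character classes an exhaustive search cycles through: letters, digits, punctuation (94 symbols).
CHARSET_SIZE = len(string.ascii_letters) + len(string.digits) + len(string.punctuation)

# Constructed miniature word list standing in for the large dictionaries such tools ship with.
DICTIONARY = {"arsenal", "liverpool", "password", "football", "welcome"}

# A dictionary word optionally followed by digits (a common way users "strengthen" a weak word).
WORD_PLUS_DIGITS = re.compile(r"([A-Za-z]+)(\d*)")


def guess_space(password: str) -> int:
    """Upper bound on the guesses needed to be certain of finding this password.

    A dictionary word, with or without a trailing number, is found after at most
    (words x number variants) guesses, however long it is. Anything else is bounded
    by the exhaustive search over all 94 symbols at its length.
    """
    m = WORD_PLUS_DIGITS.fullmatch(password)
    if m and m.group(1).lower() in DICTIONARY:
        return len(DICTIONARY) * 10 ** len(m.group(2))
    return CHARSET_SIZE ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time at an assumed guessing rate (an assumption, not a measured benchmark)."""
    return guess_space(password) / guesses_per_second


def meets_policy(password: str, min_length: int = 12) -> bool:
    """Defender-side rule: reject dictionary-based passwords and anything shorter than min_length."""
    m = WORD_PLUS_DIGITS.fullmatch(password)
    if m and m.group(1).lower() in DICTIONARY:
        return False
    return len(password) >= min_length
```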
4. Physical attack
Attackers steal data by gaining physical access to your systems. They use tactics which range from breaking into office buildings and stealing servers or laptops, to masquerading as employees to gain access during working hours so that they can install malware or infected hardware.
5. Exploiting vulnerabilities
Attackers gain access to systems using vulnerabilities that have been discovered in applications and configurations.
Cyber Essentials provides protection against the first three types of attack, which involve the use of malware – hostile or intrusive software. It also helps you to repair vulnerabilities. Although it is not a requirement, it may also be a good idea to make your office more physically secure as well – one sensible policy is to require staff to ask unfamiliar, unaccompanied visitors for identification, not just at reception but throughout the building.
The scope
The first step in becoming secure from such threats is to adequately scope which parts of your IT infrastructure need to be given a basic level of technical protection. This is defined firstly in terms of the business unit/organisation and secondly in terms of the hardware and software used by that business unit, which will need to be made secure. The part of your IT infrastructure which stores and/or processes sensitive information will have to be included in the scope, but you can choose whether to have the rest of your organisation certified as well – this is an important decision to make up-front.
There is a helpful graphic in the Requirements which can be used to work out what is in scope, but the Assurance Framework goes into far greater detail on the subject and it is recommended that you consult that instead. This book examines scope in detail at the beginning of Part 2.
The five cyber security measures and implementing controls
The measures laid out in the Requirements have been chosen deliberately to protect against the low-tech attacks discussed above. Fully implementing these five key measures will put interlocking cyber security measures into place to defend your organisation.
The measures are:
1. Boundary firewalls and Internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
After you have determined the scope, the next step is to implement the controls that make up each measure.
It should be noted that it is sometimes legitimately impossible to implement a control; the Cyber Essentials scheme recognises this and allows you to create compensating controls, which should be defined and put in place prior to the auditing process.
Documentation
Before you start implementing the controls, you should have established an approach to documenting your progress which can be used with all five measures. Documentation is important to ensure that the rules are being applied consistently across your organisation, and is required under the scheme in certain cases. It will also help you to fill out the self-assessment questionnaire when trying for Cyber Essentials certification.
Your suite of documentation should be based on the controls and explicitly linked to the network and user devices which are in scope for Cyber Essentials. It should be easily accessible to every member of staff who can make changes to these devices. Rules should be put in place to ensure that whenever staff work on these devices they must consult the documentation...