Steve Mair, Senior Cyber Security Consultant
Through discussions with various clients and prospective clients, at conferences, events and forums, it is very apparent that a lot of companies know that they need to “do something about cyber” but many, particularly in the Small and Medium Enterprise (SME) arena, are unsure of where to start.
My response to them is generally along the same lines, and I thought I’d share it with you now. This blog post is aimed at those with only a limited knowledge of cyber security.
As far back as 2012, the UK government produced the 10 Steps to Cyber Security as part of a campaign to make the UK a safe place to do business. The steps were followed in 2014 by the Cyber Essentials scheme. Both the 10 Steps and Cyber Essentials have had updates over the years, but those updates relate more to guidance and clarification rather than changes to content.
This article sets out the requirements of the 10 Steps to Cyber Security—some may overlap as there are some very blurred lines.
1. Set up a Risk Management regime
This sounds scary, but could be as simple as having an Excel spreadsheet or a Word document where you list all the risks to your business, determine how severe those risks are, and document how you will mitigate those risks. It doesn’t have to be difficult – it could just be your top 5 or 10 risks to start with.
For example, if your business relies exclusively on internet orders (e.g. as an online retail outlet), then loss of access to the internet would be a serious risk. A mitigation could be hosting your website with a specialist hosting provider that protects against physical issues such as flooding or power cuts, and against technical threats such as denial of service attacks.
You should bear in mind that this is a regular, repeated process, where you review your risk register regularly and agree with the board appropriate measures based on a cost benefit analysis and your company’s risk tolerance.
2. Secure Configuration of your systems
All this really means is that you need to make sure that:
- Your systems are patched appropriately
- Anti-virus / anti-malware software is installed, updated and running
- You have an inventory of the equipment you have and what software is installed on it
- Where possible you’ve documented a standard build for all your devices.
Let’s look at those in turn, as it all sounds very complicated:
Patches: Software updates provided by vendors to address vulnerabilities, which are found in all software. These are typically graded in terms of severity from low to critical, the idea being that you apply all critical patches as fast as possible, while low severity patches are less urgent. One of the reasons the Wannacry ransomware outbreak hit people so hard was that a Critical patch released by Microsoft in March 2017 (MS17-010), two months before the outbreak, hadn’t been applied to the systems affected. That’s just one example of what can go wrong if you don’t keep patches up to date.
Many systems allow patches to be downloaded and installed automatically and, if you don’t have an IT department, it’s a good idea to use that option.
Antivirus software: Similar to patches, in that vendors release regular updates to tackle new viruses. With the volume of viruses increasing daily, it’s a good idea to install these updates as they come out i.e. daily. Many of the larger virus companies such as McAfee and Symantec have products which update automatically and are well worth considering.
As an aside, there are rumours that Mac devices aren’t susceptible to or targeted by viruses: this is not the case anymore so make sure those devices are protected too.
Inventory: If you don’t know what you’ve got, how can you protect it? And if you don’t know what software is running, how do you know you have all the licences you need, and how do you know how to rebuild a machine if it is damaged or unavailable for some reason? An inventory stops you having to start from scratch every time and allows you to be more proactive. Knowing what should be on each machine also helps you to develop a strategy for removing or disabling unnecessary functionality on it. Again, going back to Wannacry, one of the methods the ransomware used to spread from machine to machine was an old network protocol (SMB version 1) which wasn’t really necessary on most machines.
Maintaining an up-to-date inventory could help you identify vulnerabilities like that and close them down quickly.
Documented standards: We’ve covered this above, but it basically means that when a new machine is bought, your IT team/support company knows exactly what to install and how to configure it to meet your business needs. This saves time and effort.
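The four checks above (patch age, anti-malware installed and updated, an inventory, and a documented standard build) can be turned into a simple automated comparison of each machine against the baseline. The script below is an added illustration for this post, not PGI’s tooling or anything from the 10 Steps guidance; the baseline thresholds, the field names and the three inventory records are assumptions constructed for the example (the one fact it relies on is that SMB version 1 is the protocol Wannacry used to spread).

```python
"""Compare each machine in a (constructed) inventory against a documented
standard build and report where it has drifted.  Added illustration for this
post, not real tooling; thresholds, field names and records are assumptions."""
from dataclasses import dataclass, field
from datetime import date

# The documented standard build (assumed values for the example).
BASELINE = {
    "max_days_since_patch": 30,      # critical patches applied within a month
    "max_av_signature_age_days": 2,  # signatures refreshed at least daily
    # Functionality the standard build says should be disabled.  SMBv1 is the
    # protocol Wannacry abused to spread; "telnet" is an assumed second example.
    "forbidden_services": {"smbv1", "telnet"},
}


@dataclass
class Machine:
    name: str
    last_patched: date
    av_installed: bool
    av_running: bool
    av_signature_date: date
    software: set = field(default_factory=set)   # what the inventory says is installed
    services: set = field(default_factory=set)   # network services enabled on the box


def check_machine(m: Machine, today: date, baseline=BASELINE) -> list:
    """Return human-readable findings; an empty list means the machine matches the build."""
    findings = []
    patch_age = (today - m.last_patched).days
    if patch_age > baseline["max_days_since_patch"]:
        findings.append(f"patches {patch_age} days old")
    if not m.av_installed:
        findings.append("no anti-malware installed")
    elif not m.av_running:
        findings.append("anti-malware installed but not running")
    else:
        sig_age = (today - m.av_signature_date).days
        if sig_age > baseline["max_av_signature_age_days"]:
            findings.append(f"anti-malware signatures {sig_age} days old")
    for svc in sorted(m.services & baseline["forbidden_services"]):
        findings.append(f"unnecessary service enabled: {svc}")
    return findings


def drift_report(machines, today):
    """Map each machine name to its list of findings."""
    return {m.name: check_machine(m, today) for m in machines}


# Constructed inventory (not real hosts), dated around the Wannacry outbreak.
TODAY = date(2017, 6, 1)
INVENTORY = [
    Machine("LAPTOP-01", date(2017, 5, 20), True, True, date(2017, 5, 31),
            {"endpoint-av", "office"}, {"rdp"}),
    Machine("DESKTOP-07", date(2017, 2, 10), True, False, date(2017, 4, 1),
            {"endpoint-av"}, {"smbv1"}),
    Machine("MAC-03", date(2017, 5, 25), False, False, date(2017, 5, 25),
            {"office"}, set()),
]

if __name__ == "__main__":
    for host, findings in drift_report(INVENTORY, TODAY).items():
        print(f"{host}: {'OK' if not findings else 'DRIFT'}")
        for item in findings:
            print(f"  - {item}")
```

In a real environment the `INVENTORY` list would be fed from whatever asset register or management tool you already have; the point is that once the standard build is written down, checking every machine against it is a small, repeatable job rather than a one-off audit.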
3. Network Security
There are some jargon words around what this means and what has to be done, but I’ve broken it down as follows:
One of the reasons for network security is to protect your networks from attack. A simple way of checking to see how well the network is protected is by engaging a company to run a penetration test against all your public facing connections. All that this means is that a trusted person, with your permission, tries to see how far they can get into your network. They then report back to you with details of the vulnerabilities they found and how these can be fixed/remediated. They are actually using the same tools and techniques as hackers, but because they have your permission this is known as ethical hacking.
Another area to look at in network security is defending your network perimeter. This means that you should have firewalls installed and configured correctly: a penetration test is one way of checking that they are. A firewall sits at the point where your internal network meets the internet. Systems that must be reachable from the internet, such as a web server, are usually placed in a separately segregated network between the internet and your internal network, called a DMZ or “De-militarised zone”, so that traffic from the internet never reaches your internal network directly.
As part of firewall configuration, you should ensure that unauthorised access and malicious content are filtered out. There are a range of companies which provide solutions for this, but in simple terms your penetration test will help identify the biggest areas of concern. Network protocols are the ways in which computers talk to each other, and each runs over one or more numbered ports. You can think of the firewall as a giant colander where you block up most of the holes (ports), leaving open only those needed to pass a specific strand of spaghetti (a specific protocol) through a specific hole (port); anything not explicitly allowed should be blocked by default.
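The colander idea, written out as a small model of how a default-deny firewall decides what gets through, is shown below. This is an added illustration for this post, not the configuration language of any real firewall product; the rule set, the internal address range and the sample connection attempts are assumptions constructed for the example.

```python
"""Minimal model of a default-deny perimeter firewall: rules are checked in
order, the first match wins, and anything unmatched is dropped.  Added
illustration for this post, not a real product; rules and sample traffic
are assumptions for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str              # "in" (from the internet) or "out" (to the internet)
    proto: str                  # "tcp" or "udp"
    port: Optional[int]         # destination port, None = any port
    source: str = "0.0.0.0/0"   # network the traffic may come from (default: anywhere)

    def matches(self, direction, proto, port, src_ip) -> bool:
        return (self.direction == direction
                and self.proto == proto
                and (self.port is None or self.port == port)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source))


# Ordered rule set for an internet-facing firewall (assumed for the example).
RULES = [
    Rule("allow", "in", "tcp", 443),                      # the public web site
    Rule("allow", "in", "tcp", 22, source="10.0.0.0/8"),  # admin access only from inside
    Rule("allow", "out", "tcp", None),                    # staff browsing, software updates
    # No rule mentions 445 (SMB) or 3389 (RDP): they fall through to the default.
]


def evaluate(direction, proto, port, src_ip, rules=RULES) -> str:
    """Return 'allow' or 'deny' for one connection attempt; first matching rule wins."""
    for rule in rules:
        if rule.matches(direction, proto, port, src_ip):
            return rule.action
    return "deny"   # default deny: every hole you did not open stays blocked


def inbound_holes(rules=RULES):
    """List the inbound (proto, port, source) holes the rule set opens, for periodic review."""
    return sorted({(r.proto, r.port, r.source) for r in rules
                   if r.action == "allow" and r.direction == "in"})


# Constructed connection attempts: (direction, proto, destination port, source IP).
ATTEMPTS = [
    ("in", "tcp", 443, "203.0.113.5"),    # a customer reaching the web site
    ("in", "tcp", 445, "203.0.113.5"),    # SMB from the internet
    ("in", "tcp", 3389, "203.0.113.5"),   # remote desktop from the internet
    ("in", "tcp", 22, "203.0.113.5"),     # SSH from the internet
    ("in", "tcp", 22, "10.1.2.3"),        # SSH from the internal range
    ("out", "tcp", 443, "10.1.2.3"),      # a member of staff browsing out
]

if __name__ == "__main__":
    for attempt in ATTEMPTS:
        print(attempt, "->", evaluate(*attempt))
    print("inbound holes to review:", inbound_holes())
```

`inbound_holes()` is the part worth keeping in mind when you review a real firewall: the list of ports you have deliberately opened from the internet should be short, and every entry should have a business reason you can name.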
Last but not least in this section is the requirement to monitor and test security controls. Monitoring is a way of measuring the effectiveness of your controls. There are a lot of monitoring toolsets available, ranging from reasonably cheap to quite expensive. It’s worth working out what you need to monitor/measure before starting to look for tools to help. This is one area where engaging a consultant may be beneficial.
4. Malware Prevention
Much of this is covered within the Secure Configuration step above, but what we didn’t mention is that it’s important to develop a policy around how you will use anti-malware software.
For example, what happens when a virus is detected? Should it be deleted automatically or perhaps quarantined for analysis? Is there a process for testing removable media such as USB sticks for malware before connecting them to corporate systems (this is often called a sheepdip process)? It’s also important that anti-malware software is running on all devices connected to your business environment: monitoring and measurement will help confirm this.
5. Removable Media Control
This requires specific policy statements about the use of removable media: do you allow it or not? Are only specific users in specific roles allowed to use it? Etc. This step also sets out the requirements for scanning media for malware, perhaps using the sheepdip process outlined in step four above.
6. User Education and Awareness
Training is a very important part of the controls which help protect our businesses. It forms a part of many regulatory frameworks, but we shouldn’t just do it because the regulations or contracts we work to require it.
Within the 10 Steps, the guidance suggests that once you’ve produced all your policies and processes you ensure that those are described within the training you provide. It helps to maintain awareness of cyber risks and, at the very least, should mean that all staff are aware of what is expected of them.
Many companies have for years run this as a kind of a ‘tick box’ exercise, where people simply rush to the end as fast as possible just so they can say they’ve completed it for another year. That adds no value. The employee gains nothing and the business is not better protected – but it may be sufficient to meet our regulatory, legal or contractual obligations.
Good awareness training should help to inform and change behaviour, to make it easier for people to do the right thing than the wrong thing. It should help explain the risks of certain actions in a way that matters and affects the individual; it should answer the “what’s in it for me?” question. Humans are the weakest link in any security solution, so we should help them get it right by helping them understand what’s at stake. Many good training solutions now include gamification, or “what would you do?” type scenarios. Get the attendees actively involved in the training, rather than passively clicking ‘next’ to get to the next screen.
7. Managing User Privileges
This simply means restricting access to the highest privilege type of account to as few people as possible. You should also monitor user activity if possible, looking out for unusual activity, such as logging in at strange times of the day or large file transfers out of your business. This also involves looking at audit logs, which you may need help with.
User accounts on most computers fall into two types:
- A standard user can run the software already installed but cannot install new software, change system-wide settings or interfere with other users’ accounts, because their access rights (user privileges) don’t give them carte blanche access to the device.
- Administrator (also known as admin, superuser, root etc.) account has full access to be able to run any software, to remove components, and to run administrative tools such as reformatting drives. This is very powerful and, as a result, users with this level of access should be restricted as much as possible.
It is good practice to give most users standard user accounts because, for the most part, they should not need to install software or make significant changes to their machines. It’s also good practice to review who has what level of access on a regular basis, and make sure that people only have access to systems and data that they need for their job. For example, someone working in a technical team doesn’t need access to payroll data, and someone working in HR doesn’t generally need to be able to install new software on a server.
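The regular access review described above can be done with a short script once you have written down what each role actually needs. The example below is an added illustration for this post, not tooling from PGI or the 10 Steps guidance; the role matrix, the set of roles permitted to hold administrator rights and the five accounts are assumptions constructed for the example (it also picks up the leaver check from the Monitoring step later on, since that is part of the same review).

```python
"""Periodic user-access review: compare what each account can reach with what its
role needs, flag administrator rights held outside an admin role, and catch
accounts that should have been removed when the person left.  Added illustration
for this post; the role matrix and account records are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# What each role needs for its job (assumed for the example).  Anything beyond
# this is a finding: the engineer with payroll access, the HR user who can
# install software, and so on.
ROLE_NEEDS = {
    "engineering": {"source-code", "build-server"},
    "hr":          {"hr-system", "payroll"},
    "finance":     {"payroll", "accounts"},
    "sales":       {"crm"},
    "it-support":  {"helpdesk", "build-server"},
}
# Roles allowed to hold administrator rights (assumed: only IT support).
ADMIN_ROLES = {"it-support"}


@dataclass
class Account:
    username: str
    role: str
    access: set = field(default_factory=set)   # systems/data the account can reach
    local_admin: bool = False                  # holds an administrator-level account
    left_on: Optional[str] = None              # ISO date the person left, or None
    enabled: bool = True


def review_account(acct: Account) -> list:
    """Return the findings for one account (empty list = nothing to change)."""
    findings = []
    if acct.left_on and acct.enabled:
        findings.append(f"leaver ({acct.left_on}) still enabled")
    excess = acct.access - ROLE_NEEDS.get(acct.role, set())
    for system in sorted(excess):
        findings.append(f"access to '{system}' not needed for role '{acct.role}'")
    if acct.local_admin and acct.role not in ADMIN_ROLES:
        findings.append("holds administrator rights without an admin role")
    return findings


def access_review(accounts):
    """Map each username to its findings."""
    return {a.username: review_account(a) for a in accounts}


def admin_count(accounts) -> int:
    """How many enabled accounts hold administrator rights: keep this number small."""
    return sum(1 for a in accounts if a.local_admin and a.enabled)


# Constructed accounts for the example (not real people).
ACCOUNTS = [
    Account("asmith", "engineering", {"source-code", "build-server", "payroll"}),
    Account("bjones", "hr", {"hr-system", "payroll"}, local_admin=True),
    Account("cwhite", "it-support", {"helpdesk", "build-server"}, local_admin=True),
    Account("dbrown", "sales", {"crm"}, left_on="2017-03-31"),
    Account("egreen", "finance", {"payroll", "accounts"}),
]

if __name__ == "__main__":
    for user, findings in access_review(ACCOUNTS).items():
        for item in findings:
            print(f"{user}: {item}")
    print("accounts with administrator rights:", admin_count(ACCOUNTS))
```

The role matrix is the hard part, not the code: agreeing with each department head what their staff genuinely need is what turns this from a list of accounts into a least-privilege review.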
8. Incident Management
This step is not only about how you deal with an incident when it occurs, but about being prepared for one before it happens. You’ll notice that I’ve said ‘when’ rather than ‘if’. If you haven’t had an incident yet, it is only a matter of time, so it helps to be prepared.
The key areas to bear in mind are:
Ensure that you have a documented incident response process— i.e. you know what to do and who to contact. For example, where would you relocate your business/staff to if your offices were unavailable due to fire, flood or a chemical spill? How would you contact staff to tell them where to go and when? Are all staff required or just one or two? What equipment will they need and how would they access your systems? If you’re using a shared recovery office, how are you guaranteed space? What would you do if your office systems were infected by ransomware? This is all part of Business Continuity or Disaster Recovery Planning.
Once you’ve got your plans in place, test them. You should aim to test them at least once a year. Some companies do a full test where they actively notify people and try running their business from the recovery offices for a day and some run a table top exercise. Both work, and both have their risks and benefits.
Just as your business will likely have fire marshals, first aiders and health and safety experts, make sure staff are trained in what to do in the event of an incident. The training doesn’t have to be onerous and many businesses will include it as part of their User Education and Awareness activities described in step six above.
Where an incident involves a crime, it should be reported to law enforcement via Action Fraud – http://www.actionfraud.police.uk. You may also choose to inform your local police force.
9. Monitoring
This step covers more than just the user activity monitoring mentioned under Managing User Privileges. There are a couple of things to look at when dealing with this step:
Establish (and document) a strategy for monitoring—ideally include it in your overall Information Security Policy. Monitoring may also include email and internet use as well as systems and networks: if it does, then you need to make your staff aware that this is the case.
Monitoring of systems and networks should be continuous, so you’ll need a way of identifying anomalies/unusual behaviour. This may be through log analysis or software which helps to visualise the data, which makes the anomalies stand out.
Though the guidance doesn’t specifically mention it, I’d suggest that your monitoring should also include details around key indicators, change management etc. For example, if you have a policy that requires all laptops to be encrypted, then you should check regularly to ensure that they are and report on those that aren’t. Or if you have a policy of removing user access when they leave the organisation, you should check to ensure that is happening on a regular basis.
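Two of the suggestions in this post, the user activity monitoring from step seven (logins at strange times of the day, large file transfers out of the business) and the policy compliance checks above (for example, every laptop encrypted), are both simple enough to run over your own logs and asset lists. The script below is an added illustration for this post, not a product or anything from the guidance; the log format, the working-hours window, the transfer threshold and the sample records are all assumptions constructed for the example.

```python
"""Simple log-based monitoring: flag logons outside working hours and unusually
large outbound transfers, plus a policy check that every laptop is encrypted.
Added illustration for this post, not a product; log format, thresholds and
sample records are assumptions constructed for the example."""
from datetime import datetime, time

WORK_START, WORK_END = time(7, 0), time(19, 0)   # assumed normal working window
TRANSFER_LIMIT_BYTES = 500 * 1024 * 1024          # assumed: flag more than 500 MB leaving

# Constructed sample log in an assumed "timestamp user event key=value..." format.
SAMPLE_LOG = """\
2017-06-01T09:12:03 asmith logon workstation=LAPTOP-01
2017-06-01T02:47:10 bjones logon workstation=DESKTOP-07
2017-06-01T10:30:00 cwhite transfer_out bytes=20480000 dest=203.0.113.9
2017-06-01T23:55:41 asmith transfer_out bytes=2147483648 dest=198.51.100.22
2017-06-02T08:05:19 egreen logon workstation=LAPTOP-04
"""


def parse_line(line: str) -> dict:
    """Split one log record into a dict of its fields."""
    ts, user, event, detail = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"time": datetime.fromisoformat(ts), "user": user, "event": event, **fields}


def find_anomalies(log_text: str):
    """Return (timestamp, user, description) for each record worth a second look."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        t = rec["time"]
        if rec["event"] == "logon" and not (WORK_START <= t.time() <= WORK_END):
            alerts.append((t, rec["user"],
                           f"logon at {t.strftime('%H:%M')} outside working hours"))
        if rec["event"] == "transfer_out" and int(rec["bytes"]) > TRANSFER_LIMIT_BYTES:
            mb = int(rec["bytes"]) // (1024 * 1024)
            alerts.append((t, rec["user"], f"{mb} MB sent to {rec['dest']}"))
    return alerts


# Constructed laptop register for the policy check: name -> encrypted?
LAPTOPS = {"LAPTOP-01": True, "LAPTOP-04": False, "LAPTOP-09": True}


def unencrypted_laptops(laptops=LAPTOPS):
    """Policy says all laptops are encrypted; return the ones that are not."""
    return sorted(name for name, encrypted in laptops.items() if not encrypted)


if __name__ == "__main__":
    for ts, user, why in find_anomalies(SAMPLE_LOG):
        print(f"ALERT {ts:%Y-%m-%d %H:%M} {user}: {why}")
    print("laptops not encrypted:", unencrypted_laptops())
```

Both thresholds are deliberately crude: a real setup would learn what is normal for each user and flag deviations from that, but even fixed limits like these will surface the 3 a.m. logon and the 2 GB upload that nobody would otherwise notice.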
10. Home and Mobile Working
Make sure that your Information Security Policy includes a section on mobile working. Do you allow it or not? If you do allow it, what are the rules, how is data protected? Do you allow users to use their own devices, or do you provide laptops, tablets, smartphones etc. What security is in place to protect the data, both at rest and in transit (i.e. when being sent across networks, do you use Virtual Private Networks, encryption, two factor authentication etc.)? Make sure you’ve documented what your security baseline is and ensure that is being complied with through regular monitoring as discussed in step nine.
Make sure that users know what is and isn’t allowed, what is acceptable behaviour and what is expected of them if they are working from home or on the road. This is a great topic to include in step six, your User Education and Awareness.
As you can see, these steps are relatively straightforward and there is a degree of overlap between them. For the most part, it all boils down to how you protect your data from being seen by those who shouldn’t see it, how you ensure the data cannot be tampered with, and how you keep access to it in the event of an incident. In Information Security terms, this is known as the CIA triad: Confidentiality, Integrity and Availability. Make sure you’ve documented your requirements, communicated them to staff on a regular basis, and reviewed them regularly too.
How PGI can help
PGI’s Information and Cyber security teams have in-depth experience in supporting organisations of all sizes and types to identify and implement pragmatic, cost effective solutions to manage their cyber risk. Contact us to talk about how we can help: email@example.com or via phone: +44 (0) 845 600 4403