A guide to the Cyber Essentials Self-Assessment Questionnaire

Transcription

1 A guide to the Cyber Essentials Self-Assessment Questionnaire Apply for certification at Introduction Cyber Essentials and Cyber Essentials Plus Information brought to you by APMG International Cyber Essentials was always intended to be a set of basic but fundamental security requirements which, if implemented effectively, would reduce the risk of a successful cyber-attack by about 80%. It was targeted principally at small and medium enterprises whilst accepting that larger organisations should be doing these measures as well. The five basic Cyber Essentials controls are taken from the advice issued by Government Communications Headquarters (GCHQ), and also the 10 Steps to Cyber Security. Those 10 steps are a 1 P age

2 rather more complex set of controls that larger organisations (usually with their own IT departments and good security advisors) should be taking. The five areas for the basic Cyber Essentials controls are qualified by a set of questions that should be possible for most business owners and managers to answer - perhaps with some limited additional technical advice. This video series aims to help you to answer those questions and directs you to other sources of information should the need arise. General information It s essential that the appropriate information is provided as part of the general application for certification. This will include; the business name (together with any parent organisation), business size, a point of contact (usually the person completing the application form) and, most importantly, the scope of the system to be assessed and certified. It s critical that the scope is properly defined and usually the easiest and best way to do this is a simple block diagram. This diagram shows you a simple system and the red line highlights the extent of the assessment. It is important to note that the certificate will show a brief description of the system certified. The organisation s name can only be used on the certificate if all the IT systems in use in the organisation are within the scope of the assessment. The Five Controls 1. Boundary firewalls and internet gateways - these are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices either in hardware or software form is important for them to be fully effective. 2. Secure configuration ensuring that systems are configured in the most secure way for the needs of the organisation 3. Access control Ensuring only those who should have access to systems to have access and at the appropriate level. 4. Malware protection ensuring that virus and malware protection is installed and is it up to date 2 P age

3 3 P age 5. Patch management ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor been applied.

4 Question number 1 Questions to be answered for the APMG certification process Are there firewalls in place which protect all your devices? How to answer FIREWALLS What is a firewall? Where the firewall is located must be shown on the scope diagram mentioned here and be described in the accompanying scope statement. For very small organisations the access to the internet will be through a simple device often provided by your internet service provider (ISP) such as BT, TalkTalk, Plusnet, Virgin Media or similar. There will be a firewall and a router incorporated into that device and this will act as a filter to prevent attacks getting onto your system. This stops inappropriate traffic leaving your system. Usually the firewall will be configured by the service provider and often you will have little or no ability (or need) to change anything on it - away from the default settings. We will refer to this device as a firewall despite it being a combination of router and firewall. It is possible that in addition to the firewall at the point of access to the internet (or occasionally instead of), you may have installed firewalls as software on any device connected to your network. This is often done as part of the installation of antivirus and similar types of software. Including this in your description will be useful and help the assessor. If you have a more complex system, then you may have a separate firewall which you can set up, and this will need explaining in your application. In particular it is critical that the firewall is configured to prevent certain types of traffic coming into and leaving your network. Details of which protocols (or types of internet traffic) and services should be stopped, together with other configuration requirements, are in the detailed technical specifications for Cyber Essentials. 4 P age

5 3 4 Has the default administrative password on all firewalls (or equivalent devices) been changed to a password that is difficult to guess? Is it possible for a user to access the administrative interface of the firewall (or equivalent device) remotely? As mentioned previously, if your firewall has been provided by a commercial ISP then it is quite possible you will have no ability to change the administrator password set by the supplier, which will usually be quite a strong complex password anyway. If you can change the administrator password you should always do so and this can be checked through the control panel of the router. The control panel is usually accessed by opening a web browser and typing in the IP address of the firewall. This will often be or Note that this administrator password is not the same as the one you will have used to connect a device to the network perhaps through Wi-Fi. Once again if your firewall has been provided by an ISP then it is quite likely that they will have set this aspect up so they can administer your firewall remotely across the internet, without having to visit your premises, should you have problems with it. It is quite possible that you cannot alter this. However if you can change the setting on the control panel, it is required that it is set not to allow remote access to your firewall. This is usually achieved through the control panel. 5 If the answer to the previous question (4) is yes - have you implemented protection for the administrative interface in the form of a second authentication factor, such as a one-time token? This will usually be the way a commercial firewall is set up. When the ISP wants to connect to your firewall they will send you a connection request and will then often ask you to type in a code to allow the connection to be made. This is a type of two-factor authentication. 5 P age

6 6 If the answer to the previous question (5) is no - have you implemented protection for the administrative interface in the form of an IP whitelist, which limits access to a small range of trusted IP addresses? This would need to be undertaken via the control panel (or equivalent) and is likely to need a security expert to ensure this is done correctly. 7 Are unauthenticated inbound connections blocked by default? This should be the way a commercial firewall is set up. You may be able to confirm this from the control panel. If you need to configure your firewall you will need to ensure that the configuration does not limit or prevent legitimate business activities. 8 9 For any configured inbound firewall rules, are they approved and documented by an authorised individual, including a description of why each rule is needed? Are configured firewall rules removed or disabled when they are no longer This is a documentation requirement. The decisions you have made for the setup of the firewall and other similar devices must be appropriately defined, based on a solid risk assessment and approved by an appropriately senior person in the organisation. This documentation, along with any other similar documentation, must be kept up to date and routinely reviewed to ensure the decisions made continue to be appropriate. If your firewall is configured by default then you may not have control over this aspect of it. It s best to leave it to the ISP to ensure the device is maintained appropriately. 6 P age

7 10 needed? Do you have host-based (individual) firewalls on devices which are used on untrusted networks, such as public Wi-Fi hotspots? If you have made any special settings on the firewall, (to allow inbound access for example), then they should be deleted when they are no longer required to meet a business need. If your organisation allows staff to use mobile phones, tablets, laptops and the like then it is important that all those devices are as secure as the main devices in the office. Each will usually come with a firewall installed by default and it is important the setup of each device meets the security requirements of your main network (since it s likely you will be allowing them to connect to it). In particular, it s essential that any connection to a public Wi-Fi hotspot (for example in a railway station, hotel or coffee shop) is secure and this can be achieved by using a software firewall on a phone or tablet properly setup. Some makes of smart phone do this by default and most modern phones can be set up to do this through the settings on the device. SECURE CONFIGURATION P age Have all unnecessary or default user accounts been deleted or disabled? Have all passwords been changed from default or guessable to something nonobvious? The accounts set up on a computer or other devices connected to your network should only be those necessary for business use. There should not be a guest account (often set up by default on a computer) and there should be no unused accounts. A system administrator account can do this through the control panel on the computer or other device. Passwords are one of most common weaknesses in the cyber world. It is critical that they are changed from the default setting (the password setup on the device when it was bought new) and that strong passwords are set. Strong passwords should contain a mixture of upper case, lower case, numbers and special characters. It is also important that it is not a dictionary word or any other recognisable sequence of letters and/or number such as ABC123. Passwords should not be some information about yourself which is not too difficult to find or work out

8 such as a birthday, car registration or post code. The way passwords are selected and stored is important and it is acceptable to use a respected password manager application. Most browsers can now be used to store passwords securely. There are web sites and applications that will assess a password to determine how strong it is and using this to help staff select strong passwords is advisable. For more advice on passwords see the NCSC advice here: Has all software which is unnecessary for your organisation been removed or disabled? Have all auto-run features which allow file execution without user authorisation (for example, when they are downloaded from the Internet) been disabled for all media types and network file shares? Any software that is not required and used by the organisation should be removed by uninstalling it. This includes software that might have been used once but is no longer used or, where a new version has replaced an older version, the older version should be removed. Where it can t be removed for some reason, (perhaps due to licencing agreements), then it should be disabled such that only administrators could run it if necessary and appropriate. If you are unsure how to uninstall software or to disable its use you may need further technical advice from an expert. Programs should not be able to run without someone approving them. This might, on occasion be a user but more correctly it should be an administrator. The facility to autorun programmes is normally set within the control panel or the equivalent. 8 P age

9 15 16 Are external users authenticated before they are given Internet-based access to commercially or personally sensitive data, or data which is critical to the running of the organisation? Are user accounts controlled through a creation and approval process? Anybody who can be given access to the network when not in the same physical location should have to provide some confirmation of who they are. This is done through methods such as two factor authentication. This might mean that they have to carry a token or other device which they use to obtain an individual code or PIN to enter the system., It can sometimes mean sending a text message to their mobile phone (or some other similar method). The system must not allow anyone to log in without some form of separate identification and authentication. Setting this type of system up will often require some expert assistance in order to avoid over-complicated or inappropriate systems. ACCESS CONTROL I.e. HR Manager approval, Line Manager Approval, IT Department Approval prior to a new starter being set up P age Are users required to authenticate before being granted access to devices and applications, using unique credentials? Are accounts removed or disabled when no longer Authentication is a second process to ensure that only authorised users gain access to the system. This can be done in a number of different ways. It could be through a combination of passwords and physical access controls such as staff passes. Without a staff pass allowing staff members into a building, people are not able to gain physical access to a system. Alternatively, a token is used to access the system in addition to a password. There are other ways this can be achieved and in each case, it is critical that the authentication details are unique to individual users. There must not, for example, be a general Temporary Staff access facility or anything similar used by a number of different individuals. Further technical advice may be needed, to set this up effectively. When staff members leave, their account should be locked to prevent continued access. After

10 required? any critical information required form record keeping, auditing or other use has been taken from the account it should either be deleted or disabled. This should be done by a system administrator though the control panel. 19 Has two-factor authentication been implemented, where available? Two factor authentication has been discussed previously. It involves the use of two different means of identifying individuals to provide them with access to the system - or to different parts of it. It s not always appropriate or possible to use this method, but senior management should have made a deliberate decision as to where it should be implemented, and where there is no need. 20 Are administrative accounts only used to perform administrative activities? In practice, this means no ing, web browsing or other standard user activities (that may expose administrative privileges to avoidable risks) should be undertaken on an administrator account. An administrator should have a separate, normal user account for everyday activity - such as ing and web browsing. 21 Are special access privileges removed or disabled when no longer required? Administrative accounts should be limited to named individuals who have a need to use such a highly privileged accounts, to undertake special administrator functions such as creating/deleting users, resetting passwords, changing firewall settings, adding new devices, etc. There may be certain circumstances when people need special, additional administrative permissions in order to carry out specific tasks or activities. Those should also be regularly and frequently reviewed (and cancelled or removed as soon as they are no longer needed). This can all be done through the user account section of the control panel. MALWARE PROTECTION 10 P age

11 22 Do you have either antimalware software, application whitelisting or application sandboxing on each of your devices? Anti-malicious software (also known as anti-malware, anti-virus or AV software) should be installed on all devices and endpoint including mobile devices where they connect to the internet and to the system in scope. This software will usually include the facility to whitelist software applications. This is a process whereby any software that s approved to be used on the system in question, is listed, and only that software can be run on the system. An alternative approach, used by some AV software and manufacturers such as Apple, is that when an application is run - it s in a separate area - quarantined from the rest of the system a process called sand-boxing. In either case the idea is to stop unauthorised software packages running on the system. 23 Please provide details of the software used. This is simply a note of what AV (anti virus) or other related software (scans, whitelisting, etc.) is installed on the system. PATCH MANAGEMENT 24 Is all software installed on computers and network devices in the scope licensed and supported? There must not be any pirated or other unauthorised software on the system. All software should have a licence and be supported in some way by the supplier even if there is a charge associated with that support. Freeware or open source software is quite acceptable but it is still under a support contract albeit at no charge and usually with much reduced service level agreement requirements P age Are all "critical" or "high risk" software patches applied within 14 days of release? Patching or updating software is one of the most critical controls. It is essential that all software patches are installed as soon as practical. The advice of the National Cyber Security Centre should be followed and this will usually mean patching immediately it is received. Many software packages will automatically patch and this should be enabled where possible for all software in use. Users should not be given the choice of patching but should be required to

12 patch as soon as possible. The NCSC advice can be found here: Guidance on updating your operating system can be found here: 26 If a vendor releases a patch for multiple issues as a single update which includes any "critical" or "high risk" issues, is it installed within 14 days? As for the previous question the general policy for patching should be to implement all and every patch as soon as possible after receipt or notification. The definition of critical and high risk can be found at the end of the document found here: Password-Based Authentication 27 Are systems accessible from the Internet protected against bruteforce password guessing by either: 1. locking accounts after no more than 10 unsuccessful attempts 2. limiting the number of guesses allowed in a specified time period to no more than 10 When a system is set up to allow people to log in when away, there must be a system in place to stop multiple attempts to gain access. This can be done in a number of ways but it s commonly done by limiting the number of attempts at getting a password correct, before the system locks the person out. Once accounts are locked, there needs to be an adequate way of re-enabling those accounts such that the user is not overly inconvenienced, but that security is not compromised. This system is best set up by an expert with appropriate technical knowledge in order to reach an appropriate compromise between usability, convenience and security. 12 P age

13 guesses within 5 minutes 28 Do you enforce a minimum password length of 8 characters? This will normally be set up in the security settings for the system. The administrator will set this up and a satisfactory compromise must be achieved between usability, convenience and security. Advice on good passwords issued by the National Cyber Security Centre should be followed. 29 Do you enforce a maximum password length? Once again this will normally be setup in the security settings for the system. The administrator will set this up and a satisfactory compromise must be achieved between usability, convenience and security. There should not be a maximum length limitation on passwords, although sometimes there are technical reasons for this being the case. If there is a limit set this must be fully explained to the assessor. In general, longer is better. Advice on good passwords issued by the National Cyber Security Centre should be followed Are passwords changed when it is suspected they are compromised? Users of the system must be told to change passwords when they believe, or think, that the account or passwords have been compromised. Advice on changing passwords has been issued by the National Cyber Security Centre in a number of different documents. They are available here: 31 Do you have a password policy that meets the requirements as set out in Cyber Essentials You must have a password policy authorised by a senior member of staff that has been implemented effectively across the organisation. The password policy is a properly authorised document that must tell users: 13 P age

14 Requirements: Password Authentication? How to avoid choosing obvious passwords (such as those based on easily-discoverable information like the name of a favourite pet) Not to choose common passwords this could be implemented by technical means, using a password blacklist Not to use the same password in multiple places, at work or at home Where and how they may record passwords to store and retrieve them securely for example, in a sealed envelope in a secure cupboard If they may use password management software if so, which software and how Which passwords they really must memorise and not record anywhere Anti-Malware Software 14 P age

15 32 Is the software kept up to date, with signature files updated at least daily? The AV or other similar software should be set to update automatically and this should normally be done on at least a daily basis. 33 Does the software scan files automatically upon access? When an external storage device such as a USB thumb drive is inserted into a computer or other device it should automatically be scanned for virus and other malware. This is a setting in the AV or similar software. An alternative would be to lock all USB ports so that nothing will work if plugged into it. 34 Are webpages automatically scanned on access through a web browser? When a user goes to a web page on the internet or elsewhere, the page should be scanned for malware. This might be done as part of the AV software or may require an additional piece of anti-malware software such as a scanner Are connections prevented to malicious websites on the Internet, unless there is a clear, documented business need and you understand and accept the associated risk? Are only approved applications allowed to run on devices? Some web sites are deemed unsafe for a number of reasons. Anti-malware and similar software should stop a user going to those sites. This can also be achieved by the settings in the browser. Where there is a good, documented business need to access an insecure web site this can be added to the software or browser as an exception. The process of defining those web sites which can be accessed by users whilst preventing access to all others, is called Whitelisting. This process can also be used to define which applications can be run and which cannot. Whitelisting This is a further statement that only those applications approved to run on the system, are allowed to do so. It should not be possible to install unauthorised software on the system, nor for any software that installs itself to be allowed to run. The measures above address this 15 P age

16 through anti-malware and scanning software and the security settings in the browser. Setting the browser security level can be part of the solution but there are other methods too, including whitelisting as described above. This may require the assistance and advice of an appropriately experienced technical expert. 37 Does the whitelisting process use code-signing This is a way of setting up whitelisting (as described previously). Code signing requires the software to be approved though the recognition of an approved code signature. This may require expert help to set up and maintain. 38 Do you actively approve applications before deploying them to devices? There should be a governance process in place that explains how new software is obtained, tested, approved for use, installed and maintained. This process should be explained for the assessor. 39 Do you maintain a current list of approved applications? As a result of the process just described, there should be an approved list of applications that are permitted to be installed and run on the system. That does not necessarily mean that all the applications should be available and used by all users. If you are using whitelisting then there will be a common list. Sandboxing 16 P age

17 40 Is all code of unknown origin run within a 'sandbox' that prevents access to other resources unless permission is explicitly granted by the user? Sandboxing is used to put a new piece of software or application inside a secure, logical enclosure that prevents it from accessing or harming other parts of the system. If there is a need to run new, unauthorised or untested software it should be sandboxed. If this is not practical for some reason, there must be a clear business need documented and all steps taken to ensure the software is prevented from damaging the system, as far as possible. More information on the Cyber Essentials scheme and the measures it requires organisations to take can be found online in a number of places including: Useful links for further help: CyberEssentials@apmgroup.co.uk Glossary: NCSC Password advice: The NCSC advice on patching or updating software can be found here: Guidance on updating your operating system can be found here: The definition of critical and high risk can be found at the end of the document found here: P age

18 18 P age