Guide to the UK government cyber essentials scheme

The latest cyber threat reports and surveys have declared 2013 the year of major breaches. The media naturally focuses on the big stories of massive data breaches or coordinated state attacks, which leave in their wake a trail of lawsuits, customer data losses and political conflicts. However, that is not the entire spectrum of the cyber security landscape, nor does it reflect the full damage of attacks in cyber space. The SME landscape has its own perils and suffers just as much as the large corporate domain. The difference is that you don’t often hear about it.

Security and compliance are a sore subject for most small and medium sized enterprises. PCI-DSS, for example, can be a long and painful process for small retailers, who are left understandably frustrated at the end of an 80 page document heavy with technical jargon. The next challenge is the abundance of guidance documents and industry bodies, with no single place to check against a short, simple set of guidelines.
Currently the UK cyber security environment is not regulated by compulsory compliance policies. While industry specific frameworks are in place – PCI-DSS for retail, STIG for military, NERC for energy – no clear guidance exists to ensure organizations operate in a cyber-safe manner, for their own benefit as well as for the benefit of their customers.

The Cyber Essentials Scheme, the new best-practice guidance issued by the UK government in response to industry demands for a better cyber security policy for the business landscape, was released on the 7th of April 2014. The project follows a call for evidence which concluded that cyber security standards should be internationally recognized, promote international trade, allow systems to exchange and use information efficiently, and be auditable.

The 5 points of the Cyber Essentials scheme:

1. Boundary firewalls and internet gateways
The objective is to restrict unauthorized access from the internet by configuring firewall rules, internet gateways or other network devices.

What to look for?
Changing default admin passwords, reviewing firewall rules, blocking vulnerable services (such as NetBIOS, SMB, TFTP, RPC etc.), keeping firewall rules up to date and restricting access to the admin interface of the boundary firewall should all assist with securing inbound and outbound network traffic.

Case in point
The Target breach was achieved through a third-party vendor. Access to the POS network was not restricted; hence, once the attackers obtained the credentials of the contractor that managed environmental controls remotely, it was only a matter of time until the hackers infiltrated the payment processing systems across the entire network.
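As an added example (not from the article or from the scheme's own material), a small Python audit of an inbound iptables ruleset against the services this control names. The port-to-service mapping, the admin-interface port list and the sample ruleset are my own assumptions, constructed for illustration.

```python
import re

# Services the boundary-firewall control says should not be reachable from the
# internet, keyed by well-known port (assumption: the port mapping is mine, the
# article lists only the service names).
RISKY_SERVICES = {
    69: "tftp", 111: "rpc portmapper", 135: "msrpc",
    137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "smb",
}
# Hypothetical ports on which the firewall's own admin interface listens.
ADMIN_PORTS = {22: "ssh", 8443: "https management"}

# Constructed sample in simplified iptables-save syntax (not a real ruleset).
SAMPLE_RULES = """\
-A INPUT -i eth0 -p tcp --dport 445 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 69 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -j DROP
"""

# Matches INPUT-chain rules in the option order used by the sample above.
RULE_RE = re.compile(
    r"-A INPUT(?: -i (?P<iface>\S+))?(?: -s (?P<src>\S+))?(?: -p (?P<proto>\S+))?"
    r"(?: --dport (?P<port>\d+))? -j (?P<target>\S+)"
)


def audit_inbound_rules(rules: str, admin_ports=ADMIN_PORTS) -> list:
    """Return findings for ACCEPT rules on INPUT that expose a risky service
    or an admin interface to any source (no -s restriction, or 0.0.0.0/0)."""
    findings = []
    for line in rules.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("target") != "ACCEPT" or not m.group("port"):
            continue
        port = int(m.group("port"))
        open_to_all = m.group("src") in (None, "0.0.0.0/0")
        if port in RISKY_SERVICES and open_to_all:
            findings.append(f"port {port} ({RISKY_SERVICES[port]}) accepted from any source")
        elif port in admin_ports and open_to_all:
            findings.append(f"admin interface on port {port} ({admin_ports[port]}) not restricted by source")
    return findings


if __name__ == "__main__":
    for finding in audit_inbound_rules(SAMPLE_RULES):
        print("FINDING:", finding)
```

On the sample ruleset the audit flags the SMB and TFTP rules and accepts the source-restricted SSH rule; real iptables-save output usually carries extra match options (e.g. `-m tcp`), so the regex would need extending for production use.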

2. Secure configuration
Is default mode safe mode? Whether it’s a computer, a network or a phone, the “out-of-the-box” configuration is never safe, which is why stronger authentication is required.

What to look for?
Removing unnecessary user accounts – especially any with special access privileges – and unnecessary pre-installed software, changing default passwords, disabling the auto-run feature to prevent code being executed without user knowledge and consent, and installing a personal firewall.

Case in point
When the Winter Olympics were taking place in Sochi, NBC News ran a story on how the reporter’s phone and test computers were hijacked “before we even finished our coffee”. Later, the story was proved a hoax: the compromise was the result of a combination of risky user behaviour (clicking unknown links, visiting suspicious websites) and default security settings intentionally left on the two test laptops.

3. User access control
User accounts with special access should be assigned only to authorised individuals and granted only the minimum level of access to applications, computers and networks. User privilege is essential to manage in order to avoid abuse. Privilege abuse accounts for 88% of insider threat actions, according to the latest Verizon DBIR (Data Breach Investigations Report).

What to look for?
Accounts should be subject to an approval process and access restricted on a need-to-know basis; details of special access clearance should be documented and reviewed, so that a clean track record exists for auditing procedures. Admin accounts should be used only for administrative tasks and isolated from internet browsing and email. Authentication should require a unique username and a strong password, which should be changed on a regular basis. Special privilege accounts should be removed or disabled promptly when no longer needed.

Case in point
Last year’s most prominent case of user privilege abuse was the U.S. government contractor Edward Snowden. With unauthorized SSH keys and falsified digital certificates, Snowden managed to access and steal NSA documents without setting off alarms across the network, and the NSA is not an isolated case. This type of practice has already been reported in the wild. In the context of trust abuse and special access threats, every enterprise is a sitting target.

4. Malware protection
Viruses, worms and spyware can infect any device with an internet connection, so every organization should have malware protection software.

What to look for?
Malware protection software should be configured to scan files automatically upon access (downloading, opening files, or accessing web pages) as well as regular automatic scans. Regular updates should be installed, either through manual or centralized configuration. Website blacklisting should be employed to prevent suspicious connections.

Case in point
The Google Drive scam was a very convincing phishing scam targeting Google Docs and Google Drive users. It consisted of a simple email with a request to view a shared document on Google Drive. The link led to a fake Google login page which looked almost identical to the real one, because the fake page was hosted on Google’s servers and benefited from Google’s SSL certificate, making it look even more convincing. Once the user entered their credentials, a PHP script stored them on a compromised server.

With a configured list of blacklisted websites and up-to-date detection software, this type of scam would not pose much of a problem to an organization.

5. Patch management
Any software is prone to technical vulnerabilities. Once discovered and shared publicly, these vulnerabilities are quickly exploited by cyber criminals or organized groups.

What to look for?
Ensure that software is licensed and supported so that it continues to receive updates. Updates and security patches should be installed in a timely manner. Software which is no longer supported should be removed from the computer or network.

Case in point
The end of support for Windows XP, announced as early as 2007, still came as an unpleasant surprise to dedicated users and cost-wary businesses. But loyal home users and organizations will have to make the migration very soon, as security threats loom over the unprotected OS once the next patches are released for the other versions of Windows.

A lifeline to SMEs
The butterfly effect in the cyber market can start with even less than a delicate wing beating in Brazil; it can be a weak admin password at a third-party vendor with peripheral access to a SCADA system powering the energy grid of a middle-sized country.

The international affairs think-tank Atlantic Council, in association with Zurich Insurance Group, recently released a report which warns of parallels between the global cyber scene and the financial meltdown of 2008. It argues that “on the internet, it has been easier to attack than to defend” because the internet was founded on trust, not security. As the internet became increasingly complex, highly interconnected and widely available, the risks escalated rapidly.

The report ends with best practice recommendations that resonate with the ones found in the Cyber Essentials program. As it stands, the UK does not have any cyber security certification, no reference point to measure against and no single agreed guidance to look to. The Cyber Essentials initiative is the first step towards a one-for-all policy, with the hope that it will not turn out to be yet another compliance headache for SMEs, but an actual support line for the business sector.

CREST, working with CESG, the information security branch of GCHQ, has developed an assessment framework which is now available for consultation. The full scheme, along with the assessment framework and the accreditation badge, will be available in summer 2014.