Do you know your Cyber Essentials?

According to a recent article on ZDNet almost every American was affected by at least one data breach in 2015. But Cyber Security is a global issue and here in the UK we are by no means immune to the endeavours of the hackers. In the Autumn of last year we were rocked by the news that a 15 year old had been arrested on suspicion of accessing the records (including some unencrypted credit card information) of 157,000 TalkTalk customers. No surprise that the mobile giant emerged from the crisis red-faced and £35m worse off. Meanwhile in gentile Harrogate cake lovers were shocked to discover that the cutely named Betty’s Tearoom had inadvertently allowed access to 122,000 customer records through what it obliquely called an ‘industry-wide software weakness’.

With barely a day going by without news of some malicious hacktivity or another it’s not surprising that Cyber Security has become a top priority for the UK Government. With a view to helping businesses protect themselves from cyber attacks the Government launched a scheme called ‘Cyber Essentials’ back in June 2014. The scheme provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats and offers a mechanism for organisations to demonstrate that they have taken these essential precautions. 

Getting accredited

We first became aware of Cyber Essentials last year when we started working with the Cyber Security Challenge, a Government and Industry funded series of national competitions, learning programmes, and networking initiatives designed to identify, inspire and enable the next generation of cyber security professionals. We’re working with the Challenge to develop a unique virtual world gaming platform through which the competitions can be delivered so, not surprisingly, the Challenge needed reassurance that our own data handling protocols and network security measures were up to the job. To this end we embarked on the process of achieving Cyber Essentials accreditation. 

Fast forward a few months and we are now very proud to announce that we are a ‘Cyber Essentials’ accredited agency. We’ve learnt a lot and in some cases have had to radically change processes and infrastructure in order to achieve accreditation, so we thought we’d share some of the joy and pain that we’ve been through and the things we’ve learned along the way.

Firstly you need to find a licensed Certification Body through which you will apply for accreditation. This was an easy choice for us as our regular collaborator Jay Abbott, runs Advanced Security Consulting, an IASME and CREST approved Certification Body. As well as being an all-round nice guy, Jay has worked with us on a number of projects, providing security advice and penetration testing. He’s also an advisor to the Cyber Security Challenge.

Once you’ve hooked up with a Certification Body you then need to work your way through a list of requirements, ticking off the ones that you already comply with (likely to be a short list) and then take actions to meet the ones that you don’t.

The process concentrates on improving security in the five key areas of Boundary Firewalls and Internet Gateways, Secure Configuration, Access Control, Malware Protection and finally Patch Management. Complying with each of the five areas required extensive work across all our systems. Below are just some of the issues and solutions we encountered along the way. 

Boundary Firewalls and Internet Gateways

You need to make sure that your door to the outside world is securely controlled. Think of it as a catflap that only allows your cat and your cat’s certified friends through the door.

Our routers are our gatekeepers so we updated the firmware on each of our three routers and disabled some settings which are by default turned on but weaken your security. Amongst these is Universal Plug n Play (UPnP) which is a setting that allows devices on your network to automatically open required internet ports – great if you’ve got a particular piece of software that needs some specific ports opening to operate correctly… and also great if you’re a hacker wanting to secretly open ports and gain access to a network without the network owner knowing anything about it! WiFi Protected Setup (WPS) is another setting that you should turn off. WPS allows you to easily join your wifi network by pushing a button and entering a simple 8 digit pin. However a vulnerability allows hackers to brute force the pin and gain access through the back door.

For additional security our wifi access needed to be limited so we created an additional guest network for visitors to the studio and for use by employees using personal devices such as mobiles and tablets.

So far so good – except that on our first attempt we failed the accreditation because the measures we had taken weren’t secure enough. We hadn’t considered that the built-in firewalls in the routers were also accessible and configurable by our internet service providers which was a considerable security flaw. The only solution was to buy a dedicated firewall. After a lot of research we plumped for a Sophos xg85 from Complete IT Systems. It was a steep learning curve setting it up and we locked ourselves out a few times but thanks to the excellent telephone support from Sophos we managed to get there in the end. 

Secure Configuration

As we are less than 2 months in to our Cyber Essentials accreditation we haven’t yet been exposed to what I suspect will become a major and regular groan moment amongst the team. That is the point at which after 60 days you have to change all your passwords – that’s machines, web accounts, desktop software – everything.

Whilst Cyber Essentials is fairly vague about what constitutes a strong password policy we have elected to change our passwords every 60 days to a new unique password, that hasn’t been used in the last 300 days, for each service. That password must contain a mixture of alphanumeric characters and be a minimum 8 characters. Personally I use my own secret formula to generate secure passwords but truly random secure passwords can be generated by using a service like strongpasswordgenerator.com.

It’s surprising and daunting in equal measure just how many passwords you have when you come to list them. Add to that the problem of trying to remember long, often meaningless, alphanumeric strings and we realised that we needed a secure system for storing passwords. After much research we settled on Zoho Vault as it is simple and easy to use and unlike many other password storage systems allowed us to force a change after 60 days.

Computer hardware and software isn’t secure out-of-the-box. Often default passwords are used so we had to make sure that all of these were changed to a unique secure password. We also had to remove any unnecessary or unused user accounts on all services.

To ensure that each networked machine was secure we first checked that personal firewalls were enabled on each machine. We then needed to make sure that machine passwords were forced to change every 60 days. After some digging we found that for our Macs there is a way to do this programmatically using command line instructions in Terminal, whilst on our Windows machines we were able to do this by changing the password policy settings – a rare example of something being easier to do on a Windows machine than on a Mac!

Access Control

We realised that we didn’t have a policy for who had access to what within our studio but it is a requirement of Cyber Essentials (and, when you think about it, common sense housekeeping) that access to administrative accounts is limited to named individuals.

Once we’d formulated an Access Policy we then drew up a list of staff with admin privileges. This is now securely stored in an encoded file and reviewed quarterly.

We also needed a policy for leavers to ensure that passwords and access details were changed promptly on leaving. This was of course something we did before going through the Cyber Essentials accreditation but it had never been enshrined in a written policy.

Malware Protection

Who says Macs don’t get viruses? Once we had installed anti-virus protection on every machine we were amazed to find the number of Trojan Horses and other viruses that the software detected on first use, and now continues to detect on its daily scans. We did a lot of research comparing the various anti-virus programs and in the end we settled on ESET NOD32.

As with our Firewall issue we were caught out by this one and failed on our first submission. What we hadn’t considered is that we all use our phones to collect business emails. This means that they need to be protected by anti-virus software too. 

Fortunately none of us had Jailbroken phones as this would also have resulted in a fail.

Patch management

It is a requirement of accreditation that all software should be kept up-to-date and that security patches should be installed promptly when they become available. However past experience has taught us that it is best to wait a while when there is a major new Mac OS release. Occasionally the first release can cause unexpected problems with software running on the system and an immediate auto-update could cause havoc. However when this occurs problems are widely reported by the Mac community and are fixed with a patch soon after release. Now, to comply with Cyber Essentials, we will wait no more than 14 days before upgrading – hopefully allowing time for any unexpected problems to be identified and fixed. 

Was it worth it?

Cyber Essentials is designed to be a low cost way for SMEs to gain cyber security accreditation –we paid just £300 to our Certification Body to register for the scheme. However you shouldn’t ignore the additional costs associated with complying with the requirements as they can soon mount up. We spent over £1000 on software and hardware and around 120 hours doing research, changing settings, testing and re-testing, writing policies, installing software, configuring hardware and preparing our submission.   

So, was it worth it? Undoubtedly. Only by going through the process do you realise how woefully insecure most business networks are. It’s all too easy for small businesses like ours to think that it’s only the big guys that are targets for attack. But we handle sensitive client data and the security of our network is business critical. Data theft or a malware infection could be disastrous and whilst the steps we’ve taken do not guarantee that we won’t be the victims of cyber crime we are certainly much better protected than we were prior to embarking on the process.

Aside from the obvious benefits of improved security there is also a strong commercial case for achieving Cyber Essentials accreditation as many Government contracts, particularly those dealing with personal data, now require tendering organisations to be validated by the scheme. Recently we successfully applied to be on the Government’s Digital Outcomes preferred supplier list and I have no doubt that having Cyber Essentials accreditation contributed to this. In our new business conversations we now always talk about our Cyber Essentials badge and what it means. Whilst our clients and prospects may not have heard of the scheme they are reassured and impressed when we talk to them about it – and that could make the difference between them choosing to work with us or with one of our competitors! 

Finally…

The research, learning and implementation required to get us through Cyber Essentials was all carried out by Rich Jones, one of our Developers. He felt the pain for everyone else’s gain…