Get Cyber Essentials certified – Secure Configuration

The second of the 5 controls – Secure configuration – involves configuring devices and software settings for maximum security. This is easier said than done and involves a ‘no stone left unturned,’ proactive approach to IT management.

Don’t assume the default setting is the most secure – it usually isn’t

The ‘factory settings’ applied to hardware and software are most designed be as unrestrictive as possible – allowing users to configure settings from a blank-canvas basis. The result is that programmes and hardware in their default settings are often fairly insecure. For example, a new device might come pre-loaded with a number of programmes that you don’t intend to use, a software programme might feature a default ‘admin’ password that is publicly known, and user accounts may have administrative permissions activated by default. To become Cyber Essentials certified you’ll have to reconfigure these settings in favour of configurations which enforce higher standards of security.

The risks of a poorly configured system

Ensuring the most secure settings are applied across your IT landscape is a task that requires constant attention. As employees come and go, as services fall in and out of use and as new hardware is acquired or repurposed you’ll have to be alert to ensure that devices and systems are kept as safe as possible at all times. A poorly configured system is a Cyber Criminal’s dream, and they’ll be keen to exploit every security loophole they can find.

Some of the risks of a poorly configured system include:

• Unauthorised Changes. Poor permissions/access management can lead to unauthorised changes by individuals within or outside of your business. Such changes could compromise security and present opportunities for hackers. Sensitive data could be corrupted, stolen or misplaced if document permissions are not carefully managed.
• Vulnerable Software. Cyber Criminals are constantly on the prowl for vulnerabilities in proprietary software. To seal-up these security weak points it’s important to install ‘patches’ regularly. Failing to do so leaves security loopholes open for longer, which hackers will be keen to take advantage of.
• An attacker will be met with minimal resistance. If a cybercriminal gains access to your system you want them to be met with as much resistance as possible. An attacker could cause massive damage in a poorly configured system by:
  • Gaining access to extremely sensitive data such as payment information, biometric data or intellectual property.
  • Exploiting overly generous user privileges.
  • Taking advantage of unnecessary functionality.
  • Introducing malware using ‘plug and play’ devices.
  • Pre-configuring a route of entry for future attacks.

Make life tough for the Cyber bad guys – 9 ways to configure your system securely

Only use supported software. Discontinue the use of unsupported software programmes. This means software that is no longer being updated and patched by the vendor. While unsupported software may continue to work, there is no longer a team dedicated to creating and launching security updates meaning security loopholes will remain open for hackers to exploit.

Establish a software update policy. Draw up policies relating to the installation of important, security-critical software updates. Create clear guidelines for how quickly updates should be installed and ensure steps are taken to minimise the risk posed by non-patchable security vulnerabilities.

Create a Software and Hardware inventory. It’s important to have an overview of all the hardware components and software that exist within your network. Consider establishing a database to record details of hardware and software – you might want to populate it with additional information such as: location, purpose, version and patch status. Such a database can be useful for identifying system components that are unnecessary and spotting those that shouldn’t have been installed in the first place.

Establish secure configuration guidelines. Specify the basic security standards that all software must be configured to.  Any required deviations from these basic standards should be noted.

Carry out vulnerability scans. Review your network’s resilience by regularly performing vulnerability scans to flag-up potential security concerns. Set target times for rectifying any issues highlighted by these scans.

Disconnect unnecessary peripherals and disable removable storage. Removable storage media (Flash drives, portable hard drives etc) are becoming less common in today’s workplace, so consider disabling ports and prohibiting their use if your staff rarely use them. Additionally, consider disconnecting unnecessary peripheral devices that are no longer in use and uninstall the corresponding driver software.

Draw up an applications ‘whitelist’ and apply execution controls. You should establish a list of safe, permitted applications – to which programmes can be added and taken off as business needs change. ‘Execution controls’ should be used to prevent the unauthorised launching of software not on the ‘approved’ list.

Grant administrator permissions sparingly. Only grant employees the ability to change system settings if such abilities are absolutely essential to their job role.

‘Admin accounts’ should have restricted functionality. System administrator accounts or ‘superuser’ accounts are a high-value target for cybercriminals. Hacking such an account could give a cybercriminal unbridled, system-wide access resulting in unthinkable damage. Admin accounts should therefore feature the bare essentials in terms of functionality, in order to minimise routes of entry for hackers.

Conclusion

Configuring every facet of your IT infrastructure for maximum security is no easy feat. It’s a task that requires attention to detail and a methodical approach to ensure every app, service and hardware component is configured in the most security-optimal way. Begin a dialogue with your IT provider/department today to ensure your system configuration is Cyber Essentials ready.

Here at 4TC, we can help your business with all aspects of cybersecurity.

Our expertise covers a wide range of bases, from proactive maintenance and Backups to full-network anti-virus and managed anti-spam solutions.  We provide managed services, project management and advice to ensure the businesses we work with remain out-of-bounds to Cybercriminals.