© NEXOR 2016 ALL RIGHTS RESERVED
INTRODUCTION TO CYBER ESSENTIALS
o An industry supported certification scheme developed by the UK Government
o Designed as a baseline
o Designed to thwart more than 80% of common attacks
o Enables access to the public sector supply chain
o Cyber Insurance
GROWTH OF CYBER ESSENTIALS
Data as of July 4th, 2016, from public web sites of the respective organisations.
CYBER ESSENTIALS – CATEGORIES
o Boundary Firewalls and Internet Gateways
o Secure Configuration
o User Access Control
o Malware Protection
o Patch Management
COMPLY OR EXPLAIN…
“To implement these requirements, organisations will need to determine the technology in scope, review each of the five categories and apply each control specified. Where a particular control cannot be implemented for a sound business reason, alternative controls should be identified and implemented.”
CYBER ESSENTIALS – CATEGORIES: Boundary Firewalls and Internet Gateways
o Securing the perimeter
  • Network layer device
  • Configuration management
o Where is the boundary?
  • Home workers?
  • Cloud services?
  • Mobile devices?
o RECOMMENDATION: Many firewalls will do more; switch these elements on
CYBER ESSENTIALS – CATEGORIES: Secure Configuration
o Reduce the attack surface
o Configuration management
  • Default accounts
  • Applications
  • Auto-run
  • Personal firewalls
o RECOMMENDATION: Asset register
  • Who owns / administers them?
  • Document and audit the configuration
CYBER ESSENTIALS – CATEGORIES: User Access Control
o Making it harder for malware to persist
o User management
  • Joiner / Mover / Leaver
  • Least privilege
  • Passwords
o Admin accounts: only when needed
o RECOMMENDATION: Have a robust J/M/L process
CYBER ESSENTIALS – CATEGORIES: Malware Protection
o Neutralising known malware
o Protection requirement
  • All devices (including phones etc.)
  • Up to date
  • Regular full scan (daily?)
  • Browse protection
o RECOMMENDATION: Firewalls have capability here too – use it
  • Outside of Cyber Essentials
CYBER ESSENTIALS – CATEGORIES: Patch Management
o Plugging known weaknesses
  • Operating systems
  • Applications
o Licensed / supported
o Apply updates ASAP
o Remove unused software
o RECOMMENDATION: Monitoring that updates have actually been applied is key to success
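The five categories above, the asset register recommendation and the "comply or explain" rule can be turned into a simple self-assessment gap check. The following Python is an added illustration, not NEXOR's, Qonex's or the Cyber Essentials scheme's own tooling; the register fields, the 14-day patch window and the sample hosts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14  # assumption: an update applied within 14 days counts as "ASAP"
CATEGORIES = ["Boundary Firewalls and Internet Gateways", "Secure Configuration",
              "User Access Control", "Malware Protection", "Patch Management"]

@dataclass
class Asset:
    name: str
    owner: str                      # asset register: who owns / administers it?
    firewall_on: bool               # boundary or personal firewall switched on
    default_accounts_changed: bool  # secure configuration
    autorun_disabled: bool
    admin_only_when_needed: bool    # user access control
    av_up_to_date: bool             # malware protection
    supported: bool                 # patch management: licensed / supported
    last_patched: date
    # comply-or-explain record: category -> (business reason, alternative control)
    explanations: dict = field(default_factory=dict)

def check_asset(asset: Asset, today: date) -> dict:
    """True per category when the control is in place on this asset."""
    patched = asset.supported and (today - asset.last_patched).days <= PATCH_WINDOW_DAYS
    checks = [asset.firewall_on, asset.default_accounts_changed and asset.autorun_disabled,
              asset.admin_only_when_needed, asset.av_up_to_date, patched]
    return dict(zip(CATEGORIES, checks))

def gap_analysis(assets, today: date) -> dict:
    """Per asset: category -> COMPLY, EXPLAINED (reason and alternative recorded) or GAP."""
    report = {}
    for a in assets:
        report[a.name] = {}
        for cat, ok in check_asset(a, today).items():
            reason, alt = a.explanations.get(cat, ("", ""))
            report[a.name][cat] = "COMPLY" if ok else "EXPLAINED" if reason and alt else "GAP"
    return report

def open_gaps(report: dict) -> list:
    """(asset, category) pairs still needing remediation or a documented explanation."""
    return [(n, c) for n, cats in report.items() for c, s in cats.items() if s == "GAP"]

# Constructed sample register (hostnames and owners are made up)
TODAY = date(2016, 7, 4)
REGISTER = [
    Asset("laptop-01", "IT", True, True, True, True, True, True, TODAY - timedelta(days=3)),
    Asset("nas-01", "IT", True, True, True, True, False, True, TODAY - timedelta(days=10),
          {"Malware Protection": ("Full scan impractical on NAS", "On-access scan at clients")}),
    Asset("legacy-pc", "Finance", True, False, True, False, True, False, date(2015, 1, 1)),
]
```

Calling open_gaps(gap_analysis(REGISTER, TODAY)) lists three findings on legacy-pc, while the failed malware check on nas-01 is reported as EXPLAINED because both a business reason and an alternative control were recorded.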
APPROACHES
• Self Assess
• Monitor
• Resolve
• Certify
• Working Groups
• Processes
• Policy
• Gap Analysis
Plan / Do / Check / Act
RIZIKON
o Follows a Cyber Essentials question set
o Provides quantitative evidence and specific recommendations
o Can be used to submit to some certification bodies (CBs)
o Available from Qonex
CYBER ESSENTIALS PLUS
o Do Cyber Essentials first, then…
o “Tests of the systems are carried out by an external certifying body, using a range of tools and techniques”
  • External test
  • Internal test
o RECOMMENDATION: If you have the skills, run your own vulnerability test before engaging a certification body
  • A high percentage of companies fail CE+ first time
  • Basic software is available for free
COMMON AREAS OF DEBATE
o Outsourced services (including Cloud)
  • Where is your data?
  • What controls are implemented?
  • What accreditation?
o Mobile phones – especially BYOD
  • Configuration management
  • Malware protection
o Frequency of password changes: 60 days versus CESG latest guidance
o Frequency of malware scans: practicality on SAN / NAS?
COMMON THEME - GOVERNANCE
The Cyber Essentials categories are “technical”. To be effective, the implementation is not about the technology…
o Documented policy & scope
o Asset register
o Processes
  • Joiner / mover / leaver
  • Configuration / change management
  • Monitoring / internal audit
  • Annual reminder of administrator responsibilities
  • Incident response
SUMMARY
o Doing the Cyber Essentials is… essential
o Certification is your business choice
  • Start with a gap analysis
  • Engage the business to resolve issues
  • Build into business-as-usual processes
Recommended