Cyber Essentials Five Security Control Areas
The scheme requires the implementation of effective controls across five areas of standard organisational IT configuration, which can help to reduce vulnerability to cyber-attack. Further information is available from the Resources and Cyber Essentials Explained pages.
Boundary Firewalls and Internet Gateways
Boundary firewalls, internet gateways or equivalent network devices are used to protect against unauthorised access and disclosure from the internet. If these devices are not configured correctly, cyber attackers can often gain access to computers with ease and read the information they contain.
A boundary firewall can protect against commodity cyber threats – that is, attacks based on capabilities and techniques that are freely available on the internet – by restricting inbound and outbound network traffic to authorised connections. Such restrictions are achieved by applying configuration settings known as firewall rules.
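The following shell script is an added example, not text or code from the Cyber Essentials scheme. It shows what "restricting inbound and outbound network traffic to authorised connections" looks like as a concrete set of firewall rules: an nftables ruleset in which every chain defaults to drop, so only the listed connections are permitted and everything else is logged and refused. The port lists are assumptions for a hypothetical web server; the build_ruleset and all_chains_default_deny functions are illustrative names chosen here.

```shell
#!/bin/sh
# Added example, not text from the Cyber Essentials scheme: emit an nftables
# ruleset that implements "restrict inbound and outbound traffic to authorised
# connections" with default-deny policies. The port lists are assumptions for a
# hypothetical web server; replace them with the services a host actually needs.

# Services this host is authorised to offer to the internet (assumed): SSH, HTTPS.
INBOUND_TCP="22, 443"
# Destinations this host is authorised to reach (assumed): DNS, NTP, HTTPS.
OUTBOUND_TCP="53, 443"
OUTBOUND_UDP="53, 123"

# Print a complete ruleset. Every chain defaults to drop, so anything not
# listed is refused and logged rather than silently allowed.
# Usage: build_ruleset "<inbound tcp ports>" "<outbound tcp ports>" "<outbound udp ports>"
build_ruleset() {
    in_tcp="$1"; out_tcp="$2"; out_udp="$3"
    cat <<EOF
table inet cyber_essentials {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport { $in_tcp } accept
        log prefix "fw-inbound-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        udp dport { $out_udp } accept
        tcp dport { $out_tcp } accept
        log prefix "fw-outbound-drop: " drop
    }
}
EOF
}

# Review check: refuse a ruleset in which any chain still defaults to accept.
# Returns 0 (true) when every chain's policy is drop.
all_chains_default_deny() {
    ! printf '%s\n' "$1" | grep -q 'policy accept'
}

RULESET=$(build_ruleset "$INBOUND_TCP" "$OUTBOUND_TCP" "$OUTBOUND_UDP")
all_chains_default_deny "$RULESET" && printf '%s\n' "$RULESET"
# On a host running nftables the generated text is loaded with: nft -f <file>
```

The script only prints the ruleset; loading it requires root on a host with nftables. The forward chain is dropped outright because a single server has no business routing traffic, and the dropped-packet log lines give the monitoring team a record of blocked connection attempts in both directions.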
Secure Configuration
Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role. Computers and network devices (including wireless access points) cannot be considered secure upon default installation. A standard, ‘out-of-the-box’ configuration can often include an administrative account with a predetermined, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications (or services).
Default installations of computers and network devices can provide cyber attackers with a variety of opportunities to gain unauthorised access to an organisation’s sensitive information, often with ease. By applying some simple security controls when installing computers and network devices (a technique typically referred to as system hardening), inherent weaknesses can be minimised, providing increased protection against commodity cyber attacks.
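The following shell script is an added example, not text or code from the Cyber Essentials scheme. It audits passwd-style and shadow-style account files for the out-of-the-box weaknesses just described: a second account with superuser rights, accounts with no password at all, and vendor or guest accounts that are still enabled. The sample account data is constructed for this example (the password hash is a placeholder), and the list of default account names is an assumption; on a real host the functions would be pointed at /etc/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added example, not text from the Cyber Essentials scheme: audit account files
# for weaknesses that a default installation commonly leaves behind. The sample
# data is constructed; on a real host pass the contents of /etc/passwd and
# /etc/shadow instead.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:0:100:Vendor default admin:/home/admin:/bin/sh
guest:x:1001:1001:Guest account:/home/guest:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
)
SAMPLE_SHADOW=$(cat <<'EOF'
root:$6$placeholder$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
admin::19000:0:99999:7:::
guest:!:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
EOF
)

# Accounts other than root whose UID is 0: a second superuser hidden in the defaults.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose password field is empty: anyone can log in without a password.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts from a list of well-known default names that are still usable: they
# have a real login shell and their password is neither locked ("!") nor
# disabled ("*"). The default-name list is an assumption for illustration.
# Usage: enabled_default_accounts "<passwd>" "<shadow>" ["<names>"]
enabled_default_accounts() {
    passwd="$1"; shadow="$2"; names="${3:-guest admin test}"
    for n in $names; do
        shell=$(printf '%s\n' "$passwd" | awk -F: -v u="$n" '$1 == u { print $7 }')
        pw=$(printf '%s\n' "$shadow" | awk -F: -v u="$n" '$1 == u { print $2 }')
        case "$shell" in ""|*/nologin|*/false) continue ;; esac
        case "$pw" in '!'*|'*'*) continue ;; esac
        echo "$n"
    done
}

echo "Non-root accounts with UID 0:";        extra_uid0_accounts "$SAMPLE_PASSWD"
echo "Accounts with an empty password:";     empty_password_accounts "$SAMPLE_SHADOW"
echo "Default accounts that are still enabled:"; enabled_default_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

In the constructed data the vendor "admin" account fails all three checks, while "guest" is present but locked and is therefore not reported; a hardening pass would remove or lock "admin" and give every remaining service account a non-login shell.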
User Access Control
User accounts, particularly those with special access privileges (e.g. administrative accounts), should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks. User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers.
When privileged accounts are compromised, their level of access can be exploited, resulting in large-scale corruption of information, disruption of business processes and unauthorised access to other computers across an organisation. To protect against misuse of special access privileges, the principle of least privilege should be applied to user accounts by limiting the privileges granted and restricting access.
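The following shell script is an added example, not text or code from the Cyber Essentials scheme. It turns the least-privilege rule above into a repeatable check: it reads a group-style file, lists every member of the groups that confer elevated access, and reports any member who is not on the organisation's list of authorised administrators. The group file content, the set of privileged groups and the approved-administrator list are all constructed for illustration; on a real host the input would be /etc/group and the organisation's own access records.

```shell
#!/bin/sh
# Added example, not text from the Cyber Essentials scheme: compare who holds
# elevated access with who is authorised to hold it. All input data below is
# constructed for illustration.
SAMPLE_GROUP=$(cat <<'EOF'
root:x:0:
sudo:x:27:alice,bob,svc-backup
wheel:x:10:alice
adm:x:4:syslog,alice
docker:x:999:bob,carol
users:x:100:alice,bob,carol,dave
EOF
)
# Groups that confer administrative or equivalent access (assumed; docker is
# included because membership typically allows root access to the host).
PRIVILEGED_GROUPS="sudo wheel adm docker"
# Individuals authorised to hold special access privileges (assumed).
AUTHORISED_ADMINS="alice"

# Members of one group, one per line. Usage: members_of "<group file>" <group>
members_of() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Every group:member pair where the member is not on the authorised list.
# Usage: unauthorised_privileged_members "<group file>" "<groups>" "<authorised>"
unauthorised_privileged_members() {
    groupfile="$1"; glist="$2"; allowed="$3"
    for g in $glist; do
        for m in $(members_of "$groupfile" "$g"); do
            ok=0
            for a in $allowed; do
                if [ "$m" = "$a" ]; then ok=1; fi
            done
            if [ "$ok" -eq 0 ]; then echo "$g:$m"; fi
        done
    done
}

# Number of distinct accounts holding any privileged membership at all; a
# rising count over time is itself a sign that least privilege is slipping.
# Usage: privileged_account_count "<group file>" "<groups>"
privileged_account_count() {
    for g in $2; do members_of "$1" "$g"; done | sort -u | grep -c .
}

echo "Privileged memberships not matched to an authorised administrator:"
unauthorised_privileged_members "$SAMPLE_GROUP" "$PRIVILEGED_GROUPS" "$AUTHORISED_ADMINS"
echo "Distinct privileged accounts: $(privileged_account_count "$SAMPLE_GROUP" "$PRIVILEGED_GROUPS")"
```

Each reported pair is a decision for the administrator: either the person belongs on the authorised list, or the membership should be removed. Service accounts such as "svc-backup" appearing in sudo are a typical finding, and usually the right fix is a narrowly scoped sudoers entry rather than full group membership.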
Malware Protection
Computers connected or exposed to the internet should be protected against malware infection through the use of malware protection software. Computers are often vulnerable to malicious software, particularly those that are exposed to the internet (e.g. desktop PCs, laptops and, where applicable, mobile devices). When available, dedicated software is required that will monitor for, detect and disable malware.
Computers can be infected with malware through various means, often involving a user who opens an affected email, browses a compromised website or opens an unknown file on removable storage media. The scope of malware protection in this document covers desktop PCs, laptops and servers that have access to or are accessible from the internet. Other computers used in the organisation, while out of scope, are likely to need protection against malware, as will some forms of tablets and smartphones.
Patch Management
Any computer or network device that runs software can contain weaknesses or flaws, typically referred to as technical vulnerabilities. Vulnerabilities are common in many types of popular software, are discovered frequently (e.g. daily), and once known can quickly be deliberately misused (exploited) by malicious individuals or groups to attack an organisation’s computers and networks.
Vendors of software will typically try to provide fixes for identified vulnerabilities as soon as possible, in the form of software updates known as patches, and release them to their customers (sometimes using a formal release schedule such as weekly). To help avoid becoming a victim of cyber-attacks that exploit software vulnerabilities, an organisation needs to manage patches and the update of software effectively.
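The following shell script is an added example, not text or code from the Cyber Essentials scheme. It shows one way to measure whether patches are being managed effectively: given a feed of installed versus latest available versions, with the date each fix was released, it lists the packages that are behind and flags those whose fix has been waiting longer than a policy deadline. The package feed is constructed for this example, the 14-day deadline is an assumed policy value, and the function names are illustrative; on a real host the feed would be produced from the package manager's installed and available package views.

```shell
#!/bin/sh
# Added example, not text from the Cyber Essentials scheme: measure how long
# available fixes have been waiting on a host, against a policy deadline.
# Fields: package installed_version latest_version date_fix_released (YYYY-MM-DD).
# The feed is constructed for illustration.
SAMPLE_FEED=$(cat <<'EOF'
openssl 3.0.11 3.0.13 2024-01-30
nginx 1.24.0 1.24.0 2024-01-15
sudo 1.9.14 1.9.15 2024-02-20
curl 8.5.0 8.6.0 2024-02-25
EOF
)

# Assumed policy deadline: fixes must be applied within this many days.
MAX_PATCH_AGE_DAYS=14

# Calendar arithmetic in portable awk: Julian Day Number of a YYYY-MM-DD date,
# so that date differences work the same on GNU and BSD systems.
JDN_FN='function jdn(d,   p, y, m, dd, a, yy, mm) {
    split(d, p, "-"); y = p[1] + 0; m = p[2] + 0; dd = p[3] + 0
    a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
    return dd + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
}'

# Whole days from date $1 to date $2.
days_between() {
    awk -v a="$1" -v b="$2" "$JDN_FN"' BEGIN { print jdn(b) - jdn(a) }'
}

# Packages whose installed version differs from the latest available.
# (Plain string inequality: a real feed is pre-filtered by the package manager
# so that "latest" is always newer than "installed".)
outdated_packages() {
    printf '%s\n' "$1" | awk '$2 != $3 { print $1, $2, "->", $3 }'
}

# Outdated packages whose fix has been available longer than the deadline.
# Usage: overdue_patches "<feed>" <today YYYY-MM-DD> [<max days>]
overdue_patches() {
    printf '%s\n' "$1" | awk -v today="$2" -v max="${3:-$MAX_PATCH_AGE_DAYS}" "$JDN_FN"'
        $2 != $3 {
            age = jdn(today) - jdn($4)
            if (age > max) printf "%s %s -> %s (%d days)\n", $1, $2, $3, age
        }'
}

echo "Outdated packages:";            outdated_packages "$SAMPLE_FEED"
echo "Overdue as of 2024-03-01:";     overdue_patches "$SAMPLE_FEED" 2024-03-01
```

Run against the constructed feed on 2024-03-01, three packages are behind but only openssl is overdue, its fix having been available for 31 days. Tracking the age of each outstanding fix, rather than only the count of outdated packages, is what lets an organisation show that the patching process keeps pace with the vendors' release schedules.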