Thriving Through the NCSC CAF: Ensuring Secure Configurations at Scale

Threat actors routinely exploit misconfigurations on PCs, laptops and servers. So much so that, according to Microsoft's Digital Defense Report, 80% of ransomware attacks can be traced to common configuration errors in software and devices.
The point was made at Microsoft's own expense in 2022, when a misconfigured Microsoft endpoint exposed customer data; the researchers who reported it put the figure at 2.4TB. Whatever the exact number, the lesson stands: properly configured devices are the cheapest way to shrink the attack surface a threat actor can exploit.
Strengthening Public Cyber-Security: A Strategic Response
Microsoft's own explanation was brief: an unintentional misconfiguration on an endpoint. Against that backdrop it is no surprise that the UK's Government Cyber Security Strategy 2022 to 2030 makes cyber resilience a requirement for every public sector organization.
And though it may seem so, it's not a vague ambition. The strategy builds on the NIS Regulations 2018 (the UK's transposition of the EU's Network and Information Systems Directive), and in classic British fashion it aims to tell the rest of the continent, "anything you can do, we can do better."
On the configuration of productivity tools specifically, the strategy states:
Government will work with its primary providers of productivity suites to further develop baseline security configurations for government organisations to follow and adapt. Doing so will ensure that all government organisations understand how to configure their productivity suites to provide a baseline level of cyber security, which will dramatically reduce common risks caused by misconfiguration.
Further to the point, the strategy sets verifiable goals with clear deadlines. By 2025, government's critical functions are to be significantly hardened against cyber attack (think better tooling, improved hygiene and stricter operating policies). By 2030 it's put up or shut up: all government organizations, local institutions included, must be resilient to known vulnerabilities and attack methods.
Specific goals are a great first step, but a specific plan for achieving them is a necessary second step. That's where the National Cyber Security Centre (NCSC) comes in, with its Cyber Assessment Framework (CAF).
CAF is a high-level, outcomes-based framework for assessing and improving an organization's cyber resilience. It is structured around four overall objectives and 14 cyber security principles, each broken down into contributing outcomes against which an organization rates itself as achieved, partially achieved or not achieved. The result is a structured way to manage risk and demonstrate resilience rather than a checklist of controls.
In local government, adoption of the framework is overseen by the Department for Levelling Up, Housing and Communities (DLUHC). It's a responsibility the department takes seriously enough to have developed its own companion to the framework, the B4 Cyber Assessment Model (CAM).
Secure by Design and Conscientious Configuration
For the purposes of this article, we will focus largely on the principles of "secure by design" and "conscientious configuration" as outlined in CAF and in CAM.
Secure by design refers to the practice of integrating security measures and considerations into the design and architecture of software and systems from the very beginning of their development.
Key aspects of a secure by design approach include:
- Proactive security: instead of reacting to security incidents, practitioners should anticipate potential issues and work to prevent them.
- Principle of least privilege: systems should be designed to operate with the minimum level of user rights and permissions necessary.
- Attack surface minimization: disable unnecessary services, features, or code to minimize the functionality exposed to potential attackers.
- Regular security audits and updates: systematic scrutiny and routine research to assess and address new threats and vulnerabilities.
Meanwhile, conscientious configuration is the practice of continuously monitoring and managing device, system, and service settings so that they remain securely configured while still supporting business continuity.
When that monitoring and management is absent or lacking, misconfigurations creep in. Common examples include:
- Risky default settings left unchanged
- Human error when applying configuration changes
- Exposed credentials
- Group policies that never reach the endpoints they target
- Vulnerabilities that cannot be patched and must instead be mitigated through configuration (for example, by disabling the vulnerable protocol or feature)
The Gap Between Guidance & Get-It-Done In NCSC CAF and CAM
CAF guidance suggests the following measures be taken to ensure the design and configuration security of essential network and information systems:
- Actively manage and maintain security configurations, patching, and updates for assets that require careful configuration for maintaining the security of the essential function.
- Ensure all platforms conform to secure, defined baseline builds or the latest known good configuration version for that environment.
- Manage changes effectively in the environment, including secure and documented network and system configurations.
- Regularly review and validate network and information systems for expected, secured settings and configurations.
- Restrict software installation to permitted software only.
- Ensure standard users cannot change settings that would impact security or business operations.
- Ensure the operation of automated decision-making technologies is well understood and decisions can be replicated.
For CAM, we find the following guidance:
- Your infrastructure should follow secure-by-design principles for optimal protection, including network topology and server hardening.
- Ongoing patching and configuration changes are necessary to maintain secure design principles.
- Secure by design should include appropriate skill sets, network segregation, simple data flow, recoverability, and content inspection.
- Secure configuration involves knowing configurable items, using baseline and last known good builds, managing change, validating software, white-listing software, and managing automated decisions.
However, neither CAF nor CAM provides implementation detail. Organizations must decide for themselves which settings count as evidence for each outcome, what values are acceptable, and how to remediate drift in order to demonstrate compliance.
That translation is where the complexity lives: defining the exact parameters to be measured, evaluating live configurations against them, and identifying and rolling out fixes across every system.
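To make that translation concrete, here is an added example, written for this page rather than taken from the article or from GYTPOL. It expresses a handful of Windows settings as measurable checks, each tagged with the CAF Principle B4 contributing outcome it evidences (B4.b Secure Configuration, B4.d Vulnerability Management), evaluates a captured configuration against the baseline, and proposes a fix. The thresholds are illustrative and loosely modelled on CIS-benchmark values, the `secedit /export` INF text and registry snapshot are constructed samples, and the remediation strings are illustrative `net`/PowerShell commands, not a vendor's action paths.

```python
"""CAF B4 outcomes as measurable endpoint checks. Added example, not the article's or GYTPOL's
code: thresholds are illustrative (loosely CIS-style), inputs are constructed, fixes illustrative."""
import configparser
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample of what `secedit /export /cfg out.inf` yields on a drifted host.
SAMPLE_SECEDIT_INF = """\
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
"""
# Constructed registry snapshot: {(key path, value name): data}.
LANMAN = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
DNSCLI = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
PNP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
SAMPLE_REGISTRY = {
    (LANMAN, "SMB1"): 1,                                     # SMBv1 server still on
    (DNSCLI, "EnableMulticast"): 1,                          # LLMNR still on
    (PNP, "RestrictDriverInstallationToAdministrators"): 0,  # PrintNightmare mitigation off
}

@dataclass(frozen=True)
class Check:
    check_id: str
    caf_outcome: str                # CAF contributing outcome this check evidences
    description: str
    source: str                     # "secedit" or "registry"
    key: tuple                      # (section, name) or (key path, value name)
    passes: Callable[[int], bool]   # predicate over the observed integer value
    expected: str
    severity: str
    remediation: str                # illustrative fix, not a vendor action path

@dataclass(frozen=True)
class Finding:
    check: Check
    observed: Optional[int]         # None: setting not present on the host

CHECKS = [
    Check("PW-01", "B4.b Secure Configuration", "Minimum password length", "secedit",
          ("System Access", "MinimumPasswordLength"), lambda v: v >= 14, ">= 14",
          "medium", "net accounts /minpwlen:14"),
    Check("PW-02", "B4.b Secure Configuration", "Account lockout threshold", "secedit",
          ("System Access", "LockoutBadCount"), lambda v: 1 <= v <= 5, "1-5 (0 = no lockout)",
          "medium", "net accounts /lockoutthreshold:5"),
    Check("PW-03", "B4.b Secure Configuration", "Password complexity enforced", "secedit",
          ("System Access", "PasswordComplexity"), lambda v: v == 1, "1",
          "medium", "secedit /configure with an INF setting PasswordComplexity = 1"),
    Check("SMB-01", "B4.d Vulnerability Management", "SMBv1 server disabled", "registry",
          (LANMAN, "SMB1"), lambda v: v == 0, "0",
          "high", "Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force"),
    Check("NET-01", "B4.b Secure Configuration", "LLMNR disabled", "registry",
          (DNSCLI, "EnableMulticast"), lambda v: v == 0, "0", "medium",
          r"Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name EnableMulticast -Value 0"),
    Check("PRT-01", "B4.d Vulnerability Management", "Point and Print driver installs admin-only (PrintNightmare mitigation)",
          "registry", (PNP, "RestrictDriverInstallationToAdministrators"), lambda v: v == 1, "1", "high",
          r"Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -Name RestrictDriverInstallationToAdministrators -Value 1"),
]

def parse_secedit(inf_text: str) -> dict:
    """Parse a secedit INF export into {(section, key): raw string value}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep secedit's mixed-case key names
    cp.read_string(inf_text)
    return {(s, k): v.strip() for s in cp.sections() for k, v in cp.items(s)}

def _as_int(value) -> Optional[int]:
    s = str(value).strip().strip('"')
    return int(s) if s.lstrip("-").isdigit() else None

def evaluate(checks, secedit_values: dict, registry: dict) -> list:
    """Return one Finding per check that fails or cannot be observed."""
    findings = []
    for c in checks:
        store = secedit_values if c.source == "secedit" else registry
        observed = _as_int(store.get(c.key))
        # Conservative by design: an unobservable setting counts as drift, because an
        # absent policy usually leaves the insecure platform default in force.
        if observed is None or not c.passes(observed):
            findings.append(Finding(c, observed))
    return findings

def summarize(findings) -> dict:
    """Drift count per CAF contributing outcome, the view an assessor works from."""
    return dict(Counter(f.check.caf_outcome for f in findings))

def audit_sample() -> list:
    return evaluate(CHECKS, parse_secedit(SAMPLE_SECEDIT_INF), SAMPLE_REGISTRY)

if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.check.severity}] {f.check.check_id} {f.check.caf_outcome}: {f.check.description}: "
              f"observed={f.observed}, expected {f.check.expected}\n    fix: {f.check.remediation}")
```

Two design choices matter more than the particular thresholds. First, a setting the collector cannot see is reported as drift, not silently skipped: an absent policy key almost always means the platform default is in force, and for LLMNR or SMBv1 that default is the insecure one. Second, every check carries the CAF outcome it evidences, so the same findings can be rolled up per outcome for the assessor and handed to the engineer as a concrete remediation, which is exactly the gap between guidance and get-it-done that the framework leaves open.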
It may help to lean on a compliance assurance tool like GYTPOL, which continuously detects and remediates misconfigurations and deviations from frameworks including CIS Benchmarks, HIPAA, Cyber Essentials, MITRE, NIST SP 800-53, NIST CSF, PCI and more. In cases like these, it's important to take help where you can find it.
The Gold Standard for Configuration Security
GYTPOL maps CAF outcomes to CIS Benchmarks, giving users a direct path from principles to real-world practice. GYTPOL emphasizes actionable automation rather than mere intelligence, so organizations can focus on their core business while GYTPOL takes care of their configuration security. Providing a centralized view of all devices, GYTPOL supports both a secure by design approach and conscientious configuration.
Key capabilities include:
- Policy validation (GPO, Intune, AD)
- Endpoint visibility and risk mapping (based on pervasiveness, severity, likelihood of attack, required functionality, etc.)
- Down-line dependency shielding (so you can act without fear of unintended consequences)
- Push-button remote remediation (and one-click roll-back)
- Vulnerability protection for the unpatchables (SMBv1, Log4Shell, Follina, PrintNightmare, etc.)
- Compliance enablement (CIS, NIST, etc.)
Since GYTPOL already converts CIS controls to specific benchmarks (checks and action paths) that can be automated from within the platform, this new mapping extends that same functionality to the Cyber Assessment Framework.
This functionality is especially useful on account of GYTPOL’s ability to remediate non-compliant configurations without disrupting operational systems. By checking dependencies, GYTPOL ensures that remediation actions won’t cause downtime or break workflows anywhere downstream.
Additionally, GYTPOL allows organizations to easily revert changes if necessary, providing flexibility and control.
| Key Benefit | Details |
| --- | --- |
| Fast Deployment | Quick visibility into CAF compliance |
| Seamless CAF Implementation | Direct mapping of CAF principles to specific checks and actions |
| Automated Monitoring & Remediation | Instant detection and remediation of misconfigurations and vulnerabilities |
| Non-Disruptive Remediation | Fixes never compromise system integrity or business continuity |
| Reversible Changes | Remediations can be easily reverted if needed |
With GYTPOL, organizations can meet CAF's high-level objectives down at the granular, day-to-day level of their network and endpoint operations, with the push of a button and without endangering system stability or business continuity.
About Author

Jake Dillon