Thriving Through the Cyber Assessment Framework

Threat actors are taking advantage of misconfigurations on various devices, such as PCs, laptops, and servers. So much so that according to Microsoft, 80% of successful ransomware attacks are a result of misconfigurations.

This issue was brought to light recently when Microsoft itself fell victim to a data breach caused by a misconfiguration, resulting in the leak of 2.4TB of data. This highlights the importance of properly configuring devices to reduce the risk of exploitation by threat actors.

Frameworks for security

In response to this breach, Microsoft simply stated that the problem was caused by an unintentional misconfiguration on an endpoint. It’s no wonder that the UK's Government Cyber Security Strategy for 2022 to 2030 emphasizes the need for all public sector organizations to achieve cyber resilience.

And though it may seem so, it's not a vague ambition. It's meant as a sort of answer to the EU's 2018 Network & Information Systems Directive. And in classic British fashion it aims to tell the rest of the continent, "anything you can do, we can do better."

In line with the guiding strategy document, governing bodies and institutions are advised to ensure the configuration security of their productivity tools.

Government will work with its primary providers of productivity suites to further develop baseline security configurations for government organisations to follow and adapt. Doing so will ensure that all government organisations understand how to configure their productivity suites to provide a baseline level of cyber security, which will dramatically reduce common risks caused by misconfiguration.

Further to the point, the government is setting verifiable goals with clear deadlines. For example, by 2025 they aim to complete their first pass at strengthening critical functions against cyberattacks. (Think uptooling, improved hygiene, and stricter operating policies) By 2039 it'll be put up or shut up, as all government organizations (including local institutions) must demonstrate resilience to known vulnerabilities and attack paths.

Specific goals are a great first step, but a specific plan for achieving them is a necessary second step. And that where the National Cyber Security Centre (NCSC) comes in, having developed the Cyber Assessment Framework (CAF) to support the nations' security goals.

Overseeing the framework's implementation across local and central government entities is the Department for Leveling Up, Housing, and Communities (DLUHC). It's a responsibility that the body takes very seriously, going as far as to develop their own companion framework called the B4 Cyber Assessment Framework (CAM).

Secure by design and conscientious configuration

For the purposes of this article, we will focus largely on the principles of "secure by design" and "conscientious configuration" as outlined in CAF and in CAM.

Secure by design refers to the practice of integrating security measures and considerations into the design and architecture of software and systems from the very beginning of their development. 

Key aspects of a secure by design approach include:

• Proactive security: instead of reacting to security incidents, practitioners should anticipate potential issues and work to prevent them. 
• Principle of least privilege: systems should be designed to operate with the minimum level of user rights and permissions necessary.
• Attack surface minimization: disable unnecessary services, features, or code to minimize the functionality exposed to potential attackers.
• Regular security audits and updates: systematic scrutiny and routine research to assess and address new threats and vulnerabilities.

Conscientious configuration is the practice of continuously monitoring and managing your device, system, and service settings to ensure that they remain smartly and securely configured, whilst supporting business continuity.

When that monitoring and management is absent or otherwise lacking, misconfigurations will occur.  Examples of misconfigurations include:

• Risky default settings not changed
• Human errors in making configuration settings
• Exposed passwords
• Group policies not applied on endpoints
• Non-patchable vulnerabilities (when you cannot patch)

CAF and CAM guidance

CAF guidance suggests the following measures be taken to ensure the design and configuration security of essential network and information systems:

• Actively manage and maintain security configurations, patching, and updates for assets that require careful configuration for maintaining the security of the essential function.
• Ensure all platforms conform to secure, defined baseline builds or the latest known good configuration version for that environment.
• Manage changes effectively in the environment, including secure and documented network and system configurations.
• Regularly review and validate network and information systems for expected, secured settings and configurations.
• Restrict software installation to permitted software only.
• Ensure standard users cannot change settings that would impact security or business operations.
• Ensure the operation of automated decision-making technologies is well understood and decisions can be replicated

For CAM, we find the following guidance:

• Your infrastructure should follow secure-by-design principles for optimal protection, including network topology and server hardening.
• Ongoing patching and configuration changes are necessary to maintain secure design principles.
• Secure by design should include appropriate skill sets, network segregation, simple data flow, recoverability, and content inspection.
• Secure configuration involves knowing configurable items, using baseline and last known good builds, managing change, validating software, white-listing software, and managing automated decisions.

GYTPOL as the gold standard for configuration security

GYPTOL offers a comprehensive solution to address the misconfiguration issues that organizations face. Our solution provides a centralized view of all devices, supporting a secure by design approach and conscientious configuration.

Key capabilities includes: 

• Policy validation (GPO, Intune, AD) 
• Endpoint visibility and risk mapping (based on pervasiveness, severity, likelihood of attack, required functionality, etc.)
• Down-line dependency shielding (so you can act without fear of unintended consequences)
• Push-button remote remediation (and one-click roll-back) 
• Vulnerability protection for the unpatchables (SMBv1, Log4, Follina, Print Nightmare, etc.)  
• Compliance enablement (CIS, NIST, etc.) 

It's robust and scalable, allowing organizations to quickly identify gaps and remediate them - removing headaches and reinvesting time savings. No more costly and partial manual methods. GYTPOL ensures your environment is hardened and your Group Policy/InTune is applied. 

We understand the unique challenges that healthcare and public sector organizations face with stretched IT resources and budgetary restrictions. Our solution emphasizes actionable automation rather than mere intelligence - enabling organizations to focus on their core business while we take care of their cybersecurity needs.

Get in touch to hear more about how GYTPOL is helping organizations tackle configuration security and comply with CAF and CAM guidance. Or register here for a free trial.