Cyber Essentials is a cyber security certification that has been designed by the government to make it simple for organisations to protect themselves against common cyber threats.
Getting Cyber Essentials certified means you are protected against common cyber-attacks, whatever the size of your organisation. Attacks can come in many forms, so it is crucial to ensure you are properly protected. There are two levels of certification, Cyber Essentials and Cyber Essentials Plus, and in this article we'll explore both.
- Your organisation must have Cyber Essentials certification at either the basic or Plus level
- You must be certified with an IASME certification body
- Your organisation must turnover under £20,000,000
- Your organisation must be domiciled in the UK
The UK government's Cyber Essentials scheme sets out five controls that organisations implement to achieve a baseline of cyber security, and against which they can be certified to prove their compliance:
- Access control
- Firewalls and routers
- Malware protection
- Secure configuration
- Software updates
Cyber Essentials Plus is a higher level of assurance. A qualified and independent assessor examines the same five controls, testing that they work in practice by simulating basic hacking and phishing attacks. It involves a technical audit of the systems in scope for Cyber Essentials, checking that the Cyber Essentials controls have been applied as declared in the self-assessment.
Now let's focus on secure configuration. "Secure configuration refers to security measures that are implemented when building and installing computers and network devices to reduce unnecessary cyber vulnerabilities."
Many tools are used today to mitigate vulnerabilities, none more widely than vulnerability scanning tools. Maintaining a list of Common Vulnerabilities and Exposures (CVEs) and the products they affect is a good place to start: these are known, published vulnerabilities, vulnerability assessment (VA) tooling is an automated way of gaining visibility of them, and remediation is then a case of patching. The same applies to malware and viruses, with a tool such as EDR (Endpoint Detection and Response).
The same can't be said for security misconfigurations, and threat actors are clearly aware of it. The latest Microsoft Cyber Signals report states that 80% of ransomware attacks are due to misconfigurations. It is no surprise that attackers focus on an area where today's manual efforts are clearly failing: without a robust automated solution, your organisation has the potential to be littered with human errors and default settings.
Organisations rely heavily on Group Policy Objects (GPOs) to roll out security baseline policies, which provides an element of automation. However, GPO on its own gives no way to validate whether a device has actually received and implemented the policy, which leaves devices at risk of silently falling out of compliance.
Gytpol is the only robust automated solution for Security Configuration Management, helping monitor, identify and remediate risks caused by misconfigurations on endpoints, servers, on-premises infrastructure and cloud services.
At Gytpol we provide continuous monitoring of all your PCs and servers, validation of all your Group Policy settings, and detection of mismatches, missing GPOs, or wrong values applied.
We are hyper-focused on the security misconfigurations we know threat actors are exploiting. We map each one to the MITRE framework categorisation and rank severity as high, medium or low. We provide actionable intelligence to your organisation: identifying the risk, providing literature on the potential impact, and giving the step-by-step process to remediate the misconfiguration manually.
We take this one step further and can even remediate with a single click, with zero impact. Once Gytpol identifies an issue, the operator can remove or reduce the risk using our remediation features, which are as follows:
- Remediate on single devices, groups of devices, or the whole organisation.
- Shows usage on individual devices, allowing the operator to safely remediate impacted devices.
- Auto re-apply allows the issue to be automatically remediated for new and existing devices in the organisation.
- Revert capability to undo remediation back to the previous state.
- Audit reporting (i.e. who performed the remediation, reason, status of the remediation, etc.).
- Actions (pending, finished and stopped) are all shown in a user-friendly dashboard.
Having a centralised view of the configuration of your devices allows organisations to ensure devices are configured correctly, which in turn reduces risk and ensures devices are continuously compliant.
Ok, so let's tackle the newly published IASME Consortium Evendine Questionnaire spreadsheet.
Secure configuration is an essential part of any framework and standard these days; with CE+ in particular, the legwork required to demonstrate secure configuration is substantial.
According to the CE standard, secure configuration applies to servers, desktop computers, laptop computers, tablets, mobile phones, thin clients, IaaS, PaaS and SaaS. Remember we mentioned default settings? These are what we want to avoid, and this is where Gytpol comes in.
Anyone who has worked with Group Policy, SCCM or other management platforms will know that it is not seamless, and that it is quite difficult to ensure that whatever settings you have defined are actually being deployed to all devices.
Specifically, under "Computers and network devices", CE requires that the applicant must be active in the management of computers and network devices. It must routinely:
- remove and disable unnecessary user accounts (such as guest accounts and administrative accounts that won’t be used)
- change any default or guessable account passwords (see password-based authentication)
- remove or disable unnecessary software (including applications, system utilities, and network services)
- disable any auto-run feature which allows file execution without user authorisation (such as when they are downloaded from the internet)
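The four routine requirements above, together with the earlier point that a GPO gives no feedback on whether a device actually applied it, can be checked locally on a Windows endpoint. The script below is an added example written for this article; it is not Gytpol's product code or anything published by IASME or the NCSC. It is read-only, needs an elevated PowerShell 5.1 or later session, and the list of unwanted services and the expected registry values are a constructed baseline to be replaced with your own.

```powershell
# Added example (not Gytpol's code): read-only audit of a Windows endpoint against the
# four routine CE "Computers and network devices" requirements, plus a check that values
# a GPO baseline is expected to set are actually present on the device.
# Run elevated. Baseline values below are constructed for illustration; adjust to your own.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Control, $Item, $Compliant, $Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Item = $Item; Compliant = $Compliant; Detail = $Detail })
}

# 1. Unnecessary accounts: the built-in Guest account (RID 501) must be disabled, and any
#    other enabled local account with no recorded logon is flagged as a removal candidate.
$guest = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-501' }
if ($guest) {
    Add-Finding 'Accounts' 'Built-in Guest' (-not $guest.Enabled) "Enabled=$($guest.Enabled)"
} else {
    Add-Finding 'Accounts' 'Built-in Guest' $true 'Account not present'
}
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.LastLogon } | ForEach-Object {
    Add-Finding 'Accounts' $_.Name $false 'Enabled local account with no recorded logon; review and remove if unused'
}

# 2. Default or guessable passwords cannot be read back from the system, so the check
#    flags enabled accounts that are not required to have a password at all.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    Add-Finding 'Passwords' $_.Name $false 'Enabled account with PasswordRequired=False'
}

# 3. Unnecessary software and network services: services the baseline says must not run.
#    This list is constructed for the example; derive yours from your own build standard.
$unwantedServices = @('RemoteRegistry', 'TlntSvr', 'SNMP')
foreach ($name in $unwantedServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $ok = ($svc.Status -ne 'Running') -and ($svc.StartType -eq 'Disabled')
        Add-Finding 'Services' $name $ok "Status=$($svc.Status) StartType=$($svc.StartType)"
    }
}

# 4. AutoRun and other policy-delivered values. NoDriveTypeAutoRun=255 disables AutoRun on
#    every drive type and NoAutorun=1 stops autorun.inf commands; both live under the Policies
#    key that Group Policy writes to, so a missing value means the GPO did not land.
$expectedPolicy = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @{ NoDriveTypeAutoRun = 255; NoAutorun = 1 }
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'               = @{ AlwaysInstallElevated = 0 }   # constructed baseline entry
}
foreach ($path in $expectedPolicy.Keys) {
    $actual = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    foreach ($valueName in $expectedPolicy[$path].Keys) {
        $expected = $expectedPolicy[$path][$valueName]
        $got = if ($actual) { $actual.$valueName } else { $null }
        $ok = ($null -ne $got) -and ($got -eq $expected)
        $detail = if ($null -eq $got) { 'value missing (policy not applied?)' } else { "expected $expected, got $got" }
        Add-Finding 'Policy' "$path\$valueName" $ok $detail
    }
}

# Report every finding; exit non-zero if anything is non-compliant so the script can be
# scheduled and its result collected centrally.
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Running this on a schedule and collecting the exit code and table from each device gives the per-device evidence that a GPO alone does not: the policy is either present with the expected value on that machine or it is not.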
With Gytpol this is easy on your devices (PCs, laptops and servers), whether or not they are domain joined. Gytpol provides continuous visibility and remediation on all devices, from anywhere, whether the devices are connected to VPN or not.
Further detail from the National Cyber Security Centre can be found in Cyber Essentials: Requirements for IT infrastructure.
Get in touch to understand how we can help, or you can reach me directly at [email protected] or via LinkedIn.