ACHIEVING CYBER ESSENTIALS

COLIN ROBBINS

© NEXOR 2016 ALL RIGHTS RESERVED

INTRODUCTION TO CYBER ESSENTIALS

o An industry supported certification scheme developed by the UK Government

o Designed as a baseline

o Designed to thwart more than 80% of common attacks

o Enables access to the public sector supply chain

o Cyber Insurance

ASSESSMENT APPROACH


GROWTH OF CYBER ESSENTIALS

Data as of July 4th, 2016.

From public web sites of respective organisations

© NEXOR 2016 COMMERCIAL IN CONFIDENCE

ACHIEVING CYBER ESSENTIALS


SCOPE

o RECOMMENDATION: Identify key systems

Draw your network

CYBER ESSENTIALS – CATEGORIES

Boundary Firewalls and Internet Gateways

Secure Configuration

User Access Control

Malware Protection

Patch Management

COMPLY OR EXPLAIN…

“To implement these requirements, organisations will need to determine the technology in scope, review each of the five categories and apply each control specified. Where a particular control cannot be implemented for a sound business reason alternative controls should be identified and implemented.”

CYBER ESSENTIALS – CATEGORIES: BOUNDARY FIREWALLS AND INTERNET GATEWAYS

o Securing the perimeter

Network layer device

Configuration management

o Where is the boundary?

Home Workers?

Cloud Services?

Mobile Devices?

o RECOMMENDATION: Many firewalls will do more

Switch these elements on

CYBER ESSENTIALS – CATEGORIES: SECURE CONFIGURATION

o Reduce the attack surface

o Configuration Management

Default Accounts

Applications

Auto-run

Personal Firewalls

o RECOMMENDATION: Asset register

• Who owns / administers them?

Document and audit the configuration

CYBER ESSENTIALS – CATEGORIES: USER ACCESS CONTROL

o Making it harder for malware to persist

o User Management

Joiner / Mover / Leaver

Least Privilege

Passwords

o Admin accounts

Only when needed

o RECOMMENDATION: Have a robust J/M/L process

CYBER ESSENTIALS – CATEGORIES: MALWARE PROTECTION

o Neutralising known malware

o Protection Requirement

All devices

• Including phones etc.

Up to date

Regular full scan

• Daily?

Browse protection

o RECOMMENDATION: Firewalls have capability here too – use it

Outside of Cyber Essentials

CYBER ESSENTIALS – CATEGORIES: PATCH MANAGEMENT

o Plugging known weaknesses

Operating Systems

Applications

o Licensed / supported

o Apply updates ASAP

o Remove unused software

o RECOMMENDATION: Monitoring that updates have been applied is key to success

APPROACHES TO CYBER ESSENTIALS

APPROACHES

• Self Assess

• Monitor

• Resolve

• Certify

• Working Groups

• Processes

• Policy

• Gap Analysis

Plan / Do / Check / Act

RIZIKON

o Follows a Cyber Essentials question set

o Provides quantitative evidence and specific recommendations

o Can be used to submit to some CBs

o Available from Qonex

CYBER ESSENTIALS PLUS

o Do Cyber Essentials first, then…

o “Tests of the systems are carried out by an external certifying body, using a range of tools and techniques”

External test

Internal test

o RECOMMENDATION: If you have the skills, run your own vulnerability test before engaging a certification body

A high percentage of companies fail CE+ first time

Basic software is available for free

COMMON AREAS OF DEBATE

o Outsourced services (including Cloud)

Where is your data?

What controls are implemented?

What accreditation?

o Mobile phones – especially BYOD

Configuration management

Malware protection

o Frequency of password changes

60 days versus CESG latest guidance

o Frequency of malware scans

Practicality on SAN / NAS?

COMMON THEME - GOVERNANCE

The Cyber Essentials categories are “technical”.

To be effective, the implementation is not about the technology…

o Documented policy & scope

o Asset Register

o Processes

Joiner / mover / leaver

Configuration / change management

Monitoring / internal audit

Annual reminder of administrator responsibilities

Incident Response

SUMMARY

o Doing the Cyber Essentials is… Essential

o Certification is your business choice

Start with a gap analysis

Engage the business to resolve issues

Build into business-as-usual processes

MORE INFORMATION…

www.qonex.com

[email protected]

0115 952 0500

http://cybermatters.info

@QonexCyber

www.linkedin.com/company/Qonex