Cyber Essentials: Secure Configuration | Reach IT

Cyber Essentials Part 2 – Secure Configuration


This is the second in a five-part series covering the government-backed Cyber Essentials scheme, which is designed to set a base standard for cyber security in organisations. It deals with five specific areas:

These key areas form the bedrock of security for IT systems. All organisations should ensure the five basic areas are covered, either by their in-house IT team or by their external IT partner. Over the next few weeks I will cover each of the topics in turn.
In Part 1 I covered firewalls. This time I cover Secure Configuration.
This area is concerned with ensuring that networks, devices and systems are all configured in a secure manner, for instance by changing default configurations. This includes elements such as:

  • Making sure default admin passwords are changed.
  • Removing unnecessary software (bloatware) from PCs, tablets and mobiles.
  • Going back to firewalls and routers: evaluate the default configuration to make sure it blocks inbound traffic from the Internet to your network.
  • Disabling auto-run features for DVDs and USB sticks, so that malicious or unwanted software is not executed automatically when media is inserted.

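As an added example (not part of the original post), the following PowerShell script applies and checks three of the items above on a standalone Windows 10/11 machine: it turns off AutoRun/AutoPlay through the policy registry values, reports whether the built-in Administrator account (the one with relative ID 500, whatever it has been renamed to) is still enabled, and removes a list of preinstalled apps. The list of app name patterns is my own constructed example, and the script assumes it is run in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and harden a few "secure configuration" items on a
# standalone Windows machine. Not from the original post.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutoRun {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type;
    # NoAutorun = 1 additionally stops autorun.inf from being honoured.
    if (-not (Test-Path $ExplorerPolicy)) {
        New-Item -Path $ExplorerPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoAutorun' -Value 1 -Type DWord
}

function Test-AutoRunDisabled {
    $p = Get-ItemProperty -Path $ExplorerPolicy -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.NoDriveTypeAutoRun -eq 0xFF) -and ($p.NoAutorun -eq 1)
}

function Get-BuiltInAdministrator {
    # The built-in Administrator always has RID 500, even after a rename.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Test-BuiltInAdministratorDisabled {
    $admin = Get-BuiltInAdministrator
    return ($null -ne $admin) -and (-not $admin.Enabled)
}

# Constructed list of preinstalled app name prefixes to remove. This is an
# assumption of the example; adjust it for your own builds.
$BloatwarePatterns = @(
    'Microsoft.XboxApp',
    'Microsoft.ZuneMusic',
    'Microsoft.ZuneVideo',
    'Microsoft.BingNews',
    'king.com.CandyCrush'
)

function Remove-Bloatware {
    param([string[]]$Patterns = $BloatwarePatterns)
    foreach ($pattern in $Patterns) {
        # Remove the package for every existing user profile ...
        Get-AppxPackage -AllUsers -Name "$pattern*" | ForEach-Object {
            Write-Host "Removing $($_.Name)"
            Remove-AppxPackage -Package $_.PackageFullName -AllUsers -ErrorAction Continue
        }
        # ... and deprovision it so it is not reinstalled for new profiles.
        Get-AppxProvisionedPackage -Online |
            Where-Object DisplayName -like "$pattern*" |
            Remove-AppxProvisionedPackage -Online | Out-Null
    }
}

# Apply the hardening, then report the state of each check.
Disable-AutoRun
Remove-Bloatware
[pscustomobject]@{
    AutoRunDisabled      = Test-AutoRunDisabled
    BuiltInAdminDisabled = Test-BuiltInAdministratorDisabled
    BuiltInAdminName     = (Get-BuiltInAdministrator).Name
}
```

The script only reports on the built-in Administrator rather than disabling it, because on a standalone machine that account may be the only local administrator; decide what to do with it (disable it, or at least give it a unique strong password) once you know who else has admin rights. The same registry values can be pushed by Group Policy under Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies, which is the better route on a domain.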
Passwords
You should also, where possible, create policies that force users to choose strong passwords: passwords that are at least 8 characters long and contain a mixture of:

  • Upper case characters
  • Lower case characters
  • Numbers
  • Symbols

Again, where possible, a user account should be locked out after a number of failed login attempts in a short space of time.
You also need to have written policies in place: policies that tell staff what level of password you require for each system, where passwords may be stored and where they may not be stored (on post-it notes on the screen, for instance).
One thing which may surprise you is that regular changing of passwords is no longer recommended. If users have too many systems with passwords that change on a regular basis they end up writing them all down, and that leaves a different type of security issue. Imagine a screen with loads of passwords stuck to it on post-it notes. Believe me, it is not that hard to imagine; I have seen it many times. If a user leaves their PC unattended you have a security vulnerability and a potential data protection breach. This is the current advice from the UK National Cyber Security Centre.
https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry
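To show the password and lockout settings above, together with the NCSC advice against forced expiry, as a concrete configuration, here is an added PowerShell example (not from the original post) for a standalone, non-domain Windows machine. It writes a secedit security template with the minimum length, complexity, lockout and "never expires" settings, applies it, and then parses `net accounts` to confirm the result. The threshold and lockout window values are my own assumptions; on a domain the same settings belong in the Default Domain Policy GPO rather than in a local template.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify a local password/lockout policy with secedit.
# Not from the original post.

function Set-LocalPasswordPolicy {
    param(
        [int]$MinLength = 8,          # minimum password length
        [int]$LockoutThreshold = 5,   # failed logons before lockout (assumed value)
        [int]$LockoutMinutes = 15     # lockout duration and observation window (assumed)
    )
    # MaximumPasswordAge = -1 means "never expires", in line with the NCSC
    # advice against forcing regular password changes.
    $template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
MinimumPasswordLength = $MinLength
PasswordComplexity = 1
MaximumPasswordAge = -1
LockoutBadCount = $LockoutThreshold
ResetLockoutCount = $LockoutMinutes
LockoutDuration = $LockoutMinutes
"@
    $inf = Join-Path $env:TEMP 'ce-password-policy.inf'
    $db  = Join-Path $env:TEMP 'ce-password-policy.sdb'
    # secedit expects a UTF-16 template file.
    Set-Content -Path $inf -Value $template -Encoding Unicode
    secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

function Get-LocalPasswordPolicy {
    # Parse the "Setting:   value" lines of "net accounts" into a hashtable.
    $policy = @{}
    foreach ($line in (net.exe accounts)) {
        if ($line -match '^(.+?):\s+(.+?)\s*$') {
            $policy[$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $policy
}

function Test-LocalPasswordPolicy {
    param([int]$MinLength = 8, [int]$LockoutThreshold = 5)
    $p = Get-LocalPasswordPolicy
    # -and short-circuits, so the [int] cast only runs when the value is numeric
    # ("Lockout threshold" reads "Never" when lockout is off).
    return ([int]$p['Minimum password length'] -ge $MinLength) -and
           ($p['Lockout threshold'] -ne 'Never') -and
           ([int]$p['Lockout threshold'] -le $LockoutThreshold) -and
           ($p['Maximum password age (days)'] -eq 'Unlimited')
}

Set-LocalPasswordPolicy
Get-LocalPasswordPolicy
if (Test-LocalPasswordPolicy) {
    'Password policy meets the baseline described above'
} else {
    'Password policy does NOT meet the baseline'
}
```

Run `Get-LocalPasswordPolicy` on its own first to see what a machine is currently set to; a fresh Windows install typically reports a minimum length of 0 and a lockout threshold of "Never", which is exactly the default configuration this part of Cyber Essentials is about changing.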
You could get your staff to check the strength of their passwords on this site: https://www.security.org/how-secure-is-my-password It was recommended by a cyber security adviser from Warwickshire County Council, who advised that it is a safe site to use and does not track the passwords you enter. Even so, it is sensible to test a password of the same length and pattern rather than one that is actually in use. You should be aiming for passwords that would take at least 10,000 years to crack.
At Reach I.T. Management we take the security of our clients' systems seriously. We use things like group policies to apply password requirements, we always remove bloatware from the PCs we set up, and we never install a piece of networking equipment without changing the default admin passwords. We take care of these things so you don't have to think about them.
If you want to discuss how we could help you with any of the above then please do call me on 01788 440024 or fill in the contact form on our website.
Next time I will cover User Access Control.