Feature

Cyber Terrorism

Cyber Essentials, a minimum baseline for all businesses

Multi-factor authentication (MFA) must be used for access to cloud services
As well as providing extra protection for passwords that are not protected by other technical controls, multi-factor authentication should always be used to provide additional protection to administrator accounts and user accounts when connecting to cloud services.

No matter how an attacker acquires a password, if multi-factor authentication is enabled on the account, it will act as a safeguard on that account.

The password element of the multi-factor authentication approach must have a password length of at least eight characters with no maximum length restrictions.

Why the change?
There has been an increasing number of attacks on cloud services using techniques to steal or brute-force users' passwords in order to access their accounts. Thin clients are a type of very simple computer holding only a base operating system; they are often used to connect to virtual desktops. These are confirmed as being in scope when they connect to organisational data or services.

Password-based and multi-factor authentication requirements
When using passwords, one of the following protections should be used to protect against brute-force password guessing:
•    Using multi-factor authentication
•    Throttling the rate of unsuccessful or guessed attempts
•    Locking accounts after no more than 10 unsuccessful attempts
Technical controls are used to manage the quality of passwords. This will include one of the following:
•    Using multi-factor authentication in conjunction with a password of at least eight characters, with no maximum length restrictions
•    A minimum password length of at least 12 characters, with no maximum length restrictions
•    A minimum password length of at least eight characters, with no maximum length restrictions, and automatic blocking of common passwords using a deny list

People must be supported to choose unique passwords for their work accounts. New guidance has been created on how to form passwords. It is now recommended that three random words are used to create a password that is long, difficult to guess and unique. There must be an established process to change passwords promptly if the applicant knows or suspects the password or account has been compromised.
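The password controls above can be expressed directly in code. The following is an added example, not code from Cyber Essentials or IASME: it implements the three alternative password-quality rules (MFA plus eight characters, 12 characters, or eight characters plus a deny list) and the brute-force protection (throttling and lockout after no more than 10 failed attempts). The user names, passwords, the small deny list and the PBKDF2 parameters are constructed for the example; a real deployment would load a large published list of common passwords.

```python
"""Password quality and brute-force protections in the style of the Cyber
Essentials requirements (constructed example, not the scheme's own code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 10        # "no more than 10 unsuccessful attempts"
MIN_LEN_WITH_MFA = 8
MIN_LEN_NO_OTHER_CONTROL = 12
MIN_LEN_WITH_DENY_LIST = 8

# Constructed deny list of common passwords; a production list would be far larger.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein1", "welcome1", "12345678"}


def password_meets_policy(password: str, mfa_enabled: bool, deny_list=COMMON_PASSWORDS):
    """Return (accepted, rule) for a candidate password.

    The rules are the three alternatives in the requirements; there is deliberately
    no upper bound on length, because the scheme forbids maximum length restrictions.
    """
    n = len(password)
    if mfa_enabled and n >= MIN_LEN_WITH_MFA:
        return True, "mfa+8"
    if n >= MIN_LEN_NO_OTHER_CONTROL:
        return True, "12-chars"
    if n >= MIN_LEN_WITH_DENY_LIST and password.lower() not in deny_list:
        return True, "8-chars+denylist"
    if n < MIN_LEN_WITH_DENY_LIST:
        return False, "too short"
    return False, "on deny list"


@dataclass
class AccountGuard:
    """Per-account failed-login counter providing throttling and lockout."""
    max_attempts: int = MAX_FAILED_ATTEMPTS
    base_delay: float = 1.0                 # seconds; doubles with each failure
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def record_failure(self, user: str) -> float:
        """Count a failure, lock the account at the limit, and return the delay
        (in seconds) the caller should impose before the next attempt."""
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_attempts:
            self.locked.add(user)
        return self.base_delay * (2 ** (count - 1))

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the example, not tuned for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CredentialStore:
    """Minimal salted-hash store that enforces the policy when a password is set."""

    def __init__(self):
        self._users = {}

    def add_user(self, user: str, password: str, mfa_enabled: bool) -> None:
        accepted, reason = password_meets_policy(password, mfa_enabled)
        if not accepted:
            raise ValueError(f"password rejected: {reason}")
        salt = os.urandom(16)
        self._users[user] = (salt, _digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _digest(password, salt))


def attempt_login(store: CredentialStore, guard: AccountGuard, user: str, password: str):
    """Return (outcome, delay_seconds) where outcome is 'locked', 'ok' or 'fail'."""
    if guard.is_locked(user):
        return "locked", 0.0
    if store.verify(user, password):
        guard.record_success(user)
        return "ok", 0.0
    return "fail", guard.record_failure(user)


if __name__ == "__main__":
    store, guard = CredentialStore(), AccountGuard()
    store.add_user("alice", "kite-coral-beacon", mfa_enabled=False)   # constructed credentials
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(attempt_login(store, guard, "alice", "wrong-guess"))
    print(attempt_login(store, guard, "alice", "kite-coral-beacon"))  # locked even though correct
```

The guard returns the throttle delay rather than sleeping so that the calling service can enforce it however it prefers; the lockout check runs before the password is verified, so a correct password submitted after the limit is still refused.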

What is a brute force attack?
Brute-force attacks use trial and error to guess passwords and encryption keys. Powerful computers are pointed at a login page and try many different combinations of characters until the correct one is found, cracking the password or encryption key. Depending on the length and complexity of the password and the power of the computer used, cracking a password can take anywhere from a few seconds to many years. Modern computers have advanced in power and capability to the point where an eight-character alphanumeric password can be cracked in just over two hours.

All high and critical updates must be applied within 14 days and remove unsupported software.

All software on in-scope devices must be:
•    Licensed and supported
•    Removed from devices when it becomes unsupported, or removed from scope by using a defined 'sub-set' that prevents all traffic to/from the internet
•    Set to update automatically where possible
•    Updated, including applying any manual configuration changes required to make the update effective, within 14 days of an update being released, where:
– The update fixes vulnerabilities described by the vendor as 'critical' or 'high risk'
– The update addresses vulnerabilities with a CVSS v3 score of 7 or above
– No details of the level of vulnerabilities the update fixes are provided by the vendor
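The three criteria above amount to a triage rule that can be applied to a list of pending updates. The following is an added example, not code from Cyber Essentials or IASME: it classifies each constructed update record as required or not under the criteria and computes the 14-day deadline. The product names, dates and scores are constructed; the choice to treat the 14th day after release as the last permitted day is an assumption made for the example.

```python
"""Triage of pending updates against the 14-day rule (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0
VENDOR_HIGH_RATINGS = {"critical", "high", "high risk"}


@dataclass
class Update:
    product: str
    released: date
    vendor_rating: Optional[str] = None   # vendor's own severity wording, if published
    cvss_v3: Optional[float] = None       # CVSS v3 base score, if published
    applied: bool = False


def must_apply(u: Update) -> bool:
    """True if any of the three criteria puts the update inside the 14-day rule."""
    if u.vendor_rating is not None and u.vendor_rating.lower() in VENDOR_HIGH_RATINGS:
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD:
        return True
    # No severity details at all from the vendor: the rule still applies.
    return u.vendor_rating is None and u.cvss_v3 is None


def deadline(u: Update) -> date:
    # Assumption: the 14th day after release is the last day the update may be applied.
    return u.released + PATCH_WINDOW


def triage(updates, today: date):
    """Return (product, status, deadline) for each update; status is one of
    'applied', 'not required', 'due' or 'overdue'."""
    result = []
    for u in updates:
        if u.applied:
            status = "applied"
        elif not must_apply(u):
            status = "not required"
        elif today > deadline(u):
            status = "overdue"
        else:
            status = "due"
        result.append((u.product, status, deadline(u)))
    return result


# Constructed sample inventory; none of these records describe real advisories.
SAMPLE_UPDATES = [
    Update("mail-server", date(2021, 3, 2), vendor_rating="Critical", cvss_v3=9.8),
    Update("office-suite", date(2021, 3, 10), vendor_rating="Moderate", cvss_v3=5.3),
    Update("pdf-viewer", date(2021, 3, 12), cvss_v3=7.5),
    Update("vpn-client", date(2021, 3, 15)),                      # vendor gave no details
    Update("browser", date(2021, 3, 1), vendor_rating="High", applied=True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_UPDATES, today=date(2021, 3, 20)):
        print(row)
```

Note that an update with no vendor severity information and no CVSS score is treated as required, which is the conservative reading of the third criterion: the absence of detail is not a reason to skip it.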

Why the change?
Previously, the requirements laid out a set of criteria that a vulnerability had to meet before its fix had to be applied. These criteria have now been dropped, and organisations need to apply all high and critical updates on all their systems. This raises the bar because organisations can no longer be selective about which patches they apply and leave themselves weak and vulnerable. The reason for these changes can be illustrated by a high-profile example this year. A vulnerability in the Microsoft Exchange System came out very publicly and was reported by numerous news outlets.

That attack went from being a complex state actor attack to a commodity attack within seven days. It was commoditised into a ransomware attack only 12 hours later. This proves that a high-complexity attack can be commoditised in hours, and for this reason all high and critical updates need to be applied within 14 days for Cyber Essentials.

Guidance on backing up
Backing up your data is not a technical requirement of Cyber Essentials because the scheme focuses on measures to prevent an attack as opposed to aspects to allow recovery after an attack. However, with the recognition of the vital importance of backup, there is now guidance on backing up important data and implementing an appropriate backup solution is highly recommended.

How the changes will work
There will be a grace period of one year to allow organisations to make the changes for the following requirements: MFA for cloud services, thin clients and security update management.

Help and support
If you need help preparing your organisation for Cyber Essentials, there is a free online tool that helps you gauge your current level of cyber security in relation to where you need to be to achieve Cyber Essentials. The Cyber Essentials Readiness Tool includes a series of guidance documents to help you understand the five controls and how they apply to your business.

Your answers to the readiness tool questionnaire will inform the tailored guidance and step by step action plan which will be presented to you when you reach the end of the readiness tool.

For in-depth and bespoke support, contact one of the Cyber Essentials Certification Bodies located around the UK and Crown Dependencies. These specialists are trained and licensed to certify against Cyber Essentials and are available to offer consulting services to help you achieve your certification.

IASME is an organisation based in the Malvern hills, Worcestershire that helps businesses improve their cyber security, risk management and counter fraud, through an effective and accessible range of certifications. From April 1 2020, IASME became the National Cyber Security Centre’s Cyber Essentials Partner, responsible for the delivery of the scheme.

https://iasme.co.uk/cyber-essentials/
