
Contents

Boundary Firewalls and Internet Gateways: questions 1 to 10

Secure Configuration: questions 11 to 15

Access Control: questions 16 to 21

Malware Protection: questions 22 and 23

Patch Management: questions 24 to 26

Password-Based Authentication: questions 27 to 31

Anti-Malware Software: questions 32 to 35

Whitelisting: questions 36 to 39

Sandboxing: question 40

1. Are there firewalls in place which protect all your devices?

What is a firewall?

Where the firewall is located must be shown on the scope diagram mentioned here and be described in the accompanying scope statement.

For very small organisations the access to the internet will be through a simple device often provided by your internet service provider (ISP) such as BT, TalkTalk, Plusnet, Virgin Media or similar. 

There will be a firewall and a router incorporated into that device, and this will act as a filter to prevent attacks getting onto your system and to stop inappropriate traffic leaving it.  Usually the firewall will be configured by the service provider, and often you will have little or no ability (or need) to change anything on it away from the default settings. 

We will refer to this device as a firewall despite it being a combination of router and firewall.

It is possible that in addition to the firewall at the point of access to the internet (or occasionally instead of), you may have installed firewalls as software on any device connected to your network.  This is often done as part of the installation of antivirus and similar types of software.  Including this in your description will be useful and help the assessor.

If you have a more complex system, then you may have a separate firewall which you can set up, and this will need explaining in your application.  In particular it is critical that the firewall is configured to prevent certain types of traffic coming into and leaving your network.  Details of which protocols (or types of internet traffic) and services should be stopped, together with other configuration requirements, are in the detailed requirements for IT infrastructure. 

2. If there are not firewalls that protect all devices, are you using other network devices which restrict access to network services? If yes, please describe how these network devices are placed. If not applicable, please give justification

It is possible that in addition to the firewall at the point of access to the internet (or occasionally instead of), you may have installed firewalls as software on any device connected to your network. This is often done as part of the installation of antivirus and similar types of software. Including this in your description will be useful and help the assessor. Q10 also addresses this point and it would be sensible to provide a configuration diagram that shows the extent of the network over which you have control, and where on it the firewalls or their equivalent are located. As an example, if you share office space with other organisations and the internet is provided to you as part of the lease package, it is likely that you will have little control over the security of the internet access provided to you. In this case you should explain to the assessor the configuration of the devices you use that takes this potential vulnerability into account which is likely to include a firewall installed on each end point. This will also be important if the devices are used away from the main office location perhaps connecting through Wi-Fi.

3. Has the default administrative password on all firewalls (or equivalent devices) been changed to a password that is difficult to guess?

As mentioned previously, if your firewall has been provided by a commercial ISP then it is quite possible you will have no ability to change the administrator password set by the supplier, which will usually be quite a strong complex password anyway. 

If you can change the administrator password you should always do so, and this can be checked through the control panel of the router.  The control panel is usually accessed by opening a web browser and typing in the IP address of the firewall.  This will often be 192.168.0.1 or 192.168.1.1.

Note that this administrator password is not the same as the one you will have used to connect a device to the network perhaps through Wi-Fi. 

4. Is it possible for a user to access the administrative interface of the firewall (or equivalent device) remotely?

Once again, if your firewall has been provided by an ISP then it is quite likely that they will have set this aspect up so they can administer your firewall remotely across the internet, without having to visit your premises, should you have problems with it.  It is quite possible that you cannot alter this. 

However, if you can change the setting on the control panel, it is required that the firewall is set not to allow remote access to its administrative interface.  This is usually achieved through the control panel.
5. If the answer to the previous question (4) is yes - have you implemented protection for the administrative interface in the form of a second authentication factor, such as a one-time token?

This will usually be the way a commercial firewall is set up.  When the ISP wants to connect to your firewall they will send you a connection request and will then often ask you to type in a code to allow the connection to be made.  This is a type of two-factor authentication.

6. If the answer to the previous question (5) is no - have you implemented protection for the administrative interface in the form of an IP whitelist, which limits access to a small range of trusted IP addresses?

This would need to be undertaken via the control panel (or equivalent) and is likely to need a security expert to ensure this is done correctly.

7. Are unauthenticated inbound connections blocked by default?

This should be the way a commercial firewall is set up.  You may be able to confirm this from the control panel.

8. For any configured inbound firewall rules, are they approved and documented by an authorised individual, including a description of why each rule is needed?

This is a documentation requirement.  The decisions you have made for the setup of the firewall and other similar devices must be appropriately defined, based on a solid risk assessment and approved by an appropriately senior person in the organisation.  This documentation, along with any other similar documentation, must be kept up to date and routinely reviewed to ensure the decisions made continue to be appropriate.

9. Are configured firewall rules removed or disabled when they are no longer needed?

If your firewall is configured by default then you may not have control over this aspect of it.  It’s best to leave it to the ISP to ensure the device is maintained appropriately. 

If you have made any special settings on the firewall, (to allow inbound access for example), then they should be deleted when they are no longer required to meet a business need. 
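Questions 8 and 9 together amount to keeping a register of inbound rules, each with a justification, an approver and a date by which it must be re-justified or removed. The following is an added example, not part of this guidance and not a vendor export format: a small Python rule register with a review function that flags rules missing their documentation and rules whose review date has passed. The rule names, addresses and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class InboundRule:
    """One entry in a firewall rule register (constructed structure, not a vendor format)."""
    name: str
    port: int
    protocol: str
    source: str                 # where traffic may come from, e.g. "any" or a trusted range
    justification: str          # the business reason the rule exists (Q8)
    approved_by: str            # the person who authorised the rule (Q8)
    review_by: Optional[date]   # date by which the rule must be re-approved or removed (Q9)


def review_register(rules: List[InboundRule], today: date) -> Tuple[List[str], List[str]]:
    """Return (undocumented, overdue): names of rules with no justification or approver,
    and names of rules whose review date has passed and so should be removed or re-approved."""
    undocumented = [r.name for r in rules
                    if not r.justification.strip() or not r.approved_by.strip()]
    overdue = [r.name for r in rules
               if r.review_by is not None and r.review_by < today]
    return undocumented, overdue


# Constructed sample register: one healthy rule, one past its review date,
# and one that was added without any justification or approval.
SAMPLE_RULES = [
    InboundRule("vpn", 443, "tcp", "any",
                "Staff remote access VPN", "IT Manager", date(2025, 3, 1)),
    InboundRule("temp-sftp", 22, "tcp", "203.0.113.0/24",
                "One-off file transfer for supplier audit", "Finance Director", date(2024, 1, 31)),
    InboundRule("rdp-support", 3389, "tcp", "any", "", "", None),
]

AS_OF = date(2024, 6, 1)   # constructed "today" for the sample run

if __name__ == "__main__":
    undocumented, overdue = review_register(SAMPLE_RULES, AS_OF)
    print("rules lacking justification/approval:", undocumented)
    print("rules past their review date:", overdue)
```

Run periodically (or before the assessment), the two lists are exactly what an assessor asks about: the first is the Q8 gap, the second is the Q9 gap.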

10. Do you have host-based (individual) firewalls on devices which are used on untrusted networks, such as public Wi-Fi hotspots?

If your organisation allows staff to use mobile phones, tablets, laptops and the like then it is important that all those devices are as secure as the main devices in the office.  Each will usually come with a firewall installed by default and it is important the setup of each device meets the security requirements of your main network (since it’s likely you will be allowing them to connect to it).  In particular, it’s essential that any connection to a public Wi-Fi hotspot (for example in a railway station, hotel or coffee shop) is secure, and this can be achieved by using a properly set up software firewall on a phone or tablet.  Some makes of smart phone do this by default and most modern phones can be set up to do this through the settings on the device.

11. Have all unnecessary or default user accounts been deleted or disabled?

The accounts set up on a computer or other devices connected to your network should only be those necessary for business use.  There should not be a guest account (often set up by default on a computer) and there should be no unused accounts.

A system administrator can do this through the control panel on the computer or other device.

12. Have all passwords been changed from default or guessable to something non-obvious?

Passwords are one of the most common weaknesses in the cyber world.  It is critical that they are changed from the default setting (the password set up on the device when it was bought new) and that strong passwords are set.  Strong passwords should contain a mixture of upper case, lower case, numbers and special characters.  It is also important that a password is not a dictionary word or any other recognisable sequence of letters and/or numbers such as ABC123.  Passwords should not be information about yourself which is not too difficult to find or work out, such as a birthday, car registration or post code.

The way passwords are selected and stored is important and it is acceptable to use a respected password manager application.  Most browsers can now be used to store passwords securely.  There are web sites and applications that will assess a password to determine how strong it is and using this to help staff select strong passwords is advisable. For more advice on passwords see the NCSC advice here.

13. Has all software which is unnecessary for your organisation been removed or disabled?

Any software that is not required and used by the organisation should be removed by uninstalling it.  This includes software that might have been used once but is no longer used or, where a new version has replaced an older version, the older version should be removed.  Where it can’t be removed for some reason (perhaps due to licensing agreements), then it should be disabled such that only administrators could run it if necessary and appropriate.  If you are unsure how to uninstall software or to disable its use you may need further technical advice from an expert.

14. Have all auto-run features which allow file execution without user authorisation (for example, when they are downloaded from the Internet) been disabled for all media types and network file shares?

Programs should not be able to run without someone approving them.  This might, on occasion, be a user but more correctly it should be an administrator.  The facility to autorun programs is normally set within the control panel or the equivalent.

15. Are external users authenticated before they are given Internet-based access to commercially or personally sensitive data, or data which is critical to the running of the organisation?

Anybody who can be given access to the network when not in the same physical location should have to provide some confirmation of who they are.  This is done through methods such as two-factor authentication.  This might mean that they have to carry a token or other device which they use to obtain an individual code or PIN to enter the system.  It can sometimes mean sending a text message to their mobile phone (or some other similar method).  The system must not allow anyone to log in without some form of separate identification and authentication.  Setting this type of system up will often require some expert assistance in order to avoid over-complicated or inappropriate systems.

16. Are user accounts controlled through a creation and approval process?

For example: HR manager approval, line manager approval and IT department approval before a new starter’s account is set up.

17. Are users required to authenticate before being granted access to devices and applications, using unique credentials?

Authentication is a second process to ensure that only authorised users gain access to the system. This can be done in a number of different ways. It could be through a combination of passwords and physical access controls such as staff passes. Without a staff pass allowing staff members into a building, people are not able to gain physical access to a system. Alternatively, a token is used to access the system in addition to a password. There are other ways this can be achieved and in each case, it is critical that the authentication details are unique to individual users. There must not, for example, be a general “Temporary Staff” access facility or anything similar used by a number of different individuals. Further technical advice may be needed, to set this up effectively.

18. Are accounts removed or disabled when no longer required?

When staff members leave, their account should be locked to prevent continued access.  After any critical information required for record keeping, auditing or other use has been taken from the account it should either be deleted or disabled.  This should be done by a system administrator through the control panel.

19. Has two-factor authentication been implemented, where available?

Two factor authentication has been discussed previously.  It involves the use of two different means of identifying individuals to provide them with access to the system - or to different parts of it.  It’s not always appropriate or possible to use this method, but senior management should have made a deliberate decision as to where it should be implemented, and where there is no need.

20. Are administrative accounts only used to perform administrative activities?

In practice, this means no emailing, web browsing or other standard user activities (that may expose administrative privileges to avoidable risks) should be undertaken on an administrator account.  An administrator should have a separate, normal user account for everyday activity - such as emailing and web browsing.

21. Are special access privileges removed or disabled when no longer required?

Administrative accounts should be limited to named individuals who have a need to use such highly privileged accounts, to undertake special administrator functions such as creating/deleting users, resetting passwords, changing firewall settings, adding new devices, etc.  There may be certain circumstances when people need special, additional administrative permissions in order to carry out specific tasks or activities.  Those should also be regularly and frequently reviewed (and cancelled or removed as soon as they are no longer needed).  This can all be done through the user account section of the control panel.
22. Do you have either anti-malware software, application whitelisting or application sandboxing on each of your devices?

Anti-malware software (also known as anti-virus or AV software) should be installed on all devices and endpoints, including mobile devices, where they connect to the internet and to the system in scope.  This software will usually include the facility to whitelist software applications.  This is a process whereby any software that’s approved to be used on the system in question is listed, and only that software can be run on the system.  An alternative approach, used by some AV software and manufacturers such as Apple, is that when an application is run it runs in a separate area, quarantined from the rest of the system, a process called ‘sandboxing’.  In either case the idea is to stop unauthorised software packages running on the system.

23. Please provide details of the software used.

This is simply a note of what AV (anti virus) or other related software (scans, whitelisting, etc.) is installed on the system.

24. Is all software installed on computers and network devices in the scope licensed and supported?

There must not be any “pirated” or other unauthorised software on the system.  All software should have a licence and be supported in some way by the supplier even if there is a charge associated with that support.  Freeware or open source software is quite acceptable but it is still under a support contract albeit at no charge and usually with much reduced service level agreement requirements.

25. Are all "critical" or "high risk" software patches applied within 14 days of release?

Patching or updating software is one of the most critical controls.  It is essential that all software patches are installed as soon as practical.  The advice of the National Cyber Security Centre should be followed and this will usually mean patching as soon as the patch is received.  Many software packages will automatically patch and this should be enabled where possible for all software in use.  Users should not be given the choice of patching but should be required to patch as soon as possible.  The NCSC advice can be found here.

Guidance on updating your operating system can be found here.

26. If a vendor releases a patch for multiple issues as a single update which includes any "critical" or "high risk" issues, is it installed within 14 days?

As for the previous question the general policy for patching should be to implement all and every patch as soon as possible after receipt or notification. 

The definition of critical and high risk can be found on the page here 
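To make the 14-day rule in questions 25 and 26 checkable rather than a matter of recollection, here is an added Python example (not part of this guidance) that classifies each update against the window. It treats a combined update as urgent if any issue it fixes is critical or high risk, as question 26 requires. The update names, severities and dates are constructed for illustration.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=14)     # the 14-day window from questions 25 and 26
URGENT = {"critical", "high"}         # severities that start the 14-day clock


def is_urgent(severities: List[str]) -> bool:
    """A combined update counts as urgent if ANY issue it fixes is critical or high risk (Q26)."""
    return any(s.lower() in URGENT for s in severities)


def patch_status(released: date, severities: List[str],
                 installed: Optional[date], today: date) -> str:
    """Classify one update: compliant, late, overdue, due <date>, or not urgent."""
    if not is_urgent(severities):
        return "not urgent"
    due = released + PATCH_WINDOW
    if installed is not None:
        return "compliant" if installed <= due else "late"
    return "overdue" if today > due else "due " + due.isoformat()


def check_estate(updates: List[dict], today: date) -> Dict[str, str]:
    """Apply patch_status to every update in a (constructed) inventory."""
    return {u["name"]: patch_status(u["released"], u["severities"], u.get("installed"), today)
            for u in updates}


# Constructed inventory for illustration only.
SAMPLE_UPDATES = [
    {"name": "browser-118", "released": date(2024, 5, 1), "severities": ["critical"],
     "installed": date(2024, 5, 5)},
    {"name": "os-rollup", "released": date(2024, 5, 1), "severities": ["low", "high", "moderate"],
     "installed": date(2024, 5, 20)},           # bundle with one high-risk fix, applied on day 19
    {"name": "mail-server", "released": date(2024, 5, 10), "severities": ["high"]},
    {"name": "office-suite", "released": date(2024, 5, 25), "severities": ["critical"]},
    {"name": "printer-driver", "released": date(2024, 4, 1), "severities": ["low"]},
]

AS_OF = date(2024, 6, 1)   # constructed "today" for the sample run


def run_sample() -> Dict[str, str]:
    return check_estate(SAMPLE_UPDATES, AS_OF)


if __name__ == "__main__":
    for name, status in run_sample().items():
        print(f"{name:16} {status}")
```

The "late" result for the bundled update is the Q26 point: one high-risk fix inside an otherwise minor rollup still has to be applied within 14 days.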

27. Are systems accessible from the Internet protected against brute-force password guessing by either: A- locking accounts after no more than 10 unsuccessful attempts or B- limiting the number of guesses allowed in a specified time period

When a system is set up to allow people to log in when away, there must be a system in place to stop multiple attempts to gain access.  This can be done in a number of ways but it’s commonly done by limiting the number of attempts at getting a password correct, before the system locks the person out.  Once accounts are locked, there needs to be an adequate way of re-enabling those accounts such that the user is not overly inconvenienced, but that security is not compromised.  This system is best set up by an expert with appropriate technical knowledge in order to reach an appropriate compromise between usability, convenience and security.
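The two options in question 27 (lock after no more than 10 failures, or limit guesses per time period) are shown together in the following added Python example, which is illustrative code rather than part of this guidance or any particular product. The class tracks attempts per account; the clock is injectable so the behaviour can be exercised without waiting, and the `unlock` method is the administrator's re-enabling step the text mentions. The attempt counts and timings are constructed examples.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class LoginGuard:
    """Brute-force protection for an internet-facing login, covering both Q27 options:
    A - lock the account after max_failures consecutive failures (must be 10 or fewer);
    B - allow at most window_limit attempts per account within window_seconds."""

    def __init__(self, max_failures: int = 10, window_limit: int = 5,
                 window_seconds: float = 60.0, lockout_seconds: float = 15 * 60,
                 clock: Callable[[], float] = time.monotonic):
        assert max_failures <= 10, "Cyber Essentials allows no more than 10 unsuccessful attempts"
        self.max_failures = max_failures
        self.window_limit = window_limit
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds   # use float("inf") for lock-until-admin-unlocks
        self.clock = clock
        self.failures: Dict[str, int] = defaultdict(int)          # consecutive failures
        self.attempts: Dict[str, Deque[float]] = defaultdict(deque)  # timestamps in window
        self.locked_until: Dict[str, float] = {}

    def _prune(self, user: str, now: float) -> Deque[float]:
        """Drop attempt timestamps that have fallen out of the rate-limit window."""
        window = self.attempts[user]
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        return window

    def allowed(self, user: str) -> bool:
        """Should a login attempt for this account be processed at all?"""
        now = self.clock()
        if user in self.locked_until:
            if now < self.locked_until[user]:
                return False                 # option A: account is locked
            del self.locked_until[user]      # lock has expired
        return len(self._prune(user, now)) < self.window_limit   # option B: rate limit

    def record(self, user: str, success: bool) -> None:
        """Call after every processed attempt, whatever its outcome."""
        now = self.clock()
        self.attempts[user].append(now)
        if success:
            self.failures[user] = 0
            return
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0

    def unlock(self, user: str) -> None:
        """Administrator re-enables a locked account after confirming the user's identity."""
        self.locked_until.pop(user, None)
        self.failures[user] = 0
        self.attempts[user].clear()


if __name__ == "__main__":
    guard = LoginGuard()
    for attempt in range(7):
        print(f"attempt {attempt + 1}: processed={guard.allowed('demo-user')}")
        if guard.allowed("demo-user"):
            guard.record("demo-user", success=False)
```

Note that the rate limit counts every processed attempt, successful or not, which is what "guesses allowed in a specified time period" implies; only consecutive failures count towards the lockout.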

28. Do you enforce a minimum password length of 8 characters?

This will normally be set up in the security settings for the system.  The administrator will set this up and a satisfactory compromise must be achieved between usability, convenience and security.  Advice on good passwords issued by the National Cyber Security Centre should be followed.

29. Do you enforce a maximum password length?

Once again this will normally be set up in the security settings for the system.  The administrator will set this up and a satisfactory compromise must be achieved between usability, convenience and security.  There should not be a maximum length limitation on passwords, although sometimes there are technical reasons for this being the case.  If there is a limit set this must be fully explained to the assessor.  In general, longer is better.  Advice on good passwords issued by the National Cyber Security Centre should be followed.
30. Are passwords changed when it is suspected they are compromised?

Users of the system must be told to change passwords when they believe that the account or passwords have been compromised.  Advice on changing passwords has been issued by the National Cyber Security Centre in a number of different documents.  They are available here.

31. Do you have a password policy that meets the requirements as set out in Cyber Essentials Requirements: Password Authentication?

You must have a password policy authorised by a senior member of staff that has been implemented effectively across the organisation. 

The password policy is a properly authorised document that must tell users:

  • How to avoid choosing obvious passwords (such as those based on easily-discoverable information like the name of a favourite pet)
  • Not to choose common passwords — this could be implemented by technical means, using a password blacklist
  • Not to use the same password in multiple places, at work or at home
  • Where and how they may record passwords to store and retrieve them securely — for example, in a sealed envelope in a secure cupboard
  • If they may use password management software — if so, which software and how
  • Which passwords they really must memorise and not record anywhere
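The technically enforceable parts of questions 28, 29 and 31 (minimum length of 8, no maximum length, a common-password blacklist, and rejection of easily discoverable personal information or recognisable sequences such as ABC123) can be expressed as one checker. The following is an added Python example, not part of this guidance; the small blacklist and the personal details fed to it are constructed for illustration, and a real deployment would load a published list of common or breached passwords.

```python
from typing import Iterable, List

MIN_LENGTH = 8        # Q28; there is deliberately no maximum-length check (Q29)
SEQUENCE_RUN = 4      # "abcd" or "1234" count as a recognisable sequence

# Constructed illustration of a common-password blacklist (Q31).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein", "abc123", "welcome1",
}


def has_sequence(candidate: str, run: int = SEQUENCE_RUN) -> bool:
    """True if candidate contains `run` alphanumeric characters that each ascend by one."""
    s = candidate.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if chunk.isalnum() and all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def check_password(candidate: str, personal_info: Iterable[str] = (),
                   blacklist=COMMON_PASSWORDS) -> List[str]:
    """Return the policy rules the candidate breaks; an empty list means it is acceptable.
    personal_info holds details an attacker could easily discover (pet name, post code, ...)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in blacklist:
        problems.append("on the common-password blacklist")
    if has_sequence(candidate):
        problems.append("contains a recognisable sequence of characters")
    for item in personal_info:
        item = item.lower().strip()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains easily discoverable information ({item!r})")
    return problems


if __name__ == "__main__":
    # Constructed examples of what a new starter might try.
    for pw in ["abc123", "Rover2015!", "qwerty1234", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, personal_info=['Rover', 'SW1A 1AA']) or 'acceptable'}")
```

The absence of any upper bound on length is intentional and is the Q29 point: the checker accepts a 200-character passphrase as readily as a 12-character one.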

32. Is the software kept up to date, with signature files updated at least daily?

The AV or other similar software should be set to update automatically and this should normally be done on at least a daily basis.

33. Does the software scan files automatically upon access?

When an external storage device such as a USB thumb drive is inserted into a computer or other device it should automatically be scanned for viruses and other malware.  This is a setting in the AV or similar software.  An alternative would be to lock all USB ports so that nothing will work if plugged into them.

34. Are webpages automatically scanned on access through a web browser?

When a user goes to a web page on the internet or elsewhere, the page should be scanned for malware.  This might be done as part of the AV software or may require an additional piece of anti-malware software such as a scanner.

35. Are connections prevented to malicious websites on the Internet, unless there is a clear, documented business need and you understand and accept the associated risk?

Some web sites are deemed unsafe for a number of reasons.  Anti-malware and similar software should stop a user going to those sites.  This can also be achieved by the settings in the browser.  Where there is a good, documented business need to access an insecure web site this can be added to the software or browser as an exception.  The process of defining those web sites which can be accessed by users whilst preventing access to all others, is called Whitelisting.  This process can also be used to define which applications can be run and which cannot.

36. Are only approved applications allowed to run on devices?

This is a further statement that only those applications approved to run on the system, are allowed to do so. It should not be possible to install unauthorised software on the system, nor for any software that installs itself to be allowed to run.  The measures above address this through anti-malware and scanning software and the security settings in the browser. Setting the browser security level can be part of the solution but there are other methods too, including whitelisting as described above.  This may require the assistance and advice of an appropriately experienced technical expert.

37. Does the whitelisting process use code-signing?

This is a way of setting up whitelisting (as described previously).  Code signing requires the software to be approved through the recognition of an approved code signature.  This may require expert help to set up and maintain.

38. Do you actively approve applications before deploying them to devices?

There should be a governance process in place that explains how new software is obtained, tested, approved for use, installed and maintained.  This process should be explained for the assessor.

39. Do you maintain a current list of approved applications?

As a result of the process just described, there should be an approved list of applications that are permitted to be installed and run on the system.  That does not necessarily mean that all the applications should be available and used by all users.  If you are using whitelisting then there will be a common list.
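One concrete form an approved-application list (questions 36 and 39) can take is a list of the SHA-256 digests of the approved executables, so that a file is approved by its contents rather than by its name. The following is an added Python example, not part of this guidance and not how any particular product implements whitelisting; it is hash-based rather than the code-signing approach of question 37. The "applications" are small constructed files written to a temporary directory so the example runs stand-alone.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved: Iterable[Tuple[str, Path]]) -> Dict[str, str]:
    """Map the SHA-256 digest of each approved executable to its approved name (the Q39 list)."""
    return {sha256_of(path): name for name, path in approved}


def is_approved(path: Path, allowlist: Dict[str, str]) -> bool:
    """Only files whose digest appears on the list may run (Q36)."""
    return sha256_of(path) in allowlist


def demo() -> Dict[str, bool]:
    """Exercise the list with constructed files: an approved build, an unknown program, and a
    file carrying the approved program's name but different contents."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved_build = root / "invoicing.exe"
        approved_build.write_bytes(b"constructed approved build 1.0")
        allowlist = build_allowlist([("Invoicing 1.0", approved_build)])

        unknown = root / "freegame.exe"
        unknown.write_bytes(b"constructed unknown program")

        # Same file name as the approved build, but the contents have been changed.
        renamed = root / "other" / "invoicing.exe"
        renamed.parent.mkdir()
        renamed.write_bytes(b"constructed approved build 1.0 plus an unreviewed change")

        return {
            "approved build": is_approved(approved_build, allowlist),
            "unknown program": is_approved(unknown, allowlist),
            "same name, different contents": is_approved(renamed, allowlist),
        }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {'allowed' if verdict else 'blocked'}")
```

Because the list records digests, every approved update produces a new entry and the old one can be retired, which is what keeps the list "current" in the sense of question 39.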

40. Is all code of unknown origin run within a 'sandbox' that prevents access to other resources unless permission is explicitly granted by the user?

Sandboxing is used to put a new piece of software or application inside a secure, logical enclosure that prevents it from accessing or harming other parts of the system.  If there is a need to run new, unauthorised or untested software it should be sandboxed.  If this is not practical for some reason, there must be a clear business need documented and all steps taken to ensure the software is prevented from damaging the system, as far as possible.
