Cyber Essentials is a government-backed, industry-supported scheme designed to provide businesses with a set of measures that help them understand and guard against common forms of cyber-attack. The scheme highlights the five most common issues businesses face and gives a set of basic controls for each. This blog takes a look at the benefits of being Cyber Essentials compliant and how to go about achieving this.
Why be certified?
At its simplest, Cyber Essentials certification shows your organisation is committed to basic safety. Buyers are increasingly cyber-security-conscious and are likely to be assured by a government-backed certification that proves your commitment. By being certified, you demonstrate to your customers, employees, regulators, suppliers and stakeholders that data is safe in your hands, despite the ever-changing IT landscape.
Achieving Cyber Essentials also provides businesses with sound, commercially viable benefits and a competitive advantage, acting as a powerful marketing tool. Insurers, investors and auditors take the certification into account when assessing a business’s risk profile. Cyber Essentials compliance is already a mandatory requirement for all government suppliers and public service contracts, and commercial supply chains outside the public sector have also started to realise that it is in their best interests to work with companies that have at least a basic level of cyber-security.
Privileged Access Management for Cyber Essentials compliance
1. Boundary firewalls and internet gateways
Cyber Essentials states that the default administrative password for any firewall or equivalent network device should be changed to an alternative, strong password. To meet this requirement, the PxM Platform can be used to:
- Change the default administrator password and manage the password lifecycle
- Securely store and encrypt the administrator password
- Use the maximum password complexity supported by the firewall
- Automatically refresh the password in accordance with the organisation’s password management policy
- Inject the privileged password on behalf of the administrator when access to the firewall is required.
Where management of the firewall is outsourced to a third-party organisation, the PxM Platform can also help control access to critical infrastructure. It does this by obfuscating the administrative password, tying access to a valid change ticket, limiting access to a time window, and presenting the third-party administrator with access only to the tasks they are authorised to carry out. Furthermore, the PxM Platform can record third-party sessions, acting as a useful audit tool.
2. Secure configuration
Cyber Essentials requires that systems be configured securely to reduce the level of inherent vulnerability. For example, most computer and network devices come with a standard configuration which includes an administrative account and user accounts, all of which will have standard passwords. These default configurations provide cyber attackers with an opportunity to gain unauthorised access. Cyber Essentials requires that unnecessary administrative accounts be removed or disabled, and that any default password for a user account be changed to an alternative strong password.
The PxM Platform can help secure configuration by automatically scanning and detecting user accounts on all critical infrastructure devices. Accounts are flagged for attention, giving administrators the option to delete, lock, approve or manage those accounts going forward. Moving accounts into a managed status also ensures that the passwords are changed and refreshed to maximum supported complexity.
3. User access control
Cyber Essentials states that companies must control who has access to systems and at what level, paying particular attention to the risk posed by privileged accounts (accounts used to gain access to critical infrastructure). The standard documents seven steps to protect against the misuse of privileged credentials:
- All user account creation should be subject to a provisioning and approval process
- Special access privileges should be restricted to a limited number of authorised individuals
- Details about special access privileges should be documented, kept in a secure location and reviewed on a regular basis
- Administrative accounts should only be used to perform legitimate administrative activities, and should not be granted access to email or the internet
- Admin accounts should be configured to require a password change on a regular basis
- Each user should authenticate using a unique username and strong password before being granted access
- User accounts and special access privileges should be removed or disabled when no longer required or after a pre-defined period of inactivity.
Whilst these steps are achievable, the real challenge lies in meeting them in an effective manner.
Acting as a proxy between administrators and the servers they administer, the PxM Platform is primarily used to store privileged credentials and manage the full lifecycle of passwords, removing the need for passwords to be known, changed and controlled by administrators.
The PxM Platform can also be used to provision and deprovision individual administrator accounts, and access policies can be built to only grant access for specific users to specific accounts.
The PxM Platform’s Privileged Task Automation functionality allows organisations to control administrative access so that only specific, pre-defined and limited tasks can be executed, avoiding granting full direct access to systems.
Because the PxM Platform operates as a proxy for all privileged access, all administrative connections are tracked and audited with the ability to report against exactly who has what access at any given point in time.
Cyber Essentials states that administrative accounts should not be used to gain access to the internet, so to prevent this a dual-account model must be implemented: a standard account for everyday work and a separate privileged account for administration. The PxM Platform builds on this principle by providing the ability to automatically translate from standard to privileged accounts, and vice versa, for a user access session.
The PxM Platform can be configured to grant each privileged user their own unique admin accounts with the associated passwords being refreshed as often as desired. Dormant accounts can be flagged for attention and subsequent removal.
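The account review that the secure configuration and user access control sections describe (flagging default accounts that are still enabled, dormant accounts, stale administrator passwords and administrator accounts with email access) can be expressed as a simple check over an account inventory. The following is an added example written for this post, not Osirium's or the PxM Platform's code; the thresholds, field names and the sample inventory are all constructed for illustration.

```python
# Added example, not Osirium's code: reviews a constructed account inventory against
# the user access control points above (default, dormant, stale-password, admin-with-email).
from dataclasses import dataclass
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)       # hypothetical policy values
ADMIN_PASSWORD_MAX_AGE = timedelta(days=60)
DEFAULT_ACCOUNT_NAMES = {"admin", "administrator", "root", "guest"}

@dataclass
class Account:
    name: str
    privileged: bool
    enabled: bool
    last_logon: date        # date of last interactive logon (creation date if never)
    password_set: date
    has_mailbox: bool       # admin accounts must not have email access

def review(accounts, today):
    """Return {account name: [finding, ...]} for enabled accounts needing attention."""
    findings = {}
    for a in accounts:
        if not a.enabled:
            continue                          # already disabled: nothing to flag
        issues = []
        if a.name.lower() in DEFAULT_ACCOUNT_NAMES:
            issues.append("default account still enabled")
        idle = today - a.last_logon
        if idle > INACTIVITY_LIMIT:
            issues.append("dormant: no logon in %d days" % idle.days)
        if a.privileged:
            if today - a.password_set > ADMIN_PASSWORD_MAX_AGE:
                issues.append("admin password older than policy")
            if a.has_mailbox:
                issues.append("admin account has email access")
        if issues:
            findings[a.name] = issues
    return findings

# Constructed sample inventory, not real data.
TODAY = date(2018, 11, 1)
SAMPLE = [
    Account("administrator", True, True, date(2018, 10, 30), date(2018, 1, 5), False),
    Account("jsmith-adm", True, True, date(2018, 10, 29), date(2018, 10, 1), True),
    Account("jsmith", False, True, date(2018, 10, 31), date(2018, 9, 1), True),
    Account("contractor7", False, True, date(2018, 6, 1), date(2018, 5, 1), False),
    Account("guest", False, False, date(2017, 1, 1), date(2017, 1, 1), False),
]
```

Running `review(SAMPLE, TODAY)` flags the built-in administrator (default name, stale password), the admin account with a mailbox and the dormant contractor account, while the already-disabled guest account and the ordinary user pass.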
As you can see, when access is controlled with Osirium’s PxM Platform, localised instances of malware and even the most sophisticated phishing attempts become blunted. For more information on how the PxM Platform can help you achieve Cyber Essentials certification, download our white paper, or visit us at our IDM ‘18 stand.