The second of the 5 controls – ‘Secure Configuration’ – involves the application and maintenance of the most secure setting on all devices and software in your network. Implementing this control involves taking a proactive approach to the management of your IT system.
Whenever you invest in a new piece of hardware or a software package, the default settings are usually designed to allow unbridled usability and maximum convenience. A device may come with pre-installed programmes that you don’t intend to use, the default ‘admin’ password may be publicly available and it may feature pre-configured user accounts with administrator-level permissions activated by default. In order to achieve Cyber Essentials accreditation, you’ll have to bin all these default settings in favour of more rigorous security standards that consider your business needs while keeping sensitive data secure.
The risks of poor security configuration
Ensuring system configurations are as secure as possible is a task that requires continuous attention. Neglecting systems could lead to security vulnerabilities that cybercriminals will be keen to exploit. A careless approach to system configuration can lead to:
- Unauthorised Changes. If you fail to manage permissions effectively, systems could be changed by individuals within or outside of your organisation. Such changes could result in data loss or present opportunities for hackers.
- Software Vulnerabilities. Poor patch management can provide a path of entry into your network for cybercriminals.
- Security vulnerabilities caused by weak configuration. An attacker could run riot in a poorly configured system by:
  - Accessing confidential, high-value data that features no access restrictions.
  - Taking advantage of overly generous user privileges.
  - Exploiting functionality that is unnecessary.
  - Using equipment such as USB drives to introduce malware or corrupt data.
  - Setting up a ‘back door’ for future attacks.
9 ways to ensure secure system configuration
Implementing the most secure system set-up requires a holistic approach that covers many bases. Here are some key considerations:
- Use Supported Software. Ensure you only use software programmes that continue to be supported by the vendor under the license agreement. If the vendor no longer supports your operating system or a certain piece of software then they won’t be producing patches to close security loopholes.
- Deploy a Patch Management policy. Create policies relating to the installation of security-critical patches and updates. Define the target timeframes for the implementation of fixes so that administrators are compelled to install updates in a timely manner. If a security vulnerability cannot be fixed using a patch, ensure steps are taken to minimise the likelihood of it being exploited.
- Keep a record of all hardware and software used. Create and maintain a database featuring all hardware and software within your network. Record additional information such as physical location, purpose, version and patch status. This inventory can be used to identify underutilised or unauthorised network components.
- Optimise all software for maximum security. Establish a base set of guidelines for the secure configuration of all software. Functionality, applications and services that are not required should be removed and any variation from the ‘base guidelines’ should be noted.
- Run frequent vulnerability scans. Use vulnerability scanning tools on a regular basis to identify and rectify vulnerabilities across all your network devices. Set a target time frame for putting right any vulnerabilities exposed by these scans.
- Restrict the use of removable media and deactivate unnecessary peripherals. If your users don’t require the use of removable storage devices, for example, then prohibit their use by disabling ports. Similarly, if devices are connected to unnecessary peripherals then disconnect these unnecessary devices and uninstall any associated software.
- Create an approved applications list and enforce execution controls. Draw up a ‘whitelist’ of secure, permitted applications – adding and withdrawing items as business needs change. Additionally, implement ‘execution controls’ to prevent the running of software not on the ‘whitelist.’
- Assign configuration privileges to as few employees as possible. Assign permissions based on the level of accessibility that is required to fulfil each job role. Most employees shouldn’t be granted permission to change, install or delete software for example, so such permissions should be reserved for a select few.
- Restrict the functionality of ‘Privileged’ user accounts. This may seem counter-intuitive, but applying email/internet restrictions to an administrative account reduces the opportunity for hackers to achieve network-wide access by attacking a single vulnerability.
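The patch-management and inventory items above only work when the two are joined: the inventory records version, support and patch status, and the policy supplies the target timeframe. The script below is an added example (not code from the original article) that does that join and lists the items needing action; every host, version and date in it is constructed sample data, and the 14-day deadline is an assumed policy value.

```python
# Added example: join a patch-management policy (target timeframe for security
# fixes) with a hardware/software inventory record (version, vendor support,
# patch status) and report the items that breach or approach the policy.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed policy value: security-critical patches go on within this many days.
PATCH_DEADLINE_DAYS = 14

@dataclass
class Asset:
    name: str                       # host or software package from the inventory
    version: str
    vendor_supported: bool          # does the vendor still issue security patches?
    patch_released: Optional[date]  # release date of the outstanding patch, if any
    patched: bool                   # has that patch been applied?

def check_inventory(assets: List[Asset], today: date,
                    deadline_days: int = PATCH_DEADLINE_DAYS) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs for every asset that needs action."""
    findings = []
    for a in assets:
        if not a.vendor_supported:
            # No patch will ever arrive: the fix is replacement or isolation, not waiting.
            findings.append((a.name, "unsupported by vendor: replace or isolate"))
            continue
        if a.patch_released is None or a.patched:
            continue  # nothing outstanding for this asset
        age = (today - a.patch_released).days
        if age > deadline_days:
            findings.append((a.name, f"patch overdue by {age - deadline_days} days"))
        else:
            findings.append((a.name, f"patch due in {deadline_days - age} days"))
    return findings

# Constructed sample inventory and audit date (hypothetical hosts and versions).
SAMPLE_TODAY = date(2024, 3, 1)
SAMPLE_INVENTORY = [
    Asset("hr-laptop-07 (Windows 10)", "22H2", True, date(2024, 2, 1), False),
    Asset("finance-pc-02 (Office 2010)", "14.0", False, None, False),
    Asset("web-01 (nginx)", "1.24", True, date(2024, 2, 25), False),
    Asset("db-01 (PostgreSQL)", "15.6", True, date(2024, 2, 1), True),
]

if __name__ == "__main__":
    for name, finding in check_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"{name}: {finding}")
```

Feeding the script the real inventory database described above, rather than the constructed rows, turns it into the overdue-patch report the policy asks administrators to act on.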
While it may seem a lot to take in, the Secure Configuration control is regarded as a foundation upon which businesses should seek to build more elaborate cyber defences designed to counter more advanced threats. As a key step towards Cyber Essentials accreditation, start a conversation with your IT partner to ensure your network is securely configured.
We save companies time, money, and valuable resources, making sure more than just an internet search is performed before an investment is made. We take the time to understand the business and its requirements, then look at the market and provide options that are fit for purpose and pre-scoped.
Call Us Today: 0113 3720200 or send us an email: enquiries@YorCyberSec.co.uk