The Five Cyber Essentials Controls
Cyber Essentials Technical Key Controls
There are five Cyber Essentials controls that need to be implemented by every organisation seeking Cyber Essentials certification.
The five key controls aim to provide broad cyber security measures for your business, ensuring you maintain protection against the vast majority of common cyber attacks through a combination of technical controls and business policies.
Although Cyber Essentials isn’t intended to protect your company from every possible attack and all cyber criminals, it does aim to protect from a variety of common cyber threats, such as:
- Common attack strategies such as the delivery of malware through phishing
- Account compromise through common techniques, such as brute force password guessing attacks
- Current security threats to your IT systems, which rigorous patch management is intended to address
The following article details each of the five controls that make up the Cyber Essentials scheme and describes how your organisation can implement each control to ensure you can achieve and maintain your Cyber Essentials certificate.
To achieve or maintain your Cyber Essentials Certification, contact our team or review any further information available here.
Firewalls Key Control

The Key Control's Purpose
The firewalls key control aims to ensure that all of your organisation's IT systems have a barrier of protection from the internet, and that this barrier is configured securely so that every Cyber Essentials certified company has a consistent level of protection.
The Key Control's Requirements
- Each of the network devices that are included within your Cyber Essentials scope must be protected by a firewall, which can include your laptops, servers, virtual devices, and cloud services.
- The firewall protection can be implemented using physical firewalls, but it can also be managed through software firewalls for users who often work remotely or from home.
- The firewall in use must be securely configured, which can be managed through the following:
  - Changing default passwords and configuring secure passwords and MFA where possible
  - Restricting access to the administrator interface through the use of MFA or an IP whitelist, which limits the potential for remote administrative access, or disabling all remote administration services
  - Maintaining a list of approved firewall rules, which only allow access to necessary services
  - Blocking all other services that are not part of the approved list
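As an added example (not code from the original article), the following Python script reviews a firewall rule set against the requirements above: every inbound allow rule must match a documented approved service, the remote administration interface must only be reachable from an IP allow-list, and the rule set must end with a deny-all rule so that unlisted services are blocked. The rule names, ports, address ranges and the approved-services list are constructed sample data, not values from any real device.

```python
"""Added example (not from the original article): reviewing a firewall rule
set against the firewall key control. Rule names, ports, addresses and the
approved-services list are constructed sample data, not taken from any device."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port
    source: str           # source address range in CIDR notation
    action: str           # "allow" or "deny"


# Constructed: services the business has documented as necessary (the approved list).
APPROVED_SERVICES = {("tcp", 443), ("tcp", 25)}

# Constructed: the firewall's remote administration interface and the
# IP allow-list from which administrators may reach it.
ADMIN_INTERFACE = ("tcp", 8443)
ADMIN_ALLOW_LIST = [ip_network("203.0.113.0/24")]   # documentation range (TEST-NET-3)


def is_deny_all(rule: Rule) -> bool:
    """True if the rule blocks every protocol and port from every source."""
    return (rule.action == "deny" and rule.proto == "any"
            and rule.port is None and ip_network(rule.source).prefixlen == 0)


def review_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per deviation from the control's requirements."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        service = (rule.proto, rule.port)
        src = ip_network(rule.source)
        if service == ADMIN_INTERFACE:
            # Remote administration must be limited to the IP allow-list.
            if not any(src.subnet_of(allowed) for allowed in ADMIN_ALLOW_LIST):
                findings.append(f"{rule.name}: admin interface reachable from {rule.source}, "
                                "which is not on the IP allow-list")
        elif service not in APPROVED_SERVICES:
            # Every other inbound allow rule must correspond to an approved service.
            findings.append(f"{rule.name}: allows {rule.proto}/{rule.port}, "
                            "which is not on the approved services list")
    # Anything not explicitly approved must be blocked: the set must end in deny-all.
    if not rules or not is_deny_all(rules[-1]):
        findings.append("rule set does not end with a deny-all rule, so unlisted services are not blocked")
    return findings


# Constructed sample rule sets: one with problems, one compliant.
SAMPLE_RULES = [
    Rule("allow-https", "tcp", 443, "0.0.0.0/0", "allow"),
    Rule("allow-rdp", "tcp", 3389, "0.0.0.0/0", "allow"),            # not an approved service
    Rule("admin-from-anywhere", "tcp", 8443, "0.0.0.0/0", "allow"),  # admin interface open to the internet
    Rule("deny-all", "any", None, "0.0.0.0/0", "deny"),
]
COMPLIANT_RULES = [
    Rule("allow-https", "tcp", 443, "0.0.0.0/0", "allow"),
    Rule("admin-from-office", "tcp", 8443, "203.0.113.10/32", "allow"),
    Rule("deny-all", "any", None, "0.0.0.0/0", "deny"),
]

if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print("FINDING:", finding)
```

Running the script against SAMPLE_RULES reports two findings (the unapproved RDP rule and the internet-exposed admin interface), while COMPLIANT_RULES produces none. The same structure works for a rule export from a real device once it has been parsed into Rule objects.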
Secure Configuration Key Control

The Key Control's Purpose
The secure configuration key control aims to ensure all of your IT Systems are configured to a secure standard through the management of your user accounts, software, and device settings.
This allows all of the devices incorporated into the scope of Cyber Essentials to maintain a similar level of protection and avoids weaknesses or holes within your security posture.
The Key Control's Requirements
- All of your devices, virtual devices, and cloud services must be configured with secure settings that are in line with the Cyber Essentials requirements.
- Unauthorised access should be prevented: each of your systems should require user authentication before granting access to the device itself and to private company data and services.
- Your systems should all have appropriate account lockout features enabled, if not relying on MFA, to ensure that repeated attempts by attackers to guess your passwords result in the accounts becoming locked or login attempts restricted.
- Any unnecessary user accounts, which can include default admin or guest accounts, should be removed or disabled where possible.
- All default passwords must be changed to a secure standard, which aligns with the Cyber Essentials Password Requirements.
- Any unnecessary software, which can include default or built-in software provided with the operating system, should be removed or disabled where possible.
- Any devices that include an auto-run feature should have this option disabled, as this allows files to execute automatically without user input, such as when downloading a file from an email attachment or within the browser.
Security Update Management Key Control

The Key Control's Purpose
The security update management key control aims to ensure your devices continue to maintain a consistent level of protection against the latest emerging threats.
As many updates that are released for your operating systems and software contain security fixes to address newly identified vulnerabilities, it is important to apply these updates quickly to avoid a device or account compromise from the most recent security issues.
The Key Control's Requirements
- All of the operating systems and software that are included within the Cyber Essentials assessment must be licensed and supported by the vendor to ensure regular updates will be made available.
- Where operating systems and software become unsupported over time, these must be upgraded to a currently supported version or removed from the scope of assessment through appropriate segmentation controls, as defined in the Requirements for IT Infrastructure document.
- Ideally, automatic updates should be enabled for all of your software and systems, although this is not a necessity if updates can still be consistently applied within the required timeframe.
- Updates that address vulnerabilities that are considered Critical or High-risk must be applied within 14 days after they are released and made available.
User Access Key Control

The Key Control's Purpose
The user access key control aims to ensure that each of the accounts used by your business is configured with secure credentials and is assigned the permissions necessary for its user to carry out their role.
User access controls help to minimise the risk and likelihood of account takeover, which is a frequent goal of cyber attackers.
The Key Control's Requirements
- A controlled and documented method should be in place to create, change, and remove your user accounts, so that authorised individuals approve every account in use.
- Your accounts should only be assigned the permissions necessary for their role, which can include limiting access to software, folders, files, and services.
- Where administrator accounts need to be created, they should be completely separate accounts from those used for day-to-day tasks, such as accessing emails or using a web browser.
- Your users should be educated and trained on the appropriate usage of their accounts. This is particularly important where users have access to an administrator account, as these should only be used for specific and necessary tasks, such as installing software or making configuration changes.
- Each of your accounts should be configured with a unique set of credentials, and these should not be shared or reused within the business.
- Your users should be educated and trained on the importance of selecting secure credentials for their accounts and encouraged to use methods to select secure passwords, such as those defined in the NCSC’s three random words guidance.
- Where MFA options are available, these should be enabled, and for any Cloud Services that are included within the assessment scope, these services must have MFA enabled.
- User accounts should be protected from potential brute force password guessing attacks, where criminal hackers attempt multiple password logins to identify valid credentials. This can be managed through MFA but can also be managed by limiting the number of login attempts that can be made.
- In the unfortunate event that your accounts have become compromised, or you suspect an account compromise, a documented process should be in place that defines how your business can act quickly to disable access to accounts, devices, and systems, limiting the potential impact of a compromise.
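As an added example (not code from the original article), the following Python script replays a constructed authentication log under an account lockout policy of the kind the secure configuration control and the brute force requirement above describe: after a burst of failed logins the account is locked, and further attempts, including one with the correct password, are refused until the lockout expires. The log format, the threshold of 10 failures within 5 minutes and the 5-minute lockout period are assumptions for this example, not values taken from the scheme or from any product.

```python
"""Added example (not from the original article): applying an account lockout
policy to a constructed authentication log, illustrating the brute force
protection described in the secure configuration and user access controls.
The log format, the 10-failure threshold and the 5-minute window and lockout
are assumptions for this example, not values from the scheme or any product."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MAX_FAILURES = 10                        # assumption: lock after 10 failures ...
FAILURE_WINDOW = timedelta(minutes=5)    # ... occurring within 5 minutes
LOCKOUT_DURATION = timedelta(minutes=5)  # assumption: how long the account stays locked

# Assumed log line shape: "<ISO timestamp> auth <success|failure> user=<name> src=<address>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$")


def apply_lockout_policy(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Replay the log in order and decide each attempt's outcome under the policy.
    Outcomes: 'allowed', 'failed', 'locked' (this failure triggered the lock),
    'rejected_locked' (the attempt arrived while the account was locked)."""
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    locked_until: Dict[str, datetime] = {}
    outcomes = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not an authentication event
        ts = datetime.fromisoformat(m["ts"])
        user = m["user"]
        if user in locked_until and ts < locked_until[user]:
            # While locked, even a correct password is refused: that is the point of lockout.
            outcomes.append((ts, user, "rejected_locked"))
            continue
        if m["result"] == "success":
            recent_failures[user].clear()              # a genuine login resets the counter
            outcomes.append((ts, user, "allowed"))
            continue
        # A failure: keep only failures inside the observation window, then add this one.
        window = [t for t in recent_failures[user] if ts - t <= FAILURE_WINDOW]
        window.append(ts)
        recent_failures[user] = window
        if len(window) >= MAX_FAILURES:
            locked_until[user] = ts + LOCKOUT_DURATION
            recent_failures[user] = []
            outcomes.append((ts, user, "locked"))
        else:
            outcomes.append((ts, user, "failed"))
    return outcomes


def summarise(outcomes: List[Tuple[datetime, str, str]]) -> Dict[str, Counter]:
    """Count outcomes per account, e.g. for a daily lockout report."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for _, user, outcome in outcomes:
        summary[user][outcome] += 1
    return summary


# Constructed sample log: eleven rapid failures against one account from one
# address, then a correct login during the lockout; a second account mistypes
# its password twice and then logs in normally. Addresses are documentation ranges.
_BASE = datetime(2024, 3, 1, 9, 0, 0)


def _line(offset_s: int, result: str, user: str, src: str) -> str:
    return f"{(_BASE + timedelta(seconds=offset_s)).isoformat()} auth {result} user={user} src={src}"


SAMPLE_LOG = sorted(
    [_line(i * 5, "failure", "alice", "198.51.100.7") for i in range(11)]
    + [_line(60, "success", "alice", "198.51.100.7")]
    + [_line(10, "failure", "bob", "192.0.2.20"),
       _line(20, "failure", "bob", "192.0.2.20"),
       _line(30, "success", "bob", "192.0.2.20")]
)

if __name__ == "__main__":
    for user, counts in summarise(apply_lockout_policy(SAMPLE_LOG)).items():
        print(user, dict(counts))
```

In the sample, alice's tenth failure locks the account, the eleventh failure and the later correct login are both rejected, and bob's two failures never reach the threshold. MFA, as the requirement notes, is the alternative that removes the need for this counting, since a guessed password alone is no longer enough.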
Malware Protection Key Control

The Key Control's Purpose
The malware protection key control aims to provide an additional layer of protection to each of your systems.
In the event malicious software is able to access your devices, your malware protection measures should prevent the software from being able to run and impact your IT Systems.
The Key Control's Requirements
- Your devices and cloud services included in the Cyber Essentials scope must each be protected by a malware protection measure.
- The protection measure used can be Anti-Malware software but could also be an Application Allow-List.
- Where Anti-Malware software is used, the following standards must also be maintained:
  - Anti-Malware software can only be used for Windows and MacOS devices; other operating systems and phones must rely on an approved Application Allow-List.
  - Built-in operating system software, such as Windows Defender, or third-party software can be used, provided the software fulfils each of the other requirements.
  - It should be kept up to date in line with the vendor's recommendations, which may differ from the 14-day timeframe of the Cyber Essentials scheme.
  - The software must be able to prevent known malware files from executing on your devices.
  - The software should restrict access to malicious websites and web pages.
- Where an Approved Application Allow-List is used, the following requirements must be met:
  - An application allow-list can be maintained for all in-scope devices as an alternative to Anti-Malware software, and is necessary where such software cannot be used, such as on phones.
  - Each application must be actively approved before being installed on your devices.
  - A current, documented list of approved applications must be maintained.
  - Users should be prevented from executing and installing any applications that are unsigned or present invalid signature files.
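As an added example (not code from the original article), the following Python script checks the executables in a directory against a documented application allow-list keyed on SHA-256, so that a renamed or modified binary carrying an approved file name is still caught. The directory, its files and the approved list are all constructed inside a temporary folder for the demonstration; the file names are placeholders, not real applications. Verifying code signatures is platform-specific and is not shown here; the hash comparison is the part a documented list can verify offline on any system.

```python
"""Added example (not from the original article): checking the executables in
a directory against a documented application allow-list keyed on SHA-256, as
the malware protection control's allow-list option requires. The directory,
its files and the approved list are constructed inside a temporary folder;
the file names are placeholders, not real applications."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_against_allow_list(directory: Path, approved: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every file in the directory as approved, modified or unlisted.
    approved maps file name -> SHA-256 of the build that was actively approved.
    Keying on the hash rather than the name means a replaced or tampered binary
    that keeps an approved name is reported as 'modified', not accepted."""
    result: Dict[str, List[str]] = {"approved": [], "modified": [], "unlisted": []}
    for path in sorted(p for p in directory.iterdir() if p.is_file()):
        digest = sha256_of(path)
        if path.name not in approved:
            result["unlisted"].append(path.name)
        elif approved[path.name] == digest:
            result["approved"].append(path.name)
        else:
            result["modified"].append(path.name)
    return result


def demo() -> Dict[str, List[str]]:
    """Build a constructed directory and approved list, then run the check."""
    approved_build = b"constructed bytes of the approved build"
    with tempfile.TemporaryDirectory() as tmp:
        directory = Path(tmp)
        # Constructed files standing in for installed applications.
        (directory / "approved-tool.exe").write_bytes(approved_build)
        (directory / "tampered-tool.exe").write_bytes(b"constructed bytes of a changed build")
        (directory / "unknown.exe").write_bytes(b"never approved")
        # Constructed documented allow-list: name -> hash of the approved build.
        approved = {
            "approved-tool.exe": hashlib.sha256(approved_build).hexdigest(),
            "tampered-tool.exe": hashlib.sha256(b"constructed bytes of the original build").hexdigest(),
        }
        return check_against_allow_list(directory, approved)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

In the demonstration, approved-tool.exe matches its documented hash, tampered-tool.exe is listed but its content no longer matches, and unknown.exe is not on the list at all; the last two are the cases an enforcement tool would block.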
Cyber Essentials vs Cyber Essentials Plus

The Cyber Essentials scheme provides two certification levels, Cyber Essentials and Cyber Essentials Plus.
Although the key controls and security requirements do not change between certification levels, the Cyber Essentials work that a qualified assessor must carry out to verify any provided information does change.
Cyber Essentials involves a self-assessment questionnaire that applicants complete and that a qualified assessor then reviews and grades. The certification therefore relies on applicants providing accurate information about their devices and cyber security measures.
Cyber Essentials Plus can only be conducted after first completing the Cyber Essentials self-assessment questionnaire. The standard involves a series of practical vulnerability tests and a technical audit conducted by a qualified assessor to verify that the information provided in the initial questionnaire is valid and accurate.
As Cyber Essentials Plus involves a series of tests and checks that review the applicant's devices and services, it is considered a more robust form of assessment and is increasingly required by suppliers and organisations to verify a company's security standards.
However, due to the increased level of review and assessment, Cyber Essentials Plus is a more expensive assessment process. Cyber Essentials prices often start around £320, whereas Cyber Essentials Plus can start around £1,500.
Maintaining Cyber Essentials Certification

Cyber Essentials and Cyber Essentials Plus are both annual certification schemes, which require the certification process to be passed once a year.
The ongoing Cyber Essentials requirements ensure that companies continue to apply each of the Cyber Essentials controls to their devices and services as the systems they make use of change over time.
Annual recertification also verifies that the security measures in place still protect the business from the latest developing threats.
Conclusion

The Cyber Essentials controls are part of the UK Government scheme, developed with the National Cyber Security Centre (NCSC) and partnered with the IASME Consortium, to provide an achievable cyber security certification standard that all businesses can align with.
The Cyber Essentials Controls define a minimum baseline of security, which is intended to protect businesses from the majority of all cyber attacks.
The certification is split into two standards, Cyber Essentials and Cyber Essentials Plus. Although the five controls do not change between standards, the method to verify the controls does change.
Companies that implement each of the five controls gain the following benefits for their business:
- Reduced risk, through protection methods that address the vast majority of cyber attacks
- The right to use the Cyber Essentials logo and branding material to advertise that they maintain a strict set of cyber security standards
- Evidence that they have taken proactive action to secure their business and data from the most likely cyber attacks
- The ability to procure additional business by meeting supplier requirements for security standards to be in place
- Eligibility to bid on additional government contracts that require the Cyber Essentials scheme to have been passed
If you have any further questions about different cyber security solutions or the Cyber Essentials certification programme, our consultants are available to address any concerns you may have.