Introduction
Having securely configured devices is a key component of cyber security best practice. This reduces risk and aims to ensure devices are not vulnerable to attack. Whether an organisation is pursuing Cyber Essentials, Cyber Essentials Plus, or just looking to be secure, having a secure configuration for devices is a crucial step. In this article we explain why secure configurations are so important, set out considerations and key notes, give tips and recommendations, and review an example scenario to show how the Cyber Essentials requirements can be applied.
Why Secure Configurations Are Important
Default configurations are not always secure. Standard (out of the box) configurations can include many weaknesses, including default passwords, unnecessary user accounts, and pre-installed / unused applications – these can allow attackers to gain unauthorised access. By applying some simple technical controls, it’s possible to reduce these risks and protect against common types of attacks.
Secure Configuration in Cyber Essentials
To meet Cyber Essentials certification requirements, organisations must regularly:
- Remove/disable unnecessary user accounts, such as guest and administrative accounts that are not being used
- Change any default or guessable passwords, to a unique and secure alternative
- Remove or disable unnecessary software, including applications, utilities, and services
- Disable auto-run / auto-play functionality, to prevent malicious software from running automatically and without user interaction
- Ensure users are authenticated before allowing them access to organisational data and services, to restrict access to authorised personnel
- Ensure appropriate device locking controls, to restrict access when someone is physically present
Considerations and Key Notes
When reviewing secure configuration of devices, please consider:
- Default passwords are major security risks – attackers use these all the time
- Easy to guess and reused passwords are a major security risk – attackers try to use these too
- Unnecessary or unused software should be removed to reduce risk and to reduce the ongoing maintenance needed to keep it up to date
- Stopping auto-run / auto-play is important for downloads too – it reduces the risk of malicious software running automatically
- Biometric controls (like face-id) are considered to be much more secure than using standard passwords alone – passwords can be guessed and/or stolen
- Implementing ways to slow down and block password guessing helps stop hackers: ‘throttling’ (delaying login prompts) and ‘device lockouts’ (fully locking devices if a number of failed attempts takes place) really help
Key Notes
- Ensure ‘throttling’ the rate of login attempts (so the wait time increases) and/or device locking (after no more than 10 failed attempts) is configured for each of your devices. If the vendor does not allow this configuration, ensure the vendor default settings are in place
- If using a PIN to unlock a device, ensure the PIN is a minimum of 6 characters
Example Scenario
Organisation ABC are using Windows laptops to access organisational data.
- For Organisation ABC, the focus is on the secure configuration of Windows laptops
- Check and remove unused and/or unnecessary software
- Check local user accounts – disable any that are not required or are not being used
- Ensure unique accounts are available to all users – no accounts being shared
- Check and change any default passwords that may be in place
- If local accounts are being used, check throttling / lockout settings
- Make sure the ‘autoplay’ setting is turned ‘off’ – consider this for all software (including operating system and browser)
- Check ‘screen lock’ settings to ensure automatic locking of the device after a set time
- Use ‘Windows key + L’ to lock the screen when you are away from the device
- Set the laptop up with biometrics, a PIN of at least 6 characters, or a password of at least 12 characters (if not using multi-factor authentication or a way to block common passwords)
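The checks in this scenario can be gathered from one laptop with a read-only script. This is an added example, not code from RB Consultancy Ltd or the Cyber Essentials documents; it assumes an elevated PowerShell session, local (not domain) accounts, and a temporary file name chosen here for illustration.

```powershell
# Added example: read-only audit of one Windows laptop against the checks above.
# Thresholds (10 failed attempts, 12-character password) are the ones in this article.
$findings = New-Object System.Collections.Generic.List[string]

# Local accounts: flag enabled built-in accounts and accounts that look unused.
foreach ($u in (Get-LocalUser | Where-Object Enabled)) {
    if ($u.SID.Value -match '-50[01]$') {          # RID 500 = Administrator, 501 = Guest
        $findings.Add("Built-in account '$($u.Name)' is enabled: confirm it is needed")
    } elseif (-not $u.LastLogon) {
        $findings.Add("Account '$($u.Name)' has never logged on: disable if unused")
    }
    if (-not $u.PasswordRequired) {
        $findings.Add("Account '$($u.Name)' does not require a password")
    }
}

# Lockout and password length: export the local security policy and read it.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'      # file name is an assumption
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$policy = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^(\w+)\s*=\s*(.*)$') { $policy[$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $cfg

$lockout = [int]$policy['LockoutBadCount']         # 0 means accounts never lock out
if ($lockout -eq 0 -or $lockout -gt 10) {
    $findings.Add("Lockout threshold is $lockout: set it to 10 failed attempts or fewer")
}
if ([int]$policy['MinimumPasswordLength'] -lt 12) {
    $findings.Add('Minimum password length is below 12: check MFA or common-password blocking is in place')
}

# AutoPlay: off either by machine policy (0xFF = all drive types) or by the user setting.
# HKCU is the hive of the account running this script, not necessarily the laptop's user.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
$usr = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers' -ErrorAction SilentlyContinue
if ($pol.NoDriveTypeAutoRun -ne 255 -and $usr.DisableAutoplay -ne 1) {
    $findings.Add('AutoPlay is not turned off by policy or by the user setting')
}

# Screen lock: machine inactivity limit in seconds (missing or 0 = no limit enforced).
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if (-not $sys.InactivityTimeoutSecs) {
    $findings.Add('No machine inactivity limit is set: check the screen lock timeout')
}

if ($findings.Count) { $findings } else { 'No findings' }
```

The script changes nothing on the device; each finding is a prompt for a manual review against the list above.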
Tips and Recommendations
- Regularly review and remove unused software
- Consider vulnerability assessment and/or patch management tools to help automate systems checks for vulnerabilities – and address findings
- Turn on features like face-id and biometrics to unlock devices
- Change the default password on ISP routers
- Seek guidance and support from an NCSC Cyber Advisor (such as RB Consultancy Ltd) for implementation of the technical controls
For more detailed guidance, review the IT Requirement for Infrastructure document and/or visit the IASME knowledge hub for Cyber Essentials.
How We Help
At RB Consultancy Ltd we support organisations to improve cyber security and to meet Cyber Essentials and Cyber Essentials Plus requirements. As NCSC assured service providers and an IASME certification body:
- We explain the importance of secure configurations
- We help ensure devices are set up securely
- We explain why the Cyber Essentials questions are being asked and how they intend to protect organisations in different ways
- We ensure secure configuration settings and processes align with Cyber Essentials guidelines
- We assess and issue organisations with Cyber Essentials and Cyber Essentials Plus certifications
Conclusion
Secure configurations are a critical component of cyber security and Cyber Essentials certification, helping to protect your business from cyber threats. Insecure configurations can leave your organisation vulnerable. By implementing best practices and ensuring compliance with Cyber Essentials technical controls, organisations can significantly reduce their cyber risk. If you need any assistance with secure configuration settings, or Cyber Essentials / Cyber Essentials Plus certification, please contact us for support.
Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional and cyber advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials, IASME Cyber Assurance, and has many years' experience in IT and cyber security. Remo has a history of supporting organisations from all over the world – including a Fortune 500 company in the USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only and should not be taken as legal advice.