RESOURCE HUB

Penetration testing, put simply, is a general term referring to the practice of getting the 'good guys' to hack into your systems before the 'bad guys' find the same weaknesses. To learn more about Penetration Testing, why you should Penetration Test and what to test first, please download the testing brochure here.

The auditing and testing of information security is a challenge for most organisations, even those with established penetration testing.
In this Blue Paper, you will learn:
- How to establish the best testing programme for your environment
- The different types of testing
- Reasons why you should test your security

With many organisations changing how they operate, there has been a significant move to remote working and additional reliance on technology. Now more than ever, companies are seeing the need to employ a Chief Information Security Officer (CISO). However, finding a CISO in this climate is tough; they are hard to come by and, if you can find them, can be very expensive too. The alternative is to consider the services of a Virtual Chief Information Security Officer (vCISO). Our virtual CISO is there to assist across a wide variety of senior management activities, including:
- Assessing current risks
- Supplier management
- Briefing stakeholders
- Assessing technical and process compliance
- Formulating policy and process
- Training and awareness
- Certification management
- Assessing new projects and technologies
- GDPR advice
- Security service scoping and supplier selection

Cyber security is now firmly on the priority list for all organisations, either through their own history of breaches or seeing the impact they have on others.
As the cyber (and information) security field is now over two decades old, many lessons have been learned over the years, and many of these are reflected in an ever-growing list of standards and certifications. So, where do you start? Read our brochure to learn where to start and which standards and certifications you need for your business, including Cyber Essentials, ISO 27001, PCI DSS and GDPR.

We have now all seen how a cyber security breach can cripple IT systems, and destroy organisational and individual management reputations. Therefore, it is important that senior management understand how well they are protected. Due to the technical nature of cyber security, all too often management feel in the dark about whether their protection is effective or not.
Cyber security presents many challenges to management. It is a new, fast-changing area of organisational risk, with few people who understand it; of these people, even fewer can communicate effectively to senior management.
ECSC's Cyber Security Review is designed to assess the key aspects of your IT security related infrastructure, processes and technical management capabilities, and balance these against the cyber threats that are most relevant to your business. Download our brochure for more information.

Cyber Essentials is a cyber security standard introduced by the UK government that aims to provide organisations, particularly smaller ones, with pragmatic and cost-effective protection against the most common cyber security threats.
In this Briefing, you will learn:
- The difference between Cyber Essentials and Cyber Essentials PLUS
- Frequently asked questions about the assessment process

ISO 27001 is an internationally recognised standard that sets out a best practice framework for an Information Security Management System (ISMS), helping organisations to protect important information by identifying risks and implementing relevant controls.
In this Blue Paper, you will learn:
- The importance of ISO 27001 to all organisations
- What to consider when implementing ISO 27001:2013
- Simple methodologies to meet your security requirements head on

In this Blue Paper, you will learn:
- The benefits of developing an ISMS using ISO 27001
- How regulatory compliance can provide a competitive advantage
- How ISO 27001 can help you measure risk

In this Blue Paper, you will learn:
- How information security fits in the management structure
- What questions to ask your IT department
- Where to start with improving your information security

In this Blue Paper, you will learn:
- The activities that are needed to ensure a functioning ISMS
- Advice on personnel and culture in relation to the ISMS
- Common challenges of implementing an ISMS

Learn how compliance with ISO 27001 can help your organisation during alignment to the new GDPR regulations.
In this briefing you will learn:
- Which organisational and technical controls in ISO 27001 relate directly to GDPR requirements
- How ISO 27001 suggested controls and processes can help in other areas of GDPR compliance

In this Blue Paper, you will learn:
- The mandatory clauses of the standard
- An explanation of the new controls
- Information on modified and removed controls

While implementing ISO 27001 does take a large degree of effort from across an organisation, it can be easily achieved within desired timescales if properly planned and implemented well. This document aims to cover some of the more common pitfalls that we have seen organisations fall into, leading to significant delays and sometimes complete failure of implementation projects.


We have all seen how a cyber security breach can cripple IT systems, and destroy organisational and individual management reputations. So, when you suffer an incident, an immediate, calm, incident response, and expert management guidance is essential. When an incident hits, time is of the essence to limit the damage.
As you will understand, each incident is unique and requires a different response. However, with almost two decades of experience, ECSC has encountered the full range of attack scenarios, and has up-to-date knowledge of the latest attack trends. Read our brochure on Incident Response for insights into how to tackle an incident, understanding your risks and how we could help.

Recommended reading for all organisations looking to move, or having already moved, traditional IT systems and services 'into the Cloud'. We will help you understand the risks, and how to manage them to avoid a costly cyber security breach, which can include ICO fines, reputational damage and even loss of trading.

This ECSC Blue Paper is designed to help non-technical senior managers, directors and business owners, both understand the cyber security risks inherent in many IT cloud services and identify potential improvements.

Cyber security incidents can emerge and escalate rapidly. Therefore, it is sensible to prepare and test a plan for how you deal with incidents, both from a technical and management perspective.
Want to test your business? ECSC Group plc and Broadcast Media Services Ltd (BMS) support clients during major incidents and, together, we have designed a range of exercises. Download for more information.

Understand how outsourcing your cyber security management to a specialist Security Operations Centre could benefit your organisation.

Your external Internet-facing systems, and perimeter network devices, are the first point of attack for many security breaches. They are subject to constant automated probing by hackers, looking for weaknesses either from misconfigurations or vulnerabilities.
So, how do you know what the hackers are seeing, and whether you look vulnerable and are therefore at immediate risk? Read our brochure to learn more.

Before you can even think about effectively managing a potentially damaging cyber security breach, it is worth simply understanding what your detection capabilities really are.
Our brochure explores:
- How to deal with a security breach
- Knowing how secure you are
- Finding technologies that deliver
- Recruiting and retaining the right expertise
- Detecting cyber security breaches
- Achieving cyber security standards

Protective monitoring or Security Information and Event Management (SIEM), is now considered an essential element of IT security provision. Results from security breach investigations show that ascertaining the nature of the breach is difficult without sufficient event data. In addition, if security event collection is accompanied by appropriate monitoring and alerting, the breach could have been detected and contained, or even prevented. Protective monitoring is an important element of your IT security protection and the prevention of a damaging incident. Download our brochure to find out more.

This 10 minute guide has been designed to help you understand SIEM, irrespective of your software choice.
Each ECSC Management Guide is carefully authored for a management audience, and designed for both the technically knowledgeable and also senior managers with an interest, but not necessarily a deep technical background.

The world of cyber security breach detection and response is fast-moving and filled with new marketing terminology - often used to describe old, or unproven, technology. So, it is worth understanding a little of what options are available and the latest trends.
By downloading this brochure you will learn how Nebula could enhance the cyber security of all organisations, regardless of size, existing technologies or budget.

To learn more about Nebula in detail, and discover the best fit for your organisation, please download the service specification guide here.

In this Blue Paper, you will learn:
- What is Self Assessment?
- Detail on each questionnaire
- The different types of questionnaire available

The standard applies to anyone storing, processing, or transmitting debit and credit card data. This brings not only merchants, but a wide range of service providers, within the scope of the standard. The standard is primarily enforced by the acquiring banks, to whom merchants ultimately send their transactions and from whom they receive payment.
This Blue Paper is intended as an introductory document to help you understand the Payment Card Industry (PCI) Data Security Standard (DSS). The comments and advice are based on extensive consulting experience, and are designed to guide you in meeting the requirements of the standard, or in making use of it.

The Payment Card Industry Data Security Standard (PCI DSS) was published over 5 years ago, and in that time has undergone a series of revisions as technology and information security best practices have developed.
In this Blue Paper we highlight how the latest version of the standard (PCI DSS version 3.0) has changed from previous versions, and look at the implications the changes may have on your organisation. You will learn:
- How to define your scope
- The implications of your usual business practices
- How to transition to the new version of the standard

PCI DSS is an Information Security standard which you MUST adhere to if you handle credit or debit cards as part of your business operations.
In this Blue Paper, you will learn:
- Who does and doesn't need to be PCI compliant
- Determining your level of compliance
- How to implement the standard with minimum complexity

Processing payment cards (credit or debit), is an essential function for many organisations. With card details being a particular target for criminals, your IT security must be high. PCI DSS was established in response to feedback from forensic investigations that follow breaches of card data.
The contents of the standard are a set of preventive measures that, if followed correctly, should prevent you from suffering a costly breach. This paper explores the difficulties when establishing a PCI DSS compliant environment and why outsourcing may be the best solution.

For organisations that handle payment card data, meeting all the requirements of PCI DSS is a significant challenge. Numerous technologies are available to outsource payment processing, which removes the need to meet many of these requirements. But, where this is not an option, it is extremely important to determine the areas of technology, policy and process to which the standard applies. This is known as the SCOPE. This paper explores the SCOPE and meeting the twelve Requirement sections of PCI DSS.

Breaches of customer card data are significant cyber incidents, treated seriously by the related banks, card brands and regulatory authorities. These incidents can lead to direct fines under Payment Card Industry Data Security Standard (PCI DSS) enforcement and GDPR fines from the Information Commissioner's Office (ICO) or equivalents across the EU.
Download our briefing document for more information on Payment Card ADC and how ECSC could help.

In this Blue Paper, you will learn:
- How large organisations can develop a global ISMS
- What are the key decisions required as part of implementing an ISMS
- Guidance on creating documentation

Presenting IT services to the Internet, whether hosted locally or within dedicated data centres, brings with it significant IT security risks. Many organisations are now realising that to comply with the required level of security, the architecture, configuration and ongoing management of hosted systems also requires a level of skill and experience that you may not have in-house.
This paper explores how using an experienced, and trusted, Managed Security Service Provider (MSSP) can give you a level of security design, configuration, and monitoring that only the largest organisations can afford to recruit and retain.

Assessing your current level of security, and deciding whether this is appropriate, is technically challenging - and that is why most people accept the need to involve a specialist third-party organisation to do this via 'penetration' testing. Many organisations are now realising that to comply with the required level of security, the architecture, configuration and ongoing management of hosted systems requires a level of skill and experience that you may not have in-house.
Managed gateway solutions can take many forms, depending upon your requirements. In some cases, ECSC will design and commission the full gateway security architecture, helping you build an environment to meet your exact specification. This may involve firewalls, remote access, web and email filtering, intrusion detection systems, together with log analysis and alerting. Read our paper to find out more.

A fully managed security service from ECSC Group plc (ECSC) comes with the most comprehensive Service Level Agreement (SLA) in the industry. With ECSC you get much more than a single time limit on a 'response' that can be delivered by unqualified off-shore personnel. This document acts as a guide to your Standard SLA, and helps you understand how it relates to the day-to-day service you receive from the Security Operations Centre (SOC).

An Intrusion Detection System (IDS) is, as the name implies, an efficient and effective mechanism to detect attacks and malicious activity on your internal network. This ECSC Management Guide is designed to help you understand the critical elements in developing and maintaining an effective IDS.

A Web Application Firewall (WAF) is, in our experience, the most important layer of defence against a wide range of attacks on your Internet-facing websites. Our quick 10 minute guide to protecting your web services explains what you need to consider to keep your servers secure.

Ariel, from the ECSC Group plc, gives you managed security and network event logging, analysis, alerting, and incident response. Ariel brings together log collection, archiving, analysis, and correlation, backed by security expertise. We make sense of complex data from a wide range of sources, and give you meaningful information so you can take necessary action.
This is a fully managed ECSC service, tailored to your risk profile, systems, and network environment, and encompassing all system updates, configurations, and ongoing management, analysis and reporting. Download this brochure to learn more.

Titania, from ECSC, gives you protection and performance management designed to protect systems exposed to the Internet. Titania is the direct descendant of the WAF solutions deployed by ECSC since 2000, that successfully blocked the first Internet worms 'Code Red' and 'Nimda'. Download this brochure to learn more.

Umbriel, from ECSC, gives you PCI DSS authentication and access control and allows ECSC to deliver solutions as a PCI DSS Level-1 Service Provider. Extended features include the management of time synchronisation, log review and File Integrity Monitoring (FIM). Download this brochure to learn more.

Understand the common misconceptions and grey areas around the new GDPR regulations and learn how these can be debunked.
In this briefing you will learn:
- What are the key milestones that are required to achieve compliance with GDPR
- Which documents and policies you are required to have under GDPR

This short ECSC Blue Paper is designed to guide you through the risks, good security principles, and defensible approach to managing the risks associated with home working.
Welcome to #6 in a series of helpful tips, should you ever find yourself victim of a cyber incident. Based on over 20 years of cyber incident response work, for clients of all sizes and sectors, ECSC is available 24/7/365 when you need it most.
Will Your Insurance Pay Out?
It is a good question, and you can only be sure by examining the terms of your policy.
As a warning, here are some exclusions we have come across that should raise alarm bells:
1. 'a hacker who specifically targets you alone' - does this mean you aren't covered when the latest outbreak affects thousands of systems?
2. 'any failure by a cloud/infrastructure provider' - your 'cloud first' strategy is now outside of your insurance.
3. 'any individual hacker within the definition of you' - legal speak for you not being covered for the insider threat.
4. 'the use by you of any software or systems that are unsupported by the developer' - oh dear, that single Windows XP device has just invalidated your insurance.
5. 'acts of foreign enemies, terrorism, hostilities or warlike operations (whether war is declared or not)' - if their loss adjusters (sorry, incident responders) find a source IP from Russia they might not pay!
If you think you'd benefit from the ECSC experts by your side when you need them most, then the easiest solution is a low-cost Incident Response Retainer, giving you access to 24/7/365 remote and on-site guidance, advice and support. Additionally, all Incident Response Retainer Clients receive a 20% discount on our Incident Response rates.
To learn more please download our brochure here or call the team on 01274 736 223.
Welcome to #5 in a series of helpful tips, should you ever find yourself victim of a cyber incident. Based on over 20 years of cyber incident response work, for clients of all sizes and sectors, ECSC is available 24/7/365 when you need it most.
Watch your Anti-Virus
You may think that a virus (or other malware) being detected and wiped from a device is a pretty routine event. You might be right.
However, you may have just made the biggest mistake in your cyber security career, and you have in fact, just failed to spot a breach in progress that will become ransomware in the next 24 hours.
If you think about how a virus is introduced onto an IT system, it is usually linked to user behaviour, such as:
- visiting a dodgy website
- opening an even dodgier email attachment
- plugging in an untrusted (personal) device
So, when you see a virus being detected (and removed) by your AV, you might view this as normal and give it minimal attention. You'd be wrong.
Important check - context. Is it a 'user' device?
A virus removed from your Domain Controller in the middle of the night will likely not fit in the pattern or 'user' behaviour above. So, what has actually happened is that a hacker, already on your systems, is just being lazy and trying to compromise your domain with well-known malware to gain full administration access. Certainly not routine.
The lesson - check all AV malware removal from IT devices more carefully in future.
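The context check above (which device, what time, what kind of malware) can be made systematic. The following is an added example, not ECSC's code or tooling: it triages a handful of constructed AV removal events by host role, time of day and detection type, and then groups escalated events that fall within a few minutes of each other, which is the pattern of several machines being 'cleaned' while an attacker is already inside. The log format, host inventory, business hours and scoring rules are assumptions for illustration.

```python
"""Context-aware triage of anti-virus 'malware removed' events (added example)."""
import re
from datetime import datetime, time, timedelta

# Constructed host inventory (hostname -> role). In practice this comes from
# AD or a CMDB; hosts that are not listed are treated as unknown and escalated.
HOST_ROLES = {
    "DC01": "domain_controller",
    "FILESRV02": "server",
    "LAPTOP-JSMITH": "workstation",
    "LAPTOP-AKHAN": "workstation",
}

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed local working day

# Constructed AV events in an assumed "timestamp key=value ..." format.
SAMPLE_LOG_LINES = [
    r"2024-03-11T09:12:44 host=LAPTOP-JSMITH action=removed threat=Adware.Generic path=C:\Users\jsmith\Downloads\setup.exe",
    r"2024-03-11T19:30:10 host=LAPTOP-AKHAN action=removed threat=Trojan.Downloader path=C:\Users\akhan\AppData\Local\Temp\inv.js",
    r"2024-03-12T02:41:07 host=DC01 action=removed threat=HackTool.CredDump path=C:\Windows\Temp\m.exe",
    r"2024-03-12T02:43:55 host=FILESRV02 action=removed threat=HackTool.RemoteExec path=C:\Windows\Temp\p.exe",
    r"2024-03-12T02:44:12 host=DC01 action=quarantined threat=HackTool.CredDump path=C:\Windows\Temp\m2.exe",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>\S+) "
    r"threat=(?P<threat>\S+) path=(?P<path>.+)$"
)


def parse_events(lines):
    """Parse log lines into dicts with a datetime 'ts'; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def triage(event, roles=HOST_ROLES, hours=BUSINESS_HOURS):
    """Return (priority, reasons) for one AV event.

    priority is 'routine', 'review' or 'urgent'. The rules are illustrative:
    a domain controller is always urgent; otherwise two or more warning signs
    (server, unknown host, out of hours, hacking tool, system directory)
    make it urgent and one makes it worth a review.
    """
    reasons = []
    role = roles.get(event["host"], "unknown")
    if role == "domain_controller":
        reasons.append("detection on a domain controller")
    elif role == "server":
        reasons.append("detection on a server, not a user device")
    elif role == "unknown":
        reasons.append("host not in inventory")
    start, end = hours
    if not (start <= event["ts"].time() < end):
        reasons.append("outside business hours")
    if event["threat"].lower().startswith("hacktool"):
        reasons.append("hacking tool rather than commodity malware")
    if event["path"].lower().startswith("c:\\windows\\"):
        reasons.append("dropped into a system directory")
    if role == "domain_controller" or len(reasons) >= 2:
        return "urgent", reasons
    if reasons:
        return "review", reasons
    return "routine", reasons


def cluster_escalations(events, window=timedelta(minutes=15)):
    """Group non-routine events whose timestamps fall within 'window' of the
    previous one; several hosts cleaned in the same few minutes suggests a
    single intrusion rather than unrelated user mishaps."""
    escalated = sorted((e for e in events if triage(e)[0] != "routine"),
                       key=lambda e: e["ts"])
    clusters = []
    for ev in escalated:
        if clusters and ev["ts"] - clusters[-1][-1]["ts"] <= window:
            clusters[-1].append(ev)
        else:
            clusters.append([ev])
    return clusters


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG_LINES)
    for ev in events:
        priority, reasons = triage(ev)
        print(f"{ev['ts']:%Y-%m-%d %H:%M} {ev['host']:14s} {priority:8s} {'; '.join(reasons)}")
    for cluster in cluster_escalations(events):
        hosts = sorted({e["host"] for e in cluster})
        print(f"cluster of {len(cluster)} escalated events across {hosts}")
```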
If you think you'd benefit from the ECSC experts by your side when you need them most, then the easiest solution is a low-cost Incident Response Retainer, giving you access to 24/7/365 remote and on-site guidance, advice and support. Additionally, all Incident Response Retainer Clients receive a 20% discount on our Incident Response rates.
To learn more please download our brochure here or call the team on 01274 736 223.
Welcome to #4 in a series of helpful tips, should you ever find yourself victim of a cyber incident. Based on over 20 years of cyber incident response work, for clients of all sizes and sectors, ECSC is your ideal partner when you need it most.
Disconnecting Yourself!
You are in the middle of a suspected breach. Your retained experts (you should have this in place) advise you to shut off your Internet connection(s) immediately.
Do you have the guts to ask for forgiveness rather than permission? You could be the hero, or perhaps the one out of a job? So, you play it safe by escalating up to the appropriate levels of management. Depending upon the day, time and availability of key management, this may take hours or even days...
Hackers are quicker than this, and ransomware is everywhere...
Additionally, having received the relevant permission, are the required administrators available? During one of our incident responses, the client's firewalls were outsourced to a global provider, who 'helpfully' said they could respond 'within the 3-day firewall change SLA'. This needed a 3-minute response. Luckily, already being on-site, we could step in.
So, the key here is to have pre-authorised permission for the people in your organisation with the right knowledge and understanding to instigate an Internet disconnect. Along with having people available who have the access and skills to make it happen.
If you think you'd benefit from having ECSC experts by your side when you need them most, then the easiest solution is a low-cost Incident Response Retainer, giving you access to 24/7/365 remote and on-site guidance, advice and support.
To learn more, please read our brochure here or call the team on 01274 736 223.
Welcome to #3 in a new series of helpful tips, should you ever find yourself the victim of a cyber incident. Based on over 20 years of cyber Incident Response work, for clients of all sizes and sectors, ECSC is your ideal partner when you need it most.
The Dangers of Automated Response!
If you are well informed, with the bitter experience to match, you will know that systems that promise an 'automated' response to a breach are perhaps more effective in the vendor demo video than in real life. The first time a critical system (or a Director's laptop) is disabled, the system is turned off for good.
However, there is a much more dangerous consequence of automated response.
Let's say your latest end-point security solution (no names here), promises to remediate all breaches to make your life easier. So, you have a breach, all works wonderfully and the software stops the breach. You sleep easy.
However, where is the attack vector leading to this compromise? Was the attacker already on your network, and have you just blocked one part of the attack? Having seen this automated response, the attacker just varied their route and tactics, and your domain controllers are now being compromised prior to a major ransomware deployment. Has your 'successful' automated response made you complacent?
In reality, response needs an expert human component to really understand the context of the breach and whether a wider response is needed.
If you think you'd benefit from having ECSC experts by your side when you need them most, then the easiest solution is a low-cost Incident Response Retainer, giving you access to 24/7/365 remote and on-site guidance, advice and support.
To learn more, please read our brochure here or call the team on 01274 736 223.
Welcome to #2 in a series of helpful tips, should you ever find yourself victim of a cyber incident. Based on over 20 years of cyber incident response work, for clients of all sizes and sectors, ECSC is available 24/7/365 when you need it most.
So, are backups actually your vulnerability?
The better your backups, the more vulnerable they are.
Today we are discussing ransomware, and the typical attack methodology. To make it more likely that you are forced to pay, the hackers will target your backups before they deploy ransomware. They are looking to delete/encrypt/disrupt your backup systems to make recovery impossible.
So, if you have a shiny new backup system, permanently connected, integrated into your Windows domain and doing fancy replication and backup, then the likelihood is you're in trouble. You've made the hackers' lives easier, as the backups are a simple hop away from the domain controllers to which they have just gained full administrative access.
However, that old and quite embarrassing backup system, with tapes in the cupboard, is immune to attack. That ancient grandfather-father-son system of tape rotation is likely to ensure you always have a recovery solution.
The key point here is to ensure you always have off-line copies; system and data backups that the hacker cannot access prior to ransomware deployment.
If you think you'd benefit from the ECSC experts by your side when you need them most, then the easiest solution is a low-cost Incident Response Retainer, giving you access to 24/7/365 remote and on-site guidance, advice and support. Additionally, all Incident Response Retainer Clients receive a 20% discount on our Incident Response rates.
To learn more, please read our brochure here or call the team on 01274 736 223.
Welcome to the first in a new series of helpful tips, should you ever find yourself victim of a cyber incident. Based on over 20 years of cyber incident response work, for clients of all sizes and sectors, ECSC is available 24/7/365 when you need it most.
Ransomware's Biggest Secret
We all (think we) know what ransomware does - the hacker has gained administrative access to your critical IT systems, encrypts them, and demands a conversation regarding the cost of decrypting them. Your operation is crippled, your organisation faces financial disaster, and you find yourself updating your CV.
You hope you can recover your systems, and/or data, from backup and therefore don't have to pay the ransom; additionally most organisations have a policy of not paying ransoms at all (although in many cases these policies are later reversed when faced with failed recovery efforts).
So, what is the secret?
Well, in trying to recover your systems, you often just wipe the existing 'encrypted' systems. Big Mistake! Why? Well, contrary to what you might be led to believe, your systems may well NOT be encrypted. Yes, in many cases the hacker makes it look like they are, but specialists like ECSC can often successfully recover data from your systems.
Why is this the case? Well, encrypting systems takes a long time, and isn't really necessary for the attacker to convince you that you have lost everything. So, lots of ransomware malware only partially encrypts the data (just the file headers for example).
The lesson here is don't wipe your systems before specialist forensic experts have examined them to test the level and extent of the encryption - this doesn't take long, as encrypted data looks very different from non-encrypted data.
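The difference the lesson above relies on is measurable: properly encrypted bytes are close to 8 bits of entropy per byte, whereas documents and databases are far lower. The following is an added example, not ECSC's forensic tooling: it computes Shannon entropy chunk by chunk over three constructed files (plain text, header-only 'encryption' and full encryption) and reports how much of each file actually looks encrypted. The chunk size, threshold and sample files are assumptions for illustration.

```python
"""Entropy triage of files touched by ransomware (added example)."""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.2  # bits per byte; assumed cut-off, tune against known-good files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each consecutive chunk, in file order. A short final chunk
    has its entropy capped at log2(len), so very small tails read as 'low'."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def assess(data: bytes, chunk_size: int = CHUNK_SIZE,
           threshold: float = HIGH_ENTROPY) -> dict:
    """Classify a file as 'plaintext', 'partial' or 'full' encryption.

    Caveat: already-compressed formats (zip, jpeg, pdf streams) are also
    high-entropy, so compare against an unaffected copy of the same file
    type before drawing conclusions; this is triage, not proof.
    """
    profile = chunk_profile(data, chunk_size)
    high = [e >= threshold for e in profile]
    fraction = sum(high) / len(high) if high else 0.0
    header_only = bool(high) and high[0] and not any(high[1:])
    if fraction == 0.0:
        verdict = "plaintext"
    elif fraction >= 0.9:
        verdict = "full"
    else:
        verdict = "partial"
    return {"chunks": profile, "encrypted_fraction": fraction,
            "header_only": header_only, "verdict": verdict}


# Constructed samples; a seeded PRNG stands in for ciphertext so results repeat.
_rng = random.Random(2024)


def _pseudo_random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


TEXT_SAMPLE = (b"Invoice 2024-03: amount due 1,250.00 GBP; customer ref A-1001.\n"
               * 400)[:4 * CHUNK_SIZE]
# Header-only 'encryption': the first 4 KiB replaced, the rest of the document untouched.
PARTIAL_SAMPLE = _pseudo_random_bytes(CHUNK_SIZE) + TEXT_SAMPLE[CHUNK_SIZE:]
FULL_SAMPLE = _pseudo_random_bytes(4 * CHUNK_SIZE)

if __name__ == "__main__":
    for name, sample in [("plaintext", TEXT_SAMPLE),
                         ("partial", PARTIAL_SAMPLE),
                         ("full", FULL_SAMPLE)]:
        r = assess(sample)
        print(f"{name:10s} verdict={r['verdict']:9s} "
              f"encrypted_fraction={r['encrypted_fraction']:.2f} "
              f"header_only={r['header_only']}")
```

Run over a sample of affected files, a high proportion of 'partial' or 'header_only' verdicts is the signal to preserve the disks for the forensic team rather than reimage them.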
If you think you'd benefit from the ECSC experts by your side when you need them most, then the easiest solution is a low-cost Incident Response Retainer, giving you access to 24/7/365 remote and on-site guidance, advice and support. Additionally, all Incident Response Retainer Clients receive a 20% discount on our Incident Response rates.
To learn more, please read our brochure here or call the team on 01274 736 223.
The field of Information Security, technological threats and vulnerabilities changes constantly and as a result the ISO 27001 standard is periodically reviewed and revised to ensure it remains up-to-date whilst remaining appropriate and flexible enough for the vast range of organisations that currently conform to its requirements.
Within the next few months, a revised version of the standard will be published, and a number of key changes have already been identified.
Key changes include the variation in the structure of the Annex A controls. Rather than the 14 sections of the previous standard, the controls are now split across only four sections. None of the current controls have been removed altogether; rather, they have been merged with others or renamed, and 11 brand new controls have been added, giving a new total of 93 controls.
In summary:
- 114 controls have been consolidated into 93 controls
- 57 controls have been merged into 24 controls
- 23 controls have been renamed but practically remain unchanged
- There have been 11 new controls introduced
- 0 controls have been deleted or excluded
What does this mean?
For organisations with an existing certification to the 2013 standard, auditors will verify your transition through surveillance audits, adding days to cover the new controls and processes. However, you will have until 31 March 2023 to prepare for this transition.
For clients who are seeking ISO 27001 certification for the first time, you will be able to choose which version to certify to, until 31 March 2023 when all new certifications must be against the new version.
Hacker groups are continuing to attack organisations and compromise data resulting in mayhem for the organisations involved. For any organisation that takes card details, there is an added layer of impetus to ensure data security, in order to avoid any potential financial ramifications for their clients.
Any incident involving card data can lead to direct fines under the Payment Card Industry Data Security Standard (PCI DSS) enforcement and GDPR fines from the Information Commissioner's Office (ICO) or equivalents across the EU.
What should I do if my card data is compromised?
Following any breach, it is important that you prevent any further data loss and invoke your Incident Response Plan and/or seek external expertise to help guide you through your incident.
VISA has recently created the VISA ADC programme which is designed for card breaches and replaces the PFI-Lite programme. If you happen to find yourself in a situation where you may have had a breach, ECSC meets VISA's requirements to perform an independent investigation.
For more information on how ECSC could help in these instances, read our briefing document on 'Account Data Compromise Service'.
Ransomware, the threat is real!
Unsurprisingly, Ransomware will continue to be an ongoing risk for businesses this year, having grown exponentially in recent years, with many organisations seeing a record number of attacks and paying out bigger ransoms than ever before.
A large part of the reason for the continued threat is the apparent immunity that these types of hackers currently receive from certain countries, on the basis that no action is taken against organisations within their jurisdiction.
Whilst the ICO reports that 219 incidents were recorded during Oct - Dec 2021, it is important to keep in mind that this will not reflect the true number of Ransomware attempts - only those actually detected and reported.
In some cases, systems and networks can be compromised and go unnoticed for days, weeks, months and even years, until the hacker decides to sell access to Ransomware groups; this is a pattern the ECSC Incident Response Team commonly finds.
While it is difficult to determine the motivation of Ransomware groups, financial gain is usually the most common, with threat actors asking for between 10% and 20% of an organisation's current cash flow. In our experience, the attacked organisations that have had to make a payment do so because they see no choice, the alternative being to close their business.
The most common form of Ransomware that ECSC support our clients with is Ransomware as a Service (RaaS).
Ransomware IS a business
RaaS is a by-product of threat actors who use Ransomware frameworks to operate like a traditional organisation, with extortion of other companies as the business model.
Via this approach, RaaS lowers the barrier to entry for budding cyber criminals because they no longer need to be hackers themselves. This proliferation brings increased risk to all.
Using white-labelled Ransomware, threat actors use their own infrastructure to co-ordinate attacks. These attacks use human intelligence to bypass the security measures which are in place and exploit existing security weaknesses in order to achieve their goal: extortion. From ECSC's experience, key and targeted security controls which help to detect Ransomware attacks at an earlier stage make a significant difference.
Can I prevent Ransomware?
Protection against Ransomware should not be a costly exercise; at ECSC we recommend that at least 10% of IT spend should be invested in cyber security.
One approach is to maintain a resilient and regularly reviewed cyber security policy, tailored to your industry and personal needs, which should include:
- Multi-Factor Authentication (MFA) must be in use on all external authentications.
- Regular backups off-site and offline. Backups are always the main target by Ransomware threat actors. In most cases, this is the primary distinction between whether or not a ransom has to be paid. It is crucial, not only that you have sufficient backups but also adequate expertise to put these backups in place after an attack.
- Data Leak Protection (DLP) is easily bypassed by threat actors. Strong Firewall and Proxy policies on all network devices are key to reducing exfiltration and Command & Control (C2) back-doors.
- Anti-virus software is not sufficient protection against Ransomware on its own; however, it remains a key control. Anti-virus should detect abnormal activity and notify your SIEM solution.
- SIEM monitoring on all devices.
- Don't allow employees to use their own devices for work purposes. Bring Your Own Device (BYOD) has been the root cause of many Ransomware breaches.
- Regular security training for employees must include phishing.
- Policies in place for reporting any suspicious activity.
- Rigorous patching of external devices including network appliances.
- Frequent external vulnerability scanning.
- Have an Incident Response Retainer & Plan in place. The earlier you contact your service provider for external support, the better. ECSC have 20 years' experience in kicking out threat actors.
To review your Ransomware controls, take the ECSC Health Check - it only takes 5 minutes!
HOME WORKING DEVICES ARE IN SCOPE, BUT MOST HOME ROUTERS ARE NOT.
Anyone working from home for any amount of time is classified as a 'home worker'. The devices that home workers use to access organisational information, whether they are owned by the organisation or the user, are in scope for Cyber Essentials.
Home routers that are provided by Internet Service Providers or by the home worker are now out of scope and the Cyber Essentials firewall controls are now transferred to the home worker's device (computer, laptop, tablet and/or phone). However, a router supplied by the applicant organisation is in scope and must have the Cyber Essentials controls applied to it.
The use of a corporate (single tunnel) Virtual Private Network (VPN) transfers the boundary to the corporate firewall or virtual cloud firewall.
ALL CLOUD SERVICES ARE IN SCOPE
Cloud services are to be fully integrated into the scheme. If an organisation's data or services are hosted on cloud services, then the organisation is responsible for ensuring that all the Cyber Essentials controls are implemented. Definitions of cloud services have been added for Infrastructure as a Service, Platform as a Service and Software as a Service. Whether the cloud service provider or the user implements a given control depends on the type of cloud service.
WHY THE INCREASED FOCUS ON CLOUD SERVICES?
People commonly assume that cloud services are secure out of the box, but this is not the case. Users need to take responsibility for the services they use, spend time reading up on and checking their cloud services, and apply the Cyber Essentials controls where possible. Previously, Platform as a Service (PaaS) and Software as a Service (SaaS) were not in scope for Cyber Essentials, but the new requirements now insist that organisations take responsibility for user access control and the secure configuration of their services, which includes securely managing access to the different administration accounts and blocking accounts that they do not need. Where the cloud service is in charge of implementing one or more of the controls (e.g. security update management or anti-malware), the applicant organisation has the responsibility to seek evidence that this is done to the required standard.
MULTI FACTOR AUTHENTICATION MUST BE USED FOR ACCESS TO CLOUD SERVICES
As well as providing extra protection for passwords that are not protected by other technical controls, multi-factor authentication should always be used to provide additional protection to administrator accounts and accounts when connecting to cloud services.
The password element of the multi-factor authentication approach must have a password length of at least 8 characters with no maximum length restrictions.
WHY?
There has been an increasing number of attacks on cloud services, using techniques to steal users' passwords in order to access their accounts.
Multi-factor Authentication requires the user to have two or more types of credentials before being able to access an account. There are four types of additional factor that may be considered:
- A managed enterprise device
- An app on a trusted device
- A physically separate token
- A known or trusted account
THIN CLIENTS ARE IN SCOPE WHEN THEY CONNECT TO ORGANISATIONAL INFORMATION OR SERVICES
A thin client is a 'dumb terminal' that gives you access to a remote desktop. It doesn't hold much data, but it can connect to the internet.
ALL SERVERS INCLUDING VIRTUAL SERVERS ON A SUB-SET OR A WHOLE ORGANISATION ASSESSMENT ARE IN SCOPE
Servers are specific devices that provide organisational data or services to other devices as part of the business of the applicant.
DEFINITION OF A 'SUB-SET' AND ITS IMPACT ON SCOPE
A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN. A sub-set can be used to define what is in scope or what is out of scope of Cyber Essentials. Use of individual firewall rules per device is no longer acceptable.
DEFINITION OF 'LICENSED AND SUPPORTED'
Licensed and supported software is software that you have a legal right to use and that a vendor has committed to support by providing regular patches or updates. The vendor must provide the future date when they will stop providing updates. The vendor does not have to be the original creator of the software, but they must have the ability to modify the original software to create updates.
ALL SMART PHONES AND TABLETS CONNECTING TO ORGANISATIONAL DATA AND SERVICES ARE CONFIRMED IN SCOPE WHEN CONNECTING TO A CORPORATE NETWORK OR MOBILE INTERNET SUCH AS 4G AND 5G.
However, mobile or remote devices used only for voice calls, text messages or multi-factor authentication applications are out of scope.
DEVICE LOCKING
Biometrics or a minimum password or pin length of 6 characters must be used to unlock a device.
PASSWORD-BASED AND MULTI-FACTOR AUTHENTICATION REQUIREMENTS
When using passwords, one of the following protections should be used to protect against brute-force password guessing:
- Using multi-factor authentication
- Throttling the rate of unsuccessful or guessed attempts
- Locking accounts after no more than 10 unsuccessful attempts
Technical controls are used to manage the quality of passwords. This will include one of the following:
- Using multi-factor authentication in conjunction with a password of at least 8 characters, with no maximum length restrictions
- A minimum password length of at least 12 characters, with no maximum length restrictions
- A minimum password length of at least 8 characters, with no maximum length restrictions, and automatic blocking of common passwords using a deny list
People are supported to choose unique passwords for their work accounts. New guidance has been created on how to form passwords. It is now recommended that three random words are used to create a password that is long, difficult to guess and unique.
There is an established process to change passwords promptly if the applicant knows or suspects the password or account has been compromised.
ACCOUNT SEPARATION
Use separate accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks).
THE SCOPE OF AN ORGANISATION MUST INCLUDE END-USER DEVICES
If an organisation certifies their server systems only, they ignore the threats that come from the administrators who administer those server systems. The change to this requirement closes the loophole where organisations were able to certify their company without including any end user devices. Cyber Essentials must now include end point devices.
ALL HIGH AND CRITICAL UPDATES MUST BE APPLIED WITHIN 14 DAYS AND UNSUPPORTED SOFTWARE REMOVED
All software on in scope devices must be:
- Licensed and supported
- Removed from devices when it becomes unsupported or removed from scope by using a defined 'sub-set' that prevents all traffic to/from the internet.
- Have automatic updates enabled where possible
- Updated, including applying any manual configuration changes required to make the update effective, within 14 days of an update being released, where:
  - The update fixes vulnerabilities described by the vendor as 'critical' or 'high risk'.
  - The update addresses vulnerabilities with a CVSS v3 score of 7 or above.
  - The vendor provides no details of the severity of the vulnerabilities the update fixes.
Previously, the requirements laid out a set of criteria that a vulnerability had to meet before its update had to be applied. These criteria have now been dropped and organisations need to apply all high and critical updates on all their systems. This raises the bar because organisations can no longer be selective about which patches they apply and leave themselves weak and vulnerable.
The reason for these changes can be illustrated by a high profile example this year. A vulnerability in the Microsoft Exchange System came out very publicly and was reported by numerous news outlets. That attack went from being a complex state actor attack to a commodity attack within seven days. It was commoditised into a ransomware attack only 12 hours later. This proves that a high complexity attack can be commoditised in hours and for this reason, all high and critical updates, need to be applied within 14 days, both for Cyber Essentials and Cyber Essentials Plus.
GUIDANCE ON BACKING UP
Backing up your data is not a technical requirement of Cyber Essentials, however there is now guidance on backing up important data and implementing an appropriate backup solution is highly recommended.
TWO ADDITIONAL TESTS HAVE BEEN ADDED TO THE CYBER ESSENTIALS PLUS AUDIT
- Test to confirm account separation between user and administration accounts.
- Test to confirm MFA is required for access to cloud services.
HOW THE CHANGES WILL WORK
There will be a grace period of one year to allow organisations to make the changes for the following requirements:
MFA FOR CLOUD SERVICES
The requirement will apply for administrator accounts from January 2022. The MFA for users requirement will be marked for compliance from January 2023.
THIN CLIENTS
Thin Clients need to be supported and receiving security updates; the requirement will be marked for compliance from January 2023. The new question will be for information only for the first 12 months.
SECURITY UPDATE MANAGEMENT
Unsupported software removed from scope will be marked for compliance from January 2023.
The new question will be for information only for the first 12 months.
If your organisation registers and pays for Cyber Essentials certification before 24th January 2022, you will be assessed on the old Cyber Essentials question set and have up to six months to complete your self-assessment.
Please be aware that the Cyber Essentials Readiness Tool will be updated with the new requirements for the 5 technical controls on 24th January 2022. If you would like to use the tool for guidance on the old question set, please access the guidance before 24th January 2022.
The pandemic has forced most organisations to modernise and adapt to incorporate new technologies, processes and ways of working. In most cases, organisations have had to do this at speed in order to meet demand and to be able to continue to operate.
Combined with more bad news in the media regarding cyber threats and increased activity, including phishing attacks, ransomware and data breaches to name a few, protecting your information should be at the forefront of your priorities.
Protecting your information
The security industry is continuously developing new technologies that help organisations defend against all threats. Understanding and doing the basics well, in a controlled and managed way, will help protect against attacks. All too often we see organisations with "all the latest tech" but with the basics missing or poorly managed, meaning their cyber resilience is lacking.
So what is cyber resilience?
Cyber resilience is the ability to prepare for, respond to and recover from cyber attacks.
Cyber resilience helps an organisation protect against cyber risks, defend against and limit the severity of attacks, and ensure its continued survival despite an attack. It is now commonly accepted that it's no longer a matter of 'if' but 'when' an organisation will suffer a cyber attack, however, this does not have to be the case. To help plan for cyber resilience there are four basic stages that need to be met.
Stage 1 - Manage and Protect
The first stage of any cyber resilience programme involves being able to identify, assess and manage the risks associated with network and information systems, including those across the supply chain. It also requires the protection of information and systems from cyber attacks, system failures and unauthorised access.
Stage 2 - Identify and Protect
The second stage of any cyber resilience programme depends on continual monitoring of network and information systems to detect anomalies and potential cyber security incidents before they can cause any significant damage.
Stage 3 - Respond and Recover
Implementing an incident response management plan will help you continue to operate even if you have been hit by a cyber attack and get back to business as usual, as quickly and efficiently as possible.
Stage 4 - Governance and Assure
The final stage is to ensure that your programme is overseen from the top of the organisation and built into business processes and procedures. Over time, it should align closely with your wider business objectives.
Having robust measures in place will not only protect your information but allows you to evidence to your clients that you take data security seriously and that their information is secure.
If you need any help with your journey to become cyber resilient, call 01274 736223.
Sector: Insurance
Client Challenge
As an insurance company, operating across three continents, the client was having regular security incidents involving the compromise of user desktop and laptop devices. These were being caused by a combination of user behaviour and weaknesses in IT management.
Although the client engaged with ECSC security consultants to understand the root-causes of these incidents and to improve internal processes, they also wanted to improve the speed of response to incidents.
The client had already purchased a vendor log collection and alerting system. However, this was being managed by a single person, so response to alerts was dependent upon that single person's working hours - not satisfactory when cyber security breaches can lead to loss of personal data. Reasonable progress had been made on the logging system configuration, although too many alerts were being generated for the client to be able to correctly identify the most important events.
In addition, where an internal security issue was uncovered, the response required (usually to isolate the device from the network) was again dependent upon IT teams that didn't cover 24/7/365.
ECSC Solution
Although in most cases, ECSC's technologies offer significant security functionality and cost benefits, in the instance where a vendor solution has only recently been purchased, its retention can make sense. In this case, the existing vendor system was also on ECSC's Select Vendor List. This means that ECSC has extensive experience in its configuration, and will continue to support it from the ECSC Security Operations Centres (SOCs) in the UK and Australia.
ECSC helped to improve the configuration of the vendor logging solution, and integrated it into the ECSC SOCs' 24/7/365 monitoring, alert and response systems. This meant that the client received significantly fewer alerts, as ECSC engineers only highlighted significant events that needed investigation.
Where ECSC delivers a 24/7/365 monitoring and alerting solution, escalation to the ECSC incident response team normally only happens infrequently, in response to serious issues that cannot be managed by the client's own IT (or security) function. However, for this client, with regular user device compromises, a pre-agreed incident response to access the network and isolate compromised devices was put in place.
This meant that rapid response to incidents could be carried out 24/7/365 by the ECSC SOC Engineers without having to wake an on-call engineer within the client's organisation. If this happened during the night or weekend, devices were then secured, with communication to the relevant IT support desk for the start of their next working day.
In addition to alerting, reporting, and incident response to support the client technical teams, ECSC also delivered regular senior management briefings to help the leadership team understand the current security issues, and root-causes. This was an important communication to gain management support for ongoing cyber security improvements.
Key Benefits
- 24/7/365 SOC monitoring and incident response
- Vendor system integrated with ECSC technologies
- Custom incident response to isolate compromised internal devices
- Consultancy support to identify root-causes and reduce repeat incidents
Sector: Public Sector Service Provider
Client Challenge
Among our clients, it is reassuring to find that cyber security is increasingly becoming the responsibility of the most senior level of the business. Of course, what our clients are finding is that cyber security is also becoming a priority to their own clients, with many insisting they comply with a range of standards before they can be considered as a potential supplier.
In this instance, a mid-sized public sector service provider, dealing with a number of public sector contracts, needed to achieve CE certification to meet specific assurances for a number of clients before they could make a coveted pre-approved supplier list.
This organisation had limited IT resource and certainly no cyber security team to understand exactly what was required of them; what they did understand was that their competitors, as early adopters to the CE scheme, were gaining market advantage by demonstrating their cyber security protection.
ECSC Solution
Cyber Essentials projects are generally quite short, tailored to the size of the organisation. The main focus is on cyber security breach prevention, and doing sensible things that are known to work. It doesn't normally involve significant investment in new security systems and never requires additional staffing.
A focus on the external Internet firewall uncovered significant vulnerabilities associated with systems that shouldn't have been exposed to potential hackers. This was a good example of IT 'making it work', without knowledge of the security implications. These weaknesses were corrected, with an appropriate firewall configuration quickly developed by ECSC and implemented.
As most CE clients have not undertaken in-depth cyber security penetration testing, they are often unaware of technical vulnerabilities. The CE requirement for vulnerability scanning is a great starting point to show where technical weaknesses are present. The remediation of these vulnerabilities usually involves the introduction of a more rigorous approach to system patching and secure system configuration. This process helps the IT team understand the importance of these processes in breach prevention.
Further analysis also showed many legacy access controls, with previous users retaining access with weak password controls. These were quickly corrected, as ex-employees can pose a significant risk.
Through introducing these controls, the senior management team started to understand the importance of the improvements, and appreciated the cost-effective approach of CE. They are now looking at a wider ISO 27001 certification programme, to give wider control of information security. This will help with their future GDPR compliance and open up further sales opportunities.
Key Benefits
- Achieving a standard to support sales expansion
- Giving increasing confidence to existing customers
- Raising levels of cyber security protection
- Gaining management support and increasing understanding
Sector: University
Client Challenge
A university invited organisations to quote to carry out a penetration test. The university had put together an initial scope of work stating their expectations for the exercise.
Universities have thousands of student users who require access to their network, in addition to hundreds of employees and support functions requiring varying levels of access, and multiple and remote users, meaning they are faced with a huge task when it comes to their cyber security. Their networks need to be accessible for long hours and, because of the nature of their student user-base, unusual activity is hard to pin-point.
As part of the initial project, ECSC conducted some research into the university and found data containing vital contact information for 3000 users, including phone numbers and email addresses, accessible to anyone from the Internet. This was alarming for our tester to discover, knowing the implications from an access perspective; however, it is not unusual for large organisations.
The university chose ECSC to carry out their penetration test based on the quotation and ECSC's long-standing security credentials. Having worked with a number of UK universities to help improve their cyber security meant we had a greater understanding of their network complexity and user needs.
ECSC Solution
Penetration tests are carried out by an accredited security tester according to a scope defined by the client; we helped the university to further refine the scope of their testing project and developed an understanding of their specific network complexities.
ECSC carried out further investigation, using the previously acquired contact details to conduct a 'Brute Force attack' against multiple external portals. The sheer number of usernames already available gave our tester a high chance of gaining access; the ECSC tester gained access easily to an account where the privileges were then escalated. Full control of the university network was then gained, including access to over 100,000 hashed passwords. The hashes were put through a password cracking process and within the allocated testing time over 60,000 were cracked.
Had this easily exploitable vulnerability been identified by a malicious attacker rather than in the course of a penetration test commissioned by the university, the resulting reputational damages, financial losses and fines imposed by regulatory bodies could have been catastrophic. The remediation activity required to reduce the risk of this happening included:
- A review of information storage, process and access rights
- Putting protective measures in place regarding access to contact information
- Educating users on the use of more complex passwords
- Re-testing to ensure remediation activities have been effective
ECSC continues to work with the university to improve their cyber security posture. By developing a relationship with this client we help to ensure the most effective use of budget and prioritise areas of improvement.
Key Benefits
Sector: Professional Services Organisation
Client Challenge
An organisation that provides secure professional services to blue chip clients was concerned that they were susceptible to a data breach, and weren't sure where best to focus their efforts in improving security. While they had capable IT staff in place, the focus was predominantly based on 'making things work' rather than 'making things secure'.
They also found it difficult to make a case to the board for the budget and resources required to support cyber security. The technical output from security assessments that were being conducted, such as penetration testing, was difficult to translate into language that their board could understand, and was not sufficient to provide any clarity as to how best to improve security based on a prioritised approach.
ECSC Solution
ECSC was engaged in 2015 to conduct an initial Cyber Security Review in order both to identify deficiencies in the organisation's cyber security defences, and to help determine a plan to achieve an appropriate level of security in the coming years.
The outcome of the review showed that there were significant gaps that needed to be addressed, and while security was being considered in pockets of the business, there was no consistent approach. Using the priority recommendations in our report, the organisation had a clear plan of action for improvement, and the board had a clear picture of where the organisation was and where it needed to be.
Since that initial review, ECSC has been engaged to perform a repeat exercise every year. With each review, areas that have been addressed can be reviewed, and a new plan of action agreed for the following year. The findings of the review form a prominent part of board reporting, giving the board assurance that data is being protected and demonstrating the significant progress the organisation has made.
Key Benefits
- An understanding of gaps in the organisation's Cyber Security countermeasures.
- A framework through which to focus improvement activities, and measure the effects of security initiatives undertaken.
- The ability to report at board level on progress made, and on required future activities.
- An assurance that their data, and that of their clients, is being adequately protected.
Sector: Rail Franchise
Client Challenge
For a rail franchise, card payments usually come through one of four routes:
- Online ticket sales
- Automated station ticket machines
- Station ticket counters
- On-train ticket and refreshment sales
The ECSC client had outsourced its online sales to a certified provider, but this still left the remaining payment 'channels', each of which needed to communicate across the rail company's IT network, including multiple stations.
Unfortunately, investigation by ECSC QSAs showed that there was significant PCI DSS non-compliance within the payment card systems, and significant security vulnerabilities. As these were supplied as part of long-standing third-party management contracts, the ability to make these compliant, and secure, was going to be difficult and time consuming, leaving a significant risk of a serious breach.
The UK rail model requires each rail franchise to be run as a separate entity that can be handed over to the next franchise owner. This means that most IT departments are limited in size, and security expertise, and don't have the staffing to meet 24/7/365 security monitoring requirements of the PCI DSS.
ECSC Solution
This solution involved managing perimeter security devices, including firewalls, an Intrusion Detection System (IDS), and log collection, together with network switch management.
Each device was built, and fully documented, to the PCI DSS requirements, and ongoing management processes aligned to the standard. This allowed the client to increase their overall compliance level, prevent a serious data breach, and demonstrate compliance progress to their bank.
Each component was then monitored and managed by the ECSC global 24/7/365 Security Operations Centres. These currently operate from the UK and Australia, giving 'follow the sun' hands and eyes support.
Key Benefits
- Non-compliant, insecure payment systems isolated and protected
- 24/7/365 SOC monitoring and incident response
- System designed by PCI QSAs
- Delivered and managed by a PCI Level-1 Certified Service Provider