Improving Cyber Essentials

November 14, 2019

The background

Over the past few years, the UK Government’s National Cyber Security Centre (NCSC) and their delegates have been doing excellent work improving cybersecurity for everyone. One way they have done so is via Cyber Essentials, a world-leading scheme designed to provide guidance and certifications to mitigate the most common cyber threats.

Astrix has been a Certification Body (CB) providing Cyber Essentials (CE) and Cyber Essentials Plus (CE+) certifications since 2016, so we have our fair share of experience with the scheme. In that time, we’ve concluded that it absolutely has value in ensuring that organisations have essential and reasonably up-to-date controls in place, but there are a number of basic ways in which it could be greatly improved. (We stress “basic” because the NCSC are rightly keen to keep CE simple, so we’ve kept that in mind.)

Given the planned changes around April 2020, we felt that now would be a good time to suggest our improvements, for the benefit of everyone. After all, this is exactly in line with our vision and our values.

Please note that, currently, each Accreditation Body (AB) creates its own Cyber Essentials (CE) questionnaire and Cyber Essentials Plus (CE+) test files for CBs to use with applicants, but we’ll be focusing on IASME’s now that they have been selected to be the sole Cyber Essentials Partner from April 2020.

Improvement #1 of #7: Cover phishing and spoofing

In the NCSC’s blog post “We have the expertise, we're working on the data”, they said that they will only change the CE controls if they “will protect the majority of organisations, for the majority of the time, from the majority of attacks” which is perfectly reasonable.

Later in the same blog post, they went on to explain that this view had led them to form a “Cyber Essentials Jury” where industry experts reviewed recent significant breaches to determine whether the current controls were still adequate. We’ve consistently heard that they concluded that the current controls were indeed still adequate and, as such, there are no plans to enhance the controls / requirements.

Currently, the 5 Cyber Essentials controls are 100% technology-focused:

  1. Secure your Internet connection

  2. Secure your devices and software

  3. Control access to your data and services

  4. Protect from viruses and other malware

  5. Keep your devices and software up to date

However, in the cybersecurity community, it’s widely known that one of the biggest problems, if not the biggest, is the users (through no fault of their own). For example, it’s widely reported that approximately 90% of successful breaches began with the following attacks which, to reiterate, are not covered by CE:

  • Phishing.

    This is a form of social engineering whereby communication (email, SMS, phone call, etc.) is maliciously crafted in order to trick the recipient into doing things they wouldn’t ordinarily do. For example, giving the attacker sensitive / confidential information such as their password, financial information, or an internal document.

  • Spoofing.

    Often used as a phishing method, this is the act of manipulating communication systems to appear to be a source known / trusted by the recipient. The most common examples of spoofing are email addresses, display names (the sender name that appears on emails), and phone numbers.

What makes these attacks so common and dangerous is that they’re easy to automate, highly successful, and highly lucrative, so attackers try to target as many people as possible for as long as possible.

Technology such as SPF and DMARC can and should be used to help to mitigate these problems. In fact, we wrote a lengthy blog post on exactly this topic: https://astrix.co.uk/news/2018/11/26/how-to-mitigate-email-spoofing

However, social engineering is fundamentally a people problem and, therefore, primarily requires a people solution. This is where Security Awareness Training (SAT) comes in: services that regularly train users on how to recognise and respond to threats.

So, as it stands to reason that these mitigations “will protect the majority of organisations, for the majority of the time, from the majority of attacks”, we hope that CE will be updated to require them.

Improvement #2 of #7: Update password requirements

Currently, the questionnaire’s requirements relevant to passwords are effectively as follows:

  • Ensure that passwords are not default, are of at least 8 characters, and are “difficult to guess”.

  • Ensure that your systems do not restrict the length of passwords.

  • Ensure that passwords are changed if it’s suspected that they have been compromised.

  • Have a password policy available to users.

While this is decent practice, it is not in line with the NCSC’s own current best practices: three random words.

To us, it makes sense to simply update Cyber Essentials to match the NCSC’s recommendations.

Improvement #3 of #7: Better align CE and CE+

While CE and CE+ are inherently linked, there are some disconnects between them which are exacerbated by (1) the questionnaire being written by the AB and much larger in scope, whereas (2) the CE+ test specification is written by the NCSC and much smaller in scope. For example:

  • Areas that need to be compliant for CE but aren’t mandated to be checked in CE+:

    • Boundary firewalls.

    • Software / endpoint firewalls.

    • Authentication policies (passwords, Two- / Multi-Factor Authentication, lockout, etc).

    • AutoRun policies.

    • Administrative and user account management and restrictions / privileges.

  • Areas that need to be compliant for CE+ but can’t be obtained or checked in CE:

    • Public IP addresses or domain names.

    • Inbound email protection / security.

So, it’s far from uncommon to have a scenario where assessors will discover something during CE+ that is contrary to the given CE answers. While there are procedures to deal with these situations, they are not well-known and it would be better to try to avoid getting into these situations in the first place.

Now that there’s only one CE partner, we’re hoping to see these discrepancies reconciled.

Improvement #4 of #7: Reduce CE+ assessor qualification requirements

In October 2019, it was announced that the NCSC have decided to increase the CE+ assessor requirements so that each CB must have at least one assessor who has one of the following qualifications:

While this may seem like a good thing on the surface, it’s important to remember that the CE scheme was designed to be “achievable” (basic and cost-effective) so we and many others think this is a mistake for the following reasons:

  • Every single qualification is at least closely related to penetration testing and, as such, is very specialized and expensive. As a result, this will likely hurt the scheme in one or more of the following ways:

    • Smaller CBs will decide to cease performing CE+ assessments, thereby reducing assessor supply and increasing assessment cost.

    • CBs that decide to get their assessors qualified and continue performing CE+ assessments will choose or be forced to increase their pricing in response, thereby increasing assessment cost.

    • Assessors who do get qualified may choose to leave for better-paying and/or more engaging work, thereby reducing assessor supply and increasing assessment cost.

  • There seems to be no good reason to incur this extra cost, time, effort, and potential risk because there are currently no plans to change the CE+ test spec before April 2020 and, even if there were, it should be a higher assessment / certification with its own requirements - CE+ shouldn’t be a penetration test.

  • Adoption of CE+ is already low, which is part of the reason why the NCSC want to massively increase adoption, but the above factors will likely stunt this.

An analogy we couldn’t help but think of is McDonald’s having to train their chefs to near-Michelin star level.

Even though we at Astrix actually stand to benefit from this, staying silent wouldn’t be in line with our vision or our values so we hope that the NCSC change their minds on this.

Improvement #5 of #7: Overhaul CE+ test files

The CE+ test files are intended to provide assessors with a way of testing the protections in the applicants’ endpoints (PCs, for example).

The CE+ test specification says that the test files should be “representative of all the file types that Applicants are likely to encounter, in advance” and must include:

  • Executable file types (“both native binaries and scripting languages”).
    “The user should at least see a warning and a prompt that allows them to decide whether or not to proceed.”

  • Malware test files “which contain inert malware samples”.
    “Anti-malware should detect these and block the user from accessing them.”

  • “Documents and spreadsheets — but which contain inert malware samples”.

  • Container file types (“such as .zip and .gz”).

The test files were last updated on 2018/06/21 and the following is our opinion on them:

File name                  Problems?  Reasons
calc.exe                   Yes        We've never seen this even execute and it is not malicious.
CEPlus.7z                  Yes        This is a normal file of a relatively common type which simply contains CEPlusWin.exe.
CEPlus.bat                 No         This doesn't prompt for permission to run, but batch files are executable via file association by default and they should not be anyway.
CEPlus.docm                No         This contains a macro, which is not executable by default and should not be.
CEPlus.exe                 Yes        This doesn't prompt for permission to run. It is possible that this file is simply a utility for downloading the EICAR test malware file, but this is not made clear.
CEPlus.exe.pif             Yes        We've never seen this even execute and it is not malicious.
CEPlus.gz                  Yes        This is a normal file of a relatively common type which simply contains CEPlusWin.exe.
CEPlus.ps1                 No         PowerShell files are not executable by default and they should not be.
CEPlus.py                  No         Python files should not be executable by default.
CEPlus.rar                 Yes        This is a normal file of a relatively common type which simply contains CEPlusWin.exe.
CEPlus.sh                  No         Shell files should not be executable by default.
CEPlus.tar                 Yes        This is a normal file of a relatively common type which simply contains CEPlusWin.exe.
CEPlus.tar.gz              Yes        This is a normal file of a relatively common type which simply contains CEPlus.tar which, in turn, simply contains CEPlus.sh.
CEPlus.xlsm                No         This contains a macro, which is not executable by default and should not be.
CEPlus.zip                 Yes        This is a normal file of an extremely common type which simply contains CEPlusWin.exe.
Cyber Essentials Plus.dmg  No         The contained app is blocked from executing by macOS by default.

We’ve seen so many assessors misapply this guidance and these files that it’s not good for anyone.

Also, other file types that are much more common in general and much more commonly used as attack vectors are not included. For example, CMD (alternative to BAT), PDF, JS (JavaScript), VB (Visual Basic), JAR (Java), etc.
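As an added example (not from the original post and not part of the CE+ test files), the following PowerShell reports what a double-click would do on a Windows endpoint for each of the script and document extensions discussed above, using the cmd.exe built-ins assoc and ftype; the list of interpreter names it matches against is an assumption for this example.

```powershell
# Added example, not part of the original post or of the CE+ test files.
# For each extension discussed above, report the default open handler on this
# Windows endpoint so an assessor can see whether a dropped file would open in an
# editor/viewer or execute on double-click. Uses the cmd.exe built-ins assoc/ftype.
# Caveat: assoc/ftype read the machine-wide classes; a per-user "Open with" choice
# (UserChoice) can override them, so confirm under the assessed user's account.
function Get-ExtensionExecutionRisk {
    param(
        # Extensions from the CE+ test set plus the ones this post says are missing.
        [string[]] $Extensions = @('.bat', '.cmd', '.ps1', '.py', '.sh', '.js', '.vbs',
                                   '.jar', '.docm', '.xlsm')
    )
    # Interpreter names that execute a file's content when they appear in the open
    # command. Assumed list for this example; extend it for your own estate.
    $interpreters = @('wscript.exe', 'cscript.exe', 'java', 'python', 'py.exe',
                      'pwsh', 'powershell.exe')

    foreach ($ext in $Extensions) {
        # assoc maps an extension to a file type name, e.g. ".bat=batfile"
        $assoc = cmd /c "assoc $ext" 2>$null
        if (-not $assoc) {
            [pscustomobject]@{ Extension = $ext; FileType = '(none)'; OpenCommand = '(none)'; Verdict = 'No handler; will not run on double-click' }
            continue
        }
        $type = ($assoc -split '=', 2)[1]
        # ftype maps the file type to its open command, e.g. 'batfile="%1" %*'
        $ftype = cmd /c "ftype $type" 2>$null
        $command = if ($ftype) { ($ftype -split '=', 2)[1] } else { '(none)' }

        if ($command -match '^"?%1') {
            # The file itself is the program: cmd.exe runs .bat/.cmd directly.
            $verdict = 'Runs directly'
        } elseif ($interpreters | Where-Object { $command -like "*$_*" }) {
            $verdict = 'Runs via interpreter'
        } else {
            # Office documents land here: the macro question is decided by Office
            # Trust Center settings, not by the file association.
            $verdict = 'Opens in editor/viewer'
        }
        [pscustomobject]@{ Extension = $ext; FileType = $type; OpenCommand = $command; Verdict = $verdict }
    }
}

Get-ExtensionExecutionRisk | Format-Table -AutoSize -Wrap
```

An extension that reports "Runs directly" or "Runs via interpreter" is the case where the CE+ expectation of a warning and prompt before execution actually applies.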

We hope that new, more suitable files will be created and released soon.

Improvement #6 of #7: Full cloud cover

In the olden days, organisations used applications and services that tended to be physically on-premises. As a result, attacks were more difficult to automate because the systems weren’t always remotely accessible and, if they were, they were inherently more difficult to discover, slower to access, and not straightforward to identify.

Nowadays, a large and ever-increasing percentage of organisations have migrated to cloud services (mainly Software as a Service (SaaS) but also Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)) as there are many very good reasons to do so. However, a major downside is that they are continually and successfully attacked because:

  1. They’re a prime target as they contain so much data from so many organisations.

  2. They are widely known.

  3. They are inherently (almost) always online and easily accessible from anywhere by anyone.

  4. Most of the security controls need to be set by the organisation rather than the provider, and those settings tend to be lax, to say the least.

  5. Data breaches that expose credentials and fuel the resulting attacks (such as credential stuffing and password spraying) continue to rise exponentially.

In terms of CE and CE+, this is a problem because currently only IaaS is allowed to be included in the assessment scope. So, for example, if an organisation uses Office 365 (as many do) and there are poor security controls in place then we’re not allowed to fail their CE / CE+ application for it.

We hope that at least SaaS will be included in the scope of assessments in the near future.

Improvement #7 of #7: Provide email and web hosting

The CE+ test specification, section “Internal testing” (page 7), says the following (emphasis added by us):

“You will need:

  • to be able to send arbitrary emails to an account operated by the Applicant — that is, you need an external email system that performs no filtering and is not blacklisted

  • test files, hosted on an external website owned by the Certification Body (see Appendix B: Types of test file) — you may need to have the Applicant arrange access to this site, perhaps adding it to their whitelist”

We’ve seen so many CBs get this wrong (using free / public email providers, using another CB’s web hosting, not securing the connections, etc) that it would be much simpler and more consistent if the NCSC or IASME used a portion of the certification fees to provide CBs with email and web hosting for the purposes of carrying out CE+ testing.

Sign-off

Once again, we would like to stress and reiterate that the NCSC and their delegates already do great work. We wrote this post with the intention of effecting change for the good of everyone, and we’d be more than happy to work with the NCSC, IASME, and anyone else to achieve this.

Feel free to subscribe to our newsletter to be automatically notified of future posts. Until next time! 😊