The volume of security-related regulations and compliance requirements in the UK and Europe continues to grow. Regional examples include the GDPR, the EU Cybersecurity Strategy, the EU Cybersecurity Act, the recently revised Network and Information Systems Directive (NIS2), the Digital Operational Resilience Act (DORA) and the EU-wide cybersecurity certification framework that the Cybersecurity Act established. There are also country-level requirements; in the UK, for instance, there is the Cyber Essentials certification scheme. This list will keep growing, and the risks will keep escalating alongside it.
Organisations must find ways in which to keep pace with this environment and, if they have not already done so, prioritise putting a solid compliance foundation in place. The IT department has a huge role to play in ensuring that compliance is always up-to-date (increasingly referred to as ‘continuous compliance’) rather than relying on quarterly-to-annual reviews from the organisation’s GRC, compliance or security teams.
Yet, even in today’s more security-aware world, IT departments are still not addressing this fundamental requirement sufficiently. Building a compliance strategy can appear daunting, but a multitude of proven tools and techniques exist that make it more manageable. By making compliance a core part of the IT infrastructure, keeping it up-to-date and organisation-wide becomes far easier.
UK Cyber Essentials
Let’s take the UK Cyber Essentials, which is designed to provide confidence that organisations are protecting themselves against the most common cyber threats, as an example of what is commonly required to be compliant.
The scheme, which is required for some public sector contracts, has two tiers: Cyber Essentials and Cyber Essentials Plus. Both tiers require the organisation to enforce the same set of security controls. The difference is in how that is verified: the basic tier is a self-assessment questionnaire, whereas the ‘Plus’ tier adds a hands-on technical audit of the organisation’s systems by an independent assessor, and some contracts, including Ministry of Defence contracts, require this higher tier. Certification is valid for 12 months, so annual recertification is mandatory, and a list of certified organisations is publicly accessible via the NCSC website.
Five areas of compliance
The UK Cyber Essentials gives applicant organisations crystal clear guidance, with five requirements for certification. The first of these is to secure the configuration of firewalls: every in-scope device must be protected by a correctly configured firewall (or equivalent network device). Tasks include:
· Replacing default administrative passwords with strong, hard-to-guess ones.
· Preventing access to the administrative interface from the Internet, unless there is a documented business need and the interface is additionally protected (for example, by multi-factor authentication or an IP allow-list).
· Blocking unauthenticated inbound connections by default.
· Removing or disabling permissive firewall rules quickly.
· Using a host-based firewall on untrusted networks.
Also, inbound firewall rules must be approved and documented by an authorised individual.
The second requirement is secure configuration of in-scope devices and software: removing or disabling unnecessary user accounts, changing any default account passwords, removing or disabling unnecessary software, and authenticating users before allowing internet-based access to sensitive data. In addition, any auto-run feature (which would allow a file to execute without user authorisation) must be disabled.
The third requirement is user access control, which covers the accounts that can reach organisational data and services: managing access privileges (so that administrative accounts are used only for administrative tasks), removing accounts promptly when they are no longer needed, and strengthening account authentication, including multi-factor authentication for access to cloud services.
Fourth is malware protection: anti-malware software must be kept up to date (signatures updated at least daily), configured to scan files and web pages automatically, and able to prevent connections to known-malicious websites. Alternatively, devices may be restricted to an approved list of applications (application allow-listing).
Fifth and finally, security update management requires that all software installed on in-scope devices is supported and licensed, and is removed from devices when that support ends. Updates that fix vulnerabilities rated high or critical (a CVSS v3 base score of 7 or above) must be applied within 14 days of release, and automatic updates should be enabled wherever possible.
The challenge
These requirements demonstrate that the UK Cyber Essentials is a robust set of guidelines and includes actions that are also applicable to other regulations and compliance initiatives. However, despite the scheme having launched in 2014, one estimate puts the share of UK organisations following the Cyber Essentials (CE) certification scheme at only 14 per cent, meaning that the remainder may be lacking basic security hygiene and missing an opportunity to engage with potential government customers.
So why is this the case? The challenge for many organisations is the effort involved, such as ensuring that every server has the correct settings and the time to manage patches. Compliance can feel like a drain on already limited IT resources: assigning sufficient time to compliance can be challenging, compared to focusing on more immediate firefighting.
Best practice
There are ways in which IT teams can better manage compliance, even in situations where the volume of nodes continues to scale and the number of available skilled resources is limited. Applying and enforcing settings server-by-server or department-by-department is massively time-consuming. While it is possible to manually configure one or two servers or desktops, what about 50 servers at once, or 100 or 1000? Also, settings are not a one-time activity; they must be constantly maintained. Automation is necessary for security at scale, permitting what is called ‘continuous compliance’.
Greater security is often cited as an advantage of, and motivation for, a shift to cloud computing. It might surprise readers to learn that security risks can still create havoc for cloud-based systems: under the shared-responsibility model the provider secures the underlying platform, but the customer remains responsible for how its own workloads are configured. Managing firewall rules, software lifecycle management, and application change control are examples of necessary components of a vulnerability management programme. As with on-premise systems, identifying configuration drift and determining alignment with policy in these and many other areas remains a critical best practice. Moving servers to or from the cloud may also introduce additional security requirements, including encryption of data in flight, and calls for a reconsideration of best-practice standards and a shift in who is responsible for applying and upholding them.
Desired-state automation
A further consideration is to adopt an agent-based approach to compliance monitoring, often referred to simply as ‘desired state’ automation. Taking the analogy of a supermarket, it is comparable to constantly checking that everything on the shelves is correctly placed and labelled. Problems are identified quickly, which constrains the scope and eliminates any subsequent scramble to sort things out. The same is true with technology. Imagine hundreds or thousands of servers with a multitude of configuration elements on each of them. If not reviewed frequently, chances are that these servers will quickly fall out of compliance. If that condition of non-compliance remains for any period, it increases the possibility of exploitation and can negatively impact the function of the device.
However, IT environments are often checked for compliance only every few weeks or months, or perhaps not at all. An agent-based solution overcomes this by placing a compliance agent on top of the operating system, so that the server’s status is checked far more frequently, for instance once an hour. The IT environment is then kept in its ‘desired state’, and by automating the process, the errors and oversights that often result from manual work are greatly reduced. Furthermore, the time to carry out an audit is significantly reduced because all the data (or trusted facts) are continuously collected by the agent. One caveat: an agent that can change configuration is itself a privileged component, so its control channel and the policy it enforces must be protected and change-controlled as carefully as the systems it manages.
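As an added example (written for this article, not the article’s own code nor any vendor’s product), the following script shows what one cycle of a desired-state agent looks like when its policy is the five Cyber Essentials control areas described above: it takes a host’s collected facts, reports every deviation from the desired state, and auto-remediates only the deviations that need no human decision, leaving the rest for an administrator. The host facts are constructed inline so the script runs offline; the fact schema, the set of administrative ports, the ‘unnecessary account’ list and the fixed evaluation date are assumptions for the example, not Cyber Essentials definitions.

```python
"""Illustrative desired-state compliance check for Cyber Essentials-style rules.

Written for this article; not the article's own code nor any vendor's product.
The fact schema, ADMIN_PORTS, UNNECESSARY_ACCOUNTS and TODAY are assumptions.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network

MAX_PATCH_AGE_DAYS = 14            # CE: high/critical fixes applied within 14 days
MAX_SIGNATURE_AGE_DAYS = 1         # CE: anti-malware signatures updated daily
ADMIN_PORTS = {22, 8443}           # assumption: management interfaces on this host
UNNECESSARY_ACCOUNTS = {"guest"}   # assumption: accounts with no business need


@dataclass(frozen=True)
class Finding:
    control: str            # which CE control area the deviation belongs to
    detail: str
    auto_fixable: bool = False  # safe to remediate without a human decision


def is_internet_wide(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule open to any source address."""
    return ip_network(cidr).prefixlen == 0


def evaluate(facts: dict, today: date) -> list[Finding]:
    """Compare collected host facts with the desired state; return every deviation."""
    out: list[Finding] = []
    fw = facts["firewall"]
    if fw["default_inbound"] != "deny":
        out.append(Finding("firewall", "default inbound policy is not deny", True))
    for r in fw["rules"]:
        if r["dir"] != "in" or r["action"] != "allow":
            continue
        if is_internet_wide(r["src"]) and r["port"] in ADMIN_PORTS:
            out.append(Finding("firewall", f"admin port {r['port']} reachable from the internet"))
        if not r.get("approved_by"):
            out.append(Finding("firewall", f"inbound allow on port {r['port']} has no documented approver"))
    for acct in facts["accounts"]:
        if not acct["enabled"]:
            continue
        if acct["default_password"]:
            out.append(Finding("secure-configuration", f"account {acct['name']} still has its default password"))
        if acct["name"] in UNNECESSARY_ACCOUNTS:
            out.append(Finding("secure-configuration", f"unnecessary account {acct['name']} is enabled", True))
    if facts["autorun_enabled"]:
        out.append(Finding("secure-configuration", "auto-run is enabled", True))
    for pkg in facts["packages"]:
        if not pkg["supported"]:
            out.append(Finding("update-management", f"{pkg['name']} is no longer supported"))
        upd = pkg.get("pending_update")
        if upd and upd["severity"] in ("high", "critical"):
            age = (today - date.fromisoformat(upd["released"])).days
            if age > MAX_PATCH_AGE_DAYS:
                out.append(Finding("update-management", f"{pkg['name']} {upd['severity']} fix is {age} days old"))
    am = facts["antimalware"]
    sig_age = (today - date.fromisoformat(am["signatures_updated"])).days
    if not am["installed"] or sig_age > MAX_SIGNATURE_AGE_DAYS:
        out.append(Finding("malware-protection", f"signatures are {sig_age} days old"))
    return out


def enforce(facts: dict) -> dict:
    """Apply the remediations that need no human decision and return the new facts.

    A real agent would make OS calls here; this example only rewrites the facts.
    Exposed admin ports, default passwords and patching are left for a person.
    """
    fixed = copy.deepcopy(facts)
    fixed["firewall"]["default_inbound"] = "deny"
    fixed["autorun_enabled"] = False
    for acct in fixed["accounts"]:
        if acct["name"] in UNNECESSARY_ACCOUNTS:
            acct["enabled"] = False
    return fixed


# Constructed facts for one drifted host, as an hourly agent run might collect them.
TODAY = date(2024, 5, 20)
HOST_FACTS = {
    "hostname": "web-01",
    "firewall": {
        "default_inbound": "allow",
        "rules": [
            {"dir": "in", "action": "allow", "src": "0.0.0.0/0", "port": 443, "approved_by": "j.smith"},
            {"dir": "in", "action": "allow", "src": "0.0.0.0/0", "port": 22, "approved_by": None},
            {"dir": "in", "action": "allow", "src": "10.0.0.0/8", "port": 22, "approved_by": "j.smith"},
        ],
    },
    "accounts": [
        {"name": "root", "enabled": True, "default_password": False},
        {"name": "guest", "enabled": True, "default_password": False},
        {"name": "admin", "enabled": True, "default_password": True},
    ],
    "autorun_enabled": True,
    "packages": [
        {"name": "openssl", "supported": True, "pending_update": {"severity": "high", "released": "2024-05-01"}},
        {"name": "python2", "supported": False},
    ],
    "antimalware": {"installed": True, "signatures_updated": "2024-05-14"},
}

if __name__ == "__main__":
    for label, facts in (("before", HOST_FACTS), ("after", enforce(HOST_FACTS))):
        for f in evaluate(facts, TODAY):
            print(f"{label:6} {f.control:21} {f.detail}")
```

Run against the constructed host, the first pass reports nine deviations; the enforcement step clears the three marked auto-fixable (default inbound policy, auto-run, the guest account) and the second pass leaves six that genuinely need a person: the SSH port exposed to the internet without an approver, the default password on ‘admin’, the unsupported package, the overdue high-severity fix and the stale signatures. Keeping that split explicit is the point of the `auto_fixable` flag: an agent should converge the state it is allowed to own and surface, not silently change, everything else.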
Automated compliance scanning, monitoring, and enforcement means that security and regulatory policies are adhered to across the entire infrastructure, whether on-premise, cloud-based, or a hybrid environment of both. It may be that one of an organisation’s existing IT infrastructure solutions already has the option to add a compliance module, which will reduce the amount of additional effort required to create a continuous compliance environment.
Be standards-based
Continuous compliance is far more effective when built on a foundation of industry-recognised security standards or benchmarks, such as those published by the Center for Internet Security (CIS). When choosing an IT infrastructure compliance solution, consider one that integrates with, and continuously scans against, the latest industry benchmarks and standards. Leaning on established standards saves IT teams from reinventing the wheel and gives them confidence that they are building on a solid foundation of collective experience, rather than having to become security experts, which is not typically their area of specialist knowledge.
That said, risk management programmes should always include ongoing user education and training (such as mock phishing exercises) to keep staff informed. The threat landscape evolves constantly, yet we expect staff to keep security top of mind indefinitely on the strength of a short security class taken during onboarding. This leads to established security protocols (assuming any are in place) not being followed, and to errors in judgement.
The human risk factor cannot be under-estimated. Verizon’s 2022 Data Breach Investigations Report* determined that 82% of breaches involved a human element, including phishing, password discovery or disclosure, and simple mistakes. While there can be a tendency to blame missteps on end-users, the human element involved in server configuration by a busy administrator can also be the cause.
IT teams are already stretched thin, so finding ways in which security and compliance can be implemented without having a major impact on their working days is vital. Continuous compliance through automation, making the most of established standards, and working towards having a constant ‘desired state’ in an IT environment is the foundation that minimises additional workload while creating peace-of-mind.
*https://www.verizon.com/business/en-gb/resources/2022-data-breach-investigations-report-dbir.pdf