The last week of June saw the release of yet another cybersecurity compliance standard aimed at the UK's public sector departments. Not content with the strain placed on departments across the country by the GDPR (General Data Protection Regulation), the NCSC (National Cyber Security Centre) has developed a five-domain standard which all government organisations should be meeting, or ideally surpassing.
Five Security Domains
The five security domains are identify, protect, detect, respond and recover, and are designed to create a minimum level of strength and capability for attribution and resilience within the UK public sector.
Cutting to the chase, you are probably thinking: where are the opportunities?
Unlike the GDPR, which aimed to remain risk-based and subjective, the minimum security standard has been written in an objective fashion, which opens the door for many a cybersecurity solution. Most of these requirements can be found in the protect security domain.
The Protect Security Domain
Access to sensitive data and key operational services shall only be provided to identified, authenticated and authorised users or systems. In particular:
- Access to sensitive data and services should only be authorised for known and referenced individuals and systems.
- Users accessing sensitive data and services must complete some form of authentication. In cases of high risk, so should the device or system accessing sensitive data or systems.
Systems which handle sensitive data or key operational services shall be protected from exploitation of known vulnerabilities.
To protect servers, network devices and centralised services:
- Track and record all hardware and software assets and their configurations.
- Have a programme of vulnerability detection and patching to prevent common exploitation-based cyber attacks. Where this is not possible, mitigating controls such as network segregation should be undertaken.
- Validate through regular testing that device configurations are optimal and secure.
- Use the UK public sector DNS servers for name resolution to avoid DNS poisoning and redirection attacks.
- Ensure that authoritative DNS changes can only be made by authenticated administrators.
- Understand and record all IP ranges.
- Where services are outsourced, understand and document the security responsibilities of both outsourced party and the department using the outsourced service.
To protect end-user devices such as smartphones and laptops:
- Identify and record all end-user devices and removable media in use.
- Manage end-user devices which have access to sensitive data and key operational services, applying technical and security controls.
- Run operating systems and software which are regularly patched and supported by the vendor.
- Apply encryption at rest where physical security cannot be guaranteed, such as a smartphone which moves inside and outside the protected network environment.
- Have the ability to revoke access or wipe an end-user device.
To protect email delivery and access systems:
- Use TLS 1.2 (Transport Layer Security) for sending and receiving email.
- Have DMARC (Domain-based Message Authentication, Reporting and Conformance), DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) records in place to reduce spoofing effectiveness.
- Implement spam and mail filtering, and require DMARC for inbound mail.
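The SPF and DMARC requirement above is easy to state but easy to satisfy only on paper: a record can exist and still reduce nothing if SPF ends in "+all" or DMARC is left at "p=none". The following is an added example (not code from the NCSC or the standard) that parses constructed SPF and DMARC TXT records and reports those weak settings; the domain names and records are made up for illustration.

```python
import re

# Constructed sample TXT records, keyed by the DNS name they would live at
# (example data, not real DNS records and not part of the NCSC standard).
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 include:_spf.mailhost.example +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "none.example": [],
}

def spf_all_qualifier(records):
    """Return the qualifier on the SPF 'all' term ('-', '~', '?' or '+'), or None."""
    for txt in records:
        if txt.lower().startswith("v=spf1"):
            for term in txt.split()[1:]:
                m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
                if m:
                    return m.group(1) or "+"   # a bare 'all' means '+all'
            return None  # SPF present but no 'all' term: neutral by default
    return None

def dmarc_tags(records):
    """Return DMARC tags as a dict (e.g. {'v': 'DMARC1', 'p': 'reject'}), or None."""
    for txt in records:
        if txt.upper().startswith("V=DMARC1"):
            pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
            return {k.strip().lower(): v.strip() for k, v in pairs}
    return None

def assess(domain, txt=SAMPLE_TXT):
    """Return a list of findings; an empty list means the domain passes the checks."""
    findings = []
    q = spf_all_qualifier(txt.get(domain, []))
    if q is None:
        findings.append("SPF record missing or has no 'all' term")
    elif q == "+":
        findings.append("SPF ends in +all: every sender passes, spoofing is not reduced")
    elif q in ("~", "?"):
        findings.append(f"SPF ends in {q}all: softfail/neutral, prefer -all")
    d = dmarc_tags(txt.get("_dmarc." + domain, []))
    if d is None:
        findings.append("DMARC record missing")
    elif d.get("p", "none").lower() == "none":   # a missing p tag is treated as none
        findings.append("DMARC p=none: monitor only, spoofed mail is still delivered")
    return findings

if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        print(name, assess(name) or ["OK"])
```

To run this against live domains, replace SAMPLE_TXT with the TXT answers from a resolver lookup of the domain and of its _dmarc subdomain; DKIM is not checked here because its selector names are not discoverable from DNS alone.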
To protect digital services:
- Ensure web applications are not exploitable by common vulnerabilities, for example those listed by OWASP (Open Web Application Security Project).
- Ensure the underlying infrastructure is secure, including verifying that the hosting environment is maintained securely and that you have appropriately exercised your responsibilities for securely configuring the infrastructure and platform.
- Protect data in motion using TLS 1.2.
- Regularly test for the presence of known vulnerabilities and common configuration errors.
Highly privileged accounts should not be vulnerable to common cyber attacks. To achieve this:
- Segregate accounts for anyone with a privileged account. Administrator accounts should not be used for tasks such as internet browsing or email receipt.
- Use multi-factor authentication wherever it is technically possible, including for cloud accounts, department social media accounts and administrative accounts.
- Passwords for privileged system accounts, social media accounts and infrastructure components must be changed from default values and should not be easy to guess. Passwords which would on their own grant extensive system access should have high complexity.
Opportunities for IT Security Solution Providers
The opportunities for IT security solution providers are bountiful and include a number of possible solution types. Consider offering the following:
- Asset management solutions.
- Strong authentication solutions such as multi-factor authentication.
- Vulnerability detection and patching solutions.
- Encryption for sensitive data at rest.
- Email security solutions which can authenticate outbound email and verify incoming.
- Benchmarking solutions which can assess servers, network devices and end-user machines against known standards.
- Privileged account management solutions.
- Mobile device management solutions for end-user devices which leave the safety of the network boundary.
Interestingly, the standard doesn't stop there. Government departments are encouraged to measure their third-party suppliers against the standard, to ensure that they are procuring through routes which are also safe, which widens the scope of the standard considerably.