
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


Finding Opportunities in the UK's New Minimum Cyber Security Standard

Posted: 18 July 2018


The last week of June saw the release of yet another cybersecurity compliance standard aimed at the UK's public sector departments. Not content with the strain placed on departments across the country by the GDPR (General Data Protection Regulation), the NCSC (National Cyber Security Centre) has developed a five-domain standard which all government organisations should be meeting or ideally surpassing.

Five Security Domains

The five security domains are identify, protect, detect, respond and recover, and they are designed to create a minimum level of strength and capability for resilience and attribution within the UK public sector.

Cut to the chase and you are probably thinking, where are the opportunities?

Unlike the GDPR, which aimed to remain risk-based and subjective, the minimum security standard has been created in an objective fashion, opening the door for many a cybersecurity solution. Most of these requirements can be found in the protect security domain.

The Protect Security Domain

Access to sensitive data and key operational services shall only be provided to identified, authenticated and authorised users or systems. In particular:

  • Access to sensitive data and services should only be authorised for known and referenced individuals and systems.
  • Users accessing sensitive data and services must complete some form of authentication. In cases of high risk, so should the device or system accessing sensitive data or systems.

Systems which handle sensitive data or key operational services shall be protected from exploitation of known vulnerabilities.

To protect servers, network devices and centralised services:

  • Track and record all hardware and software assets; and their configurations.
  • Have a programme of vulnerability detection and patching to prevent common exploitation-based cyber attacks. Where this is not possible, mitigating controls such as network segregation should be undertaken.
  • Validate through regular testing that device configurations are optimal and secure.
  • Use the UK public sector DNS servers for name resolution to avoid DNS poisoning and redirection attacks.
  • Ensure that authoritative DNS changes can only be made by authenticated administrators.
  • Understand and record all IP ranges.
  • Where services are outsourced, understand and document the security responsibilities of both outsourced party and the department using the outsourced service.

To protect end-user devices such as smartphones and laptops:

  • Identify and record all end-user devices and removable media in use.
  • Manage end-user devices which have access to sensitive data and key operational services, applying technical and security controls.
  • Run operating systems and software which are regularly patched and supported by the vendor.
  • Apply encryption at rest where physical security cannot be guaranteed, such as a smartphone which moves inside and outside the protected network environment.
  • Have the ability to revoke access or wipe an end-user device.


To protect email delivery and access systems:

  • Use TLS 1.2 (Transport Layer Security) for sending and receiving email.
  • Have DMARC (Domain-based Message Authentication, Reporting and Conformance), DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) records in place to reduce spoofing effectiveness.
  • Implement spam and mail filtering; and require DMARC for inbound mail.
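As an added example (not from the original post or the NCSC standard), the following Python checks whether constructed SPF and DMARC TXT records for a hypothetical domain would actually reduce spoofing: a DMARC record with p=none or an SPF record ending in +all counts as "in place" yet enforces nothing.

```python
import re

SAMPLE_RECORDS = {  # constructed sample TXT records for a hypothetical domain, not real DNS data
    "example.gov.uk": ["v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"],
    "_dmarc.example.gov.uk": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.gov.uk; pct=100"],
}

def parse_spf(txt):
    """Return the SPF terms and the qualifier on the final 'all', or None if not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return None
    terms = txt.split()[1:]
    all_qual = None
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qual = m.group(1) or "+"  # a bare 'all' means '+all' (pass everything)
    return {"terms": terms, "all": all_qual}

def parse_dmarc(txt):
    """Return DMARC tags as a dict (keys lower-cased), or None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess_domain(domain, records):
    """Check a domain's SPF and DMARC records; returns a list of findings (empty = pass)."""
    findings = []
    spf_txts = [t for t in records.get(domain, []) if parse_spf(t)]
    if len(spf_txts) != 1:
        findings.append(f"{domain}: expected exactly one SPF record, found {len(spf_txts)}")
    else:
        qual = parse_spf(spf_txts[0])["all"]
        if qual not in ("-", "~"):  # only fail/softfail actually reduce spoofing
            shown = f"'{qual}all'" if qual else "no 'all' term"
            findings.append(f"{domain}: SPF should end in -all or ~all, found {shown}")
    dmarc_txts = [t for t in records.get(f"_dmarc.{domain}", []) if parse_dmarc(t)]
    if len(dmarc_txts) != 1:
        findings.append(f"{domain}: expected exactly one DMARC record, found {len(dmarc_txts)}")
    else:
        tags = parse_dmarc(dmarc_txts[0])
        if tags.get("p") not in ("quarantine", "reject"):  # p=none only monitors
            findings.append(f"{domain}: DMARC p={tags.get('p', 'missing')} does not block spoofed mail")
        if "rua" not in tags:
            findings.append(f"{domain}: DMARC has no rua= address, so aggregate reports go nowhere")
    return findings
```

In a real deployment the records would be fetched from DNS (for example with dnspython) rather than taken from the constructed dictionary.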

To protect digital services:

  • Ensure web applications are not exploitable by common vulnerabilities, for example those listed by OWASP (Open Web Application Security Project).
  • Ensure the underlying infrastructure is secure, including verifying that the hosting environment is maintained securely and that you have appropriately exercised your responsibilities for securely configuring the infrastructure and platform.
  • Protect data in motion using TLS 1.2.
  • Regularly test for the presence of known vulnerabilities and common configuration errors.

Highly privileged accounts should not be vulnerable to common cyber attacks. This means:

  • Account segregation for anyone with a privileged account. Administrator accounts should not be used for tasks such as internet browsing or email receipt.
  • Multi-factor authentication should be used wherever it is technically possible, including cloud accounts, department social media accounts and administrative accounts.
  • Passwords for privileged system accounts, social media accounts and infrastructure components must be changed from default values and should not be easy to guess. Passwords which would on their own grant extensive system access should have high complexity.


Opportunities for IT Security Solution Providers

The opportunities for IT security solution providers are bountiful and include a number of possible solution types. Consider offering the following:

  • Asset management solutions.
  • Strong authentication solutions such as multi-factor authentication.
  • Vulnerability detection and patching solutions.
  • Encryption for sensitive data at rest.
  • Email security solutions which can authenticate outbound email and verify incoming.
  • Benchmarking solutions which can assess servers, network devices and end-user machines against known standards.
  • Privileged account management solutions.
  • Mobile device management solutions for end-user devices which leave the safety of the network boundary.

Interestingly, the standard doesn't stop there. Government departments are encouraged to measure their third-party suppliers against the standard, to ensure that they are procuring through routes which are also safe, which widens the scope of the standard considerably.


Posted by: Chris Payne on behalf of Infinigate UK
