Cyber Security DE:CODED

Official Cyber Security Advice | S1E2

March 24, 2021 SE Labs Season 1 Episode 2

Where can large and small businesses find good, basic cyber security advice?

We look at the options and discuss the UK's Cyber Essentials programme. Is it a good start or a non-starter?

(Full Show Notes available on our website.) 

Marc Briggs  0:00  
Welcome to DE:CODED, Series One, Episode Two - your weekly podcast providing in-depth insight into cyber security. Show notes, including any links mentioned in the show, are available at DecodedCyber.com.

Simon Edwards  0:11  
In this episode, we're going to focus on general security advice, and specifically Cyber Essentials, the security advice you've probably never heard of. But should. It looks simple, but as we'll see, you need to get into the detail to find the real value. So Marc, if you're new to security, or want to take another look at how you approach it, where would you start?

Marc Briggs  0:25  
Well, from a business perspective it's difficult to identify exactly where you'd get the best independent advice, because you can quite easily get sucked into marketing and sales pitches from individual companies.

Simon Edwards  0:35  
Yeah, I guess if you're just a normal consumer, a home user, you're going to read computer magazines. There are a bazillion podcasts, blogs and websites telling you how to be secure on the internet. Are there even magazines still in the newsagents?

Marc Briggs  0:45  
Yeah, sure. I guess as a consumer you're going to get your information through a multitude of means, and you probably won't necessarily go hunting for it. It comes through advertisements that you're exposed to on the radio or the TV or on social media sites. And it's a little bit more organic: when you go in and buy your computer, you may get pushed these products...

Simon Edwards  1:44  
You won't know there's a problem until someone says, "Have you got antivirus?" And yeah, don't download stuff from BitTorrent without being super careful.

Marc Briggs  1:53  
Yeah, but for the people that have responsibility within their jobs to make sure that their organizations are secure, they're not going to go to a magazine or read their Facebook newsfeed or anything like that for this advice. Where do they go?

Simon Edwards  2:11  
Well, I think there are a couple of things that they consider, and we did one of them. First of all, there's the international stuff, isn't there? So you've got your ISO 27001 versions one and two, and whatever: extremely expensive, very hard to sort out. But if you're a large retailer, then probably that's what you're going to do. But then if you're a smaller business that wants to work with a big business, you know, what do you do? You can't just follow the advice from...

Simon Edwards  2:36  
...you know, WebUser magazine or whatever. No, you need a standard that both provides you confidence that you're doing everything that you should be doing, but also reassures your customers or clients that you're secure, and that any data or information you're processing that belongs to them is held securely as well. So that's what we're going to be looking for.

Simon Edwards  3:09  
Yeah. And I think there hasn't been very much that's been useful for a few years, or up until a few years ago, I should say, because, when was it in the UK, maybe five, six years ago, the government came out with a thing called Cyber Essentials.

Marc Briggs  3:24  
Sure. And this is a British thing, isn't it?

Simon Edwards  3:28  
Yeah, and actually, when you talk to the American friends that we have, not only have they not heard of it, but they don't appear to have anything even similar: no initiatives from the DHS or anything in the US.

Marc Briggs  3:39  
No, which is surprising, because, as we'll go through Cyber Essentials in a little bit of detail, it is, to someone within the industry, a very common-sense list of basics which should be covered off in order that you're, to a large part, secure from the majority of threats that are out there. But a lot of people just haven't got this covered.

Simon Edwards  4:05  
No, and common sense is not that common, often. So when we look at the Cyber Essentials criteria... I mean, is this like an ISO certification, where you have to have risk lists and matrices and that kind of business?

Marc Briggs  4:21  
No. Well, Cyber Essentials is what you want to make it, I guess. Ultimately, if you want it to be a tick sheet, it can be a list of (however many there are) 20 topics and the boxes next to them: they've got a tick in them or not. And that can be it. You are Cyber Essentials compliant.

Simon Edwards  4:48  
So if I've got an antivirus and a firewall and encrypt my data, whatever that means, you know, if I don't look too carefully into each of those details, I can just say that I comply, can I?

Marc Briggs  4:59  
That is it. That's exactly it. And that's a good example. One of the criteria for Cyber Essentials is, "Is an antivirus installed on all hosts?"

Simon Edwards  5:13  
Which sort of antivirus? Which brand?

Marc Briggs  5:15  
It doesn't matter.

Simon Edwards  5:17  
But they are all different, aren't they?

Marc Briggs  5:19  
Well, you and I know they're different.

Simon Edwards  5:22  
Because that's literally what our job is: to compare antivirus!

Marc Briggs  5:26  
But as long as you've got an antivirus, then you are meeting the requirements of Cyber Essentials. And if you look at it from the perspective of the authors of Cyber Essentials, they've got to keep it as simple and basic as they can in order not to technically outwit or omit anyone looking to achieve the standard, and make it accessible. They just want to bring the general standard of cyber security up one or two notches, rather than bring it all the way up to the very best.

Simon Edwards  6:04  
So just having an antivirus is at least better than not having antivirus.

Marc Briggs  6:08  
The assumption, I guess, coming from the people that produce Cyber Essentials, is that there's enough of a quantity of people out there with no security at all that even having something is going to be better. And so at this point, having any antivirus product is good enough. And it's only when you start to question, "Well, which antivirus do I want?" that you start to realize that actually not all antivirus products are the same.

Simon Edwards  6:44  
Right? So this could be a kind of useful template to start making your strategy for securing your business. But then for each of these items, you're probably going to have to dig a little deeper.

Marc Briggs  6:56  
I think so. I think what you need to do is to see it as a starting point. It's the areas in which you need to be asking the questions to find out what's most appropriate for your business. So for firewalls, for example, the Cyber Essentials criterion is that the default settings are changed. Now, that's you just changing default settings...

Simon Edwards  7:27  
Wildly and randomly!

Marc Briggs  7:28  
...which would achieve the tick, and therefore you're compliant, isn't good enough.

Simon Edwards  7:35  
What if the default settings are right? (laughs)

Marc Briggs  7:37  
Well, yeah, they might be.

Simon Edwards  7:41  
I mean, remote access being restricted, that makes sense, because you should restrict remote access to whoever should have it or to no one.

Marc Briggs  7:50  
But unless you're told that, would you automatically know it? I mean, when you say it...

Simon Edwards  8:00  
It's a recipe, isn't it? You've got to go through this and ask yourself the question for each of these things. And actually, we went through Cyber Essentials shortly after we formed our company. And that was done as a favor to some friends of ours who were doing the Cyber Essentials certification. We were like their first client, to help them do it. And I thought, well, we'll just tick the boxes, and we're being very nice and helpful to our friends. But actually, it was really useful. And they asked questions that I wasn't initially even able to answer. And one of them was around password management. And they said, "Do you use complex passwords?" And of course, you, I and the other guys running the security teams know about complex passwords. So I'm like, "Yes, we do." Of course we do. We use numbers and exclamation marks and the year date, that kind of thing. And then the next question was, "How do you enforce that choice of complexity?" And that was less clear. Because of course, if you and I sit down and make passwords, I'm going to trust that you're going to do it properly, and you're going to trust that I'm going to do it properly. But we've got, you know, a couple of dozen people next door. Well, working from home right now. But you know what I mean? Yeah, and they have an opportunity to choose their own passwords...

Marc Briggs  9:17  
...and how often they change those passwords as well. Yeah, it was another category. We actually don't need to enforce a lot of these things, because our friends at Microsoft have enabled that functionality.

Simon Edwards  9:32  
It's true that if you use Office 365, they will enforce complex passwords for you. The same with Google G Suite and a bunch of those other platforms: so long as you're using them, you can kind of tick off a lot of these boxes automatically. But it forced me to think about it. That's what I found interesting.

Marc Briggs  9:54  
Yeah. And I think that's what, in this case, the UK Government wants you, as an individual business owner or someone responsible for security within your organization, to do: to spend some time thinking about security, not have it keep dropping down the list of priorities, and just go through what on the face of it looks like a very simple one-page tick sheet. But as you dig in and apply some intelligence to it, you realize that, as you said, there are very useful processes that you can apply to your business which don't affect your effectiveness to conduct your work, but increase your security dramatically from where you may have started.

Simon Edwards  10:37  
Yeah, and actually, looking down the list, a couple of the items kind of seemed quite throwaway. So there's one which is that no outdated or unsupported software should be on the network, and you should have everything properly licensed. Well, it makes complete sense. But actually, imagine the work involved in sorting that out, even on... so there's only the six of us, we're starting a new company. Actually making sure that when you buy your laptop, you strip out all the rubbish bits of software that come pre-installed, and make sure everything's up to date. That isn't trivial, is it?

Marc Briggs  11:12  
It's nice, and it's the kind of thing that a lot of people will just be flummoxed by. How do I even do that, as a user? Because unless you're an IT regular user or a security expert, then your computer is there to provide you the ability to do your work, which isn't security work. You need to take calls, write emails, produce reports, and it's not your responsibility. Or should it be your responsibility to make sure that there's no outdated or unsupported software on that device? To you and me, it makes sense, and it's a matter of course, but to a regular user, are they going to be motivated to do that?

Simon Edwards  12:04  
Yeah, and I think having policies... that sounds really boring when you say it, doesn't it, having policies. But actually, again, if you're an individual person or a very small company, you and I know what the policy is without it being written down. But you've got to kind of imagine what would happen if someone got run over by a bus, or we have a new employee who has to do these things. You've got to write this stuff down and have a formal policy of what a good password looks like. Or how do we decide what software should be on those computers, and what shouldn't? And do we update immediately, or do we test an update? Because, you know, you've brushed on the point that we're here to actually do a job and not to just spend all our time worrying about security. So if a new Windows update comes out, a significant one, and we all put it onto our computers, and then none of us are going to do any work for the next 48 hours because things are broken? That's no good, is it?

Marc Briggs  12:57  
But which then leads on to the point: should this be the responsibility of your average user within an organization, to decide and to control when this is being done, when they're changing their passwords, when their security patches are being updated? Or should it be centralized, and should it be controlled by the administrator?

Simon Edwards  13:21  
And how much agency do directors have? Because you and I have both worked with somebody who was provided with a secure laptop for going to a hostile environment. And his first request to me was to put, I think it was iTunes, on it, because he wanted to listen to music when he was abroad. Yeah. So you can spend all your time securing everything, but if the directors want something else, do you say no?

Marc Briggs  13:45  
Yeah, yes, exactly. But then, you see, you could delegate the responsibility for security to an individual or group of individuals. But then your point about directors is that in any organization you've got to lead from the front. And if the directors aren't prioritizing security within the function of their everyday business, then the other people working for them aren't going to...

Simon Edwards  14:15  
Maybe just give them iPads and tell them that because they're special, and directors, they get this really good hardware. But it's pretty locked down.

Marc Briggs  14:26  
So what do we think of Cyber Essentials? Do we think that the five areas of firewalls, configuration, access control, patching and malware protection are sufficiently comprehensive? Is it robust enough?

Simon Edwards  14:47  
I think because it's quite high level it probably is. There are probably enough headings there, but there's an awful lot underneath each heading. So for example, there's no mention that I could see of two-factor or multi-factor authentication, which I would guess would come under user access controls. But it's not listed. And maybe it says something about passwords and password policy under secure configuration. So it's kind of disappointing to see one of the, what I think, most important and easy elements missing. Because, you know, we've done work before, haven't we, where we've gone into an organization and not just listed the risk matrix, where we have the likelihood of the threat happening and the impact of the threat happening, but then we made it three-dimensional, and we looked into how easy it is to achieve the remediation. So you might have something that isn't very likely to happen, and would have a kind of low-ish impact, but it's so easy to handle you might as well just knock it off...

Marc Briggs  15:53  
...your list, just get it done. Yeah. And equally, in that scheme, you may have something with high impact but low likelihood. So it's a red in your risk assessment as a result, and therefore normally would be a high priority to mitigate. But if it's very difficult to actually implement that change, do you want to start targeting that now? Or do you just knock the easy ones out of the park?

Simon Edwards  16:24  
Well, I think, looking at this checklist, it's not complete, but if you go through that and you can tick everything off without thinking about it, brilliant, you're in a really great position to think about things at greater depth. If you're not able to answer half of those things, then there's plenty of work still to be done. So it's still got massive value. But I think that it's a lot less hard to get through this than an ISO 27001 certification, which we have done. And we did it super fast, because we were a small company at the time, but it was still really hard work, and you have to have policies for everything. Whereas here, it feels like a kind of lighter version of ISO 27001. In my experience, you do the ISOs because you have to, because your customers require you to; there are reasons you have to do it. Whereas Cyber Essentials, I think it's good because it's achievable. No one's asking you to do it, really. The UK government wanted it to be a tick box: if you've got it, you can work with other companies. But actually, I think it's just a good general cyber hygiene checklist. So even a small business would benefit from going through this, but I think CSOs at large companies should look at it too.

Marc Briggs  17:39  
Yep, it's a great way of just checking off that the basics are done. And then if you can dig into each of the points that Cyber Essentials has raised, then you really get to know how your security network is designed and working for you. But I guess Cyber Essentials was designed to be accessible to the everyday user. So would you need a third-party organization to come in and run your Cyber Essentials testing for you?

Simon Edwards  18:15  
I don't think you do. The only time you would need it is if you buy into the rhetoric that you need a Cyber Essentials certificate to achieve your business goals. So if you've got some potential customers who require you to have it, then I think it's worth doing it properly. Okay. There's a Plus version as well, where you get penetration tested and things like that, too. But you can do all of those things on your own. And I never really understood the business model behind Cyber Essentials. We even looked into being involved as part of, you know, helping companies achieve it. And it almost felt a bit like a pyramid situation, where one or two very big organizations make lots of money, and all the guys running around doing the work and helping people comply made peanuts. And then the people at the bottom doing the certification paid a few hundred pounds for a badge they had to renew every year. And I do wonder how successful Cyber Essentials has been as a result of that, because you just don't actually need it, the badge itself.

Marc Briggs  19:19  
We've certainly never been asked for it, have we? We're perhaps not in the business where we work with a lot of other small businesses within the UK, so we're maybe not the best example. And we've done government work in some respects, and they haven't asked for it either. No, no.

Simon Edwards  19:38  
No. So we have been asked, right? So yes, we have. Yes, because, I think it happened around the GDPR kind of time period, and some of the very large companies, platforms and big security companies, they would say, have you got either ISO 27001 or some other US-based process that we didn't have access to because we're not in the US, or answer a bunch of these questions. And after doing the questions a couple of times, it just became clear that getting the certification was going to be the right thing to do. And then we just tick that box and move on.

Marc Briggs  20:14  
Because it not only enabled us to become a partner with some of the organizations we work with, because we meet their criteria, but it also enables us to take a hard, deep look at how our security is set up. And if Cyber Essentials is able to identify areas which we wanted to improve on, then the ISO 27001 certainly did. We set up policies as a result of 27001, which we had practices around, but no hard policies.

Simon Edwards  20:48  
Well, I think in the early days of a company you're reacting to circumstances a lot. So we didn't have a policy for what to do with old hard disks that we didn't want anymore; we would have come up with one once we needed to get rid of some, but we didn't. And going through this certification, we ended up having a policy. And then we gave away a load of computers, and we were like, oh, actually, we've got a policy to deal with the storage, because we're not about to give a bunch of civilians systems that have been facing cyber threats for the last three years, because God knows what kind of malware could have found its way into those computers. Yeah, we do not want to be spreading that stuff. For us, it was less about losing business data and more about not harming the environment, the computing environment, of other people.

Marc Briggs  21:33  
So we think Cyber Essentials, as much as people don't like just a check sheet and a box-ticking exercise, we think it's a good way to get organizations started on a journey to a robust cyber security policy.

Simon Edwards  21:53  
Yeah, I think it's the beginning of a conversation. And, you know, even if I was just going to pick one thing out of here, the malware protection, I'd say that an antivirus is installed on all hosts. Yep, can't disagree with that. But then I would be saying, well, which one? And then, obviously, being a security tester, I'd try to be directing people to our reports and saying, have a look at the last couple of years' worth, because maybe product A has done particularly well this quarter, but maybe that's the first time it's done well in three years. So have a look at how these things have done over a period of time. Look at other reports; there are a few other testers out there. And what you tend to find is that some antivirus products are consistently good or consistently bad over time, or consistently average. So, you know, if you're going to stick with what you're used to, just have a little check and see if it's really the very best that you can afford. It might be free, but then some free ones are terrible, and some free ones are good. So double check. And similarly with host-based firewalls as well, and VPNs and all that kind of stuff that we test and play with and advise on. But, you know, I'm just thinking, one of the big news stories of, I don't know, the decade almost, in terms of cyber security, has been the SolarWinds attack. And what I think relates that to this is to do with the supply chain. Because when we did our ISO certification, we had to answer questions about who we would allow to be our suppliers, and how do we vet them, and all that kind of thing. Right? Yeah. It's really hard, isn't it? If you say that, well, one of my suppliers is Microsoft, or Google, or some... no one's going to criticize you for that; you've almost got no choice. Yeah. But if they have somehow got an issue because of a supply chain attack, you know, where does the trust start and stop?

Marc Briggs  23:53  
Yes, because you can't audit your supply chain. You can ask them questions, and if they don't answer them sufficiently, then you have the ability to change your supplier, which a lot of people don't want to do just on that basis. But you equally don't have any way of confirming that what they're telling you is accurate unless they have got an award themselves, such as Cyber Essentials or an ISO, or anything like that. So how much do you trust your supply chain to actually deliver the standards which you expect of them?

Simon Edwards  24:32  
I mean, that almost feels like we just have to assume that we're all compromised. But actually, I don't think that's an unrealistic assumption, because when you can't trust your supply chain, you kind of have to assume that you've been compromised. But then, did we ever assume that we hadn't been? You know, do we walk around going, I'm a small UK business, and there's no way anyone's attacked us? I mean, that's pretty arrogant, isn't it? Yeah.

Marc Briggs  25:03  
I mean, there's got to be some level of trust. But at the end of the day, unless you've got control, you don't know the level of compromise. So I think it's fair to say that if you've got a supply chain, you should treat it with a healthy level of suspicion, and assume a level of compromise, and then apply your security to what you're receiving from that supply chain appropriately. Don't just trust it blindly.

Simon Edwards  25:34  
And actually, that was part of the ISO certification. So this doesn't come into Cyber Essentials, but classifying information accordingly. So maybe if we had a genuinely secret piece of information, that doesn't go on our hard disks. You know, it's an extreme thing to not put something on a computer, but we've all kind of got used to the idea of paperless. You think back 15 years, when fax machines existed: of course, they could be read by the governments of the world, but not everything made its way onto a computer's hard disk and wasn't connected to the internet. Whereas now, because we're using Office 365 or G Suite, everything is on the cloud, unless you make a really conscious decision not to put it there.

Marc Briggs  26:21  
Yes, you've got to try hard, and you've got to keep it away from digital means of communication. And you have to set that up specifically these days. And actually, that raises a suspicion around what exactly you're trying to hide.

Simon Edwards  26:44  
Well, a couple of years ago, the Russians pretty much saved the typewriter industry by putting in a huge order, and I think Olivetti, one of those companies, was really close to going bust because no one was buying the stuff anymore. Yeah. And you think, well, what are they typing? The postage stamp budget's going to have to go up this year, isn't it? If we're going to go paper again, if we're going to go paper. Yes.

Marc Briggs  27:05  
But then, of course, we've got to rely on paper from all of our suppliers as well. And...

Simon Edwards  27:11  
Yeah, well, there's all sorts of things we could talk about with printers: printers putting secret codes onto paper so that law enforcement can track it back. But then if you're not going to break the law, maybe that doesn't matter.

Marc Briggs  27:23  
Yeah, exactly. Exactly. Yeah, you only need to hide from so many people. And that's the bad guys.

Simon Edwards  27:31  
Well, yeah, and actually, that's a good point. Again, some of the work that we do, not in the labs but elsewhere, we have to be a little bit covert about things. And you sometimes have to remind yourself that your opponent isn't the police or the government. So it is okay to be traceable to a certain degree if you're not trying to evade tax or, you know, rip off banks or whatever.

Marc Briggs  27:53  
Yeah, that's right. And so you just have to use your intelligence. You have to look at security from both your perspective and the attacker's perspective, and work out what configuration is going to be best for you, using a number of different security products.

Simon Edwards  28:14  
So, given that thought, I'm a normal office worker, and I'm quite convinced that my company's doing what it needs to do. So I'm concerned about my own privacy now. Maybe I'm a CSO, but I'm worried about the Mac I've got at home, or whatever. Am I just never going to get any targeted attacks, because I'm not a person of interest?

Marc Briggs  28:35  
No, there's a good chance... you should assume that you're going to get a targeted attack against you, no matter who you are. And...

Simon Edwards  28:46  
But why would they spend the effort singling me out?

Marc Briggs  28:50  
Because you might be the gateway into something bigger. So you might not think that you're particularly important within your company. But if you're the designer for the car door for Jaguar, you may think, well, I'm not going to get targeted, because the people who get targeted at Jaguar are going to be the executives, or board level; they've got all the information. But if I'm the designer for the car door, then I've got access to systems which, given to the bad guys, they can move laterally within, then they can move up within the Jaguar system and get where they want to go.

Simon Edwards  29:32  
So it's a bit like a supply chain attack, but using an employee rather than the supplier to get in. Yes, I was thinking a little bit more about how, as an individual... so, like, the Jaguar guy may not care too much about Jaguar, but he might care about his own money. And there are types of targeted attack which aren't as targeted. So for example, if I want to get into Jaguar, I might look for an employee on LinkedIn and target that person. But if I want to get someone's money, and I know that they're part of the TalkTalk breach, then I can call or email a few hundred people that I know have been affected by that. And my social engineering attempts should be more than usually successful, because I'm going to know something about them: probably their name, possibly their email address (I will definitely, if I'm going to send them an email), and the fact that they have at some point had an account with TalkTalk.

Marc Briggs  30:27  
Yeah, absolutely. And that information is out there.

Simon Edwards  30:31  
So I'm not going after Fred exactly. I'm going after a group of people, and Fred happens to be one of them. But I've...

Marc Briggs  30:37  
...got enough information about Fred that, on the face of it, it would appear like it's a targeted attack. Yeah. Because you know more information than just that it's a person.

Simon Edwards  30:51  
And then that's getting beyond antivirus, to a point. But then my understanding, and relatively limited experience in actually being targeted like this, is they will in the end try and put some kind of malware on your system, at which stage you would hope that an antivirus product would kick in and say, hang on a minute.

Marc Briggs  31:08  
Yeah, that's when you're relying on the last line of defense. Yeah.

Simon Edwards  31:13  
Someone once described antivirus as like a bulletproof vest. So if someone sat there with a sniper rifle and they were really intent on getting you, then it's not going to help. But when stuff's happening around you, and there's various bits of shrapnel and other things generally in your environment making things uncomfortable, it should, nine times out of ten, save your life.

Marc Briggs  31:34  
Yeah. That's an analogy I've not heard before, but yeah, I can see how it works. Yeah. Okay, so we're giving a thumbs up to Cyber Essentials, basically, aren't we?

Simon Edwards  31:45  
I think it's a really good first step. Yeah.

Please subscribe. And if you enjoyed this episode, please send a link to just one of your close colleagues. If you want to join the DE:CODED community, and access private content, including our monthly executive briefings, apply at DecodedCyber.com/circle.

And that's it. Thank you for listening. And we hope to see you again soon.