Cyber Essentials and Application Vulnerabilities

Building on Cyber Essentials

For most businesses, it can be hard to know where to begin with IT security. Most of us return to the old favourites:

  • a robust firewall
  • some antivirus scanning
  • policies that steer people towards secure use

But how much is enough? What does fundamentally good security look like? And, as the threat landscape changes fast, how should patching application vulnerabilities factor into your day-to-day defence?

The Cyber Essentials scheme, developed by the UK government and industry, sets out a range of clear controls to protect against the most common cyber attacks. There are two levels to the scheme – Cyber Essentials, involving a self-completion questionnaire, and Cyber Essentials Plus, which includes an on-premises assessment.

As you’d expect, application vulnerabilities play an increasingly significant role in the framework that these assessments follow.

What is the Cyber Essentials scheme?

Cyber Essentials is a framework that’s really two things at once.


For companies that supply the public sector, it’s a list of minimum security obligations they need to comply with. For everyone else, it’s an opportunity to check and self-assess your baseline security and get certified to build customer confidence.

The framework covers five key areas:

  1. Boundary firewalls and internet gateways to keep data safe as it comes into and out of your network
  2. Secure configuration that reduces your exposure
  3. Access control that determines who can access what, and how
  4. Malware protection that protects against viruses, spyware, and worms
  5. Patch management that closes the vulnerabilities in your software

Of course, these are areas that most IT teams already prioritise. But while you’re probably already patching out-of-date software, it’s your approach and methodology that could be letting you down.

Are you patching beyond the baseline?

In the Cyber Essentials framework, the government suggests you apply all patches within 30 days and security patches within a window of 14 days. Even those timelines can be hard to keep up with if you’re manually finding applications and installing the appropriate updates.

Worse, the guidance misses a few key practical issues.

First, it makes the assumption that you know every third-party application that’s installed on your network. If you’re running services across multiple locations, with growing use of Bring Your Own Device (BYOD), there’s a good chance your visibility is less than perfect.

What’s more, it’s a simplification to think that all security patches are equally critical. In fact, the nature of application vulnerabilities varies hugely – from minor weaknesses with no real exploit to serious issues that could offer an attacker complete access to your core systems. You need to prioritise at a more granular level if you’re going to protect against the most serious vulnerabilities first.

In addition, end-of-life and non-supported software should ideally be removed from the network entirely – or at least from any devices that can connect to the internet. In a world where businesses are built around legacy software, it can be hard to keep up with an ever-changing landscape.

The baseline within the Cyber Essentials framework is a good starting point, but the most effective remediation goes further. Unfortunately, manual patching makes that incredibly difficult to achieve.
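As an added illustration of the windows and priorities described above (this is not code from the original article or from any vendor tool), the following Python turns a constructed software inventory into a prioritised remediation list: security patches get the 14-day window, other patches 30 days, end-of-life software is flagged for removal, and overdue items are ordered by severity. The inventory fields, application names and hosts are assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory (hypothetical apps and hosts). In practice this
# would come from automated application discovery plus a patch/vulnerability feed.
INVENTORY = [
    {"app": "PDF Reader", "host": "laptop-07", "patch_released": date(2024, 3, 1),
     "security": True, "severity": "critical", "eol": False},
    {"app": "Office Suite", "host": "desk-12", "patch_released": date(2024, 3, 10),
     "security": True, "severity": "medium", "eol": False},
    {"app": "Media Player", "host": "desk-12", "patch_released": date(2024, 2, 20),
     "security": False, "severity": "none", "eol": False},
    {"app": "Legacy CRM", "host": "srv-01", "patch_released": None,
     "security": False, "severity": "none", "eol": True},
]
TODAY = date(2024, 3, 20)  # constructed "today" for the sample run

# Windows stated in the article: 30 days for all patches, 14 for security patches.
WINDOW_DAYS = {"security": 14, "general": 30}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}

def deadline(item):
    """Date by which the pending patch must be applied (None for EOL software)."""
    if item["patch_released"] is None:
        return None
    window = WINDOW_DAYS["security" if item["security"] else "general"]
    return item["patch_released"] + timedelta(days=window)

def remediation_plan(inventory, today):
    """Return one action per item, most urgent first.

    Order: end-of-life software to remove, then overdue patches by severity,
    then everything else by severity and days remaining."""
    plan = []
    for item in inventory:
        if item["eol"]:
            plan.append({**item, "action": "remove", "days_left": None, "overdue": True})
            continue
        days_left = (deadline(item) - today).days
        plan.append({**item, "action": "patch", "days_left": days_left,
                     "overdue": days_left < 0})
    plan.sort(key=lambda p: (not p["eol"], not p["overdue"],
                             SEVERITY_RANK[p["severity"]], p["days_left"] or 0))
    return plan

if __name__ == "__main__":
    for p in remediation_plan(INVENTORY, TODAY):
        print(f'{p["action"]:6} {p["app"]:13} {p["host"]:9} sev={p["severity"]:8} '
              f'overdue={p["overdue"]} days_left={p["days_left"]}')
```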

Automating your patch management

The truth is that manual patching doesn’t give you the comprehensive visibility you need to find every application, or the insight and intelligence you need to prioritise your response. It takes automated application discovery, real-time threat intelligence, and highly automated patching to really secure your infrastructure.

That way you can meet the expectations of Cyber Essentials – and go beyond them to achieve security you can depend on.
