The Five Core Controls of Cyber Essentials – Secure Configuration

Is it true that just 5 technical controls can help prevent most cyber attacks? What are these cyber security essentials and how do they work? Over #CyberSecurityAwarenessMonth we will explore each of the five controls in separate blog posts to find out more.

Set up your computer securely to minimize the ways a cyber criminal can find a way in.
Passwords are still currently the main method securing access to almost all our different accounts and files. They are the digital equivalent of locks and keys. Weak and guessable passwords as well as the habit of re-using the same password are the top reasons accounts get breached.

Use a strong, unique password
Cyber criminals can use powerful computers to guess people’s passwords and break into their accounts in what is called a Brute-force attack. The computer will try every combination of letter, literally working through the dictionary until they have found the words that work. Many of these brute-force programs are sophisticated enough to search logical substitutions such as ‘4’ for an ‘A’ , ‘I’ for ‘1’ etc. For this reason, it is recommended that you use a password that is more than 8 characters long and difficult to guess. Make sure that when you set up a new device, you change any default passwords.

The National Cyber Security Centre recommend that you use three random words which you can remember but do not naturally go together. The longer your password the better. It is particularly important that you use long passwords for your admin and other crucial systems’ accounts (i.e. email account, banking account). Do not share your password with anyone or leave it displayed.

One password- one account
Often when an online company is attacked all the customer information is stolen. Those username-password combination (credentials) are then quickly sold to criminals who will try those same user-name-password combinations on as many accounts as possible hoping to open up an access point for more crime. This is the reason you need a separate password for each online account.

Using a Password Manager
The good news is that you do not need to remember all those long and complex passwords. You can use a piece of software called a Password Manager. You may have noticed that your browser already asks you if you’d like it to create and store passwords for you. This is a browser integrated Password Manager and is safe to use for personal use, however there are some security issues linked to this kind of password manager.
For more sensitive data it is recommended that you use an independent, stand-alone password manager such as Last Pass or Dashlane. It is often as simple as downloading the Password Manager software from their website and signing-up with your email address. You will then only need to remember one really good complex password for the Password Manager itself and after that, the Password Manager will remember your user names and create and remember extremely secure passwords for each of your accounts.

Add a second layer of security to your password
The problem with passwords is two fold, we are being asked to create more and more passwords to carry out daily tasks and criminals are finding sophisticated as well as sneaky methods of guessing and breaking those passwords. This means that using a password on its own is not very secure. It is now considered best practice to enable 2 factor authentication (2FA) or multi factor authentication (MFA) to every account where this is an option. The extra forms of authentication can typically be something you have (a code sent to a separate device), something you know (a personal identification number PIN) or something you are ( a finger print or facial scan). This method is a way of further verifying your identity and ensures that if someone has acquired your password, they will be unable to access your account without also accessing your MFA source.

Unused software and accounts
Many devices and software come from the manufacturer with features enabled that you do not use. These are sometimes called ‘plugins’. The code in each ‘extra’ feature can potentially offer additional openings for cyber criminals to reach you. It is a good idea to permanently remove unused software by uninstalling it and delete guest accounts and any other unused accounts. Look out for features like default file share and disable them too.

Disable autorun
You can prevent software from automatically opening by itself by disabling Autoplay and Autorun. This will be effective in stopping malware from trying to secretly attack you. Instead, you will be notified that some software wants to run and you can check whether it is from a trusted source and scan for malware.

How can it help prevent a cyber attack?
Organisations should have a robust password policy. This will inform employees about how to avoid choosing obvious passwords (such as pet names, and personal information that would be easy to discover). It would also notify users to avoid reusing the same password, how to set up MFA and where and how they can store passwords eg which Password Manager to use.

Find out more about getting Cyber Essentials certified here.