Cyber Essentials is a joke?

Soldato (joined 30 Sep 2005, 16,527 posts):
My team are working on Cyber Essentials Plus (site-wide). It seems like a tick-in-the-box exercise to me.

We have been told that in order to pass, we must reduce the security on our RDS servers. Microsoft found a bug in RDP (CredSSP) about two years ago and patched it. Since then, the way the technology works means users must be authenticated at a certain stage prior to logging on. Due to this, if a user's account has the "password change at next logon" flag set, they are unable to log on to RDS in order to change their password. Catch-22. It's well documented.

The workaround is to reduce the security on RDS to make it work, negating the security fix Microsoft put on. Either that, or users must change it on a PC. Not ideal in this environment.

Am I missing something really obvious here?

They also said every piece of software on all client machines (we have 4,000+) must be at the latest versions. Fortunately we use App-V so this isn't an issue for us, but I'd imagine it would be for most people.

There are some other gems which have come out of this as well.
 
Associate (joined 25 Jun 2004, 1,276 posts, location .sk.dkwop.):
Cyber Essentials Plus is a compliance standard, and compliance adherence does not make you secure. Retrofitting technical controls without understanding the logic, or the impact on business processes, is a recipe for failure, and this is why security is difficult and shouldn't be considered a joke.
 
Soldato (OP, joined 30 Sep 2005, 16,527 posts):
> Cyber Essentials Plus is a compliance standard, and compliance adherence does not make you secure. Retrofitting technical controls without understanding the logic, or the impact on business processes, is a recipe for failure, and this is why security is difficult and shouldn't be considered a joke.

Completely agree
 
Soldato (joined 18 Oct 2002, 8,116 posts, location The Land of Roundabouts):
Is it for sure a major non-compliance? I'm pretty sure we have exceptions to some of the "must" sections; they got marked down as minors. Admittedly we didn't go for the Plus.

Any decent assessor should be able to accept some risk if it's been documented/discussed properly.

Alternatively, look into a different password solution :)
 
Soldato (OP, joined 30 Sep 2005, 16,527 posts):
> Is it for sure a major non-compliance? I'm pretty sure we have exceptions to some of the "must" sections; they got marked down as minors. Admittedly we didn't go for the Plus.
>
> Any decent assessor should be able to accept some risk if it's been documented/discussed properly.
>
> Alternatively, look into a different password solution :)

Yeah, there's no way we're dropping any security. We'll have to come up with a workaround.
 
Associate (joined 3 Oct 2007, 795 posts):
> Any decent assessor should be able to accept some risk if it's been documented/discussed properly.

We've passed cyber essentials plus, so have been audited to death over this stuff.
Our auditors were absolutely unwavering in sticking to their brief, even when we could show some of the methodology was fundamentally flawed - you might get luckier than we did.
 
Soldato (joined 18 Oct 2002, 8,116 posts, location The Land of Roundabouts):
Yeah, auditors can be fickle creatures!
Cyber Essentials is a waste of time (pretty sure I've moaned about its nuisances in the past on these forums!) for anyone who has a proper understanding of what security is about, vs, like you said, a tick-boxing exercise that pleases the pen pushers.
It also seems to me the departments who moan the most about security are the ones who want the badge the most.

The ISO standards are far more valuable to a company imo.
 
Associate (joined 6 Jan 2012, 21 posts):
Most companies doing the assessments seem to just run through some scripts they didn't write without really understanding them and they nearly always miss things.

For your RDS, can't you do password resets through RD Web?
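The catch-22 in the opening post (NLA rejects a logon for an account flagged "must change password at next logon", and the usual "fix" is to switch NLA off) and the RD Web suggestion above are worth seeing as a concrete check. The following PowerShell is an added example, not code from anyone in the thread. It assumes made-up session host names (`rdsh01`, `rdsh02`), a domain-joined admin workstation with the RSAT ActiveDirectory module, and the default RD Web Access install path; the `PasswordChangeEnabled` key in `RDWeb\Pages\Web.config` is the documented Microsoft switch, but verify the path on your build.

```powershell
# Added example, not code from the thread. Assumptions: $SessionHosts names are
# made up, RD Web Access is at its default path, RSAT ActiveDirectory is present.

# 1. Audit each RDS session host: is NLA still required?
#    UserAuthenticationRequired 1 = NLA on; 0 = the weakened setting the
#    assessors asked for. Report it, do not flip it.
function Test-RdsNlaRequired {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $s = Get-CimInstance -ComputerName $c `
                -Namespace 'root/cimv2/TerminalServices' `
                -ClassName 'Win32_TSGeneralSetting' `
                -Filter "TerminalName='RDP-Tcp'"
        [pscustomobject]@{
            ComputerName  = $c
            NlaRequired   = [bool]$s.UserAuthenticationRequired
            SecurityLayer = $s.SecurityLayer   # 0 = RDP, 1 = Negotiate, 2 = TLS
        }
    }
}

# 2. Find the accounts that will hit the catch-22 before they do:
#    pwdLastSet = 0 is the "User must change password at next logon" flag.
function Get-UsersPendingPasswordChange {
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' |
        Select-Object SamAccountName, DistinguishedName
}

# 3. Enable the RD Web Access password-change page so those users change the
#    password in a browser, leaving NLA on the session hosts untouched.
function Enable-RdWebPasswordChange {
    param([string]$WebConfigPath = 'C:\inetpub\wwwroot\RDWeb\Pages\Web.config')
    $full = (Resolve-Path -LiteralPath $WebConfigPath).Path   # XmlDocument.Save needs an absolute path
    [xml]$cfg = Get-Content -LiteralPath $full -Raw
    $node = $cfg.configuration.appSettings.add |
        Where-Object { $_.key -eq 'PasswordChangeEnabled' }
    if (-not $node) { throw "PasswordChangeEnabled not found in $full" }
    if ($node.value -ne 'true') {
        Copy-Item -LiteralPath $full -Destination "$full.bak" -Force   # keep a rollback copy
        $node.value = 'true'
        $cfg.Save($full)
    }
    return $node.value
}

# Usage. Steps 1 and 2 need a real domain and RDS hosts; step 3 is exercised
# against a constructed Web.config fragment in a temp file so it can be tried anywhere.
$SessionHosts = 'rdsh01', 'rdsh02'   # assumed names
Test-RdsNlaRequired -ComputerName $SessionHosts | Format-Table
Get-UsersPendingPasswordChange | Format-Table

$tmp = Join-Path ([IO.Path]::GetTempPath()) 'Web.config'
@'
<configuration>
  <appSettings>
    <add key="PasswordChangeEnabled" value="false" />
  </appSettings>
</configuration>
'@ | Set-Content -LiteralPath $tmp
Enable-RdWebPasswordChange -WebConfigPath $tmp
```

The point of step 1 is that the auditor's evidence and your own should come from the same place: `UserAuthenticationRequired` on the `RDP-Tcp` listener is what the "Require user authentication for remote connections by using Network Level Authentication" policy ultimately sets, so a reading of 1 across all hosts is the record that you did not weaken it. Step 3 restarts nothing; IIS picks up the edited Web.config on its own.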
 
Soldato (joined 28 Sep 2008, 14,123 posts, location Britain):
> My team are working on Cyber Essentials Plus (site-wide). It seems like a tick-in-the-box exercise to me.
>
> We have been told that in order to pass, we must reduce the security on our RDS servers. Microsoft found a bug in RDP (CredSSP) about two years ago and patched it. Since then, the way the technology works means users must be authenticated at a certain stage prior to logging on. Due to this, if a user's account has the "password change at next logon" flag set, they are unable to log on to RDS in order to change their password. Catch-22. It's well documented.
>
> The workaround is to reduce the security on RDS to make it work, negating the security fix Microsoft put on. Either that, or users must change it on a PC. Not ideal in this environment.
>
> Am I missing something really obvious here?
>
> They also said every piece of software on all client machines (we have 4,000+) must be at the latest versions. Fortunately we use App-V so this isn't an issue for us, but I'd imagine it would be for most people.
>
> There are some other gems which have come out of this as well.

App-V, haha, that won't be a thing soon and you'll be back to square one.
 
Man of Honour (joined 30 Oct 2003, 13,229 posts, location Essex):
I was actually considering doing this with my team over the last year but haven't decided if it is worth it yet. Last year, instead of signing up, I went with a full-scale pen test of the environment, outside in; I figured I would rather somebody see what they can do than tick some boxes. It also ended up being a requirement to winning some big business, so it felt like my work over the last 8 years was being very heavily scrutinised and put to an actual test. It was quite uncomfortable to come under testing and a lot of scrutiny on the tech decisions being made and why. It was a little bit in, when waiting on the results, that I realised I'd potentially just contracted and paid a company to possibly tell me and those that employ me that I'm crap at my job.
 

Deleted member 138126:

Cyber Essentials (or anything similar) has some pretty big positives:

1) It highlights to (non-technical) management how difficult it is to keep an estate up to date, and how much effort is required to bring it up to date (when it is badly out of date). This should help with future head-count / budget requests related to running the environment
2) It highlights to the technical managers and engineers how important it is to have centralised mechanisms for deploying and patching not just the OS but also all the apps. It will also help shift attitudes and priorities towards centralised (like Citrix) and/or web-based apps and app delivery mechanisms.

In my view, it just focuses the mind of various layers of management, and that's a good thing.
 
Soldato (OP, joined 30 Sep 2005, 16,527 posts):
> Cyber Essentials (or anything similar) has some pretty big positives:
>
> 1) It highlights to (non-technical) management how difficult it is to keep an estate up to date, and how much effort is required to bring it up to date (when it is badly out of date). This should help with future head-count / budget requests related to running the environment
> 2) It highlights to the technical managers and engineers how important it is to have centralised mechanisms for deploying and patching not just the OS but also all the apps. It will also help shift attitudes and priorities towards centralised (like Citrix) and/or web-based apps and app delivery mechanisms.
>
> In my view, it just focuses the mind of various layers of management, and that's a good thing.

I agree with 1, but I have past experience of how management soon forget (especially when it comes to spending money).

And we're already doing 2.

All in all, I do think it is a positive, but in no way once we get certified can we say we are secure (can anyone really say that these days?).
 

Deleted member 138126:

Oh I agree that management very quickly forget, but you can always bring it up to remind them (at opportune moments).

As far as being secure, there is 100% no doubt that you are more secure than you were before! Having unpatched Javas and Adobe Readers and Microsoft Offices is a nightmare waiting to happen.

I think purely from the awareness point of view, it's a winner. It's painful, and a lot of it can feel like lip service... But security is hard, and you have to attack it from many angles.
 
Soldato (joined 18 Oct 2002, 4,032 posts, location Somewhere on the Rainbow):
Working in the NHS, there has been a push to CE+; thankfully they seem to have listened and that requirement is going to be dropped!

Saying that, the Data Security and Protection Toolkit, which is mandatory, is just as bad! Example: one section (shortened for ease of typing) says "All software must be at the latest version" (mandatory yes/no for a pass/fail), then the next section says any software not at the latest version needs to be managed by business risk!
 
Soldato (OP, joined 30 Sep 2005, 16,527 posts):
> Working in the NHS, there has been a push to CE+; thankfully they seem to have listened and that requirement is going to be dropped!
>
> Saying that, the Data Security and Protection Toolkit, which is mandatory, is just as bad! Example: one section (shortened for ease of typing) says "All software must be at the latest version" (mandatory yes/no for a pass/fail), then the next section says any software not at the latest version needs to be managed by business risk!


I'd like to know from anyone running a large (10,000+ machines) network, who has answered that question truthfully and passed. By that, I mean can demonstrate with accurate reporting that their entire estate runs all software at latest versions. We're close, but it's not been an easy task, especially since we only have a handful of IT staff.
 

Deleted member 138126:

> I'd like to know from anyone running a large (10,000+ machines) network, who has answered that question truthfully and passed. By that, I mean can demonstrate with accurate reporting that their entire estate runs all software at latest versions. We're close, but it's not been an easy task, especially since we only have a handful of IT staff.

I think the auditors will usually allow a small percentage to be out, but it’s pretty small. My point about it overall being a good thing is that it forces you to have systems in place rather than an ad hoc process that probably doesn’t get used that often.
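The OP's question two posts up (can anyone with a large estate actually demonstrate, with reporting, that all software is current?) and the reply above (auditors tolerate a small percentage out of date) both come down to having an inventory and a baseline to compare it against. The PowerShell below is an added example, not code from the thread or from any assessor. It reads the same Uninstall registry keys that Programs and Features uses, compares tracked products against a minimum approved version, and produces the percentage-out-of-date figure an auditor asks for. The product names, versions and host names in `$Baseline` and `$sample` are constructed placeholders, not real release numbers.

```powershell
# Added example, not code from the thread. $Baseline and $sample are constructed
# placeholder data so the comparison runs on any machine without touching the estate.

# Collector: what Programs and Features would list on this host (64-bit and 32-bit hives).
function Get-InstalledSoftware {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Name         = $_.DisplayName
                Version      = $_.DisplayVersion
            }
        }
}

# Comparison: one row per tracked install, with the reason it is or is not compliant.
function Compare-ToBaseline {
    param(
        [Parameter(Mandatory)][object[]]$Installed,
        [Parameter(Mandatory)][hashtable]$Baseline   # Name -> minimum approved version
    )
    foreach ($app in $Installed) {
        if (-not $Baseline.ContainsKey($app.Name)) { continue }   # untracked product, skip
        $have = $null
        $status = if (-not [version]::TryParse($app.Version, [ref]$have)) {
            'Unparseable'       # vendor strings like "5.2 (x64)" need a per-product parser
        } elseif ($have -ge [version]$Baseline[$app.Name]) {
            'Current'
        } else {
            'Outdated'
        }
        [pscustomobject]@{
            ComputerName = $app.ComputerName
            Name         = $app.Name
            Installed    = $app.Version
            Approved     = $Baseline[$app.Name]
            Status       = $status
        }
    }
}

# Roll-up the way an auditor reads it: what fraction of tracked installs is not current.
# Unparseable rows count as not current; you cannot claim compliance for a version you cannot read.
function Get-ComplianceSummary {
    param([Parameter(Mandatory)][object[]]$Results)
    $total      = $Results.Count
    $notCurrent = @($Results | Where-Object Status -ne 'Current').Count
    [pscustomobject]@{
        Tracked           = $total
        NotCurrent        = $notCurrent
        PercentNotCurrent = if ($total) { [math]::Round(100 * $notCurrent / $total, 2) } else { 0 }
    }
}

# Constructed sample data (placeholder products, versions and hosts).
$Baseline = @{
    'Vendor PDF Reader' = '21.0.0.0'
    'Vendor Archiver'   = '5.2.0.0'
}
$sample = @(
    [pscustomobject]@{ ComputerName = 'pc001'; Name = 'Vendor PDF Reader'; Version = '21.0.0.0' },
    [pscustomobject]@{ ComputerName = 'pc002'; Name = 'Vendor PDF Reader'; Version = '20.9.1.0' },
    [pscustomobject]@{ ComputerName = 'pc002'; Name = 'Vendor Archiver';   Version = '5.2 (x64)' },
    [pscustomobject]@{ ComputerName = 'pc003'; Name = 'Unrelated Tool';    Version = '1.0' }
)
$results = Compare-ToBaseline -Installed $sample -Baseline $Baseline
$results | Format-Table
Get-ComplianceSummary -Results $results | Format-Table

# Against the real estate: run the collector remotely over WinRM and feed the rows in.
# $inv = Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-InstalledSoftware}
# Compare-ToBaseline -Installed $inv -Baseline $Baseline | Where-Object Status -ne 'Current'
```

Two things this surfaces that a yes/no toolkit question hides: the Uninstall keys miss per-user installs under HKCU and anything delivered outside an MSI (App-V packages included), so the collector needs extending for those; and version strings are not uniformly parseable, which is exactly the data you need in hand before arguing a "managed by business risk" exception with an assessor.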
 