
Cyber Essentials is a joke?

Discussion in 'Servers and Enterprise Solutions' started by TheOracle, 22 Jan 2020.

  1. TheOracle

    Capodecina

    Joined: 30 Sep 2005

    Posts: 12,503

    My team are working on cyber essentials plus (site wide). It seems like a tick in the box exercise to me.

    We have been told that in order to pass, we must reduce the security on our RDS servers. Microsoft found a bug in RDP (CredSSP) about two years ago and patched it. Since then, the way the technology works means users must be authenticated at a certain stage prior to logging on. Due to this, if a user's account has the "password change at next logon" flag set, they are unable to log on to RDS in order to change their password. Catch-22. It's well documented.

    The workaround is to reduce the security on RDS to make it work, negating the security fix Microsoft put on. Either that, or users must change it on a PC. Not ideal in this environment.

    Am I missing something really obvious here?

    They also said every piece of software on all client machines (we have 4,000+) must be at the latest versions. Fortunately we use AppV so this isn't an issue for us, but I'd imagine it would be for most people.

    There are some other gems which have come out of this as well.
     
  2. ecksmen

    Wise Guy

    Joined: 25 Jun 2004

    Posts: 1,183

    Location: Cardiff

    Cyber Essentials + is a compliance standard, and compliance adherence does not make you secure. Retrofitting technical controls without understanding the logic, or the impact on business processes, is a recipe for failure, and this is why security is difficult and shouldn't be considered a joke.
     
  3. TheOracle

    Capodecina

    Joined: 30 Sep 2005

    Posts: 12,503

    Completely agree
     
  4. LizardKing

    Sgarrista

    Joined: 18 Oct 2002

    Posts: 7,682

    Location: The Land of Roundabouts

    Is it for sure a major non-compliance? I'm pretty sure we have exceptions to some of the "must" sections. They got marked down as minors. Admittedly we didn't go for the +.

    Any decent assessor should be able to accept some risk if it's been documented/discussed properly.

    Alternatively, look into a different password solution :)
     
  5. TheOracle

    Capodecina

    Joined: 30 Sep 2005

    Posts: 12,503

    Yeah, there's no way we're dropping any security. We'll have to come up with a workaround.
     
  6. Little_Crow

    Hitman

    Joined: 3 Oct 2007

    Posts: 772

    We've passed cyber essentials plus, so have been audited to death over this stuff.
    Our auditors were absolutely unwavering in sticking to their brief, even when we could show some of the methodology was fundamentally flawed - you might get luckier than we did.
     
  7. LizardKing

    Sgarrista

    Joined: 18 Oct 2002

    Posts: 7,682

    Location: The Land of Roundabouts

    Yeah auditors can be fickle creatures!
    Cyber Essentials is a waste of time (pretty sure I've moaned about its nuisances in the past on these forums!) for anyone who has a proper understanding of what security is about, vs, like you said, a tick-boxing exercise that pleases the pen pushers.
    It also seems to me the departments who moan the most about security are the ones who want the badge the most.

    The ISO standards are far more valuable to a company imo.
     
  8. LuckyWig

    Associate

    Joined: 6 Jan 2012

    Posts: 21

    Most companies doing the assessments seem to just run through some scripts they didn't write without really understanding them and they nearly always miss things.

    For your RDS, can't you do password resets through RD Web?
     
  9. InkZ

    Gangster

    Joined: 27 Sep 2006

    Posts: 462

    Yep, RD Web
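The two points raised in the thread so far (keep NLA/CredSSP enforcement on the session hosts rather than weakening it, and give users with "must change password at next logon" a supported route via the RD Web Access password-change page) can be checked from one script. This is an added example written for this thread, not code from any poster; the host names are placeholders, it assumes WinRM access to the RDS hosts with administrative rights, and the optional AD query assumes the ActiveDirectory module is installed.

```powershell
# Added example (not from the thread): audit RDS session hosts to confirm that
# Network Level Authentication (NLA) is still enforced, and check that the
# RD Web Access password-change page is enabled so that accounts flagged
# "User must change password at next logon" have a supported route that does
# not require lowering RDP security.
# Assumptions: run as an admin with WinRM reachability; names are placeholders.

$SessionHosts = @('RDSH01.example.local', 'RDSH02.example.local')  # placeholder names
$RdWebHost    = 'RDWEB01.example.local'                             # placeholder name

function Get-NlaStatus {
    param([string[]]$ComputerName)
    # The RDP-Tcp WinStation registry key holds the NLA and security-layer settings.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        $props = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Host               = $env:COMPUTERNAME
            NlaRequired        = [bool]$props.UserAuthentication  # 1 = NLA enforced
            SecurityLayer      = $props.SecurityLayer             # 2 = TLS (SSL) required
            MinEncryptionLevel = $props.MinEncryptionLevel        # 3 = High, 4 = FIPS
        }
    }
}

function Get-RdWebPasswordChange {
    param([string]$ComputerName)
    # RD Web Access exposes the password-change page only when this appSetting is true.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $cfg = Join-Path $env:windir 'Web\RDWeb\Pages\web.config'
        [xml]$xml = Get-Content -Path $cfg
        $setting = $xml.configuration.appSettings.add |
            Where-Object { $_.key -eq 'PasswordChangeEnabled' }
        [pscustomobject]@{
            Host                  = $env:COMPUTERNAME
            PasswordChangeEnabled = ($setting.value -eq 'true')
        }
    }
}

$nla = Get-NlaStatus -ComputerName $SessionHosts
$nla | Format-Table -AutoSize

# Any host with NLA off is the "reduce security to pass" state the thread warns about.
$weak = $nla | Where-Object { -not $_.NlaRequired }
if ($weak) {
    Write-Warning ("NLA is disabled on: " + ($weak.Host -join ', ') + ". Re-enable it and route password changes through RD Web instead.")
}

$rdweb = Get-RdWebPasswordChange -ComputerName $RdWebHost
if (-not $rdweb.PasswordChangeEnabled) {
    Write-Warning "PasswordChangeEnabled is false in web.config on $RdWebHost; enable it so must-change users can reset via RD Web."
}

# Optional: list the enabled accounts currently flagged to change password at next
# logon (pwdLastSet = 0); these are exactly the users NLA will stop at the RDP prompt.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' -Properties pwdLastSet |
        Select-Object SamAccountName, DistinguishedName
}
```

If a host reports NlaRequired as false, the fix is to set UserAuthentication back to 1 (via Group Policy or Set-ItemProperty on that key and a reboot of the Remote Desktop Services service), not to leave it off; the RD Web page at /RDWeb/Pages/en-US/password.aspx then serves the expired-password case the original post describes.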
     
  10. Django x2

    Capodecina

    Joined: 28 Sep 2008

    Posts: 13,149

    Location: Britain

    AppV, haha, that won't be a thing soon and you'll be back to square one.
     
  11. TheOracle

    Capodecina

    Joined: 30 Sep 2005

    Posts: 12,503

    I hope not, it's been a life saver.
     
  12. Vince

    Man of Honour

    Joined: 30 Oct 2003

    Posts: 9,843

    Location: Essex

    I was actually considering doing this with my team over the last year but haven't decided if it is worth it yet. Last year, instead of signing up, I went with a full-scale pen test of the environment, outside in; I figured I would rather somebody see what they can do than tick some boxes. It also ended up being a requirement to winning some big business, so it felt like my work over the last 8 years was being very heavily scrutinised and put to an actual test. It was quite uncomfortable to come under testing and a lot of scrutiny on the tech decisions being made and why. It was a little bit in, when waiting on the results, that I realised I'd potentially just contracted and paid a company to possibly tell me and those that employ me that I'm crap at my job.
     
  13. TheOracle

    Capodecina

    Joined: 30 Sep 2005

    Posts: 12,503

    Well I have stuck to my guns about the security, but managed to find a solution in the end. Required a couple of days coding but sorted it out.
     
  14. rotor

    Wise Guy

    Joined: 18 Sep 2012

    Posts: 2,165

    Cyber Essentials (or anything similar) has some pretty big positives:

    1) It highlights to (non-technical) management how difficult it is to keep an estate up to date, and how much effort is required to bring it up to date (when it is badly out of date). This should help with future head-count / budget requests related to running the environment
    2) It highlights to the technical managers and engineers how important it is to have centralised mechanisms for deploying and patching not just the OS but also all the apps. It will also help shift attitudes and priorities towards centralised (like Citrix) and/or web-based apps and app delivery mechanisms.

    In my view, it just focuses the mind of various layers of management, and that's a good thing.
     
  15. TheOracle

    Capodecina

    Joined: 30 Sep 2005

    Posts: 12,503


    I agree with 1, but I have past experience of how management soon forget (especially when it comes to spending money).

    And we're already doing 2.

    All in all, I do think it is a positive, but in no way once we get certified can we say we are secure (can anyone really say that these days?).
     
  16. rotor

    Wise Guy

    Joined: 18 Sep 2012

    Posts: 2,165

    Oh I agree that management very quickly forget, but you can always bring it up to remind them (at opportune moments).

    As far as being secure, there is 100% no doubt that you are more secure than you were before! Having unpatched Javas and Adobe Readers and Microsoft Offices is a nightmare waiting to happen.

    I think purely from the awareness point of view, it's a winner. It's painful, and a lot of it can feel like lip service... But security is hard, and you have to attack it from many angles.
     
  17. whiskycycle

    Wise Guy

    Joined: 31 May 2004

    Posts: 1,432

    Location: The 'Toon, UK, in Europe

    Wonder if that includes not letting a fully managed Macbook (ManageEngine, Sophos Central, AD joined) connect to a corporate network "because we'll fail CyberEssentials if we connect it"?

    Hypothetically, of course.
     
  18. kefkef

    Mobster

    Joined: 18 Oct 2002

    Posts: 3,970

    Location: Somewhere on the Rainbow

    Working in the NHS there has been a push to CE+, thankfully they seem to have listened and that requirement is going to be dropped!

    Saying that, the Data Security Protection Toolkit, which is mandatory, is just as bad! Example: one section (shortened for ease of typing) says "All software must be at the latest version" (mandatory Yes/No for a pass/fail), then the next section says any software not at the latest version needs to be managed by business risk!.....
     
  19. TheOracle

    Capodecina

    Joined: 30 Sep 2005

    Posts: 12,503


    I'd like to know from anyone running a large (10,000+ machines) network, who has answered that question truthfully and passed. By that, I mean can demonstrate with accurate reporting that their entire estate runs all software at latest versions. We're close, but it's not been an easy task, especially since we only have a handful of IT staff.
     
  20. rotor

    Wise Guy

    Joined: 18 Sep 2012

    Posts: 2,165

    I think the auditors will usually allow a small percentage to be out, but it’s pretty small. My point about it overall being a good thing is that it forces you to have systems in place rather than an ad hoc process that probably doesn’t get used that often.