Jim Seaman

Cybersecurity: Can you see the light at the end of your tunnel?

Updated: Jan 20


For a small to medium-sized business, cyber-security can seem very daunting, very expensive, extremely complex and almost like endlessly walking through a darkened tunnel.

  • At any time you have to be alert to an attacker jumping out of the darkness and mugging you!

It need not be this way, as long as you focus on defending those assets that you deem to be the most important to your business and ensure that you are applying the essential defensive measures.

That way, you can help to mitigate 80% of the most common types of cyber-attacks.

Cyber-security relates to those business assets that are deemed to be internet-facing:

cyber- (word-forming element)
ultimately from cybernetics (q.v.). It enjoyed explosive use with the rise of the internet in the early 1990s. One researcher (Nagel) counted 104 words formed from it by 1994. Cyberpunk (by 1986) and cyberspace (1982) were among the earliest. The OED 2nd edition (1989) has only cybernetics and its related forms, and cybernation "theory, practice, or condition of control by machines" (1962).

security (n.)
mid-15c., "condition of being secure," from Latin securitas, from securus "free from care" (see secure). Replacing sikerte (early 15c.), from an earlier borrowing from Latin; earlier in the sense "security" was sikerhede (early 13c.); sikernesse (c. 1200).

Opportunist cyber-criminals are constantly on the prowl, seeking to identify weaknesses in your internet-facing assets. Consequently, if you can prioritise your defensive efforts based upon the perceived value of your internet-facing assets, you can start to see 'a light at the end of the tunnel'.

Getting the basics right

Okay, so now we have an idea of where you might wish to focus your efforts, how do you identify which assets are internet-facing?

Opensource reconnaissance

Try looking at your business from the 'BADLANDS' (aka the Internet). This can be done as a manual process, using a variety of resources (Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence), or as an automated process using a subscription service (such as SecurityScorecard).

Prioritise your Digital Footprint

Having identified what is internet-facing, take the time to carry out an impact analysis review of your digital footprint, to risk rank these assets - based upon the perceived impacts, should they be compromised.

  • Do you understand how the perimeter assets have connections to your high-value internal assets?

  • Do you understand these connections and the data/communication flows between assets?

  • Do you periodically audit your network assets, to confirm how they are connected?

  • Do you document your network assets (Asset Inventory, Data Flow Diagrams, Network Diagrams, etc.) and periodically compare this against the results of your periodic audits?
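The last two questions, reconciling the documented inventory and diagrams against what a periodic audit actually finds, can be done mechanically. The following is an added example, not part of the original post: the inventory, audit results and hostnames are constructed sample data, and the `Asset` shape is an assumption about how a small business might record each entry.

```python
"""Reconcile a documented asset inventory against periodic audit results.

Added example, not from the original post. All hosts and addresses
below are constructed sample data (RFC 5737 / RFC 1918 ranges).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    address: str
    internet_facing: bool
    connects_to: frozenset  # internal assets this one has a data flow to


# Constructed: what the Asset Inventory / Network Diagram says exists.
DOCUMENTED = {
    Asset("web-01", "203.0.113.10", True, frozenset({"db-01"})),
    Asset("mail-01", "203.0.113.20", True, frozenset()),
    Asset("db-01", "10.0.0.5", False, frozenset()),
}

# Constructed: what the latest audit (scan from the Internet side) observed.
AUDITED = {
    Asset("web-01", "203.0.113.10", True, frozenset({"db-01", "hr-01"})),
    Asset("vpn-test", "203.0.113.30", True, frozenset({"db-01"})),
    Asset("db-01", "10.0.0.5", False, frozenset()),
}


def reconcile(documented, audited):
    """Return (undocumented, missing, drifted) hostname lists.

    undocumented: seen by the audit but absent from the inventory
    missing:      in the inventory but not found by the audit
    drifted:      present in both, but address/exposure/flows differ
    """
    doc = {a.hostname: a for a in documented}
    aud = {a.hostname: a for a in audited}
    undocumented = sorted(h for h in aud if h not in doc)
    missing = sorted(h for h in doc if h not in aud)
    drifted = sorted(h for h in doc if h in aud and doc[h] != aud[h])
    return undocumented, missing, drifted


def exposed_paths_to_internal(audited, high_value):
    """(perimeter host, high-value internal host) pairs with a direct flow."""
    return sorted((a.hostname, target) for a in audited if a.internet_facing
                  for target in a.connects_to if target in high_value)
```

Each undocumented or drifted entry is a question for the next review cycle: either the diagrams are out of date, or something was exposed without a business case.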

Get the essentials right

In order of priority, start laying your defences through the application of the Cyber-essentials 'Big 5':

1. Secure the gates (Office Firewalls and Internet Gateways).

Much like a medieval castle, you should ensure that you have established gate controls (securely configured firewalls) to restrict access/egress into, and within, your business.

Basic questions:

  1. Do you have firewalls (Gates) at the boundaries between your organisation’s internal networks and the internet?

  2. When you first receive an internet router or hardware firewall device (Gate) it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?

  3. Is the new password (Key) on all your internet routers or hardware firewall devices (Gate) at least 8 characters in length and difficult to guess?

  4. Do you change the password (Key) when you believe it may have been compromised? How do you achieve this?

  5. Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices (Emergency Exit) for which you do not have a documented business case?

  6. If you do have services enabled on your firewall (Emergency Exit), do you have a process to ensure they are disabled in a timely manner when they are no longer required (secured when not in use)? Describe the process.

  7. Have you configured your internet routers or hardware firewall devices (Gates) so that they block all other services from being advertised to the internet (Gate Guard)?

  8. Are your internet routers or hardware firewalls (Gate) configured to allow access to their configuration settings over the internet (Access Control List)?

  9. If yes, is there a documented business requirement for this access (Approved Access Control List)?

  10. If yes, is the access to the settings protected by either two-factor authentication or by only allowing trusted IP addresses to access the settings (ID Card and Challenge Phrase)? List which option is used.

  11. Do you have software firewalls enabled on all of your computers and laptops (Do your carriages have guards or have door locks)?

  12. If no, is this because software firewalls are not commonly available for the operating system you are using (Carriages are open top)? Please list the operating systems.

2. Secured by default (Secure Configuration).

When purchasing new IT assets, it is essential to ensure that these assets are 'Locked-Down' to help prevent an opportunist attacker from using the vendor default settings, to bypass your defences.

If it is convenient for you, it will be more than convenient for your opportunist attacker.

Basic questions:

  1. Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones (Changed the settings)? Describe how you achieve this.

  2. Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business (Least Privilege)?

  3. Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more (Changed the lock and keys)?

  4. Do all your users and administrators use passwords of at least 8 characters (Secure key)?

  5. Do you run software that provides sensitive or critical information (that shouldn't be made public) to external users across the internet (Do you have a Travel Chest)?

  6. If yes, do you ensure all users of these services use a password of at least 8 characters and that your systems do not restrict the length of the password (Is it kept locked and access restricted to authorised key holders?)?

  7. If yes, do you ensure that you change passwords if you believe that they have been compromised (If a key gets lost, do you change the locks?)?

  8. If yes, are your systems set to lockout after ten or fewer unsuccessful login attempts, or limit the number of login attempts to no more than ten within five minutes (Does the lock prevent misuse of the incorrect keys?)?

  9. If yes, do you have a password policy (Key use manual) that guides all your users?

  10. Is "auto-run" or "auto-play" (unnecessary settings/services) disabled on all of your systems?
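Question 8 above gives a concrete threshold: lock the account after ten or fewer failed attempts, or allow no more than ten attempts within five minutes. The following is an added example, not code from the original post, showing the sliding-window form of that rule; the clock is injected (an assumption for testability) so the behaviour can be checked without waiting five minutes.

```python
"""Per-account login throttle: at most ten failed attempts per five minutes.

Added example, not from the original post. The injectable clock is an
assumption so the window can be exercised without real delays.
"""
from collections import defaultdict, deque
import time

MAX_FAILURES = 10          # "ten or fewer unsuccessful login attempts"
WINDOW_SECONDS = 5 * 60    # "within five minutes"


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        # account -> timestamps of failures still inside the window
        self._failures = defaultdict(deque)

    def _recent(self, account, now):
        """Drop failures older than the window and return the remainder."""
        q = self._failures[account]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def is_locked(self, account):
        return len(self._recent(account, self._clock())) >= MAX_FAILURES

    def attempt(self, account, password_ok):
        """Return 'locked', 'ok' or 'failed'.

        While locked the password is not even consulted, so the attacker
        gains no information from further guesses. A successful login
        clears the counter for that account.
        """
        now = self._clock()
        q = self._recent(account, now)
        if len(q) >= MAX_FAILURES:
            return "locked"
        if password_ok:
            q.clear()
            return "ok"
        q.append(now)
        return "failed"
```

The window is per account; a deployment that also wants to limit guessing spread across many accounts from one source would track the same structure keyed by source address as well.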

3. Gate Keeper (Access Control).

It is essential that access is strictly restricted, based upon legitimate business need to know/need to access requirements. The more people who are granted unnecessary access, the greater the chances of these people accidently leaving the gate ajar.

Basic questions:

User Accounts:

  1. Are users only provided with user accounts after a process has been followed to approve their creation (Added to the access control list)? Describe the process.

  2. Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password (controlled key issue)?

  3. How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation (Key management)?

  4. Do you ensure that staff only have the privileges that they need to do their current job (Key restrictions)? How do you do this?

Administrative Accounts

  1. Do you have a formal process for giving someone access to systems at an “administrator” level (Key management)? Describe the process.

  2. How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes) (Least Privilege)?

  3. How do you ensure that administrator accounts are not used for accessing email or web browsing (Restricted to the inner sanctums of the castle)?

  4. Do you formally track which users have administrator accounts in your organisation (Key register)?

  5. Do you review who should have administrative access on a regular basis (Key muster)?

  6. Have you enabled two-factor authentication for access to all administrative accounts (Challenge response)?

  7. If no, is this because two-factor authentication is not available for some or all of your devices or systems (Operating in a 'Quiet Zone')? List the devices or systems that do not allow two-factor authentication.

4. Entry/Exit Searches (Malware Protection).

Everything coming into/going out of your castle, should be searched to ensure that no malicious payloads are coming in or unauthorised items are being smuggled out of your castle.

Basic questions:

  1. Are all of your computers, laptops, tablets and mobile phones protected from malware (searches/screening) by either:

     A - having anti-malware software installed,

     B - limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or

     C - application sandboxing (i.e. by using a virtual machine)?

  2. If Option A: Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access (on access searches)?

  3. If Option A: Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites (Perimeter searches)?

  4. If Option B: Where you use an app-store or application signing, are users restricted from installing unsigned applications (Random searches)?

  5. If Option B: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you document this list of approved applications (On demand searches)?

  6. If Option C: Where you use application sandboxing, do you ensure that applications within the sandbox are unable to access data stores, sensitive peripherals and your local network (Safe zone)? Describe how you achieve this.

5. Maintenance (Software Patching).

Maintenance is essential, ensuring that all updates (manufacturer's safety recalls) are applied in a timely manner, to ensure continued safe and secure operations.

Basic questions:

  1. Are all applications on your devices supported by a supplier that produces regular fixes for any security problems (Maintenance schedule)?

  2. Is all software licensed in accordance with the publisher’s recommendations (Manufacturer approved parts)?

  3. Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release (Braking system, after brake warning light comes on)? Describe how you achieve this.

  4. Are all high-risk or critical security updates for applications (including any associated files and any plugins) installed within 14 days of release (Engine check, following Engine warning light coming on)? Describe how you achieve this.

  5. Have you removed any applications on your devices that are no longer supported and no longer receive regular fixes for security problems (Change engine oil)?


By simplifying these mitigation controls and aligning them to real life/well-known examples, it is easy to imagine why an organisation would want to ensure that they have established their cyber-security essentials.

If these are not considered and applied, you can now imagine how the resulting gaps might significantly improve the opportunity for exploitation by a cyber-attacker and increase the risks to the business.

Any UK-based business is in the fortunate position of being able to have its business safety/security checked and receive a certificate of good basic safety/security hygiene.

Not only will this certification process reduce the risk, but it provides the business leaders with the UK Government stamp of approval, stating that, against the submitted scope, the business is getting the basics right.

Cyber-essentials is an excellent place to start and will provide the light you need to make your way out of the dark tunnel.