Cyber Essentials is a joke?

Soldato
Joined
30 Sep 2005
Posts
16,553
My team are working on Cyber Essentials Plus (site wide). It seems like a tick-in-the-box exercise to me.

We have been told that in order to pass, we must reduce the security on our RDS servers. Microsoft found a bug in RDP (CredSSP) about two years ago and patched it. Since then, the way the technology works means users must be authenticated at a certain stage prior to logging on. Due to this, if a user's account has the "password change at next logon" flag set, they are unable to log on to RDS in order to change their password. Catch-22. It's well documented.

The workaround is to reduce the security on RDS to make it work, negating the security fix Microsoft put on. Either that, or users must change it on a PC. Not ideal in this environment.

Am I missing something really obvious here?

They also said every piece of software on all client machines (we have 4,000+) must be at the latest versions. Fortunately we use App-V so this isn't an issue for us, but I'd imagine it would be for most people.

There are some other gems which have come out of this as well.
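The catch-22 in the post above comes from Network Level Authentication (the CredSSP-based check that runs before the logon screen): an account flagged "must change password at next logon" cannot complete NLA, and the tempting fix is to switch NLA off on the RDS hosts. The script below is an added example, not something from this thread or from the Cyber Essentials scheme. It lets an admin see both sides of the problem without weakening anything: which RDS hosts currently require NLA, and which enabled AD accounts carry the flag (AD stores it as pwdLastSet = 0), so those users can be handled on a PC or through a reset before they hit RDS. It assumes the RSAT ActiveDirectory module, WinRM access to the hosts, and the default RDP-Tcp listener; the host names are constructed placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). Audits RDS hosts for their NLA setting and
# lists AD accounts that are currently flagged "User must change password at next logon".

# Constructed sample host names; replace with the real RDS session hosts.
$RdsHosts = @('rds01.example.internal', 'rds02.example.internal')

function Get-RdsNlaState {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            # Win32_TSGeneralSetting.UserAuthenticationRequired: 1 = NLA required, 0 = NLA off.
            # SecurityLayer: 2 = TLS, 1 = negotiate, 0 = legacy RDP security layer.
            $s = Get-CimInstance -ComputerName $c -Namespace 'root/cimv2/TerminalServices' `
                    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
            [pscustomobject]@{
                ComputerName  = $c
                NlaRequired   = [bool]$s.UserAuthenticationRequired
                SecurityLayer = $s.SecurityLayer
                Error         = $null
            }
        } catch {
            # Unreachable host or missing permissions: report it rather than silently skipping.
            [pscustomobject]@{
                ComputerName  = $c
                NlaRequired   = $null
                SecurityLayer = $null
                Error         = $_.Exception.Message
            }
        }
    }
}

function Get-MustChangePasswordUsers {
    # pwdLastSet = 0 is how AD represents the "change password at next logon" flag.
    # Disabled accounts are excluded because they cannot log on to RDS anyway.
    Get-ADUser -Filter 'pwdLastSet -eq 0' -Properties pwdLastSet, LastLogonDate |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, Name, LastLogonDate
}

$nla = Get-RdsNlaState -ComputerName $RdsHosts
$nla | Format-Table -AutoSize

# A host with NLA off is the "workaround" that undoes the CredSSP fix; flag it loudly.
$weak = @($nla | Where-Object { $_.NlaRequired -eq $false })
if ($weak.Count -gt 0) {
    Write-Warning ('NLA is disabled on: ' + ($weak.ComputerName -join ', '))
}

$flagged = @(Get-MustChangePasswordUsers)
'{0} enabled account(s) must change their password at next logon and will not get through NLA on RDS:' -f $flagged.Count
$flagged | Format-Table -AutoSize
```

Run it from an admin workstation with domain rights. The first table tells you whether any session host has already been weakened; the second is the list of people who need a reset or a PC-side password change before they try RDS, which is the part an assessor can be shown as a managed process rather than a reason to turn NLA off.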
 
Soldato
OP
Cyber Essentials + is a compliance standard and compliance adherence does not make you secure. Retrofitting technical controls without understanding the logic, or impact to business processes, is a recipe for failure and this is why security is difficult and shouldn't be considered a joke.

Completely agree
 
Soldato
OP
Is it for sure a major non-compliance? I'm pretty sure we have exceptions to some of the "must" sections. They got marked down as minors. Admittedly we didn't go for the +.

Any decent assessor should be able to accept some risk if it's been documented/discussed properly.

Alternatively, look into a different password solution :)

Yeah, there's no way we're dropping any security. We'll have to come up with a workaround.
 
Soldato
OP
Cyber Essentials (or anything similar) has some pretty big positives:

1) It highlights to (non-technical) management how difficult it is to keep an estate up to date, and how much effort is required to bring it up to date (when it is badly out of date). This should help with future head-count / budget requests related to running the environment.
2) It highlights to the technical managers and engineers how important it is to have centralised mechanisms for deploying and patching not just the OS but also all the apps. It will also help shift attitudes and priorities towards centralised (like Citrix) and/or web-based apps and app delivery mechanisms.

In my view, it just focuses the mind of various layers of management, and that's a good thing.


I agree with 1, but I have past experience of how management soon forget (especially when it comes to spending money).

And we're already doing 2.

All in all, I do think it is a positive, but in no way once we get certified can we say we are secure (can anyone really say that these days?).
 
Soldato
OP
Working in the NHS there has been a push to CE+, thankfully they seem to have listened and that requirement is going to be dropped!

Saying that, the Data Security Protection Toolkit, which is mandatory, is just as bad! Example: one section (shortened for ease of typing) says "All software must be at the latest version" (mandatory yes/no for a pass/fail); then the next section says any software not at the latest version needs to be managed by business risk!.....


I'd like to know from anyone running a large (10,000+ machines) network, who has answered that question truthfully and passed. By that, I mean can demonstrate with accurate reporting that their entire estate runs all software at latest versions. We're close, but it's not been an easy task, especially since we only have a handful of IT staff.
 
Soldato
OP
I think the auditors will usually allow a small percentage to be out, but it’s pretty small. My point about it overall being a good thing is that it forces you to have systems in place rather than an ad hoc process that probably doesn’t get used that often.

Yeah, I can imagine there are some very dodgy networks out there.
 
Soldato
OP
Did you have any issues remediating workstations remotely? What about all the laptops for everyone working from home?

No, everything is handled automatically via SCCM and the laptops are on Microsoft's Always On VPN.

The auditors set up a Teams meeting and we simply shared the screen so he could check stuff.
 
Soldato
OP
Microsoft normally supports products for 5 years or more, don't they? So you're saying you want your estate to stagnate for 5 years? An estate that remains untouched for 5 years is not a stable estate. New software products that your users might need come out in that time, and they will have compatibility requirements of their own (because the vendor will have only tested against modern OS releases). And because it's been untouched for so long, there is nobody in the company that actually knows how to update the estate (there are no practices, tools, procedures), and the users are used to their machines never being touched, so it would be super traumatic for them when you did do it, and then on top of all that, when you were finally forced to update things (at which point this has become bigger than Ben Hur), the change would be so big because you'd left it for so long, that it would be a shock to the employees and error-prone to deploy. Frequent small changes are far better than infrequent big changes, not only because there is less change in between updates, but because by doing more of them, you get better at testing and deploying them.

I think Windows 10 is 18 months.

Our estate is 4,000 client devices managed by four front line technicians. We manage with ease. So long as you have the back end setup right, that's key.
 
Soldato
OP
It's a laugh trying to get CE+ when all your infra is 8 years old. Erm, I could update Java, but I need version xxxx for the old SAN GUI that doesn't work with anything newer.
Why are you on this version of ESXi? Well, our servers don't support the latest version...

Don't worry, you'll pass. It's a complete joke. The auditor will simply tell you to ensure at least one machine has the latest Java, and they'll basically run their tests on that one machine.

We were in the same boat. The Dell EqualLogic SANs require Java 6, so.... and we still passed lol
 
Soldato
OP
Exactly, we'll have EqualLogic until the end of days.... we've been trying to get rid of them for years. (But I do really like them...)

We went down from 4 to 1, and 1 Compellent. The Compellents are brilliant. Still, that one we do have means at least my machine needs Java 6 lol
 