Cyber Essentials Secure Settings Explained

Manufacturers often set the default configurations of new software and devices to be as open and multi-functional as possible. They come with ‘everything on’ to make them easily connectable and usable. Unfortunately, these settings can also provide cyber attackers with opportunities to gain unauthorised access to your data, often with ease.

Check the settings

So, you should always check the settings of new software and devices and, where possible, make changes which raise your level of security, for example by disabling or removing any functions, accounts or services which you do not require.

Use passwords

Your laptops, desktop computers, tablets and smartphones contain your data, but they also store the details of the online accounts that you access, so both your devices and your accounts should always be password-protected. Passwords - when implemented correctly - are an easy and effective way to prevent unauthorised users accessing your devices. Passwords should be easy to remember and hard for somebody else to guess. The default passwords which come with new devices such as ‘admin’ and ‘password’ are the easiest of all for attackers to guess. So you must change all default passwords before devices are distributed and used. The use of PINs or touch-ID can also help secure your device. If you would like more information on choosing passwords, look at the NCSC’s password guidance.

Extra Security

For ‘important’ accounts, such as banking and IT administration, you should use two-factor authentication, also known as 2FA. A common and effective example of this involves a code sent to your smartphone which you must enter in addition to your password.

Secure Settings: What Cyber Essentials Requires

Cyber Essentials Certification requires that only necessary software, accounts and apps are used.

Secure configuration

Applies to: email, web, and application servers; desktop computers; laptop computers; tablets; mobile phones; firewalls; routers.


Ensure that computers and network devices are properly configured to:

  • reduce the level of inherent vulnerabilities
  • provide only the services required to fulfil their role


Computers and network devices are not always secure in their default configurations. Standard, out-of-the-box configurations often include one or more weak points such as:

  • an administrative account with a predetermined, publicly known default password
  • pre-enabled but unnecessary user accounts (sometimes with special access privileges)
  • pre-installed but unnecessary applications or services

Default installations of computers and network devices can provide cyber attackers with a variety of opportunities to gain unauthorised access to an organisation’s sensitive information — often with ease.

By applying some simple technical controls when installing computers and network devices you can minimise inherent vulnerabilities and increase protection against common types of cyber attack.

Requirements under this technical control theme

Computers and network devices

The Applicant must be active in its management of computers and network devices. It must routinely:

  • remove and disable unnecessary user accounts (such as guest accounts and administrative accounts that won't be used) 
  • change any default or guessable account passwords to something non-obvious 
  • remove or disable unnecessary software (including applications, system utilities and network services) 
  • disable any auto-run feature which allows file execution without user authorisation (such as when files are downloaded from the Internet)
  • authenticate users before allowing Internet-based access to commercially or personally sensitive data, or data which is critical to the running of the organisation.
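
The five routine checks above can be run as an automated audit over a device inventory. The following is an added example, not part of the Cyber Essentials material: the inventory schema, the per-role service allowlists and the sample records are all assumptions constructed for illustration.

```python
# Added example: the inventory schema, role allowlists and sample records
# are constructed for illustration; Cyber Essentials does not define them.

# Services each role needs in order to fulfil that role (assumed values).
ROLE_SERVICES = {"web-server": {"https", "ssh"}, "laptop": set()}

def audit_device(dev):
    """Return sorted (check, detail) findings for one device record."""
    findings = set()
    required = set(dev.get("required_accounts", []))
    for acct in dev.get("accounts", []):
        if not acct.get("enabled", True):
            continue  # a disabled account satisfies the first two checks
        if acct["name"] not in required:
            findings.add(("unnecessary-account", acct["name"]))
        # A missing field counts as "not changed": fail closed.
        if not acct.get("default_password_changed", False):
            findings.add(("default-password", acct["name"]))
    # Unknown role means an empty allowlist, so every service is flagged.
    allowed = ROLE_SERVICES.get(dev.get("role"), set())
    for svc in set(dev.get("services", [])) - allowed:
        findings.add(("unnecessary-service", svc))
    # Auto-run state not recorded is treated as enabled.
    if dev.get("autorun_enabled", True):
        findings.add(("autorun-enabled", dev["name"]))
    # Internet-based access to sensitive data must require authentication.
    if (dev.get("internet_facing") and dev.get("holds_sensitive_data")
            and not dev.get("requires_authentication", False)):
        findings.add(("unauthenticated-access", dev["name"]))
    return sorted(findings)

SAMPLE_INVENTORY = [  # constructed records
    {"name": "web01", "role": "web-server", "required_accounts": ["deploy"],
     "accounts": [
         {"name": "admin", "enabled": True, "default_password_changed": False},
         {"name": "guest", "enabled": False},
         {"name": "deploy", "enabled": True, "default_password_changed": True}],
     "services": ["https", "ssh", "telnet", "ftp"],
     "autorun_enabled": False, "internet_facing": True,
     "holds_sensitive_data": True, "requires_authentication": False},
    {"name": "lap07", "role": "laptop", "required_accounts": ["alice"],
     "accounts": [{"name": "alice", "enabled": True,
                   "default_password_changed": True}],
     "services": [], "autorun_enabled": True},
]

if __name__ == "__main__":
    for device in SAMPLE_INVENTORY:
        for check, detail in audit_device(device):
            print(f"{device['name']}: {check}: {detail}")
```

Fields that are missing from a record are treated as failing, so an incomplete inventory produces findings instead of a clean result.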