A large part of cyber security relates to the configuration of your devices. Secure Configuration measures can be implemented when building or installing computers and network devices. These measures are aimed at reducing unnecessary cyber vulnerabilities.
Why is Secure Configuration important?
Security misconfigurations are an easy target for criminal hackers, and these types of breaches are becoming more common as bad actors look for gaps to exploit.
Attackers are essentially looking for systems that have default settings because they are often immediately vulnerable. Many manufacturers often set the default configurations of new software and devices to be as open and multi-functional as possible, so an attacker can quickly exploit a new system, then start making changes.
Therefore, Secure Configuration is important so you can not only identify misconfigurations that make your systems vulnerable but can also identify “unusual” changes to critical files or registry keys.
What are the risks of not having a Secure Configuration plan?
The UK government’s Cyber Essentials Scheme highlights the importance of implementing Secure Configuration. If you are not continuously monitoring for threats, you cannot identify a breach in time to prevent issues. You then lose the advantage of being able to mitigate the damage of an attack.
Of course, it is easier and more convenient to start using new devices or software with their default settings, but it’s not the most secure. Accepting the default settings without reviewing them can create serious security issues, and can allow cyber attackers to gain easy, unauthorised access to your data.
Any web servers or applications that are not properly configured will pose a long list of potential security problems. Computers and network devices that are not correctly configured to minimise the number of inherent vulnerabilities will be left open to easy attack.
What are the challenges when implementing Secure Configuration?
Some of the biggest software implementation challenges are actually fairly easy to resolve if you go in with the right strategy.
Varying expectations
There can often be a lot of elements to a security plan in an organisation. Between managers, stakeholders, and staff there might be different expectations or priorities. By defining the outcomes, you want, and discussing with your service provider, you can enjoy a much smoother process and prevent some common security issues.
Data Integrity
When setting up software and looking for Secure Configuration, you will need to check the quality of your data that is to be migrated. We want to ensure no data is lost, that privacy is upheld, and that data is not compromised.
People
It is also important to reduce the risk of human error and human efficiency. People need to be trained and upskilled in any new software or applications. To fully prepare staff for any changes, you can also look at ways to discuss the benefits for them in their tasks, and how it will improve the efficiency and quality of their work.
That way, when it’s time for them to start learning how to use the new software they will embrace it and learn correct procedures, rather than risk further issues.
Protecting your end users by managing Secure Configuration requirements
The best way to manage Secure Configuration is to look at the life cycle of your computers and network devices.
- Do not just accept the default settings without reviewing them - this can create serious security issues, and can allow cyber attackers to gain easy, unauthorised access to your data
- Ensure you disable any auto-run feature that allows file execution without user authorisation
- Authenticate users before enabling Internet-based access to commercially or personally sensitive data, or data critical to the running of the organisation
- Remove and disable unnecessary user accounts
- Change default or guessable account passwords to something non-obvious
- Remove or disable unnecessary software
Protect your business
Want to know more about the Cyber Essentials requirements? Our team at The Missing Link can offer you the expertise and support needed to achieve Cyber Essentials certification or Cyber Essentials Plus certification.
For practical help with your certification and cyber security, please get in touch with our expert team at The Missing Link or for more information about Cyber Essentials such as Malware Protection, User Acess Control or Patch Management, click here.
If you liked this article, you may also like:
Cyber Essentials decoded: Malware Protection
Cyber Essentials decoded: Firewalls and User Access Control
Cyber Essentials decoded: Patch Management
