Is your security up to scratch? How do you know? Would you like to know? Security is becoming more and more important each day and it's something I have a keen desire to keep on top of. Over at Report URI we recently had ourselves tested against a UK Government standard called Cyber Essentials.
Security at Report URI
I have to say we are quite fortunate on the security front at Report URI. I have several years of experience working in the security industry as a penetration tester and consultant, with many years prior as a hobbyist. We have Troy Hunt who's a Microsoft MVP for Developer Security, creator of Have I Been Pwned, prolific blogger and speaker on security. Then to top that off we have Michal Špaček who delivers training on secure development, does public speaking and blogging on a wide variety of security topics and generally likes breaking things. We're probably not your average group of early employees at a start-up but that's us. Despite all of that security knowledge between us, security is never something we take for granted.
Report URI had a full code audit in its early days and that really set things off in the right direction. Since then we've had our own penetration test conducted on our site and various other tests by our customers. One of the things that did surprise me is the frequency with which our customers ask to security test our systems, with it being most commonly requested by customers in the finance sector. Of course, we're more than happy to cooperate with arranging these tests and I only see 2 positive outcomes. Either they find an issue and we resolve it, making us stronger, or they don't find any issues and there's nothing to worry about.
On top of that we have a private bug bounty program (more on that soon), constant attacks against our site and friends and fellow researchers keeping an eye on things for us. All in all we're pretty happy with the effort that we put in to security, but we also recognise that security is a process and not a state. We want to constantly improve and that means we need to constantly learn and reaffirm our position. That's when Cyber Essentials came to mind.
Cyber Essentials
The Cyber Essentials scheme is run by the National Cyber Security Centre (NCSC) here in the UK, who are a part of GCHQ. In their own words:
Cyber Essentials is a simple but effective, Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks.
There are two levels of certification, Cyber Essentials and Cyber Essentials Plus, with us going for the 'CE' which is the lower of the levels. To obtain the certification you must engage an accredited company to conduct the work. The first stage is a self-assessment questionnaire to gain an understanding of your organisations, your technology and your current security stance. After this you may liaise with a consultant form the company carrying out the certification to seek answers, clarification or guidance on how to improve. The final step is for the company assessing you to conduct a scan of your internet facing infrastructure. We identified the various services we have on various subdomains and submitted them to be analysed and tested. Assuming the answers to the questionnaire were satisfactory and that the testing of your infrastructure doesn't turn up any problems, you can be awarded the Cyber Essentials certification.
What Cyber Essentials isn't
CE is not a penetration testing engagement, a full security audit or anything of that nature. The clue, really, is quite literally in the name "Cyber Essentials". These are the essentials for any company to protect themselves and as a result, yes, they are pretty broad in some of the requirements. I've seen mockery of such schemes in the wider industry but taking a step back and looking at the bigger picture, I can really see how they provide value to the thousands of organisations that have few or even no security staff on the payroll. Here's a few things I found nice to do as an exercise during the CE test:
Inventory: we had to provide a list of external services that we have and where they are along with who they're hosted with. Do you think most companies have that kind of information to hand?
Service Providers: we had to provide a list of the external service providers we use and their certification/audit/compliance standards. Things like looking at our CDN and payment provider being PCI certified, ISO 27001 for our cloud service providers and so on. Do you know that about your providers?
General Security: we were asked questions about network segmentation, firewalls, default configurations, default credentials, software inventory, access control, malware and virus protection, backups, patch management and several other important areas.
Yes, some of this stuff may seem basic to many, but that's kind of the point. Cyber Essentials is the first step in a process, not the destination. Whilst we probably didn't need to go through CE I still felt there was some value in doing it. I had to stop and think for a few of the questions, check our documentation or quickly remind myself of exactly how we do something. Not only that but it's nice to know that we haven't gotten so carried away with what we're doing that we've forgotten the basics.
Last thing, a big thanks to Ken Munro at Pen Test Partners for taking my questions about Cyber Essentials and guiding us through the process! Hit them up if you're interested in getting Cyber Essentials certified.