A deeper look at the Cyber Essentials Certification – Firewalls

Cyber Essentials and Cyber Essentials Plus are a set of basic – but fundamental – security requirements which, if implemented correctly, can protect your organisation against 80% of common cyber attacks. Cyber Essentials is a government-backed scheme aimed at small to medium businesses.

We covered the ‘five controls of Cyber Essentials’ in a previous blog series, which acted as an introduction to cyber security and Cyber Essentials (it gave basic information around cyber security in general and explained what a Firewall is). If you would like to study this information before moving on, here is the link: https://www.netcomtech.co.uk/cyber-defences-cyber-essentials-what-is-it/.

Each of the five basic Cyber Essentials control areas is assessed through a set of questions that the majority of business managers and business owners should be able to answer – with some technical advice along the way.

For the remainder of the blog, we will look at how the general application process for certification begins and at some of the questions asked in the ‘Firewall’ section of the certification. We will also help you not just implement what they ask for but maintain those practices long after you have achieved certification.


The first steps to certification

When applying for certification it is essential that you provide the appropriate information, which will include:

  1. The business name (together with any parent company)

  2. The business size

  3. A point of contact (usually the person applying for certification)

  4. The scope of the system to be assessed and certified


Yes, number 4 – the scope of the system – sounds difficult, but it is critical. You must properly define it and have the diagrams written/drawn out ready for assessment.

We will now take a look at the questions you will be required to answer regarding Firewalls within your organisation.


Questions regarding Firewalls

  • Are there firewalls in place which protect all your devices?

Unfortunately, a simple ‘yes, there is’ won’t suffice. For small businesses, access to the internet will be through a simple device, often provided by your internet service provider (ISP) (such as BT, TalkTalk, PlusNet, etc.). Within the device there will be a Firewall already incorporated, acting as a filter to prevent attackers getting into your systems and prevent them from leaving your systems too. Often you will have little or no ability to change anything on the device. This type of device is considered to be a Firewall, but technically it is a router with a Firewall running on it.

You can also implement Firewalls as software on any device connected to your network. If you have implemented this as part of the installation of antivirus and similar types of software, it is beneficial to include this in your description with the assessor.

If you have more complex systems, on the other hand, you may have a separate Firewall which you can set up. It will need to be configured in such a way that it prevents certain types of traffic coming into and leaving your network.

  • Are unauthenticated inbound connections blocked by default?

This is the aim of a commercial Firewall; you may be able to confirm this from the control panel. If you need to configure your Firewall you will need to ensure that the configuration does not limit or prevent any of your legitimate business activities.

  • Are configured Firewall rules removed or disabled when they are no longer needed?

If your Firewall is configured by default, then you may not have control over this aspect of it. In this case, it’s best to leave it to the ISP to ensure the device is maintained appropriately as opposed to messing with it yourselves and perhaps invalidating your warranty.

If you have made any special settings on the Firewall (to allow inbound access, for example), then they should be deleted when they are no longer required to meet a business need. If this is not done there is a risk of there being lots of specific settings that confuse and jeopardise the security of your entire system.

  • For any configured inbound Firewall rules, are they approved and documented by an authorised individual, including a description of why each rule is needed?

This is a requirement – the setups for the Firewalls and other similar devices must be appropriately defined, based on a solid risk assessment and approved by an appropriately senior person in the organisation. This documentation MUST be kept up-to-date at all times and routinely reviewed to guarantee that the decisions made continue to be appropriate.
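The last three questions above (default block, removal of unneeded rules, documented approval) can be checked together by comparing the enabled inbound rules against the written register. The following is an added example, not part of the original blog or of the Cyber Essentials scheme itself; the data layout, field names, sample values and the 365-day review interval are all assumptions.

```python
from datetime import date

# Constructed sample data; the field names are assumptions for this example,
# not any vendor's export format.
FIREWALL = {
    "default_inbound": "deny",
    "inbound_rules": [
        {"id": "R1", "port": 443, "enabled": True},
        {"id": "R2", "port": 3389, "enabled": True},
        {"id": "R3", "port": 8080, "enabled": True},
        {"id": "R4", "port": 22, "enabled": False},
    ],
}
REGISTER = {
    "R1": {"reason": "Public website", "approved_by": "Operations Director",
           "needed_until": date(2030, 1, 1), "last_review": date(2024, 3, 1)},
    "R3": {"reason": "Supplier portal pilot", "approved_by": "",
           "needed_until": date(2023, 6, 30), "last_review": date(2023, 1, 10)},
}

def audit(firewall, register, today, review_days=365):
    """Return (rule_id, finding) pairs; review_days is an assumed interval."""
    findings = []
    if firewall.get("default_inbound") != "deny":
        findings.append(("*", "inbound connections are not blocked by default"))
    for rule in firewall["inbound_rules"]:
        if not rule["enabled"]:
            continue  # disabled rules admit no traffic
        entry = register.get(rule["id"])
        if entry is None:
            findings.append((rule["id"], "not documented"))
            continue
        if not entry["reason"].strip():
            findings.append((rule["id"], "no reason recorded"))
        if not entry["approved_by"].strip():
            findings.append((rule["id"], "no approver recorded"))
        if entry["needed_until"] < today:
            findings.append((rule["id"], "no longer needed: remove or disable"))
        if (today - entry["last_review"]).days > review_days:
            findings.append((rule["id"], "review overdue"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in audit(FIREWALL, REGISTER, date(2024, 6, 1)):
        print(f"{rule_id}: {finding}")
```

Running it against the sample data flags R2 as undocumented and R3 as unapproved, expired and overdue for review, while the documented rule R1 and the disabled rule R4 pass.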

These are just some of the requirements in the Firewall section of the Cyber Essentials Certification question list. In the next blog in the series, we will cover a few questions from the secure configuration section.
