Cyber Essentials Section 2 - Secure Configurations

by Josef Weiss
September 18, 2025

Cyber Essentials is a UK government-backed framework designed to help organisations protect themselves against common threats. It provides a basic cyber security foundation that can serve as a stepping stone to a more comprehensive zero-trust approach. Cyber Essentials is built on five key components that, when implemented correctly, can reduce cyber risk. The five key components are:

  1. Firewalls and Boundary Devices
  2. Secure Configurations
  3. Access Control
  4. Malware Protection
  5. Patch Management

 

Tenable has released a series of reports, each focusing on one of the five basic technical controls, which organisations can use to help strengthen their defences against the most common cyber threats.

Misconfigured systems are often easy targets for attackers. This report covers Section 2 - Secure Configurations, which focuses on ensuring that computers and network devices are set up in the most secure way, to reduce vulnerabilities and the organisation's risk of exposure.

Secure Configuration (also called security hygiene) means ensuring that devices and software are configured in the most secure way possible to reduce vulnerabilities and exposure to cyber threats. Unused software or services can introduce exploitable vulnerabilities. Default accounts and passwords are widely known and easy to exploit. This section applies to: servers, desktop computers, laptops, tablets, thin clients, mobile phones, IaaS, PaaS and SaaS.

A secure configuration is your first line of defense. Default configurations and installations are not always secure. Secure configuration begins with identifying and removing or disabling unnecessary accounts, applications, and services; by doing so, organisations can minimize vulnerabilities.

This report contains the following chapters:

  • Software Inventory - The Software Inventory chapter displays installed software that has been identified with Tenable software enumeration plugins.
  • SEoL Software - The SEoL Software chapter displays end-of-life software that has been identified in the environment.
  • Compliance Result Summary by Plugins - This chapter helps an organization identify the Compliance plugins that are used most and prioritize compliance patching efforts.
  • Account Management - CSCv8 - This chapter provides organizations with information that specifically measures against the compliance standards related to the Center for Internet Security (CIS) Critical Security Controls, Version 8 (CSCv8). CSCv8 is a prioritized set of safeguards mapped to, and referenced by, multiple legal, regulatory, and policy frameworks. While the CSC is not a replacement for EU regulations like NIS 2 or GDPR, the CIS Controls can help organizations comply with these regulations. The European Telecommunications Standards Institute (ETSI) has adopted and published the CIS Controls and several companion guides.