Cybersecurity: Secure configuration
Secure configuration refers to security measures that are implemented when building and installing computers and network devices in order to reduce unnecessary cyber vulnerabilities.
Security misconfigurations are one of the most common gaps that criminal hackers look to exploit. According to a recent report by Rapid7, internal penetration tests encounter a network or service misconfiguration more than 96% of the time. Both the SANS Institute and the Council on CyberSecurity recommend that, following an inventory of your hardware and software, the most important security control is to implement secure configuration.
Why is secure configuration important?
Manufacturers often set the default configurations of new software and devices to be as open and multi-functional as possible. In the case of a router, for example, this could be a predefined password, or in the case of an operating system, it could be the applications that come preinstalled.
It’s easier and more convenient to start using new devices or software with their default settings, but doing so is not the most secure option. Accepting the default settings without reviewing them can create serious security issues and can allow cyber attackers to gain easy, unauthorized access to your data.
Web server and application server configurations play a crucial role in cybersecurity. Failure to properly configure your servers can lead to a wide variety of security problems.
Computers and network devices should also be configured to minimise the number of inherent vulnerabilities and provide only the services required to fulfil their intended function.
How to protect yourself
For computers and network devices, your organisation should routinely:
- Remove and disable unnecessary user accounts;
- Change default or guessable account passwords to something non-obvious;
- Remove or disable unnecessary software;
- Disable any auto-run feature that allows file execution without user authorisation; and
- Authenticate users before enabling Internet-based access to commercially or personally sensitive data, or data critical to the running of the organisation.
For password-based authentication, your organisation should:
- Protect against brute-force password guessing by limiting attempts and/or the number of guesses allowed in a certain period;
- Set a minimum password length of at least eight characters (but not a maximum password length);
- Change passwords promptly when the user knows or suspects they have been compromised; and
- Have a password policy that informs users of best practices.
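The first two password controls above can be enforced in code. The sketch below is an added example, not part of the original guidance: it checks a minimum length with no maximum and limits failed guesses per account within a time window. The names `LoginThrottle` and `attempt_login` are hypothetical, and the limits of 5 failures per 300 seconds are assumed values to tune for your environment.

```python
import time
from collections import defaultdict, deque

MIN_PASSWORD_LENGTH = 8   # from the guidance above; no maximum is enforced
MAX_FAILURES = 5          # assumed value: failed guesses allowed per window
WINDOW_SECONDS = 300      # assumed value: length of the window in seconds


def password_length_ok(password: str) -> bool:
    """Enforce a minimum length only; long passphrases are never rejected."""
    return len(password) >= MIN_PASSWORD_LENGTH


class LoginThrottle:
    """Sliding-window limit on failed logins, keyed by account name."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _prune(self, account):
        # Drop failures that have aged out of the window.
        cutoff = self.clock() - self.window
        q = self._failures[account]
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def allowed(self, account: str) -> bool:
        """True if another guess may be checked for this account now."""
        return len(self._prune(account)) < self.max_failures

    def record(self, account: str, success: bool) -> None:
        if success:
            self._failures.pop(account, None)  # reset after a good login
        else:
            self._prune(account).append(self.clock())


def attempt_login(throttle, account, password, verify) -> str:
    """verify(account, password) -> bool is the caller's credential check."""
    if not throttle.allowed(account):
        return "throttled"  # refuse before the password is even checked
    ok = verify(account, password)
    throttle.record(account, ok)
    return "ok" if ok else "denied"
```

Once an account is throttled, even the correct password is refused until the window expires, so the response does not reveal whether a guess was right.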