UK Cyber Essentials Certification made easy with Endpoint Central

Controls 

Description (as mentioned in Cyber Essentials: Requirements for IT Infrastructure v3.1)

How Endpoint Central helps

Firewall

Requirements

You must protect every device in scope with a correctly configured firewall (or network device with firewall functionality).

Information: Most desktop and laptop operating systems now come with a software firewall preinstalled; we advise that these are turned on in preference to a third-party firewall application.

For all firewalls (or network devices with firewall functionality), your organization must:

• Change default administrative passwords to a strong and unique password (see password based authentication) – or disable remote administrative access entirely

• Prevent access to the administrative interface (used to manage firewall configuration) from the internet, unless there is a clear and documented business need, and the interface is protected by one of the following controls:
  i) Multi-factor authentication
  ii) an IP allow list that limits access to a small range of trusted addresses combined with a properly managed password authentication approach

• Block unauthenticated inbound connections by default

• Ensure inbound firewall rules are approved and documented by an authorized person, and include the business need in the documentation

• Remove or disable unnecessary firewall rules quickly when they are no longer needed.
  
  Make sure you use a software firewall on devices which are used on untrusted networks, such as public wifi hotspots.

Endpoint Central comes handy for admins to configure Windows Firewall for the end-users.

Secure Configuration

Requirements

Computers and network devices

Your organization must proactively manage your computers and network devices. You must regularly:

• Remove and disable unnecessary user accounts (such as guest accounts and administrative accounts that won’t be used)

• Change any default or guessable account passwords (see password-based authentication)

• Remove or disable unnecessary software (including applications, system utilities and network services)

• Disable any auto-run feature which allows file execution without user authorization (such as when they are downloaded)

• Ensure users are authenticated before allowing them access to organizational data or services

• Ensure appropriate device locking controls for users that are physically present

Device unlocking credentials

If a device requires a user’s physical presence to access a device’s services (such as logging on to a laptop or unlocking a mobile phone), a credential such as a biometric, password or PIN must be in place before a user can gain access to the services.

You must protect your chosen authentication method (which can be biometric authentication, password or PIN) against brute-force attacks. When it's possible to configure, you should apply one of the following:

• ‘Throttling' the rate of attempts, so that the number of times the user must wait between attempts increases with each unsuccessful attempt. You shouldn’t allow more than 10 guesses in 5 minutes

• Locking devices after more than 10 unsuccessful attempts.

• When the vendor doesn't allow you to configure the above, use the vendor’s default setting.

Technical controls must be used to manage the quality of credentials. If credentials are just to unlock a device, use a minimum password or PIN length of at least 6 characters. When the device unlocking credentials are also used for authentication, you must apply the full password requirements to the credentials described in ‘user access controls.’

Revoke administrative rights to unintended users and enforce the principle of least privilege using Endpoint Central.

Admins can prohibit users from installing unnecessary software and can create list of software which are allowed/ blocked in their IT environment.

Endpoint Central also can block executables feature, preventing the files from automatically getting executed. Endpoint Central also empowers admins to control the Child processes arising out of other applications. To ensure safe access to corporate application, Endpoint Central leverages enterprise SSO using kerberos protocol. Endpoint Central also leverages Certificate Based Authentication using SCEP

Endpoint Central enables administrators to set passcode policies for mobile devices running on Android, Apple, and Windows, ensuring end-users create strong passcodes for their devices. The policy enables admins to configure maximum number of failed  passcode attempts, maximum idle time allowed before auto-lock and many other configurations. 
 

Security Update Management

Requirements

You must make sure that all software in scope is kept up to date. All software on in-scope devices must:

• Be licensed and supported

• Removed from devices when it becomes unsupported or removed from scope by using a defined sub-set that prevents all traffic to / from the internet

• Have automatic updates enabled where possible

• Be updated, including applying any manual configuration changes required to make the update effective, within 14 days* of an update being released, where:
  i) The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
  ii) The update addresses vulnerabilities with a CVSS v3 base score of 7 or above
  iii) There are no details of the level of vulnerabilities the update fixes provided by the vendor

Please note: For optimum security, we strongly recommend (but it’s not mandatory) that all released updates are applied within 14 days of release.

*It's important that updates are applied as soon as possible. 14 days is considered a reasonable period to be able to implement this requirement. Any longer would constitute a serious security risk while a shorter period may not be practical.

Information: If the vendor uses different terms to describe the severity of vulnerabilities, see the precise definition in the Common Vulnerability Scoring System (CVSS). For the purposes of the Cyber Essentials scheme, ‘critical’ or ‘high risk’ vulnerabilities are those with a CVSS 3.0 score of 7 or above or are identified by the vendor as 'critical or high risk'. Caution: Some vendors release security updates for multiple issues with differing severity levels as a single update. If such an update covers any ‘critical’ or ‘high risk’ issues then it must be installed within 14 days.

Endpoint Central provides comprehensive vulnerability management in terms of constant assessment and visibility of threats from a single console. Apart from vulnerability assessment, it also provides built-in remediation of the vulnerabilities detected. Endpoint Central provides risk-based vulnerability management so that admins can prioritize the vulnerabilities based on metrics like CVSS score, CVE impact type, Patch availability, and much more. Endpoint Central provides a unified console for ITops and SecOps to manage and secure endpoints. Endpoint Central has role based access control so that security functions of the IT can be assigned to independent security experts.

Endpoint Central has a vulnerability age matrix and vulnerability severity summary, which can provide rich insights about the impact of patch implementation. Besides, Endpoint Central also provides comprehensive reports on vulnerable systems and missing patches in your IT. Endpoint Central also provides for testing and approving patches so that IT admins can test the patches within a small group of computers and later deploy them into your whole organization Endpoint Central provides comprehensive Patch support for Windows, Linux, and macOSs and Windows Server OS. It also can patch 1,000+ third party applications, hardware drivers, and BIOS. Endpoint Central's SLA for patches:

• Third-party updates are supported within 6-9 hours from vendor release.

• Security updates are supported within 12-18 hours from vendor release.

• Non-security updates are supported within 24 hours from vendor release.

 User Access Control

Requirements

Your organisation must be in control of your user accounts and the access privileges that allow access to your organisational data and services. It’s important to note that this also includes third party accounts – for example, accounts used by your support services.

You also need to understand how user accounts authenticate and manage the authentication accordingly.
This means your organization must:

• Have in place a process to create and approve user accounts

• Authenticate users with unique credentials before granting access to applications or devices (see password-based authentication)

• Remove or disable user accounts when they’re no longer required (for example, when a user leaves the organisation or after a defined period of account inactivity)

• Implement MFA, where available – authentication to cloud services must always use MFA

• Use separate accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks)

• Remove or disable special access privileges when no longer required (when a member of staff changes role, for example)  

Password-based authentication

All user accounts require the user to authenticate. Where this is carried out using a password, you should put in place the following protective measures:

Passwords are protected against brute-force password guessing by implementing at least
one of:

• Multi-factor authentication (see below)

• Throttling' the rate of attempts, so that the number of times the user must wait

• between attempts increases with each unsuccessful attempt – you shouldn’t allow

• more than 10 guesses in 5 minutes

• Locking accounts after no more than 10 unsuccessful attempts

Use technical controls to manage the quality of passwords. This will include one of the
following:

• Using multi-factor authentication (see below)

• A minimum password length of at least 12 characters, with no maximum length restrictions

• A minimum password length of at least 8 characters, with no maximum length

• restrictions and use automatic blocking of common passwords using a deny list.

Support users to choose unique passwords for their work accounts by:

• Educating people about avoiding common passwords, such as a pet's name, common keyboard patterns or passwords they have used elsewhere. This could include teaching people to use the password generator feature built into some password managers.

• Encouraging people to choose longer passwords by promoting the use of multiple words (a minimum of three) to create a password (such as the NCSC’s guidance on using three random words)

• Providing usable secure storage for passwords (for example a password manager or secure locked cabinet) with clear information about how and when it can be used. 

• Not enforcing regular password expiry

• Not enforcing password complexity requirements

You should also make sure there is an established process in place to change passwords promptly if
you know or suspect a password or account has been compromised.

Multi-factor authentication (MFA)

As well as providing an extra layer of security for passwords that aren’t protected by the other technical controls, you should always use multi-factor authentication to give administrative accounts extra security, and accounts that are accessible from the internet.

The password element of the multi-factor authentication approach must have a password length of at least 8 characters, with no maximum length restrictions.

There are four types of additional factor to consider:

• a managed/enterprise device

• an app on a trusted device

• a physically separate token

• a known or trusted account

Additional factors should be chosen so that they are usable and accessible. You might need to carry out user testing to decide what is best for your users. For more information see NCSC’s guidance on MFA.

Revoke administrative rights to unintended users and enforce the principle of least privilege using Endpoint Central.

Endpoint Central enables administrators to set passcode policies for mobile devices running on Android, Apple, and Windows, ensuring end-users create strong passcodes for their devices. The policy enables admins to configure maximum number of failed passcode attempts, maximum idle time allowed before auto-lock and many other configurations.

Zoho offers Zoho OneAuth for Multi Factor Aunthentication requirements. 

Zoho also offer Zoho Vault -  An enterprise password manager.



 

Malware Protection

Requirements

You must make sure that a malware protection mechanism is active on all devices in scope. For each device, you must use at least one of the options listed below. In most modern products, these options are built into the software supplied. Alternatively, you can purchase products from a third-party provider. In all cases the software must be active, kept up to date in accordance with the vendors instructions, and configured to work as detailed below:

Anti-malware software (option for in scope devices running Windows or MacOS including servers, desktop computers, laptop computers)

If you use anti-malware software to protect your device it must be configured to:

• Be updated in line with vendor recommendations

• Prevent malware from running

• Prevent the execution of malicious code

• Prevent connections to malicious websites over the internet.

Application allow listing (option for all in scope devices)

Only approved applications, restricted by code signing, are allowed to execute on devices. You must:

• Actively approve such applications before deploying them to devices

• Maintain a current list of approved applications, users must not be able to install any application that is unsigned or has an invalid signature.

Endpoint Central has a built-in next gen antivirus engine (currently available as early access) that proactively detects cyber threats lke malware with its AI-assisted, real-time behavior detection and deep learning technology.

Apart from real-time malware detection, Endpoint Central also actively performs incident forensics so that SecOps analyze the root cause and severity of the threats. If the next gen antivirus engine detects a suspicious behavior / malware in endpoints, it can quarantine those endpoints and, after a thorough forensic analysis, can be deployed back into production.

Endpoint Central also provides instant, non-erasable backup of the files in your network every three hours by leveraging Microsoft's volume shadow copy service. If a file is infected with ransomware, it can be restored with the most recent backup copy of the file. Endpoint Central's Application Control module allows the admins to allowlist/ blocklist software applications