Security is at the heart of everything acambah do and we take cyber security very seriously. We wanted to ensure that the platform and solutions we provide to our customers meet the highest possible standards of security which is why we have undertaken the “Cyber Essentials Plus” certification.
A primary objective of the UK Government’s National Cyber Security Strategy is to make the UK a safer place to conduct business online and from 1 October 2014 all suppliers must be compliant with the new Cyber Essentials controls if bidding for government contracts which involve handling of sensitive and personal information and provision of certain technical products and services. Read more…
Our “Cyber Essential Plus” certification is provided by IT Governance who are a member of CREST, an international approved accreditation body under the UK Government Cyber Essentials scheme and our award covers the following scope:
Cloud hosted ECM, BPM and IDC infrastructure including firewalls, routers and end user devices.
To achieve our certification, we identified our environment both within our local offices and also within our hosted servers running on AWS. This was then verified by an external certification body, IT Governance, who also visited us to undertake an on-site assessment and internal scan. Finally, the various hosted services that we provide and our offices were externally scanned to check there were no vulnerabilities that would make us susceptible to cyber attacks.
CREST have identified the following fundamental technical security controls that an organisation needs to have in place to help defend against Internet-borne threats. Selected by industry experts, the controls contained within the scheme, reflect those covered in well-established standards, such as the ISO/IEC 27000 series, the Information Security Forum’s Standard of Good Practice for Information Security and the Standard for Information Assurance for Small and Medium Sized Enterprises.
Secure configuration refers to the security measures that are implemented when building and installing computers and network devices in order to reduce unnecessary cyber vulnerabilities.
Web server and application server configurations play a key role in the security of a web application. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems.
Computers and network devices should be configured to minimise the number of inherent vulnerabilities and provide only the services required to fulfill their intended function.
Some of these problems can be easily detected by rogue agents with common security scanning tools. Once detected, vulnerabilities can be exploited very quickly and result in the total compromise of a system or website, including databases and corporate networks.
Boundary firewalls and Internet gateways
Firewalls and gateways provide a basic level of protection where a user connects to the Internet. While antivirus software helps to protect the system against unwanted programs, a firewall helps to keep attackers or external threats from getting access to your system in the first place. The firewall monitors all network traffic and has the ability to identify and block unwanted traffic that could be harmful to your computer, systems and networks.
The security provided by the firewall can be adjusted like any other control function (in other words, the firewall ‘rules’).
The best way to stay safe online is to only visit websites that you trust or that are known to be secure. In these cases, this behaviour reduces the strain on the firewalls by eliminating incidental encounters with malicious code, drive-by downloads, and so on.
Access controls and administrative privilege management
Protecting user accounts and helping prevent misuse of privileged accounts is essential for any cyber secure system or network. 88% of insider threat incidents included privilege abuse, according to the 2014 Verizon Data Breaches Investigation Report (DBIR).
User accounts, particularly those with special access privileges (e.g. administrative accounts) should be assigned only to authorised individuals, managed effectively, and provide the minimum level of access to applications, computers and networks.
The term ‘privilege creep’ has gained momentum as this problem has grown, and refers to the gradual increase in access privileges that accrue when users get promoted or change roles without the old ones being reviewed and removed.
Patch management is about keeping software on computers and network devices up to date and capable of resisting low-level cyber attacks.
Any software is prone to technical vulnerabilities. Once discovered and shared publicly, vulnerabilities can rapidly be exploited by cyber criminals. Hackers can take advantage of known vulnerabilities in operating systems (OS) and third-party applications if they are not properly patched or updated.
According to the “Cloud Adoption and Risk Report” by Skyhigh Networks,a significant 18% of companies had at least 1,000 devices running Windows XP that were accessing public Cloud services. Windows XP reached its end of life in April 2014, which means that these devices may have been unpatched and vulnerable, exposing those organisations to risk.
Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware) and including options for virus removal will protect your computer, your privacy and your important documents from attack.
Firewalls don’t protect against malicious content on websites, but anti-malware suites on users’ workstations do. Hackers try to get malicious software onto trusted websites; while they used to favour getting it onto adult sites, this is no longer the preferred attack vector: placing malware on a blog, for example, is much more likely to be effective.
According to Malware research produced by AppRiver, “levels of spam and malware email traffic recorded during Q1’16 has already surpassed total levels documented during the whole of 2015, totaling at 2.3 billion malicious email messages, with 1.7 billion occurring in March alone.”