ZORB software helps businesses align with multiple Cyber Essentials controls

Quick Summary → Many businesses I talk with have implemented, or are in the process of implementing a cybersecurity certification such as Cyber Essentials or ISO27001. They are eager to understand just how ZORB can be utilised to meet the technical controls described in these frameworks. This article explains how ZORB can be applied to all five Cyber Essentials controls and help you achieve certification.

[Image: NCSC Cyber Essentials logo. Image courtesy of the NCSC]

Why ZORB aligns with Cyber Essentials

ZORB is a software application that helps businesses eliminate data theft. It does this by blocking the transmission of data until it can be proven that the data comes from a trusted application and is going to a trusted destination. The software installs on a Microsoft operating system, so it does not require any overhaul of existing IT infrastructure.


Cyber Essentials does not itself mandate data theft prevention. It does, however, endeavour to close off multiple ways in which data can be maliciously exfiltrated from systems. The requirements document leans towards reducing the opportunity for incoming threats, with an emphasis on inbound protection tools such as firewalls, antivirus and user access controls.


However, it is important to also consider outbound controls, as they complement inbound controls. If inbound protection systems are evaded, outbound protection tools may be what saves your business from a data breach. For example, should an attacker bypass user access controls to become an administrator and install a tool to exfiltrate data, ZORB becomes your last line of defence by recognising the data theft attempt and preventing that data from being transmitted.


Let’s consider how this applies to the requirements outlined in the five technical control themes.


Cyber Essentials Requirements Document (Section D)

Section D of the requirements document describes five technical control themes:

1)  Firewalls

This theme aims to ensure “that only secure and necessary network services can be accessed from the internet”. It states that:

    • An organisation with control over its network should use a boundary firewall to “restrict the inbound and outbound network traffic.”
    • An organisation that doesn’t have control over its network “must configure a software firewall on the device.”
    • “For cloud services, you can achieve this using data flow policies.”


All hardware and software firewalls provide the ability to set both inbound and outbound traffic policies. Inbound traffic policies restrict the capabilities of incoming threats. Outbound traffic policies reduce the risk of intentional data exfiltration. Yet many organisations choose to set only inbound policies. There are many possible reasons for this, but a common one is that outbound policies are far more complex and time-intensive to configure. They also require constant maintenance: a single misconfiguration in an outbound policy can prevent legitimate traffic from reaching its destination.


ZORB contributes to this control by overcoming these outbound configuration challenges, providing the equivalent functionality of an outbound firewall (with more granular, per-application control and stronger protection) without the upkeep overheads.


ZORB allows you to demonstrate:

    • Organisations with a boundary firewall have restricted outbound network traffic at the device level.
    • Organisations without a boundary firewall have restricted outbound network traffic at the device level.
    • Outbound data flow policies have been implemented for cloud services.


2)  Secure configuration

One aim of this theme is to “reduce vulnerabilities in computers and network devices that allow unauthorised access to sensitive information.” Vulnerabilities arising from hardware or software weaknesses, or from device misconfiguration, are exactly what an attacker targets to gain access to a network or a device. The emphasis is on REDUCING vulnerabilities, because it may not be possible to eliminate them entirely: some vulnerabilities may not yet have been identified by the vendor, a patch may not yet be available, and even with the best will in the world, engineers make mistakes in configurations.


ZORB contributes to this control by protecting outbound data while vulnerabilities remain unpatched, unknown, or yet to be identified. Should a device become compromised, it prevents data exfiltration by checking where data has come from and where it is going.


ZORB allows you to demonstrate:

    • Should a SaaS product be vulnerable, data is only sent to the SaaS provider and to no other third party.
    • For remote/hybrid workers, data is only sent via the VPN (to the HQ or the SaaS provider); the VPN is not being bypassed and data is not being redirected to a third party.


3)  Security update management

This aims to “ensure that devices and software are not vulnerable to known security issues for which fixes are available”.


This is sound advice, provided that the update request has not been poisoned. Update poisoning is a common technique in which an attacker redirects the request for an update to a malicious third party masquerading as the legitimate vendor.


ZORB contributes to this control by validating the legitimacy of update requests.


ZORB allows you to demonstrate:

    • Updates are requested from the legitimate vendor and have not been poisoned.
    • Where a security update is not yet available, sensitive business information is not being sent to malicious third parties.


4)  User access control

Here the focus is on user account authorisation, accountability and least privilege to reduce the risk of information being stolen or damaged.


ZORB does not provide any support for user-based access control itself. However, should access controls be bypassed, ZORB can reduce the risk of a data breach.


ZORB allows you to demonstrate:

    • To complement user access control, the risk of information being stolen is reduced because data is only transmitted to legitimate destinations, even if access controls are bypassed.
    • Should software be installed by a malicious actor, any attempt to transmit data via that application is blocked by default, because the application is not on the approved trust list of applications allowed to transmit data.


5)  Malware protection

The aim of this theme is “to restrict execution of untrusted software, from causing damage or accessing data.”


As mentioned above, many organisations concentrate on stopping inbound threats by using firewalls and antivirus software. However, incoming threats can evade inbound protection tools. Malware protection therefore requires a two-fold approach: first, preventing malware from running on a device; second, if it does manage to install, preventing it from exfiltrating data.


ZORB contributes to this control by preventing certain types of malware from exfiltrating data. Specifically, it prevents RATs, botnets and some ransomware from connecting to their command-and-control (C2) server to register or to upload exfiltrated data.


ZORB allows you to demonstrate:

    • Protection against data upload to the C2 server should malware (botnets, RATs, some ransomware) evade antivirus.
    • A list of approved applications that are permitted to upload data to the Internet.


Cyber Essentials Requirements Document (Section E)

Cyber Essentials provides additional guidance in section E:

Backing up your data

Backups are crucial in the event of an attack where data is damaged, such as ransomware. Today, many applications automatically back up to the cloud. But how do you ensure that data is backed up (manually or automatically) to the trusted storage provider only? If an Outlook .OST file were backed up to the wrong destination, the user’s entire email history could be disclosed.


ZORB allows you to demonstrate:

    • Backup data is going to the authorised online storage provider only, and not to a third-party.

Zero trust and Cyber Essentials

As more services are migrated to the cloud or SaaS, Zero Trust Architectures (ZTAs) are being implemented to allow secure remote access and data sharing.


We apply zero trust to outbound data. By default, all outgoing data is treated as untrusted and is automatically blocked. Only when the data can be proven to be trusted (i.e. from a trusted source to a trusted destination) is the data allowed to be transmitted from the device.
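As an added illustration of the outbound policy this article describes (the device-level outbound restriction in section 1, the update-source check in section 3, the approved application list in sections 4 and 5, the backup destination check in Section E, and the default-deny zero trust rule above), here is a small Python policy evaluator. It is not ZORB's code and makes no claim about how ZORB identifies applications: identifying a process by its executable path plus the SHA-256 of its binary is an assumption made for the example, and the trust list, paths, hashes, hostnames and connection records are all constructed.

```python
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TrustedApp:
    """An application permitted to send data, pinned by path and binary hash."""
    path: str
    sha256: str
    destinations: Tuple[str, ...]  # exact host, "*.suffix" wildcard, or CIDR


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt as observed on the device."""
    process_path: str
    process_sha256: str
    dest_host: str  # name the client resolved, or "" if it connected by IP
    dest_ip: str
    dest_port: int


def destination_allowed(allowed: Tuple[str, ...], host: str, ip: str) -> bool:
    """Return True if the destination matches any entry on the allow list."""
    addr = ipaddress.ip_address(ip)
    host = host.lower()
    for entry in allowed:
        if "/" in entry:  # CIDR range, matched on the IP actually connected to
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif entry.startswith("*."):  # wildcard on a DNS suffix
            if host and host.endswith(entry[1:]):
                return True
        elif host and host == entry.lower():  # exact hostname
            return True
    return False


def evaluate(policy: Dict[str, TrustedApp], conn: Connection) -> Tuple[str, str]:
    """Default deny: allow only a pinned trusted binary talking to its own destinations."""
    app = policy.get(conn.process_path.lower())
    if app is None:
        return "deny", "process is not on the trust list"
    if app.sha256 != conn.process_sha256:
        return "deny", "binary hash does not match the trusted build"
    if not destination_allowed(app.destinations, conn.dest_host, conn.dest_ip):
        return "deny", "destination is not allowed for this process"
    return "allow", "trusted process to trusted destination"


def fake_hash(label: str) -> str:
    """Constructed stand-in for a binary hash: hashes a label, not a real file."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed trust list. Paths, hashes and destinations are illustrative only.
POLICY: Dict[str, TrustedApp] = {
    app.path: app
    for app in (
        TrustedApp(r"c:\program files\mail\mail.exe", fake_hash("mail-build-1"),
                   ("*.mail.example", "mail.example")),
        TrustedApp(r"c:\program files\backup\agent.exe", fake_hash("backup-build-1"),
                   ("backup.storage.example", "198.51.100.0/24")),
        TrustedApp(r"c:\program files\vendor\updater.exe", fake_hash("updater-build-1"),
                   ("updates.vendor.example",)),
    )
}

# Constructed connection records, in the order the comments describe.
SAMPLE_CONNECTIONS: List[Connection] = [
    # 1. mail client reaching its provider
    Connection(r"C:\Program Files\Mail\mail.exe", fake_hash("mail-build-1"),
               "smtp.mail.example", "192.0.2.10", 443),
    # 2. same path, different binary: the executable has been replaced
    Connection(r"C:\Program Files\Mail\mail.exe", fake_hash("unknown-build"),
               "smtp.mail.example", "192.0.2.10", 443),
    # 3. program nobody approved, connecting by IP to an unfamiliar host
    Connection(r"C:\Users\Public\tool.exe", fake_hash("tool"),
               "", "203.0.113.7", 8443),
    # 4. backup agent to the authorised storage range
    Connection(r"C:\Program Files\Backup\agent.exe", fake_hash("backup-build-1"),
               "", "198.51.100.25", 443),
    # 5. backup agent pointed at a different storage service
    Connection(r"C:\Program Files\Backup\agent.exe", fake_hash("backup-build-1"),
               "files.other.example", "203.0.113.50", 443),
    # 6. update request answered by a look-alike name, not the vendor
    Connection(r"C:\Program Files\Vendor\updater.exe", fake_hash("updater-build-1"),
               "updates.vendor.example.attacker.example", "203.0.113.99", 443),
]


def run_sample() -> List[Tuple[str, str]]:
    """Evaluate every sample connection and return (decision, reason) pairs."""
    return [evaluate(POLICY, conn) for conn in SAMPLE_CONNECTIONS]


if __name__ == "__main__":
    for conn, (decision, reason) in zip(SAMPLE_CONNECTIONS, run_sample()):
        target = conn.dest_host or conn.dest_ip
        print(f"{decision:5} {conn.process_path} -> {target}:{conn.dest_port} ({reason})")
```

Every decision carries a reason, so legitimate traffic blocked by a gap in the trust list (the misconfiguration risk noted under Firewalls) shows up as a reviewable deny record rather than a silent failure, and the three deny reasons map directly onto the evidence items listed above: unknown application, tampered application, and approved application sending to an unapproved destination.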

 

Conclusion

ZORB can help meet several controls for Cyber Essentials (or ISO27001). Cyber security is about defence in depth: using multiple best-in-class protection tools so that if one tool is evaded, there is backup protection behind it. In some cases ZORB might not meet a specific control requirement on its own, but it is complementary to other tools that do.


This article aims to give a high-level view of how ZORB can help you meet the requirements for Cyber Essentials. I plan to provide a more detailed document soon. Contact me if you want to receive this document when it is available.

About the Author

Dr Mark Graham, CEO of ZORB Security

Dr. Mark Graham has spent over 30 years in cybersecurity. He completed his PhD in malware detection in Cambridge, UK, where he also lectured in Information Security, Cybercrime, and Pen-Testing. He is a co-founder of ZORB Security, which specialises in eliminating data theft.
