Principle: B4 System Security
Network and information systems and technology critical for the operation of essential functions are protected from cyber attack. An organisational understanding of risk to essential functions informs the use of robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.
This means utilising protective security measures to minimise the opportunities for an attacker to compromise the security of networks and information systems supporting essential functions. This includes the secure design, management and the secure configuration of a system throughout its lifecycle.
Where vulnerabilities are identified they should be patched, or, where patching is not possible, additional security measures should be implemented to fully mitigate the vulnerability risk.
Limiting functionality and ensuring secure configuration of systems will contribute to managing potential vulnerabilities arising from features in hardware and software. Your Pre-Production, Production, Development and Test environments should all be considered as part of your system definition and the associated risks proportionately mitigated against.
Activity indicative of the planning and execution of an attack should be identified, and systems appropriately protected against it.
Policy
The following requirements are placed on government departments:
- Government Organisations shall meet the CAF requirements of the relevant Government Profile under this principle.
- Departments shall adopt the NCSC’s Protective Domain Name Service (PDNS) and register for Web Check. See the available tools section below for more information. This requirement originated in a letter to Permanent Secretaries from the Cabinet Secretary in June 2017.
Guidance
- You should design the systems and networks operating or supporting the operation of essential functions to make compromise difficult, avoid disruption and reduce the impact of compromise. Guidance on this can be found within the NCSC’s Secure Design Principles.
- The Central Digital and Data Office (CDDO) has developed the Secure by Design principles for government. These enable organisations and programme delivery teams to adopt a common approach to securing digital services, so that appropriate and proportionate cyber security measures are embedded in the delivery of digital services from the start of their life.
- NCSC’s Architecture and configuration supplements its Secure Design Principles and will help you apply security configurations to your servers and devices to reduce your attack surface. It provides additional links for further reading on implementing configurations such as disabling macros, enabling email security controls (such as DMARC) and making use of Mobile Device Management (MDM) solutions.
- NCSC’s Device Security Guidance will assist you in effectively administering and managing devices across your network. It will help you choose devices with platform-specific security configurations and discusses how to connect, maintain, monitor and retire these devices securely. It also covers patch management, with guidance on preparing to install updates, using automatic updates where suitable and ensuring that the impact of a defective update is minimised through backup and test processes.
- The NCSC’s Vulnerability Management guidance sets out how system design, configuration and management can reduce the likelihood of vulnerabilities being reached or exploited. It also provides steps for establishing a vulnerability management process, including automated vulnerability scanning, vulnerability testing and a process for effectively prioritising and mitigating the vulnerabilities found.
- You should take steps to prevent malware from being delivered to, run on or spread from devices. NCSC guidance on Mitigating Malware and Ransomware Attacks provides controls to restrict programmatic and service access, promote a ‘Defence in Depth’ approach to architecture and minimise the potential impact of malware.
- NCSC’s Secure development and deployment guidance will provide you with principles for the development, storage, validation and deployment of code. It encourages the secure design of continuous integration and continuous deployment (CI/CD) pipelines and infrastructure, as well as the development of clean and maintainable code, to minimise the risk of code exploitation or manipulation.
- You should regularly test to fully understand the vulnerabilities of your networks and information systems. The NCSC’s guidance on penetration testing provides detail on the types of testing and test process steps. It will help you pick a test regime which is most suited to your organisation’s requirements and provides a model example. Where tests are facilitated, organisations should engage early with the NCSC’s Incident Management function to ensure they are aware and that all engagements are scoped appropriately.
- You should treat domains as a valuable digital asset. Following Cabinet Office guidance on Keeping your domain name secure, you should manage domains securely by putting accountable and responsible owners in place and making sure that contact details are kept up to date. Domains used for UK public sector services should be registered in a UK namespace wherever possible, with ownership officially documented. Any public sector services with domains registered in namespaces outside the UK pose a risk and should be reviewed carefully to ensure that all relevant laws and risks are understood. You should also consider implementing Domain Name System Security Extensions (DNSSEC) if appropriate to your organisation and capability.
Available tools
- The Protective Domain Name Service (PDNS) is an NCSC Active Cyber Defence (ACD) tool offering. It acts as a recursive resolver: it looks up answers to DNS queries while filtering out, and preventing access to, domains known to be malicious. Crucially, the DNS data it collects gives visibility of the operation of your network and allows the NCSC to actively identify emerging threats. Additionally, the NCSC offers outreach support to resolve any issues. All government departments are required to use this tool.
- The NCSC’s Early Warning Service is a free NCSC ACD service which will notify your organisation if it detects a potential cyber attack on your network. It combines NCSC information feeds with the domain names and IP addresses you provide to detect potential incidents and network abuse activity, as well as vulnerabilities and open ports. Organisations will be provided with daily threat reports and weekly vulnerability alerts which can be used to identify and mitigate cyber risks. All government departments should consider using this tool, or, where not architecturally possible, adopt a suitable alternative.
- Web Check is an NCSC ACD vulnerability scanning tool which will scan your organisation’s submitted URLs to identify website vulnerabilities including software version and site misconfiguration. A dashboard provides users with a view of all identified vulnerabilities which are categorised by risk and priority. All government departments are required to use this tool.
- The Vulnerability Disclosure Toolkit will assist your organisation in the development of a vulnerability disclosure process. It encourages clear channels of communication for vulnerability reporting and references the use of security.txt files as a means of advertising these channels.
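The security.txt format referred to above is small but easy to get wrong in ways that stop a reporter reaching you (a missing or past Expires, a Contact that is not a URI). The checker below is an added example written for this page, not part of the NCSC toolkit; the example.gov.uk names and the reference time are constructed.

```python
"""Check a security.txt file (RFC 9116) for the problems that most often stop
reporters reaching you. Added example, not part of the NCSC toolkit."""
from datetime import datetime, timedelta, timezone

REQUIRED = ("contact", "expires")           # RFC 9116 mandatory fields
SINGLE_VALUED = ("expires", "preferred-languages")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")
FIXED_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)  # constructed reference time

def parse_security_txt(text):
    """Return {field: [values]}; names lower-cased, comments and blank lines skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field: {n}" for n in REQUIRED if n not in fields]
    problems += [f"field must appear only once: {n}" for n in SINGLE_VALUED
                 if len(fields.get(n, [])) > 1]
    for contact in fields.get("contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto/https/tel URI: {contact}")
    for raw in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {raw}")
            continue
        if expires.tzinfo is None:          # treat a naive timestamp as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append("file has expired; reporters may disregard a stale policy")
        elif expires > now + timedelta(days=365):
            problems.append("Expires is over a year away; RFC 9116 recommends less")
    return problems

# Constructed samples: a compliant file, and one missing Expires with a bare address.
GOOD = ("# served at /.well-known/security.txt\n"
        "Contact: mailto:security@example.gov.uk\n"
        "Expires: 2030-01-01T00:00:00.000Z\n"
        "Canonical: https://www.example.gov.uk/.well-known/security.txt\n")
BAD = "Contact: security@example.gov.uk\n"
```

Run `validate()` against the file actually served at `/.well-known/security.txt` on each of your domains as part of the routine domain review.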
- All gov.uk domains used by your organisation should be signed up to the Registry Lock service. This service prevents unauthorised changes being made to .gov.uk domain records and to contact details in the gov.uk registry and will notify any relevant teams when changes to these records are made.
- CDDO’s Domain Management team monitors public sector namespaces for vulnerabilities. Departments may respond to alerts from the Domain Operations team (support@domains.gov.uk), notify the team of registered domains for monitoring and provide approval for any additional monitoring requirements.
- In addition to internally arranged penetration testing, organisations may consider engaging with Government Security Group’s Red Team within the Cabinet Office on its cyber attack simulation offerings (GBEST and GCASE). Its new hybrid model encompasses both cyber and physical elements. Contact gsgcyber@cabinetoffice.gov.uk for more information.
- Frameworks such as MITRE ATT&CK identify possible ways of disrupting an attacker at different stages of the attack chain which should be factored into system architecture and configuration.
Enhanced profile guidance
- You should implement an effective change management process which involves assessing the security impact of a change and ensuring all configuration versions are documented. The NCSC’s Cloud Security Guidance Principle 5: Operational Security provides detail in section 5.4 Configuration and change management on the ideal change management lifecycle, outlining security considerations and possible approaches. Further detail on configuration and change management can be found within section 6 of the NCSC’s Technology assurance guidance.
Further information
Further guidance and information can be found on the NCSC’s CAF Guidance webpage.