Firewall Strategies: Balancing Access and Security in Legacy Server Environments

Question:

“Considering that we have segregated an outdated server running a legacy service onto a dedicated subnet, which is only accessible via a firewall that permits connections solely from specified users and devices within our internal network, would this level of security be sufficient to comply with organization-wide Cyber Essentials standards, or is it necessary to define an ‘all but one’ subset within the firewall rules? I have an inkling of the probable requirement, but I seek confirmation from an expert.”

Answer:

In the realm of cybersecurity, the segregation of outdated servers and services is a common practice to mitigate risks. The scenario presented involves an old server running an unsupported service, moved to its own subnet, with access strictly controlled by a firewall. This firewall only allows connections from explicitly authorized users and devices. The question at hand is whether this setup meets the requirements for Cyber Essentials certification or if further action is needed.

Cyber Essentials is a cybersecurity standard that outlines fundamental security controls to protect against common online threats. Compliance with this standard demonstrates a commitment to cybersecurity. One of the core requirements is the implementation of firewalls to manage the flow of traffic to and from the organization’s networks.

Assessing the Current Setup

The current measures—segregating the server onto a dedicated subnet and restricting access through firewall rules—are commendable. They align with the principle of ‘least privilege’, ensuring that only necessary connections are permitted. However, Cyber Essentials emphasizes not just the restriction of access, but also the need for regular updates and maintenance.

The Unsupported Server Issue

The primary concern here is the use of an unsupported server and service. Without regular updates and patches, these systems remain vulnerable to exploitation. Even with network segregation and firewall protection, the residual risk may be unacceptable.

Recommendations for Compliance

To enhance compliance with Cyber Essentials, consider the following steps:

1. Upgrade or Replace: Ideally, replace the outdated server and service with supported alternatives that receive regular updates.

2. ‘All but One’ Subset: If upgrading is not feasible, defining an ‘all but one’ subset within the firewall rules can provide an additional layer of security, ensuring that even if a user’s credentials are compromised, the server remains protected.

3. Regular Reviews: Conduct frequent security reviews and risk assessments to ensure that the controls in place are effective and that no new vulnerabilities have been introduced.
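The segregation described in the question, written out as an added example in nftables syntax (this is not from the original post): a default-deny forward chain on the firewall between the internal LAN and the legacy subnet that admits only two allowlisted workstations to the legacy service port, stops the legacy subnet from initiating connections outward, and logs everything else so that denied attempts can feed the periodic reviews in step 3. The subnet, host addresses and port are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example, not part of the original post. Placeholder values:
#   10.99.0.0/24  dedicated subnet holding the legacy server
#   10.99.0.10    the legacy server itself
#   10.10.1.5/.6  the only workstations allowed to reach it
#   tcp/8443      the port the legacy service listens on
# Loaded on the firewall that routes between the internal LAN and the legacy subnet.

define legacy_net  = 10.99.0.0/24
define legacy_host = 10.99.0.10
define legacy_port = 8443

table inet legacy_segregation {
    # Devices permitted to reach the legacy service. Change this set, not the rules,
    # and review its contents as part of the regular risk assessment.
    set allowed_clients {
        type ipv4_addr
        elements = { 10.10.1.5, 10.10.1.6 }
    }

    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority filter; policy drop;

        # Return traffic for sessions that were already permitted.
        ct state established,related accept

        # Allowlisted clients may open new sessions to the legacy host, on its port only.
        ip saddr @allowed_clients ip daddr $legacy_host tcp dport $legacy_port ct state new log prefix "legacy-allow: " accept

        # The legacy subnet may not initiate connections anywhere: if the unsupported
        # server is compromised it must not become a pivot into the rest of the LAN.
        ip saddr $legacy_net ct state new log prefix "legacy-egress-drop: " drop

        # Every other attempt to reach the subnet is logged (rate-limited), then dropped by policy.
        ip daddr $legacy_net limit rate 10/minute log prefix "legacy-drop: "
    }
}
```

Rules like these identify devices by IP address only; restricting access by user is beyond what a network firewall can express and needs an authenticating gateway or VPN in front of the legacy service.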

Conclusion

While the current setup provides a significant level of security, it may not fully comply with Cyber Essentials due to the inherent risks of using unsupported systems. Taking additional steps to either upgrade the systems or enhance firewall rules can help in meeting the standard’s requirements. Ultimately, the goal is to establish a robust security posture that not only meets compliance standards but also adapts to the evolving threat landscape.
