
The Cyber Essentials Access Controls

The key aspects of the Cyber Essentials’ secure configuration requirements are described below:

Software is made up of thousands of lines of code that instruct the device what to do. Within those many lines of code there will commonly be errors or vulnerabilities. Furthermore, many devices and software come from the manufacturer with extra features enabled that you do not use. Vulnerabilities in the code behind each ‘extra’ feature can potentially offer additional openings or access points for cyber criminals.

For Cyber Essentials, any services, software or applications that you are not using must be uninstalled. This includes features that came with your device/operating system that you do not want or require.

Any accounts on your devices and cloud services that are not used for day to day business must be removed or disabled under the Cyber Essentials standard. 

Most computers come with a ‘guest’ account enabled which allows anyone to freely access your device – you should disable it. 

If there is an account on your computer that is no longer used the Cyber Essentials standard requires that you delete it.

Autorun or autoplay is a feature that allows software to open automatically, by itself, when a USB device is plugged into your device.

It is important to disable autorun or autoplay on all operating systems and web browsers in order to avoid automatic installation of unauthorised, potentially malicious software. With autorun or autoplay disabled, the user is prompted for permission each time before software is allowed to run or play.

As much as is reasonably practicable, technical controls and policies must shift the burden away from individual users and reduce reliance on them knowing and using good practices. 

Cyber Essentials certification therefore requires that the organisation makes good use of the technical controls available on password-protected systems. The Cyber Essentials standard requires that:

  • Passwords are either:
    • at least 8 characters and supported by multi-factor authentication;
    • at least 8 characters and supported by a deny list (blocking common passwords); or
    • at least 12 characters.
  • Passwords do not have a maximum length.

For password-based authentication in Internet-facing services, the organisation must protect against brute-force password guessing by using at least one of the following methods:

  • Lock accounts after no more than 10 unsuccessful attempts.
  • Limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes.
  • Multi-factor authentication.

For mobile devices there needs to be a locking mechanism in place on each device to access the software and services installed. 

The Cyber Essentials standard requires either:

  • A unique password or PIN of 6 or more characters, or
  • A biometric method to unlock your devices.

Cyber Essentials requires that any ports you have open are understood and documented.

Port 3389 is the port for Remote Desktop Protocol (RDP). Remote Desktop Protocol enables a user of a computer in one location to access a computer or server somewhere else. This is often used by technicians to support users and to carry out maintenance tasks.

Remote Desktop Protocol is a common attack route for ransomware and should only be used on internal networks. There is no good business reason to have this port open for external use as it is extremely hard to make secure.

Close or block the RDP port (3389) at the firewall so that it is not open for use across the internet.

How to Start Your Assessment

Schedule a free 30 minute consultation with a KEYSIGMA Cyber Advisor