Jason Hart, Author at IT Security Guru
https://www.itsecurityguru.org/author/jason-hart/

ITHC (IT Health Check) and PSN compliance: an overview and considerations
Published Tue, 22 Jun 2021 10:27:08 +0000
https://www.itsecurityguru.org/2021/06/22/ithc-it-health-check-and-psn-compliance-an-overview-and-considerations/
What is an IT Health Check (ITHC)

An ITHC (IT Health Check) is a series of tests that assess whether your organisation's systems can be penetrated by unauthorised persons. Specifically, organisations or individuals conduct an ITHC to confirm that they meet key requirements for PSN compliance.

Direct from the ITHC supporting guidance:

“Your ITHC should aim to provide assurance that your organisation’s external systems are protected from unauthorised access or change, and they do not provide an unauthorised entry point into systems that consume PSN services.

The internal systems should be tested to provide further assurance that no significant weaknesses exist on network infrastructure or individual systems that could allow one internal device to intentionally or unintentionally impact on the security of another.”

PSN compliance

Just to make sure we’re all up to speed, the PSN (Public Services Network) is a UK government network which was established to enable public-sector organisations to share resources easily. It is also used by commercial service providers to sell services so that they can be accessed safely and securely by public-sector organisations.

For obvious reasons, it’s extremely important to ensure that this network cannot be breached, which is why any person or organisation who wishes to access the PSN must first demonstrate that they meet all the requirements for PSN compliance.

ITHC Considerations

The ITHC will check your internal and external systems for significant weaknesses and potential entry points, and review your security configurations.

Internal systems

During the ITHC, your internal network should be scanned and manually analysed.

Consider the following:

  • The build and configuration of all devices: laptops, desktops, phones, tablets.
  • Don’t forget to factor in employees’ personal devices.
  • Consider also people external to your organisation who may have access to your internal systems, such as clients.
  • The configuration of your wireless network.
  • Check that your OS, applications and firmware are updated with appropriate patches.
  • Review network management security and internal security gateway configuration (including PSN).

External systems

Your ITHC should also entail scanning and analysing online systems such as:

  • Email servers
  • Web servers
  • Firewalls
  • Any systems you have in place to allow staff to connect into your organisation remotely, including VPN.

Passwords – your first line of defence

PSN Code of Connection (CoCo) compliance requires you to demonstrate that you have systems in place to secure password protected entry points.

Under CoCo section 2, Authentication and access control, these include:

  • Ensuring all passwords are changed from defaults.
  • Stopping password/account sharing.
  • Ensuring that high-privilege users such as administrators use different passwords across accounts.
  • Strengthening authentication by combining passwords with some other form of authentication, such as two-factor.
  • Never storing passwords as plain text, but ensuring they are hashed using a cryptographic function capable of multiple iterations and/or a variable work factor. See how to change the Active Directory password hash method.

For a quick win to highlight the extent of the password problem in your organisation, it is recommended to audit your Active Directory users and passwords.

One simple method to complete this is with Specops Password Auditor, a free tool that exports a detailed or high-level summary of accounts identified with password vulnerabilities, including expired, identical or blank passwords. It also compares the password hashes on your systems against a regularly updated list of breached passwords, so that you can alert affected users to update their passwords as soon as possible.
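To make concrete what such an audit actually checks, here is an added example (not the tool's code and not from the article) that runs the same four checks, plus the CoCo point about administrators reusing passwords across accounts, over a handful of constructed account records. The accounts, dates, the 90-day maximum age and the breached-hash list are all constructed for illustration; unsalted SHA-256 stands in for whatever hash format a real directory stores, purely so the example is self-contained.

```python
"""Audit account records for blank, expired, shared and breached passwords (added example)."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set


def hash_pw(password: str) -> str:
    # Constructed stand-in for the directory's stored hash format (an audit only
    # ever sees hashes, never plaintext). A real directory does not use plain SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    name: str
    pw_hash: str
    last_set: date
    is_admin: bool = False


EMPTY_HASH = hash_pw("")

# Constructed breached-hash corpus; in practice this is refreshed regularly from breach data.
BREACHED_HASHES: Set[str] = {hash_pw("Password1"), hash_pw("Summer2021!")}

# Constructed sample directory.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", hash_pw("Correct-Horse-Battery"), date(2021, 5, 1)),
    Account("bob", hash_pw("Password1"), date(2021, 1, 10)),
    Account("svc-backup", EMPTY_HASH, date(2020, 11, 3)),
    Account("carol", hash_pw("Summer2021!"), date(2021, 6, 1)),
    Account("admin-carol", hash_pw("Summer2021!"), date(2021, 6, 1), is_admin=True),
]


def audit(accounts: Iterable[Account], today: date, max_age_days: int = 90,
          breached: Set[str] = BREACHED_HASHES) -> Dict[str, list]:
    """Return account names grouped by finding type.

    identical: groups of accounts sharing one hash (password reuse or sharing)
    admin_reuse: privileged accounts whose hash is shared with another account
    """
    findings: Dict[str, list] = {
        "blank": [], "expired": [], "breached": [], "identical": [], "admin_reuse": [],
    }
    by_hash: Dict[str, List[Account]] = defaultdict(list)
    cutoff = today - timedelta(days=max_age_days)

    for acct in accounts:
        by_hash[acct.pw_hash].append(acct)
        if acct.pw_hash == EMPTY_HASH:
            findings["blank"].append(acct.name)
        if acct.last_set < cutoff:
            findings["expired"].append(acct.name)
        if acct.pw_hash in breached:
            findings["breached"].append(acct.name)

    for h, group in by_hash.items():
        if len(group) < 2 or h == EMPTY_HASH:  # blanks are already reported above
            continue
        findings["identical"].append(sorted(a.name for a in group))
        findings["admin_reuse"].extend(a.name for a in group if a.is_admin)

    return findings


def summary(findings: Dict[str, list]) -> Dict[str, int]:
    """High-level counts, the 'summary' view an auditor would hand to management."""
    return {kind: len(items) for kind, items in findings.items()}


if __name__ == "__main__":
    result = audit(SAMPLE_ACCOUNTS, today=date(2021, 6, 22))
    for kind, items in result.items():
        print(f"{kind:12} {items}")
    print(summary(result))
```

The breached check is the one that usually surprises people: a password can satisfy every complexity rule and still be in a public breach corpus, so it is matched by hash rather than by pattern.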

Find an appropriately certified ITHC testing partner

Central government customers must choose a partner who is accredited by the CHECK scheme. Non-government customers can also choose testing partners with CREST-approved ITHC services or the Cyber Scheme.

Work with your ITHC testing partner to resolve any issues that arise and you’ll not only meet PSN compliance, but crucially, you’ll be protecting your own organisation, your clients, and your employees.

Contributed by Jason Hart, Cyber Security Expert

The post ITHC (IT Health Check) and PSN compliance: an overview and considerations appeared first on IT Security Guru.

Are your remote or furloughed employees a security threat?
Published Fri, 14 May 2021 15:58:21 +0000
https://www.itsecurityguru.org/2021/05/14/are-your-remote-or-furloughed-employees-a-security-threat/
The evolution of the workplace has accelerated over the past year for reasons too painfully obvious to mention. In light of the office exodus, employers have been set the enormous task of adapting and accommodating a remote workforce and managing morale in the face of furloughs.

Among the many practical challenges is shoring up your cybersecurity defences. The risks posed by furloughed and remote workers may not occur to many employers, so here’s a shortlist of challenges and actionable solutions for your organisation.

Suspicious emails lying dormant in inboxes

When your furloughed employees return to your workplace, it’s all systems go. Top of the agenda for many people is to clear that inbox, stat. But in the rush, your employees may fail to notice suspicious emails.

Worse still, many employees aren’t even aware of their personal responsibility to filter phishing emails. A 2021 phishing report by Proofpoint found that just over half of organisations provide company-wide cyber-security training, and consequently only 63% of respondents within organisations could correctly say what phishing was.

What to do: Prioritise security awareness training for your team and make sure you impress on your furloughed employees the continued importance of being vigilant against phishing emails. Consider disabling their accounts until that training has been completed.

Resetting passwords on personal devices

How good are you at remembering your passwords? The better you are at creating strong, unique passwords, the less likely you are to remember them. Luckily, our clever devices have a way of remembering all of our passwords for us. Great, right? Well, only until you need to change devices.

Those who have switched to working from home are likely to also be using their personal devices to conduct business. What happens when they have forgotten their passwords? Password reset links, of course. But be warned that not all password reset links are made equal.

Some password reset solutions email your existing password to you or assign you a new unique password in plain text. In these instances, users are less likely to go to the effort of resetting their password. Another potential issue is password reset links that don’t expire. In both of the above scenarios, anyone with access to their email will also have access to the offending web application.

What to do: Employ multi-factor authentication (MFA) on password resets for sensitive business web apps. Users then verify their identity with security questions, mobile verification codes, a third-party digital identity provider such as LinkedIn, or even fingerprint authentication.

You can also set a password expiration policy, requiring employees to regularly update their passwords. Enforce compliance requirements to prevent weak passwords.
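The two reset-link failure modes described above (a link that never expires, and one that can be used more than once) are both server-side design choices, so here is an added example, not from the article, of a reset-token store that avoids them. Each token is random, stored only as a hash (so a database read does not yield usable links), expires after a fixed window, is consumed on first use, and is invalidated when a newer request is made for the same user. The 15-minute window, the class and method names and the injected clock are this example's own assumptions; MFA on the reset page, as the article recommends, sits on top of this and is not shown.

```python
"""Single-use, expiring password-reset tokens stored as hashes (added example)."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed window; short enough that a leaked link goes stale quickly


@dataclass
class PendingReset:
    user: str
    expires_at: float  # seconds on whatever clock the caller uses


class ResetTokenStore:
    """Issues reset tokens and redeems them exactly once before expiry.

    The caller supplies `now` so behaviour is deterministic in tests; in
    production pass time.time().
    """

    def __init__(self, ttl_seconds: int = TOKEN_TTL_SECONDS) -> None:
        self.ttl = ttl_seconds
        self._pending: Dict[str, PendingReset] = {}  # token hash -> pending reset
        self._latest: Dict[str, str] = {}            # user -> current token hash

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is stored: anyone who reads the table cannot reconstruct a working link.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str, now: float) -> str:
        """Create a token for `user`, invalidating any earlier outstanding one. Returns the link value."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not guessable
        token_hash = self._hash(token)
        previous = self._latest.pop(user, None)
        if previous is not None:
            self._pending.pop(previous, None)  # a newer request supersedes the old link
        self._pending[token_hash] = PendingReset(user, now + self.ttl)
        self._latest[user] = token_hash
        return token  # goes into the emailed link; never persisted in clear

    def redeem(self, token: str, now: float) -> Optional[str]:
        """Return the user for a valid, unexpired, unused token, else None. The token is consumed either way."""
        pending = self._pending.pop(self._hash(token), None)  # pop => single use
        if pending is None:
            return None
        self._latest.pop(pending.user, None)
        if now > pending.expires_at:
            return None  # expired links are refused and discarded
        return pending.user

    def outstanding(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    store = ResetTokenStore()
    link_value = store.issue("alice", now=0.0)
    print("first use :", store.redeem(link_value, now=60.0))
    print("second use:", store.redeem(link_value, now=61.0))
```

Because `redeem` removes the entry before checking expiry, an expired token cannot be retried later, and because `issue` drops the previous hash, a user who requests two links can only ever use the most recent one.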

Malware on personal devices

On the subject of personal devices, can you ensure that your employees have installed adequate antivirus software? You have strict policies in place to safeguard your employees’ work devices from malware, but you may not have paid the same consideration to malware threats outside of the office.

Are you willing to bet your company’s online security on the idea that your employees don’t illegally download content online? And even if you are that trusting, can you attest to the security-savviness of the family members that share their devices? According to a 2018 report by internetmatters.org, nearly one in ten children have been affected by malware. A pirated download of Peppa Pig could bring your company to its knees.

What to do: Domain isolation. In other words, restrict access to non-approved devices. Put further barriers in front of your most security-sensitive data. Make sure sensitive data is only visible to users who strictly need access to it.

Lack of access to onboarding and security awareness training

So far we’ve focussed on existing employees, but let’s not forget new hires and the importance of proper onboarding.

Listen, we all know that most employees are more interested in hearing about holiday allowances and Friday happy hour, but the security culture of your company is one of the most (if not the most) important parts of the onboarding process.

What to do: Make sure that proper security training is not a footnote, but a core part of your new hires’ integration into your organisation. Ensure that all new employees sign up for accounts on your security tools and are trained to use them effectively.

The bottom line

Don’t overlook the security threat posed by employees who are not in the office. Furloughed and remote workers may not consider how their working style could impede your company’s cybersecurity efforts.

Out of the traditional office environment, extra steps should be taken to educate new and existing employees on cybersecurity. If you aren’t already, it’s vitally important to start employing password policy best practices. Make sure all your employees respect the need to regularly update passwords and help by using tools to create strong, complex, and uncompromised passwords.

Contributed by Jason Hart, Cybersecurity Expert

The post Are your remote or furloughed employees a security threat? appeared first on IT Security Guru.
