22nd June 2018
What are the common challenges public sector organizations face when trying to achieve Public Services Network (PSN) compliance?
SureCloud works with a significant number of the UK's local authorities and public organizations, conducting IT Health Checks (ITHCs) and advising them on what they need to achieve, and then maintain, to be PSN compliant.
In short, the PSN compliance framework requires organizations to meet Government Information Assurance (IA) requirements, which are designed to provide an achievable and sensible baseline for ongoing security.
As a result of this work, the company is well placed to observe the common challenges organizations face in securing their IT infrastructure, specifically when trying to achieve PSN compliance. Let's take a look at some of these challenges and how to overcome them.
One of the most common issues we see is a continued dependency on Windows Server 2003, despite Microsoft ending support for it on 14th July 2015, after which no further security patches were issued for it. Local government often struggles to migrate Windows Server 2003 systems off the network, predominantly because certain legacy or niche business applications are not supported on newer operating systems. The problem is compounded by limited resources to perform the migrations without significant cost.
However, until those systems can be upgraded or migrated to a supported Windows Server version, there are a number of steps organizations can take to reduce the exposure of their Windows Server 2003 deployments.
These include: removing unsupported software; regularly updating and patching the third-party software that remains; restricting the users and hosts that can connect to the server using access lists; limiting the ports it exposes to the wider network; and isolating the server from the rest of the network using segmentation. These measures reduce the risk rather than remove it: an operating system that no longer receives security updates will still be reported in an ITHC, so they should sit alongside a documented migration plan rather than replace one.
While most organizations are well versed in maintaining a standardized patching schedule for Microsoft operating systems and their associated applications, they commonly overlook patches for third-party applications such as the Java Runtime Environment or Adobe Reader. These are widely deployed and routinely targeted, so missing their updates leaves well-known vulnerabilities in place across the estate.
One of the biggest challenges arises when a third-party application bundles other third-party components, such as its own copy of the Java runtime. In such cases it may not be possible to update the individual component that has been identified as vulnerable until the main application vendor produces a patch or a new version of their software.
In the case of business-critical applications, such as adult social care or revenues and benefits systems, this can become a serious headache: it may take months for the vendor to produce a patch, and even longer to arrange the business processes needed to accommodate a change to a business-critical application.
In these circumstances, if the vendor has provided an update to their application but you are still unable to implement it within a suitable timeframe, a remediation statement setting out the plan to update and the timeframe for doing so will contribute to the risk statement in your PSN submission.
Administrators can find the logistics of manually installing third-party patches and updates overwhelming, not least because they often lack the resources to do so. Fortunately, there are numerous products on the market that integrate with an existing Microsoft patch deployment methodology, such as System Center Configuration Manager (SCCM) and Windows Server Update Services (WSUS), by publishing third-party update catalogs into it, so that Java, Adobe and similar updates are approved and deployed through the same workflow as Microsoft updates. Whichever route is taken, the starting point is an accurate inventory of which third-party versions are actually installed on each host.
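Before any patch tooling is chosen, it helps to know how far behind the estate actually is. The following is an added example (not SureCloud's code or any product's) that takes an inventory export of the kind produced from the Windows Uninstall registry keys and flags every install below a minimum version. The CSV rows, hostnames and baseline versions are constructed placeholders, not real advisory data; the one real detail it demonstrates is that version strings must be compared numerically, because as text "8.0.910" sorts above "8.0.1710" and an outdated Java install would be missed.

```python
"""Flag third-party software that is below a minimum patched version.

Added example, not SureCloud's code. The inventory is a constructed CSV in the
shape of a DisplayName/DisplayVersion export from the Uninstall registry keys;
the baseline versions are illustrative placeholders, not real advisory data.
"""
import csv
import io
import re

# Constructed inventory export (hypothetical hosts and versions).
INVENTORY_CSV = """host,display_name,display_version
FIN-APP01,Java 8 Update 171,8.0.1710.11
FIN-APP01,Adobe Acrobat Reader DC,18.011.20040
HR-WS014,Java 8 Update 91,8.0.910.14
HR-WS014,Adobe Acrobat Reader DC,15.023.20056
HR-WS014,7-Zip 9.20,9.20
"""

# Illustrative minimum versions keyed by a product-name prefix. These are NOT
# real advisory figures; substitute the vendor's current versions in practice.
BASELINE = {
    "Java 8": "8.0.1710.11",
    "Adobe Acrobat Reader DC": "18.011.20040",
    "7-Zip": "18.05",
}


def version_key(version: str) -> tuple:
    """Split a version string into integers so that 8.0.1710 > 8.0.910.

    Plain string comparison gets this wrong ("8.0.910" > "8.0.1710" as text),
    which is exactly the kind of mistake that hides an outdated install.
    ".", "_" and "-" are all treated as separators.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_outdated(inventory_csv: str, baseline: dict) -> list:
    """Return (host, name, installed, required) for every entry below baseline."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        for prefix, required in baseline.items():
            if row["display_name"].startswith(prefix):
                if version_key(row["display_version"]) < version_key(required):
                    findings.append((row["host"], row["display_name"],
                                     row["display_version"], required))
                break  # first matching baseline entry wins
    return findings


if __name__ == "__main__":
    for host, name, installed, required in find_outdated(INVENTORY_CSV, BASELINE):
        print(f"{host}: {name} {installed} is below baseline {required}")
```

Run against a real export, the output is the list that goes into the remediation plan: each line is either a package to push through WSUS/SCCM or, for a bundled component the vendor has not yet updated, an item for the risk statement.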
To adhere to the UK government's wireless network guidance, organizations need to separate public and corporate wireless networks, but far too often this is done inadequately. Adequate segmentation can usually be achieved with strict firewall rulesets between the two networks, and ideally a wireless management framework should be implemented where costs permit.
A management framework will also provide adequate logging, along with traffic and device management. At a minimum, guest clients should have no route into corporate address ranges, only egress to the internet, and should be isolated from one another. Where possible, look to implement full physical segregation.
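Neither the Windows Server 2003 ringfencing described earlier nor the guest/corporate wireless split is proven by writing the rules; it is proven by checking that the deployed ruleset yields the intended decision for each flow. The following added example (not SureCloud's code, and not any firewall vendor's syntax) models a first-match ruleset covering both cases and checks it against a policy table; the address ranges, hostnames and ports are hypothetical placeholders.

```python
"""Check a segmentation ruleset against the access it is meant to enforce.

Added example, not SureCloud's code or any vendor's. The ruleset is a
constructed, vendor-neutral model of a first-match firewall policy; the
address ranges and hostnames are hypothetical placeholders.
"""
from ipaddress import ip_address, ip_network

# Hypothetical network plan.
CORPORATE_LAN = "10.10.0.0/16"
GUEST_WIFI = "10.99.0.0/16"
LEGACY_2003 = "10.10.50.10"      # the Windows Server 2003 host being ringfenced
APP_SERVERS = "10.10.20.0/24"    # hosts that legitimately talk to the legacy app
MGMT_JUMPHOST = "10.10.1.5"
ANY = "0.0.0.0/0"

# First match wins; a rule is (action, src, dst, dport) with None meaning any port.
# Constructed ruleset, ordered the way the hardening advice suggests: explicit
# allows to the legacy host, then a deny for everything else to it; guest Wi-Fi
# denied into the corporate range before it is allowed out to the internet.
RULES = [
    ("allow", MGMT_JUMPHOST, LEGACY_2003, 3389),   # RDP only from the jump host
    ("allow", APP_SERVERS, LEGACY_2003, 1433),     # the legacy app's database port
    ("deny", ANY, LEGACY_2003, None),              # nothing else reaches it
    ("deny", GUEST_WIFI, CORPORATE_LAN, None),     # guest -> corporate blocked
    ("allow", GUEST_WIFI, ANY, None),              # guest -> internet only
    ("allow", CORPORATE_LAN, ANY, None),
    ("deny", ANY, ANY, None),                      # explicit default deny
]


def decide(rules, src, dst, dport):
    """Return the action of the first rule matching (src, dst, dport)."""
    s, d = ip_address(src), ip_address(dst)
    for action, rsrc, rdst, rport in rules:
        if s in ip_network(rsrc) and d in ip_network(rdst) and rport in (None, dport):
            return action
    return "deny"  # implicit default deny if no rule matched


# Policy table: the access the segmentation is supposed to permit or forbid.
POLICY = [
    # (src, dst, dport, expected)
    (MGMT_JUMPHOST, LEGACY_2003, 3389, "allow"),
    ("10.10.20.7", LEGACY_2003, 1433, "allow"),
    ("10.10.77.3", LEGACY_2003, 3389, "deny"),    # ordinary corporate workstation
    ("10.10.77.3", LEGACY_2003, 445, "deny"),     # SMB to the legacy host
    ("10.99.4.20", LEGACY_2003, 3389, "deny"),    # guest client
    ("10.99.4.20", "10.10.77.3", 445, "deny"),    # guest -> corporate
    ("10.99.4.20", "203.0.113.9", 443, "allow"),  # guest -> internet
]


def policy_violations(rules, policy):
    """Return each policy check whose decision under `rules` differs from the expected one."""
    return [(src, dst, port, expected, decide(rules, src, dst, port))
            for src, dst, port, expected in policy
            if decide(rules, src, dst, port) != expected]


if __name__ == "__main__":
    print("violations:", policy_violations(RULES, POLICY))
    # Swapping the two guest rules puts the broad allow first and silently
    # reopens guest -> corporate: ordering is part of the control.
    broken = RULES[:3] + [RULES[4], RULES[3]] + RULES[5:]
    print("violations with mis-ordered guest rules:", policy_violations(broken, POLICY))
```

In practice the rule list is exported from the firewall or wireless controller and translated into this shape, and the policy table is kept with the ITHC scope so the same checks can be re-run after every change; the mis-ordered variant in the example is the classic way a correct-looking ruleset fails segmentation.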
A serious challenge for organizations aiming to maintain PSN compliance appears when a vulnerability is found on an external-facing, business-critical appliance. These often present the biggest threat, as they are public-facing services that may be exploitable remotely, yet taking them out of service for maintenance may not be possible on a regular basis.
The single easiest way to address this is to implement a robust patching process and procedure for infrastructure items, and to agree a regular outage window with internal change and risk teams in advance, so that a patch for a remotely exploitable flaw is not held up by a change-approval cycle.
Fail-over of critical infrastructure should also be tested regularly for disaster-recovery purposes; a working fail-over also provides a window in which the primary can be patched without a service outage. Alternatively, consider a contract with a supplier that has the necessary skills and resources to maintain the critical infrastructure for you.
With so many different areas to address for a successful PSN submission, it can be extremely difficult to know where to focus and where to spend any budget that may be available.
One of the biggest challenges for an organization with a limited budget is identifying which products will give the best protection and which of those represent the best value for money. Solutions worth considering include SIEM, real-time network analysis tools, and intrusion detection and prevention systems.
It is the responsibility of every public sector organization to ensure it meets the obligations set out in the PSN framework. By addressing these challenges and taking some relatively simple steps, it can achieve compliance without the process becoming overly complex and costly. Finally, a key point: any guidance in this piece still needs to be independently approved by your PSN auditor.
By Luke Potter, Cybersecurity Practice Director at SureCloud.
About Luke Potter
Luke oversees SureCloud Cybersecurity Solutions. He also manages our Secure Private Cloud. Luke is a recognized cybersecurity expert. He is a CHECK team leader, Tiger Scheme senior security tester, ISO 27001 lead auditor and Microsoft Certified enterprise administrator. Previously, Luke managed the IT team at a large UK insurance brokerage.
SureCloud provides Governance, Risk & Compliance (GRC) applications and Cybersecurity services that give our customers certainty – of risk management/compliance, of cybersecurity, of having answers today and tomorrow. Established in 2006, SureCloud is headquartered in the United Kingdom and has offices in the United States. SureCloud has more than 400 customers throughout the UK and US from the Retail, Financial Services, Government and other sectors.