Top 7 Things Series: Part 4 – Sensitive Applications

Sensitive Applications

Internet facing services also known as Sensitive Applications


Here is part 4 of the Cyber Essentials blog series, Top 7 things you need to know before you start your assessment: internet-facing services, also known as Sensitive Applications.

Internet-facing applications, also known as Sensitive Applications

Let’s start with what a sensitive application is, from a Cyber Essentials perspective.

This is any service or application that you provide from an office or other location within the scope of your assessment that offers some form of “password-based authentication” and is also internet facing (that is, it can be accessed from outside your office network). Typical examples include:

  • VPNs,
  • Remote Desktop Services,
  • other web-based login pages, for instance email, CRM systems etc.,
  • and any applications/services that you offer to your clients.

Typically the controls do not apply to cloud-based services; however, we would advise you to consider only platforms that are able to meet the required controls, even informally, as this reflects good practice that reduces your cyber risk.

Let’s look at the questions

Focusing on the actual assessment, there are a number of controls that you need to meet, starting at Question A5.5, which asks:

Do you run software that provides sensitive or critical information (that shouldn’t be made public) to external users across the internet?

If you answer Yes, this then opens up four further questions around password best practice, namely:

  • Minimum password length of 8 characters, with no maximum.
  • Not a guessable password, for instance 12345678, etc.
  • You have some form of policy in place to instruct all users to change their password if the system has been infected with a virus/malware.
  • A password prompt which is designed to prevent repeated password guessing, also known as brute-force lockout. So accounts are locked out
    • after 10 or fewer unsuccessful login attempts,
    • or you have implemented a limit on the number of login attempts to no more than 10 within five minutes.
  • Finally, do you have a basic password policy to help staff/clients etc. determine what is a good password, for example
    • non-guessable,
    • not using the same password across multiple accounts,
    • passwords can’t be written down,
    • and where they can be stored, for example within a password manager.
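To make the two lockout variants and the minimum-length rule above concrete, here is a small Python model added for this post (it is not code from the original article or from any Cyber Essentials tooling); the deny list, account names and timestamps are constructed sample data.

```python
from collections import deque

# Controls from the A5.5 follow-up questions: lock after 10 or fewer consecutive
# failures, OR cap attempts at 10 in any five-minute window; 8-char minimum, no maximum.
MAX_ATTEMPTS = 10
WINDOW_SECONDS = 300
MIN_PASSWORD_LENGTH = 8
# Constructed sample of guessable passwords; a real deny list would be far larger.
GUESSABLE = {"12345678", "password", "qwerty123", "letmein1"}


def password_meets_policy(password: str) -> bool:
    """Minimum 8 characters (no upper limit) and not on the guessable list."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in GUESSABLE


class LoginThrottle:
    """Per-account tracking that applies both lockout variants at once."""

    def __init__(self):
        self.consecutive_failures = {}  # account -> failures since last success
        self.recent_attempts = {}       # account -> deque of attempt timestamps

    def attempt(self, account: str, now: float, credentials_ok: bool) -> str:
        """Return 'locked', 'rate_limited', 'success' or 'failure'."""
        # Variant 1: brute-force lockout after MAX_ATTEMPTS consecutive failures.
        if self.consecutive_failures.get(account, 0) >= MAX_ATTEMPTS:
            return "locked"  # stays locked until an administrator unlocks it
        # Variant 2: no more than MAX_ATTEMPTS attempts inside the sliding window.
        window = self.recent_attempts.setdefault(account, deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()  # drop attempts older than five minutes
        if len(window) >= MAX_ATTEMPTS:
            return "rate_limited"
        window.append(now)
        if credentials_ok:
            self.consecutive_failures[account] = 0
            return "success"
        self.consecutive_failures[account] = self.consecutive_failures.get(account, 0) + 1
        return "failure"


def replay(events):
    """Replay constructed (account, timestamp, credentials_ok) events; return outcomes."""
    throttle = LoginThrottle()
    return [throttle.attempt(acct, ts, ok) for acct, ts, ok in events]
```

A burst of failures trips the consecutive-failure lockout, while ten attempts that include a success only trip the five-minute rate limit, which clears on its own once the window has passed.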

Final Words

Just before we finish, remember that these controls only apply to services/applications where access is authenticated by password only.

For instance:

  • if you use a VPN with certificates, it is excluded;
  • the same applies if you have enabled two-factor authentication,
  • or have locked down password-based authentication to a set of IP addresses.

So in summary, if you do offer internet-based password authentication systems to your staff or clients, ensure you meet the required Cyber Essentials controls.