Some screen shots from the publicly available Cyber Security Essentials literature
Really, this can all be summed up by looking at the Diagrams here.
Cyber Security Essentials really is about protecting the “low hanging fruit”. It is not good enough for an organisation that is trying to properly secure its network.
Cyber Security Essentials is NOT looking at DoS attacks, MITM attacks or insider threats, which are probably the leading dangers to your organisation.
These are reasonable things to address.
Cyber Security Essentials is not designed for bespoke systems, just for “off the shelf” products.
PCI DSS says lock the account out for 30 minutes after 6 failed attempts; CSE (Communications Security Establishment), a Canadian Government service, says 10 failed attempts.
PCI DSS says a minimum of 7 characters; CSE says 8.
Users are “expected to pick sensible passwords”??? Really, do you trust them to do that?
Never really thought this was good advice. Contradictory info to PCI DSS. I would prefer to see complexity rules enforced and not enforce frequency changes.
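To make the difference between the two lockout rules concrete, here is an added example (not from the Cyber Essentials literature or any standard's reference code) that tracks failed logins per account and applies the lockout and minimum-length thresholds quoted above. The PCI DSS figures (6 failures, 30 minutes, 7 characters) come from the notes; the CSE lockout duration is not stated there and is assumed to be 30 minutes as well.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass(frozen=True)
class Policy:
    """Lockout and length rules from one standard."""
    name: str
    max_failures: int      # consecutive failures before the account locks
    lockout: timedelta     # how long the account stays locked
    min_length: int        # minimum password length


# Values quoted in the notes above; CSE lockout duration is an assumption.
PCI_DSS = Policy("PCI DSS", max_failures=6, lockout=timedelta(minutes=30), min_length=7)
CSE = Policy("CSE", max_failures=10, lockout=timedelta(minutes=30), min_length=8)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Counts consecutive failed attempts per user and enforces the policy."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, success: bool, now: datetime) -> str:
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"          # still inside the lockout window
            st.failures, st.locked_until = 0, None   # window expired: reset
        if success:
            st.failures = 0              # a good login clears the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout
            return "locked"
        return "failed"


def meets_min_length(password: str, policy: Policy) -> bool:
    """True if the password satisfies the policy's minimum length."""
    return len(password) >= policy.min_length
```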
Daily anti-malware updates.
Whitelisting over blacklisting for software. A whitelist is always better.
Whitelist = deny all unless expressly allowed
Blacklist = allow everything unless expressly denied = more management