ThreatLocker and Cyber Essentials Compliance

Introduction

The Cyber Essentials is a list of baseline technical controls authored by the UK Government to assist any organisation in improving its cyber defense posture. The two certifications that can be achieved are Cyber Essentials and Cyber Essentials Plus. For Cyber Essentials, organisations need to submit a self-assessment questionnaire. To obtain Cyber Essentials Plus, the organisation must be audited by a certification body. For both certifications, the same requirements must be achieved.

For more information about the Cyber Essentials, to download the self-assessment questionnaire, and to view the most up-to-date guidelines, please visit https://cyberessentials.online/cyber-essentials/.

When configured correctly, ThreatLocker can assist your organisation in achieving compliance with the Cyber Essentials and Cyber Essentials Plus. We have made our best effort to outline the control areas that ThreatLocker supports. If a control is not listed below, ThreatLocker does not currently support that control.

Summary

Firewalls

“Every device that is in scope must be protected by a correctly configured firewall (or equivalent network device) … [and] the applicant organisation must routinely:"

“Change any default administrative password to an alternative that is difficult to guess – or disable remote administrative access entirely”

For organisations that use ThreatLocker Network Control, ThreatLocker can help meet this specification. ThreatLocker Network Control does not have a default administrative password.

“Prevent access to the administrative interface … from the internet, unless there is a clear and documented business need and the interface is protected by one of the following controls:

Multi-factor authentication
An IP allow list that limits access to a small range of trusted addresses combined with a properly managed password authentication approach”

ThreatLocker Network Control is managed exclusively through the ThreatLocker portal. Only administrators that have specific user permissions can make changes to Network Control. Access to the ThreatLocker portal can also be controlled by multi-factor authentication, geolocation, and specific IP addresses.

"Block unauthenticated inbound connection by default”

For organisations that use Network Control, ThreatLocker can help meet this requirement. Network Control should be configured with a default deny policy that will block inbound network connections unless those connections are specifically permitted by another policy. Organisations that do not have a default deny policy for Network Control will be alerted in the Health Center. Network Control can be configured to authenticate connections dynamically using Objects, so connections will be permitted to the specific machines, regardless of their IP address.

"Ensure inbound firewall rules are approved and documented by an authorized individual; the business needs must be included in the documentation”

For organisations that use ThreatLocker Network Control, ThreatLocker can help meet this requirement for the Network Control module. All Network Control rules are configured through the ThreatLocker portal. User permissions can be configured to only permit approved individuals to change Network Control settings/policies. There is a ‘Description’ box within each Network Control policy that can be used to document the business need for that specific policy.

"Remove or disable unnecessary firewall rules quickly, when they are no longer needed”

For organisations that use ThreatLocker Network Control, ThreatLocker can help meet this requirement for the Network Control module. Network Control policies can be quickly removed or disabled from the ThreatLocker platform.

Use a software firewall on devices which are used on untrusted networks, such as public Wi-Fi hotspots”

ThreatLocker Network Control can help meet this requirement. Regardless of the end user’s location or IP address, Network Control policies will be in effect.

Secure Configuration

"The applicant must be active in its management of computers and network devices. It must routinely:"

“Remove and disable unnecessary user accounts (such as guest accounts and administrative accounts that won’t be used)"

ThreatLocker Configuration Manager can help meet this requirement. Configuration Manager provides the ability to remove guest and administrative accounts on Windows computers from the ThreatLocker portal.

"Change any default or guessable account passwords … ”

ThreatLocker Configuration Manager can help meet this requirement. Configuration Manager enables admins to apply a unique rotating password to each Windows computer for their local admin account as well as set password complexity and rotation requirements from within the ThreatLocker portal.

"Remove or disable unnecessary software (including applications, system utilities and network services)”

ThreatLocker can help meet this requirement. ThreatLocker Allowlisting prohibits the use of any software not explicitly permitted on the Allowlist, essentially disabling any unwanted software.

"Disable any auto-run feature which allows file execution without user authorization (such as when they are downloaded from the internet)”

ThreatLocker can help meet this requirement. ThreatLocker Application Allowlisting will prevent any executables that are not included in the allowlist from running. ThreatLocker Configuration Manager can be used to disable autoplay for Windows computers as well as bock macros in downloaded MS Office documents.

"Ensure authentication of users before allowing access to organisational data or services”

ThreatLocker can help meet this requirement. ThreatLocker Storage Control can be used to control access to storage locations based on username, IP address, and/or application. ThreatLocker Network Access control can be configured to permit access to specific network resources, such as a fileserver, to only authenticated users.

"Ensure appropriate device locking controls for physically present users”

ThreatLocker can help meet this requirement. Regardless of whether a user is remote or physically present, for Windows computers with ThreatLocker installed, password complexity and automatic lock policies can be enforced using Configuration Manager. ThreatLocker Ops can be used to alert and respond to unsuccessful login attempts.

Malware Protection

“The applicant must implement a malware protection mechanism on all devices that are in scope. For each such device, the applicant must use at least one of the three mechanisms listed below:"

"Anti-malware software

The software must be configured to scan files automatically upon access.”

ThreatLocker can assist in meeting the above anti-malware software requirements. ThreatLocker Allowlisting automatically checks the hash of all files as they are opened, whether from a local folder or a network folder. Any hashes that don’t match a policy, and don’t have another rule set to permit them, will be blocked.

"Application allowlisting

Only approved applications, restricted by code signing, are allowed to execute on devices. The applicant must:

Actively approve such applications before deploying them to devices
Maintain a current list of approved applications. Users must not be able to install any application that is unsigned or has an invalid signature.”

ThreatLocker can assist in meeting all the above allowlisting requirements. ThreatLocker Allowlisting automatically blocks all applications unless explicitly permitted, based on hash or signatures. Any application that attempts to execute without a policy to permit it will be blocked and will require an administrator to approve it before it can be run. ThreatLocker automatically keeps a record of all applications in use in the environment. Administrators can quickly see what applications are actively being used, and which ones haven’t been used in a while so that polices for unused applications can be disabled if desired. Users will not have the ability to install any application that is not on the allow list.

"Application sandboxing

All code of unknown origin must be run within a ‘sandbox’ that prevents access to other resources unless permission is explicitly granted by the user. This includes

Other sandboxed applications
Data stores, such as those holding documents and photos
Sensitive peripherals, such as the camera, microphone and GPS
Local network access”

ThreatLocker can help meet the above sandboxing requirements. ThreatLocker Testing Environment is a clean, isolated VDI environment in which any unknown files that are requested can be run to evaluate behavior. This isolated VDI environment does not contain other applications outside of the basic Windows OS, preventing unknown code from interacting with other sandbox applications. The Testing Environment will prevent the unknown file from accessing any area outside of the VDI, such as sensitive peripherals, data stores, and the local network. The Testing Environment will provide visibility if the unknown file attempts to interact with data stores, through the use of canary files that hold simulated sensitive data within the VDI.

Security Update Management

“The applicant must ensure all in scope software is kept up to date. All software on in scope devices must be:”

"Licensed and supported”

ThreatLocker can assist in meeting this requirement. ThreatLocker Allowlisting blocks all unpermitted software by default. For applications that are no longer licensed and supported, if they were once permitted, disable the policy permitting them, and they will no longer be able to run in the environment.

"Removed from devices when it becomes un-supported or removed from scope by using a defined ‘subset’ that prevents all traffic to/from the internet”

ThreatLocker can assist in meeting this requirement. ThreatLocker Ringfencing can be applied to unsupported applications that are still required for business purposes to block the unsupported applications from accessing the internet.

Resources

National Cyber Security Centre (2021) Cyber Essentials: Requirements for IT infrastructure, cybersessentials.online. Version 3. Available at: https://cyberessentials.online/cyber-essentials-downloads/ (Accessed: March 18, 2023).