Taking the Step Up to Cyber Essentials PLUS
Welcome to the fourth of our Cyber Essentials (CE) blog series. Here, Perspective Risk’s resident Cyber Essentials guru Tom Sherwood takes time out to talk all things Cyber Essentials PLUS. Let’s dive in!
What’s the Difference between Cyber Essentials and Cyber Essentials PLUS?
Probably the most important decision when considering Cyber Essentials is whether to go for the standard Cyber Essentials (CE) certification or take the plunge and opt for Cyber Essentials PLUS (CE+) certification. To make an informed choice, understanding the difference is key.
The CE+ Assessment includes all components from the CE basic assessment. To achieve certification, all test elements must be passed. The distinctions between the two levels are summarised below:
From our table, we can see that CE+ testing:
- has a greater depth of coverage and threat replication, which results in a higher level of assurance
- requires a visit to your premises to conduct the additional testing components
- necessitates additional consultant time and travel, which will have a bearing on the cost
Why Cyber Essentials PLUS?
Given that Cyber Essentials PLUS costs more to achieve and demands extra preparation and resource, why would you want it? In short, it affords you a greater level of coverage and threat replication. And for those you do business with, it evidences that you take security seriously by having successfully controlled many of the key risks.
Attaining CE+ ensures:
- users have suitable privileges, and malicious or victim users cannot escalate their privileges or access things they shouldn’t
- anti-virus measures are effective and suitably maintained
- mobile devices are protected in the event of theft or attack
- malicious files delivered through phishing and social engineering attacks cannot be successfully executed
The Limitations of Cyber Essentials and Cyber Essentials PLUS
It’s important to appreciate the limitations of CE and CE+ and be conscious that, while Cyber Essentials is definitely worthwhile, it should be considered a security starting point and not the end goal. Information security is a journey and can’t be reduced to a binary “yes, we’re secure” or “no, we’re not secure” viewpoint!
The level of assurance offered by CE, and even CE+, is no substitute for tailored, high-assurance penetration testing and security consultancy.
Cyber Essentials PLUS Testing Summary
Now that the value of CE+ is better understood, what’s involved? CE+ Testing has the following additional testing components, over and above the basic CE assessment:
- Authenticated Vulnerability Scanning of representative endpoints (representative user desktop and laptop builds)
- Email Attachment Checks (executable file types and dummy malware)
- Browser Download Checks (all web browsers, executable file types and dummy malware)
- Review of Mobile Devices (phones/tablets)
Preparing for the Cyber Essentials PLUS Test
While the above test components appear relatively straightforward, CE+ can be tricky, and a failure of any one component will result in a fail overall. To avoid the common pitfalls, I’ll take you through the test sections individually and explain what’s involved.
Cyber Essentials Key Controls Questionnaire (CE & CE+)
Explaining the Cyber Essentials Questionnaire
For both CE and CE+ a questionnaire must be completed. It gathers information on a wide variety of your organisation’s security policies and procedures and should be signed by an authorised signatory of the organisation being assessed. The questions are divided into sections and the answers are weighted and scored. Each section must be above a certain score to pass, and all sections must be passed.
For both assessment types, be prepared to have your responses verified. The consultant will pick a question from each section and ask you to explain your answer or give supporting evidence.
How to Prepare for the Cyber Essentials Questionnaire
Organisations with moderately mature security policies and procedures should manage to answer the questions satisfactorily. The questions themselves provide guidance on what needs to be improved. Those answered in the negative will at least point to the work needed to reach CE standards.
Assuming your organisation has answered the questionnaire honestly, the spot checks verifying your responses should be straightforward, and the explanations and evidence requested easy to provide. If everything is in order, it shouldn’t be necessary to adjust any answers, which would negatively affect your key controls questionnaire score.
Vulnerability Scanning of External Internet Facing Infrastructure (CE & CE+)
Explaining the Cyber Essentials Vulnerability Scan
Both CE and CE+ require an assessment of the target organisation’s business critical infrastructure via automated unauthenticated vulnerability scanning.
At Perspective Risk, we use Tenable’s industry leading Nessus scanner supplemented by web application scanning.
How to Prepare for the Cyber Essentials Vulnerability Scan
The scanners check for common infrastructure and web application vulnerabilities. Any finding with a CVSSv2 score of 7.0 or greater constitutes a failure. Common fails include the use of out-of-date or unsupported software and serious web application flaws.
Keeping your external estate up-to-date and protected using suitable firewalling should go a long way towards a good result. We recommend all web applications are tested regularly. However, if your website is built well, and no OWASP Top 10 flaws are present, there shouldn’t be a problem with CE web scanning.
Password Guessing of Exposed Authentication Services (CE & CE+)
Explanation of Cyber Essentials Common Authentication Services
In addition to the automated vulnerability and web scanning discussed, manual testing is involved to perform password guessing against common authentication services. Your consultant will attempt to access your exposed services using a set list of usernames and passwords.
Services include web authentication forms, VPN, remote administration such as SSH, SNMP and Telnet, and databases such as MySQL (sharp intake of breath if you’ve got Telnet or databases listening on the internet). At the time of writing, the list comprises 22 usernames and 26 passwords giving a total of 572 combinations per service.
How to Prepare for the Cyber Essentials Common Authentication Services
Passing this test is easy – ensure any exposed services are configured with strong and non-trivial passwords and you should be fine!
Authenticated Vulnerability Scanning of Representative User Endpoints (CE+ Only)
Explaining the Cyber Essentials PLUS Authenticated Vulnerability Scan
For the CE+ assessment, the vulnerability scanning is taken up a notch by scanning a sample of end user devices (laptops and desktops). These scans are carried out from an authenticated perspective, so administrator level credentials must be provided. This allows for a more in-depth audit of the operating system. Commonly, the scans include checks of operating system and third party software patch levels, as well as the anti-virus solution.
How to Prepare for the Cyber Essentials PLUS Authenticated Vulnerability Scan
This is one of the more difficult areas of the CE+ assessment, as the vulnerability scanners often reveal patches that have been missed, or out of date and unsupported software that falls within CE’s prescribed list. Java, Adobe Reader and Adobe Flash are common culprits, but be sure to keep web browsers and Microsoft Office up-to-date too.
Other no-nos include unsupported operating systems such as Windows XP, user accounts with admin privileges and shared user accounts. All missing OS patches greater than 30 days old will result in a CE+ failure, ditto anti-virus definition files more than 7 days out of date and anti-virus engine versions superseded more than 90 days ago.
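As an added illustration (not code from the original post or from the CE+ test specification), the following Python check applies the thresholds just stated to a constructed endpoint inventory so you can pre-screen devices before the consultant arrives; the Endpoint record layout, field names and sample dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Thresholds as stated in the article for the CE+ authenticated endpoint scan.
MAX_MISSING_PATCH_AGE_DAYS = 30     # missing OS patches older than this fail
MAX_AV_DEFINITION_AGE_DAYS = 7      # anti-virus definitions older than this fail
MAX_AV_ENGINE_SUPERSEDED_DAYS = 90  # engine superseded longer ago than this fails

@dataclass
class Endpoint:  # constructed record of what an authenticated scan might report
    name: str
    os_supported: bool
    user_has_admin: bool
    missing_patch_release_dates: List[date] = field(default_factory=list)
    av_definitions_date: Optional[date] = None
    av_engine_superseded_on: Optional[date] = None  # None: engine is current

def evaluate_endpoint(ep: Endpoint, assessed_on: date) -> List[str]:
    """Return CE+ failure reasons for one endpoint; an empty list is a pass."""
    failures = []
    if not ep.os_supported:
        failures.append("unsupported operating system")
    if ep.user_has_admin:
        failures.append("day-to-day user account has admin privileges")
    for released in ep.missing_patch_release_dates:
        age = (assessed_on - released).days
        if age > MAX_MISSING_PATCH_AGE_DAYS:
            failures.append(f"missing OS patch is {age} days old")
    if ep.av_definitions_date is None:
        failures.append("no anti-virus definitions reported")
    elif (assessed_on - ep.av_definitions_date).days > MAX_AV_DEFINITION_AGE_DAYS:
        failures.append("anti-virus definitions out of date")
    if (ep.av_engine_superseded_on is not None
            and (assessed_on - ep.av_engine_superseded_on).days > MAX_AV_ENGINE_SUPERSEDED_DAYS):
        failures.append("anti-virus engine superseded more than 90 days ago")
    return failures

# Constructed sample inventory: one compliant laptop and one desktop that fails.
ASSESSMENT_DATE = date(2024, 6, 1)
SAMPLE_ENDPOINTS = [
    Endpoint("LAPTOP-01", True, False, [date(2024, 5, 20)], date(2024, 5, 30)),
    Endpoint("DESKTOP-07", True, True, [date(2024, 3, 1)], date(2024, 5, 10), date(2024, 1, 15)),
]

def assess_fleet(endpoints=SAMPLE_ENDPOINTS, assessed_on=ASSESSMENT_DATE):
    """Map each endpoint name to its list of CE+ failure reasons."""
    return {ep.name: evaluate_endpoint(ep, assessed_on) for ep in endpoints}
```

Feed it the output of your own patch and anti-virus reporting rather than the constructed sample; any endpoint with a non-empty list is one the consultant would fail.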
Email Attachment Checks (CE+ Only)
Explaining the Cyber Essentials PLUS Email Attachment Checks
As part of the additional testing for CE+, several emails are sent to a representative user account created for the assessment. The emails contain a variety of attachments, some of which are common executable file types, and some of which are harmless dummy malware samples that should be picked up by anti-virus solutions. The list of executable file types and browser download checks can be found within the CE+ test specification referenced.
The consultant will send the emails to the ‘victim’ account and try to access them, thereby replicating a phishing type attack. Successful execution of the attachments within 2 distinct actions (the ‘2 Click Rule’) constitutes a fail. If the consultant is prevented from easily executing or accessing the files, the test is passed.
How to Prepare for the Cyber Essentials PLUS Email Attachment Checks
Broadly, there are two ways to pass this test. Firstly, executable file types or those containing known malware/viruses can be blocked at the network boundary and so not delivered to end users at all. Alternatively, users can be prevented from trivially executing the files, and accessing the malware files is prevented through on-access scanning.
Browser Download Checks (CE+ Only)
Explaining the Cyber Essentials PLUS Browser Download Checks
Similar to the email attachment checks, the consultant will attempt to execute a set of harmless executable files and dummy malware. A full listing of executable file types can be found within the CE+ test specification referenced.
All installed web browsers will be tested, and attempts made to download files to the host machine’s file system and run them directly from within the browsers. Testing is again subject to the misleadingly named ‘2 Click Rule’ which limits the number of actions the ‘attacker’ (thankfully your friendly testing consultant) can undertake when attempting to access the files.
How to Prepare for the Cyber Essentials PLUS Browser Download Checks
Similar to the email attachment checks, the user can be prevented from downloading potentially dangerous file types, or prevented from running/accessing them once downloaded. If a file can be more easily run from within a web browser (rather than downloading it to the test machine’s file system) that’s fair game, as this test replicates a worst case scenario.
Review of Mobile Devices (CE+ Only)
Explaining the Cyber Essentials PLUS Review of Mobile Devices
The CE+ testing for mobile devices is surprisingly straightforward. For normal devices, such as phones and tablets, only patch checking and device password / PIN code locks are assessed. For the purposes of this assessment, note that professional tablets running desktop class operating systems, e.g. the Microsoft Surface Pro, are classed as laptops, not mobile devices.
How to Prepare for the Cyber Essentials PLUS Review of Mobile Devices
Ensure devices are configured with a PIN code or password – devices with no passcode will result in a CE+ fail. Also take care that the devices have the latest version of the operating system and that all applications are kept up to date.
All operating system and application store updates released more than 7 days prior to the assessment must be installed in order to pass the Patch Management key control component of the mobile device testing.
Cyber Essentials PLUS Further Reading and Next Steps
PDF download: CREST Cyber Essentials PLUS Common Test Specification
If you would like our help with CE or CE PLUS certification, feel free to reach out to us and join the many other satisfied customers who have passed CE and CE+ with Perspective Risk’s guidance.