Preparing for Cyber Essentials: The Scan
The Cyber Essentials Scan
Hello and welcome to the third of our Cyber Essentials (CE) blog series, where we help you improve your chances of Cyber Essentials certification.
As an external certifying body, we encounter common errors which can result in a disappointing fail. In our previous post we provided guidance on the Cyber Essentials Questionnaire. Here our Cyber Security pro Abdul Ikbal discusses the next stage: the Cyber Essentials scan.
What is the Cyber Essentials Scan?
The Cyber Essentials scan is an external vulnerability scan of your Internet facing IT assets. It’s performed remotely by a CREST accredited certifying body.
The scan is designed to check that your organisation has limited its exposure to common cyber attacks.
What is the Cyber Essentials PLUS Scan?
If you are applying for Cyber Essentials Plus, the certifying body will also undertake an on-site assessment of other IT assets, such as your employees’ desktops, laptops and mobile devices.
The assets you need to think about are listed in our post on the CE Questionnaire, a link to which is at the top of this post.
Preparing for the Cyber Essentials Scan and What to Expect
It sounds obvious, but do read the technical questions carefully and ensure you have listed all your appropriate assets and correct settings in the self-assessment questionnaire. If you don’t (it happens), the CE and /or CE PLUS scans will identify them.
Not declaring all of your assets could at best slow the process and at worst cause it to be abandoned because the necessary protocols for testing were not set up in time.
Your certifying body will appoint an account manager to schedule the scan and make the key arrangements with you.
At Perspective Risk, we perform the remote scan the night before the manual assessment begins, which in our experience is the most efficient approach.
Authority to Test
It’s your responsibility to ensure that any third parties hosting your externally available infrastructure, e.g. Amazon’s AWS and Microsoft’s Azure platform, are notified that a security assessment will be taking place.
They will have set processes for granting authorisation and access to your certifying body. Take care to check what their notice period is before booking the date for the scan.
You will need to provide your third party hosts with the certifying body’s IP addresses, i.e. where the scans will originate from. We provide this to you in the questionnaire.
In our years of experience, the majority of Cyber Essentials fails are due to patching issues. So that you don’t trip up, see that your operating systems and third party software such as Apache, PHP etc., are patched ahead of the scan.
Also, ensure that banners do not disclose version numbers as these are on many occasions left as old versions even if you have upgraded.
Ensure that your infrastructure is locked down. Unnecessary services not for public consumption should and need not be exposed to the wider Internet. Where services are legitimately required, they should be restricted to trusted IP addresses only.
Confirm that default / common usernames are not used for typical login services. As a prompt, typical login services are listed below:
- Web based login pages
- Router logins
- Switch and other network device login pages
- WordPress and other CMS logins
- Login pages offered for customers
- SQL Services
The full list – together with common user names and passwords to avoid, can be found in the CREST Cyber Essentials PDF below.
The CREST Cyber Essentials standard lists the credentials which will be checked (again see below). At Perspective Risk, we check these and other common credential sets to provide you with the best assurances.
Cyber Essentials Further Reading
CREST PDF Cyber Essentials PLUS Common Test Specification
If you would like our help with Cyber Essentials or CE PLUS certification, feel free to reach out to us and join the many other satisfied customers who have passed CE with our guidance.