*The Cyber Essentials scheme changed on the 24th Jan 2022. We’ve written a new guide to Cyber Essentials Plus certification to reflect these changes*.
The Cyber Essentials scheme is a Government-backed scheme, launched in 2014, that helps organisations implement fundamental security controls to protect against basic cyber attacks. The scheme offers the standard Cyber Essentials certification, which is a prerequisite to the more advanced Cyber Essentials Plus certification.
Cyber Essentials Plus is the highest level of certification offered and provides a hands-on technical verification of the controls implemented as part of the basic certification. In this article we’ll explore what the Cyber Essentials Plus certification involves, why you should certify and what you can do to ensure you pass.
What Does the Cyber Essentials Plus Certification Involve?
While the baseline Cyber Essentials certification is a self-assessed evaluation of your basic security controls, the Cyber Essentials Plus certification provides a hands-on evaluation of these controls by a qualified security professional. The following activities are carried out as part of the Cyber Essentials Plus assessment:
External Network Vulnerability Scan
All internet-facing IP addresses within scope are evaluated by a vulnerability scanner (here at Predatech we use Nessus Professional). This scan aims to find potential areas of weakness on your external network perimeter that attackers may be able to exploit, so that you can remediate them before they are exploited. An evaluation will also be conducted of the internet-facing services identified, to check that basic security controls have been implemented.
Credentialed Vulnerability Scan
A small sample of devices will be chosen, and these devices will be subjected to an authenticated vulnerability scan that uses admin credentials to conduct a thorough analysis of vulnerabilities. Like the external network vulnerability scan, this allows you to understand the weaknesses that attackers may be able to exploit and helps you to better secure your devices.
Testing System Malware Protections
The assessor will review the malware protections in place, which may include ensuring your anti-virus software and malware signatures are up to date. If you have mobile phones in scope, the assessor will make sure that your devices will not run unsigned and potentially malicious software.
Testing Email Client Defence Against Executables/Malware
The assessor will send a series of files to the device’s email and attempt to open each file, one by one, to see if any of the files can be executed without prompting an express warning. The idea behind this test is to make sure that if a malicious executable file is sent by an attacker, the file won’t be executed without displaying a prompt or warning, helping you thwart phishing attacks that involve malicious attachments. These tests will also ensure that emails containing common malware are blocked by the anti-virus controls before reaching your inbox.
Testing Web Browser Defences Against Executables/Malware
The assessor will access a web server that hosts a range of executables and benign malware tests. For each web browser the assessor will attempt to open these files to see if any of the executables or malware tests open without first displaying a prompt or warning. This test helps to ensure that you are protected from malicious files whilst browsing online.
Why Become Cyber Essentials Plus Certified?
There are a number of reasons why your organisation should become Cyber Essentials Plus certified:
- Cyber Essentials Plus is increasingly mandated by public and private sector organisations that value it as a sign of your organisation’s commitment to cyber security.
- Cyber Essentials Plus can be a cost-effective next step after completing your basic Cyber Essentials certification in making sure that your organisation is resilient to a range of common cyber threats.
- The vulnerability scans conducted during the assessment can identify basic vulnerabilities in your external network infrastructure and on your in-scope systems that could potentially be exploited by attackers.
- The additional malware protection and email/web browser executable tests will identify deficiencies in your systems’ ability to protect staff when browsing online, receiving emails and downloading files.
- Passing Cyber Essentials Plus means you’ll receive a certificate and the widely recognised Cyber Essentials Plus badge that can be displayed on your website and social media.
Preparing your Organisation to Pass Cyber Essentials Plus
Passing Cyber Essentials Plus is relatively straightforward, and with a little preparation you can be ready for the assessment and get the most out of the certification. Here are some of the key actions you can take to prepare for your Cyber Essentials Plus assessment:
Update your Operating System and Applications
Make sure that all operating systems and application software on in-scope devices are up to date. A few days before your assessment is scheduled to start, take the time to check that all installed software has been updated to its latest version. Updating regularly ensures that critical security patches are applied and that known software vulnerabilities are addressed.
Check Your Anti-Virus
You should also check your anti-virus software to make sure that it’s running the latest software version and that its signatures (which the anti-virus uses to identify malware) are up to date. You will also want to check that your anti-virus actively scans any file that you attempt to download. Keeping the anti-virus software and its signatures up to date is pivotal to ensuring that new malware can be identified.
Check Your Firewall
Ensure that you have an active firewall in place between your in-scope networks and the internet and, where possible, turn on the software-based firewall on your devices. This provides a layer of protection over the services running on your network and on the in-scope devices so that attackers can’t access running network services.
Remove Unsupported Applications and Software
Once software is no longer supported by its vendor, vulnerabilities found in that software are never patched. Unsupported software can therefore become an open door to exploitation by attackers. Make sure that all software that is no longer supported is removed from all in-scope devices.
Evaluate External Network Services
If you host any services from your private network (e.g., web, SSH or SMTP servers), make sure that any services that grant access to business-critical data require authentication (e.g., via a login or token). Where authentication takes place via a login, ensure that secure passwords are used (more than 10 characters, mixing lower case, upper case, numbers and special characters), that two-factor authentication is in place wherever possible, and that there is some sort of brute-force protection mechanism (e.g., a lockout policy or other rate-limiting controls).
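The five preparation steps above can be run as a single readiness check against an inventory of in-scope devices and internet-facing services before the assessor arrives. This is an added example, not code from the article or from Predatech: the inventory layout, the thresholds and every device and service record are assumed and constructed for illustration.

```python
"""Readiness check for the preparation steps above (patching, anti-virus, host firewall,
unsupported software, exposed services). Added example; inventory layout assumed, data constructed."""
from datetime import date
# Thresholds assumed for this example (Cyber Essentials expects high/critical patches within 14 days).
MAX_PATCH_AGE_DAYS = 14
MAX_SIG_AGE_DAYS = 1
INVENTORY = [  # constructed: what an MDM/RMM export of in-scope devices might hold
    {"host": "LAPTOP-01", "os_patched": "2022-01-21", "av_sig_date": "2022-01-24", "av_on_access": True,
     "host_firewall": True, "software": [{"name": "pdf-reader", "eol": None}]},
    {"host": "LAPTOP-02", "os_patched": "2021-11-02", "av_sig_date": "2022-01-10", "av_on_access": False,
     "host_firewall": False, "software": [{"name": "legacy-office-suite", "eol": "2020-10-13"}]},
]
SERVICES = [  # constructed: internet-facing services in scope
    {"name": "mail.example.com:25", "business_data": True, "auth": True, "mfa": True, "lockout": True},
    {"name": "admin.example.com:22", "business_data": True, "auth": True, "mfa": False, "lockout": False},
    {"name": "www.example.com:443", "business_data": False, "auth": False, "mfa": False, "lockout": False},
]

def _age(iso_date, today):
    return (today - date.fromisoformat(iso_date)).days

def check_device(dev, today):
    """Gaps an assessor would find on one device (empty list means ready)."""
    gaps = []
    if _age(dev["os_patched"], today) > MAX_PATCH_AGE_DAYS:
        gaps.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if _age(dev["av_sig_date"], today) > MAX_SIG_AGE_DAYS:
        gaps.append("anti-virus signatures out of date")
    if not dev["av_on_access"]:
        gaps.append("anti-virus on-access scanning disabled")
    if not dev["host_firewall"]:
        gaps.append("host firewall disabled")
    gaps += ["unsupported software: " + s["name"] for s in dev["software"]
             if s["eol"] and date.fromisoformat(s["eol"]) <= today]
    return gaps

def check_service(svc):
    """Gaps on an exposed service; a public site holding no business data needs no login."""
    if not svc["business_data"]:
        return []
    needed = {"auth": "business data reachable without authentication",
              "lockout": "no lockout or rate limiting against brute force",
              "mfa": "two-factor authentication not enabled"}
    return [msg for key, msg in needed.items() if not svc[key]]

def readiness(inventory, services, today):
    """Map every host and service name to its gaps, keeping only entries with gaps."""
    report = {d["host"]: check_device(d, today) for d in inventory}
    report.update({s["name"]: check_service(s) for s in services})
    return {name: gaps for name, gaps in report.items() if gaps}
```

Run `readiness(INVENTORY, SERVICES, date.today())` a few days before the assessment and clear every listed gap; anything still listed is what the credentialed scan and service review are likely to report.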
Predatech is a Cyber Essentials Plus certification body and can help your business prepare for and pass its Cyber Essentials Plus assessment. Contact us today for a free consultation.