18.03.2021 | Jason Johnson | Tags: Cyber Essentials

Cyber Essentials Plus: A Guide to Certification 2021

The Cyber Essentials scheme is a Government-backed scheme launched in 2014 that helps organisations implement fundamental security controls to protect against basic cyber attacks. The scheme offers the standard Cyber Essentials certification, which is a prerequisite for the more advanced Cyber Essentials Plus certification.

Cyber Essentials Plus is the highest level of certification offered and provides a hands-on technical verification of the controls implemented as part of the basic certification. In this article we’ll explore what the Cyber Essentials Plus certification involves, why you should certify and what you can do to ensure you pass.

What Does the Cyber Essentials Plus Certification Involve?

While the baseline Cyber Essentials certification is a self-assessed evaluation of your basic security controls, the Cyber Essentials Plus certification provides a hands-on evaluation of these controls by a qualified security professional. The following activities are carried out as part of the Cyber Essentials Plus assessment:

External Network Vulnerability Scan

All internet-facing IP addresses within scope are evaluated by a vulnerability scanner (here at Predatech we use Nessus Professional). This scan aims to find potential areas of weakness on your external network perimeter that attackers may be able to exploit, so that you can remediate them before they are exploited. An evaluation will also be conducted on the internet-facing services identified to check that basic security controls have been implemented.


Credentialed Vulnerability Scan

A small sample of devices will be chosen, and these devices will be subjected to an authenticated vulnerability scan that uses admin credentials to conduct a thorough analysis of vulnerabilities. Like the external network vulnerability scan, this allows you to understand the weaknesses that attackers may be able to exploit and helps you to better secure your devices.


Testing System Malware Protections

The assessor will review the malware protections in place, which may include ensuring your anti-virus software and malware signatures are up to date. If you have mobile phones in scope, the assessor will make sure that your devices will not run unsigned and potentially malicious software.


Testing Email Client Defence Against Executables/Malware

The assessor will send a series of files to the device's email client and attempt to open each file, one by one, to see if any of the files can be executed without prompting an express warning. The idea behind this test is to make sure that if a malicious executable file is sent by an attacker, the file won't execute without displaying a prompt or warning, helping you thwart phishing attacks that involve malicious attachments. These tests will also ensure that emails containing common malware are blocked by the anti-virus controls before reaching your inbox.


Testing Web Browser Defences Against Executables/Malware

The assessor will access a web server that hosts a range of executables and benign malware test files. For each web browser in scope, the assessor will attempt to open these files to see if any of the executables or malware test files open without first displaying a prompt or warning. This test helps to ensure that you are protected from malicious files whilst browsing online.


Why Become Cyber Essentials Plus Certified?

There are a number of reasons why your organisation should become Cyber Essentials Plus certified:

  • Cyber Essentials Plus is increasingly mandated by public and private sector organisations, who value it as a sign of your organisation's commitment to cyber security.
  • Cyber Essentials Plus can be a cost-effective next step after completing your basic Cyber Essentials certification, making sure that your organisation is resilient to a range of common cyber threats.
  • The vulnerability scans conducted during the assessment can identify basic vulnerabilities in your external network infrastructure and on your in-scope systems that could potentially be exploited by attackers.
  • The additional malware protection and email/web browser executable tests will determine deficiencies in your systems' ability to protect staff browsing online, receiving emails and downloading malicious files.
  • Passing Cyber Essentials Plus means you'll receive a certificate and the widely recognised Cyber Essentials Plus badge that can be displayed on your website and social media.

Preparing your Organisation to Pass Cyber Essentials Plus


Passing Cyber Essentials Plus is relatively straightforward, and with a little bit of preparation you can be ready to ensure that you get the most out of the certification. Here are some of the key actions you can take to prepare for your Cyber Essentials Plus assessment:


Update your Operating System and Applications

Make sure that all operating systems and application software on in-scope devices are up to date. A few days before your assessment is scheduled to start, take the time to check that all installed software has been updated to its latest version. Updating regularly is important to ensure that critical security patches are applied and any known software vulnerabilities are addressed.


Check Your Anti-Virus

You should also check your anti-virus software to make sure that it's running the latest software version and that its signatures (which the anti-virus uses to identify malware) are up to date. You will also want to check that your anti-virus actively scans any file that you attempt to download. Keeping the anti-virus software and its signatures up to date is pivotal to ensuring that new malware can be identified.


Check Your Firewall

Ensure that you have an active firewall in place between your in-scope networks and the internet and, where possible, turn on the software-based firewall on your devices. This provides a layer of protection over the services running on your network and on the in-scope devices, so that attackers can't reach network services that do not need to be exposed.


Remove Unsupported Applications and Software

Once software becomes unsupported by the vendor who provides it, vulnerabilities that are found in the software are never patched. Therefore, unsupported software can become an open door to exploitation by attackers. Make sure that all software that is no longer supported is removed from all in-scope devices.


Evaluate External Network Services

If you host any services from your private network (e.g., web, SSH or SMTP servers), make sure that any services that grant access to business-critical data require authentication (i.e., via a login or token). Where authentication takes place via a login, ensure that secure passwords are used (more than 10 characters, mixing lower case, upper case, numbers and special characters), that two-factor authentication is in place wherever possible, and that there is some sort of brute-force protection mechanism (i.e., a lockout policy or other rate-limiting controls).
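The password-policy and lockout checks described above, as an added example that is not Predatech's code: the thresholds (5 failures within 5 minutes locks the account for 15 minutes), the salted PBKDF2 credential store and the clock injection are assumptions made for the example.

```python
import hashlib, hmac, os, re, time
from collections import defaultdict

def password_meets_policy(pw):
    """More than 10 characters, mixing lower case, upper case, digits and symbols."""
    return all([len(pw) > 10, re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
                re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)])

def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (assumed store format); returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class LoginGuard:
    """Lockout policy: max_failures failed logins within window seconds lock the
    account for lockout seconds. Thresholds are assumptions, not scheme values."""
    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures, self.window, self.lockout, self.clock = max_failures, window, lockout, clock
        self._failures = defaultdict(list)  # user -> timestamps of recent failures
        self._locked_until = {}

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is not None and self.clock() < until:
            return True
        self._locked_until.pop(user, None)  # never locked, or lockout has expired
        return False

    def record_failure(self, user):
        now = self.clock()
        # drop failures older than the window, then count this one
        recent = [t for t in self._failures[user] if now - t <= self.window] + [now]
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = []  # counting restarts after the lockout ends

    def record_success(self, user):
        self._failures.pop(user, None)

def attempt_login(guard, store, user, pw):
    """Returns 'locked', 'ok' or 'denied'. Unknown users also count failures."""
    if guard.is_locked(user):
        return "locked"
    entry = store.get(user)
    if entry is not None and hmac.compare_digest(entry[1], hash_password(pw, entry[0])[1]):
        guard.record_success(user)
        return "ok"
    guard.record_failure(user)
    return "denied"
```

The guard checks the lock before touching the credential store, so a locked account gets the same answer whether or not the password is right.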


Predatech is a Cyber Essentials Plus certification body and can help your business prepare for and pass its Cyber Essentials Plus assessment. Contact us today for a free consultation.

© 2021 Predatech Limited