Cyber Essentials Plus – Your Burning Questions Answered

Cyber Essentials Plus

In our recent webinar, Achieving Cyber Essentials Plus, Nick Roberts and Taras Sachok provided valuable information on the CE+ process to reach certification. The webinar ended with a Q&A session that lent for some insightful questions.

In this post, we list the answers to those questions asked by individuals looking to get a head start on data protection post-Brexit transition period ending December 2020.

Here are some of the pressing questions that were asked:

Q: What are the most common points of assessment failure for small and large organisations?

A: Large organisations often fail the unsupported operating systems/software part of the assessment. The unsupported operating systems would usually be flagged during the CE self-assessment stage since all operating systems and devices in scope must be listed in the Cyber Essentials questionnaire, including their full name, type and build number. The assessor should thus be able to see and address any potential non-compliant software at this stage.

The authenticated patch audit, which is performed on a representative sample of client’s systems, is run with admin privileges and checks the targets for any out of date/unsupported/unpatched software. Large organisations often have neglected corners of their infrastructure where such software is found.

Small organisations often fail configuration and procedural checks. Examples include password length not being enforced across all devices, admin accounts’ usage not being monitored, logged, segregated or properly allocated, BYODs usage not being regulated.

Q: Our staff only access email/calendar from their personal mobile devices. Can the Bring Your Own Devices (BYODs) be de-scoped?

A: No. Any device that is allowed to regularly access (private) business information via the internet is in scope. In practice, this means an assessor would check the device’s AV protection, whether the operating system is supported, whether the device is rooted/jailbroken and whether device’s password protection (including PINs) meets the standard.

Q: A lot of our staff have moved to work from home since lockdown. What devices/infrastructure would be in the scope of the assessment in the whole organisation?

A: This partly depends on how your staff access the company’s network/resources and what devices they’re using. If a company only allows remote access to the company’s internal resources via a VPN – the users’ devices and the company’s internal infrastructure would be in scope. For example, this would include perimeter firewall (s) and VPN server(s) if managed by the company.

If VPN connectivity is not implemented by the company, the home worker’s perimeter infrastructure (i.e. personal routers such as BT/Virgin/Sky hubs) become part of the scope. This is also true if the company has no dedicated internal network, i.e. all staff are collaborating on cloud-based Office 365, SharePoint Online, Google Docs etc.

Q: Why do we need to whitelist the assessor’s source IPs for the external network vulnerability scan?

A: The CE standard’s requirement is very clear – scanning source IP(s) must be whitelisted to access all services and ports on the target IP(s). Specifically, an assessor must be able to scan all TCP and UDP ports of all publicly accessible IPs managed by the client. Why does this requirement exist? Here are the top two reasons:

  • To ensure the scanner’s IP(s) are not blocked by the firewall/IPS before the assessment is finished. The scanning tool’s multiple requests can be interpreted as malicious by the firewall/IPS
  • A whitelisted external network scan will uncover more known issues and vulnerabilities compared to a non-whitelisted scan, which might be blocked from checking all services connected to the target IP(s).

The aim of the CE+ assessment is to ensure a client has no or few well-known, easily exploitable vulnerabilities on the network. A whitelisted vulnerability scan is a quick and cost-effective way to identify such low hanging fruit.

Q: It is against our policy to provide VPN access to our internal network to any 3rd party and on-site visits are currently not possible. Will the assessor be able to complete the assessment?

A: Yes. While VPN domain or local admin access helps to streamline the internal patch audit part of the assessment, it is not a requirement. An on-site assessment typically includes:

  • Authenticated internal patch audit scan of a sample of systems
  • Malware check of a sample of systems, including mobile devices
  • The antivirus check of a sample of systems, including mobile devices
  • Sample mobile devices audit

The last three can be conducted via video call with no problems. The internal patch audit scan is trickier as it is a type of authenticated internal vulnerability scan that has to be run or supervised by an assessor with admin privileges. When VPN is not an option and an assessor is unable to provide you with tools which would enable them to remotely connect to target End User Devices to run the scan, a client might be asked to run the scan themselves under the assessor’s supervision. An assessor should provide you with clear guidance on how to install a scanning tool, set up and run the scan and export the results. The whole process, until the scan is finished, and results exported would need to be supervised by the assessor via your preferred video app/call method.

If you have any further Cyber Essentials questions, please do not hesitate to contact Taras, he’ll be happy to help you.

Get the Free Webinar On-demand: Achieving Cyber Essentials Plus

Risk Crew