Cyber Essentials Plus Requirements To Achieve Compliance
The Cyber Essentials Plus requirements are intended to review your company’s current security standards, as outlined by the answers provided in the Cyber Essentials self-assessment questionnaire, which tests your company against the five basic security controls:
- Firewalls
- Secure Configuration
- Security Update Management
- User Access Control
- Malware Protection
The process ensures your assets, technical configuration, policies, and processes all align with those that are declared to be in place through the questionnaire and are required by the Cyber Essentials scheme.
What Is Cyber Essentials Plus
Cyber Essentials Plus is a UK government-backed and industry-supported scheme to improve security standards and provide basic security controls to which all organizations can adhere.
Cyber Essentials Plus is the practical security audit that follows on from the Cyber Essentials certified self-assessment questions, providing additional verification of your business’s security posture and controls.
Why Certify Against Cyber Essentials Plus
After achieving Cyber Essentials certification, your business has a 90-day window in which to certify against Cyber Essentials Plus.
Cyber Essentials Plus provides additional assurance and verification that your business has taken a considered and serious approach to maintaining Cyber Security and protecting against common cyber threats.
Similar to Cyber Essentials, Cyber Essentials Plus certification helps your company:
- Demonstrate its commitment to IT security
- Protect your business against the most likely cyber attacks and the security breaches they cause
- Bid on new business, such as government contracts, that requires Cyber Essentials certification
What Are The Differences Between Cyber Essentials And Cyber Essentials Plus
A Cyber Essentials certificate is based on a self-assessment questionnaire. The questionnaire asks for a range of details related to your business and devices, and how cybersecurity is managed through processes, policies, technical controls, and user training.
The questionnaire is also verified and declared to be accurate by an individual within your business, such as a Director, Board Member, or suitably authorized individual.
While the basic Cyber Essentials certification process can be quite extensive in the information and details it requests about your business, there are typically no practical checks or audits conducted by a trained consultant.
Cyber Essentials Plus comprises a set of practical tests and vulnerability scans against a range of your company devices, to ensure they align with the Cyber Essentials secure settings and your devices are protected against the most common cyber attacks.
The Cyber Essentials Plus Test Specification
The specific testing process that is followed for Cyber Essentials Plus is available from the National Cyber Security Centre (NCSC), through the document, Illustrative Test Specification.
This document has been regularly updated to refine the testing and assessment process as the Cyber Essentials scheme has also been refined over time.
The Cyber Essentials Plus assessment process is a practical and technical audit of your business, divided into five test cases:
- Test Case 1: A security review of your Internet-facing services
- Test Case 2: Vulnerability Scanning of Your Devices
- Test Case 3: A review of your Malware Protection solution and its effectiveness
- Test Case 4: A review of the MFA solution in place for Cloud Services
- Test Case 5: A review of user accounts and permissions for your Devices
The Cyber Essentials Plus Requirements
The information and devices reviewed within a Cyber Essentials Plus assessment are intended to align with what has already been defined in the self-assessment questionnaire and Cyber Essentials certification.
Each test within Cyber Essentials Plus has several specific requirements that must be met to pass it, and every test must be passed to certify to the Cyber Essentials Plus standard.
There are also several checks that your business can conduct before an assessment, or throughout the year, to help improve your company’s overall security and avoid any unexpected security issues which may be identified during your technical audit.
Within this article, each test in the test specification document is described, including steps your business can take to ensure you are compliant and prepared for your Cyber Essentials Plus technical audit.
The Cyber Essentials Plus Testing Process
Test Case 1: Remote vulnerability assessment
The remote vulnerability assessment reviews each of the internet-accessible IP addresses your business has in use, which can include the IP addresses and services accessible from your office, as well as the IP addresses directly associated with your business, such as those within datacentres or cloud services.
A vulnerability scanning tool will then be run against each of your IP Addresses, looking for ports and services that may be accessible using the TCP and UDP protocols.
What The Test Is Looking For
The Illustrative Test Specification document provides a useful flow diagram that describes exactly what is tested and which outcomes constitute a pass or fail for the first test.
The assessor will primarily be looking for the following:
- If a service is accessible, does it have a known vulnerability rated Critical or High risk
- If the service requires authentication, does the authentication meet the following standards:
  - Multi-Factor Authentication is enabled, or alternatively:
    - Default passwords have been changed for the service, and
    - The service throttles the number of login attempts, or:
    - The service limits the number of login attempts to no more than 10
Preparing For The Test
To ensure your company remains compliant throughout the year and is ready for assessment, a vulnerability scanning tool can be used to test your business’s remotely accessible IP Addresses.
A list of vulnerability scanning tools is provided in our post on Network Vulnerability Scanning tools, and a walkthrough guide on setting up a free scanning tool, Nessus Essentials, is also available.
When reviewing the security of your company’s remotely accessible IP addresses, it is important to:
- Conduct your vulnerability scan with direct permission from an authorized individual within the business.
- Additionally, the scan should be conducted from outside of your company’s regular offices, and network, without connections such as a VPN in place.
- This ensures your scanning results reflect those that may be collected by the Cyber Essentials assessor or through a potential cyber attack.
Once you have the results of your vulnerability scan you can:
- Review each of the open services that are identified to ensure they align with your company’s requirements, and close any services considered unnecessary
- Ensure any required services have appropriate authentication systems in place where necessary
- Resolve any vulnerabilities that are highlighted as Critical or High impact, although it can be best practice to resolve all identified vulnerabilities
Test Case 2: Authenticated vulnerability scan of Devices
The authenticated vulnerability scan of your devices aims to test a sample of the devices your business has in use including:
- End User Devices, such as laptops and desktops
- Servers that your company manages in your offices, data centers, or cloud-hosted systems.
The sample size can be variable depending on your specific assets and is intended to be randomly chosen by the qualified assessor.
Similar to the remote audit, a vulnerability scanning tool will also be run against the chosen sample of devices. However, unlike the remote audit, an authenticated scan will be run against the sample of devices using Administrative accounts.
This ensures the vulnerability scanning tool can assess the operating system and software installed on the device for missing patches and can also review the configuration profile and settings of the device for security issues.
What The Test Is Looking For
The test specification document outlines the specifics of the test and what an assessor will check for when reviewing the results of the scan, which includes:
- A vulnerability which the scanner identifies as:
  - Having a Critical or High-risk impact rating
  - Having a CVSSv3 score of 7 or above
  - Having neither of the previous impact ratings or scores
  - Having a vendor-provided patch that has been available for more than 14 days
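The following script is an added example, not code from the article or from the NCSC test specification. It reads a scan export and evaluates every finding against the three conditions listed above for both the remote scan (Test Case 1) and the authenticated scan (Test Case 2): a Critical/High rating, a CVSSv3 score of 7 or above, and a vendor patch older than 14 days. The CSV layout, column names (the FIELD_* constants) and the sample findings are all constructed for the example; real exports from Nessus, OpenVAS and similar tools use their own column names, so the constants need adjusting. Findings that meet a severity condition and have an overdue patch are reported as failing; findings meeting only one condition, or carrying no rating at all, are listed for review so the combination rule applied by your assessor can be confirmed against the current specification.

```python
"""Triage vulnerability scan findings against the thresholds described above.

Added example, not code from the article or the NCSC test specification. The CSV
layout is a constructed, simplified one loosely modelled on a scanner export;
real exports (Nessus, OpenVAS, etc.) use different column names, so adjust the
FIELD_* constants to match your tool.
"""
import csv
import io
from datetime import date

# Column names of the constructed sample export (assumed, not a real tool's schema).
FIELD_HOST = "host"
FIELD_PORT = "port"
FIELD_NAME = "name"
FIELD_RISK = "risk"              # scanner's severity label
FIELD_CVSS3 = "cvss3"            # CVSSv3 base score, may be blank
FIELD_PATCH_DATE = "patch_date"  # vendor patch publication date (YYYY-MM-DD), may be blank

# Thresholds from the article: Critical/High rating, CVSSv3 of 7 or above,
# vendor patch available for more than 14 days.
FAILING_RISKS = {"critical", "high"}
CVSS_THRESHOLD = 7.0
PATCH_GRACE_DAYS = 14

# Constructed sample findings (hosts, ports and names are made up).
SAMPLE_CSV = """host,port,name,risk,cvss3,patch_date
10.0.0.5,443,Outdated TLS library,High,7.5,2024-01-10
10.0.0.5,22,SSH weak MAC algorithms,Medium,5.3,
10.0.0.8,445,SMB signing not required,Medium,,2023-11-01
10.0.0.9,3389,RDP service exposed,Critical,9.8,2024-03-01
10.0.0.9,80,HTTP server version disclosure,Low,3.1,
"""


def parse_findings(csv_text):
    """Parse the export into dicts with a numeric score and a date object."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = row.get(FIELD_CVSS3, "").strip()
        patch = row.get(FIELD_PATCH_DATE, "").strip()
        findings.append({
            "host": row[FIELD_HOST],
            "port": int(row[FIELD_PORT]),
            "name": row[FIELD_NAME],
            "risk": row[FIELD_RISK].strip().lower(),
            "cvss3": float(score) if score else None,
            "patch_date": date.fromisoformat(patch) if patch else None,
        })
    return findings


def classify(finding, today):
    """Evaluate one finding against each condition in the list above.

    severity_fail: rated Critical/High, or CVSSv3 score of 7 or above.
    patch_overdue: a vendor patch has been available for more than 14 days.
    unrated: neither a Critical/High rating nor a CVSSv3 score was supplied,
             so the assessor will have to judge the finding by hand.
    """
    risk_hit = finding["risk"] in FAILING_RISKS
    score = finding["cvss3"]
    score_hit = score is not None and score >= CVSS_THRESHOLD
    patch_age = (today - finding["patch_date"]).days if finding["patch_date"] else None
    return {
        "severity_fail": risk_hit or score_hit,
        "patch_overdue": patch_age is not None and patch_age > PATCH_GRACE_DAYS,
        "unrated": not risk_hit and score is None,
        "patch_age_days": patch_age,
    }


def triage(csv_text, today_iso):
    """Sort findings into 'failing' (severity condition met and patch overdue),
    'review' (only one condition met, or unrated) and 'ok' (nothing flagged).
    Returns a dict of lists of (host, port, name) tuples, in export order."""
    today = date.fromisoformat(today_iso)
    buckets = {"failing": [], "review": [], "ok": []}
    for f in parse_findings(csv_text):
        c = classify(f, today)
        key = (f["host"], f["port"], f["name"])
        if c["severity_fail"] and c["patch_overdue"]:
            buckets["failing"].append(key)
        elif c["severity_fail"] or c["patch_overdue"] or c["unrated"]:
            buckets["review"].append(key)
        else:
            buckets["ok"].append(key)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_CSV, date.today().isoformat()).items():
        print(f"{bucket}:")
        for host, port, name in items:
            print(f"  {host}:{port}  {name}")
```

Run against a real export, the date passed to triage should be the date of the scan rather than today, otherwise patches released between the scan and the review are aged incorrectly. The "review" bucket is deliberately generous: a Critical finding whose patch is only nine days old is not yet a fail under the 14-day rule, but it will become one if left alone, so it belongs in the same report.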
Preparing For The Test
The authenticated vulnerability scanning of devices aims to review a sample of devices rather than every device your business uses, however, with small businesses, the sample may include every device.
As it isn’t possible to know exactly which devices will be included within the sample, to ensure your company maintains compliance throughout the year, it is recommended to test your entire infrastructure.
Similar to the remote vulnerability scan, your business can make use of a vulnerability scanning tool to review your own devices. A separate article details the process of running an authenticated Nessus scan. When conducting authenticated scans for your business, ensure the following are in place:
- Conduct your vulnerability scan with direct permission from an authorized individual within the business.
- Verify vulnerability scans are running with valid credentials and have successfully authenticated to each of your assets.
- The authenticated Nessus scan article describes the specifics of this check in further detail when using Nessus, although similar checks should be conducted for any scanning tool.
- Resolve any identified vulnerabilities that fall into the categories described above, whether by impact rating or CVSSv3 score. It is, however, security best practice to resolve all vulnerabilities highlighted in the scanner results.
This vulnerability scanning process can be scheduled on a weekly, monthly, or quarterly basis to regularly review each of your assets and ensure you have addressed all current and new vulnerabilities that are gradually identified.
To set up a vulnerability management program within your business, the following article can be reviewed for further guidance.
Test Case 3: Check Malware Protection
The malware protection test also aims to review a sample of devices within your company, although, for a small business, this may include all of your devices.
The test is intended to cover devices that are regularly used and present an interactive interface to your users, including:
- End-user devices such as laptops and desktops
- Servers that provide a desktop interface to users, such as through virtual desktop solutions.
- Servers that may be hosted within datacentres or Cloud services, if they also provide a desktop interface to users.
The specific test that is conducted to review your Malware Protection solution will depend on how your company completed the Cyber Essentials self-assessment questions. This may involve either:
- A test of the Malware Protection software that is installed on your devices
- A test of the Application allow list which is configured on your devices.
Each test aims to ensure your devices are adequately protected from malicious files that a user might accidentally open from an email attachment or download from a web page.
What The Test Is Looking For
Where your business has installed Malware Protection software on your devices, the assessment will check:
- The software defined in your Cyber Essentials Self-Assessment Questionnaire is installed
- The installed software is up to date
- The malware protection software is functioning as intended, by:
  - Attempting to access a set of malware test files via email attachments and web downloads, and
  - Determining whether the installed software on the device is either:
    - Preventing the typical day-to-day user account from accessing the internet, or
    - Preventing the typical day-to-day user account from downloading the malware test files, or
    - Preventing the typical day-to-day user account from accessing the downloaded malware test files
- In some instances, depending on the results of the previous tests, the assessor may also review the activity logs of the malware protection software to determine whether it is functioning correctly
Where your business has set an Application allow-list to prevent the execution of any unknown or malicious files, the assessment will check:
- Each of the trusted root certificates installed on the device, to ensure they consist only of those provided by the operating system vendor and those specifically approved by the company.
- If a test file without a valid approved certificate will be able to execute on the device.
- If the configuration of the operating system verifies approved certificates for all file formats, relevant to the type of device.
Preparing For The Test
As the sample of devices assessed during the Cyber Essentials Plus certification process will be selected by the assessor, it is necessary to test and review each of your company’s assets throughout the year to prepare for the assessment.
Where Malware Protection software is installed on your devices, it is recommended to:
- Ensure that the software and malware signatures are automatically updated.
  - These may be part of the same update mechanism or separate, depending on the specific software.
  - Automatic updates are recommended to ensure the latest malware detection methods are available.
  - An authenticated vulnerability scanner may also highlight missing updates in your installed software, verifying whether automated updates are working as expected.
- Periodically check that your software identifies known malware files, using the EICAR test files, which are designed to test the response of malware protection software without damaging your devices.
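The EICAR check above can be scripted so that it runs the same way on every device. The script below is an added example, not code from the article or from the EICAR organisation: it writes the standard 68-character EICAR test pattern to a temporary file, waits for real-time protection to react, and reports whether the file was refused, removed or left intact. The pattern is assembled from two fragments only so that this source file itself is not quarantined by a scanner that matches the string anywhere in a file; the assembled content is the unmodified standard test string. The wait time and temporary directory are assumptions to adjust for your environment.

```python
"""Check that endpoint malware protection reacts to the EICAR test file.

Added example (not from the article). The EICAR string is the industry-standard,
harmless antivirus test pattern; it is assembled from fragments here only so that
this source file is not itself quarantined by a scanner that matches the pattern
in any file.
"""
import os
import shutil
import tempfile
import time

# The standard EICAR test string, split in two so the full literal never appears
# contiguously in this source file. Joined, it is exactly 68 ASCII characters.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_string():
    """Return the full EICAR test pattern."""
    return "".join(_EICAR_PARTS)


def write_test_file(directory):
    """Write the pattern as the entire content of a file (required for detection)."""
    path = os.path.join(directory, "eicar_test.com")
    with open(path, "w", encoding="ascii", newline="") as fh:
        fh.write(eicar_string())
    return path


def check_protection(directory, wait_seconds=5):
    """Write the test file, wait, and report whether the scanner intervened.

    Returns a dict with:
      present  - the file still exists on disk
      readable - the file exists and its content is still the full pattern
      blocked  - protection reacted: the write was refused, or the file was
                 removed, emptied, quarantined or made unreadable
    """
    try:
        path = write_test_file(directory)
    except OSError as exc:  # real-time protection may refuse the write outright
        return {"present": False, "readable": False, "blocked": True, "detail": str(exc)}
    time.sleep(wait_seconds)  # give on-access scanning time to act (assumed delay)
    present = os.path.exists(path)
    readable = False
    if present:
        try:
            with open(path, "r", encoding="ascii") as fh:
                readable = fh.read() == eicar_string()
        except OSError:
            readable = False
    if present and readable:
        os.remove(path)  # tidy up when the scanner did not react
    return {"present": present, "readable": readable, "blocked": not (present and readable)}


def run_check(wait_seconds=5):
    """Run check_protection in a fresh temporary directory and clean it up afterwards."""
    directory = tempfile.mkdtemp(prefix="eicar-check-")
    try:
        return check_protection(directory, wait_seconds)
    finally:
        shutil.rmtree(directory, ignore_errors=True)


if __name__ == "__main__":
    outcome = run_check()
    verdict = "protection reacted" if outcome["blocked"] else "NO reaction: investigate"
    print(f"EICAR on-access check: {verdict} ({outcome})")
```

A result of blocked=False on a device that should have malware protection is the finding to chase: it mirrors the assessor's "access the downloaded test file" step. The script only exercises on-access (file-write) scanning; the email-attachment and browser-download paths the assessor also uses need the EICAR file delivered through those channels, which this script does not attempt.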
Where your devices are managed through an approved application allow list, it is recommended to:
- Regularly review the list to ensure only necessary and approved software is maintained for your devices.
- Verify that executable files which are not on your approved list of applications are blocked when run on your devices.
For additional security and protection against potentially malicious websites and malware files, it is also recommended to enable your web browser’s increased protection measures.
- For Google Chrome there is an Enhanced protection setting which improves your browsing security, and an additional setting for your Downloads to always prompt and verify where a file should be saved to.
- Mozilla Firefox has a Strict security setting, offering similar additional protection options, as well as a similar prompt for downloaded files.
- Apple Safari has security controls to provide warnings of known fraudulent websites.
- Microsoft Edge maintains security controls to block the download of potentially unwanted files, provide a user prompt for each downloaded file and enable an enhanced security mode for web browsing.
Further malware protection settings can also be enabled with your email provider.
- Google Workspace provides Advanced Phishing and Malware Protection settings within the administrative interface.
- Microsoft 365 similarly provides additional Malware Protection settings for its environments.
Test case 4: Check Multi-factor Authentication
The Multi-factor Authentication test aims to review each of the Cloud Services that are in use for your business and ensure that MFA settings are enabled for each standard user account and admin account that uses the service.
Sample testing of the Cloud Services accounts is also conducted, rather than testing every individual account, however, both standard user accounts and admin accounts will be reviewed for each service.
The assessment aims to ensure your internet-facing Cloud Services, which are more susceptible to attack, have appropriate security controls in place for each of your user accounts.
What The Test Is Looking For
The Requirements for IT Infrastructure document provides a useful description of which type of Cloud services may be considered in scope for Cyber Essentials and require MFA to be enabled for your accounts.
A qualified assessor verifies the use of MFA for your standard user and admin accounts. This is typically done by accessing the service’s login portal, either:
- While the user is logged out of the service and will receive a prompt for a username, password, and MFA code.
- While the user is still logged into a service but attempting to log in again within an Incognito browser window which removes any prior authentication details.
Preparing For The Test
For each cloud service your organization makes use of, it is recommended to enforce MFA wherever possible, rather than encourage individuals to enable these security settings by choice.
- Within Google Workspace there are options available to deploy MFA and also enforce the setting. Enrollment within MFA will then be required within a time period your organization can define.
- Microsoft 365 also has similar MFA settings which can be enabled using the information provided in the following article.
For each of your services and accounts it is recommended to conduct a regular review throughout the year, with different users of the services. This review can be a simple verification that as a user logs in, the MFA settings are operating as intended and the user receives a prompt for an additional authentication code.
In some scenarios, MFA can be set up on a conditional basis, so that it only prompts for a code when authenticating from outside your organization’s offices, or when connecting from a device that was not issued by the company.
Specific setups such as this, with additional security measures, should still be acceptable to certify against the Cyber Essentials standard, providing the MFA requirements can be verified by a Cyber Essentials auditor.
Test case 5: Check account separation
The Account Separation test aims to review the user accounts that are typically used on a day-to-day basis and ensure that the permissions for standard user accounts are appropriate for their use.
Similar to the Malware Protection test, this part of Cyber Essentials Plus also reviews a sample of your user devices, with the sample selected from your company assets such as:
- End-user devices such as laptops and desktops
- Servers that provide a desktop interface to users, such as through virtual desktop solutions.
- Servers which may be hosted within datacentres or Cloud services, if they also provide a desktop interface to users.
Where your accounts are used to access these types of devices and environments and are used for typical daily activities such as internet browsing and email access, it is important to maintain account separation, so that when an administrative action is required, it is conducted using a separate and independent user account.
What The Test Is Looking For
For each device and account tested, the assessor observes an attempt to run an administrative action.
- For a Windows device, this can be any action that offers “Run as Administrator”, for example opening the Start menu and right-clicking on the Edge browser icon.
- For a Mac, this could be running a “.dmg” installation file and reviewing any prompt that asks for an administrative login.
Where no prompt is identified, or the prompt that appears does not request additional admin authentication, the user account being tested is likely part of the administrator group for the device and would need to be removed from this group.
Preparing For The Test
To review each of your devices and user accounts throughout the year, similar checks and verification of the authentication prompt can be conducted when attempting to run an administrative task.
For additional verification, you can review the permissions that are assigned to the individual user accounts on the device:
- For Windows devices within the Start menu and Settings, there is an option for Accounts, which details the user account and permissions, as well as other accounts configured on the device and the type of account which is configured.
- For Mac devices, within System Settings and Users & Groups, a list of each account for the device is displayed, alongside the permissions that are assigned to the account.
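Checking the Accounts or Users & Groups screens works for one device at a time; across a fleet it is easier to collect the local administrator group membership from each device and compare it against the list of accounts used for day-to-day work. The script below is an added example, not code from the article. It parses the text printed by the Windows command `net localgroup Administrators` and the macOS command `dscl . -read /Groups/admin GroupMembership`, both of which exist as shown; the two sample outputs and the account names in them are constructed, and the list of day-to-day accounts is assumed to come from your own asset register.

```python
"""Flag day-to-day user accounts that are members of the local administrators group.

Added example (not from the article). It parses the output of the Windows command
`net localgroup Administrators` and the macOS command
`dscl . -read /Groups/admin GroupMembership`, so it can be run either live on a
device or against output collected from many devices. The sample outputs below
are constructed.
"""
import subprocess
import sys

# Constructed sample output of: net localgroup Administrators
WINDOWS_SAMPLE = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alice
CORP\\it-admin-bob
The command completed successfully.
"""

# Constructed sample output of: dscl . -read /Groups/admin GroupMembership
MACOS_SAMPLE = "GroupMembership: root carol admin-carol\n"


def parse_windows_members(text):
    """Return the member names listed between the dashed rule and the closing line."""
    members, in_members = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def parse_macos_members(text):
    """Return the space-separated names after 'GroupMembership:'."""
    for line in text.splitlines():
        if line.startswith("GroupMembership:"):
            return line.split(":", 1)[1].split()
    return []


def find_separation_issues(admin_members, daily_accounts):
    """Return the day-to-day accounts that are also local administrators.

    Comparison is case-insensitive because Windows account names are. Each name
    returned is an account that should be removed from the administrators group
    and given a separate admin-only account instead.
    """
    admins = {m.lower() for m in admin_members}
    return [acct for acct in daily_accounts if acct.lower() in admins]


def collect_live_members():
    """Query the local administrators group on the machine this script runs on."""
    if sys.platform.startswith("win"):
        out = subprocess.run(["net", "localgroup", "Administrators"],
                             capture_output=True, text=True, check=True).stdout
        return parse_windows_members(out)
    if sys.platform == "darwin":
        out = subprocess.run(["dscl", ".", "-read", "/Groups/admin", "GroupMembership"],
                             capture_output=True, text=True, check=True).stdout
        return parse_macos_members(out)
    raise RuntimeError(f"no local admin group query defined for {sys.platform}")


if __name__ == "__main__":
    # Day-to-day accounts would normally come from your asset register (assumed list).
    daily = ["alice", "carol", "dave"]
    print("Windows sample:", find_separation_issues(parse_windows_members(WINDOWS_SAMPLE), daily))
    print("macOS sample:  ", find_separation_issues(parse_macos_members(MACOS_SAMPLE), daily))
```

On the constructed samples the script reports alice (Windows) and carol (macOS) as day-to-day accounts holding local administrator rights, while admin-carol and it-admin-bob are left alone because they are not in the day-to-day list; that is the separation the test case expects to see. Domain-qualified names such as CORP\it-admin-bob are matched as-is, so list them in the same form in the day-to-day register.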
Conclusion
The Cyber Essentials Plus certification is intended to provide additional assurance and security verification to your business through a technical audit of your existing security controls, policies, and processes.
While there are a range of specific tests involved in the assessment, the testing process is designed to be a fair review of the security measures described in the Cyber Essentials self-assessment questions, seeking only to verify that the described security standards are in place.
Through some regular checks and periodic reviews of your devices and accounts, to remove any potential surprises during your audited assessment, Cyber Essentials Plus certification should be attainable for your business.
Where you have any further questions regarding different cybersecurity solutions, or the Cyber Essentials Plus certification program our consultants are available to address any concerns you may have.