Preparing for Cyber Essentials Plus: A Cyber Essentials Plus Checklist
What is Cyber Essentials Plus
A Cyber Essentials Plus Checklist can help your business prepare for assessment, and give you the best chance to remove any potential issues and achieve certification the first time.
Cyber Essentials Plus is a technical audit of your business’s systems that follows on from the Cyber Essentials Certification and provides a level of assurance to you, your partners, and your clients that you have taken the necessary steps to secure your business from the most common forms of cyber attack.
The assessment uses the details declared on your Cyber Essentials Self Assessment Questionnaire (SAQ) to carry out a series of practical tests, which validate the defined security controls.
As the Cyber Essentials Plus assessment is a technical audit of your cyber security and the systems defined within the Cyber Essentials Certification, the Plus assessment must be completed within three months of your valid Cyber Essentials Certification.
If you first need to complete your Cyber Essentials Certificate, you can review the information provided within the Cyber Essentials Checklist.
Why get Cyber Essentials Plus Certified
Cyber Essentials Plus provides a higher level of assurance than a Cyber Essentials Certification alone and helps organisations protect themselves from some of the most common cyber threats and cyber attacks.
The certification involves carrying out a practical test looking for security vulnerabilities that can impact your IT infrastructure, including your network devices, and external networks.
The certification can also be used as part of your business marketing and advertising and can be helpful or even necessary when working to acquire additional work or certain public sector contracts.
Cyber Essentials Plus Checklist
The National Cyber Security Centre (NCSC) has detailed the test specification for the Plus assessment, published here, which is recommended for review before any scheduled assessment as it defines the Cyber Essentials requirements for certification.
Each of the tests is designed to assess one of the five cyber security controls which are defined within the Requirements for IT Infrastructure document and are outlined in the SAQ. Each test intends to ensure you have the necessary security measures in place to protect from cyber attacks, covering:
- Firewalls
- Secure Configuration
- Security Update Management
- User Access Control
- Malware Protection
The tests that are included in the Plus assessment, and the information and access an assessor will need, are listed below in the Cyber Essentials Plus Checklist.
- Remote Vulnerability Assessment
  - In-scope public IP addresses to be provided to the assessor
  - Remote vulnerability scan to be run by the assessor
- Check Patching, by Authenticated Scan of Devices
  - Access to your devices, provided to your assessor, to run a vulnerability scan
    - Remote access or in-office visits are the most common access methods.
  - Administrator account provided for each device to be scanned
- Check Malware Protection
  - Access to the desktop environments of in-scope devices with standard user accounts
    - Remote access or in-office visits are the most common access methods.
  - Confirmation that the antivirus software is installed and running correctly.
- Check Multi-Factor Authentication Configuration
  - Access to your in-scope cloud services with standard user and admin accounts.
  - Confirmation of the presence of Multi-Factor Authentication for tested accounts
- Check Account Separation
  - Access to the desktop environments of in-scope devices as a standard user
    - Remote access or in-office visits are the most common access methods.
  - Confirmation that the day-to-day user account does not have admin permissions
Further Considerations for Your Checklist
In addition to the Cyber Essentials Plus Checklist, some additional information that can be helpful to consider or arrange in advance of a scheduled assessment includes the following:
- An asset list detailing each of your in-scope devices and their operating system.
  - The Plus assessment requires an assessor to perform tests against a sample of your devices. The exact sample is determined by the number of devices you have and the different operating systems you have in use.
  - An asset list that details this information can provide an assessor with an easy reference sheet to select their sample and help ensure a smooth assessment.
- Access to Mobile Device Policy documentation and access to a Mobile Device Management System (MDM) where applicable.
  - Where you have mobile devices in scope for your Plus assessment, the devices may need to be checked to determine their configuration and settings regarding requirements for protection against malware.
  - Having any relevant documentation and access to an MDM ready to provide can help to ensure there are no unnecessary delays if your assessor requests access to confirm any required details.
- An administrator account or several administrator accounts that can provide admin access to your in-scope user workstations, servers, or Infrastructure as a Service (IaaS).
  - An authenticated vulnerability scan, performed with an admin account, is a requirement of the Plus assessment.
  - For each of your in-scope devices, admin access may need to be provided to carry out these vulnerability scans.
- Access to the standard user environments for your in-scope devices.
  - Several tests are carried out on your devices from the perspective of a standard day-to-day user account. The assessor will need access to this user environment.
  - This can be through the assessor being present in your offices, or a remote access session established using a variety of different software solutions.
- Remote access solutions for necessary Cyber Essentials Plus tests.
  - Your assessor will need access to your in-scope devices to run a vulnerability scan with an admin account and other tests as a standard user.
  - If this is conducted within your offices, the process should be relatively straightforward.
  - If this is carried out remotely, it may require the setup of a VPN connection and associated credentials, or other remote access solutions for the vulnerability scan.
  - Scheduled access to your devices may also be necessary via desktop-sharing solutions for the assessor to carry out the tests from the perspective of standard user accounts.
  - These tests may require scheduling in advance if your users have other commitments or meetings arranged and will not be available at certain times.
  - You should also consider the time it may take for each of the tests to be completed and the potential disruption this may cause for each of your users.
Each of these tests has its own conditions for a pass or fail of the Plus assessment, and it is recommended to run through each of the tests yourself, to make sure you have the correct information available to provide an assessor, and also to check your devices for any potential issues in advance of a scheduled assessment.
Preparing for Cyber Essentials Plus
Test Case 1: Remote Vulnerability Assessment
Cyber Essentials Plus certification includes running a vulnerability scan against any IP addresses you own and manage which are accessible over the internet.
Once the vulnerability scan has been run, a flow chart is followed to determine a pass or fail for this part of the assessment, as shown in the Test Specification on page 5.
Running An External Vulnerability Scan
You can help your business prepare for this part of the assessment by running your own vulnerability scan in advance of the scheduled assessment and reviewing the flow chart to determine if there are any issues you need to resolve.
When running the checks against your public-facing IP addresses, it is recommended to carry out this test from outside your offices and while not connected to any VPN or remote access solutions, to ensure you receive a truly representative view of your IP addresses from the perspective of an external tester.
There are several vulnerability scanning tools that offer a free trial, allowing you to prepare before your scheduled test. Vulnerability scanning tools are described in the following post, “A Vulnerability Scan Guide”.
Checking for missing patches
For any services that are found to be accessible on your tested IP addresses, the Plus assessment first looks to identify whether there are any Critical or High-risk vulnerabilities, as any such finding will be considered a fail.
Checking services for Authentication
The assessment will then review each service and any access to information it may provide. If you manage a service such as a public-facing website that is intended to provide read-only information, this is considered suitable for facing the internet.
However, if you are providing access to data that shouldn’t be made publicly available, an authentication system should be in place to protect this information.
These checks align with the answers provided as part of the SAQ, so the authentication system and protection systems in place should match the answers previously provided.
If there is an authentication system in place, for each service determined to require one, this section of the assessment will be considered as a pass and the next check will be carried out.
Checking for Authentication restrictions
For each authentication system that is set up to be publicly facing, there should also be a protection system in place to restrict continuous login attempts.
This could be through two-factor authentication, a restricted number of login attempts, or the locking of accounts after several failed login attempts.
For each of your authentication systems, you should also have changed any default passwords to strong passwords that adhere to your password complexity policy.
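The pass/fail flow for an exposed service, as the sections above describe it, can be scripted so you can triage your own pre-assessment external scan. This is an added example, not the NCSC flow chart or the article's own tooling; the service model and the three accepted login restrictions (MFA, attempt limit, lockout) are assumptions drawn from the text.

```python
from dataclasses import dataclass

# Constructed model of one internet-facing service found by an external scan.
# The order of checks follows the article: Critical/High findings first, then
# whether authentication is needed and present, then restrictions on repeated
# logins and default passwords. This is an assumed simplification of the spec.
@dataclass
class ExposedService:
    name: str
    highest_severity: str            # "critical", "high", "medium", "low" or "none"
    exposes_private_data: bool       # read-only public content -> False
    has_authentication: bool
    login_restrictions: tuple = ()   # any of "mfa", "attempt_limit", "lockout"
    default_password_changed: bool = True

FAILING_SEVERITIES = {"critical", "high"}
ACCEPTED_RESTRICTIONS = {"mfa", "attempt_limit", "lockout"}

def assess_service(svc):
    """Return (passed, reason) for a single exposed service."""
    if svc.highest_severity.lower() in FAILING_SEVERITIES:
        return False, f"{svc.name}: {svc.highest_severity} vulnerability present"
    if not svc.exposes_private_data:
        return True, f"{svc.name}: read-only public information, no authentication needed"
    if not svc.has_authentication:
        return False, f"{svc.name}: private data exposed without authentication"
    if not set(svc.login_restrictions) & ACCEPTED_RESTRICTIONS:
        return False, f"{svc.name}: no restriction on continuous login attempts"
    if not svc.default_password_changed:
        return False, f"{svc.name}: default password still in use"
    return True, f"{svc.name}: authenticated and protected against repeated logins"

def assess_external_scan(services):
    """Overall verdict: every service must pass. Returns (passed, [reasons])."""
    results = [assess_service(s) for s in services]
    return all(ok for ok, _ in results), [reason for _, reason in results]

# Constructed sample of what a pre-assessment external scan might report.
SAMPLE_SERVICES = [
    ExposedService("www (443/tcp)", "low", False, False),
    ExposedService("webmail (443/tcp)", "medium", True, True, ("mfa",)),
    ExposedService("vpn (1194/udp)", "medium", True, True, ()),
    ExposedService("legacy-ftp (21/tcp)", "high", True, True, ("lockout",)),
]

if __name__ == "__main__":
    passed, reasons = assess_external_scan(SAMPLE_SERVICES)
    print("PASS" if passed else "FAIL")
    for reason in reasons:
        print(" -", reason)
```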
Test Case 2: Check Patching, By Authenticated Vulnerability Scan of Devices
Setting up your device vulnerability scans
Vulnerability scanning of your users’ workstations forms a large part of the Cyber Essentials Plus certification. You can help your business prepare for the Plus assessment by conducting a vulnerability scan of your devices and resolving any missing patches and vulnerabilities that are identified.
Vulnerability scanning tools are described in the following post, “A Vulnerability Scan Guide”.
Checking for Critical and High-Risk Issues
To improve your business’s overall security, you should ideally fix any vulnerabilities that are identified by these scans, with a priority focus on any issues that are categorized as critical or high risk. For Cyber Essentials, any issues that are picked up as Critical or High risk will need to be fixed.
You should also consider when you run your vulnerability scans, as the Plus Specification states that when a missing patch is listed as Critical or High risk and the “patch has been available for more than 14 days prior to testing”, it will fail Cyber Essentials Plus.
Ideally, you can scan your devices a week or two before your scheduled assessment and fix any issues that are identified. If you run your scan a little earlier than this and a new patch is released while waiting on your scheduled assessment, it might get picked up on your test and result in a fail.
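The 14-day rule above is easy to apply to your own scan export before the assessor does. This is an added example, not the article's or any scanner's code; the finding fields (`host`, `plugin`, `severity`, `patch_released`) are assumed names you would map your scanner's export onto, and the sample findings are constructed.

```python
from datetime import date, timedelta

FAILING_SEVERITIES = {"critical", "high"}
GRACE_PERIOD = timedelta(days=14)   # "available for more than 14 days prior to testing"

# Constructed findings from an authenticated scan: each missing patch with the
# scanner's severity and the date the vendor made the patch available.
SAMPLE_FINDINGS = [
    {"host": "ws-01", "plugin": "Browser update", "severity": "Critical", "patch_released": date(2024, 3, 1)},
    {"host": "ws-01", "plugin": "Office update", "severity": "High", "patch_released": date(2024, 3, 20)},
    {"host": "srv-02", "plugin": "Kernel update", "severity": "Medium", "patch_released": date(2024, 1, 10)},
    {"host": "srv-02", "plugin": "Agent update", "severity": "High", "patch_released": date(2024, 3, 24)},
]

def patch_is_overdue(finding, test_date):
    """True when a Critical/High patch was available more than 14 days before test_date."""
    if finding["severity"].lower() not in FAILING_SEVERITIES:
        return False
    return test_date - finding["patch_released"] > GRACE_PERIOD

def fail_from(finding):
    """First date on which an in-window Critical/High finding would start failing."""
    return finding["patch_released"] + GRACE_PERIOD + timedelta(days=1)

def triage(findings, test_date):
    """Split Critical/High findings into those already failing and those still
    inside the 14-day window (with the date each one would start to fail)."""
    fails, pending = [], []
    for f in findings:
        if f["severity"].lower() not in FAILING_SEVERITIES:
            continue   # Medium/Low findings are worth fixing but do not fail this test
        if patch_is_overdue(f, test_date):
            fails.append(f)
        else:
            pending.append((f, fail_from(f)))
    return fails, pending

if __name__ == "__main__":
    fails, pending = triage(SAMPLE_FINDINGS, date(2024, 3, 25))
    for f in fails:
        print("FAIL   ", f["host"], f["plugin"], f["severity"])
    for f, deadline in pending:
        print("PENDING", f["host"], f["plugin"], "fails from", deadline)
```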
Setup Authenticated Vulnerability Scanning
The vulnerability scans against your user workstations, your servers, and your Infrastructure as a Service (IaaS) systems, for Cyber Essentials Plus are designed to be run as authenticated vulnerability scans.
When configuring your scans to run, this means the scan will have full access to your devices and be able to pick up missing patches and configuration issues that impact your devices.
Setting up the authenticated vulnerability scan requires adding valid administrator credentials to your vulnerability scan.
This can take some additional setup and configuration to ensure your scans are running correctly with the appropriate admin accounts for the devices.
For the Tenable Nessus vulnerability scanning tool, an additional post is provided here for setting up your first Nessus scan, and another post covers setting up a “Credentialed Nessus Scan”, running through some of the checks you can do to ensure you have authenticated successfully and don’t miss any vulnerabilities.
Test Case 3: Check Malware Protection
Where you have previously detailed on the SAQ which method is in place to protect your devices from malicious software, a check is conducted to confirm this system is in place.
The test is intended to assess your user workstations, servers, and IaaS instances where they are used to provide users with an interactive desktop, such as a virtual workspace.
The specific type of test that is conducted will align with your answers provided within the self-assessment questionnaire.
Sub-Test 3.1: For devices that use Anti-Malware Software
For your devices protected from malware by software, the initial check is relatively straightforward and is only intended to confirm that the software is present on the device, that it is running, and that it is up to date with the vendor’s instructions and the latest available updates.
Sub-Test 3.1.1: For Malware delivered by Email
For the Plus assessment, your assessor will have a set of test files, which will be emailed to the user of each device included in the assessment.
These files will be categorized as either a “malware test file” or an “executable test file”.
The intended outcome of these tests is one of two things. Either the emails never arrive in your inbox, in which case your email protection systems have identified the files as a potential threat and blocked them; or, if the files do arrive in your inbox, your antivirus software identifies and restricts access to the “malware test files”.
For the “executable test files,” the intention is that they cannot be executed without a prompt or additional action being presented to the user. This could be through restrictions set on your software, email restrictions, or device restrictions.
Sub-Test 3.1.2: For Malware delivered by Browser
This part of the assessment, against your anti-malware software, repeats the requirements of the previous test, where test files are sent by email; however, the test files are instead downloaded through an installed web browser.
There can sometimes be variations in how downloaded files are treated when accessed from different browsers, so the tests should include each installed browser on the device.
Similarly, your Anti-Malware software should block access to the “test malware files” whereas your device, browser, or software should restrict the “executable test files” from executing without a prompt being presented to the user.
Sub-Test 3.2: Certificate-Based Application Allow Listing
Although most of your devices that are included in the Cyber Essentials Plus tests will likely utilize antivirus software, certain devices such as any in-scope mobile devices may make use of a certificate-based application allow list to restrict what can run on the device.
Your assessor will need to review the trusted root certificates that are installed on each in-scope device as well as conduct a review of the policy settings that are in place for each operating system.
While this information can sometimes be accessed via a Mobile Device Management System (MDM), the assessor may also need access to the list of trusted certificates from each device.
This can involve physical access to devices, while present in an office, or may involve providing the output of the trusted certificates from the device. For mobiles, this can typically be accessed from the settings panel of each device.
Test Case 4: Check Multi-Factor Authentication Configuration
For the Cyber Essentials SAQ, you are likely to have defined a set of Cloud Services in scope that you use for your business.
This test aims to review each of your in-scope cloud services and confirm the login process for both your standard and administrator users, to confirm that a Multi-Factor authentication system is in place and working as intended.
Providing that each of your users has a Multi-Factor Authentication solution set up for their cloud accounts, which will prompt them for a code upon login, there should be no issues encountered during this stage of the assessment.
Test Case 5: Check Account Separation
For each of your in-scope devices where users are logging into a desktop environment, including a virtual desktop, their day-to-day account and activities should be carried out with non-administrative accounts.
The assessor will, therefore, attempt to run a process on your device with administrator permissions, to determine whether the process runs automatically or whether a prompt appears requesting that administrator credentials be entered.
If the prompt for credentials appears and the process does not automatically run, this verifies that the day-to-day user has not been assigned administrator privileges, and this test will be a pass.
You can check this process in advance of your scheduled assessment if you need to confirm any user accounts. On a Windows device, most programs that provide a “Run as administrator” option will be suitable for this test, confirming whether a prompt for credentials appears.
For Mac and Linux, the equivalent check is to verify that your day-to-day user accounts have not been granted administrative permissions.
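On Mac and Linux the day-to-day accounts can be reviewed offline from the account database before the assessor does it interactively. This is an added example, not the article's or any vendor's code: it assumes the administrative groups are `sudo` or `wheel` (Linux) and `admin` (macOS), and the `/etc/passwd` and `/etc/group` contents below are constructed samples.

```python
# Assumed administrative groups: Linux distributions typically use "sudo" or
# "wheel", macOS uses "admin". Adjust to match your own sudoers configuration.
ADMIN_GROUPS = {"sudo", "wheel", "admin"}

# Constructed sample files. Supplementary membership lives in /etc/group; a
# user's primary group is the gid field in /etc/passwd and must also be checked.
SAMPLE_GROUP_FILE = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:bob,carol
admin:x:80:
staff:x:50:alice,bob,carol,dave,erin
"""
SAMPLE_PASSWD_FILE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:50:Alice:/home/alice:/bin/bash
bob:x:1002:50:Bob:/home/bob:/bin/bash
carol:x:1003:50:Carol:/home/carol:/bin/zsh
dave:x:1004:50:Dave:/home/dave:/bin/bash
erin:x:1005:27:Erin:/home/erin:/bin/bash
"""

def parse_group_file(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def parse_passwd_file(text):
    """Map user name -> (uid, primary gid)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def admin_memberships(passwd_text, group_text):
    """Return {user: sorted admin groups} for every non-root account that holds an
    administrative group, via supplementary membership or its primary group."""
    groups = parse_group_file(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    findings = {}
    for user, (uid, gid) in parse_passwd_file(passwd_text).items():
        if uid == 0:
            continue  # the root account itself is not a day-to-day user
        held = {g for g, (_, members) in groups.items() if g in ADMIN_GROUPS and user in members}
        if gid_to_name.get(gid) in ADMIN_GROUPS:
            held.add(gid_to_name[gid])
        if held:
            findings[user] = sorted(held)
    return findings
```

On a real host, read `/etc/passwd` and `/etc/group` and pass their text to `admin_memberships`; every user it lists would fail the account-separation check if that user is a day-to-day account.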
Conclusion
The Cyber Essentials Plus assessment can be filled with small details which may mean the difference between a pass and fail of the certification.
For your peace of mind, checking all of your systems in advance of any scheduled assessment is recommended to ensure you are compliant with the standard and haven’t overlooked anything.
Regularly reviewing your systems is also good practice for your business’s overall security controls.
When you are working with your certification partner, ideally they will be able to provide some advice and guidance as you proceed through your assessment and help you to achieve your certification.
Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.