Cyber Essentials Plus: Vulnerabilities that cause a failure
If you are looking to achieve the Cyber Essentials Plus certification for your business, you may be wondering are there any vulnerabilities that could cause a failure. This blog post is the latest in a series about Cyber Essentials and discusses what happens when a vulnerability is found as part of the authenticated vulnerability scan.
If you didn’t already know, as part of the Cyber Essentials Plus audit we, the Certification Body, need to undertake a credentialed vulnerability scan across all devices which are in scope (or a sample set if working in a home environment). When the scan is run, we often find that there are several vulnerabilities that could cause a failure, which can cause a failure of the audit. This happens when vulnerabilities are CVSS 7.0 or above, however, this can depend upon a few metrics which are mentioned here in this article.
Once we see a score of 7.0 or above, we need to look at the vulnerability metrics, these are defined as below:
- Attack Vector (AV)
- Attack Complexity (AC)
- Privileges Required (PR)
- User Interaction (UI)
- Exploit Code Maturity (E)
- Report Confidence (RC)
Although there are many more metrics defined within the CVSS scoring system, these are the ones that are used by the Cyber Essentials scheme and are used to give an overview of the type of vulnerability and how it can be manipulated.
If the vulnerability is found to be 7.0 or above and matches the above metrics then the vulnerability is marked as a failure. Depending upon the type and number of vulnerabilities found, InfoSec Governance may decide to inform you that based upon the results you should remediate the vulnerability, even though it’s a pass. This can help ensure that your business is protected against threats from vulnerabilities that cause a failure and is best practice.
To ensure that you don’t get any surprises at this part of the audit, InfoSec Governance offers a pre-audit analysis of your business to help check to make sure things are in place. For this, we’ll run a scan and take a quick look around your processes which are defined as part of the audit and highlight any issues before you undergo the certification.
If you would like to undergo Cyber Essentials, please contact us to discuss your requirements.