What do I need to know for Cyber Essentials Plus?
If you are looking to achieve Cyber Essentials Plus there are a few things you should look at before going ahead with the certification. This blog post hopefully helps to explain some of the areas that I’ve seen people fail their audits on.
First you will need to achieve the Cyber Essentials Basic certification. This is a self-assessment certification which is carried out through a Certification Body, like InfoSec Governance, and once you have successfully passed this, you can move on to work towards Cyber Essentials Plus.
Cyber Essentials Plus is an audited version of Cyber Essentials. It looks at the controls that you have in place, through performing a vulnerability scan against your external gateway IP address as well as a credentialed vulnerability scan internally. Lastly there are tests to check how your email filters work as well as your endpoint configurations.
Before you go ahead with a Cyber Essentials Plus certification, you should check, check and check again that all your Operating Systems are supported, are fully patched and do not run any non-supported applications. Check to make sure that your router passwords are changed, that your firmware is up to date on routers, printers and devices.
You should also, where possible, run a vulnerability scan against your systems beforehand. This will help identify any problematic areas and gives you time to fix these before the audit happens.
Checking that people are not running as local administrators, and ensuring that your antivirus is working and is up to date, will make life easier on the day of your audit.
If possible, download and run Nessus Professional; if you can’t justify the Professional version, look at getting the Essentials version, which is free for up to 16 IP addresses. Otherwise look at something like OpenVAS. Then perform a scan across everything that is on your network. Configure the scan to scan all ports – 0-65535 – as well as UDP ports. This scan should also be configured to scan using administrator credentials, so the scan has full access to your systems.
When scanning, for Cyber Essentials Plus you should look at remediating anything that shows up as a CVSS 7.0 or above. In reality, however, it is good to look at and resolve anything that is found with a CVSS score of low, medium, high or critical.
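As an added example (not InfoSec Governance’s own tooling), the script below sorts a scanner’s findings into the “must fix before the audit” bucket (CVSS 7.0 or above) and the “should fix anyway” bucket, grouped by host. It assumes a CSV export with Host, Name and CVSS columns; the hosts and findings embedded in it are constructed, not real scan results.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a typical scanner CSV export.
# Hosts and findings are made up for illustration, not real results.
SAMPLE_EXPORT = """Host,Name,CVSS
192.0.2.10,Unsupported Windows OS,10.0
192.0.2.10,Third-party PDF reader out of date,7.8
192.0.2.11,SMB signing not required,5.3
192.0.2.11,Printer firmware out of date,6.5
192.0.2.12,Self-signed TLS certificate,
192.0.2.12,Remote management service exposed,9.8
"""

CE_PLUS_THRESHOLD = 7.0  # CVSS score at or above which a finding must be fixed for CE+

def severity(score):
    """Map a CVSS base score to the low/medium/high/critical bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def triage(export_text, threshold=CE_PLUS_THRESHOLD):
    """Return {host: {"must_fix": [...], "should_fix": [...]}} from a CSV export.

    Findings scoring >= threshold go to must_fix (an audit fail if left);
    everything else, including findings with no CVSS score, goes to should_fix.
    Each entry is (name, score or None, severity band or "unscored").
    """
    result = defaultdict(lambda: {"must_fix": [], "should_fix": []})
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = (row.get("CVSS") or "").strip()
        score = float(raw) if raw else None
        band = severity(score) if score is not None else "unscored"
        bucket = "must_fix" if score is not None and score >= threshold else "should_fix"
        result[row["Host"]][bucket].append((row["Name"], score, band))
    # Highest score first so the remediation list reads top-down
    for buckets in result.values():
        for key in buckets:
            buckets[key].sort(key=lambda e: -(e[1] or 0.0))
    return dict(result)

if __name__ == "__main__":
    for host, buckets in triage(SAMPLE_EXPORT).items():
        print(host)
        for label in ("must_fix", "should_fix"):
            for name, score, band in buckets[label]:
                shown = "-" if score is None else score
                print(f"  {label:<10} {shown:>4} {band:<8} {name}")
```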
Patching is a big area and it’s surprising how many people don’t have all of their software up to date. It’s not just about keeping your Operating System up to date, but what about all your third-party applications? Are they configured to automatically update? Are you using third parties to patch for you? Do you check they are updated?
The “two-click” rule for downloading files
The two-click rule is used when testing files that are downloaded from a website (or opened from an email). If you can download and run an application or any other file within two clicks, this is a fail.
To test this, go to the website https://ceplus.s3.eu-west-2.amazonaws.com/index.html and try downloading the files. Can you download them to your computer and then run them straight away? If so, this could be a fail. You will need to put in place checks or measures to make sure it takes more than two clicks to run a file, whether this is blocking all files from downloading, putting prompts in place to ask the user, or simply blocking files from running from the download location.
Once you have put these measures in place, you should be in a good place to go for your Cyber Essentials Plus certification. If you are looking to achieve this, please get in touch with us to see how we can help you.