What is Cyber Essentials?
The Cyber Essentials scheme consists of two parts, Cyber Essentials Basic (CE) and Cyber Essentials Plus (CE+). Cyber Essentials Basic involves completing an online self-assessment questionnaire covering 5 control areas:
- Firewalls
- Secure Configuration
- Access Control
- Malware Protection
- Security Update Management
A key point is that any answers submitted by the organisation’s respondent are not verified by the assessor. However, the Cyber Essentials Plus assessment verifies the claims made in the Cyber Essentials Basic questionnaire through a series of IT Audit checks. The common pitfalls mentioned in this article are usually discovered during the Cyber Essentials Plus part of the engagement.
Separation of Privileges
Many organisations grant users administrative privileges or standard accounts with privilege escalation capabilities on their devices which are used to perform everyday tasks like browsing the web or checking emails.
To achieve compliance with the Cyber Essentials scheme, it is essential to clearly track which users have administrative access and to ensure that administrative permissions are restricted to authorised users with a genuine business need. It is equally important that users with administrative accounts have a separate standard account for routine activities. Administrative accounts should only be used when a task requires elevated permissions. This is known as the Principle of Least Privilege (POLP). Following it greatly reduces the impact of a compromised everyday account and results in a more secure environment.
Updates and Patching
Cyber Essentials requires that any software installed on any device is vendor supported and kept up to date. It also requires a remediation period of 14 days for system/software updates that patch vulnerabilities with a high or critical risk rating. The first step in achieving this objective is to identify and keep track of software/system versions. Organisations often have software installed on devices that they are unaware of, or software that is no longer supported by the vendor.
Keeping track of software and its versions is a key step towards ensuring that only vendor-supported software is installed. After software assets have been identified, it is important that the software is updated regularly. This can be achieved by enabling automatic updates for software/systems that support them, or by manually reviewing software versions on a regular basis.
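As an added illustration (not code from the original article or from Ruptura), the check below applies the two rules from this section to a constructed software inventory: unsupported software fails outright, and an outstanding high or critical patch fails once it is more than 14 days past its release date. The inventory records, product names and dates are assumed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple, Dict, Iterable

# Cyber Essentials remediation window for high/critical fixes (from the article).
REMEDIATION_DAYS = 14
FAST_TRACK_SEVERITIES = {"high", "critical"}


@dataclass
class SoftwareAsset:
    name: str
    installed_version: str
    vendor_supported: bool            # False once the vendor has ended support
    latest_version: str
    patch_severity: Optional[str]     # severity of the issue the latest version fixes
    patch_released: Optional[date]    # date the vendor published that fix


def assess_asset(asset: SoftwareAsset, today: date) -> Tuple[str, str]:
    """Return (status, reason); status is 'pass', 'warn' or 'fail'."""
    if not asset.vendor_supported:
        return "fail", "software is no longer supported by the vendor"
    if asset.installed_version == asset.latest_version:
        return "pass", "up to date"
    # An update is outstanding. Only high/critical fixes carry the 14-day clock;
    # anything lower still needs applying but is not a hard failure here.
    if asset.patch_severity not in FAST_TRACK_SEVERITIES or asset.patch_released is None:
        return "warn", "outstanding update is below high severity"
    deadline = asset.patch_released + timedelta(days=REMEDIATION_DAYS)
    if today > deadline:
        return "fail", f"{asset.patch_severity} patch overdue by {(today - deadline).days} day(s)"
    return "pass", f"{asset.patch_severity} patch due within {(deadline - today).days} day(s)"


def assess_inventory(assets: Iterable[SoftwareAsset], today: date) -> Dict[str, Tuple[str, str]]:
    return {a.name: assess_asset(a, today) for a in assets}


# Constructed sample inventory; product names, versions and dates are made up.
SAMPLE_INVENTORY = [
    SoftwareAsset("Browser", "121", True, "122", "high", date(2024, 3, 10)),
    SoftwareAsset("PDF Reader", "9.1", True, "9.3", "critical", date(2024, 2, 20)),
    SoftwareAsset("Office Suite", "2016", False, "2016", None, None),
    SoftwareAsset("Media Player", "3.0", True, "3.1", "medium", date(2024, 3, 1)),
    SoftwareAsset("Text Editor", "7.2", True, "7.2", None, None),
]

if __name__ == "__main__":
    for name, (status, reason) in assess_inventory(SAMPLE_INVENTORY, date(2024, 3, 20)).items():
        print(f"{status.upper():4} {name}: {reason}")
```

Feeding the script a real inventory export (for example, from an RMM or software asset tool) in place of `SAMPLE_INVENTORY` gives a quick list of what would fail the update-management control before the assessor looks at it.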
Cloud Services Accounts without MFA
Many organisations rely on a number of cloud services for business needs, but the user accounts on those services are often not protected by a Multi-Factor Authentication (MFA) technical control. Where a cloud service offers MFA, it should be enabled to minimise the risk of an account compromise.
If MFA cannot be implemented directly on the service, organisations should, where possible, use a Single Sign-On (SSO) solution that enforces MFA when logging into the service. Even if MFA is a paid feature offered by the cloud service provider, it is essential that the feature be purchased and implemented for user accounts in order to achieve Cyber Essentials Plus compliance.
More information about MFA can be found here.
No Execution Policies (.exe /.bat)
As part of the “Secure Configuration” phase of a Cyber Essentials Plus engagement, users are asked to download executable files from a predetermined website provided by the assessor. If the files can be downloaded, the user is then asked to double-click each file to observe the default behaviour when opening it. In most cases the .exe / .bat files execute, which indicates that there are no endpoint security policies in place to prevent the download or execution of files from the internet.
This is one of the most common pitfalls that we find when performing CE+ assessments. There are multiple ways of remediating this, but ultimately all methods fall back to restricting the execution of malicious file types. Users should not be able to download and run executable files from the internet.
Legacy Systems and Software
Legacy systems are older computer systems that remain in use by organisations despite being outdated or no longer supported by the vendor. Some organisations choose to continue using legacy systems because the benefits of keeping them outweigh the cost of replacing or phasing them out.
For organisations that must continue using legacy systems, there are generally two solutions to achieve compliance with Cyber Essentials. The first is to put technical controls in place that segregate the legacy systems from the live environment using robust access controls, such as firewall rules or VLANs. The second is to scope only part of the business for the certification rather than certifying the entire business.
We regularly help companies identify what can be de-scoped from a CE+ engagement, especially those with a large number of industrial control systems that rely on legacy operating systems.
Servers
Organisations often mistakenly assume that servers are not in scope for CE+. The CE+ specification includes all servers, whether they are hosted internally, in a datacentre, or in the cloud (AWS / Azure etc). As it is the responsibility of the organisation to maintain the security of all systems that hold corporate data, it is important that these systems are included in the scope for CE+. As with workstations, the assessment phase only requires a sample of the total number of servers to be tested.
How We Can Help
We are an IASME-approved certification body, which means that we can certify businesses against both the Cyber Essentials Basic and Plus schemes. If your organisation is looking to get certified but isn’t sure whether it will pass, we also provide a Cyber Essentials gap analysis service that highlights any non-compliance without the risk of failing the assessment.
This allows your business to identify areas of non-compliance, make the required fixes with our assistance, and then progress to a formal certification with full confidence. We can help at every step of the way and have extensive experience delivering the scheme.
If you are looking for a Cyber Essentials Basic assessment, this can be easily purchased through our website here.
If you are looking for a Cyber Essentials Plus assessment, please use this form to provide some additional details. We will then strive to get back to you as soon as possible.