Cyber Essentials Plus Vulnerability Scan

Updated:

March 15, 2026

The importance of robust defences against digital threats cannot be overstated. Among the measures available to safeguard organisations against cyberattacks, the Cyber Essentials scheme provides a set of foundational cyber security controls. Building on these, the Cyber Essentials Plus Vulnerability Scan provides a deeper, hands-on verification that the controls are actually in place, strengthening your organisation’s security posture.

This article looks at the components of the Cyber Essentials Plus vulnerability scan and at the role vulnerability scans play in improving your organisation’s security.

What is an external vulnerability scan?

A vulnerability scan is a process that involves using a vulnerability scanner to inspect your external networks and find out what network vulnerabilities and security weaknesses affect the environment in scope.

This collected information is then cross-referenced with a list of known weaknesses to check if any identified software or operating systems are susceptible to exploitation by malicious actors.

The outcome of a vulnerability scan is typically presented as a report, which outlines the vulnerabilities found on each device.

What is the Cyber Essentials Vulnerability Scan?

The Cyber Essentials scan evaluates your internet-facing assets from the outside. It is carried out remotely by a certification body such as Cyphere as part of the certification process. The certification process also requires completing an online self-assessment questionnaire in which organisations assess themselves against five basic security controls, followed by verification by a qualified assessor.

Vulnerability scanning is a long-established technique for identifying weaknesses in your assets from the outside. It helps you measure your attack surface so that you can analyse and remediate the weaknesses identified.

This scan aims to ensure that your company has taken steps to minimise its vulnerability to typical cyberattacks.

What is the Cyber Essentials PLUS Scan?

When seeking Cyber Essentials Plus certification, the certifying organisation will also assess IT assets onsite, such as the internal network, the employees’ IT systems and all the software installed on systems and mobile devices.

As part of the Cyber Essentials Plus certification process, an authenticated vulnerability scan is performed on a sample of the target systems. The purpose of this scan is to confirm that no high or critical risks exist in the infrastructure in scope; any that are found must be rectified by the customer before Cyber Essentials Plus certification can be achieved. This risk assessment aims to identify known vulnerabilities that the customer organisation must address.

A remote audit is usually the preferred method, but an onsite audit is an option where remote access isn’t possible. The audit includes external (internet-facing) and internal (inside the environment) vulnerability scans. Any outdated software versions, default passwords, end-of-life operating systems, or critical vulnerabilities found in elements in scope are treated as a ‘fail’ (or as significant) and require mitigation.

The assets to consider are defined by the Cyber Essentials scope. Organisations pursuing Cyber Essentials Plus certification need both internal and external vulnerability tests.

What is Cyber Essentials Penetration Testing?

Cyber Essentials Plus certification requirements do not mandate penetration testing to achieve certification. Penetration testing is, however, often conducted to assess and improve an organisation’s security posture and to mitigate cyber security risks proactively. Because of the vulnerability assessment requirement, the term ‘Cyber Essentials penetration testing’ is often used interchangeably when referring to the Cyber Essentials Plus process.

Protecting against cyber threats is crucial as they evolve and pose significant business risks.

Cyphere’s CREST penetration testing services include extensive health checks around the organisation and an in-depth assessment of your wireless and wired networks, cloud environments, specific web applications, APIs, and mobile applications.

Requirements for Cyber Essentials

For both Cyber Essentials and Cyber Essentials Plus certification, a substantial portion of the assessment focuses on security controls and on internal and external vulnerability scans, which often demand the most attention for compliance.

Cyber Essentials Plus Vulnerability Scan

External Scan

During the Cyber Essentials certification process, external vulnerability scans are conducted using an approved tool to identify network vulnerabilities. These scans target devices that are accessible from the internet and that either connect to the corporate network or contain customer data.

Vulnerability scanning services are crucial in keeping companies informed of infrastructure changes, ensuring that any new vulnerabilities are promptly identified and addressed.


If you opt for Cyber Essentials through us, we use a cloud-based scanner to assess your external network and security posture. Scanned devices typically include your organisation’s website and any other internet-facing hosts, services, or network devices.

To qualify for certification, all external hosts scanned must meet the following criteria:

  • They should have no vulnerabilities with a CVSS v3 score equal to or greater than 7.
  • They must either authenticate users or restrict access to non-public or non-read-only information.
  • Preventing easy bypassing of authentication is crucial, with multi-factor authentication being beneficial.
  • There should be measures to limit login attempts or lock out users after a maximum of 10 failed login attempts.

Separately, the National Cyber Security Centre (NCSC) has introduced a tiered pricing structure for Cyber Essentials assessment.

Internal Scan

Internal scans, on the other hand, cover a selection of the organisation’s devices (or all of them), chosen by the assessor based on device types and configurations as part of a comprehensive risk assessment.

These internal scans use the credentialed scan method, allowing the scanner to gain comprehensive insights into what’s running on the internal network and offering a more in-depth assessment than external scans.

Since these are internal scans, they are normally performed remotely by a qualified tester, with an on-site visit where remote access isn’t possible. During the internal scan, the assessor examines each vulnerability and evaluates whether it matches all of the following CVSS v3 parameters:

  • Attack vector: Network only
  • Attack complexity: Low only
  • Privileges required: None only
  • User interaction: None only
  • Exploit code maturity: Functional or High
  • Report confidence: Confirmed or High
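As an added example (not Cyphere’s scanner or any certification body’s tooling), the following Python triage applies the two rules described above to scanner findings: the external-host rule (a CVSS v3 score of 7 or more is a fail) and the internal-scan CVSS v3 metric filter. It assumes each finding is a dict carrying the scan type, the CVSS v3 base score and the CVSS v3.x vector string; the sample findings are constructed.

```python
from typing import Dict, List

# Internal-scan filter from the article: a finding matches only if every metric is
# in these sets. E (Exploit Code Maturity) and RC (Report Confidence) are optional
# temporal metrics; when absent they are "X" (Not Defined) and do not match.
INTERNAL_FILTER = {
    "AV": {"N"},      # Attack Vector: Network only
    "AC": {"L"},      # Attack Complexity: Low only
    "PR": {"N"},      # Privileges Required: None only
    "UI": {"N"},      # User Interaction: None only
    "E": {"F", "H"},  # Exploit Code Maturity: Functional or High
    "RC": {"C"},      # Report Confidence: Confirmed (the highest RC value in CVSS v3)
}
EXTERNAL_FAIL_SCORE = 7.0  # external hosts: CVSS v3 score >= 7 is a fail

def parse_vector(vector: str) -> Dict[str, str]:
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {metric: value}; rejects non-v3 strings."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector}")
    return dict(p.split(":", 1) for p in parts[1:])

def fails_internal(vector: str) -> bool:
    m = parse_vector(vector)
    return all(m.get(k, "X") in ok for k, ok in INTERNAL_FILTER.items())

def fails_external(score: float) -> bool:
    return score >= EXTERNAL_FAIL_SCORE

def triage(findings: List[dict]) -> List[dict]:
    """Return the findings that would block certification, tagged with the reason."""
    out = []
    for f in findings:
        if f["scan"] == "external" and fails_external(f["score"]):
            out.append({**f, "reason": "external host: CVSS v3 score >= 7"})
        elif f["scan"] == "internal" and fails_internal(f["vector"]):
            out.append({**f, "reason": "internal scan: matches CVSS v3 filter"})
    return out

# Constructed sample findings (not real scanner output)
SAMPLE = [
    {"id": "F1", "scan": "external", "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
    {"id": "F2", "scan": "external", "score": 5.3, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},
    {"id": "F3", "scan": "internal", "score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RC:C"},
    {"id": "F4", "scan": "internal", "score": 8.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RC:C"},
    {"id": "F5", "scan": "internal", "score": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
]
```

Note that F4 (requires user interaction) and F5 (no temporal metrics in the vector) are high-scoring but fall outside the internal filter, which is exactly why the assessor checks the metric breakdown rather than the score alone.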


Requirements for Cyber Essentials Plus

A substantial portion of the Cyber Essentials Plus assessment focuses on internal and external vulnerability scans, the tests that often demand the most attention for compliance. In addition to these scans, the certification process includes several other tests. Here’s a breakdown of the tests conducted as part of Cyber Essentials Plus:

  1. External vulnerability scan
  2. Internal vulnerability scan (assessing patch management)
  3. Verification of malware protection on end-user devices
  4. Evaluation of the efficacy of end-user device defences against malware delivered via email
  5. Assessment of the effectiveness of end-user device defences against malware delivered through various services and websites

Conclusion

Cyber Essentials scanning is an integral part of the certification process, and it also gives you visibility of your weaknesses. The Cyber Essentials scheme opens further opportunities for your business to demonstrate its cyber security commitment and to be eligible for public sector and highly regulated work where certification is a must-have requirement.

Get in touch to schedule a chat to discuss your security compliance roadmap.
