In the ever-evolving landscape of cybersecurity, the importance of robust defences against digital threats cannot be overstated. Among the measures available to safeguard organisations against cyberattacks, the Cyber Essentials Plus Vulnerability Scan is a significant milestone in ensuring comprehensive protection.
This article looks into the Cyber Essentials Plus vulnerability scan component and how vulnerability scans play an important role in improving your organisation's security.
What is a vulnerability scan?
A vulnerability scan is a process that involves inspecting your internal or external networks to find out what devices are connected to them, as well as the specific operating systems and software being used on these devices.
This collected information is then cross-referenced with a list of known weaknesses to check if any identified software or operating systems are susceptible to exploitation by malicious actors.
The outcome of a vulnerability scan is typically presented as a report, which outlines the vulnerabilities found on each device.
What is the Cyber Essentials Scan?
The Cyber Essentials scan evaluates your internet-facing assets from the outside. It’s carried out remotely by a certification body such as Cyphere as part of the certification process.
Vulnerability scanning is a long-established technique for identifying weaknesses in your assets from the outside. It helps you measure your attack surface so you can analyse and remediate the weaknesses it identifies.
This scan aims to ensure that your company has taken steps to minimise its vulnerability to typical cyberattacks.
What is the Cyber Essentials PLUS Scan?
When seeking Cyber Essentials Plus certification, the certifying organisation will also conduct an on-site assessment of various IT assets, including your employees’ computers and mobile devices.
It includes external (internet-facing) and internal (inside environment) vulnerability scans.
You can find a list of the assets to consider as per the scope of CE. Organisations pursuing Cyber Essentials Certification need internal and external vulnerability tests.
Requirements for Cyber Essentials
The Cyber Essentials Plus certification involves a substantial portion of its assessment focused on vulnerability scans, both internal and external, which often demand the most attention for compliance.
In the context of Cyber Essentials, external vulnerability scans are conducted using an approved vulnerability scanning tool. These scans target devices accessible from the internet and have connections to the corporate network or contain customer data.
If you opt for Cyber Essentials through us, we utilise a cloud-based scanner to assess your external network. Scanned devices typically include your organisation’s website, office firewall, and other internet-facing hosts, services, or network devices.
To qualify for certification, all external hosts scanned must meet the following criteria:
- They should have no vulnerabilities with a CVSS v3 score equal to or greater than 7.
- They must either authenticate users or restrict access to non-public or non-read-only information.
- Authentication must not be easy to bypass; multi-factor authentication helps here.
- There should be measures to limit login attempts or lock out users after a maximum of 10 failed login attempts.
On the other hand, internal scans focus on a selection of the organisation’s devices (or all devices for smaller organisations) determined by the assessor based on device types and configurations.
These internal scans use credentials, allowing the scanner to gain comprehensive insights into what’s running on the internal devices, offering a more in-depth assessment than external scans.
Because these tests are an internal scan, they are performed remotely or on-site by a qualified tester. During the internal scan, the assessor examines each vulnerability and evaluates whether it matches all of the following CVSS v3 parameters:
- Attack vector: Network only
- Attack complexity: Low only
- Privileges required: None only
- User interaction: None only
- Exploit code maturity: Functional or High
- Report confidence: Confirmed or High
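As an added example (not from this article or from Cyphere), the following Python script applies the two sets of scan criteria above to constructed scanner findings: an external host is flagged on any CVSS v3 base score of 7 or more, and an internal finding is flagged only when its CVSS v3 vector matches every listed metric. It assumes CVSS v3.0/v3.1 vector-string notation, in which Confirmed report confidence is encoded as RC:C, and treats temporal metrics absent from a vector as not defined.

```python
"""Triage constructed scanner findings against the Cyber Essentials Plus scan
criteria in this article (sample hosts and vectors are constructed, not real)."""

EXTERNAL_SCORE_THRESHOLD = 7.0   # external hosts: no CVSS v3 score >= 7

# Internal scan: a finding counts only if every metric matches these values.
INTERNAL_CRITERIA = {
    "AV": {"N"},      # Attack vector: Network only
    "AC": {"L"},      # Attack complexity: Low only
    "PR": {"N"},      # Privileges required: None only
    "UI": {"N"},      # User interaction: None only
    "E": {"F", "H"},  # Exploit code maturity: Functional or High
    "RC": {"C"},      # Report confidence: Confirmed (assumed to mean RC:C)
}

def parse_cvss_vector(vector: str) -> dict:
    """Parse a CVSS v3.0/v3.1 vector string into a {metric: value} dict."""
    prefix, _, body = vector.strip().partition("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1") or not body:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in body.split("/"):
        key, sep, value = part.partition(":")
        if not (key and sep and value):
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = value
    return metrics

def fails_internal_criteria(vector: str) -> bool:
    """Absent temporal metrics count as 'X' (not defined) and do not match."""
    metrics = parse_cvss_vector(vector)
    return all(metrics.get(k, "X") in allowed
               for k, allowed in INTERNAL_CRITERIA.items())

def triage(findings):
    """findings: (host, scope, base_score, vector) tuples -> blocking hosts."""
    blocking = []
    for host, scope, score, vector in findings:
        if scope == "external" and score >= EXTERNAL_SCORE_THRESHOLD:
            blocking.append((host, f"external CVSS {score} >= 7"))
        elif scope == "internal" and fails_internal_criteria(vector):
            blocking.append((host, "internal finding matches all criteria"))
    return blocking

SAMPLE_FINDINGS = [  # constructed sample data
    ("www.example.test", "external", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("laptop-01", "internal", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RC:C"),
    ("laptop-02", "internal", 8.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RC:C"),
    ("laptop-03", "internal", 7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RC:C"),
]
```

Running `triage(SAMPLE_FINDINGS)` flags only the external host and laptop-01; laptop-02 (user interaction required) and laptop-03 (proof-of-concept exploit only) fall outside the internal criteria.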
Requirements for Cyber Essentials Plus
A substantial portion of the Cyber Essentials Plus assessment focuses on vulnerability scans, both internal and external, which often demand the most attention for compliance. In addition to these scans, the certification process includes several other tests. Here is a breakdown of the tests conducted as part of Cyber Essentials Plus:
- External vulnerability scan
- Internal vulnerability scan (assessing patch management)
- Verification of malware protection on end-user devices
- Evaluation of the efficacy of end-user device defences against malware delivered via email
- Assessment of the effectiveness of end-user device defences against malware delivered through various services and websites
In today’s interconnected world, where digital threats loom at every corner, the Cyber Essentials Plus Vulnerability Scan emerges as a beacon of security.
Its rigorous evaluation of internal and external vulnerabilities empowers organisations to fortify their defences against cyberattacks, thereby ensuring the safety of their digital assets and the trust of their stakeholders. By embracing this cybersecurity milestone, organisations can confidently navigate the complex terrain of the digital age, secure in the knowledge that they have taken proactive steps to protect what matters most.
Get in touch to schedule a chat to discuss your security compliance roadmap.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.