What is it, how do we complete it, and what do you need to know?
We are often asked about the Cyber Essentials Plus Assessment process, or as some refer to it, the "Exam", so to help explain what this is all about, we have created this article, specifically about how we approach an assessment for you.
NOTE: We will NEVER ask you to share any credentials with us, please do not send us/share with us, or provide any of your identity credentials for any system with our team.
VSA - Cyber Essentials Basic
To proceed to a PLUS level assessment, you must have completed a Verified Self Assessment (VSA) for CE Basic, within the last 90 days. The requirement for Cyber Essentials Plus is that you complete the journey, from basic to plus, within 90 days and ideally, the gap between the Basic and Plus assessments is as small as possible.
If you are more than 90 days, you will have to purchase a new VSA to be able to proceed to Cyber Essentials Plus.
If you cannot complete the CE Plus journey within 90 days, for any reason, you will also need to purchase a new VSA.
Cyber Essentials Plus
The Cyber Essentials Plus is completed by a qualified assessor who will be completing a number of checks and tests to ensure that many aspects of the VSA, as you have attested to, have indeed been put in place and are correctly configured and working.
Testing is completed 100% remotely, whether you are office-based, hybrid, or completely remotely based around the world, it really doesn't matter, as we are set up to complete our work, wherever you and your users happen to be.
The Tests
Our assessment team will be completing a standard set of tests, both via our agents and interactively with you and your users. These include:
- Internal Vulnerability Analysis (Agent-Based)
- End User Devices of all types and operating systems
- Servers of all types
- External Vulnerability Analysis and Enumeration (Assessor Tools)
- The external IP addresses of your office locations
(if no locations, a director home IP)
- The external IP addresses of your office locations
- Interactive Testing with users (GoToAssist, TeamViewer, your own RMM Remote Tools etc)
We utilise our remote support tools, so when we connect to your user's device, we are in effect "your user" and not any special account created for assessment - it is essential that your user's day-to-day account is used for testing and we will not accept any accounts that have been created especially for the testing. Every device being selected for testing must be tested with a unique user account.- Browser Checks (all installed, not just used)
- Checking all browsers are appropriately configured to prevent the download and auto running of executable content (.MSI, .COM, .PS1, .SH, .BAT etc)
- Checking your Anti-Virus blocks the download and execution of test virus files
- Email Checks (Web-based and/or Application-based)
- We will email in a test email to ensure we can send you emails and then a selection of executable content and other malicious test files. We are looking to see that your email platform blocks the virus test files, and ideally other files, but that nothing executes without asking for permission first.
- Anti-Virus Status
- We will be looking to ensure you have a functional anti-virus solution in place (via the checks above and manual review) and that this is up-to-date and active.
- Account Separation Testing
- We will look to ensure that the day-to-day account that you are using (the account you will use when we are testing your devices) is not an administrative account and is a day-to-day standard user account.
- UAC on Windows with Username/Password (not Yes/No)
- SU on Linux, so you are SU-ing a different user and the current user is not set up in sudoers.
- Padlock on a MAC but where a different username for admin and password is used to elevate access.
- PAM/PIM solutions are NOT allowed within Cyber Essentials unless they are elevating a separate admin account, and not where they elevate the same user account as the day-to-day account, as this is not account separation.
- We will look to ensure that the day-to-day account that you are using (the account you will use when we are testing your devices) is not an administrative account and is a day-to-day standard user account.
- Cloud Service Testing
- We will be looking to confirm that at least a user and admin of every cloud service within the scope of the assessment, has MFA enabled.
- Mobile Device Testing
- Using our support tools, we can connect to your mobiles and confirm their compliance with Cyber Essentials, however, if you are a larger mobile estate (50 users plus) you should have a Mobile Device Management or Mobile Application Management (MDM/MAM) solution in place, as it has been deemed impossible to manage a larger mobile estate by a manual or informal policy.
If you have an MDM/MAM solution in place, delivering compliance for Cyber Essentials, it may be possible (if it delivers what we need) to utilise this to assess mobiles.
- Using our support tools, we can connect to your mobiles and confirm their compliance with Cyber Essentials, however, if you are a larger mobile estate (50 users plus) you should have a Mobile Device Management or Mobile Application Management (MDM/MAM) solution in place, as it has been deemed impossible to manage a larger mobile estate by a manual or informal policy.
- Browser Checks (all installed, not just used)
Vulnerability Analysis - Internal
Vulnerabilities are identified daily in virtually anything running software of any description, and these vulnerabilities may just cause problems with the machine, or software application itself, or indeed, could also be used to gain access to your device, or compromise your device by a threat actor, and therefore it is essential that you remove these as soon as possible.
Vulnerabilities are removed via patching, where the vendors release new code, or smaller aspects of their code, to replace vulnerable ones and thus remove the risk.
The risks for each vulnerability are scored using a CVSS (Common Vulnerability Scoring System) score, which will range from 0.00 to 10.00, with 10 being Critical and the Highest Risk and 0.00 generally being informational.
For Cyber Essentials, you have to install patches for any Critical and High vulnerabilities within 14 days of the manufacturer releasing the patch, and, where their patch doesn't state specifically if it contains any particular CVSS-based fixes, you have to install it within 14 days with the assumption that it does have Critical or High fixes.
Cyber Essentials utilises the CVSS 3.1 Base Score for CVSS identification.
For example, Apple often does not release specific CVSS information within their patches, therefore, you have to install all Apple patches within 14 days.
Within your VSA you will have advised that you complete patching within 14 days of release for Critical and High vulnerabilities, and this is what will be checked during the assessment. To do this, we will ask you to install agents onto a set of devices, the quantity of which we will advise, and this agent will assess the device for vulnerabilities and we will then know if you are patched and updated correctly, or if there are remedial actions to complete.
Our agents can be installed individually per device, via scripts using RMM tools or device management tools.
Vulnerability Analysis - External
Just as you have vulnerabilities within the software on user/server devices, you can have similar issues with the software (generally known as firmware) on Routers and Firewall devices and the 14-day requirement, as per the above, applies also to firewalls.
We will externally assess your office IP addresses to determine if there are any outstanding risks and vulnerabilities with your firewall/router devices.
External Port Enumeration
Your external IP address will be interrogated to understand if it is advertising any services to the Internet that can be seen by anyone - if you have such services, these should be declared within your VSA and if we find other issues, these will be advised for remediation.
Cloud Services
All your cloud services should have MFA enabled for users and administrators.
NOTE: There is no such thing as Break-Glass Accounts NOT having MFA, the requirement is that all accounts that can log into a cloud service should have MFA enabled.
MFA of course can be a code on a device, a push notification or indeed, a known IP address - we are interested in something other than the username and password, a second factor.
Whilst we have spelt out Microsoft 365 here (as the most commonly used platform) the same applies to GSuite solutions, where "Cloud Identity" is required to deliver account separation.
Interactive Testing
If you are a Managed Service Provider or an internal IT admin with appropriate tools, we can connect to your device and then, with you, utilise your tools to connect to your client's devices for the assessment.
For our normal assessments, we will utilise our remote support tools to access, on an ad-hoc basis, your end-user devices (interacting as your end user who is logged into the device - not sharing credentials with us). We will never need your end-users or admin credentials.