Qualys is utilised for the vulnerability scanning element of any assessment, and our assessors will remotely and manually test the actual security of the devices during your assessment.
VULNERABILITY SCANNING
To complete a Cyber Essentials Plus assessment, we need to conduct a fully authenticated vulnerability assessment. This is achieved by installing an agent on your systems, which in our case will be Qualys.
The Qualys Agent runs in the background on your devices, checking the software and hardware inventory every 4 to 5 hours and sending that data into the Qualys solution, where a vulnerability assessment is then completed.
No files or information, other than that required for the vulnerability assessment (the hardware and software inventory and basic configuration information), are sent into the Qualys platform.
Qualys will gather:
- IP Address
- The internal IP and the External IP address from which the device is checking in, whether that be in an office, via tethering or indeed at a home location.
- Operating System
- The operating system the device is running, the version of the operating system, and the specific flavour of the operating system. (e.g. Microsoft Windows 11 25H2 Enterprise)
- Software / Drivers
- Software and any "installed" applications on the device (using various methods of identification, including file-level, registry/WMI/DCOM checks), as well as services running on the device.
- Hardware Inventory
- What is the device, its manufacturer, and its specifications? This is an asset scan to ensure that the scanning solution is aware of potential risks on the device. What is the BIOS and its version level? How much disk space and memory does it have? Network information, such as the current default gateway, IPv4 and IPv6 addresses, and DNS server.
- Configuration Information
- How is the device configured? Is it on a domain? Who is in the local users list and groups? Is the firewall enabled? What is the password policy? When was it last rebooted? When was Qualys first installed? An estimate of the geographic location of the device based on the IP address identified. Open ports identified on the device.
- DNS / NETBIOS NAME
- The name of your device, which will include the domain name of the network it is associated with.
- Vulnerabilities identified
- Using the installed software and hardware information, vulnerabilities are identified and listed in any generated reports. Qualys also records when each vulnerability was found: the first time found, the last time found, and any reappearances, together with the related CVE information and its associated CVSS scoring.
- Risk, threat and impact information, including exploitability, associated malware and other technical details, where available, for the identified vulnerability. Where possible, identified and potential fixes are also provided.
- Vendor References
- Bugtraq ID
- PCI Vulnerability Status
- Quantity of Vulnerabilities
- The number of vulnerabilities identified on the device, and the security risk score calculated for it.
- Last known user
- Who was the last known user logged in when the device was scanned? This will be as detailed as the naming you use internally, so if you use firstname.surname, that is precisely what we will see in the results.
INTERACTIVE TESTING
During the interactive testing, you will be working with one of our assessors, who will then assess your devices. We may use any number of connectivity solutions for this, including:
- GoToAssist
- TeamViewer
- Google Remote Desktop
- QuickAssist
- Teams Remote Control
Whilst the assessor is connected to your system, you and/or your users will also be able to see everything that is happening. The only point at which your data could be exposed is when we access your inbox to complete the email platform tests; however, the assessor is only interested in the emails they send to you, not in any other content within your system.
Outside of the email tests, we are looking to ensure your device is set up securely, so we will look at the admin and user account setup and the status of the anti-virus, and we will test all browsers installed on the device (whether used or not) to ensure they do not allow virus files to execute and do not run software on a single click.
We never have remote access to your systems without you being on the device, as you initiate the connection with our assessment team, and we have no way to initiate a connection to you.
MOBILE DEVICE TESTS
If it is possible to assess your devices (required if you have over 30 devices) via a Mobile Device Management Solution (MDM) or Mobile Application Management (MAM), we will do so; however, if we have to access the devices remotely (using one of the tools listed above) we require you to initiate the connection with our assessor. Again, they won't have access without you initiating the connection.
Once connected, our assessor will be able to see what apps are installed on the phone and any background image you may have on the desktop, but that is the limit of the data they can see on your device, aside from its setup, such as the operating system and whether you have jailbroken or rooted the device, for example.
CLOUD SERVICE CHECKS
Our assessors will verify that your cloud services are correctly configured. As such, they will require an administrator to log into the cloud service and provide evidence that the solution is configured to ensure MFA/2FA/2SV is required and enforced for all platform users.
Only if there is no ability to check the entire cloud service will our assessors fall back to having multiple users and administrators sign in to the application to show that MFA/2FA/2SV is enabled on their accounts.
During this testing, some platform data may be exposed to our assessors; however, we are primarily interested in verifying the proof of MFA/2FA/2SV, and therefore, we are capturing that information solely as part of the assessment process.
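As an added example (not part of the assessor's page or the Qualys product), the following script shows the kind of MFA-coverage check an administrator can run over a user export before the assessor asks for evidence. The CSV content, the column names (user, role, mfa_state) and the state values are constructed assumptions, not any real platform's export format; the point it makes is that an account with MFA merely "enabled" (registered but not required at sign-in) is not the same as one where MFA is "enforced", which is what the assessor is looking for.

```python
"""MFA-coverage audit over a constructed user export (added example)."""
import csv
import io
from dataclasses import dataclass

# Constructed sample export: three compliant accounts, one admin whose MFA
# is only enabled, and one user with MFA disabled. Column names are assumed.
SAMPLE_EXPORT = """user,role,mfa_state
alice.smith,admin,enforced
bob.jones,user,enforced
carol.white,admin,enabled
dave.brown,user,disabled
erin.green,user,enforced
"""

# Only "enforced" counts: MFA that is registered but not required at sign-in
# does not demonstrate enforcement for all platform users.
COMPLIANT_STATES = {"enforced"}


@dataclass
class Finding:
    user: str
    role: str
    mfa_state: str


def audit_mfa(csv_text: str) -> list[Finding]:
    """Return every account whose MFA state is not in COMPLIANT_STATES,
    administrators first, since an unprotected admin is the higher risk."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        state = row["mfa_state"].strip().lower()
        if state not in COMPLIANT_STATES:
            findings.append(Finding(row["user"], row["role"], state))
    findings.sort(key=lambda f: (f.role != "admin", f.user))
    return findings


def summarise(csv_text: str) -> dict:
    """Headline numbers an assessor would want alongside the per-user list."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = audit_mfa(csv_text)
    return {
        "total": len(rows),
        "non_compliant": len(findings),
        "admins_non_compliant": sum(1 for f in findings if f.role == "admin"),
        "fully_enforced": not findings,
    }


if __name__ == "__main__":
    for f in audit_mfa(SAMPLE_EXPORT):
        print(f"{f.role:<6} {f.user:<14} mfa={f.mfa_state}")
    print(summarise(SAMPLE_EXPORT))
```

Run against a real export, the same two functions give both the per-account list to remediate and the summary that backs up the "enforced for all users" statement; an empty findings list is the evidence the assessor is asking for.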