During one of IT Governance’s latest events we discussed the up and coming Cyber Essentials scheme. While the requirements of the scheme and its business implications were covered by the speakers, a considerable number of people have approached me with technical questions relating to the scans mandated by the new scheme.
Cyber Essentials defines two types of test: external and internal
In order to achieve Cyber Essentials certification, an organisation will undergo an external scan performed by a certifying body. In order to advance to a Cyber Essentials Plus certification, an additional internal security assessment is required.
The external scan is, simply put, an external vulnerability assessment that attempts to verify whether the individual controls covering the Internet-facing perimeter network have been implemented correctly, and that obvious vulnerabilities are not present.
In more detail, this assessment consists of identifying the current open ports and underlying services on the Internet-facing devices and testing them for known vulnerabilities or security loopholes.
For example, such a scan would attempt to identify the version of OpenSSL used by your web server and compare it with the version affected by the Heartbleed vulnerability. In the event of a match, the system is deemed exposed.
Vulnerability identification does not solely rely on matching open ports or version numbers. In order to verify the existence of a security flaw or misconfiguration, the behaviour of the scoped system would also be analysed.
The internal security assessment consists of two parts. The first targets end-user devices in an attempt to determine whether individual controls have been correctly implemented. This is achieved by recreating various attack scenarios and assessing whether an attacker with basic skills could compromise a system.
Expanding on this, the assessor would attempt to infect the system using malware transmitted via email and downloaded from a website. This not only tests the accuracy and efficiency of spam and anti-malware filters implemented on the organisation’s email server, but also of those implemented on the end device.
The second part is an authenticated scan that verifies the current patch level of the operating system and additional components, along with configuration and vulnerability issues. If any of these is found to be out of date or affected by known vulnerabilities, the system will be deemed exposed. In addition to this, the scanner would also attempt to connect to services requiring authentication using a set of commonly used usernames or passwords.
In order to determine the scope of testing, an organisation needs to identify a sample set consisting of the user devices and common configuration builds. One of each type of device will be tested. For example, if an organisation uses a standard image deployed over a variety of hardware, only one configuration build will require testing. In contrast, an organisation using a single type of hardware but non-standard installations would require each variation to be tested, based on the set of common applications consisting of Office, browsers, Java and Adobe Acrobat along with operating systems.
Ideally, every organisation should already employ a level of security matching or exceeding the requirements of Cyber Essentials Plus. By following such good practice, the organisation in question is not only protected against scripted attacks but also those of unskilled ‘script kiddies’ using automated tools.
If you are looking to achieve certification to Cyber Essentials or Cyber Essentials Plus, you can do it yourself, get a little help, or get a lot of help.