In the press over the last few days were a large number of articles regarding 12 January 2016. This date has gained significance because it marks the point beyond which Microsoft will no longer support versions of Internet Explorer (IE) prior to version 11.
Cyber Essentials (CE) requirements that are affected by the end of life of many of the early versions of IE are covered under patch management:
- Software running on computers and network devices that are connected to or capable of connecting to the internet should be licensed and supported… to ensure security patches for known vulnerabilities are made available.
- Updates to software… running on computers and network devices that are connected to or capable of connecting to the Internet should be installed in a timely manner.
- Out-of-date software (i.e. software that is no longer supported) should be removed from computer and network devices that are connected to or capable of connecting to the Internet.
When a CREST certification body conducts an internal test, one of the things they look for is evidence that the software on the test targets have patches installed. The CE recommends that this be within 30 days for ordinary patches, and within 14 days for security patches. This requirement includes patches for firmware, operating systems and applications, and applies to all targets that are exposed to the Internet.
With the announcement (https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support ) from Microsoft that only IE11 and the Edge browser will be supported in future, complying with the requirements of the Cyber Essential scheme will mean that the following should be implemented:
- All versions of IE prior to IE11 should be removed and only version 11 or the Edge browser should be installed on machines.
- Those organisations using legacy applications dependent on earlier versions of IE should consider Enterprise Mode in IE11, which offers backward compatibility, enabling many organisations to run many of their legacy web applications designed for older versions of Internet Explorer.
From our experience conducting Cyber Essential Plus audits, browsers are only part of the problem – many other applications, such as Java and Office suites, are frequently found to be unpatched or unsupported. We often find the operating systems are patched but the applications that are run on the targets are not subjected to the same patch management controls. Organisations often have to retest the internal targets to gain compliance and, as the Cyber Essentials certification is a ‘moment in time’ test, there is a very short window of opportunity for a successful retest before a new certification application is required and the original attempt is recorded as a failure.
Planning and preparation are the keys to a successful certification, and having achieved certification once is no guarantee of recertification. New vulnerabilities are identified all the time, and patches and security patches for common software can be released on a monthly basis, or even more frequently.
If you are going for CE Plus certification by a fixed deadline, we recommend allowing time for the elements to be tested, and to allow for a potential retest and issuing of the certificate and report.