Vulnerability testing for Cyber Essentials
Once the organisation has determined the scope, the next step in certification to Cyber Essentials is to complete a self-assessment questionnaire (SAQ).
Once the SAQ is completed, the certification body will assess whether it has sufficient confidence that the controls have been effectively implemented. This form of ‘verified self-assessment’ applies to both Cyber Essentials and Cyber Essentials Plus. Each Cyber Essentials accreditation body sets its own requirements for verifying the submitted SAQ, so your experience will vary according to which of them accredits your certification body.
Non-CREST-accredited verification only involves reviewing the information contained in the SAQ. CREST-accredited certification bodies review the questionnaire and conduct an external vulnerability scan of the Internet-facing networks and applications. This scan is used to verify that there are no obvious vulnerabilities present.
The external vulnerability scan is an additional requirement for Cyber Essentials certification mandated by CREST, and serves as an added level of independent assurance beyond the self-reported answers contained in the questionnaire.
Vulnerability testing for Cyber Essentials and Cyber Essentials Plus
The Cyber Essentials scheme technical scans cannot be purchased from a software provider unless that provider is a certification body and the scan has been developed specifically for Cyber Essentials certification purposes.
The aim of the testing is to identify vulnerabilities within an organisation’s Internet-facing infrastructure and user workstations that could be exploited by attackers with a low level of skill. This level of testing assumes no specific threats against an organisation need to be addressed, and that the likely level of attack is in the broad, untargeted style of unsophisticated attacks. This level of testing is specifically not suitable for organisations that may be the target of Advanced Persistent Threat (APT) style attacks.
The following external tests are required for Cyber Essentials:
- External full TCP port and top UDP service scan for stated IP range.
- Vulnerability scan for stated IP range.
- Basic web application scanning for common vulnerabilities.
Cyber Essentials Plus: independently verified
Organisations seeking certification to Cyber Essentials Plus will be required to go through the verified self-assessment tests described above, in addition to a series of internal vulnerability tests of the system(s) in scope.
The tests required for this stage can be described as an authenticated internal scan and a test of the security and anti-malware configuration of each device type/build. The internal scan checks patch levels and system configuration, while the security and anti-malware test checks that the organisation’s systems resist malicious email attachments and web-downloadable binaries. Because the tests are internal, the certification body will require an on-site assessment visit. The tests IT Governance conducts for Cyber Essentials Plus combine vulnerability scans with a series of other tools, and are carried out by qualified and experienced CREST-accredited penetration testing teams.
The following internal tests are required for Cyber Essentials Plus:
- Inbound email binaries and payloads.
- Inbound emails containing URLs linking to binaries and browser exploitation payloads.
- Authenticated vulnerability and patch verification scan.
Upon completion of the tests, a report will be issued, stating the outcomes of the tests and explaining what actions, if any, should be taken in order to eliminate any risks or vulnerabilities. The report is intended to provide customers with meaningful information regarding practical risks to their organisation and its activities.
The need for repeat tests
It is possible that the organisation may fail either the external or the internal tests performed for certification. The certification body will provide a list of the remedial actions that must be completed before the tests can be repeated and a certificate awarded. Once the remedial activities have been completed, the organisation can contact the certification body to repeat the specific tests and, subject to a successful outcome, receive the relevant certificate/badge.
Source: CREST and the Cyber Essentials scheme
IT Governance offers a number of unique solutions to certification that will enable you to achieve certification to Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.