How to Pass Cyber Essentials - Part 1
We see a lot of Cyber Essentials applications through the year and over time it has become clear that some businesses are, quite understandably, not really understanding the questions. This series blog post will be in a number of parts. In each post I will focus on one section of the standard and give you both the “assessors” view on the question and the “pentesters” view. With these combined, you should be able to answer the questions easily and put in place changes in your IT systems to pass the standard.
Once all of the series is completed, we will create a PDF of the guide, along with a little discount code for your assessment. So, on with section 1.
Remote Vulnerability Scan
This section MUST be completed. We received a number of returned questionnaires with nothing entered. Unless your organisation has no internet connection and you do not use email or have a website, then this will result in an automatic fail. So what needs to go in this section?
Your office IP address
This might sound a little obvious, but it is very often missed. The easiest way to get your office IP address is to browse to https://www.whatsmyip.org/. The heading will say “Your IP Address is” and following this will be a series of numbers. This is you IP address. So that goes into the first column. You skip the second column. The third column enter “Our Office IP”. In the fourth column enter “Internally Hosted - In Scope” and leave the last column blank.
The table should look a little like this:
|IP Address||Fully Qualified Domain Name||Name & Description||System Ownership||If out of scope, explain|
|220.127.116.11||Our Office IP||Internally hosted - in scope|
|www.hsec.li||Our website||Internally hosted - in scope|
What are looking for in the Vulnerability Scan?
The vulnerability scan should be very easy to pass yet many companies that end up failing this first time around. So what is it we are looking for? In short, no Critical or High risk vulnerabilities. But lets look at the top vulnerabilities raised over our last 100 assessments:
This is the number one reason for failing. If you have not configured your SSL services to only use TLSv1.1 and higher with a strong cipher suite then you will FAIL! We posted a remediation guide to this and it is the single most visited page on our website. You can find the guide to fixing SSL here.
Patch Your Systems
This is the second most common reason for failing. You would be astounded how many companies fail because they do not patch their systems. If you do not patch your externally facing systems, then you are highly likely to have a Critical or High-risk vulnerability present.
Replace those Out of Support Systems
The third most common reason for failing. Still using Windows 2003 or Windows XP systems. Even 2008 is pretty much out of support now. But the problem is not just confined to Windows. We see a lot of old out of date Linux systems in use. You need to retire these and replace them with modern alternatives.
Cloud / Shared Services Assessment
This part of the assessment is really only looking at your cloud-delivered applications such as Office365, Gmail suite, Salesforce, etc. You should list all SAAS (Software as a service) products that you use within the business.
Description of the service
This is usually the name of the service which you use. For example:
Microsoft Office 365
This is simply the name of the supplier.
Independent audit standards to which the suppliers have been previously assessed.
This can take some digging but it is usually on the supplier’s website somewhere. In some cases you may need to ask the supplier directly. Common answers include:
Evidence of certification provided to the certifying body
This is the most import column for us as the assessor. You need to provide links to, or attach to your return, evidence that the supplier has completed any independent audits.