
The Cyber Essentials Plus Tests

A Cyber Essentials Plus assessment consists of 7 tests, which are conducted in two phases by the KEYSIGMA consultants.

Phase 1 consists of:

  1. A remote external vulnerability assessment.
  2. A remote internal vulnerability assessment.
  3. Mobile device malware protection assessment.

Phase 2, conducted online or in person, consists of:

  1. Multi-factor authentication assessment(s).
  2. Malware protection assessment(s).
  3. Email malware protection assessment(s).
  4. Web malware protection assessment(s).
  5. Account separation tests.

Phase 1

Test 1. External Vulnerability Assessments

The purpose of the external vulnerability assessments is to identify any vulnerabilities that would allow an internet-based, opportunist attacker to hack into your company’s systems using typical low-skill methods.

The KEYSIGMA consultant will scan your external IP address(es) using our industry-leading commercial vulnerability scanners.

For all services that give access to information that is either non-public or writable, the Cyber Essentials Plus standard requires brute-force protection, by either:

  • Requiring Multifactor Authentication.
  • Utilising lockouts or throttling.

Should any vulnerabilities be discovered, KEYSIGMA will provide you with guidance to correct the vulnerabilities and will support your patching efforts by rescanning your external infrastructure until your vulnerabilities have been remediated.

Test 2. Internal Vulnerability Assessments

The Cyber Essentials Plus standard requires that a representative sub-sample of your internal assets is scanned for vulnerabilities using KEYSIGMA’s industry-leading vulnerability scanners.

The purpose of the internal vulnerability scans is to find and rectify any vulnerabilities that could lead to your devices being compromised by an internal attacker.

Vulnerabilities rated High or Critical (CVSSv3 score ≥ 7.0) for which a patch was released more than 14 days ago are not compliant with the Cyber Essentials Plus standard.

KEYSIGMA will provide you with guidance to support your patching efforts and will rescan your internal devices until the vulnerabilities have been remediated.
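The 14-day rule above is easy to apply by hand to one finding but tedious across a whole scan export, so here is an added triage script (written for this page, not KEYSIGMA's own tooling) that classifies constructed sample findings against the rule: High/Critical (CVSSv3 ≥ 7.0) findings whose patch has been out for more than 14 days fail, those still inside the window are flagged as warnings, and everything else is left alone. Hosts, titles and dates are made-up sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Thresholds from the Cyber Essentials Plus rule quoted in Test 2.
CVSS_THRESHOLD = 7.0     # High or Critical under CVSSv3
PATCH_GRACE_DAYS = 14    # days allowed between patch release and installation


@dataclass
class Finding:
    host: str
    title: str
    cvss3: float
    patch_released: Optional[date]  # None: no vendor fix is available yet


def days_overdue(f: Finding, scan_date: date) -> Optional[int]:
    """Days beyond the 14-day window, or None when the rule does not apply.

    The rule only covers High/Critical findings for which a patch exists.
    Zero or negative means the device is still inside the window.
    """
    if f.cvss3 < CVSS_THRESHOLD or f.patch_released is None:
        return None
    return (scan_date - f.patch_released).days - PATCH_GRACE_DAYS


def triage(findings: List[Finding], scan_date: date) -> Tuple[List[Finding], List[Finding]]:
    """Return (failing, in_grace): failing findings block a CE+ pass;
    in_grace ones are High/Critical but still within the 14 days."""
    failing, in_grace = [], []
    for f in findings:
        overdue = days_overdue(f, scan_date)
        if overdue is None:
            continue
        (failing if overdue > 0 else in_grace).append(f)
    return failing, in_grace


# Constructed sample scan output (not real scanner data) for a scan on 2024-03-01.
SCAN_DATE = date(2024, 3, 1)
SAMPLE = [
    Finding("ws-01", "Browser RCE", 9.8, date(2024, 1, 20)),               # 41 days: fails
    Finding("ws-02", "Office memory corruption", 7.5, date(2024, 2, 20)),  # 10 days: in grace
    Finding("ws-02", "Weak cipher advisory", 5.3, date(2023, 6, 1)),       # Medium: rule n/a
    Finding("ws-03", "Unpatched zero-day", 8.1, None),                     # no fix yet: rule n/a
]

if __name__ == "__main__":
    failing, in_grace = triage(SAMPLE, SCAN_DATE)
    for f in failing:
        print(f"FAIL {f.host}: {f.title} ({days_overdue(f, SCAN_DATE)} days past the window)")
    for f in in_grace:
        print(f"WARN {f.host}: {f.title} ({-days_overdue(f, SCAN_DATE)} days left)")
```

A finding whose patch is exactly 14 days old lands in the warning list, because the standard says "more than 14 days".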

Test 3. Mobile Device Security Assessment

KEYSIGMA will also assess the security of your mobile devices, by analysing screenshots collected from the mobile devices in your sample set. These checks will confirm that all devices are:

  • Supported.
  • Up to date (and set to auto-apply security patches).
  • Restricted to downloading applications only from official app stores.
    • Jailbroken iPhones are non-compliant.
    • Side-loaded applications are non-compliant.
  • Free of any untrusted user certificates.

Phase 2

Test 4. Cloud Service Multifactor Authentication Assessment

The MFA checks are in the Cyber Essentials Plus standard for good reason, as passwords are often compromised. However, as the breach of an account configured with multifactor authentication requires both knowledge of the account’s password and control of the authenticating device, MFA makes it exponentially harder for attackers to compromise your cloud services.

To confirm the use of multi-factor authentication, the KEYSIGMA assessor will observe users accessing cloud services using their organisation-issued accounts on an untrusted device.

If this test results in the user being prompted for a form of MFA before access is granted, then a pass is awarded.

Test 5. Malware Protection Assessment

The Cyber Essentials Plus assessment requires the assessor to verify that antivirus is installed and up to date on all of the sampled devices and tests the effectiveness of the installation against malware:

a) Sent via e-mail.

b) Delivered through all installed browsers.

Test 6. Account Separation Assessment

The Cyber Essentials Plus standard requires administrative and user accounts to be separated, with the low-privileged user account used for day-to-day activities and the administrative account used for administrative duties only.

The rationale for this is easy to understand. For example, imagine that your users inadvertently download a malicious file which leads to an attacker taking control of the affected device. If the user has administrative rights, then after the initial compromise, the attacker would have full control of the compromised system. 
 
However, if the user account has been configured as a standard, low-privileged account, the hacker would then have to try to elevate their privileges to take control of the system in what’s known as a privilege escalation attack, a technique that requires a much more advanced skillset.

To confirm your account separation in the Cyber Essentials Plus assessment, the KEYSIGMA consultants will try to run administrative processes on your standard user accounts.

A pass is obtained if the user is prompted for additional credentials and the process does not run using the user account’s credentials.

How to Start Your Assessment

Schedule a free 30 minute consultation with a KEYSIGMA Cyber Advisor