The Cyber Essentials Plus Tests

A Cyber Essentials Plus assessment consists of 7 tests, which are conducted in two phases by the KEYSIGMA consultants. 

Phase 1 consists of:

  1. An external vulnerability assessment
  2. An internal vulnerability assessment
  3. Mobile device malware protection assessment

Phase 1 of the assessment is performed remotely by the KEYSIGMA consultants.

Phase 2 consists of:

  1. Multi-factor authentication assessment(s)
  2. Malware protection assessment(s)
  3. Email malware protection assessment(s)
  4. Web malware protection assessment(s)
  5. Account separation tests

Phase 2 of the assessment is performed over a Microsoft Teams call between the owners of your company’s devices and the KEYSIGMA consultants.

Phase 1

Test 1. External Vulnerability Assessments

The purpose of the external vulnerability assessments is to identify any vulnerabilities that would allow an internet-based opportunist attacker to hack into your company’s systems using typical low-skill methods.

The KEYSIGMA consultant will scan your external IP address(es) using our industry-leading commercial vulnerability scanners.

Should any vulnerabilities be discovered, KEYSIGMA will provide you with guidance to correct the vulnerabilities and will support your patching efforts by rescanning your external infrastructure until your vulnerabilities have been remediated. 

The company will pass the assessment provided that the externally available services do not include high-risk vulnerabilities (with a CVSS 3 score greater than 7).

For all services that give access to information that is either non-public or writable, to comply with the Cyber Essentials Plus standard:

  ○ Users need to authenticate to the service.

  ○ Multi-factor authentication is in use.

For services that do not have multi-factor authentication available, default passwords must have been changed and the service must throttle login attempts or lock users out.

Phase 1

Test 2. Internal Vulnerability Assessments

The Cyber Essentials Plus standard requires that a representative sub-sample of your internal assets undergo the internal device assessment.

The purpose of the internal vulnerability scans is to find and rectify any vulnerabilities that could lead to your devices being compromised by an internal attacker.

KEYSIGMA will use the same industry-leading vulnerability scanners to scan the sampled internal devices for vulnerabilities.

Vulnerabilities rated High or Critical by the vendor for which a patch was released more than 14 days ago, or vulnerabilities rated at 7 or higher on the CVSSv3.0 scale for which a patch was released more than 14 days ago, are not compliant with the Cyber Essentials Plus standard.

Should any vulnerabilities be discovered in your internal devices, KEYSIGMA will provide you with guidance to support your patching efforts and will rescan your internal devices until the vulnerabilities have been remediated.
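The pass criteria for Test 1 (external: CVSS 3 greater than 7) and Test 2 (internal: vendor High/Critical or CVSS 3 of 7 or higher, only once a patch has been available for more than 14 days) differ in two details that are easy to get wrong when triaging scanner output. The script below, added here as an illustration and not a KEYSIGMA tool, applies both rules to constructed sample findings; the Finding fields and the triage() helper are assumptions, not part of the standard or any scanner's output format.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Thresholds as stated on the page. External: fail on CVSS v3 strictly > 7.
# Internal: fail on vendor High/Critical or CVSS v3 >= 7, but only when the
# vendor patch has been available for more than 14 days.
EXTERNAL_CVSS_FAIL_ABOVE = 7.0
INTERNAL_CVSS_FAIL_AT = 7.0
PATCH_GRACE_DAYS = 14


@dataclass
class Finding:                      # assumed shape; adapt to your scanner's export
    host: str
    issue: str
    cvss3: float
    vendor_severity: str            # "Low", "Medium", "High" or "Critical"
    patch_released: Optional[date]  # None if the vendor has no patch yet


def external_blocks_pass(f: Finding) -> bool:
    """External rule: a service scoring strictly above 7 fails (7.0 itself passes)."""
    return f.cvss3 > EXTERNAL_CVSS_FAIL_ABOVE


def internal_blocks_pass(f: Finding, today: date) -> bool:
    """Internal rule: severe finding AND patch older than the 14-day grace period."""
    severe = f.vendor_severity in ("High", "Critical") or f.cvss3 >= INTERNAL_CVSS_FAIL_AT
    if not severe or f.patch_released is None:   # no patch yet: not a failure under this rule
        return False
    return (today - f.patch_released).days > PATCH_GRACE_DAYS


def triage(findings: List[Finding], scope: str, today: date) -> List[Finding]:
    """Return the findings that would stop a pass for scope 'external' or 'internal'."""
    if scope == "external":
        return [f for f in findings if external_blocks_pass(f)]
    return [f for f in findings if internal_blocks_pass(f, today)]


# Constructed sample scan output (hostnames and issues are made up).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("ws-01", "outdated browser", 7.0, "High", date(2024, 4, 1)),       # patch 61 days old
    Finding("ws-02", "os update pending", 8.8, "Critical", date(2024, 5, 25)),  # 7 days: in grace
    Finding("ws-03", "weak cipher", 5.3, "Medium", date(2023, 1, 1)),          # not severe
    Finding("mail-gw", "unpatched flaw", 9.8, "Critical", None),               # no patch exists
]

if __name__ == "__main__":
    for scope in ("internal", "external"):
        for f in triage(SAMPLE, scope, TODAY):
            print(f"{scope.upper()} FAIL {f.host}: {f.issue} (CVSS {f.cvss3})")
```

Note that the same CVSS 7.0 finding passes the external rule but fails the internal one, and that a finding with no vendor patch is tracked but does not block the internal pass under the 14-day rule.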

Phase 1

Test 3. Mobile Device Assessments

KEYSIGMA will also assess the security of your mobile devices to confirm that they are updated and not jailbroken.

This will be performed by the KEYSIGMA consultants analysing screenshots collected from the mobile devices in your sample set. 

Once your organisation has successfully passed phase 1 of the assessment, KEYSIGMA will schedule phase 2, which will be performed remotely over a Microsoft Teams call.

Phase 2

Test 1. Cloud Service Multifactor Authentication Assessment

The MFA checks are in the Cyber Essentials Plus standard for good reason, as passwords are often compromised.

However, as the breach of an account configured with multi-factor authentication requires both knowledge of the account’s password and control of the authenticating device, MFA makes it exponentially harder for a would-be attacker to compromise your cloud services.

To confirm the use of multi-factor authentication the Key Sigma assessor will observe users accessing cloud services using their organisation issued accounts on an untrusted device.

If this test results in the user being prompted for a form of MFA before access is granted, then a pass is awarded.

This test is performed on all cloud services, covering both user and administrator access.

The KEYSIGMA consultants will assist you to enable MFA on your cloud services if it hasn’t been enabled already. 

 

Phase 2

Test 2. End User Device Malware Protection

Given that antivirus products prevent malware from causing damage to your device by detecting, quarantining or deleting malicious code, the Cyber Essentials Plus standard requires that each device has AV installed.

Phase 2

Test 3. Email Malware Protection Assessment

As part of the Cyber Essentials Plus audit, the Key Sigma consultant will send emails containing inert malware files to user accounts on your system.

These files have been created with all the hallmarks of a malicious untrusted file: they are unsigned and uncommon, and should trigger software restriction policies.

The Cyber Essentials standard requires that these files, if received, cannot be inadvertently executed by unwitting users.

Phase 2

Test 4. Web Malware Protection Assessment

As part of the Cyber Essentials Plus audit, the Key Sigma consultant will test the secure configuration of all of your browsers.

To pass the assessment, all of the browsers must present a warning about, or block, the inert malicious binary hosted by the Key Sigma assessor.

To pass the assessment, all virus files must be blocked, and all executable files must prompt a warning or require user interaction before being run (this is the two-click rule).

Phase 2

Test 5. Account Separation Assessment

The Cyber Essentials Plus standard requires administrative and user accounts to be separated.

The rationale for this is easy to understand. For example, imagine that one of your users inadvertently downloads a malicious file, which leads to an attacker taking control of the affected device. If the user has administrative rights, then after the initial compromise the attacker would have full control of the compromised system.

However, if the user account has been configured as a standard, low-privileged account, the attacker would then have to try to elevate their privileges to take control of the system in what’s known as a privilege escalation attack, a technique that requires a much more advanced skillset.

To confirm your account separation in the Cyber Essentials Plus assessment, the Key Sigma consultants will try to run administrative processes on your standard user accounts.

A pass is obtained if the user is prompted for an additional login and the process does not run using the user account’s credentials.

Begin Your Cyber Essentials Plus Journey With a Free Consultation With a Key Sigma Technical Expert!