The Cyber Essentials Plus Tests
A Cyber Essentials Plus assessment consists of the following tests, which are conducted in two phases by the KEYSIGMA consultants:
- An external vulnerability assessment
- An internal vulnerability assessment
- A mobile device malware protection assessment
- Multi-factor authentication assessment(s)
- Malware protection assessment(s)
- Email malware protection assessment(s)
- Web malware protection assessment(s)
- Account separation tests
Phase 1
Test 1. External Vulnerability Assessments
The KEYSIGMA consultant will scan your external IP address(es) using our industry-leading commercial vulnerability scanners.
Should any vulnerabilities be discovered, KEYSIGMA will provide guidance to correct them and will support your patching efforts by rescanning your external infrastructure until the vulnerabilities have been remediated.
The company will pass the assessment provided that the externally available services do not expose high-risk vulnerabilities (CVSS v3 base score of 7.0 or higher).
For all services that give access to information that is either non-public or writable, the Cyber Essentials Plus standard requires that:
○ users authenticate to the service, and
○ multi-factor authentication is in use.
For services that do not offer multi-factor authentication, default passwords must have been changed and the service must throttle login attempts or lock accounts out after repeated failures.
Phase 1
Test 2. Internal Vulnerability Assessments
The Cyber Essentials Plus standard requires that a representative sub-sample of your internal assets undergo the internal device assessment.
The purpose of the internal vulnerability scans is to find and rectify any vulnerabilities that could lead to your devices being compromised by an internal attacker.
KEYSIGMA will use the same industry-leading vulnerability scanners to scan the sampled internal devices for vulnerabilities.
Vulnerabilities rated High or Critical by the vendor, or scored 7.0 or higher on the CVSS v3.0 scale, for which a patch was released more than 14 days ago are not compliant with the Cyber Essentials Plus standard.
Should any vulnerabilities be discovered in your internal devices, KEYSIGMA will provide guidance to support your patching efforts and will rescan your internal devices until the vulnerabilities have been remediated.
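As an added illustration (example code written for this page, not a KEYSIGMA tool and not any scanner's export format), the following Python applies the rule stated above to a list of scanner findings so that a report can be triaged before the assessor's scan. The `Finding` fields, hostnames, titles and dates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds taken from the rule stated in the text above.
PATCH_GRACE_DAYS = 14
CVSS_THRESHOLD = 7.0
HIGH_SEVERITIES = {"high", "critical"}


@dataclass
class Finding:
    """One scanner finding. Field names are an assumption for this example, not a vendor schema."""
    host: str
    title: str
    vendor_severity: str            # vendor rating, e.g. "Critical", "High", "Medium", "Low"
    cvss3: Optional[float]          # CVSS v3.0 base score, None if the scanner gave none
    patch_released: Optional[date]  # date the vendor published a fix, None if no fix exists


def is_serious(f: Finding) -> bool:
    """Either leg of the severity test: vendor High/Critical OR CVSS v3.0 >= 7.0.
    A vendor 'Medium' carrying a 7.5 base score still counts; this is the case people miss."""
    by_vendor = f.vendor_severity.strip().lower() in HIGH_SEVERITIES
    by_cvss = f.cvss3 is not None and f.cvss3 >= CVSS_THRESHOLD
    return by_vendor or by_cvss


def patch_age_days(f: Finding, assessed_on: date) -> Optional[int]:
    """Days since the fix was published as of the assessment date, or None if no fix exists."""
    if f.patch_released is None:
        return None
    return (assessed_on - f.patch_released).days


def is_noncompliant(f: Finding, assessed_on: date) -> bool:
    """True when the finding fails the stated rule: serious AND fix older than 14 days."""
    age = patch_age_days(f, assessed_on)
    return is_serious(f) and age is not None and age > PATCH_GRACE_DAYS


def days_remaining(f: Finding, assessed_on: date) -> Optional[int]:
    """Days of the grace window left for a serious, fixable finding (None otherwise)."""
    age = patch_age_days(f, assessed_on)
    if not is_serious(f) or age is None:
        return None
    return max(PATCH_GRACE_DAYS - age, 0)


def triage(findings: List[Finding], assessed_on: date) -> Dict[str, List[Finding]]:
    """Bucket findings for the pre-assessment review:
    failing  - fails the 14-day rule as written; must be patched before the scan
    in_grace - serious, but the fix is 14 days old or newer; patch before the window closes
    no_fix   - serious with no vendor fix; outside the patch rule, but mitigate and document it
    other    - below the severity threshold"""
    buckets: Dict[str, List[Finding]] = {"failing": [], "in_grace": [], "no_fix": [], "other": []}
    for f in findings:
        if is_noncompliant(f, assessed_on):
            buckets["failing"].append(f)
        elif is_serious(f) and f.patch_released is None:
            buckets["no_fix"].append(f)
        elif is_serious(f):
            buckets["in_grace"].append(f)
        else:
            buckets["other"].append(f)
    return buckets


# Constructed sample findings, not real scan results.
ASSESSED_ON = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("ws01", "Missing May cumulative update", "Critical", 9.8, date(2024, 5, 10)),             # 22 days old
    Finding("ws02", "Outdated browser build", "High", 8.8, date(2024, 5, 25)),                       # 7 days old
    Finding("ws03", "SMB signing not required", "Medium", 5.3, None),                                 # below threshold
    Finding("srv01", "Vendor Medium, CVSS 7.5 privilege escalation", "Medium", 7.5, date(2024, 4, 1)),  # 61 days old
    Finding("ws04", "Critical bug, no vendor fix yet", "Critical", 9.0, None),                       # no fix
    Finding("srv02", "Fix published exactly 14 days ago", "High", 8.1, date(2024, 5, 18)),          # boundary
]


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FINDINGS, ASSESSED_ON).items():
        for f in items:
            left = days_remaining(f, ASSESSED_ON)
            extra = f"  ({left} days left)" if bucket == "in_grace" else ""
            print(f"{bucket:9} {f.host:6} {f.title}{extra}")
```

Three points the script makes explicit: "more than 14 days ago" means a fix published exactly 14 days before the assessment date is still inside the window; the vendor rating and the CVSS score are two independent tests, so a vendor "Medium" with a 7.5 base score still fails; and a serious finding with no vendor fix is not caught by the patch-age rule at all, so it needs a documented mitigation rather than a patch.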
Phase 1
Test 3. Mobile Device Assessments
Once your organisation has successfully passed phase 1 of the assessment, KEYSIGMA will schedule phase 2, which is performed remotely over a Microsoft Teams call.
Phase 2
Test 1. Cloud Service Multi-factor Authentication Assessment
The MFA checks are in the Cyber Essentials Plus standard for good reason: passwords are frequently compromised.
Because breaching an account protected by multi-factor authentication requires both knowledge of the account's password and control of the authenticating device, MFA makes it substantially harder for a would-be attacker to compromise your cloud services.
To confirm the use of multi-factor authentication, the KEYSIGMA assessor will observe users accessing cloud services with their organisation-issued accounts from an untrusted device.
If the user is prompted for a second factor before access is granted, a pass is awarded.
This test is performed for both standard user and administrator access on all in-scope cloud services.
The KEYSIGMA consultants will assist you in enabling MFA on your cloud services if it has not been enabled already.
Phase 2
Test 2. End User Device Malware Protection
Phase 2
Test 3. Email Malware Protection Assessment
As part of the Cyber Essentials Plus audit, the KEYSIGMA consultant will send emails containing inert (harmless) test malware files to user accounts on your system.
Phase 2
Test 4. Web Malware Protection Assessment
As part of the Cyber Essentials Plus audit, the KEYSIGMA consultant will test the secure configuration of all of your browsers.
Phase 2
Test 5. Account Separation Assessment
The Cyber Essentials Plus standard requires administrative and standard user accounts to be separated.
To confirm your account separation, the KEYSIGMA consultants will attempt to run administrative processes from your standard user accounts.
A pass is obtained if the user is prompted for an additional (administrator) login and the process does not run using the standard user account's credentials.