Cyber Essentials & Cyber Essentials Plus: Our Journey

We have recently achieved the much coveted Cyber Essentials Plus, just over two months after being awarded the ever popular Cyber Essentials. Both achievements, it is fair to say, taught us lessons that were not entirely expected.

I thought I would document some of these lessons at a high level for the benefit of other businesses thinking of travelling down the same road.

Why?

I would like to start with the question of Why? Why did we start on this journey in the first place?

In short, we started down the first tier of Cyber Essentials to support our GDPR strategy. A common theme within our business though, whether it relates to Data Cabling & Power, IP Surveillance, Voice Telephony or IT Support & Security, is that we are never satisfied with achieving just the minimum requirement, and the Plus certification was always on our radar.

On embarking on this journey, the first thing that took us by surprise was how engrossed we became in both assessments and in integrating cyber strategies into the fabric of our business operation. I mean, we thought that we were secure as we stood. We had an excellent track record of keeping our partners and ourselves safe from breaches – a 16-year unbroken record in fact.

Previously, our approach consisted of regularly patched operating systems, constantly updated firewall rules, secure LAN segmentation, a proactive anti-malware policy and process, and Cisco Umbrella as an extra layer of defence.

Little did we know how deep the Cyber Essentials Hole would go…

Looking back now, post-op, it makes me question whether our previous approach, whilst effective, was a little too self-confident.

First Stop….Cyber Essentials

Obtaining Cyber Essentials is not difficult with the correct planning and strategies in place. The true journey starts afterwards, with the ongoing commitment to honouring what you have documented and submitted.

When we passed our Cyber Essentials, one of the key items that struck us was the requirement to deploy critical patches within 14 days. Now, personally, I feel 30 days is a more reasonable timeframe in which to complete internal processes such as change control, testing and roll-back plans (technically all part of change control) and still manage to do the day job of looking after customers. Tightening this to 14 days is a challenge.

Nevertheless, I put some thought into this and planned a manual way in which we could achieve it. Needless to say, after the first month the process was reviewed in favour of a more automated (and costly) approach.

Just to be clear, this is not just a case of installing Windows Server Update Services (WSUS) and scheduling regular patching of your Windows estate. All applications must be included: Adobe products such as Flash and Reader, utilities such as 7-Zip and PuTTY, and all Internet browsers. You get the picture!

We therefore expanded our internal monitoring systems to incorporate system reporting and patching. The only thing we still patch manually is the server estate. This is by design, as we feel it still requires a more controlled and granular process.

As a business, we have not historically enforced strict software policies. As long as licensing is compliant we have been happy for staff to install what they need to make their lives simple and productive.

We had to change our mindset, however, since becoming involved with the Cyber Essentials programme, as we cannot control the software across our estate if we have no visibility of it. This has led us to introduce a new software policy and improve software reporting across the desktop and server estate.

Other policies that were updated in line with Cyber Essentials were password, mobile device, account creation & teardown policies to name but a few.

Generally speaking, these have been relatively simple to change as we have a user-base where the majority of our users are IT literate and can cope with these changes. I suspect for other organisations this may prove to be quite a challenge!

How Do Colleagues in the Industry Feel?

Since achieving Cyber Essentials certification I have spoken to quite a few businesses that have also gone through the same process.

On the whole, I am pleased to say that most, like ourselves, have embraced the process as an integral part of their security strategy. Unfortunately, this has not been the case for everyone. Some see it as a necessity for GDPR or other immediate compliance reasons and are not adopting the practices needed to remain continuously compliant. One conversation I had that left me thinking ‘why did you bother in the first place?’ was with a business that claimed to me they had managed to get 95% of their infrastructure classed as ‘Out of Scope’. I am sure that they have their own legitimate reasons, otherwise the assessor would not have passed them; maybe I was just missing something!

Another unexpected (but positive) surprise to come out of achieving Cyber Essentials has been a number of customers approaching us to help them through the assessment.

Although we do not do the assessment ourselves (and have no desire to do so), we work closely with a partner for the assessment part and we help with the compliance element. As the customers that have approached us are already supported by us, we have been able to expand their support contracts so that Cyber Essentials is bound into the fabric of their security strategy and, assisted by ourselves, they remain compliant.

Then there was Cyber Essentials Plus…

The first step on the road toward our Plus certification was a conference call between myself and our chosen assessor.

This was a great call: had they not given us a heads-up on the length and depth they go into, it would have been very difficult to pass on the first assessment (which, I am proud to say, we did).

Generally speaking, the first rule is that most things are in scope, for example:

  1. Mobile Phones – even if they are not company phones, they are in scope if they access company data, e.g. email.
  2. Wireless Infrastructure – access points and controllers must be current and patched up to date (remember the 14-day rule discussed previously; this affects wireless also).
  3. Firewalls – I assume we all expect firewalls to be 100% in scope, and they are, but remember that it is not just patching within 14 days that is in scope. Any publishing rules you have are also subject to vulnerability scanning: if the service on the receiving end contains vulnerabilities, you will fail the audit. This should therefore link back into your server and service patching plan.
  4. Server & Service Patching – as with Cyber Essentials, all critical patches must be applied within 14 days. The main difference with Plus is that this is verified with scans and specific tests.
  5. Desktops & Laptops – vulnerability scanning across all desktops and laptops is in scope, as are all installed applications.
  6. Other Devices – basically anything with an IP address is in scope, so the key is to make sure that the model/software/version is still under support or current and is patched up to date. This may include IP phones, virtual appliances, hypervisors (e.g. vSphere) or CCTV systems.
  7. Anti-Malware – downloading executable files, opening malware-infected documents, and downloading and launching known viruses are also tested.
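The list above and the earlier point about applications come down to one check: for everything with an IP address, is the installed software still vendor-supported, and has every critical fix been applied within 14 days of its release? The Python below, an added example that is not part of the original post or of Advantex's own tooling, runs that check over an inventory. Every asset name, product, version string and date in it is constructed sample data; the only figures taken from the page are the 14-day window and the 30 days the author would prefer.

```python
"""Added example (not from the original post): 14-day critical-patch compliance
check across an asset inventory covering desktops and their applications,
firewalls, wireless kit, phones and anything else with an IP address.

All assets, products, versions and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

CE_WINDOW_DAYS = 14         # Cyber Essentials: critical fixes applied within 14 days
PREFERRED_WINDOW_DAYS = 30  # the timeframe the post's author would find more reasonable


@dataclass(frozen=True)
class Fix:
    product: str
    fixed_version: str   # first version that contains the critical fix
    released: date       # vendor release date of that fix


@dataclass(frozen=True)
class Asset:
    name: str
    role: str              # desktop, server, firewall, wireless, phone, hypervisor ...
    installed: dict        # product -> installed version string
    supported: bool = True # vendor still supports this model / software line


@dataclass(frozen=True)
class Finding:
    asset: str
    product: str
    status: str            # "unsupported", "overdue" or "pending"
    days_since_fix: int = 0


def parse_version(v):
    """Dotted numeric version -> tuple of ints; non-digit characters are ignored,
    so vendor-specific schemes need their own comparison in real use."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_older(installed, fixed):
    """True when the installed version predates the version carrying the fix."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def assess(assets, fixes, today, window_days=CE_WINDOW_DAYS):
    """One Finding per (asset, product) that needs attention.

    unsupported: the vendor no longer supports it, so it can never be patched
                 up to date and must be upgraded or replaced (list item 6).
    overdue:     a critical fix is missing and was released more than
                 window_days ago, which fails the 14-day rule.
    pending:     a critical fix is missing but still inside the window.
    """
    by_product = {}
    for f in fixes:
        by_product.setdefault(f.product, []).append(f)

    findings = []
    for asset in assets:
        if not asset.supported:
            for product in asset.installed:
                findings.append(Finding(asset.name, product, "unsupported"))
            continue
        for product, version in asset.installed.items():
            missing = [f for f in by_product.get(product, [])
                       if is_older(version, f.fixed_version)]
            if not missing:
                continue
            oldest = min(missing, key=lambda f: f.released)  # worst case counts
            age = (today - oldest.released).days
            status = "overdue" if age > window_days else "pending"
            findings.append(Finding(asset.name, product, status, age))
    return findings


def is_compliant(findings):
    """Passes only when nothing is overdue or unsupported."""
    return all(f.status == "pending" for f in findings)


# Constructed sample data: a pretend scan date and some made-up releases.
TODAY = date(2018, 9, 3)

SAMPLE_FIXES = [
    Fix("Reader",      "3.2.0",  date(2018, 8, 10)),  # 24 days old at TODAY
    Fix("7-Zip",       "18.5.0", date(2018, 8, 28)),  #  6 days old
    Fix("Firewall OS", "9.1.4",  date(2018, 8, 1)),   # 33 days old
    Fix("AP firmware", "5.0.2",  date(2018, 7, 1)),   # 64 days old
]

SAMPLE_ASSETS = [
    Asset("WS-01",     "desktop",  {"Reader": "3.1.9", "7-Zip": "18.5.0"}),
    Asset("WS-02",     "desktop",  {"Reader": "3.2.0", "7-Zip": "18.1.0"}),
    Asset("FW-EDGE",   "firewall", {"Firewall OS": "9.1.3"}),
    Asset("AP-FLOOR1", "wireless", {"AP firmware": "5.0.2"}),
    Asset("PHONE-12",  "phone",    {"Phone firmware": "2.0.0"}, supported=False),
]

if __name__ == "__main__":
    for window in (CE_WINDOW_DAYS, PREFERRED_WINDOW_DAYS):
        print(f"--- {window}-day window ---")
        for f in assess(SAMPLE_ASSETS, SAMPLE_FIXES, TODAY, window):
            print(f"{f.asset:10} {f.product:15} {f.status:12} {f.days_since_fix:>3}d")
        print("compliant:", is_compliant(assess(SAMPLE_ASSETS, SAMPLE_FIXES, TODAY, window)))
```

Running it with the sample data shows the difference the window makes: WS-01's Reader, 24 days behind a critical fix, is overdue under the 14-day rule but would still be pending under 30 days, while the firewall at 33 days fails either way and the unsupported phone fails regardless of patching.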

Armed with this information, we set up an internal vulnerability scanner, divided the work by device role and started scanning devices accordingly. The scans we ran were comprehensive scans that also actively tested any vulnerability found.

Now, coming back to my earlier comment about our attitude going into the Cyber Essentials assessments, we were again taken aback by the sheer number of possible vulnerabilities found. Bear in mind that, with the estate patched up to date, you would assume the vulnerabilities were covered. In short, they were not.

Now, with a more targeted list, we hit our infrastructure hard. Many a change request was written, many a vulnerability closed and retested. One of the interesting things we discovered was that many of those found were not resolved by software patches but by hardening the registry; some even required software patches to be installed in a specific order (I still think there was something off with that one, a cumulative update not being very cumulative).

Once the first list had been tackled, we re-scanned and found more vulnerabilities that required hardening. We then proceeded to attack them until we were clean.

Now, for a business that for the last 16 years had never suffered a breach, this was a valuable lesson learnt. I appreciate that we have, as do many businesses, many lines of defence in terms of anti-malware, firewalls, DNS security and Intrusion Prevention Systems. Should any of these systems fail and an attacker gain access to the infrastructure, it is these vulnerabilities that would be exploited to gain unauthorised access.

Having gone through the rigorous and thorough Cyber Essentials Plus, I would now challenge any business to question its security, as I suspect many will be in a much weaker position than we found ourselves in.

D-Day : The Day of the Audit

On the day of the audit, I and one of my senior technical staff worked with the auditor to start the assessment process. We started extremely confident with all the work we had put in; surely passing this was just a tick box exercise?

Again, we were wrong. Although it was not a painful audit there were a few items highlighted that needed some attention but once addressed, we passed with no other major issues.

The biggest lesson learned? Cyber Essentials Plus is a process that I would recommend any business, big or small, goes through. The insight it gives you into your infrastructure that you were previously unaware of is invaluable and, potentially, incalculable to your partners (clients).

The Good News

The good news for us though is that from here on in, this will not be the sizeable job it was to achieve compliance. From now on, it will be regular, manageable incremental improvements and patching as new vulnerabilities are found.

It is interesting that we found a vulnerability (non-critical) in vSphere’s vCenter Server Appliance v6.7c that, when we reported it to VMware, not even they were aware of.

I have since been informed they are currently working on a fix!

Address

Advantex Network Solutions Limited
16B Follingsby Close
Gateshead
Tyne and Wear
NE10 8YG

Phone

0345 222 0 666