Is your company thinking of becoming Cyber Essentials Plus certified? The work our team performed for Cambridge Kinetics will help you see what is involved. Cambridge Kinetics are software development experts and came to us needing to ensure that the organisation's security configuration was compliant. David, our Cyber Security Specialist, said that a Cyber Essentials Plus certification would be the best plan of action.
Being Cyber Essentials Plus certified
Cyber Essentials is a government-led scheme that helps organisations better protect their company with the best cyber security practices. There are two certifications, the standard Cyber Essentials and Cyber Essentials Plus. Being certified reassures customers that, as a company, you are working to secure your IT against cyber attacks. Being certified could attract new business because of the promise that you have cyber security measures in place. It also shows that your company has a clear picture of your organisation's cyber security level. Lastly, many government contracts even require a Cyber Essentials certification.
The challenge Cambridge Support faced
Cambridge Support needed to guide our client, Cambridge Kinetics, through the entire process of the certification. Working with their Managing Partner, Jason, we carried out work on the following subjects:
- End user computers – checking if they are on a compliant OS version with the latest update patch.
- Servers – checking whether they are on a compliant OS version with the latest update patch.
- Tablets – ensuring they are on a compliant OS version with the latest update patch.
- Network equipment – checking whether the equipment is still supported and on the latest update patch.
- Firewall checks.
- Password policy checks.
- Software patching – checking that only supported software is installed and that it is on the latest update patch.
- MFA configuration – checking whether Multi-Factor Authentication is enabled on their main Microsoft platform and whether it is configured on their other cloud services.
The solution we presented
An audit of seven tests was performed by Cambridge Support, shown below:
- Test Case 1: Remote vulnerability assessment. We require the external IP address that is in scope to run a vulnerability scan.
- Test Case 2: Check patching. Both OS and software were checked. We also checked for unsupported software. The most commonly missed items are things like .NET and Visual C++ runtimes.
- Test Case 3: Check malware protection on EUDs (end-user devices). This is checking that an anti-malware solution is enabled and that it is up to date.
- Test Case 4: Check effectiveness of EUD defences against malware delivered by email. The auditors send various emails to each person during the test, including various attachments. This involves sending fake malicious attachments and checking whether they are blocked. This test requires the user to be logged in and to have access to their chosen method of email retrieval, such as Outlook.
- Test Case 5: Check EUD defences against malware delivered through a website. The Auditors ask to visit websites that contain test files. In this test we download fake malicious files and check to see if they are blocked either by the browser or the anti-malware solution.
- Test Case 6: Testing separation between standard account and admin account. We do this by trying to run a single application as an admin. If a prompt for credentials comes up, the test has been passed.
- Test Case 7: Two-factor authentication is tested on cloud consoles. This is done by opening the admin console in the preferred browser in a clean incognito session. If, when a user tries to sign in, a prompt for MFA comes up, the test has been passed. For this test we ask the user to attempt to log in to the cloud service being used via an incognito browser session, so that cached information cannot be used. The user only needs to get as far as the authenticator message and does not need to go any further. Alternatively, a screenshot of the configuration can be provided.
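The endpoint-side items behind Test Cases 2, 3 and 6 can be checked on each Windows EUD before the auditor arrives. The PowerShell script below is an added example for this article, not Cambridge Support's own tooling; it assumes Microsoft Defender as the anti-malware product and a 30-day patch window, and should be run as the standard (non-admin) user who will be present for the audit.

```powershell
# Pre-audit readiness check for a Windows EUD, covering the items behind
# Test Cases 2, 3 and 6: OS build and patch age, anti-malware status, and
# standard/admin account separation (UAC). The 30-day patch window and the
# runtime name filter are assumptions for this example.
$results = [ordered]@{}

# Test Case 2: OS version and the most recently installed update
$os = Get-CimInstance Win32_OperatingSystem
$lastFix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$results['OS'] = "$($os.Caption) build $($os.BuildNumber)"
$results['LastHotfix'] = if ($lastFix) { "$($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString())" } else { 'none found' }
$results['PatchWithin30Days'] = [bool]($lastFix -and ($lastFix.InstalledOn -gt (Get-Date).AddDays(-30)))

# Test Case 2: commonly missed runtimes (.NET, Visual C++). List what is installed
# so each version can be checked against the vendor's support status.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$results['Runtimes'] = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '\.NET|Visual C\+\+' } |
    ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" } | Sort-Object -Unique

# Test Case 3: anti-malware enabled with current signatures (Microsoft Defender)
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $results['AVEnabled'] = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
    $results['SignatureAgeDays'] = $mp.AntivirusSignatureAge
    $results['SignaturesCurrent'] = $mp.AntivirusSignatureAge -le 1
} else {
    $results['AVEnabled'] = 'Defender status unavailable; check third-party product manually'
}

# Test Case 6: the logged-in user should NOT be an administrator, and UAC must
# prompt for credentials when an application is run elevated
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$results['UserIsAdmin'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$results['UACEnabled'] = $uac.EnableLUA -eq 1
# ConsentPromptBehaviorAdmin 0 means "elevate without prompting", which would
# defeat the separation that Test Case 6 looks for
$results['UACPromptsAdmins'] = $uac.ConsentPromptBehaviorAdmin -ne 0
$results['SecureDesktop'] = $uac.PromptOnSecureDesktop -eq 1

# Print a simple readiness report; anything False here needs fixing before the audit
$results.GetEnumerator() | ForEach-Object { '{0,-20} : {1}' -f $_.Key, ($_.Value -join ', ') }
```

The script only reports; a real third-party anti-malware product or a non-Defender configuration will need the Test Case 3 section adapted to that vendor's status command.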
After performing all the scans in the audit, Cambridge Kinetics were thrilled to achieve their Cyber Essentials Plus certification. They can now display the Cyber Essentials Plus logo on their website to show their commitment to cyber security. They also recently became ISO 9001 certified, so they are certainly a company committed to improving their business. All these measures will help protect the company and possibly even win more clients.
For more information regarding how Cambridge Support can help your company become Cyber Essentials Plus certified, please contact us today.