Cyber Essentials Scheme Patching Requirements
The UK government introduced the Cyber Essentials certification in 2014 to help businesses protect themselves against the most common cyber attacks. Nearly 85% of the most common attacks could be prevented by implementing the fundamental security controls the Cyber Essentials framework describes. The certification has two levels: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials (level 1) is a self-assessment, whereas Cyber Essentials Plus is the more advanced and comprehensive level: a Cyber Essentials certification body performs an on-site assessment of your systems, including a vulnerability scan. Check out our blog on 'What exactly is involved in a Cyber Essentials Plus audit?' to find out more about the audit. Under IASME, now the sole accreditation body for the scheme, and its Cyber Essentials process, an applicant has to achieve Cyber Essentials (level 1) before applying for Cyber Essentials Plus.
Cyber Essentials focuses on five technical control areas:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Patch management
Check out the article 'What is the process for Cyber Essentials Plus certification?' to understand more about the process. Having performed dozens of these certifications, we know what the challenges are and how you can resolve them to avoid any surprises. Here is the checklist of requirements to help you achieve Cyber Essentials Plus, in order of biggest challenge first.
Patch Management - The biggest challenge of all
- How do you manage 3rd party software updates?
Think Java, Chrome, Adobe Reader, VLC, AutoCAD and so on. We often come across clients who assume SCCM alone is enough for patch management, but it is not: third-party applications have to be kept up to date as well, ideally from a centrally managed console. Most third-party patching products cover Microsoft updates too, and your antivirus vendor may offer a patching module, so check with them. With so many staff working remotely during the pandemic, a cloud-based patch management console that reaches machines off the corporate network is especially valuable.
- Are all systems up-to-date?
Updates that fix vulnerabilities rated critical or high risk have to be applied within 14 days of their release. When we perform the audit we do not expect to find any critical vulnerabilities on your network; if there are some, that is not good news, and each one is a potential fail.
- Do you have unsupported operating systems on the network?
Think Windows 7, Windows Server 2008 or 2008 R2, or older, all of which are now out of support. If you have any, it is a straight fail unless you have an extended support (ESU) agreement in place with Microsoft for those machines. If you are an IT manager, security manager or IT admin, this is a great opportunity to build a strong business case to upgrade your systems. Remember, outdated systems are a security vulnerability, and security is a continuous investment, just like fitness.
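The two checks above (critical or high updates applied within 14 days, and no out-of-support operating systems without an extended support agreement) are easy to automate once you have an inventory export. The script below is an added example, not code from the article or from any certification body: the hosts and updates are constructed, the update identifiers are hypothetical, and the end-of-support dates are Microsoft's published ones for the products listed but should be confirmed against the vendor's lifecycle pages before you rely on them.

```python
"""Patch-compliance check for the 14-day rule and out-of-support operating systems.

Added example, not code from the article or from any certification body.
Inventory rows are constructed; end-of-support dates should be confirmed
against Microsoft's lifecycle pages before use.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)           # critical/high fixes must be applied within 14 days
IN_SCOPE_SEVERITIES = {"critical", "high"}

# Operating systems that are out of support and the date support ended.
# Anything not listed is treated as still supported.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}


@dataclass(frozen=True)
class Host:
    name: str
    os_name: str
    extended_support: bool = False   # paid ESU agreement in place for this machine


@dataclass(frozen=True)
class Update:
    host: str
    update_id: str
    severity: str                    # vendor rating: critical, high, moderate, low
    released: date
    installed: Optional[date]        # None = not yet applied


def patch_findings(updates, today):
    """Critical/high updates applied late, or still missing after the 14-day window.

    Returns (host, update_id, reason) tuples in inventory order.
    """
    findings = []
    for u in updates:
        if u.severity not in IN_SCOPE_SEVERITIES:
            continue
        deadline = u.released + PATCH_WINDOW
        if u.installed is None:
            if today > deadline:
                findings.append((u.host, u.update_id,
                                 f"missing, {(today - deadline).days} days overdue"))
        elif u.installed > deadline:
            findings.append((u.host, u.update_id,
                             f"applied {(u.installed - u.released).days} days after release"))
    return findings


def unsupported_hosts(hosts, today):
    """Hosts running an out-of-support OS with no extended support agreement."""
    return [(h.name, h.os_name, END_OF_SUPPORT[h.os_name].isoformat())
            for h in hosts
            if h.os_name in END_OF_SUPPORT
            and today >= END_OF_SUPPORT[h.os_name]
            and not h.extended_support]


# Constructed inventory for a hypothetical audit on 1 June 2020.
TODAY = date(2020, 6, 1)
HOSTS = [
    Host("fileserver01", "Windows Server 2008 R2"),
    Host("hr-laptop-03", "Windows 7", extended_support=True),
    Host("ws-012", "Windows 10"),
]
UPDATES = [
    Update("ws-012", "UPD-A", "critical", date(2020, 5, 12), date(2020, 5, 20)),  # 8 days: fine
    Update("ws-012", "UPD-B", "critical", date(2020, 5, 1), date(2020, 5, 25)),   # 24 days: late
    Update("fileserver01", "UPD-C", "high", date(2020, 5, 10), None),            # deadline passed
    Update("ws-012", "UPD-D", "low", date(2020, 4, 1), None),                     # not in scope
    Update("hr-laptop-03", "UPD-E", "critical", date(2020, 5, 25), None),         # still inside window
]

if __name__ == "__main__":
    for finding in patch_findings(UPDATES, TODAY):
        print("PATCH:", *finding)
    for finding in unsupported_hosts(HOSTS, TODAY):
        print("UNSUPPORTED OS:", *finding)
```

Run against your real exports (SCCM, Intune, your third-party patching console) and anything the functions return is what the auditor will find: a late critical update is a finding even if it was eventually installed, and a missing one that is still inside its 14 days today becomes a finding on the day the window closes.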
- Is all the software used in the business properly licensed?
All software in use has to be properly licensed and supported by its vendor. Unlicensed or unsupported software generally cannot receive updates, which is why it counts as a patch management issue.
- Do you have mobile devices that are up to date?
Yes, you heard that right. Company mobile devices are in scope, and you are expected to keep their operating systems up to date. If you have older devices that cannot update to a supported OS version, we have a problem. For example, if you still have an iPhone 5 in your environment (it cannot go beyond iOS 10), it is time for phone shopping.
Secure configuration
- Did you change the default login details on network devices?
Think firewalls, routers, printers and so on. You cannot leave the default credentials on your routers and firewalls: they have to be changed to your own strong passwords and kept secret.
- Have you uninstalled the unnecessary software?
If you have software you don't need, you still have to patch and maintain it. It is easier to remove applications when you no longer need them; every unneeded application is extra attack surface and a potential vulnerability.
- Have you disabled unnecessary user accounts on the company’s systems?
You may have created local user accounts for a particular purpose, or you may still have active accounts belonging to people who have left the company. Is that the case? Just like unnecessary software, you will need to disable or remove them.
- Do you have a strong password policy and is it enforced?
The good old password policy. What does yours say? Minimum 8 characters? That is the floor, not the target: the policy has to be enforced technically rather than just written down, and it should protect against brute-force guessing. If you do not make users change passwords on a schedule (which the NCSC no longer recommends), enable two-factor authentication to compensate.
Firewalls
- Did you close open ports when they were no longer necessary?
As part of the audit we will be running an external vulnerability assessment against your public IPs, and we do not expect to find any unusual ports left open on the firewall. It is good practice to check regularly for open ports: run an nmap scan against your own public range to see what is exposed.
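Running nmap is the easy part; the useful step is comparing what it finds with what your firewall change records say should be open. The script below is an added example, not part of the article or of any audit tooling: it parses nmap's grepable output (`-oG`), which you would produce with something like `nmap -sS -Pn -oG external.gnmap 203.0.113.0/28`, and reports every open port that is not on an allow-list. The scan output is constructed using documentation addresses and the allow-list is hypothetical.

```python
"""Compare an external nmap scan against the ports you have actually authorised.

Added example, not part of the article or of any audit tooling. SAMPLE_GNMAP is
a constructed nmap grepable (-oG) file using documentation addresses; ALLOWED is
a hypothetical allow-list that in practice comes from your firewall change records.
"""

# Constructed sample of nmap -oG output: one field per tab on each Host: line.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated Mon Jun  1 09:00:00 2020 as: nmap -sS -Pn -oG external.gnmap 203.0.113.10 203.0.113.11\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "8443/open/tcp//https-alt///, 25/filtered/tcp//smtp///\tIgnored State: closed (996)\n"
    "Host: 203.0.113.11 ()\tStatus: Up\n"
    "Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: filtered (998)\n"
    "# Nmap done at Mon Jun  1 09:02:10 2020 -- 2 IP addresses (2 hosts up) scanned in 130.04 seconds\n"
)

# Hypothetical allow-list: (protocol, port) pairs that have a documented change record.
ALLOWED = {
    "203.0.113.10": {("tcp", 22), ("tcp", 443)},
    "203.0.113.11": {("tcp", 443)},
}


def parse_gnmap(text):
    """Return {ip: {(proto, port), ...}} for every port nmap reports as open.

    A -oG port line looks like:
      Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
    """
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue                      # comment lines and Status-only lines
        ip = line.split()[1]
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":           # ignore filtered/closed entries
                open_ports.setdefault(ip, set()).add((proto, int(port)))
    return open_ports


def unexpected_open_ports(open_ports, allowed):
    """Open ports on the edge that no change record accounts for, per host."""
    findings = {}
    for ip, ports in open_ports.items():
        extra = ports - allowed.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    for ip, ports in unexpected_open_ports(parse_gnmap(SAMPLE_GNMAP), ALLOWED).items():
        print(ip, "->", ", ".join(f"{proto}/{port}" for proto, port in ports))
```

In the constructed sample the script flags 8443/tcp on the first host and 3389/tcp (RDP) on the second. RDP exposed directly to the internet is exactly the kind of thing the external assessment will pick up; either close it or put it behind your VPN. Scan from outside your own network, otherwise you are testing the wrong firewall.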
- Is opening/closing ports process and authorisation documented?
If you are going to open ports on the firewall, what is the change process? In a small business I would expect the IT manager to authorise the change, someone to execute it, and the change to be documented. In an enterprise it may be more elaborate. As long as you have a documented process, that's good.
- Is admin access restricted to certain IP addresses only?
From time to time IT personnel need to access the firewall from outside the network. We usually enable the remote management feature but do not necessarily restrict it to particular source addresses. Do not open management to the whole world: restrict remote access to known source IP addresses, and put it behind the VPN or multi-factor authentication where the device supports it.
- Do you have a firewall enabled on end user devices?
A software (host) firewall on each end user device. This can be the Windows firewall or the firewall provided by your antivirus vendor; either way it must be switched on.
Malware protection
- Do you have anti-virus software installed on all machines?
Antivirus software is to be installed on all systems, with regular scanning enabled.
- Is the Anti-virus software regularly updated?
Most antivirus products update their signatures and detection engine automatically, many times a day. Is that the case with yours? If not, double check the update configuration.
- Does the antivirus software scan automatically and regularly?
When you plug in a removable device and open a file from it, your antivirus should scan it automatically (on-access scanning). You must also have regular scheduled scans enabled.
User access controls
- Do you have a policy & process for joiners and leavers’ user accounts?
A documented joiners and leavers process makes sure accounts are created with the right permissions on day one and disabled promptly when someone leaves.
- Do you have a policy for setting user permissions?
Who approves permissions, who applies them, and how do you monitor their use?
- Do you have separate accounts for admin tasks? Is the process documented?
This is a critical one. We come across local admin accounts a lot: people using an account with local admin rights for their regular day-to-day work. It happens more often in smaller businesses. You are not supposed to use an account with admin privileges for regular browsing or email; use a separate admin account for admin tasks only, and document the process.
- Do you review the admin accounts regularly?
As explained in the step above, what do you do to monitor the use of admin accounts? You will need to review them regularly (who has admin rights, whether each account is still needed and still in use) and take the necessary action.
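The three account questions above (leavers, separate admin accounts, regular review of admin accounts) can be answered from a single account export. The script below is an added example, not part of the article: the account export is constructed, in the shape you would get from an AD or local-SAM export once you add an owner column mapping each account to the person or service it belongs to, and the 90-day dormancy threshold and the group names treated as privileged are assumptions to adjust to your own policy.

```python
"""Account review for leavers, dormant admin accounts and admin-as-daily-account.

Added example, not part of the article. ACCOUNTS is a constructed export; the
dormancy threshold and privileged group names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)                       # assumption: review threshold
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}  # assumption: what counts as admin


@dataclass(frozen=True)
class Account:
    name: str
    owner: str            # person (or service) the account belongs to
    enabled: bool
    groups: frozenset
    last_logon: date
    status: str           # "employed", "left" or "service"

    @property
    def privileged(self):
        return bool(self.groups & PRIVILEGED_GROUPS)


def leavers_still_enabled(accounts):
    """Leavers whose accounts were never disabled."""
    return [a.name for a in accounts if a.enabled and a.status == "left"]


def dormant_privileged(accounts, today):
    """Enabled privileged accounts nobody has logged on with for DORMANT_AFTER."""
    return [a.name for a in accounts
            if a.enabled and a.privileged and today - a.last_logon > DORMANT_AFTER]


def no_separate_standard_account(accounts):
    """People whose only enabled account is privileged: the admin account is their daily account."""
    by_owner = {}
    for a in accounts:
        if a.enabled and a.status == "employed":
            by_owner.setdefault(a.owner, []).append(a)
    flagged = []
    for accs in by_owner.values():
        if all(a.privileged for a in accs):
            flagged.extend(a.name for a in accs)
    return sorted(flagged)


def review(accounts, today):
    """All three findings in one dict, ready to paste into the review record."""
    return {
        "leaver_enabled": leavers_still_enabled(accounts),
        "dormant_privileged": dormant_privileged(accounts, today),
        "admin_as_daily_account": no_separate_standard_account(accounts),
    }


# Constructed export for a hypothetical review on 1 June 2020.
TODAY = date(2020, 6, 1)
ACCOUNTS = [
    Account("alice",      "alice",  True,  frozenset({"Users"}),          date(2020, 5, 29), "employed"),
    Account("adm-alice",  "alice",  True,  frozenset({"Administrators"}), date(2020, 5, 28), "employed"),
    Account("bob",        "bob",    True,  frozenset({"Users"}),          date(2020, 3, 2),  "left"),
    Account("carol",      "carol",  True,  frozenset({"Users"}),          date(2020, 5, 30), "employed"),
    Account("adm-carol",  "carol",  True,  frozenset({"Domain Admins"}),  date(2020, 1, 10), "employed"),
    Account("erin",       "erin",   True,  frozenset({"Administrators"}), date(2020, 5, 29), "employed"),
    Account("svc-backup", "backup", True,  frozenset({"Administrators"}), date(2020, 5, 31), "service"),
    Account("dave",       "dave",   False, frozenset({"Users"}),          date(2019, 12, 1), "left"),
]

if __name__ == "__main__":
    for check, names in review(ACCOUNTS, TODAY).items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

On the constructed data the review flags bob (left, still enabled), adm-carol (admin account unused for 143 days) and erin (an administrator with no standard account to do everyday work from). Service accounts are deliberately excluded from the last check, since they have no "daily" use; they still appear in the dormancy check.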
If you answered YES to most of the questions above, you are likely to get through Cyber Essentials Plus on the first attempt, as you will meet the certification requirements. It is always a good idea to get a full vulnerability assessment done on the network beforehand to understand the overall gaps in your patching. I hope this article has helped you. Please refer to 'Everything you need to know about Cyber Essentials' to learn more about the certification and the process involved. The National Cyber Security Centre also publishes useful guidance. For more information on the accreditation body and the certification bodies, please check the IASME website.