Introduction
Cyber Essentials Plus (Level Two) is a technical audit that demonstrates protections are in place to guard against the most common forms of cyberattacks. Here, we focus on multi-factor authentication and account separation checks, explaining why these tests are carried out, the benefits, what to expect, and how we help.
Aim of Multi-factor Authentication Testing
- To ensure additional levels of protection are in place that would reduce the risk of threat actors accessing cloud services
- This is similar to checking whether a door can be opened using a stolen key or by guessing a combination on a lock
- Cloud services are therefore checked to determine whether multi-factor authentication is in place, so that something else (as well as or instead of a username/password combination) is used to gain access
Why Multi-factor Authentication is Important
Cybercriminals could gain unauthorised access to your cloud services (such as Microsoft 365 and Google Workplace) if a username and password combination is compromised without another way to check authenticity. They achieve this using various techniques:
- Using common/guessable username and password combinations (brute force)
- Using (known) username and password combinations from hacked cloud services, assuming the same password is re-used (credential stuffing)
- Capturing usernames and passwords via phishing, key logging software, social engineering, or man-in-the-middle attacks, that trick people into providing these details without genuine consent
- Vulnerabilities may also be exploited, allowing threat actors to steal information, including credentials (infostealing)
What Types of Additional Factors are there?
Cyber Essentials scheme recognises additional ways to verify identity, including:
- ‘Authenticator’ app that prompts for a six-digit code to also be entered
- Key fob that has a rotating code to enter
- The message via email that needs to be entered to validate access
- Trusted device that’s owned by the person trying to access the data
- Biometrics, such as face ID or fingerprint reading
- Push notifications are prompts sent to smartphone apps
The additional step of the above check can help ensure cloud services are protected and can’t easily be accessed via username and password alone.
Benefits of Multi-factor Authentication
- Protect an organisation from ransomware and data breaches
- Identify security flaws before they’re exploited by threat actors
- Highlight and address critical risks that may otherwise go unnoticed
- Close risks before threat actors exploit and abuse them
- Increase protection capabilities from common forms of attack
- Strengthen security posture
- Adhere to regulatory standards and reduce the risk of fines
What to Expect
- Testing of cloud services to prove MFA is in place for users and administrators
- Testing from different devices, chosen for sampling
How We Help
At RB Consultancy Ltd, we support organisations looking to implement controls and/or certify to Cyber Essentials and Cyber Essentials Plus requirements:
- NCSC Cyber Advisor certified – we’re proven to help organisations understand and implement technical controls
- Vulnerability Assessment Plus certified – we have skills and tools to identify weaknesses, risk rank findings to support prioritisation, and provide remediation advice to enable swift action to be taken
- IASME Cyber Essentials Plus Assessor certified – we’ve been tested to assess organisations against the requirements and provide advice on how to apply fixes
- Cyber Essentials Plus Certification Body certified – we’re trusted to issue certificates to organisations who have met the required standards
Conclusion – multi-factor authentication and Cyber Essentials Plus
Cyber Essentials Plus provides extra assurance that technical controls are in place to prevent common internet-based attacks. Multi-factor authentication checks are aimed at protecting access to cloud services. Many ways exist for additional levels of authentication and Cyber Essentials Plus testing can highlight weaknesses that might otherwise go unnoticed. RB Consultancy Ltd offer support and guidance through the whole Cyber Essentials and Cyber Essentials Plus certification process. We’re certified to provide assessment, advice, and certification services. If you would like assistance for Cyber Essentials / Cyber Essentials Plus certification, please contact us for support.
Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional and cyber advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials, IASME Cyber Assurance, and has many years experience in IT and cyber security. Remo has a history of supporting organisations from over the world – including a Fortune 500 in USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only.