Introduction
Cyber Essentials Plus (Level Two) is a technical audit that demonstrates protections are in place to guard against common forms of cyberattack. This article takes a deeper dive into the vulnerability assessments and patching checks, explaining why that testing is carried out, the benefits, what to expect, and how we help.
Aim of Remote Vulnerability Assessment
- To see whether an internet-based attacker can break into systems remotely using typical, low-skill methods (for example, by probing exposed firewalls and routers)
- This is akin to checking that the front door of a property is locked and secure – if it’s vulnerable, then the chances of theft and burglary can increase significantly
- Common attack vectors involve remote attackers exploiting these externally reachable vulnerabilities via the internet
Aim of Patching and Vulnerability Checks
- To identify and fix any weaknesses that are associated with devices that are used to create and store organisational data (such as desktops and laptops)
- This is similar to checking whether assets that reside inside a property are also safe, secure, and can’t easily be stolen
- Typical attack vectors involve remote attackers finding a way inside the network, then identifying and exploiting weaknesses on the devices they reach
Benefits of Patching and Vulnerability Assessments
- Protect an organisation from ransomware and data breaches
- Identify security flaws before they’re exploited by threat actors
- Highlight and address critical risks that may otherwise go unnoticed
- Close risks before threat actors exploit and abuse them
- Increase protection capabilities from common forms of attack
- Strengthen security posture
- Adhere to regulatory standards and reduce the risk of fines
What to Expect
- Ahead of the testing, provide details of devices and networks
- Document the names, types and IP addresses of devices
- Provide written approval for the testing to take place
- Support the deployment of specific tools, designed to identify system vulnerabilities
- Be prepared to find weaknesses that were not previously identified
- Take action to quickly address the most critical findings – they will be risk-ranked for you
- Remove software and/or services that are not being used
- Apply missing patches and updates that may previously not have been identified
- Make registry changes to Windows devices to harden the system setup
- Be prepared to apply fixes in phases, moving from critical to high risk findings
How We Help
At RB Consultancy Ltd, we support organisations looking to implement controls and/or certify to Cyber Essentials and Cyber Essentials Plus requirements:
- NCSC Cyber Advisor certified – we’re proven to help organisations understand and implement technical controls
- Vulnerability Assessment Plus certified – we have the skills and tools to identify weaknesses, risk-rank findings to support prioritisation, and provide remediation advice so that swift action can be taken
- IASME Cyber Essentials Plus Assessor certified – we’ve been tested to assess organisations against the requirements and provide advice on how to apply fixes
- Cyber Essentials Plus Certification Body certified – we’re trusted to issue certificates to organisations who have met the required standards
Conclusion – how Cyber Essentials Plus testing supports organisations with vulnerability management
Cyber Essentials Plus provides extra assurance that technical controls are in place to prevent common internet-based attacks. Remote vulnerability assessments test whether an internet-based attacker can break into systems remotely using typical, low-skill methods – like checking whether the front door to a property has been left open. Devices are also checked for missing security patches and vulnerability fixes, like checking whether valuable assets inside are secure. Specific tools are used, similar to those used for testing credit card-related security. Written approval is required before testing can take place. Testing can highlight weaknesses that might otherwise go unnoticed. Missing patches and insecure system configurations are often identified for remediation, with critical and high-risk findings being prioritised. RB Consultancy Ltd offers support and guidance through the whole Cyber Essentials and Cyber Essentials Plus certification process. We're certified to provide assessment, advice and certification services. If you would like assistance with Cyber Essentials or Cyber Essentials Plus certification, please contact us for support.
Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional and Cyber Advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials and IASME Cyber Assurance, and has many years' experience in IT and cyber security. Remo has a history of supporting organisations from all over the world, including a Fortune 500 company in the USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only.