Understanding Cyber Essentials Plus Vulnerability Scanning: Your Guide to Enhanced Cybersecurity 

Achieving Cyber Essentials Plus certification is a significant step for any organisation looking to bolster its cyber security. One of the key components of this certification process involves conducting both internal and external vulnerability scans. These scans are crucial in identifying and addressing potential security weaknesses, ensuring your systems are robust enough to withstand common cyber threats. 

What is a Vulnerability? 

In the realm of cybersecurity, a vulnerability refers to a weakness or flaw in a system, network, or software that could be exploited by hackers. To put it simply, a vulnerability is like an unlocked door in your house—if a burglar finds it, they can easily break in and take what they want. Similarly, in cybersecurity, it’s vital to “lock” your systems by securing these vulnerabilities. 

What is a Vulnerability Scan? 

A vulnerability scan is an automated process that identifies known weaknesses in an organisation’s systems and applications. For Cyber Essentials Plus, two types of vulnerability scans are necessary: internal and external. Both aim to detect and evaluate security flaws, helping organisations strengthen their cybersecurity measures. 

Scanning Requirements for Cyber Essentials Plus 

To achieve Cyber Essentials Plus certification, your organisation must undergo two specific types of vulnerability scans: External and Internal. Here’s what each entails: 

External Vulnerability Scan

An external vulnerability scan targets the public IP addresses of your internet-facing router or firewall. In simple terms, an IP address is like a phone number for your home or business network. The scan identifies the services and software versions exposed on those addresses and compares them against databases of known software versions and vulnerabilities. 

If your company operates websites, the external scan may also need to cover them, unless they are simple, brochure-style sites that host only public information. Many applicants pass this scan at the first attempt, but if you publish services to the internet through your firewall (for example a VPN gateway or a mail server), there is a higher chance that vulnerabilities will be found that need resolving. 

During the external vulnerability scan, we check the following: 

  • User Authentication: any discovered external service must authenticate users, or restrict what it exposes to information that is public and/or read-only. 
  • Authentication Bypass Prevention: verifying that multi-factor authentication (MFA) is in place so that the authentication mechanism cannot be easily bypassed. 
  • Login Attempt Throttling: login attempts must be throttled, or accounts locked out after no more than 10 failed attempts. 

Internal Vulnerability Scan

The internal vulnerability scan involves installing a small application on a sample of devices within your organisation. This agent evaluates the installed software (e.g., Microsoft Word, Adobe Acrobat), operating systems (e.g., Windows, macOS), and patches deployed on these devices to confirm they are up to date and free of high- or critical-severity vulnerabilities. 

The agent also checks device configurations to confirm basic security settings are in place, such as disabling Autoplay, which is a Cyber Essentials requirement. 

What Happens After the Scans? 

If you’re applying for Cyber Essentials Plus through Evolve North, we’ll compile the results of your internal and external vulnerability scans into a single report. This report will list all the vulnerabilities discovered during the scans, along with each host and vulnerability’s “CE Status” (Pass or Fail). Each vulnerability will include details on how to fix it. 

A vulnerability is given a CE Status of “Fail” when it meets at least one of the following severity criteria: 

  • The vulnerability is classified as “critical” or “high” risk by the software vendor. 
  • The vulnerability has a CVSS v3 base score of 7 or above. 
  • The vendor has not provided details on the severity of the vulnerabilities the update addresses. 

and, in addition, a fix for it has been available from the vendor for more than 14 days. The two parts work together: a high-severity finding whose fix was released less than 14 days ago is not yet a fail (although it must be patched before the 14-day window closes), and a finding with no vendor fix available cannot fail on the 14-day rule. 
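To make the combination of severity and timing explicit, here is an added Python example (not Evolve North's tooling and not the official scanner) that applies the criteria above to a list of constructed scan findings and rolls the result up per host. The `Finding` fields, the reading of “vendor has not provided severity details” as “no vendor rating and no CVSS v3 score”, and the sample findings are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

PATCH_WINDOW_DAYS = 14      # CE: apply a vendor fix within 14 days of its release
CVSS_FAIL_THRESHOLD = 7.0   # CE: CVSS v3 base score of 7 or above is in scope


@dataclass
class Finding:
    """One row of a (hypothetical) scanner export; the field set is an assumption."""
    host: str
    title: str
    vendor_severity: Optional[str]   # vendor's own rating; None = vendor gave no rating
    cvss_v3: Optional[float]         # CVSS v3 base score; None = no score published
    fix_released: Optional[date]     # date the vendor fix became available; None = no fix yet


def is_in_scope(f: Finding) -> bool:
    """Severity test: any one of the three criteria puts the finding in scope."""
    if f.vendor_severity and f.vendor_severity.lower() in ("critical", "high"):
        return True
    if f.cvss_v3 is not None and f.cvss_v3 >= CVSS_FAIL_THRESHOLD:
        return True
    # Assumption: "vendor has not provided severity details" is read as neither a
    # vendor rating nor a CVSS v3 score being available for the finding.
    if f.vendor_severity is None and f.cvss_v3 is None:
        return True
    return False


def fix_overdue(f: Finding, today: date) -> bool:
    """Timing test: a fix exists and has been available for more than 14 days."""
    if f.fix_released is None:
        return False  # nothing to apply yet, so the 14-day clock has not started
    return (today - f.fix_released) > timedelta(days=PATCH_WINDOW_DAYS)


def ce_status(f: Finding, today: date) -> str:
    """Fail only when the finding is in scope AND its fix is overdue."""
    return "Fail" if is_in_scope(f) and fix_overdue(f, today) else "Pass"


def host_report(findings: Iterable[Finding], today: date) -> Dict[str, str]:
    """Per-host roll-up: a single failing finding fails the host."""
    per_host: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        per_host[f.host].append(ce_status(f, today))
    return {h: ("Fail" if "Fail" in s else "Pass") for h, s in per_host.items()}


# Constructed sample findings (not real scan output). Scan date is fixed so the
# day arithmetic is reproducible.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Finding("fw-edge", "Outdated SSH service version", "critical", 9.8, date(2024, 6, 1)),   # in scope, fix 29 days old: Fail
    Finding("fw-edge", "TLS server offers weak cipher", "medium", 5.3, date(2023, 1, 1)),    # not in scope: Pass
    Finding("laptop-07", "PDF reader update", "high", 7.8, date(2024, 6, 20)),               # in scope, fix 10 days old: Pass
    Finding("laptop-07", "Vendor update, severity not stated", None, None, date(2024, 5, 1)),  # no severity info, 60 days: Fail
    Finding("laptop-12", "Browser issue, patch pending", "critical", 9.8, None),             # no fix yet: Pass
    Finding("laptop-12", "Office update", "high", 7.5, date(2024, 6, 16)),                   # fix exactly 14 days old: Pass
    Finding("mail-gw", "Mail server update", "high", 7.5, date(2024, 6, 15)),                # fix 15 days old: Fail
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.host:10} {ce_status(f, TODAY):4} {f.title}")
    print(host_report(SAMPLE, TODAY))
```

The boundary cases are the ones worth checking in your own triage: a fix released exactly 14 days before the scan is not yet overdue, and a critical finding with no vendor fix is recorded but does not fail the host on the 14-day rule.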

Is a Penetration Test Required for Cyber Essentials? 

No, penetration testing is not required for Cyber Essentials or Cyber Essentials Plus. While penetration testing involves actively attempting to exploit vulnerabilities, akin to a burglar trying to pick the locks of your house, it is outside the scope of the Cyber Essentials certification process. 

Are There Other Requirements for Cyber Essentials Plus? 

Yes, aside from the internal and external vulnerability scans, Cyber Essentials Plus also includes other tests, often conducted via remote screen sharing. During this process, Evolve North checks: 

  1. Separation of user and admin accounts on sampled devices and cloud services. 
  2. Multi-factor authentication (MFA) for all users on all cloud services. 
  3. Up-to-date and effective anti-malware configurations for email and browser threats. 
  4. Mobile device configurations for app installations. 

How We Can Help 

If you’re considering applying for Cyber Essentials Plus but are unsure where to start, contact us today. Our advisors are ready to assist you with a free initial consultation, guiding you through the process, providing upfront costs, and answering any questions you may have. 

Even if your organisation is already Cyber Essentials or Cyber Essentials Plus certified, it might be worthwhile to schedule a call with us to discuss our support and assessment approach, ensuring your cybersecurity remains robust and up to date. 

At Evolve North, we are committed to making cybersecurity accessible and effective for all businesses, regardless of size or industry. 

Reach out on 01748 905 002 or email info@evolvenorth.com 
