Cyber Essentials Plus checklist for remote testing

This Cyber Essentials Plus checklist helps you through the remote testing process. Due to the pandemic, we are performing most of our assessments remotely. This requires a structured approach so nothing is missed. (Please note that further details are sent to you on acceptance of the Cyber Essentials Plus quote).
Before reading this checklist, we advise that you familiarise yourself with our comprehensive guide to preparing for Cyber Essentials Basic assessment.

For pricing details of CE Basic, please visit our costs and packages page.


Post update: 08/08/2023 – Clarified that all servers must be sampled if they reside on the in-scope network.


What we require from you on the day of the Cyber Essentials Plus assessment 

Requirements for a remote Cyber Essentials Plus assessment: 

  • a member of staff with administrative rights must be available for the duration of the assessment.
    • they must have network knowledge and the authority to access all the devices in the sample.
    • they must be able to start and stop services on devices (our scanners require certain services to be running).
  • the remote assessor must be able to see the screen of this administrator. Our preferred methods of screen sharing are TeamViewer, Microsoft Quick Assist or Microsoft Teams, but other options can be discussed.
  • the administrator must be able to see or take control of the required sample of machines, whether on a single site or on multiple sites. Ideally, the assessor views one machine which in turn can access all other sample machines in scope, for both vulnerability scanning and screen sharing.
  • provide live, working email addresses on the Asset Declaration form (this will be sent to you ahead of the test) for us to send blank test files to, so we can check that each mailbox is receiving emails.
  • ensure that the vulnerability scanner software is fully installed (we will provide a download link and instructions).
  • if you are using Next Generation Anti-Virus software such as CrowdStrike, we are unable to test that it is working correctly using our test files. We will therefore manually check that it is installed in accordance with vendor recommendations.

If any of the above is not possible, then we MUST know ahead of time so that we can discuss further.


Remote Access Software 

It is also important that, before the day of assessment, the remote access software is downloaded on the computer on which the scans are to run.  

Or, we may have organised a screenshare via Teams or Microsoft Windows’ built-in Quick Assist tool. 

An assessor will call 1-3 days ahead of the Cyber Essentials Plus test and will expect the scanner to have been downloaded on a designated machine (we will send instructions on how to do this).


Device sample 

The sample is calculated as follows: 

Number of each OS version    Sample size
1                            1
2-5                          2
6-19                         3
20-60                        4
61+                          5


If you change operating system versions on devices after submitting the Asset Declaration form, please advise us before assessment as this will affect the sample size. 

Windows 10 versions are separated by edition and feature version, i.e. Windows 10 Pro v1909 is one version. So, if the company has 6 devices on Windows 10 Pro 1909 and 6 on Windows 10 Pro 2004, then 3 of each Windows version would need to be tested on the day (3x Windows 10 Pro 1909 and 3x Windows 10 Pro 2004). In this example (12 devices), if all Windows devices were at the same edition and version, only 3 would need to be tested rather than 6.

If the company uses the Windows 10 Operating System, we recommend having a single version throughout the company, wherever possible, as this can vastly reduce the number of devices required to be tested.  

Please remember that mobile phones (that access company information, such as emails) are also in scope. The assessor will ask to see the relevant number of Android OS variants and iOS devices, following the guidelines in the above table.

All servers that reside on the in-scope network are also sampled according to their Operating System – even if they do not access the internet. Those servers used for Remote Desktop activities will have the same checks conducted as laptops/desktops, whereas those servers used for back-end processing will only need to be scanned.
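The sample calculation above, worked through as an added example (this is not the assessor's tooling): devices are grouped by their exact OS string, edition and feature version included, so each distinct version forms its own group, and the band table is applied per group. The asset list is constructed here and assumes an Asset Declaration with Host and OS columns.

```powershell
# Band table from the checklist: number of devices on one OS version -> sample size.
function Get-CePlusSampleSize {
    param([int]$Count)
    switch ($Count) {
        { $_ -le 0 }  { return 0 }
        1             { return 1 }
        { $_ -le 5 }  { return 2 }
        { $_ -le 19 } { return 3 }
        { $_ -le 60 } { return 4 }
        default       { return 5 }
    }
}

# Group an asset list by exact OS string and work out the sample for each group.
function Get-CePlusSample {
    param([Parameter(Mandatory)][object[]]$Assets)
    $Assets | Group-Object -Property OS | ForEach-Object {
        $n = Get-CePlusSampleSize -Count $_.Count
        [pscustomobject]@{
            OS        = $_.Name
            Devices   = $_.Count
            Sample    = $n
            # First N hosts as a suggestion; the client may swap in others as long
            # as they represent the different uses of devices in the company.
            Suggested = (($_.Group | Select-Object -First $n).Host) -join ', '
        }
    }
}

# Constructed asset declaration (hostnames are placeholders): the 6 + 6 Windows 10
# case from the text, plus servers and mobiles, which are sampled the same way.
$assets = @(
    1..6  | ForEach-Object { [pscustomobject]@{ Host = "WS$_";  OS = 'Windows 10 Pro 1909' } }
    7..12 | ForEach-Object { [pscustomobject]@{ Host = "WS$_";  OS = 'Windows 10 Pro 2004' } }
    1..2  | ForEach-Object { [pscustomobject]@{ Host = "SRV$_"; OS = 'Windows Server 2019 Standard' } }
    1..25 | ForEach-Object { [pscustomobject]@{ Host = "AND$_"; OS = 'Android 13' } }
    [pscustomobject]@{ Host = 'IPH1'; OS = 'iOS 16' }
)

Get-CePlusSample -Assets $assets | Format-Table -AutoSize
```

For the constructed list this reports a sample of 3 for each of the two Windows 10 groups, as in the worked example; renaming all twelve to one version collapses them into a single group of 12 with a sample of 3.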


What the Cyber Essentials Plus assessor will be testing 

The guidance for a CE Plus Certification audit is within the Illustrative Test Specification and is found within the resources section of the NCSC's website: https://www.ncsc.gov.uk/cyberessentials/resources

 External scanning 

Before the assessment you will have received an “Asset Declaration” form where you must list any protections that are in place to prevent password guessing of any login prompts that are accessible via the internet. 

On the day of the Cyber Essentials Plus test, we may require you to evidence your answers, e.g. to show that accounts are set to lock out.

We will conduct technical tests but cannot always identify controls such as 2FA or throttling, so please have at hand any configuration pages that can help demonstrate that the stated controls have been implemented.


Email tests 

We will send a mixture of binary files, script files and files masquerading as viruses (don't worry: we have written the executable files ourselves, and the "virus" files are internationally recognised test files).

Cyber Essentials Plus checklist for the file types used:

Executables:

  • .bat
  • .exe
  • .pif
  • .ps1
  • .sh
  • .py
  • .dmg

Macros:

  • .docm
  • .xlsm

Containers:

  • .zip
  • .7z
  • .rar
  • .tar.gz
  • .tar
  • .gz

The best outcome is that none of the benign virus files should reach your inbox, but if they do, your virus checker should catch them. 

The same applies to the binary and script files except that, as they are not known viruses, the Anti-Virus software may not step in. This is ok, but the email software or the computer's operating system should not allow these files to run on opening (there should be a prompt or an opportunity to cancel before execution).

Typically, in an Office 365 environment, binary files and the benign viruses are blocked at the server. Script files (such as .py and .sh) often make it through to the inbox and cause issues with companies that develop software – as software developers’ computers are often set up to run such files. This means that the test .py and .sh files may execute. Measures must be taken to, at least, prompt or give an opportunity to cancel before execution.  

Remember – we are not asking you to block “Zip” files as we know that companies rely on sending many such files every day as they are an important way of grouping a folder-worth of files together as attachments. We do, however, expect your email server, or computer’s operating system, to act upon any executable files contained within “Zip” files. It is very unlikely that users will receive executable files in the course of their day-to-day duties. 

Typical actions that we would expect to find are either: 

  • that the container files are blocked  
  • there is an opportunity to cancel execution after opening the container file 

We will send you a link containing sample files representing those that we would expect to be "caught" on the day. You may then try sending them via email to your own address to see how they are treated, but be aware that not every ISP allows you to send emails with executable files attached.

We will also send relevant files to email accounts to be accessed by mobile devices. Currently these are the .py and .sh files, but are subject to change. 

This Cyber Essentials Plus checklist does not include the links to the files that can be tested; however, on acceptance of a quote, we will send you details on how to access a range of executable files, similar to the actual test files, to help you prepare.


URL checks

The aim of this test is to ensure that computers are configured not to execute files via web browsers without sufficient warning (prompt or give an opportunity to cancel before execution). 

All browsers found within the sample set of devices are checked and must show, at least, a warning, or opportunity to cancel before execution. 

We will send you a link to a website containing the relevant file-types (please be aware that these are not the same files as the ones used on assessment day, but will give you an idea of whether your devices are correctly configured).

This Cyber Essentials Plus checklist does not advertise the Web URL, however, on acceptance of a quote, we will send you links to a site that has a range of executable files, similar to the actual test files, to help you prepare.


Scanning of devices to check they are patched correctly 

This is generally the most involved and challenging aspect of the Cyber Essentials Plus test. Remember that the assessor has a limited knowledge of the network they are about to attach to, so it is important that a representative of the company is on-hand to help navigate around. 

This assessment is not about preventing the assessor from accessing devices in the limited time they have onsite! It is about identifying known weaknesses in devices that, if left unresolved, could cause them to become exploited by malware. 

So, for example, if the assessor cannot access your device and an un-patched service goes unreported, that device could become compromised at a later date, so please ensure you have the following ready for the assessor: 

  • Temporary administrative credentials (domain level preferred). 
  • The remote registry service enabled on all machines in the sample set. 
  • The server service enabled. 
  • File and print services enabled. 
  • The onboard firewall set to allow probes from the scanning machine. 

This Cyber Essentials Plus checklist does not give the links to the scanning software used in the assessment, however, on acceptance of a quote, we will send you links to a site where the software can be downloaded.

If the assessment overruns due to technical issues, then additional costs are likely to be incurred so it is highly recommended that you, at least, check the services are running following the guidance in the above article before the assessment. 
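A read-only pre-assessment check for the Windows items in the list above, written here as an added example (it is not Indelible Data's scanner or any of their tooling). It assumes the NetSecurity cmdlets are available (Windows 8.1 / Server 2012 R2 or later), that the remote variant has WinRM enabled, and that the hostnames shown are placeholders.

```powershell
# Reports only; it changes nothing. Run in an elevated session on a sample machine,
# or push it to the whole sample with Invoke-Command (WinRM assumed enabled).
function Test-CePlusScanReadiness {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
    }

    # Remote Registry and Server (LanmanServer) services must be running for a
    # credentialed scan; File and Print Services depend on LanmanServer.
    foreach ($svc in 'RemoteRegistry', 'LanmanServer') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s) { Add-Finding $svc $false 'service not present'; continue }
        Add-Finding $svc ($s.Status -eq 'Running') "status=$($s.Status) startType=$($s.StartType)"
    }

    # Inbound "File and Printer Sharing" rules are what lets the scanner's probes
    # through the onboard firewall on any profile that is switched on.
    $rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue
    $allow = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
    Add-Finding 'FilePrintSharingRules' ($allow.Count -gt 0) "$($allow.Count) inbound allow rule(s) enabled"
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ($p.Enabled -eq 'False') -or ($allow.Count -gt 0)
        Add-Finding "Firewall-$($p.Name)" $ok "enabled=$($p.Enabled) defaultInbound=$($p.DefaultInboundAction)"
    }

    # The account at the shared screen should be a standard user (see the assessment
    # procedure below); when run remotely this reflects the connecting account instead.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Add-Finding 'InteractiveUserIsStandard' (-not $isAdmin) "user=$($id.Name) admin=$isAdmin"

    return $findings
}

# Local run:
Test-CePlusScanReadiness | Format-Table -AutoSize

# Whole sample (placeholder hostnames), assuming WinRM is enabled on each machine:
# Invoke-Command -ComputerName 'WS01','WS02' -ScriptBlock ${function:Test-CePlusScanReadiness} |
#     Format-Table PSComputerName, Check, Ok, Detail -AutoSize
```

Any row with Ok = False is something to fix (or to tell the assessor about) before the prep call; the Remote Registry change in particular is one you will want to reverse once the assessment is over.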


Assessment procedure to support the Cyber Essentials Plus checklist

  • A start time and screen-share method will have been agreed in the prep call.
  • We ask the Client for the email addresses to which test emails and a screen share link will be sent.
  • We send the test emails (without attachments) whilst the Client is on the phone.
  • We talk you through the screen sharing session and send all the remaining test emails.
  • Once Indelible Data is able to see the screen, with the Client's help, we will need to ensure the user is not an administrator (the Client should not be able to run the secpol program if it is a Windows device).
  • We will remain on the line to ensure the scan is authenticating correctly then move on to perform the next tests whilst the scan is working. 
  • The assessor will type “what is my IP” into Google and check it is in range of the IPs that were declared in the Asset Declaration Form ahead of the Cyber Essentials Plus test. 
  • We will ask the Client to click through the emails and we will record the findings in the Evidence spreadsheet. Relevant emails will also be sent to mobile devices.
  • We will then ask the Client to visit a web page (provided on the day) and click through the links on each browser and we will record the findings in the evidence spreadsheet. 
  • The client must then bring up the anti-virus screen and check it is up to date. 
  • We ensure the correct sample of machines are in the Scanner’s target box (these may actually be different to those identified in the Evidence spreadsheet if the Client wishes – just as long as they represent the different uses of devices in the company). 
  • The client must ensure the account has sufficient credentials for the scan (Credentialed Scan). We recommend a temporary Domain Admin account is used (there may be a requirement on the day to amend a registry key or create a local admin user). On a Mac, a representative of the company should be confident in privilege escalation where required.
  • We will request sight of the mobile devices in scope. This may be via web cam or a TeamViewer session (if installed).
  • The devices will be checked for any sign of rooting, jailbreaking or developer mode, and certificates will be checked to ensure untrusted applications cannot run. The screen lock will be checked for the required minimum of six characters.
  • Multi-Factor Authentication (MFA) will be tested for one administrator of each cloud service declared.
  • If the client has indicated in the CE Basic application that they have MFA enabled for all users of cloud services, then MFA will be tested for one random user of each system declared.
  • Account separation (administrator vs standard user) will be tested on all the systems declared.
  • We will ask you to upload any results using our secure upload site.

If you have any questions on our Cyber Essentials Plus checklist, please get in touch.
