Changes to Cyber Essentials requirements – April 2021 update

IASME is the NCSC’s Cyber Essentials partner and we are committed to delivering this accessible, basic level scheme to businesses of all sizes. As part of our partnership with NCSC, we work together to review and update the Cyber Essentials technical controls to ensure the scheme stays up to date and remains effective at protecting against common internet threats. We include feedback from our Certification Bodies and Cyber Essentials customers throughout this process.

In this latest update to the Cyber Essentials Requirements there are no major changes but there are a series of clarifications to the requirements. These will come into effect on 26th April 2021.

In this blog, we aim to give a detailed description of what the changes are and how they will affect you, plus a few comments from our tech team to shed some further light on the issues.

What changes will I see on 26th April?

1. There are new definitions for a corporate virtual private network (VPN), organisational data and organisational services.  These definitions assist when applying the requirements for Bring Your Own Device (BYOD).

How it will be worded:

  • Corporate VPN is a VPN solution that connects back to the applicant’s office location or to a virtual/cloud firewall. This must be administered by the applicant organisation so that the firewall controls can be applied.

  • Organisational data includes any electronic data belonging to the applicant organisation. For example, emails, office documents, database data, financial data.

  • Organisational services include any software applications, Cloud applications, Cloud services, User Interactive desktops and Mobile Device management solutions owned or subscribed to by the applicant organisation. For example, Web applications, Microsoft 365, Google Workspace, MDM Containers, Citrix Desktop, VDI solutions, RDP desktop.

2. An update to the Bring Your Own Device (BYOD) requirement to explain what is out of scope.

How it will be worded:
In addition to mobile or remote devices owned by the organisation, user-owned devices which access organisational data or services are in scope (native voice and SMS text applications are out of scope alongside multi-factor authentication usage).

Comments from the tech team:
There are many organisations that might not wish to include BYOD as they may not want the headache of asking their employees and contractors for details of their devices. However, BYOD is probably the biggest risk to any company, and consequently these devices must be included within the scope of the assessment. Cyber Essentials requires an organisation to understand where their data is and which devices are accessing their network and services. Many home workers are accessing cloud services such as Microsoft 365 and Dropbox from their personal devices as well as connecting to the office network. At the weekend, they might be using the same device to play games or access their personal email. The organisation that they work for has no control over what they may be viewing or downloading. Malware can be stored on a device giving no indication that it is there, until the device connects back into the office network or cloud service where the malware can be transferred with devastating consequences for the organisation.

The term ‘native voice’ refers to voice calls. This means that if a mobile phone is used solely for phone calls and text messages as well as receiving 2FA codes, it is not in scope, however, as soon as that device is used for accessing organisational email or any other organisational data, it would come into scope.

3. Clarification on when and where software firewalls are acceptable as the internet boundary.

How it will be worded (changes in blue):
A boundary firewall is a network device which can restrict the inbound and outbound network traffic to services on its network of computers and mobile devices. It can help protect against cyber attacks by implementing restrictions, known as ‘firewall rules’, which can allow or block traffic according to its source, destination and type of communication protocol.
Alternatively, where an organisation does not control the network that a device is connected to, a host-based firewall must be configured on a device. This works in the same way as a boundary firewall but only protects the single device on which it is configured. This approach can provide for more tailored rules and means that the rules apply to the device wherever it is used. However, this increases the administrative overhead of managing firewall rules.

Comments from the tech team:
The previous wording of the requirement simply stated, ‘alternatively, a host-based firewall may be configured on a device to act as their boundary’. This requirement needed some clarification after several very large institutions started to use this as a loop hole, asking their staff and students to rely on their software firewalls on all their devices. Despite the network being under the organisation’s control, they were looking to re-define their network as a work around to avoid declaring several thousand legacy devices in use within that network. The new wording specifies that a software firewall can be used as a boundary only if the organisation does not control the network it connects to.

An example where an organisation legitimately does not control their network might be in the case of managed offices. With a managed office, an organisation might be buying an internet connection, but they would not be in charge of the boundary, and so would need to rely on their software firewall configurations.

4. The name ‘patch management’ control has been changed to ‘security update management’.

How it will be worded:
Security update management.

Comments from the tech team:
The objective is now on applying update packages rather than individual patches.

5.   An update to the security update management control.  This will include automatic updates where possible and clarify the position on updates that do not include details of the level of vulnerabilities that the respective update fixes.

How it will be worded (changes in blue):
The Applicant must keep all its software up-to-date. Software must be:

  • licensed and supported

  • removed from devices when no longer supported

  • have automatic updates enabled where possible

  • updated, including applying any manual configuration changes required to make the update effective, within 14 days* of an update being released, where:
    • the update fixes a vulnerability with a severity the product vendor describes as ‘critical’ or ‘high risk’
    • there are no details of the vulnerability severity level the update fixes provided by the vendor.

For optimum security and ease of implementation it is strongly recommended (but not mandatory) that all released updates be applied within 14 days.
*It is important that these updates are applied as soon as possible. 14 days is seen as a reasonable period to be able to implement this requirement. Any longer would constitute a serious security risk while a shorter period may not be practical.

Information
If the vendor uses different terms to describe the severity of vulnerabilities, see the precise definition in the Common Vulnerability Scoring System (CVSS). For the purposes of the Cyber Essentials scheme, ‘critical’ or ‘high risk’ vulnerabilities are those with the following values:

  • attack vector: network only

  • attack complexity: low only

  • privileges required: none only

  • user interaction: none only

  • exploit code maturity: functional or high

  • report confidence: confirmed or high

Caution
Some vendors release security updates for multiple issues with differing severity levels as a single update. If such an update covers any ‘critical’ or ‘high risk’ issues then it must be installed within 14 days.

Comments from the tech team:
If there is the option to have automatic updates enabled, they should be turned on. The requirement states, ‘where possible’, because the large companies sometimes argue that they cannot apply automatic updates and they then have the option to choose to apply the high and critical patches.

The second part of the requirement change clarifies the position on updates that do not include details of the level of vulnerabilities that the respective update fixes. This clarification is there because Apple has decided to no longer reveal whether the updates are high, critical medium or low. Following on from the high profile Microsoft email server hack, it could now be considered wise not to alert potential hackers as to the severity of an update.

Last month, Microsoft suffered a state actor led attack against their email system and consequently sent out some critical and high end patches for their Exchange product. Within 8 days, somebody had posted how to use those vulnerabilities to attack systems on the public internet. Further to that, someone added an additional ransomware element to the command line attack and started locking people out of their email servers. Estimates suggest that it effected 28000 servers.

In just over a week, vulnerabilities that could be used for a state actor led attack were turned into a commodity attack. This evidence clarifies how important it is that updates are applied as soon as possible.

6. User access control has been expanded to include third party accounts that have access to the certifying organisation’s data and services.

How this will be worded (changes in blue):
The Applicant must be in control of its user accounts and the access privileges granted to each user account that has access to the organisation’s data and services. Importantly, this includes accounts that third parties use for access (for example, device management or support services). It must also understand how user accounts authenticate and control the strength of that authentication. This means the Applicant must:

  • have a user account creation and approval process
  • authenticate users before granting access to applications or devices, using unique credentials (see Password-based authentication)
  • remove or disable user accounts when no longer required (when a user leaves the organisation or after a defined period of account inactivity, for example)
  • implement two-factor authentication, where available
  • use administrative accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks)
  • remove or disable special access privileges when no longer required (when a member of staff changes role, for example)

Comments from the tech team:
IT support companies and developers will connect to a client’s network that is CE certified, but many don’t think the account controls apply to them. It has been known that many engineers from one IT support administration company all use the same admin account, similarly, if a third-party IT provider or developer with admin privileges remains logged in and gets side tracked, there is scope for a great many problems.  These are examples to emphasise that all users must apply the controls required for CE compliance.

What do I need to do now?
The Cyber Essentials assessment questions will change for all assessment accounts created on or after 26th April. The questions are worded differently and there are some additional questions that help clarify the information and reflect the changes detailed above. You can see both question sets) the current one v11c, and the one from 26th April vBeacon) on the IASME website here https://iasme.co.uk/cyber-essentials/free-download-of-cyber-essentials-self-assessment-questions/.

If you have been working offline on the current question set (v11c), you will need to submit your application for an assessment before 26th April to get the same questions that you are currently working on.  If you submit on or after the 26th April, you will the revised questions (vBeacon). If you would like the assessment questions to reflect those you are already working on then you must apply and pay before 26th April.

If you have already applied and paid for your assessment you will not see any changes to the question set on the online assessment platform and you will not need to pay again.

If you currently use the services of an IASME Certification Body, they have all received the update training and will still be able to support you after 26th April.

If you have any further questions regarding the changes to the Cyber Essentials requirements, please contact us via [email protected]