Cyber Essentials – Evendine

James Ogier
Author
17th April 2022
Information Security

Our Senior Information Security Consultant, James Ogier, shares his thoughts on the recent changes to Cyber Essentials.

On the 24th January 2022, the NCSC and IASME made the largest change to the Cyber Essentials scheme in its history so far. The scheme was last changed in April 2020, in a release named Beacon, which included only minor changes. This latest overhaul, named Evendine (the releases are named after places of interest in the very pretty Malvern Hills, home of IASME), expands and further defines the scope of the assessment, brings cloud services into scope, and changes the password and multi-factor authentication requirements, among other minor changes.

Simply put, it is a bit tougher.

The NCSC have issued the latest Cyber Essentials: Requirements for IT Infrastructure, following this change.

Since Cyber Essentials was launched in June 2014, over 30,000 certifications have been issued to organisations of various sizes and types. The scheme is aimed at promoting basic and (the clue is in the name) essential security controls: identifying exploitable vulnerabilities and weaknesses reachable through broad attack vectors from the internet, the kind an opportunist attacker would use. The standard is based around five key technical controls to help protect an organisation.

  • Use of a firewall (hardware or software) to help secure the internet connection.
  • Use of a secure configuration across devices, inclusive of mobile devices.
  • Use of relevant and appropriate controls to prevent unauthorised access to data and software.
  • Protection of devices from viruses and malware.
  • Applying required patches and updates to devices and software in a timely manner.

On to the inclusion of cloud services: it is now a requirement for organisations to demonstrate account separation and multi-factor authentication for administrators across all the cloud services they use. Whilst multi-factor authentication will not be required on all user accounts until 2023 (when an organisation will automatically fail if it is not configured), it is worth implementing now, especially for a larger organisation. That said, if you are not using multi-factor authentication on cloud services, you should definitely consider implementing it for the level of protection it provides. We configure multi-factor authentication as standard, as it is a simple way to protect your user accounts and data.

There are also some changes to how the assessment is scoped. Picture this scenario: your organisation has a legacy 2008 (read: unsupported) server running a line-of-business application that is required for access to historic data. Previously, if this server was blocked from accessing the internet, that effectively removed it from the scope of the assessment, even if it sat on the same logical network as the rest of your devices. Easy peasy. That is no longer the case.

Now, under the Evendine changes, this server must sit in a ‘sub-set’, which in simple terms is a separate network without internet access, segregated using a firewall or network switch. Alternatively, put these devices on a separate network with internet access, but do not certify the entirety of your organisation, and declare the exclusion as such, for example: “Joe Bloggs Company Ltd, excluding the legacy network”. However, the NCSC prefer an organisation to achieve “whole company” certification wherever it can.

This might not be an issue for most organisations, but there certainly will be some challenges achieving this requirement for some.


Additionally, there are some changes to how vulnerabilities are defined. A vulnerability is a ‘hole’ in a system which, for the most part, system manufacturers and providers fix by releasing patches or updates. Vulnerabilities are generally given a severity rating on a scale of 1 to 10; this scale is the Common Vulnerability Scoring System version 3.0, or more simply the CVSS v3.0 score. Previously, there was some leeway in what constituted a ‘high’ vulnerability according to Cyber Essentials (this was based on how complex the attack would be), but this has now changed: any vulnerability rated 7 or above must be remediated and must not be present at the time of assessment if the patch or fix for it was released more than fourteen days ago.
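To make that patching rule concrete, here is an added example (not from the post or from the scheme documents) that applies it to a constructed list of scan findings: a finding blocks certification only when it is still present, scores 7.0 or higher on CVSS v3.0, and its fix was released more than fourteen days before the assessment date. Identifiers, dates and scores are all made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Evendine thresholds as described in the post: CVSS v3.0 >= 7 counts as
# 'high'; a released fix older than 14 days must already be applied.
CVSS_HIGH_THRESHOLD = 7.0
PATCH_GRACE_DAYS = 14


@dataclass
class Finding:
    host: str
    vuln_id: str                   # placeholder id, not a real CVE
    cvss_v3: float
    patch_released: Optional[date]  # None if no fix has been published yet
    remediated: bool               # True once the patch/fix has been applied


def blocks_certification(f: Finding, assessment_date: date) -> bool:
    """True if this finding fails the Evendine patching requirement."""
    if f.remediated or f.cvss_v3 < CVSS_HIGH_THRESHOLD:
        return False
    if f.patch_released is None:
        # The rule only bites once a fix exists; unpatched-with-no-fix
        # is a risk to track but not a fail under this particular test.
        return False
    age = assessment_date - f.patch_released
    return age > timedelta(days=PATCH_GRACE_DAYS)


def failing_findings(findings: List[Finding], assessment_date: date) -> List[str]:
    """Return the vuln_ids that would cause the assessment to fail."""
    return [f.vuln_id for f in findings if blocks_certification(f, assessment_date)]


# Constructed sample scan output for an assessment on 17 April 2022.
ASSESSMENT_DATE = date(2022, 4, 17)
SAMPLE: List[Finding] = [
    Finding("app01", "VULN-A", 9.8, date(2022, 3, 1), False),   # fix 47 days old: fail
    Finding("app01", "VULN-B", 7.5, date(2022, 4, 10), False),  # fix 7 days old: within grace
    Finding("db01", "VULN-C", 6.5, date(2022, 1, 1), False),    # below 7.0: not 'high'
    Finding("db01", "VULN-D", 8.1, date(2022, 2, 1), True),     # already patched
    Finding("web01", "VULN-E", 9.0, None, False),               # no fix published yet
    Finding("web01", "VULN-F", 7.0, date(2022, 4, 2), False),   # fix 15 days old: fail
]

if __name__ == "__main__":
    for vid in failing_findings(SAMPLE, ASSESSMENT_DATE):
        print(f"FAIL: {vid} must be remediated before assessment")
```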

Finally, there are some changes to how devices can be unlocked. There is no longer a requirement for devices to have an 8-character password to be unlocked; organisations can opt for 6 characters if other protection methods, such as multi-factor authentication, are in place once a password has been initially configured.

Outside of these more major changes, some ambiguity has been removed across the assessment, such as password requirements now applying to all accounts, not just those on internet-facing systems, and home routers provided by an ISP now being defined as falling outside the scope of the assessment.


My overall thoughts on the changes to Cyber Essentials are that it is a welcome change in bringing the standard up to date; simple things such as it not including cloud services and not leveraging multi-factor authentication held it back and, in my opinion, should have been added some time ago.

That, mixed with the challenges we have all faced in the last two years, and the new working practices organisations are implementing for home and remote working, means it absolutely makes sense that these controls have been added to the assessment. All things considered, it does make it more difficult for some organisations to achieve, but this is realistic: these simple controls should be in place anyway, not just to achieve the certification but, most importantly, to help protect the organisation’s assets. And realistically, the NCSC have a very difficult task on their hands to ensure that the certification remains obtainable, as well as proportionate, for all organisations to achieve.

Contact us at Resolution IT if you’d like more advice or wish to achieve the Cyber Essentials certification.

James Ogier

James has worked at Resolution IT for 8 years, after a period in the aviation industry. After 7 years working in our Information Security team, guiding clients on security best practices, he now works as a Senior Consultant in our Service Delivery team.

James has earned the ISC2 SSCP (Systems Security Certified Practitioner) and is able to certify organisations to the Cyber Essentials and IASME governance standards. He also holds Microsoft MCSA Windows 8 and 10 certifications, CompTIA A+, Network+ and Security+ accreditations, as well as being a Certified ISO 27001 ISMS Lead Implementer.
