Cyber Essentials PLUS. Common Test Specification



Similar documents
Cyber Essentials. Test Specification

Cyber Essentials Questionnaire

CONTENTS. PCI DSS Compliance Guide

SSL VPN Technology White Paper

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Sophos Mobile Control Installation guide. Product version: 3

Sophos UTM. Remote Access via SSL Configuring Remote Client

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Sophos Mobile Control Installation guide. Product version: 3.5

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

Cyber Essentials Scheme

Kerio Control. User Guide. Kerio Technologies

Sophos Mobile Control Installation guide. Product version: 3.6

OnCommand Performance Manager 1.1

BlackBerry Enterprise Service 10. Version: Configuration Guide

A Guide to New Features in Propalms OneGate 4.0

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Steps for Basic Configuration

Payment Card Industry (PCI) Executive Report 10/27/2015

Remote Connectivity to XV, XP and epro units running Visual Designer

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

MultiSite Manager. Setup Guide

Copyright 2013, 3CX Ltd.

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

April 11, (Revision 2)

University of Central Florida UCF VPN User Guide UCF Service Desk

Setting Up Scan to SMB on TaskALFA series MFP s.

Defender Token Deployment System Quick Start Guide

IBM Security QRadar Vulnerability Manager Version User Guide

Vodafone Secure Device Manager Administration User Guide

Payment Card Industry (PCI) Executive Report 08/04/2014

Microsoft Outlook 2013 & Microsoft Outlook Microsoft Outlook Windows Live Mail 2012 & MAC Mail. Mozilla Thunderbird

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Sophos Mobile Control Installation prerequisites form

Inside-Out Attacks. Covert Channel Attacks Inside-out Attacks Seite 1 GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL

Medical Device Security Health Group Digital Output

Penetration Testing with Kali Linux

SonicWALL PCI 1.1 Implementation Guide

IBM Security QRadar Risk Manager Version Getting Started Guide IBM

Workday Mobile Security FAQ

Guideline on Auditing and Log Management

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Release Notes for Dominion SX Firmware 3.1.6

Inside-Out Attacks. Security Event April 28, 2004 Page 1. Responses to the following questions

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Virtual Appliance Installation Guide

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Firewall Firewall August, 2003

Enterprise Manager. Version 6.2. Installation Guide

MultiSite Manager. Setup Guide


SHC Client Remote Access User Guide for Citrix & F5 VPN Edge Client

Citrix Receiver for Mobile Devices Troubleshooting Guide

Clientless SSL VPN Users

Quick Connect. Overview. Client Instructions. LabTech

Networking for Caribbean Development

Penetration Testing Report Client: Business Solutions June 15 th 2015

Mobile Device Management Version 8. Last updated:

Sophos Mobile Control SaaS startup guide. Product version: 6

mystanwell.com Installing Citrix Client Software Information and Business Systems

EndUser Protection. Peter Skondro. Sophos

Dell SonicWALL SRA 7.5 Citrix Access

PrinterOn Mobile App for ios and Android

Management, Logging and Troubleshooting

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

IBM. Vulnerability scanning and best practices

Phone Inventory 1.0 (1000) Installation and Administration Guide

VPNSCAN: Extending the Audit and Compliance Perimeter. Rob VandenBrink

Security Considerations White Paper for Cisco Smart Storage 1

NETWORK SECURITY (W/LAB) Course Syllabus

NAS 224 Remote Access Manual Configuration

Océ Large Format Systems. Optimizing Security. Administrator manual Security information

Configuring Devices for Use with Cisco Configuration Professional (CCP) 2.5

VMware vcenter Log Insight Getting Started Guide

Sophos Mobile Control Installation guide

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

EXPLORER. TFT Filter CONFIGURATION

Requirements on terminals and network Telia Secure Remote User, TSRU (version 7.3 R6)

Vulnerability Assessment and Penetration Testing

Contents About the Contract Management Post Installation Administrator's Guide... 5 Viewing and Modifying Contract Management Settings...

FREQUENTLY ASKED QUESTIONS

Configuration Guide BES12. Version 12.2

Nessus Perimeter Service User Guide (HTML5 Interface) March 18, 2014 (Revision 9)

Media Server Installation & Administration Guide

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Division of Information Technology Lehman College CUNY

Nessus Enterprise Cloud User Guide. October 2, 2014 (Revision 9)

Using a VPN with Niagara Systems. v0.3 6, July 2013

Setting up VMware ESXi for 2X VirtualDesktopServer Manual

Rapid Vulnerability Assessment Report

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Configuration Guide BES12. Version 12.3


Web App Security Audit Services

IT HEALTHCHECK TOP TIPS WHITEPAPER

IceWarp to IceWarp Server Migration

SC-T35/SC-T45/SC-T46/SC-T47 ViewSonic Device Manager User Guide

Transcription:

Cyber Essentials PLUS Common Test Specification Page 1

Version Control Version Date Description Released by 1.0 07/08/14 Initial Common Test Specification release SR Smith 1.1 19/08/14 Updated Scope SR Smith 1.2 20/10/14 Corrected Errors, introduced footer version SR Smith Page 2

Contents Introduction... 4 Scope of the Cyber Essentials Plus Test... 4 Assumptions... 4 Success Criteria... 5 External systems... 6 Required tests... 6 Test Details... 6 Internal systems... 8 Tester pre-requisites... 8 Required tests... 8 Test Details... 8 Appendix 1 - Tool requirements... 12 Vulnerability scanners... 12 Weak Credentials... 13 Ingress file types... 14 Executables... 14 Containers... 14 Page 3

Introduction The Cyber Essentials scheme is recommended for organisations looking for a base level Cyber security test where IT is a business enabler rather than a core deliverable. It is mainly applicable where IT systems are primarily based on Common-Off-The-Shelf (COTS) products rather than large, heavily customised, complex solutions. The aim of the testing is to identify opportunistically exploitable vulnerabilities within an organisation s Internet facing infrastructure and user workstations that provide a high level of exposure to potential attackers with a low level of skill. This level of testing assumes no specific threats against an organisation need to be addressed and that the likely level of attack is the broad, untargeted style of unsophisticated attacks. This level of testing is not suitable for organisations that may be the target of Advanced Persistent Threat (APT) style attacks. Scope of the Cyber Essentials Plus Test The Test Scope is defined in the scheme Assurance Framework document, available on the scheme web site https://www.cyberstreetwise.com/cyberessentials/#downloads Complex Application Testing (both thick client and web applications) is beyond the scope of the engagement. Database audits and reviews (other than trivial credential checks) are beyond the scope of the engagement. Where a host has multiple browsers installed, all must be tested. Denial of Service (DoS) attacks in all forms are specifically excluded from the scope of the Cyber Essentials test. Assumptions The Assessor has access to an appropriate and sufficient set of test files and a remote web page with links to downloadable test files, to test the implementation of the controls specified in the Framework. The organisation being evaluated has, or is prepared to, assert that the controls described in the Scheme Requirements document have been properly implemented. Only vulnerability analysis and verification rather than full penetration testing is required. Limited exploitation may be included to remove false positive findings following vulnerability scanning. The two-click rule is intended to limit the level of nesting under test. If a user is required to undertake multiple steps to execute potential malware (such as for example a file in a zip archive within a zip archive within a zip archive ), then the tester should use experience and initiative to determine what level of nesting is appropriate to test. Page 4

Success Criteria Any organisation that is awarded a fail status for ANY test within this specification document is deemed to have failed overall. Otherwise, a pass status should be awarded. Any action points or observations should be detailed in the final report delivered to the customer. Page 5

External systems Required tests The following tests cases are required 1) Vulnerability scan for stated IP range including website scanning; Test Details Test Description Results 1) Vulnerability scan for stated IP range Using an appropriate industry standard vulnerability scanner that has been approved by the Accreditation Body, scan the external IP range for all IP addresses within the specified ranges. Note this should also include IPv6 addresses where they are in use. Results: Boundary Firewalls and Internet Gateways Ensure scans include a full (all 65535 ports) TCP port scan for all IPv4 (and IPv6 where used) addresses within the specified ranges. Ensure scans include a scan for known common UDP services for all IPv4 (and IPv6 where used) addresses within the specified ranges. All risks identified should be scored using the CVSSv2 standard. Low risk issues are defined as a score from 0.0 to 3.9 and should not be reported within the Cyber Essentials report. Secure Configuration Medium risks are defined as a score between 4.0 and 6.9 and will usually be associated with the obtaining of some piece of specific information enumerated from the system but that could not actually be directly exploited. High risks are defined as a score between 7.0 and 10.0 and will usually be associated with direct compromise of a system or application for the extraction of production data, system passwords or the introduction of malware. Patch Management Results within this section should be split in to three areas for the purposes of reporting in line with the relevant Basic Technical Cyber Protection Controls. 1. Boundary Firewalls and Internet Gateways 2. Secure Configuration 3. Patch Management Page 6

Test Description Results Interpreting Results: Award a pass status if only low risk issues are returned. Award an Action Point status if the highest risk issues returned are medium. Award a fail status if any high risks issues are present. The issues (medium and above) identified should be included in the additional information sections of the report. The high level categorisation of issues is described below but the precise classification will not affect the pass/fail result of the test and is instead provided as clarification for the customer. Boundary Firewalls and Internet Gateways Unnecessary open ports and services Secure Configuration Weak credentials Use of unsupported operating systems Patch Management Vulnerabilities in unpatched services Page 7

Internal systems Tester pre-requisites Access to an external mail system that is not blacklisted and that performs no filtering; Access to an Internet host listening on the predefined set of egress test ports; Access to appropriate and sufficient test binaries and payloads; Details of a target e-mail account per platform being assessed. Required tests The following tests cases are required 2) Inbound email binaries and payloads 3) Web site page with URLs linking to binaries 4) Authenticated vulnerability scan of host Test Details Test Description Results 2) Inbound email binaries and payloads Using your remote test account and desktop/laptop system provided by the customer, send an initial email with no attachments and determine that it arrives successfully in the target inbox. Results: Malware Protection Next, attempt to send multiple emails in from your remote test account, with attached test files. Results within this section should be split in to two areas for the purposes of reporting in line with relevant the Basic Technical Cyber Protection Controls. 1. Malware Protection 2. Secure Configuration Secure Configuration If any of the AV test attachments arrive successfully and the user is not blocked from accessing them then record a Fail status for Malware Protection, otherwise record a Pass for this element If any of the attachments can be run successfully and provide an alert warning of successful execution then record a Fail status for Secure Configuration, otherwise record a Pass for this element. Note the two click rule as per the assumptions section. If no email communications at all can be established during the test window then record a Fail status for both elements of this test. Ensure customer s technical staff are given sufficient information to enable them to attempt to resolve the problem during the test. Page 8

Test Description Results 3) Web site page with URLs linking to binaries Browse to a test page containing links to a downloadable set of test binaries. Results within this section should be split in to two areas for the purposes of reporting in line with relevant the Basic Technical Cyber Protection Controls. Result : Boundary Firewalls and Internet Gateways 1. Boundary Firewalls and Internet Gateways 2. Malware Protection 3. Secure Configuration If any of the executable URL links allow a file to be downloaded and run successfully and provide an alert warning of successful execution then record a Fail status for Boundary Firewalls and Internet Gateways, otherwise record a Pass for this element. Malware Protection Note the two click rule as per the assumptions section. If any of the AV test files can be downloaded successfully and the user is not blocked from accessing them then record a Fail status for Malware Protection, otherwise record a Pass for this element. If any of the non AV attachments can be run successfully and provide an alert warning of successful execution then record an Action Point status for Secure Configuration, otherwise record a Pass for this element. Secure Configuration Note the two click rule as per the assumptions section. If no web access at all can be established during the test window then record a Fail status for both elements of this test. Ensure customer s technical staff are given sufficient information to enable them to attempt to resolve the problem during the test. Page 9

4) Authenticated vulnerability scan of host Using an appropriate industry standard workstation build review tool, perform an admin level scan of the host including local checks for each host within sample set. Result: Patch Management Ensure scans include a patch check for operating system updates. Ensure scans include a patch check for the following applications 1. Oracle Java 2. Adobe Acrobat 3. Office software suites 4. Adobe Flash 5. Mozilla Firefox 6. Google Chrome 7. Opera 8. Microsoft Internet Explorer Malware Protection Ensure scans include a check of any AV solution in use. All risks identified should be scored using the CVSSv2 standard. Low risk issues are defined as a score from 0.0 to 3.9 and should not be reported within the Cyber Essentials report. Access Control Medium risks are defined as a score between 4.0 and 6.9 and will usually be associated with a specific weak configuration of the system but that could not actually be directly exploited. High risks are defined as a score between 7.0 and 10.0 and will usually be associated with likely direct compromise of a system for the extraction of production data, system passwords or the introduction of malware. Secure Configuration Results within this section should be split in to four areas for the purposes of reporting in line with relevant the Basic Technical Cyber Protection Controls. 1. Patch Management 2. Malware Protection 3. Access Control 4. Secure Configuration Interpreting Results: Patch Management All patches released within 14 days of the date of the audit for any of the applications listed should be installed. If this is true, award a Pass. Otherwise, if all patches released within 30 days of the date of the audit for any of the applications listed are installed award an Action Point Otherwise, award a Fail If the OS or any application is unsupported and no patches are available then award a Fail. For an Action Point or Fail status the issues identified should be included in the additional information sections of the report. Page 10

Malware Protection An AV solution must be in place and all AV definitions released within 7 days of the date of the audit should be installed. Any AV engine updates should be applied within a maximum of 90 days. If both of these are true, award a Pass, otherwise award a Fail. Access Control User accounts should be assigned to individuals rather than shared accounts and users should not have admin level access to change system settings and/or install software. If this is true, award a Pass, otherwise award a Fail. Secure Configuration Review the output from the build review tool and award a pass status if only low risk issues are returned. Award an Action Point status if the highest risk issues returned are medium. Award a fail status if any high risks issues are present. The issues (medium and above) identified should be included in the additional information sections of the report. Mobile Devices Where there is a requirement to audit a mobile device such as a tablet or phone, then only the following platforms are supported and their specific rules should be applied. Microsoft Surface Tablet Pro Treat as a standard workstation and apply the rules above. Microsoft Surface Tablet Apple ios on IPhone or ipad Android on Phone or Tablet Patch Management All OS and application store updates released within 7 days of the date of the audit should be installed. If this is true, award a Pass, otherwise award a Fail. Access Control User accounts should be protected by passwords or PINs. If this is true, award a Pass, otherwise award a Fail.. Page 11

Appendix 1 - Tool requirements Vulnerability scanners Platforms used to perform scanning must already be approved by PCI for ASV scanning prior to being put forwards for accreditation for the Cyber Essentials scheme. This is to ensure consistency with existing standards but to allow enhancements to be applied where appropriate. Tools must be able to perform a TCP SYN or FULL CONNECT scan across all 65535 TCP ports for each IP address under review. Tools must be able to perform a UDP scan across all the first 1024 UDP ports for each IP address under review. Tools must be able to perform a UDP service scan on commonly used UDP ports. Specifically TFTP, SNMP and NTP ports must be checked due to their common weaknesses. It is permissible for scanned ports to be performed in any order. Vulnerability scanners must be able to identify the following classes of issues: Open ports with service identification Weak credentials (as defined in the weak credentials list) for the following protocols (and their SSL/TLS variants) SMTP, POP3, IMAP, ActiveSync SSH, TELNET, SMB, LDAP FTP, HTTP SNMP, VNC, RDP, Citrix ICA/CAG VPN including but not limited to SSL, PPTP, OpenVPN, IPSEC MYSQL, MSSQL, POSTGRES, ORACLE Other authenticated services that may allow host compromise or exfiltration of data Application level weaknesses within visible services. Where possible false positives should be removed from reports during the internal review stage and findings with minimal real world risk for a non-targeted attack against the organisation under review should also be removed. The intent for all Cyber Essentials reporting is to provide customers with meaningful information regarding practical risks to their business and its activities as such, reporting SSL/TLS issues should only be done by exception when a clear and significant business risk has been identified. Page 12

Weak Credentials All combination of the following usernames and passwords should be tested for remote services accessible via the Internet. Usernames Passwords adm <null> admin 1234 administrator 12345678 cisco Admin debug Administrator guest Changeme manager changeme2 monitor Cisco operator Letmein patrol Manager public monitor recovery Operator root pass security password superuser Password support PASSWORD sysadm Password1 sysadmin Password123 system Passw0rd tech private test public user recovery root security tech Page 13

Ingress file types The following list of file types should be tested for when evaluating inbound email filtering controls. Files should be either native binaries that launch obvious behaviour to identify execution (eg launching a web browser to a known page, or creating an onscreen dialog) or specific inert files that are known to flag the majority of common AV solutions. Executables.com.bat.exe.pif.scr.msi.ps1.jar.sh.py.dmg Containers.zip.7z.rar.tar.gz.tar.gz Page 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information