Shaun Peapell | Vice President, Threat Services | Rootshell Security
The necessary restrictions on physical movement caused by the COVID-19 pandemic, and the repercussions of these changes on businesses are plain to see. Technology businesses, especially those whose work can be done remotely, are the least affected operationally, even if their commercial units are having a tough time of it. Now, it’s the cybersecurity industry’s time to join the affected.
Cyber Essentials (CE) is the Government's National Cyber Security Centre certification for businesses and their (internal or external) information security teams, which offers some indication, and advance notice, that your systems are not wide open to common threats.
Cyber Essentials Plus (CE+) is the advanced level of the accreditation, and includes a hands-on technical verification by a qualified penetration tester. Suppliers to Her Majesty’s Government, for example, require this advanced certification to continue to be on the approved list.
Earlier this week, on April 20th, the well-known tech website The Register brought to light a little-known Industry Security Notice which, in a similar vein to the DVLA extending MOT validity, seems to accept that an on-site internal test by a consultant cannot currently be carried out, and therefore lowers the CE+ standard so that it is no longer required.
The assessment usually includes some basic penetration testing and vulnerability scanning, both external and internal, as well as individual device configuration checks.
On the GOV.UK website, the Industry Security Notice advises that, “Organisations obtaining or renewing CE+ for a future contract will need to provide a Cyber Implementation Plan. This should inform Defence that the supplier is committed to seeking CE+ but cannot do so due to travel restrictions resulting from COVID-19”. This effectively suspends, temporarily, the more rigorous level of testing, which some might argue is pivotal to keeping UK infrastructure and supply chains free from attack. In the meantime, suppliers are advised to “acquire the basic level of Cyber Essentials”.
As a Cyber Essentials certifying body, accredited by IASME, Rootshell Security has continued to deliver the full CE+ level of testing during the Coronavirus outbreak. How, you may ask, when our consultants are unable to travel to customer sites for the internal portion of the testing?
Security must continue. By leveraging our hardened remote security appliances, which many of our clients have already adopted and integrated into their networks, internal (on-site) security assessments have remained a straightforward and secure process. Coupled with the Rootshell Security Operations Centre (SOC), our business, and your organisational security strategy, remain operational and of the highest standard.
When active, a secure connection from the appliance back to Rootshell is maintained, allowing our SOC analysts and penetration testing consultants to conduct full internal assessments as though they were on site. That connection is an encrypted tunnel, more commonly known as a VPN (Virtual Private Network), authenticated with certificates and using strong encryption. The effect is like having Rootshell Security consultants in the office with (or without) you.
By making the most of remote access, the client can subscribe to scores of testing types, including a full internal penetration test, bespoke desktop application testing, operating system (OS) build reviews, Wi-Fi assessments and internal vulnerability assessments, among others. Our appliances are pre-configured and ready to go, meaning our clients just need to plug them in and give them network access.
Continuous secure monitoring of the devices is managed by the SOC, which ensures the appliances themselves are fully secured and locked down, permitting remote access only to Rootshell Security for on-demand security assessments.
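As an added illustration of the locked-down appliance described above (this is example configuration written for this article, not Rootshell's actual appliance build; the page only says "VPN", so WireGuard, nftables, the host name soc-vpn.example.invalid, the 10.66.0.0/24 tunnel range and the placeholder keys are all assumptions), the following POSIX shell script generates the two pieces that enforce "only Rootshell can reach it": a WireGuard configuration with which the appliance dials out to the SOC, so nothing listens on the customer's network, and an nftables ruleset that accepts management traffic only from the SOC's tunnel address.

```shell
#!/bin/sh
# Added example for this article, not Rootshell's own appliance configuration.
# Generates (1) an appliance-side WireGuard config that dials OUT to the SOC and
# (2) an nftables ruleset that accepts inbound traffic only from the SOC over
# that tunnel. Every host name, address and key below is a placeholder.
set -eu

SOC_ENDPOINT="soc-vpn.example.invalid:51820"      # assumed SOC hub; the appliance connects out to it
SOC_PUBKEY="<SOC_PUBLIC_KEY_BASE64>"               # output of 'wg pubkey' on the SOC hub
APPLIANCE_PRIVKEY="<APPLIANCE_PRIVATE_KEY_BASE64>" # output of 'wg genkey' on the appliance
SOC_TUNNEL_IP="10.66.0.1"                          # the only peer the appliance will talk to
APPLIANCE_TUNNEL_IP="10.66.0.2"
WG_IF="wg0"

# WireGuard interface for the appliance. Deliberately no ListenPort: the
# appliance never accepts a handshake from the customer's LAN or WAN, it only
# initiates one. PersistentKeepalive keeps the outbound UDP flow open through
# the customer's NAT/firewall. AllowedIPs is the single SOC address, so
# WireGuard's cryptokey routing discards packets to or from any other address.
gen_wg_conf() {
    cat <<EOF
[Interface]
PrivateKey = ${APPLIANCE_PRIVKEY}
Address = ${APPLIANCE_TUNNEL_IP}/24

[Peer]
PublicKey = ${SOC_PUBKEY}
Endpoint = ${SOC_ENDPOINT}
AllowedIPs = ${SOC_TUNNEL_IP}/32
PersistentKeepalive = 25
EOF
}

# Host firewall for the appliance. Default-drop on input; the only accepted
# new connections are SSH and ping from the SOC address arriving on the tunnel.
# Replies to the appliance's own outbound traffic (the WireGuard handshake, the
# assessment traffic it sends into the customer LAN) are covered by conntrack.
gen_nft_rules() {
    cat <<EOF
flush ruleset
table inet appliance {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        iifname "${WG_IF}" ip saddr ${SOC_TUNNEL_IP} tcp dport 22 accept
        iifname "${WG_IF}" ip saddr ${SOC_TUNNEL_IP} icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Pre-shipping check: the generated WireGuard config must not open a listening
# port and must be pinned to exactly one peer address. Returns 0 if both hold.
check_wg_conf() {
    conf="$(gen_wg_conf)"
    if printf '%s\n' "$conf" | grep -q '^ListenPort'; then
        return 1
    fi
    printf '%s\n' "$conf" | grep -q "^AllowedIPs = ${SOC_TUNNEL_IP}/32\$"
}

# Installation on the appliance (run as root); defined but not executed here.
install_configs() {
    check_wg_conf
    umask 077
    gen_wg_conf > "/etc/wireguard/${WG_IF}.conf"
    gen_nft_rules | nft -f -
    wg-quick up "${WG_IF}"
}
```

The WireGuard side is what makes the appliance "plug in and go": it needs only outbound UDP to the SOC hub and no inbound port forwarding on the customer's firewall, and the customer can cut Rootshell's access at any moment by blocking that one flow. The nftables side is what "locked down" means in practice: even if someone on the customer LAN discovers the appliance, it answers nothing, because every new inbound connection that does not arrive from the SOC address over the tunnel hits the drop policy.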
Many of our clients choose instead to provide their own VPN access into the internal networks to be tested. The client then remains in control and can decide which systems can be accessed, and when.
Standards are being lowered by the UK government to accommodate the difficult circumstances we find ourselves in. With such powerful, secure remote working and remote access tools at our fingertips, the cyber security industry and our partners do not need to use this as an excuse to lower the bar, potentially opening up private and public sector organisations to attack.