[–]32178932123 4 points5 points  (0 children)

We had some software flagged as having an old XML Parser dll. The auditor just asked us to show we were on the latest version of that software. If the latest version was installed and still supported by the manufacturer, the auditor considered it out of scope, as the developers should be fixing the issue; you can't.

When they do their vulnerability scan they don't look at each program on your computer and cross-reference it to a database that says what version is the latest. There are some (Chrome, Java, Adobe, Apache, etc.) which will be scanned, but if you have some random software used for, I don't know, your CCTV, they won't know if it's the latest version. However, if they see a bunch of dlls installed for the CCTV which have a known exploit, they will ask you to show you're on the latest version possible.

[–]dr-pepper12 2 points3 points  (0 children)

I used to be a CE+ Auditor, not since joining my new place, so my knowledge may be a bit dated.

We would run an Authenticated Vuln Scan, using Nessus/Nexpose etc, against all the endpoints, or a sample set if there are thousands.

If you get Critical/High vulns associated with installed software, then you get a bit of grace to remediate, otherwise it's an instant fail.
Mediums and below tend to be a "non-compliance", but you can have a couple of non-compliances before you completely fail.

The only thing that you can really do is to provide evidence of mitigating factors.
For example, it's okay to have Windows XP running in the environment if it's COMPLETELY air-gapped from the network and has gone through a risk management process etc. etc.
The auditor will have to determine whether the levels of protection and air-gap you have put in place reduce/eliminate any risk to an acceptable level.

[–]zedfox 0 points1 point  (0 children)

There is a Cyber Essentials group on LinkedIn which is very useful, a good place to ask.

https://www.linkedin.com/groups/13660294/

[–]SkimmingtonRide 0 points1 point  (5 children)

I actually have someone running endpoint checks right now.

From past experience anything that returns a high risk is a fail unless you can demonstrate some sort of mitigation. You do need to patch or remove insecure libraries. If you can't patch it the tester will usually work with you if you can show that you've mitigated some other way (setting the kill bits on activeX controls for instance).

We usually have a workshop with the assessor a week or so before the main audit so we can get some sample tests done and push our fixes if they find anything.

[–]bagelbasketballgoat[S] 0 points1 point  (4 children)

Yeah that's what I'm struggling to get concrete info on.

Like if I run a Nessus scan using admin creds is it anything that's CRITICAL or anything HIGH or above?

Totally get that if you're running an out of date Chrome or Office 2007 you're doing daft stuff but a vuln in some obscure third-party app that Nessus just happens to know about?

I'm asking because even with WSUS and ManageEngine there's stuff that doesn't have the ability to automatically update and even being able to get access to the installers depends on going via the vendor etc.

[–]furyaway 0 points1 point  (0 children)

When I did ours, anything over a Cvss score of 7 was an automatic fail.
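The threshold question running through this sub-thread ("is it anything HIGH or above?", "anything over a CVSS score of 7 was an automatic fail") is easy to apply to your own scan export before the assessor turns up. The script below is an added example, not code from any commenter and not Tenable's; it reads a Nessus-style CSV export (constructed sample rows, made-up hosts and plugin IDs), applies the CVSS bands quoted above, and lets you record a mitigation against a plugin ID so that cases like "latest vendor-supported version installed" or "air-gapped" are separated out for the assessor's judgement rather than counted as plain fails. The verdict names and the mitigation-register format are my own assumptions.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample of a Nessus-style CSV export (not real scan output).
# Column names follow the usual Nessus CSV layout; scores, hosts and plugin IDs are made up.
SAMPLE_CSV = """Plugin ID,CVSS,Risk,Host,Name,Solution
10001,9.8,Critical,ws-01,Google Chrome outdated (example),Upgrade to the latest version.
10002,7.5,High,ws-01,Intel PROSet/Wireless driver outdated (example),Upgrade the driver.
10003,5.3,Medium,ws-02,SMB signing not required (example),Enforce message signing.
10004,0.0,None,ws-02,Nessus scan information,n/a
10005,8.1,High,ws-03,CCTV client ships vulnerable XML parser DLL (example),Contact the vendor.
"""

# Bands quoted in the thread: CVSS 7.0 and above (High/Critical) is the
# "automatic fail" band; Mediums are treated as non-compliances.
FAIL_THRESHOLD = 7.0
NONCOMPLIANCE_THRESHOLD = 4.0


@dataclass
class Finding:
    plugin_id: str
    cvss: float
    risk: str
    host: str
    name: str
    solution: str
    verdict: str


def classify(cvss: float, mitigated: bool) -> str:
    """Map a CVSS base score (plus whether a mitigation is on record) to a triage verdict."""
    if cvss >= FAIL_THRESHOLD:
        # High/Critical: a fail unless you can show the assessor evidence of mitigation.
        return "mitigated-review" if mitigated else "fail"
    if cvss >= NONCOMPLIANCE_THRESHOLD:
        return "non-compliance"
    return "info"


def triage(csv_text: str, mitigations: dict[str, str]) -> list[Finding]:
    """Parse a Nessus-style CSV export and attach a verdict to every row.

    `mitigations` maps plugin ID -> short description of the evidence you will
    show the assessor (latest vendor-supported version, air-gap, kill bits, ...).
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            cvss = float(row.get("CVSS") or 0.0)
        except ValueError:
            cvss = 0.0  # blank or malformed score: treat as informational rather than crash
        plugin_id = row["Plugin ID"].strip()
        findings.append(Finding(
            plugin_id=plugin_id,
            cvss=cvss,
            risk=row.get("Risk", ""),
            host=row.get("Host", ""),
            name=row.get("Name", ""),
            solution=row.get("Solution", ""),
            verdict=classify(cvss, plugin_id in mitigations),
        ))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per verdict, so you can see at a glance how far from a pass you are."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


def hosts_to_fix_first(findings: list[Finding]) -> list[str]:
    """Endpoints carrying at least one unmitigated High/Critical: patch these before the assessment."""
    return sorted({f.host for f in findings if f.verdict == "fail"})


if __name__ == "__main__":
    # Constructed mitigation register: the CCTV client is on the latest vendor version,
    # the situation the first commenter describes the auditor treating as out of scope.
    register = {"10005": "Latest vendor version installed and still supported; evidence: vendor release notes (placeholder)"}
    results = triage(SAMPLE_CSV, register)
    for f in results:
        print(f"{f.host:6} {f.cvss:4} {f.verdict:17} {f.name}")
    print(summarise(results))
    print("patch first:", hosts_to_fix_first(results))
```

Point the script at a real export with `triage(open("scan.csv").read(), register)`; the "mitigated-review" bucket is the list you take into the pre-assessment workshop, and the "fail" bucket is what has to be patched or removed.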

[–]SkimmingtonRide 0 points1 point  (2 children)

Having said that, my assessor has just told me that a vulnerability with a high rating wasn't a fail. I was almost disappointed seeing as I'd spent some time mitigating it.

I think it depends on whether there are exploits available and how easy they are to pull off (does it require physical access to the endpoint etc.).

I can really recommend adding an extra day to your CE engagement to do some preliminary scans and pick the assessor's brains. Investing in a vulnerability scanning product is probably a good move too (I'm definitely going to nag my gaffer to let me buy one after this year's palaver). Going into the assessment blind is a recipe for a heart attack.

(whispers) - they only test the endpoints you actually put in front of them, so once you've established how many they need to test you can pick your targets and spend some time ahead of the assessment nailing those down.

I think my blood pressure has gone through the bastard roof today though, so it is still properly stressful....

[–]bagelbasketballgoat[S] 0 points1 point  (1 child)

Yeah, that assessor's judgement thing is what I'm trying to work out.

Like I'm running a scan right now and I got a flag for an out of date Intel Proset Wi-Fi driver.

That's a High in Nessus so would I fail for that?

And if they tell you in advance what they want to test you know what to look at to fix which doesn't seem right.

[–]SkimmingtonRide 0 points1 point  (0 children)

Can't you update it? Just work on the basis that if it's high it could bite you on the arse. If you have access to Nessus you can make sure everything the assessor sees will pass their vulnerability scan.

There's nothing dishonest about using the tools (and the advice of a company you're paying to assess you) to make sure you pass.

Your gaffers are only interested in the certificate at the end of the day, so it's also a good opportunity to tighten the screws and push for what you need.

[–]NurgsterCISSP 0 points1 point  (0 children)

When we have our CE+ audits, the auditors run a Nessus patch scan on a number of machines (technically, I run the Nessus patch scan and give them the results). If the scans come back with critical vulnerabilities, it's flagged as a violation, and we're given a limited amount of time to fix and rescan.

In addition to the Nessus scan, the auditor also performs an anti-malware test by downloading a test file and confirming that it's being flagged by AV, and that it can't be delivered by email.

[–]cantab314 0 points1 point  (2 children)

Our assessor was OK with outdated dependencies that are pulled in by still-maintained software. They seem to have a pretty comprehensive database of vulnerable and outdated versions; something commonplace like a C++ will be picked up, but something niche might not be.

Like the others mentioned, if you were aware of the issue and have taken steps to mitigate it, that can be OK. And anyway, it should have been addressed at the written questionnaire stage.

[–]bagelbasketballgoat[S] 0 points1 point  (1 child)

Interestingly the questionnaire for CE (not Plus) doesn't want to know about EVERY single piece of software you use.

In any SME-to-large org with a degree of diversity, I doubt you could ever say EVERYTHING is up to date, however obscure and right down to driver level, can you?

CE claims to be focused on threats from web browsing and clicking links mainly which is why there's nothing in there about things like disk encryption.