Frequently Asked Questions
Cyber Essentials or Cyber Essentials Plus? Both qualifications are accredited by the UK government. They certify the controls put in place to protect access to a computer network and the security of the data on that network. If your business does not use a computer network you cannot achieve either award. Cyber Essentials is self-certified: a standardised set of online questions must be answered, and the answers are checked by an independent moderator. A business is allowed two attempts to pass. There is no mechanism to verify that the answers given reflect the systems and processes actually in place at the business being assessed. Cyber Essentials Plus requires that an assessor contacts the business undertaking assessment and investigates its network security procedures. Software tests will also be run on computer systems to evaluate their level of compliance; for example, systems will be probed to determine when they were last updated or patched. The assessment will fail if these systems are not running recent versions of software.
How long does ISO 27001 certification last? Certification lasts for 3 years. Auditors will make yearly visits during the certification period to ensure that security standards are being maintained and that action plans are being kept to.
What should I do if I think my computer system has been compromised or hacked? Leave any suspicious computer alone. Remove any network cables or turn off WiFi. Report the issue, either by phone or through an external system, to the relevant person and ask for advice. Do not use the suspect machine to contact them (even if it still has some functionality), as that could pass on any malware. If you are the relevant authority, use a separate network and run the symptoms of the event through a search engine to find out more about the issue. In many cases a suspected issue turns out to be a false alarm, but it pays to be cautious and to check straight away.
If I patch on release or upgrade promptly, am I vulnerable to zero-day exploits? Yes, but the security risk to unpatched systems is the greater threat. A zero-day exploit affects new systems or new versions of systems in which the programmers have left vulnerabilities exposed. This can result in a patch being released, followed soon afterwards by another to fix vulnerabilities in the initial patch. Upgrading networks might be seen as a low priority when one patch could quickly be superseded by another. The rule should always be to patch as soon as possible. The longer software is ‘in the wild’, the more time attackers have to find flaws and the more widely knowledge of those exploits spreads. Eventually the software authors will withdraw support from a system, meaning no more patches and only limited support should the system fail.
What does a penetration test report? The exact information exposed by a penetration test depends on the systems being tested. An external test investigates access and vulnerabilities from public entry points such as web pages. An internal test looks at servers, connections and account vulnerabilities from within a corporate network; this includes remote access, for example through a VPN. A social engineering assessment looks at corporate information exposed on public websites and social media that could be used to mount social engineering attacks such as phishing and spoofing. Example attacks are then run to demonstrate how that information can be used to reveal further corporate information. The report lists the systems that have been investigated together with any vulnerabilities found. Where a vulnerability has been found, it is explained together with an outline of how to fix it. The information revealed is kept in confidence between your business and Kindus. The solutions may be simple or more involved, but we will guide you through any steps required to secure your system.
Why do I need a computer security audit? Audits are often required as part of business agreements to ensure that the audited body meets certain computer security standards. Even if a business is not required to undertake an audit, having one in place is a commercial advantage. When tendering for new business, having an audit in place can be one of the key criteria used to filter the number of applicants. The audit itself, even if not required, will ensure that robust computer and industry standards are in place. If issues are identified during an audit, they can be addressed before they cause real-world problems.