Cyber Essentials is a joke?

I think the auditors will usually allow a small percentage to be out, but it’s pretty small. My point about it overall being a good thing is that it forces you to have systems in place rather than an ad hoc process that probably doesn’t get used that often.

Yeah, I can imagine there are some very dodgy networks out there.
 
The issue is that the return for the DSP Toolkit isn't phrased to allow you to put in "we're 90% complete". It's an all-or-nothing statement.

Looking at what we can put in place to inform us: products such as Snow, Deskcenter, Ivanti, Remedy etc., but even then there will be some manual trawl to be done.
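The "manual trawl" above is what the inventory products are replacing: pulling installed-software versions off every box and comparing them against a minimum you are willing to defend. The script below is an added illustration, not code from anyone in this thread or from any of the products named. It reads the per-machine Uninstall registry keys that those products (and SCCM hardware inventory) also read, and flags anything below a threshold. The `$Minimums` table and its version numbers are hypothetical and chosen for illustration; they are not CE or IASME requirements.

```powershell
# Added example (not from the thread): list installed software from the
# per-machine Uninstall keys and flag entries below a chosen minimum version.
# The Uninstall keys are where most Windows installers register themselves;
# per-user installs (HKCU) are deliberately left out here.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Hypothetical policy table: DisplayName regex -> lowest version you accept.
# The values here are assumptions for illustration, not a published baseline.
$Minimums = @{
    '^Java \d'       = [version]'8.0'
    '^Google Chrome' = [version]'110.0'
    '^7-Zip'         = [version]'22.0'
}

function Get-InstalledSoftware {
    # Skip bare entries (hotfixes, orphaned keys) that carry no name or version.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

function Test-MinimumVersion {
    param([Parameter(ValueFromPipeline)] $App)
    process {
        foreach ($pattern in $Minimums.Keys) {
            if ($App.DisplayName -notmatch $pattern) { continue }

            # DisplayVersion is free text. Vendors write things like "8.0.2020.8"
            # or "1.8.0_202", so normalise to digits and dots before parsing.
            $clean  = (($App.DisplayVersion -replace '[^0-9.]', '.') -replace '\.+', '.').Trim('.')
            $parsed = $null
            $ok     = [version]::TryParse($clean, [ref]$parsed)

            [pscustomobject]@{
                Name      = $App.DisplayName
                Installed = if ($ok) { $parsed } else { $App.DisplayVersion }
                Minimum   = $Minimums[$pattern]
                # Anything we cannot parse is reported as non-compliant so it
                # gets looked at by a human rather than silently passing.
                Compliant = $ok -and ($parsed -ge $Minimums[$pattern])
            }
        }
    }
}

# Report only the failures; pipe to Export-Csv to collect results centrally.
Get-InstalledSoftware | Test-MinimumVersion |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

Run it locally for a spot check, or wrap it in `Invoke-Command -ComputerName` over the estate; the same logic drops into an SCCM compliance-setting script if you want the numbers to come from the tooling rather than from a trawl.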
 
We got our cyber essentials plus certificate today

Can’t say I was impressed with the process, but we passed
Did you have any issues remediating workstations remotely? What about all the laptops for everyone working from home?
 
> Did you have any issues remediating workstations remotely? What about all the laptops for everyone working from home?

No, everything is handled automatically via SCCM, and the laptops are on Microsoft's Always On VPN.

The auditors set up a Teams meeting and we simply shared the screen so he could check stuff.
 
I wonder how much Microsoft et al. paid to have 'latest versions' a requirement? I've been out of it over a decade, but when I was (peripherally) involved, we had standard versions of software which were often many years out of date. We then ensured they were up to date wrt patches etc.
 
> No, everything is handled automatically via SCCM, and the laptops are on Microsoft's Always On VPN.
>
> The auditors set up a Teams meeting and we simply shared the screen so he could check stuff.
Nice one. I would argue that a significant part of Cyber Essentials is to get your underlying infrastructure set up properly, so when it comes time to prepare for the audit, things are pretty much already there.
 
> I wonder how much Microsoft et al. paid to have 'latest versions' a requirement? I've been out of it over a decade, but when I was (peripherally) involved, we had standard versions of software which were often many years out of date. We then ensured they were up to date wrt patches etc.
Software doesn't patch itself, and as vendors release new versions of software (a market necessity to stay relevant in a constantly evolving world), by simple necessity at some point they have to stop supporting older versions (most big software companies support n-2 versions). However, security vulnerabilities and bugs are still found in older unsupported software versions, so what would you propose is the solution? Answer: you have to stay up to date if you want to be even remotely secure. It's nothing to do with "Microsoft paying"; it's simple economic reality. Supporting every version of software ever released is just not feasible, and would be a terrible waste of precious developer resource.

I don't get this hatred for patching. Staying up to date is essential for security, compatibility, and supportability, and anything that promotes the improvement of these practices and the underlying tools that support them (like SCCM), is a good thing.
 
Microsoft normally supports products for 5 years or more, don't they? So you're saying you want your estate to stagnate for 5 years? An estate that remains untouched for 5 years is not a stable estate. New software products that your users might need come out in that time, and they will have compatibility requirements of their own (because the vendor will have only tested against modern OS releases). And because it's been untouched for so long, there is nobody in the company that actually knows how to update the estate (there are no practices, tools, procedures), and the users are used to their machines never being touched, so it would be super traumatic for them when you did do it. Then, on top of all that, when you were finally forced to update things (at which point this has become bigger than Ben Hur), the change would be so big because you'd left it for so long that it would be a shock to the employees and error-prone to deploy. Frequent small changes are far better than infrequent big changes, not only because there is less change in between updates, but because by doing more of them, you get better at testing and deploying them.
 
> Microsoft normally supports products for 5 years or more, don't they? So you're saying you want your estate to stagnate for 5 years? An estate that remains untouched for 5 years is not a stable estate. New software products that your users might need come out in that time, and they will have compatibility requirements of their own (because the vendor will have only tested against modern OS releases). And because it's been untouched for so long, there is nobody in the company that actually knows how to update the estate (there are no practices, tools, procedures), and the users are used to their machines never being touched, so it would be super traumatic for them when you did do it. Then, on top of all that, when you were finally forced to update things (at which point this has become bigger than Ben Hur), the change would be so big because you'd left it for so long that it would be a shock to the employees and error-prone to deploy. Frequent small changes are far better than infrequent big changes, not only because there is less change in between updates, but because by doing more of them, you get better at testing and deploying them.

I think Windows 10 is 18 months.

Our estate is 4,000 client devices managed by four front line technicians. We manage with ease. So long as you have the back end setup right, that's key.
 
It's a laugh trying to get CE+ when all your infra is 8 years old. Erm, I could update Java, but I need version xxxx for the old SAN GUI that doesn't work with anything newer.
Why are you on this version of ESXi? Well, our servers don't support the latest version...
 
> It's a laugh trying to get CE+ when all your infra is 8 years old. Erm, I could update Java, but I need version xxxx for the old SAN GUI that doesn't work with anything newer.
> Why are you on this version of ESXi? Well, our servers don't support the latest version...

Don't worry, you'll pass. It's a complete joke. The auditor will simply tell you to ensure at least one machine has the latest Java, and they'll basically run their tests on that one machine.

We were in the same boat. The Dell EqualLogic SANs require Java 6, so.... and we still passed lol
 
Exactly, we'll have EqualLogic until the end of days.... We've been trying to get rid of them for years. (But I do really like them...)
 
> Don't worry, you'll pass. It's a complete joke. The auditor will simply tell you to ensure at least one machine has the latest Java, and they'll basically run their tests on that one machine.
>
> We were in the same boat. The Dell EqualLogic SANs require Java 6, so.... and we still passed lol

Who were the auditors? (Asking for a friend :D) Though CE was never about being an accreditation as such, and more about showing you're "on the ball" to a degree. I did use it as an argument for getting sign-off on some new equipment, thanks to some servers no longer being supported by the later versions of VMware, so it's useful for something. I see VMware are also looking at requiring TPM, so that's another one to add down the line!

Re Oracle's Java, don't you need to be licensed for support now? Or does that not apply to the older versions? I was glad to see the back of that on our network for sure.
 
> Exactly, we'll have EqualLogic until the end of days.... We've been trying to get rid of them for years. (But I do really like them...)

We went down from 4 to 1, and 1 Compellent. The Compellents are brilliant. Still, that one we do have means at least my machine needs Java 6 lol
 
Most companies doing the assessments seem to just run through some scripts they didn't write without really understanding them and they nearly always miss things.

For your RDS, can't you do password resets through RDWeb?

Only just seen this thread; I can shed some light on that. I do penetration testing, but unfortunately most companies that offer that service also require you to deliver Cyber Essentials as well. The annoying thing is that as a pen tester I didn't spend years of self-study and spend hours every evening on OSCP and HTB and others so I could spend my days marking a questionnaire, and it gets even worse as only CREST Registered Testers or equivalent can deliver CE+. In regards to the scripts, IASME writes those and insists they are used. Each time an assessment is completed it is audited by IASME, and if there is any deviation from those scripts by the auditor they can revoke the assessment and order you to deliver it again, so for a peaceful life I just run the scripts they send, and if they don't work it's IASME's problem and not mine.

I see no benefit in CE at all, and it's something I absolutely hate doing, but at the same time I feel trapped: if I speak out too much about them to IASME and bad-mouth them, I worry that they may remove my employer's right to deliver Cyber Essentials and this will cost people their jobs. It's like working for a dictator.
 