The Cyber Essentials scheme has started to become a victim of its own success, with some organisations thinking it’s all they need to operate securely. Now I need to start by saying that Cyber Essentials is a great security baseline and I strongly recommend that every single organisation gets Cyber Essentials certification. It provides a valuable framework for establishing fundamental cyber security practices. But is that always enough? In this article I’ll explore why organisations dealing with critical infrastructure, public incident response, emergency services supply chain, or processing highly sensitive data, need additional safeguards to manage their significant risks.
The Cyber Essentials (CE) scheme is designed to protect an organisation from up to 80% of the most common internet-borne threats. It covers a broad spectrum of common cyber attacks by looking at five fundamental technical controls: Firewalls, Secure Configuration, Passwords, Malware Protection and Patch Management. Cyber Essentials is a valuable first step towards cyber security, and, along with penetration testing, I recommend that every business, charity, organisation and other entity gets CE certification. However, it is crucial to understand that it represents a foundational layer of good practice. It’s your start line, not your finish line.
The types of attack that CE guards against are those conducted by automated, opportunistic malware and entry-level attackers. These represent the majority of online threats, which is a key part of what makes Cyber Essentials certification so valuable. However, despite its broad coverage of cyber security best practices, several attack scenarios fall outside the scope of CE’s protection, including:
The formidable resources available to nation-state attackers are an especially relevant concern for organisations working with national or local public incident response, defence supply chain contractors and emergency services supply chain providers.
A motivated adversary will have considerably more resources and capability than the opportunistic attackers Cyber Essentials is designed to counter.
Cyber Essentials is primarily a collection of technical measures. A significant proportion of cyber attacks start with social engineering, which is therefore a key risk that CE certification leaves unmitigated.
The controls afforded by Cyber Essentials cannot differentiate between legitimate users and the insider threats that higher-risk organisations face: a malicious or careless insider already holds a valid account and passes every one of the five controls.
Additionally, there are two key limitations of Cyber Essentials to consider that are especially relevant for critical operations or for businesses that are somewhat more mature in their security.
Cyber Essentials certification is a self-assessment: the information provided to achieve the certification could be knowingly or accidentally false or incomplete. (Cyber Essentials Plus adds an independent technical audit of a sample of systems, but the basic certification rests on the organisation’s own answers.)
Cyber Essentials is a point-in-time snapshot of cyber security that relies on trust. Security may simply not be maintained between annual re-certification dates, exposing the organisation to significant risk.
Now it’s time to talk about risk. The risks faced by organisations dealing with critical infrastructure, public incident response, the emergency services supply chain, or processing highly sensitive data go far beyond the simple, common attack vectors that CE guards against. CE fulfils its mission of setting a good security baseline, but that baseline is not commensurate with the actual security challenges faced by these higher-risk organisations.
Analysing a typical modern cyber security incident helps demonstrate the defensive gaps in CE certification and the benefits of specific additional cyber security controls. A typical attack follows these key steps:
An attacker sends a phishing email with a malicious attachment to an unsuspecting employee. The employee opens the attachment, launching malware that exploits a known vulnerability and establishes a foothold on the employee's computer.
Cyber Essentials makes sure you have anti-virus that can detect common malware types, but a determined adversary will readily overcome this with a customised phishing campaign and custom malware that no signature database has seen before. Security awareness training is what teaches the user what a malicious email looks like; no technical control in CE does this.
A managed SOC/SIEM service can analyse email logs for suspicious patterns, such as unexpected senders or attempts to bypass email filters, and identify reconnaissance activity early in the attack. This can help identify a phishing campaign before the attacker gains an initial foothold.
The attacker exploits a known vulnerability to gain administrative privileges on the compromised device.
Cyber Essentials touches on patch management and the separation of admin credentials, but as a point-in-time assessment it does not verify that an ongoing patch management programme exists or that credential separation is enforced day to day.
This can be a case of ‘process to the rescue’, and something like ISO 27001 is great at putting in place things that make you both ‘do’ and ‘review’. ISO compliance needs evidence of things happening, so it helps make sure that your patching happens when it should, rather than the day before a re-certification audit. This is another point at which a managed SOC/SIEM service can help: tried-and-tested runbooks tell the SOC team how to react if something out of the ordinary for the business occurs, for example by denying the escalation request or isolating the device so that no others are affected.
The attacker uses these admin privileges to move laterally throughout the infrastructure, identifying sensitive data stores and other systems to compromise.
Network segmentation, where networks are divided into smaller segments, is a key defence against an attacker moving throughout your infrastructure. Network segmentation limits an attacker's ability to move laterally and access sensitive data. Cyber Essentials does not provide for network segmentation, instead focussing on the network boundary.
A well-scoped penetration test will do a great job of testing your network segmentation. Bulletproof has lots of resources on getting the most out of penetration testing, which are included at the bottom of this article. Going further, a managed SIEM service can once again help by monitoring network traffic for suspicious activity, such as one workstation suddenly authenticating to many servers in a short space of time, which is the signature of an attempted lateral movement.
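The two SIEM-style checks this walkthrough mentions, flagging unexpected senders in mail logs at the phishing stage and spotting lateral movement once the attacker starts hopping between hosts, as an added example. This is illustrative code written for the scenario above, not Bulletproof’s tooling or any particular SIEM product: it runs two simple rules over constructed mail-gateway and authentication log lines. The log format, field names, hostnames, the baseline of known sender domains, and the “more than five distinct destinations in five minutes” threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for illustration (not real data). The format
# '<iso-timestamp> key=value ...' and the field names are assumptions; a real
# SIEM would run equivalent rules over its own normalised events.
KNOWN_SENDER_DOMAINS = {"corp.example", "supplier.example"}   # assumed baseline

MAIL_LOG = [
    "2024-05-01T09:00:12 from=accounts@supplier.example to=alice@corp.example attachment=invoice-0412.pdf",
    "2024-05-01T09:05:40 from=hr@corp.example to=all@corp.example",
    "2024-05-01T09:07:03 from=ceo@c0rp-example.com to=alice@corp.example attachment=urgent_payment.docm",
    "2024-05-01T09:30:15 from=news@newsletter.example to=bob@corp.example",
]

AUTH_LOG = [
    "2024-05-01T10:00:01 user=alice src=WS-042 dst=FS-01 result=success",
    "2024-05-01T10:00:09 user=alice src=WS-042 dst=FS-02 result=success",
    "2024-05-01T10:00:15 user=alice src=WS-042 dst=DC-01 result=success",
    "2024-05-01T10:00:21 user=alice src=WS-042 dst=DC-02 result=failure",
    "2024-05-01T10:00:30 user=alice src=WS-042 dst=SQL-01 result=success",
    "2024-05-01T10:01:02 user=alice src=WS-042 dst=WS-017 result=success",
    "2024-05-01T10:01:45 user=alice src=WS-042 dst=WS-018 result=success",
    "2024-05-01T10:02:00 user=bob src=WS-017 dst=FS-01 result=success",
    "2024-05-01T10:12:00 user=bob src=WS-017 dst=FS-01 result=success",
]


def parse_line(line):
    """Parse '<iso-timestamp> k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": datetime.fromisoformat(ts)}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def sender_domain(address):
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rpartition("@")[2].lower()


def detect_new_sender_attachments(mail_lines, known_domains):
    """Rule 1 (phishing stage): inbound mail carrying an attachment from a
    sender domain never seen before. Returns (sender, attachment) pairs."""
    flagged = []
    for fields in map(parse_line, mail_lines):
        domain = sender_domain(fields["from"])
        if fields.get("attachment") and domain not in known_domains:
            flagged.append((fields["from"], fields["attachment"]))
    return flagged


def detect_auth_fanout(auth_lines, window=timedelta(minutes=5), threshold=5):
    """Rule 2 (lateral-movement stage): a source host that successfully
    authenticates to more than `threshold` distinct destinations within any
    `window`. Returns {src_host: highest distinct-destination count seen}."""
    events = defaultdict(list)
    for fields in map(parse_line, auth_lines):
        if fields.get("result") == "success":      # failed logons belong to a separate rule
            events[fields["src"]].append((fields["ts"], fields["dst"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()                                  # the sliding window needs time order
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                          # drop events older than the window
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) > threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def run_detections():
    """Run both rules over the constructed sample logs."""
    return {
        "phishing": detect_new_sender_attachments(MAIL_LOG, KNOWN_SENDER_DOMAINS),
        "lateral_movement": detect_auth_fanout(AUTH_LOG),
    }


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(f"{rule}: {hits}")
```

Run it directly to print the hits: the look-alike domain with a macro-enabled attachment is flagged, and WS-042 is flagged for reaching six different hosts inside two minutes, while the legitimate supplier invoice and bob’s repeated file-server logons are not. The specific thresholds would be tuned to the environment by a real SOC; the point is that both rules are behavioural, so neither depends on the malware or the attacker’s tooling being recognised by anti-virus, which is exactly the gap the CE controls leave.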
The attacker exfiltrates sensitive data to a remote server under their control, mines cryptocurrency, or causes disruption or denial of service.
If an attacker exfiltrates data that is properly encrypted, and has not also obtained the keys, the stolen data is effectively useless to them; this is why key management matters as much as the encryption itself. Strong data protection practices are essential here. Encryption at rest and in transit is not mandated by Cyber Essentials, but is in scope for other certification standards. Not to mention that, if you are being risk-based by following ISO 27001 or SOC 2, you will know what you need to encrypt and where.
The landscape of cyber threats is continuously evolving, with nation-state actors increasingly targeting Government and Government-aligned entities, including supply chain partners. These actors often employ sophisticated tactics, techniques and procedures (TTPs) specifically designed to bypass traditional, foundational security measures such as those defined in Cyber Essentials. Detecting and responding to these advanced threats promptly requires a comprehensive security approach that incorporates a joined-up, layered defence strategy. A red team engagement is the best way for a security-mature organisation to test those defences end to end.
While achieving Cyber Essentials certification offers a baseline cyber security posture, solely aiming for "minimum compliance" can leave significant gaps and expose your organisation to substantial risk. I advocate a holistic approach, incorporating continuous monitoring, that goes beyond this mindset. Implementing these measures not only enhances security but also fosters trust and resilience, ultimately empowering you to reduce the risks of a rapidly evolving threat landscape.
As Managing Director of Bulletproof, Nicky’s responsible for innovating and evolving Bulletproof’s compliance services. With a varied and interesting career, Nicky shares amazing insight that directly helps businesses overcome their security and compliance challenges.