Introduction
vRx is a great tool to help achieve and maintain the Cyber Essentials or Cyber Essentials Plus certification.
Cyber Essentials has a number of technical controls which are referred to. One of the key technical controls required for CE / CE+ is security update management, with the aim being:
“Ensure that devices and software are not vulnerable to known security issues for which fixes are available.“
Requirements
You must make sure that all software in scope is kept up to date. All software on in-scope devices must:
- be licensed and supported
- removed from devices when it becomes unsupported or removed from scope by using a defined subset that prevents all traffic to / from the internet
- have automatic updates enabled where possible
- be updated, including applying any manual configuration changes required to make the update effective, within 14 days of an update being released, where:
- the update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
- the update addresses vulnerabilities with a CVSS v3 base score of 7 or above
- there are no details of the level of vulnerabilities the update fixes provided by the vendor
vRx - Consolidated Vulnerability Remediation
The primary function of vRx is to provide real-time visibility of vulnerabilities, risk prioritisation, and mitigation through patching and virtual patching (“patchless protection”), so it’s ideally suited to provide security update management from end to end.
vRx provides this visibility through the agent running on all managed assets (Windows, Mac & Linux), and the comprehensive catalogue of supported applications maintained by Vicarius.
If any application is no longer supported, vRx will identify this through the use of xTags, and can also remove the unsupported software.
All applications can be updated either through manual means, or an automated schedule, to ensure the critical and high severity patches are applied within 14 days. All applications with CVEs with a CVSS score of 7 or above, or where no detail of vulnerabilities fixed is available, can also be easily identified and managed to ensure patches are applied within the required timeframe.
Scripting
Where configuration changes are required to meet the CE / CE+ requirements, scripts can be created (if they are not already available) to perform the required configuration changes on all managed assets. Scripting can assist with secure configuration management through updating insecure configurations via registry changes, group policy or other configuration change mechanisms. The scripting tool can also be used to deploy software and patches for any software not directly supported through the platform, and so, provides great flexibility.
vRx greatly simplifies one of the most challenging areas of CE / CE+: simply keeping up to date with patches - and having the visibility to know you are up to date.