Cyber Essentials
eBook - ePub

Cyber Essentials

A Pocket Guide

Alan Calder

  1. 58 pages
  2. English
About This Book

Every year, thousands of computer systems in the UK are compromised. The majority fall victim to easily preventable cyber attacks, carried out with tools which are freely available on the Internet.

 

Cyber Essentials is the UK Government's reaction to the proliferation of these attacks. It requires that organisations put basic security measures in place, enabling them to reliably counter the most common tactics employed by cyber criminals. From 1 October 2014, all suppliers bidding for a range of government ICT contracts – in particular contracts requiring the handling of sensitive and personal information – must be certified to the scheme.

 

This Pocket Guide explains how to achieve certification to Cyber Essentials in a fast, effective and cost-efficient manner. It will help you to:

- understand the requirements of the scheme
- implement the controls correctly
- realise when you are ready to seek certification
- get a grip on both the certification process and the distinction between Cyber Essentials and Cyber Essentials Plus
- find additional help and resources.


Information

Year: 2014
ISBN: 9781849286909

PART I: REQUIREMENTS FOR BASIC TECHNICAL PROTECTION FROM CYBER ATTACKS

The controls set out in the Requirements are relevant to organisations of all sizes, but have been chosen for Cyber Essentials because they are relatively easy to implement for SMEs and protect against a wide variety of common cyber threats. But what are the common attacks that your organisation faces, and which the UK Government are so keen to protect against?

Types of attack

The image of the hacker in popular media is usually of a lone individual in a basement, tapping away at a keyboard, trying to break into a specific computer system. This targeted attack methodology is not how most attackers operate, which is lucky because it is difficult to keep out a motivated and expert cyber criminal who is deliberately targeting your organisation.
The good news is that most cyber attackers run their criminal enterprises like a business, and it is just not economical for them to go after their targets one-by-one. Successful cyber attacks in the UK generally rely on simple technology that is widely available on the web. Such attackers employ a scattergun approach, using vectors such as spam email to go after hundreds of organisations and individuals at once, and then opportunistically break into exposed networks – these are known as ‘commodity’ cyber threats. To break into a system, the attackers rely on poor technical security measures at target organisations and/or a lack of security awareness among staff – so addressing these issues goes a long way toward making your organisation secure.
The types of common attack can be split into five major categories:
1. Social engineering
Attackers ‘con’ employees into allowing them to access the organisation’s systems. Social engineering can be targeted – for example, the attacker might phone technical support, pretend to be a senior member of staff with a high level of access, and request that they change the password for the impersonated individual’s user account so that the hackers can log in later. It is also employed in low-tech attack methods – a common tactic is to send out spam emails with virus-bearing attachments, which, when opened, log keystrokes or otherwise accumulate data (Trojans). ‘Phishing’ is a type of social engineering attack which many of us have encountered at some point – emails purporting to come from an authoritative source (such as a bank or credit card company) are sent out, requesting that the recipient enter their login details. The criminal can then gain access to their account to siphon off funds.
2. Denial of service (DOS)
Attackers flood a network with external communications requests in order to overload its servers, preventing the target from performing its normal functions. The requests which make up the attack usually come from computers which have been infected with malware – without their owners even being aware of it. The Cyber Essentials scheme helps prevent your computer being used in such an attack.
3. Brute force
Attackers attempt to discover a password by using a program which tries all possible combinations of letters, numbers and punctuation marks. If the target is using a weak password, such as the name of a favourite football team or a dictionary word, this process is a relatively easy way to break into a system. It is also possible for some login systems to be fooled into giving up the password – if you have chosen to let your computer ‘remember’ it after you have logged out, then the attacker can use this against you.
4. Physical attack
Attackers steal data by gaining physical access to your systems. They use tactics which range from breaking into office buildings and stealing servers or laptops, to masquerading as employees to gain access during working hours so that they can install malware or infected hardware.
5. Exploiting vulnerabilities
Attackers gain access to systems using vulnerabilities that have been discovered in applications and configurations.
Cyber Essentials provides protection against the first three types of attack, which involve the use of malware – hostile or intrusive software. It also helps you to repair vulnerabilities. Although it is not a requirement, it may also be a good idea to make your office more physically secure – one sensible policy is to require staff to ask unfamiliar, unaccompanied visitors for identification, not just at reception but throughout the building.

The scope

The first step in becoming secure from such threats is to adequately scope which parts of your IT infrastructure need to be given a basic level of technical protection. This is defined firstly in terms of the business unit/organisation and secondly in terms of the hardware and software used by that business unit, which will need to be made secure. The part of your IT infrastructure which stores and/or processes sensitive information will have to be included in the scope, but you can choose whether to have the rest of your organisation certified as well – this is an important decision to make up-front.
There is a helpful graphic in the Requirements which can be used to work out what is in scope, but the Assurance Framework goes into far greater detail on the subject and it is recommended that you consult that instead. This book examines scope in detail at the beginning of Part 2.

The five cyber security measures and implementing controls

The measures laid out in the Requirements have been chosen deliberately to protect against the low-tech attacks discussed above. Fully implementing these five key measures will put interlocking cyber security measures into place to defend your organisation.
The measures are:
1. Boundary firewalls and Internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
After you have determined the scope, the next step is to implement the controls that make up each measure.
It should be noted that it is sometimes legitimately impossible to implement a control; the Cyber Essentials scheme recognises this and allows you to create compensating controls, which should be defined and put in place prior to the auditing process.

Documentation

Before you start implementing the controls, you should have established an approach to documenting your progress which can be used with all five measures. Documentation is important to ensure that the rules are being applied consistently across your organisation, and is required under the scheme in certain cases. It will also help you to fill out the self-assessment questionnaire when trying for Cyber Essentials certification.
Your suite of documentation should be based on the controls and explicitly linked to the network and user devices which are in scope for Cyber Essentials. It should be easily accessible to every member of staff who can make changes to these devices. Rules should be put in place to ensure that whenever staff work on these devices they must consult the documentation...
