eBook - ePub
Cyber Essentials
A Pocket Guide
Alan Calder
This is a test
Compartir libro
- 58 páginas
- English
- ePUB (apto para móviles)
- Disponible en iOS y Android
eBook - ePub
Cyber Essentials
A Pocket Guide
Alan Calder
Detalles del libro
Vista previa del libro
Índice
Citas
Información del libro
Every year, thousands of computer systems in the UK are compromised. The majority fall victim to easily preventable cyber attacks, carried out with tools which are freely available on the Internet.
Cyber Essentials is the UK Government's reaction to the proliferation of these attacks. It requires that organisations put basic security measures in place, enabling them to reliably counter the most common tactics employed by cyber criminals. From 1 October 2014, all suppliers bidding for a range of government ICT contracts – in particular contracts requiring the handling of sensitive and personal information – must be certified to the scheme.
This Pocket Guide explains how to achieve certification to Cyber Essentials in a fast, effective and cost-efficient manner. It will help you to:
- understand the requirements of the scheme
- implement the controls correctly
- realise when you are ready to seek certification
- get a grip on both the certification process and the distinction between Cyber Essentials and Cyber Essentials Plus
- find additional help and resources.
Preguntas frecuentes
¿Cómo cancelo mi suscripción?
¿Cómo descargo los libros?
Por el momento, todos nuestros libros ePub adaptables a dispositivos móviles se pueden descargar a través de la aplicación. La mayor parte de nuestros PDF también se puede descargar y ya estamos trabajando para que el resto también sea descargable. Obtén más información aquí.
¿En qué se diferencian los planes de precios?
Ambos planes te permiten acceder por completo a la biblioteca y a todas las funciones de Perlego. Las únicas diferencias son el precio y el período de suscripción: con el plan anual ahorrarás en torno a un 30 % en comparación con 12 meses de un plan mensual.
¿Qué es Perlego?
Somos un servicio de suscripción de libros de texto en línea que te permite acceder a toda una biblioteca en línea por menos de lo que cuesta un libro al mes. Con más de un millón de libros sobre más de 1000 categorías, ¡tenemos todo lo que necesitas! Obtén más información aquí.
¿Perlego ofrece la función de texto a voz?
Busca el símbolo de lectura en voz alta en tu próximo libro para ver si puedes escucharlo. La herramienta de lectura en voz alta lee el texto en voz alta por ti, resaltando el texto a medida que se lee. Puedes pausarla, acelerarla y ralentizarla. Obtén más información aquí.
¿Es Cyber Essentials un PDF/ePUB en línea?
Sí, puedes acceder a Cyber Essentials de Alan Calder en formato PDF o ePUB, así como a otros libros populares de Computer Science y Cyber Security. Tenemos más de un millón de libros disponibles en nuestro catálogo para que explores.
Información
Categoría
Computer ScienceCategoría
Cyber SecurityPART I: REQUIREMENTS FOR BASIC TECHNICAL PROTECTION FROM CYBER ATTACKS
The controls set out in the Requirements are relevant to organisations of all sizes, but have been chosen for Cyber Essentials because they are relatively easy to implement for SMEs and protect against a wide variety of common cyber threats. But what are the common attacks that your organisation faces, and which the UK Government are so keen to protect against?
Types of attack
The image of the hacker in popular media is usually of a lone individual in a basement, tapping away at a keyboard, trying to break into a specific computer system. This targeted attack methodology is not how most attackers operate, which is lucky because it is difficult to keep out a motivated and expert cyber criminal who is deliberately targeting your organisation.
The good news is that most cyber attackers run their criminal enterprises like a business, and it is just not economical for them to go after their targets one-by-one. Successful cyber attacks in the UK generally rely on simple technology that is widely available on the web. Such attackers employ a scattergun approach, using vectors such as spam email to go after hundreds of organisations and individuals at once, and then opportunistically break into exposed networks – these are known as ‘commodity’ cyber threats. To break into a system, the attackers rely on poor technical security measures at target organisations and/or a lack of security awareness among staff – so addressing these issues goes a long way toward making your organisation secure.
The types of common attack can be split into five major categories:
1. Social engineering
Attackers ‘con’ employees into allowing them to access the organisation’s systems. Social engineering can be targeted – for example, the attacker might phone technical support, pretend to be a senior member of staff with a high level of access, and request that they change the password for the impersonated individual’s user account so that the hackers can log in later. It is also employed in low-tech attack methods – a common tactic is to send out spam emails with virus-bearing attachments, which, when opened, log keystrokes or otherwise accumulate data (Trojans). ‘Phishing’ is a type of social engineering attack which many of us have encountered at some point – emails purporting to come from an authoritative source (such as a bank or credit card company) are sent out, requesting that the recipient enter their login details. The criminal can then gain access to their account to siphon off funds.
2. Denial of service (DOS)
Attackers seek to overload a network with external communications requests to create a server overload, preventing the target from performing its normal functions. The requests which make up the attack usually come from computers which have been infected with malware – without their owners even being aware of it. The Cyber Essentials scheme helps prevent your computer being used in such an attack.
3. Brute force
Attackers attempt to discover a password by using a program which tries all possible combinations of letters, numbers and punctuation marks. If the target is using a weak password, such as the name of a favourite football team or a dictionary word, this process is a relatively easy way to break into a system. It is also possible for some login systems to be fooled into giving up the password – if you have chosen to let your computer ‘remember’ it after you have logged out, then the attacker can use this against you.
4. Physical attack
Attackers steal data by gaining physical access to your systems. They use tactics which range from breaking into office buildings and stealing servers or laptops, to masquerading as employees to gain access during working hours so that they can install malware or infected hardware.
5. Exploiting vulnerabilities
Attackers gain access to systems using vulnerabilities that have been discovered in applications and configurations.
Cyber Essentials provides protection against the first three types of attack, which involve the use of malware – hostile or intrusive software. It also helps you to repair vulnerabilities. Although it is not a requirement it may also be a good idea to make your office more physically secure as well – one sensible policy is to require staff to ask unfamiliar, unaccompanied visitors for identification, not just at reception but throughout the building.
The scope
The first step in becoming secure from such threats is to adequately scope which parts of your IT infrastructure need to be given a basic level of technical protection. This is defined firstly in terms of the business unit/ organisation and secondly in terms of the hardware and software used by that business unit, which will need to be made secure. The part of your IT infrastructure which stores and/or processes sensitive information will have to be included in the scope, but you can choose whether to have the rest of your organisation certified as well – this is an important decision to make up-front.
There is a helpful graphic in the Requirements which can be used to work out what is in scope, but the Assurance Framework goes into far greater detail on the subject and it is recommended that you consult that instead. This book examines scope in detail at the beginning of Part 2.
The five cyber security measures and implementing controls
The measures laid out in the Requirements have been chosen deliberately to protect against the low-tech attacks discussed above. Fully implementing these five key measures will put interlocking cyber security measures into place to defend your organisation.
The measures are:
1. Boundary firewalls and Internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
After you have determined the scope, the next step is to implement the controls that make up each measure.
It should be noted that it is sometimes legitimately impossible to implement a control; the Cyber Essentials scheme recognises this and allows you to create compensating controls, which should be defined and put in place prior to the auditing process.
Documentation
Before you start implementing the controls, you should have established an approach to documenting your progress which can be used with all five measures. Documentation is important to ensure that the rules are being applied consistently across your organisation, and is required under the scheme in certain cases. It will also help you to fill out the self-assessment questionnaire when trying for Cyber Essentials certification.
Your suite of documentation should be based on the controls and explicitly linked to the network and user devices which are in scope for Cyber Essentials. It should be easily accessible to every member of staff who can make changes to these devices. Rules should be put in place to ensure that whenever staff work on these devices they must consult the documentation...