Cyber Essentials
eBook - ePub

A Pocket Guide

Alan Calder

  1. 58 pages
  2. English

About this book

Every year, thousands of computer systems in the UK are compromised. The majority fall victim to easily preventable cyber attacks, carried out with tools which are freely available on the Internet.

Cyber Essentials is the UK Government's reaction to the proliferation of these attacks. It requires that organisations put basic security measures in place, enabling them to reliably counter the most common tactics employed by cyber criminals. From 1 October 2014, all suppliers bidding for a range of government ICT contracts – in particular contracts requiring the handling of sensitive and personal information – must be certified to the scheme.

This Pocket Guide explains how to achieve certification to Cyber Essentials in a fast, effective and cost-efficient manner. It will help you to:

- understand the requirements of the scheme
- implement the controls correctly
- realise when you are ready to seek certification
- get a grip on both the certification process and the distinction between Cyber Essentials and Cyber Essentials Plus
- find additional help and resources.

Information

Year
2014
ISBN
9781849286909

PART I: REQUIREMENTS FOR BASIC TECHNICAL PROTECTION FROM CYBER ATTACKS

The controls set out in the Requirements are relevant to organisations of all sizes, but have been chosen for Cyber Essentials because they are relatively easy for SMEs to implement and protect against a wide variety of common cyber threats. But what are the common attacks that your organisation faces, and that the UK Government is so keen to protect against?

Types of attack

The image of the hacker in popular media is usually of a lone individual in a basement, tapping away at a keyboard, trying to break into a specific computer system. This targeted attack methodology is not how most attackers operate, which is lucky because it is difficult to keep out a motivated and expert cyber criminal who is deliberately targeting your organisation.
The good news is that most cyber attackers run their criminal enterprises like a business, and it is just not economical for them to go after their targets one-by-one. Successful cyber attacks in the UK generally rely on simple technology that is widely available on the web. Such attackers employ a scattergun approach, using vectors such as spam email to go after hundreds of organisations and individuals at once, and then opportunistically break into exposed networks – these are known as ‘commodity’ cyber threats. To break into a system, the attackers rely on poor technical security measures at target organisations and/or a lack of security awareness among staff – so addressing these issues goes a long way toward making your organisation secure.
The types of common attack can be split into five major categories:
1. Social engineering
Attackers ‘con’ employees into allowing them to access the organisation’s systems. Social engineering can be targeted – for example, the attacker might phone technical support, pretend to be a senior member of staff with a high level of access, and request that they change the password for the impersonated individual’s user account so that the hackers can log in later. It is also employed in low-tech attack methods – a common tactic is to send out spam emails with virus-bearing attachments, which, when opened, log keystrokes or otherwise accumulate data (Trojans). ‘Phishing’ is a type of social engineering attack which many of us have encountered at some point – emails purporting to come from an authoritative source (such as a bank or credit card company) are sent out, requesting that the recipient enter their login details. The criminal can then gain access to their account to siphon off funds.
2. Denial of service (DoS)
Attackers flood a network with external communications requests to overload a server, preventing the target from performing its normal functions. The requests which make up the attack usually come from computers which have been infected with malware, without their owners even being aware of it. The Cyber Essentials scheme helps prevent your computer being used in such an attack.
3. Brute force
Attackers attempt to discover a password by using a program which tries all possible combinations of letters, numbers and punctuation marks. If the target is using a weak password, such as the name of a favourite football team or a dictionary word, this process is a relatively easy way to break into a system. It is also possible for some login systems to be fooled into giving up the password – if you have chosen to let your computer ‘remember’ it after you have logged out, then the attacker can use this against you.
4. Physical attack
Attackers steal data by gaining physical access to your systems. They use tactics which range from breaking into office buildings and stealing servers or laptops, to masquerading as employees to gain access during working hours so that they can install malware or infected hardware.
5. Exploiting vulnerabilities
Attackers gain access to systems using vulnerabilities that have been discovered in applications and configurations.
Cyber Essentials provides protection against the first three types of attack, which involve the use of malware – hostile or intrusive software. It also helps you to repair vulnerabilities. Although it is not a requirement, it may also be a good idea to make your office more physically secure – one sensible policy is to require staff to ask unfamiliar, unaccompanied visitors for identification, not just at reception but throughout the building.

The scope

The first step in becoming secure from such threats is to adequately scope which parts of your IT infrastructure need to be given a basic level of technical protection. This is defined firstly in terms of the business unit/organisation and secondly in terms of the hardware and software used by that business unit, which will need to be made secure. The part of your IT infrastructure which stores and/or processes sensitive information will have to be included in the scope, but you can choose whether to have the rest of your organisation certified as well – this is an important decision to make up-front.
There is a helpful graphic in the Requirements which can be used to work out what is in scope, but the Assurance Framework goes into far greater detail on the subject and it is recommended that you consult that instead. This book examines scope in detail at the beginning of Part 2.

The five cyber security measures and implementing controls

The measures laid out in the Requirements have been chosen deliberately to protect against the low-tech attacks discussed above. Fully implementing these five key measures will put interlocking cyber security measures into place to defend your organisation.
The measures are:
1. Boundary firewalls and Internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
After you have determined the scope, the next step is to implement the controls that make up each measure.
It should be noted that it is sometimes legitimately impossible to implement a control; the Cyber Essentials scheme recognises this and allows you to create compensating controls, which should be defined and put in place prior to the auditing process.

Documentation

Before you start implementing the controls, you should have established an approach to documenting your progress which can be used with all five measures. Documentation is important to ensure that the rules are being applied consistently across your organisation, and is required under the scheme in certain cases. It will also help you to fill out the self-assessment questionnaire when trying for Cyber Essentials certification.
Your suite of documentation should be based on the controls and explicitly linked to the network and user devices which are in scope for Cyber Essentials. It should be easily accessible to every member of staff who can make changes to these devices. Rules should be put in place to ensure that whenever staff work on these devices they must consult the documentation...
