Security advice


Cyber security

Almost every business relies on the confidentiality, integrity and availability of its data. Protecting information, whether it is held electronically or by other means, should be at the heart of the organisation’s security planning. The key questions to keep under constant review are:

  • Who would want access to our information and how could they acquire it?
  • How could they benefit from its use?
  • Can they sell it, amend it or even prevent staff or customers from accessing it?
  • How damaging would the loss of data be? What would be the effect on its operations?

CPNI provides a range of guidance documents and technical notes aimed at improving practices and raising awareness of current issues related to information security. The following sections set out this information in more detail.

Cyber research programmes

CPNI's cyber research team is conducting a number of programmes of work providing guidance to the UK Critical National Infrastructure. These programmes are listed below.


Critical Security Controls

The Critical Security Controls for cyber defence are a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence. CPNI is participating in an international government-industry effort to promote the Critical Security Controls for computer and network security. The development of these controls is being coordinated by the Council on CyberSecurity.


iDATA: Improving Defences Against Targeted Attack

The corporate IT systems of UK organisations are targeted by adversaries seeking to steal information and/or disrupt business operations.

iDATA is a CPNI programme of research to address cyber-attacks conducted by adversaries with significant resources and access to sophisticated tools and techniques. Such adversaries are capable of defeating most conventional cyber security measures.

The Critical Controls and other established advice products place emphasis on preventing attackers from penetrating IT infrastructures. iDATA assumes that infrastructures are already compromised and considers the best approaches for impeding the progress of an attack, making attacks more expensive to conduct and frustrating the efforts of an intruder.

A summary of the different projects within iDATA can be found here.


Mobile devices

This page provides information and documentation on security best practice for a range of mobile devices.


Log File Management

Log files are historical records of the running state of hardware and software, storing information on how they are used, errors that occur and application specific events which detail how users interact with them. Where logging is switched on for appropriate components of an IT infrastructure, providing timely information to correctly configured management tools, the use of log files can raise reliable alarms with low error rates. Good management of log files is also key to successful post-incident investigations and will assist an organisation in determining the source of problems and weaknesses with existing protective security measures.

Online reconnaissance

This page provides advice on Open Source Intelligence (OSINT) and how it can potentially be used against an organisation.


DDoS best practice

A Denial-of-Service (DoS) attack involves a malicious attempt to disrupt the operation of a computer system or network that is connected to the Internet. The most common form of attack is one which disrupts the operation of the computer system or network by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.


Password advice

This page provides guidance on the different types of passwords and how they are used to protect information and data.


Spear Phishing

This page provides advice on Spear Phishing attacks and what an organisation can do to protect itself from the threat.


SCADA

Almost all critical industrial infrastructures and processes are managed remotely from central control rooms, using computers and communications networks. The flow of gas and oil through pipes, the processing and distribution of water, the management of the electricity grid, the operation of chemical plants, and the signalling network for railways all use various forms of process control and 'supervisory control and data acquisition', known as SCADA technology.


Cyber Incident Response (CIR) service

The National Cyber Security Strategy sets a strategic objective of making the UK more resilient to cyber attacks. Such attacks can vary in terms of persistence, sophistication and impact.


Good practice catalogue

Below is a catalogue of cyber and cyber-related guidance that has been produced by CPNI. The guidance is sorted alphabetically, with all guidance older than 2010 filed under the archive tab at the bottom of this page.


Cyber security in corporate finance

A guide giving practical advice to the finance sector has been published by ICAEW, with support from industry and government, including CPNI and GCHQ. It is aimed at enabling companies that deal with sensitive data to be more aware of cyber security risks, and the measures they can take to protect themselves.
