Security advice


Cyber security

Almost every business relies on the confidentiality, integrity and availability of its data. Protecting information, whether it is held electronically or by other means, should be at the heart of the organisation’s security planning. The key questions to keep under constant review are:

  • Who would want access to our information and how could they acquire it?
  • How could they benefit from its use?
  • Can they sell it, amend it or even prevent staff or customers from accessing it?
  • How damaging would the loss of data be? What would be the effect on its operations?

CPNI provides a range of guidance documents and technical notes aimed at improving practices and raising awareness of current issues related to information security. The following sections set out this information in more detail.

Cyber research programmes

CPNI's cyber research team is conducting a number of programmes of work providing guidance to the UK Critical National Infrastructure. These programmes are listed below.


Critical Security Controls

The Critical Security Controls for cyber defence are a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence. CPNI is participating in an international government-industry effort to promote the Critical Security Controls for computer and network security. The development of these controls is being coordinated by the Council on CyberSecurity.


iDATA: Improving Defences Against Targeted Attack

The corporate IT systems of UK organisations are targeted by adversaries seeking to steal information and/or disrupt business operations.

iDATA is a CPNI programme of research to address cyber-attacks conducted by adversaries with significant resources and access to sophisticated tools and techniques. Such adversaries are capable of defeating most conventional cyber security measures.

The Critical Controls and other established advice products place emphasis on preventing attackers from penetrating IT infrastructures. iDATA assumes that infrastructures are already compromised and considers the best approaches for impeding the progress of an attack, making attacks more expensive to conduct and frustrating the efforts of an intruder.

A summary of the different projects within iDATA can be found here.


Cyber Attack Types

CPNI have worked with the Cyber Incident Response (CIR) companies to produce one-page real-world case studies that illustrate different types of cyber-attack.

Patching

Disregard for patching represents a significant and growing problem for all businesses. Figures indicate that untrustworthy software is responsible for over 90% of data breaches worldwide, with nearly all of these vulnerabilities being exploited more than a year after details were made public.


Risk Management for RPAS

This document provides advice on managing the risks to Remotely Piloted Aircraft Systems (RPAS) for civilian use. It does not address the risk from the use of RPAS for either legitimate or illegitimate purposes, by either authorised or unauthorised persons. It only addresses risks to the RPAS platform and the information it collects.

Emerging Technologies

As part of Cyber R&D, CPNI provide forecasts for technologies that may have an impact on the future protection of national infrastructure. This area contains short summaries of technologies that are already in existence and are at some stage of development. The summaries help to raise awareness and provide input into planning and investment decision making.


Security for Industrial Control Systems

Major industries and critical national infrastructure are increasingly reliant on modern Industrial Control Systems (ICS) for their core operations. These are constructed from commercial off-the-shelf technologies similar to those used in the IT domain. While this reduces the time and cost of system development and ongoing maintenance, the use of this technology has introduced everyday IT security risks into the ICS domain.

The fundamental difference between a security incident in the IT domain and the ICS domain lies in the potential impact. The impact of an ICS incident can be far greater, causing not only disruption to business operations and services but also potential damage and destruction of equipment, and injury to people. These systems are critical and therefore are required to be trustworthy and resilient not just operationally but from a security perspective too.

In the past, ICS security was mostly considered as an afterthought and this has led to many of the issues we face today. Although some of these could be resolved by applying standard IT solutions, many remain unresolved due to the particular constraints of ICS. Only by recognising these constraints and implementing industry good practice developed through practical experience can security be improved.


Threat Intelligence

A diverse array of products and services, classed as Threat Intelligence, are available. To assist organisations with planning their approach to Threat Intelligence, CPNI and CERT-UK have commissioned two pieces of work on this growing topic. An InfoGraphic is also available.


Log File Management

Log files are historical records of the running state of hardware and software, storing information on how they are used, errors that occur and application specific events which detail how users interact with them. Where logging is switched on for appropriate components of an IT infrastructure, providing timely information to correctly configured management tools, the use of log files can raise reliable alarms with low error rates. Good management of log files is also key to successful post-incident investigations and will assist an organisation in determining the source of problems and weaknesses with existing protective security measures.

Mobile devices

This page provides information and documentation on best practice security for a range of Mobile Devices.


Bring Your Own Device

New joint guidance from CPNI and CESG on Bring Your Own Device (BYOD) has been published on the gov.uk website. If you would like to provide some feedback on this, please email enquiries@cpni.gsi.gov.uk, labelling your email “BYOD Feedback”.


Online reconnaissance

This page provides advice on Open Source Intelligence (OSINT) and how it can potentially be used against an organisation.


DDoS best practice

A Denial-of-Service (DoS) attack involves a malicious attempt to disrupt the operation of a computer system or network that is connected to the Internet. The most common form of attack is one which disrupts the operation of the computer system or network by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.


Password advice

This page provides guidance on the different types of passwords and how they are used to protect information and data.


Spear Phishing

This page provides advice on Spear Phishing attacks and what an organisation can do to protect itself from the threat.


Cyber Incident Response (CIR) service

The National Cyber Security Strategy sets a strategic objective of making the UK more resilient to cyber attacks. Such attacks can vary in terms of persistence, sophistication and impact.


Cyber security in corporate finance

A guide giving practical advice to the finance sector has been published by ICAEW, with support from industry and government, including CPNI and GCHQ. It is aimed at enabling companies that deal with sensitive data to be more aware of cyber security risks, and the measures they can take to protect themselves.


Cyber risk and business impact

Most of CPNI's outputs and reports on Cyber Security research focus on helping organisations adopt better security strategies, to avoid cyber compromise. However CPNI has recently been looking at the broader risks that can give rise to and the types of business impact that cyber compromises can have on organisations.


Good practice catalogue

Below is a catalogue of cyber and cyber related guidance that has been produced by CPNI. The guidance is sorted alphabetically with all guidance older than 2010 filed under the archive tab at the bottom of this page.
