Monday 21 July 2014

Information Security for Business-Where to Start

Update 5th July 2015, 28th June 2015

Where does a business or organisation start if they want to improve their information security stance?

Here are some ideas. The links are at the bottom of the post.

Council on CyberSecurity Critical Security Controls

  • "The Council's Technology practice area is built upon the Critical Security Controls (the Controls), a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks"
This is related to the SANS Institute Critical Security Controls - see below.

The council also has its "First Five Quick Wins"
  1.  application whitelisting (found in CSC 2);
  2.  use of standard, secure system configurations (found in CSC 3);
  3.  patch application software within 48 hours (found in CSC 4);
  4.  patch system software within 48 hours (found in CSC 4); and
  5.  reduced number of users with administrative privileges (found in CSC 3 and CSC 12).
These are related to the Australian Signals Directorate Top 4 - see below.

SANS Institute Critical Security Controls

The SANS institute maintains a list of the top 20 critical security controls.

  • "The Critical Security Controls focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works" - security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness"

Australian Signals Directorate Top 4

The Australian Signals Directorate (ASD) states that:
  • "At least 85% of the intrusions that ASD responded to in 2011 involved adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package."
The Top 4 are:
  1. Application Whitelisting
  2. Patching Systems
  3. Restricting Administrative Privileges
  4. Creating a defence-in-depth system
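The Council's "First Five Quick Wins" and the ASD Top 4 share the same core controls (application whitelisting, patching within a deadline, fewer administrators). As an added illustration, not code from the post or from any of the organisations it cites, the Python below audits a constructed host inventory against those shared controls: whitelisting enabled, no pending patch older than the 48-hour window the quick wins specify, and an administrator count under a threshold. The threshold (`MAX_ADMINS`), the hostnames and the timestamps are assumptions made for the example; neither list gives a number for administrators.

```python
from datetime import datetime, timedelta, timezone

# 48-hour patch deadline taken from quick wins 3 and 4.
PATCH_WINDOW = timedelta(hours=48)
# Assumed local policy for quick win 5 / ASD 3; the source lists give no number.
MAX_ADMINS = 2

# Constructed sample inventory: hosts, accounts and patch dates are invented.
INVENTORY = [
    {"host": "ws-01", "whitelisting": True, "admins": ["alice"],
     "pending_patches": []},
    {"host": "ws-02", "whitelisting": False, "admins": ["alice", "bob", "carol"],
     "pending_patches": [
         {"id": "APP-1", "kind": "application", "released": "2014-07-17T10:00:00Z"}]},
    {"host": "srv-01", "whitelisting": True, "admins": ["alice"],
     "pending_patches": [
         {"id": "OS-7", "kind": "system", "released": "2014-07-20T12:00:00Z"}]},
]

# Fixed "now" so the audit is reproducible (constructed).
NOW = datetime(2014, 7, 21, 9, 0, tzinfo=timezone.utc)


def parse_utc(ts):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def overdue_patches(host, now):
    """Pending patches whose release is older than the 48-hour window."""
    return [p for p in host["pending_patches"]
            if now - parse_utc(p["released"]) > PATCH_WINDOW]


def check_host(host, now):
    """Return a list of findings for one host; an empty list means all checks pass."""
    findings = []
    if not host["whitelisting"]:
        findings.append("application whitelisting not enabled (quick win 1 / ASD 1)")
    for p in overdue_patches(host, now):
        overdue_by = now - parse_utc(p["released"]) - PATCH_WINDOW
        hours = int(overdue_by.total_seconds() // 3600)
        findings.append(f"{p['kind']} patch {p['id']} overdue by {hours}h "
                        "(quick wins 3-4 / ASD 2)")
    if len(host["admins"]) > MAX_ADMINS:
        findings.append(f"{len(host['admins'])} administrators, policy allows "
                        f"{MAX_ADMINS} (quick win 5 / ASD 3)")
    return findings


def audit(inventory, now):
    """Map each hostname to its findings."""
    return {h["host"]: check_host(h, now) for h in inventory}


if __name__ == "__main__":
    for host, findings in audit(INVENTORY, NOW).items():
        status = "OK" if not findings else "FAIL"
        print(f"{host}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The report lists each host with the control it fails and which item in each list the failure maps to, which is the kind of view a small business needs before choosing which framework to adopt in full.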


Here are a number of programmes from the UK Government.

Cyber security guidance for business 

This guidance is aimed at business in general and starts off with board-level responsibilities. It then describes the "10 Steps to Cyber Security", which cover the following topics:
  1. Information Risk Management Regime
  2. Home & Mobile Working
  3. User Education & Awareness
  4. Incident Management
  5. Managing User Privileges
  6. Removable Media Controls
  7. Monitoring
  8. Security Configuration
  9. Malware Protection
  10. Network Security

Cyber Streetwise

Cyber Streetwise has the following "five essential tips for cyber safety" for your business:
  1. Install Updates and antivirus software
  2. Use strong passwords
  3. Only download from trusted sites and organisations
  4. Beware of phishing emails
  5. Review and protect your business' information

Cyber Essentials

First comes "Cyber Essentials", which "is a government-backed, industry supported scheme to help organisations protect themselves against common cyber attacks."

This is more technical and covers the following five areas.
  1. Boundary firewalls and internet gateways
  2. Secure configuration
  3. Access control
  4. Malware protection
  5. Patch management
It also states the following:
"From 1 October 2014, [UK] government requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme."

Useful Links



Sunday 13 July 2014

FUD: A Plea for Intolerance

Another interesting paper from Cormac Herley at Microsoft Research.

In it he talks about "Fear, Uncertainty and Doubt" (FUD) and how:

"Even a casual observer of computer security must notice the prevalence of FUD: non-falsifiable claims that promote fear, uncertainty or doubt (FUD)."

It is short at 5 pages and well worth reading.

Useful Link:
