© NEXOR 2016 ALL RIGHTS RESERVED
ACHIEVING CYBER ESSENTIALS
COLIN ROBBINS
An industry supported certification scheme developed by the UK Government
Designed as a baseline
Designed to thwart more than 80% of common attacks
Enables access to the public sector supply chain
Cyber Insurance
INTRODUCTION TO CYBER ESSENTIALS
ASSESSMENT APPROACH
GROWTH OF CYBER ESSENTIALS
Data as of July 4th, 2016.
From public web sites of respective organisations
© NEXOR 2016 COMMERCIAL IN CONFIDENCE
ACHIEVING CYBER ESSENTIALS
o RECOMMENDATION
  ▪ Identify key systems
  ▪ Draw your network
SCOPE
Boundary Firewalls and Internet Gateways
Secure Configuration
User Access Control
Malware Protection
Patch Management
CYBER ESSENTIALS – CATEGORIES
“To implement these requirements, organisations will need to determine the technology in scope, review each of the five categories and apply each control specified. Where a particular control cannot be implemented for a sound business reason alternative controls should be identified and implemented.”
COMPLY OR EXPLAIN…
CYBER ESSENTIALS – CATEGORIES: BOUNDARY FIREWALLS AND INTERNET GATEWAYS
o Securing the perimeter
  ▪ Network layer device
  ▪ Configuration management
o Where is the boundary?
  ▪ Home Workers?
  ▪ Cloud Services?
  ▪ Mobile Devices?
o RECOMMENDATION
  ▪ Many firewalls will do more
  ▪ Switch these elements on
CYBER ESSENTIALS – CATEGORIES: SECURE CONFIGURATION
o Reduce the attack surface
o Configuration Management
  ▪ Default Accounts
  ▪ Applications
  ▪ Auto-run
  ▪ Personal Firewalls
o RECOMMENDATION
  ▪ Asset register
    • Who owns / administers them?
  ▪ Document and audit the configuration
CYBER ESSENTIALS – CATEGORIES: USER ACCESS CONTROL
o Making it harder for malware to persist
o User Management
  ▪ Joiner / Mover / Leaver
  ▪ Least Privilege
  ▪ Passwords
o Admin accounts
  ▪ Only when needed
o RECOMMENDATION
  ▪ Have a robust J/M/L process
CYBER ESSENTIALS – CATEGORIES: MALWARE PROTECTION
o Neutralising known malware
o Protection Requirement
  ▪ All devices
    • Including phones etc.
  ▪ Up to date
  ▪ Regular full scan
    • Daily?
  ▪ Browse protection
o RECOMMENDATION
  ▪ Firewalls have capability here too – use it
  ▪ Outside of Cyber Essentials
CYBER ESSENTIALS – CATEGORIES: PATCH MANAGEMENT
o Plugging known weaknesses
  ▪ Operating Systems
  ▪ Applications
o Licensed / supported
o Apply updates ASAP
o Remove unused software
o RECOMMENDATION
  ▪ Monitoring that updates have been applied is key to success
APPROACHES TO CYBER ESSENTIALS
APPROACHES
• Self Assess
• Monitor
• Resolve
• Certify
• Working Groups
• Processes
• Policy
• Gap Analysis
Plan / Do / Check / Act
RIZIKON
o Follows a Cyber Essentials question set
o Provides quantitative evidence and specific recommendations
o Can be used to submit to some CBs
o Available from Qonex
o Do Cyber Essentials First, then…
o “Tests of the systems are carried out by an external certifying body, using a range of tools and techniques”
  ▪ External test
  ▪ Internal test
o RECOMMENDATION
  ▪ If you have the skills, run your own vulnerability test before engaging a certification body
  ▪ A high percentage of companies fail CE+ first time
  ▪ Basic software is available for free
CYBER ESSENTIALS PLUS
o Outsourced services (including Cloud)
  ▪ Where is your data
  ▪ What controls are implemented
  ▪ What accreditation
o Mobile phones – especially BYOD
  ▪ Configuration management
  ▪ Malware protection
o Frequency of password changes
  ▪ 60 days versus CESG latest guidance
o Frequency of malware scans
  ▪ Practicality on SAN / NAS?
COMMON AREAS OF DEBATE
The Cyber Essentials categories are “technical”.
To be effective the implementation is not about the technology…
o Documented policy & scope
o Asset Register
o Processes
  ▪ Joiner / mover / leaver
  ▪ Configuration / change management
  ▪ Monitoring / internal audit
  ▪ Annual reminder of administrator responsibilities
  ▪ Incident Response
COMMON THEME - GOVERNANCE
o Doing the Cyber Essentials is… Essential
o Certification is your business choice
  ▪ Start with a gap analysis
  ▪ Engage the business to resolve issues
  ▪ Build into business-as-usual processes
SUMMARY
MORE INFORMATION…
www.qonex.com
info@qonex.com
0115 952 0500
http://cybermatters.info
@QonexCyber
www.linkedin.com/company/Qonex

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 

Achieving Cyber Essentials

  • 1. © NEXOR 2016 ALL RIGHTS RESERVED ACHIEVING CYBER ESSENTIALS COLIN ROBBINS
  • 2. INTRODUCTION TO CYBER ESSENTIALS
       An industry supported certification scheme developed by the UK Government
       Designed as a baseline
       Designed to thwart more than 80% of common attacks
       Enables access to the public sector supply chain
       Cyber Insurance
  • 3. ASSESSMENT APPROACH
  • 4. GROWTH OF CYBER ESSENTIALS
       Data as of July 4th, 2016. From public web sites of respective organisations
  • 5. © NEXOR 2016 COMMERCIAL IN CONFIDENCE ACHIEVING CYBER ESSENTIALS
  • 6. SCOPE
       o RECOMMENDATION
          ▪ Identify key systems
          ▪ Draw your network
  • 7. CYBER ESSENTIALS – CATEGORIES
       Boundary Firewalls and Internet Gateways; Secure Configuration; User Access Control; Malware Protection; Patch Management
  • 8. COMPLY OR EXPLAIN…
       “To implement these requirements, organisations will need to determine the technology in scope, review each of the five categories and apply each control specified. Where a particular control cannot be implemented for a sound business reason alternative controls should be identified and implemented.”
  • 9. CYBER ESSENTIALS – CATEGORIES
       Boundary Firewalls and Internet Gateways; Secure Configuration; User Access Control; Malware Protection; Patch Management
       o Securing the perimeter
          ▪ Network layer device
          ▪ Configuration management
       o Where is the boundary?:
          ▪ Home Workers?
          ▪ Cloud Services?
          ▪ Mobile Devices?
       o RECOMMENDATION
          ▪ Many firewalls will do more
          ▪ Switch these elements on
  • 10. CYBER ESSENTIALS – CATEGORIES
       Boundary Firewalls and Internet Gateways; Secure Configuration; User Access Control; Malware Protection; Patch Management
       o Reduce the attack surface
       o Configuration Management
          ▪ Default Accounts
          ▪ Applications
          ▪ Auto-run
          ▪ Personal Firewalls
       o RECOMMENDATION
          ▪ Asset register
             • Who owns / administers them?
          ▪ Document and audit the configuration
  • 11. CYBER ESSENTIALS – CATEGORIES
       Boundary Firewalls and Internet Gateways; Secure Configuration; User Access Control; Malware Protection; Patch Management
       o Making it harder for malware to persist
       o User Management
          ▪ Joiner / Mover / Leaver
          ▪ Least Privilege
          ▪ Passwords
       o Admin accounts
          ▪ Only when needed
       o RECOMMENDATION
          ▪ Have a robust J/M/L process
  • 12. CYBER ESSENTIALS – CATEGORIES
       Boundary Firewalls and Internet Gateways; Secure Configuration; User Access Control; Malware Protection; Patch Management
       o Neutralising known malware
       o Protection Requirement
          ▪ All devices
             • Including phones etc.
          ▪ Up to date
          ▪ Regular full scan
             • Daily?
          ▪ Browse protection
       o RECOMMENDATION
          ▪ Firewalls have capability here too – use it
          ▪ Outside of Cyber Essentials
  • 13. CYBER ESSENTIALS – CATEGORIES
       Boundary Firewalls and Internet Gateways; Secure Configuration; User Access Control; Malware Protection; Patch Management
       o Plugging known weaknesses
          ▪ Operating Systems
          ▪ Applications
       o Licensed / supported
       o Apply updates ASAP
       o Remove unused software
       o RECOMMENDATION
          ▪ Monitoring updates have been applied is key to success
  • 14. APPROACHES TO CYBER ESSENTIALS
  • 15. APPROACHES
       • Self Assess • Monitor • Resolve • Certify • Working Groups • Processes • Policy • Gap Analysis
       Plan, Do, Check, Act
  • 16. RIZIKON
       o Follows a Cyber Essentials question set
       o Provides quantitative evidence and specific recommendations
       o Can be used to submit to some CBs
       o Available from Qonex
  • 17. CYBER ESSENTIALS PLUS
       o Do Cyber Essentials First, then…
       o “Tests of the systems are carried out by an external certifying body, using a range of tools and techniques”
          ▪ External test
          ▪ Internal test
       o RECOMMENDATION
          ▪ If you have the skills, run your own vulnerability test before engaging a certification body
          ▪ A high percentage of companies fail CE+ first time
          ▪ Basic software is available for free
  • 18. COMMON AREAS OF DEBATE
       o Outsourced services (including Cloud)
          ▪ Where is your data
          ▪ What controls are implemented
          ▪ What accreditation
       o Mobile phones – especially BYOD
          ▪ Configuration management
          ▪ Malware protection
       o Frequency of password changes
          ▪ 60 days versus CESG latest guidance
       o Frequency of malware scans
          ▪ Practicality on SAN / NAS?
  • 19. COMMON THEME - GOVERNANCE
       The Cyber Essentials categories are “technical”. To be effective the implementation is not about the technology…
       o Documented policy & scope
       o Asset Register
       o Processes
          ▪ Joiner / mover / leaver
          ▪ Configuration / change management
          ▪ Monitoring / internal audit
          ▪ Annual reminder of administrator responsibilities
  • 20. COMMON THEME - GOVERNANCE
       The Cyber Essentials categories are “technical”. To be effective the implementation is not about the technology…
       o Documented policy & scope
       o Asset Register
       o Processes
          ▪ Joiner / mover / leaver
          ▪ Configuration / change management
          ▪ Monitoring / internal audit
          ▪ Annual reminder of administrator responsibilities
          ▪ Incident Response
  • 21. SUMMARY
       o Doing the Cyber Essentials is… … Essential
       o Certification is your business choice
          ▪ Start with a gap analysis
          ▪ Engage the business to resolve issues
          ▪ Build into business-as-usual processes
  • 22. MORE INFORMATION…
       www.qonex.com
       info@qonex.com
       0115 952 0500
       http://cybermatters.info
       @QonexCyber
       www.linkedin.com/company/Qonex