Guidance

Cyber Essentials Questionnaire Guidance

Providing relevant and detailed answers along with supporting evidence is key to a successful Cyber Essentials submission. As such we have issued the following cyber essentials questionnaire guidance. As a recommendation, we would suggest the following approach be used: 1. Use the comments field to provide narrative that supports the statement. 2. Where appropriate, use additional […]

Read More

Securing Server Message Block (SMB) Against Null Session Enumeration

Null session functionality within the SMB protocol enables anonymous access to hidden administrative shares on a system. Once a user is connected to the a share through a null session they can enumerate information about the system and environment. Information that can be gained includes (but not limited to): Users and groups Operating system information Password policies […]

Read More

Passphrase Guidance

A secure and functionally usable form of password authentication is passphrases. Passphrases are a combination of words that can be entered as a password. Recent attacks that have resulted in password leaks provide a wealth of knowledge about common password patterns. Passphrases provide a more secure but user-friendly alternative to traditional passwords. A well-formed passphrase […]

Read More

Password Guidance

Most organisations utilise passwords as a method of authenticating users as part of their access control solution for their systems. 7 Elements have often found poor password policy or insufficient policy enforcement can be a severe point of failure in an otherwise secure system. For password authentication to be effective the security provided by using […]

Read More

Forensic v’s Tactical

Forensic v’s Tactical – Acpo Guidelines Computer Evidence A key consideration for any organisation responding to an incident will be the decision about whether to take a forensically sound approach to data acquisition and interrogation. The purpose of forensics is to gain legally permissive evidence from computers and digital storage media. Organisations should therefore take […]

Read More

What is a penetration test?

What is a penetration test? Penetration testing simulates an attack by a malicious party by using tools and manual investigation to identify weaknesses. Testing involves the exploitation of found vulnerabilities to gain further access. Using this approach will result in an understanding of the ability of an attacker to gain access to confidential information, affect […]

Read More

What is a security assessment?

What is a security assessment? A security assessment builds upon a vulnerability assessment by adding manual verification of the results to confirm the level of exposure. It does not though include the use of exploitation code to gain further access to systems. What do you get? A security assessment is looking to gain a broad coverage […]

Read More

What is a vulnerability assessment?

What is a vulnerability assessment? A vulnerability assessment takes a vulnerability scan a step further by using a security tester‘s knowledge to drive an appropriate use of automated tools and test scripts. What do you get? The report for the results should be manually created, which places the findings into the context of the environment under […]

Read More

What is a vulnerability scan?

What is a vulnerability scan? A vulnerability scan uses automated tools to identify known security issues through matching conditions with known vulnerabilities. What do you get? The tool automatically sets the risk level for the results of the scan and no manual verification or interpretation of the results prior to issue takes place. This is […]

Read More

Creating a Strong SNMP Community String

Creating a Strong SNMP Community String To ensure that an attacker does not gain privileged or read access to your devices via a poorly configured SNMP community string, we would recommend that the following steps should be taken: Follow similar guidance to mainstream password guidance. • Use both upper and lower case • Include one […]

Read More