Richard Henson University of Worcester September 2019


COMP3371 Cyber Security, Richard Henson, University of Worcester, September 2019

What this module is about… (Learning Outcomes)
By the end of this module you should be able to:
- Analyse the information security issues and threats facing both users and information managers in organizations
- Identify methods, tools and techniques for combating security threats
- Demonstrate an understanding of methods used to protect a device, computer or network from malware and unauthorized access
- Review real-world security and/or forensics issues and synthesize appropriate solutions using a combination of technical and user controls

Week 1 – Strategies for securing data held within digital systems
Objectives:
- Explain the difference between “data” and “information”
- Explain why securing data has become so hard
- Know where to start when dealing with an organisation’s cyber security

Data… or Information?
- Differences? Kids’ stuff? (“Meet me at…”) NO!!!
- There has always been confusion… even more so with the “digital society”
- data can also be “analogue”

Origin of the word “Data”
- 1640s! Plural of Latin “datum”
- Specifically applied to computers… 1946
- Diagram: Data (Input) → Computer → Data (Output)

Data… or Information?
- All about context… (great confusion about this)
- On its own… just numbers & characters
- If linked to something else… could be really important information

Scenario
- Within an organisation, a few bytes sent from Device A to Device B may be seen as “just data”
  - employees may not even see it as personal or sensitive
  - relaxed attitude? (too relaxed?)
- To an outsider… NOT just data!
  - easy to extract, e.g. via a wireless link: known as a data breach…
  - with help from an internal “informer”, data gets context! Data becomes information… (!!!)

How Valuable is Data? (1)
- Most people hack to make money!
- Data breach: an external agency gets organisational data without permission, therefore illegal
- If what is compromised remains just “data”, perhaps a breach is not so serious… data is worthless without context

How Valuable is Data? (2)
- If the data can become information… it has value; the amount depends on the information… a breach could be very serious indeed
- Examples:
  - rival organisation gets corporate information… and uses that information to undermine the organisation (who knows?)
  - hacker accesses customer personal information (e.g. Ashley Madison)

How much is Data worth?
- Organisation value… refers to monetary value, classically based on physical assets & trading
- data or information are not physical… Classical model out of date?
- What is the value of e.g. a company database?

Applying the principle of “Context”…
- A database stores data in a structured form
- Raw data extracted may not have context
- The way the data is structured gives it that context
- The information revealed can be very valuable…

Black Market Value…
- Information has intrinsic value
  - e.g. a personal data record, if contextualised, becomes “personal information”, worth e.g. £50 on the black market?
  - e.g. a spreadsheet or confidential memo could become financial or corporate information, worth a lot more than £50…
- By contrast, data only has potential value… just add context, though… and…

Anonymising Data
- A way to safeguard data by not including personal data in a way that can be used, especially in any publicly accessible data
- There may be a key field that can link back to the personal data if required; this needs a higher level of access
- If anonymised data falls into the wrong hands… no problem! Useless without the key field
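The “context” and anonymisation points above, as an added worked example (not part of the original slides): identifying fields are replaced by a keyed-hash token, the token-to-identity key table is held separately under the higher access level, and the shareable copy on its own reveals data but no information. The records, the key and the function names are all constructed for this example.

```python
import hashlib
import hmac

# Constructed sample records (fictitious people), standing in for a
# database table that holds personal data.
RECORDS = [
    {"name": "A. Smith", "postcode": "WR1 1AA", "diagnosis": "asthma"},
    {"name": "B. Jones", "postcode": "WR2 2BB", "diagnosis": "diabetes"},
    {"name": "A. Smith", "postcode": "WR1 1AA", "diagnosis": "migraine"},
]

# Hypothetical re-identification key: held by the team with the higher
# level of access and never stored alongside the shareable dataset.
REID_KEY = b"hypothetical-key-kept-in-a-separate-store"


def pseudonym(name: str, postcode: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the identifying fields.

    A plain hash could be reversed by hashing a list of likely names and
    postcodes; the key prevents that. The same person always gets the same
    token, so rows can still be linked by whoever holds the key."""
    ident = f"{name}|{postcode}".encode("utf-8")
    return hmac.new(key, ident, hashlib.sha256).hexdigest()[:16]


def anonymise(records: list, key: bytes):
    """Split records into (a) a dataset with identifiers replaced by tokens,
    safe to hand out more widely, and (b) a key table mapping each token
    back to an identity, kept under the higher access level."""
    shareable, key_table = [], {}
    for r in records:
        token = pseudonym(r["name"], r["postcode"], key)
        shareable.append({"id": token, "diagnosis": r["diagnosis"]})
        key_table[token] = (r["name"], r["postcode"])
    return shareable, key_table


def reidentify(row: dict, key_table: dict):
    """Restore context: only possible with the separately held key table."""
    return key_table.get(row["id"])


def outsider_view(shareable: list) -> list:
    """What a leaked copy of the shareable dataset reveals on its own:
    diagnoses with no person attached, i.e. data rather than information."""
    return sorted(row["diagnosis"] for row in shareable)
```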

Keeping Data Secure
- If data can easily become information, it needs to be kept safe…
- Prime concern for all organisations: take special care of any digital data of importance that could be contextualised to become information…

Once upon a time…
- Digital data not accessible to users
- Until the 1980s, always held in expensive, secure computer areas
- ONLY well-paid experts accessed computer operations
- Small businesses (SMEs) didn’t use computers: cost/expertise completely beyond their scope! Analogue data only…

1980s-2000s… Society Change to Digital Data
- First the PC…
- Then the PC network…
- Then portable storage devices… and…
- Then… public access to the Internet!
- Then digital banking and e-commerce
- Finally… the national phone network went digital

Try securing this…
- data navigated round the Internet
- Over 1 billion Internet servers!

Do Organisations understand this…?
- “A Company like Yours?” http://www2.deloitte.com/au/en/pages/risk/articles/cyber-video-companies-like-yours.html
- Questions?

Mission Impossible? or technically easy-peasy?

“Protecting the fluffy stuff that used to be on paper”… what to call it?
- What needs to be secured?
  - Buildings, print-outs, etc.: covered by “Physical Security” (security guards, CCTV, etc.)
  - Everything else is digital…
- Current good practice destroys the physical asset and replaces it with digital…
- Should physical security be treated separately?

Possibilities…
- Matters relating to digital stuff referred to by organisations as “data security”: regarded as an IT matter
- “Information Security”: acknowledged that people and information are involved; contextualisation needs to be understood…
- 2009 on… data/information security collectively known as “Cyber Security”
- still no wiser?

Cyber Security and Organisations
- Nothing new! Organisations have always kept analogue information
- important to the extent that the organisation IS its information
- loss of vital data could therefore be curtains for the organisation!!!
- information kept very secure… in fireproof, lockable filing cabinets

Group Exercise
Define:
- Data Security
- Information Security
- Cyber Security
Which of these terms would help SMEs (small/medium-sized enterprises)?

And another fine mess…
- All revolutions bring about change…
- The digital revolution brought about the people’s computer power (!)
- All sorts of possibilities for inexperienced computer users…
  - buy and sell from their homes…
  - shout at each other via the Internet
  - do online banking
  - download and install software
  - even do all this on the move via smartphone
- Driven by speed and convenience: “Security gets in the way”

E-commerce from home…
- Increasingly, shops are closing. The Internet has to be used when people buy products online…
- Easy for a home computer to be hijacked!
- Basic principle of good data management… everyone should have a unique logon
  - should be applied to “leisure” computers at home connected to the Internet…
  - otherwise, family members could easily get hold of each other’s information

Information Security: Technology & Management
- Basic problem… technology is useless if
  - it goes wrong… (issue of AVAILABILITY)
  - or people don’t use it properly… (issues of INTEGRITY and CONFIDENTIALITY)
- Solution: organisations need
  - specialists to keep technology working…
  - and procedures… so employees use technology correctly
- CIA (Confidentiality, Integrity & Availability)

Management of Information Security
- IT infrastructure is a major undertaking:
  1. technology has to work
  2. staff (usually) have to be trained
  3. data has to be managed securely
- (Senior) management... historically had misconceptions about digital data and the costs of maintaining it
  - result: the 3rd item (above) was given less priority
  - changed with GDPR…

Reasons to look after Data: 1. Data Protection Act, revised into GDPR
- All UK organisations that hold data on people must register with the Information Commissioner’s Office (ICO); criminal offence not to do so...
- Personal data must be kept in accordance with the six principles of Data Protection; not to do so can result in hefty fines or even imprisonment

Reasons to look after Data: 1. The Law (continued)
- Financial data also covered under a slightly different law, through the Financial Services Authority (FSA)… much more severe penalties than the ICO…
  - e.g. Nationwide fined in 2007: approx. £1 million
  - e.g. HSBC fined in 2009: £ several MILLION
  - e.g. Zurich Insurance fined in 2010: > £1 million

2. Data losses do not look good for the business…
- Fines for infringing GDPR… even if data was merely copied, not stolen
  - Interesting… if someone has taken something from you and you still have it… is it theft?
  - The term “Data Breach” covers both…
- ALSO lose trade secrets, customer image, market share, reputation…
- If a business is breached it might not be able to trade efficiently, or even at all!
  - estimation: once it goes offline, it has 10 days maximum to recover, or it is out of business!

2. Breaches & public sector, not-for-profit organisations
- Unsurprisingly… customers expect their personal data to be safeguarded
  - increasing concern about privacy in recent years
  - source of great embarrassment if data is lost
  - but not commercial… no threat of going out of business if breached
- In practice… personal data often not given priority in protection
  - a catastrophic sequence of errors led to 25 million records being lost by HMRC in 2007
  - plenty of fines, but public money, so the public fines itself (!)
  - big shake-up when GDPR arrived in 2018…

The Threats to Organisations…

Back to that Scenario for Internal Breach
- Within an organisation, a few bytes sent from Device A to Device B may be seen as “just data”
  - employees may not even see it as personal or sensitive
  - relaxed attitude? (too relaxed?)
- To an outsider… NOT just data!
  - easy to extract, e.g. via a wireless link: known as a data breach…
  - with help from an internal “informer”, data gets context! Data becomes information… (!!!)

Internal
- Well-meaning employees not following procedures and misusing data or allowing it to get into the wrong hands….
- Employees or temps with bad intent…
- Solution: manage users effectively and monitor user activity for signs of unusual patterns…

Do we have a problem?
- Perceptions “from the inside” are quite different from “outside looking in”

External
- Inside people or business partners accessing data from outside and, either accidentally or on purpose, misusing it
- People hacking in from outside, usually via the Internet
- Solution: penetration testing by an outsider; monitoring account activity of partners with internal access
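The monitoring suggested on the Internal and External slides, as an added example (not from the original slides): simple detection logic run over a constructed application access log, flagging a user whose single request returns far more records than their own baseline (the “few bytes sent” scenario done in bulk) and a partner account active outside office hours. Log format, user names and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of an application access log (no real system); each
# line records one request and how many customer records it returned.
ACCESS_LOG = """\
2019-09-16T09:12:03 user=alice role=staff records=12
2019-09-16T10:40:11 user=alice role=staff records=15
2019-09-16T11:05:27 user=bob role=staff records=9
2019-09-16T23:48:09 user=bob role=staff records=400
2019-09-16T14:30:00 user=acme-api role=partner records=20
2019-09-17T02:15:44 user=acme-api role=partner records=22
""".splitlines()


def parse(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"time": datetime.fromisoformat(ts), "user": kv["user"],
            "role": kv["role"], "records": int(kv["records"])}


def detect(lines, factor: int = 5, office_hours=(8, 18)) -> list:
    """Return (user, timestamp, reason) alerts.

    'volume': a request returning more than `factor` times the user's own
    baseline, where the baseline is the mean of their other requests with
    the single largest excluded, so a bulk extraction cannot inflate the
    baseline that should catch it. A user with one request has no baseline.
    'out-of-hours': any partner-account request outside office hours."""
    by_user = defaultdict(list)
    for e in map(parse, lines):
        by_user[e["user"]].append(e)
    alerts = []
    for user, events in by_user.items():
        others = sorted(e["records"] for e in events)[:-1]
        baseline = sum(others) / len(others) if others else None
        for e in events:
            stamp = e["time"].isoformat()
            if baseline is not None and e["records"] > factor * baseline:
                alerts.append((user, stamp, "volume"))
            if e["role"] == "partner" and not (
                    office_hours[0] <= e["time"].hour < office_hours[1]):
                alerts.append((user, stamp, "out-of-hours"))
    return alerts
```

A real deployment would compute the baseline over a longer history and feed alerts into the organisation’s incident process rather than returning a list.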

Where to start?
- Start at the top! Organisations are hierarchical:
  - Strategic (senior) management
  - Tactical (middle) management
  - Operational (junior) management
- Strategy… involves POLICY!

Small Organisations and Policy
- Senior management busy running the company
- Policy may be delegated, especially over matters like cyber security
- May not wish to engage… research suggests at least half!
- Not enforced by law (not even GDPR)… but all organisations must have a named data controller

What should an organisation include in its Information Security Policy? Over to you…

How could an organisation Manage its Policy? Over to you again…

Rewarding Information Security Policy
- Essential for doing online business with a credit card, thanks to recent PCI DSS guidelines…
- other information assurance schemes require a policy (e.g. ISO 27001, COBIT, IASME)
- more rigorously enforced by the ICO
- ONCE the organisation has finally accepted that it needs a policy, it should base it on existing organisational strategy
  - this can then be implemented tactically and operationally through the organisational structure

Stakeholders and Responsibility
- A number of jobs involve security of data in one way or another, e.g.:
  - Data Controller (Data Protection Act)
  - Head of Personnel/HR
  - Department Heads (especially Finance)
- Who should bear responsibility/carry the can?? Difficult for organisations, but it is… “The Boss” (!)
- Can’t get ISO 27001 without this acceptance… http://www.iso.org/iso/home/standards/certification/home/standards/certification/iso-survey.htm