COMP3371 Cyber Security Richard Henson University of Worcester October 2015
Week 2 – Strategies for securing data held within digital systems n Objectives: Understand principles of maintaining data confidentiality, privacy, integrity, availability Apply a security strategy in terms of denial of access to unauthorised services and information Explain that total security is a myth; people are people, and computer technology is constantly evolving…
Typical organisational approaches n Outsource n In-house… guru n In-house… committee
Outsource/Offshore Buy in the services of a third party from outside the organisation to “look after security”. This may be on the back of a general strategy to outsource IT »usually involves managing data and/or processes remotely »outsource… usually still in the UK »offshore… usually outside the UK
Seek an in-house solution… guru Appoint someone internally or from outside »look after (information) security… n development of policy, usually by consensus e.g. via stakeholder committee »annual audit »manage a budget
Seek an in-house solution… committee Senior manager chairs a group consisting of key stakeholders »agree a set of procedures »designated employees should take ownership; ensure these are adhered to »meet at regular intervals as a matter of organisational policy
How would you set up an Information Security policy? n BREAK!!! n And discussion again in groups why outsource? how could it be done internally »Who would be the “stakeholders”?
Relative Merits of using a Third Party … n Advantages: pass responsibility on to someone else (?!) pay someone a flat annual fee; easily budgeted n Disadvantages: Data Controller still has DP Act responsibility… may also pass control to someone else… third party may be looking after many other clients…
Appointing a “security tzar” with Information Security budget n Will this work, as a single solution? n Is Information Security just an IT spending problem? n Groups again… discuss…
“Middle Manager” Solution n Will this work, as a single solution? n Again… groups
Answers (to each) n 1. Of course not!!! organisation still has responsibility!! n 2. Of course not!!! this is a people problem… data integrity errors leaving data on physical devices that can be taken by a third party
If this was just about technology, would that make any difference? n Over to you again…
If this WAS just about IT, would that make any difference? n It is true that, at considerable effort and expense… a computer network can be made completely secure at a particular point in time n BUT THEN the following day, a new security threat may be launched onto the Internet from any one of over 2 billion potential sources… quite a challenge?
The Changing Threat… n A good outsourcer will have time and resources to keep up with the reality of many new threats each day should be on top of this problem… n But merely employing a “security supremo” to buy, install, configure security devices won’t solve the problem securing data must be ONGOING… supremo must put procedures into place to deal with a continuing problem… »and company must make sure everybody knows about them…
Security as a “Process” n Security cannot ever be “done” a new threat may be being planned today, and rolled out tomorrow… n Could make the most secure network suddenly very vulnerable!
Managing Information Security as a Process n First step… identify all systems that carry information and decide what controls are in place to protect them test those controls for potential security breaches identify what has been forgotten »secure as appropriate through further controls n Next step: once secure, develop a strategy to MANAGE this process over time... implement that strategy
Information Security Management n Implement a set of agreed procedures to protect data administered at organisational level acknowledge the iterative nature of information security & agree on rate of iteration n Appoint someone with institutional responsibility realistic budget that takes into account the resource and human cost… »may use a third-party outsourcer to provide advice, expertise, implement procedures, but at least they are in control of the policy-making »even better…. develop an Information Security Management System (ISMS)
The Costs of securing data n Hardware/software cost fixed and easily determined n Human resource cost cost of Information Security supremo cost the organisation of using staff to implement and enforce data security procedures »more difficult to quantify cost of testing/retraining employees
Costs of Securing Data n Isolated LAN, with no internet connectivity no need to worry about data in and data out via the Internet less stringent procedures may be needed/enforced employees could still mess up or steal data n LAN connected to the Internet: “secret” data? highly rigorous procedures, implemented frequently – very expensive no real secrets (political or commercial) more infrequent cycle, less exhaustive procedures »much cheaper…
The Costs of Data Breach? n Groups again…
The Costs of Data Breach n People not able to work… n Organisation not able to communicate effectively with customers… n Embarrassment of reporting in the media loss of reputation n Fines, etc., by FSA or ICO n Fall in stock market price n Increase in insurance premiums n Not getting future contracts…
Information Security Procedures n In groups again, discuss: possible procedures the organisation could set up… how expensive such procedures might be to implement…
The ISMS - Making an Information System secure n As ever, the success of rules and procedures depends on people how they are managed… n In practice, standards developed based on the concept of an ISMS (Information Security Management System)
Developing an ISMS n Each organisation is different! n Original ISO27001 standard for an ISMS identified 133 possible controls how many of these are actually needed depends on the organisational processes each control not used »non-use needs to be justified
An ISMS that is “fit for purpose” n Each organisation is different! n ISO27001 standard for an ISMS has identified over 100 possible controls how many of these are actually needed depends on the organisational processes n ISMS needs to knowledge all aspects of how data is managed requires an understanding of processes and identification of where that data may need have security controls n Organisations need to undergo process analysis and risk assessment to determine where controls are needed no point spending money on controls where they are not needed…
An Alternative Approach to Security Controls: PCI DSS n System devised by Credit Card Companies (i.e. banks…) n Guidelines for a number of years… n Now with v3 a sting in the tail for the SME heavy fines possible can be refused business merchant facilities… n Will affect small businesses WORLDWIDE selling online directly to consumers
Requirements for PCI DSS compliance? (1) n 12 controls Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Use and regularly update anti-virus software or programs
What is needed for PCI DSS compliance? (2) Develop and maintain secure systems and applications Restrict access to cardholder data by business need-to- know Assign a unique ID to each person with computer access Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain a policy that addresses information security for employees and contractors
PCI DSS issues n Is it realistic? n Is it essential? n How can it be policed? n Discussion in groups…
IASME & Cyber Essentials n IASME uses principles of ISMS and 100+ controls… but more SME friendly n Cyber Essentials uses only 5 controls… but all essentially technical Cyber Essentials now a minimum for government contracts Useful starting point? No IS policy!
Policy in Action: The Client-Server Model n Excellent way to centralise organisational resources client can still hold resources »a lot (workstation) »not much (thin client) n Microsoft model: called a domain
Request and response 1.All network users use clients 2.Client requests information… 2. Server processes the request, sends a response back to the client
A Domain in action… (Today’s practical)
The next sessions will explore… a) theoretical aspects related to the technical implementation of information security b) the setting up policies, procedures controls and systems to manage information security