Richard Henson University of Worcester September 2019

1 COMP3371 Cyber Security
Richard Henson, University of Worcester, September 2019

2 What this module is about… (Learning Outcomes)
By the end of this module you should be able to:
Analyse the information security issues and threats facing both users and information managers in organisations
Identify methods, tools and techniques for combating security threats
Demonstrate an understanding of methods used to protect a device, computer or network from malware and unauthorised access
Review real-world security and/or forensics issues and synthesise appropriate solutions using a combination of technical and user controls

3 Week 1 – Strategies for securing data held within digital systems
Objectives:
Explain the difference between “data” and “information”
Explain why securing data has become so hard
Know where to start when dealing with an organisation’s cyber security

4 Data… or Information? Differences? Kids’ stuff? Meet me at…
NO!!! There has always been confusion between the two…
even more confusing in the “digital society”: data can also be “analogue”

5 Origin of the word “Data”
1640s! Plural of Latin “datum”
Specifically applied to computers from 1946
Diagram: Data (Input) → Computer → Data (Output)

6 Data… or Information? All about context…
On its own… just numbers & characters
If linked to something else… could be really important information
Great confusion about this…

7 Scenario
Within an organisation, a few bytes sent from Device A to Device B may be seen as “just data”
employees may not even see it as personal or sensitive
relaxed attitude? (too relaxed?)
To an outsider… NOT just data!
easy to extract, e.g. via a wireless link: known as a data breach…
With help from an internal “informer”, the data gets context!
Data becomes information… (!!!)
Diagram: Device A → Device B

8 How Valuable is Data? (1) Most people hack to make money!
Data breach: an external agency… gets organisational data… without permission, therefore illegal
If what is compromised remains just “data”, perhaps a breach is not so serious…
data is worthless without context

9 How Valuable is Data? (2) If the data can become information…
it has value… the amount depends on the information… a breach could be very serious indeed
Examples:
a rival organisation gets corporate information… and uses that information to undermine the organisation (who knows?)
a hacker accesses customer personal information (e.g. Ashley Madison, 2015)

10 How much is Data worth? Organisation value… refers to monetary value
classically based on physical assets & trading
data and information are not physical… Classical model out of date?
What is the value of, e.g., a company database?

11 Applying the principle of “Context”…
A database stores data in a structured form
Raw data extracted may not have context
The way the data is structured gives it that context
Information revealed can be very valuable…

12 Black Market Value… Information has intrinsic value
e.g. a personal data record, if contextualised, becomes “personal information”: worth, e.g., £50 on the black market?
e.g. a spreadsheet or confidential memo could become financial or corporate information: may be worth a lot more than £50…
By contrast, data on its own only has potential value… just add context, though… and…

13 Anonymising Data
A way to safeguard data by not including personal data in a usable form, especially in any publicly accessible data set
The direct identifiers are replaced by a key field (a token) that can link back to the personal data if required; the linking table needs a higher level of access
If the anonymised data falls into the wrong hands… no problem! Useless without the key field
Caveat: data that can still be linked back through a key is pseudonymised rather than anonymised, and under GDPR it is still personal data; and a key field that is just an unkeyed hash of a guessable identifier (a staff number, a date of birth) can be recomputed by an attacker, so the token must be random or generated with a secret that is kept with the linking table
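As an added example (not part of the original slides), here is a small Python script that does what the slide describes: it splits a record set into a releasable file and a separately held key table, then shows why the key field has to be keyed or random. The records, staff numbers, postcodes, field names and the choice of HMAC-SHA256 for the token are all assumptions made for this illustration.

```python
"""Pseudonymising a data set with a separately held key table.

Added example (not from the original lecture). All records, names, staff
numbers and postcodes below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records: a small HR extract about invented people.
RECORDS = [
    {"staff_id": "S0042", "name": "A. Example", "postcode": "WR1 1AA", "sick_days": 3},
    {"staff_id": "S0317", "name": "B. Sample", "postcode": "WR2 2BB", "sick_days": 0},
    {"staff_id": "S1999", "name": "C. Specimen", "postcode": "WR3 3CC", "sick_days": 12},
]
# Fields that identify a person directly and must not leave the organisation.
DIRECT_IDENTIFIERS = ("staff_id", "name", "postcode")


def make_token(identifier: str, key: bytes) -> str:
    """Keyed token (HMAC-SHA256, truncated) for one identifier.

    The same identifier always gets the same token, so rows about one person
    can still be joined, but nobody without `key` can recompute it.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split records into a releasable data set and a restricted key table.

    Returns (released, key_table): `released` has the identifiers replaced by
    a token; `key_table` maps token -> identifiers and is the "key field" the
    slide mentions, to be stored under a higher level of access.
    """
    released, key_table = [], {}
    for rec in records:
        token = make_token(rec["staff_id"], key)
        released.append(
            {"token": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
        key_table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return released, key_table


def reidentify(token, key_table):
    """Link a released row back to a person; only works with the key table."""
    return key_table.get(token)


def unkeyed_hash(identifier: str) -> str:
    """What is often wrongly called 'anonymisation': a plain hash of the ID."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def guess_identifier(token, id_space):
    """Linkage attack on unkeyed tokens: hash every plausible identifier and
    look for a match. Staff numbers have a tiny space, so this is instant."""
    for candidate in id_space:
        if unkeyed_hash(candidate) == token:
            return candidate
    return None


def demo():
    """Run the release, the legitimate re-identification and the attack."""
    key = secrets.token_bytes(32)  # kept with the key table, never released
    released, key_table = pseudonymise(RECORDS, key)
    id_space = [f"S{n:04d}" for n in range(10_000)]  # every possible staff number
    return {
        # the released file carries no direct identifiers at all
        "released_clean": all(f not in row for row in released for f in DIRECT_IDENTIFIERS),
        # the holder of the key table can still get back to the person
        "reidentified": reidentify(released[0]["token"], key_table)
        == {"staff_id": "S0042", "name": "A. Example", "postcode": "WR1 1AA"},
        # an unkeyed hash of S0042 is recovered by brute force...
        "unkeyed_recovered": guess_identifier(unkeyed_hash("S0042"), id_space),
        # ...but the keyed token cannot be matched without the secret
        "keyed_recovered": guess_identifier(released[0]["token"], id_space),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the last two entries in `demo()`: the slide’s “useless without the key field” only holds when the token cannot be recomputed from the released data, which is why the secret lives with the key table rather than being a property of the hash function alone.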

14 Keeping Data Secure
If data can easily become information, it needs to be kept safe…
Prime concern for all organisations: take special care of any digital data of importance that could be contextualised to become information…

15 Once upon a time… Digital Data not accessible to users
Until the 1980s, always held in expensive, secure computer areas
ONLY well-paid experts accessed computer operations
Small businesses (SMEs) didn’t use computers: cost/expertise completely beyond their scope!
analogue data only…

16 1980s-2000s… Society Change to Digital Data
First the PC… then the PC network… then the portable storage device… and then… public access to the Internet!
Then digital banking and e-commerce
Finally… the national phone network went digital

17 Try securing this… data navigated round the Internet
Over 1 billion Internet servers!

18 Do Organisations understand this…?
“A Company like Yours?” (link: …companies-like-yours.html)
Questions?

19 Mission Impossible? or technically easy-peasy?

20 “Protecting the fluffy stuff that used to be on paper”… what to call it?
What needs to be secured?
Buildings, print-outs, etc.: covered by “Physical Security” (security guards, CCTV etc.)
Everything else is digital…
Current good practice destroys the physical asset and replaces it by a digital one…
Should physical security be treated separately?

21 Possibilities…
Matters relating to digital stuff referred to by organisations as “data security”: regarded as an IT matter
“Information Security”: acknowledges that people and information are involved; contextualisation needs to be understood…
From 2009 on… data/information security collectively known as Cyber Security. Still no wiser?

22 Cyber Security and Organisations
Nothing new! Organisations have always kept analogue information
important to the extent that the organisation IS its information
loss of vital data could therefore be curtains for the organisation!!!
information kept very secure… in fireproof, lockable filing cabinets

23 Group Exercise
Define: Data Security, Information Security, Cyber Security
Which of these terms would help SMEs (small/medium-sized enterprises)?

24 And another fine mess… All revolutions bring about change…
The digital revolution brought about the people’s computer power (!)
All sorts of possibilities for inexperienced computer users: buy and sell from their homes… shout at each other via the Internet… do online banking… download and install software… even do all this on the move via smartphone
Driven by speed and convenience: “Security gets in the way”

25 E-commerce from home… Increasingly, shops are closing.
The Internet has to be used when people buy products online…
Easy for a home computer to be hijacked!
Basic principle of good data management… everyone should have a unique logon
should also be applied to “leisure” computers at home connected to the Internet… otherwise, family members could easily get hold of each other’s information (and the everyday account should not be an administrator account, so that a hijacked browser session does not get the run of the whole machine)

26 Information Security: Technology & Management
Basic problem… technology is useless if it goes wrong… (issue of AVAILABILITY)
or if people don’t use it properly… (issues of INTEGRITY and CONFIDENTIALITY)
Solution: organisations need specialists to keep the technology working… and need procedures… so employees use the technology correctly
CIA (Confidentiality, Integrity & Availability)

27 Management of Information Security
IT infrastructure is a major undertaking: the technology has to work, staff (usually) have to be trained, and data has to be managed securely
(Senior) management... historically had misconceptions about digital data and the costs of maintaining it
result: the 3rd item (above) got less priority; that changed with GDPR…

28 Reasons to look after Data: 1. Data Protection Act, superseded by GDPR (and the Data Protection Act 2018)
All UK organisations that hold data on people must register with the Information Commissioner’s Office (ICO); under the 2018 regime this takes the form of an annual data protection fee, and failing to pay it is penalised
Personal data must be kept in accordance with the six principles of data protection (GDPR Article 5)
not to do so can result in hefty fines, and some misuses of personal data are criminal offences under the Data Protection Act 2018

29 Reasons to look after Data: 1. The Law - continued
Financial data is also covered under a slightly different regime, enforced by the Financial Services Authority (FSA), since 2013 the Financial Conduct Authority (FCA)… with much more severe penalties than the ICO’s at the time (before GDPR the ICO’s maximum monetary penalty was £500,000)…
e.g. Nationwide fined £980,000 in 2007
e.g. HSBC fined approx. £3.2 million in 2009
e.g. Zurich Insurance fined approx. £2.3 million in 2010

30 2. Data Losses do not look good for the business…
Fines for infringing GDPR… even if data is merely copied, not stolen
Interesting… if someone has taken something from you and you still have it… is it theft? The term Data Breach covers both…
ALSO lose trade secrets, customer image, market share, reputation…
If a business is breached it might not be able to trade efficiently, or even at all! One estimate: once it goes offline, it has 10 days maximum to recover, or it is out of business!

31 2. Breaches & public sector, not-for-profit organisations
Unsurprisingly… customers expect their personal data to be safeguarded; increasing concern about privacy in recent years
source of great embarrassment if data is lost, but not commercial… no threat of going out of business if breached
In practice… personal data often not given priority in protection: a catastrophic sequence of errors led to 25 million records being lost by HMRC in 2007
plenty of fines, but public money, so the public fines itself (!)
big shake-up when GDPR arrived in 2018…

32 The Threats to Organisations…

33 Back to that Scenario for Internal Breach
Within an organisation, a few bytes sent from Device A to Device B may be seen as “just data”
employees may not even see it as personal or sensitive
relaxed attitude? (too relaxed?)
To an outsider… NOT just data!
easy to extract, e.g. via a wireless link: known as a data breach…
With help from an internal “informer”, the data gets context!
Data becomes information… (!!!)
Diagram: Device A → Device B

34 Internal
Well-meaning employees not following procedures and misusing data, or allowing it to get into the wrong hands….
Employees or temps with bad intent…
Solution: manage users effectively and monitor user activity for signs of unusual patterns…

35 Do we have a problem? Perceptions “from the inside” quite different from “outside looking in”

36 External
Inside people or business partners accessing data from outside and, either accidentally or on purpose, misusing it
People hacking in from outside, usually via the Internet
Solution: penetration testing by an outsider; monitoring the account activity of partners with internal access
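Slides 34 and 36 both end with “monitor user activity”; as an added example (not from the original lecture), here is a Python script that runs three such checks over a handful of constructed access-log lines: an export far above the user’s own earlier volume, an export outside working hours, and a partner account connecting from outside its contracted address range. The log format, the user names, the IP ranges and the thresholds are all assumptions made for the illustration.

```python
"""Flagging unusual user activity in an access log.

Added example (not from the original lecture). The log lines, users,
addresses and thresholds are all constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import statistics

# Constructed log: "<ISO timestamp> <user> <role> <source-ip> <records-exported>"
LOG = """\
2019-09-02T09:15:00 alice staff 10.0.1.15 12
2019-09-02T14:00:00 partner1 partner 203.0.113.7 30
2019-09-03T10:02:00 alice staff 10.0.1.15 9
2019-09-03T14:20:00 partner1 partner 203.0.113.7 28
2019-09-04T11:40:00 alice staff 10.0.1.15 14
2019-09-04T15:05:00 partner1 partner 198.51.100.9 31
2019-09-05T09:05:00 alice staff 10.0.1.15 11
2019-09-06T02:10:00 alice staff 10.0.1.15 4800
"""

# Assumed policy: partner accounts may only connect from their contracted range,
# exports are expected within working hours, and a user's export volume is
# compared against the median of their own earlier activity.
PARTNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
WORK_HOURS = range(7, 20)  # 07:00-19:59
MIN_BASELINE = 3           # need this many earlier events before judging volume
VOLUME_FACTOR = 10         # flag an export larger than 10x the user's median


def parse(log_text):
    """Turn the raw lines into event dicts, oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, role, src, n = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "src": ipaddress.ip_address(src),
            "records": int(n),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (user, date, reason) alerts for the three checks described."""
    alerts = []
    history = defaultdict(list)  # user -> export sizes already seen as normal
    for e in events:
        reasons = []
        earlier = history[e["user"]]
        if len(earlier) >= MIN_BASELINE:
            baseline = statistics.median(earlier)
            if e["records"] > VOLUME_FACTOR * baseline:
                reasons.append("volume")
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("out_of_hours")
        if e["role"] == "partner" and not any(e["src"] in net for net in PARTNER_NETS):
            reasons.append("partner_unexpected_source")
        # Only let un-flagged events shape the baseline, so a bulk export
        # cannot teach the detector that bulk exports are normal.
        if "volume" not in reasons:
            earlier.append(e["records"])
        alerts.extend((e["user"], e["ts"].date().isoformat(), r) for r in reasons)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG)):
        print(*alert)
```

Two design points worth noticing: the volume check is relative to each user’s own history rather than a fixed number, because a “normal” export for finance is an anomaly for reception; and flagged events are deliberately kept out of the baseline, otherwise one large exfiltration quietly raises the bar for the next.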

37 Where to start? Start at the top! Organisations are hierarchical!
Strategic (senior) management
Tactical (middle) management
Operational (junior) management
Strategy… involves POLICY!

38 Small Organisations and Policy
Senior management busy running the company
Policy may be delegated, especially over matters like cyber security
May not wish to engage… research suggests at least half don’t!
A written policy is not enforced by law (not even by GDPR)… but every organisation that processes personal data is a data controller under GDPR, and some (public authorities, and those doing large-scale monitoring or large-scale processing of special-category data) must appoint a named Data Protection Officer

39 What should an organisations include in its Information Security Policy?
Over to you…

40 How could an organisation Manage its Policy?
Over to you again…

41 Rewarding Information Security Policy
Essential for doing on-line business with a credit card, thanks to the PCI DSS requirements (Requirement 12: maintain an information security policy)…
other information assurance schemes also require a policy (e.g. ISO 27001, COBIT, IASME)
more rigorously enforced by the ICO
ONCE the organisation has finally accepted that it needs a policy, it should base it on existing organisational strategy; that can then be implemented tactically and operationally through the organisational structure

42 Stakeholders and Responsibility
A number of jobs involve security of data in one way or another, e.g.:
Data Controller (Data Protection Act)
Head of Personnel/HR
Department Heads (especially Finance)
Who should bear responsibility/carry the can?? Difficult for organisations, but it is… “The Boss” (!)
Can’t get ISO 27001 without this acceptance (the standard requires top management to demonstrate leadership and commitment)… (link: …o-survey.htm)

