COMP3123 Internet Security Richard Henson University of Worcester December 2010.

2 Week 10: Risks, Response, Recovery, ROI
- Objectives:
  - Relate B2B and B2C hesitancy over use of the www to ignorance about the PKI
  - Develop Information Security procedures for use in an organisation
  - Develop a strategy to sell a security policy to the work force
  - Explain the complexity of deciding whether or not to spend on security

3 Global Use of SSL/PKI
- According to recent figures, nearly all top companies in the US now use SSL/PKI for secure communications:
  - the top 40 e-commerce sites
  - all Fortune 500 companies with a web presence
- Conclusion: the technology is tried and tested, and has become the industry standard
- Yet, according to another study:
  - eighty-five percent of web users reported that a lack of security made them uncomfortable sending credit card numbers over the Internet
  - a huge difference between perception and reality!

4 The Real Picture on Security and Online Trading
- Research has shown that fears of online fraud are more common than fraud itself
- Example quotes:
  - "Online shopping gets a bad rap in the press, but most of the stories reported are anecdotal tales of companies that haven't put successful defensive measures in place"
  - "Web businesses running proper screening of customer information are suffering very little, with average fraud losses held to just over 1%."
  - "Fraud control is clearly possible online, although many companies do not implement stringent screening and prevention measures."

5 Why are security problems STILL arising?
- Repeated research findings:
  - SSL/PKI is reliable
  - About 1% of transactions are fraudulent on sites using SSL/PKI together with proper screening: still too much, but nothing like the problem the headlines suggest
  - Note the distinction: SSL/PKI protects card details in transit and authenticates the server; it does nothing to stop a fraudster presenting a stolen card number, which is what the screening in the quotes above addresses
- However...
  - Many companies not applying strict security measures such as SSL/PKI and customer screening are:
    - being defrauded
    - skewing the statistics for more responsible online traders

6 Security Communications with the would-be online shopper
- The main issues for users are encryption and authentication, and the browser caters for both
- The browser's pop-ups and error messages about these features (an untrusted, expired or mismatched certificate, a page that is only partly encrypted) should warn a savvy customer off using that online trader
- However, what about the "first-time buyer", who probably knows nothing of the ways in which the browser safeguards security...

7 Reassurances about Encryption
- Most users can understand the implications of encrypting data
- How can they KNOW that the data they are sending really is being encrypted before it goes onto the www?
- How can they know that, once the data is decrypted again at its destination, it doesn't get abused?
  - encryption in transit says nothing about how the trader stores or handles the data afterwards
- Something more than mere encryption is needed to convince the sceptic!

8 Encryption alone is not enough!
- The other aspect of SSL/PKI is the establishment of trust between online vendors and customers
  - usually achieved by a digital certificate system:
    - a certificate authority vouches for the identity of the certificate holder
    - thereby authenticating the server (and the user too where client certificates are issued; in B2C the customer is normally authenticated by a password or card details instead)
- Again, the savvy user will know about digital certificates and expect to be able to view them in the browser

9 Security Differences between B2B and B2C
- Normally, a business will set itself up properly for online trading:
  - use server certificates for its servers
  - use SSL to ensure data is encrypted
  - train users to become aware of the danger signs
- B2B trading is therefore generally secure
- A B2B customer using the web will (SHOULD!!!) understand the implications of security messages from the browser

10 An Organisational Data Security Strategy: Where to start?
- Strategy can't START with technology
  - it needs to start with the ISSUES that need addressing
- It should be primarily "top down"
  - concerned with policies, not technical matters...
  - can be supplemented by a "bottom up" approach
- Technologies can then be used to put policies into practice
  - the degree of success depends on:
    - communication of policies
    - understanding of technologies

11 Information Security Strategy
- Identify and quantify ALL potential security threats:
  - BOTH internal
    - policy should already exist!
    - most likely it will need updating
  - AND external
    - may have been neglected as the Internet crept into the network!
- Set out a policy that, if implemented correctly, WILL effectively secure the data

12 Typical Information Security Policy
- Who will quantify the threats?
  - Head of IT?
  - External consultant?
  - Both?
- Who will suggest strategies to mitigate those threats?
  - As above?
- Who will make the policies?
  - Senior management

13 Creating a Policy
- The same principles apply as with the introduction of ANY change in organisational policy
  - it MUST come from the top!!!
- The problem with any IT policy change is that senior management often don't understand IT...
- A big responsibility falls on the IT manager to convince senior management:
  - that the policy change is necessary!
  - that the organisation won't suffer financially
  - of the consequences of NOT implementing such a change

14 Going beyond Creating a Policy...
- According to the latest BERR figures, the majority of businesses say they have an information security policy
- But is it implemented???
- One possible approach to making sure policy gets through to all parts of an organisation is to implement a management standard
  - the standard for information security is ISO/IEC 27001

15 What is ISO27001?
- An international standard specifying an Information Security Management System (ISMS): the policies, procedures and controls an organisation uses to manage its information security
  - evolved from BS7799
- Certification does give an organisation credibility, as evidence that it has procedures in place to manage its information appropriately
- But it is quite an extensive "to do" list, and achieving certification (the "kitemark", loosely speaking) can be a lengthy process...

16 Role of the Adviser/Consultant
- Will have specialist knowledge of Information Security in organisations
- Likely to be aware of the need to convince senior management that the cost involved in obtaining ISO27001 is worthwhile
- In an SME:
  - the adviser can provide moral, intellectual and evidential support for the IT manager's position
- In a microbusiness:
  - there is no IT manager...
  - the adviser will usually be supporting the most IT-literate employee against a sceptical senior management...

17 How achieving ISO27001 could help with business strategy
- Whatever the business:
  - any new work will have a cost
  - that cost needs to be quantified
- More cost means less profit...
  - what is the ROI of achieving a high level of information security (assurance)?
- Senior management have to be convinced that this is a price worth paying...

18 Potential Financial Benefits of ISO27001
- These need to be sold to senior management...
  - less risk of losing valuable (even strategically important...) data
    - less likely to suffer embarrassing leaks, which could even reach the media
    - less likely to fall foul of the law
  - an ever-growing set of examples of businesses that have done both of the above
    - evidence that they lost customers and their share price dropped...

19 Role of Adviser/Consultant
- Needs good credentials to be credible:
  - plenty of experience in this area
  - contacts in the industry
  - a good track record for:
    - knowledgeability
    - keeping up to date
    - communication of knowledge
  - needs to be able to put technical problems into terms that non-technologists can understand...
    - very many technical "solutions" on the market would be unnecessary if systems and procedures were properly implemented

20 Role of Adviser/Consultant for Implementation of Policy
- The role doesn't stop once the policy has been agreed
- Enforcement of policy is essential
  - it needs procedures
    - agreed at institutional level
    - implemented by departments
- The processes involved in getting ISO27001 will ensure that policy implementation processes are in place

21 Implementation of Policy (Technical)
- The technical side of implementing policy is a matter of operationalising the agreed technologies that CURRENTLY combat each threat
  - e.g. make sure that Windows 2000 (W2K) network users only have access to the files and services they need, through careful choice of parameters in GROUP POLICIES (least privilege)
  - e.g. authenticate a secure site before buying online: check, read and approve the server certificate (who issued it, to which name, and until when)
- The adviser's knowledge and experience will be crucial to the organisation when it selects actual products and engages in actual implementation
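The "check, read, approve server certificate" step above, and the browser warnings slides 6 to 8 expect a savvy customer to recognise, come down to a handful of checks that the browser makes for the user. The block below is an added Python example, not code from the lecture, reproducing those checks offline on a constructed certificate in the dictionary form that ssl.SSLSocket.getpeercert() returns after a handshake. The trader name shop.example, the issuer "Example CA" and the validity dates are made up; the chain-of-trust check (is the issuer a CA the client trusts, and does its signature verify?) is done by the TLS library before getpeercert() succeeds and is not repeated here.

```python
"""Checks a browser makes on a server certificate, reproduced in Python.

Added example, not part of the original slides. Works on the dict that
ssl.SSLSocket.getpeercert() returns after a handshake, so it runs offline
on the constructed certificate below. The chain-of-trust check (is the
issuer a CA the client trusts, does its signature verify?) happens inside
the TLS library before getpeercert() succeeds and is not repeated here.
"""
import ssl
import time

# Constructed sample in getpeercert() format; shop.example and Example CA
# are hypothetical names, the dates are chosen around the lecture's date.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Shop Ltd"),),
                (("commonName", "shop.example"),)),
    "issuer": ((("countryName", "GB"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example CA Root"),)),
    "version": 3,
    "serialNumber": "0A1B2C3D",
    "notBefore": "Nov 10 00:00:00 2010 GMT",
    "notAfter": "Nov 10 23:59:59 2011 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}


def cert_time_to_epoch(cert_time):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' strings used in the dict."""
    return ssl.cert_time_to_seconds(cert_time)


def rdn_to_dict(name):
    """Flatten the nested subject/issuer tuples into {attribute: value}."""
    return {k: v for rdn in name for (k, v) in rdn}


def dns_name_matches(pattern, hostname):
    """RFC 6125-style match: a leading '*.' stands for exactly one label
    (so *.shop.example matches www.shop.example but neither shop.example
    nor a.b.shop.example); anything else must match exactly, ignoring case."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def names_in_cert(cert):
    """DNS names the certificate claims. Browsers use the subjectAltName
    extension and fall back to the subject CN only when there is no SAN."""
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    cn = rdn_to_dict(cert.get("subject", ())).get("commonName")
    return [cn] if cn else []


def check_certificate(cert, hostname, now=None):
    """Return the warnings a browser would raise for this cert on this
    host (an empty list means the certificate passes these checks)."""
    now = time.time() if now is None else now
    problems = []
    if now < cert_time_to_epoch(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > cert_time_to_epoch(cert["notAfter"]):
        problems.append("certificate expired")
    if not any(dns_name_matches(n, hostname) for n in names_in_cert(cert)):
        problems.append("name mismatch: certificate is not for " + hostname)
    if rdn_to_dict(cert["subject"]) == rdn_to_dict(cert["issuer"]):
        problems.append("self-signed: nobody independent vouches for this identity")
    return problems


if __name__ == "__main__":
    when = cert_time_to_epoch("Dec 01 12:00:00 2010 GMT")
    for host in ("shop.example", "www.shop.example", "evil.example"):
        print(host, "->", check_certificate(SAMPLE_CERT, host, now=when) or "OK")
    later = cert_time_to_epoch("Jan 01 00:00:00 2012 GMT")
    print("a year later ->", check_certificate(SAMPLE_CERT, "shop.example", now=later))
```

Each entry in the returned list corresponds to one of the browser dialogues the slides mention: the expiry and "not yet valid" checks are the date warning, the name check is the "this certificate was issued to a different site" warning, and the self-signed check is the "untrusted issuer" warning. A customer who clicks through any of them has given up exactly the authentication that SSL/PKI was supposed to provide.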

22 Implementation of Policy (Technical)
- Furthermore, a good consultant will be able to offer useful advice on:
  - embedding the new technologies into existing systems as seamlessly and transparently as possible!
  - deriving, from the agreed "tools for the job", a set of procedures that should cover all eventualities...

23 Implementation of Procedures (People)
- Not all security procedures will be implemented by IT/networking staff:
  - they may apply procedures to secure the servers and the data coming into and leaving the organisation
  - but... they have only limited control over user behaviour
- Client-end security procedures have to be implemented by ALL staff
- To implement such procedures, staff must UNDERSTAND them and their crucial importance to the organisation

24 Implementation of Procedures (People)
- On its own, a set of procedures distributed to staff (perhaps by email!) will therefore have little effect!
  - people will often carry on in their own sweet way!
- Senior management must also provide the means to enforce policy by requiring adherence to procedures
  - not just stick, but "carrot-and-stick"

25 Impact at the Operational Level
- Imposing a new set of procedures may well affect work practices
  - therefore the impact of each needs to be carefully considered
- Pilot scheme first
  - carefully trialled at operational level...
  - time for retraining realistically assessed
  - accurate capital costing for roll-out
- Only when lessons have been learned...
  - can it be positively sold to staff, i.e.:
    - it does mean learning new procedures
    - BUT there'll be far fewer viruses, pop-ups, etc.

26 Testing the Policy
- A wise manager will not impose something new on employees without first checking that it is WORKABLE
- Pilot new procedures with a small group first...
  - get feedback...
  - learn lessons...
  - PLAN the roll-out across the organisation

27 Selling the Policy
- Most policies are implemented on a departmental basis
- The job of enforcement may therefore fall to departments
- Again... to enforce a policy, you must be able to understand it!
- Therefore the first stage should be EDUCATION

28 Selling the Policy
- Once the penny drops, everyone will be aware that this will mean changes to working practices...
  - need to give assurance about training
  - need to give assurance that it is worth doing:
    - for the individual employee
    - for the department
    - for the whole organisation

29 Reviewing the Policy/Procedures
- If the problem is understood at a conceptual level...
  - POLICY changes shouldn't be necessary
- However...
  - security technology does not stand still!
  - procedures may need to be revised:
    - every year?
    - every six months?
    - whenever a new threat becomes apparent?

30 The Cost of Losing Organisational Data
- Plenty of data around to support the observation that organisations have been leaking data for years
  - the actual problem has to be worse...
  - it could be far worse...
  - not all data losses ever get reported!
- Is there a cost to the organisation of losing its data?
  - can a figure be put on this cost?

31 The Direct Cost of Losing Personal Data
- The same systemic failures and potential cover-ups as for organisational data...
- The direct cost to the organisation is probably regarded as very low?
  - why?
  - public reaction to the loss?
  - is all personal data equal?

32 The Direct Cost of Tightening Up Security
- Human cost of completing new documentation
  - an essential part of tightening up procedures
  - cost of re-educating and re-training staff to make best use of the new procedures
- Costs associated with employing new technology
  - cost of purchase
  - cost of installation
  - cost of day-to-day management

33 Indirect Costs of Losing Data
- Cost of falling foul of the law...
  - time spent in court
  - fines
- Cost of bad publicity
  - public embarrassment and loss of credibility
  - making statements explaining how it wasn't as bad as reported
  - the stock market price may fall...
- Cost of losing the respect of customers
  - they send their personal data (and custom) elsewhere
- Cost of business insurance
  - the organisation is perceived as a higher risk
  - premiums become more expensive

34 Differences in Organisational Data between Public & Private Enterprises?
- Is there a difference?
  - If strategic business data is lost, with no backup:
    - cannot do new business
    - cannot fulfil existing business
    - the business will fold
  - If public organisation data is similarly lost:
    - service level drops or becomes zero
    - people get angry, write to the media
    - the public sector body gets lots of bad publicity
    - the system gets patched up and limps on
    - an enquiry suggests deficiencies and changes to be made...

35 Differences in Personal Data between Public & Private Enterprises
- A business losing personal data usually does nothing
  - if the information is leaked to the media:
    - it should have a "damage limitation exercise" in place
    - it can (e.g. Virgin Media) be taken to court
- Public enterprises previously also adopted the above approach
  - the media usually kept quiet on such matters
- HMRC's huge loss of records (the details of 25 million people, in 2007) changed all that
  - result: the media ALWAYS reports public sector data loss

36 The Concept of "Value" of Data
- People don't look after what they perceive to have no value...
- If organisational and personal data could be given an intrinsic monetary value, perhaps...
  - people might look after it better?
  - businesses might wish to protect data as a monetary asset in its own right?

37 Economics of Information Security
- A new academic research area
- Seeks to produce economic models that let organisations attribute value to data
- Back to the basics of Information Security:
  - Confidentiality: what is the relationship between confidentiality and intrinsic value?
  - Integrity: very difficult to quantify
  - Availability: if the loss of particular data
    - causes system failure
    - puts the business temporarily out of business
    - then that data must have intrinsic value

38 Value of Business Data
- More success to date with organisational data that affects business availability than with personal data...
  - a monetary value can be put on the loss to the organisation of, e.g.:
    - a day's lost production
    - a 10% fall in share price
  - If 10,000 customer details are leaked, who cares???
    - members of the public?
    - the Information Commissioner...
    - would this affect:
      - the business's availability in the market place?
      - the business's share price?
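The ROI question on slide 17, the cost inventories on slides 32 and 33 and the "intrinsic value" argument of slides 37 and 38 are usually put on one footing with the annualised loss expectancy model (ALE = single loss expectancy × annual rate of occurrence) and the return-on-security-investment ratio, ROSI = (loss avoided − annual cost of the control) / annual cost of the control. The block below is an added Python example, not from the lecture; the threat and cost figures are constructed for illustration. The break-even scale it reports addresses slide 30's point that losses go unreported: it is the factor by which the estimated incident rates could be overstated before the spend stops paying.

```python
"""Putting a figure on whether security spend pays: an annualised loss
expectancy (ALE) model with a return-on-security-investment (ROSI) ratio.

Added example, not from the slides. The formulas are the standard ones
(ALE = SLE * ARO; ROSI = (loss avoided - cost) / cost); every number in
the sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Threat:
    name: str
    direct_loss: float     # recovery, lost production, re-issuing cards
    indirect_loss: float   # fines, publicity, lost customers, higher premiums
    aro: float             # expected incidents per year without the control
    residual_aro: float    # expected incidents per year with the control

    @property
    def sle(self):
        """Single loss expectancy: the all-in cost of one incident."""
        return self.direct_loss + self.indirect_loss

    def ale(self, with_control):
        """Annualised loss expectancy = SLE * ARO."""
        return self.sle * (self.residual_aro if with_control else self.aro)


@dataclass
class Control:
    name: str
    purchase: float
    installation: float
    annual_management: float   # running cost, training, documentation time
    lifetime_years: int
    threats: List[Threat]

    def annual_cost(self):
        """One-off costs spread over the lifetime, plus the yearly running cost."""
        return (self.purchase + self.installation) / self.lifetime_years + self.annual_management

    def annual_loss_reduction(self):
        """Sum over threats of ALE without the control minus ALE with it."""
        return sum(t.ale(False) - t.ale(True) for t in self.threats)

    def rosi(self):
        """(loss avoided - cost) / cost; positive means the control pays."""
        cost = self.annual_cost()
        return (self.annual_loss_reduction() - cost) / cost

    def worth_it(self):
        return self.annual_loss_reduction() > self.annual_cost()

    def break_even_scale(self):
        """Factor by which the estimated incident rates could be overstated
        before the control stops paying; the smaller, the safer the decision."""
        return self.annual_cost() / self.annual_loss_reduction()


# Constructed sample: a customer-database access-control and staff-training
# programme for a small online trader (hypothetical figures, in GBP).
SAMPLE_CONTROL = Control(
    name="database access controls + staff training",
    purchase=20_000, installation=10_000, annual_management=15_000,
    lifetime_years=3,
    threats=[
        Threat("leak of customer records", direct_loss=50_000,
               indirect_loss=200_000, aro=0.2, residual_aro=0.05),
        Threat("virus outage on the order system", direct_loss=30_000,
               indirect_loss=10_000, aro=1.0, residual_aro=0.2),
    ],
)


def report(control):
    """Per-threat ALE (without, with) and the headline figures, as a dict."""
    return {
        "threats": {t.name: (t.ale(False), t.ale(True)) for t in control.threats},
        "annual_cost": control.annual_cost(),
        "annual_loss_reduction": control.annual_loss_reduction(),
        "rosi": control.rosi(),
        "break_even_scale": control.break_even_scale(),
        "worth_it": control.worth_it(),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_CONTROL).items():
        print(key, value)
```

With the sample figures the control costs 25,000 a year and avoids 69,500 of expected loss, a ROSI of 1.78, and it still pays if the true incident rates are only 36% of the estimates. The weak input is always ARO: the historical rate understates the real one precisely because not every loss is reported, so a break-even scale close to 1.0 means the decision rests entirely on guessed rates and senior management should be told so rather than shown a single confident number.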

39 Further Research
- Business-oriented recent white papers:
  - http://www.findwhitepapers.com/security/security
- What SHOULD have happened as the 1998 Data Protection Act (DPA) was implemented...:
  - http://management.silicon.com/government/0,39024677,11015799,00.htm
- The Information Commissioner's current website, a huge collection of documents:
  - http://www.ico.gov.uk

