
COMP3371 Cyber Security Richard Henson University of Worcester September 2015.




1 COMP3371 Cyber Security
Richard Henson, University of Worcester, September 2015

2 What this module is about
- By the end of this module you should be able to:
  - Critically analyse the information security issues and threats facing both users and information managers in organisations
  - Identify and analyse methods, tools and techniques for combating security threats
  - Develop an information security policy for an organisation, and provide a strategy for implementing that policy
  - Explain the legal issues and implications of security

3 Week 1 – Strategies for securing data held within digital systems
- Objectives:
  - Explain the difference between “data” and “information”
  - Explain why doing Cyber Security has become so hard
  - Know where to start with organisational information security

4 Data… or Information?
- Kids’ stuff?
  - yet the difference between the two is subtle but crucial, and should be clearly understood…
- Exercise in pairs…
  - discuss what is (a) similar and (b) different about data and information
  - give an example of digital data that could be categorised as (a) data and (b) information
    - be prepared to explain why each can be categorised as such…

5 Data… or Information?
- All about context…
  - on its own… just numbers & characters
  - linked to something else… really important information
- Great confusion about this…

6 Scenario
- Within the organisation/department a few bytes sent may be “just data”
  - employees may not see it as personal or sensitive
  - relaxed attitude?
- Outsider… still just data?
  - e.g. taken via a wireless link
- With help from an internal “informer”…
  - context! Becomes information

7 How Valuable is Data? (1)
- Data breach:
  - an external agency…
  - gets organisational data…
  - without permission
- If what is compromised remains just “data”, perhaps a breach is not so serious…
  - data worthless without context

8 How Valuable is Data? (2)
- However…
  - if the data becomes information…
    - it will have value… maybe a lot…
    - breach could be very serious indeed
  - Examples:
    - rival organisation gets corporate information… and uses that information to undermine the organisation (who knows?)
    - hacker accesses customer personal information (e.g. Ashley Madison)

9 How much is Data worth?
- Organisation value… refers to monetary value
  - classically based on physical assets & trading
  - data or information not physical…
  - classical model out of date?
- What is the value of e.g. a company database?

10 Black Market Value…
- Information has intrinsic value
  - e.g. personal data record:
    - if contextualised, becomes “personal information”
    - worth e.g. £50 on the black market?
  - e.g. spreadsheet, confidential memo:
    - could become financial or corporate information
    - may be worth a lot more than £50…
- By contrast, data only has potential value
  - just add context, though… and…

11 Keeping Data Secure
- If data can easily become information, it needs to be kept safe…
- Should be a prime concern for all organisations to take special care of any digital data of importance
  - could be contextualised to become information…

12 Information Security? Data Security? Cyber Security?
- Matters relating to digital stuff were referred to by organisations as “data security”
  - regarded as an IT matter
- Then “Information Security”, to take account of contextualisation & human factors
- 2009 on… became Cyber Security
  - woke up to “cyber threats…”

13 Group Exercise
- Define:
  - Data Security
  - Information Security
  - Cyber Security
- Which of these would be the one to use to help SMEs…?

14 Information Security and Organisations
- Nothing new!
  - organisations have always kept information
  - important to the extent that the organisation IS its information
  - loss of vital data could therefore be curtains for the organisation!!!
  - information kept very secure…
    - in fireproof, lockable filing cabinets

15 Nowadays, usually held digitally
- Until the 1980s, always held in expensive, secure computer areas
  - well-paid experts looked after computer operations
  - completely beyond the scope of an SME!
- Then came the PC… the network… the portable storage device… and…
  - public access to the Internet!

16 Over 1 billion Internet servers! Navigating data round the Internet

17 Mission Impossible?
- More… after the break!

18 Information Security: Technology & Management
- Basic problem…
  - technology is useless if people won’t stick to procedures
  - procedures are equally useless if the technology can’t detect intrusions or prevent them

19 A Company like Yours?
- http://www2.deloitte.com/au/en/pages/risk/articles/cyber-video-companies-like-yours.html
- Questions?

20 E-commerce from home…
- Principles of good data management should be applied to a “leisure” computer at home connected to the Internet…
  - e.g. family members could get hold of each other’s information
- But all much, much more important when a whole organisation’s data is being managed…

21 Management of Information Security
- (Senior) Management...
  - used to the spoken or written word
  - often misconceptions about digital data…
    - e.g. what is data, what is information, and the relationship between the two
  - security of data may therefore not be given sufficient prominence... (!)
- Result: digital data is usually not properly managed…

22 Reasons to look after Data: 1. The Law
- All UK organisations that hold data on people must register with the Information Commissioner's Office (ICO)
  - criminal offence not to do so...
- Personal data must be kept in accordance with the eight principles of the Data Protection Act
  - not to do so can result in hefty fines
  - or even imprisonment

23 Reasons to look after Data: 1. The Law - continued
- Financial data also covered under the law, through the Financial Services Authority (FSA)…
  - much more severe penalties than the ICO…
    - e.g. Nationwide fined in 2007: approx £1 million
    - e.g. HSBC fined in 2009: several £ million
    - e.g. Zurich Insurance fined in 2010: > £1 million

24 2. Losses do not look good for the business…
- If a business loses its data
  - it won’t be able to trade efficiently, or even at all!
  - estimation: 10 days maximum to recover, or out of business!
- If business data is stolen, they may ALSO lose trade secrets, customer image, market share…

25 2. Losses & public sector, not-for-profit organisations
- Personal data often not regarded as so important, other than in legal terms
  - hence the catastrophic sequence of errors that led to 25 million records being lost by HMRC
- HOWEVER… customers do expect their personal data to be safeguarded
  - increasing concern about privacy in recent years
  - source of great embarrassment if data lost

26 The Threats to organisations…
- Divide neatly into:
  - “internal”
  - “external”

27 Internal
- Well-meaning employees not following procedures and misusing data or allowing it to get into the wrong hands…
- Employees or temps with bad intent…

28 External
- Inside people or business partners accessing data from outside, and either accidentally or on purpose, misusing it
- People hacking in from outside, usually via the Internet

29 Do we have a problem?
- Perceptions “from the inside” quite different from “outside looking in”

30 Where to start?
- Group Exercise…

31 Start at the top… an Information Security Policy
- As information is so important to organisations, security of information should be central to the organisation’s strategic plan…
  - therefore part of organisational policy…
- Problem: organisations (especially small ones) are very reluctant to do this…

32 How can organisations be encouraged to have a policy?
- Over to you again…

33 An Information Security Policy
- Fortunately, now becoming a commercial imperative for doing any on-line business with a credit card
  - thanks to recent PCI DSS guidelines…
  - other information assurance schemes require this (e.g. ISO27001, COBIT, IASME)
  - more rigorously enforced by ICO
- ONCE the organisation has finally accepted that they need a policy, they should base it on existing organisational strategy
  - can then be implemented tactically and operationally through the organisational structure

34 Who are “stakeholders” in organisational Information Security?
- Who should be responsible for what?
  - (no responsibility… no accountability)
- Exercise again in groups…

35 Stakeholders
- A number of jobs involve security of data in one way or another, e.g.:
  - Data Controller (Data Protection Act)
  - Head of Personnel/HR
  - Department Heads (especially Finance)
- Who should bear the responsibility/carry the can??
  - Difficult one for organisations, but has to be The Boss (!) ISO27001 insists on it…
  - http://www.iso.org/iso/home/standards/certification/home/standards/certification/iso-survey.htm

