Learn to critically analyze information security issues, identify tools for combating security threats, develop security policies, and understand legal implications. Week 1 focuses on securing data within digital systems.
Richard Henson University of Worcester September 2018 COMP3371 Cyber Security
What this module is about • By the end of this module you should be able to: • Critically analyse the information security issues and threats facing both users and information managers in organizations • Identify and analyze methods, tools and techniques for combating security threats • Develop an information security policy for, and provide a strategy for implementation of that policy in an organization. • Explain the legal issues and implications with security.
Week 1 – Strategies for securing data held within digital systems • Objectives: • Explain the difference between “data” and “information” • Explain why doing Cyber Security has become so hard • Know where to start when dealing with an organisation’s information security
Data… or Information? Meet me at… • Kids stuff? • the difference between the two is NOT obvious! • subtle but crucial - should be clearly understood… • Exercise in groups… • discuss what is (a) similar (b) different about data and information • give an example of digital data that could be categorised as (a) data and (b) information • be prepared to explain why each can be categorised as such…
Data… or Information? • All about context… • if on its own…. just numbers & characters • if linked to something else… really important information • Great confusion about this…
Scenario • Within the organisation/department a few bytes sent may be “just data” • employees may not see it as personal or sensitive • Relaxed attitude? • Outsider… still just data? • e.g. taken via a wireless link • With help from an internal “informer”… • context! Data becomes information
How Valuable is Data? (1) • Data breach • an external agency… • gets organisational data… • without permission • If what is compromised remains just “data”, perhaps a breach is not so serious… • data worthless without context
How Valuable is Data? (2) • However… • If the data becomes information… • it will have value… maybe a lot… • breach could be very serious indeed • Examples: • rival organisation gets corporate information … and uses that information to undermine the organisation (who knows?) • hacker accesses customer personal information (e.g. Ashley Madison)
How much is Data worth? • Organisation value… refers to monetary value • classically based on physical assets & trading • data or information not physical… • Classical model out of date? • What is the value of e.g. company database?
Black Market Value… • Information has intrinsic value • e.g. personal data record - • if contextualised, becomes “personal information” • worth e.g. £50 on the black market? • e.g. spreadsheet, confidential memo • could become financial or corporate information • may be worth a lot more than £50… • By contrast, data on its own has only potential value • just add context, though… and…
Anonymising Data • This is a way to safeguard data by not including personal data directly • especially in any publicly accessible data • may be a key field that can link back to the personal data if required • needs a higher level of access • If anonymised data falls into the wrong hands… no prob! Useless without key field
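As an added worked example (written for these notes, not part of the lecture slides), the key-field approach above in Python: identifying fields are replaced by a pseudonym and moved into a separately held key table, so the released rows are just “data” until someone with the key table re-adds the context. The sample records and the secret are constructed for illustration.

```python
"""Pseudonymising records with a separately held key table.

Illustrative code added to these notes; sample records and the secret are
constructed, not real. The pseudonym is an HMAC rather than a plain hash,
because a plain hash of guessable identifiers (names, postcodes) could be
reversed by anyone who simply hashes candidate values and compares.
"""
import hashlib
import hmac

# Constructed sample records (fictional people).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org",
     "postcode": "WR1 1AA", "salary": 31000},
    {"name": "Bob Example", "email": "bob@example.org",
     "postcode": "WR2 2BB", "salary": 45000},
]
IDENTIFIERS = ("name", "email", "postcode")


def pseudonymise(records, secret):
    """Return (anonymised_rows, key_table).

    Each anonymised row keeps the non-identifying fields plus an 'id'
    token derived from the identifiers under `secret`. The key table maps
    token -> identifiers and must be stored at a higher level of access.
    """
    anon, key_table = [], {}
    for rec in records:
        # Same person -> same token, so per-individual analysis still works
        # on the anonymised set without knowing who the individual is.
        canonical = "|".join(rec[f].strip().lower() for f in IDENTIFIERS)
        token = hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()[:16]
        anon.append({"id": token,
                     **{k: v for k, v in rec.items() if k not in IDENTIFIERS}})
        key_table[token] = {f: rec[f] for f in IDENTIFIERS}
    return anon, key_table


def reidentify(anon_row, key_table):
    """Re-link a row to a person: only possible for a holder of the key table."""
    return {**key_table[anon_row["id"]], **anon_row}


def leaks_identifiers(anon_rows):
    """Check that no identifying field survived in the released data."""
    return any(f in row for row in anon_rows for f in IDENTIFIERS)
```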
Keeping Data Secure • If data can easily become information, it needs to be kept safe… • Should be a prime concern for all organisations to take special care of any digital data of importance • could be contextualised to become information…
Once upon a time… Digital Data not accessible to users • Until 1980s, always held in expensive, secure computer areas • ONLY well-paid experts accessed computer operations • all completely beyond scope of an SME!
Nowadays, Data usually held Digitally • First came the PC… • then the PC network… • then portable storage device… and… • finally…. public access to the Internet!
Try securing this… data navigated round the Internet • Over 1 billion Internet servers!
Do Organisations understand this…? • “A Company like Yours?” • http://www2.deloitte.com/au/en/pages/risk/articles/cyber-video-companies-like-yours.html • Questions?
Mission Impossible? • or technically easy-peasy?
A new name for protecting the stuff that used to be on paper? • What needs to be secured; • Buildings, print-outs, etc. • covered by “Physical Security” • Current good practice • destroys the physical asset • replace it by digital… • Everything else is digital… • how about “Digital Security”?
Information Security? Or Data Security? • Matters relating to digital stuff referred to by organisations as “data security” • regarded as an IT matter • “Information Security” introduced to take account of contextualisation & human factors • 2009 on… became Cyber security • woke up to “cyber threats…”
Information Security and Organisations • Nothing new! • organisations have always kept information • important to the extent that the organisation IS its information • loss of vital data could therefore be curtains for the organisation!!! • information kept very secure… • in fireproof, lockable, filing cabinets
Group Exercise • Define: • Data Security • Information Security • Cyber Security • Which of these terms would help SMEs (small/medium-sized enterprises)?
E-commerce from home… • Principles of good data management should be applied to a “leisure” computer at home connected to the Internet… • e.g. family members could get hold of each other’s information • The Internet has to be used when people buy products online… • Easy for a home computer to be hijacked!
Information Security: Technology & Management • Basic problem… • technology is useless if it goes wrong… • or people don’t use it properly… • organisations need specialists to keep technology working • need procedures so employees use technology correctly • applies equally to IT!
Management of Information Security • IT infrastructure a major undertaking • technology has to work • staff (usually) have to be trained • data has to be managed • (Senior) Management... • often misconceptions about digital data and the costs of maintaining it • result: 3rd item less priority • digital data therefore not properly managed…
Reasons to look after Data: 1. Data Protection Act • All UK organisations that hold data on people must register with the Information Commissioner's Office (ICO) • criminal offence not to do so... • Personal data must be kept in accordance with eight principles of the Data Protection Act • not to do so can result in hefty fines • or even imprisonment
Reasons to look after Data: 1. The Law - continued • Financial data also covered under a slightly different law, through the Financial Services Authority (FSA)… • much more severe penalties than the ICO… • e.g. Nationwide fined in 2007 • approx £1million • e.g. HSBC fined in 2009 • £ several MILLION • e.g. Zurich Insurance fined 2010 • £ >1 million
2. Losses do not look good for the business… • If a business loses its data • it won’t be able to trade efficiently, or even at all! • estimation: 10 days maximum to recover, or out of business! • ALSO lose trade secrets, customer image, market share, reputation…
2. Losses & public sector, not-for-profit organisations • In practice… personal data often not given priority in protection • catastrophic sequence of errors that led to 25 million records being lost by HMRC in 2007 • Unsurprisingly… customers expect their personal data to be safeguarded • increasing concern about privacy in recent years • source of great embarrassment if data lost
The Threats to organisations… • Divides neatly into: • “internal” • “external”
Internal • Well-meaning employees not following procedures and misusing data or allowing it to get into the wrong hands…. • Employees or temps with bad intent…
External • Inside people or business partners accessing data from outside, and either accidentally or on purpose, misusing it • People hacking in from outside, usually via the Internet
Do we have a problem? • Perceptions “from the inside” quite different from “outside looking in”
Where to start? • Group Exercise…
Start the top…an Information Security Policy • As information is so important to organisations, security of information should be central to organisation’s strategic plan… • therefore part of organisational policy… • Problem: organisations (especially small ones) are very reluctant to do this…
How can organisations be encouraged to have a policy? • Over to you again…
An Information Security Policy • Fortunately, now becoming a commercial imperative for doing any on-line business with a credit card • thanks to recent PCI DSS guidelines… • other information assurance schemes require this (e.g. ISO27001, COBIT, IASME) • more rigorously enforced by ICO • ONCE the organisation has finally accepted that they need a policy, they should base it on existing organisational strategy • can then be implemented tactically and operationally through the organisational structure
“Stakeholders” of organisational Information Security? • Who should be responsible for what? • (no responsibility… no accountability) • Exercise again in groups…
Stakeholders • A number of jobs involve security of data in one way or another e.g.: • Data Controller (Data Protection Act) • Head of Personnel/HR • Department Heads (especially Finance) • Who should bear responsibility/carry the can?? • Difficult for organisations, but is… “The Boss” (!) • Can’t get ISO27001 without this acceptance… • http://www.iso.org/iso/home/standards/certification/home/standards/certification/iso-survey.htm