COMP3371 Cyber Security, Richard Henson, University of Worcester, September 2015


Page 1

COMP3371 Cyber Security
Richard Henson
University of Worcester
September 2015

Page 2

What this module is about

By the end of this module you should be able to:

Critically analyse the information security issues and threats facing both users and information managers in organisations

Identify and analyse methods, tools and techniques for combating security threats

Develop an information security policy for, and provide a strategy for implementation of that policy in, an organisation

Explain the legal issues and implications of security

Page 3

Week 1 – Strategies for securing data held within digital systems

Objectives:

Explain the difference between “data” and “information”

Explain why doing Cyber Security has become so hard

Know where to start with organisational information security

Page 4

Data… or Information?

Kids’ stuff? Yet the difference between the two is subtle but crucial, and should be clearly understood…

Exercise in pairs…

discuss what is (a) similar and (b) different about data and information

give an example of digital data that could be categorised as (a) data and (b) information

» be prepared to explain why each can be categorised as such…

Page 5

Data… or Information?

All about context…

if on its own… just numbers & characters

if linked to something else… really important information

Great confusion about this…

Page 6

Scenario

Within the organisation/department a few bytes sent may be “just data”

employees may not see it as personal or sensitive

Relaxed attitude?

Outsider… still just data?

e.g. taken via a wireless link

With help from an internal “informer”… context! Becomes information

Page 7

How Valuable is Data? (1)

Data breach: an external agency gets organisational data without permission

If what is compromised remains just “data”, perhaps a breach is not so serious…

data worthless without context

Page 8

How Valuable is Data? (2)

However… if the data becomes information…

» it will have value… maybe a lot…

» breach could be very serious indeed

Examples:

» rival organisation gets corporate information… and uses that information to undermine the organisation (who knows?)

» hacker accesses customer personal information (e.g. Ashley Madison)

Page 9

How much is Data worth?

Organisation value… refers to monetary value

classically based on physical assets & trading

data or information not physical…

Classical model out of date?

What is the value of e.g. a company database?

Page 10

Black Market Value…

Information has intrinsic value

e.g. personal data record

» if contextualised, becomes “personal information”

» worth e.g. £50 on the black market?

e.g. spreadsheet, confidential memo

» could become financial or corporate information

» may be worth a lot more than £50…

By contrast, data only has potential value… just add context, though… and…

Page 11

Keeping Data Secure

If data can easily become information, it needs to be kept safe…

Should be a prime concern for all organisations to take special care of any digital data of importance that could be contextualised to become information…

Page 12

Information Security? Data Security? Cyber Security?

Matters relating to digital stuff referred to by organisations as “data security”

regarded as an IT matter

Then “Information Security” to take account of contextualisation & human factors

2009 on… became Cyber Security

woke up to “cyber threats…”

Page 13

Group Exercise

Define:

Data Security

Information Security

Cyber Security

Which of these would be the one to use to help SMEs…?

Page 14

Information Security and Organisations

Nothing new!

organisations have always kept information

important to the extent that the organisation IS its information

loss of vital data could therefore be curtains for the organisation!!!

information kept very secure…

» in fireproof, lockable filing cabinets

Page 15

Nowadays, usually held digitally

Until the 1980s, always held in expensive, secure computer areas

well-paid experts looked after computer operations

completely beyond the scope of an SME!

Then came the PC… the network… the portable storage device… and… public access to the Internet!

Page 16

Over 1 billion Internet servers!

Navigating data round the Internet

Page 17

Mission Impossible?

More… after the break!

Page 18

Information Security: Technology & Management

Basic problem…

technology is useless if people won’t stick to procedures

procedures are equally useless if the technology can’t detect intrusions or prevent them

Page 19

A Company like Yours?

http://www2.deloitte.com/au/en/pages/risk/articles/cyber-video-companies-like-yours.html

Questions?

Page 20

E-commerce from home…

Principles of good data management should be applied to a “leisure” computer at home connected to the Internet…

e.g. family members could get hold of each other’s information

But all much, much more important when a whole organisation’s data is being managed…

Page 21

Management of Information Security

(Senior) Management...

used to the spoken or written word

often misconceptions about digital data…

» e.g. what is data, what is information and the relationship between the two

security of data may therefore not be given sufficient prominence... (!)

Result: digital data is usually not properly managed…

Page 22

Reasons to look after Data: 1. The Law

UK organisations that hold data on people must (with limited exemptions) notify the Information Commissioner’s Office (ICO)

criminal offence not to do so...

Personal data must be kept in accordance with the eight principles of the Data Protection Act 1998

not to do so can result in hefty fines (offences under the 1998 Act are punishable by fine rather than imprisonment; since 2010 the ICO can also impose monetary penalties of up to £500,000 for serious breaches of the principles)

Page 23

Reasons to look after Data: 1. The Law - continued

Financial data also covered under the law, through the Financial Services Authority (FSA; since April 2013 the Financial Conduct Authority, FCA)…

much more severe penalties than the ICO…

» e.g. Nationwide fined in 2007: approx £1 million (£980,000, after a stolen laptop holding customer data)

» e.g. HSBC fined in 2009: several £ million (£3.2 million across three HSBC firms, for unencrypted customer data sent and stored insecurely)

» e.g. Zurich Insurance fined in 2010: over £1 million (£2.275 million, after a backup tape with customer data was lost)

Page 24

2. Losses do not look good for the business…

If a business loses its data it won’t be able to trade efficiently, or even at all!

estimation: 10 days maximum to recover, or out of business!

If business data is stolen, they may ALSO lose trade secrets, customer image, market share…

Page 25

2. Losses & public sector, not-for-profit organisations

Personal data often not regarded as so important, other than in legal terms

hence the catastrophic sequence of errors that led to 25 million child benefit records being lost by HMRC (on two unencrypted discs sent by internal post, 2007)

HOWEVER… customers do expect their personal data to be safeguarded

increasing concern about privacy in recent years

source of great embarrassment if data lost

Page 26

The Threats to organisations…

Divides neatly into:

“internal”

“external”

Page 27

Internal

Well-meaning employees not following procedures and misusing data or allowing it to get into the wrong hands…

Employees or temps with bad intent…

Page 28

External

» Inside people or business partners accessing data from outside, and either accidentally or on purpose, misusing it

» People hacking in from outside, usually via the Internet

Page 29

Do we have a problem?

Perceptions “from the inside” quite different from “outside looking in”

Page 30

Where to start?

Group Exercise…

Page 31

Start at the top… an Information Security Policy

As information is so important to organisations, security of information should be central to the organisation’s strategic plan…

therefore part of organisational policy…

Problem: organisations (especially small ones) are very reluctant to do this…

Page 32

How can organisations be encouraged to have a policy?

Over to you again…

Page 33

An Information Security Policy

Fortunately, now becoming a commercial imperative for any on-line business that takes credit cards, thanks to PCI DSS… (Requirement 12 of the standard is to maintain a policy that addresses information security for all personnel; it is a contractual obligation imposed by the card brands, not just guidance)

other information assurance schemes require this (e.g. ISO 27001, COBIT, IASME)

more rigorously enforced by ICO

ONCE the organisation has finally accepted that they need a policy, they should base it on existing organisational strategy

can then be implemented tactically and operationally through the organisational structure

Page 34

Who are “stakeholders” in organisational Information Security?

Who should be responsible for what? (no responsibility… no accountability)

Exercise again in groups…

Page 35

Stakeholders

A number of jobs involve security of data in one way or another, e.g.:

Data Controller (Data Protection Act)

Head of Personnel/HR

Department Heads (especially Finance)

Who should bear the responsibility/carry the can??

Difficult one for organisations, but has to be The Boss (!)

ISO 27001 insists on it… (clause 5, Leadership, requires top management to demonstrate commitment to the information security management system)

http://www.iso.org/iso/home/standards/certification/iso-survey.htm