Data Confidentiality. Learning Objectives: By the end of this topic you should be able to: discuss...

Data Confidentiality


Page 1: Data Confidentiality. Learning Objectives: By the end of this topic you should be able to: discuss the need to keep data confidential explain how data.

Data Confidentiality

Page 2

Learning Objectives:

By the end of this topic you should be able to:

• discuss the need to keep data confidential;

• explain how data confidentiality can be achieved.

Page 3

Learning Objective:

By the end of this topic you should be able to:

• discuss how the following can be used to protect data:

– encryption,

– authorisation,

– authentication,

– virus checking,

– virus protection,

– physical security

Page 4

Learning Objective (G061 synoptic)

• explain methods for combating ICT crime and protecting ICT systems:

– physical security,

– firewalls,

– backup,

– encryption,

– biometric security,

– software patches/updates,

– ‘anti-virus’ & anti-spyware software,

– access rights,

– auditing,

– education of users,

– user IDs,

– passwords,

– methods for ensuring passwords remain effective

Page 5

Confidentiality

• is my data safe?

• can I trust who has access to my data?

• is my data correct?

• can I be sure that my data will not be passed on?

Example:

• bank account information is highly confidential

– however, on-line banking takes place through the Internet, an open network prone to attacks by hackers

Page 6

Why does data need to be kept confidential?

1. to comply with the Data Protection Act

– personal data must be kept secure

– personal data must not be revealed

2. organisational reasons

– information may be commercially sensitive

– details of new products or procedures

• of value to competitors

Page 7

Encryption: What is Encryption?

• the process of disguising messages or data

– ‘scrambling’ data

– so that only the intended recipient can understand them

– if data is accessed unlawfully, it will be meaningless to an unauthorised user

• involves data being ‘arithmetically transformed’ before transmission in a scrambled form

– uses a random process set up using a special key value

– the data is then decoded at the receiver by reversing the encryption process.
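The slide's three steps (transform the data with a secret key, send the scrambled form, reverse the transformation at the receiver with the same key) can be seen in a few lines of Python. This is an added teaching example, not code from the slides: the key, the message and the keystream construction are all constructed here, and the SHA-256 keystream is a classroom toy rather than a vetted cipher, so it shows the idea of key-controlled scrambling but is not something to protect real data with.

```python
"""Added example (not from the slides): key-controlled scrambling and its
reversal at the receiver.  The keystream is derived with SHA-256 purely to
illustrate the idea; it is a toy, not a vetted cipher."""
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    """Expand the secret key into `length` pseudo-random bytes (hash of key + counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Scramble the message: each byte is XORed with the matching keystream byte."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so the receiver applies the same transformation
    with the same key to recover the original data."""
    return encrypt(key, ciphertext)


def demo() -> dict:
    """Round trip with the right key, and what an unauthorised party with a
    wrong key gets back.  Key and message are constructed sample values."""
    key = b"shared-secret-key"
    message = b"Account 12345678, balance 4210.55"
    scrambled = encrypt(key, message)           # this is what travels over the network
    recovered = decrypt(key, scrambled)         # intended recipient, same key
    wrong = decrypt(b"wrong-key", scrambled)    # interceptor without the key
    return {
        "scrambled_differs": scrambled != message,
        "round_trip_ok": recovered == message,
        "wrong_key_ok": wrong == message,
    }


if __name__ == "__main__":
    print(demo())
```

Reusing the same key for two messages with this kind of keystream leaks the XOR of the two plaintexts, which is one reason real systems use a standard algorithm such as AES with a fresh nonce per message and an integrity check on the ciphertext.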

Page 8

Encryption: Why use Encryption?

• to provide security of data

– especially during transmission through the Internet

– where it is liable to interception.

• so that sensitive data cannot be understood by criminals

– credit card details, emails

• to ensure that data of a sensitive nature can only be accessed by those for whom the data is intended

– to maintain privacy

• to protect important data that might be hacked or stolen

– music CD, movie DVD, digital TV

Page 9

Authorisation

• giving permission (authority) for users to access data

• different users are allowed to access different data

– and/or perform different operations on data

Page 10

Authorisation: Levels of Access

1. may want to restrict access to data

– only certain users can access the data

– so that unauthorised changes are not made

2. data is commercially valuable

– could be stolen or damaged/modified

3. legal restrictions on the access to personal data

– DPA

Page 11

Authorisation: Levels of Access

• there are four main levels of access rights to data:

– Read Only: a user is allowed to view data

– Create: a user is allowed to create new data records

– Write: a user is allowed to make changes to data

– Delete: a user is allowed to delete data

• to gain authorisation, a user must identify themselves

• usually by entering a user name (User ID)

• other methods of supplying User IDs include:

– a magnetic stripe on the back of a card,

– a smart chip on a card,

– biometric: voice recognition, fingerprint, retina scan ….

Page 12

Authorisation: User IDs

Why?

• allow access to user areas

– stop unauthorised access

– protect data

• to make individual users members of groups

– allow access to files based on access rights

– allow access to resources – printers, software

• to be able to monitor use

– audit logs

• to comply with the law

– DPA

Page 13

Authorisation: User IDs

Effectiveness of user ID maintained by:

• must be unique – so we can be sure who is doing what

• can be suspended when the user is away

– on holiday, leaves the company (or infringes the code of conduct)

• can be linked to resources

– an individual machine

– software applications

– times of use
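Pages 11 to 13 describe one mechanism from three angles: the four access rights, user IDs placed in groups that carry those rights, and suspension of a user ID while its owner is away. The Python below, an added example rather than anything from the slides, puts them together. Users, groups, file names and the rights each group holds are constructed sample data; the important behaviours are that rights come from group membership, a suspended ID loses everything without being deleted, and anything not explicitly granted is refused.

```python
"""Added example (not from the slides): access rights granted to groups,
inherited by user IDs, with suspension and default deny.  All users, groups,
files and rights below are constructed sample data."""
from dataclasses import dataclass

# The four levels of access on the slide.
RIGHTS = {"read", "create", "write", "delete"}


@dataclass
class User:
    user_id: str          # unique, so the audit trail shows who did what
    groups: set
    suspended: bool = False   # set while on holiday or after leaving


# Constructed sample policy: (resource, group) -> rights that group holds.
POLICY = {
    ("payroll.xlsx", "finance"): {"read", "write"},
    ("payroll.xlsx", "hr"): {"read"},
    ("customers.db", "sales"): {"read", "create", "write"},
    ("customers.db", "sales-managers"): {"delete"},
}


def rights_for(user: User, resource: str) -> set:
    """Union of the rights held by every group the user belongs to."""
    if user.suspended:
        return set()                      # a suspended ID can do nothing
    granted = set()
    for group in user.groups:
        granted |= POLICY.get((resource, group), set())
    return granted


def is_allowed(user: User, resource: str, right: str) -> bool:
    """Default deny: a right the policy never grants is refused."""
    if right not in RIGHTS:
        raise ValueError(f"unknown access right: {right}")
    return right in rights_for(user, resource)


def suspend(user: User) -> None:
    """Remove all access while keeping the account (e.g. user on holiday)."""
    user.suspended = True


def reinstate(user: User) -> None:
    user.suspended = False


# Constructed sample users.
SAMPLE_USERS = {
    "asmith": User("asmith", {"finance"}),
    "bjones": User("bjones", {"sales", "sales-managers"}),
    "cdavis": User("cdavis", {"hr"}),
}


if __name__ == "__main__":
    for uid, user in SAMPLE_USERS.items():
        for resource in ("payroll.xlsx", "customers.db"):
            print(uid, resource, sorted(rights_for(user, resource)))
```

Because membership, not the individual user, carries the rights, removing a leaver from a group or suspending the ID is a single change rather than a hunt through every file's permissions.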

Page 14

Authentication

• “the process of determining the identity and legitimacy of a user or process”

– confirming that a user is who they say they are

Why:

• authorisation only tells the computer who the user is

• authorisation does not prevent somebody from pretending to be a different person

• need a 2nd level of identification

Page 15

Authentication

3 main ways for authenticating individuals:

• 'Something you know'

– password, PIN

• 'Something you have'

– mobile phone, credit card or hardware security token

• 'Something you are'

– biometric: voice recognition, fingerprint, retinal scan ….

Page 16

Authentication: Password

Effectiveness of password maintained by:

1. Network Manager:

– force password change frequently

– enforce minimum password length

– enforce unrecognisable words only (not in dictionary)

– must contain numbers and letters (& punctuation)

– cannot reuse passwords

– after 3 incorrect password attempts the account is locked

2. User:

– not writing the password down

– make it something others can’t guess – not personal

– make sure no one is looking when you type it in
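The network manager's rules above are exactly the kind of thing a system enforces in code. The Python below is an added example, not from the slides: it checks a proposed password against the minimum length, dictionary, character-mix and no-reuse rules, and models the lock-out after three wrong attempts. The minimum length, the five-word "dictionary" and the sample passwords are constructed values; a real deployment would load a full word list and store the password history as hashes.

```python
"""Added example (not from the slides): password rules as checks, plus the
'3 incorrect attempts -> account locked' behaviour.  Word list, limits and
sample passwords are constructed values."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8          # constructed policy value
MAX_ATTEMPTS = 3        # the slide's lock-out threshold
# Constructed stand-in for a dictionary; a real check loads a full word list.
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon"}


def check_password(candidate: str, history: list) -> list:
    """Return the rule violations for a proposed password; [] means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in DICTIONARY:
        problems.append("is a dictionary word")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("must contain both letters and numbers")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("must contain punctuation")
    if candidate in history:                     # history would hold hashes in practice
        problems.append("was used before")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: the system never needs to keep the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Counts failed logins and locks the account after MAX_ATTEMPTS."""

    def __init__(self, user_id: str, password: str):
        self.user_id = user_id
        self._salt = os.urandom(16)
        self._digest = _digest(password, self._salt)
        self.failed_attempts = 0
        self.locked = False

    def login(self, attempt: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(_digest(attempt, self._salt), self._digest):
            self.failed_attempts = 0             # a good login resets the counter
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True                   # only the network manager unlocks it
            return "locked"
        return "denied"


if __name__ == "__main__":
    print(check_password("Summer", []))          # several violations
    print(check_password("Tr4in-B0at!", []))     # []
    acct = Account("asmith", "Tr4in-B0at!")
    print([acct.login(x) for x in ("a", "b", "c", "Tr4in-B0at!")])
```

Note that a locked account refuses even the correct password until it is unlocked; that is what makes the third rule effective against repeated guessing rather than merely slowing it.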

Page 17

Viruses

• a program which infects computer systems by self-replicating (copying itself to other systems)

• computers can be infected by viruses when new data is introduced to the computer:

– removable media: USB storage devices, memory cards, CD-R, DVD-R

– across a network: LAN, via the Internet

• infection by a virus can:

– cause harm to data on a computer

– collect information about a user without the user’s knowledge (spyware)

Page 18

Boot Sector Viruses

• spreads by hiding itself in the boot sector of your hard drive or floppy disk.

• when your computer reads an infected floppy disk, the virus is copied from the disk to your computer's memory.

• any new disk, CD or memory stick inserted in the computer will then become infected

• if this storage medium is used on another computer – it becomes infected ……

Page 19

E-mail Virus

• contained in attachments to e-mail messages,

• replicates itself by automatically mailing itself to people in the victim's e-mail address book.

• spreads very rapidly

Page 20

Trojan

• a computer program

• program claims to do one thing but instead does damage when you run it

– delete files, erase hard disk

• opens your computer up to malicious intruders, allowing them to read your files

• appears to be friendly – but isn’t!

Page 21

Macro Virus

• many applications now have their own built-in programming language (macro language)

– Microsoft Office applications use Visual Basic

• infects word processor files, spreadsheets, databases …

• can spread quickly

– if a Word file is sent via email – file used by many people.

• Microsoft added protection into later versions of Word

– now receive a warning about infected documents.

Page 22

Virus Protection

• install anti-virus software on all computers

• scan storage devices for infected files

– detects viruses

– allows removal of infected code from file

– deletion of infected files

• regularly update virus data files

• install firewall on network

– hardware or software

• prevent use of removable storage media

– CDs, DVDs

– USB devices - memory stick, removable HDD

Page 23

Audit Logs

• consist of data about each stage of any transaction,

• logs are maintained automatically by the system

• allow the network manager to examine patterns of use

• audit logs track:

– who did what,

– at which workstation,

– when it occurred.

• logs can be used to see which member of staff:

– accessed particular files

– other resources

– web pages.
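What the network manager actually does with an audit log is ask it questions: who touched a particular file, from which workstation, when, and whether anyone's pattern of use looks unusual. The Python below is an added example, not from the slides; the six log lines, their one-line-per-event format (timestamp, user ID, workstation, action, resource) and the 08:00 to 18:00 working day are all constructed for the example.

```python
"""Added example (not from the slides): answering the slide's questions
(who did what, at which workstation, when) from an audit log.  The log
lines, their format and the working-day window are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user ID, workstation, action, resource.
SAMPLE_LOG = """\
2007-01-15T09:02:11 asmith WS-12 READ payroll.xlsx
2007-01-15T09:05:40 bjones WS-07 WRITE customers.db
2007-01-15T12:17:03 cdavis WS-03 READ payroll.xlsx
2007-01-15T22:41:55 asmith WS-19 READ payroll.xlsx
2007-01-15T22:43:10 asmith WS-19 READ customers.db
2007-01-16T08:59:01 bjones WS-07 DELETE customers.db
"""


def parse(log_text: str) -> list:
    """Turn each log line into a dict; the system writes these automatically."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, workstation, action, resource = line.split()
        events.append({
            "when": datetime.fromisoformat(when),
            "user": user,
            "workstation": workstation,
            "action": action,
            "resource": resource,
        })
    return events


def who_accessed(events: list, resource: str) -> list:
    """Which member of staff accessed a particular file, from where and when."""
    return [(e["user"], e["workstation"], e["when"].isoformat())
            for e in events if e["resource"] == resource]


def out_of_hours(events: list, start: int = 8, end: int = 18) -> list:
    """Events outside the working day: one 'pattern of use' worth examining."""
    return [e for e in events if not (start <= e["when"].hour < end)]


def usage_pattern(events: list) -> dict:
    """How many of each action every user performed."""
    pattern = defaultdict(Counter)
    for e in events:
        pattern[e["user"]][e["action"]] += 1
    return {user: dict(counts) for user, counts in pattern.items()}


def workstations_per_user(events: list) -> dict:
    """Which workstations each user ID was used from."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["workstation"])
    return {user: sorted(ws) for user, ws in seen.items()}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(who_accessed(ev, "payroll.xlsx"))
    print([(e["user"], e["workstation"]) for e in out_of_hours(ev)])
    print(usage_pattern(ev))
```

In the constructed data one user ID reads both sensitive files late in the evening from a workstation it is not otherwise used on; the log cannot say why, but it tells the network manager exactly which question to ask and whom.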

Page 24

Firewall

• network security device

– stands between a network and the outside world

– can be hardware and/or software based.

– examines data packets moving into and out of the system.

• configured to permit or deny connections

– using a set of rules

– access is denied if not allowed by the rules

– rules are set by the system administrator according to the organisation's security policy

– checks data sent by users and applications

– filters websites users are permitted to visit
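The slide's "set of rules" with "access denied if not allowed by the rules" is a first-match packet filter with a default deny, which the Python below spells out. This is an added example, not from the slides or any real product: the network addresses come from the documentation ranges, and the policy (public web server reachable on port 443 from outside, internal machines allowed web access except to one blocked range) is constructed. It also shows why rule order matters.

```python
"""Added example (not from the slides): a first-match packet filter with a
default deny.  Addresses are from the documentation ranges and the policy
is constructed for the example."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from outside, "out" = leaving the network
    src: str
    dst: str
    protocol: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    direction: str
    src_net: str = "0.0.0.0/0"       # any source
    dst_net: str = "0.0.0.0/0"       # any destination
    protocol: str = "any"
    dst_port: Optional[int] = None   # None = any port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and self.protocol in ("any", p.protocol)
                and self.dst_port in (None, p.dst_port))


# Constructed policy: internal LAN 192.0.2.0/24, public web server 192.0.2.10,
# 203.0.113.0/24 is a range of websites staff may not visit.
RULES = [
    Rule("deny", "out", src_net="192.0.2.0/24", dst_net="203.0.113.0/24"),
    Rule("permit", "in", dst_net="192.0.2.10/32", protocol="tcp", dst_port=443),
    Rule("permit", "out", src_net="192.0.2.0/24", protocol="tcp", dst_port=443),
    Rule("permit", "out", src_net="192.0.2.0/24", protocol="tcp", dst_port=80),
]


def decide(packet: Packet, rules: list = RULES) -> str:
    """First matching rule wins; a packet no rule allows is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


def website_block_is_effective(rules: list) -> bool:
    """Check that the blocked-site rule is not shadowed by an earlier permit."""
    probe = Packet("out", "192.0.2.33", "203.0.113.9", "tcp", 443)
    return decide(probe, rules) == "deny"


if __name__ == "__main__":
    samples = [
        Packet("in", "198.51.100.5", "192.0.2.10", "tcp", 443),   # public web: permit
        Packet("in", "198.51.100.5", "192.0.2.10", "tcp", 22),    # no rule: deny
        Packet("out", "192.0.2.33", "198.51.100.7", "tcp", 80),   # staff browsing: permit
        Packet("out", "192.0.2.33", "203.0.113.9", "tcp", 443),   # blocked site: deny
    ]
    for pkt in samples:
        print(pkt.dst, pkt.dst_port, decide(pkt))
    print("block effective with RULES:", website_block_is_effective(RULES))
    print("block effective if deny is last:", website_block_is_effective(RULES[1:] + RULES[:1]))
```

Moving the deny rule to the end of the list silently defeats it, because the general "permit outbound 443" rule matches first; a check like `website_block_is_effective` is the kind of regression test worth keeping beside a rule set.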

Page 25

Why use a Firewall?

• prevents external users from gaining unauthorised access to a computer system

• limits/filters the data that can be received from or sent to external users

• could block certain types of data

• to protect data from being viewed/altered/deleted

• to comply with the Data Protection Act

• to stop hackers/viruses from entering the system

January 2007

Page 26

Physical Security

• lock the computer up

• entry measure to get into building

• disconnect (or remove) floppy/CD/DVD drives

• disconnect USB ports (memory sticks/portable HDD)