Duncan hine input3_irm_and_outsourcing


Transcript of Duncan hine input3_irm_and_outsourcing

Page 1: Duncan hine input3_irm_and_outsourcing

Information Security Risk Management

IT operation outsourcing

The Cloud and Data aggregation

Page 2: Duncan hine input3_irm_and_outsourcing

More data is collected; storage is ‘free’

Data sets are connected and correlated for many reasons

They are combined with open source data sets – credit referencing = identity exists

Data sets are shared internationally

There is a new focus on privacy; people are sensitive to this issue

Privacy sensitive information is valuable and can easily be sold if stolen

Page 3: Duncan hine input3_irm_and_outsourcing

Single records are unclassified or low classification, or privacy sensitive only

As the set grows (10, 100, 1,000, 10,000, 1m, 10m ... 100m) something changes, but traditional classification did not change

This changes for two reasons: the damage caused by a large data loss is clearly greater – resign, resign, resign......

Acquisition of large data sets opens up opportunities for new insights with dangerous consequences

Page 4: Duncan hine input3_irm_and_outsourcing
Page 5: Duncan hine input3_irm_and_outsourcing

Forgery and alteration do not work

Better to apply for a real one in a false identity

All identities checked on application for ‘social footprint’ so must take from a real person

May already be holder or past holder or known to agency - fraud will be detected

Need to know in advance; use two methods

With target cooperation and without

Access to large data sets reduces risks

Page 6: Duncan hine input3_irm_and_outsourcing

Online genealogy and credit referencing

Electoral rolls

Travel data sets (if you travel you already have a passport)

Vulnerable adult data sets: addicts, long-term carers

Lists of professionals with issues

All increase the chance of success and reduce the number of simultaneous applications that need to be made

Page 7: Duncan hine input3_irm_and_outsourcing

Standard method was to adopt the identity of a dead child born about the same time as the applicant who would not have a passport

Duplicate birth certificate obtained (a legal right in UK)

This application will not work now as deaths are checked, but for various reasons records are not complete

Page 8: Duncan hine input3_irm_and_outsourcing

Monitor open source deaths in online local newspapers

Find a soldier who served abroad, 20-40 years older than target

Use online regimental histories to establish when served overseas and what countries

Aim to identify a country where soldier was around the time the applicant was born with weak record system

Forge a birth certificate for that country

Apply as the illegitimate child of the dead soldier – it was always kept a secret

Page 9: Duncan hine input3_irm_and_outsourcing

Using a cloud makes aggregation happen inherently

The cloud needs to be set up so that any penetration is confined within containers, to manage risk

Encryption at rest looks like the answer but it introduces many other problems

These include key management, escrow, and penetration of key provider

The RSA issue is a good example

It’s not just about accessing the data but also the ability to combine big data sets

WP is a good example

Page 10: Duncan hine input3_irm_and_outsourcing

Many controls will be traditional

The passport special control process was to cost Eu 10m

By taking two highly vetted people from a pool of 24 at random and using a four-eyes process, the same or better protection was delivered at a fraction of the cost

To break this, an attacker has to corrupt all 24 people

Basic training and awareness more important than ever
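The strength of the random four-eyes control on this slide can be quantified. The following is an added example, not part of the original slides; it assumes each operation draws its pair uniformly at random and independently from the pool, and the function names are illustrative.

```python
from fractions import Fraction
from math import comb

POOL_SIZE = 24  # vetted staff in the pool (figure from the slide)
PAIR_SIZE = 2   # four-eyes: two people per operation (figure from the slide)


def p_all_corrupt(corrupted, pool=POOL_SIZE, picked=PAIR_SIZE):
    """Probability that one randomly drawn team contains only corrupted staff."""
    if not 0 <= corrupted <= pool:
        raise ValueError("corrupted must be between 0 and the pool size")
    # Hypergeometric case where every one of the picked people is corrupted.
    return Fraction(comb(corrupted, picked), comb(pool, picked))


def p_any_compromised(corrupted, operations, pool=POOL_SIZE, picked=PAIR_SIZE):
    """Probability that at least one of `operations` independent draws is fully corrupt."""
    honest_draw = 1 - p_all_corrupt(corrupted, pool, picked)
    return 1 - honest_draw ** operations


def min_corrupted_for_certainty(pool=POOL_SIZE, picked=PAIR_SIZE):
    """Smallest number of corrupted staff for which every possible draw is fully corrupt."""
    return next(k for k in range(pool + 1) if p_all_corrupt(k, pool, picked) == 1)


if __name__ == "__main__":
    # With a fixed pair, corrupting 2 people defeats the control every time;
    # with random selection the same 2 people are drawn together 1 time in 276.
    for k in (2, 6, 12, 23, 24):
        p = p_all_corrupt(k)
        print(f"{k:2d} corrupted -> P(pair fully corrupt) = {p} ~ {float(p):.4f}")
    print("needed for certainty:", min_corrupted_for_certainty())
    # Partial corruption still succeeds occasionally over many operations,
    # which is why the control is paired with monitoring and awareness.
    print("2 corrupted, 276 operations:", float(p_any_compromised(2, 276)))
```
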

Page 11: Duncan hine input3_irm_and_outsourcing

Traditional approach to risk management is still valid for the cloud but the threats and risks are different

Controls and mitigations are similar but applied differently

There is a good opportunity; the risks are greater if they are not well engineered, but they can be!

Risk management must be done properly by specialists and asset owners together

Page 12: Duncan hine input3_irm_and_outsourcing