HND Computing (wiki.computing.hct.ac.uk/_media/computing/hnd/l4-u...)

Page 1

HND COMPUTING

Page 2

UNIT 05 – SECURITY

Introduction to Security

Phil Smith

Page 3

ORGANISATIONAL SECURITY

• We continue with LO1

• LO1 - Assess risks to IT security.

Page 4

ORGANISATIONAL SECURITY

• Operational impact of security breaches.

• Information:

• Regulators across Europe, including the ICO (Information Commissioner's Office), have noted a steep increase in the number of data breaches being reported since the GDPR came into force on 25th May 2018.

Page 5

ORGANISATIONAL SECURITY

• Operational impact of security breaches.

• Data is a valuable commodity and cybercriminals are keen to capitalize on this data to make money and commit fraudulent activities. Identity theft is the main driver behind all attacks and accounts for 65% of breaches and over 3.9 billion of the compromised data records in 2018.

• External hackers have been behind the majority of all data breaches and phishing remains the number one attack method. 72% of data breaches are related to employees receiving phishing emails, closely followed by accidental loss of data.

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

The information is then used to access important accounts and can result in identity theft and financial loss.

Page 6

ORGANISATIONAL SECURITY

• Operational impact of security breaches.

• 1. In September 2018, Facebook announced that an attack on its computer network exposed the personal data of over 50 million users. According to Facebook, hackers were able to gain access to the system by exploiting a vulnerability in the code used for the ‘View as’ feature.

• Once this feature was exploited, the attackers were able to steal ‘access tokens’, which could be used to take over users’ accounts and gain access to other services. The breach also affected third-party apps connected to Facebook, and as a precautionary measure the company logged 90 million users out of their accounts and reset the access tokens.

• The security breach is the largest in the company’s 14-year history and topped off a very turbulent year which saw the company deal with the fallout from the Cambridge Analytica scandal and the ongoing allegations that the platform was used in Russian disinformation campaigns.

• The Irish Data Protection Commission subsequently opened a formal investigation into the breach, which could result in a fine of up to $1.63bn for the social media giant.

Example

Page 7

ORGANISATIONAL SECURITY

• Operational impact of security breaches.

• In June 2018, Dixons Carphone revealed a major data breach involving 5.9 million bank cards and the personal data of up to 10 million customers. The hacked data included names, addresses and email addresses.

• The electronics retailer announced that in a review of its systems it uncovered an attempt to gain unauthorised access to 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel Stores.

• The group said there was no evidence of fraud as the majority of cards were protected by Chip and PIN and card verification value (CVV) systems; however, around 105,000 non-EU cards without Chip and PIN were compromised in the attack.

• When the group first reported the breach, they estimated that the data of up to 1.2 million customers was compromised, but the number has now jumped to up to ten times more than initially thought.

Example

Page 8

ORGANISATIONAL SECURITY

• Operational impact of security breaches.

• In yet another attack on the aviation industry, British Airways announced that a major security breach had exposed the personal data of 380,000 customers. The airline confirmed that over a two-week period, the personal and financial details of customers making or changing bookings had been compromised.

• The breach took place between 21 August and 5 September 2018, and within this time frame hackers were able to gain access to names, addresses, email addresses, credit card numbers, expiry dates and security codes. Travel and passport details were not affected by the breach.

• The airline recently disclosed that the data of a further 185,000 customers who made reward bookings between 21 April and 28 July was also exposed, bringing the total number of affected customers to 565,000.

Example

Page 9

ORGANISATIONAL SECURITY

• Operational impact of security breaches.

1. Discuss how business operations and levels of customer service could be affected by a security breach.

3. Group activity: Make a scenario where a security breach has a major operational impact and create a solution to recover from the breach.

Task

Page 10

UNDERSTAND RISKS TO IT SECURITY

Organisational security procedures

An operational model:

• Prevention

• Detection

• Response

Page 11

SOME DEFINITIONS

Write down your understanding of these terms:

• Policies

• Procedures

• Standards

• Guidelines

Task

Page 12

POLICIES

• High-level

• Broad

• Laid down by senior managers

• A statement of what is required to be accomplished

Page 13

PROCEDURES

• Step-by-step instructions

• State exactly how to act in a given situation

• Or to achieve a specific task

• How to implement the policy

Page 14

STANDARDS

• Mandatory elements relating to policy

• Accepted specifications

• Specific details on how a policy is enforced

• May be externally driven

• E.g. regulations requiring certain actions that are prescribed by law

• May also be set by individual organisations

Page 15

GUIDELINES

• Recommendations relating to a policy

• Not mandatory

Page 16

POLICY LIFE-CYCLE

• All of the above are living documents.

1. Plan (adjust) for security

2. Implement the plans

3. Monitor the implementation

4. Evaluate the effectiveness

Page 17

ORGANISATIONAL SECURITY PROCEDURES

Need to consider:

• data,

• network,

• systems,

• operational impact of security breaches,

• web systems,

• wireless systems

Page 18

DATA

• With a new Information Security Officer for MWS, they will need to develop a security plan.

• What will this person need to know about the company’s data?

• Task: 5-minute group discussion, then individual feedback.

Task

Page 19

DATA

• What is the data?

• Where is it stored?

• What format is it stored in? Some data may still be stored in paper form.

• Who has access to the data?

• Where can they access the data?

• What systems can access the data?

• Who owns the data?

• Who can change the data?

• Where is the data backed up?

Page 20

DATA - TASK

• Elaborate on the previous questions.

• What are the possible answers?

• What are the implications of these different answers?

• Are there other possible questions?

• What are the possible answers to these?

• What are the implications of these different answers?

Task

Page 21

FURTHER CONSIDERATIONS - TASK

Develop a list of questions, possible answers and implications for the following aspects:

• network,

• systems,

• operational impact of security breaches,

• web systems,

• wireless systems

Page 22

TO SUMMARISE

Organisational security procedures

• An operational model:

• Prevention

• Detection

• Response

• Definitions: Policies, Procedures, Standards, Guidelines

• Policy life-cycle: Plan (adjust) for security; Implement the plans; Monitor the implementation; Evaluate the effectiveness

• Aspects to consider

• Questions to ask

Page 23

DATA

• What is the data?

• Where is it stored?

• What format is it stored in? Some data may still be stored in paper form.

• Who has access to the data?

• Where can they access the data?

• What systems can access the data?

• Who owns the data?

• Who can change the data?

• Where is the data backed up?

Page 24

PROCEDURES

• So you know about the data…

• What procedures will you implement to protect it?

• Influenced by:

• Computer Misuse Act 1990

• Data Protection Act 1998 (principle 7): “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Page 25

GUIDANCE FROM THE ICO

• What needs to be protected?

• What level of security?

• What measures?

https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/

Page 26

FIRST LINE OF DEFENCE?

• Not overly burdensome

• Prevent breaches from occurring

• Lay out the proper procedures should a breach occur.

Page 27

MONEY

• Security as a cost

Creating value from security

Page 28

ORGANISATIONAL SECURITY

• Audits and testing procedures.

• Conducting an internal security audit is a great way to get your company on the right track towards protecting against a data breach and other costly security threats. Many IT and security professionals think of a security audit as a stressful, expensive solution to assessing the security compliance of their organization (it is, with external security audit costs hovering in the $50k range). But they are overlooking the fact that with the right training, resources, and data, an internal security audit can prove to be effective in scoring the security of their organization, and can create critical, actionable insights to improve company defenses.

Page 29

ORGANISATIONAL SECURITY

• Audits and testing procedures.

• Vulnerability Assessment, also known as Vulnerability Testing, is a type of software testing performed to evaluate the security risks in a software system in order to reduce the probability of a threat.

• A vulnerability is any mistake or weakness in the system's security procedures, design, implementation or any internal control that may result in a violation of the system's security policy. In other words, it is the possibility for intruders (hackers) to gain unauthorized access.

Page 30

ORGANISATIONAL SECURITY

• Vulnerability Analysis depends upon two mechanisms, namely Vulnerability Assessment and Penetration Testing (VAPT).

• It is important for the security of the organization.

• It is the process of locating and reporting vulnerabilities, which provides a way to detect and resolve security problems by ranking the vulnerabilities before someone or something can exploit them.

• In this process, operating systems, application software and networks are scanned in order to identify the occurrence of vulnerabilities, which include inappropriate software design, insecure authentication, etc.

Page 31

VULNERABILITY

• Stages to test for organizational vulnerability

Page 32

VULNERABILITY

Step 1) Setup:

1. Begin Documentation

2. Secure Permission

3. Update Tools

4. Configure Tools

Page 33

VULNERABILITY

Step 2) Test Execution:

1. Run the tools.

2. Run the captured data packet while running the assessment tools. (A packet is the unit of data that is routed between an origin and a destination. When any file, for example an e-mail message, HTML file or Uniform Resource Locator (URL) request, is sent from one place to another on the internet, the TCP layer of TCP/IP divides the file into a number of "chunks" for efficient routing; each of these chunks is uniquely numbered and includes the Internet address of the destination. These chunks are called packets. When they have all arrived, they are reassembled into the original file by the TCP layer at the receiving end.)

Page 34

VULNERABILITY

Step 3) Vulnerability Analysis:

1. Defining and classifying network or system resources.

2. Assigning a priority to each resource (e.g. High, Medium, Low).

3. Identifying potential threats to each resource.

4. Developing a strategy to deal with the highest-priority problems first.

5. Defining and implementing ways to minimize the consequences if an attack occurs.

Step 4) Reporting

Step 5) Remediation:

The process of fixing the vulnerabilities.

For every vulnerability
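The Step 3 analysis worked through in code, as an added example that is not part of the original slides: resources are classified and given a High/Medium/Low priority, each potential threat becomes a finding with an assessor-rated severity, findings are ranked so the highest-risk problem is dealt with first, and a mitigation is attached to each. The scoring scale, the report tiers and the small inventory are constructed assumptions, not a real company's assets.

```python
"""Vulnerability analysis worked through as in Step 3 (constructed example):
classify resources (3.1), assign priority (3.2), record threats (3.3), rank so the
highest risk is dealt with first (3.4) and attach a mitigation to each (3.5)."""
from dataclasses import dataclass

# Resource priority as named on the slide, mapped to a weight (assumed scale).
PRIORITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}

@dataclass(frozen=True)
class Resource:
    name: str
    category: str   # Step 3.1: e.g. "network" or "system"
    priority: str   # Step 3.2: "High", "Medium" or "Low"

    def __post_init__(self):
        # Reject labels outside the agreed scale so they cannot silently score as zero.
        if self.priority not in PRIORITY_WEIGHT:
            raise ValueError(f"unknown priority {self.priority!r} for {self.name}")

@dataclass
class Finding:
    resource: Resource
    threat: str           # Step 3.3: potential threat to this resource
    severity: int         # 1 (informational) to 5 (critical), as rated by the assessor
    mitigation: str = ""  # Step 3.5: how to limit the consequences if it is exploited

def risk_score(finding):
    """Risk = resource priority weight x severity, giving 1..15 on this scale."""
    if not 1 <= finding.severity <= 5:
        raise ValueError(f"severity out of range: {finding.severity}")
    return PRIORITY_WEIGHT[finding.resource.priority] * finding.severity

def remediation_order(findings):
    """Step 3.4: highest risk first; ties broken by resource priority, then name."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f),
                                             -PRIORITY_WEIGHT[f.resource.priority],
                                             f.resource.name))
    return [(f.resource.name, f.threat, risk_score(f)) for f in ranked]

def tier(score):
    """Bucket a score for the report (Step 4); the thresholds are an assumption."""
    if score >= 10:
        return "fix now"
    return "fix this cycle" if score >= 5 else "monitor"

# Constructed inventory for a small company (not real assets or real findings).
CARD_DB = Resource("card-processing-db", "system", "High")
WEB = Resource("customer-web-portal", "system", "Medium")
WIFI = Resource("guest-wifi", "network", "Low")
FINDINGS = [
    Finding(CARD_DB, "unpatched database server", 4, "apply vendor patch, restrict admin access"),
    Finding(WIFI, "guest network can reach office LAN", 3, "segment guest VLAN from LAN"),
    Finding(WEB, "weak password policy on portal", 4, "enforce MFA and length rules"),
    Finding(WEB, "verbose error pages", 1, "disable debug output in production"),
]

if __name__ == "__main__":
    for name, threat, score in remediation_order(FINDINGS):
        print(f"{tier(score):>14}  {score:2d}  {name}: {threat}")
```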

Page 35

ORGANISATIONAL SECURITY

• Research vulnerability testing and list the tests that can be used to detect weaknesses in security systems.

• I will ask each of you for one type.

Task

Page 36

VULNERABILITY TESTING

For example –

Page 37

ORGANISATIONAL SECURITY

• Audits and testing procedures.

• There are usually five steps you need to take to ensure your internal security audit will provide a return on your investment:

• Define Your Audit (should include vulnerability testing if IT systems are involved?)

• Define Your Threats

• Assess Current Security Performance

• Prioritize (Risk Scoring)

• Formulate Security Solutions

Page 38

ORGANISATIONAL SECURITY

• What about external audits?

• It is important to understand the difference between an external and internal security audit.

• An external security audit has incredible value for companies, but it’s prohibitively expensive for smaller businesses and still relies heavily on the cooperation and coordination of internal IT and security teams. Those teams must first and foremost find a respected and affordable external audit partner, but they’re also required to set goals/expectations for auditors, provide all the relevant and accurate data, and implement recommended changes.

Page 39

TASK

• Produce an audit document showing the range of tests on IT systems and networks (e.g. LANs/WANs and wireless networks).

• Draw up a list of procedures that you will implement to protect the systems at MWS.

• Preparation for assignment!

Task