HND Computingwiki.computing.hct.ac.uk/_media/computing/hnd/l4-u... · •1. In September 2018,...
HND COMPUTING
UNIT 05 – SECURITY
Introduction to Security
Phil Smith
ORGANISATIONAL SECURITY
• We continue with LO1
• LO1 - Assess risks to IT security.
ORGANISATIONAL SECURITY
• Operational impact of security breaches.
• Information –
• Regulators across Europe, including the ICO (Information Commissioner's Office), have noted a
steep increase in the number of data breaches being reported since the GDPR came into force
on 25th May 2018.
ORGANISATIONAL SECURITY
• Operational impact of security breaches.
• Data is a valuable commodity and cybercriminals are keen to capitalize on this data to make
money and commit fraudulent activities. Identity theft is the main driver behind all attacks and
accounts for 65% of breaches and over 3.9 billion of the compromised data records in 2018.
• External hackers have been behind the majority of all data breaches and Phishing remains the
number one attack method. 72% of data breaches are related to employees receiving phishing
emails, closely followed by accidental loss of data.
Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text
message by someone posing as a legitimate institution to lure individuals into providing
sensitive data such as personally identifiable information, banking and credit card details, and
passwords.
The information is then used to access important accounts and can result in identity theft and
financial loss.
ORGANISATIONAL SECURITY
• Operational impact of security breaches.
• 1. In September 2018, Facebook announced that an attack on its computer network exposed
the personal data of over 50 million users. According to Facebook, hackers were able to gain
access to the system by exploiting a vulnerability in the code used for the ‘View as’ feature.
• Once this feature was exploited, the attackers were able to steal ‘access tokens’, which could
be used to take over users’ accounts and gain access to other services. The breach also
affected third-party apps connected to Facebook, and as a precautionary measure, the company
logged 90 million users out of their accounts and reset the access tokens.
• The security breach is the largest in the company’s 14-year history and topped off a very
turbulent year which saw the company deal with the fallout from the Cambridge Analytica
scandal and the ongoing allegations that the platform was used in Russian disinformation
campaigns.
• The Irish Data Protection Commission subsequently opened a formal investigation into the
breach which could result in a fine of up to $1.63bn for the social media giant.
Example
ORGANISATIONAL SECURITY
• Operational impact of security breaches.
• In June 2018, Dixons Carphone revealed a major data breach involving 5.9 million bank cards
and the personal data of up to 10 million customers. The hacked data included names,
addresses and email addresses.
• The electronics retailer announced that in a review of its systems, it uncovered an attempt to
gain unauthorised access to 5.9 million cards in one of the processing systems of Currys PC
World and Dixons Travel Stores.
• The group said there was no evidence of fraud as the majority of cards were protected by Chip
and PIN and card verification value (CVV) systems; however, around 105,000 non-EU cards
without Chip and PIN were compromised in the attack.
• When the group first reported the breach, they estimated that the data of up to 1.2 million
customers was compromised, but the number has now jumped up to ten times more than
initially thought.
Example
ORGANISATIONAL SECURITY
• Operational impact of security breaches.
• In yet another attack on the aviation industry, British Airways announced that a major security
breach had exposed the personal data of 380,000 customers. The airline confirmed that over a
two-week period, the personal and financial details of customers making or changing bookings
had been compromised.
• The breach took place between 21 August and 5 September 2018, and within this time frame,
hackers were able to gain access to names, addresses, email addresses, credit card numbers,
expiry dates and security codes. Travel and passport details were not affected by the breach.
• The airline recently disclosed that the data of a further 185,000 customers who made reward
bookings between 21 April and 28 July was also exposed, bringing the total number of affected
customers to 565,000.
Example
ORGANISATIONAL SECURITY
• Operational impact of security breaches.
• 1. Discuss how business operations and levels of customer service could be affected by a security
breach.
• 3. Group activity: Make a scenario where a security breach has a major operational impact and
create a solution to recover from the breach.
Task
UNDERSTAND RISKS TO IT SECURITY
Organisational security procedures
An operational model:
• Prevention
• Detection
• Response
SOME DEFINITIONS
Write down your understanding of these terms:
• Policies
• Procedures
• Standards
• Guidelines
Task
POLICIES
• High-level
• Broad
• Laid down by senior managers
• A statement of what is required to be accomplished
PROCEDURES
• Step-by-step instructions
• State exactly how to act in a given situation
• Or to achieve a specific task
• How to implement the policy
STANDARDS
• Mandatory elements relating to policy
• Accepted specifications
• Specific details on how a policy is enforced
• May be externally driven
• E.g. regulations requiring certain actions that are prescribed by law
• May also be set by individual organisations
GUIDELINES
• Recommendations relating to a policy
• Not mandatory
POLICY LIFE-CYCLE
• All of the above are living documents.
1. Plan (adjust) for security
2. Implement the plans
3. Monitor the implementation
4. Evaluate the effectiveness
ORGANISATIONAL SECURITY PROCEDURES
Need to consider:
• data,
• network,
• systems,
• operational impact of security breaches,
• web systems,
• wireless systems
DATA
• With a new Information Security Officer for MWS, they will need to
develop a security plan.
• What will this person need to know about the company’s data?
• Task: 5 min group discussion, then individual feedback.
Task
DATA
• What is the data?
• Where is it stored?
• What format is it stored in? Some data may still be stored in paper-form.
• Who has access to the data?
• Where can they access the data?
• What systems can access the data?
• Who owns the data?
• Who can change the data?
• Where is the data backed-up?
DATA - TASK
• Elaborate on the previous questions.
• What are the possible answers?
• What are the implications of these different answers?
• Are there other possible questions?
• What are the possible answers to these?
• What are the implications of these different answers?
Task
FURTHER CONSIDERATIONS - TASK
Develop a list of questions, possible answers and implications for the
following aspects:
• network,
• systems,
• operational impact of security breaches,
• web systems,
• wireless systems
TO SUMMARISE
Organisational security procedures
• An operational model:
• Prevention
• Detection
• Response
• Definitions: Policies, Procedures, Standards, Guidelines
• Policy life-cycle: Plan (adjust) for security, Implement the plans, Monitor the implementation,
Evaluate the effectiveness
• Aspects to consider
• Questions to ask
DATA
• What is the data?
• Where is it stored?
• What format is it stored in? Some data may still be stored in paper-form.
• Who has access to the data?
• Where can they access the data?
• What systems can access the data?
• Who owns the data?
• Who can change the data?
• Where is the data backed-up?
PROCEDURES
• So you know about the data…
• What procedures will you implement to protect it?
• Influenced by:
• Computer Misuse Act 1990
• Data Protection Act 1998 (principle 7)
• “Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental
loss or destruction of, or damage to, personal data.”
GUIDANCE FROM THE ICO
• What needs to be protected?
• What level of security?
• What measures?
https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
FIRST LINE OF DEFENCE?
• Not overly burdensome
• prevent breaches from occurring
• lay out the proper procedures should a breach occur.
MONEY
• Security as a cost
Creating value from security
ORGANISATIONAL SECURITY
• Audits and testing procedures.
• Conducting an internal security audit is a great way to get your company on the right track towards
protecting against a data breach and other costly security threats. Many IT and security professionals think
of a security audit as a stressful, expensive solution to assessing the security compliance of their
organization (it is, with external security audit costs hovering in the $50k range). But they are overlooking
the fact that with the right training, resources, and data, an internal security audit can prove to be effective
in scoring the security of their organization, and can create critical, actionable insights to improve company
defenses.
ORGANISATIONAL SECURITY
• Audits and testing procedures.
• Vulnerability Assessment, also known as Vulnerability Testing, is a type of software testing performed to
evaluate the security risks in a software system in order to reduce the probability of a threat.
• A vulnerability is any mistake or weakness in the system's security procedures, design, implementation or
any internal control that may result in the violation of the system's security policy. In other words, it is the
possibility for intruders (hackers) to gain unauthorised access.
ORGANISATIONAL SECURITY
• Vulnerability Analysis depends upon two mechanisms, namely Vulnerability Assessment and Penetration
Testing (VAPT).
• It is important for the security of the organisation.
• It is the process of locating and reporting vulnerabilities, which provides a way to detect and resolve
security problems by ranking the vulnerabilities before someone or something can exploit them.
• In this process, operating systems, application software and the network are scanned in order to identify
vulnerabilities, which include inappropriate software design, insecure authentication, etc.
VULNERABILITY
• Stages to test for organizational vulnerability
VULNERABILITY
Step 1) Setup:
1. Begin Documentation
2. Secure Permission
3. Update Tools
4. Configure Tools
VULNERABILITY
Step 2) Test Execution:
1. Run the tools.
2. Run the captured data packet while running the assessment tools.
(A packet is the unit of data that is routed between an origin and a destination. When any file,
for example an e-mail message, HTML file or Uniform Resource Locator (URL) request, is sent
from one place to another on the internet, the TCP layer of TCP/IP divides the file into a number
of "chunks" for efficient routing; each chunk is uniquely numbered and includes the Internet
address of the destination. These chunks are called packets. When they have all arrived, they
are reassembled into the original file by the TCP layer at the receiving end.)
VULNERABILITY
Step 3) Vulnerability Analysis:
1. Defining and classifying network or system resources.
2. Assigning a priority to each resource (e.g. High, Medium, Low).
3. Identifying potential threats to each resource.
4. Developing a strategy to deal with the highest-priority problems first.
5. Defining and implementing ways to minimise the consequences if an attack
occurs.
Step 4) Reporting
Step 5) Remediation:
The process of fixing the vulnerabilities.
For every vulnerability
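As an added illustration of the Vulnerability Analysis stage above (not part of the original slides), the following script classifies resources, assigns each a priority, attaches the threats identified for it, and orders remediation so the highest-priority problems are dealt with first. The findings, the MWS resource names and the scoring weights are constructed for the example.

```python
# Added example: a minimal implementation of the "Vulnerability Analysis"
# stage - classify resources (step 1), assign a priority (step 2), attach the
# threats found for each (step 3) and rank them so the highest-priority
# problems are remediated first (step 4). Weights and findings are constructed.
from dataclasses import dataclass

PRIORITY = {"High": 3, "Medium": 2, "Low": 1}   # business priority of the resource
SEVERITY = {"High": 3, "Medium": 2, "Low": 1}   # technical severity of the threat


@dataclass(frozen=True)
class Finding:
    resource: str      # network or system resource (step 1)
    priority: str      # High / Medium / Low assigned to the resource (step 2)
    threat: str        # potential threat identified for it (step 3)
    severity: str      # how serious exploitation of the threat would be
    mitigation: str    # planned fix, feeding the reporting/remediation steps

    def risk_score(self) -> int:
        # Simple multiplicative score: resource priority x threat severity.
        return PRIORITY[self.priority] * SEVERITY[self.severity]


def remediation_plan(findings):
    """Return findings ordered highest risk first (step 4); ties keep input order."""
    return sorted(findings, key=lambda f: f.risk_score(), reverse=True)


# Constructed sample findings for the hypothetical MWS case-study systems;
# these are not real scan results.
SAMPLE_FINDINGS = [
    Finding("Guest wireless AP", "Low", "Default admin password", "High",
            "Change credentials, restrict the management interface"),
    Finding("Customer database server", "High", "Unpatched OS kernel", "High",
            "Apply vendor patches in the next maintenance window"),
    Finding("Intranet web server", "Medium", "Self-signed TLS certificate", "Low",
            "Issue a certificate from the internal CA"),
    Finding("Customer database server", "High", "Shared DBA account", "Medium",
            "Create per-user accounts and enable audit logging"),
]

if __name__ == "__main__":
    for f in remediation_plan(SAMPLE_FINDINGS):
        print(f"{f.risk_score():>2}  {f.priority:<6} {f.resource:<25} {f.threat}")
```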
ORGANISATIONAL SECURITY
• Research vulnerability testing and list the tests that can be used to detect weaknesses in security systems.
• I will ask each of you for one type.
Task
VULNERABILITY TESTING
For example –
ORGANISATIONAL SECURITY
• Audits and testing procedures.
• There are usually five steps you need to take to ensure your internal security audit will provide return on
your investment:
• Define Your Audit (should include vulnerability testing if IT systems are involved?)
• Define Your Threats
• Assess Current Security Performance
• Prioritize (Risk Scoring)
• Formulate Security Solutions
ORGANISATIONAL SECURITY
• What about external audits?
• It is important to understand the difference between an external and internal security audit.
• An external security audit has incredible value for companies, but it’s prohibitively expensive for smaller
businesses and still relies heavily on the cooperation and coordination of internal IT and security teams.
Those teams must first and foremost find a respected and affordable external audit partner, but they’re
also required to set goals/expectations for auditors, provide all the relevant and accurate data, and
implement recommended changes.
TASK
• Produce an audit document showing the range of tests on IT systems and networks (e.g. LANs/WANs and wireless networks).
• Draw up a list of procedures that you will implement to protect the systems at MWS.
• Preparation for assignment!
Task