Software Development DATA SECURITY

Data Security
- What is data security?
- Procedures & equipment to protect data
- Consequences of not protecting

What is Data Security?
- Virtual teams often work with confidential or secret data
- All data needs to be protected against loss or damage
- Sensitive information needs protection against theft

Procedures & Equipment to Protect Data: Passwords
Can be applied to:
- Individual computers
- Network access
- Website access
- FTP access
- Opening documents
- Changing documents

Procedures & Equipment to Protect Data: Biometric ID
- Passwords are weak protection
  - Easily forgotten, discovered, guessed
- Biometric ID measures a unique physical attribute of an individual:
  - Fingerprint
  - Iris pattern (the coloured bit of the eye)
  - Retinal pattern (the blood vessels at the back of the eye)
- Can't be copied, faked or stolen as passwords and swipe cards are

Procedures & Equipment to Protect Data: Encryption
- Makes information unreadable for unauthorised people
- Public Key encryption does not have an unlocking key (the weak point of all previous encryption systems)
- Public Key encryption (look up RSA, PGP, SSL) is very, very hard to break
- Even if an encrypted document is stolen or copied, it is worthless to the thief

Procedures & Equipment to Protect Data: Encryption
- SSL (Secure Socket Layer) encrypts web traffic
- Is active when the padlock in your browser snaps shut
- Messages between web servers (banks) and visitors are encrypted by the sender and decrypted by the recipient
- Secure sites are sometimes identifiable by an HTTPS:// prefix

Procedures & Equipment to Protect Data: Access Hierarchy
- Different users get different levels of access to data
- Level of access based on what they need to get their work done
- Prevents unskilled, stupid or evil people deliberately, carelessly or accidentally destroying data

Procedures & Equipment to Protect Data: Access Hierarchy
Databases, for example, can assign rights such as:
- See some data, but not all
- See all data, but not add/delete/change data
- Add data but not delete any
- Add and delete data but not change any programming or presentation layouts
- Access all areas

Procedures & Equipment to Protect Data: Safe Disposal
- Deleted files are easily recovered
- To be safe, unwanted files should be wiped
- Military-grade wiping involves overwriting data at least 7 times with rubbish data
- Computers being disposed of should have their HDD reformatted
- Some organisations shred used HDDs as reformatting can be reversed; in some cases HDDs are physically pulverised

Procedures & Equipment to Protect Data: Backups
- Backup = copying data so it can be restored if the original is lost or damaged
- Must be done regularly (daily)
- Must be stored offsite
- Procedures must be tested and documented

Procedures & Equipment to Protect Data: Backups
- Full Backup
  - Copy absolutely everything: all new and old data and programs
- Incremental Backup
  - Copy only files that are new or have been changed since the last full backup

Procedures & Equipment to Protect Data: Backup Schemes
- Weekly full backups
- Daily incremental backups
- To restore data, reload the latest full backup and then add on all the incremental backups made since then
- Google: grandfather-father-son scheme (it is a variety of the rotation backup)

Procedures & Equipment to Protect Data: Backup Media
Media is what the data is saved to
- Tapes
  - Large capacity, slow, wear out, expensive but very common
- Removable HDD
  - Large capacity, fast and cheap
- CD/DVD
  - Relatively low capacity, easily damaged. Non-magnetic, so not hurt by electromagnetic fields as are tapes and HDDs

Procedures & Equipment to Protect Data: Backup Media
Selection Criteria (Constraints):
- Read/Write speed
- Capacity
- Lifetime of recorded data
- Durability of media

Procedures & Equipment to Protect Data: Archiving
- Copy obsolete data to secondary storage (DVD) and delete the original data
- This is different to a Backup as it does not copy and keep the original data
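The restore procedure from the Backup Schemes slide (latest full backup, then every incremental made since), as an added Python example that is not part of the original slides. The catalogue, the `restore_plan` function and the check for missing daily incrementals are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed sample catalogue: weekly full backups on Sundays and daily
# incrementals, with the incremental for 2024-03-13 deliberately missing.
CATALOGUE = [(date(2024, 3, 3), "full"), (date(2024, 3, 10), "full")] + [
    (date(2024, 3, d), "incremental") for d in (4, 5, 6, 7, 8, 9, 11, 12, 14)
]


def restore_plan(catalogue, target):
    """Return (chain, missing_days) for restoring the data as of `target`.

    chain        -- backups to reload, in order: the latest full backup on or
                    before `target`, then every later incremental up to `target`.
    missing_days -- days between that full backup and `target` that have no
                    backup at all, i.e. changes the restore cannot recover.
    """
    usable = sorted(b for b in catalogue if b[0] <= target)
    fulls = [b for b in usable if b[1] == "full"]
    if not fulls:
        # Incrementals alone are useless without a full backup to start from.
        raise LookupError(f"no full backup on or before {target}")
    base = fulls[-1]
    incrementals = [b for b in usable
                    if b[1] == "incremental" and b[0] > base[0]]
    chain = [base] + incrementals

    covered = {day for day, _ in chain}
    span = (target - base[0]).days
    expected = [base[0] + timedelta(days=n) for n in range(1, span + 1)]
    missing_days = [day for day in expected if day not in covered]
    return chain, missing_days


if __name__ == "__main__":
    chain, missing = restore_plan(CATALOGUE, date(2024, 3, 14))
    for day, kind in chain:
        print(f"reload {kind:<11} backup from {day}")
    for day in missing:
        print(f"WARNING: no backup for {day}; that day's changes may be lost")
```

Running a plan like this against the real backup catalogue is one way to test the restore procedure before it is needed.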

Procedures & Equipment to Protect Data: Continuous Data Protection (CDP)
- Changed files are automatically saved to local or remote storage
- Different versions of the same-named file can be restored
- Can save to cloud, local network, or a remote friend's computer
- Google: CRASHPLAN.COM

Procedures & Equipment to Protect Data: Virus Scanners
- Must have up-to-date virus definitions
- Must be running all the time
- Must be accurate:
  - False-positives: wrongly believes a virus exists
  - False-negatives: fails to identify a virus
- Even market-leading products are imperfect
- Some free products (Avira) outperformed Symantec & McAfee in a test in 2009

Procedures & Equipment to Protect Data: Other Scanners
- Malware, spyware and adware:
  - Either does bad things (monitoring users' actions) or is badly programmed and badly affects the stability of computers
- Trojan Horses:
  - Bad software installed by users who think it's innocent
- Keylogger:
  - Records passwords, credit card information, bank account logins & sends them to hackers
- Spamming Agent:
  - Your computer acts as a zombie sending spam on behalf of the hacker
- Distributed Denial of Service (DDoS) attack:
  - Your computer is taken over and joins a concentrated attack on a server chosen by the hacker

Procedures & Equipment to Protect Data: Firewalls
- Closes unused internet communication ports
- Your computer has 65535 ports but you only use about 3
- Hackers can gain entry to a PC through unguarded ports
- Firewalls close the unused ports
- Open ports are watched to ensure only authorized programs use them (preventing Trojans sending spam or DDoS attacks)

Procedures & Equipment to Protect Data: Software Firewalls
- Can be software or hardware firewalls
- Software:
  - Windows Firewall
  - Zone Alarm
- Needs training when first installed
- You teach it which programs are allowed to connect to the internet

Procedures & Equipment to Protect Data: Hardware Firewalls
- Routers
  - On all LANs and in nearly all home and office cable and ADSL modems
- Can use Stateful Packet Inspection (SPI) to examine inside data packets to see if they are harmful
- Protect against incoming bad data, but not outgoing bad data
- If you are already infected by a Trojan, a router won't stop your PC sending spam or keylogs

Consequences of Not Protecting
- Loss of trade secrets
- Potential violation of the Privacy Policy if personal information is damaged or released
- Loss of reputation as a trustworthy organisation
- Loss of income after catastrophic data loss destroys your ability to get paid by customers or conduct business
- Prosecution by the tax office if tax records are lost
- Corporate death