Knight Talks Tech

Introduction to cyber security – Week 7, When your defences fail

Identity theft

Preventing identity theft – keep antivirus software up to date and do not respond to phishing emails.
Detecting identity theft

Loss of data

Destruction or deletion of data, or unauthorised copies that are no longer under your control.
Can happen either via direct (physical) access or over a network.
Insider attacks

Examples include Chelsea (born Bradley) Manning leaking US Army documents to Wikileaks.

Risks of data loss

Consequences can be expressed as a series of costs, such as:

Can also be a loss of reputation.
Example – JournalSpace: its database was wiped by a disgruntled employee. Users lost their data and were only able to recover some of it from Google’s cache servers. The company was reborn but lost most of its users.
Internal breaches are not always caused by malicious users; they also happen inadvertently in ways such as:

Better staff training can reduce these risks.
Most companies have security policies to secure computers, networks and data, but few train employees in risk awareness.

Laws and computers

Criminal Law – punishes behaviour such as murder, serious injury and fraud. Cases are brought to court by the State. Evidence must prove guilt “beyond reasonable doubt”. Punished by fines or imprisonment depending on severity.
Civil Law – disputes. Cases are brought to court by individuals. Covers areas including property law, contracts and nuisance (e.g. noise). Proof is on the “balance of probability”. The remedy is usually financial (damages) rather than imprisonment.
Bills, Acts & Laws
Act of Parliament – a law approved by the British Parliament. Law that has not passed through Parliament, made by judges through court decisions, is called Common Law.
An Act starts as a Bill, which is debated in the House of Commons and then passed to a committee for review and possible changes. After a formal vote the Bill passes from the House of Commons to the House of Lords for scrutiny and amendments. The Lords vote on the Bill and pass it back to the House of Commons; if both houses agree, the Bill is given Royal Assent and becomes an Act.
An Act is not always in effect straight away; sometimes time is needed to put processes in place to achieve compliance.
A Bill is not law until it becomes an Act.
Keeping up with threats – legislation is constantly revised to keep pace with changes in cyber security. The outcomes of trials can change how existing laws are interpreted and lead to the creation of new laws.
Cyber threats are global, so they can also be affected by legislation from other jurisdictions.
In 2002, British hacker Gary McKinnon was accused of hacking into US Department of Defense and NASA computers. He fought extradition to the US for 10 years; the British Government blocked the extradition in 2012.

Data Protection Act 1998 (DPA)

Anyone holding personal information about a living individual in a computer database is legally obliged to handle it responsibly.
The Information Commissioner’s Office (ICO) upholds the DPA; it also oversees freedom of information, which makes information held by public authorities accessible to the public.
The DPA stops data being held or used unnecessarily or exchanged without good reason, requires that it is held securely, and provides redress if individuals feel their data has been misused.
Data Protection Register held by the ICO – a list of organisations that hold personal data.
Data – a representation of information that is stored, conveyed or manipulated.
Information – data presented in a particular context.
Polls collect data from individuals; it is then manipulated, interpreted and presented as information.
Data controllers, under the DPA, are the persons or organisations that decide why and how personal data is processed; the employees who store, manipulate or retrieve that data on their behalf are not themselves the controllers.
The DPA is based around eight principles of good information handling.
Inadvertent breaches of the DPA may still be prosecuted even though no harm was intended.

Regulation of Investigatory Powers Act 2000 (RIPA)

Governs the use of surveillance technologies by public bodies, e.g. the police, intelligence services and local authorities.
Ensures strict safeguards are in place for intrusive powers such as intercepting communications, bugging, covert CCTV and undercover agents.
Overseen by the Interception of Communications Commissioner, the Intelligence Services Commissioner and the Chief Surveillance Commissioner.
Investigatory Powers Tribunal – independent senior lawyers and members of the judiciary who hear complaints about the exercise of powers under the Act.
RIPA allows certain public bodies to access communications data – telephone and internet – where necessary and proportionate to a specific investigation. This may include the names, addresses and telephone numbers of individuals, the time and duration of calls, the source and destination of emails, and the location of mobile devices (the who, when and where, not the content).
A warrant for interception of the content of communications is issued by the Secretary of State.

Computer Misuse Act 1990 (CMA)

The CMA was drawn up after two hackers who broke into Prestel in the mid-1980s could not be convicted under the Forgery and Counterfeiting Act 1981: the House of Lords ruled in 1988 that the Act had not been intended for this purpose.
The original CMA introduced three new criminal offences:

Unauthorised, in this context – the person must know that they are not entitled to access the computer in question.
Later amendments added offences such as:

Fraud Act 2006

Introduced to simplify the complex deception offences of the Theft Acts.
It was only in 1996 that obtaining money via a fraudulent bank transfer became specifically illegal in the UK.
The Fraud Act defines fraud in three ways:

The defendant’s conduct must be dishonest, with the intention of making a gain or causing a loss (or a risk of loss). No actual gain or loss needs to occur; the attempt could have been unsuccessful.
Section 11 (obtaining services dishonestly) is the provision used for electronic fraud; it can be used to prosecute in response to:

Lawful Business Practice Regulations

Under UK law, employers have certain rights to monitor communications made by employees.
This is authorised under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, SI 2000/2699, sometimes called the IC Regs.

Companies monitor networks to meet legal requirements – financial organisations, for example, give customers ‘health warnings’ that calls may be recorded.
The IC Regs are an exception to the general rule that it is unlawful to intercept communications without authority. Interception is permitted under specific conditions, for example where both parties have consented (which can be made a condition of employment) or where the business has made reasonable efforts to tell users that it may take place.
Employers must still comply with the Human Rights Act and the DPA when monitoring employees.

European Economic Area

The UK is also subject to European law.
Member states have broadly the same laws where these implement EU directives.
There is some leeway in interpretation, so there may be slight differences between countries’ laws.

Who should you contact?

Responding to identity theft

Personal data and security

Bank card fraud

Getting your computer working again

Recovering from virus or other malware

Recovering from accidentally deleting a file

Recovering from lost computer, disk or flash drive containing confidential data

Recovering from operating system failure

Making your information less vulnerable

User accounts and passwords help secure data.
Computers and mobile devices should be configured to require a login or passcode, and to lock after a period of inactivity.
A network firewall on the router and a personal firewall on the computer help stop attackers getting in.
Up-to-date antivirus helps stop malware from deleting, encrypting or stealing your data.
Consider encryption for very sensitive documents.
User accounts

File permissions

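As an added example (not from the course notes), the check a practitioner would run on a folder of sensitive documents: list every file that any other local user could read, then strip the group/other permission bits from the whole folder so only the owner keeps access. It assumes a POSIX filesystem (Linux or macOS); the sample folder, its file names and their careless 644/755 modes are constructed for the demo.

```python
import os
import stat
import tempfile

# Added example, not the course's own code. Assumes POSIX permission bits.


def world_readable_files(root):
    """Return the regular files under root whose 'other' read bit is set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode          # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                found.append(path)
    return sorted(found)


def lock_down(root):
    """Remove all group/other permission bits on root and everything below it.

    Returns the number of entries whose mode actually changed. Symlinks are
    skipped so a link pointing outside the tree cannot make us chmod something else.
    """
    entries = [root]
    for dirpath, dirs, files in os.walk(root):
        entries.extend(os.path.join(dirpath, n) for n in dirs + files)
    changed = 0
    for path in entries:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        old = stat.S_IMODE(st.st_mode)
        new = old & 0o700                          # keep the owner bits only
        if new != old:
            os.chmod(path, new)
            changed += 1
    return changed


def build_sample_folder():
    """Constructed sample: a 'private' folder saved under a careless 022 umask."""
    root = tempfile.mkdtemp(prefix="private-")
    os.chmod(root, 0o755)
    sub = os.path.join(root, "tax")
    os.mkdir(sub)
    os.chmod(sub, 0o755)
    for rel, mode in (("payroll.csv", 0o644),
                      ("notes.txt", 0o600),
                      ("tax/return-2023.pdf", 0o644)):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("confidential\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    folder = build_sample_folder()
    print("exposed before:", world_readable_files(folder))
    print("entries tightened:", lock_down(folder))
    print("exposed after:", world_readable_files(folder))
```

Run it on a real folder by passing the path to `world_readable_files` first and reviewing the list before calling `lock_down`; setting `umask 077` in your shell profile stops new files being created world-readable in the first place.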
Disabling ports

Locks

Protecting your data for the future

Backups protect us from threats including:

Backup Media

Optical storage

Magnetic disks

Solid state drives (SSDs)

Remote backups

Offsite backups

Backing up to the cloud

Cloud security

Archiving data

Most backup media is reused after a certain period of time: old backups are overwritten with new data.
Businesses need to retain some backups for a number of years for legal and tax reasons.
Important files of historic or legal interest should be kept indefinitely.
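The rotation described above can be written down as a retention rule so that "which media may be overwritten" is decided the same way every time. The following added example (not the course's own code) is a grandfather-father-son style plan over daily backups: keep everything from the last week, Sunday backups for four weeks, first-of-month backups for a year, and 1 January backups for the legal/tax retention period; anything flagged as of historic or legal interest is never reused. The thresholds, the seven-year legal period and the backup dates are assumed values constructed for the demo.

```python
from datetime import date, timedelta

# Added example, not from the course notes. Retention thresholds are assumptions.
DAILY_DAYS = 7        # keep every backup taken in the last week
WEEKLY_DAYS = 28      # keep Sunday backups for four weeks
MONTHLY_DAYS = 365    # keep first-of-month backups for a year
LEGAL_YEARS = 7       # keep 1 January backups for the (assumed) legal/tax period


def retention_decision(backup_day, today, archived=frozenset()):
    """Return 'keep' or 'reuse' for the medium holding the backup taken on backup_day."""
    if backup_day in archived:                 # historic/legal interest: never overwritten
        return "keep"
    age = (today - backup_day).days
    if age < 0:
        raise ValueError("backup is dated in the future")
    if age < DAILY_DAYS:
        return "keep"
    if backup_day.weekday() == 6 and age < WEEKLY_DAYS:          # Sunday
        return "keep"
    if backup_day.day == 1 and age < MONTHLY_DAYS:
        return "keep"
    if backup_day.month == 1 and backup_day.day == 1 and age < LEGAL_YEARS * 365:
        return "keep"
    return "reuse"


def plan_rotation(backup_days, today, archived=frozenset()):
    """Split backup dates into (kept, reusable) lists using retention_decision."""
    kept, reusable = [], []
    for d in sorted(backup_days):
        if retention_decision(d, today, archived) == "keep":
            kept.append(d)
        else:
            reusable.append(d)
    return kept, reusable


def daily_backups(first, last):
    """Constructed sample: one backup per day from first to last inclusive."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


if __name__ == "__main__":
    today = date(2024, 3, 15)
    backups = daily_backups(date(2017, 1, 1), today)
    kept, reusable = plan_rotation(backups, today, archived={date(2019, 6, 30)})
    print(f"{len(kept)} media kept, {len(reusable)} media free for reuse")
    for d in kept[-12:]:
        print("keep", d, d.strftime("%A"))
```

The legal rule is the one that matters most in the rotation: a medium that falls out of the daily, weekly and monthly windows is still held if it carries a year-start backup inside the retention period, and the `archived` set is the place to record anything that must outlive the policy altogether.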