Introduction to cyber security – Week 8, Managing security risks

Information as an asset

Information is valuable but can be lost or stolen.
Considering information as an asset allows strategies to be created for protecting it and minimising the consequences of a disaster.
Information assets vary between organisations and individuals:

  • Doctor's surgery
    • Medical records
    • Contact lists
    • Emails
    • Employee records
  • Manufacturer
    • Order books
    • Staff records
    • Bank references
    • Supplier & customer correspondence

Risk management

  • Assesses value of information and protects on ongoing basis
  • Info stored, used & transmitted in various media (tangible)
    • Can protect by locking filing cabinets, restricting access to archives
  • Some info is intangible
    • Ideas – harder to protect
    • Protect by ensuring employees are happy
    • Contracts preventing employees leaving & joining rivals

Imperatives & incentives

  • Information security risk management process – two factors
    • Imperatives
      • Pressures force you to act
      • Legislation and regulation
      • CMA (Computer Misuse Act) and DPA (Data Protection Act) – legislative imperatives
      • Payment Card Industry Data Security Standard (PCI-DSS) – regulatory imperative
    • Incentives
      • Rewards & opportunities arise from acting
      • Trust

Your own information assets

Review of information assets list made earlier in course.

Risk analysis

Identification, analysis and management of risks.
Risk – chance of adverse consequences or loss occurring.
Main technique for qualitative risk analysis – likelihood-impact matrix
Basic form is two-by-two grid

  • Low likelihood, high likelihood
  • Low impact, high impact

Results in rank order for tackling risks:

  • High-impact, high-likelihood risks
  • High-impact, low-likelihood risks
  • Low-impact, high-likelihood risks
  • Low-impact, low-likelihood risks – not worth expending much energy on

Look at high-impact or high-likelihood risks & identify ways to mitigate.
Apply quantitative techniques (a financial assessment of impact) to produce a rank order with the greatest risk at the top.

Risk analysis in practice

Successful attack on email, banking details or passwords would have a high impact and due to their value, there is a high likelihood of them being attacked. Therefore they would be placed in High impact/High likelihood.
Study materials or personal photographs would have a high impact if they were attacked but the likelihood is low so would be High impact/Low likelihood.
Digital music and movies would have low impact if stolen as they could be obtained again but they may be of value to someone so could be Low impact/High likelihood.
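As an added example (not part of the course notes), the following Python ranks a constructed list of personal information assets in the quadrant order given above and then, within each quadrant, by a constructed financial estimate of impact, which is the quantitative step the notes describe. The asset names follow the notes' worked examples; the loss figures are invented for illustration.

```python
"""Likelihood-impact ranking of personal information assets (added example)."""
from dataclasses import dataclass

# Rank of each (impact, likelihood) quadrant: lower number = tackle first.
# Order is the one the course notes give.
QUADRANT_RANK = {
    ("high", "high"): 1,
    ("high", "low"): 2,
    ("low", "high"): 3,
    ("low", "low"): 4,
}


@dataclass
class Asset:
    name: str
    impact: str       # qualitative: "high" or "low"
    likelihood: str   # qualitative: "high" or "low"
    loss_gbp: float   # constructed financial estimate of impact (quantitative pass)


def quadrant(asset):
    return (asset.impact, asset.likelihood)


def rank_assets(assets):
    """Qualitative pass first (quadrant), then quantitative within a quadrant."""
    for a in assets:
        if quadrant(a) not in QUADRANT_RANK:
            raise ValueError(f"{a.name}: impact/likelihood must be 'high' or 'low'")
    return sorted(assets, key=lambda a: (QUADRANT_RANK[quadrant(a)], -a.loss_gbp))


def worth_effort(asset):
    """Low-impact, low-likelihood risks are not worth expending much energy on."""
    return quadrant(asset) != ("low", "low")


# Constructed sample list following the notes' worked examples.
SAMPLE_ASSETS = [
    Asset("digital music and movies", "low", "high", 50.0),
    Asset("study materials", "high", "low", 400.0),
    Asset("online banking details", "high", "high", 5000.0),
    Asset("email account", "high", "high", 2000.0),
    Asset("personal photographs", "high", "low", 800.0),
    Asset("old newsletters", "low", "low", 0.0),
]

if __name__ == "__main__":
    for a in rank_assets(SAMPLE_ASSETS):
        note = "" if worth_effort(a) else " (accept and monitor only)"
        print(f"{QUADRANT_RANK[quadrant(a)]}. {a.name}: GBP {a.loss_gbp:,.0f}{note}")
```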

Staying safe online

Stay up to date

  • Unfixed bugs provide a vulnerability
  • Operating systems and software need to be updated

Do the basics

  1. Set up personal firewall
  2. Install antivirus
  3. Make backups
  4. Require passwords to login and unlock screen
  5. Use hard disk encryption

Fix your email

  • Enable junk mail filtering if not already done
  • Mark any spam mails that slip through as spam for the future

Fix your browser

Cookies track use of the web.
Third-party cookies are of no use to the user.
Use “Fix Your Browser” PDF to improve security of web browser.

Risk management in practice

Having analysed the situation, decide what to do.
Identify cost-effective countermeasures to use:

  • Avoiding the risk
    • Stop activity causing risk
    • E.g. deleting all banking info and unsubscribing from online service
  • Modifying the risk (likelihood and/or impact)
    • Choose & implement security mechanism to reduce risk or impact of successful attack
    • E.g. install up to date antivirus
  • Transferring the risk to others
    • Typically taking out insurance to cover losses in event of successful attack
  • Accepting the risk
    • Not implement any countermeasures
    • Monitor information asset for any attacks

Protecting your information assets

Review personal information asset list made earlier in course, consider following:

  • Set up firewalls to protect computers from external attacks?
  • Protected with up-to-date antivirus?
  • Operating system and key software up to date?
  • Important information protected with encryption?

What should I do next?

Review again information asset list and determine what else can be done to protect information.
Create information security plan based on risk analysis of information assets.
Implement identified countermeasures.

Tracking a moving target

Old technologies are retired, leaving users exposed to bugs and security weaknesses.
New threats are discovered every day, e.g. the Heartbleed bug.
Heartbleed affected at least half a million websites.
It exposed a bug in OpenSSL's heartbeat function, which is used to verify that the connection from a remote machine is still established.
The bug allows a fake heartbeat to be sent and the response to carry extra data, potentially including the site certificate, unencrypted credentials or other valuable information.
Introduced in a version of OpenSSL released in 2012 and present in all versions from then until April 2014.
Present on sites including Yahoo and Flickr among others.
Discovered by two groups of researchers, including people at Google, who worked together to resolve the issue before the public announcement. It is possible they were not the first to find Heartbleed.

Response to Heartbleed

  • Fix implementation of OpenSSL
  • Create new site certificates
  • Request users change passwords

Your questions answered

Keeping data safe in cloud

  • Use strong passwords
  • Use two-factor authentication where possible
  • Encrypt important/confidential files before uploading

Resources

How to Easily Encrypt Files on Windows, Linux, and Mac OS X
Open Learn resources relating to cyber security
