Introduction to cyber security – Week 7, When your defences fail

Identity theft

Preventing identity theft – ensure AV software is up to date, do not respond to phishing emails.

Detecting identity theft

  • Unexplained bank withdrawals or credit card charges
  • Bills & other expected official letters don’t arrive
  • Cards/cheques declined
  • Notified that personal information has been breached/compromised
  • Contacted by bank/credit card company about suspicious activity

Loss of data

Destruction or deletion of data, or unauthorised copies that are no longer under the owner’s control.
Either via direct access or over the network.

Insider attacks

  • Security risk posed by employee of organisation
  • Ranked as bigger threat than cyber attacks and device security

Examples include Chelsea (born Bradley) Manning leaking US Army documents to Wikileaks.

Risks of data loss

Consequences can be expressed as series of costs, such as:

  • Cost of recreating data – hardware/software, re-entering data
  • Cost of continuing without data
  • Cost of informing others about loss

Can also be loss in reputation.
Example – JournalSpace: database corrupted by a disgruntled employee; users lost their data and were only able to regain some of it from Google’s cache servers. Company reborn but lost most of its users.
Internal breaches are not always caused by malicious users; they also happen inadvertently in ways such as:

  • copying data to external websites/devices
  • opening infected emails
  • clicking malicious links
  • installing software

Better staff training can reduce risks.
Most companies may have security policies to secure computers, networks and data but not many train employees on risk awareness.

Laws and computers

  • Data Protection Act 2008
  • Regulation of Investigatory Powers Act 2000
  • Computer Misuse Act 1990
  • Fraud Act 2006

Criminal Law – punishing behaviour such as murder, serious injury & fraud. Brought to court by the State. “Beyond reasonable doubt” evidence required. Punished by fines, imprisonment depending on severity.
Civil Law – Disputes. Brought to court by individuals. Concerns including property law, contracts and noise. “Balance of probability” proof required. Usually punished by fines.

Bills, Acts & Laws

Act of Parliament – law approved by the British Parliament. Law not passed through Parliament is called Common Law.
Act starts as bill, debated in House of Commons. Passed for review and possible changes. Formal vote, Bill passes from House of Commons to House of Lords for scrutiny & amendments. Bill voted on by Lords then passed back to House of Commons – if both houses agree then Bill is given Royal Assent and becomes Act.
Act not always in effect straight away, sometimes needs time to put process in place to achieve compliance.
Bill not law until it becomes Act.
Keeping up with threats – legislation is constantly being revised to keep pace with changes in cyber security. Outcomes from trials can result in changes to interpretations of existing laws & creation of new laws.
Cyber threats are global, so they can be affected by legislation from other jurisdictions.
In 2002, British hacker Gary McKinnon hacked the US Department of Defense and NASA. He fought extradition for 10 years; the British Government blocked the extradition in 2012.

Data Protection Act 1998 (DPA)

Legally obliged to act responsibly with personal information relating to any living individual held in computer databases.
Information Commissioner’s Office (ICO) upholds the DPA and ensures access to information held by public authorities is freely available.
DPA stops data being held or used unnecessarily or exchanged without good reason, ensures it is held securely & provides redress if individuals feel their data has been misused.
Data Protection Register held by ICO – list of organisations holding data.
Data – representation of information stored, conveyed or manipulated.
Information – data presented in particular contexts.
Polls collect data from individuals, it is then manipulated and interpreted and presented as information.
Data controllers, in relation to DPA, are employees who store, manipulate or retrieve personal information stored on computers.
DPA based around eight principles of good information handling.
Inadvertent breaches of DPA may be prosecuted even though no harm was intended.

Regulation of Investigatory Powers Act 2000 (RIPA)

Governs use of surveillance technologies by public bodies e.g. the police, intelligence services and local authorities.
Ensures strict safeguards in place with regards to intrusive powers such as intercepting communications, bugging, covert CCTV and undercover agents.
Overseen by Interception of Communications Commissioner, the Intelligence Services Commissioner and the Chief Surveillance Commissioner.
Investigatory Powers Tribunal – independent senior lawyers & members of judiciary – hear complaints relating to exercise of the powers under the Act.
RIPA allows certain public bodies to access communications – telephone & internet – when proportionate to special investigation. May include names, addresses & telephone numbers of individuals, time & duration of calls, source & destination of emails and location of mobile devices.
Warrant for interception of communications issued by Secretary of State.

Computer Misuse Act 1990 (CMA)

CMA was drawn up after two hackers who hacked Prestel in 1988 could not be prosecuted under the Forgery and Counterfeiting Act 1981, as the high courts determined that Act had not been intended for this purpose.
Original CMA introduced three new criminal offences:

  • Unauthorised access to computer materials
  • Unauthorised access with intent of committing or aiding further offences
  • Unauthorised modification of computer materials

Unauthorised, in this context – attacker must be aware they are not intended to use computer in question.
Amendments include offences such as:

  • Denial of access or service to legitimate users
    • DoS attacks criminal offence in UK
  • Creation and use of hardware or software that might aid an attack on a computer
    • Software used to break passwords
    • Malware
    • Also covers software used by forensic experts to investigate computer crime

Fraud Act 2006

Introduced to simplify complex Theft Act.
Only in 1996 that obtaining money via a fraudulent bank transfer became specifically illegal in UK.
Fraud Act defines fraud in three ways:

  • False representation
  • Failing to disclose information
  • Abusing power

Defendant’s conduct must be dishonest with intention of making gain or causing loss, or risk of loss. No actual gain or loss needs to occur, could have been unsuccessful.
Section 11 references electronic fraud, can prosecute in response to:

  • Dishonestly obtaining electronic communications services such as telephone, ISP or television subscription
  • Cloning mobile phones so that calls made on one handset are billed to another
  • Reprogramming mobile phones to interfere with operation or to change unique identifier
  • Breaking encryption on encrypted communications service such as subscription based television services or telephone conversations

Lawful Business Practice Regulations

Under UK law, employers have certain rights to monitor communications made by employees.
Authorised under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, SI 2000/2699. Sometimes called the IC Regs.

  • Can record telephone calls; store telephone numbers, email and website addresses; and store email and attachments
  • Employers can ensure networks are not used to bring the company into disrepute – offensive emails, illegal activities or inappropriate use of resources

Companies monitor networks to meet legal requirements – financial organisations offer ‘health warnings’ to customers.
IC Regs are an exception to the general rule that it is unlawful to intercept communications unless authorised to do so. Interception can be made under special conditions, where both parties consent – this could be a condition of employment.
Employers must still ensure that Human Rights Act and DPA are adhered to when monitoring employees.

European Economic Area

UK also subject to European laws.
Member states have roughly same laws relating to EU directives.
Some leeway in interpretation, so there may be slight differences between countries’ laws.

Who should you contact?

Responding to identity theft

  • Loss of important docs (passport, payment cards etc.) reported to the issuer immediately
  • Report any unexplained transactions to bank/credit card company
  • Credit reference agencies record applications and use of financial products
    • CallCredit
    • Experian
    • Equifax

Personal data and security

  • Don’t enter personal information if site is not secure

Bank card fraud

  • Notify card issuer straight away if there are suspicious transactions on the account
  • Card issuer will investigate case and advise
  • Also contact police and complete crime report

Getting your computer working again

Recovering from virus or other malware

  • Update antivirus software
  • Isolate machine
  • Start in safe mode
  • Remove virus
  • Think about the cause and how to safeguard against it in the future

Recovering from accidentally deleting a file

Recovering from lost computer, disk or flash drive containing confidential data

  • Was data encrypted with strong encryption with strong password?
  • If acting as an employee, obliged under DPA to contact either organisation DPA enforcer or Information Commissioner’s Office
  • May need to contact organisation if lost data relates to them

Recovering from operating system failure

  • Microsoft Windows (XP onward) has Restore Point feature
  • Windows saves configuration daily, before updates or before installation of unsigned software
  • Macs (10.5 or later) have Time Machine, which backs up both files and system configuration
  • Hourly backups for past day, daily backups for past month and weekly backups for anything older

Making your information less vulnerable

User accounts and passwords help secure data.
Computers and mobile devices should be configured to require a login or passcode, and to lock after a period of inactivity.
Network firewall on router and personal firewall on computer help stop attackers getting into computer.
Up to date antivirus helps stop malware from deleting, encrypting or stealing your data.
Consider encryption for very sensitive documents.

User accounts

  • Varying levels of access, includes:
    • Guest – only perform limited tasks, unable to change configuration
    • Administrator – able to do pretty much anything
    • Users – limited access, usually unable to install software
  • Even on own computer, sensible to use a restricted access user account day-to-day and only use admin account for specific tasks

File permissions

  • Files and folders have permissions
    • Write – file can be edited
    • Read – can be read and copied
    • Execute – can be executed as a program
  • Different users have different sets of permissions
    • User A may have read only
    • User B, the owner, may have read, write and execute
    • User C may have no access to the file at all
  • File can be copied (read permissions) and although not edited directly, the information could be extracted to a new file where user has full rights
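
As an added example (not from the course notes), the Python below models the owner/group/other permission check described in this list and then shows the caveat in the last bullet: a user with read access can produce a copy they fully control, so read-only protects the original file from edits but does not contain the information. The uids, gids, paths, file contents and the ToyFS class are all constructed for the demo.

```python
from dataclasses import dataclass

# Added example, not from the course notes: a small model of the Unix
# owner/group/other permission check, plus the caveat that read access is
# enough to make a private copy. Every uid, gid, path and file content here
# is constructed for the demo; ToyFS is a stand-in for a real filesystem.

READ, WRITE, EXEC = 4, 2, 1          # the r, w, x bits of one rwx triplet


@dataclass(frozen=True)
class Principal:
    uid: int
    primary_gid: int
    gids: frozenset                  # every group the user belongs to


@dataclass(frozen=True)
class FileMeta:
    owner_uid: int
    group_gid: int
    mode: int                        # permission bits, e.g. 0o740


def applicable_bits(meta, who):
    """Pick the rwx triplet that applies: owner first, then group, then other.
    Only the first matching class counts, exactly as Unix does it."""
    if who.uid == meta.owner_uid:
        return (meta.mode >> 6) & 0o7
    if meta.group_gid in who.gids:
        return (meta.mode >> 3) & 0o7
    return meta.mode & 0o7


def allowed(meta, who, wanted):
    """True only if every requested bit (READ | WRITE | EXEC) is granted."""
    return applicable_bits(meta, who) & wanted == wanted


class ToyFS:
    """In-memory files carrying FileMeta; read/write enforce the check."""

    def __init__(self):
        self.files = {}              # path -> [FileMeta, bytes]

    def create(self, path, who, mode, data=b""):
        # A new file is owned by its creator and the creator's primary group.
        self.files[path] = [FileMeta(who.uid, who.primary_gid, mode), data]

    def read(self, path, who):
        meta, data = self.files[path]
        if not allowed(meta, who, READ):
            raise PermissionError(f"uid {who.uid} may not read {path}")
        return data

    def write(self, path, who, data):
        meta, _ = self.files[path]
        if not allowed(meta, who, WRITE):
            raise PermissionError(f"uid {who.uid} may not write {path}")
        self.files[path][1] = data


# Constructed principals: B owns the file, A shares B's group, C is unrelated.
STAFF = 100
OWNER_B = Principal(uid=1001, primary_gid=STAFF, gids=frozenset({STAFF}))
USER_A = Principal(uid=1002, primary_gid=STAFF, gids=frozenset({STAFF}))
USER_C = Principal(uid=1003, primary_gid=200, gids=frozenset({200}))
REPORT = "/data/report.txt"


def build_demo_fs():
    fs = ToyFS()
    # 0o740 = owner rwx, group r--, other ---: the notes' A/B/C example.
    fs.create(REPORT, OWNER_B, 0o740, b"quarterly figures")
    return fs


def copy_via_read(fs, who, src, dst):
    """The last bullet's caveat: READ on src is all that is needed to create
    a new file the reader owns outright. 'Read only' stops edits to the
    original; it does not stop the information leaving the file."""
    data = fs.read(src, who)                 # needs READ on src only
    fs.create(dst, who, 0o600, data)         # new file, owned by `who`
    return fs.files[dst][0]                  # metadata of the copy


if __name__ == "__main__":
    fs = build_demo_fs()
    meta = fs.files[REPORT][0]
    print("A can read:", allowed(meta, USER_A, READ))      # True
    print("A can write:", allowed(meta, USER_A, WRITE))    # False
    print("C can read:", allowed(meta, USER_C, READ))      # False
    copy_meta = copy_via_read(fs, USER_A, REPORT, "/home/a/copy.txt")
    print("A can write the copy:", allowed(copy_meta, USER_A, WRITE))  # True
```

The check is deliberately "first matching class wins": an owner whose owner bits are empty is denied even if the group bits would allow access, which is how Unix behaves and is the usual surprise when reasoning about permissions. The control that actually stops the copy is not a file mode but denying read access in the first place (User C in the notes).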

Disabling ports

  • USB ports can be used to attach external device and copy data to them
  • These ports can be disabled either via the OS or a specific piece of software

Locks

  • Easiest way to steal data is to steal computer/device
  • Most computers/devices have slot to allow locking to table or wall bracket

Protecting your data for the future

Backups protect us from threats including:

  • Accidental deletion of files or programs
  • Loss of disk, computer or memory cards
  • Hardware failures including disk crash
  • Software bugs
  • Disasters such as flooding or fire
  • Crimes including terrorism, theft, sabotage, hacking

Backup Media

Optical storage

  • CDs, DVDs & Blu-ray
  • Most common is writeable DVDs – DVD-R, DVD+R, DVD-RW etc
  • DVD = 4.7GB
  • Dual layer DVD = twice DVD
  • Blu Ray = 25GB
  • Dual layer Blu Ray = 50GB
  • Three layer Blu Ray = 100GB
  • Advantages
    • Hardware and media widely available and cheap
    • Most new devices are backward compatible
    • Small physical size allowing for large amounts of data to be stored in small space
    • Media is robust
  • Disadvantages
    • Slow compared to hard disks
    • Some types of disc not so widely supported
    • Low capacity compared to hard disks, useful for backing up key data but not entire drives

Magnetic disks

  • Most computers have space for second internal hard disk to store backups
  • Can be used as externally attached back up devices
  • Network Attached Storage (NAS) – attached to network via Ethernet or wifi
  • Redundant Array of Independent Disks (RAID) used to provide resilience
  • Advantages
    • Relatively cheap with increasingly large capacity
    • External disks are portable
    • Many manufacturers, widely compatible
    • Many back-up programs to use with hard disks
  • Disadvantages
    • Fragile, easily damaged
    • If each disk is used only once for archiving, it becomes expensive

Solid state drives (SSDs)

  • Stores data in memory chips
  • Used in memory sticks
  • More commonly used in newer laptops
  • Advantages
    • Same as hard disks plus
    • More robust
    • Faster read/write times
    • No noise as no moving parts
  • Disadvantages
    • More expensive than magnetic disks
    • Currently max capacity is 1TB

Remote backups

Offsite backups

  • Specialist companies offer facilities to hold backups
  • Could be extremely secure vault
  • Increasingly they are large server farms on high speed networks
  • UK’s largest site is Telehouse UK in London Docklands
  • Facility covers 45,00 square metres

Backing up to the cloud

  • Certain amount of storage space available free in many cases
  • Designed for convenience
  • Can be used to transfer files between computers
  • Backups can be encrypted
  • No protection in case of deleted files

Cloud security

  • Unless further steps are taken, once in cloud can no longer be sure data is safe from prying eyes
  • Example – Apple iCloud leak
  • Some companies may have policies against cloud storage
  • Should use encryption to ensure data in Cloud is safe

Archiving data

Most media is reused after certain period of time, old backups overwritten with new data.
Businesses need to retain backups for number of years due to legal and tax reasons.
Important files of historic or legal interest should be kept indefinitely.
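
The Time Machine rotation described earlier (hourly for the past day, daily for the past month, weekly for anything older) and the archiving rule here (some backups retained for years or indefinitely) can be expressed as a single retention policy. The Python below is an added example, not the course's or Apple's code: the function names, the reading of "past month" as 30 days, the use of ISO weeks for the weekly bucket, the "legal hold" set and all timestamps are my own assumptions or constructed data.

```python
from datetime import datetime, timedelta

# Added example, not from the course notes: a retention ("pruning") policy
# for backup snapshots, modelled on the Time Machine rotation the notes
# describe (hourly for the past day, daily for the past month, weekly for
# anything older) plus the archiving rule that some backups are kept
# indefinitely. All timestamps below are constructed for the demo.

HOURLY_WINDOW = timedelta(hours=24)
DAILY_WINDOW = timedelta(days=30)     # "past month", taken as 30 days here


def select_snapshots_to_keep(snapshots, now, legal_hold=frozenset()):
    """Return the set of snapshot timestamps that must be retained.

    - every snapshot taken within the last 24 hours
    - the latest snapshot of each calendar day within the last 30 days
    - the latest snapshot of each ISO week for anything older
    - anything in `legal_hold` (archives kept for legal/tax reasons)
    Snapshots dated after `now` are ignored rather than guessed at.
    """
    keep = set()
    latest_per_day = {}
    latest_per_week = {}
    for ts in snapshots:
        age = now - ts
        if age < timedelta(0):
            continue
        if age <= HOURLY_WINDOW:
            keep.add(ts)
        elif age <= DAILY_WINDOW:
            key = ts.date()
            if key not in latest_per_day or ts > latest_per_day[key]:
                latest_per_day[key] = ts
        else:
            iso = ts.isocalendar()
            key = (iso[0], iso[1])       # (ISO year, ISO week number)
            if key not in latest_per_week or ts > latest_per_week[key]:
                latest_per_week[key] = ts
    keep.update(latest_per_day.values())
    keep.update(latest_per_week.values())
    keep.update(set(snapshots) & set(legal_hold))   # hold always wins
    return keep


def prune_plan(snapshots, now, legal_hold=frozenset()):
    """Split snapshots into (keep, delete) lists, oldest first, so the
    deletions can be reviewed before any media is overwritten."""
    keep = select_snapshots_to_keep(snapshots, now, legal_hold)
    delete = [ts for ts in snapshots if ts not in keep and ts <= now]
    return sorted(keep), sorted(delete)


# --- constructed sample data ------------------------------------------
NOW = datetime(2024, 3, 15, 12, 0)
HOURLY = [NOW - timedelta(hours=h) for h in range(25)]     # 25 snapshots
DAILY = [datetime(2024, 3, 10, 3, 0), datetime(2024, 3, 10, 15, 0),
         datetime(2024, 3, 1, 2, 0)]
OLDER = [datetime(2024, 1, 8, 1, 0), datetime(2024, 1, 10, 1, 0),  # same ISO week
         datetime(2023, 12, 25, 1, 0)]
SNAPSHOTS = HOURLY + DAILY + OLDER
LEGAL_HOLD = frozenset({datetime(2024, 1, 8, 1, 0)})   # e.g. year-end accounts

if __name__ == "__main__":
    keep, delete = prune_plan(SNAPSHOTS, NOW, LEGAL_HOLD)
    print(f"keeping {len(keep)} snapshots, deleting {len(delete)}")
    for ts in delete:
        print("  delete", ts)
```

With the constructed data the plan keeps all 25 hourly snapshots, the later of the two 10 March snapshots, the 1 March snapshot, the 10 January snapshot (latest of its ISO week), the 25 December snapshot, and the 8 January snapshot only because it is on legal hold; the 03:00 snapshot from 10 March is the single deletion. Keeping the hold as a separate input rather than a flag on the snapshot is the design point: the rotation can be tuned freely without ever being able to discard something the business is legally required to retain.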