Information as an asset
Information is valuable but can be lost or stolen.
Treating information as an asset lets you create strategies for protecting it and for minimising the consequences of a disaster.
Information assets vary by organisations/individuals:
- Medical records
- Contact lists
- Employee records
- Order books
- Staff records
- Bank references
- Supplier & customer correspondence
Assess the value of information and protect it on an ongoing basis.
Info is stored, used & transmitted in various tangible media
- Can protect by locking filing cabinets, restricting access to archives
Some info is intangible
- Ideas – harder to protect
- Protect by ensuring employees are happy
- Contracts preventing employees leaving & joining rivals
Imperatives & incentives
Information security risk management process – two factors
- Pressures force you to act
- Legislation and regulation
- CMA (Computer Misuse Act) and DPA (Data Protection Act) – legislative imperatives
- Payment Card Industry Data Security Standard (PCI-DSS) – regulatory imperative
- Rewards & opportunities arise from acting
Your own information assets
Review of information assets list made earlier in course.
Identification, analysis and management of risks.
Risk – chance of adverse consequences or loss occurring.
Main technique for qualitative risk analysis – likelihood-impact matrix
Basic form is two-by-two grid
- Low likelihood, high likelihood
- Low impact, high impact
Results in rank order for tackling risks:
- High-impact, high-likelihood risks
- High-impact, low-likelihood risks
- Low-impact, high-likelihood risks
- Low-impact, low-likelihood risks – not worth expending much energy on
Look at high-impact or high-likelihood risks & identify ways to mitigate.
Apply quantitative techniques (a financial assessment of impact) to produce a rank order with the greatest at the top.
Risk analysis in practice
Successful attack on email, banking details or passwords would have a high impact and due to their value, there is a high likelihood of them being attacked. Therefore they would be placed in High impact/High likelihood.
Study materials or personal photographs would have a high impact if they were attacked but the likelihood is low so would be High impact/Low likelihood.
Digital music and movies would have a low impact if stolen, as they could be obtained again, but they may be of value to someone, so they could be Low impact/High likelihood.
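The likelihood-impact matrix and the quantitative ranking described above, applied to the three assets from these notes, as an added example that is not part of the course material; the impact and likelihood ratings are the ones the notes give, while the pound figures and attack frequencies are constructed sample values.

```python
from dataclasses import dataclass

# Rank order from the notes: tackle high-impact/high-likelihood risks first,
# then high-impact/low-likelihood, then low-impact/high-likelihood; the
# low/low quadrant comes last and is rarely worth much effort.
QUADRANT_PRIORITY = {
    ("high", "high"): 1,
    ("high", "low"): 2,
    ("low", "high"): 3,
    ("low", "low"): 4,
}

@dataclass(frozen=True)
class Asset:
    name: str
    impact: str               # qualitative rating: "high" or "low"
    likelihood: str           # qualitative rating: "high" or "low"
    loss_if_hit: float        # constructed: cost in pounds of one successful attack
    attacks_per_year: float   # constructed: expected successful attacks per year

def quadrant(asset: Asset) -> str:
    """Label the asset's cell in the two-by-two grid, e.g. 'High impact/High likelihood'."""
    return f"{asset.impact.capitalize()} impact/{asset.likelihood.capitalize()} likelihood"

def qualitative_rank(assets):
    """Order assets by quadrant priority, i.e. the order in which to tackle them."""
    return sorted(assets, key=lambda a: QUADRANT_PRIORITY[(a.impact, a.likelihood)])

def annual_expected_loss(asset: Asset) -> float:
    """Quantitative step: financial impact weighted by how often it is expected."""
    return asset.loss_if_hit * asset.attacks_per_year

def quantitative_rank(assets):
    """Order assets by expected annual loss, greatest at the top."""
    return sorted(assets, key=annual_expected_loss, reverse=True)

# The three examples from the notes; money and frequency figures are constructed.
ASSETS = [
    Asset("Digital music and movies", "low", "high", 50.0, 0.5),
    Asset("Study materials and personal photographs", "high", "low", 2000.0, 0.05),
    Asset("Email, banking details and passwords", "high", "high", 5000.0, 0.5),
]

if __name__ == "__main__":
    for a in qualitative_rank(ASSETS):
        print(f"{quadrant(a):<34} {a.name}")
    for a in quantitative_rank(ASSETS):
        print(f"£{annual_expected_loss(a):8.2f}/year  {a.name}")
```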
Staying safe online
Stay up to date
- Unfixed bugs provide a vulnerability
- Operating systems and software need to be updated
Do the basics
- Set up personal firewall
- Install antivirus
- Make backups
- Require passwords to login and unlock screen
- Use hard disk encryption
Fix your email
- Enable junk mail filtering if not already done
- Mark any spam mails that slip through as spam for the future
Fix your browser
Cookies track use of the web.
Third-party cookies are of no use to the user.
Use “Fix Your Browser” PDF to improve security of web browser.
Risk management in practice
Having analysed the situation, decide what to do.
Identify cost-effective countermeasures to use:
Avoiding the risk
- Stop activity causing risk
- E.g. deleting all banking info and unsubscribing from online service
Modifying the risk (likelihood and/or impact)
- Choose & implement security mechanism to reduce risk or impact of successful attack
- E.g. install up to date antivirus
Transferring the risk to others
- Typically taking out insurance to cover losses in event of successful attack
Accepting the risk
- Implement no countermeasures
- Monitor information asset for any attacks
Protecting your information assets
Review personal information asset list made earlier in course, consider following:
- Are firewalls set up to protect computers from external attacks?
- Are computers protected with up-to-date antivirus?
- Are the operating system and key software up to date?
- Is important information protected with encryption?
What should I do next?
Review again information asset list and determine what else can be done to protect information.
Create information security plan based on risk analysis of information assets.
Implement identified countermeasures.
Tracking a moving target
Old technologies are retired, leaving users still running them exposed to bugs and security weaknesses.
New threats are discovered every day, e.g. the Heartbleed bug.
Heartbleed affected at least half a million websites.
The bug was in OpenSSL’s heartbeat function, which is used to verify that a connection from a remote machine is still established.
The bug allows a fake heartbeat to be sent, with the response potentially carrying the site certificate, unencrypted credentials or other valuable information.
Introduced in a version of OpenSSL released in 2012 and present in all versions since, until fixed in April 2014.
Present on sites including Yahoo and Flickr among others.
Discovered by two groups of researchers, including people at Google, who worked together to resolve the issue before the public announcement. It is possible they weren’t the first to find Heartbleed.
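A simulation of the missing length check behind Heartbleed, as an added example that is not part of the course notes and not OpenSSL's code: the record layout (one type byte, a two-byte payload length, the payload, then padding) follows the TLS heartbeat extension, while the "process memory" buffer and the secret string in it are constructed for the demonstration.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
HEADER = 3        # 1-byte message type + 2-byte payload length
PADDING = 16      # minimum padding that must follow the payload


def make_memory(record: bytes) -> bytes:
    """Constructed stand-in for process memory: the received record, followed by
    unrelated data that must never go back out on the wire."""
    return record + b"SECRET-KEY-MATERIAL-not-for-the-wire"


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a request record; claimed_len lets the declared length be mis-stated."""
    n = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, n) + payload + b"\x00" * PADDING


def respond_unchecked(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: copy as many bytes as the sender declared, ignoring
    how long the record actually was (record_len is never consulted)."""
    _, n = struct.unpack("!BH", memory[:HEADER])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, n) + memory[HEADER:HEADER + n]


def respond_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Fixed behaviour: silently discard any record whose declared payload
    (plus header and padding) does not fit inside the bytes received."""
    if record_len < HEADER + PADDING:
        return None
    _, n = struct.unpack("!BH", memory[:HEADER])
    if HEADER + n + PADDING > record_len:
        return None
    return struct.pack("!BH", HEARTBEAT_RESPONSE, n) + memory[HEADER:HEADER + n]


if __name__ == "__main__":
    good = build_heartbeat(b"hello")
    print(respond_checked(make_memory(good), len(good)))   # echoes b'hello'
    bad = build_heartbeat(b"hello", claimed_len=40)
    print(respond_checked(make_memory(bad), len(bad)))     # None: rejected
    print(respond_unchecked(make_memory(bad), len(bad)))   # copies past the record
```

The fix is the single comparison of the declared length against the record length; the patched response to a well-formed heartbeat is unchanged, so the check costs nothing for honest peers.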
Response to Heartbleed
- Fix implementation of OpenSSL
- Create new site certificates
- Request users change passwords
Your questions answered
Keeping data safe in cloud
- Use a strong password
- Use two-factor authentication where possible
- Encrypt important/confidential files before uploading