Skip to content

Introduction to cyber security – Week 7, When your defences fail

05/12/2014

Identity theft

Preventing identity theft – ensure AV software is up to date, do not respond to phising emails.

Detecting identity theft

  • Unexplained bank withdrawals or credit card charges
  • Bills & other expected official letters don’t arrive
  • Cards/cheques decline
  • Notified that their information has been breached/compromised
  • Connected by bank/credit card company about suspicious activity

Loss of data

Destruction or deletion of data. Unauthorised copies no longer under control.

Either via direct access or over network.

Insider attacks

  • Security risk posed by employee of organisation
  • Ranked as bigger threat than cyber attacks and device security

Examples include Chelsea (born Bradley) Manning leaking US Army documents to Wikileaks.

Risks of data loss

Consequences can be expressed as series of costs, such as:

  • Cost of recreating data – hardware/software, re-entering data
  • Cost of continuing without data
  • Cost of informing others about loss

Can also be loss in reputation.

Example – JournalSpace, database corrupt by disgruntled employee, users lost their data only able to regain some from Google’s big cache servers. Company reborn but lost most of users.

Internal breaches not always from malicious users but also inadvertently by such ways as:

  • copying data to external websites/devices
  • opening infected emails
  • clicking malicious links
  • installing software

Better staff training can reduce risks.

Most companies may have security policies to secure computers, networks and data but not many train employees on risk awareness.

Laws and computers

  • Data Protection Act 2008
  • Regulation of Investigatory Powers Act 2000
  • Computer Misuse Act 1990
  • Fraud Act 2006

Criminal Law – punishing behaviour such as murder, serious injury & fraud. Brought to court by the State. “Beyond reasonable doubt” evidence required. Punished by fines, imprisonment depending on severity.

Civil Law – Disputes. Brought to court by individuals. Concerns including property law, contracts and noise. “Balance of probability” proof required. Usually punished by fines.

Bills, Acts & Laws

Act of Parliament – law approved by British Parliament. Law not passed through Parliament called Common Law.

Act starts as bill, debated in House of Commons. Passed for review and possible changes. Formal vote, Bill passes from House of Commons to House of Lords for scrutiny & amendments. Bill voted on by Lords then passed back to House of Commons – if both houses agree then Bill is given Royal Assent and becomes Act.

Act not always in effect straight away, sometimes needs time to put process in place to achieve compliance.

Bill not law until it becomes Act.

Keeping up with threats – legislation constantly revising to keep pace with changes in cyber security. Outcomes from trials can result in changes to interpretations of existing laws & creation of new laws.

Cyber threats are global, they can be affected by legislation from other jurisdiction.

2002, British hacker Gary McKinnon hacked the US Department of Defence and NASA. Fought extradition for 10 years, British Government block extradition in 2012.

Data Protection Act 1998 (DPA)

Legally obliged to act responsibly with personal information relating to any living individual held in computer databases.

Information Commissioner’s Office (ICO) uphold the DPA, ensures access to information held by public authorities is freely available.

DPA stops data being held or used unnecessarily, exchanged without good reason, ensure it is held securely & provide redress if individuals feel data has been misused.

Data Protection Register held by ICO – list of organisations holding data.

Data – representation of information stored, conveyed or manipulated.

Information – data presented in particular contexts.

Polls collect data from individuals, it is then manipulated and interpreted and presented as information.

Data controllers, in relation to DPA, are employees who store, manipulate or retrieve personal information stored on computers.

DPA based around eight principles of good information handling.

Inadvertent breaches of DPA may be prosecuted although no harm was intended.

Regulation of Investigatory Powers Act 2000 (RIPA)

Governs use of surveillance technologies by public bodies e.g. the police, intelligence services and local authorities.

Ensures strict safeguards in place with regards to intrusive powers such as intercepting communications, bugging, covert CCTV and undercover agents.

Overseen by Interception of Communications Commissioner, the Intelligence Services Commissioner and the Chief Surveillance Commissioner.

Investigatory Powers Tribunal – independent senior lawyers & members of judiciary – hear complaints relating to exercise of the powers under the Act.

RIPA allows certain public bodies to access communications – telephone & internet – when proportionate to special investigation. May include names, addresses & telephone numbers of individuals, time & duration of calls, source & destination of emails and location of mobile devices.

Warrant for interception of communications issued by Secretary of State.

Computer Misuse Act 1990 (CMA)

CMA drawn up after two hackers who hacked Prestel in 1988 failed to be prosecuted under Forgery and Counterfeiting Act 1981 as the high courts determined the Act had not been intended for this purpose.

Original CMA introduced three new criminal offences:

  • Unauthorised access to computer materials
  • Unauthorised access with intent of committing or aiding further offences
  • Unauthorised modification of computer materials

Unauthorised, in this context – attacker must be aware they are not intended to use computer in question.

Amendments include offences such as:

  • Denial of access or service to legitimate users
    • DoS attacks criminal offence in UK
  • Creation and use of hardware or software might aid attack on computer
    • Software used to break passwords
    • Malware
    • Also software sued by forensic experts to investigate computer crime

Fraud Act 2006

Introduced to simplify complex Theft Act.

Only in 1996 that obtaining money via a fraudulent bank transfer became specifically illegal in UK.

Fraud Act defines fraud in three ways:

  • False representation
  • Failing to disclose information
  • Abusing power

Defendant’s conduct must be dishonest with intention of making gain or causing loss, or risk of loss. No actual gain or loss needs to occur, could have been unsuccessful.

Section 11 references electronic fraud, can prosecute in response to:

  • Dishonestly obtaining electronic communications services such as telephone, ISP or television subscription
  • Cloning mobile phones so that calls made on one handset are billed to another
  • Reprogramming mobile phones to interfere with operation or to change unique identifier
  • Breaking encryption on encrypted communications service such as subscription based television services or telephone conversations

Lawful Business Practise Regulations

Under UK law, employers have certain rights to monitor communications made by employees.

Authorised under Telecommunications (Lawful Business Practise) (Interception of Communications) Regulations 2000 SI 2000/2699. Sometimes called IC Regs.

  • Can record telephone calls, store telephone numbers, email and website addresses, storage of email and attachments
  • Employers can ensure networks not used to bring company into disrepute – offensive emails, illegal activities or inappropriate use of resources

Companies monitor networks to meet legal requirements – financial organisations offer ‘health warnings’ to customers.

IC Regs exception to general understanding that it is unlawful to intercept communications unless authorised to. Interception can be made under special conditions, where both parties consent – could be condition of employment.

Employers must still ensure that Human Rights Act and DPA are adhered to when monitoring employees.

European Economic Area

UK also subject to European laws.

Member states have roughly same laws relating to EU directives.

Some leeway in interpretation, may be slight differences between countries laws.

Who should you contact?

Responding to identity theft

  • Loss of important docs (passport, payment cards etc.) reported to issue immediately
  • Report any unexplained transactions to bank/credit card company
  • Credit reference agencies record applications and use of financial products
    • CallCredit
    • Experian
    • Equifax

Personal data and security

  • Don’t enter personal information if site is not secure

Bank card fraud

  • Notify card issuer straight away if there is suspicious transactions on account
  • Card issuer will investigate case and advise
  • Also contact police and complete crime report

Getting your computer working again

Recovering from virus or other malware

  • Update antivirus software
  • Isolate machine
  • Start in safe mode
  • Remove virus
  • Think about cause of how to safe guard in the future

Recovering from accidentally deleting a file

Recovering from lost computer, disk or flash drive containing confidential data

  • Was data encrypted with strong encryption with strong password?
  • If acting as an employee, obliged under DPA to contact either organisation DPA enforcer or Information Commissioner’s Office
  • May need to contact organisation if lost data relates to them

Recovering from operating system failure

  • Microsoft Windows (XP onward) has Restore Point feature
  • Windows saves configuration daily, before updates or before installation of unsigned software
  • Macs (10.5 or later) have Time machine, backs up both files and system configuration
  • Hourly backups for past day, daily backups for past month and weekly backups for anything older

Making your information less vulnerable

User accounts and passwords help secure data.

Computer and mobile devices should be configured to require login or passcode. Also to lock after period of inactivity.

Network firewall on router and personal firewall on computer help stop attackers getting into computer.

Up to date antivirus helps stop malware from deleting, encrypting or stealing your data.

Consider encryption for very sensitive documents.

User accounts

  • Varying levels of access, includes:
    • Guest – only perform limited tasks, unable to change configuration
    • Administrator – able to do pretty much anything
    • Users – limited access, usually unable to install software
  • Even on own computer, sensible to use a restricted access user account day-to-day and only use admin account for specific tasks

File permissions

  • Files and folders have permissions
    • Write – file can be edited
    • Read – can be read and copied
    • Execute – can be executed as a program
  • Different users have different sets of permissions
    • User A may have read only
    • User B, the owner, may have read, write and execute
    • User C may have no access to the file at all
  • File can be copied (read permissions) and although not edited directly, the information could be extracted to a new file where user has full rights

Disabling ports

  • USB ports can be used to attach external device and copy data to them
  • These ports can be disabled either via the OS or a specific piece of software

Locks

  • Easiest way to steal data is to steal computer/device
  • Most computers/devices have slot to allow locking to table or wall bracket

Protecting your data for the future

Backups protect us from threats including:

  • Accidental deletion of files or programs
  • Lose of disk, computer or memory cards
  • Hardware failures including disk crash
  • Software bugs
  • Disasters such as flooding or fire
  • Crimes including terrorism, theft, sabotage, hacking

Backup Media

Optical storage

  • CDs, DVDs & Blu-ay
  • Most common is writeable DVDs – DVD-R, DVD+r, DVD-RW etc
  • DVD = 4.7GB
  • Dual layer DVD = twice DVD
  • Blu Ray = 25GB
  • Dual layer Blu Ray = 50GB
  • Three layer Blu Ray = 100GB
  • Advantages
    • Hardware and media widely available and cheap
    • Most new devices are backward compatible
    • Small physical size allowing for large amounts of data to be stored in small space
    • Media is robust
  • Disadvantages
    • Slow compares to hard disks
    • Some types of disc not so widely supported
    • Low capacity compared to hard disks, useful for backing up key data but not entire drives

Magnetic disks

  • Most computers have space for second internal hard disk to store backups
  • Can be used as externally attached back up devices
  • Network Attached Storage (NAS) – attached to network via Ethernet or wifi
  • Redundant Array of Independent Disks (RAID) used to provide resilience
  • Advantages
    • Relatively cheap with increasingly large capacity
    • External disks are portable
    • Many manufacturers, widely compatible
    • Many back-up programs to use with hard disks
  • Disadvantages
    • Fragile, easily damaged
    • If used once only and archive becomes expensive

Solid state drives (SSDs)

  • Stores data in memory chips
  • Used in memory sticks
  • More commonly used in nearer laptops
  • Advantages
    • Same as hard disks plus
    • More robust
    • Faster read/write times
    • No noise as no moving parts
  • Disadvantages
    • More expensive than magnetic disks
    • Currently max capacity is 1TB

Remote backups

Offsite backups

  • Specialist companies offer facilities to hold backups
  • Could be extremely secure vault
  • Increasingly they are large server farms on high speed networks
  • UKs largest site is Telehouse UK in London Docklands
  • Facility covers 45,00 square metres

Backing up to the cloud

  • Certain amount of storage space available free in many cases
  • Designed for convenience
  • Can be used to transfer files between computers
  • Backups can be encrypted
  • No protection in case of deleted files

Cloud security

  • Unless further steps are taken, once in cloud can no longer be sure data is safe from prying eyes
  • Example – Apple iCloud leak
  • Some companies may have policies against cloud storage
  • Should use encryption to ensure data in Cloud is safe

Archiving data

Most media is reused after certain period of time, old backups overwritten with new data.

Businesses need to retain backups for number of years due to legal and tax reasons.

Important files of historic or legal interest should be kept indefinitely.

 

Advertisements

From → Cyber Security

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: