6.1 How would you feel if all the data about you was stolen and used by someone else?
As a group consider how your life would be affected if all the data about you was:
- stolen so that you could not get to it.
- stolen so that someone else could also use it.
6.1 Principles of information security
Confidentiality – information can only be accessed by individuals, groups and processes authorized to do so
Not only is this a key aspect of information security but it is also a legal requirement under the Data Protection Act 1998 (the law in force when this page was written; it has since been replaced by the Data Protection Act 2018 and the UK GDPR, which carry the same duty). It is the responsibility of the organisation to ensure that data is safe and to take all reasonable measures to protect it. These measures could be physical, such as keeping the data in a lockable cupboard, or electronic, such as restricting access to the computer network that holds the data.
Integrity – information is maintained, so that it is up-to-date, accurate, complete and fit for purpose
This is another practical as well as legal consideration. Inaccurate data can lead to conclusions being drawn from false information, or to time being wasted on phone calls to numbers that no longer exist or are no longer relevant. The requirement to keep data accurate and up to date is also part of the Data Protection Act 1998.
Organisations should have a planned pattern of data maintenance. This could simply be a process of checking the data periodically, possibly by sending contacts a list of the data currently held about them and asking them to confirm that it is correct. Organisations should also have a culture of checking and reporting when data is inaccurate. For example, a tutor may try to phone a parent to pass on information. If they find that the student's home phone number on the school system is wrong, the tutor should be able to report that so the record can be corrected.
Availability – information is always available to and usable by the individuals, groups or processes that need to use it
The challenge here is making sure that the data is available to those who need it (and in a format that they can use) and making sure that it is kept safe from unauthorised access.
One of these challenges is that if the data is not easily accessible, users may decide to make their own copy. This is a security risk: the more copies of the data that exist, the harder it is to protect, and an unofficial copy sits outside the organisation's backups and access controls. Therefore, organisations need to ensure that their information systems and associated hardware and software work as intended, so that staff do not feel the need to make extra copies.
Unauthorised or unintended access to data
Unauthorised access to data is any occasion on which data is seen or used by someone who should not see or use it. The access may be deliberate, as in espionage, where the aim is to gain an advantage over the original data holder (for example by stealing sensitive commercial information), or it may be the result of poor information management. The latter includes accidental access, such as a member of the public finding a discarded printout, or being able to read data over the shoulder of a member of staff working in a public area.
There are two possible impacts here. Firstly, if the data is sensitive, a competitor may gain an advantage from seeing it and secondly there is a possible infringement of the Data Protection Act 1998 if the lost data includes anything personal.
Accidental loss of data
Accidental loss of data refers to a loss of the data itself rather than a copy or version of the data. Therefore in the previous example the loss of a printout would not result in the loss of the source of the data.
There are two main causes. First, human error: someone deletes a file or throws away paperwork. Second, technical error or equipment fault: for example, the computer on which a database is stored could fail. In either case the data is only truly lost if there is no appropriate backup.
A further impact would be that the organisation will have breached the Data Protection Act 1998 if the lost data included personal information, and so would be liable to prosecution.
Intentional destruction of data
This is generally motivated by a desire to harm the organisation that holds the data. Examples include malware that deletes or encrypts the data held (encrypting malware of this kind is known as ransomware), or a targeted attack in which a third party gains access to the data and destroys it. When data is destroyed the organisation has three options: recreate it from scratch, which costs money and damages reputation and trust; restore it from an off-site backup once the breach has been detected and the way in has been closed; or ignore the loss, in which case any benefit of having held the data in the first place is gone. The impact therefore depends on the relevance of the data that is lost and on whether a recent, uncompromised backup exists.
As with accidental loss of data there is also a potential impact caused by the failure to comply with the Data Protection Act 1998.
Intentional tampering with data
Tampering means that the data is changed in some way but remains available to the data holder. There are a number of possible motives. For example, a student who wishes to change their exam scores (see the clip below) gains access to a teacher's laptop; an organisation may wish to change the figures in a rival company's research; or a government may seek to influence the outcome of an election in another country to obtain a favourable result.
In each case the impact on the data-holding organisation is that any decisions based on the data will be flawed. A secondary impact may be damage to the organisation's reputation, as it may be seen to have poor data security. Note that the person making the change wants it made in secret: once the change is known, the original data can be recovered from a backup copy, so tampering is defeated by detection, for example by comparing the current data against a trusted backup.
Loss of intellectual property
Intellectual property is a creation of the mind that belongs to its creator: a written report, a design for a new machine or a piece of artwork would all be intellectual property. The impact of its loss depends on the nature of the item taken, copied, changed or accessed. If a hacker copied or removed the plans for a prototype of a new product this would have a significant effect on the originator even if copies survive in the off-site backup, because a competitor now holds the design too.
Loss of service and access
A hacker who obtains vital log-on details could use services that you have paid for. This may result in a worsening or total loss of your service. For example, a hacker who obtains a wi-fi log-on password (or, worse still, a household that has not changed the default password on its wi-fi router!) could reduce your bandwidth. If the hacker then changed the password to something else, the wi-fi service would become inaccessible to you.
At home a lost wi-fi password is easily fixed by resetting the router (press the reset button to return it to factory settings, then set a new, stronger password). However, where the service is controlled by a third party, they may have to be contacted before any passwords are reset, so the system is unusable until that third party has been reached and the change made.
Worryingly, if the stolen passwords were for systems that were set up internally, their loss could result in the total loss of the system. For example, this web site uses passwords that can be edited via the admin account, but there is also direct access to the MySQL database that manages the passwords, stored at the hosting location, which the hosting company's staff can reach without a password should it be necessary.
Failure in security of confidential information
If data is not kept securely, it is accessible to others. Where that data includes confidential data the loss means that confidential data is potentially available to all. The impact of this depends on why the data was confidential in the first place.
Loss of information belonging to a third party
An attack on a business's servers affects not only the business but also any business or individual whose data it holds. Data in the cloud is held on servers owned by other businesses, so if the organisation that loses data is a cloud service provider, the data lost will belong to third parties.
Loss of reputation
If an organisation fails to keep data safe, it has failed to meet its legal and moral obligations and so may be viewed negatively by many customers and potential customers, leading to a loss in revenue and a net loss of customers. The TalkTalk hacks cost the company at least 100,000 customers but, according to the Guardian, not a loss of revenue. That said, the reputation of its CEO still plummeted.
Threat to national security
National security may be defined as protecting the citizens of a country against a direct physical threat to that country, together with threats to its financial security and its infrastructure.
Therefore, any data or information that is stolen could be a threat to national security. Clearly the theft of the address of a random individual is less of a threat than the theft of the design of a prototype being developed by a large UK business with international links and a multi-million pound annual turnover, or of the location of a military testing station.
Recent cases of failures of information security
Failures of information security are often huge news. These could be failures by the state or by businesses or individuals within the state.
You have been asked to research recent failures of information security for a newspaper article. You need to provide well supported (corroborated) information about three different failures.
Your research needs to focus on:
- The cause of the failure
- The impact of the failure on the business or organisation involved
- The impact of the failure on members of the public
- Any action taken by the organisation to reduce the chance of the failure happening again.
Present your research as a table showing the key data required.
Individually, use your groups research to write the newspaper article.
Organisations need to have policies in place that allow data to be protected. Staff access rights place limits on which members of staff have access to which files: the more sensitive the document, the fewer members of staff should have access to it. Individual staff can be made responsible for the security of data in their own area. This gives more focused security than having one person responsible for all the data, and because the responsibility appears in the individual's job description there is a greater incentive to take it seriously. Alongside this policy there should be staff training on how data of any type should be handled. This may focus on sensitive data, but could also include general training on data protection and other key areas.
A data recovery policy covers how data should be backed up to protect against deletion, corruption or deliberate alteration and is part of a disaster recovery policy.
6.5 Physical protection
Locks, keypads and biometrics
Physical protection may also be used to protect data. Access to individual workstations or server rooms can be physically prevented by locking doors, by locking screens via a keypad, or by padlocking machines (through the security slot built into the case, which stops a laptop from being carried away).
Although biometrics uses digital means to gather information, the protection it provides is still physical. For example, a biometric sensor can scan a physical characteristic such as a finger print or retina scan and use these to control access to secure resources and facilities.
Placing computers above known flood levels
One form of information loss that is often overlooked is loss through natural causes, such as flooding. Placing machines on the second floor where flood water cannot reach (it is hoped) is a simple but effective form of protection. A by-product is that it makes casual theft more difficult, as the thief has further to travel through the building.
Backup systems in other locations
Backup does not prevent data loss or theft but mitigates the effect of data being corrupted, deleted or lost, because it provides a copy of the original file or folder. (A backup cannot undo the theft of a copy: if confidential data has been stolen, holding another copy does not make it confidential again.) A backup only contains the data as it stood when the backup was taken; anything added since will be lost.
All organisations should have a backup policy based on the need to protect vital information, with the backup taken at a time when most of the vital data has been captured. For example, an overnight backup would be appropriate for an organisation that adds data between 9:00 am and 6:00 pm but adds no more until the next morning.
It is also possible to back up only the changes as they occur: every time you save a file the operating system writes it to the location you specified and also writes a small record of the change to a backup location, which is itself copied off-site later in the day. Should the original file need replacing, the last full backup is restored and the saved changes are replayed on top of it, giving back the lost file in its entirety up to the last change that was copied off-site.
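The following is an added example, not code from the original page: a toy in-memory model of the "full backup plus journal of changes" scheme described above. It also shows the caveat in the text, that anything saved after the last journal copy was shipped off-site cannot be recovered. File names and contents are constructed sample data.

```python
# Added example (not from the original page): a toy model of a full backup plus
# a journal of changes, kept in memory so it runs anywhere. All file names and
# contents below are constructed sample data.


class BackupSystem:
    def __init__(self):
        self.live = {}             # working storage: file name -> contents
        self.full_backup = {}      # the last complete copy, taken overnight
        self.journal = []          # one small record per save or delete
        self.journal_copied = 0    # how many journal records have been copied off-site

    def save(self, name, contents):
        """Write the file where the user asked, and record the change."""
        self.live[name] = contents
        self.journal.append(("save", name, contents))

    def delete(self, name):
        self.live.pop(name, None)
        self.journal.append(("delete", name, None))

    def full_backup_now(self):
        """Overnight job: copy everything, then start a fresh journal."""
        self.full_backup = dict(self.live)
        self.journal = []
        self.journal_copied = 0

    def copy_journal_offsite(self):
        """Daytime job: ship the change records accumulated so far."""
        self.journal_copied = len(self.journal)

    def restore(self):
        """Rebuild storage from the full copy plus every change that reached the
        off-site location. Records after journal_copied were still only on the
        failed disk, so they are not available to a restore."""
        restored = dict(self.full_backup)
        for op, name, contents in self.journal[: self.journal_copied]:
            if op == "save":
                restored[name] = contents
            else:
                restored.pop(name, None)
        return restored


def simulate_disk_failure():
    """Return (restored, unrecoverable): what comes back and what was saved too late."""
    b = BackupSystem()
    b.save("report.txt", "v1")
    b.save("draft.txt", "scratch notes")
    b.full_backup_now()                       # overnight full copy

    b.save("report.txt", "v2")                # the next day's work
    b.save("budget.xlsx", "Q1 figures")
    b.delete("draft.txt")
    b.copy_journal_offsite()                  # journal shipped at lunchtime

    b.save("report.txt", "v3")                # saved after the last journal copy
    before_failure = dict(b.live)

    b.live.clear()                            # the disk fails
    restored = b.restore()
    unrecoverable = {
        name: contents for name, contents in before_failure.items()
        if restored.get(name) != contents
    }
    return restored, unrecoverable


if __name__ == "__main__":
    restored, lost = simulate_disk_failure()
    print("restored:", restored)
    print("lost (saved after the last journal copy):", lost)
```

The restore brings back report.txt at v2 and the new budget file, and correctly does not resurrect draft.txt, but v3 of the report is gone: that is exactly the gap between the last off-site copy and the moment of failure that a backup policy has to decide how much of to tolerate.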
Security staff are sometimes considered to be a form of physical security as they are a physical restriction on access to data simply because they reduce the risk of an unauthorised intruder accessing the storage system.
Shredding old paper records
This form of protection is effective in protecting data falling into the wrong hands. If paper records are not shredded then there is a risk that confidential or sensitive data may be found and used by others.
When Iranian students took control of the American embassy in Tehran in 1979 they found many shredded documents that the embassy staff thought had been put beyond use. Over the next six to nine months the students laboriously pieced the shredded strips back together like a jigsaw puzzle and managed to recreate the majority of the original documents. Modern cross-cut shredders cut the paper into small pieces (around 1 cm or smaller) rather than long strips, so this is no longer practical.
6.6 Logical protection
This final level of protection uses digital or logical methods to protect data.
Tiered levels of access to data
This form of protection is the application of the staff access rights policy: it is the process of making certain information accessible only to certain staff. Depending on the access relevant to their job role, a person may have no access at all to some information stored on the system. They may have "read only" rights, meaning they can look but not touch. Or they may have full access, meaning they can amend the data as well. Anything not explicitly granted should be refused.
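An added example, not code from the original page, of tiered access in working form. The roles, document types and access table are constructed for illustration; a real system would take them from a directory service rather than a hard-coded dictionary. The point it demonstrates is the one in the paragraph above: rights are granted per role and per class of document, "read only" and "full access" are checked separately, and anything not listed is refused and logged.

```python
# Added example (not from the original page): deny-by-default tiered access.
# Roles, document types and the access table are constructed for illustration.
from enum import Flag, auto


class Access(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()


# Which role may do what to which class of document. The more sensitive the
# document type, the fewer roles appear against it. Anything absent is denied.
ACCESS_TABLE = {
    "timetable":        {"tutor": Access.READ | Access.WRITE, "office": Access.READ},
    "student_contacts": {"tutor": Access.READ, "office": Access.READ | Access.WRITE},
    "safeguarding":     {"head": Access.READ | Access.WRITE},
}

audit_log = []   # every refused attempt is recorded so misuse can be spotted later


def permitted(role, document_type, wanted):
    """True only if the role's granted rights include everything in `wanted`."""
    granted = ACCESS_TABLE.get(document_type, {}).get(role, Access.NONE)
    ok = (granted & wanted) == wanted
    if not ok:
        audit_log.append((role, document_type, str(wanted)))
    return ok


class Document:
    def __init__(self, document_type, text):
        self.document_type = document_type
        self._text = text

    def read(self, role):
        if not permitted(role, self.document_type, Access.READ):
            raise PermissionError(f"{role} may not read {self.document_type}")
        return self._text

    def write(self, role, text):
        # "Read only" means look but don't touch: WRITE is a separate right.
        if not permitted(role, self.document_type, Access.WRITE):
            raise PermissionError(f"{role} may not change {self.document_type}")
        self._text = text


def try_write(doc, role, text):
    """Attempt a change and report whether it was allowed (for demonstration)."""
    try:
        doc.write(role, text)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    contacts = Document("student_contacts", "01234 567890")    # constructed sample data
    print("tutor reads:", contacts.read("tutor"))
    print("tutor may change:", try_write(contacts, "tutor", "01234 000000"))
    print("office may change:", try_write(contacts, "office", "01234 000000"))
    print("refused attempts:", audit_log)
```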
Firewalls
Because firewalls monitor the traffic in and out of a network, any traffic that does not match a rule permitting it is refused passage in or out of that network. Data is therefore protected from unauthorised access from outside the organisation, and also from being sent out of the network by something inside it. A firewall only controls traffic crossing the network boundary; it does nothing about a member of staff who already has legitimate access inside the network.
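An added example, not code from the original page, of the rule-matching a firewall performs. The network addresses, the ruleset and the sample traffic are constructed for the demonstration (Internet-side addresses use the reserved 203.0.113.0/24 and 198.51.100.0/24 documentation ranges). It shows both directions of protection described above: an inbound connection to anything other than the public web service is dropped, and an outbound connection from the database server is blocked even on a port that staff machines may use.

```python
# Added example (not from the original page): a minimal stateless packet filter.
# Rules are checked in order, the first match wins, and anything unmatched is
# dropped (default deny). Addresses, rules and traffic are constructed data.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str
    proto: str
    src: str         # CIDR; "0.0.0.0/0" means any address
    dst: str
    dports: tuple    # empty tuple means any port

    def matches(self, p):
        return (self.direction == p.direction
                and self.proto == p.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (not self.dports or p.dport in self.dports))


ANY = "0.0.0.0/0"
LAN = "10.0.0.0/24"

RULESET = [
    Rule("allow", "in",  "tcp", ANY, "10.0.0.5/32", (443,)),          # public web server only
    Rule("deny",  "out", "tcp", "10.0.0.20/32", ANY, ()),              # database server never talks out
    Rule("allow", "out", "udp", LAN, "198.51.100.53/32", (53,)),       # DNS to the approved resolver
    Rule("allow", "out", "tcp", LAN, ANY, (80, 443)),                  # staff web browsing
]


def decide(packet, rules=RULESET):
    """Return 'allow' or 'deny' for one packet; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


def filter_traffic(packets, rules=RULESET):
    return [(p, decide(p, rules)) for p in packets]


SAMPLE_TRAFFIC = [                                        # constructed
    Packet("in",  "tcp", "203.0.113.7", "10.0.0.5", 443),  # customer visiting the website
    Packet("in",  "tcp", "203.0.113.7", "10.0.0.5", 22),   # SSH attempt at the web server
    Packet("in",  "tcp", "203.0.113.7", "10.0.0.20", 3306),# direct attempt at the database
    Packet("out", "tcp", "10.0.0.12", "203.0.113.9", 443), # staff PC browsing
    Packet("out", "tcp", "10.0.0.20", "203.0.113.9", 443), # database server sending data out
    Packet("out", "tcp", "10.0.0.12", "203.0.113.9", 25),  # staff PC sending mail directly
]

if __name__ == "__main__":
    for packet, verdict in filter_traffic(SAMPLE_TRAFFIC):
        print(f"{verdict:5} {packet.direction:3} {packet.proto} "
              f"{packet.src} -> {packet.dst}:{packet.dport}")
```

Rule order matters: the explicit deny for the database server sits above the general browsing rule, otherwise an attacker who had compromised that server could push data out over port 443 and the allow rule would match first.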
Anti-malware software
Any software that protects a computer from malware fits into this category. Anti-virus protection is the most common generic type, but other software such as pop-up blockers and anti-spyware would also be included.
Obfuscation
Obfuscation is purposefully making something unintelligible so that it cannot be understood. For example, code may be obfuscated to prevent it from being stolen and modified. A human finds obfuscated code very hard to read but, as the meaning remains the same, computers can still run it. Obfuscation can be carried out by individuals or, more commonly, by specialist software. In examination questions you are more likely to be asked about data obfuscation than code obfuscation. Code obfuscation is designed to make code hard to reverse engineer, so that a third party cannot edit it and pass it off as their own. Data obfuscation, or "data masking" as it is sometimes called, is designed to prevent a specific individual being identified from data that is made available to others.
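An added example, not code from the original page, of data masking applied to a small student dataset. The records and the masking key are constructed; in practice the key would come from a key store and never sit in source code. The example goes a little beyond the paragraph by showing three masking techniques together: direct identifiers are dropped, the student ID is replaced by a keyed pseudonym (a plain hash of a short, guessable ID could be reversed by hashing every possible ID, which is why the key matters), and the postcode and date of birth are generalised so they no longer pin down one person while the exam scores remain usable.

```python
# Added example (not from the original page): data masking / pseudonymisation.
# The dataset and the key are constructed for the demonstration.
import hashlib
import hmac

MASKING_KEY = b"constructed-demo-key-do-not-reuse"   # constructed; load from a key store in practice

RAW_RECORDS = [                                        # constructed sample data
    {"student_id": "S1001", "name": "A. Example", "postcode": "CB2 1TN",
     "dob": "2006-03-14", "exam_score": 71},
    {"student_id": "S1002", "name": "B. Example", "postcode": "CB2 3QZ",
     "dob": "2006-11-02", "exam_score": 58},
    {"student_id": "S1001", "name": "A. Example", "postcode": "CB2 1TN",
     "dob": "2006-03-14", "exam_score": 64},          # same student, second exam
]


def pseudonym(identifier, key=MASKING_KEY):
    """Keyed hash of an identifier: the same ID always gives the same token, so
    records can still be linked, but without the key the token cannot be
    reversed even by trying every possible ID."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:12]


def mask_record(rec, key=MASKING_KEY):
    """Drop direct identifiers, pseudonymise the ID, generalise the rest."""
    return {
        "student_ref": pseudonym(rec["student_id"], key),
        "postcode_area": rec["postcode"].split()[0],   # "CB2 1TN" -> "CB2"
        "birth_year": int(rec["dob"][:4]),             # full date of birth is not kept
        "exam_score": rec["exam_score"],               # the value the analysis needs
    }


def mask_dataset(records, key=MASKING_KEY):
    return [mask_record(r, key) for r in records]


if __name__ == "__main__":
    for row in mask_dataset(RAW_RECORDS):
        print(row)
```

Whoever holds the key can still link a token back to a student, so the key must be protected as carefully as the original data; the masked copy, on the other hand, can be shared more widely.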
Encryption of data at rest
Data at rest refers to data that is stored on digital media while it is not being transferred between devices. It is becoming common practice to encrypt data while it is stored, because one can never be sure when a hacker may attempt to get into a device or when a device may be lost or stolen. If the stored data is encrypted, whoever ends up with the device or a copy of its files cannot read them without the key.
Encryption of data in transit
Data in transit refers to data that is being sent between two users or systems. Most commonly this is via email, but from the work in LO1 you should be aware that there are many ways in which data can be transferred. As with data at rest, it is good practice to protect data while it is in transit. This protects against interception (such as the interception of emails) as well as against theft of the device or media being used to transport the data.
Password protection
A password could be applied to the file, folder or storage device on which the file is held. This method of protection is effective if the password is strong, and in most cases it dissuades the casual hacker who simply wants to look at your data. A determined hacker, however, will try common passwords and dictionary words first and then work through shorter combinations, so a short or predictable password will fall quickly. A long, unpredictable password is a different matter: even with powerful computers and good password-cracking software it would take years to find.
This does not mean that you should not password protect your data, just that you should be aware that a password alone does not guarantee that the file will not be accessed.
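An added example, not code from the original page, of what password protection of a file rests on and how it fails. A key is derived from the password with a deliberately slow standard-library function (PBKDF2 with a random salt), so each guess costs the attacker real work; the file can only be unlocked by someone who re-derives the same key. The wordlist and the two passwords are constructed for the demonstration, and the iteration count is kept low so the example runs quickly; real systems use far more.

```python
# Added example (not from the original page): password-based protection with a
# slow key derivation, and the dictionary attack that defeats a weak password.
# The wordlist and passwords are constructed for the demonstration.
import hashlib
import hmac
import os

ITERATIONS = 50_000   # deliberately slow: every guess costs the attacker this much work


def protect(password, iterations=ITERATIONS):
    """Derive the key that would unlock the file; store salt and key, never the password."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}


def unlock(password, record):
    """Re-derive the key from the offered password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


# A tiny stand-in for the multi-million-entry lists attackers actually use (constructed).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein",
                    "summer2019", "password123", "Password1"]


def dictionary_attack(record, wordlist=COMMON_PASSWORDS):
    """Try each common password in turn; return the one that unlocks, or None."""
    for guess in wordlist:
        if unlock(guess, record):
            return guess
    return None


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every password of this length at this guess rate."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    weak = protect("password123")
    strong = protect("orbit-kettle-7-marble-quay")
    print("weak password recovered:", dictionary_attack(weak))
    print("strong password recovered:", dictionary_attack(strong))
    # 8 lower-case letters vs a 16-character mixed password at 10,000 guesses/s
    print("years, 8 lower-case letters:", round(years_to_exhaust(26, 8, 10_000), 1))
    print("years, 16 mixed characters:", f"{years_to_exhaust(62, 16, 10_000):.3g}")
```

The slow derivation caps how many guesses per second the attacker gets from each machine; the password's length and unpredictability decide how many guesses are needed. Protection comes from both together, and a wordlist password gets no benefit from either.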
1. Explain how the concepts of confidentiality, integrity and availability each impact on holders of information.
2. Explain two ways in which unauthorised access to information may impact on the holders of information.
3. What is meant by the term intellectual property?
4. Explain two different methods of disaster recovery that could be used by an organisation.
5. Describe two physical methods of data protection.