Information Security - PowerPoint PPT Presentation

Provided by: DSmi4
Transcript and Presenter's Notes

1
Information Security
  • ECDL / Vocational Computing

2
Introduction
  • sending, receiving and storing information
  • information security
  • UK legislation
  • threats to information security
  • public key cryptography

3
Sending Receiving Information
  • 1836 - development of the 'telegraph' - high
    speed communication of information
  • connected cities and towns together and allowed
    messages to be sent and received in a matter of
    minutes
  • 1866 - transatlantic cable allowed information to
    be sent between the UK and the US in a few
    minutes
  • previously, the fastest that information could
    travel was 10 days by ship
  • the need to encode information so that it could
    be sent along a single wire led to Morse Code
  • uses a system of 'dots' and 'dashes' or 'dits'
    and 'dahs' to represent the alphabet
  • words are coded letter by letter into a series of
    'dits' and 'dahs'
  • the 'dits' and 'dahs' are physically represented
    in the cable by switching a current on for a short
    time (dit) or a longer time (dah), with gaps
    between letters and words
  • at a remote location, the current is detected,
    and the 'dits' and 'dahs' are decoded back into
    letters and words

4
The Morse Alphabet
5
Transmitting Information
  • computer scientists represent the high and low
    voltages with '0's and '1's - the 'binary' number
    system
  • in the ASCII code, for example:
  • A 01000001
  • B 01000010
  • C 01000011
  • D 01000100
  • etc... (lower-case letters have one extra bit set,
    so 'a' is 01100001)
  • the '0's and '1's are referred to as bits
  • each ASCII character is stored in eight bits,
    which is called a byte
  • a passage of text will be made up of lots of
    bytes - one byte per letter...
  • 1024 bytes is called a 'Kilobyte', KB
  • 1024 Kilobytes is called a 'Megabyte', MB
  • 1024 Megabytes is called a 'Gigabyte', GB
  • 1024 Gigabytes is called a 'Terabyte', TB
  • strictly, the 1024-based units are KiB, MiB, GiB
    and TiB; disk manufacturers count in 1000s, and a
    lower-case 'b' (Kb, Mb) means bits, not bytes

6
Storing information
  • every part of the computer system uses '0's and
    '1's
  • the BIOS program is held as '0's and '1's in the
    system ROM
  • the operating system program in RAM is held as
    '0's and '1's
  • the report you're typing is held as '0's and '1's
    in RAM while you work on it, and then saved to
    the hard disk as '0's and '1's when you're
    finished
  • information is stored as a sequence of bytes
    physically on storage media
  • on a DVD the data is a spiral track of microscopic
    'pits' pressed into a reflective layer - a laser
    shines on the disk, and a change in the reflected
    light (pit to flat surface or back) is read as a
    '1', no change as a '0'
  • the hard disk is coated with magnetic material -
    '0's or '1's are physically represented by the
    direction of magnetisation of tiny regions
  • USB keys (flash memory) store '0's and '1's as
    electrical charge trapped inside tiny devices
    called floating-gate transistors

7
Information Security
  • protecting information and systems from
    unauthorized access, use, disclosure, disruption,
    modification or destruction
  • unauthorized access - eg logging in to the
    university network with someone else's username
    and password
  • use - eg paying with a stolen credit card number
  • disclosure - eg revealing medical records to a
    future employer
  • disruption - eg a virus, or a flood of traffic
    that takes a server down
  • modification - eg altering your mark on the
    university's record system
  • destruction - eg deleting someone's essay because
    they nicked your beer out of the fridge...
  • when information security is compromised, we
    should assume that no part of the system remains
    safe

8
Data Protection
  • refers specifically to the obligations that
    organisations are under in the UK relating to
    information held on individuals
  • most countries have something similar
  • the rules are designed to provide a reasonable
    compromise between organisations and individuals
    where personal data is concerned
  • set out in the Data Protection Act 1998 (since
    replaced by the Data Protection Act 2018 and the
    UK GDPR, which keep the same basic principles)
  • overseen by the Information Commissioner's Office
    (ICO) - an independent regulator
  • considers issues relating to the abuse of
    personal information...
  • ...hopefully consistent with the principles of
    Information Security

9
Data Protection Act 1998
  • gives individuals the right to find out what
    information an organisation holds on them (a
    'subject access request')
  • organisation may charge a 'reasonable' fee, up to
    £10
  • organisations that 'process' personal information
    must notify the Information Commissioner and
    comply with eight principles
  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without
    adequate protection
  • some core business purposes, such as staff
    administration (payroll) and marketing (mailing
    lists), are exempt from the notification
    requirement - but not from the eight principles

10
Computer Misuse Act 1990
  • makes it an offence to knowingly secure
    unauthorised access to a computer system
    (section 1)
  • makes it an offence to do so with intent to
    commit or facilitate a further offence
    (section 2)
  • makes it an offence to make an unauthorised
    modification to a system so as to impair its
    operation or hinder access to data (section 3)
  • maximum sentence is 2 years imprisonment for
    section 1 and 10 years for section 3
  • Police and Justice Act 2006 amended the CMA to
    include
  • 'making, supplying or obtaining articles for use
    in computer misuse offences' (section 3A) - Home
    Office refers to these as 'hacking tools'
  • also includes 'Denial of Service' attack -
    flooding a machine with network requests so that
    it stops responding
  • as from 1 October 2008 these changes are in force
    as part of the CMA itself

11
Computer Misuse Act 1990
  • wording of the act is designed to include pretty
    much anything
  • just gaining access is a crime - if you log in
    and then log out again you can still be convicted
  • using someone else's username and password is a
    crime - you don't have to crack the system to be
    convicted
  • Some criticism of the Act and updates
  • doesn't distinguish between those who are
    'curious' and those that want to cause damage or
    obtain credit card details, for example -
    trespass vs burglary
  • very broad - 'hacking tools' can be used to
    describe many common applications with legitimate
    uses, such as network monitoring programs

12
Problems - network attacks
  • Denial of Service - usually aimed at large
    organisations
  • attempts to disable systems such as web servers
    by flooding them with network requests
  • sometimes the requests are deliberately malformed
    ('poisoned packets') so that handling them
    crashes or confuses the server
  • those that launch the attacks usually have large
    numbers of personal computers all over the world
    under their control via malware (a 'bot-net'),
    which is why the flood cannot be stopped by
    blocking a single address
  • solution - 'firewall'
  • internet connection passes through a machine
    called a firewall that tries to block bad packets
    and unauthorised requests
  • most routers have a firewall capability -
    sometimes you have to 'unblock' access to VPN,
    for example
  • 'personal firewall' - software on your own
    machine that tries to block network access, eg
    Zone Alarm
  • Windows XP has a firewall under the 'Security'
    control panel - 'feature' that blocks ports that
    should never have been open in the first place...
  • a firewall deals with malformed packets and
    unwanted services; a large flood of perfectly
    valid requests fills the connection itself and
    has to be filtered upstream by the provider
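Before a flood can be blocked, someone has to notice which addresses are sending it. The following is an added example, not part of the original presentation: it parses constructed web-server access lines (Apache/nginx 'combined' layout, RFC 5737 documentation addresses) and reports clients whose request rate inside a sliding window exceeds a threshold. The window, the threshold, the addresses and the log content are assumptions made for the example.

```python
"""Spotting a request flood in web-server access logs.

Added example, not from the original slides. The log lines are constructed
(Apache/nginx 'combined' style, RFC 5737 documentation addresses); the
window and threshold are assumptions to be tuned for a real site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# client_ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Return (client_ip, timestamp) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts = m.group(1), m.group(2)
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def flood_sources(lines, window=timedelta(seconds=10), threshold=50):
    """Map each client IP to its peak request count inside any `window`,
    keeping only clients whose peak exceeds `threshold`.

    A sliding window over the sorted timestamps costs O(n) per client,
    which matters when the flood itself is what makes the log large.
    """
    stamps = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            stamps[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, ts in stamps.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] >= window:   # drop requests older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed log: one flooding client, one normal client, one junk line."""
    fmt = '{ip} - - [12/Oct/2008:10:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.7", sec=i // 20) for i in range(120)]  # 120 hits in 6 s
    lines += [fmt.format(ip="198.51.100.20", sec=s) for s in (0, 15, 30, 45)]
    lines.append("garbage that is not a log line")
    return lines


if __name__ == "__main__":
    print(flood_sources(sample_log()))   # {'203.0.113.7': 120}
```

The flagged addresses are what you would feed into a firewall block list; against a bot-net the list is long and changes constantly, which is the point the slide makes about why a flood is hard to stop at the target.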

13
Problems - malware
  • viruses - programs that are installed or run
    without the user's knowledge or authorisation
  • are able to replicate themselves and install onto
    other systems
  • sometimes able to hide
  • sometimes perform malicious actions such as
    deleting files
  • Trojan horses - appear to be useful programs but
    do something malicious when run
  • worms - make copies of themselves onto other
    machines via a network
  • macro worms/viruses - use the macro functions of
    documents such as Word and Excel to replicate and
    spread
  • virus checking programs are essential
  • without an anti-virus application you don't know
    if there is a virus on your machine (even with
    one, a new virus can sometimes get in)
  • your machine could be being used in a Denial of
    Service attack and you wouldn't know (bot-nets)
  • a lot of viruses, especially the older ones, wait
    for a particular day before running eg Friday
    13th

14
Problems - loss of data
  • Data loss is a fact of life
  • PCs crash due to hardware faults and badly behaved
    software
  • hard disks fail due to old age and build faults
  • storage media degrade - archived data cannot be
    read
  • always the risk of theft, fire, etc
  • the only solution is to keep backups
  • simple steps - always select 'File', 'Save As...'
    and choose a new name when you edit a file (so
    you still have the last version)
  • copy everything to a DVD at regular intervals
  • where important data is concerned backups should
    be held off-site
  • large amounts of data employ the 'grandfather -
    father - son' model - rotate backup media so that
    daily ('son'), weekly ('father') and monthly
    ('grandfather') copies are kept, giving several
    generations to fall back on rather than just the
    last one
  • a backup you have never tried to restore is not
    a backup - test restores regularly
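The grandfather-father-son rotation is a retention policy, and the question it answers every day is "which of these media can be overwritten?". The following is an added example, not from the original presentation, that works that out for a set of backup dates; the input (one backup per day through 2008) is constructed, and the retention counts (7 daily, 4 weekly, 12 monthly) are assumptions.

```python
"""Grandfather-father-son backup retention.

Added example, not from the original slides. The backup dates are constructed
(one backup per day for 2008); the retention counts are assumptions.
"""
from datetime import date, timedelta


def gfs_retain(backups, today, daily=7, weekly=4, monthly=12):
    """Return the sorted subset of `backups` (date objects) to keep.

    son:         every backup from the last `daily` days
    father:      the most recent `weekly` Sunday backups
    grandfather: the first backup of each of the last `monthly` months
    Everything else is free to be overwritten on the next rotation.
    """
    backups = sorted(d for d in set(backups) if d <= today)
    keep = set()
    # son: recent dailies
    keep.update(d for d in backups if (today - d).days < daily)
    # father: weekly copies, taken on Sundays (weekday() == 6)
    sundays = [d for d in backups if d.weekday() == 6]
    keep.update(sundays[-weekly:])
    # grandfather: earliest backup in each month; `backups` is sorted, so
    # setdefault keeps the first one seen for that month
    first_in_month = {}
    for d in backups:
        first_in_month.setdefault((d.year, d.month), d)
    for month in sorted(first_in_month)[-monthly:]:
        keep.add(first_in_month[month])
    return sorted(keep)


def expired(backups, today, **policy):
    """Backups whose media can be reused under the same policy."""
    kept = set(gfs_retain(backups, today, **policy))
    return sorted(d for d in set(backups) if d <= today and d not in kept)


# constructed input: a backup was taken every day of 2008 (a leap year)
YEAR_2008 = [date(2008, 1, 1) + timedelta(days=i) for i in range(366)]


if __name__ == "__main__":
    for d in gfs_retain(YEAR_2008, date(2008, 12, 31)):
        print(d)
```

For the constructed year this keeps 22 of the 366 copies: the last seven days, the last four Sundays (one of which is also a daily) and the first backup of each month. The off-site copy from the slide above is normally one of the grandfathers.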

15
Problems - unauthorised access
  • the data on your machine is held as '0's and '1's
  • 'low level' disk editors and network monitors are
    widely available (quite rightly, otherwise
    technicians wouldn't be able to fix problems)
  • anyone can get those '0's and '1's once they have
    the storage media or access to your network
  • the solution is to use 'Encryption'
  • when data is encrypted it cannot be understood
    without the key to decrypt it
  • if someone gets the '0's and '1's of your secret
    file off your disk, it will be indistinguishable
    from 'random data'
  • strong encryption cannot be broken by trying every
    possible key within a 'reasonable period of time'
    - for a properly sized key, far longer than a
    lifetime
  • the weak point is usually the password the key is
    derived from, not the cipher: a short or guessable
    password can be tried in hours

16
Problems - unauthorised access
  • network connections can be encrypted
  • 'HTTPS' - a website uses a 'secure server' which
    sets up an encrypted connection (TLS) with your
    browser
  • VPN - virtual private network - encrypts the
    connection between your machine and an
    organisation's network
  • files and folders can be encrypted
  • applications such as PGP (Pretty Good Privacy)
    can be used to encrypt emails and files on disk
  • Windows can encrypt individual folders on your
    disk (EFS): folder Properties, Advanced, 'Encrypt
    contents to secure data'
  • other applications can encrypt the whole disk,
    including the operating system (eg TrueCrypt;
    its development stopped in 2014 and VeraCrypt is
    the maintained successor)

17
"Public Key Cryptography"
  • imagine you want to send someone a message, but
    you're afraid that it will be intercepted and
    read...
  • ...but if you encrypt the message you need to
    tell the other person how to decrypt it
  • you could send them the instructions on how to
    decrypt the message, but the instructions could
    be intercepted as well!
  • there are various solutions that are not wholly
    satisfactory
  • meet them and swap cipher keys - may as well just
    swap message?
  • meet them once and send lots of messages - what
    if the key is found and you're still sending
    messages?
  • base the cipher on something that changes - time
    and date, phase of the moon - what if your system
    is discovered?

18
"Public Key Cryptography"
  • public key cryptography solves these problems
  • imagine you were able to buy a box made of the
    hardest material in the universe - nothing will
    cut it
  • imagine it had a lock that could not be picked in
    less than 10 thousand years, and only you have
    the key
  • now if someone wants to send you a message, they
    ask you to send them your box...
  • you unlock the box, send it to them. They put the
    message in the box, slam the lid, and send it
    back to you...

19
"Public Key Cryptography"
  • this is the principle at work when your browser
    connects to a secure server (HTTPS)
  • you click a link that points to a secure web
    server (eg an on-line retailer like Amazon)
  • your browser requests a 'lock' from Amazon's web
    server
  • the server sends the 'lock' (its public key) -
    only the server has the matching private key,
    which never leaves the server
  • in practice the browser does not seal everything
    with the lock directly: the lock is used to set up
    a fresh, random 'session key' for this connection
    (older versions of TLS seal the session key in the
    box; newer ones use a related public-key technique
    called Diffie-Hellman key agreement)
  • the session key then encrypts your credit card
    details and everything else in both directions -
    this is much faster, and it means the browser does
    not need to send a 'lock' of its own
  • if someone monitors your network connection they
    can see all the '0's and '1's, but they can't
    make any sense of them without the session key
  • they cannot get the session key from what they
    see, because only Amazon's private key can open
    the box, and that key never leaves the server
  • the missing piece is knowing that the lock really
    came from Amazon and not from someone sitting in
    the middle of the connection - that is what the
    server's certificate, signed by a certificate
    authority your browser already trusts, is for
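The box-and-lock exchange of the last three slides, written out as an added example that is not part of the original presentation. It uses textbook RSA on toy-sized primes: the server makes a lock (public key) and key (private key), the browser seals a message with the lock, and the server opens it. It then shows the catch the slide's "there's no way for them to get the key" glosses over: because the lock is public and raw RSA is deterministic, an eavesdropper can seal every plausible guess for a short secret (a PIN, a card number) and compare against the sealed box, without ever touching the private key. The second half adds random padding so the same message seals differently each time, which is why real protocols use padded or hybrid schemes. The primes, the PIN and the ad-hoc padding layout are assumptions made for the example.

```python
"""Public-key 'box and lock' walkthrough with textbook RSA on toy-sized primes.

Added example, not from the original slides. The primes, the card 'PIN' and
the padding layout are constructed for illustration; real keys are 2048 bits
or more and real protocols never use raw RSA like this.
"""
import random

# Toy primes: far too small to be secure, large enough to make the point.
P, Q = 1000003, 1000033


def make_keypair(p=P, q=Q, e=65537):
    """Return (lock, key): the public lock (n, e) and the private key (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def lock(public, m):
    """Anyone holding the lock can seal an integer message m < n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def unlock(private, c):
    """Only the holder of the private key can open the box."""
    n, d = private
    return pow(c, d, n)


def confirm_guess(public, ciphertext, candidates):
    """What an eavesdropper can do with only the lock and the sealed box:
    seal every guess with the same public lock and look for a match.
    Raw RSA is deterministic, so a short secret is recoverable this way
    even though the private key never leaked."""
    return [m for m in candidates if lock(public, m) == ciphertext]


# --- the same exchange with randomised padding ---------------------------
MSG_BITS = 16          # toy message size (a 4-digit PIN fits in 16 bits)
PAD_BITS = 20          # random bits prepended to every message


def lock_padded(public, m, rng=random):
    """Prepend fresh random bits so that sealing the same m twice gives
    different boxes. (Illustrative only: real systems use OAEP, or seal a
    random session key and encrypt the data with that, not this padding.)"""
    if not 0 <= m < (1 << MSG_BITS):
        raise ValueError("message too large for toy padding")
    r = rng.randrange(1, 1 << PAD_BITS)
    return lock(public, (r << MSG_BITS) | m)


def unlock_padded(private, c):
    """Open the box and strip the random padding."""
    return unlock(private, c) & ((1 << MSG_BITS) - 1)


def demo():
    public_lock, private_key = make_keypair()    # server generates once
    pin = 4242                                   # constructed secret
    box = lock(public_lock, pin)                 # browser seals with the lock
    assert unlock(private_key, box) == pin       # server opens with the key
    # eavesdropper: sees public_lock and box, never private_key
    recovered = confirm_guess(public_lock, box, range(10_000))
    # same secret, padded: the guess-and-compare attack finds nothing
    box2 = lock_padded(public_lock, pin, random.Random(1))
    assert unlock_padded(private_key, box2) == pin
    not_recovered = confirm_guess(public_lock, box2, range(10_000))
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())   # ([4242], [])
```

The first list shows the PIN recovered from the unpadded box by trying 10,000 guesses against the public lock; the second is empty because the padded box corresponds to a value outside the guessed range, and the eavesdropper cannot tell which padding was used without the private key.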

20
Security and Privacy
  • we have large amounts of information that we want
    to be kept secure: credit card numbers, personal
    information such as photographs, letters to loved
    ones, job applications, etc, etc
  • strong encryption enables us to prevent
    unauthorised access
  • you can send your credit card to a retailer
  • you can email your spouse
  • your spouse can send you a photograph
  • you can keep information with you on a keyring
    and not care if it gets lost
  • what happens when someone wants to commit a
    crime?
  • employee copies information from work
  • someone embezzles funds and all the evidence is
    on a Truecrypt volume
  • communications between organised criminals are
    encrypted before sending by email

21
Further information
  • TrueCrypt - encryption application that can be
    used to encrypt USB drives to protect personal
    information (no longer maintained since 2014;
    VeraCrypt is its successor)
  • Avira Personal - antivirus application that's
    free for personal use
  • Information Commissioner's Office (ICO) - official
    information about the Data Protection Act and
    lots about privacy and security
  • Computer Misuse Act from the Office of Public
    Sector Information (now published at
    legislation.gov.uk)