2. What is Data Security
• Some Definitions – the protection of a database from destructive forces
and the unwanted actions of unauthorized users.
• Some Problems associated with Data Security
-Data Tampering
-Eavesdropping and Data Theft
-Falsifying User Identities
-Password-Related Threats
-Unauthorized Access to tables and Columns
-Unauthorized Access to Data Rows
-Lack of Accountability
IS6120 Data Security 2
4. • Open reel magnetic tape was introduced in the 1950s. These tapes
could store 5MB to 150MB of data and marked an evolutionary step in
data storage and data protection.
5. • Physical attacks on data can also be known as tampering
• Tampering is a physical action type defined as unauthorized altering or interfering
with the normal state or operation of an asset rather than, for instance, altering
software or system settings. (Verizon 2011)
• Still a Security Threat today due to:
• Sensitive Data Left in Plain View
• Unlocked, Accessible Computer Systems
• Data Loss
• Data Cabling Accessible from Public Areas
6. New Avenues to steal data
• Network
• E-mails
• Applications
• Thirty years ago, the first computer virus appeared. Since then, cybercriminals
have created millions of viruses and other malware—email
viruses, Trojans, Internet worms, spyware, keystroke loggers—some spreading
worldwide and making headlines.
• The Internet provides more opportunities for hackers to steal data, and
data theft is increasing.
7. Data Theft
• Data theft is the deliberate theft of information, rather than its accidental
loss. Data theft can take place both inside an organization (e.g., by a
disgruntled employee), or by criminals outside the organization.
• Examples
• 2012 - Belgian credit provider Dexia was blackmailed for a payment of
€150,000 (US$197,000) to prevent hackers from publishing confidential
information.
• 2011 - Sony Corp suffered breaches that placed 100M customer accounts at
risk, costing the company up to $2 billion.
8. What types of threats exist?
• A lot of viruses and other malware exist; the most common types are listed below.
• More than 403 million unique variants of malware detected by Symantec in 2011
• Malware
• A drive-by download
• Denial-of-service (DoS) attack
• Trojan
• Email hoaxes – “Good Times”
• Phishing
• Spear-phishing
• SQL Injection
9. Definitions of Threats
• A drive-by download is the infection of a computer with malware when a user
visits a malicious website. Drive-by downloads occur without the knowledge of the
user. Simply visiting an infected website may be sufficient for the malware to be
downloaded and run on a computer.
• SQL Injection is an attack technique used to exploit how web pages communicate
with back-end databases. An attacker can issue commands (in the form of specially
crafted SQL statements) to a database using input fields on a website.
• Spearphishing is targeted phishing using spoof emails to persuade people within a
company to reveal sensitive information or credentials. Unlike phishing, which
involves mass-emailing, spearphishing is small-scale and well-targeted.
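An added example (not from the slides) showing, in Python with the standard-library sqlite3 module and a constructed users table, why building a query from input-field text is the flaw behind SQL Injection and how a parameterised query neutralises it:

```python
"""Constructed demo of the SQL injection risk on slide 9 and its fix.
Uses an in-memory SQLite database with made-up rows."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct-horse", "alice@example.com"),   # constructed data
        ("bob", "battery-staple", "bob@example.com"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    # The statement is assembled by string concatenation, so whatever the
    # user typed into the input fields becomes part of the SQL text itself.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # Parameterised query: the driver passes values separately from the SQL
    # text, so quotes in the input are always data, never SQL syntax.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def looks_suspicious(value):
    # Cheap check for logging/alerting on odd input; it is a detection aid
    # only and not a substitute for parameterised queries.
    return any(token in value for token in ("'", ";", "--"))
```

With a normal username and password both functions return the one matching account; with a quote-bearing string in the password field the concatenated version returns every user while the parameterised version returns none.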
10. Security software and hardware
• Antivirus software
• Firewalls
• Device control
• Network access control
• Application control
11. Threat prevention
• Firewall acts as a barrier between networks or parts of a network, blocking
malicious traffic or preventing hacking attempts.
• Anti-malware software can defend you against viruses and other malware threats
including Trojans, worms and, depending on the product, spyware.
• Anti-spam programs can detect unwanted email and prevent it from reaching user
inboxes.
• Appliances are a combination of hardware and software security elements in one
solution. This lets you plug appliances in rather than installing the software
separately.
• Intrusion prevention systems (IPS) monitor network and systems for malicious
activity.
• Network access control (NAC) protects your network and the information on
it from the threats posed by users or devices accessing your network.
12. Ensure data protection
• Encrypt your computers, emails and other devices and use a firewall
• Use device and application control
• Only allow compliant computers to access your network.
• Implement outbound content controls
• Disable AutoRun functionality- In February 2011 Microsoft automatically
disabled AutoRun, preventing malware from copying itself to host
computers and shared network drives from devices such as USB drives.
• With more than 403 million unique variants of malware detected by
Symantec in 2011, enterprises should be updating security virus and
intrusion prevention definitions at least daily, if not multiple times a day.
13. What is Mobile Computing?
• A generic term used to refer to a variety of devices that allow
people to access data and information from wherever they are
• Mobile Computing embraces a host of portable technologies that
make internet access on the go not only possible, but integral to
everyday life
• A recent Gartner report claimed that “Mobile Computing is the
future”
• Report also suggests that mobile phones will overtake PCs as the
most common web access device worldwide
14. Security Risks of Mobile Computing
• A Fishnet Security survey found that Mobile Computing is the top
security concern for organizations
• Of the professionals surveyed, the top concern was:
35% Mobile Computing
27% Social Networks
20% Other
18% Cloud Computing
15. Security Risks of Mobile Computing
• The popularity of mobile computing is accelerating; as their sales
reach a critical mass, smartphones and tablets will become prime
targets of malware attacks
• There are now more than 1 billion active Smartphones, one for
every seven people on the planet
• As with any computing solution, tablet PCs and Smartphones are
exposed to software threats
• However, Mobile brings additional risks like theft or accidental loss
where sensitive data can be lost
16. Bring Your Own Device (BYOD)
• The idea behind BYOD is that users can use a personal device such as a
Tablet or Smartphone for both personal and business use
• This scenario of users bringing in their own devices to connect to a
corporate network could result in malware spreading through the
corporate network
• BYOD multiplies the number of networks, applications, and end-points
through which data is accessed
• Moving data across different devices and networks is increasing security
risks by opening sensitive corporate data to leaks and attacks
• This has led to some people dubbing BYOD “Bring Your Own Disaster”
17. The Issue With Mobile Browsers
• On Mobile Browsers, even experts have trouble
determining the legitimacy of a website due to a lack of an
icon that shows the browser is using Secure Sockets Layer
(SSL)
• These icons, which are present on almost all desktop
browsers, quickly tell users if the site is secure and
legitimate, e.g. the padlock icon
• Once developers figure out a smart and consistent way to
implement SSL, everyone will be more secure and better
served
18. Mobile Payments
• Despite its convenient and futuristic qualities, the
mobile platform was not designed as a secure
application environment
• Lots of sensitive data is stored or entered on your
Smartphone, and because it is connected to the
internet at all times, the Smartphone is at great risk from
malware designed to grab sensitive information
19. Example: NASA Data Security Breach
• Last year, data breaches occurred in the space agency NASA as a
result of the theft of 48 portable electronic devices
• Among the data compromised were International Space Station
command-and-control codes and employees’ personal information
• As a result NASA has enacted new policies including mandatory full-
disk encryption for NASA-issued computers that go off the premises
• In addition, NASA will forbid employees from storing sensitive
information on mobile devices such as Smartphones and Tablets
20. Possible Steps to Minimise Security
Risks
• You’ll never eliminate all of the potential risks, but you
can minimise the threats
1) Know your hardware and operating systems
2) Think before you store
3) Shop for Apps securely
4) Install updates
21. Social Networks – Problems with Security &
Data Privacy
• Use of the internet is changing
• Huge growth in the volume of personal
information being shared on the web
• Huge opportunities for businesses
22. Issues with Social Networks
• Personal Information
• National incentives are ineffective
23. Security Issues in the Future of Social
Networking
1. Storage of personal data
2. Tools for managing personal data and how it
is viewed
3. Access control to personal data based on
credentials
4. Tools for finding out who has accessed
personal data
25. Examples of Social Networking Sites
• “Just received a job offer. Hooray!”
• “I’m tired of all the rain.”
• “Looking forward to the family vacation next
week at Disney World.”
27. • “The boss just laid off 32 employees. I hear there
may be more coming on Wednesday.”
• “Rumor has it that the Acme Widgets acquisition fell
through.”
• “Working to troubleshoot a major software bug we
just found.”
• “I just posted a funny video of myself frying a rodent
at the restaurant where I work.”
29. How much will providers actually allow the
export and open transfer of their data stores?
• Social Networking is becoming the preferred
way to manage personal data
• Identity Theft & Authentication
• Web of Trust Techniques
31. Possible Steps
1. Each user is issued a token
2. Every time user A is accepted as a friend by another
user, A's token is given positive/negative trust
training
3. User A suspects User B is not who they say
they are
4. User A knows user B personally
5. Scores aggregated
32. ...continued
6. Tokens are visible
7. Tokens are transferable
8. Key can be extended
Source:
http://www.gfi.com/whitepapers/Social_Networking_and_Security_Risks.pdf
33. Password Protection
• Video explaining password protection:
http://www.youtube.com/watch?v=FtqwXzNebeU
• Thanks for listening