Week 11 Flashcards
Security for Information Systems
Why are Systems Vulnerable?
- System complexity
  – Testing not extensive enough
  – Unanticipated problems
- Unauthorised access always possible
- Human error
  – Procedures not always known
  – People couldn’t be bothered with procedures
- Use wireless even when wired connections available
- Don’t use virus checkers, etc.
- Fail to back up data
  – Poor audit means that nobody checks
Why has IT spend on security grown?
Some of this was driven by more extensive use of IT in the pandemic
- Electronic rather than physical interactions with customers
- Remote working by employees
What is Cyber Risk?
- Cyber Risk is the risk of any financial loss, disruption or negative reputational impact because of a failure in IT systems; whether through people, process or technology.
- risks emanating from the use of electronic data and its transmission, including tools such as the Internet and telecommunications networks;
- physical damage caused by cyber-attacks;
- fraud committed by misuse of data;
- liability arising from data use, storage and transfer;
- availability, integrity, and confidentiality of electronic information – be it related to individuals, companies or governments.
What does Cyber Insurance Cover?
- Covers expenses resulting from
  – Investigation: to determine what occurred, how to repair damage and how to prevent the same type of breach from occurring again
  – Business losses: network downtime, business interruption, data loss recovery etc.
  – Privacy and notification: to customers and other affected parties
  – Lawsuits and extortion: includes legal expenses for the release of confidential information, legal settlements and fines
Examples of Cyber Risks
- Business interruption
- Contingent business interruption
  – caused by related third parties (supplier/customer)
- Data and software loss
- Intellectual property theft
- Network Security/Security
- Breach of Privacy Compensation
- Reputational Damage (excluding legal protection)
- Compensation for crisis management/remediation actions requiring internal or external experts
- Cyber ransom and extortion
- Financial theft and/or fraud
- Regulatory & Legal Defence costs
- Incident response costs
- Fines and Penalties
- Communication and media
Your cyber insurance cover includes:
- Protection against GDPR non-compliance claims
- Compensation for income loss due to a data breach
- Help to recover from reputational damage
- Forensic investigations to aid data recovery, plus legal advice
- Help notifying regulators after an attack
- Repair/replacement for damage to equipment
- Indemnity for supplier losses
- Consultancy support
- Liability support if someone alleges you’ve transmitted a virus
Cyber First Aid
- Wi-fi
  – Change default router password
  – Don’t use public wifi without a VPN
- Passwords
  – Secure devices with passwords, PINs, biometrics
  – Use encryption and two factor authentication
- Back up data
  – Check the back-ups work!
- Use antivirus software
- Review app permissions
- Keep personal and work data separate
Belt and Braces Control of Security Planning Principles
Management Control
Each department manages its own controls affecting people, processes and technology.
Risk Management
Centralised control of the enterprise, including compliance, legal, quality control and financial control.
Internal Audit
Third force that checks the adequacy of the controls in place. This might include some external assistance from experts.
Minimum Permissions
- Minimum Permissions
  – Access control is limiting who can use resources AND limiting their permissions
  – Permissions are what they are allowed to do
  – People should be given minimum permissions, the least they need to do their jobs, so that they cannot do unauthorised things
Types of Controls
- Physical protection
  – Restricted physical access
  – Locks
  – Barriers
  – Security chains
- Software controls
  – Passwords
  – Disk encryption
  – IP/location restriction
- Biometric controls
  – Individuals’ unique characteristics
  – Fingerprints
  – Voice prints
  – Retinal patterns
Reusable Passwords
– Strings of characters typed to authenticate the use of a username (account) on a computer.
– They are used repeatedly and so are called reusable passwords.
Major Incident Response
- Major incidents are incidents the on-duty security staff cannot handle.
- Company must convene a computer security incident response team (CSIRT).
- CSIRTs should include
  – members of senior management,
  – the firm’s security staff,
  – members of the IT staff,
  – members of affected functional departments,
  – the firm’s public relations and legal departments.
Managing Internet Threats
- Use of firewalls
  – Prevent unauthorised access to the company’s system at the point of connection to the Internet
- Adopt procedures for Internet usage
- Establish protocol for incoming mail
- Keep all virus checkers and OS software up to date
- Harden new machines before connecting to the Internet
  – Install the virus checker first, then other software