By Ravi Miranda, on 16 February 2018
Why classify information?
Information should be classified so that everyone with access knows how to protect it.
To protect information consistently, it is of paramount importance that there is a pan-organisational scheme for classifying information. This scheme should also inform users how information should be handled according to its requirements for confidentiality, integrity and availability. To elaborate further, the classification of data helps determine what baseline security controls are appropriate for safeguarding that data. By implementing an information classification scheme the organisation can endeavour to meet its legal, ethical and statutory obligations
Information classification can also protect the interests of the stakeholders of the organisation and about whom the organisation may hold information.
Levels of information classification
There are several levels of classification that can be applied to information. For example, HM Government Security Classification includes: Official, Secret and Top Secret which is based on 4 principles. Not all organisations may require such stringent principles when adopting an information classification scheme. However, each organisation must evaluate the risks in terms of reputational loss, loss of business, lawsuits, inadvertent disclosure of information. In some cases, an external partner may not share any further information if the organisation has been known to share information without appropriate controls e.g. encryption.
I’ve outlined some simple steps to help you get started.
Information Management Policy and guidance
It is important to develop an information management policy and guidance for your organisation. This should be commensurate with risks that your organisation may face and the expectations of your stakeholders. It is necessary to consider the legal and regulatory requirements of the country that your organisation operates in. It is also very helpful if a process for classifying and handling information is developed and adopted.
Staff should undergo awareness training to ensure that they are aware of their responsibilities in managing information that they’ve been entrusted with. This can be tailored according to the kind of information that the staff deal with. Awareness training must be regularly carried out with periodic refresher courses as necessary.
At UCL, we have created a classification tool to help with classifying a specific information asset. See https://opinio.ucl.ac.uk/s?s=45808
By Ravi Miranda, on 8 December 2017
Phishing – What’s that?
Phishing is an email that fools targeted individuals into parting with private information. Mostly this includes credit card details, but could also involve tricking the victim to transfer money or installing malware on their device. In this blog, I will explain how to detect the majority of phishing emails and giveaway clues that might trick you into giving away confidential information
The art of the phish
Cyber criminals may research their targets well in advance in order to gain maximum benefit from the phish. As an example, the attacker may trawl the business social media sites, where the Personal Assistant of the CEO has mentioned their details online. The attacker crafts a very targeted mail to the PA which leads to the PA releasing private information.
You receive email from your bank regularly, but an email that threatens your account will be closed if you don’t respond urgently with your Secret Answer and card information may be a phishing attack.
The Anatomy of a phish
Some quick pointers on how to spot a phish
From Email address
The mail seems to have been sent from a legitimate organisation, but the FROM address is from a personal address. Is the email being sent to other people that you do not work with or do not know them either.
Just because you received an email from your friend does not mean that they sent it. Your friend’s account may have been compromised or their computer may have been infected with malware. If you received an email from a friend or a colleague that seems out of place, call them on the phone and inform them.
Be careful of an email that has a generic salutation. Are you expecting a mail from this organisation? An organisation that emails you should know your name
Check for grammar and spelling mistakes. All reputed businesses proof read their mails before sending them. Is there a threat? Does the email require you to carry out an immediate action? This is not a good sign, as there is an urgency to get the recipient to make a mistake. Companies will not seek your personal information.
Will your mailbox be disabled overnight? Never! Check the University’s webpages, call the Service Desk and verify.
Is there an incentive? Did you win the lottery? Most definitely not! Did a prince leave you his legacy? Really? So offers that are too good to be true, are not true.
Exercise caution here. Are you expecting this link? Hover your mouse over the link, does the link make sense? The link should reflect what is mentioned in the content.
Is there an attachment that you are being asked to open? Are you expecting the attachment? Click only if you are expecting an attachment in the format (extension) that is shown.
3 steps to avoid getting phished
1. Think before clicking on links or attachments
2. If it looks ‘phishy’ it most certainly is. Report it to the ServiceDesk or verify with the sender.
3. You are the last line of defence, if in doubt, throw it out!
By Daniela Cooper, on 24 November 2017
When thinking about what you need to consider about information security when using Excel, the common ones are probably:
- keeping Excel patched and up-to-date,
- not accidentally sending confidential information in an Excel spreadsheet to someone who shouldn’t have access to that information.
Do those considerations extend to being mindful of what information is contained within a vlookup range?
It turns out that Excel caches the information held in a vlookup range, thus making that information available to the spreadsheet where it has been referenced, even when the original information is deleted.
The following page explains it better than I can:
I cannot find anywhere that Microsoft warns its users that this happens and to be careful not to accidentally leak confidential information in this way.
The ICO (Information Commissioners Office) have fined organisations for leaking confidential information is this way, one organisation was fined £185K. The ICO have written a good guide on ‘How to disclose information safely’:
The only advice we can offer is, if you are sharing information in a spreadsheet that uses vlookups:
- save the file as .csv, this format does not support features such as vlookup.
- Export the information to a pdf.
A couple of other considerations:
- When using filters in Excel, don’t forget that others can change those filters and have access to the full information.
- When sending Excel spreadsheets that contain confidential information, password protect them and give the password by phone not email. Password protected Excel files are encrypted using AES 128-bit encryption, just remember to use a good password with upper-case and lower-case characters, numbers and symbols.
Updated to include guidance from the ICO.
By Gen Cralev, on 17 October 2017
Security researchers have announced a major security vulnerability in the WPA2 protocol yesterday called KRACK (Key Reinstallation Attacks). WPA2 (WiFi Protected Access II) is the encryption protocol that secures all modern WiFi networks. It was designed to provide wireless networks with stronger data protection and network access control. The current vulnerability exploits a weakness in the encryption process, allowing an attacker to eavesdrop on wireless traffic. An attacker may also be able to inject and manipulate data (e.g. uploading malware to a website).
Most devices that support WiFi are affected by this vulnerability until the manufacturers release a patch to address it. If exploited, an attacker will be able to steal sensitive information that a client device sends to an access point on a wireless network. This may include credit card details, passwords, chat messages, photos etc. Malicious software can also be loaded onto the device, causing further damage.
What can I do?
Certain precautions can be taken to ensure that you do not fall victim to such an attack. Firstly, ensure that all communication is encrypted – for example, by only browsing sites over HTTPS. Most sites support HTTPS by default. For those that don’t, this feature may be enabled with an extension such as “HTTPS Everywhere” which forces websites to work in HTTPS mode whenever possible. Whenever browsing a website that requires any data input, check to make sure that ‘HTTPS’ is in the address bar and a green padlock is visible. Secondly, use a VPN provider which creates an encrypted tunnel between your device and the VPN host, encrypting all traffic automatically. UCL provies a free VPN service for all staff and students. Lastly, update your wireless devices as soon as patches becomes available. If possible, avoid using WiFi and use a wired connection instead!
By Gen Cralev, on 18 August 2017
There is a well-known model within information security called the CIA triad (a.k.a. AIC triad to avoid confusion with the Central Intelligence Agency). The letters stand for Confidentiality, Integrity and Availability. In this blog post I will briefly define each of these concepts and look at some examples of how they are incorporated into the policies, procedures and standards of an organisation.
Confidentiality refers to data being accessible only by the intended individual or party. The focus of confidentiality is to ensure that data does not reach unauthorised individuals.
Measures to improve confidentiality may include:
- Sensitive data handling and disposal
- Physical access control
- Storing personal documents in locked cabinets
- Logical access control
- User IDs, passwords and two-factor authentication
- Data encryption
Integrity is roughly equivalent to the trustworthiness of data. It involves preventing unauthorised individuals from modifying the data and ensuring the data’s consistency and accuracy over it’s entire life cycle. Specific scenarios may require data integrity but not confidentiality. For example, if you are downloading a piece of software from the Internet, you may wish to ensure that the installation package has not been tampered with by a third party to include malicious code.
Integrity can be incorporated in a number of ways:
- Use of file permissions
- Limit access to read only
- Cryptographic signatures
Availability simply refers to ensuring that data is available to authorised individuals when required. Data only has value if it is accessible at the required moment. A common form of attack on availability is a Denial of Service (DoS) which prevents authorised individuals from accessing the required data. You may be aware of the recent ransomware attack on UCL. This was a DoS attack as it prevented users from being able to access their own files and requested for a ransom in exchange for reinstating that access.
In order to ensure availability of data, the following measures may be used:
- Regular backups
- Off-site data centre
- Adequate communication bandwidth
Each aspect of the triad plays an important role in increasing the overall posture of information security in an organisation. However, it can sometimes be difficult to maintain the right balance of confidentiality, integrity and availability. As such, it is important to analyse an organisation’s security requirements and implement appropriate measures accordingly. The following information classification tool has been developed for use at UCL to help classify the level of confidentiality, integrity and availability of data: https://opinio.ucl.ac.uk/s?s=45808. Have a go – the results aren’t saved.
By Bridget Kenyon, on 31 July 2017
Brace yourself: we are heading into the Unknown Land of Terror and Tedium. Yes, the domain of the Auditor!
Seriously, though, it isn’t as scary, or as boring, as that. Having carried out audits for two different security standards (ISO/IEC 27001 and PCI DSS), I have visited that Land, and am able to unveil its mysteries to you. I’ve also been audited, so have seen both sides of the process.
First, dismiss any thought of auditing being uniform across all standards. Auditors are trained very differently depending upon what they are auditing against. For example, payment card audits are very technical, while 27001 audits can be carried out by non-technical (but trained and experienced) people.
It’s auditing, so there must be a list…
Having said that, there are significant similarities between the audits I have been involved in. As this is about audit, there needs to be a list:
- You have to audit against something, a fixed point of comparison. This is usually a standard. You can audit against policy, too.
- Audits tend to have predefined possible outcomes: e.g. pass or fail.
- Audits also produce “non-conformities”, or “findings” relating to parts of the document which you are auditing against.
- Audits look for evidence of compliance; positives, not negatives. A good auditor is looking for reasons to give their client a pass.
- Hard evidence is key to the whole thing. There is a saying: if it’s worth doing, it’s worth documenting. But proof doesn’t have to be documentation. Some standards can be satisfied by everyone demonstrably doing the same thing.
- Auditors usually test part of the environment to be audited, not the whole thing. So even if you pass an audit, that’s not bullet-proof.
- There are two different types of audit: internal and external.
- External auditors are from a company specialising in audit, which is usually “accredited” to prove that it provides a good quality of audit.
- Internal auditors are often internal to your company, but can be from another company. They do not have to be accredited, as their findings are private to the company being audited.
- Internal audits usually look at part of the standard to be audited against, not the whole thing. More of a spot check than a full review.
- If you are an external auditor from an accredited auditing company, and the company you audit passes the audit, it can say that it is “certified”. Not “accredited”!
- You can be asked to audit part of an environment, not the whole thing. This can get really messy if it isn’t clearly agreed and documented.
- Auditors tend to think of EVERYTHING as a process.
To sum up
I hope that this has given you a little peek inside the world of auditing, and that it wasn’t as tedious or unsettling as you expected!
By Bridget Kenyon, on 31 July 2017
There are a number of special terms which are bandied about in the world of information security. Today let’s look at “governance”. Even in the rest of the business world, the term is a little slippery. People use it in conjunction with “strategy” a lot. Let’s start by taking a look at it by itself; what can we see?
Governance is in the eye of the beholder
I like to think of this as being the proverbial “elephant described by people who have only seen a part of it” situation. People who are in hands-on operational roles see one facet. People in top management see another, and external organisations yet another. It could be a source of edicts; it could be a lever to move the earth (cf Galileo), or it could even be a magic Harry Potter mirror in which one can see what one cares about the most.
What about when it’s not there?
OK, so governance looks different to everyone, depending on what your role is. Next, we can ask ourselves what is it for? Or more interestingly, what happens if you don’t have governance?
One thing you don’t get is a clear idea of where you are going, and how close you are to getting there. Another thing you don’t get is any idea of what is and isn’t allowed. You have a good chance of going round in circles.
The purpose and definition of governance
The main purpose of governance, then, is to provide direction and purpose to an organisation.
As to what it is, I like the definition used by the World Bank:
“[the process] by which authority is conferred on rulers, by which they make the rules, and by which those rules are enforced and modified.”
This makes a bit more sense at last. We can apply this definition very cleanly to the arena of information security, where we consider the rules to be relating to information risk management, and the “rulers” to be the organisation’s top management, e.g. the senior management team, or the board of directors. It incorporates the idea of delegation, of creation, and of enforcement and monitoring.
Do we already address governance in information security?
If you look at the text of ISO/IEC 27001, you will find that it is essentially a blueprint for information security governance. It also goes into a bit of depth on management, which for my money is the way in which governance is enacted.
By Bridget Kenyon, on 27 July 2017
Here’s a question. What’s your tolerance for risk, and do you think it’s the same as your employer’s?
Risk tolerance differs
Let’s look at an example. Seat belts are pretty popular in the UK. In fact, they’re mandatory for almost everyone (except taxi drivers, interestingly). The risk? That you’ll get thrown through the windscreen, and die horribly, if there is an accident. But so many people in the past decided to accept that risk that wearing a seatbelt was made law, to improve the number of people actually using seatbelts. The risk tolerance of many individuals differed from the risk tolerance of the Government. It also differs from the risk tolerance of anyone who has been in a car accident and has benefited from the use of a seat belt.
In the same way, each individual will have a different risk tolerance. Some people wore seat belts before they were mandatory.
What’s the impact?
Where personal risk tolerance is different enough from the risk tolerance of an employer, this can cause real problems.
An individual who has a significantly lower risk tolerance than that of their company will be constantly worried that the security measures are inadequate. They may believe that the company is on the verge of disaster. They may start to try to force other people to apply security measures which are not mandatory, and report risks which are at a level where the organisation will not act. They believe that the organisation should lower its risk tolerance to match theirs.
Conversely, a person whose risk tolerance is higher than that of their organisation will exist in a state of perpetual frustration.
They see unnecessary and pettifogging rules everywhere, designed to get in their way and waste time and money. They may develop work-arounds to evade security measures, or simply refuse to comply with them. They believe that the organisation should raise its risk tolerance to match theirs.
Closing the gap
What’s the solution? There’s no silver bullet here (I feel another blog post about easy answers coming on). However, there are approaches to get everyone on the same page. I’m assuming here that you are acting on behalf of the organisation.
Encourage a neutral perspective
First, stop worrying about who is “right” or “justified”. That basically guarantees fisticuffs at dawn, and other adversarial outcomes. The organisation has its own risk tolerance. There are things which are objectively correct or incorrect, but risk tolerance as a whole is a very qualitative thing.
Awareness is key
Second, ensure that staff have a good understanding of risks and threats. Half of an understanding is worse than none.
Here is an example. Did you know that patient data is used for research without patient consent, sent to multiple universities and even private companies?
That sounds alarming, yes? But you only have half the knowledge you need to make an informed decision!
Now add in the following: There are incredibly strict rules and clearly governed processes to allow identifiable patient data to be used without consent, and the data is very well protected. Much of the research is intended to do things like identify causes of, and potential cures for, deeply unpleasant and lethal medical conditions, and it’s working.
That sounds better. You now know there are benefits to this data sharing, and that the risk is being managed.
In the same way, if people are informed of risks, benefits, and how security measures work to protect them, they are more comfortable with the risk and also more likely to implement the security measures.
A sense of separation
A fundamental truth which is difficult for really committed people to accept: this is actually not their risk. Risk belongs to the organisation, just as the information does. Letting go of this feeling of personal ownership without losing a sense of personal pride in your work can be a really hard balance to strike.
Don’t discount organisational error
Finally, don’t forget that the organisation might have a risk tolerance which really is too high or too low.
By Daniela Cooper, on 21 July 2017
By Ravi Miranda, on 16 May 2017
We looked at what information privacy is and how information sharing affects us all. We also had a brief look at what Privacy Impact Assessment (PIA) is and its contribution to the organisation in terms of safeguarding reputation and reducing costs.
This blog piece covers the basic aspects of a PIA.
Privacy risk is the risk of harm arising through an intrusion of privacy. Privacy harm can be caused through the use or misuse of personal information. This harm can be quantifiable or tangible; an individual could lose their job. It could also be less tangible; damage to personal relationships. Going a bit further, what might not be a great harm to an individual a cumulative loss of data could be a huge damage to society.
Some of the ways that this can arise by personal information:
- being inaccurate, insufficient or out of date,
- excessive or irrelevant
- kept for too long
- disclosed to inappropriate individuals;
- used in ways that are unexpected or unacceptable to the person it is about; or
- not kept securely
The outcome of a PIA should be the minimisation of privacy risk. This involves the understanding of what constitutes privacy and privacy risk. There is no one size fits all as one can imagine. Data collection for visa issuance is far different than that for an admission process even though personal information is collected in both situations. Thus privacy risk involves an understanding of the relationship between the organisation and the individual.
Something to think about .
Does your organisation need to be aware of obligations under the Human Rights Act?
If so, use a PIA to ensure that any actions that interfere with the right ot private life are necessary a proportionate.
That’s all for this blog! In the next blog, I intend to cover the benefits of a PIA and whose responsibility it is of conducting a PIA