Risky Business

Tips and tricks for securing information

Archive for the 'Ruminations' Category

Cryptography basics

By Gen Cralev, on 3 March 2017

Cryptography is a highly important concept within Information Security. You may not be aware of it, but we depend on cryptography on a daily basis to secure our data. Whenever you do online shopping, log in to Facebook or check your bank account balance, your information is automatically encrypted. We use encryption to ensure that if someone is able to obtain our data, they aren’t able to read it.

How does it work?

Encryption is the act of transforming information from a readable form (plaintext) into an encrypted form (ciphertext). For example, the text you are currently reading is in plaintext and is therefore unencrypted. To encrypt the text, we need to apply an algorithm or a mathematical formula that will change its content. The most well-known and simplest form of encryption is called the ‘Caesar cipher’. It is said to have been used by Julius Caesar to send secret military orders to his generals. The Caesar cipher works by shifting each letter of the plaintext by a certain number of letters. The number of letters we shift by acts as a key.

Figure: Caesar cipher

For example, if we shift each letter of the word “secret” by 3 we get a ciphertext output of “vhfuhw”. In order for the recipient to then transform the ciphertext back into plaintext, they simply apply the reverse action (shift 3 to the left). Check out this online tool that demonstrates the Caesar cipher in action: http://www.xarg.org/tools/caesar-cipher/. The Caesar cipher was sufficient to encrypt messages 20 centuries ago but it is no longer considered to be secure. Modern day encryption algorithms employ a highly complex formula to ensure that even the most powerful computer systems aren’t able to decrypt the data without the correct key.
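The cipher described above, written out as an added example (not code from the original post). It encrypts and decrypts with a chosen shift, and it also shows why the cipher is no longer secure: with only 25 possible keys, every key can be tried in an instant and the readable candidate picked out.

```python
# Added example: the Caesar cipher and an exhaustive trial of its tiny key space.
import string

ALPHABET = string.ascii_lowercase


def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions, wrapping around at 'z'.
    Non-letters pass through unchanged and case is preserved."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    """Shift `key` places to the right; `key` is the shared secret."""
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    """The reverse action: shift the same number of places to the left."""
    return caesar_shift(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Try every possible key (1..25) and return each candidate plaintext.
    The key space is so small that no key material is needed to recover the text."""
    return {k: decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    ct = encrypt("secret", 3)
    print(ct)  # vhfuhw
    for k, candidate in brute_force(ct).items():
        print(k, candidate)
```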

The Caesar cipher falls under the category of symmetric cryptography. This means that the same key is used to decrypt the data as the one used to encrypt it. This poses the problem of key exchange. How do we ensure that only our intended recipient has the correct key? If we do not take sufficient precautions when providing our key to the recipient, it can easily be intercepted by a malicious third party, rendering the whole process useless.

Asymmetric cryptography

Asymmetric cryptography solves the problem of key exchange by employing two mathematically related keys – a public key and a private key. The public key is shared with everyone and is used to encrypt the data we are sending. The private key, on the other hand, is used to decrypt the data and is only known to its owner. If I want to send an encrypted email to you, I would use your public key to encrypt the message. This ensures that only you are able to decrypt the message as your private key should only be known to you.

Asymmetric cryptography also allows us to sign messages in order to prove that we are the ones that sent them and they haven’t been altered in transit. This is done by encrypting the message using our private key. If others then use our public key to decrypt the message, this proves that the message came from us and is legitimate.
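The two uses described above (encrypting to someone's public key, and signing with a private key so anyone can verify with the matching public key), as an added example that is not part of the original post. It uses textbook RSA with tiny primes so every step is visible; real deployments use keys of thousands of bits together with padding and hashing, so this toy is for illustration only.

```python
# Added example: a toy public/private key pair (textbook RSA, tiny primes).
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Build (public, private) keys from two primes p and q.
    n is published; d is derived from the factors p and q and kept secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime with phi(n)"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: int, public_key) -> int:
    """Anyone holding the recipient's public key can encrypt to them."""
    e, n = public_key
    assert 0 <= message < n, "message must be smaller than n"
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key) -> int:
    """Only the holder of the private key can recover the message."""
    d, n = private_key
    return pow(ciphertext, d, n)


def sign(message: int, private_key) -> int:
    """Signing: the sender applies their private key to the message."""
    d, n = private_key
    return pow(message, d, n)


def verify(message: int, signature: int, public_key) -> bool:
    """Anyone can check the signature with the sender's public key;
    a changed message or a changed signature fails the check."""
    e, n = public_key
    return pow(signature, e, n) == message


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)  # n = 3233, a classic small example
    ct = encrypt(65, pub)
    print(ct, decrypt(ct, priv))  # 2790 65
    sig = sign(65, priv)
    print(verify(65, sig, pub), verify(66, sig, pub))  # True False
```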

These are just some of the basic concepts within cryptography but they provide all sorts of possibilities to improve security in the digital world.

Password Complexity Matters

By Gen Cralev, on 1 March 2017

There is an endless supply of literature on the Internet about usernames and passwords. Yet this is an immensely important topic that will always be relevant.

Tom has already written a blog post about passwords from a risk perspective so I will approach the topic from another angle and explain why the complexity of your password can make a huge difference to the overall security of your information.

However, first it is necessary to take a look at the basic mechanisms behind usernames and passwords. From a security perspective, a username is simply a form of identification. When a system is asking you for a username, it is essentially asking you to identify yourself as a user of its resources. In its basic form, this is the equivalent of someone asking you for your name. You can reply however you like. Whether they believe you or not is a different matter. This is where a password comes in. When you provide your password, you are basically authenticating yourself as the person that the provided username belongs to. Only you should know the password corresponding to your username. This is the equivalent of providing a driver’s license or a passport to confirm that you are indeed who you say you are.

Problems with passwords

Now let’s consider a common problem in the information security world – a compromised account. What I’m referring to here is the case where someone other than the intended individual has access to a specific account. This can come about in a number of ways such as:

  • Willingly sharing credentials (e.g. with your colleague)
  • Shoulder surfing (the attacker looks over your shoulder while you are typing your password)
  • Writing a password down and storing it insecurely (e.g. on a sticky note at your desk)
  • Data leak (usernames and passwords are made publicly available without authorisation)
  • Brute force/dictionary attacks (the attacker guesses the password. This is done either by trying out every possible combination or going through a dictionary of commonly used passwords)

In relation to most of the points above, but specifically the brute force/dictionary attack, a more complex password can significantly improve security. This comes down to the way that this specific attack is performed. A computer is highly efficient and can test a large number of passwords in a short period of time, and the more computing power dedicated to the task, the sooner the password will be correctly guessed.

As you add extra complexity elements to your password (extra characters and different types of characters) you make it increasingly difficult for a computer to be able to successfully guess your password.
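To put numbers on the point above, here is an added example (not from the original post) that estimates how many candidates a brute-force attack must try for a given password, based on its length and the classes of characters it uses. The guess rate is an assumed figure for illustration only; real rates depend on the hash in use and the hardware.

```python
# Added example: size of the search space a brute-force attack faces.
import math
import string

CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "symbols": string.punctuation,         # 32
}


def alphabet_size(password: str) -> int:
    """Size of the smallest character set an attacker must search to
    cover every class of character the password actually uses."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidates of this length over that alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Same quantity expressed as bits; each extra bit doubles the work."""
    return math.log2(search_space(password))


def worst_case_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Time to exhaust the space at an assumed guess rate (hypothetical figure).
    Note: a dictionary word such as 'secret' falls to a dictionary attack
    long before its search space is exhausted."""
    return search_space(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ["secret", "Secret1", "S3cr3t!Pa55word"]:
        print(pw, alphabet_size(pw), round(entropy_bits(pw), 1),
              worst_case_seconds(pw))
```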

Here’s a fun tool to demonstrate this concept: https://howsecureismypassword.net/. Although we don’t recommend that you enter your actual password!

Policy Writing .. As easy as it sounds!

By utnvrrv, on 27 February 2017

Policy-Writing. One step at a time

This series of posts explains an effective policy writing process. It will take a reader through some of the steps involved in policy writing.

Policies as cornerstones

A policy reflects the organisation’s strategy for carrying out its functions. As an example, a Finance policy lays down the ground rules for effective administration of its finances that satisfies HMRC. Similarly, an Information Security policy should reflect the organisation’s objectives for security. This policy should satisfy its stakeholders that the data and information it holds is subject to the necessary controls. It also sets the framework for the management strategy for securing information.

Are we in agreement?

In order for any policy to work well, it must be agreed on by the executive management. With proper management support, the policy provides authority for executing the rest of the programme, in this case the Information Security Programme. It is important to understand the management thinking when defining a policy for the organisation. Besides management support, the policy writer (security professional) should get the views of key stakeholders in the organisation. It is also important to understand the culture and the ethics of the organisation when defining a policy.

Positive Statement

After the interviewing process, the policy writer must capture the essence of the discussions in a positive statement. This statement will illustrate how the organisation would like its information protected. The statement should be a faithful representation of views; that is, without overstatement, change of meaning or adding to the content.

Next steps

In the next blog we will look at molding management’s perspective on the subject and emerging with a strategy. Till then..

P|S|P|G – Simplified

By utnvrrv, on 24 February 2017

We’ve all come across these terms in common parlance, but why not a refresher?

Policy

This is a set of high level statements across the business. A policy identifies the issue and the scope. It consists of the What? and the Why? Policies deal with rules related to key issues. A policy contains a statement of intent. A policy could also be said to be a set of rules to abide by. An information security policy of an organisation is the intent to maintain the Confidentiality, Integrity and Availability of its data.

Standard

A standard may assign a quantifiable measure of achievement. It could also mean something used as a measure, norm, or model in comparative evaluations. The ISO/IEC 27001 standard is the world’s leading standard for information security management. It provides requirements for establishing, implementing, maintaining and continually improving an information security management system. It is intended to be applicable to businesses of all sizes and types.

Process

A Process defines a series of actions taken to achieve a particular end. A process is a set of activities that interact to achieve a result.

Guideline

A guideline provides additional recommended guidance. This is a piece of advice on how to act in a given situation. A guideline is a recommendation of good practice and is non-mandatory.

I hope that I have simplified the difference between the terms and made it a bit easier to understand. In the next blog post, I will look at the elements of a good policy process.

Introduction to information risk

By Tom, on 15 February 2017

My name is Tom Seeler and I work for the Information Security Group doing information risk management. What this means in practice is that I work with people all across the university to help them identify risks to their information as a result of the work that they are doing. This can range from data they are gathering as part of a study or how to share files within their team, through to helping to understand the implications of providing a new service to office staff. Regardless of the specifics of the risk assessment, my first questions are usually “what is the information you are working with” and “where is it going”?

They’re deceptively simple questions, but they can lead to some really interesting discussions. You can’t have actual control over your information if you can’t answer them, and you can’t work out how to protect yourself if you don’t know what you’re protecting. Just as important is when you arrive at an “I don’t know”; the first step to removing the confusion is to identify it.

It’s an interesting exercise to apply to the things you work with every day, whether it’s a private social media account or a document workflow at school or your job. Where exactly is valuable information being stored and, now that you’ve visualised it, are you comfortable with how it is protected? These are the basics of risk assessment and I will be going into more detail in my future posts, as well as offering what I hope will be useful and practical advice on reducing information risks.

GDPR or GDPARRGH: Data Protection Strikes Back

By Bridget Kenyon, on 10 February 2017

Yesterday, I went to a meeting with a number of other organisations to talk about the Big New Scary Thing (GDPR). The revised data protection law comes into effect next May. It covers all data relating to a living individual (including me, except on Wednesdays when I am a zombie).

There was a general air of determination, but also some concern regarding what the darned thing actually wanted from us. OK, people agreed that it was a good move for security, but no-one was sure what it meant in practice.

Here’s an example. GDPR requires organisations to notify the ICO immediately in the case of a breach. This sounds really sensible. But what does “immediately” mean? And how certain should you be that it really is an incident before you notify? And, more worryingly, what constitutes awareness of a breach? If one IT staff member notices something a bit odd, does that mean that UCL is “aware”? Oh, and do they mean ALL breaches? The ICO will need another thousand or so staff if they have to get involved in every minor incident.

Fines and other monsters

The other funny thing was that people are really worried about possible fines. The current maximum fine for a breach is £500k, which is a lot for a corner shop, but not the end of the world for UCL. The new GDPR fines top out at 4% of global annual turnover: approximately £50 million for UCL. This is indeed scary, but here’s something else which might be a game changer. What if criminal liability comes with the package, as it does with Health and Safety?

In the Health and Safety world, the company is liable for damages, but an individual employee can also be charged and convicted with “corporate manslaughter”, which carries a prison term.

If we apply this model to data protection, I think it might squeak a little, since most GDPR incidents aren’t life-threatening, but what about Sarbanes-Oxley in the US? That had teeth because it made the financial director personally responsible for the financial conduct of their company (broadly speaking).

So in conclusion, there are always monsters under the bed. Some have fangs, some do not.