Controls: what are they?
By Bridget Kenyon, on 12 May 2017
What is a control? If you have spent more than five minutes talking to me or my team, we will probably have spoken of “controls”, and probably risk (but let’s stick to controls for this post).
Definition of a control
A control is a change you make to part (or all) of an organisation to reduce its exposure to information risk. For example, you may decide to put sensitive documents into a shredder when they are not needed any longer, rather than putting them in the standard paper recycling. Or you could encrypt files on shared storage, rather than storing them in clear text.
So a policy is NOT a control, but in fact describes a control. For example, you may create a policy stating that all passwords must be at least ten characters long.
Categorising controls
There is a tendency amongst all people who look at security controls to try to fit them into categories. A common set is:
- Physical
- People
- Technical
- Process/organisational
This helps people to understand what thing a control is changing. A physical control, for example, will be a physical change (e.g. putting a lock on a door, or shredding paper). A technical control could be applying security patches to systems within X days. A process control could be performing a security review when a change is planned to a system. A people control could be doing background checks on people who are to be granted access to sensitive information.
Other attributes
There are many other ways of categorising a security control. These can be used as appropriate. Examples include:
- Main purpose: detective, reactive, preventative
- Intended effect on risk: reduction of impact, reduction of likelihood, or both
- Which role(s) it applies to: which are responsible, accountable, consulted and informed
- Which part(s) of the organisation it applies to
- How long it is intended to be in effect for
- What sanctions will apply if it is not applied
- What risk(s) it is intended to affect
- What business process(es) relate to it
Privacy Impact Assessment – An Introduction
By utnvrrv, on 12 May 2017
Privacy
According to The Cambridge Dictionary ‘Privacy’ is defined as “someone’s right to keep their personal matters and relationships secret”. This should be taken to mean that people would like to share information selectively. Informational privacy is the ability of a person to control, edit, manage and delete information about themselves. The person should also be able to decide how and to what extent such information is communicated to others.
Information Sharing
There are several theories about what constitutes privacy and its application in different cultures. I will not consider these as part of the blog posts. We do not want to share our personal information with all and sundry. However, in today’s modern world, we share a lot of information with everyone; friends, organisations that we work with, the Government and others. We feel that the information thus shared will remain within the boundaries of the relationship. We share personal information in exchange for services, buying an air ticket, or earnings for tax purposes. We feel dismayed when this doesn’t happen and we should be assured of a decent level of protection when this sharing happens.
Collect just enough information (Short version)
When personal information is to be collected in the course of business, an organisation must ensure that the collected data is relevant. Organisations should consider a privacy by design approach. According to the Information Commissioner’s Office (https://ico.org.uk/), Privacy Impact Assessments (PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective privacy impact assessment will help an organisation to identify and fix problems at an early stage. This will reduce the costs and reputational damage that might otherwise occur.
In future blog posts I intend to cover the PIA process in some detail.
Executive consensus, approval
By utnvrrv, on 11 May 2017
Language matters
Write policy statements in a way that colleagues can read easily and interpret correctly. Ambiguity is another key point to watch out for. It is all too easy to get caught up in legalese, jargon and verbosity, which makes the policy incomprehensible and boring to read. Everyone loves a policy that is simple to read, understand and put into practice. Separate out policy statements, guidelines and other content. Distil what should be a policy statement. Try to arrange the statements in a logical sequence of what you expect should happen. You could ask a colleague to critically review it. Once you are happy with the text you can send it out and seek feedback. If your organisation has a standard template, adopt it; otherwise design a cover page, use the organisation’s branding in the header, and include relevant text in the footer.
This is based on the information that the business uses and the perceived risks to that information. Consider information risk as a driving factor towards a good information security policy. A good policy should not create unnecessary hurdles. A complicated policy may mean that business processes slow down, and colleagues find ways and means of circumventing the controls. Consider how real-world threats impact the business, and how the policy statement would safeguard the organisation. Use an exception section only if necessary. A good policy should be one to two pages long.
Endorsement and Approval
Consult with senior colleagues, accept feedback and finalise a draft version of the final policy. The document should then be sent to key decision makers within the organisation for a final endorsement. Keep a record of the distribution list and feedback received. Incorporate changes as necessary, or suggest suitable modifications. Once all mid-management approvals are in place (don’t forget the minutes), formally send the policy document for final approval from the Board. If you have the endorsements in place, the final approval should be easy.
Congratulations!!
Melding the Management view
By utnvrrv, on 24 April 2017
Management, Business, Information
Management’s role is to focus on the conduct of business using the information it has on hand and to generate results. Not all the information or data that management uses would be public or completely private. Senior management should study the types of data that they deal with and how that data helps them make decisions. This would then lead to the development of an Information Classification policy. There would be a need to provide an appropriate guide to information handling. As a supplement, an easy flowchart or matrix would be helpful for most end-users.
Governance Framework
All internal stakeholders at various levels should be able to share their views on the proposed information security policies. One way to do this is to have a cross-functional team review the draft policies. These may then be endorsed or approved as necessary. Depending on the size of the organisation this could be 2 to 3 levels of review. Managers/business heads should have a chance to understand how the policies will shape the organisation in the future. As each policy traverses the chain it may be necessary to highlight examples that prove the necessity of key policy statements and how the policy will help safeguard the business.
Information Security Framework Baseline
Work out the baseline framework for the Information Security Policies. Usually, the ISO27000 set of standards (www.iso.org) works well. Alternatively, ISACA (isaca.org) has a framework for the governance and management of enterprise IT. This needs further refinement with management support to derive the overall policy outline. Having a set of policies based around a standard also helps gain the confidence of auditors and external stakeholders. The information security policies must aim to cover the organisation based on its business processes. It is better to have a policy with a few simple mandates than an all-encompassing one that only a few observe.
Creating encrypted archives
By Tom, on 7 April 2017
In my last post I spoke about the need to encrypt sensitive information if sending it via email. I mentioned a tool called 7zip which is available for free, and allows you to encrypt files with a password. It’s simple and easy, and in this post I will show you how.
Create an archive
First you need to create an archive for your files. Right click the file, hover over 7zip, and select “add to archive”.
This will give you a pop up menu with a number of options.
Encrypt the archive
In the pop up menu to create an archive, there is an option to encrypt with a password. Choose a strong password and enter it here.
Once you have done this and clicked “OK”, you have finished creating your encrypted archive!
Important considerations
- The files themselves are encrypted, but the file names are not. Do take care to ensure that you are not leaking information through the filename. “John Doe disciplinary meeting notes” for example is still leaking some information about the subject of the meeting. Either select the “Encrypt file names” option when creating the archive, or use an innocuous file name.
- I said it in the last post but it bears repeating; always use a different method to share the password. Use a call, or a text. Sharing it via email undermines the steps taken to encrypt the file and removes the protection by making the password visible to anyone who can intercept the emails.
- It may sound like stating the obvious, but please make sure that you agree with the recipient that they will make sure to only email the encrypted archive too; the information is only protected if all parties maintain it.
Thanks for reading and I hope this is helpful. It really is a simple step to take that can help control who is able to access sensitive information.
Putting it into practice
By Tom, on 7 April 2017
We’ve had a few posts now about email and cryptography, and I thought it would be helpful to look at some real world scenarios involving these topics. Email is a vital part of our work but it can introduce risks that may not be immediately obvious. System admins can see the mail that passes through their systems. This is not to say that they are malicious, simply that they can access it. This does not matter very much in most cases. Problems come when we need to share sensitive information, as in these cases, the risk is much higher. Sensitive information should only be read by the people who need to see it. While it might not be worth the time to take steps to render a normal email unreadable, if you are sharing sensitive information it is always worth it.
So what should I do?
If you need to share something sensitive, there are steps you can take. The first step is to be certain that this person needs to have it. If you’re not sure, then ISG or the Data Protection Office can help you. Once you’ve done that, you can encrypt the file on your PC, and send the encrypted file as an attachment. One way to encrypt a file is to use 7zip, which is available for free in the UCL Software Database. (When you encrypt, please be sure to use a strong password!) Once you have done this, call or text the person to let them know the password. It’s important not to share the password by email as then anyone else who can see the first email with the attachment can also see the second email with the password.
And that’s it. It’s a small extra step that can help avoid a major headache if the wrong person were to get access to data.
Monitoring and all that jazz!
By cceaica, on 31 March 2017
Hello, this is my obligatory introduction post! My name is Ian Carter and I’m the newest member of ISG, having been working in the team for just under two months.
My role within the team is to look after the monitoring aspect of Information Security. This involves trying to detect and respond to threats against UCL assets.
Some specific tasks that I have are:
- Using monitoring technology to detect and respond to attacks
- Providing metrics to our stakeholders
- Developing and maintaining the monitoring systems that we use
The role also involves a lot of liaison with other people, both within Information Services, and more widely.
Monitoring Tools
We use a number of tools to collect and analyse data, but a brief description of the main ones is below.
Intrusion Detection/Prevention Systems (IDS/IPS)
The most common analogy for an IDS is that of a burglar alarm. Sensors are placed at sensitive areas, such as points of entry, and if triggered an alarm is generated that needs a human to take some action.
An IPS takes this a step further by removing the human decision making and automatically taking action if an alarm is generated, such as blocking a malicious user. Obviously you need to be very sure this is not likely to be a false alarm!
Technically these systems work very much like antivirus products: they compare observed behaviour to a number of rules. This means that to be effective the rules have to be constantly updated, as attacks are evolving all the time. A part of my role is ensuring the rules are effective and relevant, and don’t generate lots of false alarms.
Security Incident and Event Management (SIEM)
A SIEM is a little like a spider’s web. It takes information from lots of systems, like the IDS and servers, which are like the strands in a web. All this information is correlated together and analysed. Some of the information may be suspicious, which is like the web being tugged, and if enough activity is generated an alarm occurs and the analyst, or spider, pounces. However, there is an awful lot of background noise, much like the wind blowing on a web, that needs to be filtered out so only the important information remains.
The major benefit of this system is the way alarms are prioritised so we can respond to the really important things more quickly. They also provide lots of reports that are useful for generating metrics.
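The correlation idea described above, as an added illustration rather than ISG’s own tooling: a small rule that counts failed logins per source address inside a sliding time window, drops lines it cannot parse (the background noise), and raises one alarm only when enough “tugs” arrive from the same place. The log lines, hosts, addresses and threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not real UCL data).
SAMPLE_LOGS = """\
2017-03-31T09:00:01 host1 sshd: Failed password for alice from 203.0.113.7
2017-03-31T09:00:03 host1 sshd: Failed password for bob from 203.0.113.7
2017-03-31T09:00:04 host2 sshd: Failed password for root from 203.0.113.7
kernel: eth0: link is up, 1000 Mbps full duplex
2017-03-31T09:00:06 host1 sshd: Failed password for carol from 203.0.113.7
2017-03-31T09:00:07 host3 sshd: Failed password for dave from 203.0.113.7
2017-03-31T09:00:09 host1 sshd: Accepted password for alice from 198.51.100.5
2017-03-31T09:01:00 host1 sshd: Failed password for alice from 198.51.100.5
2017-03-31T09:30:00 host2 sshd: Failed password for eve from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(line):
    """Turn one log line into a dict, or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    return event

def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Alarm once per source IP that causes `threshold` failed logins
    within `window`, regardless of which host or account was targeted.
    Isolated failures never reach the threshold, so they stay silent."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alarms, alarmed = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire old failures
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alarmed:
            alarmed.add(ev["src"])
            alarms.append({"src": ev["src"], "failures": len(q),
                           "first": q[0], "last": ev["ts"]})
    return alarms

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS.splitlines()):
        print(f"ALARM: {a['src']} caused {a['failures']} failed logins "
              f"between {a['first']} and {a['last']}")
```

Raising the threshold or shrinking the window is the tuning work the post describes: too loose and the wind sets off the alarm, too tight and a real tug is missed.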
I hope this is a useful summary of some of the tools we use. I’ll delve into them a little deeper in future posts.
Phishing
By Daniela Cooper, on 24 March 2017
“Phishing is a fraudulent attempt, usually made through email, to steal your personal information”. – PhishTank.
Phishing is unfortunately something that we have to learn to live with; it’s not going to go away any time soon. The best way to protect ourselves against phishing is to learn to identify it.
Things to look out for
- A sense of:
- Urgency – makes you feel like you have to do something quickly, so you don’t take the time to wonder if the email is suspicious.
- Fear – for example, if you don’t click on the link, your account will be deleted, or you will be fined.
- Promise of reward – lottery win notifications, or “I am the widow of a rich person” type of email.
- Guilt or sympathy – “I am dying of…” type of email.
- So if an email makes you feel: guilty, panicky, afraid, or greedy, stop and ask yourself why. It’s probably a phishing email.
- ‘To’ and ‘From’ address – these can be trivially forged and show false information. Often the ‘To’ address isn’t even your email address; a legitimate email would be addressed to your actual email address.
- Web link – check to see if the link is in the UCL domain (ucl.ac.uk). It could look like a legitimate UCL URL, but check by hovering over it, as it could be going somewhere else entirely.
- Asking you to respond with your username and/or password – no legitimate email will ask you to do this.
- Unexpected attachment – some phishing emails come with attachments that when opened will compromise your computer.
- Headers and signatures – these can be forged; phishing emails often use them to appear more legitimate.
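The ‘To’ address and web link checks above, as an added example of how a mail filter or a careful reader would test them (this is not ISG’s code, and the message, addresses and link target are constructed). The point it makes is that “is the link in ucl.ac.uk?” must be asked of the hostname, not of the text: a substring test is fooled by a hostname that merely begins with ucl.ac.uk, and by link text that reads as a UCL address while the real destination is elsewhere.

```python
import re
from urllib.parse import urlparse

TRUSTED_DOMAIN = "ucl.ac.uk"

def host_in_domain(url, domain=TRUSTED_DOMAIN):
    """True only if the URL's hostname is `domain` itself or a subdomain.
    The naive check ('ucl.ac.uk' in url) wrongly accepts
    http://ucl.ac.uk.example.net/ and http://example.net/ucl.ac.uk/."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
CREDENTIAL_RE = re.compile(r"\b(username|password|passcode)\b", re.IGNORECASE)
RESPOND_RE = re.compile(r"\b(reply|respond|send)\b", re.IGNORECASE)

def assess_email(to_addr, body, my_addr, link_texts=None):
    """Return the warning signs found in one message.
    `link_texts` maps the displayed link text to the real href, which is
    what a mail client reveals when you hover over the link."""
    signs = []
    if to_addr.lower() != my_addr.lower():
        signs.append("'To' address is not your own address")
    for url in URL_RE.findall(body):
        if not host_in_domain(url):
            signs.append(f"link outside {TRUSTED_DOMAIN}: {url}")
    for text, href in (link_texts or {}).items():
        if host_in_domain(text) and not host_in_domain(href):
            signs.append(f"link text looks like UCL but goes to {href}")
    if CREDENTIAL_RE.search(body) and RESPOND_RE.search(body):
        signs.append("asks you to respond with your username or password")
    return signs

# Constructed phishing-style message for the demonstration.
SAMPLE = dict(
    to_addr="undisclosed-recipients@example.com",
    my_addr="a.user@ucl.ac.uk",
    body=("Your mailbox quota is exceeded. Verify within 24 hours or your "
          "account will be deleted: "
          "http://ucl.ac.uk.webmail-verify.example/login "
          "Reply with your username and password to keep access."),
    link_texts={"https://www.ucl.ac.uk/isd": "http://198.51.100.23/isd"},
)

if __name__ == "__main__":
    for sign in assess_email(**SAMPLE):
        print("warning:", sign)
```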
The consequences of responding to a phishing email (or opening an attachment in a phishing email) are that an attacker can steal your information and/or take control of your machine.
If you are ever unsure whether an email is a phishing email or not, before you click or respond, just ask us – isg@ucl.ac.uk.
In my next blog post I will be talking about test phishing campaigns.
Hello…
By Daniela Cooper, on 22 March 2017
Hello, my name is Daniela Cooper and I am the longest-standing member of ISG, 13 years this year to be exact. If you’ve been at UCL a while and had to contact ISG it’s likely that you’ve spoken to me. It’s less likely going forward, as our team has since grown quite a lot.
My current role concentrates on the awareness side of information security. I am responsible for the following:
- The ISG website (including the web presence for the Security Working Group, the Information Risk Management Group, the Information Risk Governance Group)
- Promotional materials
- Information security presentations
- Phishing campaigns (more on those in a future blog post)
- Information security awareness campaigns
- The Moodle Information Security Awareness course (https://moodle.ucl.ac.uk/course/view.php?id=35689)
In my next blog post I will talk about phishing.
Applications of Cryptography
By Austin Chamberlain, on 12 March 2017
We’ve talked about the theory of cryptography before; now I will describe some of the main uses of cryptography.
Secure communications
The most obvious use of cryptography, and the one that all of us use frequently, is encrypting communications between us and another system. This is most commonly used for communicating between a client program and a server. Examples are a web browser and web server, or email client and email server. When the internet was developed it was a small academic and government community, and misuse was rare. Most systems communicated in the clear (without encryption), so anyone who intercepted network traffic could capture communications and passwords. Modern switched networks make interception harder, but some cases – for example, public wifi – still allow it. To make the internet more secure, most communication protocols have adopted encryption. Many older protocols have been dropped in favour of newer, encrypted replacements.
The best example is web encryption, since here you can choose between a clear or encrypted version of a website by switching between HTTP and HTTPS in the URL. Most large companies now use the encrypted form by default, and you’ll see that any visit to Google, Facebook, Microsoft Office 365 or other sites will be to the HTTPS version of the site. This is accompanied in recent browsers by extra information, including a padlock to show that it is HTTPS. Something you can try is to click the padlock on an encrypted page, and your browser will tell you more about the page security. It will also tell you the especially relevant fact of the actual site name you’re visiting. Therefore, if you’re entering a password in a page, please do check that it is HTTPS.
End-to-end Encryption
Email is one area where encryption is not widely in use. When email moves from server to server, and from server to you, it is encrypted. On the mail server and on your system, however, an administrator can read it. There are options to implement “end-to-end” encryption for email (I use PGP) but email systems are complex and these options are complex. Truly secure messaging systems – where only the sender and receiver can read the message – are those where encryption has been built in from the start. Whatsapp is good; Signal is better.
Storing Data
We all store a large amount of data, and any data is valuable to at least the person who generated it. Every operating system uses encryption in some of the core components to keep passwords secret, conceal some parts of the system, and make sure that updates and patches are really from the maker of the system.
A more notable use of encryption is to encrypt the entire drive, and require correct credentials to access it. UCL has recently implemented Microsoft’s Bitlocker on Desktop@UCL machines, and this means that without the user logging in the data on the drive is completely opaque. If someone took the drive and tried to read it, they would not be able to access any data. This has the occasional side effect of locking the system, so some UCL readers may have had to request the recovery key.
One notable point is that many encrypted systems nonetheless allow administrators of the system access. Office 365, for example, uses encrypted communications, but many senior Microsoft staff, and a few UCL administrators, can access the data. A relatively recent development is software to create encrypted containers on a drive. I have recommended Veracrypt to some users who need to create an encrypted volume which is completely under their control.
Storing Passwords
In the last blog post I briefly introduced cryptographic hashing, a one-way mapping of a string to a fixed-length value. One of the main uses of this is to store passwords. It is very risky to store passwords in an accessible way. If stored in plaintext on a system, anyone who has access to the system – legitimate or malicious – can read the password. Encryption is only a partial answer to storing passwords. If someone has access to the system storing the encrypted passwords, they will probably have access to the encryption key to decrypt the password. Hashing, on the other hand, produces a relatively useless value for the attacker. A system will take the password on login, hash it, and compare to the hashed value. At no point will the system – or an attacker – have access to the plaintext password.
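The login flow described above, as an added example that is not code from the post: the system stores only a hash, hashes whatever is typed at login, and compares the two, so the plaintext password is never kept. It goes slightly beyond the paragraph in two ways a practitioner would want: each password gets its own random salt and a deliberately slow hash (PBKDF2 here, an assumed choice) so identical passwords do not share a stored value and guessing is expensive, and the comparison is constant-time. The user database and round count are constructed for the example.

```python
import hashlib
import hmac
import os

ROUNDS = 200_000          # assumed cost setting; raise as hardware gets faster
ALGO = "pbkdf2_sha256"

def hash_password(password, salt=None):
    """Return a storable string: algo$rounds$salt_hex$hash_hex.
    A fresh 16-byte salt is generated unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ROUNDS)
    return f"{ALGO}${ROUNDS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Re-hash the candidate with the stored salt and compare."""
    algo, rounds, salt_hex, hash_hex = stored.split("$")
    if algo != ALGO:
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    # constant-time comparison: timing must not reveal how much matched
    return hmac.compare_digest(digest.hex(), hash_hex)

# Constructed in-memory user store: username -> stored hash string only.
USERS = {}
# Hash checked for unknown users so that a failed login takes the same
# time whether or not the account exists.
_DUMMY = hash_password("placeholder-not-a-real-password")

def register(username, password):
    USERS[username] = hash_password(password)

def login(username, password):
    """True only if the account exists and the password hashes to the
    stored value. The plaintext is never stored or compared directly."""
    stored = USERS.get(username)
    ok = verify_password(password, stored if stored else _DUMMY)
    return ok and stored is not None

if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(USERS["alice"])                       # hash, never the password
    print(login("alice", "correct horse battery staple"))   # True
    print(login("alice", "wrong"))                          # False
```

If the store is ever copied, an attacker gets only salts and slow hashes, which is the “relatively useless value” the post refers to.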
Cryptography is hard
The impression you might get from this is that encryption is difficult to implement properly. This is correct, unfortunately! I encourage everyone to use encryption more, and I’m always happy to give advice. If you have any questions, please contact the team.