Data security is the review of where and how your data is stored to ensure nothing goes wrong. What can go wrong though?
Having been involved in more security audits than I care to remember, I use this article to explore some of the more interesting fundamental questions that should be asked of all solutions, especially those that reside in the cloud.
This article assumes no understanding of science or advanced networking; it is an introduction to the areas that need attention.
- Security and risk reviews
- The interesting world of the improbable
- The links in the chain
Security and risk reviews
Wikipedia defines data security as “protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyber-attack or a data breach.”
What makes your data interesting and is yours even worth bothering with? In short, if it’s worth something to you then it’s worth stealing, if only to sell it back to you.
The connectivity of the Internet leaves any business with an Internet presence open to attack by anyone in the world. Not every citizen on the Internet is subject to the same national laws as you are in your country; as a result, they can attack you and get away with it.
- Ransomware locks your data until you pay for it to be released.
- PII or Personally Identifiable Information can be used to tailor advertising and potentially break into your bank accounts.
- Getting your password from one system can give an attacker the password to many systems, as people generally don’t have different passwords for every system.
- Intellectual property has value because it enables businesses to compete.
- Information which can be used to change public perception of people and companies can be used to influence decisions or even sway elections.
- If services people depend on are unavailable or affected, customers get unhappy and move their business to other service providers.
So in short, as a business you need to keep your own data, and the data you manage for clients and customers, safe.
The cost of mistakes
Every business is legally responsible for keeping the data safe. This alone is challenging: how does every business become a cyber security expert?
In short, it’s easier to outsource that security than to try to develop a security team. Security changes so often, and bugs and fixes come so often, that it’s a complex and fast-moving area.
IBM Security commissioned a report on the cost of data breaches: the 2018 Cost of Data Breach Study.
In America in 2018, every record in a data breach (that is, just one customer in a database) cost about $145 on average. In the medical field, the cost is $408 per record if hacked.
So a lot of things can go wrong. It’s important to manage them all. Where as a business do you even start? The answer is a Risk Register.
A register is just a book which has a list in it. A risk register is a list of risks.
Each risk needs a rating, a metric, to figure out how bad a risk it really is. Metrics improve management.
Each risk has two ratings, usually from 1 to 5.
The first is “damage to” or “impact on” the business. If this event were to happen, how much damage is likely? 1 might be low impact whereas 5 might be business ending.
The second rating is likelihood. Some risks are devastating, but what is the actual chance of them happening? 1 is very unlikely to happen and 5 is very likely to happen.
You then multiply the two scores together, giving a risk rating. This is a guide rather than an exact science. Once you have all your risks and your scores, you sort the list, and whatever is closest to 25 gets the most attention immediately.
Within our means
In security there is never enough time or money to solve all problems instantly. Instead businesses work within their means. What can we afford to do with the resources we have available? You don’t NEED to buy health insurance, but when you get sick it can change your life.
Building a risk register benefits from external people reviewing your list as they may see things you haven’t recognised.
Once you have built the list, it is a blueprint for destroying your business and is not something you would share with clients. Now you really do have some business information you need to keep secure.
For every risk you can put something in place to mitigate that risk. The mitigation gives you a minus number for your risk from 1 to 25. So you end up with the following equation for every risk.
(Damage * Likelihood) – Mitigation = Risk
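The register and equation above, worked through as an added example (not code from the original article). Damage and likelihood are the ratings this article gives its four scenarios further down; the mitigation values, the 0 for "nothing in place yet" and the floor at zero are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    damage: int          # 1 (low impact) .. 5 (business ending)
    likelihood: int      # 1 (very unlikely) .. 5 (very likely)
    mitigation: int = 0  # 0 = nothing in place yet (assumption), at most 25

    def __post_init__(self):
        for label in ("damage", "likelihood"):
            if not 1 <= getattr(self, label) <= 5:
                raise ValueError(f"{self.name}: {label} must be between 1 and 5")
        if not 0 <= self.mitigation <= 25:
            raise ValueError(f"{self.name}: mitigation must be between 0 and 25")

    @property
    def raw(self) -> int:
        return self.damage * self.likelihood

    @property
    def risk(self) -> int:
        # (Damage * Likelihood) - Mitigation, floored at 0 (assumption) so an
        # over-mitigated risk cannot go negative.
        return max(self.raw - self.mitigation, 0)


def ranked(register, mitigated=True):
    """Highest score first; ties are broken by name so the order is stable."""
    score = (lambda r: r.risk) if mitigated else (lambda r: r.raw)
    return sorted(register, key=lambda r: (-score(r), r.name))


# Damage and likelihood are the article's ratings; mitigation values are constructed.
REGISTER = [
    Risk("Solar storm (CME)", damage=5, likelihood=2, mitigation=2),
    Risk("Quantum password cracking", damage=5, likelihood=2, mitigation=6),
    Risk("Godzilla", damage=5, likelihood=1),
    Risk("Flooding / tsunami", damage=5, likelihood=3, mitigation=9),
]

if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{r.risk:>2}  (raw {r.raw:>2}, mitigation {r.mitigation})  {r.name}")
```

With these constructed mitigations, flooding drops from first place to second and the solar storm moves to the top, which is why the register is re-sorted whenever a mitigation is put in place.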
There are many approaches to data security and risk management. Security standards help businesses take a formal approach to catch most of the common risks. “Why reinvent the wheel?” is the thinking behind it. Every business is unique, so the standards are baselines to ensure that the most common devastating mistakes are managed.
ITIL (formerly an acronym for Information Technology Infrastructure Library) is a set of practices for IT service management (ITSM) that focus on aligning IT services with business needs.
COBIT (Control Objectives for Information and Related Technologies) is a good-practice framework from ISACA for IT management and governance.
ISO 27001 (International Standards Organisation) is the data security standard internationally which is known as BS 7799 (British Standard) in the UK. As technology changes, these standards must update to adapt to a changing world.
PCI (Payment Card Industry) DSS (Data Security Standard) is a set of security standards that are mandatory when dealing with credit card information.
Groups and services such as the G-Cloud in the UK require data security compliance.
The interesting world of the improbable
Damage: Significant (5). Likelihood: Low (2).
The sun is a nuclear bomb continuously exploding. The fuel is hydrogen, the same as some nuclear bombs. When two hydrogens smush into each other they make a helium and give off energy. This energy keeps the reaction going. When the smush happens bits break off and you don’t just get clean helium. Nuclear bits come out in the form of solar winds. These winds blow throughout the heavens. Our atmosphere keeps most of it away.
Sometimes there is more than our atmosphere can handle. The sun has a massive explosion called a Coronal Mass Ejection (CME). The wash of this comes to earth and it plays havoc with electromagnetic systems. September 1859 was the biggest on record.
Data security is concerned with the service being available and ensuring unchanged data.
If you think these aren’t regular then think again… they happen all the time. Here is your space weather report: https://www.swpc.noaa.gov/products/alerts-watches-and-warnings
When one of these hits your data centre how well are you protected?
The BBC Horizon team in season 20 episode 3 called “Solar Storms- The Threat to Planet Earth” did a wonderful documentary which may be available online.
Damage: Significant (5). Likelihood: Low (2).
A password is essentially a combination lock. The lock is a very long set of switches with some turned on and some turned off. The combination of on and off can stretch into hundreds of thousands of combinations and would take too long to try every combination. The longer and more complicated the password the more combinations it could be and subsequently the longer it would take to guess.
When you make things very cold, i.e. the cold of space when there is no light around, the temperature drops to -273.15 degrees Celsius or -459.67 degrees Fahrenheit.
At this temperature very strange things happen; more specifically, the laws of physics start working differently.
At this temperature a switch can be in the on and the off position at the same time! For this reason a password could take seconds to work out instead of lifetimes. This is extremely bad news for passwords and encryption.
We have protection systems, such as only allowing X attempts to crack a password, so that makes this all redundant. Yet if a person got a file with all the passwords in it, then they could try as many times as they like, and quantum computing means they’ll get the answer a lot faster.
The solution is easy and twofold. Ensure your solution forces complex passwords and locks you out after 3 guesses. It may be annoying but it’s good for your security.
The technology is here, not science fiction: https://www.zdnet.com/article/the-latest-in-quantum-computing-10ft-tall-2000-qubits-15m-price-tag/
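The two-part fix above, sketched as an added example (not code from the original article): a complexity check at sign-up and a lockout after 3 wrong guesses. The lockout only limits guessing against the live system, so for the stolen password file case the sketch stores a salted PBKDF2 hash instead of the password; that choice, the 12-character minimum and the round count are assumptions of the example.

```python
import hashlib
import hmac
import os
import string

MAX_ATTEMPTS = 3         # the article's "3 guesses"
MIN_LENGTH = 12          # assumption: the article only says "complex"
PBKDF2_ROUNDS = 200_000  # assumption: work factor chosen for this example


def is_complex(password: str) -> bool:
    """Constructed policy: minimum length plus three of four character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


class Account:
    def __init__(self, password: str):
        if not is_complex(password):
            raise ValueError("password does not meet the complexity policy")
        self.salt = os.urandom(16)          # per-account salt
        self.digest = self._hash(password)  # only salt and digest are stored
        self.failures = 0

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_ATTEMPTS

    def login(self, password: str) -> str:
        if self.locked:  # refuse before doing any hashing work
            return "locked"
        if hmac.compare_digest(self._hash(password), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.locked else "denied"
```

Once the account is locked, even the correct password is refused until an administrator or a reset flow (not shown) clears the counter.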
Godzilla and Pacific Rim, not just fun movies
Damage: Significant (5). Likelihood: Improbable (1).
I was asked “How prepared are you for a Godzilla attack?”
“If Godzilla rocks up I won’t care if there’s a data centre or not I’ll be running for my life!” I replied.
The same also goes if we’re all about to die with a Kaiju appearing from inter-dimensional rifts in the fabric of space time.
These scenarios, though trite, are legitimate considerations which pertain to national catastrophes. Nuclear power countries constantly run the risk of nuclear power stations, nuclear weapons or nuclear waste sites suffering terrorist or catastrophic failure issues.
The solution is to have two data centers on two continents, preferably in a non-nuclear power. Check and carefully review your data centre, especially if it is located outside the jurisdiction of your laws. Double check whether you’re allowed to move people’s data there, and then consider whether you should.
I also suggest you hope Godzilla’s son or cousin doesn’t show up.
Global warming and Tsunamis
Damage: Significant (5). Likelihood: Medium (3).
Water is a big problem for computers. They don’t really like it. Salt water is especially bad news as its conductivity will make short work of blowing up a circuit board.
A water tank on the roof of the center bursting, or a water-based sprinkler system going off in the comms, is not going to be fun for anyone. Data security needs the data to be available as much as it needs it to be secure.
Rising water and flooding happen, so keeping your servers on the ground floor or sub-basement floors is BAD news. Data centers built below ground level must consider incoming water.
The easiest fix is to check that your data centre is on the first floor or higher.
The links in the chain
Encrypting data at rest and in transit
Thomas Reid’s “Essays on the Intellectual Powers of Man,” published in 1786, contained the line “a chain is no stronger than its weakest link”, and in computing data security the same is true.
The following is an example of how an app on your phone interacts with a web based service. The image below would generally describe your banking app on your phone.
Every letter and number and line in this diagram is a weak point.
2 and 9 represent databases, which are files / collections of data. The data is sitting on the device, not moving, and as a result is referred to as “data at rest”. Can any user find the contents available to read, or are they encrypted?
Even link A is a risk if your computer has malware or spyware on it. What you type in or see on your screen can be recorded if the system has been compromised.
At every point a business uses encryption to stop people spying on your information, while also employing tools that remove malicious software and viruses. The security department, along with infrastructure, is responsible for keeping these measures up to date and adapting to emerging threats. As a business you must also ensure that every supplier is taking the same, if not better, steps to protect your data.
Data in transit
You visiting your banking website will look something like this. There is an easy way to see this in action on your computer.
Open a DOS command window (Windows key and R, then type CMD). You will get a window that looks like this.
- tracert www.google.ie
or whatever address you like.
Tracert stands for trace route, i.e. what route does the internet take between me and the service I want to connect to.
Here is my route to www.google.ie, Google’s public website for Ireland.
It wouldn’t take much to work out my Internet provider is eir.
I now have information to start examining each of the devices on the connection and start to question their data security. Securing boxes 3 through 7 must also be considered.
The Internet service called whois allows anyone to look up the IP addresses and see where our connection went.
Using a browser you put in the address https://ipinfo.io/18.104.22.168
Change the address for each device to see where it is.
- 22.214.171.124 Mountain View, California, United States
- 126.96.36.199 Alameda, California, United States
- 188.8.131.52 Wichita, Kansas, United States
- 184.108.40.206 Mountain View, California, United States
If you would like to see where the cables in the sea are there is a cool map available here https://submarine-cable-map-2018.telegeography.com
The big question you need to ask as a business: “Is every link in the chain reviewed for data security?”