Tag Archives: Confidentiality
There is a reason to protect information
This article in the Guardian caught my eye.
Two months after a visit by Chinese officials, a company in Scotland with an innovative Wave Power design was burgled. Several Laptops were stolen. The burglars went straight to the company offices on the second floor of the building, bypassing companies on the lower floors.
A couple of years later, a Chinese company with close ties to the Chinese government, started making very similar Wave Power devices.
The Scottish company is now out of business.
So, assuming that there was nefarious activity here – and that is not proven, just a series of odd coincidences – what can we learn?
Information Security is not just about protecting personal or financial information. It is also important for commercial reasons: the designs, software and business model that a company has is the heart of what the company is actually worth.
There is a cost for the loss of that information. It is not unreasonable to spend an appropriate amount of money securing that information. How much depends on the capability of any threat, and on the risk appetite of the company.
Could the information have realistically been protected against the theft of a laptop it was stored on? Probably, though we do not know what precautions this company had in place. Realistically, a good hard drive encryption system, tied to the TPM found in modern laptops, would have defeated most attackers. Add good physical security, alarms and CCTV; lock the laptops away when the office is unoccupied; and practise general good security hygiene.
Commercial espionage does happen.
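As an added example (not part of the original post), here is a PowerShell check, assuming a Windows laptop with the BitLocker and TrustedPlatformModule cmdlets available and an elevated prompt, that reports whether each fixed volume is fully encrypted, whether protection is actually on, and whether the operating-system volume's key is sealed by the TPM. The function name is this example's own.

```powershell
# Added example, not from the original post: audit BitLocker posture on a laptop.
# "Encryption tied to the TPM" means the volume key is sealed by a TPM-based
# key protector (Tpm, TpmPin, TpmStartupKey or TpmPinStartupKey) so a stolen
# drive, or a drive moved to another machine, cannot be unlocked.
# Function name Test-DiskEncryptionPosture is this example's own.

function Test-DiskEncryptionPosture {
    [CmdletBinding()]
    param()

    $findings = @()

    # A TPM protector cannot work unless the TPM is present and initialised.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings += 'TPM is absent or not ready; BitLocker cannot seal keys to it.'
    }

    $tpmProtectors = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        $mp    = $vol.MountPoint
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Partially encrypted or decrypted volumes leave plaintext on the disk.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "$mp is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)."
        }
        # ProtectionStatus Off on an encrypted volume means the key is stored in the clear (suspended).
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "$mp protection is $($vol.ProtectionStatus); the volume key is not protected."
        }
        # The OS volume is the one that should be unlocked by the TPM; data volumes
        # are normally auto-unlocked by the OS volume rather than by the TPM directly.
        if ($vol.VolumeType -eq 'OperatingSystem' -and
            -not ($types | Where-Object { $tpmProtectors -contains $_ })) {
            $findings += "$mp has no TPM-based key protector (found: $($types -join ', '))."
        }
        # A recovery password should exist and be escrowed somewhere other than the laptop.
        if ('RecoveryPassword' -notin $types) {
            $findings += "$mp has no recovery password protector; escrow one off the device."
        }
    }
    return $findings
}

$issues = Test-DiskEncryptionPosture
if ($issues.Count -eq 0) { 'All fixed volumes are fully encrypted and the OS volume is TPM-bound.' }
else { $issues }
```

An empty result is the posture the post describes; each finding names a volume that would still be readable to whoever walked off with the laptop.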
Evolution of Cyber Attacks
There is a common view that malware is something that allows an attacker access to your computer so he can steal your data. Remote Access Trojans delivered via a contaminated attachment, for example, are typical.
The attacker then profits by selling your data to others who exploit it. However, this involves trusting a larger number of people and increases the risks to the attacker of being caught. It also involves a lot of additional work, blending details from many attacks to hide where the data was taken from, and who took it.
Ultimately, criminal activity is driven by a desire to make money. And to survive to be able to enjoy your gains.
There has been a well publicised rise in ransomware, where the malware encrypts files or disables a system and the attacker demands money to release them. This is a result of the attackers wishing to remove the risk from the monetisation of their successful compromise of a system. They are reducing the number of people needed to realise the profit, and exploiting the anonymity of Bitcoin to remain hidden.
The consequences of the two types of malware on businesses that are unprepared for them are different. The former is an attack against confidentiality; ransomware attacks availability.
Both are Security Incidents, and both are in part mitigated by anti-malware systems, but the method of surviving the attack is different.
Confidentiality losses can be reduced by the appropriate use of encryption, ensuring that if data is compromised there is another layer of defence in place.
Availability losses can be mitigated by a suitable business continuity plan to ensure the business can still operate in the absence of whatever technology is being held to ransom. It just has to last long enough for affected items to be repaired or replaced, and data recovered from backups. And keep the backups off-line: finding that they have also been encrypted will not improve matters.
The likelihood of both can also be reduced by user education: Be aware of Phishing Attacks, report odd events. The impact is reduced by Incident Response planning.
At the moment, ransomware is commonly attacking traditional IT systems and more recently mobile phones and other devices. In the future ransomware will be deployed against smart connected things.
Pay One Bitcoin to get your Roomba back out from under the sofa.
Why Confidentiality, Integrity, Availability?
Security Standards, such as ISO27001, talk about protecting the Confidentiality, Integrity and Availability of information.
- Loss of Confidentiality is embarrassing, can damage a business’s reputation, result in regulatory fines, and can have legal consequences for the directors.
- Loss of data Integrity means you no longer trust what the business is doing or saying: incorrect orders, false wage payments to non-existent employees, abusive PR from a hacked Twitter account or Website.
- Loss of data availability means you have no information to act on. No customers, no orders, no finances.
These are all Business Issues, not fundamentally technical issues.
