Backup Anytime

Data security for dummies

There is much misunderstanding of data data security. This applies not just at end user level but also quite generally at overall small business level. Much of this is attributable to an ever growing and widely misused information technology vocabulary. Much of this vocabulary is brought about by intended use of trade and company names by interested parties  when producing instructions, guides and white papers.

For this reason, an understanding of data security may only be obtained by reducing the factors affecting and important to information security to micro or atom level. This has been approached by many. Here we are interested in the work of third party academics and not interested business parties.

Three classic data security components are Confidentiality, integrity and availability.
They are known as the CIA triad. CIA being the combined first letters of the three terms and triad being linguistically synonymous with the number three. The CIA triad was later added to in what is now known as the Parkerian hexad. Parkerian because it was proposed by Donn B. Parker and hexad because the number of elements was increased to six.

The six elements of information security (in our case, data security) according to the Parkerian hexad are as follows.

1. Confidentiality
2. Possession or Control
3. Integrity
4. Authenticity
5. Availability
6. Utility

A list can serve to prompt incorrect assumptions so lets take a closer look at these data security principles. You may not want to get in to the academics but someone in or representing your organisation needs to have  a clear insight so you can actively avoid data breach as against simply protect against data loss.

First off, why these six elements? Surely there are thousands of terms applicable to information. These six elements are widely agreed among data academics as being at micro or atomic level. They are considered to be essential and non overlapping from the point of view of information security.
Confidentiality deals with the who in data. Information which is available to nobody is essentially useless and it is therefore agreed that no matter the level of confidentiality required that there must be a default exception list with at least one entry. The confidentiality of data is therefore measured by comparing the required access with the actual access allowed.

Possession and control may seem to an extent to represent an overlap with confidentiality but it is agreed to be a component in it’s own right. An example would be a letter addressed to you arriving to someone else. They may not open it but regardless possession and control have been breached.

Integrity of data deals with state of data and the effect on it of any modification intended or otherwise. Integrity therefore not only applies with point in time condition but potential modifications by users, software and incidents.

 
Data authenticity is not only different to integrity but has a broader focus. Authenticity deals with labeling data. This applies not only to intended managed data store but data introduced to the organisation through communications. An example would be a communication which is received from party claiming to be from an origin different from the actual one. If this is ignored, the recipient may not be the victim of any intended crime but in real terms, just not knowing of the intention regardless of the failure or the perpetrator is in itself a breach. Another more innocent example would be a form filled out incorrectly in which an applicant or respondent accidentally places an email address in a name input box. Any failure to validate this is a data authenticity issue. 
Data availability deals not only with the possibility of accessing required information but any time lag in availing of information in normal and data outage circumstances. Nanosecond delays in normal circumstances may be a technical availability issue but not a concern such as that brought about by an hours delay, a full day delay or total outage scenario. 

Utility of data deals with the practical area of the benefits of data stored. How useful is the data? This applies also to the ability to read the data in so far as to the format it is stored in and any conversions applied or required to read. Even encryption can be said to affect the utility of data due to any time required to decrypt before reading. This is not to say that encryption is not recommended. Encryption is absolutely necessary in most business environments. Utility can be confused with availability. It is however quite distinct from availability. An example highlighting this would be data converted to generate a graphic display. Despite how well matched mathematically and helpful from a human viewpoint a visual display may be, this represents a utility modification.

In summary

Data security represents a process not a task. Data security is never 100% certain. Innocent  parties may suffer a breach despite the best will of the data administrator concerned. All this said, risk reduction is a clear responsibility for which clear steps must be taken. The consequences for everyone should business not make acceptable efforts are also clear as is the distinction between those who tool action to protect data and those who did not.

Ask the data experts.

New! (October 2008)

Following of from the continuing success of the “Who’s who in data” interview series we have decided to allow you to ask the questions! Simply respond to this post using the standard comment option below. Present your question in the comment. Given the question is appropriate we will publish it and ask it of an expert from the “Who’s who in data” interview series. The expert asked will be chosen based on the relevance of their experience and expertise to your question and their willingness to answer. The chosen expert may therefore be from a past, present or yet to be published interview.

The real benefit here is that information on this page will be provided in order of readers wishes rather than the interview chronological order of the main “Who’s who in data” section.

Appropriate questions may be asked regarding any of the following.

Data protection, data management, data law, data backup, data security, data storage, data de-duplicattion, data technology, data privacy and yes you’ve got it. anything of relevance to the data industry.

Go ahead, all you have to do is ask! Click on comment and type your question.

The credit crunch has taken the attention from just about everything. Media column inches are rare territory for any non credit crunch related news. The world still goes on however and data theft is no exception.

Data theft is on the up significantly this year with increments in some regions as high as 70% on the previous year which was in itself not quiet on the data fraud front.

Minnesota is out in front with regard to legislation to combat fraud by requiring retail level protection for purchasers. Nevada is making great strides with encryption being required legally on almost everything bar fax. 

California has been trying but maybe too far. A bill which went as far as placing financial responsibility on retailers was veteod by Guvernor Arnold Schwarzenegger but in a classic case of “I’ll be back” it has reappeared seeking his signature with the bits he didn’t like removed. This bill (AB 1656) still has much to offer. Adequate protection measures would be legally required of merchants and more notable encryption would be a standard feature of everyday personal data transactions. 

It is considered likely that this will come in to place and is believed in some sectors that an element of the financial responsibility spared of retailers may be reintroduced on a less ambitious scale in the future. 

AB 1656 is important not alone for consumer protection but to repel cyber fraudsters (as they will generally operate in states which are legally and technically bereft of protection) and attract investors as they will generally all things being equal, prefer to operate in cyber safe environments.

Another benefit (which was a key attraction to vote holders republican and democrat) is that since AB 1656 is both a protection and a deterrent, it will save considerable on law enforcement person hours, thus allowing law enforcement to focus on more dangerous and essentially solvable crimes.

Guvernor Schwarzenegger is known for saying it as it is and therefore it is likely that those who made the amendments knew what needed to be changed and that these modifications are likely no more or no less than is required to give life to the proposed changes in AB 1656.

If you are watching this space you won’t have to watch for too long but unlike the last time round, don’t expect much broadsheet coverage as the credit crunch seems only willing to travel to inside pages which increase it’s coverage and continue from it’s lead headline position.

The weekend payment system fraud (http://backupanytime.com/blog/?p=131) has been hailed as a high-tech scam. To an extent it was but it is important to see what this has in common with the traditional and far more ugly holdup.

The technology involved was rather simple. A card reader (purchasable in technology stores), a Sim (come anon with prepaid phones) and a smart casing to make it presentable (possibly the cleverest and most difficult part to find) and that was more or less it from a custom hardware viewpoint.

All that was left was for the foot soldiers to enter premises with a standard or deportment and air of confidence which would convince shop staff that the visitors were indeed here to do critical payment services work.

The real problem here is that this type of crime is very easy to commit. Granted they will need to continually reinvent themselves as methods are identified and data security is beefed up. This however is something that criminal gangs have so far in general managed to do without great difficulty.

Beating technology is so far the easy part. This generally results from information gleaned over the Internet. Criminal gangs don’t need a genius, just a technician with good web research skills.

The hard part for the technology criminals is the social engineering. In this case they needed desperate people (they would be on camera in-store if they succeeded) but these desperate people had to be convincing. To be convincing they would have to be healthy, have good communication skills, be confident, have a basic understanding of the technical issues regarding connections and testing and remain calm on exit regardless of the circumstances.

In effect, we are dealing with confidence tricksters here. The technology does not have to belong to those who commit the crime at local level. The can buy the technology, copy it or steal it. In addition, these technicians are rarely the intravert backroom I.T. type. Little Mikey who is still in college will do just fine. Undergraduates are not just learning about malware through each other and the internet but in some cases are being though about it as a part of their course. See should colleges really teach hacking?

This is a far cry from the Hollywood image of a hacker transferring millions from the comfort of his own home. Granted this could be the consequence if the scam succeeds, but at some level some poor unfortunate has to present himself in a business with staff and cameras and take a chance. This is why and how this works. If staff do not receive training in preventative measures for social engineering, it will continue to succeed. Maybe in a different shop but that doesn’t matter as it hits the same pool of banks and account holders.

A question being asked byy many now is why the payment system did not cop this. The short answer is that once these guys replace the hardware they become the payment system at local level and many of the protections put in place work to ensure the criminal system works well.

The long answer is that each device connected to a payment system should have a unique identifier such as a mac address which would be missed and any new component not part of that list would be rejected or reported. Additionally, a chip and pin and Sim system which reports (and even approves manually) purchases to the purchaser as they are being made would make this far more complicated for the criminals.

It is likely that we will see much more of this in the future. The attitude of the Banks would appear to be that card services is profitable even after compensating clients but this does not sort the problem of a criminal gang having your name on a list. Even if your card is cancelled, do you want these people to have any identifiable information about you. How far can they push the social engineering? Could they order new cards? Yes, it has happened. It will continue to happen.