Академический Документы
Профессиональный Документы
Культура Документы
CIA
The guiding principles behind information security are summed up in
the acronym CIA (and we’re pretty sure there’s a joke in there
somewhere), standing for confidentiality, integrity and availability.
In addition to the cost of fixing the breach, Sony was fined £250,000
by the Information Commissioner’s Office as a result of a ‘serious
breach’ of the Data Protection Act, stating that ‘The case is one of the
most serious ever reported to us. It directly affected a huge number of
consumers, and at the very least put them at risk of identity theft.’
Information assets
Time for another definition. When talking about valuable data we use
the term ‘information assets’. In the PlayStation case, the information
assets were the data about Sony’s customers.
Malware
Finally, there are a number of terms associated with software that
attempts to harm computers in different ways. Collectively these are
known as ‘malware’ (a contraction of malicious software).
Now that you understand some of the basic concepts and terminology,
you’ll use this knowledge to study real examples of cyber security
breaches.
Phishing
It may be surprising that many cyber security breaches do not result
from technical failures. In fact it is commonplace for attackers to
exploit the goodwill and trust of people to gain access to systems,
using a form of attack that is known as ‘social engineering’. Pretending
to be technical support personnel or crafting emails that ask for
usernames and passwords are common forms of social engineering
attacks. You may have heard the term ‘phishing’ used to describe
these kind of emails. Phishing is a form of social engineering. In the
video, course guide Cory explains how it happened to him.
In the next step you’ll find out about three high profile cyber security
breaches.
Over the years, Adobe had stored the names, addresses and credit
card information of tens of millions of users on its servers. Then, in
October 2013, Adobe admitted that data from 2.9 million accounts had
been stolen. Later, that number was revised to 38 million accounts,
but when the data file was found on the internet it contained no less
than 153 million user accounts. Much of this data could be read and
soon copies of the stolen accounts were in wide circulation. It also
became clear that the people who had stolen user data had also
gained access to Adobe’s development servers – program code,
potentially worth billions of dollars, had also been stolen.
Adobe was forced to change the log in details of every one of its users
and to greatly improve its own security. And, of course, users are
suing Adobe for not protecting their information.
Is Adobe alone, or are other companies holding valuable data but not
protecting it properly?
Once the email had been opened, the hidden software went to work
and retrieved the HVAC company’s Target network authorisations,
allowing them to log on to their real objective. In an ideal system, the
HVAC company’s authorisations should have restricted them to a
network responsible solely for billing and contracts, but, like a lot of big
organisations, Target used a single network for all of its data, allowing
the attackers to eventually locate, and steal, customer data.
Don’t forget you can ‘like’ and reply to other learners’ descriptions if
you found them helpful.
For each type of information, think of its value to you. Label the
most valuable types of information as ‘High’, the least valuable
as ‘Low’ and those that are in between as ‘Medium’.
Do the same exercise for the online activities you engage in. For
example, you might use online banking, shopping or social
networking services. This time, label each one with a value
based on the potential cost of an unauthorised person gaining
access to it.
In the next step, we will ask you to use this information as part of
a survey that will help you get a picture of your exposure to
information security threats but you won’t be asked to share the
details of your list. You’ll use this list later in the course, too.
First, let’s think about how passwords are used and the different ways
attackers try to learn our password.
2.3
View transcript
Download video: standard or HD
RockYou’s problems were made worse when it became clear that they
had known that their database was vulnerable to an attack for more
than ten years. The company had previously been criticised on privacy
grounds for sending emails containing complete lists of their
advertising partners, and for poor security in issuing passwords
through insecure email.
Attacking passwords
The obvious ways that attackers can find or steal passwords,
such as looking over your shoulder when you’re using an ATM or
credit card machine or trying obvious passwords such as
‘abc123’ and ‘password’, are familiar to us.
Salt to protect
The security of stored passwords can be increased by a process
known as salting – in which a random value (called the salt) is
added to the plaintext password before the hashing process.
This greatly increases the number of possible hash values for the
password and means that even if two people choose identical
passwords, their hashed passwords have completely different values.
The hashed password and the relevant salt are stored by the
password server. When the user attempts to log in to the computer,
their password and the salt are added together, hashed and compared
to the stored, hashed value.
Salting is only effective if:
truly random salts are used for each password (some systems
have either used a single salt for all passwords, or have only
changed the salt when the computer is restarted)
the salt is long enough that, when added to a password, it will
create enough possible hashed values that an attacker cannot
generate a table containing all possible hashes from a salted
dictionary. For instance, the passwords used by UNIX in the
early 1970s were restricted to eight characters and used a 12-bit
salt. When released this was secure enough – it was not feasible
to generate the hashes for every possible password each of
which had been salted with all 4096 possible salts. However, the
rapid advance in computer power and storage capacity meant
that longer salts are required. A typical piece of advice is that the
salt should be the same length as the output of the hashing
function – so if your hashing function generates 256-bit hashes,
a 256-bit salt should be used.
The hashing had been performed using the relatively old SHA-1
hashing algorithm which can be performed at very high speed (a
desktop computer can calculate several tens of millions of SHA-1
hashes per second).
For more advice about how to choose strong passwords read Good
password practices which you can download and keep.
In the next step you’ll get to test the strength of your passwords.
Discuss why the security of the two passwords was different and what
makes a very strong password. Things to consider include:
password length
the range of characters you used
whether any personal information is recognisable in your
passwords (and could be guessed)
how easy or difficult it is for you to remember the new password.
Password manager
While it is possible to create your own strong passwords, it can
sometimes be difficult to remember each one, especially if you
use a number of online services.
You will learn more about digital signatures in Week 5 of the course,
but for now it is sufficient to understand that in this case the digitally
signed token cannot be created or modified by anyone other than the
OAuth provider. Once it receives the token all the website needs to do
is to check that the signature on this token is valid to confirm the
identify of the user.
Two-factor authentication
So, if a password isn’t secure enough, perhaps having two
pieces of information is more secure? This is known as two-
factor authentication and you’ve almost certainly used it without
realising.
When you take money out of an ATM you have to give the bank two
pieces of information – the first is the data stored on your bank card,
the second is the PIN. Individually, neither can access your account,
but when brought together they allow you to withdraw money.
Some banks have given similar two factor authentication to online
banking customers – in this case accounts need to be unlocked with
the combination of a password and a four or six digit number
generated on a hardware security token. If you use online banking and
don’t have a hardware token it will be well worth finding out if your
bank offers them to customers, and if they do not, consider switching
to a more secure banking service.
The organisation that owns the network you are connecting to will give
you a card or device, often called a VPN token, that can be used to
generate a sequence of random characters. When you try to connect
to the VPN, you will first be asked for your password (the secret based
on something you know) and then will be challenged to provide some
information from the VPN token (the secret based on something you
have).
You can find out more at Google’s 2 Step page and set it up using the
instructions in the Setting up two-factor authentication on Google PDF.
Apple
Dropbox – a cloud file sharing service
Evernote – a cloud-based document and note taking service
Microsoft Accounts – used by the Microsoft App Store and its
OneDrive cloud storage service
PayPal – online payments used by many small web retailers and
eBay
Steam – online game delivery
Twitter
Can you find examples connected with your work, for example to
access the company VPN or different areas of the building?
Share your findings from the research you carried out in the
discussion below.
Write a short comment about the type of methods and devices you
came across that offer two-factor authentication, then read at least
four comments from other learners and add to your notes any other
methods and devices you have learned about.
Next, you will have an opportunity to review your learning in the end-
of-week test.
The next step after this one is a test step. Tests on FutureLearn are
usually multiple choice, between 3-10 questions and have tailored
feedback - they’re designed to verify what you’ve learnt so far.
Tests also enable you to get a Certificate of Achievement. If you want
to earn a Certificate for this course you must have completed any
tests on the course and score an average of 70% or higher. You get
three attempts at each test question, but you can only take the test
once. Please make sure you look back over the course to refresh your
knowledge and understanding before taking the test.
You can only access tests on FutureLearn if you have upgraded your
course. By upgrading, you also get unlimited access to this course for
as long as it exists on FutureLearn, and the chance to get a printed
and digital Certificate of Achievement.
If you’d like to do the test and work toward a certificate upgrade now,
or you can find out more.