
Introduction to Data Security

MODULE 1
Module Objectives:

At the end of this module you will be able to:


• Understand what data is and the difference between data and information
• Understand how often data is generated
• Understand the importance of personal and organizational data
• Understand the different threats to data
• Understand what data security is and the risks associated with data
compromise
• Understand the elements of security
• Understand the potential losses due to a data breach
• Understand how to implement data security
Data – Digital Building Blocks

• What is Data?
• In lay terms, data is unorganized facts that can be processed into
meaningful information. It can be in the form of text, numbers,
symbols, pictures, or any other possible form. Anything that tells you
something about an object or an entity is data. For example, your
personal data is constituted by your name, your address, and your
height, among other things.
• How often do we generate data?

• People generate data constantly as long as they are awake, and sometimes
even after that. A phone number that you save, a picture that you take on
your phone, a map location that you send someone, a text message, a
voicemail, a credit card transaction: everything is data. Data gets
generated even without us explicitly initiating it. Things like details of your
last call, last login time on your laptop and even the amount of battery life
left on your device are data. Details about you after you are asleep, such as
how long your online accounts were inactive, or after how many hours
a device was accessed again, are also data. Such data may seem useless to
you but can be valuable to a person planning an attack on your digital
assets.
• Data versus Information
• Even though the terms data and information are often used interchangeably,
there is a distinction between them. Information is nothing but processed data
which conveys a specific meaning and is of substantial value. The difference
between data and information is subjective in nature. What is data to one person
can be information to another and hence, the terms are interchangeable. The
difference is exactly like the one between music and noise. For example, the route
your cab takes to reach the destination can just be data to you, but it is
information to someone (maybe a parent) who is tracking the cab to see if you
are being taken to the correct place. Similarly, the time at which you reply to an
email is just data for you but can be information for the receiver of the mail if he
wants to know how much time it took for the email to reach its destination inbox.
As a result, people use the terms data and information interchangeably according
to their personal context.
Importance of Data in the Information Age

• Importance of Personal Data


• Little details about people have never been this important in the history of mankind. Everything
from your address to your favourite pet’s name has the potential to do financial damage if it
falls into the wrong hands.
• Apart from hurting people financially, personal information can also be used to do emotional and
physical damage. Intimate pictures or videos of you on your phone or computer can be used
against you to blackmail you or to simply embarrass you in public. There is no dearth of cases
where private pictures of celebrities have been stolen and made public. In the social networking
era, where people post all sorts of personal details online, it has become increasingly easy for
criminals to find their prey. Simple information like where you will be spending your evening, if
posted online, can be used in the most dangerous ways by stalkers.
• Personal information has reacquired its meaning in this millennium. It is supposed to be just that:
personal. Sharing of personal information with strangers or online is nothing short of
inviting trouble. There are many ways in which you can protect your personal details, but the
most effective of them all is keeping your information to yourself.
Importance of Organizational Data

• Data belonging to commercial entities, if leaked, can wreak havoc on them. A commercial data breach has
many more implications than just the obvious financial one. A company may be working on a new product
that it is about to launch in the market. If the information about the product is leaked to a competitor who
ends up launching the same product, the repercussions can be never-ending. The company may lose market
share and all the potential profits for years to come. Something that happened between Apple and
Microsoft is a classic example of that. A data breach, although a low-tech one, which happened decades
ago, still makes Microsoft the money which should be Apple’s market share.

• Apart from this, the company which loses information also loses credibility in the market. People are more
hesitant to do business with them as they are scared for the safety of their own information. Another
implication is the amount of rework that goes into generating the same information again. The victim
business loses time, money, and market share every single day that they spend on the rework. Losing
customer data may also lead to lawsuits, translating into a huge monetary loss for the affected organizations.
• The reason why industrial espionage is a thriving business today is that people no longer have to go
and physically steal information from companies. Data thefts can be done remotely by targeting the weak
links in the cyber security chains. Often these weak links turn out to be the low or mid-level employees who
are the end users of a company’s digital infrastructure. Companies, and even governments, are investing in cyber
security like never before, as it is more of an investment for them in their business than security.
Threats to Data

• Since data has become so important in today’s world, threats to it
also have risen significantly. Loss of data can cause great emotional
distress apart from financial troubles. There are multiple threats that
our data faces today. Some of them may be from natural forces,
against which we are helpless as mere mortals, and some from
humans themselves, about which we can do something.

Natural Threats

• Natural disasters or accidents can physically damage or completely destroy data. An
earthquake can collapse a building in which we may have computers with important data
on them. Similarly, a fire can wipe out huge amounts of data in a matter of minutes.
Not all data needs to be commercial or financial in nature for it to be important. A
memory card with pictures of loved ones who are missed, or of important events of life,
is irreplaceable if lost.

• Things like lightning, floods, tornadoes, and hurricanes can destroy data much like
anything else that comes in their way. Even though natural disasters or accidents cannot be
predicted or avoided, they are easy to prepare for, since we know exactly what to expect
in these cases. The most common method of avoiding loss of data due to natural
disasters is to keep a backup of the data at a remote location. Since we generate an
immense amount of data on a daily basis, it is more feasible to back up only the
important items. It is also important that we keep a regular schedule for backups. This will
ensure minimal loss of data if a natural disaster should strike. We will look at more ways
to physically secure our data.
Threats to Your Data From You

• Threats to the security of data are not only from natural forces or criminals looking to exploit it,
but also from the very person to whom data belongs. It is often said that the biggest threat to
data is from the very person who owns it. Even though nobody would consciously harm their own
data, most people are unaware of the extent to which criminals go to steal it. Ignorance or
accidental lapses on the part of a person can lead to loss of data which otherwise might not have
occurred.

• Ignorance about the security of one’s data is almost as good as handing it over to someone with
malicious intent in this age. Many people leave their computers or devices unlocked or
unattended in public. This obviously is an open invitation to a thief to steal the device along with all its
data. Even if physically stealing a device is not possible in a situation, an unlocked computer can
be a gold mine for criminals looking to steal data. Leaving the access to a device open in public is
enough for criminals to fish out valuable personal information stored on it. Another way people
may facilitate the theft of their own data is revealing it to someone in public where they can be
overheard. Attackers are always on the lookout for information that they can exploit, and this
makes it too easy for them. Throwing away credit card or ATM receipts in public bins is another
way of facilitating the theft of your own data.
• One of the most common methods that criminals use to extract
information is befriending a stranger on a train or in a café. They pose innocent-looking
questions to their victims with the intent of knowing their personal
details. These are simple questions like, “I am from a different country, can I see your
driver’s license? I want to see the difference.” Details like this are generally
answers to the security questions one gets asked when resetting a bank
account password or getting a new credit card issued.

• A lot of thefts can be avoided by simply being aware and using common
sense. More techniques of carrying out data breaches and ways to
protect yourself against them are discussed later.
Threats to Your Data From Others

• There are a lot of data predators out there who are always on the lookout
for a score. They constantly come up with new and innovative ways
to dupe their victims, making it necessary for the rest of us to stay
abreast of these techniques as well.
• Since the Internet and its uses have grown at meteoric speed, the
world has not had enough time to get used to the fact that even personal
information can be of value in the digital age. People still reveal their
personal details to strangers without realizing that they just handed
over the keys to their locker. Criminals, like marketing gurus, believe that
simply asking still works, and they are not wrong.
• Ignorance also leads to accidental revelation of data by people. Emails or phone calls
from strangers, impersonating some legitimate institution, are the most common
method of extracting data from people. Cyber criminals often place malicious links,
looking like innocent advertisements, on the Internet. When unsuspecting users click on
these ads, they expose themselves to a whole gamut of exploits. These ads, when
clicked, install programs on the computer that let the attacker in easily. Infecting a
computer with a virus sent as an attachment in an email is another popular way of
gaining entry into people’s computers.
• Apart from these, there are more low-tech techniques that are employed to steal
information that are surprisingly effective. Simple things like peeping over one’s
shoulder or shoulder surfing while the person is entering an ATM PIN is still a very
popular way. The same technique is also effective while someone is entering their
username and password for online banking.
• These are some of the numerous techniques to steal people’s data. Users need to keep
themselves updated about these techniques and take precautions accordingly.
Data Security

• What is Data Security?

• Security, in terms of technology, is the process of protecting information, and the infrastructure that stores
it, from unauthorized access or misuse. Security aims to protect computers, smartphones, computer
networks, and the information stored across them.

• Security, apart from physical, also refers to security over a network like the Internet. With millions of people
using various devices to connect with each other over the Internet via a myriad of services like iCloud and
WhatsApp, the Internet has become the host of several complicated and widespread security attacks.
Computer security is a serious issue for everyone who accesses the Internet.

• Information / computer security is everyone's responsibility. Even if users do not have anything worth
securing on their devices, it is vital to implement security measures such as a firewall, antivirus, etc. to protect
computers from attacks. This is because, apart from information, attackers also seek to hijack computing
resources. Various computers are compromised and then remotely used by attackers to launch
attacks on other computers. For example, attackers may call up people offering to fix the problem in their
laptops, and trick them into installing malicious software on their systems. The compromised computer is
then used to launch attacks on other computers.
Why Do We Need Data Security

• Malicious programs such as viruses, worms and spyware infect 90 percent of the
devices that users connect to the Internet. These programs not only decrease
the performance of the systems but also pose a security threat as they may cause
critical damage to the user’s device.

• Home computers are easy targets for cybercriminals because they are not secure
and are easier to break into than an organization. As discussed earlier, apart from
information, cybercriminals also seek computer resources such as a hard drive or
a fast processor. The better the computer’s performance, the easier it is to use
it to launch attacks on other computers. In such a case, the compromised
computer used to launch attacks is called a zombie computer. It gets more
difficult to trace and catch attackers with each zombie they add to their attack
network. Hence, even if computer users do not have sensitive information on
their computers, they should take computer security very seriously.
• Physical security is also a major concern. The statistics discussed earlier reveal that the
loss / theft of media such as laptops, data cards, phones, etc. accounts for major security
breach incidents. Since physical security breaches are the highest among personal
devices, individual users must be careful about securing their computing gadgets.

• Moreover, computer infrastructure administration and management have become more
complex with the growing technology. Network environments and network-based
applications have increased and the skill level needed to launch attacks has decreased.
All of these factors call for adopting better security measures. Therefore, it is very
important to have security in all the devices used either at homes or in organizations.

• Therefore, it is important to ensure that users are familiar and up to date with the
different types of security threats, in order to handle them properly.
Elements of Security
• Before we go any further, let us get acquainted with some basic terminology from the perspective of data and its security:
• Confidentiality
• Confidentiality of data refers to it being known or accessible to only authorized users. Data confidentiality is one of the first layers
of data security. For example, only account holders can view their bank account summary.
• Authenticity
• Authenticity refers to the truthfulness of the origin of data. It ensures the claimed source of data is actually the origin of that data
and that the data has not been tampered with since its creation. For instance, an email claiming to contain your bank account
statement as an attachment, can only come from your bank. A bank statement coming from any other source, even though
claiming to be your bank, cannot be considered authentic.
• Integrity
• Integrity is ensuring that the information is accurate, complete, reliable and is in its original form. Incomplete or corrupted data
can do more harm than good. Imagine what can happen if an organization transfers an employee salary to an incorrect account
owing to corruption of the database holding all employee account numbers.
• Availability
• Availability ensures that once the user captures the data in a computer system, it must make the data available to the users when
they request it. The availability of data to the authorized users at any point of time, is one of the most important purposes of a
computer. Availability is also applicable to the computer hosting the data or the services as well. The computing resources need
to be available to the users whenever needed.
• Non-repudiation
• Non-repudiation is the process that ensures accuracy of the sender
and receiver of a message. It also ensures that the sender of a message
cannot deny having sent the message and also that the recipient cannot
deny having received it.
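The integrity example above (a salary paid to the wrong account because the account-number table was corrupted) can be caught with a per-record check before the payment run. The following is an added example, not part of the original module; the employee ids, account numbers, key and function names are all constructed for illustration. It compares an unkeyed hash (integrity against accidental corruption) with a keyed HMAC (integrity plus authenticity); because the key is shared, an HMAC does not give non-repudiation, since either key holder could have produced the tag.

```python
import hashlib
import hmac

# Constructed sample data: employee id -> bank account number.
PAYROLL = {"E001": "1002003001", "E002": "1002003002", "E003": "1002003003"}
# Constructed demo key; a real key belongs in a key store, not in source code.
KEY = b"demo-key-not-for-production"


def record_bytes(emp_id, account):
    # Length-prefix each field so ("E1", "23") and ("E12", "3") encode differently.
    parts = [emp_id.encode(), account.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def digest(emp_id, account):
    """Unkeyed SHA-256: catches accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(record_bytes(emp_id, account)).hexdigest()


def tag(emp_id, account, key=KEY):
    """HMAC-SHA256: only a holder of the key can produce a matching tag."""
    return hmac.new(key, record_bytes(emp_id, account), hashlib.sha256).hexdigest()


def seal(table, key=KEY):
    """Compute one tag per record while the table is known to be correct."""
    return {emp_id: tag(emp_id, acct, key) for emp_id, acct in table.items()}


def failed_records(table, tags, key=KEY):
    """Return the employee ids whose record no longer matches its stored tag."""
    bad = []
    for emp_id, acct in sorted(table.items()):
        expected = tags.get(emp_id, "")
        if not hmac.compare_digest(tag(emp_id, acct, key), expected):
            bad.append(emp_id)
    return bad


if __name__ == "__main__":
    tags = seal(PAYROLL)
    corrupted = dict(PAYROLL, E002="1002003992")  # one damaged digit
    print("clean table:", failed_records(PAYROLL, tags))
    print("corrupted table:", failed_records(corrupted, tags))
    # Tags recomputed without the real key do not verify, so a rewritten
    # record cannot be passed off as coming from the payroll system.
    print("re-sealed with wrong key:", failed_records(corrupted, seal(corrupted, b"guess")))
```

A payment run would call `failed_records` first and hold back any employee id it returns.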
• Potential Losses Due to Security Attacks
• Computer Security is essential for industries and organizations that
directly or indirectly depend on latest communication or other
technologies, as well as for homes that use various computing
devices. Possible losses that users or organizations may suffer due to
security attacks include:
• Financial Loss
• An organization may lose huge amounts of money if attackers make the systems stop working all
of a sudden. A security attack may result in loss of sensitive data worth millions of pesos. Even users
using a system at home may lose money if attackers compromise their systems to gain access to
their bank accounts and credit card information.
• Unavailability of Resources
• Security attacks on a computer may deplete the system’s resources (such as hard drive
space, memory, or the speed of the processor), making the system sluggish.
• Identity Theft and Identity Fraud
• Identity theft refers to the process of stealing someone’s personal information with the intention
of using it for illegal activities. Identity fraud refers to the actual usage of the stolen personal
information in illegal activities. Attackers commit identity fraud by impersonating their
victims to take out loans, credit cards, or perform illegal activities.
• This lands their victims in trouble when it is time to pay the bills while the attacker gets away with
the money.
Loss of Trust

• Once attackers breach the security of an organization, they can send
malicious software as attachments in mails to the stakeholders of the
organization to attack their devices. Such attacks look like they were
initiated by the organization, which results in loss of trust among the
stakeholders, which eventually impacts the business of the
organization.
Data Loss/Theft

• Apart from financial data, other kinds of data are also prone to thefts.
Data like research material, employee information, personal pictures,
and personal emails are all data, which can cause damage to an
organization or an individual if released to the public.

Misuse of Computer Resources

• Users tend to configure their devices for high performance and a
faster Internet experience, and this minimizes the security of the
devices. In order to increase the performance of their computers, users
delete antivirus software and disable firewalls, which makes these
low-security resources an easy target for cybercriminals.
Implementing Security

• Implementing security practices for devices is one of the most
effective ways of minimizing data theft risks. Securing a computing
device from threats involves three steps:
• Precaution
• Maintenance
• Reaction
• Precaution:
• Precaution is an action taken in advance to protect the system against
threats or dangers. Precautionary measures help in defending against
the threats posed by the Internet. Even when they fail to avoid a
threat completely, they ensure any damage done is kept to a
minimum.
• Maintenance:
• Reaction:
Cisco.com
