unit 6

6.1

Confidential

integrity

availability

Confidential is whether information is disclosed, this can be personal details like salaries, however it wouldn't be disclosed to people who manage finances for example.

Integrity is whether information is up to date and fit for purpose, this can be like an address phone number, as if there was an emergency they would need to contact parents etc.

Availability is whether information is available 24/7 for example phone numbers, addresses. This is information that operators can have access to all the time.

6.2

Unauthorised access

wonga loans got hacked and the hacker exposed 250,000 customers' bank details, which resulted in high levels of customers leaving the company, however it could have resulted in far worse consequences for wonga loans like a fine or possibly being sued, however their brand trust has decreased.

intentinal tampering

D-grade A level student hacks into USA defence and missile systems and removed files on battle management and artificial intelligence. He used nasa to get to this by hacking into their computer and downloading 1.3$million worth of software like temperature and humidity.

accidental loss


Uk prison system employee lost usb containing 8,000 inmates personal information this is dangerous for the inmates and staff of the prison and the employee got fired sue to this and could cause a lot of damage.


intentional destruction


Florida resident sentenced to 7 years for intentionally trying to damage a protected computer belonging to a former employee. He made unauthorised payments with various credit cards.Next he deleted all files of some of the companies servers, which led to him redirecting the companies website to a computer security firm.

6.3

loss of intellectual property

Companies can lose their intellectual property through poor information security or theft. Company insiders or outside parties can remove information via hacking into the company, and can tamper with information or change it. An example of this could be someone hacking into my pc, and gain my ipv4 address .

loss of service and access

is when a person cant access a website / programme, this could be because of a ddos attack, human error etc. these often affect EMP services without a scheduled outage.

failure in security of confidential information

A failure to maintain confidentiality means that someone who is unauthorised has access to a panel to get information that they shouldn't have, through intentional behavior or by accident. Failure of confidentiality, commonly known as a breach, typically affects reputation. Once the secret has been revealed, there's no way to un-reveal it and if withheld can lead to fines.

loss of information beloning to a third party

this is when a third party (like a company) has collected information from you and has now been hacked into, which leads to your information being taken by someone else or shared. For example if youtube was to get hacked the hacker would have access to my email location etc.

loss of reputation

this is normally caused by a business doing unethical things, some of these could include getting hacked and not telling anyone, this would damage their reputation and also if they were to get hacked consistently then the business would develop a really bad reputation. One example could be british airways getting hacked which resulted in hundreds of thousands of people getting their info leaked, if they did not decide to tell them then their reputation would get severely damaged.

6.4

staff access right to information

This is information that staff has the rights to use or look at, for example staff salaries is one type of right to information. This means only certain staff members would be able to access the information, however if a staff member was to intentionally access this information which they did not have the rights to access they are going against policies and can be fired.

responsibilities of staff for security of information

staff needs to make sure to follow procedures correctly, for example staff leaves confidential details on a desk. This could result in a sack or getting punished, depending on how severe it is. Some companies counter this by putting a policy as a forced password change. One example of this could be the teacher has confidential information, they could lock it away or shred it.

disaster recovery

This could be a ddos attack or wifi network crash, and this is how you would address the issue, this could be by getting a vpn on. Then how you would get your data back after the disaster, this could be by backups or a rollback. Github does attack with 2.3tbps, the attackers managed to amplify their attack by 50,000x, by sploofing. It resulted in 126.9milion packets being sent per second. Github was alerted 10minutes later by a system protocol and managed to shut down the attack quickly.

information risk assessment

this is when you would analyse risks and make adjustments to the situation, for example putting a high visible jacket on when crossing the road would lower the risk of getting hit, this is normally used for school trips.

effectiveness of protection measure

this is how well a protection measure (like encryption) is effective wise, how fast/good/easy it is to use and set up. For example if there was a business that need to encrypt their online documents, however for every document you needed to use a different encryption, this would be super effective however it would
take time which wouldn't be as effective as just encrypting all documents together, with a very good encryption method, this wouldn't be as good but would be more effective.

training of staff to handle information

this is the amount of training a staff member has to make sure they follow the appropriate procedures when handling confidential information. This could be leaving the information in a locked door or inside a restricted area e.g staff only, this can vary depending on the information. For example if a staff member was never got the appropriate training necessary then the staff member would find it hard to deal with difficult situations, this also links to the effectiveness of the training as if the staff got 20 hours training however the training was not effective, it would be likely that the staff would also find it tough in difficult situations.

6.5

biometric protection measures

this is a security measure that scans for your identity, this could be scanning your eye, your finger or face. This tends to be expensive equipment and is mainly used by big companies, however this is the most effective security measure. For example an airport took a staff in because he failed to identify himself, they may use a biometric scanner on them to find his or her identity.

security staff

this is when you hire a bouncer / security guard to look over an area, this is to help potential break-ins, this detours the threat. However this protection measure can get very expensive, as it is a constant outflow of cash but can be one of the most effective security measures. For example a nightclub hired a bouncer, the bouncer would deter anyone trying to get in who in unauthorised and help get rid of any threats.

passwords

this is a very common and pretty much free protection measure and depending on the difficulty of the password it would be almost impossible to guess, however these normally are broken or hacked, and doesn't deter any tampering when off site. For example a password can be used at the front gate to enter a site, however it is night and there are no security guards, this could be broken or hacked into.

cameras

this deters threats because it is able to identify any unauthorised access to a site, however these are easy to avoid unless you have multiple, usually by a mask or suit, they won't be able to get any crucial information. For example if there was a bank heist and the robbers were all wearing masks, the robbers wouldn’t be able to be identified.

shredding old paper based records

this is a very cheap protection measure to get rid of information, this is when you shred a document after reading it, this makes sure no one can view this after you have read it. This only works with paper so any online documents etc won't be able to be shredded. An example would be a teacher receiving a confidential document of wages, the teacher should shred the document and all information would be destroyed, preventing students / unauthorised people being able to view the document.

placing computers above flood level

this protection measure could be free unless you pay for labour, this is when you move your systems to a higher level to prevent it from being damaged by a flood. For example if a flood was broadcasted for tomorrow, the company may move the equipment to the 2 or 3rd floor so that the systems are damaged.

backup files in another location

this is when you have a backup file located in another site, this is price and varies for a protection measure as it depends on the size of your data, as it would need storage. For example if a fire was to happen, and the backup was in a fireproof safe, it would be safe or if the data was in another country, it would be safe from the fire.