Data Security

Planning A Defence

Security Planning

As an ethical hacker, part of your work involves advising others on how to improve their security as well as discovering weaknesses in their defences.

As covered in earlier work, defence planning varies according to the type of user and the size of the business. All the plans, though, have sections in common.

  1. Safe working practices - to guard against common vulnerabilities. Additional advice would be given to cover mobile devices (phones, laptops & tablets) where appropriate.
  2. Protection through properly configured security software.
  3. Appropriate physical security.
  4. How to comply with the relevant legislation.
Tasks

Read the following. In your notebook, create a page titled Security Plan Framework.

Create a list of the headings. These will form the main sections of your security plans. Beneath each heading make your own notes for what should be included in the section.

All reports, including security reports and plans, begin more or less the same way.

1. Introduction

The introduction outlines the context of the situation. It is basically a restatement of the problem in your own words, so that others reading it can understand in broad terms what you are trying to do.

The introduction should also make clear any assumptions that you make. So for example, if you are advising a family, it's fair to assume:-

  • They are not gathering personal data from customers and so don't have to register with the Information Commissioner's Office.
  • You would not be expected to advise on web or file server security, or to go into great detail about the ethics of collecting, storing and sharing data.
  • Because the family is based in a single location, there would be little need to write about Wide Area Network security.

So the introduction is very important because it determines a lot of what is written about in other sections.

A multinational organisation would for example, require:-

  • An extensive staff training programme so that staff can recognise and avoid typical social engineering attacks.
  • A detailed backup plan, with copies of data maintained at remote sites in case of environmental disasters, terrorist attack, fire or a hack attack (think of the WannaCry ransomware).
  • Heavy physical security to protect data storage facilities.
  • A common software policy so that employees all use compatible software, with a structured update plan so that software across the organisation is updated at the same time.

Think about who will be using the devices and what they will be using them for, because this will have consequences for what you recommend.

2. Users

Social media users, for example, may need advice on privacy settings, warnings about what they post (no holiday dates etc.), passwords and 'making friends' online. Large businesses would need educating to a greater extent with regard to social engineering, the risk of leaving business equipment lying about, the need for higher security with BYOD (Bring Your Own Device) and so on.

In this section, you would be writing about safe working practices or what users can actually do themselves to minimise the risk of a successful hack attack.


Consider the software required to maintain security. Again this might differ depending on the context. Large companies would need different security software from families or single users: they would need specialist web-server and file-server security software to protect their large infrastructure. For a family or single user, much of the server-side protection is provided by their Internet Service Provider (ISP).

3. Software

Apart from keeping application and operating system software up to date, don't forget:-

  • The authentication process (passwords, and two-factor authentication where it is available).
  • Antivirus & anti-malware software.
  • Firewall, content & media filtering software.
  • Security software for laptop, tablet and smart-phone devices.
  • Appropriate backup processes & software to restore data in case of data loss or corruption.
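A backup is only useful if you can trust what you restore from it. As an added example (not code from the original page), the script below records a SHA-256 manifest of the files when the backup is taken and checks the backup against that manifest before a restore, reporting files that have changed, gone missing or appeared. The file names and contents in demo() are constructed for the demonstration; a real plan would run the manifest step on every backup and keep the manifest somewhere the backup itself cannot overwrite.

```python
"""Backup integrity check: record a SHA-256 manifest when a backup is taken
and verify the backup against it before trusting a restore.
Added example, not from the original page; the paths and file contents in
demo() are constructed for the demonstration."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large files don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify(manifest, root):
    """Compare a backup directory against a saved manifest.
    Returns a sorted list of (problem, relative_path) tuples; an empty list
    means every file is present and unchanged."""
    current = build_manifest(root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(("missing", rel))
        elif current[rel] != digest:
            problems.append(("changed", rel))
    for rel in current:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return sorted(problems)


def demo():
    """Constructed scenario: back up two files, verify the copy, then damage
    the backup (one file altered, one deleted) and verify again.
    Returns (problems_before_damage, problems_after_damage)."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        live = os.path.join(work, "live")
        backup = os.path.join(work, "backup")
        os.makedirs(os.path.join(live, "accounts"))
        with open(os.path.join(live, "accounts", "ledger.csv"), "w") as f:
            f.write("date,amount\n2024-01-01,100\n")
        with open(os.path.join(live, "notes.txt"), "w") as f:
            f.write("quarterly review\n")

        shutil.copytree(live, backup)          # take the backup
        manifest = build_manifest(live)        # record what was backed up
        clean = verify(manifest, backup)       # expected: no problems

        # Simulate silent corruption (bit rot or ransomware) of the backup.
        with open(os.path.join(backup, "accounts", "ledger.csv"), "a") as f:
            f.write("2024-01-02,999999\n")
        os.remove(os.path.join(backup, "notes.txt"))
        damaged = verify(manifest, backup)     # expected: changed + missing
        return clean, damaged
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("before damage:", before)
    print("after damage: ", after)
```

The check only detects tampering if an attacker who reaches the backup cannot also rewrite the manifest, so store it on separate media or sign it; that is the same reasoning that puts backup copies at remote sites in the plan above.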

Physical security of hardware devices is important for every type of user, though the scale of physical protection required is much larger for big companies than it is for a single user or a family.

4. Hardware Physical Security
  • Think about the factors required to maintain the security of the immediate environment. Johnstone High, for example, has fences, controlled access, CCTV, alarms, locked rooms and secure server rooms. Security, though, has to be appropriate to the context. For a family this might be over the top?
  • Don't forget the configuration of the devices. Would you need CD/DVD drives to be included? These could be used to load malware. Similarly, would USB sockets be locked down so that thumb drives couldn't be used to install software? But think about whether such a device is necessary: if it is removed, how could data be moved around?
  • Looking after the security of portable devices is important. What recommendations would you make to guard the security of these devices?
  • Would you specify any extra hardware on devices to improve security, for example fingerprint scanners or cameras for face recognition?
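Locking down USB storage is one of the device-configuration points above that can actually be written into a plan as a concrete setting. As an added example (not from the original page), the PowerShell below disables the Windows USB mass-storage driver (USBSTOR) so thumb drives can no longer be mounted, and shows how to check and reverse the setting for a supervised data transfer. It assumes a stand-alone Windows PC and an elevated (Administrator) PowerShell; on a domain the same control would be applied centrally through Group Policy (Removable Storage Access) rather than by editing each machine.

```powershell
# Added example, not from the original page: block USB mass-storage devices
# on a stand-alone Windows PC and verify the setting. Run as Administrator.
# Assumption: not domain-managed; on a domain use Group Policy instead.

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Start = 3 : driver loads on demand (USB storage works, Windows default)
    # Start = 4 : driver disabled (thumb drives cannot be mounted)
    $start = (Get-ItemProperty -Path $usbstor -Name Start).Start
    if ($start -eq 4) { 'Disabled' } else { 'Enabled' }
}

function Disable-UsbStorage {
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
}

function Enable-UsbStorage {
    # Restore the default so a trusted drive can be used for a supervised
    # data transfer; run Disable-UsbStorage again afterwards.
    Set-ItemProperty -Path $usbstor -Name Start -Value 3 -Type DWord
}

"Before: $(Get-UsbStorageState)"
Disable-UsbStorage
"After:  $(Get-UsbStorageState)"
```

Two caveats for the plan: this only stops the mass-storage class, so a device that presents itself as a keyboard is unaffected (that is a separate control), and a drive already mounted when the setting changes stays accessible until it is unplugged.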

This is where you set out the relevant laws that your 'client' - the person or business that you are advising - has to comply with.

5. Legal Compliance

  • Everyone has to comply with the Computer Misuse Act and the Copyright, Designs and Patents Act, but the consequences of a breach can be very different depending on the user, ranging from disciplinary action or prosecution of an individual to fines of many thousands of pounds for a large company.
  • Depending on the nature of the business, advice will have to be given on what to do to comply with the Data Protection Act and the rights of the Data Subject, and on what the Data Subject could do if they had a complaint.
  • You could discuss the need for an ethical policy on how data is handled - how it is gathered, stored and shared.
  • For any business handling personal data there is a need to discuss GDPR. It applies to all processing of personal data about people in the UK and EU, not only to data exchanged across national boundaries, and transfers of that data outside the UK/EU need additional safeguards.

Can you now do the following?


  • Know the main sections that have to be included in a security plan.
  • Explain in outline what has to be covered in each section.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information.
