Data Security

12. Protection Through Workplace Rules

Staying safe, staying secure

Earlier exercises have looked at some of the different methods used to bring about a security breach. Individuals and organisations can avoid many of these techniques by adopting safe and secure working practices.

Staying Safe

Each numbered section below names a cause of security breaches and then gives the recommended work practice that guards against it.
1. Theft of hardware or files

Hardware is a term used to refer to desktop computers, laptops, tablets and smart-phones.

'Files' refers to paper files and to files stored on electronic media such as CDs, DVDs, USB drives and magnetic tape.

Take care over the physical security of hardware and files wherever they are stored. Make sure to:

  • 'Lock down' hardware to its log-in screen whenever it is left alone.
  • Secure the work area by physically locking up hardware and files before leaving them unattended.
  • Don't leave hardware and files visible in empty cars or houses.
  • Shred sensitive paper records before disposing of them, to prevent theft from bins etc.
  • Don't leave sensitive information lying around or forgotten on printers, copiers, fax machines or desks.
  • Encrypt mobile devices, so that the data stays protected if the device is lost or stolen.

2. Hacked passwords

A password that is known to others leads to compromised data and systems, because someone can use the account without anyone being aware of it. They don't have to reveal their hand by doing anything malicious at first; they can simply read the data.

Users must take proper precautions with their passwords. To avoid hacked passwords:
  • Use hard-to-guess passwords that are resistant to brute force attacks.
  • Never share passwords with others. You have no control over who they might pass them on to, even accidentally.
  • Use a different password for each account, so that one cracked password does not open everything (the 'egg shell' defence: hard on the outside, but once it is broken everything inside is exposed). Make sure work and non-work accounts use different passwords.
  • Change default or temporary passwords as soon as possible, to prevent others from getting into accounts ahead of you.

3. Insecure storage of data

Folders where data is stored often need to be accessible by multiple users, especially in organisations. Particular care has to be taken before storing sensitive or confidential information in these folders.

Secure work practices ensure that sensitive data is not stored in publicly accessible folders, so users must:

  • Know who the folder is shared with before storing restricted data there.
  • Check that the folder is not accessible from the internet without a password.
  • Make sure that sensitive data is transmitted securely in encrypted format.
  • Don't use open WiFi to transmit data.
  • Don't email or message data in plain text.
  • Make sure that any screen shots or even test data is sent in encrypted format.

4. Compromised third party devices

Organisations frequently allow suppliers' or partners' computer networks to connect to their own to improve workplace efficiency.

It has been known for hackers to gain entry to a supplier's computer network and use it as a gateway into the network of their real target.

As the data controller, you are responsible for all restricted sensitive data. Third party computers, however, are beyond your direct control, so make sure that:
  • Proper contracts are in place and any third parties understand their obligations to keep the data safe and secure.
  • Personal data is never sent, transmitted or downloaded to an unknown computer.

5. Infected computers

Computers without up-to-date anti-malware software are vulnerable to hackers, who create software that can bypass the protections provided by older anti-malware programmes.

Avoid infections by making sure that:

  • Anti-malware software is installed and kept up to date.
  • Users avoid 'click-bait' and do not click on unexpected links or attachments.
  • Users avoid files sent by chat/instant messaging or peer-to-peer networks, as these can bypass anti-malware scanning.

6. Missing 'patches' & OS updates

Hackers discover weaknesses in older software and learn to take advantage of the revealed vulnerabilities.

Avoid possible attack by making sure that all Operating System (OS) and application patches and updates have been installed.

7. Incorrectly configured devices

Setting up devices, software and permissions correctly is extremely important. Hackers are very good at detecting open ports or lines of entry into vulnerable systems.

Take care:

  • Don't install unknown programmes. These can include instructions to open 'back doors' that allow hackers entry without the user's knowledge.
  • Don't store sensitive data where the access permissions are too broad. Too many people would have access, and hackers can take advantage of broad access permissions.
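
As an added example (not part of the course page), the check behind items 3 and 7: walk a folder tree and flag every file that users outside the owner, or anyone at all, can read or change. The sample files and their modes are constructed in a temporary directory, and the check assumes POSIX permission bits.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission bits that let people outside the owner read or change a file.
WORLD_READ = stat.S_IROTH
WORLD_WRITE = stat.S_IWOTH
GROUP_WRITE = stat.S_IWGRP


def describe_broad_bits(mode):
    """Return the reasons a POSIX mode is too broad for sensitive data (empty if fine)."""
    reasons = []
    if mode & WORLD_WRITE:
        reasons.append("world-writable")
    if mode & WORLD_READ:
        reasons.append("world-readable")
    if mode & GROUP_WRITE:
        reasons.append("group-writable")
    return reasons


def find_broad_permissions(root):
    """Map each regular file under 'root' with overly broad permissions to its reasons."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and not path.is_symlink():
            mode = stat.S_IMODE(path.stat().st_mode)
            reasons = describe_broad_bits(mode)
            if reasons:
                findings[str(path.relative_to(root))] = reasons
    return findings


def build_demo_tree():
    """Constructed folder tree: one well-protected file and two over-shared ones."""
    root = tempfile.mkdtemp(prefix="perm-demo-")
    samples = {
        "payroll.csv": 0o600,        # owner only: fine for sensitive data
        "customers.xlsx": 0o644,     # anyone on the machine can read it
        "shared/notes.txt": 0o666,   # anyone can read and modify it
    }
    for rel, mode in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for path, why in sorted(find_broad_permissions(build_demo_tree()).items()):
        print(f"{path}: {', '.join(why)}")
```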

8. Application vulnerabilities

Large on-line databases or custom applications are exposed over the internet, allowing site visitors to view information, create accounts, place on-line orders etc., so it's vital that these are secure.

Reduce the risks by having trained professionals:

  • Check for application security vulnerabilities on all new applications.
  • Ensure controls are in place to prevent access to secure databases via SQL injection attacks and from insecure databases.
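
As an added illustration of the SQL injection control mentioned above (example code, not part of the course page): the vulnerable lookup splices user input into the SQL text, so a quote character in the input changes the statement itself, while the hardened lookup passes the input as a parameter and the database treats it purely as data. The in-memory database and its rows are constructed for the demonstration.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory stand-in for an organisation's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Constructed sample rows; the second name contains an apostrophe.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("O'Brien", "hash-of-obrien")],
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn, username):
    """Vulnerable: the input is spliced into the SQL text, so a quote in the
    input alters the structure of the statement instead of being data."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    """Hardened: a parameterised query sends the value separately from the SQL
    text, so the database compares the whole input as a literal string."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def unsafe_lookup_breaks(conn, username):
    """True if the unsafe query fails on input that the safe query handles."""
    try:
        lookup_user_unsafe(conn, username)
    except sqlite3.OperationalError:
        return True
    return False
```

The unsafe lookup works for plain names but errors out on a legitimate name with an apostrophe, which is the same mechanism an attacker relies on: the input is being parsed as SQL.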

9. Insecure disposal & recycling

Organisations are constantly updating and replacing equipment. They also print a lot of sensitive material containing identifying information. All of these are a rich source of information that can help hackers gain access to other information and systems.

Data controllers have to look after data and not keep it for longer than necessary, so they must:-

  • Destroy or securely delete sensitive data before disposal or recycling of equipment.
  • Shred paper files before disposal.

10. Test & development servers left insecure

People often assume that just because a website or application is being developed or tested, the server doesn't have to be totally secure. It's only being developed, right?

Wrong. If real data is being used, then it has to be just as secure as if it were "live".

Insecure test, training or development servers are an easy invitation for hackers, so make sure:

  • Real data is not used for training purposes.
  • If real data is used, the same precautions are taken as for a live system. This includes encrypting test data along with screen shots.
  • Sensitive information is truncated, obscured or redacted wherever possible.

While many security breaches are due to successful hacks of software, often accompanied by lapses in physical security, the vast majority are due to social engineering or personal error.

The task here is to prepare a user guide, appropriate to the business, that employees have to follow in their use of computers.

  1. Open up your Security Plan.
  2. Add a sub-heading Safe Work Practices and use the information on this page to prepare a guide for the workplace that computer users have to follow to protect against attacks through social engineering.
  3. Explain what risk each guideline is supposed to protect against.

Can you now do the following?

  • Explain the importance of good working practice in maintaining the security of sensitive data.
  • Provide examples of the ways good working practice can reduce the risk of successful hacker attacks.
  • Create a policy for good, safe working practices for an organisation.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.

Supporting courses by the SQA.