Written by Michael Hart
The 1998 Data Protection Act was not an extension of the 1984 legislation but a replacement for it, one that retains the existing provisions of the data protection system the 1984 Act established. The Act was to come into force on 24 October 1998, but its commencement was delayed until 1st March 2000.
In addition to data held on computer, manual records were brought within the terms of the new data protection system, giving data subjects a right of access to such records.
Because of the allowances made for existing institutions to be brought into compliance with the new legislation, manual data processing that began before 24 October 1998 was to comply with the new subject access accommodations of the Act until 2001.
Now, 4 years later, there are still unresolved issues, such as the security threats presented by computerisation; these can be broadly divided into 3 categories:
Incompatible usage:
Where the problem is caused by an incompatible combination of hardware and software, each designed to do one of two unconnected but useful things, which creates weak links between them that can be compromised into doing things they should not be able to do.
Physical:
Where the potential problem is caused by giving unauthorised persons physical access to the machine, which might allow a user to perform actions they should not be able to perform.
Software:
Where the problem is caused by badly written items of “privileged” software which can be compromised into doing things they should not be able to do.
Security philosophy:
A system's security implementations (software, protected hardware and compatible usage) can be rendered essentially worthless without appropriate administrative procedures for computer system use.
The following details the results of the threat analysis. If a computer system were set up to mimic the current running of the health practice, the following considerations should be understood:
Assets To Be Protected:
Due to the nature of the institution, stable arrangements would need to be made to protect the following:
Data: Programs and data held in primary (random access and read only memory) and secondary (magnetic) storage media.
Hardware: Microprocessors, communications links, routers, and primary / secondary storage media.
Security Threats:
The following details the security threats relevant to the institution and the more common causes of security compromise.
Disclosure:
Due both to the sensitive nature of the information to be stored and processed and to the more stringent requirements of the new data protection legislation, all reasonable precautions must be taken to insure against this threat.
Attackers:
Although the vast majority of unauthorised access is committed by hackers seeking to learn more about the way computer systems work, cracker activities could have serious consequences that may jeopardise an organisation through the subsequent violation of the seventh data protection principle, i.e. that personal data shall be surrounded by proper security.
The staff:
It is widely believed that unauthorised access comes from outside; however, 80% of security compromises are committed by hackers and crackers internal to the organisation.
Operators:
The people responsible for the installation and configuration of a system are a critical risk to security, inasmuch as they may:
[1] Have unlimited access to the system thus the data.
[2] Be able to bypass the system protection mechanisms.
[3] Commit their passwords for your system to a book, or loose notes.
[4] Tend to use the same passwords on all the systems they create, so that a breach of one system may extend to others.
The data subject:
A data subject invoking the right of access to personal data creates a breach in security by definition. To comply with such a request the data must be ‘unlocked’ to provide access to it, creating additional risks to security, inasmuch as:
[1] If copies have to be made, this will normally be done by clerical staff who would not normally have such access rights themselves.
[2] The copies may go astray whilst being made available.
[3] Verification of the identity of the data subject becomes very important.
Software:
Many businesses have database applications that are typically designed to allow one or two staff to handle a greater workload. Therefore such software does not validate (confirm that data entries are sensible) the details the staff enter.
This is a critical security risk, as it allows basic acts of fraud to be committed, such as bogus data entry (entering additional, unauthorised information).
Importance Of Good Security:
Data is valuable in terms of the time and money spent gathering and processing it. Poor or inadequate system protection mechanisms can lead to malicious attacks on the computer system (illegal penetration and use of computer equipment).
One or more devious, vandalising crackers may damage a computer system and/or its data, and such damage could have serious consequences for the organisation beyond the subsequent violation of the seventh data protection principle. For example:
Loss of information:
Which can cost money to recreate.
False information:
With possible legal action taken.
Bad management:
Due to incorrect information.
Principles Of Computer Security:
The publication and exploration of the inefficiencies and bugs in security programs that exist in all complex computer programs (including operating systems), together with the methods of entry and the ease of access to such technical information, has meant that a system is only as secure as the people who have access to it, and that good system security cannot be guaranteed merely by the application of a device or operating system.
Computerisation:
Media reports that draw public attention to the security threats inherent in the nature of programmable technology, and to the safety of individuals' information, have given rise to situations where institutions entrusted with sensitive information need to spend as much time and energy gaining public trust in such systems as they do in providing services.
Although this scenario does not yet apply to the health industry, inasmuch as the public are not yet the end users of the system, such social impressions must be considered:
This leads us to the question: if life with computers is so wondrous, how do you leave it? Simply flip a switch and everything will shut down, and you can explore the marvels of the outside world. Computers are only tools and, just like an electric screwdriver, computers can save time and effort without taking anything away from you. All you have to decide is when you want to use a computer and when you don't; you are still in complete control of your life.
Principles Of Inference:
One of the new concepts introduced by the data protection legislation is ‘inference’: data is now regarded as sensitive in itself if sensitive data can be inferred from it. For example, if an estate agent displays complete details about one terraced house, you can infer what the neighbouring house is like. In a medical practice, full patient details about three members of a family could probably allow you to construct the details of a fourth.
This must be linked to the proposition that in the last 10 years or so more information has been stored about individuals than in all of previous history, and that, because of computerisation, all of that information is capable of being pulled together from the different organisations (banks, stores, the state, etc.) which hold it.
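As an added example that is not part of the original essay, the following Python check applies the inference principle above to a constructed practice register before any records are released. It treats address and surname as the quasi-identifiers (an assumption) and flags two kinds of group: those so small that a record points to one person, and those so uniform that knowing three family members' condition gives away the fourth's.

```python
from collections import defaultdict

# Constructed sample records (not from the original page): a tiny practice
# register. "address" and "surname" act as quasi-identifiers; "condition"
# is the sensitive attribute we do not want to be inferable.
SAMPLE_RECORDS = [
    {"address": "12 Mill Lane", "surname": "Smith", "condition": "asthma"},
    {"address": "12 Mill Lane", "surname": "Smith", "condition": "asthma"},
    {"address": "12 Mill Lane", "surname": "Smith", "condition": "asthma"},
    {"address": "12 Mill Lane", "surname": "Smith", "condition": "asthma"},
    {"address": "3 High Street", "surname": "Jones", "condition": "diabetes"},
    {"address": "7 Bridge Road", "surname": "Patel", "condition": "eczema"},
    {"address": "7 Bridge Road", "surname": "Patel", "condition": "migraine"},
    {"address": "7 Bridge Road", "surname": "Patel", "condition": "asthma"},
]


def group_by_quasi_ids(records, quasi_ids):
    """Partition records into groups that share the same quasi-identifier values."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[q] for q in quasi_ids)].append(rec)
    return groups


def inference_findings(records, quasi_ids, sensitive, k=2):
    """Return (group_key, reason) pairs for groups whose release lets a reader
    infer a member's sensitive value:
      'unique'      - fewer than k records share these quasi-identifiers, so a
                      record can be tied to a single person;
      'homogeneous' - every member has the same sensitive value, so knowing the
                      other members (or just that someone belongs to the
                      household) reveals the remaining member's value.
    """
    findings = []
    for key, members in group_by_quasi_ids(records, quasi_ids).items():
        if len(members) < k:
            findings.append((key, "unique"))
        elif len({m[sensitive] for m in members}) == 1:
            findings.append((key, "homogeneous"))
    return findings


def safe_to_release(records, quasi_ids, sensitive, k=2):
    """True only when no group in the release permits inference."""
    return not inference_findings(records, quasi_ids, sensitive, k)


if __name__ == "__main__":
    for key, reason in inference_findings(SAMPLE_RECORDS, ("address", "surname"), "condition"):
        print(f"{reason:12s} {key}")
```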
Right To Privacy:
It can be seen that the statement ‘The processing of personal computerised data represents a threat to the individual’s right to privacy’ is well founded. Unfortunately, until now, there has been no statutory right in English law to personal privacy.
For this reason, a right to privacy of that information has been set into the data protection legislation, and it is only such legislation that prevents complete dossiers from being compiled on any given individual.
Health professionals are exempted from the need for prior approval before processing personal information, for example, as it is clear that the health of the individual overrides the individual’s right to privacy and consent can be taken for granted.
This does not relieve health professionals of the full burden of protecting that information from unauthorised access, particularly given the higher obligations placed on them by the Hippocratic oath, which states that a member of the medical profession should respect the secrets confided to them, even after the patient has died.
However, as can be seen from the exemptions and exceptions, a difficult balance has to be achieved between the right to privacy and the needs of the individual (and/or the organisation).
In the case of any entity or practice, the data subject’s rights to the protection of the data relating to them create a conflict of interests between them and the practice, inasmuch as the complex security system needed for this requires extra administration, and having to navigate a complex system every time data is needed may place extra stress on the staff, both things the management may wish to avoid.
© I am the website administrator of the Wandle industrial museum (http://www.wandle.org), established in 1983 by local people to ensure that the history of the valley was no longer neglected, and to enhance awareness of its heritage for the use and benefit of the community.