We recently had the opportunity to speak to two Business Information Security experts from The University of Melbourne who visited UNIMY for an informative talk about cyber security. Here’s a snippet of that interview by two UNIMY students from the Foundation in Computing & Engineering department, Nur Asfia Jamaluddin and Mohd Imran.
Dr Atif Ahmad
Dr Sean Maynard
CAN YOU TELL US HOW INFORMATION IN DIGITAL MEDIA SHOULD BE PROTECTED?
Usually, in physical media there are steps for rigorous protection. For example, the army uses safes to store the information and there is proper record keeping on who takes these documents out. You are only supposed to read it in a secured room and return the document once you are done. There is also only one copy of the document – and you are not allowed to copy or scan it. Everything is done in a controlled environment. The problem with this approach is that it is hard to get access to documents. But that is the trade-off between high security and high availability.
Now, when it comes to information in digital media, a lot of organisations have problems keeping it secure. Many think that there is only one copy of the document, but in reality there might be 100. Say you get a document via email. You’ll print it or copy it to a USB drive. Then when making changes, not just one copy is changed but 25 copies are changed. This habit of handling information is not ideal. Organisations need to control this, whether it is preventing their employees from making multiple copies or keeping the copy on just one device to avoid the risk of exposure.
TELL US MORE ABOUT INCIDENT RESPONSE TEAMS AND HOW THEY WORK FOR AN ORGANISATION.
The best way for incident response teams (or IRTs) to learn is from what they’ve been doing wrong and how they have handled cyber security incidents. However, if there haven’t been any incidents, there won’t be an opportunity to learn. Which is why it is important to send the team to a consulting firm to undergo proper training.
You can train the IRT military-style – where they are put through different incidents and stresses to create a sense of panic. This is known as stress exposure training, and it is helpful in finding out what the breaking point is in terms of how the team handles incidents. This helps to properly train the team for whatever incidents come their way. However, not many companies realise the importance of such training. IRTs instead get very generic training.
There are often three ways IRTs are organised in a company, and each has its flaws: First, there isn’t an IRT in the first place, and one is only created when an incident occurs. In this instance, you have to vet people on the spot or might not have the right people to choose from. It is important that those in your IRT can be trusted. Then there is a standing IRT already available in an organisation. In this case, you need to have enough people watching each other so that there can’t be a coup or sabotage in the organisation. Finally, many organisations have IRTs integrated into security teams. But you need to have the right tools and monitoring techniques to ensure that this works.
HOW IS SOCIAL MEDIA IDENTITY THEFT RELATED TO SECURITY ISSUES?
To be honest, social media identity theft is more of a privacy issue than it is a security issue. With social media nowadays, you are putting it all out there – all the information about yourself. Do a search on yourself and see how much information is out there that you are giving away – it is more than you think! Identity theft is a huge problem and it is growing over time. Social media is making it easier for people to get more information about you. The one rule – don’t put your stuff out there.
But the problem now is that there isn’t much security concerning our social behaviour online. Since we were young, we were taught how to behave around others physically. But not so much in the digital environment. We simply do not have the same sense of fear when releasing information on social media compared to telling a stranger on the street. And when you release so much information digitally, why are you surprised about identity theft?
UNIMY HAS A BASIC COURSE ON THE FUNDAMENTALS OF CYBER SECURITY. IN YOUR OPINION, WHAT DO YOU THINK SHOULD BE COVERED?
A few things come to mind that are really not all about technology: First, there needs to be something about modular risk management. Security, after all, is about managing risk. Then we need to talk about the tools and how to use what’s right at the right time. We need to talk about the different strategies. Then there is culture and training – essentially, security is a people problem before it is a technology problem, so there needs to be something that touches on this aspect. There is also the legal and managerial aspect of it. And finally, we need to talk about psychology, as in why people do what they do. You can have all the technology in the world working beautifully, but it only takes one person to bypass the entire thing. We need to understand why that person is doing it.