Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMP3371 Cyber Security Richard Henson University of Worcester November 2015.

Published byStephanie Andrews Modified over 8 years ago

Similar presentations

Presentation on theme: "COMP3371 Cyber Security Richard Henson University of Worcester November 2015."— Presentation transcript:

1 COMP3371 Cyber Security Richard Henson University of Worcester November 2015

2 Week 11: The Law and Information Security n Objectives:  Distinguish between criminal law and civil law  Explain basic principles of Computer Misuse Act  Explain UK and EU legislation in the context of Data protection  Explain the eight principles of the Data Protection Act  Explain the law on “cookies”

3 Criminal and Civil Law n Civil… private law suit (i.e. sue) ne.g. “crimes” under the Data Protection Act n Criminal… police involved ne.g. Computer Misuse Act n Further reading: n https://books.google.co.uk/books?id=n-ueBQAAQBAJ n“Cyber Crime: Concepts, Methodologies, Tools and Applications” https://books.google.co.uk/books?id=n-ueBQAAQBAJ https://books.google.co.uk/books?id=n-ueBQAAQBAJ

4 Computer Misuse Act (1990) n Rushed in as UK law after proof that important people had their email messages looked at by unauthorised third parties n Rapidly rendered unfit for purpose as mobile phones (are they computers?) became available  amended in 2006 to include mobiles

5 Data Protection Act (DPA) 1984, updated 1998 n Enforced by the Information Commissioner’s Office, not the police  just as Unfair Trading legislation is enforced by Trading Standards  therefore a CIVIL matter »unless the company fails to register »little excuse for not doing @ £35 pa

6 UK Information Commissioner n The Data Protection Act can be summarised as:  “don’t mess around with your customers’ data… treat it as if it was your own” n Should be a matter of morality for a company NOT to be careless with personal data  agreed by 1984 that morality wasn’t enough!

7 Origins of DPA (EU) n European Charter on Human Rights (1950)…  article 8: protection of personal data  UK part of EU from 1973 n EC Directive 1981 primarily a response to concern about digital personal data  created the 8 principles still used today  EU countries given three years to implement the directive… n Updated as EU Directive 95/46 »http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.EU http://www.dataprotection.eu/pmwiki/pmwiki.php?n=Main.EU

8 Structure for Data Protection n According to EU Directive 95/46:  citizens have their personal data stored known as data subjects  organisations using personal data in any way must: »name a data controller responsible for managing personal data of data subjects »follow all eight principles of handling personal data

9 DPA: Principle 1 n “Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –  (a) at least one of the conditions in Schedule 2 is met, and  (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.” n First prosecutions…. October 2015!

10 DPA: Principles 2, 3 n 2: “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.” n 3: “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”

11 DPA: Principles 4, 5 n 4: “Personal data shall be accurate and, where necessary, kept up to date.” n 5: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

12 DPA: Principles 6, 7 n 6: “Personal data shall be processed in accordance with the rights of data subjects under this Act.” n 7: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” n Most prosecutions are under principle 7

13 DPA: Principle 8 n “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”  NB countries outside the EEA currently identified as complying: Argentina Canada Guernsey Isle of Man Switzerland Jersey

14 Legitimate Collection of Customer Data n Seller’s site uses cookies to gather customer clicking behaviour data  cookie is stored on the client computer  contains personal data  customer may regard this as private n To be any use for marketing purposes:  the cookie must be externally accessible to the sellers site: n BUT a potential security issue  In EU must NOT be accessible to other external sites n HOWEVER  sites OUTSIDE this jurisdiction not legislated to obey EU Data Protection laws  have a tendency to swap or sell customer details

15 Safe Harbour n An arrangement between EU and another counrtry, through which an organisation agrees to handle data according to EU Directive 95/46 principles n Current agreement between EU and US recently rendered unfit for purpose  negotiations underway for a new safe harbour (2.0)

16 Examples of Use of Cookies n User ID & shopping cart data embedded in the cookie  customer orders the items selected from different pages they will expect to see the items and costs stored in their shopping cart  this happens by the data being written to the cookie  shopping cart system therefore needs to keep track of individual customer “clicking behaviour” to keep their shopping cart up to date… n Selections that are identified via search engine may want to keep track of the previously used search criteria  enables it to re-display those words after the initial search is complete n A forum website may use a cookie to report new additions since a user’s last visit

17 Cookies n Small amounts of information stored on user’s computer from a website that they have visited n Controversial until recently because a lot of people unaware that websites could even do this  2012 law required website to inform users…

18 Types of Cookies n Session cookies:  just active whilst user connected to website  could be stored at: »server end »client end  either way, the data is deleted when the session finishes

19 Embedded cookies n It is possible to embed cookie style information via server scripts in dynamically created pages:  held on the server  NOT on the client computer n However:  if the client stops perusing that the server, the session is finished  When the client returns, a new session-ID will be allocated, and identification of that cookie is lost

20 Long life cookies n To avoid the need for clients returning at a later date and having to start again, cookies with a longer life span may be implemented:  previously input information can be displayed automatically n BUT that data needs to be stored in the meantime…  not a wise thing to do where sensitive information is concerned!!!

21 How secure are cookies? n A cookie will often contain personal data, and that data will be accessible to the server that put it there  it is up to the client whether to trust a web site requesting personal information  EU websites are legally required to look after personal data, but who checks up on them? n 2012: EU Law on Cookies introduced…

22 Identifying a Reputable Site n A clear acknowledgement, on the website, of the legal requirements n An indication that they have reached a standard or kitemark  Ideally ISO 27001 n Customers should beware of…  Java applets downloaded to the client computer  could in theory gather personal data from a cookie and send back to base!!!

23 Cookies & Protection against Applets n Applets: computer programs which could: »download and install themselves on the client machine »run in the background, scanning memory, disks, etc. »store information n If such an applet is later running when the client is logged onto the Web: »it could gather information and send it to a server »client wouldn’t even know this has happened! n HOWEVER…  cookies are stored with a server generated ID which is encrypted, so even applets can’t get at them!

24 What is held on a cookie? n Encrypted text… n Information (mostly identifiers and dates) contained in them cannot hold sensitive details UNLESS those details are already obtained by other means like the client filling out a personal details form nthe only programs that can get through the encryption are those that know the ID and the encryption method nso the cookie data SHOULD be secure…

25 Deleting “Long Life” Cookies n Browsers all provide facility to do so… neach has its own unique navigation

Download ppt "COMP3371 Cyber Security Richard Henson University of Worcester November 2015."

Similar presentations

Administrative Systems and the Law What you need to know to produce an oral presentation for Unit 7 When the presentations will take place Resources you.

Administrative Systems and the Law What you need to know to produce an oral presentation for Unit 7 When the presentations will take place Resources you.
TEAM 4 Case Study Mauritius: Mrs Nandini Kissoon-Luckputtya

TEAM 4 Case Study Mauritius: Mrs Nandini Kissoon-Luckputtya
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Legislation & ICT By Savannah Inkster. By Savannah Computer Laws 1.Data Protection ActData Protection Act 2.Computer Misuse ActComputer Misuse Act 3.Copyright,

Legislation & ICT By Savannah Inkster. By Savannah Computer Laws 1.Data Protection ActData Protection Act 2.Computer Misuse ActComputer Misuse Act 3.Copyright,
Legislation in ICT.

Legislation in ICT.
1 Pertemuan 7 Points of Exposure Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.

1 Pertemuan 7 Points of Exposure Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.
University of Sunderland Professionalism and Personal Skills Unit 11 Professionalism and Personal Skills Computer Legislation.

University of Sunderland Professionalism and Personal Skills Unit 11 Professionalism and Personal Skills Computer Legislation.
Legislation in ICT. Data Protection Act (1998) What is the Data Protection Act (1998) and why was it created? What are the eight principles of the Data.

Legislation in ICT. Data Protection Act (1998) What is the Data Protection Act (1998) and why was it created? What are the eight principles of the Data.
Data Protection Act.

Data Protection Act.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
The Data Protection Act

The Data Protection Act
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
The Information Commissioner’s Office David Evans.

The Information Commissioner’s Office David Evans.
Health & Social Care Apprenticeships & Diploma

Health & Social Care Apprenticeships & Diploma
EHRs and the European Union – current legislation and future directions. Dr Richard Fitton.

EHRs and the European Union – current legislation and future directions. Dr Richard Fitton.
Research Paper Presentation Software Engineering in agent systems.

Research Paper Presentation Software Engineering in agent systems.
Computers, the law and ethics  Lesson Objective: Understand some of the legal & ethical issues in developing computer systems  Learning Outcome: Know.

Computers, the law and ethics  Lesson Objective: Understand some of the legal & ethical issues in developing computer systems  Learning Outcome: Know.
Elma Graham. To understand what data protection is To reflect on how data protection affects you To consider how you would safeguard the data of others.

Elma Graham. To understand what data protection is To reflect on how data protection affects you To consider how you would safeguard the data of others.
The Data Protection Act 1998 The Eight Principles.

The Data Protection Act 1998 The Eight Principles.

Similar presentations

Ads by Google