Making systems more secure
• Strategies that can be used to improve cybersecurity

Making systems more secure, 2013

Slide 1
Improving cybersecurity
• Deterrence
– Increase the costs of making an attack on your systems
• Awareness
– Improve awareness of all system users of security risks and types of attack

Slide 2
Improving cybersecurity
• Procedures
– Design realistic security procedures that can be followed by everyone in an organisation (including the boss)
• Monitoring and logging
– Monitor and log all system operations

Slide 3
Deterrence
• It is impossible to develop a completely secure system, whether personal, business or government. If an attacker has unlimited resources and motivation, some attack on a given system will always be possible.

Slide 4
Deterrence
• However, attackers never have unlimited resources and motivation, so an aim of security is to increase the cost of a successful attack to such an extent that attackers will (a) be deterred from attacking and (b) abandon attempted attacks before they succeed.

Slide 5
Diverse authentication systems
• Use strong passwords and multiple forms of authentication
• Login/password + personal question or biometric
• An attacker has to break two levels of authentication to gain access
• Caveat: a personal question is something the user knows, the same category as the password, and the answers are often guessable or discoverable, so it adds little against a determined attacker. An independent second factor is something the user has (a hardware token or a phone-generated one-time code) or is (a biometric).

Slide 6
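As an added example (not code from the slides), the following Python shows what "two levels of authentication" looks like when the second level is a genuinely independent factor: a salted, slow password hash for the thing the user knows, and an RFC 6238 time-based one-time code for the thing the user has. Only the standard library is used. The account record, the fixed salt used to keep the sample reproducible, and the PBKDF2 iteration count are constructed assumptions; the TOTP secret is the RFC 6238 test-vector seed so the codes can be checked against the published values.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

# --- Factor 1: something the user knows (password), stored as a salted PBKDF2 hash ---

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the hardware you run on


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A random salt makes identical passwords hash differently."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


# --- Factor 2: something the user has (a device generating RFC 6238 time-based codes) ---

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP over the current 30-second time step, as in RFC 6238 (HMAC-SHA1 variant)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to allow for clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * 30), code)
               for k in range(-window, window + 1))


# --- The login check: both factors must pass ---

def login(user: dict, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    unix_time = int(time.time()) if unix_time is None else unix_time
    # Evaluate both factors before deciding, so a failure does not reveal which one failed.
    ok_password = verify_password(password, user["salt"], user["hash"])
    ok_code = verify_totp(user["totp_secret"], code, unix_time)
    return ok_password and ok_code


# Constructed sample account. The salt is fixed only so the sample is reproducible;
# real accounts get os.urandom(16). The TOTP secret is the RFC 6238 test-vector seed.
RFC6238_SECRET = b"12345678901234567890"
SALT, HASH = hash_password("correct horse battery staple", salt=b"\x00" * 16)
SAMPLE_USER = {"salt": SALT, "hash": HASH, "totp_secret": RFC6238_SECRET}

if __name__ == "__main__":
    now = int(time.time())
    print(login(SAMPLE_USER, "correct horse battery staple", totp(RFC6238_SECRET, now), now))
```

The point of the design is that the two checks fail independently: stealing the password database yields only slow-to-crack hashes and no way to produce one-time codes, while a phished code expires within a step or two and is useless without the password. A security question would not give that independence, because it is stored and attacked the same way as the password.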
Firewalls

Slide 7
Encryption
• Use the https protocol to encrypt information whilst in transit across the Internet
• Encrypt confidential information stored on your system

Slide 8
Password security

Slide 9
Password security
• Password strength measurement
– https://passfault.appspot.com/password_strength.html#menu
• Estimates how long it would take to break a password by brute force on a standard PC
• Caveat: such figures are relative, not absolute. They depend on the assumed guess rate (a GPU cracking rig is orders of magnitude faster than a PC) and on whether the tool counts a dictionary word as one guess or as one guess per letter. The editor's note for slide 11 shows the same base password going from under a day to 23 years when two underscores are added.

Slide 10
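The following Python is an added example, not the Passfault tool's algorithm, showing why a length-and-character-set estimate and a pattern-aware estimate can differ by many orders of magnitude for the same password. The wordlist, its assumed size, the guess rate and the "word x three case variants" rule are constructed assumptions chosen to keep the example self-contained; the test passwords are the ones from the editor's note for slide 11.

```python
import math
import re

# Constructed assumptions. Real cracking wordlists run to millions of entries and
# GPU rigs guess fast hashes far quicker than one desktop PC.
WORDLIST_SIZE = 100_000                                       # entries in the assumed dictionary
DICTIONARY = {"street", "south", "password", "london", "summer"}  # stand-in for that dictionary
GUESSES_PER_SECOND = 1_000_000_000                            # assumed rate for a fast hash on one PC

CHAR_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # symbol = ASCII punctuation + space


def classes_used(password: str) -> set:
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def naive_keyspace(password: str) -> int:
    """Pure brute force: every string of the same length over the character classes present."""
    alphabet = sum(CHAR_CLASSES[c] for c in classes_used(password))
    return alphabet ** len(password)


TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def pattern_keyspace(password: str) -> int:
    """Pattern-aware estimate: a dictionary word costs one lookup, not one guess per letter."""
    space = 1
    for tok in TOKEN_RE.findall(password):
        if tok.isalpha():
            if tok.lower() in DICTIONARY:
                space *= WORDLIST_SIZE * 3          # word x {lower, Capitalised, UPPER}
            else:
                alphabet = 26 if (tok.islower() or tok.isupper()) else 52
                space *= alphabet ** len(tok)
        elif tok.isdigit():
            space *= 10 ** len(tok)
        else:
            space *= CHAR_CLASSES["symbol"] ** len(tok)
    return space


def seconds_to_crack(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: the whole keyspace is searched. On average an attacker needs half."""
    return keyspace / rate


def report(password: str) -> dict:
    naive, pat = naive_keyspace(password), pattern_keyspace(password)
    return {
        "password": password,
        "naive_bits": round(math.log2(naive), 1),
        "naive_years": seconds_to_crack(naive) / (365 * 86400),
        "pattern_bits": round(math.log2(pat), 1),
        "pattern_hours": seconds_to_crack(pat) / 3600,
    }


if __name__ == "__main__":
    for pw in ("SO51street", "SO_51_street", "h7Q!xm2Lp9"):
        print(report(pw))
```

Run on "SO51street", the naive estimate is 62^10 guesses (decades at the assumed rate) while the pattern estimate is a couple of letters, two digits and one dictionary lookup (seconds). The random-looking third password gets the same figure from both estimators because it contains no pattern to exploit, which is the property a strength meter should really be measuring.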
Slides 11 to 14 (no text on these slides)
Encryption
• Encryption is the process of encoding information in such a way that it is not directly readable. A key is required to decrypt the information and understand it.
• A systematic transformation is applied to the information, based on the key, to transform it to a different form.
• The original information can only be recovered if the reader has the key that can be used to reverse the transformation.

Slide 15
Example of encryption here

Slide 16
• Used sensibly, encryption can contribute to cybersecurity improvement but is not an answer in itself
– Security of encryption keys: an attacker who obtains the key gets the data, so key storage and handling need as much attention as the encryption itself
– Inconvenience of encryption leads to patchy utilisation and user frustration
– Risk of key loss or corruption: the information is completely lost, and backups of the encrypted data don't help unless the key itself has been backed up securely
– Can make recovery more difficult

Slide 17
Awareness
• Educate users in the importance of cyber security and provide information that supports their secure use of computer systems
• Be open about incidents that may have occurred

Slide 18
Awareness
• Take into account how people really are rather than how you might like them to be
• People have human failings and inevitably will make mistakes

Slide 19
Slide 19
• Bad security advice
– Many security guidelines and rules are
unrealistic and cannot be followed in
practice by users

– Use a different password for every website
you visit
Making systems more secure, 2013

Slide 20
• Good security advice
– If you use the same password for everything, an attacker who finds it out can get access to all of your accounts
– Use a different password for each online bank account, and only reuse passwords for accounts you don't really care about

Slide 21
Procedures
• Businesses should design appropriate procedures based around the value of the assets that are being protected
• If you simply apply the most secure procedures to all information, this will disrupt work and users are more likely to try to circumvent these procedures

Slide 22
• If information is not confidential, then it often makes sense to make it public
• This reduces the need for users to authenticate to access the information
• Making information readable without authentication does not remove the need to control who can change it: integrity still matters even when confidentiality does not

Slide 23
• Cybersecurity awareness procedures for all staff, including the most senior management
• Recognise reality: people will use phones and tablets, so derive procedures for their safe use

Slide 24
Monitoring and logging
• Monitoring and logging means that you record all user actions and so keep track of all accesses to the system
• Logs must themselves be protected: an attacker or insider who can edit or delete the log can cover their tracks, so copy log records promptly to a system that the monitored accounts cannot write to

Slide 25
• Use tools to scan logs frequently, looking for anomalies
• Can be an important deterrent to insider attacks if attackers know that they have a chance of being discovered through the logging system

Slide 26
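As an added example of the kind of scanning tool slide 26 has in mind (not code from the lecture), the following Python parses syslog-style SSH authentication records and raises four kinds of anomaly: repeated failures from one source, a successful login from a source that has just been failing, a user logging in from a source never seen for them before, and a login outside working hours. The log lines are constructed sample data, and the thresholds and working-hours window are assumptions to be tuned for a real environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in a simplified sshd format; not real data.
SAMPLE_LOG = """\
2013-03-04T09:02:11 sshd: Accepted password for alice from 10.0.0.12
2013-03-04T09:03:40 sshd: Accepted password for bob from 10.0.0.15
2013-03-04T23:41:02 sshd: Failed password for root from 203.0.113.7
2013-03-04T23:41:03 sshd: Failed password for root from 203.0.113.7
2013-03-04T23:41:04 sshd: Failed password for admin from 203.0.113.7
2013-03-04T23:41:05 sshd: Failed password for alice from 203.0.113.7
2013-03-04T23:41:06 sshd: Failed password for alice from 203.0.113.7
2013-03-04T23:41:09 sshd: Accepted password for alice from 203.0.113.7
2013-03-05T03:15:30 sshd: Accepted password for bob from 10.0.0.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text: str) -> list:
    """Turn matching lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def find_anomalies(events: list, failure_threshold: int = 5,
                   work_start: int = 8, work_end: int = 18) -> list:
    """Single ordered pass over the events, returning (kind, subject, detail) tuples."""
    alerts = []
    failures = Counter()           # failed attempts seen so far, per source address
    known_src = defaultdict(set)   # sources each user has successfully logged in from so far
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "Failed":
            failures[e["src"]] += 1
            if failures[e["src"]] == failure_threshold:   # alert once, when the threshold is hit
                alerts.append(("brute_force", e["src"], f"{failure_threshold} failures"))
            continue
        if not (work_start <= e["ts"].hour < work_end):
            alerts.append(("off_hours_login", e["user"], e["ts"].isoformat()))
        if known_src[e["user"]] and e["src"] not in known_src[e["user"]]:
            alerts.append(("new_source", e["user"], e["src"]))
        if failures[e["src"]]:
            alerts.append(("success_after_failures", e["user"], e["src"]))
        known_src[e["user"]].add(e["src"])
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse(SAMPLE_LOG)):
        print(*alert)
```

On the sample log the scan flags the burst of failures from 203.0.113.7, then the alice login that follows it as off-hours, from a new source, and coming after failures from that source; bob's 03:15 login is flagged only as off-hours because it comes from his usual address. Each rule is cheap and individually noisy; the value is in the combination, and in the fact that the scan runs on a copy of the log that the accounts being watched cannot alter.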
Summary
• Improving cybersecurity depends on
– Deterrence
– Awareness
– Effective procedures
– Monitoring and logging

Slide 27

Cybersecurity 5 improving cybersecurity
Editor's Notes

• #11 Mystery why some organisations limit the length of passwords and do not allow characters apart from letters and numbers. Say you live at 15 South Street, so make up a password you can remember:
SO51street: cracked in < 1 day
SO_51_street: cracked in 23 years