Data security and encryption

Question 1

What is encryption?

Answer 1

A method of encoding information in such a way that only authorised parties can access it and those who do not have access cannot

It does not prevent theft, but does deny intelligible content from the interceptor

Plain text (intended information or message) is encrypted using an encryption algorithm, a cipher, which can only be read if decrypted

Question 2

What are the 2 types of encryption?

Answer 2

1. Private (symmertic) key encryption

Communities must have the same key in order to achieve secure communication

e.g. Advanced Encryption Standard (AES)- stronger keys 128/192/256 bit keys

2. Public key encryption
   a. The encryption key is published for everyone to use and encrypt messages
   b. Only the receiving party access to the private key, so only they can decrypt the message

Question 3

What is PGP?

Answer 3

pretty good privacy

Encryption program that provides cryptographic privacy and authentication for data communication

Used for signing, encrypting and decrypting

a. Texts
b. Email
c. Files
d. Directories…

Question 4

What are the 6 steps in PGP?

Answer 4

1. Generate a random key
2. Use random key to encrypt data
3. Use the receivers public key to encrypt the random key
4. Send encrypted data and encrypted key to receiver
5. Receiver decrypts the random key using the private key
6. Receiver decrypts the data using the random key

Question 5

What is the NHS England information security policy?

Answer 5

Security policy to outline how NHS organisations comply with GDPR and other legislation to ensure confidentiality and covers the behaviour of individuals that manage information on behalf of NHS England

Aims to preserve:

1. Confidentiality
   a. Access to data shall be confined to those with the appropriate authority
2. Integrity
   a. Information shall be kept complete and accurate and free from corruption or modification. Inaccuracies can be accidental (e.g. programming error) or maliciously (breaches or hacks)
3. Availability
   a. Information shall be kept available and delivered to the right person at the time when it is needed

Question 6

What are the roles and responsibilities defined in the NHS England’s information security policy?

Answer 6

Chief exec- ultimately responsibility for information security

All staff- responsible for information security and must understand and comply with this policy

Question 7

What should all mandatory data security awareness cover?

Answer 7

1. What information they are handling and how this should be handled
2. What the procedures or sops exist for data sharing
3. How to report a suspected breach
4. Their responsibility for raising concerns

Question 8

What are the requirements of the policy that all trusts must implement? (max 12)

Answer 8

1. Access control
   a. Physical access to areas- must show business need for access
2. Computer access controls
   a. Must show business needs
3. Equipment and safety
   a. All electronic equipment shall be identified, registered and protected from physical/environmental hazards
4. Computers and networks
   a. Management/changes will be documented
5. Information risk assessment
   a. Must be completed annually at a minimum
6. Information security events and weaknesses
   a. All security events, near misses and suspected weaknesses should be reported to the head of IT and incidents should be reported to NHS England
7. Protection from malicious software
   a. IT shall use software counter measures and manage processes or procedures to protect itself from malware
   b. Users shall not install software onto the organisation network without permission
8. Removable media
   a. All removable media will be encrypted
9. Monitoring system access and use
   a. An audit trail is required of all access and staff data use which shall be maintained and reviewed
10. System change control
11. Disaster recovery plans
    a. Must be implemented and align with ISO22301 best practice
12. Training and awareness

Question 9

What is a firewall?

Answer 9

A firewall is a network security system that monitors and control incoming and outgoing network traffic based on predetermined rules

Establishes a barrier between a trusted internal network and an intrusted external network, such as the internet

Question 10

What are the 5 practices do security professionals use to ensure data integrity?

Answer 10

1. Encryption
2. Data back ups
3. Access controls- assignment of read/write privileges
4. Input validation to prevent incorrect data entry
5. Data validation, to certify uncorrupted transmission (check sum)

Question 11

What is a checksum?

Answer 11

A checksum or hash is sequence of letters and numbers of a fixed length which is used to represent a file. The hash is unique and the hash can be compared to see if any changes have occur during file transfer

Question 12

How would you use a check sum to ensure integrity of a file transfer?

Answer 12

1. Use command- md5sum
2. transfer file- mv
3. cd into destination
4. calculate checksum
5. compare

Question 13

Name the different checksums and the benefits of using larger checksums?

Answer 13

MD5, SHA-1, SHA-256

The SHA-256 has is much larger which reduces the change of collisions (where two different files have the same hash). A hacker could use this technique to disguise the file as a legitimate file.