2. More data is collected, storage is ‘free’
Data sets are connected and correlated for many reasons
They are combined with open source data sets – credit referencing = identity exists
Data sets are shared internationally
There is a new focus on privacy; people are sensitive to this issue
Privacy sensitive information is valuable and can easily be sold if stolen
3. Single records unclassified or low classification, or privacy sensitive only
As set grows 10, 100, 1,000, 10,000, 1m, 10m......100m something changes but traditional classification did not change
Changes for two reasons: damage caused by large data loss is clearly greater – resign, resign, resign......
Acquisition of large data sets opens up opportunities for new insights with dangerous consequences
4.
5. Forgery and alteration does not work
Better to apply for a real one in a false identity
All identities checked on application for ‘social footprint’ so must take from a real person
May already be holder or past holder or known to agency - fraud will be detected
Need to know in advance; use two methods
With target cooperation and without
Access to large data sets reduces risks
6. Online genealogy and credit referencing
Electoral rolls
Travel data sets (if you travel you already have a passport)
Vulnerable adult data sets: addicts, long-term carers
Lists of professionals with issues
All increase the chance of success and reduce the number of simultaneous applications that need to be made
7. Standard method was to adopt the identity of a dead child born about the same time as the applicant who would not have a passport
Duplicate birth certificate obtained (a legal right in UK)
Application will not work now as deaths checked, but for various reasons records not complete
8. Monitor open source deaths in online local newspapers
Find a soldier who served abroad, 20-40 yrs older than target
Use online regimental histories to establish when served overseas and what countries
Aim to identify a country where soldier was around the time the applicant was born with weak record system
Forge a birth certificate for that country
Apply as the illegitimate child of the dead soldier – it was always kept a secret
9. Using a cloud makes aggregation happen inherently
Cloud needs to be set up so penetration is limited in containers to manage risk
Encryption at rest looks like the answer but it introduces many other problems
These include key management, escrow, and penetration of key provider
RSA issue a good example
It’s not just about accessing the data but also the ability to combine big data sets
WP is a good example
10. Many controls will be traditional
Passport special control process was to cost Eu 10m
By taking two highly vetted people from a pool of 24 at random and using a four eyes process same/better protection was delivered at a fraction of cost
To break this have to corrupt all 24 people
Basic training and awareness more important than ever
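
The four eyes control from slide 10, sketched as an added example (not from the original slides): two reviewers are drawn unpredictably from the pool of 24, both must approve, and the control's failure chance is computed for a given number of corrupt staff. The function names and the officer labels are assumptions made for illustration.

```python
import math
import secrets

POOL_SIZE = 24  # vetted pool, from the slide
REVIEWERS = 2   # four eyes: two people per case


def pick_reviewers(pool, m=REVIEWERS, rng=None):
    """Draw m distinct reviewers with a CSPRNG so the pair cannot be predicted."""
    rng = rng or secrets.SystemRandom()
    return frozenset(rng.sample(sorted(pool), m))


def approved(assigned, approvals):
    """Four eyes rule: every assigned reviewer must approve; others do not count."""
    return set(assigned) <= set(approvals)


def collusion_probability(corrupt, pool=POOL_SIZE, m=REVIEWERS):
    """Chance that a random draw of m reviewers contains only corrupt staff."""
    return math.comb(corrupt, m) / math.comb(pool, m)


def min_corrupt_for(target, pool=POOL_SIZE, m=REVIEWERS):
    """Control strength: fewest corrupt staff that reach `target` failure chance."""
    return next(k for k in range(pool + 1)
                if collusion_probability(k, pool, m) >= target)


if __name__ == "__main__":
    staff = [f"officer-{i:02d}" for i in range(POOL_SIZE)]  # constructed names
    pair = pick_reviewers(staff)
    print("assigned:", sorted(pair))
    print("one approval enough?", approved(pair, list(pair)[:1]))
    for k in (1, 2, 12, 23, 24):
        print(f"{k:2d} corrupt -> P(control fails) = {collusion_probability(k):.4f}")
    print("needed for certain failure:", min_corrupt_for(1.0))
```

A single honest member left in the pool keeps the failure chance below 1, which is why the control only fails with certainty when all 24 are corrupt; the selection must come from an unpredictable source for that figure to hold.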
11. Traditional approach to risk management is still valid for the cloud but the threats and risks are different
Controls and mitigations are similar but applied differently
There is a good opportunity, the risks are greater if they are not well engineered but they can be!
Risk management must be done properly by specialists and asset owners together