
Portfolio Evidence 2

[1.3] The importance of and the technologies for backing up data securely

[1.4] How to apply the processes and procedures for the secure handling of data

[1.6] The organisational importance of information security and its management including following
policies and procedures and key legislative requirements

[1.7] The major types of threats and risk that apply to any organisation with a working understanding
of those that apply to their role and the associated best practice for their own secure working

[1.8] Operational aspects of risk including maintaining steady state/business as usual security
principals for individuals and systems including personal data, access, identity management,
encryption and passwords

[1.9] The individual and company risks, responsibilities and requirements in relation to legislation,
professional ethics, privacy and confidentiality and the implications for their role

Although companies should be, and are, keeping data securely in cloud storage or in on-site storage,
there is still a risk of that data being lost. Companies store very sensitive data, like hashed
passwords of clients or records of payments, that they can’t afford to lose, so backing up data is very
important to a company. Backing up data means essentially making a copy of all your data and
moving it to a different server. This way, if the server that holds your data malfunctions or gets
destroyed, you have a backup which you can use, and once you’ve sorted out the other server, you
can just copy your data back. Furthermore, it’s important to keep the backup server on a different
site from your main server, because if a fire breaks out you can still recover your data. In my work I
work on a mobile app, and backing up its source code is very important and useful. I use a
lot of different machines to work on the app, like my laptop, my work computer and sometimes my
home computer, so instead of carrying around a USB stick with the code on it, I use GitHub, a cloud
file system with some good collaboration tools.
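
The copy-then-verify step described above, as an added example that is not part of the original portfolio or the company's tooling: it copies a directory to a backup location, records a SHA-256 manifest, and re-checks the copies so a corrupted or missing backup is noticed before the primary is ever lost. The directory paths and file contents are constructed for the example.

```python
# Added example (not the company's own tooling): copy a directory to a backup
# location and verify every copy against a SHA-256 manifest, so a corrupted or
# missing backup is detected while the primary copy is still available.
import hashlib
import shutil
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src_dir: str, dst_dir: str) -> dict:
    """Copy src_dir into dst_dir and write a manifest of expected digests.

    Returns the manifest {relative path: sha256} computed from the *source*,
    which is what later verification is checked against.
    """
    src, dst = Path(src_dir), Path(dst_dir)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_of(path)
    (dst / "MANIFEST.sha256").write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in manifest.items())
    )
    return manifest


def verify(dst_dir: str) -> list:
    """Re-hash every file named in the manifest; return the ones that fail.

    Each failure is (relative path, reason) with reason 'missing' or
    'mismatch'. An empty list means the backup is intact.
    """
    dst = Path(dst_dir)
    failures = []
    for line in (dst / "MANIFEST.sha256").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        target = dst / rel
        if not target.exists():
            failures.append((rel, "missing"))
        elif sha256_of(target) != digest:
            failures.append((rel, "mismatch"))
    return failures
```

Run `verify` on the off-site copy on a schedule, not only right after the backup, since media can degrade or be tampered with later.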

Securely handling data can be a hassle more than anything. If you’re backing up data, I would
recommend doing it over a secure SSH connection or directly on the root computer. Data can be stolen
very easily if it gets onto the wrong computer. I would also recommend keeping the backup server
offline, meaning it is not connected to the internet until it needs to be. Having the backup
server offline minimises the threat of it being attacked and having the data stolen and possibly sold
on dark web sites. During my time here at this company I’ve been told about many situations that could
happen and a lot of tips and tricks on various subjects. For example, having a backup server sitting
right next to the main server is a hazard for data loss, because if there is a fire in the building
then it’ll take out both the main server and the backup server.

Customers and potential clients are more willing to trust us with their data if we have good data
security and the ability to maintain the ISO 27001 certification. It’s very important that we take the
required steps to ensure that customers’ data cannot be accessed by unauthorised users and that
there is no risk to their data. Also, following the General Data Protection Regulation (GDPR) should
be critical for a company, because it avoids paying a fine or risking the company’s reputation.

One of the biggest cyberattacks and viruses, the ILOVEYOU virus/malware, is a good example of how
easily systems can get hacked. The ILOVEYOU virus was a computer worm, and it’s estimated to have
infected over ten million computers in 2000. It started out by sending people emails with the subject
line “ILOVEYOU” and an attachment named “LOVE-LETTER-FOR-YOU.TXT.vbs”. The virus here is
actually the .vbs extension, which is a scripting language used on Windows. The scripting language is
quite powerful, able to do almost anything to a Windows computer at elevated permission. At the time
the virus was spreading, Windows computers didn’t show the .vbs extension by default, so the filename
actually read “LOVE-LETTER-FOR-YOU.TXT”, and obviously, humans being humans, they clicked it. The
virus infects your computer by overwriting certain files such as Office files or images. But the
“worm” part of the virus is that it copied itself to your Windows Address Book and sent out the same
email to everyone in your address book. I think the most important and interesting part of this virus
is the naming, “ILOVEYOU” and the file name “LOVE-LETTER-FOR-YOU.TXT”, because it will entice
almost 90% of people to open it. This is why it is important to train your employees on social engineering.
Another good example of this is the “YOU’VE WON £10000” email, because it wants people to click it and
believe it; the same thing applies to your emotions, because you’re curious to see what the “love letter” you
got sent was. It’s very important for your employees to catch this out and not to click it, because it
could get your whole network compromised. I’m not saying your employees are idiots, they’re just
humans and humans are curious.
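
The hidden-extension trick described above is also something a mail gateway can catch before a user ever sees the attachment. The following is an added example, not code from the original portfolio: it classifies attachment names by the *last* extension (the one Windows acts on) and flags a script suffix sitting behind a document-looking one such as `.TXT`. The two extension lists are constructed for the example; a real gateway would maintain its policy centrally.

```python
# Added example (not the original author's code): a mail-gateway style check
# that flags attachment names like "LOVE-LETTER-FOR-YOU.TXT.vbs", where a
# harmless-looking document extension hides the script extension that Windows
# did not display by default. Extension lists are constructed for the example.

# Extensions Windows executes directly or hands to the Windows Script Host.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "bat", "cmd",
                     "exe", "scr", "pif", "com", "hta", "ps1"}
# Extensions users expect to be passive documents or images.
DOCUMENT_EXTENSIONS = {"txt", "doc", "docx", "pdf", "jpg", "jpeg", "png",
                       "xls", "xlsx"}


def classify_attachment(filename: str) -> tuple:
    """Return (verdict, reason) for one attachment filename.

    verdict is "block" or "allow". The decision is made on the *last*
    extension, which is the one the operating system acts on, rather than
    the one a user reads once Explorer hides the real suffix.
    """
    # Strip whitespace around each part so stray spaces around a dot do not
    # let an inner extension escape the document list.
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return ("allow", "no extension")
    last = parts[-1]
    inner = parts[-2] if len(parts) >= 3 else None
    if last in SCRIPT_EXTENSIONS:
        if inner in DOCUMENT_EXTENSIONS:
            return ("block", f"script .{last} disguised as .{inner}")
        return ("block", f"executable script extension .{last}")
    return ("allow", f"document extension .{last}")


def screen_attachments(filenames: list) -> list:
    """Return the filenames a gateway should not deliver (verdict 'block')."""
    return [f for f in filenames if classify_attachment(f)[0] == "block"]
```

A filename check is one layer only; the user-awareness training the paragraph argues for still matters because an attachment that passes the filter can still be a lure.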

It’s now illegal to handle clients’ data incorrectly, according to the GDPR. There is too much of a risk,
because a person’s entire life can be ruined by having their personal data given to hackers. The
GDPR gives fines to companies that don’t handle clients’ data properly; this ensures that they
consider how they will handle their clients’ data. We use a third-party encryption company called
Auth0, which basically encrypts data twice. So, if our databases get compromised, we don’t need to
do anything about it, because those encrypted strings in our database have no correlation to the
user’s actual data. Whenever we need the user’s data, we give Auth0 the encrypted data “key” and
they give us the actual data from their servers, almost like 2FA. It’s very important to encrypt the
client’s data, because if you have a dodgy employee or dodgy application, they can’t just read the
user’s password in plain text; they have to decrypt it first.
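
The property the paragraph relies on, that a string stored in the database bears no correlation to the user’s password, is shown below with a salted, slow password hash. This is an added example and is not Auth0’s or the company’s code; it uses PBKDF2-HMAC-SHA256 from the Python standard library in place of the third-party service, and the storage format and iteration count are choices made for the example.

```python
# Added example (not Auth0's or the company's code): a salted, slow password
# hash. A stolen table yields digests that cannot be reversed to the plaintext
# and that differ even for two users who chose the same password.
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor chosen for the example; raise over time


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The salt is random per user, so identical passwords do not produce
    identical stored strings and precomputed tables are useless.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time.

    Nothing here recovers the password from `stored`; a dodgy employee or
    application holding the table can only test guesses, one slow call each.
    """
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```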

I wouldn’t trust a company with my data, despite their reputation. But I need the services they
provide, so this is why the GDPR was made. The GDPR enforces good practices to make sure that the
company that holds your data treats it properly and does not get it compromised. The GDPR gives
out fines as punishment for not treating your data responsibly, and the company’s reputation can also
be damaged. GDPR also makes sure that companies are not allowed to use your data without
your explicit consent, so you know what your data is being used for. As I work on the company app,
it’s important I know about data security and GDPR, especially since I was the one who wrote the
methods which authenticate the user through an API. Some app features require a login, so when the
user logs in with their email and password, it is passed through an HTTPS API. It is incredibly
important to pass sensitive data such as passwords over HTTPS instead of unsecured HTTP.

If you’ve ever watched a YouTube video, you’ve most likely come across a YouTuber who has
been sponsored by a VPN company such as NordVPN or ExpressVPN. The general script these
companies give the YouTubers goes: “If you’re in a public café using their free Wi-Fi, a hacker can
get all your data, including your bank details. ****VPN uses military-grade encryption…” Now, I’ve
been in the computer security business for a while, but even to someone who hasn’t, this looks weird.
So let’s start off with the public Wi-Fi lie. If you go onto a modern website you may see a
little padlock icon in the address bar. This means the website you’re connecting to uses HTTPS, which
means all of your data is being hidden by encryption and is going through something called an
encryption tunnel. Neither the Wi-Fi provider nor anyone else can see what data you send to the website;
they just see a bunch of letters and numbers
(94c309224fab36bd66bf0dc38f2c57454d1c5fbb9c90a29d12b3298262b65a7f). Every iPhone app
since 2016 uses HTTPS, and every Android app since 2018 too. If you stumble across a website that
doesn’t use HTTPS, you’ll most likely get a big red screen warning from the browser saying this
website is insecure, stopping you from potentially giving up your data to 3rd parties. One other thing
was the bit at the end when they said “uses military-grade encryption”. In the IT world this means
nothing, apart from being an advertising ploy to make you want to buy it over the other “non-military-
grade encryption” from other VPN providers.
