2.5 safety and security of data in ict systems


Upload: mrmwood

Post on 24-Jan-2015


DESCRIPTION

Presentation coverin

TRANSCRIPT

Page 1: INFO 2 2.5 Safety and Security of Data in ICT Systems

Page 2: Specification

Page 3: To consolidate you should be able to answer these questions…

1. What is personal data?
2. Why should we be concerned about privacy of data?
3. What do we mean by intrinsic value of data?
4. What do we mean by commercial value of data?

Page 4: Activity

Make a list of organisations that you think store information about you

What is personal data?
◦ Facts and opinions about a living person

Should we be worried about organisations storing personal data?

Page 5: Why should we be concerned about privacy of data?

We should consider the following questions:

◦ Who will be able to access the data? (identity theft)
◦ Is the data accurate? If not, it can have an adverse effect on the individual, e.g. bills aren’t paid, refused a credit card
◦ Will the data be sold on? (health details sold on to an insurance company)
◦ How long will the data be kept? (failed job applications: is personal data kept?)

Page 6: Intrinsic and commercial data

How valuable is this?

Value is often determined by demand and supply

Page 7: Intrinsic and commercial data

How valuable is this to American Airlines?

It is unlikely that anyone would want to buy this information BUT

The information in its own right is valuable

If the data in a flight booking system was lost or stolen it could cause customer dissatisfaction, and the airline’s reputation would then be damaged

Page 8: Intrinsic and commercial data

“Data has an intrinsic value” MEANS

Data has a value in its own right

Another example:

A record can have intrinsic value because of its association with famous people

Page 9: Intrinsic and commercial data

Data is now a commodity, i.e. it has financial value

Its value might be determined by how much time and effort it takes to collate the data

Its value might also be determined by its potential use

Who might sell data? Who might buy data? Why?

http://www.myhouseprice.com/Default.cfm

Page 10: To consolidate you should be able to answer these questions…

1. What is computer crime?
2. What is malpractice?
3. What are the weak points in an ICT System?
4. What methods could be used to protect parts of a system?
5. State 3 internal threats to an ICT system
6. State 3 external threats to an ICT system

Page 11: Computer Crime

Involves an illegal activity using a computer e.g.

◦ Theft of money
◦ Theft of information
◦ Theft of goods
◦ Malicious vandalism

Page 12: Computer Malpractice

Negligence or improper professional behaviour when providing computer related services e.g.

◦ Software developers who do not properly test their software and distribute it full of bugs may be guilty of malpractice
◦ Failing to keep a password secure could be enabling unauthorised access to data
◦ Failing to adhere to company procedures (code of conduct)
◦ Sending offensive material in e-mails

Page 13: Weak Links of an ICT System

Weak links within an IT system:

◦ Networks
◦ Use of portable computers
◦ Data entry
◦ Not following procedures
◦ Viruses / illegal programs
◦ Hacking
◦ Data stored off-line
◦ IT personnel

Page 14: Data Entry

Data could be entered into the system with criminal intent e.g.

◦ A corrupt data entry clerk could purposely enter the wrong account number for a transaction so that an unsuspecting account holder is debited

Possible methods of prevention:

◦ Monitoring all access
◦ Automatic logging
◦ Separating the various stages involved in processing (no single person responsible)

Page 15: Not Following Procedures

Acceptable use and security policies are usually shared with employees during induction training; they can sometimes be included in their contract.

If employees do not follow procedures such as “Log off from your machine when unattended”, then security is put at risk.

Possible methods of prevention:

◦ Staff training
◦ Staff monitoring
◦ Disciplinary procedures shared with staff

Page 16: Use of portable computers

The use of laptop and palmtop computers produces risks whenever sensitive data is being stored.

Such devices are likely to be removed from an organisation’s premises, where security can be controlled.

Possible methods of prevention:

◦ Keep portable computers within the premises of the organisation
◦ If removed from the premises of the organisation, keep in a secure place e.g. fire proof safe

Page 17: Data stored off-line

Data that is stored off-line, on CD-R, memory stick or other devices, is vulnerable to loss or theft.

Possible methods of prevention:

◦ Disk stores kept locked when left unattended
◦ Formal clerical systems in place so that details are recorded whenever files leave the store
◦ Filing and recording system should be maintained rigorously to ensure that files are not mislaid

Page 18: IT Personnel

Security procedures are only as good as the people using and enforcing them.

Disgruntled, dishonest and greedy employees can pose a big threat to an organisation as they have easy access to the information system.

Employees might:

◦ Take bribes to provide information to a rival
◦ Alter or erase data to sabotage the efforts of the company

Possible methods of prevention:

◦ Effective interview procedures – checking references and previous employers when recruiting staff
◦ Audit trails

Page 19: Hacking

Hacking is defined as:

◦ Unauthorised access to data held on a computer system.

It is possible that a hacker will access the system to commit fraud or to steal commercially valuable data.

However, a large number of hackers appear to break into systems simply to prove that they can do it.

Hackers’ profile:

◦ Grudge against company or society in general
◦ Techno-terrorists
◦ Criminal purpose

Page 20: Hacking

Possible methods of prevention:

◦ Password discipline
◦ Terminals logged off
◦ Restricted access privileges
◦ All access monitored
◦ Off-line storage of data and software (for restore)

Page 21: Hacking – is there a law?

There is NO worldwide legislation

In the UK there is the Computer Misuse Act 1990

Page 22: Networks

When data is transferred over a WAN a line can be tapped to allow eavesdropping.

This has been recognised as a real problem for internet users (security of using a credit card)

Possible methods of prevention:

◦ Firewall (used to prevent unauthorised access to an organisation’s network)
◦ Virus protection: prevention, detection and repair
◦ Identification of users
◦ Levels of permitted access

Page 23: Viruses

A virus is a program that is written with the sole purpose of infecting computer systems

Many viruses spend time infecting documents and software before moving into an active state (letting you know that they are there)

This state is often triggered by an action or a date set in the program

The fear is that viruses can spread and infect many areas of the hard drive.

They can also reproduce and copy themselves to floppy disks, thus infecting the hard drive of the next computer the disk is used on

Page 24: Viruses – how they work

ORIGINATION: A programmer writes a program – the virus – to cause mischief or destruction. The virus is capable of reproducing itself.

TRANSMISSION: Often, the virus is attached to a normal program. It then copies itself to other software on the hard disk.

REPRODUCTION: When another floppy disk is inserted into the computer’s disk drive, the virus copies itself on to the floppy disk.

INFECTION: Depending on what the original programmer wrote in the virus program, a virus may display messages, use up all the computer’s memory, destroy data files or cause serious system errors

Page 25: Virus examples

Form – the most common virus in the world.
◦ This virus makes the speaker beep when you press a key on the 18th day of each month

Jerusalem – serious virus
◦ Deletes a program you try to run on Friday 13th

Dark Avenger – dangerous virus
◦ Corrupts the hard disk and backup copies

Page 26: Virus Protection

Prevention

◦ Don’t allow users to bring their home floppy disks to use on the system
◦ Systems can be set up to only allow specially formatted disks
◦ Floppy disks should be write-protected whenever possible
◦ Use PCs without floppy drives

Detection and Repair

◦ Detected and repaired using Anti-Virus Toolkit software – this software runs in the background whenever the computer is on.
◦ The software is usually able to remove the virus
◦ ‘Sheep-Dip’ / ‘footbath’ workstations – workstations fitted with the latest virus detectors

Page 27: Illegal Programs

Trojan horses
◦ A program that runs as a background task, collecting user log-in codes and passwords e.g. a program that simulates the system log-in screen

Logic bombs
◦ Programs that cause system damage when triggered.
◦ Similar to a virus but does not replicate itself.
◦ Often used by employees to destroy firm’s data when they leave

Page 28: Illegal Programs

Macro virus
◦ Modern virus – exploits security loopholes in word processors, spreadsheets etc.
◦ Not usually destructive
◦ Can slow down the system, take up memory

E-mail virus
◦ Spreads as an attachment to an e-mail file
◦ Runs when the attachment is downloaded or run
◦ Some very destructive
◦ Spread very quickly by reading address book and re-sending themselves

Page 29: Illegal Programs

Phantom virus
◦ Virus does not exist
◦ Problems caused by people e-mailing warnings – slows network traffic
◦ New variant tells people that a particular system file is a virus and gets them to delete it, causing system failure

Page 30: Methods of protection

Back up all data regularly

Do not download software from unknown sources

Do not open attachments in e-mails

Firewall

◦ Used to prevent unauthorised access to an organisation’s network.
◦ The firewall software is placed between the network file server and the external network, often the internet.
◦ It checks all of the messages sent to the file server and filters the contents

Page 31: Computer Crime

What is it?

◦ Involves an illegal activity using a computer
◦ It is sometimes thought that computer crime is a new phenomenon but, as you will see, it is more the case that computers have provided new ways to commit old crimes.

The following slides outline different categories of computer crime:

Page 32: Categories of computer crime

Unauthorised access
◦ Hacking

Fraud
◦ Stealing credit identities, amending details to financial accounts

Publication of illicit material
◦ Pornography, racial hatred freely available on an international ‘ownerless’ system (the internet)

Theft
◦ Code behind a piece of software, consumer information – physically or electronically stolen

Industrial espionage
◦ Gaining access to information about a competitor’s marketing strategy, latest research etc. (electronically)

Sabotage
◦ Damaging the effective functioning of an organisation e.g. personal grudge, political attack, economic (damaging their reputation)

Page 33: Protecting data – what do we need to protect?

We need to protect:

◦ Program files
◦ Data files
◦ Operating system files

Why?

◦ All of these can be:
    ◦ Corrupted
    ◦ Deleted
    ◦ Altered
  (accidentally or maliciously)

Page 34: Threats to data security

Organisations are increasingly dependent on their information systems

It is therefore more important to protect the systems and the integrity of the data they contain.

Consequences of failing to do the above:

◦ Financial loss – replace the system, compensate customers, restore missing or compromised data
◦ Loss of reputation – failure to protect clients’ details and business information will result in the loss of trust
◦ Legal consequences – DPA requires organisations to ensure data stored on individuals is securely held. Failure to do so can result in legal action

Threats to data security can come from two sources: internal sources or external sources (outlined on following slides)

Page 35: Internal threats

Non Deliberate
◦ An organisation’s employees may accidentally compromise data security or integrity.
    ◦ Simple clerical errors during input/processing stages may affect accuracy of data
    ◦ Files may be accidentally erased through misuse
    ◦ Internally produced software may be flawed, consequently damaging data
    ◦ E-mail attachments may contain viruses, accidentally opened and thus activated.

Deliberate
◦ Those responsible for ICT security need to be aware of the ‘enemy within’. Two main threats:
    ◦ The disgruntled employee – grudge against the company
    ◦ Employee who decides to defraud the organisation for financial gain

Page 36: External threats

Non Deliberate
◦ The main threats of this type are ‘disasters’.
◦ These may be natural:
    ◦ Floods, extreme weather conditions, earthquakes, volcanoes etc.
◦ Human / mechanical:
    ◦ Plane crashes, power cuts, fires, building collapse etc.
◦ Both have potential to wipe out an organisation’s information systems.

Deliberate
◦ Threats of this type can take many forms, including:
    ◦ Criminals wishing to defraud the organisation by accessing and amending financial data
    ◦ Viruses with potential to corrupt data
    ◦ Industrial espionage, i.e. rival organisations accessing confidential information in order to gain competitive advantage
    ◦ Actual theft of hardware/software
    ◦ Terrorist attack

Page 37: Protecting systems

The following headings suggest and describe ways of preventing computer crime and malpractice

Page 38: Software measure: Levels of permitted access

Access privileges define for each user exactly which computers and what data he or she is allowed to access, and what they are allowed to do with that data.

Possible access rights include:

◦ Full Rights – a user can carry out any action on the file or data
◦ Read only – the data can be accessed to be viewed or printed, but not altered in any way
◦ Read and write – the user can read or create new data records
◦ Amend – the user can change the data held in a record
◦ Delete – the user can delete a whole record
◦ No Access – the user is barred from any form of access to the data
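The access levels listed above, combined with the "all access monitored" measure from the hacking slide, as an added Python example that is not part of the original presentation. The user names, the resource name, the `is_allowed` function and the decision that Amend and Delete also imply reading are assumptions made for illustration.

```python
from enum import Flag, auto


class Right(Flag):
    """Individual actions; the slide's named levels are built from these."""
    NONE = 0
    READ = auto()
    CREATE = auto()
    AMEND = auto()
    DELETE = auto()


# The six levels named on the slide, expressed as sets of actions.
LEVELS = {
    "No Access": Right.NONE,
    "Read only": Right.READ,
    "Read and write": Right.READ | Right.CREATE,
    "Amend": Right.READ | Right.AMEND,    # assumption: amending implies reading
    "Delete": Right.READ | Right.DELETE,  # assumption: deleting implies reading
    "Full Rights": Right.READ | Right.CREATE | Right.AMEND | Right.DELETE,
}

# Constructed sample data: which level each user holds on each resource.
ACL = {
    ("clerk", "customer_accounts"): "Read and write",
    ("manager", "customer_accounts"): "Full Rights",
    ("auditor", "customer_accounts"): "Read only",
}

AUDIT_LOG = []  # every decision is recorded, allowed or not


def is_allowed(user: str, resource: str, action: Right) -> bool:
    """Default deny: a user with no ACL entry is treated as 'No Access'."""
    level = ACL.get((user, resource), "No Access")
    allowed = action != Right.NONE and action in LEVELS[level]
    AUDIT_LOG.append(
        (user, resource, action.name, level, "ALLOW" if allowed else "DENY")
    )
    return allowed


if __name__ == "__main__":
    is_allowed("clerk", "customer_accounts", Right.CREATE)   # allowed
    is_allowed("clerk", "customer_accounts", Right.AMEND)    # denied
    is_allowed("visitor", "customer_accounts", Right.READ)   # denied, no entry
    for entry in AUDIT_LOG:
        print(entry)
```

Denied attempts are logged as well as allowed ones, which is what makes the log usable as an audit trail.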

Page 39: Hardware and Software measure: Biometrics

Biometrics is the name given to techniques that convert a human characteristic such as a fingerprint into a digital form that can be stored in a computer.

These characteristics are unique

Currently the face, the shape of the hand, the eye and the voice are actually used for identification as well as a fingerprint.

Page 40: Physical Security

It is necessary to protect the hardware from theft and unauthorised access. How:

◦ Security guards – responsible for permitting access to the building, logging visits, challenging intruders
◦ Secure areas – some equipment (e.g. main servers) may be held in a secure area with limited access. This area may be locked, alarmed and monitored.
◦ Biometric access devices – access to the building using fingerprints, voice, iris etc.

Page 41: Clerical Procedures

Data can be compromised by errors made at the point of data entry. In order to optimise data accuracy, there should be:

◦ Set procedures for data entry
◦ A means to check the validity

This might involve:

◦ Batch-processing
◦ Validation checks (e.g. range checks, presence checks etc.)
◦ Verification procedures (e.g. checking for double entry of data and confirming with the client that their address has been correctly entered)

Page 42: Password Procedures

Employees should be made aware of the need to:

◦ Regularly change passwords
◦ Avoid obvious passwords such as: postcode, telephone number, name, pet
◦ Avoid other standard passwords like: FRED, PASS, SECRET etc.
◦ Don’t write your password down
◦ Your password should incorporate characters other than letters – such as $ or %
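The checkable rules from this slide applied to a candidate password, as an added Python example that is not part of the original presentation. The function name, the 90-day interval (the slide only says "regularly") and the sample personal details are assumptions; "don't write your password down" cannot be checked in software and is left out.

```python
from datetime import date, timedelta

STANDARD_PASSWORDS = {"FRED", "PASS", "SECRET"}  # the slide's own examples
MAX_AGE = timedelta(days=90)  # assumption: the slide says "regularly", not how often


def _alnum(text: str) -> str:
    """Upper-case and keep letters and digits only, so 'ab1 2cd' matches 'AB12CD'."""
    return "".join(ch for ch in text.upper() if ch.isalnum())


def password_problems(password, personal_details, last_changed, today):
    """Return the slide's rules that this password breaks (empty list = none)."""
    problems = []

    # Standard passwords, also when only decorated with digits or symbols.
    letters = "".join(ch for ch in password.upper() if ch.isalpha())
    if letters in STANDARD_PASSWORDS:
        problems.append("standard password")

    # Obvious passwords: postcode, telephone number, name, pet.
    core = _alnum(password)
    for label, value in personal_details.items():
        needle = _alnum(value)
        if needle and needle in core:
            problems.append(f"contains {label}")

    # Must incorporate characters other than letters, such as $ or %.
    if not any(not ch.isalpha() for ch in password):
        problems.append("no non-letter character")

    # Regularly change passwords.
    if today - last_changed > MAX_AGE:
        problems.append("overdue for change")

    return problems


if __name__ == "__main__":
    # Constructed sample details for one employee.
    details = {
        "name": "Alice",
        "pet": "Rex",
        "postcode": "AB1 2CD",
        "telephone number": "01234 567890",
    }
    changed, now = date(2015, 1, 1), date(2015, 1, 24)
    for candidate in ["secret", "Secret1$", "rex2015!", "ab12cd$", "T7$kq%Zp"]:
        print(candidate, password_problems(candidate, details, changed, now))
```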

Page 43: Training Procedures

The most effective way to prevent employees unintentionally compromising the security of systems and data is to ensure that they are well trained.

Security awareness can be reinforced through the use of posters, screen messages etc.

Page 44: Software measure: Data encryption

Data on a network is vulnerable to wire-tapping when it is being transmitted over a network.

One method of preventing this is to encrypt the data, making it incomprehensible to anyone who does not hold the ‘key’ to decode it.

(No system is completely foolproof)

Page 45: Software measure: Data encryption (continued)

There are many ways of encrypting data, often based on either transposition or substitution.

Transposition – where characters are switched around

Substitution – where characters are replaced by other characters

Page 46: Software measure: Data encryption (continued)

In a transposition cipher, the message could be written in a grid row by row and transmitted column by column.

Page 47: Software measure: Data encryption (continued)

The sentence ‘Here is the exam paper’ could be written in a 5x5 grid:

H E R E *
I S * T H
E * E X A
M * P A P
E R * * *

And transmitted as: HIEMEES**RR*EP*ETXA**HAP*

Page 48: Software measure: Data encryption (continued)

Message sent (plaintext): HERE IS THE EXAM PAPER

Written into the grid: HERE*IS*THE*EXAM*PAPER***

Encryption

Message transmitted (ciphertext): HIEMEES**RR*EP*ETXA**HAP*

Decryption

Read back from the grid: HERE*IS*THE*EXAM*PAPER***

Message received (plaintext): HERE IS THE EXAM PAPER
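The grid transposition described on the slides above, as an added Python example that is not part of the original presentation. The function names are assumptions; the use of `*` for both spaces and unused cells follows the slide's grid.

```python
"""Grid transposition from the slides: written row by row, sent column by column."""
from collections import Counter

PAD = "*"  # the slides use '*' both for spaces and for unused grid cells


def to_cells(message: str, size: int = 5) -> str:
    """Replace spaces with PAD and pad the text to fill a size x size grid."""
    cells = message.upper().replace(" ", PAD)
    if len(cells) > size * size:
        raise ValueError(f"message needs {len(cells)} cells, grid holds {size * size}")
    return cells.ljust(size * size, PAD)


def encrypt(message: str, size: int = 5) -> str:
    """Write the message into the grid row by row, read it out column by column."""
    cells = to_cells(message, size)
    rows = [cells[r * size:(r + 1) * size] for r in range(size)]
    return "".join(row[c] for c in range(size) for row in rows)


def decrypt(ciphertext: str, size: int = 5) -> str:
    """Write the ciphertext in column by column, read the grid row by row."""
    if len(ciphertext) != size * size:
        raise ValueError(f"ciphertext must be exactly {size * size} characters")
    cols = [ciphertext[c * size:(c + 1) * size] for c in range(size)]
    cells = "".join(col[r] for r in range(size) for col in cols)
    # Trailing PADs are filler, the remaining PADs were spaces. A message that
    # itself contained '*' or ended in spaces would not survive the round trip.
    return cells.rstrip(PAD).replace(PAD, " ")


def same_characters(message: str, ciphertext: str, size: int = 5) -> bool:
    """Transposition only reorders: every character count is unchanged."""
    return Counter(to_cells(message, size)) == Counter(ciphertext)


if __name__ == "__main__":
    sent = "HERE IS THE EXAM PAPER"  # plaintext from the slide
    transmitted = encrypt(sent)
    print(to_cells(sent))
    print(transmitted)
    print(decrypt(transmitted))
    print(same_characters(sent, transmitted))
```

Because the characters and their counts are unchanged and the only secret is the grid size, this scheme illustrates the idea of encryption rather than providing real protection.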

Page 49: Software measure: Task – time permitted

Using the same grid, decode the message

ITT*O*E*HRWDNIYA*OS*NITT*

I * W A N
T E D * I
T * N O T
* H I S T
O R Y * *

Page 50: To consolidate you should be able to answer these questions…

1. What legislation exists to protect data?

Page 51: Exam question 1

Explain, using examples, the difference between malpractice and crime as applied to Information Systems.

(4)

Pages 52–60: Past Paper Questions