SECURITY THREATS AND CONTROLS Data security core principles€¦ · SECURITY THREATS AND CONTROLS...

COMPILED BY: WESLEY M. NYANDIKA [email protected]

SECURITY THREATS AND CONTROLS

Data security core principles

The three core principles of data security/information security are:

1. Confidentiality

2. Integrity

3. Availability

Confidentiality

This means that sensitive data or information belonging to an organization or government should not be

accessed by or disclosed to unauthorized people.

Integrity

This means that data should not be modified without owner’s authority

Availability

This means that information should be available on demand.

This means that any information system and communication link used to access it, must be efficient and

functional.

Security threats and control measures

Security threats to a computer based information system include:

1. Unauthorized access

2. Alteration

3. Malicious destruction of hardware, software, data or network resources


4. Sabotage

The goal of data security control measures is to provide security, ensure integrity and safety of an

information system hardware, software and data.

Information system failure

Some of the causes of computerized information system failure include:

1. Hardware failure due to improper use

2. Unstable power supply as a result of brownouts or blackout and vandalism

3. Network break down

4. Natural disaster

5. Program failure

Control measures against hardware failure

1. Use surge protectors to protect computers against brownouts or blackouts which may cause

damage or data loss

2. Use fault tolerant systems.

Disaster recovery plans

This involves the establishing of offsite storage of an organization’s database so that incase of disaster of

fire accidents, the company would have backup copies to reconstruct lost data


Threats from malicious programs

Malicious programs may affect the smooth running of a system or carry out illegal activities such as,

secretly collecting information from an unknowing user.

Some types of malicious programs include:

1. Boot sector viruses: they destroy the booting information on storage media

2. File viruses: attach themselves to files

3. Hoax viruses: come as E-mail with attractive messages and launch themselves when E-mail is

open

4. Trojan Horse: they appear to perform useful functions but instead they perform other

undesirable activities in the background

5. Worms: a malicious program that self-replicates hence clogs the system memory and storage

media

6. Backdoors: may be a Trojan or worm that allows hidden access to a computer system

Control measures against viruses

1. Install the latest version of anti-virus software on the computers – make sure that you

continuously update the anti-virus software with new virus definition to counter the new viruses

2. Always scan removable storage media for viruses before using them

3. Scan E-mail attachments for viruses before opening or downloading an attachment

Physical theft

This involves the stealing of computer hardware and software


Control measures against theft

1. Employ security agents to keep watch over information centers and restricted backup sites

2. Reinforce weak access points like the windows, door and roofing with metallic grills and strong

padlocks

3. Motivate workers so that they feel a sense of belonging in order to make them proud and

trusted custodians of the company resources

4. Insure the hardware resources with a reputable insurance firm

Piracy

It is a form of intellectual property theft which means illegal copying of software, information or data.

Control measures against piracy

1. Enforce laws that protect the owner of data and information against piracy

2. Make software cheap enough to increase affordability

3. Use licenses and certificates to identify original software

4. Set installation passwords that deter illegal installation of software

Fraud

This is stealing by false pretense

Sabotage

This is the illegal destruction of data and information with the aim of crippling service delivery or causing

great loss to an organization


Threats to privacy and confidentiality

Privacy means that data belonging to an individual should not be accessed by or disclosed to other

people

Confidentiality means that sensitive data or information belonging to an organization or government

should not be accessed by or disclosed to unauthorized people

Eavesdropping

Refers to tapping into communication channels to get information.

Surveillance

Refers to monitoring use of computer systems and network using background programs such as spyware

and cookies.

Industrial espionage

Involves spying on a competitor to get information that can be used to cripple the competitor

Accidental access

Threat to data and information from people giving out information to strangers unknowingly

Hacking and cracking

A hacker is a person who gains unauthorized access to information just for fun, while a cracker violates

the security measures put in place such as by passing passwords or finding weak access points to

software


Alteration

This is the illegal modification of private or confidential data and information with the aim of

misinforming users.

Control measures against unauthorized access

1. Firewall

This is a device or software system that filters the data and information exchanged between different

networks by enforcing the host networks access control policy

2. Data encryption

This is converting data (plain text-data that is not encrypted) to a form (cipher text-encrypted data) that

only the sender and receiver can understand

An algorithm key is used to encrypt the data while a decryption key is used to decrypt the data

3. Security monitors

This are programs that monitor and keep a log file or record of computer systems and protect them

from unauthorized access

4. Biometric security

Biometric security takes the user’s attributes such as voice, fingerprints and facial recognition

Other access control measures

Access control can also be enhanced by implementing multi-level authentication policies such as

assigning users log on accounts, use of PIN (personal identification number) and smart cards


Policies and laws governing information security

International data security issues are governed by bodies such as ISO (International Organization for

Standards) and ISF (Information Security Forum)

ISO has published an Information technology Security techniques-Code of practice for information

security management

ISF is a global non-profit making body made up of several leading organizations in financial services,

manufacturing, telecommunication, consumer goods and governments

The organization provides research on best practices summarized in its report Standard of Global

Practice

Examples of regulation laws in Kenya, UK and USA

ICT related Acts in Kenya

ICT issues are considered under various legislations including:

The Science and Technology Act Cap 250 of 1977, The Kenya Broadcasting Corporation Act of 1988 and

the Kenya communications Act of 1998

Kenya ICT policy

The government has developed a national ICT policy that seeks to address issues of privacy, e-security,

ICT legislation, cybercrimes, ethical and moral conduct, copyright, intellectual property rights and piracy.


United Kingdom data protection Act 1998

Protects an individual privacy. The act states that no processing of information relating to individuals,

including the obtaining, holding, use or disclosure of such information can be done without owner’s

consent

United Kingdom Computer Misuse Act 1990

It makes computer crime such as hacking a criminal offence. The act has become a model of many other

countries including Kenya, which they have used to draft their own information security regulations

Family Education Rights and Privacy Act (USA)

It is a USA Federal law that protects the privacy of student’s education records. To release any

information from a students’ education record, USA schools must have written permission from the

parent or the student.

Security Breach Notification Laws

Most countries require business, nonprofit, and state institutions, to notify consumers when

unencrypted “personal information” is compromised, lost or stolen

Copyright and software protection laws

Hardware and software are protected by either national or international copyright, design patents laws

or Acts.

These laws seek to address the following:

1. Data should not be disclosed to other people without the owner’s permission

2. Data and information should be kept secured against loss or exposure


3. Data and information should be accurate and up to date

4. Data and information should be collected, used and kept for specified lawful purposes

APPENDIX

DATA SECURITY

This is the protection of programs and data in computer and communication system against

unauthorized access

Data control

Measures taken to enforce the security of programs and data in the computer system

Data security involves:

1. Protection of data and information against unauthorized access or modification

2. Denial of data and information to unauthorized user

3. Provision of data and information to authorized users

Data can be lost in various ways:

1. Viruses

2. Users error

3. Computer crashing

4. Hacking etc.

Viruses

Is a self-replicating segment of a computer code designed to spread to many computers causing

destruction of data.

Viruses are classified into:

1. Benign

It replicates but don’t cause anything i.e. they may beep or display messages on the screen

2. Malignant

They cause damage to the computer resources such as erasing the software

NB: viruses can be dormant for days or month before becoming active

Source of viruses

1. Pirated software

2. Fake computer games


3. Through data transmission from one computer to another i.e. the internet or use of removable

storage devices

4. Freeware and shareware software

5. From software laboratories

6. Through the use of a network

7. An employee introducing such bugs knowingly

Characteristics of computers with viruses

1. Programs taking too long to load

2. Unusual error messages appearing all the time

3. Distortion of computer graphics

4. Changing the dates of files

5. Changing the size of files i.e. files occupying bigger portions of memory

6. Programs giving unusual results

7. Corruption of programs and computer files

Policies of preventing computer viruses

1. Install the latest version of antivirus software

2. Avoid foreign storage devices in the computer room

3. Avoid opening mail attachments before scanning them

4. Create backup of computer files and data regularly

5. Users should be informed on the need of data security and the potential threat to their data

6. Don’t open e-mails from unknown sender

7. All unlicensed software should be examined carefully before loading them in the computer

8. Procedures for evaluating new software should include testing the presence of viruses

9. Always scan the portable devices before using them

Computer viruses

1. Boot sector viruses

They destroy the booting information and procedure in the storage devices

2. File viruses

They attach themselves to files

3. Hoax viruses

They come as e-mail with attractive subject and launches itself when opening the e-mail

4. Trojan horse viruses


That appear to perform necessary function but perform undesirable activities on the background

5. Worms

They attach themselves in the computer memory

6. Back doors viruses

They may be Trojan or worm that allows hidden access to the computer system

Computer crimes

1. Trespass

Illegal entry into restricted areas where it involves computer hardware, software or computer data

It is accessing of information illegally on the computer or a computer on a network

2. Hacking

A hacker is a person who breaks the code and passwords to access computer data and information

3. Tapping

Is the process where someone gains access to information that is being transmitted via communication

links

4. Piracy

Making illegal copies of a copyright software, information or data

5. Fraud

Use of computers to conceal information or cheat other people with the intention of getting money or

information

6. Sabotage

The illegal destruction of data and information with the aim of crippling service delivery or causing lose

to an organization

7. Tracking

Monitoring what someone is doing on the computer system to establish his/her activities or dealings.

8. Cracking

Is the use of guess work over and over until you discover weakness in the security codes

9. Alteration


The illegal changing of data and information without permission with the aim of gaining or misinforming

the authorized user

10. Spam

Done by gaining access to a list of E-mail addresses

Detection and protection against computer crimes

1. Audit trial

Is keeping a record of who accessed the computer system and the operations he performed during a

given time.

It is done to maintain security and recover the lost information

It also detects trespassing and alteration

2. Data encryption

Data on transit over a network is coded by the sender in a form that cannot be understood by tappers

and decrypted upon reception

3. Log files

Are special files that gives a record of events on the use of the computer and its resources

It is done by a software

4. Firewalls

Is a software that filters data and information being received from the network/internet

This controls unauthorized access to restricted areas

SECURITY THREATS AND CONTROLS Data security core principles€¦ · SECURITY THREATS AND CONTROLS...

Documents

Transcript of SECURITY THREATS AND CONTROLS Data security core principles€¦ · SECURITY THREATS AND CONTROLS...