Data Security and Control

Published on June 2016 | Categories: Types, School Work

Data and information security involves:
• Protection of data and information against unauthorized access and modification
• Denial of data and information to unauthorized users



Security threats and control measures
Viruses
• A computer virus is a destructive program that attaches itself to other files and installs itself on the computer without permission when the files are opened for use
• It causes havoc in computer systems, e.g. deleting files on storage devices or interfering with the proper functioning of the computer system

Types of computer viruses
• Boot sector viruses – they destroy the booting information on storage devices
• File viruses – they attach themselves to files
• Hoax viruses – they come as an email with an attractive subject and launch themselves when the email is opened
• Trojans – they appear to perform necessary functions but perform other undesirable activities in the background without the user's knowledge
• Worms – viruses that stick in the computer memory

Control measures against viruses
• Install the latest version of antivirus software on the computer
• Avoid foreign removable disks; if they have to be used, they must be scanned for viruses
• Avoid opening mail attachments before scanning them for viruses

Unauthorized access
Takes the following forms:
• Eavesdropping – tapping into communication channels to get information. Hackers mainly use eavesdropping, e.g. to obtain credit card numbers
• Surveillance (monitoring) – a person may keep a profile of all computer activities done by another person or people
  - The information gathered may be used for one reason or another, e.g. spreading propaganda or sabotage
  - Many websites keep track of your computer activities using special programs called cookies
• Industrial espionage – spying on your competitors to get information that you use to counter or finish the competitors

Unauthorized access can also take the following forms:
• An employee who is not supposed to view sensitive data gets it, by mistake or by design
• Strangers who may stray into the computer room when nobody is using the computer
• Forced entry into the computer room through weak access points

Control measures against unauthorized access
• Enforce data and information access policies on all employees
• Encrypt the data and information during transmission
• Keep the computer room closed when nobody is using it
• Reinforce weak access points like doors and windows with metallic grills and burglar alarms
• Use file passwords to deter any persons who may get to the electronic files

Computer errors and accidental access
• Includes mistakes like printing sensitive reports and unsuspectingly giving them to an unauthorized person
• People experimenting with features they are not familiar with, e.g. a person innocently downloads a file without knowing that it is self-installing and dangerous to the system

Control
• Give various file access privileges and roles to the end users and technical staff in the organization, i.e. deny certain groups of users access permission to certain files and computers
• Set up a comprehensive error recovery strategy in the organization

Computer Crimes
Hacking
• A hacker is a person who intentionally breaks codes and passwords to gain unauthorized entry to computer system data and information files
• A hacker breaks the security measures put in place

Tapping
• A person sends an intelligent program to a host computer, which sends him information from that computer or from a networked computer, using special programs that are able to intercept messages being sent and received by the unsuspecting computer

Cracking
• Refers to the use of guesswork over and over again by a person until he/she finally discovers a weakness in the security policies or codes of a software

Piracy
• Making illegal copies of copyrighted software, information or data

Ways of reducing piracy
  - Enact laws that protect the owners of data and information against piracy
  - Make software cheap enough to increase affordability
  - Use licenses and certificates to identify originals
  - Set installation passwords that deter illegal installation of software

Fraud
• Use of computers to conceal information or cheat other people with the intention of gaining money or information
• Fraud may also involve the production and use of fake documents

Alteration
• Illegal changing of data and information without permission, with the aim of gaining or of misinforming the authorized users

Sabotage
• Illegal destruction of data and information with the aim of crippling service delivery or causing great loss to an organization
• Carried out by disgruntled employees or by those sent by competitors to cause harm to the organization

Detection and Protection against Computer crimes
Audit trail
• This is a careful study of an information system by experts in order to establish all the weaknesses in the system that could lead to security threats and weak access points for computers

Data encryption
• Protecting data in transit over a network by scrambling (mixing) it into a form that only the sender and receivers can understand, by reconstructing the original message from the mix

Log files
• These are special system files that keep a record (log) of events on the use of the computers and resources of the information system
• The IS administrator can therefore track who accessed the system, when, and what they did on the system

Firewalls
• A device or software system that filters the data and information exchanged between different networks by enforcing the host network's access control policy
• It controls access to or from protected networks
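
The log-file review described above (who accessed the system, when, and what they did), shown as an added example that is not part of the original notes. The log line format, the user names and the working-hours window are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format: timestamp user action resource result).
SAMPLE_LOG = """\
2016-06-01T08:15:02 user=alice action=login resource=console result=ok
2016-06-01T08:17:40 user=alice action=read resource=payroll.xls result=ok
2016-06-01T09:02:11 user=bob action=read resource=payroll.xls result=denied
2016-06-01T09:02:19 user=bob action=read resource=payroll.xls result=denied
2016-06-01T23:41:55 user=carol action=delete resource=sales.db result=ok
this line is damaged and must not crash the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>ok|denied)$"
)
WORK_HOURS = range(7, 19)  # assumption: normal use is 07:00-18:59

def parse_log(text):
    """Return (events, rejected_lines); malformed lines are kept for follow-up."""
    events, rejected = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            if line.strip():
                rejected.append(line)
            continue
        event = m.groupdict()
        try:
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            rejected.append(line)
            continue
        events.append(event)
    return events, rejected

def review(events):
    """Group activity per user and flag denied or out-of-hours events."""
    activity, flagged = defaultdict(list), []
    for e in events:
        activity[e["user"]].append((e["ts"], e["action"], e["resource"]))
        if e["result"] == "denied":
            flagged.append((e["user"], "access denied", e["resource"]))
        elif e["ts"].hour not in WORK_HOURS:
            flagged.append((e["user"], "outside working hours", e["resource"]))
    return dict(activity), flagged
```

Lines that do not parse are returned separately rather than dropped, since a damaged or altered log entry is itself something the administrator should look at.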

Enacting laws governing protection of information
The laws may have the following provisions:
• Data should not be transferred to other countries without the owner's permission
• Data and information should be secure against loss and exposure
• Data and information should be accurate and up to date
• Data and information should be collected, used and kept for specialized lawful purposes
