2.5 safety and security of data in ict systems

10,344 views

Published on

Presentation coverin

Published in: Technology, Business
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
10,344
On SlideShare
0
From Embeds
0
Number of Embeds
73
Actions
Shares
0
Downloads
232
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

2.5 safety and security of data in ict systems

  1. 1. INFO 2<br />2.5 Safety and Security of Data in ICT Systems<br />
  2. 2. Specification<br />
  3. 3. What is personal data?<br />Why should we be concerned about privacy of data?<br />What do we mean by intrinsic value of data?<br />What do we mean by commercial value of data?<br />To consolidate you should be able to answer these questions…<br />
  4. 4. Make a list of organisations that you think store information about you<br />What is personal data<br />Facts and opinions about a living person<br />Should we be worried about organisations storing personal data?<br />Activity<br />
  5. 5. What should consider the following questions:<br />Who will be able to access the data?<br />Identity theft<br />Is the data accurate?<br />If not can have adverse effect on individual e.g. bills aren’t pay paid, refused a credit card<br />Will the data be sold on?<br />Health details sold on to insurance company<br />How long will the data be kept?<br />Failed job applications, is personal data kept?<br />Why should we be concerned about privacy of data?<br />
  6. 6. How valuable is this?<br />Intrinsic and commercial data<br />Value is often determined by demand and supply<br />
  7. 7. How valuable is this to American Airlines?<br />It is unlikely that anyone would want to buy this information BUT<br />The information in its own right is valuable<br />If the data in a flight booking system was lost or stolen it could cause customer dissatisfaction, the airline’s reputation would then be damaged<br />Intrinsic and commercial data<br />
  8. 8. “Data has an intrinsic value” MEANS<br />Data has a value in it’s own right<br />Another example:<br />A record can have intrinsic value because of its association with famous people<br />Intrinsic and commercial data<br />
  9. 9. Data is now a commodity i.e. it has financial value<br />It’s value might be determined by how much time and effort it takes to collate the data<br />It’s value might also be determined by its potential use<br />Who might sell data?<br />Who might buy data? Why?<br />http://www.myhouseprice.com/Default.cfm<br />Intrinsic and commercial data<br />
  10. 10. What is computer crime?<br />What is malpractice?<br />What are the weak points in an ICT System?<br />What methods could be used to protect parts of a system?<br />State 3 internal threats to an ICT system<br />State 3 external threats to an ICT system<br />To consolidate you should be able to answer these questions…<br />
  11. 11. Involves an illegal activity using a computer e.g.<br />Theft of money<br />Theft of information<br />Theft of goods<br />Malicious vandalism<br />Computer Crime<br />
  12. 12. Negligence or improper professional behaviour when providing computer related services e.g.<br />Software developers who do not properly test their software and distribute it full of bugs may be guilty of malpractice<br />Failing to keep a password secure could be enabling unauthorised access to data.<br />Failing to adhere to company procedures (code of conduct)<br />Sending offensive material in e-mails<br />Computer Malpractice<br />
  13. 13. Weak Links of an ICT System<br />Viruses /<br />Illegal<br />programs<br />Networks<br />Data Entry<br />Weak Links<br />Within an IT<br />System<br />Not<br />following<br />procedures<br />Hacking<br />Use of <br />portable <br />computers<br />IT<br />Personnel<br />Data<br />Stored<br />Off line<br />
  14. 14. Data could be entered into the system with criminal intent e.g.<br />A corrupt data entry clerk could purposely enter the wrong account number for a transaction so that an unsuspecting account holder is debited<br />Possible Methods of prevention:<br />Monitoring all access<br />Automatic logging<br />Separating the various stages involved in processing (no single person responsible)<br />Data Entry<br />
  15. 15. Not Following Procedures<br />Acceptable use and Security policies are usually shared with employees during induction training, it can sometime be included in their contract.<br />If Employees do not follow procedures such as “<br /> Log off from your machine when unattended”<br />Then security becomes a risk<br />Possible Methods of prevention:<br />Staff training<br />Staff monitoring<br />Disciplinary procedures shared with staff<br />
  16. 16. Use of portable computers<br />The use of laptop and palmtop computers produces risks whenever sensitive data is being stored.<br />Such devices are likely to be removed from an organisation’s premises, where security can be controlled.<br />Possible Methods of prevention:<br />Keep portable computers within the premises of the organisation<br />If removed from the premises of the organisation keep in a secure place e.g. fire proof safe<br />
  17. 17. Data stored off-line<br />Data that is stored off-line, on CD-R, memory stick or other devices is vulnerable to loss or theft.<br />Possible Methods of prevention:<br />Disk stores kept locked when left unattended<br />Formal clerical systems in place so that details are recorded whenever files leave the store<br />Filing and recoding system should be maintained rigorously to ensure that files are not mislaid<br />
  18. 18. IT Personnel<br />Security procedures are only as good as the people using and enforcing them.<br />Disgruntled, dishonest and greedy employees can pose a big threat to an organisation as they have easy access to the information system.<br />Employees might:<br />take bribes to provide information to a rival.<br />Alter or erase data to sabotage the efforts of the company<br />Possible Methods of prevention:<br />Affective interview procedures – checking references and previous employees when recruiting staff<br />Audit trails<br />
  19. 19. Hacking<br />Hacking is defined as:<br />Unauthorised access to data held on a computer system.<br />It is possible that a hacker will access the system to commit fraud or to steal commercially valuable data.<br />However a large number of hackers appear to break into systems simply to prove that they can do it.<br />Hackers profile:<br />Grudge against company or society in general<br />Techno-terrorists<br />Criminal purpose<br />
  20. 20. Hacking<br />Possible Methods of prevention:<br />Password discipline<br />Terminals logged off<br />Restricted access privileges<br />All access monitored<br />Off line storage of data and software (for restore)<br />
  21. 21. Hacking – is there a law<br />There is NO world wide legislation<br />In the UK there is the Computer Misuse Act 1990 <br />
  22. 22. Networks<br />When data is transferred over a WAN a line can be tapped to allow eavesdropping.<br />This has been recognised as a real problem for internet users (security of using a credit card)<br />Possible Methods of prevention:<br />Firewall (used to prevent unauthorised access to an organisation’s network)<br />Virus protection: prevention, detection and repair<br />Identification of users<br />Levels of permitted access<br />
  23. 23. Viruses<br />A virus is a program that is written with the sole purpose of infecting computer systems<br />Many viruses spend time infecting documents and software before moving in to active state. (letting you know that they are there)<br />This state is often triggered by an action or a date set on the program<br />The fear is that viruses can spread and infect many areas of the hard drive.<br />They can also reproduce and copy themselves to floppy disks, thus infecting the hard drive of the next computer it is used on<br />
  24. 24. Viruses – how they work<br />ORIGINATION<br />TRANSMISSION<br />REPRODUCTION<br />INFECTION<br />A programmer writes a program – the virus – to cause mischief or destruction. The virus is capable of reproducing itself.<br />Often, the virus is attached to a normal program. It then copies itself to other software on the hard disk.<br />When another floppy disk is inserted into the computer’s disk drive, the virus copies itself on to the floppy disk.<br />Depending on what the original programmer wrote in the virus program, a virus may display messages,,use up all the computers memory, destroy data files or cause serious system errors <br />
  25. 25. Virus examples<br />Form – the most common virus in the world.<br />This virus makes the speaker beep when you press a key on the 18th day of each month<br />Jerusalem – serious virus<br />Deletes a program you try to run on Friday 13th<br />Dark Avenger – dangerous virus<br />Corrupts the hard disk and backup copies<br />
  26. 26. Virus Protection<br />Prevention<br />Don’t allow users to bring their home floppy disks to use on the system<br />Systems can be set up to only allow specially formatted disks<br />Floppy disks should be write-protected whenever possible<br />Use PC’s without floppy drives<br />Detection and Repair<br />Detected and repaired using Anti-Virus Toolkit software – this software runs in the background whenever the computer is on.<br />The software is usually able to remove the virus<br />‘Sheep-Dip’ / ‘footbath’ workstations – workstations fitted with the latest virus detectors <br />
  27. 27. Illegal Programs<br />Trojan horses<br />A program that runs as a background task, collecting user log-in codes and passwords e.g. a program that simulates the system log-in screen<br />Logic bombs<br />Programs that cause system damage when triggered.<br />Similar to a virus but does not replicate itself.<br />Often used by employees to destroy firm’s data when they leave<br />
  28. 28. Illegal Programs<br />Macro Virus<br />Modern virus – exploits security loopholes in word processors, spreadsheets etc.<br />Not usually destructive<br />Can slow down the system, take up memory<br />E-mail virus<br />Spreads as an attachment to an e-mail file<br />Runs when the attachment is downloaded or run<br />Some very destructive<br />Spread very quickly by reading address book and re-sending themselves<br />
  29. 29. Illegal Programs<br />Phantom virus<br />Virus does not exist<br />Problems caused by people e-mailing warnings – slows network traffic<br />New variant tells people that a particular system file is a virus and gets them to delete it, causing system failure<br />
  30. 30. Methods of protection<br />Back up all data regularly<br />Do not download software from unknown sources<br />Do not open attachments in e-mails<br />Firewall<br />Used to prevent unauthorised access to an organisation’s network.<br />The firewall software is placed between the network file server and the external network, often the internet.<br />It checks all of the messages sent to the file server and filters the contents<br />
  31. 31. Computer Crime<br />What is it?<br />Involves an illegal activity using a computer<br />It is sometimes thought that computer crime is a new phenomenon but as you will see, it is more the case that computers have provided new ways to commit old crimes.<br />The following slides outline different categories of computer crime:<br />
  32. 32. Categories of computer crime<br />Unauthorised access<br />Hacking<br />Fraud<br />Stealing credit identities, amending details to financial accounts<br />Publication of illicit material<br />Pornography, racial hatred freely available on an international ‘ownerless’ system (the internet)<br />Theft<br />Code behind a piece of software, consumer information – physically or electronically stolen<br />Industrial espionage<br />Gaining access to information about a competitor’s marketing strategy, latest research etc. (electronically)<br />Sabotage<br />Damage effective functioning of an organisation e.g. personal grudge, political attack, economic (damaging their reputation)<br />
  33. 33. Protecting data – what do we need to protect?<br />We need to protect:<br />Program files<br />Data Files<br />Operating system files<br />Why?<br />All of these can be:<br />Corrupted<br />Deleted<br />Altered<br />(Accidentally or maliciously)<br />
  34. 34. Threats to data security<br />Organisations - increasingly dependent on their information systems<br />More important to protect the systems and integrity of the data they contain.<br />Consequences of failing to do the above:<br />Financial loss – replace the system, compensate customers, restore missing or compromised data<br />Loss of reputation – Failure to product client’s details and business information will result in the loss of trust<br />Legal consequences – DPA requires organisations to ensure data stored on individuals is securely held. Failure to do so can result in legal action<br />Threats to data security can come from two sources, Internal sources or external sources (outlined on following slides)<br />
  35. 35. Internal threats<br />Non Deliberate<br />An organisation’s employees may accidentally compromise data security or integrity.<br />Simple clerical errors during input/processing stages may affect accuracy of data<br />Files may be accidentally erased through misuse<br />Internally produced software may be flawed, consequently damaging data<br />E-mail attachments may contain viruses, accidentally opened and thus activated.<br />Deliberate<br /> Those responsible for ICT security need to be aware of the ‘enemy within’. Two main threats:<br />The disgruntled employee – grudge against the company<br />Employee who decides to defraud the organisation for financial gain<br />
  36. 36. External threats<br />Non Deliberate<br />The main threats of this type are ‘disasters’.<br />These may be natural:<br />Floods, Extreme weather conditions, earthquakes, volcanoes etc.<br />Human mechanical<br />Plane crashes, power cuts, fires, building collapse etc.<br />Both have potential to wipe out an organisation’s Information systems.<br />Deliberate<br /> Threats of this type can take many forms, including:<br />Criminals wishing to defraud the organisation by accessing and amending financial data;<br />Viruses with potential to corrupt data<br />Industrial espionage, i.e. rival organisations accessing confidential information in order to gain competitive advantage<br />Actual theft of hardware/software<br />Terrorist attack<br />
  37. 37. Protecting systems<br />The following headings suggest and describe ways of preventing computer crime and malpractice<br />
  38. 38. Software measureLevels of permitted access<br />Access privileges define for each user exactly which computers and what data he or she is allowed to access, and what they are allowed to do with that data.<br />Possible access rights include<br />Full Rights – a user can carry out any action on the file or data<br />Read only – the data can be accessed to be viewed or printed, but not altered in any way<br />Read and write – the user can read or create new data records<br />Amend – the user can change the data held in a record<br />Delete – the user can delete a whole record<br />No Access – the user is barred from any form of access to the data<br />
  39. 39. Hardware and Software measureBiometrics<br />Biometrics is the name given to techniques that convert a human characteristic such as a fingerprint in to a digital form that can be stored in a computer.<br />These characteristics are unique<br />Currently the face, the shape of the hand, the eye and the voice are actually used for identification as well as a fingerprint.<br />
  40. 40. Physical Security<br />It is necessary to protect the hardware from theft and unauthorised access, how:<br />Security guards – responsible for permitting access to the building, logging visits, challenging intruders<br />Secure areas – some equipment (e.g. main servers) may be held in a secure area with limited access. This area may be locked, alarmed and monitored.<br />Biometric access devices – access to the building using fingerprints, voice, iris etc.<br />
  41. 41. Clerical Procedures<br />Data can be compromised by errors made at the point of data entry. In order to optimise data accuracy, there should be:<br />Set procedures for data entry<br />A means to check the validity<br />This might involve:<br />Batch-processing<br />Validation checks (e.g. range checks, presence checks etc.)<br />Verification procedures (e.g. checking for double entry of data and confirming with the client that their address has been correctly entered)<br />
  42. 42. Password Procedures<br />Employees should be made aware of the need to:<br />Regularly change passwords<br />Avoid obvious passwords such as:<br />Postcode<br />Telephone number <br />Name<br />Pet<br />Avoid other standard passwords like:<br />FRED<br />PASS<br />SECRET etc.<br />Don’t write your password down<br />Your password should incorporate characters other than letters – such as $ or %<br />
  43. 43. Training Procedures<br />Most effective way to prevent employees unintentionally compromising the security of systems and data is to ensure that they are well trained.<br />Security awareness can be reinforced through the use of posters, screen messages etc.<br />
  44. 44. Software measureData encryption<br />Data on a network is vulnerable to wire-tapping when it is being transmitted over a network. <br />One method of preventing this is to encrypt the data, making it incomprehensible to anyone who does not hold the ‘key’ to decode it.<br />(No system is completely foolproof)<br />
  45. 45. Software measureData encryption (continued)<br />There are many ways of encrypting data, often based on either transposition or substitution.<br />Transposition – Where characters are switched around<br />Substitution – Where characters are replaced by other characters<br />
  46. 46. Software measure Data encryption (continued)<br />In a Transposition cipher, the message could be written in a grid row by row and transmitted column by column. <br />
  47. 47. Software measure Data encryption (continued)<br />The sentence ‘Here is the exam paper’ could be written in a 5x5 grid:<br />And transmitted as: HIEMEES**RR*EP*ETHXA**HAP*<br />H <br />E <br />R <br />E <br />* <br />I <br />S<br />T <br />H <br />* <br />X<br />A <br />* <br />E <br />E <br />P<br />* <br />M<br />P<br />A<br />* <br />* <br />* <br />E<br />R<br />
  48. 48. Software measure Data encryption (continued)<br />HERE*IS*THE*EXAM*PAPER***<br />HERE*IS*THE*EXAM*PAPER***<br />HERE IS THE EXAM PAPER<br />HERE IS THE EXAM PAPER<br />HIEMEES**RR*EP*ETHX A**HAP*<br />Message transmitted<br />Message received (plaintext)<br />Message sent (plaintext)<br />Encryption<br />(ciphertext)<br />Decryption<br />(ciphertext)<br />
  49. 49. Software measure Task – time permitted<br />Using the same grid, decode the message ITT*O*E*HRWDNIYA*OS*NITT*<br />I <br />* <br />W<br />A <br />N<br />T <br />E<br />* <br />I <br />D <br />O<br />T <br />* <br />T <br />N <br />T<br />H <br />*<br />I<br />S<br />* <br />* <br />Y <br />O<br />R<br />
  50. 50. What legislations exist to protect data?<br />To consolidate you should be able to answer these questions…<br />
  51. 51. Exam question 1<br /> Explain using examples, the difference between malpractice and crime as applied to Information Systems.<br />(4)<br />
  52. 52. Past Paper Questions<br />
  53. 53. Past Paper Questions<br />
  54. 54. Past Paper Questions<br />
  55. 55. Past Paper Questions<br />
  56. 56. Past Paper Questions<br />
  57. 57. Past Paper Questions<br />
  58. 58. Past Paper Questions<br />
  59. 59. Past Paper Questions<br />
  60. 60. Past Paper Questions<br />

×