3. 1. What is personal data?
2. What's the difference between privacy and
security?
3. Why should we be concerned about privacy
of data?
4. What do we mean by intrinsic value of data?
5. What do we mean by commercial value of
data?
4. Make a list of organisations that you think
store information about you
What is personal data
◦ Facts and opinions about a living person
Should we be worried about organisations
storing personal data?
5. Privacy
◦ The right of an individual to keep certain aspects of
their life private
Security
◦ The mechanism in place to protect the privacy of
information
6. To answer this question, we should consider the
following questions:
◦ Who will be able to access the data?
Identity theft
◦ Is the data accurate?
If not, it can have an adverse effect on the individual e.g. bills aren't
paid, refused a credit card
◦ Will the data be sold on?
Health details sold on to insurance company
◦ How long will the data be kept?
Failed job applications, is personal data kept?
7. How valuable is this?
Value is often determined by demand and
supply
8. How valuable is this to American
Airlines?
It is unlikely that anyone would
want to buy this information BUT
The information in its own right
is valuable
If the data in a flight booking
system was lost or stolen it
could cause customer
dissatisfaction; the airline's
reputation would then be
damaged
9. “Data has an intrinsic value”
MEANS
Data has a value in its own
right
Another example:
A record can have intrinsic
value because of its
association with famous
people
10. Data is now a commodity i.e.
it has financial value
Its value might be
determined by how much
time and effort it takes to
collate the data
Its value might also be
determined by its potential
use
Who might sell data?
Who might buy data? Why?
http://www.myhouseprice.com/Default.cfm
11. 1. What is computer crime?
2. What is malpractice?
3. What are the weak points in an ICT System?
4. What methods could be used to protect
parts of a system?
5. State 3 internal threats to an ICT system
6. State 3 external threats to an ICT system
12. Involves an illegal activity using a computer
e.g.
◦ Theft of money
◦ Theft of information
◦ Theft of goods
◦ Malicious vandalism
13. Negligence or improper professional
behaviour when providing computer related
services e.g.
◦ Software developers who do not properly test
their software and distribute it full of bugs may
be guilty of malpractice
◦ Failing to keep a password secure could be
enabling unauthorised access to data.
◦ Failing to adhere to company procedures (code of
conduct)
◦ Sending offensive material in e-mails
14. Weak Links Within an IT System
◦ Viruses / Illegal programs
◦ Networks
◦ Data Entry
◦ Not following procedures
◦ Hacking
◦ Use of portable computers
◦ IT Personnel
◦ Data Stored Off line
15. Data could be entered into the system with
criminal intent e.g.
◦ A corrupt data entry clerk could purposely enter the
wrong account number for a transaction so that an
unsuspecting account holder is debited
Possible Methods of prevention:
◦ Monitoring all access
◦ Automatic logging
◦ Separating the various stages involved in processing
(no single person responsible)
16. Acceptable use and Security policies are usually
shared with employees during induction training; they
can sometimes be included in their contract.
If employees do not follow procedures such as
“Log off from your machine when unattended”
then security is put at risk
Possible Methods of prevention:
◦ Staff training
◦ Staff monitoring
◦ Disciplinary procedures shared with staff
17. The use of laptop and palmtop computers produces risks
whenever sensitive data is being stored.
Such devices are likely to be removed from an
organisation's premises, where security can be controlled.
Possible Methods of prevention:
◦ Keep portable computers within the premises of the
organisation
◦ If removed from the premises of the organisation keep in a
secure place e.g. fire proof safe
18. Data that is stored off-line, on CD-R, memory
stick or other devices is vulnerable to loss or
theft.
Possible Methods of prevention:
◦ Disk stores kept locked when left unattended
◦ Formal clerical systems in place so that details are
recorded whenever files leave the store
◦ Filing and recording system should be maintained
rigorously to ensure that files are not mislaid
19. Security procedures are only as good as the people using and
enforcing them.
Disgruntled, dishonest and greedy employees can pose a big
threat to an organisation as they have easy access to the
information system.
Employees might:
◦ take bribes to provide information to a rival.
◦ Alter or erase data to sabotage the efforts of the company
Possible Methods of prevention:
◦ Effective interview procedures – checking references and previous
employers when recruiting staff
◦ Audit trails
20. Hacking is defined as:
◦ Unauthorised access to data held on a computer system.
It is possible that a hacker will access the system to
commit fraud or to steal commercially valuable data.
However, a large number of hackers appear to break into
systems simply to prove that they can do it.
Hacker's profile:
◦ Grudge against company or society in general
◦ Techno-terrorists
◦ Criminal purpose
21. Possible Methods of prevention:
◦ Password discipline
◦ Terminals logged off
◦ Restricted access privileges
◦ All access monitored
◦ Off line storage of data and software (for restore)
22. There is NO worldwide legislation
In the UK there is the Computer
Misuse Act 1990
23. When data is transferred over a WAN a line can be tapped
to allow eavesdropping.
This has been recognised as a real problem for internet
users (security of using a credit card)
Possible Methods of prevention:
◦ Firewall (used to prevent unauthorised access to an
organisation's network)
◦ Virus protection: prevention, detection and repair
◦ Identification of users
◦ Levels of permitted access
24. A virus is a program that is written with the sole purpose of
infecting computer systems
Many viruses spend time infecting documents and software
before moving into an active state (letting you know that they are
there).
This state is often triggered by an action or a date set on the
program
The fear is that viruses can spread and infect many areas of the
hard drive.
They can also reproduce and copy themselves to floppy disks,
thus infecting the hard drive of the next computer it is used on
25. ORIGINATION
◦ A programmer writes a program – the virus – to cause mischief or
destruction. The virus is capable of reproducing itself.
TRANSMISSION
◦ Often, the virus is attached to a normal program. It then copies
itself to other software on the hard disk.
REPRODUCTION
◦ When another floppy disk is inserted into the computer's disk
drive, the virus copies itself on to the floppy disk.
INFECTION
◦ Depending on what the original programmer wrote in the virus
program, a virus may display messages, use up all the computer's
memory, destroy data files or cause serious system errors
26. Form – the most common virus in the world.
◦ This virus makes the speaker beep when you press a
key on the 18th day of each month
Jerusalem – serious virus
◦ Deletes a program you try to run on Friday 13th
Dark Avenger – dangerous virus
◦ Corrupts the hard disk and backup copies
27. Prevention
◦ Don't allow users to use their external storage devices e.g. USB pens
on the system
◦ Systems can be set up to only allow specially formatted disks
◦ Use PCs without CD Drives and block USB ports
Detection and Repair
◦ Detected and repaired using Anti-Virus Toolkit software – this
software runs in the background whenever the computer is on.
◦ The software is usually able to remove the virus
◦ 'Sheep-Dip' / 'footbath' workstations – workstations fitted with the
latest virus detectors
28. Trojan horses
◦ A program that runs as a background task, collecting
user log-in codes and passwords e.g. a program that
simulates the system log-in screen
Logic bombs
◦ Programs that cause system damage when triggered.
◦ Similar to a virus but does not replicate itself.
◦ Often used by employees to destroy a firm's data when
they leave
29. Macro Virus
◦ Modern virus – exploits security loopholes in word
processors, spreadsheets etc.
◦ Not usually destructive
◦ Can slow down the system, take up memory
E-mail virus
◦ Spreads as an attachment to an e-mail file
◦ Runs when the attachment is downloaded or run
◦ Some very destructive
◦ Spread very quickly by reading address book and re-
sending themselves
30. Phantom virus
◦ Virus does not exist
◦ Problems caused by people e-mailing warnings –
slows network traffic
◦ New variant tells people that a particular system file
is a virus and gets them to delete it, causing system
failure
31. Back up all data regularly
Do not download software from unknown sources
Do not open attachments in e-mails
Firewall
◦ Used to prevent unauthorised access to an organisation's network.
◦ The firewall software is placed between the network file server and the
external network, often the internet.
◦ It checks all of the messages sent to the file server and filters the
contents
32. What is it?
◦ Involves an illegal activity using a computer
◦ It is sometimes thought that computer crime is a new
phenomenon but as you will see, it is more the case that
computers have provided new ways to commit old
crimes.
The following slides outline different categories
of computer crime:
33. Unauthorised access
◦ Hacking
Fraud
◦ Stealing credit identities, amending details to financial accounts
Publication of illicit material
◦ Pornography, racial hatred freely available on an international
'ownerless' system (the internet)
Theft
◦ Code behind a piece of software, consumer information – physically
or electronically stolen
Industrial espionage
◦ Gaining access to information about a competitor's marketing
strategy, latest research etc. (electronically)
Sabotage
◦ Damage effective functioning of an organisation e.g. personal
grudge, political attack, economic (damaging their reputation)
34. We need to protect:
◦ Program files
◦ Data Files
◦ Operating system files
Why?
◦ All of these can be:
Corrupted
Deleted
Altered
(Accidentally or maliciously)
35. Organisations - increasingly dependent on their information systems
More important to protect the systems and integrity of the data they
contain.
Consequences of failing to do the above:
◦ Financial loss – replace the system, compensate customers, restore missing or
compromised data
◦ Loss of reputation – Failure to protect client's details and business information
will result in the loss of trust
◦ Legal consequences – DPA requires organisations to ensure data stored on
individuals is securely held. Failure to do so can result in legal action
Threats to data security can come from two sources: internal sources or
external sources (outlined on following slides)
36. Non Deliberate
◦ An organisation's employees may accidentally compromise data
security or integrity.
Simple clerical errors during input/processing stages may affect
accuracy of data
Files may be accidentally erased through misuse
Internally produced software may be flawed, consequently damaging
data
E-mail attachments may contain viruses, accidentally opened and thus
activated.
Deliberate
◦ Those responsible for ICT security need to be aware of the 'enemy
within'. Two main threats:
The disgruntled employee – grudge against the company
Employee who decides to defraud the organisation for financial gain
37. Non Deliberate
◦ The main threats of this type are 'disasters'.
◦ These may be natural:
Floods, Extreme weather conditions, earthquakes, volcanoes etc.
◦ Human mechanical
Plane crashes, power cuts, fires, building collapse etc.
◦ Both have potential to wipe out an organisation's Information systems.
Deliberate
◦ Threats of this type can take many forms, including:
Criminals wishing to defraud the organisation by accessing and amending
financial data;
Viruses with potential to corrupt data
Industrial espionage, i.e. rival organisations accessing confidential information
in order to gain competitive advantage
Actual theft of hardware/software
Terrorist attack
38. The following headings suggest and describe
ways of preventing computer crime and
malpractice
39. Access privileges define for each user exactly which computers
and what data he or she is allowed to access, and what they are
allowed to do with that data.
Possible access rights include
◦ Full Rights – a user can carry out any action on the file or data
◦ Read only – the data can be accessed to be viewed or printed, but not
altered in any way
◦ Read and write – the user can read or create new data records
◦ Amend – the user can change the data held in a record
◦ Delete – the user can delete a whole record
◦ No Access – the user is barred from any form of access to the data
40. Biometrics is the name given to techniques that
convert a human characteristic such as a
fingerprint into a digital form that can be
stored in a computer.
These characteristics are unique
Currently the face, the shape of the hand, the
eye and the voice are actually used for
identification as well as a fingerprint.
http://www.sciencedaily.com/news/matter_energy/biometric/
41. It is necessary to protect the hardware from theft and
unauthorised access. How:
◦ Security guards – responsible for permitting access to the
building, logging visits, challenging intruders
◦ Secure areas – some equipment (e.g. main servers) may be
held in a secure area with limited access. This area may be
locked, alarmed and monitored.
◦ Biometric access devices – access to the building using
fingerprints, voice, iris etc.
42. Data can be compromised by errors made at the point of
data entry. In order to optimise data accuracy, there
should be:
◦ Set procedures for data entry
◦ A means to check the validity
This might involve:
◦ Batch-processing
◦ Validation checks (e.g. range checks, presence checks
etc.)
◦ Verification procedures (e.g. checking for double entry of
data and confirming with the client that their address has
been correctly entered)
43. Employees should be made aware of the need to:
◦ Regularly change passwords
◦ Avoid obvious passwords such as:
Postcode
Telephone number
Name
Pet
◦ Avoid other standard passwords like:
FRED
PASS
SECRET etc.
◦ Don't write your password down
◦ Your password should incorporate characters other than
letters – such as $ or %
44. Most effective way to prevent employees
unintentionally compromising the security of
systems and data is to ensure that they are well
trained.
Security awareness can be reinforced through
the use of posters, screen messages etc.
45. Data on a network is vulnerable to wire-
tapping when it is being transmitted over a
network.
One method of preventing this is to encrypt the
data, making it incomprehensible to anyone
who does not hold the 'key' to decode it.
(No system is completely foolproof)
http://www.infosecurity-magazine.com/news/80/encryption/ Encryption news
46. Encryption Explained using the SSL protocol
http://www.youtube.com/watch?v=a72fHRr6MRU
http://www.youtube.com/watch?v=SJJmoDZ3il8&feature=related
47. There are many ways of encrypting data, often
based on either transposition or substitution.
Transposition – Where characters are switched
around
Substitution – Where characters are replaced by
other characters
48. In a Transposition cipher, the message could
be written in a grid row by row and
transmitted column by column.
49. The sentence 'Here is the exam paper' could be written in
a 5x5 grid:
H E R E *
I S * T H
E * E X A
M * P A P
E R * * *
And transmitted as: HIEMEES**RR*EP*ETXA**HAP*
50. Message sent (plaintext): HERE IS THE EXAM PAPER
Encryption (written into the grid row by row):
HERE*
IS*TH
E*EXA
M*PAP
ER***
Message transmitted (ciphertext): HIEMEES**RR*EP*ETXA**HAP*
Decryption (written into the grid column by column):
HERE*
IS*TH
E*EXA
M*PAP
ER***
Message received (plaintext): HERE IS THE EXAM PAPER
51. Using the same grid, decode the message
ITT*O*E*HRWDNIYA*OS*NITT*
I * W A N
T E D * I
T * N O T
* H I S T
O R Y * *
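The grid transposition from slides 48 to 51, written out as a short Python program. This is an added example, not part of the original slides; it assumes that '*' stands for a space or an unused cell and that the grid is 5x5 unless other dimensions are passed in (the function names are illustrative).

```python
# Added illustration of the slides' grid transposition cipher (not from the deck).
# Assumption: '*' marks a space or an unused grid cell, as on the slides.

PAD = "*"


def to_grid_text(message, rows=5, cols=5):
    """Upper-case the message, turn spaces into '*' and pad to rows*cols cells."""
    text = message.upper().replace(" ", PAD)
    if len(text) > rows * cols:
        raise ValueError("message does not fit in a %dx%d grid" % (rows, cols))
    return text.ljust(rows * cols, PAD)


def encrypt(message, rows=5, cols=5):
    """Write the message into the grid row by row, read it out column by column."""
    text = to_grid_text(message, rows, cols)
    grid = [text[r * cols:(r + 1) * cols] for r in range(rows)]
    return "".join(grid[r][c] for c in range(cols) for r in range(rows))


def decrypt(ciphertext, rows=5, cols=5):
    """Write the ciphertext into the grid column by column, read it row by row."""
    if len(ciphertext) != rows * cols:
        raise ValueError("ciphertext must fill the grid exactly")
    columns = [ciphertext[c * rows:(c + 1) * rows] for c in range(cols)]
    filled = "".join(columns[c][r] for r in range(rows) for c in range(cols))
    # Trailing '*' is padding; the remaining '*' characters were spaces.
    return filled.rstrip(PAD).replace(PAD, " ")


def same_letters(plaintext, ciphertext, rows=5, cols=5):
    """Transposition only reorders characters, so both sides hold the same ones."""
    return sorted(to_grid_text(plaintext, rows, cols)) == sorted(ciphertext)


if __name__ == "__main__":
    sent = encrypt("Here is the exam paper")
    print(sent)                                   # ciphertext for slide 49's grid
    print(decrypt(sent))                          # back to the plaintext
    print(decrypt("ITT*O*E*HRWDNIYA*OS*NITT*"))   # the exercise on slide 51
    print(same_letters("Here is the exam paper", sent))
```

Because the cipher only moves characters around, the ciphertext keeps exactly the letters of the plaintext, which is what same_letters checks.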