ICT Security1. Introduction 1.1 Definition of ICT 1.2 ICT Security in General Terms2. Risk Assessment 2.1 Steps 2.2 Governance3. Security Concerns 3.1 People 3.2 Physical Security of Assets 3.3 Wireless 3.4 Web Threats4. Risk Assessment of a Private School
1. Introduction The globalization and ever changing technological landscape of society influenced our way of life tochange rapidly. We concerned with technology in every parts of daily life. Global economy at the presenttime depends on new technology, knowledge, and information. Whoever contain effective all of the threefactors is easier to success. So, the old tradition of teaching in school that students learn in the fixedperiod of time and wait for only teachers is not enough for the globalization anymore. All students needto find more information outside the class. Learning by themselves is an important thing that causes astudent to differ from one another. “The illiterate of the 21st century,” according to a noted futurist, “willnot be those who cannot read and write, but those who cannot learn, unlearn and relearn.” (Toffler, 2011)Information and communication technologies (ICTs) can be one of the most useful tools for studentlearning. It supports students to learn what they want to know easier than going to join a tutoring center orasking some advices from a teacher. Some mediums of ICT are every effective. Students can learn step bystep according to well-designed products. Not only the ICT components expand student’s knowledge,they also help teacher to access effective knowledge for their students. Teachers will design what to teacheffectively within the fixed period. Students will get the best information from their teachers. Besides, ifthere are some parts that students feel that they do not have enough information, they can find out moreby the ICT mediums. It seems like using the ICTs is very simple. In fact, setting the ICTs into theeducational system is very complicated. It concerns complex process, technique, and budget. Indeed,getting the technology and physically installing it into an environment is the easiest part provided youhave the capital. Other areas of concern include software, training, governance and security. ICT securityin particular is of great import and concern and should be given due consideration when ICT is present inany capacity. 1.1 Definition of ICTInformation and communication technology or ICT is mostly defined as the internet which is technologyproviding accesses to information through telecommunications. Somebody may confuse about itsmeaning because of it is similar to information technology or IT. Intact, ICT includes all kinds oftelecommunications, covering phone, Internet, wireless network, and other telecommunication mediums.ICT is useful for both private and government sectors. The easy example is using ICT in school. WithICT, learning process in schools at all levels will be more effective due to easy access to information.Students in one school can search the Internet to find information from anywhere in the world. It is alsoconvenient for teachers in many aspects such as designing teaching plan, consulting, meeting, and etc.Therefore, the meaning of ICT is some mediums based on telecommunications. 1.2 ICT Security in General Terms Another apt expression of writing regarding ICT states, “Our technological powers increase, but the sideeffects and potential hazards also escalate” (Toffler, 2011). One of the most important of these “sideeffects” and potential hazards in terms of ICT is security. Presently, the meaning of the word securityimplies reflections and reasoning which are different from just a few years ago. In the past, society andbusiness thought about security in terms of physical theft, fraud, sabotage and perhaps more sinistermethods. However, with sensitive information increasingly being entrusted, stored and transmitted usingICT, security has taken on new meanings and relevance. Businesses must therefore take into account thatdefense and the prevention of adverse events with regard to ICT security has become an importantconsideration when conducting business over the internet and in an effort to protect the ability to beproductive and competitive. Security is something any business with ICT cannot do without. Onetechnology writer surmises, “Security is the protection of information, systems and services againstdisasters, mistakes and manipulation so that the likelihood and impact of security incidents is minimised”(B o r a n S . , 2003).
Due to increasing application of information and communication technologies, ICT systems represent thefoundation and the means of transmission for all pieces of information that are fundamental to businesses.ICT systems are more increasingly more complex and in turn vulnerable with the growing presence ofviruses. In fact, launching or acquiring damaging attacks against ICT systems requires less and less skill.Damage can often occur without the knowledge of the users and transmission of viruses can beaccomplished covertly and unwittingly. ICT systems themselves are also becoming more complex and asa consequence are likely to be exposed to intrusions and technology develops. Further, the spread andincreasing use of wireless technology has created new opportunities for attacks, which are difficult todefend as they are literally and figuratively available to anyone. In spite of all these factors, most attacksto ICT systems still take advantage of weaknesses that have no clear solutions in the never ending warbetween attackers and defenders. The different classifications of attacks to ICT are numerous with themost prevalent being: Theft of information storage hardware (laptops, hard drives, hard disks, tapes, etc.) Denial of service Virus contamination Trojan horses Piracy and fraud Unauthorized access or changes to information or system data/settings Unauthorized use 2. Risk Assessment It is nearly impossible to be completely prescriptive about ICT security and one of the first tasksrequired when dealing with ICT security is to identify and assess overall and specific risks. The process isusually divided into four main phases. 1. Identifying the risk 2. Evaluating the risk 3. Analyzing the risk 4. Managing the riskThere will always be a need to assess ICT security, and doing so is good practice for any business thatwants to carry on its function because without knowing what the risks are it is impossible to managethem. Although risks to ICT systems will change and evolve as technology is adopted to support abusiness’ mission, it is not a subject that should be taken lightly or disregarded in any stretch of theimagination. Since ICT is at the core of how businesses operate and function, particular care to this partof an organization, company or business is paramount. 2.1 Steps First, it is important to identify any possible areas of risk and glean the most understanding possible ofwhat those risks may be. Second, once identified thought must be given to how the risk may cause harmto the business and how likely that risk may occur (e.g. high, medium, low likelihood). Next, an analysisis conducted to determine what possible consequences would result if the risk did occur. Finally, once therisk factors have been established and researched, systems, policies and procedures can be put in place toeliminate or at least minimize the risk. ICT security risk assessment needs to be included in any businessorganization’s overall risk management strategy.
2.2 Governance Merely having policies and procedures in place to combat security risks is in itself not enough. Thesepolicies and procedures will need to be enforced and regularly reviewed for relevance. This means thatone or several members of an organization’s staff, depending on the nature of the organization, is clearlyidentified and given the responsibility of assessing, planning for, carrying out, and documenting ICT riskassessments. These staff members will also be given the task of reviewing those policies and proceduresput in place for effectiveness and compliance. The overall decisions on ICT security policy should bemade at the managerial level. It is important that decisions be made within the framework of theorganization’s function and overall goals and thus decisions and recommendations concerning ICTsecurity should be reviewed by management or someone who is aware of the wider strategic issues,whether or not they are technically competent. 3. Security Concerns 3.1 People People are the biggest threat to the security of ICTs, whether inadvertently or deliberately. The very coreidea of human nature is that we are not infallible and that we make mistakes, again often inadvertently.No matter how technically complex an ICT security policy, people are usually the weak link that createsor exacerbates risk. It is important that an organization’s staff be educated about the potential risks andhow they can avoid them. Proper training should be given to all members of an organization regarding thepolicies and procedures of ICT. “Information security (IS) management polls continue to reveal that insider threat, due to disgruntled employees or dishonest employees, is the number one risk to the security of computing resources. Likewise, the 1996 National Retail Security Survey indicates that 42% of inventory shrinkage is due to employee theft. Further, today’s highly competitive, technologically advanced workplace generates an environment where talented technicians move from one organization to another, and take their knowledge with them” (K r a u s e , M i c k i , & T i p t o n , 1997). 3.2 Physical Security of AssetsICT hardware is generally expensive and therefore should be safeguarded from theft, not only from thepoint of the theft itself, but also because of the valuable information housed within. Taking precautionswill reduce the risks associated with ICT hardware and any possible disastrous results. 3.3 WirelessICT systems sometimes become susceptible to risk because of the wireless standards used by anorganization. All standards of wireless fidelity (WiFi) are accessible by anyone with the right equipmentand skills. Therefore any system using wireless could be tapped into and information compromised,altered, or stolen. With the sensitive nature of the information stored on ICT these days, particular careshould be exercised when using wireless as a means of information transmission. Since all datatransmissions using wireless travel through the frequency waves, it becomes possible to intercept or copythe information transferred.
Figure1. Illustration of wireless transmission risk mobile device eavesdropping server interference active attack (I m a i , 2006) 3.4 Web ThreatsThe Internet has also played a role in the presence and spread of ICT risk. Just about every aspect of webbased information and communication necessitates the transfer (e.g. downloading, uploading, duplicating)of information and often risks are present at this stage. Just as the common cold is easily transferredbetween people, so also can ICT risk be transferred from device to device, computer to computer, systemto system and network to network. It can then become an amorphous risk to all until it is identified andmanaged. 4. Risk Assessment of a Private School The specific aspects of security mentioned previously were done so because these are also the mostoverlooked areas of ICT security at the scrutinized location of this document, a private educationalfacility in Southeast Asia. The school in question has ICT infrastructure in place throughout the facilityfor use by both staff and students. There is ICT present in most classrooms, two libraries, in the staffoffices, and in various other areas of the school. All of the ICT components operate on a commonnetwork and, with the exception of staff and administration computers, are accessible to the studentpopulation. It is possible to close accessible points to a network. However, the school can provide somebudget and time for the controllers to monitor. If the school does not have enough budgets, frequentchecking is also a powerful method to investigate the happening problem and solve it. Mostly, the risks insecurity concern misconfiguration and poor programming of the staff. The school should search for aneffective specialist to be an administrator. If the network is controlled by proper staff, the risks willreduce. The risks identified at the private educational facility mentioned herein will also be accompaniedby possible and available remedies.4.1 Configuration Errors- These errors create risks that enable attackers to destroy systems. Configuration is the most important part to protect the system; however, there maybe some errors such as incorrect setting file permission, setting poor password, and leaving some services open. The solution to reduce these configuration errors is setting standard procedures for a system administrator to follow. Moreover, there should be a follow-up team to monitor some errors that may happen from configuration. This risk is present at the facility. The administration does not have a schedule for setting or changing default network passwords and any passwords currently in place are not safeguarded. As a possible remedy, a member of the ICT department should be tasked with creating a schedule to change or reset passwords on all facility networks and servers which only the management echelon will be advised of.4.2 Default Accounts- Some applications install with default accounts and passwords. In some instances, the installation programming uses a default user ID and password that the installer uses with the intention of changing at a later time. Most of these default accounts have default passwords
associated with them, and even if administrators have changed the default passwords on these accounts, the accounts themselves are common targets for attack. Once the account is breached, the attacker has administrator rights over the system. System administrators should rename or delete these default accounts so that they are less likely to become targets of attack.4.3 File Permissions- Improper file permissions can also be a source of vulnerability. File permissions determine what the user has access to and what programs that user can run. Additionally, since some programs run under the context of a higher-level user, mis-configuration of security settings on these programs could allow a user to elevate their access. Sometimes, settings directories give full programming access to the “everyone” group, giving any user access into the system programming. The facility should regularly review file permissions and set them at the most restrictive level possible while still achieving the desired level of the sharing.4.4 Network Architecture- A secure network should be designed and constructed to separate the internal network from access by external sources using the Internet and all incoming and outgoing traffic should be filtered through a robust and effective firewall. At present, all ICT resources in classrooms at the facility have direct connections through local access networks (LAN) without the benefit of being monitored or filtered by any security methods. Additionally, students with access to the school’s computers are also in possession of portable information storing devices such as external hard drives, CDs and DVDs, and USB drives. In this way viruses and other forms of malicious software are downloaded from various sources and then transmitted or spread throughout the network. As a remedy, classroom computers should have their access to the Internet routed through administrator controlled firewalls that are closely monitored. Additionally, use of external information storage devices should be restricted to only those computers that are free of risks and regulated by competent school staff.4.5 Virus and Anti-Virus- Most businesses think anti-virus software is the cure for attacks of this nature. The threat from viruses varies with the type of malicious activity they attempt to perform. Some viruses offer only annoyances with no permanent damage done, while others enable remote attackers to gain unauthorized access to systems, applications and networks. The widespread problems resulting from these viruses demonstrate a person’s abilities to hide malicious code relatively well. It also shows how easy it is for users to unknowingly execute this code and compromise the security of their system. Recent virus-scanning programs are quite advanced, but the scanners are only as good as the virus definitions. Virus scanners must be constantly updated. Additionally, many new viruses may not appear in the database and may be missed. Virus-scanning tools that employ heuristics and sandboxes should be used in an attempt to catch these undefined viruses. Heuristics involve looking for code or programs that resemble or could potentially be viruses. Sandboxes actually execute the code or application in a quarantined environment and examine what the program does. If the program appears to be a virus, the virus package quarantines the program and performs an alert function. The heuristics and sandboxes hopefully catch any newly developed exploits and viruses that may not have been included in the most recent virus definitions update. Here at this facility, while anti-virus software exists, it is often outdated and the definitions seldom updated, a sort of “install and forget” mentality. The remedy for this problem and area of risk is to regularly update the anti-virus software and to ensure that the virus scanning software is current with the level of programming available..4.6 Wireless Networks- The facility regularly stores sensitive information such as student and staff personal information, grades, exams and, more importantly, exam answers, on network computers with wireless capabilities. The area of risk here is that the wireless network is easily accessible. This network and the information stored within should be structured in an intranet with a centralized access point for data transmission to outside sources. That centralized access point should use LAN as opposed to wireless to maintain a better state of security. Currently. Any student with a proper device such as a laptop can access the wireless network and in turn, with the proper skills and knowledge, access the information contained therein.
5. ConclusionThe educational facility scrutinized in this document is quite obviously lax in their approach to networksecurity. In fact, the issues/risks identified here are not the only problems faced by this facility.Additionally, there is an issue of governance. Perhaps that should be the first step in order to get theschool headed in the right direction with regard to ICT security. Currently there appears to be noidentifiable party tasked with regulating the ICT infrastructure. Until this comes about, the risks faced bythe school will continue to be a source of great concern. As stated by the United Nations Educational ,Scientific and Cultural Organization, “The use of ICT cuts across all aspects of economic and social life.Technological developments in ICT are very rapid. Technology quickly becomes obsolete requiring newskills and knowledge to be mastered frequently. Adaptation is only possible when based on a soundunderstanding of the principles and concepts of ICT.” (Daniel J., 2002)
References1. Toffler, Alvin. BrainyQuote.com. Xplore Inc, 2011. 15 February. 2011. http://www.brainyquote.com/quotes/quotes/a/alvintoffl409080.html2. Toffler, Alvin. BrainyQuote.com. Xplore Inc, 2011. 15 February. 2011. http://www.brainyquote.com/quotes/quotes/a/alvintoffl386113.html3. B o r a n , S e a n . " I T S e c u r i t y C o o k b o o k . " b o r a n . c o m . B o r a n C o n s u l t i n g , 0 2 . J u n e . 2 0 0 3 . W e b . 1 6 F e b 2 0 1 1 . < h t t p : / / w w w . b o r a n . c o m / s e c u r i t y / >.4. K r a u s e , M i c k i , a n d H a l T i p t o n . " H a n d b o o k o f I n f o r m a t i o n S e c u r i t y Management." cccure.com. CRC Press LLC, 1997. Web. 16 Feb 2011. http://www.cccure.org/Documents/HISM/ewtoc.html5. Imai, Hideki. Wireless Communications Security. Norwood, MA, USA: Artech House, Inc., 2006. 44. Print.6. Daniel, John. Information and Computer Technology in Education: A Curriculum for Schools and a Programme of Teacher Development. 15 Feb. 2011. United Nations Educational, Scientific and Cultural Organization. 2002 <http://unesdoc.unesco.org/images/0012/001295/129538e.pdf>.