6.1 Introduction and definition
Computer information systems are becoming more and more important in daily life. Governments, private enterprises and individuals have found the need to protect data and information that is in their custody against unauthorized access, disclosure or damage. This is because of the rise of the information age and society leading to the subsequent view of information as a scarce valuable resource. This has posed threats to data and information both from known and unknown sources.
Data and information security
Data security involves:
- Protection of data and information against unauthorized access or Modification.
- Denial of data and information to unauthorized users.
- Provision of data and information to authorized users.
Data security also includes all the measures that will be taken to detect, document and counter the threats to data and information.
Data and information privacy
Private data or information is that which belongs to an individual and must not be accessed by or disclosed to any other person unless with direct permission from the owner. On the other hand, the data or information held by a government or organization about people is confidential data. This data and information may be seen by many authorized persons without the knowledge of the owner. However, it should not be used for commercial gain or any other unofficial purpose without the owner being informed. This data must also be protected against unauthorized access or disclosure.
6.2 Security threats and control measures
A computer virus is a destructive program that attaches itself to other files and installs itself without permission on the computer when the files are opened for use. The virus may cause havoc on the computer system, for example, it may delete data on storage devices or interfere with the proper functioning of the computer system.
Types of computer viruses include:
- Boot sector viruses – they destroy the booting information on storage devices.
- File viruses – attach themselves to files.
- Hoax viruses – Come as e-mail with an attractive subject and launches itself when e-mail is opened.
- Trojans – they appear to perform necessary functions but perform other undesirable activities in the background without user knowledge.
- Worms – viruses that stick in the computer memory.
- Backdoors – may be a Trojan or a worm that allows hidden access to a computer system.
Control measures against viruses
- Install the latest versions of anti-virus software on the computers.
Make sure that you continuously update the anti-virus software with new virus definitions to counter the new viruses that are being manufactured on a daily basis.
- Avoid foreign diskettes in the computer room. If they have to be used, they must first be scanned for viruses.
- Avoid opening mail attachments before scanning them for viruses.
Data and information is always under constant threat from people who may want to access it without permission. Such persons will usually have a bad intention either to commit fraud, steal the information and destroy or corrupt the data. Unauthorized access may take the following forms:
This is tapping into communication channels to get information. Hackers mainly use eavesdropping e.g. to obtain numbers of credit cards.
This is where a person may keep a profile of all computer activities done
By another person or people. The information gathered may be used for one reason or the other e.g. spreading propaganda or sabotage. Many websites keep track of your activities using special programs called cookies.
Spying on your competitor to get information that you can use to counter or finish the competitor. This is mostly done with an aim to get ideas on how to counter by developing similar approach or sabotage.
Also unauthorized access can be as follows:
- An employee who is not supposed to view or see sensitive data by mistake or design gets it.
- Strangers who may stray into the computer room when nobody is using the computers.
- Forced entry into the computer room through weak access points.
- Network access in case the computers are networked and connected to the external world.
Control measures against unauthorized access
- Enforce data and information access control policies on all employees.
- Encrypt the data and information during transmission (data encryption is discussed in details later in the chapter).
- Keep the computer room closed when nobody is using it.
- Reinforce the weak access points like doors and windows with metallic grills and burglar alarms.
- Enforce network security measures.
- Use files passwords to deter any persons who may get to the electronic files.
Computer errors and accidental access
Sometimes, threats to data and information come from people making mistakes like printing sensitive reports and unsuspectingly giving them to unauthorized person(s). Also, if end users have too much privilege that allows them to change or access sensitive files on the computer then accidental access mistakes may occur.
Errors and accidental access to data and information may be as a result of people experimenting with features they are not familiar with. For example, a person may innocently download a file without knowing that it is self-installing and it is dangerous to the system.
Control measures against computer errors and accidents
- Give various file access privileges and roles to the end users and technical staff in the organization i.e. denies access permissions to certain groups of users for certain files and computers.
- Set up a comprehensive error recovery strategy in the organization.
The threat of theft to data and information is a real one. Some information is so valuable that business competitors or some governments can pay a fortune to somebody who can steal the information for them to use. Therefore the following control measures should be taken to prevent theft of hardware, software and information.
Control against theft
- Employ guards to keep watch over data and information centers and Backups.
- Burglar proofs the computer room.
- Reinforce weak access points like the windows, door and roofing With metallic grills and strong padlocks.
- Create backups in locations away from the main computing centre.
The term trespass here refers to two things. One is the illegal physical entry to restricted places where computer hardware, software and backed up data is kept. The other form would be accessing information illegally
Bon a local or remote computer over a network. Trespass is not allowed at all and should be discouraged.
A hacker is a person who intentionally breaks codes and passwords to gain unauthorized entry to computer system data and information files. The hacker therefore violates the security measures put in place such as breaking through passwords or finding weak access points in software.
There are various motivations for hacking. One is that some people like the challenge and they feel great after successful hacking, while some do it for computer and software producer companies that want to secure their systems by reducing weaknesses discovered after professional hacking. The most vulnerable computers to this crime are the networked computers faced with hackers working remotely.
In this case, a person sends an intelligent program on a host computer that sends him information from the computer. Another way is to “spy” on a networked computer using special programs that are able to intercept messages being sent and received by the unsuspecting computer.
Cracking usually refers to the use of guesswork over and over again by a person until he/she finally discovers a weakness in the security policies or codes of software. Cracking is usually done by people who have some idea of passwords or user names of authorized staff.
Another form of cracking is trying to look for weak access points in software. For example, Microsoft announced a big weakness in some versions of Windows software that could only be sealed using a special corrective program prepared by them. Such corrective programs are called patches. It is advisable therefore to install the latest patches in software.
Piracy means making illegal copies of copyrighted software, information or data. Software, information and data are protected by the copyright law. There are several ways of reducing piracy:
- Enact laws that protect the owners of data and information against. Piracy.
- Make software cheap enough to increase affordability.
- Use licenses and certificates to identify originals.
- Set installation passwords that deter illegal installation of software.
Computer fraud is the use of computers to conceal information or cheat other people with the intention of gaining money or information. Fraudsters can be either employees in the company or outsiders who are smart enough to defraud unsuspecting people. Some fraud may involve production and use of fake documents.
An example of fraud is where one person created an intelligent program in the tax department that could credit his account with cents from all the tax payers. He ended up becoming very rich before he was discovered.
This is the illegal destruction of data and information with the aim of crippling service delivery or causing great loss to an organization. Sabotage is usually carried out by disgruntled employees or those sent by competitors to cause harm to the organization.
This is the illegal changing of data and information without permission with the aim of gaining or misinforming the authorized users. Alteration is usually done by those people who wish to hide the truth. To avoid this, do not give data editing capabilities to just anybody without vetting. Secondly, the person altering data may be forced to sign in order for the system to accept altering the information.
Alteration of data compromises the qualities of good data like reliability, relevance and integrity.
6.4 Detector and protection against computer crimes
After seeing the dangers that information systems are faced with due to threats to data and information and perpetration of computer crimes, it is important to look at some measures that can be taken to detect, prevent computer crimes and seal security loopholes.
This is a careful study of an information system by experts in order to establish or find out all the weaknesses in the system that could lead to security threats and weak access points for crimesters. An audit of the information system may seek to answer the following questions:
- Is. the information system meeting all its originally intended design objectives?
- Have all the security measures been put in place to reduce the risk of computer crimes?
- Are the computers secured in physically restricted areas?
- Is there backup for data and information of the system that can ensure continuity of services even when something serious happens to the current system?
- What real risks face the system at present or in future?
Data on transit over a network faces many dangers of being tapped, listened to or copied to unauthorized destinations. Such data can be protected by mixing it up into a form that only the sender and receiver can be able to understand by reconstructing the original message from the mix. This is called data encryption. The message to be encrypted is called the plain text document. After encryption using a particular order called algorithm or key, it is sent as cyphertext on the network. The recipient receives it and decrypts it using a reverse algorithm to the one used during encryption called a decryption key to get the original plain text document. Hence without the decryption key nobody can be able to reconstruct the initial message. Figure 6.1 is a flow diagram showing how a message can be encrypted and decrypted to enhance message security.
6.5 Log files
This is special system files that keep a record (1og) of events on the use of the computers and resources of the information system. This is because each user is assigned a user name and password or account. The information system administrator can therefore easily track who accessed the system, ‘when and what they did on the system. This unto second information can help monitor and track people who are likely to violate system security policies.
The most dangerous aspect in this case is when genuine users lose or give their passwords to unauthorized users.
A firewall is a device or software system t at filters the data and information exchanged between different networks by enforcing t e host networks access control policy. The main aim of a firewall is to monitor and control access to or from protected networks. People who do not have permission (remote requests) cannot access the network and those within cannot access firewall restricted sites outside the network.
Laws governing protection of information
Although most countries do not have laws that govern data and information handling, the awakening has started and the laws are being developed. The “right to privacy” is expected by all people. For example, the data protection law may have the following provisions:
- Data is not transferred to other countries without the owner’s permission.
- Data and information should be kept secure against loss or exposure.
- Data and information should not be kept longer than necessary.
- Data and information should be accurate and up to date.
- Data and information be collected, used and kept for specified lawful purposes.
Therefore, countries are encouraged to develop a data and information handling legal framework that will protect people’s data and information.