TYPES OF COMPUTER SECURITY

A security attack is an act or attempt to exploit a vulnerability in a system. Security controls are the mechanisms used to control an attack. Attacks can be passive, where the attacker observes information without interfering with it, its flow or operations. In an active attack there is interference with traffic or message flow, which may involve modification, deletion or destruction. This may be done by the attacker masquerading as (impersonating) another user, or by a user who performs an action and later denies it. This is a threat against authentication and, to some extent, integrity.

Information is a strategic resource, and a significant portion of an organisation's budget is spent on managing it. A security system is a set of mechanisms and techniques that protect a computer system, specifically its assets, against loss or harm, including unauthorised access, unauthorised disclosure and interference with information.

Assets can be categorised into:

  • Resources – all instances of hardware, software, communication channels, operating environment, documentation and people
  • Data – files, databases, messages in transit, etc.

Purposes or Goals of Computer Security

To retain a competitive advantage and to meet basic business requirements, organisations must endeavour to achieve the following security goals:

  • Confidentiality – protect information value and preserve the confidentiality of sensitive data. Information should not be disclosed without authorisation.
  • Integrity – ensure the accuracy and reliability of the information stored on the computer systems. Information has integrity if it reflects, or is consistent with, some real-world situation. Hardware designed to perform some functions has integrity if it performs those functions correctly. Software has integrity if it performs according to its specifications. Communication channels should relay messages in a secure manner to ensure integrity.
  • Availability – ensure the continued availability of the information system and all its assets to legitimate users at an acceptable level of service or quality of service. Any information system should be efficient and functional in offering requested data.
  • User identification – computer security enables the control of access to sensitive hardware and software resources.
  • Asset identification – the monitoring and mapping of network resources, e.g. which server serves which users.
  • Conformity – ensure conformity to laws, regulations and standards.

 

1.2 Hazards (exposures) to information security

An exposure is a form of possible loss or harm. Examples of exposures include:

  • Unauthorised access resulting in a loss of computing time
  • Unauthorised disclosure – information revealed without authorisation
  • Destruction, especially with respect to hardware and software
  • Theft
  • Interference with system operation.

1.3 Threats to information security

These are circumstances that have potential to cause loss or harm i.e. circumstances that have a potential to bring about exposures.

  • Human error
  • Disgruntled employees
  • Dishonest employees
  • Greedy employees who sell information for financial gain
  • Outsider access – hackers, crackers, criminals, terrorists, consultants, ex-consultants, ex-employees, competitors, government agencies, spies (industrial, military etc), disgruntled customers
  • Acts of God/natural disasters – earthquakes, floods, hurricanes
  • Foreign intelligence
  • Accidents, fires, explosion
  • Equipment failure
  • Utility outage
  • Water leaks, toxic spills
  • Viruses – these are programmed threats

1.4 Vulnerability

A vulnerability is a weakness within the system that can potentially lead to loss or harm. Natural disasters are a threat whose occurrence can expose such a weakness. If a system contains programmes that themselves constitute threats (erroneous programmes), then the system is vulnerable.

1.5 Security controls

These include:

  1. Administrative controls – they include:
     • Policies – a policy can be seen as a mechanism for controlling security
     • Administrative procedures – may be put in place by an organization to ensure that users only do that which they have been authorised to do
     • Legal provisions – serve as security controls and discourage some forms of physical threats
     • Ethics
  2. Logical security controls – measures incorporated within the system to provide protection from adversaries who have already gained physical access
  3. Physical controls – any mechanism that has a physical form, e.g. lockups
  4. Environmental controls

1.6 Administering security

  • Risk analysis
  • Security policy

Risk analysis

The process involves:

  • Identification of the assets
  • Determination of the vulnerabilities
  • Estimate the likelihood of exploitation
  • Computation of expected annual loss
  • Survey of applicable controls and their costs
  • Projection of annual savings
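The six steps above carried through on a constructed inventory. This is an added illustration, not from the notes; it assumes the usual annualised model in which expected annual loss for an asset/vulnerability pair is asset value × exposure fraction × yearly likelihood, and all figures, asset names and controls are made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/vulnerability pair from steps 1 and 2 (constructed)."""
    asset: str
    asset_value: float       # value of the asset in currency units
    vulnerability: str
    exposure_factor: float   # fraction of the asset value lost per incident, 0..1
    annual_rate: float       # step 3: estimated exploitations per year


@dataclass(frozen=True)
class Control:
    """A candidate control surveyed in step 5 (constructed)."""
    name: str
    annual_cost: float
    vulnerability: str       # the vulnerability it addresses
    rate_reduction: float    # fraction by which it cuts annual_rate, 0..1


def expected_annual_loss(e: Exposure) -> float:
    """Step 4: single loss (value x exposure factor) times yearly likelihood."""
    return e.asset_value * e.exposure_factor * e.annual_rate


def total_expected_annual_loss(exposures, vulnerability=None) -> float:
    """Sum of expected annual loss, optionally restricted to one vulnerability."""
    return sum(expected_annual_loss(e) for e in exposures
               if vulnerability is None or e.vulnerability == vulnerability)


def projected_annual_saving(control: Control, exposures) -> float:
    """Step 6: loss avoided by the control, net of the control's own cost."""
    before = total_expected_annual_loss(exposures, control.vulnerability)
    after = before * (1.0 - control.rate_reduction)
    return before - after - control.annual_cost


def rank_controls(controls, exposures):
    """Controls ordered by net annual saving; only positive savings pay for themselves."""
    scored = [(c.name, projected_annual_saving(c, exposures)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed inventory for a small organisation
EXPOSURES = [
    Exposure("customer database", 200_000, "unpatched server", 0.50, 0.20),
    Exposure("e-mail server", 50_000, "virus infection", 0.30, 2.00),
    Exposure("file server", 80_000, "utility outage", 0.10, 4.00),
]
CONTROLS = [
    Control("patch management", 5_000, "unpatched server", 0.90),
    Control("anti-virus software", 4_000, "virus infection", 0.80),
    Control("standby generator", 30_000, "utility outage", 0.95),
]

if __name__ == "__main__":
    for name, saving in rank_controls(CONTROLS, EXPOSURES):
        verdict = "worthwhile" if saving > 0 else "not justified"
        print(f"{name:22} net annual saving {saving:10.2f}  ({verdict})")
```

The generator barely pays for itself on these figures, which is the point of step 6: a control is justified by the loss it avoids, not by the severity of the threat alone.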

Security policy

The information systems security policy is the responsibility of top management of an organization who delegate its implementation to the appropriate level of management with permanent control.

The policy contributes to the protection of information assets. Its objective is to protect the information capital against all types of risks, accidental or intentional. An existing and enforced security policy should ensure systems conformity with laws and regulations, integrity of data, confidentiality and availability.

Security at the application level

Application controls

Application controls are controls over input, processing and output functions. Application controls include methods for ensuring that:

  • Only complete, accurate and valid data is entered and updated in a computer system.
  • Processing accomplishes the correct task.
  • Processing results meet expectations.
  • Data is maintained.

These controls may consist of edit tests, totals, reconciliations and identification and reporting of incorrect, missing or exception data. Automated controls should be coupled with manual procedures to ensure proper investigation of exceptions.

2.1 Input/origination controls

Input control procedures must ensure that every transaction to be processed is received, processed and recorded accurately and completely. These controls should ensure that only valid and authorised information is input and that these transactions are processed only once.

Input authorisation

Input authorization verifies that all transactions have been authorised and approved by management. Authorisation of input helps ensure that only authorized data is entered into the computer system for processing by applications. Authorisation can be performed online at the time when the data is entered into the system.

Types of authorisation include:

  • Signatures on batch forms provide evidence of proper authorisation.
  • Online access controls ensure that only authorised individuals may access data or perform sensitive functions
  • Unique passwords are necessary to ensure that access authorisation cannot be compromised through use of another individual’s authorised data access. Individual passwords also provide accountability for data changes.
  • Terminal identification can be used to limit input to specific terminals as well as to individuals. Terminals can be equipped with hardware that transmits a unique identification such as a serial number that is authenticated by the system.
  • Source documents are the forms used to record data. A source document may be a piece of paper, a turnaround document or an image displayed for online data input. A well-designed source document achieves several purposes.

Batch controls and balancing

Batch controls group input transactions in order to provide control totals. The batch control can be based on total monetary amount, total items and total documents.

Types of batch controls include:

  • Total monetary amount – verification that the total monetary amount value of items processed equals the total monetary value of the batch documents. For example, the total monetary value of the sales invoices in the batch agrees with the total monetary values of the sales invoices processed.
  • Total items – verification that the total number of items included on each document in the batch agrees to the total number of items processed. For example, the total number of units ordered in the batch of invoices agrees with the total number of units processed.
  • Total documents – verification that the total number of documents in the batch equals the total number of documents processed. For example, the total number of invoices in a batch agrees with the total number of invoices processed.
  • Hash totals – verification that a predetermined numeric field existing for all documents in a batch agrees with the total of documents processed.

Types of batch balancing include:

  • Batch registers – these registers enable manual recording of batch totals
  • Control accounts – control account use is performed through the use of an initial edit file to determine batch totals. The data are then processed to the master file and reconciliation is performed between the totals processed during the initial edit file and the master file.
  • Computer agreement – computer agreement with batch totals is performed through the use of batch header slips that record the batch total.
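The four control totals and computer agreement against the batch header slip, as an added example (not from the notes). The invoices, customer names and keying errors are constructed; the three cases show which discrepancy each total is able to detect.

```python
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    """One source document in the batch (constructed sales invoice)."""
    number: int        # invoice number: the predetermined numeric field used for the hash total
    customer: str
    units: int         # items ordered on the document
    amount: Decimal    # monetary value of the document


def batch_totals(documents):
    """The four control totals written on the batch header slip."""
    return {
        "total_amount": sum((d.amount for d in documents), Decimal("0")),
        "total_items": sum(d.units for d in documents),
        "total_documents": len(documents),
        # A hash total has no business meaning; it exists only to be agreed
        "hash_total": sum(d.number for d in documents),
    }


def balance(header, processed):
    """Computer agreement: recompute the totals over the processed records and
    return the names of the controls that do not agree with the header slip."""
    actual = batch_totals(processed)
    return [name for name, expected in header.items() if actual[name] != expected]


# Constructed batch of three invoices and the header slip prepared from it
SOURCE = [
    Invoice(1001, "Acme Ltd", 12, Decimal("234.39")),
    Invoice(1002, "Beta plc", 5, Decimal("80.00")),
    Invoice(1003, "Gamma Co", 20, Decimal("1250.75")),
]
HEADER = batch_totals(SOURCE)


def lost_document():
    """Second invoice never reached data entry: every total disagrees."""
    return balance(HEADER, [SOURCE[0], SOURCE[2]])


def transposed_amount():
    """234.39 keyed as 243.39: only the monetary total catches it."""
    return balance(HEADER, [replace(SOURCE[0], amount=Decimal("243.39"))] + SOURCE[1:])


def wrong_invoice_number():
    """1002 keyed as 1020: amount, items and count all agree; only the hash total fails."""
    return balance(HEADER, [SOURCE[0], replace(SOURCE[1], number=1020), SOURCE[2]])


if __name__ == "__main__":
    print("clean batch:         ", balance(HEADER, SOURCE))
    print("lost document:       ", lost_document())
    print("transposed amount:   ", transposed_amount())
    print("wrong invoice number:", wrong_invoice_number())
```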

Input error reporting and handling

Input processing requires that controls be identified to verify that data are accepted into the system correctly, and that input errors are recognised and corrected. specific terminal or individual inputting the data. A supervisor should then review the online batch and release it to the system for processing. This method is preferred over review of the output by the same person preparing the input.

Security at the operating system level: the access control security function

This is a function implemented at the operating system level and usually also availed at the application level by the operating system. It controls access to the system and system resources so that only authorised accesses are allowed, e.g.

  • Protect the system from access by intruders
  • Protect system resources from unauthorised access by otherwise legitimate system users
  • Protect each user from inadvertent or malicious interference from another

The components of an access control system can be categorised into identification, authentication and authorisation components. Typical operating system based access control mechanisms are:

  1. User identification and authentication
  2. Access control to the system's general objects, e.g. files and devices
  3. Memory protection – preventing one programme from interfering with another, i.e. any form of unauthorised access to another programme's memory space.

1. Identification

Involves establishing the identity of the subject (who are you?). Identification can use:

  • Identity, full name
  • Workstation ID, IP address
  • Magnetic card (requires a reader)
  • Smart card (inbuilt intelligence and computation capability)

Biometrics is the identification based on unique physical or behavioural patterns of people and may be:

  • Physiological systems – something you are e.g. fingerprints
  • Behavioural systems – how you work

2. Authentication

Involves verification of the identity of the subject (Are you who you say you are? Prove it!). Personal authentication may involve:

  • Something you know: password, PIN, code phrase
  • Something you have: keys, tokens, cards, smart cards
  • Something you are: fingerprints, retina patterns, voice patterns
  • The way you work: handwriting (signature), keystroke patterns
  • Something you know: questions about your background, favourite colour, pet name, etc.

3. Authorisation

Involves determining the access rights to various system objects/resources. The security requirement to be addressed is the protection against unauthorised access to system resources. There is need to define an authorisation policy as well as implementation mechanisms.

4. Logical security

Logical access into the computer can be gained through several avenues. Each avenue is subject to appropriate levels of access security.

5. Telecommunications network – telecommunications networks link a number of computer terminals or PCs to the host computer through a network of telecommunications lines.

TYPES OF COMPUTER SECURITY

HARDWARE SECURITY

This is the protection of computer-based resources that are physical in nature, e.g. computers.

SOFTWARE SECURITY

These are the control measures that provide safety to the information system data and programs.

AMENDMENT SECURITY

This is the protection against illegal and unauthorized alteration to hardware and software resources.

COMPUTER SECURITY POLICY

A computer security policy is a set of policies issued by an organization to ensure that all information technology users within the domain of the organization or its networks comply with rules and guidelines related to the security of the information stored digitally at any point in the network or within the organization’s boundaries of authority.

TYPES OF SECURITY POLICY

1. Data and information security policies

This security policy will view and direct all the information use. It also provides a direction in the development, implementation and management of the information and sets out the requirements that must be met by the information security framework.

2. Program Security Policies

This security policy establishes the organization’s computer security program and its basic structure and sets organizational strategic directions for security and assigns resources for its implementation.

3. User Security Policies

This security policy facilitates authorisation of user access and privacy protection, and addresses fair and responsible use of the technology. Often, the users are prohibited from using the information in a manner that can harm others.

4. System Security Policies

System-specific security policies often include standards and procedures to be implemented while maintaining systems. This security policy is also used to address the implementation and configuration of technology as well as the behaviour of the people.

CHARACTERISTICS OF A SECURITY POLICY

  1. A security policy should be no longer than is absolutely necessary
  2. A security policy should be written in “plain English”
  3. A security policy must be consistent with applicable laws and regulations
  4. A security policy should be reasonable
  5. A security policy must be enforceable

COMPUTER THREATS

A computer threat, in the context of computer security, refers to anything that has the potential to cause serious harm to a computer system. A threat is something that may or may not happen, but has the potential to cause serious damage. Threats can lead to attacks on computer systems and networks. Threats are potentials for vulnerabilities to turn into attacks on computer systems and networks. They can put individuals’ computer systems and business computers at risk, so vulnerabilities have to be fixed so that attackers cannot infiltrate the system and cause damage.

TYPES OF THREATS AND VULNERABILITIES

ERRORS AND OMISSIONS

These errors are caused not only by data entry clerks processing hundreds of transactions per day, but also by all types of users who create and edit data. Many programs, especially those designed by users for personal computers, lack quality control measures. Users, data entry clerks, system operators, and programmers frequently make errors that contribute directly or indirectly to security problems. In some cases, the error is the threat, such as a data entry error or a programming error that crashes a system.

Computer crime exposures

Computer crime encompasses a broad range of potentially illegal activities. Computer systems can be used to steal money, goods, software or corporate information. Crimes also can be committed when the computer application process or data are manipulated to accept false or unauthorised transactions. Stealing computer equipment is a simple, non-technical computer crime. Simply viewing computerised data can provide an offender with enough intelligence to steal ideas or confidential information (intellectual property).

Committing crimes that exploit the computer and the information it contains can result in damage to the reputation, morale and the very existence of an organization, loss of customers, embarrassment to the management and legal actions against the organization.

Physical Theft

This is the stealing of information system resources, such as valuable computer resources, for commercial purposes, for the destruction of sensitive information or for sabotage.

Fraud

This refers to deliberate stealing by false pretences. For example, individuals may use a computer to skim small amounts of money from a large number of financial accounts, assuming that small discrepancies may not be investigated. Computer fraud and theft can be committed by insiders or outsiders.

Employee Sabotage

Sabotage refers to illegal destruction of data and information with the aim of crippling service delivery or causing great loss to an organization. Employees are most familiar with their employer’s computers and applications, including knowing what actions might cause the most damage, mischief, or sabotage.

Hackers And Crackers

A hacker is a person who gains unauthorized access to information just for fun, whereas a cracker gains unauthorized access for malicious gain. They both violate the security measures put in place by bypassing passwords or finding weak access points to the information system.

Industrial Espionage

Industrial espionage is the act of gathering proprietary data from private companies or the government for the purpose of aiding another company or competitor for profit. Industrial espionage can be perpetrated either by companies seeking to improve their competitive advantage or by governments seeking to aid their domestic industries

Surveillance (Monitoring)

Surveillance refers to the monitoring of computer systems using background programs such as spyware and cookies for malicious purposes, e.g. sabotage.

Eavesdropping/ Wire-tapping

Involves eavesdropping on information being transmitted over telecommunications lines. Eavesdropping refers to illegal tapping into communication channels using network monitoring software to capture, and potentially modify, sensitive data and obtain information.

Data Tampering

Data tampering refers to the unauthorized modification of data, often as it is passed over the network.

Accidental Access

This refers to unknowingly giving out information to strangers or unauthorized persons.

Piracy

This is a form of intellectual property theft which means illegal copying of software, information or data that are protected by copyright and patent laws.

Malicious Programs/ Technical exposures

Malicious programs refer to viruses, worms, Trojan horses, logic bombs and other “uninvited” software that affect the smooth running of a system or carry out illegal activities such as secretly collecting information from an unknowing user.

This is the unauthorised (intentional or unintentional) implementation or modification of data and software. They include:

  1. Data diddling involves changing data before or as it is being entered into the computer. This is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect data.
  2. Trojan horses involve hiding malicious, fraudulent code in an authorised computer programme. This hidden code will be executed whenever the authorised programme is executed. A classic example is the Trojan horse in the payroll-calculating programme that shaves a barely noticeable amount off each paycheck and credits it to the perpetrator’s payroll account.
  3. Rounding down involves drawing off small amounts of money from a computerised transaction or account and rerouting this amount to the perpetrator’s account. Since the amounts are so small, they are rarely noticed.
  4. Salami techniques involve the slicing of small amounts of money from a computerised transaction or account and are similar to the rounding down technique. The difference between them is that in rounding down the programme rounds off by the cent. For example, if a transaction amount was 234.39 the rounding down technique may round the transaction to 234.35. The salami technique truncates the last few digits from the transaction amount so 234.39 becomes 234.30 or 234.00 depending on the calculation built into the programme.
  5. Viruses are malicious programme code inserted into other executable code that can self-replicate and spread from computer to computer, via sharing of computer diskettes, transfer of logic over telecommunication lines or direct contact with an infected machine or code. A virus can harmlessly display cute messages on computer terminals, dangerously erase or alter computer files or simply fill computer memory with junk to a point where the computer can no longer function. An added danger is that a virus may lie dormant for some time until triggered by a certain event or occurrence, such as a date (1 January – Happy New Year!) or being copied a pre-specified number of times. During this time the virus has silently been spreading.
  6. Worms are destructive programmes that may destroy data or utilise tremendous computer and communication resources but do not replicate like viruses. Such programmes do not change other programs, but can run independently and travel from machine to machine across network connections. Worms may also have portions of themselves running on many different machines.
  7. Logic bombs are similar to computer viruses, but they do not self-replicate. The creation of logic bombs requires some specialised knowledge, as it involves programming the destruction or modification of data at a specific time in the future. However, unlike viruses or worms, logic bombs are very difficult to detect before they blow up; thus, of all the computer crime schemes, they have the greatest potential for damage. Detonation can be timed to cause maximum damage and to take place long after the departure of the perpetrator. The logic bomb may also be used as a tool of extortion, with a ransom being demanded in exchange for disclosure of the location of the bomb.
  8. Trap doors are exits out of an authorised programme that allow insertion of specific logic, such as programme interrupts, to permit a review of data during processing. These holes also permit insertion of unauthorised logic.
  9. Asynchronous attacks occur in multiprocessing environments where data move asynchronously (one character at a time with a start and stop signal) across telecommunication lines. As a result, numerous data transmissions must wait for the line to be free (and flowing in the proper direction) before being transmitted. Data that is waiting is susceptible to unauthorised accesses called asynchronous attacks. These attacks, which are usually very small pinlike insertions into cable, may be committed via hardware and are extremely hard to detect.
  10. Data leakage involves siphoning or leaking information out of the computer. This can involve dumping files to paper or can be as simple as stealing computer reports and tapes.
  11. Piggybacking is the act of following an authorised person through a secured door or electronically attaching to an authorised telecommunication link to intercept and possibly alter transmissions.
  12. Shut down of the computer can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up lines) to the computer. Only individuals knowing a high-level systems logon-ID can usually initiate the shut down process. This security measure is effective only if proper security access controls are in place for the high-level logon-ID and the telecommunications connections into the computer. Some systems have proven to be vulnerable to shutting themselves down under certain conditions of overload.
  13. Denial of service is an attack that disrupts or completely denies service to legitimate users, networks, systems or other resources. The intent of any such attack is usually malicious in nature and often takes little skill because the requisite tools are readily available.
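An output control that looks for the rounding-down and salami patterns described above, as an added example (not from the notes). The posting log, account numbers and the destination-account heuristic are constructed: the notes' own figures (234.39 posted as 234.35, a truncated 1250.75) appear as rows, and the check flags any account that repeatedly receives sub-unit residues.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN

# Constructed posting log: (transaction id, amount on the source document,
# amount the programme posted, account credited with any difference or None)
POSTINGS = [
    ("T1", "234.39", "234.35", "A-9001"),    # rounded down to the nearest five cents
    ("T2", "80.00", "80.00", None),
    ("T3", "1250.75", "1250.70", "A-9001"),  # last digit truncated
    ("T4", "99.99", "99.00", "A-9001"),      # cents truncated
    ("T5", "500.00", "500.00", None),
    ("T6", "15.20", "15.20", None),
    ("T7", "42.10", "41.10", "A-7777"),      # a whole unit short: a keying error, not a slice
]


def classify(source, posted):
    """Name the manipulation pattern the notes describe, or report an exact or unrelated difference."""
    s, p = Decimal(source), Decimal(posted)
    if s == p:
        return "exact"
    truncated = (s.quantize(Decimal("1"), rounding=ROUND_DOWN),
                 s.quantize(Decimal("0.1"), rounding=ROUND_DOWN))
    if p in truncated:
        return "salami truncation"
    if Decimal("0") < s - p < Decimal("0.05"):
        return "rounding down"
    return "other discrepancy"


def residuals(postings):
    """Per-transaction difference between source and posted amount, with its destination."""
    return [(txn, Decimal(src) - Decimal(posted), acct)
            for txn, src, posted, acct in postings
            if Decimal(src) != Decimal(posted)]


def suspicious_accounts(postings, max_residual=Decimal("1.00"), min_hits=2):
    """Accounts that repeatedly receive sub-unit credits. One small rounding
    difference is routine; many of them landing in the same account is the
    signature of a rounding-down or salami programme. Returns
    {account: (number of residues, total amount)} for accounts over the threshold."""
    hits = defaultdict(list)
    for _txn, diff, acct in residuals(postings):
        if acct is not None and Decimal("0") < diff < max_residual:
            hits[acct].append(diff)
    return {acct: (len(d), sum(d)) for acct, d in hits.items() if len(d) >= min_hits}


if __name__ == "__main__":
    for txn, src, posted, acct in POSTINGS:
        print(txn, src, "->", posted, classify(src, posted), acct or "")
    print("accounts to investigate:", suspicious_accounts(POSTINGS))
```

A single flagged row proves nothing; it is the per-account aggregation that turns individually ignorable differences into evidence, which is why the control runs over the whole posting log rather than per transaction.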

Viruses

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. Viruses are a significant and very real logical access issue. The term virus is a generic term applied to a variety of malicious computer programmes. Traditional viruses attach themselves to other executable code, infect the user’s computer, replicate themselves on the user’s hard disk and then damage data, the hard disk or files. Viruses usually attack four parts of the computer:

  • Executable programme files
  • File-directory system that tracks the location of all the computer’s files
  • Boot and system areas that are needed to start the computer
  • Data files

Control over viruses

Computer viruses are a threat to computers of any type. Their effects can range from the annoying but harmless prank to damaged files and crashed networks. In today’s environment, networks are the ideal way to propagate viruses through a system. The greatest risk is from electronic mail (e-mail) attachments from friends and/or anonymous people through the Internet. There are two major ways to prevent and detect viruses that infect computers and network systems:

  • Having sound policies and procedures in place
  • Technical means, including anti-virus software

MEASURES TO MITIGATE COMPUTER THREATS AND VULNERABILITIES

MEASURES AGAINST PHYSICAL THEFT

  1. Employment of security guards to keep watch over restricted backup sites.
  2. Reinforce weak access points like windows and doors with metallic grills and strong padlocks
  3. Insure the hardware resources with a reputable insurance firm

MEASURES AGAINST MALICIOUS PROGRAMS

  1. Install latest version of anti-virus software on the computers
  2. Scan removable storage media for viruses before using them
  3. Scan all mail attachments for viruses before opening or downloading them
  4. Quarantine infected hardware or software resources.

MEASURES AGAINST PIRACY

  1. Enforce laws that protect owners of data and information against piracy
  2. Make software cheap and affordable
  3. Use licenses and certificates to identify original software
  4. Set installation passwords to deter illegal installation of software

MEASURES AGAINST ENVIRONMENTAL HAZARDS

  1. Install fire extinguishers and fire proof cabinets
  2. Installation of lightning arrestors
  3. Installation of dehumidifiers and air conditioning systems
  4. Adequate drainage and water proof ceilings
  5. Installation of power stabilizers and stand-by generators
  6. Reporting terrorist threats to the relevant authorities
  7. Training of staff on the use of computer resources

MEASURES AGAINST UNAUTHORISED ACCESS

  1. Installation of a firewall – software that filters and monitors traffic to control access to and from the network
  2. Data encryption – transforming a message with an encryption key so that only holders of the key can reconstruct the original, to enhance security
  3. Installation of passwords and entry logs to prevent unauthorized entry
  4. Careful recruitment of staff and employees
  5. Use of virtual private networks to connect to proxy servers
  6. Periodic review of audit trails and immediate investigation of any illegal access

COMPUTER SYSTEM BASED CONTROLS

Computer controls refer to simple precautionary measures that aim to effectively mitigate and control the potential information security risks associated with the information system.

TYPES OF COMPUTER CONTROLS

ADMINISTRATIVE CONTROLS

These are the controls associated with day-to-day running activities and routine functions, which reduce daily human or operational problems to an acceptable and manageable level. These controls include:

  1. Clear policies and procedures regarding the use of the information system
  2. Assigning responsibility on proper administration and operation of activities
  3. Information dissemination mechanism that ensures all personnel are aware of their expectations
  4. Contingency management plan in case of an emergency
  5. Disaster recovery plan and backup procedures
  6. Regular training of the personnel on proper security policies
  7. Personnel security to protect classified information from unauthorized users

PHYSICAL CONTROLS

These are the controls that include the best practices that can be utilized to physically protect classified information and IT resources in order to minimize the business and operational impact of natural disasters and trespassing. These controls include:

  1. Ensuring the environment is well protected with power supply and proper ventilation
  2. Regular cleaning of the external surfaces of the peripherals by operators
  3. Periodic inspection of computer room and data centers
  4. Measures to protect the equipment in operation and at disposal
  5. Measures carried during transportation of backup media to and from the operation site
  6. Ensuring all media with classified information is handled in accordance with security regulations
  7. Ensuring all data is removed or destroyed from office electronic equipment
  8. Ensuring all physical computer equipments have been authorized

ACCESS CONTROLS

These are the controls that ensure that access rights to information are not granted unless authorized by relevant information owners. Access rights shall be granted on a need-to-know basis and are clearly defined, documented and reviewed. Records for access rights approval and review shall be maintained to ensure proper approval processes are followed and the access rights are updated when personnel changes occur. These controls include:

  1. Establish an asset management process for tracking all approved mobile devices
  2. Disable unnecessary network services such as Wi-Fi, infrared (IR) ports and Bluetooth
  3. Prevent users from using passwords shorter than a pre-defined length
  4. Restrict a suspended account to only allow reactivation with manual interventions
  5. Automatically suspend a user account after a pre-defined number of invalid logon attempts
  6. Ensure all users who use the system are properly authenticated on the basis of security mechanisms
  7. Manage and secure access to the information and resources of an organisation
  8. Security measure against unauthorized access to data using well protected passwords
  9. Policy on operational plans and procedures developed and implemented for remote access.
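A small reference monitor tying together the identification, authentication and authorisation components described under the operating system access control function and controls 3, 4 and 5 in the list above (minimum password length, manual-only reactivation, automatic suspension after a fixed number of invalid logons). This is an added example, not from the notes; the limits, user names, object names and the PBKDF2 password storage are assumptions.

```python
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 10     # control 3: pre-defined minimum length (constructed value)
MAX_INVALID_ATTEMPTS = 3     # control 5: suspend after this many invalid logons (constructed value)
PBKDF2_ITERATIONS = 100_000  # assumed work factor for stored password hashes


class AccessControl:
    """Identification (user name), authentication (password) and authorisation
    (per-object access rights) in one small reference monitor."""

    def __init__(self):
        self.users = {}   # user name -> {"salt", "hash", "failures", "suspended"}
        self.acl = {}     # object name -> {user name: set of rights}

    @staticmethod
    def _derive(password, salt):
        # Salted, iterated hash so a stolen user table does not reveal passwords
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def add_user(self, name, password):
        """Register an identity; the length policy is enforced at creation (control 3)."""
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": self._derive(password, salt),
                            "failures": 0, "suspended": False}

    def authenticate(self, name, password):
        """Prove the claimed identity. A suspended account fails even with the right password."""
        rec = self.users.get(name)
        if rec is None or rec["suspended"]:
            return False
        if hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_INVALID_ATTEMPTS:
            rec["suspended"] = True   # automatic suspension (control 5)
        return False

    def is_suspended(self, name):
        return self.users[name]["suspended"]

    def reactivate(self, name):
        """Manual intervention only (control 4): there is no self-service reset path."""
        self.users[name]["suspended"] = False
        self.users[name]["failures"] = 0

    def grant(self, obj, name, right):
        """Record an access right for a user on an object (the authorisation policy)."""
        self.acl.setdefault(obj, {}).setdefault(name, set()).add(right)

    def authorise(self, name, obj, right):
        """Default deny: a right exists only if it was explicitly granted."""
        return right in self.acl.get(obj, {}).get(name, set())

    def access(self, name, password, obj, right):
        """The full check a request goes through: identify, authenticate, then authorise."""
        return self.authenticate(name, password) and self.authorise(name, obj, right)


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery")
    ac.grant("payroll.dat", "alice", "read")
    print("read  :", ac.access("alice", "correct horse battery", "payroll.dat", "read"))
    print("write :", ac.access("alice", "correct horse battery", "payroll.dat", "write"))
    for _ in range(MAX_INVALID_ATTEMPTS):
        ac.authenticate("alice", "guess")
    print("suspended after repeated failures:", ac.is_suspended("alice"))
```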

DATA SECURITY CONTROLS

These are controls that ensure classified data is restricted to those who are authenticated and authorized to access. It also ensures that proper protective measures such as access control and encryption should be adopted to ensure the confidentiality of the data. These controls include:

  1. Applying necessary security mechanisms to avoid data tampering during transmission
  2. Enforce strict access control on the file systems in the storage network
  3. Secure any system connected to the storage network
  4. User profiles should be well protected and not accessed by unauthorized persons
  5. Securing printing device and ensuring hardcopies are properly protected from unauthorized access
  6. Good backup strategy to protect data in case of accidental deletions and hardware failure
  7. Erasing all classified and personal data before the media is re-used, transferred or disposed.
  8. Access to file shares should be properly controlled using password protection

OPERATIONAL CONTROLS

These are controls that ensure segregation of duties, the practice of dividing the steps and functions of a process among different individuals so that no single individual can subvert the process. These controls include:

  1. Ensuring journals are available for users to log every job they run in the system
  2. Ensuring only authorized personnel attend to the required duties
  3. Ensuring there are no abnormal activities such as improper operating procedures
  4. Random inspection of staff working sites
  5. Identification and recording of significant changes

SYSTEM SPECIFICATION AND DESIGN CONTROL

These are controls that ensure that the system designed complies with acceptable accounting policies, accounting and application controls, and with all appropriate legislative measures. These controls include:

  • Document the security architecture.
  • Include a role in the development team for assessing security risks, proposing potential security-related issues, and performing security reviews of the system design and programming code.
  • Document security related programming activities.
  • Conduct code review, if necessary.
  • Ensure that the system designed complies with acceptable accounting policies, accounting and application controls, and with all appropriate legislative measures.
  • Ensure a threat model is built, and threat mitigations are present in all design and functional specifications
  • Review the system design with the user for checking out if there are any loopholes in maintaining the integrity of information
  • Evaluate with the users on how they will be affected if there is a loss to the data processing capability
  • Evaluate with the users the sensitivity of their data

Policies and procedures

Some of the policy and procedure controls that should be in place are:

  • Build any system from original, clean master copies.
  • Allow no disk to be used until it has been scanned on a stand-alone machine that is used for no other purpose and is not connected to the network.
  • Update virus software scanning definitions frequently.
  • Write-protect all diskettes with .EXE or .COM extensions.
  • Have vendors run demonstrations on their machines, not yours.
  • Enforce a rule of not using shareware without first scanning the shareware thoroughly for a virus.
  • Commercial software is occasionally supplied with a Trojan horse (viruses or worms). Scan before any new software is installed.
  • Insist that field technicians scan their disks on a test machine before they use any of their disks on the system.
  • Ensure that the network administrator uses workstation and server anti-virus software.
  • Ensure that all servers are equipped with an activated current release of the virus detection software.
  • Create a special master boot record that makes the hard disk inaccessible when booting from a diskette or CD-ROM.
  • Consider encrypting files and then decrypt them before execution.
  • Ensure that bridge, route and gateway updates are authentic. This is a very easy way to place and hide a Trojan horse.
  • Backups are a vital element of an anti-virus strategy. Have a backup plan in place for scanning selected backup files for virus infection once a virus has been detected.
  • Educate users so they will heed these policies and procedures.
  • Review anti-virus policies and procedures at least once a year.
  • Prepare a virus eradication procedure and identify a contact person.

Technical means

Technical methods of preventing viruses can be implemented through hardware and software means. Thus:

  • Use workstations without floppy disks
  • Use boot virus protection
  • Use remote booting
  • Use a hardware based password
  • Use write protected tabs on floppy disks
  • Use, and periodically update, anti-virus software as a preventive control and an effective tool against viruses.

Two types of scanners are available:

  • One checks to see if your computer has any files that have been infected with known viruses
  • The other checks for atypical instructions (such as instructions to modify operating system files) and prevents completion of the instruction until the user has verified that it is legitimate.

There are three different types of anti-virus software:

1. Scanners look for sequences of bits called signatures that are typical of virus programmes. Scanners examine memory, disk boot sectors, executables and command files for bit patterns that match a known virus.

2. Active monitors interpret DOS and ROM basic input/output system (BIOS) calls, looking for virus-like actions. They cannot distinguish between a user request and a programme or virus request.

3. Integrity checkers compute a binary number on a known virus-free programme that is then stored in a database file. The number is called a cyclic redundancy check (CRC). When that programme is called to execute, the checker computes the CRC on the programme about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the programme has occurred.
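As an added worked example (not part of these notes), the integrity-checker idea in Python: a baseline CRC is recorded for a known clean programme image and recomputed before execution, and a mismatch reports that the programme has changed. Because a CRC only detects accidental change, the example also records a keyed hash (HMAC-SHA256) under a key that the checker alone holds, which a modified image cannot match without that key. The programme images, their names and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import zlib

# Constructed sample "programme" images (byte strings standing in for executables).
CLEAN_PROGRAM = b"MZ\x90\x00 example clean programme image v1"
MODIFIED_PROGRAM = b"MZ\x90\x00 example clean programme image v1 + extra code"

# Hypothetical integrity key; assumption: held by the checker, not stored in the database.
CHECKER_KEY = b"demo-integrity-key"


def crc_of(program: bytes) -> int:
    """Cyclic redundancy check of a programme image, as the notes describe."""
    return zlib.crc32(program) & 0xFFFFFFFF


def hmac_of(program: bytes, key: bytes = CHECKER_KEY) -> str:
    """Keyed hash alternative: a change cannot be masked without the key."""
    return hmac.new(key, program, hashlib.sha256).hexdigest()


def build_database(programs: dict) -> dict:
    """Record baseline values for programmes known to be virus-free."""
    return {name: {"crc": crc_of(img), "hmac": hmac_of(img)}
            for name, img in programs.items()}


def check_before_execute(name: str, image: bytes, database: dict) -> dict:
    """Recompute the values when the programme is called and compare with the baseline.
    A match means no change; a mismatch means the programme has been altered."""
    baseline = database.get(name)
    if baseline is None:
        return {"known": False, "crc_ok": False, "hmac_ok": False}
    return {
        "known": True,
        "crc_ok": crc_of(image) == baseline["crc"],
        "hmac_ok": hmac.compare_digest(hmac_of(image), baseline["hmac"]),
    }


if __name__ == "__main__":
    db = build_database({"payroll.exe": CLEAN_PROGRAM})
    print(check_before_execute("payroll.exe", CLEAN_PROGRAM, db))
    print(check_before_execute("payroll.exe", MODIFIED_PROGRAM, db))
```

A practical deployment keeps the database itself protected (read-only to ordinary users) and the HMAC key outside it; otherwise a baseline can be rewritten along with the programme.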

Access control software

Access control software is designed to prevent unauthorised access to data, use of system functions and programmes, unauthorised updates/changes to data and to detect or prevent an unauthorized attempt to access computer resources. Access control software interfaces with the operating system and acts as a central control for all security decisions.

Access control software generally performs the following tasks:

  • Verification of the user
  • Authorisation of access to defined resources
  • Restriction of users to specific terminals
  • Reports on unauthorised attempts to access computer resources, data or programmes

Access control software generally processes access requests in the following way:

  • Identification of users – such as name and account number
  • Authentication – users must prove that they are who they claim to be, using a name, account number and password; objects such as a badge, plastic card or key; or personal characteristics such as fingerprint, voice or signature
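The processing sequence above, as an added Python example that is not from these notes: identification by name and account number, authentication against a one-way encrypted password, restriction of the session to approved terminals, authorisation of access to defined resources, and a report of unauthorised attempts. The user, terminal and resource names are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    """Store passwords one-way encrypted (PBKDF2-HMAC-SHA256), never in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    account_no: str
    salt: bytes
    pw_hash: bytes
    terminals: set   # terminals the user may log on from
    rights: dict     # resource name -> set of permitted operations


@dataclass
class AccessControlSoftware:
    accounts: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)    # name -> terminal currently logged on
    violations: list = field(default_factory=list)  # unauthorised attempts, for reporting

    def add_user(self, name, account_no, password, terminals, rights):
        salt = os.urandom(16)
        self.accounts[name] = Account(account_no, salt, hash_password(password, salt),
                                      set(terminals), rights)

    def logon(self, name, account_no, password, terminal) -> bool:
        """Identify the user (name + account number), authenticate the password,
        and restrict the session to the user's approved terminals."""
        acct = self.accounts.get(name)
        if acct is None or acct.account_no != account_no:
            self.violations.append(("identification failed", name, terminal))
            return False
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            self.violations.append(("authentication failed", name, terminal))
            return False
        if terminal not in acct.terminals:
            self.violations.append(("terminal not permitted", name, terminal))
            return False
        self.sessions[name] = terminal
        return True

    def access(self, name, resource, operation) -> bool:
        """Authorise access to a defined resource for an authenticated session only."""
        if name not in self.sessions:
            self.violations.append(("no session", name, resource))
            return False
        allowed = self.accounts[name].rights.get(resource, set())
        if operation not in allowed:
            self.violations.append(("unauthorised " + operation, name, resource))
            return False
        return True

    def report(self) -> list:
        """Report of unauthorised attempts to access resources, data or programmes."""
        return list(self.violations)


def demo() -> AccessControlSoftware:
    """Constructed scenario: one clerk, two terminals, one payroll file (read only)."""
    acs = AccessControlSoftware()
    acs.add_user("alice", "A100", "correct horse", terminals={"T01"},
                 rights={"PAYROLL.DAT": {"read"}})
    acs.logon("alice", "A100", "wrong guess", "T01")     # bad password -> reported
    acs.logon("alice", "A100", "correct horse", "T02")   # wrong terminal -> reported
    acs.logon("alice", "A100", "correct horse", "T01")   # succeeds
    acs.access("alice", "PAYROLL.DAT", "read")           # authorised
    acs.access("alice", "PAYROLL.DAT", "update")         # not authorised -> reported
    return acs


if __name__ == "__main__":
    for entry in demo().report():
        print(entry)
```

The report list is what a reviewer reads: it records who was refused, from which terminal, and for which resource, which is the evidence a later investigation needs.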

Logical security features, tools and procedures

Logon-IDs and passwords

The logon-ID provides the individual’s identification: each user gets a unique logon-ID that can be recognised by the system. The password provides the individual’s authentication.

Features of passwords

A password should be easy to remember but difficult for a perpetrator to guess.

Initial password assignment should be done discreetly by the security administrator.

If the wrong password is entered a predefined number of times, typically three, the logon-ID should be automatically and permanently

If a logon-ID has been deactivated because of a forgotten password, the user should notify the security administrator, who reactivates it.

Passwords should be stored internally in one-way encrypted (hashed) form. Encryption is a means of encoding data stored in a computer. This reduces the risk of a perpetrator gaining access to other users’ passwords (if the perpetrator cannot read and understand it, he cannot use it).

Passwords should not be displayed

Passwords should be changed periodically.

Password must be unique to an individual.


Password syntax (format) rules

  • Ideally, passwords should be five to eight characters in length. Anything shorter is too easy to guess, anything longer is too hard to remember.
  • Passwords should allow for a combination of alpha, numeric, upper and lower case and special characters.
  • Passwords should not be particularly identifiable with the user.
  • The system should not permit previous password(s) to be used.
  • Logon-IDs not used after a number of days should be deactivated to prevent possible misuse.
  • The system should automatically disconnect a logon session if no activity has occurred for a period of time or the user has otherwise forgotten to log off. This is often referred to as ‘time out’.
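The password controls listed in this part of the notes (lockout after a predefined number of attempts, reactivation by the security administrator, syntax rules, no reuse of previous passwords, deactivation of unused logon-IDs and session time-out), as one added Python example. This is illustrative code, not from the notes; the policy constants are assumptions, chosen for the example, and an organisation substitutes its own values.

```python
import hashlib
import hmac
import re

# Policy parameters. These values are assumptions for the example; the notes give
# five to eight characters and three attempts as typical figures.
MIN_LENGTH = 8
MAX_ATTEMPTS = 3
IDLE_TIMEOUT_SECONDS = 600
INACTIVE_DAYS = 90
HISTORY_SIZE = 5


def check_syntax(password: str, user_name: str) -> list:
    """Return the list of syntax-rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for pattern in classes if re.search(pattern, password)) < 3:
        problems.append("needs a mix of upper, lower, numeric and special characters")
    if user_name.lower() in password.lower():
        problems.append("identifiable with the user")
    return problems


def _digest(password: str) -> str:
    # Passwords are kept one-way encrypted; only digests are stored or compared.
    return hashlib.sha256(password.encode()).hexdigest()


class LogonId:
    """A logon-ID carrying the password controls the notes describe."""

    def __init__(self, name: str, password: str, now: int):
        self.name = name
        self.history = [_digest(password)]   # current password is the last entry
        self.failed = 0
        self.active = True
        self.last_used = now                 # epoch seconds of the last successful logon
        self.last_activity = None            # set while a session is open

    def change_password(self, new_password: str) -> list:
        """Apply the syntax rules and refuse reuse of recent passwords."""
        problems = check_syntax(new_password, self.name)
        if _digest(new_password) in self.history[-HISTORY_SIZE:]:
            problems.append("previous password reused")
        if not problems:
            self.history.append(_digest(new_password))
        return problems

    def logon(self, password: str, now: int) -> bool:
        # A logon-ID unused for too long is deactivated to prevent possible misuse.
        if now - self.last_used > INACTIVE_DAYS * 86400:
            self.active = False
        if not self.active:
            return False
        if not hmac.compare_digest(_digest(password), self.history[-1]):
            self.failed += 1
            if self.failed >= MAX_ATTEMPTS:
                self.active = False          # stays off until an administrator reactivates it
            return False
        self.failed = 0
        self.last_used = self.last_activity = now
        return True

    def touch(self, now: int) -> bool:
        """Record user activity; returns False and ends the session on time-out."""
        if self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            self.last_activity = None
            return False
        self.last_activity = now
        return True

    def reactivate(self, now: int) -> None:
        """Manual intervention by the security administrator."""
        self.active, self.failed, self.last_used = True, 0, now


def demo() -> dict:
    """Constructed scenario: three bad attempts lock the ID; the administrator reactivates it."""
    t0 = 1_700_000_000
    user = LogonId("bob", "Tr0ub4dor&3", t0)
    out = {"weak": check_syntax("short", "bob"),
           "reuse": user.change_password("Tr0ub4dor&3"),
           "change": user.change_password("N3w-Passw0rd"),
           "attempts": [user.logon("guess", t0 + i) for i in (1, 2, 3)],
           "locked": not user.active,
           "correct_while_locked": user.logon("N3w-Passw0rd", t0 + 4)}
    user.reactivate(t0 + 5)
    out["after_reactivate"] = user.logon("N3w-Passw0rd", t0 + 6)
    out["active_touch"] = user.touch(t0 + 100)
    out["timed_out"] = not user.touch(t0 + 100 + IDLE_TIMEOUT_SECONDS + 1)
    return out
```

Note that the lock is released only through `reactivate`, which models the manual intervention the notes require: a correct password entered while the ID is locked is still refused.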

 Logging computer access

Computer access and attempted access violations can be automatically logged by the computer and reported.

 Token devices, one-time passwords

A two-factor authentication technique, such as a microprocessor-controlled smart card, generates one-time passwords that are good for only one logon session. Users enter this password along with a password they have memorised to gain access to the system.
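As an added example (not part of the notes), the exchange just described in Python: the token computes an event-based one-time password with the HOTP algorithm of RFC 4226, and the server accepts a logon only when the memorised password and the one-time password both check out, consuming the one-time password so it cannot serve a second session. The shared token secret is the RFC 4226 test-vector secret; the memorised password and the look-ahead window are constructed for the example.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"); assumption: shared between
# the token device and the authentication server at enrolment.
TOKEN_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def digest_of(password: str) -> str:
    """Digest under which the memorised password is held on the server."""
    return hashlib.sha256(password.encode()).hexdigest()


class TwoFactorVerifier:
    """Server side: memorised password plus a one-time password from the token."""

    def __init__(self, secret: bytes, memorised_digest: str, look_ahead: int = 3):
        self.secret = secret
        self.memorised_digest = memorised_digest
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate a few token presses that never reached us

    def verify(self, memorised: str, otp: str) -> bool:
        if not hmac.compare_digest(digest_of(memorised), self.memorised_digest):
            return False
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # consumed: the same OTP is not good for another session
                return True
        return False


if __name__ == "__main__":
    server = TwoFactorVerifier(TOKEN_SECRET, digest_of("memorised-pw"))
    token_output = hotp(TOKEN_SECRET, 0)          # what the device would display
    print(server.verify("memorised-pw", token_output))   # True
    print(server.verify("memorised-pw", token_output))   # False: already used
```

The server's counter only ever moves forward, which is what makes each password single-use; if the token and server drift apart by more than the look-ahead window they must be resynchronised by the administrator.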

Biometric security access control

This control restricts computer access based on a physical feature of the user, such as a fingerprint or eye retina pattern. A reader is utilised to interpret the individual’s biometric features before permitting computer access. This is a very effective access control because it is difficult to circumvent, and traditionally has been used very little as an access control technique. However due to advances in hardware efficiencies and storage, this approach is becoming a more viable option as an access control mechanism. Biometric access controls are also the best means of authenticating a user’s identity based on something they are.

Terminal usage restraints through terminal locks and terminal security.

 Dial-back procedures

When a dial-up line is used, access should be restricted by a dial-back mechanism. Dial-back interrupts the telecommunications dial-up connection to the computer by dialing back the caller to validate user authority.

 Restrict and monitor access to computer features that bypass security

Generally, only system software programmers should have access.

Logging of online activity

Many computer systems can automatically log computer activity initiated through a logon-ID or computer terminal. This is known as a transaction log. The information can be used to provide a management/audit trail.

 Data classification

Computer files, like documents have varying degrees of sensitivity. By assigning classes or levels of sensitivity to computer files, management can establish guidelines for the level of access control that should be assigned. Classifications should be simple, such as high, medium and low.

A typical classification described by US National Institute of Standards and Technology has four data classifications:

Sensitive – applies to information that requires special precautions to ensure the integrity of the information, by protecting it from unauthorised modification or deletion. It is information that requires a higher than normal assurance of accuracy and completeness e.g. passwords, encryption parameters.

Confidential – applies to the most sensitive business information that is intended strictly for use within an organisation.

Safeguards for confidential data on a PC

  • Sensitive data should not be stored in a microcomputer. Remove the storage medium (such as the disk or tape) from the machine when it is not in use and lock it in a safe. Vendors offer lockable enclosures, clamping devices and cable fastening devices that help prevent equipment theft.
  • The computer can also be connected to a security system that sounds an alarm if equipment is moved.
  • Passwords can also be allocated to individual files to prevent them being opened without authorisation.
  • All sensitive data should be recorded on removable hard drives, which are more easily secured than fixed or floppy disks. Software can also be used to control access to microcomputer data. The basic software approach restricts access to programme and data files with a password system.

 Physical security

Exposures that exist from accidental or intentional violation of these access paths include:

  • Unauthorised entry
  • Damage, vandalism or theft to equipment or documents
  • Copying or viewing of sensitive or copyrighted information
  • Alteration of sensitive equipment and information
  • Public disclosure of sensitive information
  • Abuse of data processing resources
  • Blackmail
  • Embezzlement

Possible perpetrators

  • Employees with authorised or unauthorised access who are disgruntled, on strike, threatened by disciplinary action or dismissal, addicted to a substance or gambling, experiencing financial or emotional problems, or notified of their termination
  • Former employees
  • Interested or informed outsiders such as competitors, thieves, organised crime and hackers
  • The accidental or ignorant – someone who unknowingly perpetrates a violation (could be an employee or outsider)

Facilities to be protected include the following:

  • Programming area
  • Computer room
  • Operator consoles and terminals
  • Tape library, tapes, disks and all magnetic media
  • Storage room and supplies
  • Offsite backup file storage facility
  • Input/output control room
  • Communication closet
  • Telecommunication equipment (including radios, satellites, wiring, modems and external network connections)
  • Microcomputers and personal computers (PCs)
  • Power sources
  • Disposal sites
  • Minicomputer establishments
  • Dedicated telephones/Telephone lines
  • Control units and front end processors
  • Portable equipment (hand-held scanners and coding devices, bar code readers, laptop computers and notebooks, printers, pocket LAN adapters and others)
  • Onsite and remote printers
  • Local area networks

Threats to business include the following:

  • Financial loss – these losses can be direct, through loss of electronic funds or indirect, through the costs of correcting the exposure.
  • Legal repercussions – there are numerous privacy and human rights laws an organisation should consider when developing security policies and procedures. Most companies also must comply with industry-specific regulatory agencies.
  • Loss of credibility or competitive edge – many organisations, especially service firms such as banks, savings and loans and investment firms, need credibility and public trust to maintain a competitive edge. A security violation can severely damage this credibility, resulting in loss of business and prestige.
  • Blackmail/Industrial espionage –a perpetrator can extort payments or services from an organisation by threatening to exploit the security breach.
  • Disclosure of confidential, sensitive or embarrassing information – such events can damage an organisation’s credibility and its means of conducting business.
  • Sabotage – some perpetrators merely want to cause damage due to dislike of the organisation or for self-gratification. Logical access violators are often the same people who exploit physical exposures

Hackers – hackers typically attempt to test the limits of access restrictions to prove their ability to overcome the obstacles. Their intention is not destruction, but this is quite often the result.

Employees – both authorised and unauthorised employees

Information system personnel – these individuals have the easiest access to computerised information since they are the custodians of this information. In addition to logical access controls, good segregation of duties and supervision help reduce logical access violations by these individuals.

End users

Former employees

Interested or educated outsiders

  • Competitors
  • Foreigners
  • Organised criminals
  • Crackers (hackers paid by a third party)
  • Phreakers (hackers attempting access into the telephone/communication


5.2 Physical access controls

Physical access controls are designed to protect the organisation from unauthorised access. They reduce exposure to theft or destruction of data and hardware. These controls should limit access to only those individuals authorised by management. They include:

  • Bolting door locks – these locks require the traditional metal key to gain entry.
  • Combination door locks (cipher locks) – this system uses a numeric keypad or dial to gain entry. The combination should be changed at regular intervals.
  • Electronic door locks – this system uses a magnetic or embedded chip-based plastic card key or token entered into a sensor reader to gain access.
  • Biometric door locks – an individual’s unique body features, such as voice, retina, fingerprint or signature, activate these locks. This system is used in instances when extremely sensitive facilities must be protected, such as in the military.
  • Manual logging – all visitors should be required to sign a visitor’s log indicating their name,  ID,company represented, reason for visiting and person to see. Logging typically is at the front reception desk and entrance to the computer room.
  • Electronic logging – this is a feature of electronic and biometric security systems. All access can be logged, with unsuccessful attempts being highlighted.
  • Identification badges (photo IDs) – badges should be worn and displayed by all personnel. Visitor badges should be a different colour from employee badges for easy identification.
  • Video cameras – cameras should be located at strategic points and monitored by security guards. Sophisticated video cameras can be activated by motion. The video surveillance recording should be retained for possible future playbacks.
  • Security guards – guards are very useful if supplemented by video cameras and locked doors.
  • Controlled visitor access – all visitors should be escorted by a responsible employee.
  • Bonded personnel – all service contract personnel, such as cleaning people and offsite storage services, should be bonded.
  • Deadman doors – this system uses a pair of (two) doors, typically found in entries to facilities such as computer rooms and document stations. For the second door to operate, the first entry door must close and lock, with only one person permitted in the holding area. This reduces risk of piggybacking, when an unauthorised person follows an authorised person through a secured entry.
  • Not advertising the location of sensitive facilities – facilities such as computer rooms should not be visible or identifiable from the outside, that is, no windows or directional signs.
  • Computer terminal locks – these lock devices to the desk, prevent the computer from being turned on or disengage keyboard recognition, preventing use.
  • Controlled single entry point – a controlled entry point monitored by a receptionist should be used by all incoming personnel.
  • Alarm system – an alarm system should be linked to inactive entry points, motion detectors and the reverse flow of enter or exit only doors. Security personnel should be able to hear the alarm when activated.
  • Secured report/document distribution cart – secured carts, such as mail carts, should be covered and locked and should not be left unattended.

Personnel issues

Employee responsibilities for security policy are:

  • Reading the security policy and adhering to it
  • Keeping logon-IDs and passwords secret
  • Reporting suspected violations of security
  • Maintaining good physical security by keeping doors locked, safeguarding access keys, not disclosing access door lock combinations and questioning unfamiliar people
  • Conforming to local laws and regulations
  • Adhering to privacy regulations with regard to confidential information e.g. health, legal

Non-employees with access to company systems should be held accountable for security policies and responsibilities. This includes contract employees, vendors, programmers, analysts, maintenance personnel and clients.

Network security

Communication networks (Wide Area or Local Area Networks) generally include devices connected to the network, and programmes and files supporting the network operations. Control is accomplished through a network control terminal and specialised communications software.

The following are controls over the communication network:

  • Network control functions should be performed by technically qualified operators.
  • Network control functions should be separated and duties rotated on a regular basis
  • Network control software must restrict operator access from performing certain functions such as ability to amend or delete operator activity logs.
  • Network control software should maintain an audit trail of all operator activities.
  • Audit trails should be reviewed periodically by operations management to detect any unauthorised network operation activities.
  • Network operation standards and protocols should be documented and made available to the operators and should be reviewed periodically to ensure compliance.
  • Network access by system engineers should be closely monitored and reviewed to detect unauthorised access to the network.
  • Analysis should be performed to ensure workload balance, fast response time and system efficiency.
  • A terminal identification file should be maintained by the communication software to check the authentication of a terminal when it tries to send or receive messages.
  • Data encryption should be used where appropriate to protect messages from disclosure during transmission.
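The audit-trail controls above (operators must not be able to amend or delete activity logs, and operations management reviews the trail periodically), as an added Python example that is not from the notes: each record is chained to the hash of the previous one, so an amended or removed entry is detected at review time, and a copy of the latest hash retained by operations management outside the log detects a truncated tail, which the chain alone cannot. The operator events are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64

# Constructed operator activity records (not real logs). In the scenario, the third
# record is a refused attempt by an operator to delete the activity log.
OPERATOR_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "operator": "op1", "action": "logon", "terminal": "NC01"},
    {"ts": "2024-03-01T08:05:12", "operator": "op1", "action": "change_route", "target": "R7"},
    {"ts": "2024-03-01T08:09:40", "operator": "op1", "action": "delete_log", "result": "refused"},
]
PROHIBITED = {"amend_log", "delete_log"}   # functions the control software must refuse


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of a record bound to the hash of the entry before it."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = entry_hash(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def verify(self, expected_last: str = None):
        """(True, None) if the chain is intact, else (False, index of the first broken entry).
        expected_last is the latest hash retained by management outside the log."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        if expected_last is not None and prev != expected_last:
            return False, len(self.entries)
        return True, None


def review(trail: AuditTrail) -> list:
    """Periodic management review: records of actions the software had to refuse."""
    return [e["record"] for e in trail.entries if e["record"]["action"] in PROHIBITED]


def demo():
    """Build the trail, then two damaged copies: one amended, one truncated."""
    trail = AuditTrail()
    for rec in OPERATOR_EVENTS:
        trail.append(rec)
    anchor = trail.entries[-1]["hash"]                 # retained by operations management
    amended = copy.deepcopy(trail)
    amended.entries[1]["record"]["operator"] = "op2"   # attribution changed after the fact
    truncated = copy.deepcopy(trail)
    truncated.entries.pop()                            # last record removed
    return trail, anchor, amended, truncated


if __name__ == "__main__":
    trail, anchor, amended, truncated = demo()
    print(trail.verify(anchor), amended.verify(anchor))
    print(truncated.verify(), truncated.verify(anchor))
    print(review(trail))
```

The anchor is the important operational detail: the chain proves that nothing inside the log was altered, but only a value kept elsewhere proves that the end of the log is really the end.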

Some common network management and control software include Novell NetWare, Windows NT, UNIX, NetView and NetPass.

7.1 Local Area Network (LAN) security

Local area networks (LANs) facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices also need to provide for the security of these programs and data. Risks associated with use of LANs include:

  • Loss of data and programme integrity through unauthorised changes
  • Lack of current data protection through inability to maintain version control
  • Exposure to external activity through limited user verification and potential public network access from dial-up connections
  • Virus infection
  • Improper disclosure of data because of general access rather than need-to-know access provisions
  • Violating software licenses by using unlicensed or excessive number of software copies
  • Illegal access by impersonating or masquerading as a legitimate LAN user
  • Internal user’s sniffing (obtaining seemingly unimportant information from the network that can be used to launch an attack, such as network address information)
  • Internal user’s spoofing (reconfiguring a network address to pretend to be a different address)
  • Destruction of the logging and auditing data

The LAN security provisions available depend on the software product, product version and implementation. Commonly available network security administrative capabilities include:

  • Declaring ownership of programmes, files and storage
  • Limiting access to read only
  • Implementing record and file locking to prevent simultaneous update to the same record
  • Enforcing user ID/password sign-on procedures, including the rules relating to password length, format and change frequency

7.4 Internet threats

The very nature of the Internet makes it vulnerable to attack. Hackers and virus-writers try to attack the Internet and computers connected to it, and those who want to invade others’ privacy attempt to crack into databases of sensitive information or snoop on information as it travels across Internet routes.

There are several areas of control risks that must be evaluated to determine the adequacy of Internet security controls:

  • Corporate Internet policies and procedures
  • Firewall standards
  • Firewall security
  • Data security controls

Internet threats include:

1. Disclosure

Eavesdropping on a ‘conversation’ taking place over the Internet. E-mail, files, passwords and in some cases keystrokes can be seen by other machines as they are being entered in real time.

2. Masquerade

A common attack is a user pretending to be someone else to gain additional privileges or access to otherwise forbidden data or systems. This can involve a machine being reprogrammed to masquerade as another machine (such as changing its Internet Protocol – IP address). This is referred to as spoofing.

3. Unauthorised access

Many Internet software packages contain vulnerabilities that render systems subject to attack. Additionally, many of these systems are large and difficult to configure, resulting in a large percentage of unauthorized access incidents.

4. Loss of integrity

Intercepting conversations and changing some of the contents, or repeating a message. This could have disastrous effects if the message was an instruction to a bank to pay money.

5. Denial of service

Denial of service attacks occur when a computer connected to the Internet is inundated (flooded) with data and/or requests that must be serviced. The machine becomes so tied up with dealing with these messages that it becomes useless for any other purpose.

6. Theft of service and resources

Where the Internet is being used as a channel for delivery of a service, unauthorised access to the service is effectively theft, for example hacking into a subscription-based news service.

It is difficult to assess the impact of the threats described above, but in general terms the following types of impact could occur:

  • Loss of income
  • Increased cost of recovery
  • Increased cost of retrospectively securing systems
  • Loss of information (critical data, proprietary information, contracts)
  • Loss of trade secrets
  • Damage to reputation
  • Legal and regulatory non-compliance
  • Failure to meet contractual commitments

7.5 Encryption

Encryption is the process of converting a plaintext message into a secure coded form of text called cipher text that cannot be understood without converting it back via decryption. This is done via a mathematical function and a special encryption/decryption password called the key.

Encryption is generally used to:

  • Protect data in transit over networks from unauthorised interception and manipulation
  • Protect information stored on computers from unauthorised viewing and manipulation
  • Deter and detect accidental or intentional alterations of data
  • Verify authenticity of a transaction or document

The limitations of encryption are that it cannot prevent loss of data and encryption programs can be compromised.

There are two common encryption or cryptographic systems:

1. Symmetric or private key system

Symmetric cryptosystems use a secret key to encrypt the plaintext to the cipher text. The same key is also used to decrypt the cipher text to the corresponding plaintext. The system is called symmetric because the encryption key is the same as the decryption key. The most common private key cryptography system is the Data Encryption Standard (DES).

2. Asymmetric or public key system

Asymmetric encryption systems use two keys, which work together as a pair. One key is used to encrypt data, the other is used to decrypt data. Either key can be used to encrypt or decrypt, but once one key has been used to encrypt data, only its partner can be used to decrypt the data. Generally, with asymmetric encryption, one key is known only to one person – the secret or private key – and the other key is known by many people – the public key. A common form of asymmetric encryption is RSA (named after its inventors Rivest, Shamir and Adleman).
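To make the difference between the two systems concrete, an added Python example that is not from the notes: a toy symmetric construction (a SHA-256 counter-mode keystream standing in for a standard cipher such as DES), where the same key both encrypts and decrypts, beside textbook RSA with tiny primes, where either key of the pair undoes what the other did. The primes and exponents are the usual small illustrative values (p = 61, q = 53, e = 17), an assumption for readability; real RSA uses large primes and padding, and the toy keystream is for understanding the symmetric property only.

```python
import hashlib


# ---- Symmetric (private key) system --------------------------------------
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 of key || nonce || counter, in counter mode.
    Demonstration construction only; a real system uses a standard cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same call because the key is the same."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


# ---- Asymmetric (public key) system: textbook RSA ------------------------
P, Q, E = 61, 53, 17            # tiny illustrative primes and public exponent
N = P * Q                       # modulus, 3233
PHI = (P - 1) * (Q - 1)         # 3120
D = pow(E, -1, PHI)             # private exponent, 2753 (Python 3.8+)
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def rsa_apply(blocks: list, key: tuple) -> list:
    """Apply one key of the pair to each block: m -> m^k mod n."""
    exponent, modulus = key
    return [pow(b, exponent, modulus) for b in blocks]


def rsa_encrypt(message: bytes, key: tuple) -> list:
    # Each byte is one block (always < n); textbook RSA with no padding.
    return rsa_apply(list(message), key)


def rsa_decrypt(blocks: list, key: tuple) -> bytes:
    return bytes(rsa_apply(blocks, key))


if __name__ == "__main__":
    shared = b"shared secret key"
    ct = symmetric_crypt(shared, b"nonce-1", b"PAY 100 TO ACCT 42")
    print(symmetric_crypt(shared, b"nonce-1", ct))   # the same key decrypts
    sealed = rsa_encrypt(b"Hi", PUBLIC_KEY)          # anyone may encrypt with the public key
    print(rsa_decrypt(sealed, PRIVATE_KEY))          # only the private key decrypts it
    signed = rsa_encrypt(b"Hi", PRIVATE_KEY)         # the private key encrypts
    print(rsa_decrypt(signed, PUBLIC_KEY))           # the public key decrypts (signature idea)
```

With the symmetric system every party that can decrypt can also encrypt, so the key must be distributed secretly to both ends; with the pair, the public key can be handed out freely and the private key never leaves its owner.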

Firewall security

A firewall is a set of hardware and software equipment placed between an organisation’s internal network and an external network to prevent outsiders from invading private networks. They are built using routers, servers and a variety of software. They should sit in the most vulnerable point between a corporate network and the Internet and they can be as simple or complex as system administrators want to build them.

There are many different types of firewalls, but many enable organisations to:

  • Block access to particular sites on the Internet
  • Prevent certain users from accessing certain servers or services
  • Monitor communications between internal and external networks
  • Eavesdrop and record all communications between an internal network and the outside world to investigate network penetrations or detect internal subversions.
  • Encrypt packets that are sent between different physical locations within an organisation by creating a virtual private network over the Internet.
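As an added example (not part of the notes) of the first four capabilities, a packet-filter rule evaluator in Python: rules are matched first to last, a packet no rule matches is denied, and every decision is logged so that penetrations or internal misuse can be investigated afterwards. The addresses, rule set and packets are constructed from documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None for any port
    comment: str = ""

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))


# Constructed policy for a hypothetical site: 192.0.2.0/24 is the internal network,
# 198.51.100.0/24 holds the organisation's servers and 203.0.113.0/24 is a blocked
# external site (all documentation ranges, not real addresses).
RULES = [
    Rule("deny", "0.0.0.0/0", "203.0.113.0/24", "any", None, "block a particular site"),
    Rule("deny", "192.0.2.50/32", "198.51.100.10/32", "tcp", 22, "this user may not reach this server"),
    Rule("allow", "192.0.2.0/24", "0.0.0.0/0", "tcp", 443, "internal users may browse HTTPS"),
    Rule("allow", "0.0.0.0/0", "198.51.100.80/32", "tcp", 443, "public web server"),
]


def evaluate(pkt: dict, rules: list = RULES, log: Optional[list] = None) -> str:
    """First matching rule wins; a packet no rule matches is dropped (default deny).
    Each decision is appended to `log` for later investigation."""
    matched = None
    for rule in rules:
        if rule.matches(pkt):
            matched = rule
            break
    decision = matched.action if matched else "deny"
    if log is not None:
        log.append((decision, pkt, matched.comment if matched else "default deny"))
    return decision


if __name__ == "__main__":
    audit = []
    for pkt in (
        {"src": "192.0.2.7", "dst": "198.51.100.200", "proto": "tcp", "dport": 443},
        {"src": "192.0.2.7", "dst": "203.0.113.5", "proto": "tcp", "dport": 443},
        {"src": "192.0.2.50", "dst": "198.51.100.10", "proto": "tcp", "dport": 22},
        {"src": "192.0.2.7", "dst": "198.51.100.10", "proto": "udp", "dport": 53},
    ):
        print(evaluate(pkt, log=audit))
    for entry in audit:
        print(entry)
```

Rule order matters: the site block is placed first so that the broad HTTPS allow below it can never override it, and the default deny at the end is what turns the list into a whitelist rather than a blacklist.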

Environmental exposures and controls

Environmental exposures are primarily due to naturally occurring events.

Common exposures are:

  • Fire
  • Natural disasters – earthquake, volcano, hurricane, tornado
  • Power failure
  • Power spike
  • Air conditioning failure
  • Electrical shock
  • Equipment failure
  • Water damage/flooding
  • Bomb threat/attack

Controls for environmental exposures

  1. Water detectors – water detectors should be placed under the raised floor and near drain holes, even if the computer room is on a high floor. When activated, the detectors should produce an audible alarm.
  2. Hand-held fire extinguishers – at strategic locations throughout the information system facility.
  3. Manual fire alarms – hand-pull fire alarms should be strategically placed throughout the facility. The resulting audible alarm should be linked to a monitored guard station.
  4. Smoke detectors – they supplement, not replace, fire suppression systems. Smoke detectors should be above and below the ceiling tiles throughout the facility and below the raised computer room floor. They should produce an audible alarm when activated and be linked to a monitored station (preferably by the fire department).
  5. Fire suppression system – these systems are designed to activate immediately after detection of the high heat typically generated by fire. They should produce an audible alarm when activated. Fire suppression varies but is usually one of the following:

     • Water based systems (sprinkler systems) – effective but unpopular because they damage equipment
     • Dry-pipe sprinkling – sprinkler systems that do not have water in the pipes until an electronic fire alarm activates the water pumps to send water to the dry pipe system.
     • Halon systems – release pressurised halon gases that remove oxygen from the air, thus starving the fire. Halon is popular because it is an inert gas and does not damage equipment.
     • Carbon dioxide systems – release pressurised carbon dioxide gas into the protected area to replace the oxygen required for combustion. Unlike halon, however, carbon dioxide is unable to sustain human life and therefore cannot be set to automatic release.

6. Strategically locating the computer room – to reduce the risk of flooding, fire, smoke and water damage.

7. Regular inspection by fire department(annually) – to ensure that all fire detection systems comply with building codes.

8. Fireproof walls, floors and ceilings surrounding the computer room to contain or block fire from spreading.

9. Electrical surge protectors – these electrical devices reduce the risk of damage to equipment due to power spikes.

10. Uninterruptible power supply system (UPS)/generator – a UPS system consists of a battery or petrol powered generator that interfaces between the electrical power entering the facility and the electrical power entering the computer. The system typically cleanses the power to ensure wattage into the computer is consistent.

11. Emergency power-off switch – there may be a need to shut off power to the computer and peripheral devices, such as during a computer room fire or emergency evacuation.

12. Redundant power lines – electrical power lines that feed into the facility are exposed to many environmental hazards (water, fire, lightning, cutting due to careless digging, etc.), so redundant power lines should feed into the facility.

13. Wiring placed in electrical panels and conduit – to reduce the risk of an electrical fire occurring and spreading, wiring should be placed in fire-resistant panels and conduit.

14. Prohibitions against eating, drinking and smoking within the information processing facility

15. Fire resistant office materials – wastebaskets, curtains, desks, cabinets and other general office materials in the information processing facility should be fire resistant.

16. Documented and tested emergency evacuation plans for human safety, information processing facilities physically secured.

Computer ethics

Some of the issues addressed in computer ethics include:

  • Contribute to society and human well-being: minimise negative consequences of computing systems including threats to health and safety
  • Avoid harm to others: this principle prohibits use of computing technology in ways that result in harm to the users, general public, employees and employers. E.g. intentional destruction or modification of files and programmes leading to serious loss of resources or unnecessary expenditure of human resources
  • Be honest and trustworthy: do not make deliberately false or deceptive claims about a system or system design, but provide full disclosure of all pertinent system limitations and problems.
  • Be fair and take action not to discriminate: the values of equality, tolerance and respect for others and the principles of equal justice govern this imperative.
  • Honour property rights including copyrights and patents: violation of copyrights, patents, trade secrets and the terms of license agreement is prohibited by the law  in most circumstances. Copies of software should be made only with proper authorisation.
  • Give proper credit for intellectual property: computing professionals are obligated to protect the integrity of intellectual property.
  • Respect the privacy of others: it is the responsibility of professionals to maintain the privacy and integrity of data describing individuals. This includes taking precautions to ensure the accuracy of data, and protecting it from unauthorised access or accidental disclosure to inappropriate individuals.
  • Honour confidentiality:  honesty extends to issues of confidentiality of private information directly related to the performance of one’s duties