Information Technology and Cyber Security

CHARTERED INSTITUTE OF RISK AND SECURITY MANAGEMENT
INFORMATION TECHNOLOGY AND CYBER SECURITY
MODULE RSM 106
PREPARED BY
LAZARUS MURINDA
LLB(S) HONS (UNIVERSITY OF ZIMBABWE), MBA (UNIVERSITY OF ZIMBABWE), DIPLOMA IN

LAW (CONCILIATION & ARBITRATION) (UNIVERSITY OF ZIMBABWE)
Contents
ITEM PAGE
1. Course Description 3
2. Course Objectives 4
3. Unit 1:Introduction to Information Technology 5
4. Unit 2: Ethics and Legal Issues 30
5. Unit 3: Classes of Attacks and Threats 58
6. Unit 4: Cyber Security 96
7. Unit 5: Data Hiding Techniques 126
8. Unit 6: Computer Insecurity 161
9. Unit 7: Incident of Cyber Crime 179
10. Unit 8: Electronic Transactions 213
11. Unit 9: Cyber Law and Regulatory Compliance 236
12. Bibliography 251
2
Course Description
The purpose of the course is to develop in the student the knowledge

and skills of information technology and cyber security fundamentals
as they relate to today‘s business world. This course examines the
practices for assuring information security. The various roles and
functions within the Cyber security practice will be combined and
leveraged to produce a secure organization. Case studies will be used
to examine theories and practices drawn from real world situations.
The numerous pitfalls of Cyber security will be presented with every
day practices of securing companies resources form attack. This
course will examine the frameworks, roles, and competencies
involved with information security. The fundamentals of Cyber
security will be examined to include: network and security concepts,
attacker techniques, data security, system and applications security
and incident response techniques. Current literature will be
examined.
This course is intended to give students an overview of information

technology and cyber security. It will cover the foundational
technical concepts as well as managerial and policy topics. The
course presents the principles of information technology and cyber
security as they apply to information technology. Both technical and
non technical aspects of information and cyber security will be
examined through the security framework.
Information security involves a wide range of issues such email

security, server security etc. This module only covers a few salient
features of cyber security to equip students with basic knowledge and
understanding. The area of information security is inherently
complex and highly technical. It is not the intention of this module to
delve into the technical aspects of cyber security in greater detail but
merely introduce students and information security professionals to
key concepts and how they relate to this important field.
3
Course objectives
Upon finishing the course the students will obtain an understanding
and will apply the key concepts including:
 Foundational concepts of cyber and information security and
the key practices and processes for managing security
effectively
 Basic network fundamentals – including (but limited to)
topologies, protocols, address conservation and services and
the security issues in networks
 Basic cryptography and why it is fundamental to computer and
information security
 Software program deficiencies and the vulnerabilities
associated with them
 Access controls and authentication as they are used to secure
systems and how they can be mitigated
 The key elements of incident management, detection,
remediation and recovery
 How to translate security into a business driver that is critical
in meeting the organization‘s mission
 Legal, ethical and regulatory issues that shape policy
development and the ways in which organization implement
and administer security issues.
The purpose of the Information Technology and Cyber Security

Module is to assist students in understanding basic information
systems risk and security concepts as well as specific aspects of
cyber security. As such, the Module is intended to help students
better comprehend the implications of the increasing cyber threats,
the various mechanisms for managing and mitigating against cyber
threats and the general legal framework on cyber crime regulation.
The Module provides a comprehensive overview of the various

facets relating to information technology and cyber security. Due to
the little or limited availability of local literature in the field of
Information Technology and Cyber Security the module necessarily
borrow from sources in other developed and developing countries.
4
UNIT 1
INTRODUCTION TO INFORMATION TECHNOLOGY AND INFORMATION

SECURITY
Objectives of the Unit
By the end of this unit, students will be able to:

 Define Information Technology and information security
 Understand the basic security concepts of confidentiality,
integrity and availability
 Describe the various components of information Technology and
network systems
 Identify Information Security services and properties.
1.0 Introduction
Information technology plays a vital role in business as well as in

society in general. Information technology has become an integral
part of today‘s business operations as it provides a competitive edge
for companies utilizing them over their competitors. Apart from
affecting business organizations, information and communication
technologies (IT) have transformed social and cultural aspects of the
society and every aspect of human life.
Despite numerous benefits of information technology certain

aspects of information security have to be managed in order to
protect the confidentiality, integrity and availability of the
information. As such, information security management systems
have become important in businesses. In this information age, there
is no doubt that security of information is vital for the success of
any organization. Information has become an invaluable asset for
many organizations. As such, failure to safeguard information may
result in enormous and unquantifiable financial losses for
businesses. In addition, this may also inevitably result in damage to
reputation, loss of prospective customers, among other things.
Under this section, an overview information technology and
information security will be given to enable students to have a
general understanding of these pertinent issues.
5
There are number of key terms that will be used in this module. It is
therefore important that the student is familiar with the definitions
of some the terms. The following sections are dedicated to defining
the meaning and scope of terms such information technology,
information security, and so on.
1.1 Defining Information Technology
There is no universally acceptable definition of information

technology as different authors have provided different definitions.
However, as we will see below, most definitions incorporate the
concept of devices capable of collecting, storing, processing and
disseminating information. According to Laudon & Laudon (2014:
45) Information Technology (IT) consists of all the hardware and
software that a firm needs to use in order to achieve its business
objectives.
Thus Information Technology includes, not only computer

machines, storage devices, and handheld mobile devices, but also
software, such as the Windows or Linux operating systems, the
Microsoft desktop productivity suite, and many thousands of
computer programs. Information technology comprises hardware
and software components as well as other programs.‘ It
encompasses all conceivable computer-based information systems
and their underlying technologies.
The Information Technology Association of America (ITAA) has

defined Information Technology as the study, design, development,
implementation, support or management of computer-based
information systems, particularly software applications and
computer hardware. However, information technology is not just
about acquisition, processing, storage and dissemination of
information. The process must be done systematically and securely
for the information to be useful and reliable to users. Therefore,
Information Technology may be described a generic term referring
to the systematic use or application of computer hardware, software
and communication technology to convert, store, protect, process,
transmit and retrieve information, securely.
6
Objectives of Information Technology
The objectives of IT are to provide better means of information of

data messages in the form of written or printed records, electric,
audio or video signals by using wires, cables and
telecommunication techniques, IT plays a vital role in information
handling due to developments such as reduction in computing time,
capabilities of files on video discs, use of T.V as readymade
information screen, telecommunication and satellite communication
facilities etc.
Defining Information Systems

Information technology is closely related to the concept of
information systems. According to Stair & Reynolds (2003:4), an
information system as ‗a set of interrelated components that collect,
manipulate, and disseminate data and information and provide a
feedback mechanism to meet an objective.‘ A similar but more
elaborate definition of an information system is provide by Laudon
& Laudon (2014: 45) as follows:
„An information system can be defined technically as a set of

interrelated components that collect (or retrieve), process,
store, and distribute information to support decision making
and control in an organization. In addition to supporting
decision making, coordination, and control, information
systems may also help managers and workers analyze
problems, visualize complex subjects, and create new
products.‟
What is clear from these definitions is that the concept of

information systems is wider and broader than information
technology. It can be said that information technology is a subset of
information systems or more precisely, information technology may
be described as a computer-based information system. A computer-
based information system (CBIS) consists of hardware, software,
databases, telecommunications, people, and procedures that are
7
configured to collect, manipulate, store, and process data into
information‘ (Stair & Reynolds, 2003:16).
The various components of computer-based information systems,

namely: hardware, software, databases, telecommunications,
people, and procedures that are configured to collect, manipulate,
store, and process data into information are collectively referred to
as the technology infrastructure. Some of the information
technology components will be discussed in greater in the ensuing
sections.
Data and Information

At the heart of any information system is the issue of ‗data‘ and
‗information‘. Although these terms are sometimes used
interchangeably, it is important to highlight that there are subtle but
notable differences between data and information. Despite the
subtle differences, data and information are intricately related
concepts. Data may be described as raw, unorganized and usually
random facts that need to be further processed in order to be useful.
Put differently, data are the facts or details from which information
is derived.
Information is therefore the product of processed, organized or

structured data presented in a form that make it useful. As aptly
observed by Stair and Reynolds (2003), ‗information is a collection
of facts organized in such a way that they have additional value
beyond the value of the facts themselves.‘ Gelbstein and Kamal
(2002) observe that information has three characteristics: it has
substance, it can be recorded and retrieved and it has value. It can
exist in many forms, e.g. written, printed, spoken, electronically
stored, physically transmitted or transmitted in electronic form. It
can be created, processed, used, stored, transmitted, corrupted, lost
and destroyed.
For example, the amount of rainfall recorded over the past ten years
is data. When the data is processed it may show that there was
drought every two years during the period. At this stage the data
8
becomes information as it is useful and may be used to predict
future droughts or changes in rainfall patterns. Information in the
form of processed data is important as decisions and actions may be
predicated on such information. For the decision to be meaningful,
the processed data must meet the following criteria:
(i) Timely - the information should be available when required;

(ii) Accuracy – the information should be accurate for it to be
useful; and
(iii) Completeness – the information should be complete.
One of the fundamental tenets of information security systems is to

ensure the timeliness, accuracy and completeness of information.
Some of these concepts will be discussed in the following chapters.
1.2 Defining Information Security

Information security is defined as the protection of information and
the system, and hardware that use, store and transmit that
information. Information security entails the protection of
information and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction. It refers to a set
of strategies for managing the processes, tools and policies
necessary to prevent, detect, document and counter threats to digital
and non-digital information.
According to Whitman and Mattord (2005), information security is

the protection of information and its critical elements, including the
systems and hardware that use, store and transmit that information.
Information security is the collection of technologies, standards,
policies and management practices that are applied to information to
keep it secure. Gelbstein and Kamal (2002) define information
security as the discipline that addresses all the issues involving the
protection of data and information in all forms, the related
technologies used for information processing, storage and
communications, and the computer resources of an individual or an
organization.
9
Information security processes and policies typically involve
physical and digital security measures to protect data from
unauthorized access, use, replication or destruction. The primary
objective of information security is to protect the confidentiality,
integrity and availability of information assets, whether in storage,
processing, or transmission. Information security performs four
important functions for an organization, namely: (i) protect the
organization‘s ability to function, (ii) enable the safe operation of
applications implemented on the organization‘s IT systems, (iii)
protect the data the organization collect and uses, and (iv) it
safeguards the technology assets in use at the organization.
Institutions may implement various security measures to secure

information. There are several internationally recognized
information security standards and frameworks that have been
developed. For instance, the International Standards Organization
(ISO) developed a comprehensive information security management
system (ISO27001) and ISO27002 dealing with control measures
for protecting information.
Information security should be distinguished from computer

security and cyber security. Information security focuses on data
regardless of the form the data may take: electronic, print or other
forms. On the other hand, computer security usually seeks to ensure
the availability and correct operation of a computer system without
concern for the information stored or processed by the computer.
Cyber security is the set of preventative methods used to protect

organizational information and resources from being stolen,
compromised, and attacked by cyber criminals through the use of
computers and the Internet. Organizations are becoming
increasingly vulnerable to cyber security risk due to enhanced
technology connectivity and dependency, exposing them to
significant financial losses, theft of intellectual property, operational
disruption, and reputational damage. The ITU (Recommendation
ITU-T X.1205 (04/2008), Section 3.2.5.) provides the following
comprehensive definition of cyber security:
10
Cyber security is the collection of tools, policies, security concepts,
security safeguards, guidelines, risk management approaches,
actions, training, best practices, assurance and technologies that
can be used to protect the cyber environment and organization and
user‟s assets. Organization and user‟s assets include connected
computing devices, personnel, infrastructure, applications, services,
telecommunications systems, and the totality of transmitted and/or
stored information in the cyber environment. Cyber security strives
to ensure the attainment and maintenance of the security properties
of the organization and user‟s assets against relevant security risks
in the cyber environment.
Cyber security therefore extends beyond information security and

computer security. Cyber security involves anything security-related
in the cyber realm (or cyberspace). Information security involves
the security of information or information systems regardless of the
realm it occurs. On the other hand, cyber security is concerned with
the protection of information in the cyber space.
1.3 Basic Security concepts

There are basically six fundamental concepts forming the
cornerstone of information security. The first three concepts relate
to Confidentiality, Integrity and Availability of information, also
known as the ‗CIA triad‘. Every information security professional
and cyber security practitioner must have an appreciation of the
three concepts as they form the crux of information security.
The second set of concepts includes Authentication, Authorization,

and Non-repudiation. Graham et al (2011) aptly observe that
authentication, authorization, and non-repudiation are tools that
system designers can use to maintain system security with respect to
confidentiality, integrity, and availability. Understanding each of
these six concepts and how they relate to one another helps security
professionals design and implement secure information systems.
Each component is critical to overall security, with the failure of
any one component resulting in potential system compromise. This
11
section focuses on the six information security concepts in greater
detail.
Confidentiality
Confidentiality refers to a set of rules or a promise that limits access

or places restrictions on certain types of information. The concept of
confidentiality provides the assurance that information is not
disclosed to unauthorized individuals, processes, or devices.
According to Forouzan & Mosharraf (2011) keeping information
secret from unauthorized access is probably the most common
aspect of information security. Confidentiality guarantees the
privacy of information and prevents disclosure of sensitive
information to unauthorized persons.
There are many reasons why persons or organizations may wish to

keep of certain information confidential and out of the public
sphere. For instance, in the military field, concealment of sensitive
information is critical for national security, while keeping trade
secrets from competitors is crucial to business operations. In
banking industry, the need to preserve customers‘ accounts
confidential is critical for security reasons as well as the need to
keep the financial affairs of the banking community from
unwarranted disclosure.
Organizations also endeavor to keep certain information

confidential for legal reasons. For instance, disclosure of sensitive
information may result in lawsuits with potential payouts of
millions of dollars. In the legal field, lawyers are often required by
law to keep confidential any information pertaining to the
representation of a client (attorney-client confidentiality).
The concept of confidentiality of information assumes are more

important role in the world of computers and networks where
information can be collected, stored and transmitted digitally across
the world in a matter of seconds. Most public networks are far from
being secure and information transmitted over the Internet may be
intercepted or accessed by unauthorized people. As such, aspects of
12
information security seek to guarantee the confidentiality of
information.
There are numerous approaches to providing confidentiality,

ranging from physical protection to mathematical algorithms that
render data unintelligible. The first objective is to ensure sensitive
information is protected from unauthorized users. Similarly,
limitations must be in place to restrict access to the information to
only those who have the authorization to view it. Third, an
authentication system must be in place to verify the identity of those
with access to the data. Authentication and authorization will be
discussed in ensuing sections, as they are vital to maintaining
confidentiality.
Integrity
In the information security realm, integrity normally refers to data

integrity, or ensuring that stored data are accurate and contain no
unauthorized modifications. Integrity is thus interpreted to mean
protection against unauthorized modification or destruction of
information. For data or information to remain useful and relevant
to users, it must not be amenable to haphazard or random changes,
modifications, or any other forms of manipulation.
Information has integrity when it is whole, complete, and

uncorrupted. The integrity of information is threatened when the
information is exposed to corruption damage, destruction, or other
disruption of its authentic state. Corruption can occur while
information is being stored or transmitted. Many computer viruses
and worms are designed with the explicit purpose of corrupting
data.
Data manipulation may include such things as insertion, deletion

and substitution. Any changes to the content of the data or
information should only be done by authorised persons and in
accordance with laid down procedures. For instance, information
contained in medical records should not be changed by anyone
without the requisite approval of those in charge. Similarly, in
13
banking, unauthorized changes to customers‘ bank accounts would
certainly defeat the integrity of the banking information. Data
integrity therefore safeguards against unauthorized alteration or
modification of data. In information security, the integrity of data or
information is ensured by the ability to detect data manipulation by
unauthorized parties.
According to Graham et al (2011), disrupting the integrity of data at

rest or in a message in transit can have serious consequences. A
typical example relates to banking services. For instance, the
attacker could change an account number of the recipient of the
funds his own bank account number. As such, the integrity of data
is a critical component of any information system.
Availability
Availability may be simply defined as timely, reliable access to data

and information services for authorized users. Availability is key as
it would be pointless for an organization to collect and store
information if such information eventually becomes unavailable as
and when required by authorised users. The essence of information
security is to ensure availability of information to authorized users
and applications. Information needs to be readily accessible to those
authorised to access it. Unavailability of information is just as
harmful to an organization as a lack of confidentiality or integrity
(Forouzan & Mosharraf, 2011).
Understanding the components of the CIA triad (confidentiality,

integrity and availability) and the concepts behind how to protect
these principles is important for every security professional. Each
component acts like a pillar that holds up the security of an
information system. If an attacker breaches any of the pillars, the
security of the system will fall. As indicated above, authentication,
authorization, and non-repudiation are the tools used to maintain
these information security pillars.
14
Authentication
Authentication may be defined as a security measure designed to

establish the validity of a transmission, message, or originator, or a
means of verifying an individual‘s authorization to receive specific
categories of information (Graham et al, 2011). The notion of
authentication is essential to any secure information system as it is
the key to verifying the source of a message or that an individual is
whom he or she claims. There are many methods available to
authenticate a person. For instance, a secret password or a
fingerprint may be used as a method of authenticating an entity.
Without a sound authentication system, it is impossible to trust that
a user is who he or she says that he or she is, or that a message is
from who it claims to be.
Apart of identification, authentication also applies to validating the

source of a message, such as a network packet or e-mail. At a low
level, message authentication systems cannot rely on the same
factors that apply to human authentication. Message authentication
systems often rely on cryptographic signatures, which consist of a
digest or hash of the message generated with a secret key. Since
only one person has access to the key that generates the signature,
the recipient is able to validate the sender of a message. Some of the
authenticating systems will be discussed in later chapters of this
module.
Authorization
Authorization in the context of information security refers to access

privileges granted to a user, program, or process. The concept of
authorization is important as not everyone has access to every piece
of information in a computer system. Thus, while authentication
relates to verifying identities, authorization focuses on determining
what a user has permission to do.
It naturally follows therefore that after a secure system authenticates

users, it must also decide what privileges they have. For instance, an
online banking application will authenticate a user based on his or
15
her credentials, but it must then determine the accounts to which
that user has access. Additionally, the system determines what
actions the user can take regarding those accounts, such as viewing
balances and making transfers (Graham et al, 2011).
Non-repudiation
The last of the fundamental pillars of information security is the
concept of non-repudiation. Nonrepudiation refers to the ability to
ensure that a party to a contract or a communication cannot deny the
authenticity of their signature on a document or the sending of a
message that they originated. Non-repudiation prevents an entity
from denying previous commitments or actions and provides a
mechanism for proving that certain actions were taken by the entity.
A digital signature is used on the Internet to ensure that a message

or document has been electronically signed by the person that
purported to sign the document. Since a digital is unique, it ensures
that a person cannot later deny that they furnished the signature.
However, digital signatures alone may not always guarantee non-
repudiation and as such a combination of methods may be used,
such as capturing unique biometric information and other data about
the sender or signer that collectively would be difficult to repudiate.
1.4 Components of Information Technology
In section 1.1 above, information technology has been defined as

the study, design, development, implementation, support or
management of computer-based information systems, particularly
software applications and computer hardware. It is therefore
necessary to consider some of the key components of information
technology. These various components may be grouped into the
following:
Computer technology
Computers are one of the most captivating inventions and

innovations to be created in the history of humanity. In general
terms, a computer is a mechanical and electronic device capable of
16
carrying out mathematical functions at high speed and accuracy.
Computers are capable of storing and processing huge quantities of
data and information and performing computations through the data
processing machine. A computer memory may be of Read Only
Memory (ROM) or Random Access Memory (RAM) variety.
Computers constitute a major component of information

technology. Computers are capable of processing enormous
amounts of data at incredible speeds and with precision and
accuracy. Basically, there are four main types of computers,
namely:
Supercomputers – these are the most powerful type of computers

that operate at exceptionally high speeds relative to all other
computers. Typically, supercomputers are used for scientific and
engineering applications that must handle enormous databases or
carry out a great amount of computation. Super computers are
typically equipped with artificial intelligence and capable of
intermediate level reasoning. Colossal amounts of information can
be systematically stored in the memory of a supercomputer for
subsequent retrieval and use.
Mainframe computers – are high-performance computers used for

large-scale computing purposes that require greater availability and
security. Although not nearly as powerful as supercomputer,
mainframe computers are capable of great processing speeds and
data storage. For instance, mainframe computers are used by
insurance companies to process information about millions of
policyholders. They are also predominantly used by large
organizations for critical applications, bulk data processing, and
transaction processing.
Minicomputers –also known as midrange computers, minicomputers

are typically used by medium sized companies or departments of
large companies for specific purposes such as manufacturing
processes and assembly line operations. It is a computer of medium
power, more than a microcomputer but less than a mainframe. A
17
minicomputer is a type of computer that possesses most of the
features and capabilities of a large computer but is smaller in
physical size. A minicomputer fills the space between the
mainframe and microcomputer, and is smaller than the former but
larger than the latter. Minicomputers are mainly used as small or
midrange servers operating business and scientific applications.
Microcomputers – these are the most extensively used type of

computers consisting of desktops, notebooks, tablet PCs and
handheld computers. Microcomputers are designed for individual
and personal use. This type of computer‘s central processing unit
(CPU) includes random access memory (RAM), read-only memory
(ROM) memory, input/output (I/O) ports, interconnecting wires and
a motherboard.
Computer Hardware
Beynon-Davies (2009) succinctly defines computer hardware as the
physical equipment used for input, processing, and output activities
in an information system. It consists of computers of various shapes
and sizes (including mobile handheld devices); various input,
output, and storage devices; and telecommunications devices that
link computers together. According to Stair & Reynolds (2003),
input devices include keyboards, automatic scanning devices,
equipment that can read magnetic ink characters, and many other
devices.
There are many storage and output devices, including secondary

storage devices, printers, and computer screens. It is important for
professional information security practitioners to be knowledgeable
of the functionalities of different computer hardware as part of the
critical components of information infrastructure.
As highlighted above, a computer uses a host of devices that

facilitates an interface for communicating with human beings. The
followings are of the system components in a computer:
18
(i) Input devices
Input devices include media and techniques used in the process of

human-machine communication such as keyboard, the mouse, input
pen, touch screen, microphone, and many others.
(ii) Processor
Processors consist of a systematic series of operations to achieve the

desired result. Processor is the main component and is the heart of
the computer system.
(iii) Output devices
Output devices refers to devices or processes involved in the

transfer of information out or information transferred from the
internal storage of a computer to any device outside the computer
like display screens, printers, graphics plotter, visual display of
online work station, and so on.
Computer Software
Computer software constitutes an integral and indispensable part of

a computer system. Software carries the lifeblood of information
through an organization. Software consists of computer programs
that govern the operation of the computer. Computer software
consists of the detailed, pre-programmed instructions that control
and coordinate the computer hardware components in information
system (Beynon-Davies (2009). Software therefore allows a
computer to perform various functions. For instance, certain
software programs may enable the computer to process payroll, to
send bills to customers, and provide managers with information on
performance of the business.
Hardware is the physical technology that houses and executes the

software, stores and transports the data, and provides interfaces for
the entry and removal of information from the system. Physical
security policies deal with hardware as a physical asset and with the
protection of physical assets from harm or theft. Applying the
19
traditional tools of physical security, such as locks and keys,
restricts access to and interaction with the hardware components of
an information system. Securing the physical location of computers
and the computers themselves is important because a breach of
physical security can result in a loss of information. Unfortunately,
most information systems are built on hardware platforms that
cannot guarantee any level of information security if unrestricted
access to the hardware is possible.
The software component of information technology comprises

applications, operating systems, and assorted command utilities. In
cyber security software is probably the most difficult component to
secure. The exploitation of errors in software programming
accounts for a substantial portion of the attacks on information.
There are two basic varieties of computer software, viz: system

software and applications software. System software controls basic
computer operations such as start up and printing. An example of
system software is the Windows XP. Applications software allows
specific tasks to be accomplished, such as word processing or
tabulating numbers (Stair & Reynolds, 2003).
It is important to highlight that computer software is more

vulnerable and susceptible to attacks than the physical components
(i.e. hardware). As such, any effective information security system
must of necessity include measures to protect the intangible
component of the computer system (i.e. the software).
Relationship between hardware and software

A symbiotic relationship exists between computer hardware and
software as one of these components cannot work without the other.
It is therefore imperative to understand this important relationship.
Needless to say, hardware and software are mutually dependent on
each other. Both components work together to make a computer
produce useful outputs.
It is impracticable for software to be utilized without supporting
20
hardware. Equally, computer hardware bereft of software programs
to operate upon cannot be operated and therefore unusable. This
means that relevant software must be loaded into the computer
hardware for the computer to be able to carry out specific functions.
It has been said, if hardware is the ‗heart‘ of a computer system,
then software is its ‗soul‘ as both components are complimentary to
each other.
Data and databases
Data contained in computer systems is an important component of

information technology. In the field of cyber security, data stored,
processed, and transmitted by a computer system must be protected
as it is the most valuable asset possessed by an organization and
therefore the main target of cyber attacks. Databases are also an
important facet of information systems. A database is an organized
collection of facts and information.
An organization‘s database can contain facts and information on

customers, employees, inventory, competitors‘ sales information,
online purchases, and much more (Stair & Reynolds, 2003).
Information in databases may be extremely valuable to the
organization for various reasons and should therefore be protected
from unauthorized intrusion. Information security systems are
designed to guarantee the confidentiality, integrity and available of
such information.
People and procedures

People are the most important element in most computer-based
information systems. Information systems personnel include all the
people who manage, run, program, and maintain the system. Users
are any people who use information systems to get results (Stair &
Reynolds, 2003). In the field of cyber security, people can be the
weakest link in an organization‘s information security system unless
policy, education and training, awareness, and technology are
properly employed to prevent people from accidentally or
intentionally damaging or losing information. The devices that
21
facilitate the interface between humans and computer technologies
have been discussed in section 1.4.2 above.
Procedures are also a key component of an information security

system. Procedures include the strategies, policies, methods, and
rules for using the computer based information systems. They are
usually written instructions for accomplishing a specific task.
Procedures are frequently overlooked component of an information
system. However, when an unauthorized user obtains an
organization‘s procedures, this may pose a threat to the integrity of
the information.
Telecommunication technology
Telecommunication technologies are an important component of the

information technology infrastructure. These technologies include
devices and techniques used for transmission of information over
long distances via wire, radio or satellite. Electronic
communication consists of telecommunication and data
communications. Telecommunication involves use of telephone,
telegraph, radio or television and satellite facilities to transmit
information, either directly or via computer. Data communication is
the transfer of data/information between computer devices. The
Internet and many other telecommunication devices have come to
constitute an important and inevitable component of written and
oral communication media network.
Computer networks
Networking and telecommunications technology, consisting of both

physical devices and software, links the various pieces of hardware
and transfers data from one physical location to another. Computers
and communications can be connected in network for sharing voice,
data, images, sound and video. A computer network may be defined
as a collection of computers and devices interconnected by
communications channels that facilitate communications and allows
sharing of resources and information among interconnected devices.
Networks may be classified according to a wide variety of
22
characteristics such as medium used to transport the data,
communications protocol used, scale, topology, and organizational
scope. Typical examples of common networks include the
following:
Local Area Network
A local area network is a private communications network

connecting two or more computers directly by a cable within a
limited local area, such as room, a building or a cluster of buildings.
A local area network is usually confined to a small geographic area.
Local area networks vary in types and number of computers that can
be connected, the speed at which data can be transferred, and types
of software used to control the network. The advantages of a LAN
system are that the hardware costs are reduced as several computers
and uses can share peripheral devices as well as data and software.
Metropolitan Area Network
A metropolitan area network (MAN) is similar to a local area

network but spans an entire city or town. Metropolitan area
networks usual consist of a connection of multiple local area
networks to form a medium-sized area network of computers. Thus,
metropolitan area networks are larger than local area networks but
smaller than wide area networks (WAN). Metropolitan area
networks may provide fast communication via high-speed carriers,
such as fiber optic cables.
Wide Area Network
A wide area network (WAN) is a network covering a large

geographical area. It consists of two or more computers that are
geographically located in distant places and are linked with by
communication channels, such as telephone lines or microwave
relays system. Wide area networks therefore cover large
geographical areas, and use communications circuits to connect the
intermediate nodes.
23
Intranet and Extranet
An intranet is an internal private enterprise network that enables the

organization to share computer data, information or application
resources via Internet Protocol (IP). It is an integration of
computers, software, and databases within a particular organization
into a single system that enables employees and other stakeholders
to access and share information needed to accomplish certain tasks
and activities. Curry and Stancich (2000) also define intranets as
private computing networks, internal to an organization, allowing
access only to authorized users. A key feature of intranets is that
they are private networks that can only be accessed by members of
a specific organization.
Intranet provides typical services such as email, data storage, and

search and retrieval functions. Intranets are frequently used for
electronic dissemination of policies and procedures, internal
directories for employees, and product catalogues for customers,
among a host of other services. Intranets therefore constitute a
critical component of an organization‘s internal communication
systems providing effective and efficient channels of distributing
corporate information to employees, business partners and
customers.
The term extranet is used when access to an intranet is extended to a

privileged user group: customers and suppliers for example. Thus,
in simple terms, extranet is an extended intranet. It is a network that
facilitates a link between or among business partners through the
Internet by providing access to certain areas of the business
partners‘ corporate intranets. Viewed differently, extranets may be
described as a business-to-business ‗intranet‘ that allows limited,
controlled, secure access between a company‘s intranets and
designated, authenticated users from remote locations.
24
Internet
Internet refers to a global computer network providing a variety of

information and communication facilities, consisting of
interconnected networks using standardized communication
protocols. A computer network is interconnection of autonomous
computing systems through communicating systems. The Internet,
commonly known as the network of networks, spans across the
entire globe, compared to limited geophysical area covered by local
area and wide area networks. Consequently, the Internet can be
thought of as vast pool of computers, people and information spread
across the entire world. The Internet is therefore the world‘s largest
computer network, actually consisting of thousands of
interconnected networks, all freely exchanging information.
The technical aspects of the Internet include the connection of a

large number of computers through communication media, such as
telephone lines, Leased lines, Satellites, etc. and communication
hardware/software such as Routes and gateways. Routers and
gateways are switches that will move data from one host to another
host through the media. These provide fast bit carrying capacity to
Internet. The Internet interconnects heterogeneous networks that are
networks comprising of variety of hardware platforms, operating
systems, information storage, etc. The management of such
heterogeneous networks and information exchange is achieved by
adoption of the following methodology:
(i) Client Server Architecture
Client-server architecture (client/server) is a network architecture in

which each computer or process on the network is either a client or
a server. Servers are powerful computers or processes dedicated to
managing disk drives (file servers), printers (print servers), or
network traffic (network servers). Clients are personal computers or
workstations on which users run applications. Clients rely on
servers for resources, such as files, devices, and even processing
power.
25
(ii) TCP/IP Protocol
Transmission Control Protocol/Internet Protocol (TCP/IP Protocol)

is the basic communication language or protocol of the Internet. It
can also be used as a communications protocol in a private network
(either an intranet or an extranet). A protocol is a set of well-defined
rules to be followed by communication partners for reliable and
meaningful exchange of information. Transmission control protocol
takes care of transporting the packet from client to server and
Internet protocol takes care of moving the packet across networks.
(iii) Application Level Protocol
The TCP/IP protocol carries the packets from client to server and
vice-versa, without interpreting what the packet contains. The
function of an application protocol is to interpret and provide the
intended services to the end users such as e-mail, remote login, file
transfer, among others.
Electronic mail
The services of the Internet include applications such as the

electronic mail (e-mail) system. Electronic mail is a facility through
which messages can be exchanged electronically over the Internet.
It provides the ability to compose, send and receive electronic mail
over the Internet. It has message delivery speed as high as that of
telephonic accessing. Unlike telephone messaging, e-mail does not
require that both parties be available at the same instant. It also
leaves a written copy of the message. It has additional features such
as replay to message, broadcast, carbon copy, and blind copy, to
increase the effectiveness of the message exchange.
To avail the services of e-mail, user should have address of the

sender and program to handle mail application. SMTP (Simple Mail
Transfer Protocol) is one of the protocols used for mail.
Transmission of e-mail requires a telecommunication network. The
vast majority of e-mail is transmitted as computer compatible data
and travels along data networks.
26
World Wide Web
The World Wide Web (WWW) is a network of links on the Internet

to documents containing text, graphics, video, and sound.
Information about the documents and access to them are controlled
and provided by tens of thousands of special computers called web
servers. The web is one of many services available over the Internet
and provides access to literally millions of documents.
The web is a client server based, distributed hypertext, and

multimedia information system on the Internet. The web has
developed into the most popular information service and is
associated with accessing and browsing information resources on
the Internet. The web uses a protocol called Hypertext Transfer
Protocol (HTTP). The Uniform Resource Locator (URL) specifies
the location of the documents or web pages.
1.5 Security Properties and Services

Security means the state of being free from danger or threat. It also
refers to the safety of a state or organization against criminal
activity such as terrorism, theft or espionage. A successful
organization should have multiple layers of security in place
including physical security, personal security, operations security,
communications security, network security and information
security. Organizations should therefore procure security services
that protect all manner of assets from potential threats.
Network security and information security are perhaps the most

difficult form of security to guarantee given the susceptibility of
data and information in virtual or cyber environment. Network
security is concerned with the design, implementation, and
operation of networks for achieving the purposes of information
security on networks within organizations, between organizations,
and between organizations and users. Internet security is concerned
with protecting internet-related services and related ICT systems
and networks as an extension of network security in organizations
and at home, to achieve the purpose of security. Internet Security
27
also ensures the availability and reliability of Internet services
(Klimburg, 2012).
Information security cannot be absolute. Although it is possible to

make a system available to anyone, anywhere, anytime, such
unrestricted access poses a danger to the security of the information.
On the other hand, a completely secure information system would
not allow anyone access. Accordingly, there is need to strike a
balance between the two competing interests. To achieve balance by
operating an information system that satisfies the users while at the
same time ensuring adequate security of the information assets, the
security level must allow reasonable access, yet protect against
actual and potential threats.
Securing information assets is in fact an incremental process that

requires coordination, time, and patience. Organizations may adopt
a bottom-up approach or top-down approach to information or cyber
security. The bottom-up approach implies that information security
begins as a grassroots effort in which systems administrators
attempt to improve the security of their systems. The major
advantage of the bottom-up approach is the technical expertise of
the individual administrators. These individuals work with
information systems on a day-to-day basis and possess in-depth
knowledge that can greatly enhance the development of an
information security system. System administrators possess intimate
knowledge and understanding of the threats to their systems and the
mechanisms needed to protect them successfully.
On the other hand, in a top-down approach, the process is initiated

by the senior-level management team through establishing
information security policies, procedures and processes, dictate the
goals and expected outcomes, and determine accountability for each
required action. The top-down approach is more successful as the
information and cyber risks are strategically analysed at the top
level and resources are sufficiently deployed to ensure effective
management of the risks.
28
1.6 Chapter Summary/Conclusion
In this chapter various concepts relating to information technology

and information security have been canvassed. Information
Technology has been defined as the study, design, development,
implementation or management of computer-based information
systems. Various components of information technology have been
identified and discussed, including hardware and software, data,
people and processes as well as various types of networks that
facilitate the interconnectedness of computer systems globally.
Information security has been described as the protection of

information and its critical elements including systems and
hardware that use, store and transmit information. The concepts of
confidentiality, integrity and availability, and the concomitant tools
that support these concepts, namely: authentication, authorization
and non-repudiation, have been identified as the pillars of
information security. The student is expected to understand and be
able to apply these fundamental tenets of information security.
29
UNIT 2
ETHICS AND LEGAL ISSUES IN CYBERSPACE

 Define the phenomenon of cyber crime
 Define ethics, morality and law
 Establish the difference between ethics and law
 Understand various ethical issues arising from information
technologies
 Provide instances of unethical conduct in cyberspace
2.0 Introduction
The world of information and communication technologies

permeates every aspect of human life, businesses, and societies in
general. There is no doubt that technology comes with a plethora of
benefits for users and is a key driver of economic development.
However, the cyberspace environment is extremely complex such
that the dichotomy between what is "right" and what is "wrong"
becomes increasingly blurred or unclear. In addition, the parameters
of acceptable and ethical behavior in cyberspace are not yet clearly
defined and in many instances, there is consensus on what
constitutes unethical conduct. The domain of ethics is interested in
establishing moral issues affecting the society. In the field of
computers and networks there are innumerable legal and ethical
issues associated with the use of information and communication
technologies. In this Unit focus will be on some of these ethical and
legal issues.
2.1 Importance of Ethics
Ethics has risen to the top of the business agenda because the risks
associated with inappropriate behaviour have increased, both in
their likelihood and in their potential negative impact. In the past
decade, we have watched the collapse and/or bailout of financial
institutions. Several trends have increased the likelihood of
unethical behaviour. First, for many organizations, greater
30
globalization has created a much more complex work environment
that spans diverse cultures and societies, making it more difficult to
apply principles and codes of ethics consistently.
2.2 Morals, Ethics and Law

Ethical standards and legal principles play a critical role in guiding
people on what is proper or improper, right or wrong in a given
society. The manner in which we conduct ourselves, communicate
and interact certainly affects other people in different ways, good or
bad. As such, there must be certain societal rules and moral
standards that govern how people interrelate. Haag et al (2004)
observe that ‗ethics is the set of principles and standards we use in
deciding what to do in situations that affect other people.
Sometimes these principles are so strongly and widely held that
they have become laws.‘
Reynolds (2015:3) defines ethics as ―a set of beliefs about right and

wrong behaviour within a society. Ethical behaviour conforms to
generally accepted norms—many of which are almost universal.
However, although nearly everyone would agree that certain
behaviours—such as lying and cheating—are unethical, opinions
about what constitutes ethical behaviour can vary dramatically.‖
Morals are central to issues relating to ethics although there is a
difference between the two concepts. Morals are one‘s personal
beliefs about right and wrong, while the term ethics describes
standards or codes of behaviour expected of an individual by a
group (nation, organization, profession) to which an individual
belongs (Reynolds 2015).
Laudon & Laudon (2006: 148) also aptly define ethics as ‗the
principles of right and wrong that individuals, acting as free moral
agents, use to make choices to guide their behaviors.‘ Ethics
therefore refers to moral ‗laws‘ that govern a person or a group of
persons‘ behavior. Morality is integral part of ethics. According to
Reynolds (2015) the term morality refers to social conventions
about right and wrong that are so widely shared that they become
the basis for an established consensus. However, individual views
31
of what behaviour is moral may vary by age, cultural group, ethnic
background, religion, life experiences, education, and gender. There
is widespread agreement on the immorality of murder, theft, and
arson, but other behaviours that are accepted in one culture might be
unacceptable in another.
Although ethics and law tend to dovetail and both guide and
regulate human behavior, it is important to appreciate the difference
between ethical (moral) norms and legal principles. According to
Madhuku (2010:1) ‗law refers to rules and regulations that govern
human conduct or other societal relations and are enforceable by the
state. It is the quality of enforceability by the state that distinguishes
law from other rules.‘ Enforcement of laws is done by state
machinery comprising law enforcement agencies (police),
courts/judiciary, and other quasi-judicial institutions. Thus the main
difference between legal rules and ethical principles is that the
former are enforceable by the state and carry certain sanctions or
penalties if they are not observed. On the other hand, ethical
principles may be described as "moral laws" as these are no
enforceable by the state.
Ethics, computers and Information Technology
The growth of the Internet, the ability to capture and store vast
amounts of personal data, and greater reliance on information
systems in all aspects of life have increased the risk that information
technology will be used unethically (Reynolds, 2015). Therefore,
the use of computers and other information technologies inevitably
raises fundamental ethical questions. One should always ask the
question: ―how do I use my computer ethically?‖ In other words,
there must be certain principles that guide the manner in which
technology is used to avoid other people being adversely affected.
However, given the diverse and often conflicting interests in
society, people usually find themselves confronted with ethical
dilemmas. An ethical dilemma usually arises in circumstances
where one has to reconcile conflicting interests, demands,
responsibilities or goals. For instance, an organization may face an
32
ethical dilemma where a decision is to be made to install secret
security cameras at the workplace as this may also affect the privacy
of employees. In this example, the need to safeguard the
organization‘s assets may conflict with the requirement to respect
the privacy of employees.
Broadly speaking, ethics is a wide concept covering many aspects

including branches such as information ethics and cyber ethics. In
fact, every profession has a set of ethical issues relating to that
particular field. For instance, information ethics is the branch of
ethics which focuses on the relationship between the creation,
organization, dissemination, and use of information, and the ethical
standards and moral codes governing human conduct in society
(Joan, 2010). Cyber ethics is an emerging branch of computer ethics
concerned with ethical issues related to the Internet or cyberspace.
Cyberspace, and in particular the Internet, may be a haven for

unethical, illicit and illegal behavior. As observed by Krause
(2000:650), businesses are, for instance, increasingly establishing
policies to inhibit employees from using company resources to
perform unethical behavior on the Internet. Laudon & Laudon
(2006: 148) also highlight that ‗ethical issues in information
systems have been given new urgency by the rise of the Internet and
electronic commerce.
Internet and digital firm technologies make it easier than ever to

assemble, integrate, and distribute information, unleashing new
concerns about the appropriate use of customer information, the
protection of personal privacy, and the protection of intellectual
property‘. Other persistent ethical issues pertaining to information
systems include establishing accountability for the consequences of
information systems, setting standards to safeguard system quality
that protect the safety of the individual and society, and preserving
values and institutions considered essential to the quality of life in
an information society.
33
As indicated above, the world of computing and information
technology raises a number of ethical questions. The following are
some of the most common unethical issues arising from the field of
information technologies:
 It is unethical for a person to use a computer or computer
system to cause harm, loss or any other form of prejudice to
others. Although causing harm or loss to others may or may
not be illegal, it is certainly unethical. Many employers
monitor email and Internet access by employees at the
workplace in breach of the employees‘ privacy rights.
 It is both illegal and unethical for anyone to use a computer or
any information technology device to commit a crime such as
theft or fraud. Many crimes are being committed on the
Internet or through the use of the online platform.
 It is unethical and, in some cases, illegal for one to use or gain
unauthorized access another person‘s computer resources. In
the cyberspace, hackers break into computer systems to steal
valuable information and customer data which is then used to
commit various offences, such as identity theft.
 Copying copyrighted software or other material is not only
unethical but also illegal. Yet millions of people worldwide
download music and movies at no charge in violation of
copyright laws. Similarly, in the academic sphere, students and
researchers download materials from the web and plagiarize
the works of others.
 Compromise the privacy of others by using the computer.
Computer ethics deals with morally acceptable standards for using

computer and computer systems. Basically, there are four primary
issues which form the bedrock of computer ethics: privacy;
accuracy, property and access. These will be discussed in detail as
they form the crux of ethical and legal issues in the domain of
computers and information technology.
Privacy
According to Laudon & Laudon (2006: 155) privacy may be
described as the claim of individuals to be left alone, free from
34
surveillance or interference from other individuals or organizations,
including the state. Information technology and systems threaten
individual claims to privacy by making the invasion of privacy
cheap, profitable, and effective. There are many ways in which
information technology may be used to infringe the privacy of
individuals. Information technology is capable of monitoring,
capturing, and storing vast amounts of data, information and
communications. The following are some of the technologies or
computer programs with a direct bearing on privacy issues:
(i) Cookies
Web sites frequently capture information about users without their
knowledge using ‗cookie‘ technology. ‗Cookies are tiny files
deposited on a computer hard drive when a user visits certain web
sites. Cookies identify the visitor‘s web browser software and track
visits to the web site. When the visitor returns to a site that has
stored a cookie, the web site software will search the visitor‘s
computer, find the cookie, and know what the person has done in
the past‘ (Laudon and Laudon 2014: 166). Website owners may use
the personal data and information collated by cookies from users to
create detailed profiles of people visiting their websites. This
obviously impacts on the privacy of the users and raises important
ethical issues.
(ii) Web bugs

Web bugs (also known as web beacons) are also used by marketers
and website owners to carry out surreptitious surveillance of
Internet users, usually without the knowledge of the users. Web
bugs are tiny graphic files embedded in e-mail messages and web
pages that are designed to monitor users accessing email message or
web pages and transmit that information to another computer. Web
beacons are placed on popular web sites by third-party firms who
pay the web sites a fee for access to their audience. Marketers often
use web bugs as a tool to monitor online behavior.
35
(iii) Spyware
Spyware refers to software that enables a user to obtain covert
information about another's computer activities by transmitting data
covertly from their hard drive. Spyware program is installed on a
computer secretly and hidden from the owner in a bid to collect the
owner's private data or information including passwords, keystrokes
and other valuable data. Other spyware can secretly install itself on
an Internet user‘s computer by piggybacking on larger applications.
Spyware is often display unsolicited advertisements (called adware)
and track personal or sensitive information.
(iv) Spam
It will be recalled that privacy embraces the right of individuals to
be left alone. One common practice that flies in the face of the right
to be left alone is the nuisance caused by spam especially where
recipients have expressed no interest in receiving unsolicited
messages. Spamming is the abuse of electronic messaging systems
to send unsolicited, undesired bulk messages. Spam media includes:
email spam; instant messaging spam; usenet newsgroup spam; web
search engine spam, mobile phone messaging spam and spam in
blogs.
Spam refers to any unsolicited commercial electronic message or

junk email usually sent to a large number of recipients for purposes
of marketing a product or service. Apart from being a nuisance,
spam can be a source of scams, computer viruses and offensive
content such as pornography or other undesirable products such as
drugs. Spam also takes up valuable time and increases costs for
consumers, business and governments in cases where recipients
have to go through or delete bulk unsolicited emails. Computer
abuse acts involving the use of a computer that may not be illegal
but that are considered unethical.
In some countries, laws have been promulgated proscribing or

restricting spamming. However, spamming may also be considered
a form of computer abuse. For example, in South Africa, section 45
of the Electronic Communications and Transactions Act provides
36
that a sender of spam must provide receivers with an opportunity to
unsubscribe from the mailing list whereupon the spammer must stop
sending the unwanted mail or message. Failure to desist from
sending the unsolicited mail or message after a recipient
unsubscribes constitutes a criminal offence. Thus South African law
provides an opt-out mechanism to manage spam. Opt-out means
that one can send spam provided the recipient is given an
opportunity to indicate whether or not they want to receive further
spam.
Privacy and the Law

From a legal standpoint, the right to privacy is enshrined in section
57 of the Constitution of Zimbabwe which stipulates that ―every
person has the right to privacy, which includes the right to have (a)
their home, premises or property entered without their permission;
(b) their person, home, premises or property searched; (c) their
possessions seized; (d) the privacy of their communications
infringed; or (e) their health condition disclosed.‖ Information
technology and the Internet potentially violate the constitutional
right to privacy particularly where it relates to the infringement of
the privacy of communications and disclosure of personal
information like health records.
In other countries, laws have been promulgated to provide for the

individual‘s information rights as well as the protection of personal
data. In Zimbabwe, data protection laws include the Access to
Information and Protection of Privacy Act [Chapter 10:27] (AIPPA)
and the Interception of Communications Act [Chapter 11:20]
(IoCA). The AIPPA provides, inter alia, members of the public
with a right of access to records and information held by public
bodies and prevent unauthorized collection, use or disclosure of
personal information by public bodies and protect personal privacy.
The IoCA prohibits unlawful interception and monitoring of certain
communications in the course of their transmission through a
telecommunication, postal or any other related service or system in
Zimbabwe.
37
Managing online privacy
An opt-out model of informed consent permits the collection of
personal information until the consumer specifically requests that
the data not be collected. An opt-in model of informed consent is
where a business is prohibited from collecting any personal
information unless the consumer specifically takes action to
approve collection and use. (Laudon & Laudon 2014: 168)
Etiquette on the Internet

Many users use the Internet and the web for different purposes.
Issues of ethics and etiquette on the Internet have become
paramount. The term ‗netiquette‘ has been coined to describe rules
of etiquette that ought to be observed on the Internet. Persons using
information technologies need to be considerate, polite and
courteous to other users.
Intellectual Property
According to Laudon & Laudon (2006: 162) ‗contemporary
information technologies, especially software, pose severe
challenges to existing intellectual property regimes and, therefore,
create significant ethical, social, political issues. Digital media
differ from books, periodicals, and other media in terms of ease of
replication; ease of transmission; difficulty classifying a software
work as a program, book or even music; compactness – making
theft easy; and difficulties in establishing uniqueness.
In cyberspace, it is difficult to ascertain ownership of information

and the channels through which it is transmitted. Intellectual
property is considered to be intangible property created by
individuals or corporations. Information technology has made it
difficult to protect intellectual property because computerized
information can be so easily copied or distributed on networks. The
central ethical issue concerns the protection of intellectual property
such as software, digital books, digital music, or videos. The
material question is whether one should copy for my own use a
piece of software or other electronic document or program protected
by trade secret, copyright, and/or patent law? The law provides for
38
the protection of intellectual property under three different legal
traditions, namely: (i) trade secrets, (ii) copyright, and (iii) patent
law. These will be canvassed below:
(i) Trade secrets

A trade secret may be described as any intellectual work product,
such as a formula, device, pattern, or compilation of data with a
commercial value used for a business purpose and is kept secret and
out of the public domain. A trade secret can include, for example, a
method or technique that would give a business or company
competitive advantage. For instance, software that contains
innovative or unique elements, procedures, or compilations is
usually considered as a trade secret. Trade secrets are valuable to
the business or company and therefore protected by the law on the
protection of confidential information. Unauthorized disclosure of
trade secrets may also result in legal action in order to protect the
information.
It is important to note that not all information is considered a trade

secret. For information to be considered a trade it must meet certain
criteria. The courts will usually consider the following when a party
is seeking to protect trade secrets:
 That the information was confidential to the business/company;
 The information has been disclosed in breach of a promise of
confidence; and/or
 The information was used in an improper way that resulted in
financial damage to the business or company.
In the world of computer and computer networks, it is relatively

easy for trade secrets and other confidential information to be
accessed by hackers. For business, the major threat to trade secrets
emanates from the risks posed by cyber espionage. Cyber espionage
entails the use of computer networks to gain illegal access to
confidential information held by the government or an organization.
Organizations should therefore put in place effective measure to
protect their trade secrets. These measures may include:
 restricting the number of people who can access such
39
confidential information;
 requiring employees to sign non-disclosure agreements to
maintain confidential information including trade secrets;
 incorporating covenant in restraint of trade clauses in
employment contracts to prevent employees using trade secrets
when the leave employment; and
 Signing non-disclosure agreements with any third parties who
come into contact with the business or company, such as
consultants and vendors.
(i) Copyright
Copyright law protects creators of intellectual property from having
their work copied by others for any purpose without the permission
of the author. The law protects the copyright owner against
reproduction of the work in any manner or form without the
owner‘s permission. There are a number of ways in which copyright
infringement of a work may be perpetrated in this regard. These
include saving a work on the hard disk of a computer or on a CD
ROM disk, downloading a work placed on a website, displaying a
work on a computer screen uploading a work on a website. For
instance, the making of temporary or permanent electronic copies of
works amount to copyright infringement. Thus the objective of
copyright laws is to encourage creativity and authorship by ensuring
that creative people receive the financial and other benefits of their
work.
(iii) Patents
The law also protects inventors insofar as their inventions are
concerned. A patent grants legal rights to the inventor in the form of
exclusive monopoly on the ideas behind the invention over a period
of time. The rationale behind patent laws is to ensure that inventors
of new machines, devices, or methods receive the full financial and
other rewards of their labour. Other people intending to use a
patented design, device or program requires a licence from the
registered patent‘s owner. The key concepts in patent law are
originality, novelty and invention.
40
Common ethical issues in organizations
This section discusses a few common ethical issues in

organizations.
Software Piracy
Software piracy is sometimes facilitated or committed by IT

professionals themselves in corporate organisations. Corporate IT
usage policies and management should encourage users to report
instances of piracy and to challenge its practice. Sometimes IT users
are the ones who commit software piracy. A common violation
occurs when employees copy software from their work computers
for use at home or where few software licences by use by more
users than those licensed.
Inappropriate Use of Computing Resources
Perhaps the most common ethical issue in organizations revolves

around improper utilisation of computer resources by employees. It
is not unusual for employees to spend excessive amounts of time
using company resources to surf the Internet during working hours.
Employees may also play computer games and access and share
objectionable content via company email facilities. Such conduct by
employees may result in loss of productivity time and exposing the
organisation to possible cyber attacks given that viruses and other
malware are often planted on websites offering undesirable content.
It is therefore imperative for organisations to develop codes of
ethics and information technology (IT) policies discouraging
employees from using computing resources inappropriately. Non-
compliance with the ethics code and IT policies may result in
disciplinary action or dismissal.
Inappropriate content
The Internet provides an opportunity for people to download and
send inappropriate content such as pornographic materials.
Businesses have taken a stern position on employees surfing the
web, sending inappropriate messages, and downloading
41
pornographic materials from the Internet. This is due to a negative
impact on productivity, as well as the legal view that companies are
liable for the actions of their employees. Many companies have
established policies for appropriate use and monitoring of
computers and computing resources, as well as etiquette on the
Internet (Krause, 2000: 650).
Unauthorised disclosure of information
Employees have access to vast amounts of valuable data or

information, some of which may be classified as either private or
confidential. For instance, employees may access salary
information, information about customers (such as credit card
information, contact details) as well as confidential information
relating to trade secrets, product formulas and strategic plans. If
employees divulge such information to third parties without being
authorised, the company may stand to lose business to competition,
get sued by customers for violating their privacy. The reputation
and goodwill of the business may be damaged.
Monitoring and surveillance
Claims to privacy are also involved at the workplace: Millions of

employees are subject to electronic and other forms of high-tech
surveillance (Ball, 2001). This raises fundamental questions on
whether it is ethical to carry out electronic monitoring and
surveillance of employees in the name of security? The issue
remains debatable but the inevitable conclusion is that there is need
to balance security issues with the need to safeguard the privacy of
individuals.
Code of Ethics
A code of ethics is a collection of principles intended as a guide for

employees in an organisation. A code of ethics serves as a guideline
for ethical decision-making, promotes high standards of practice
and ethical behaviour, enhances trust and respect from the general
public, and provides an evaluation benchmark. However, a code of
ethics is not an end in itself, as other measures must be adopted to
42
make the cyberspace a better place for all users. In other words,
codes of conduct will not be sufficient in themselves, and should be
viewed as an integral part of integrating ethics management within
the broader framework of cyber security.
Computer crime
Apart from ethical issues arising from usage of computer systems, a
number of legal issues are common in cyberspace. The most
worrying issue pertains to the high incidence of computer crime and
its overall adverse impact on society, businesses and individuals.
Computer crime is the commission of illegal acts through the use of
a computer or against a computer system. Computers or computer
systems can be the object of the crime (destroying a company‘s
computer center or a company‘s computer files), as well as the
instrument of a crime (stealing valuable financial data by illegally
gaining access to a computer system using a home computer).
Computer crime may be classified in various ways for ease of
comprehension. The following is one way of classifying computer
offences:
(a) Offences against confidentiality, integrity and availability of

computer data
This class includes computer crimes such as unauthorized access to
computer systems, illegal interception of information transmitted
through telecommunication channels, data and system interference
and misuse of computer devices. This classification of computer
crimes is particularly important for cyber security as it identifies
with the four pillars of information security, namely:
confidentiality, integrity and availability.
(b) Computer-related crimes

These include crimes such as forgery and fraud committed using
computer systems. Most crimes committed online such as phishing,
vishing etc fall under this taxonomy of computer crimes.
43
(c) Content-related computer offences
Content related computer crimes include offences such as child
pornography, hate speech etc.
(d) Offences pertaining to copyright infringement

Another class of computer crimes pertains to copyright
infringement and related rights.
It is also important to understand that a computer can be subject of

an attack and/or the object of an attack. It is the subject of an attack
when a computer is used as an active tool to conduct attack. It is the
object of an attack when the computer is the entity being attacked.
There are two main categories that define the make up of cyber-
crimes. Firstly those that target computer networks or devices such
as viruses, malware, or denial of service attacks. The second
category relate to crimes that are facilitated by computer networks
or devices like cyber-stalking, fraud, identity-theft, extortion,
phishing (spam) and theft of classified information.
How cyberspace facilitates cybercrime

According to Laudon & Laudon (2006) new technologies, including
computers, create new opportunities for committing crime by
creating new valuable items to steal, new ways to steal them, and
new ways to harm others. The Internet has also been described as ‗a
natural playground for illicit, illegal and unethical behavior.‘
(Krause, 2000: 647). The following factors account for the reasons
why the cyberspace is frequently used as a haven for unethical and
criminal activities:
(a) Anonymity
The Internet provides a degree of anonymity to users such that
criminal elements can take advantage without the risk of being
easily identified. It is common for a person to masquerade as
another person or assume a different persona on the internet. This
anonymity makes it difficult to detect computer crimes and to
prosecute cyber criminals in courts of law.
44
(b) Complexity of computer environment
The sophistication of the computer environment makes it highly
attractive to criminal elements. Computer crime transcends national
borders and extremely difficult to detect, investigate and prosecute.
For instance, a criminal in Europe may commit cyber crimes in
Zimbabwe by remotely accessing computer systems.
(c) Lack of regulation

The lack of regulation of cyberspace makes it easy for individuals to
commit of sorts of criminal and dishonest activities. Cyberspace is a
complex phenomenon that is difficult to regulate and control. Cyber
laws and regulations in different countries are not only diverse and
fragmented, but often overlap and are sometimes contradictory.
Criminals take advantage of the loopholes in the law to commit
offences, as enforcement of cyber laws is extremely difficult.
(d) Computer evidence

Computer evidence is inherently prone to manipulation and
therefore courts exercise extreme caution before admitting such
evidence in criminal proceedings. This means cyber criminals may
get away scot-free by challenging the integrity and admissibility of
computer evidence.
2.3. Ethical Disclosure
Inherent errors or vulnerabilities in computer hardware and software

that may result in poor system performance are common. There are
three main sources of poor system performance namely, (i) software
bugs and errors (ii) hardware or facility failures caused by natural or
other causes, and (iii) poor input data quality. Cyber security ethics
raises fundamental questions on whether computer hardware or
software manufacturers and users should disclose vulnerabilities
once they are discovered.
Computer security professionals are confronted with an ethical

dilemma on whether or not to reveal details of computer software or
process vulnerability when discovered? The advantage of disclosing
the vulnerability is that the details may help software developers to
45
share the details and avoid similar errors in future. The flipside of
disclosing the vulnerabilities is that hackers and cyber may take
advantage of the vulnerabilities to launch attacks to the computer
system. This is the domain of ethical disclosure in information
technologies.
The security of information technology used in business is of

utmost importance. Confidential business data and private customer
and employee information must be safeguarded, and systems must
be protected against malicious acts of theft or disruption. Although
the necessity of security is obvious, it must often be balanced
against other business needs. Business managers, IT professionals,
and IT users all face a number of ethical decisions regarding IT
security, such as the following:
 Should an organization remain silent when it becomes a victim

of cyber crime to avoid negative publicity or publicise the
attack and inform affected customers?
 What actions should be taken by a software developer who
realizes that it has produced software with vulnerabilities
which may be exploited by hackers to attack customer data and
computers?
 How does an organization maintain a balance between its
computer or information security requirements and the need to
maintain convenience to users?
Vulnerability disclosure
As discussed above, organizations may a face an ethical dilemma on
whether to disclose computer vulnerabilities or cyber attacks. The
notion of vulnerability disclosure involves the practice of publishing
information about a computer security problem. An organization
may put in place a policy on disclosure of computer vulnerabilities
which involves alerting the computer or software vendors or
reporting the nature of the vulnerability to a professional or industry
body. The policy should contain guidelines for making the
vulnerability disclosures.
46
The organization may choose to disclose the vulnerability to
software companies and system designers; other security
researchers; business customers and end users. The timing of the
disclosure may be immediately; after the vulnerability has been
fixed or after the software vendors or system designers have been
afforded sufficient time to address the problem, regardless of
whether or not the problem is eventually fixed.
However, there is lack of consensus among computer security

professionals, researchers and other experts in the field on whether
computer security is enhanced through the full disclosure of security
vulnerabilities or non-disclosure of such vulnerabilities. The
amount of information to be disclosed and the timing of he
disclosure also remain debatable in the field of computer security.
One school of thought advocates for a full and immediate disclosure
while the other is in favour of what is called ‗responsible disclosure‘
which calls for limited disclosure after the problem has been fixed.
The ethical and legal dimensions relating to full disclosure and
responsible disclosure of computer vulnerabilities will be discussed
below.
Full disclosure
Full disclosure entails publishing the details of the vulnerability as
early as possible and making the information available to everyone
without restriction. For instance, information on the vulnerabilities
may be released to the public through online forums or websites.
Proponents of full disclosure argue that there is an ethical and moral
obligation to disclose vulnerabilities so that potential victims of
attacks are well informed about the nature of attacks.
Responsible disclosure
In computer security terminology, responsible disclosure is a
vulnerability disclosure model based on the requirement that
vulnerabilities should not be disclosed until a solution is available.
Responsible disclosure is similar to full disclosure save for the fact
that all stakeholders agree to allow a period of time for the
vulnerability to be patched before publishing the details. Thus
47
responsible disclosure supports the notion that limited information
should be made available to a selected group after some specified
amount of time has elapsed from the time of discovery of the
vulnerability.
The rationale behind responsible disclosure is that cyber criminals

may take advantage of the vulnerability if it is publicly disclosed
much quicker than the victims of attack can fix the issue.
Responsible disclosure therefore allows for window to find a
solution to the problem before the nature of the vulnerability or
attack is publicized. The process of responsible disclosure involves
the submission of a confidential report to the organization by the
person who discovers the vulnerability. The organization may then
work with the security or computer experts to patch the
vulnerability and agree on the period within which this must be
done. Once the agreed upon time period expires and the
vulnerability is patched or the patch is available for installation by
the users of the software, the vulnerability is then publicly
disclosed.
There is much debate on how to define "Responsible Full

Disclosure", but a few of the general principles include:
 Telling the vendors about the vulnerability and giving them
time to fix it (sometimes referred to as giving them time to
patch).
 Let the public know enough so that the risk can be mitigated,
but hopefully not enough so that criminals can use the
vulnerability in an attack.
 Once the vulnerability has been patched the full details of the
vulnerability may be released.
The following Table 2.1 shows the various vulnerability options
available to organizations.
48
Option Description
Complete non-disclosure The organization decides to keep all the details of the
vulnerability secret.
Partial disclosure The organization provides sufficient information for end users
and business clients to mitigate vulnerabilities but not sufficient
for criminals to attack systems
Full disclosure All details of the vulnerability are disclosed to the public.
Limited disclosure The disclosure of the vulnerability is made to a specific group of
people such as the vendor, and perhaps some corporate clients.
Immediate and full public All details of the vulnerability are disclosed to the public
disclosure immediately upon discovering them.
Table 2.1: Vulnerability disclosure options
2.4 Surveillance vs Attacks
Organizations face ethical dilemma when it comes to surveillance in

order to avert attacks and the need to protect the privacy of
individuals. Threats of cyber terrorism have also resulted in mass
surveillance of citizens as party of aggressive security measures.
Security monitoring devices such as CCTV are usually
implemented secretly without consulting or notifying the people
subject to the monitoring. The invasion of privacy and the lack of
transparency in these network-monitoring programs have caused
great controversy. Such wide and random monitoring programs
raises vital ethical questions such as:
 what information will precisely be collected?
 who will have access to the collected information?
 when and how the information will be used?
 what controls will be put in place to prevent the information
from being used for unrelated purposes, and
 when and how the information will be disposed of?
Widespread examples abound showing how vulnerable the average

netizen‘s communications are to interception and surveillance. This
demonstrates how surveillance activities can negatively affect the
cyber security of all Internet users. It is tempting to think that more
―cyber security‖ would be a means of countering the global privacy
invasion caused by mass surveillance. Issues of cyber security are
49
usually dominated by states and corporations focusing mainly on
their security, rather than the security of citizens and Internet users.
Creating a cyber security environment that protects human rights,
including the right to privacy, while also ensuring an open and
secure Internet, will not be possible unless there is a paradigm shift.
Managing Ethical Challenges
Businesses and other institutions need to create an ethical and legal

environment, which enables the use of information technologies for
the greater benefit of society. Such an ethical and legal culture is
paramount given that information technology has many advantages
and equally many downsides. The rapid advancement in
technologies requires businesses, institutions and individuals to
continuously conduct a legal, ethical and social impact analysis of
new technologies as and when they evolve.
In addition, institutions should develop and implement

comprehensive corporate ethics policies and codes of conduct that
are responsive to current and emerging issues in cyberspace.
Employees, customers, and other institutional stakeholders should
be educated on information systems ethical standards and behaviors
expected of them in an information society.
2.5 Brief history of computer security
The field of computer and cyber security has tremendously

developed since the advent of the first computer in …In this section a
brief history of computer security will be given to assist the student
appreciate important milestones in cyber security.
Advent of the computer

The word "computer" was first used and recorded as being used in
1613 to describe a human who performed calculations or
computations. The definition of a computer remained the same until
the end of the 19th century, when the industrial revolution gave rise
to machines whose primary purpose was calculating.
50
However, the first automatic computing machine called the
Difference Engine was developed in 1822 by Charles Babbage. The
machine was capable of computing several sets of numbers and
making hard copies of the results. However, Babbage was never able
to complete a full-scale functional version of this machine due to
funding challenges. Between 1936 and 1938, Konrad Zuse created
the Z1 which is considered to be the first electro-mechanical binary
programmable computer, and the first really functional modern
computer.
The Turing Machine was first proposed by Alan Turing in 1936 and
became the foundation for theories about computing and computers.
The machine was a device that printed symbols on paper tape in a
manner that emulated a person following a series of logical
instructions. In 1943 Tommy Flowers developed the Colossus as the
first electric programmable computer mainly to help the British code
breakers read encrypted German messages. This was followed by the
development of the Atanasoff Berry Computer (ABC) as the first
digital computer by John Vincent Atanasoff and Cliff Berry between
1937 and 1942. The ABC was an electrical computer that used
vacuum tubes for digital computation, including binary math and
Boolean logic and had no CPU.
Between 1943 and 1946, J. P. Eckert and J. Mauchly invented the

ENIAC as the first fully functional digital computer after the ABC.
The ENIAC occupied about 1,800 square feet and used about 18,000
vacuum tubes, weighing almost 50 tones. Thereafter, Eckert and J.
Mauchly released a series of mainframe computers under the
UNIVAC name. The first commercial computer was manufactured
by Konrad Zuse in 1942 (Z4) and was sold to Eduard Stiefel, a
mathematician.
The first desktop and mass market computer (Programma 101) was
unveiled in 1964 by Pier Giorgio Perotto. However, in 1968, Hewlett
Packard began marketing the HP 9100A, considered to be the first
mass marketed desktop computer. The first workstation was the
Xerox Alto introduced in 1974. The computer was revolutionary for
51
its time and included a fully functional computer, display, and mouse.
The computer operated like many computers today utilizing
windows, menus and icons as an interface to its operating system. In
1975, Ed Roberts coined the term "personal computer" when he
introduced the Altair 8800. In 1975, the IBM 5100 was introduced as
the first portable computer. Today, computers and hand held devices
come in different shapes and size with massive computing power and
much functionality.
History of computer security

The first recorded computer security threats actually didn‘t come
from a human but from a moth found by Murray Hopper in 1945
among the relays of a Navy computer and called it a ―bug.‖ From
this, the term ―debugging‖ was born. However, the first security
threats involved criminals tapping into phone systems. In the 1960s,
AT&T decided to closely monitor calls in order to catch ―phone
freaks.‖ These ―phreakers,‖ used ―blue boxes‖ to generate the right
tone to get free calls. This surveillance eventually led to 200
convictions. The focus on phone networks paved the way for greater
risks to computers.
The first viruses and worms developed were at first harmless. In

1979, the first worm was developed at a Xerox research station and
its goal was to actually help make more efficient computers. Later on,
hackers took the worms, modified them, and began using them to
destroy or alter data. The first personal computer virus called ―Brain‖
was developed in 1986, but it was not destructive in nature. In fact,
the men behind it actually included their names and contact
information buried within the code. More harmful viruses eventually
followed, including ―Form‖ and ―Michelangelo.‖ Self-modifying
viruses were first created in 1990, but rapid infection rates didn‘t take
off until several years later.
Rise of the Internet and Hackers

In 1992, business started to use the Internet as a commercial tool.
The Internet became more attractive with applications for computer
games, video, and music (Santanya, 2011). With these new
52
applications, came the greater danger of information theft. Private
users gained regular access of the internet. As more computer users
gained Internet access, companies began to use the net as a ―virtual
store‖.
From 1995, viruses started spreading at an alarming pace, starting

with the first Microsoft Word-based virus. This saw the emergence of
computer hackers. In 1998, an incident known as ―Solar Sunrise‖
occurred, where teenage hackers gained control of hundreds of
computer systems used by the military, government, and private
sectors. Two years later, other hackers used distributed denial of
service (DDOS) attacks to shut down Yahoo, eBay, Amazon and
others.
In 2001, the Code Red worm was unleashed, infecting tens of

thousands of systems and causing around $2 billion in damage. The
development of computer security has a military origin. The
American government has been ―a major force behind security
research and technology‖ because it has information on national
defense and intelligence (Santanya, 2011). The military used
encryption techniques to protect data stored in computer memory on
backup media. Unclassified data became protected by data
encryption.
Thus computer security has existed since the end of the 1960s
(Santanya, 2011). Since computers were small and were not broadly
used by the public, protection of data was easier. Today, however,
most households in developed nations have at least one computer.
The developments in information technologies and the increased
dependence on computer systems and networks have resulted in
cyber security becoming a critical field in response to cyber threats.
Landwehr (2001) notes that for many years security systems mainly
focused on confidentiality, integrity and availability. However, other
security concepts have developed such as such as authentication,
authorization and non-repudiation in cyber security. Today,
fingerprints and iris scan can also be used for
53
identification. Nissenbaum (2005) states that threats to security
multiply ―in number and sophistication‖ as information technologies
increase in society.
2.6 Policy, law and cyber security community
At the country level, there is need for a comprehensive national cyber

security policies and specific cyber crime legislation. Currently,
Zimbabwe is characterised by the absence of necessary cyber laws
and comprehensive legislative provisions governing and regulating
cyber-related activities in the country. The National Information and
Communication Technology Policy of Zimbabwe developed by the
Ministry of Information and Communication Technology, Postal and
Courier Services in 2015 acknowledges the need to come up with
national Cybersecurity policies and cyber laws.
Despite the global cyber risks and threats attended to information and
communication technologies, Africa remains lagging behind other
continents in terms of cyber security strategies and policies. In spite
of the breathtaking growth of ICT use in African countries, the
development of national cybersecurity legislation has been relatively
stagnant in the region. Mauritius has the most advanced cyber
security policy in Africa and legislation addressing cybercrime, e-
commerce, data protection, and privacy as well as an established
Computer Emergency Response Team (CERT).
Zimbabwe is also behind in terms of establishing cyber security

policies and cyber laws. In December 2015, South Africa adopted its
National Cybersecurity Policy Framework (NCPF) and is developing
its cyber security laws. Other countries in the region are also working
on introducing national cyber security policies and laws in response
to the global cyber security threats.
In general, the purpose of a national cyber security policy is to focus

on the following major areas, namely:
 defending national infrastructures from cyber attacks and threats;
54
 advancing a country‘s information technologies and cyber
security strategies;
 encouraging cooperation on cyber security issues among
academia, industry, and the private sector as well as between
government agencies and the security community;
 Advancing research and development in cyberspace and
supercomputing;
 Consolidating the administrative aspects of cyber regulation and
advances parliamentary and secondary regulation in the cyber
field.
There is also need for a National Computer Emergence Response

Team (CERT) which conducts on-going assessment among various
essential civil, security and defence organizations while constituting
a first hand national defensive layer for the entire for the entire
country‘s administration. According to Benoliel (2015), a national
cyber security policy should clearly define cyber security from the
following standpoints:
(a) the range of cyber threats: ranging from deliberate attacks for
military or political advantage to the forms of cybercrime, cyber
warfare, and cyber terror against civil and military objects;
(b) the types of cyber security risks: ranging from concealment
(Trojan horse), infectious malware, malware for profit (vector,
control, maintenance and payload), Botnets, cybercrime business
models (advertising, theft, support) and chokepoints (anti-
malware, registrars, payments, site takedown and blacklisting);
and
(c) the cyber security policy model ought to map cooperative
international arrangements involving governments and civil
society to reduce risks to cyber security.
2.7 Cyber security laws development in Zimbabwe
As indicated above, there is no comprehensive cybersecurity

framework in Zimbabwe. The National Information and
Communication Technology Policy of Zimbabwe highlights that the
ICT sector has been faced with a number of challenges which
55
includes the absence of cybersecurity framework. The National ICT
Policy of Zimbabwe defines cybersecurity as:
Cybersecurity is the collection of tools, policies, security

concepts, security safeguards, guidelines, risk management
approaches, actions, training, best practices, assurance and
technologies that can be used to protect the cyber
environment and related assets. Such assets include
connected computing devices, personnel, infrastructure,
applications, services, telecommunications systems, and the
totality of transmitted and/or stored information in the cyber
environment. Cybersecurity strives to ensure the attainment
and maintenance of the security properties of the country‟s
assets against relevant security risks in the cyber
environment. The overall security objective is to ensure the
availability, integrity and confidentiality of data in
cyberspace.
It is noted that the absence of a national cybersecurity policy retards

the development of a comprehensive strategy on national response
to cyber risks and threats. It also impedes the crafting and
promulgation of specific cyber security laws to deal with the ever-
increasing risks of cyber attacks and cybercrime. The lack of
regulation and legislation regarding cybersecurity renders the
country increasingly vulnerable to significant security risks. Indeed,
in Zimbabwe there are currently no comprehensive laws dealing
with cybercrime apart from a few generalized computer-related
crimes outlined in Chapter VIII of the Criminal Law (Codification
and Reform) Act of Zimbabwe [Chapter 9:23].
Accordingly, Zimbabwe as a country needs to urgently come up

with a national cyber security policy and comprehensive cyber
security laws given the magnitude of cyber security threats in this
information age. The Postal and Telecommunications Regulatory of
Zimbabwe (POTRAZ) has been reportedly working with the
Ministry of Information and Communication Technology, Postal
and Courier Services to introduce a raft of specific laws on
56
computer and cybercrime, data protection and electronic
transactions and electronic commerce. Such laws are long overdue
if Zimbabwe is to have a comprehensive legal and regulatory
framework consistent with the developments in the field of cyber
security.
2.8. Chapter Summary and Conclusion
This Unit covered a number of issues including ethical and legal

issues relating to the cyber environment. Various ethical dilemmas
pertaining to the use of computer systems and behaviors in
cyberspace have been highlighted and discussed. The discourse on
ethics also touched on ethical disclosures as well as security issues
relating to surveillance and cyber attacks. A brief history has been
outlined on the development of computers and cyber security. The
final sections of the Unit covered issues of cyber security policies
and cyber laws. The importance of coming up with national cyber
security policies and comprehensive cyber security legal and
regulatory framework has been emphasized.
57
UNIT 3
CLASSES OF ATTACKS AND THREATS
By the end of this Unit, students will be able to:

 Define threats, vulnerabilities and attacks
 Understand the various classes of computer threats and attacks
 Explain computer viruses, worms, Trojan horses and other
malware
 Identify Information Security services and properties
 Identify and understand the threats posed to information
security
 Identify and understand the more common attacks associated
with those threats.
3.0 Introduction
Information technology has become an integral facet of society,

business and individuals. Data and information in computer systems
are valuable assets without which organizations cannot survive.
Computer systems however face formidable risks and threats from
attackers. The advancement of computer technology increases
opportunities for criminals to create and spread malignant programs
or ‗computer contaminants‘ targeted at causing harm or damage to
computer systems. Such programs are broadly known as malicious
software (or ―malware‖) and consist of computer viruses and
worms, spyware, Trojans and Bots, among others. The objective
behind disseminating malware is generally two-fold: causing
unauthorised modification or impairment of data in computers
and/or accessing confidential information to facilitate fraud or other
criminal activities. In this chapter the focus will be on the various
types of vulnerabilities, threats and attacks.
3.1 Definition of terms
Cyber security risks are a constantly evolving threat to an

organisation‘s ability to achieve its objectives and deliver its core
functions. There are various types of vulnerabilities, threats and
58
attacks and thus it is important to grasp meaning of some these
terms used in computer security.
Threats
In cyber security, a threat is a generic term referring to a potential
danger or risk that might exploit a vulnerability to breach security
thereby causing possible harm. Numerous definitions of the term
have been proffered by different organizations. For instance, the
International Organization for Standardization (ISO 27005:2008)
defines a threat in simple terms as ‗a potential cause of an incident,
that may result in harm of systems and organization.‘ A threat may
be an object, person, or other entity that represents a constant
danger to an asset.
A more comprehensive definition is provided by the Federal

Information Processing Standards (FIPS) 200, Minimum Security
Requirements for Federal Information and Information Systems,
which defines a threat as
―Any circumstance or event with the potential to adversely impact
organizational operations (including mission, functions, image, or
reputation), organizational assets, or individuals through an
information system via unauthorized access, destruction, disclosure,
modification of information, and/or denial of service. Also, the
potential for a threat-source to successfully exploit a particular
information system vulnerability.‖
In summary, a threat is therefore any circumstance or event with the

potential to adversely impact an asset through unauthorized access,
destruction, disclosure, modification of data, and/or denial of
service. Hackers and other cyber criminals are known to constantly
search for vulnerabilities to exploit in computer systems. Attackers
may the exploit cyber security vulnerabilities to gather sensitive
data or cause catastrophic damage or destruction. For instance,
hackers may launch cyber attacks against critical infrastructure such
as gas pipelines, water facilities, aviation systems or financial
institutions. It is therefore important to understand different forms
and types of cyber security threats in order to effectively manage
59
them. Some of the different types of cyber threats are discussed in
the ensuing sections.
3.2 Types of cyber threats
A cyber threat is best explained as a potential violation of security

properties. Cyber attack and data breach methods are constantly
evolving and as such organisations have to continuously upgrade
their cyber security systems. Cyber threats may be differentiated as
follows:
Accidental or Intentional Threats
Accidental threats occur without premeditated intent and are usually

caused by equipment or software failure or malfunction. Typical
examples of accidental threats include power faults that may or may
not result in damage to the computer or data loss. On the other hand,
intentional threats result from deliberate acts against the security of
an asset. For instance, illegal processing of data on a computer may
be classified as a deliberate and intentional threat. Intentional
threats range from casual examination of a computer network using
easily available monitoring tools, to sophisticated attacks using
special system knowledge. Intentional threats that materialize
become attacks.
Active or Passive Threats
An active threat may be defined as a threat resulting in some

change to the state or operation of a computer system, such as the
modification of data and the destruction of physical equipment.
Conversely, passive threats are more directed at gleaning
information from a system without affecting the resources of the
system. Common passive threat techniques include eavesdropping,
wiretapping and deep packet analysis or inspections. If a passive
threat is successful it results in what is known as passive attacks.
Threat Source and Threat Actors
The term threat source refers to the objective and method used by
60
cyber attackers to exploit security vulnerabilities or a certain context
in order to compromise an information system. Thus a threat source
may be described as an entity that desires to breach information or
physical assets‘ security controls. In computer security, a threat
actor is an entity that actually performs the attack to the system. For
instance, a competitor works with an employee to steal trade secrets
from an organization, then the competitor is the threat source and
the employee is the threat actor. Profiling threat actors is essential in
order to understand their motivation, learn their modus operandi
and adopt the necessary countermeasures.
Vulnerability
The term ‗vulnerability‘ is extensively used in the field of computer

security to refer to a weakness, which may be exploited by an
attacker to reduce a system's information assurance. It is a weakness
or fault that can lead to an exposure. In general, vulnerability
comprises three elements, viz: a system susceptibility or flaw,
attacker access to the flaw, and attacker capability to exploit the
flaw. The intentions of threat sources and threat actors often
materialize into attacks largely because they exploit weaknesses in
the security controls. The vulnerability may be as a consequence of
software patching or poor configuration.
Security risk
Security risk or cyber risk refers to the probability that a threat will
exploit a vulnerability to breach the security of an asset. It is
common knowledge that functional information technology systems
operate with a degree of exposure to threats given that full
elimination of risk is either too expensive or undesirable. In any
organization, cyber security strategy is a critical component in
managing cyber security risks.
Cyber attacks
Security breaches in the field of computer systems are commonly

known as cyber attacks. A security breach occurs when there is a
61
compromise of security that leads to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to
protected data transmitted, stored or otherwise processed. A cyber
attack is an act or action that exploits vulnerabilities or identified
weaknesses in a controlled system. An attack is described as a
malicious act that attempts to collect, disrupt, deny, degrade or
destroy information system resources or the information itself. A
cyber attack occurs when a threat breaches security controls around
a physical or an information asset.
Cyber attacks may be classified as active and passive attacks. By

way of definition, an ‗active‘ attack is one that aims to change the
state or operation of a computer system, such as the modification of
data and the destruction of physical equipment. Conversely, a
"passive" attack seeks to use information from a computer system
but does not affect the system resources. In other words, passive
attacks are primarily focused on obtaining data from a system. A
typical example is where hackers use packet inspection and analysis
to facilitate offline review of security protocols and thus fine-tune
exploits.
Cyber attacks may also be classified depending on where they are

originating. In other words, cyber attacks may be inside attacks or
outside attacks. An inside attack may aptly be described as one that
is initiated by an entity inside the security perimeter, that is, by an
‗insider‘. A good example of insider attacks is a disgruntled
employee who initiates cyber attacks to spite the organization.
Insider attacks are therefore problematic as the perpetrators take
advantage of access privileges obtained for legitimate business
functions for launching the attackers. On the other hand, outside
attacks involve unauthorized or illegitimate users who initiate
attacks from outside the security perimeter. These include hackers,
organized criminal groups and other cyber criminals outside the
organization. However, more often than not, outsider attackers work
in collusion with internal resources to initiate cyber attacks.
62
Forces of Nature
Forces of nature such as earthquakes, floods, and other natural

disasters are among the most dangerous threats as they not only
disrupt individual lives but also storage, transmission, and use of
information. Organizations must implement controls to limit
damage and prepare contingency plans for continued operations.
Types of Software Threats and Attacks
There are numerous types of computer software attacks, with new

varieties being devised continuously. Various tools and tactics are
used to orchestrate computer attacks. The umbrella term used to
refer collectively to these tools is malicious software or ‗malware.‘
This section discusses some of the more common attacks, including
viruses, worms, Trojan horse, spam, distributed denial-of-service,
and rootkit, among other types of attacks.
(a) Computer Viruses
A computer virus may be defined as ―a rogue software program that

attaches itself to other software programs or data files in order to be
executed, usually without user knowledge or permission‖ (Laudon
and Laudon 2006: 345). According to Grabosky (…), a virus is a
computer program that may spread from computer to computer, as
files containing the program are opened, using up available memory
and degrading the ‗infected‘ systems and their networked
computers.
A computer virus is therefore a self-replicating malicious code

designed to spread from system to system. The effects of a virus on
a computer system or the ‗payload‘ may not have a harmful effect
per se or may be highly devastating to the extent of destroying
programs or data, jamming the computer memory, reformatting a
computer‘s hard drive or causing program malfunction. In some
instance, the viruses may corrupt the file allocation table on a disk
causing files to be inaccessible. Computer viruses are contagious
and can be transmitted from computer to computer via email
63
attachments or copying infected files. Viruses may also spread over
computer systems from infected disks or devices as well as Internet
downloads and web browsing.
Hackers and other attackers deliberately design malicious software

or ‗malware‘ to invade a computer system and interfere with its
operation, and or to copy, corrupt or delete computer data. These
malicious software programs are called ‗viruses‘ as they are
designed not only to infect and damage one computer, but also to
spread to other computers across the network or Internet. Computer
viruses are often hidden in what appear to be useful or entertaining
programs or e-mail attachments, such as computer games, video
clips or photos. Computer users then inadvertently or unwillingly
spread the viruses by sending emails colleagues and friends. A true
virus does not spread by itself from computer to computer depends
on the actions of the users of the ―infected‖ computer.
According to Reynolds (2015: 89), ―Computer virus has become an

umbrella term for many types of malicious code. Technically, a
virus is a piece of programming code, usually disguised as
something else, that causes a computer to behave in an unexpected
and usually undesirable manner.‖ Computer viruses infect
computers in various ways including the following:
 Viruses are usually propagated as file attachments. The virus

executes when an infected file is opened and spreads to other
computers.
 Certain viruses sit in a computer‘s memory and infect files as
the computer opens, modifies, or creates them.
 Other most common viruses deliver what is called a ―payload,‖
or malicious software that causes the computer to perform in
unexpected ways. A typical example is where a virus is
programmed to display a certain message on the computer‘s
display screen, delete or modify a certain document, or
reformat the hard drive.
Examples of some of the most virulent computer viruses ever

created include the ILOVEYOU virus, Melissa virus and Code Red.
64
These and other viruses caused untold havoc and extensive damage
to computer systems worldwide worth millions of dollars.
Accordingly, virus are a form of vicious computer software attacks
that cyber security professionals should be familiar with in order to
prevent or minimize the potency on computer systems.
Organisations must continuously invest in anti-virus software to
protect computer systems from virus attacks and other malware.
(b) Computer worms

Computer worms are another type of software threats to computer
systems. A worm is a computer program that reproduces itself and
spreads through a network, using up available memory. According
to Cobb (2000) worms have a disruptive effect on the host
computers as they can eat up empty space in memory and storage
thereby wasting valuable processing time. Computer worms are
self-replicating. In other words, worms are independent computer
programs with the ability to copy themselves from one computer to
others over a network. Worms are more sophisticated viruses that
can replicate automatically and send themselves to other computers
by first taking control of certain software programs on the
computer.
Although the distinction between viruses and worms is generally

blurred, a computer worm differs from a virus in that it does not
require human intervention, such as the opening of a file, in order to
spread. Thus the major difference between a virus and a worm is
that the latter can operate on its own without attaching to other
computer program files and depend less on human interventions in
order to spread from computer to computer. In other words, worms
can replicate themselves without using host files as carriers.
Reynolds (2015) observes that, unlike a computer virus, which
requires users to spread infected files to other users, a worm is a
harmful program that resides in the active memory of the computer
and duplicating itself and sending copies of themselves to other
computers by email.
65
As with viruses, worms can also be transmitted over the Internet
from files attached to emails and files downloaded from software.
Both viruses and worms can be transmitted to wireless computing
devices. The increased usage of mobile devices such as cellular
phones, and other hand held devices has resulted in enhanced
threats of viruses and worms as many of these devices can connect
to the internet apart from interfacing with computer systems.
Trojan horse
A Trojan horse is another common species of malware. It is a
software program that appears to be harmless in effect but carrying
potential threats to the system. In other words, a Trojan horse is a
computer program that masquerades as a legitimate program when
it is in fact a malicious code. A Trojan horse contains a set of
computer instructions deliberately concealed inside a program. It is
distinguished from a virus on the basis that it does not replicate but
is merely a springboard for introducing viruses or other malicious
code into a computer system.
According to Cavelty (2013) the main goal of Trojan horses is to

gain system intrusion to launch more advanced attacks. Once the
intruders gain full system control they have unrestricted access to
the inner workings of the computer system and can delay, disrupt,
corrupt, exploit, destroy, steal, and modify information at will. A
classic example of Trojan horse is the Trojan.Xombe detected in
2004. This malware masqueraded as an email message from
Microsoft and when an attachment was opened, it downloaded and
installed a malicious code on computers. Once the Trojan horse was
installed on the computer, hackers could access the computer
undetected, steal passwords, and use the computer as a launch pad
for denial of service attacks on other computers.
The program‘s harmful payload might be designed to enable the

hacker to destroy hard drives, corrupt files, control the computer
remotely, launch attacks against other computers, steal passwords or
Social Security numbers, or spy on users by recording keystrokes
and transmitting them to a server operated by a third party. A Trojan
66
horse can be delivered as an email attachment, downloaded from a
Web site, or contracted via a removable media device such as a
CD/DVD or USB memory stick (Reynolds 2015). Once an
unsuspecting user executes the program that hosts the Trojan horse,
the malicious payload is automatically launched as well. Common
host programs include screen savers, greeting card systems, and
games.
Spyware
Spyware refers to programs designed to monitor computer use.

Examples of spyware include ‗sniffer‘ programs, cookies and web
bugs. Bots are computer programs which infect target computers
and allow them to be remotely controlled. Botnets have also been
described as ―zombie army,‖ or collection of compromised
computers, zombies, used to send out spam, viruses or distributed
denial of service attacks. Malicious software takes on many
different forms, but one form, known as spyware, can cause a
victim great hardship. The term spyware describes a class of
malware based on the functionality of its payload. This class differs
from other malware classifications, such as worms and viruses,
which classify the malware based on the propagation method.
Spyware is a type of malware that poses a significant threat to

system information as it spies on users. The fact that spyware
monitors a user‘s activity without his or her consent or knowledge
allows the spyware to steal any information the user unknowingly
exposes. Spyware received its name based on its main intention of
monitoring or spying on a user‘s activity without the user‘s consent.
According to Graham et al (2011), to qualify as spyware, programs
must lack an End User License Agreement (EULA) or a privacy
policy. If a program has an agreement or policy that is intentionally
deceptive, it also qualifies as spyware. Programs that gather
information and have a EULA or privacy policy that specifically
states the software‘s information-gathering and user-monitoring
activities do not qualify as spyware. The specific terms in this
67
agreement or policy allow the user to agree to the terms and gauge
the legitimacy of the program before installation.
Attackers install spyware onto a system to monitor a user‘s activity

without his or her knowledge with the overall goal being to steal
information. Information stolen from spyware-infected systems can
include typed keys, form data, e-mail addresses, and credentials.
Key loggers belong to the spyware category because they monitor a
user‘s keystrokes and then send the stolen information to the
attacker. This type of spyware is very common, and it can expose
sensitive personal information, such as credit card or Social
Security numbers Graham et al (2011). Other spyware samples
employ more specific credential-stealing techniques than key
logging. A typical example is the technique involving form
grabbing, which is the act of stealing information entered into a
form within a Web browser. Spyware also steals usernames and
passwords from other Web browsers, e-mail, and Instant Messenger
clients that store credentials locally.
Spyware may also be programmed to steal cookies. Cookies are text

files on a local system created when a user interacts with a Web
server that requires authentication. The Web browser and Web
server generate information about the user‘s session to store in the
cookie so the user does not constantly have to re-authenticate.
Spyware can steal these cookies and attempt to use them to access a
user‘s account.
Network monitoring also enables spyware to steal information from

a user. Usernames and passwords sent over the network in clear text
reside within network packets, such as those sent for file transfer
protocol (FTP), simple mail transfer protocol (SMTP), and HTTP
requests, that spyware with network-monitoring capabilities can
steal. Spyware also profiles users by monitoring websites they visit
within the network traffic Graham et al (2011). Spyware can also
perform e-mail harvesting on infected systems to collect e-mail
addresses from a user‘s e-mail address book. The spyware then
sends the gathered e-mail addresses back to the attacker.
68
There is no doubt that spyware poses serious risks to the
confidentiality and integrity of data and may result in substantial
financial losses. In summary, data stolen by attackers through
spyware may be used for various reasons including the following:
 Attacker use spyware to steal sensitive information and

credentials resulting in identity theft. An attacker may also use
sensitive information in identity theft schemes to open credit
cards in victims‘ names.
 Attackers may use stolen credentials to have access to personal
accounts, such as online-banking or social-networking
accounts, or other systems for further spyware infection.
 Spyware is also used by attackers to collect intelligence and
sensitive documents from compromised systems, such as trade
secrets, customer data, and intellectual property, among others.
 Email addresses harvested by spyware may be used in spam
campaigns to send unsolicited e-mails or messages.
Denial of Service attacks

A denial of service (DoS) attack is a serious threat to computer
systems as it prevents users from accessing services from the
computer system. As highlighted in chapter 1 section 2.5,
availability is a critical component of information security. A DoS
attack therefore inhibits the server from providing services to users.
The attack usually entails hackers inundating a network server or
web server with numerous false communications or requests for
services with the objective of crashing the network.
Denial of service attacks also pose grave dangers to the business as

it results in unavailability of services. Distributed Denial of Service
attack is when an individual (usually a hacker) gains remote access
to a number of computers and directs them against a target (usually
a computer system belonging to a government or large commercial
entity). By overloading the target computer, the attack impedes
legitimate access and may render the system inoperable. In denial of
service types attacks, a server is overwhelmed with Internet traffic
so that access to a particular website is degraded or denied.
69
The result is that the unusually vast number of queries overwhelms
the network to the extent that it fails to cope up with them, making
services to legitimate requests unavailable. In other words, users are
prevented from accessing services on the computer system. A
deadly type of such an attack is called a distributed denial of service
(DDoS) attack. DDoS attacks will be discussed in detail below. This
uses several computers to flood and overwhelm a network from
numerous launch points. A common feature of DoS attacks is that
they do not destroy information or access restricted areas of a
company‘s information system but can, for instance, cause a web
site to shut down, making it virtually impossible for legitimate users
to access the site.
Logic bomb
Logic bomb is another type of malicious code that can attack
computer systems. Reynolds (2015) defines a logic bond as another
type of Trojan horse, which executes when it is triggered by a
specific event. For example, logic bombs can be triggered by a
change in a particular file, by typing a specific series of keystrokes,
or by a specific time or date. It is a dormant code, the activation of
which is triggered by a predetermined time or event. Thus, a logic
bomb might, for example, start erasing data files when the system
clock reaches a certain date or when the application has been
loaded. In practice, these various elements can be combined, so that
a virus could gain access to a system via a Trojan, then plant a logic
bomb, which triggers a worm (Cobb, 2000).
Ransomware
This is a type of malware that encrypts the victim‘s data, demanding
ransom for its restoration. According to Croall (2011) offenders can
create and control ‗zombie‘ computers and hold companies to
ransom by threatening a Denial of Service (DoS) attack in which
companies‘ websites, particularly those used for commercial sales,
are rendered inoperative through viruses or barraging the site with
so many emails that the system collapses. Ransomware activities
seek to extort money, access, or corporate secrets from victims.
70
Other types of computer threats and viruses
There are other less common but equally destructive types of
computer malicious codes. These include source code and object
code viruses, stealth and polymorphic viruses, among others. Source
code viruses insert malicious instructions into programs at the
source code level and not through the compiled program. An object
code infects an object rather than an executable, making itself less
open to normal methods of detection such antiviruses which usually
focus on protecting and monitoring executable files (Gove 2000).
Stealth viruses, as their name implies, disguise their presence by
staying in memory to monitor and intercept operating system calls.
Lastly, polymorphic viruses are malicious codes that mutate in
order to escape detection by antiviruses.
Hacking
Hacking is major threat to the security of computer systems and
networks. According to Yar (2006) ‗hacking‘ can be likened to
criminal damage or vandalism. Hacking used to require highly
technical skills but is now facilitated by readily available software
packages. ‗Hacktivists‘ are usually politically motivated and are
form of cyber terrorism (Williams 2010). Hackers write the
majority of the viruses that attack computer systems. In simple
terms, hacking involves the act of obtaining or acquiring
unauthorized access to a computer or computer system.
Exploit
In computing, an exploit is an attack on an information system that

takes advantage of a particular system vulnerability. Often this
attack is due to poor system design or implementation (Reynolds
(2015). Once the vulnerability is discovered, software developers
create and issue a ―fix,‖ or patch, to eliminate the problem. Users of
the system or application are responsible for obtaining and installing
the patch, which they can usually download from the Web. For
example, a critical vulnerability was discovered in Oracle‘s Java 7
software that made it possible for a hacker to break into computers.
Oracle released an emergency software fix to correct this problem.
71
Zero-day attacks
Zero-day attacks takes place before the security community or

software developer knows about the vulnerability or has been able
to repair it. In some cases, the knowledge of a vulnerability is sold
on the black market to cyber terrorists, governments, or large
organizations that may then use it themselves in attacks on the
computers of a rival (Reynolds 2015).
Spam
Although spam is not a virus per se, it poses serious threats to the
security of computers and information systems as it may be used as
an effective channel for delivering harmful viruses, worms and
other malware. Email spam is defined as the abuse of email systems
to send unsolicited email to large numbers of people. Most spam is
a form of low-cost commercial advertising, sometimes for
questionable products such as pornography. Spam is also an
extremely inexpensive method of marketing used by many
legitimate organizations. For example, a company might send email
to a broad cross section of potential customers to announce the
release of a new product in an attempt to increase initial sales. Spam
is also used to deliver harmful worms and other malware.
Spam forces unwanted and often objectionable material into email

boxes, detracts from the ability of recipients to communicate
effectively due to full mailboxes and relevant emails being hidden
among many unsolicited messages, and costs Internet users and
service providers millions of dollars annually. It takes users time to
scan and delete spam email, a cost that can add up if they pay for
Internet connection charges on an hourly basis. It also costs money
for Internet service providers (ISPs) and online services to transmit
spam, which is reflected in the rates charged to all subscribers.
Rootkits
Rootkit is a collection of programs that a hacker uses to mask

intrusion and obtain administrator-level access to a computer or
computer network. Reynolds (2015) observe that a rootkit is a set of
72
programs that enables its user to gain administrator-level access to a
computer without the end user‘s consent or knowledge. Once
installed, the attacker can gain full control of the system and even
obscure the presence of the rootkit from legitimate system
administrators.
Attackers can use the rootkit to execute files, access logs, monitor
user activity, and change the computer‘s configuration. Rootkits are
one part of a blended threat, consisting of the dropper, loader, and
rootkit. The dropper code gets the rootkit installation started and can
be activated by clicking on a link to a malicious Web site in an
email or opening an infected PDF file. The dropper launches the
loader program and then deletes itself. The loader loads the rootkit
into memory; at that point, the computer has been compromised.
Rootkits are designed so cleverly that it is difficult even to discover
if they are installed on a computer.
The fundamental problem with trying to detect a rootkit is that the

operating system currently running cannot be trusted to provide
valid test results. Here are some symptoms of rootkit infections:
 The computer locks up or fails to respond to input from the

keyboard or mouse.
 The screen saver changes without any action on the part of the
user.
 The taskbar disappears.
 Network activities function extremely slowly.
When it is determined that a computer has been infected with a

rootkit, there is little to do but reformat the disk; reinstall the
operating system and all applications; and reconfigure the user‘s
settings, such as mapped drives. This can take hours, and the user
may be left with a basic working machine, but all locally held data
and settings may be lost. A recent rootkit, labelled the ―2012 rootkit
virus,‖ is a nasty piece of malware that deletes information from a
computer and makes it impossible to run some applications, such as
Microsoft Word. The longer the rootkit is present, the more damage
it causes. The virus asks users to install what appears to be a
73
legitimate update to their antivirus software or some other
application. By the time the user sees the prompt to install the
software, it is too late, the computer has already been infected by
the rootkit.
Types of Perpetrators
The people who launch these kinds of computer attacks include

thrill seekers wanting a challenge, common criminals looking for
financial gain, industrial spies trying to gain a competitive
advantage, and terrorists seeking to cause destruction to further their
cause. Each type of perpetrator has different objectives and access
to varying resources, and each is willing to accept different levels of
risk to accomplish his or her objective. Each perpetrator makes a
decision to act in an unethical manner to achieve his or her own
personal objectives. However, the greatest threat comes from
disgruntled employees.
Disgruntled employees
According to Kulkarni and Chande (2014) more than 70% of the

attacks and thefts can be attributed to unhappy employees within an
organization or unhappy employees who have left the organization.
Disgruntled employees and former employees pose the most serious
security threats, as they know intimate details of an organization‘s
computer systems. According to Laudon and Laudon (2014), the
largest financial threats to business institutions come from insiders.
Some of the largest disruptions to service, destruction of e-
commerce sites, and diversion of customer credit data and personal
information have come from insiders – once trusted employees.
There are many ways in which employees security threats to
computer systems and these include but not limited to:
 access to privileged information – employees can take
advantage of sloppy internal security procedures and are often
able to roam throughout an organization‘s systems without
leaving a trace.
 Lack of knowledge - users‘ lack of knowledge is the single
greatest cause of network security breaches. Many employees
74
forget their passwords to access computer systems or allow
other coworkers to use them, which compromises the system.
 Social engineering - malicious intruders seeking system access
sometimes trick employees into revealing their passwords by
pretending to be legitimate members of the company in need of
information.
 System errors – employees are also a major source of errors
introduced into an information system. Employees can
introduce errors by entering faulty data or by not following
proper instructions for processing data and using computer
equipment. Information systems specialists can also create
software errors as they design and develop new software
maintain existing programs. (Laudon and Laudon 350)
3.3 Code Injection Attack
Code injection attack refers to an attack by inserting codes into a

computer program or system to interfere with its normal operation,
and thus posing security threats. Attackers usually attack the target
system by exploiting the vulnerable input validation process. Thus,
code injection may be described as the exploitation of a computer
bug that is caused by processing invalid data. Attackers use
injection to introduce or "inject" code into a vulnerable computer
program and alter the course of execution. A successful code
injection is often disastrous as can result in data loss or corruption,
lack of accountability, or denial of access. Injection can sometimes
lead to complete host takeover. Certain types of code injection are
errors in interpretation, giving special meaning to mere user input.
As highlighted above, code injection is the malicious injection or

introduction of code into an application. The code introduced or
injected is capable of compromising database integrity and/or
compromising privacy properties, security and even data
correctness. It can also steal data and/or bypass access and
authentication control. Code injection attacks can infect applications
that depend on user input for execution. These types of attacks are
popular in system hacking or cracking to gain information, privilege
escalation or unauthorized access to a system.
75
Examples of Code Injection Attack
Code injection can be used maliciously for various purposes,

including arbitrarily modifying values in a database through SQL
injection. The impact of this can range from website defacement to
serious compromise of sensitive data. It may also install malware or
execute malevolent code on a server, by injecting server scripting
code. The most common code injection attack is the Structured
Query Language (SQL) injection attack on the Internet. This kind of
attack can lead to sensitive data leakage. It is also possible to make
changes or even delete information. Furthermore, attackers may
possibly bypass user authentication and connect to a system as
another user.
SQL instructions can be used to query data in the database through

an online application. If the online application does not verify the
validity of all inputted SQL instruction variables, attackers can
exploit this loophole to alter or insert SQL instructions and
endanger the system. They may circumvent the system‘s access
control and bypass identity authentication and privilege check to
carry out further attacks.
SQL injection therefore corrupts legitimate database queries to

provide falsified data. Other modes of attacks include script
injection in which the attacker provides programming code to the
server side of the scripting engine. Shell injection attacks, also
known as operating system command attacks, manipulate
applications that are used to formulate commands for the operating
system. In a dynamic evaluation attack, an arbitrary code replaces
the standard input, which results in the former being executed by
the application. The difference between code injection and
command injection, another form of attack, is the limitation of the
functionality of the injected code for the malicious user. Another
typical code injection attack is Cross Site Scripting (XSS) Attack.
Attackers exploit the security loopholes on web applications and
alter the website‘s script program to carry out destructive
76
behaviours, such as website defacement, implanting computer
worms, among others.
Security Measures
Checking program coding manually or conforming to stringent

coding requirements are more effective measures. For example:
organizations should consider adopting the least privilege principle
by not granting administrative rights to an applications program so
that the unauthorised program cannot modify system files. Other
security measures to prevent code injection attack are to ensure that
program source codes do not contain any passwords and to carry out
data input verification, such as, setting restrictions on data that can
be inputted or verifying all data inputted by the user.
Organizations should also assess the risks and potential security

loopholes on computer programs and systems with respect to such
areas as user input, access control, configuration management,
interface, authentication and operation system. Security audit tools
may be used to conduct regular or real-time scans on applications.
This helps reduce the possibility of code injection attack.
3.4 Time of check to time of use race condition
Another form of attack to computer systems involves what is know

as time to check to time of use race condition. According to Lowery
(2002) time of check to time of use (TOCTTOU) vulnerabilities
exist due to race conditions arising from an invalid assumption. In
fact, it is quite possible that the security of an environment changes
with respect to the assertion during this interval. If these changes
are cleverly timed and orchestrated, the operation may result in a
security breach.
The software checks the state of a resource before using that

resource, but the resource's state can change between the check and
the use in a way that invalidates the results of the check. This can
cause the software to perform invalid actions when the resource is
in an unexpected state. This weakness can be security-relevant
77
when an attacker can influence the state of the resource between
check and use. This can happen with shared resources such as files,
memory, or even variables in multithreaded programs.
According to Wikipedia, in software development, time of check to

time of use (is a class of software bug caused by changes in a
system between the checking of a condition (such as a security
credential) and the use of the results of that check. The Wikipedia
illustrates a race condition as follows: consider a Web application
that allows a user to edit pages, and also allows administrators to
lock pages to prevent editing. A user requests to edit a page, getting
a form which can be used to alter its content. Before the user
submits the form, an administrator locks the page, which should
prevent editing. However, since editing has already begun, when the
user submits the form, those edits, which have already been made,
are accepted. When the user began editing, the appropriate
authorization was checked, and the user was indeed allowed to edit.
However, the authorization was used later, at a time when edits
should no longer have been allowed.
Some of these vulnerabilities in computer systems are due to poor

software quality. Software quality can suffer for a number of
reasons ranging from poor design to poor implementation. Software
programmers may not fully comprehend the side effects and timing
issues associated with the integrated components or one may make
other invalid assumptions about their function.
A number of methods may be used to manage TOCTTOU

vulnerabilities. The first technique is the ‗check to near use‘. By
moving the time-of-check closer to the time-of-use, the window of
vulnerability is proportionally reduced. Again, this merely reduces
the window of exposure rather than eliminating it completely. In
other words, it makes it harder for an attacker to penetrate but not
impossible. The second technique involves immutable bindings.
Making a reference such that its resolution is immutable (i.e. cannot
be changed) means that it will always resolve to the same object.
This approach eliminates TOCTOU vulnerabilities but may not be
78
possible in some situations. One effective way to avoid TOCTTOU
errors is to choose resource references that are guaranteed to resolve
consistently at both the check and use steps.
3.5 Sybil Attack
The Sybil attack in computer security is an attack wherein a

reputation system is subverted by forging identities in peer-to-peer
networks. It is named after the subject of the book Sybil, a case
study of a woman diagnosed with dissociative identity disorder
(Wikipedia). In a Sybil attack, the attacker subverts the reputation
system of a peer-to-peer network by creating a large number of
pseudonymous identities, using them to gain a disproportionately
large influence.
A peer-to-peer network relies on assumptions of identity, where

each computer represents one identity. A Sybil attack occurs when
an insecure computer is hijacked to claim multiple identities. An
attacker with many identities can use them to act maliciously, by
either stealing information or disrupting communication. By
masquerading and presenting multiple identities, the adversary may
be able to affect voting outcomes or even substantially control the
network. For example, an Internet poll can be rigged using multiple
IP addresses to submit a large number of votes. Some companies
have also used Sybil attacks to gain better ratings on Google Page
Rank.
There are a number of ways to prevent Sybil attacks. One way is by

using trusted certification or validation techniques in which a single,
central authority establishes and verifies each identity via a
certificate. Validation techniques prevent Sybil attacks and dismiss
masquerading hostile entities. A local entity may accept a remote
identity based on a central authority, which ensures a one-to-one
correspondence between an identity and an entity. An identity may
be validated either directly or indirectly. In direct validation the
local entity queries the central authority to validate the remote
identities. In indirect validation the local entity relies on already
accepted identities which in turn vouch for the validity of the
79
remote identity in question. However, the drawback of this security
technique is that it can use up large amounts of resources and
bottleneck traffic on the network.
Identity-based validation techniques generally provide

accountability at the expense of anonymity, which can be an
undesirable tradeoff especially in online forums that wish to permit
censorship-free information exchange and open discussion of
sensitive topics. A validation authority can attempt to preserve
users' anonymity by refusing to perform reverse lookups, but this
approach makes the validation authority a prime target for attack.
Alternatively, the authority can use some mechanism other than
knowledge of a user's real identity - such as verification of an
unidentified person's physical presence at a particular place and
time - to enforce a one-to-one correspondence between online
identities and real-world users.
Sybil prevention techniques based on the connectivity

characteristics of social graphs can also limit the extent of damage
that can be caused by a given Sybil attacker while preserving
anonymity, though these techniques cannot prevent Sybil attacks
entirely, and may be vulnerable to widespread small-scale Sybil
attacks. Cyber security professionals and Internet users should be
familiar with Sybil attacks and other threats as they can affect the
fabric of Internet commerce and communication.
3.6 Distributed denial of service and other attacks and networks
Denial of service (DoS) attacks have been discussed in greater

detail in previous sections. Under this section, the focus is on a
more deadly form of DoS attack known as distributed denial of
service (DDoS).
Definition of DDoS
Reynolds (2015) defines a distributed denial of service (DDoS)

attack as one in which a malicious hacker takes over computers via
the Internet and causes them to flood a target site with demands for
80
data and other small tasks. A distributed denial-of-service attack
does not involve infiltration of the targeted system. Instead, it keeps
the target so busy responding to a stream of automated requests that
legitimate users cannot access the system. A DDoS attack has been
described as the Internet equivalent of dialling a telephone number
repeatedly so that all other callers hear a busy signal. DDoS attacks
are usually launched from what are called botnets. These are large
clusters of connected devices such as personal computers, cell
phones, or routers, infected with malware that allows remote control
by an attacker.
Reynolds (2015) observes that the term botnet is used to describe a

large group of such computers, which are controlled from one or
more remote locations by hackers, without the knowledge or
consent of their owners. The collective processing capacity of some
botnets exceeds that of the world‘s most powerful supercomputers.
Based on a command by the attacker or at a preset time, the botnet
computers, also known as zombies, go into action, each repeatedly
sending a simple request for access to the target site until the target
computers are so overwhelmed by requests for service that
legitimate users are unable to access service from the target
computer.
Effects of DDoS attacks
DDoS attacks can have serious implications for cyber security of an

organization as they are usually targeted at denying availability of
service. Unlike other kind of cyber attacks typically launched to
establish a long-term foothold and hijack sensitive information, a
DDoS attack does not attempt to breach the security perimeter but
rather render websites and servers unavailable to legitimate users.
The most common victims of DDoS attacks are financial
institutions and e-commerce Web sites. These attacks may render
websites and other online resources unavailable to intended users.
Botnets are also frequently used to distribute spam and malicious

code. A famous example is the Grum botnet detected in 2008 and
operated until 2012 before it was eradicated. The Grum botnet
81
reportedly infected several hundred thousand computers around the
world by generating phenomenal amounts of spam advertising
cheap pharmaceutical products. At its peak, the Grum botnet is
estimated to have been responsible for 35 percent of the world‘s
spam.
Difference between DoS and DDoS

There are major differences between DoS and DDoS attacks. In a
DoS attack, an attacker uses a single Internet connection to either
exploit software vulnerability or flood a target with fake requests,
usually in an attempt to exhaust server resources. Conversely,
DDoS attacks are launched from multiple connected devices that are
distributed across the Internet. This multi-person, multi-device
barrages are generally harder to deflect, mostly due to the sheer
volume of devices involved. Unlike single-source DoS attacks,
DDoS assaults tend to target the network infrastructure in an
attempt to saturate it with huge volumes of traffic. DDoS attacks
also differ in the manner of their execution. Generally speaking,
DoS attacks are launched using homebrewed scripts or DoS tools,
while DDoS attacks are launched from botnets.
Motives behind attacks

Attackers using DDoS techniques usually have different motives.
DDoS attacks are launched by individuals, businesses and even
nation-states, each with their own particular motivation DDoS
attacks are frequently used as a popular weapon of choice by
Hacktivists, cyber vandals, and extortionists. For instance,
Hacktivists may use DDoS attacks as a means to express their
criticism of governments and politicians, and major business
organizations. If their demands are not met, Hacktivists may bring
down a website through DDoS assaults. Extortionists may use
DDoS attacks to demand ransom in exchange for ceasing the
attacks. In Cyber warfare, state-sponsored DDoS attacks may be
used to silence government critics and internal opposition, as well
as a means to disrupt critical financial, health and infrastructure
services in enemy countries.
82
DDoS attacks are increasingly being used as a competitive business
tool. Some of these assaults are designed to keep a competitor from
participating in a significant event, while others are launched with a
goal of completely shutting down online businesses for months. The
motivation behind such attacks is to cause disruption that will cause
customers to flock to the competitor while also causing financial
and reputational damage.
Measures to prevent or minimize attacks

DDoS attacks may have devastating effects on business or any other
organization for that matter. These attacks often last for a long time,
making them extremely destructive to any online organization.
DDoS attacks may therefore result in catastrophic consequences for
an organization as they can cause substantial loss of revenues, erode
consumer trust, force businesses to spend fortunes in compensations
and long-term reputation damage. Security measures should be put
in place to prevent or minimize the impact of DDoS attacks in the
event of occurrence. However, DDoS attacks are almost impossible
to prevent or defend. None-the-less, cyber security professionals
should take proactive measures in readiness for an attack. Such
measures may include:
 installing and maintaining anti-virus software as well as
firewalls configured to restrict traffic coming into and leaving
the computer systems.
 following good security practices for distributing email
addresses such as email filters that may help manage unwanted
traffic.
 constantly monitoring traffic to look for abnormalities,
including unexplained traffic spikes and visits from suspect IP
address and geolocations. All of these could be signs of
attackers performing ―dry runs‖ to test your defenses before
committing to a full-fledged attack. This can help targeted
victims to prepare for the attacks.
 keeping an eye on social media for threats, conversations and
boasts that may hint on an incoming attack.
 using third-party DDoS testing (i.e., pen testing) to simulate an
attack against the organization‘s IT infrastructure as a way of
83
testing the state of preparedness against possible attacks.
 creating a response plan and a rapid response team, whose
responsibility is to minimize the impact of an assault. The
response plan should establish procedures for customer support
and communication teams, among others.
Signs of attack
Organizations must put early detection tools in place and be on the
look out for possible signs of attack. Not all disruptions to service
are the result of a denial-of-service attack these may be caused by
technical problems with a particular network, or system
administrators may be performing maintenance. However,
unusually slow network performance, unavailability of a particular
website, inability to access any website and dramatic increase in the
amount of spam being received may be symptomatic of a DoS or
DDoS attack.
3.7 Managing Cyber Security Operations
Attackers are using more sophisticated and aggressive methods that

require equally assertive measures to detect, respond, and quickly
adapt to new cyber threats that may jeopardize security.
Accordingly, effective management of cyber security operations is
critical in order to prevent cyber threats or minimise the impact of
successful attacks. Managing cyber security risk has become an
integral component of an organization‘s governance, risk
management, and business continuity frameworks. This approach
provides the strategic framework for managing cyber security risk
throughout the organization.
Cyber security standards

Any organization with the objective of effectively managing cyber
security operations must have a comprehensive cyber security
program that leverages on industry standards and best practices to
protect systems and detect potential problems. The International
Standards Organization (ISO) has developed comprehensive
standards/certifications and audits to decide levels of security in an
84
organization. Some such standards include ISO/IEC27001, ISO/IEC
270002, ISO 17799.
It has been established that compliance requirements help

organizations to establish a good cyber security baseline to address
known vulnerabilities, but do not adequately address new and
dynamic threats, or counter sophisticated adversaries. Using a risk-
based approach to apply cyber security standards and practices
allows for more comprehensive and cost effective management of
cyber risks than compliance activities alone.
Security audits
Organizations must constantly carry out security audits as part of
cyber security management. According to Kulkarni and Chande
(2014), the purpose of security audit and certification is to make
sure that an organization is following best practices in this regard
like proper risk assessment and has the controls or processes to
secure its assets. Conducting comprehensive and systematic audits
helps the organization to know that information systems security
and controls are effective.
An audit of the management information systems assists in

identifying all of the controls that govern individual information
systems and assesses their effectiveness. Laudon and Laudon (2006)
observe that the auditor must acquire a thorough understanding of
operations, physical facilities, telecommunications, security
systems, security objectives, organizational structures, personnel,
manual procedures, and individual applications. The audit lists and
ranks all control weaknesses and estimates the probability of their
occurrence. It assesses the financial and organizational impact of
each threat.
Managing cyber security operations is not merely watching for

malicious activity, organizations need systems that proactively
identify those activities most detrimental to the business and support
mitigation decisions. In other words, the traditional information
technology security monitoring needs to become cyber risk
85
monitoring. Thus there is need for a paradigm shift where cyber
security needs to transform from being the domain for the IT
professional to that of executive management team and the board of
directors. This will ensure that cyber security become a strategic
issue for the organization and that appropriate budgetary resources
are allocated to manage cyber risks. A risk-focused monitoring
function is required to enable the organization to advance its
business strategies. But making this transition is not an effort that
can be delegated to technical leaders and their teams. It requires
guidance, collaboration, and ongoing governance at the executive
level.
3.8 Incident Management and Response
Incident management and response techniques must be an integral

component of a cyber security system. An effective incident
management and response system involves understanding the
organization‘s state of preparedness to respond to cyber security
incidents in terms of the following critical areas:
(a) People
This involves assigning an incident response team, providing

sufficient technical skills, enabling decisions to be taken quickly
and gaining access to critical third parties.
(b) Process
This area focuses on knowing what to do, how to do it and when to

do it in the event of a cyber security incident. The organization
should be able to identify and investigate cyber security incidents,
taking appropriate measures to contain the incident and eradicate
the cause of the incident as well as recovering critical data and
connectivity.
(c) Technology
The people in the organization should know the data and network
topology, determine location of internet touch points and creating or
86
storing appropriate event logs. Without sufficient knowledge of the
technology, the organization will not be able to effectively respond
cyber security attacks. An organisation should configure its systems
or networks to assist identify or respond to cyber security incidents,
with inadequate monitoring processes in place. The systems should
be configured to record appropriate events, identify possible
incidents or provide sufficient assistance to investigators.
(d) Information
The organisation should be able to record sufficient details about

when, where and how the incident occurred. This also means
defining business priorities and understanding interdependencies
between business processes, supporting systems and external
suppliers.
Dealing with cyber security incidents – particularly sophisticated

cyber security attacks – can be a very difficult task, even for the
most advanced organisations. Organizations should therefore
develop an appropriate cyber security incident response capability,
which will enable them to adopt a systematic, structured approach
to cyber security incident response, including the selection and
management of external suppliers (Creasy and Glover 2013).
Disaster recovery
Incident management policies also include disaster recovery
systems designed to ensure business continuity after an attack. As
observed by Laudon and Laudon (2006), disaster recovery planning
devises plans for the restoration of computing and communications
services after they have been disrupted by an event such as an
earthquake, flood, or terrorist attack. Disaster recovery plans focus
primarily on the technical issues involved in keeping systems up
and running, such as which files to back up and the maintenance of
backup computer systems or disaster recovery services. Businesses
should establish hot sites housing spare computers at another
location as part of the offsite disaster recovery strategies.
87
Business continuity planning focuses on how the organization can
restore business operations subsequent to a disaster strikes. It
identifies critical business processes and determines action plans for
handling mission-critical functions in the event of systems going
down. A business impact analysis must be conducted to identify the
organization‘s most critical systems and the impact a systems
outage would have on the business. Management must determine
the maximum amount of time the business can survive with its
systems down and which segments of the business must be restored
first.
Fault-tolerant computer systems

Organizations also need to invest in what are known as fault-
tolerant computer systems as part of cyber incidents management.
These are systems containing redundant hardware, software and
power supply components that create an environment that provides
continuous, uninterrupted service. Fault-tolerant computers contain
extra memory chips, processors, and disk storage devices to back up
a system and keep it running to prevent failure. They use special
software routines or self-checking logic built into their circuitry to
detect hardware failures and automatically switch to a backup
device (Laudon and Laudon 2006).
According to Everret, fault-tolerant architectures run multiple

subsystems in parallel and constantly cross-check results to rapidly
detect, isolate and mitigate faults, which manifest as differences
across the subsystems. Adapting fault-tolerant systems to run
multiple variants of a vulnerable software system in parallel
presents the opportunity to immediately detect and interdict cyber-
attacks before they gain a foothold. These proactive security
techniques may go a long way in managing cyber threats.
Advances in technology have seen the construction of trustworthy

distributed systems: systems that tolerate both malicious attacks and
benign faults while preserving data integrity and confidentiality.
The development of high-assurance systems has been dominated by
work on two separate themes: security and fault tolerance. The
88
security viewpoint holds that a trustworthy system must be able to
defend against malicious attacks, building from a trusted computing
base. The fault tolerance viewpoint is that a trustworthy system
cannot depend on any single component functioning correctly,
because that component becomes a vulnerability. These two views
are incompatible because a trusted computing base could become a
single point of failure, and because efficient fault-tolerant
replication protocols assume non-malicious failures.
Load balancing
Another form of managing cyber threats is through load balancing
techniques. Load balancing distributes large numbers of access
requests across multiple servers. The requests are directed to the
most available server so that no single device is overwhelmed. If
one server starts to get swamped, requests are forwarded to another
server with more capacity (Laudon and Laudon 2006).
Mirroring
Organizations may use site mirroring as part of backup and disaster
recovery planning. The mirroring technique uses a backup server
that duplicates all the processes and transactions of the primary
server. Thus a mirror site is an exact copy of another website or
datacenter that contains the same information as the original. If the
primary server fails, the backup server can immediately take its
place without any interruption in service.
Mirror sites are most commonly used to provide multiple sources of

the same information and as a set up for backup and disaster
recovery as well as to balance the traffic load for numerous
download requests on the Web. Such "download mirrors" are often
placed in different locations throughout the Internet with file servers
that contain a duplicate set of files of another file server, thereby
sharing the burden of distribution to ensure rapid availability of data
when there is heavy demand. The major drawback of server
mirroring is that they are very expensive because each server must
be mirrored by an identical server whose only purposes is to be
available in the event of failure (Laudon and Laudon 2006).
89
3.9 Assessing Cyber Threats
Organizations should evaluate and manage specific cyber risks

affecting them. Identifying critical assets and attendant impacts
from cyber threats unlocks the organization‘s specific risk exposure.
Assessing cyber threats enables the organization to identify and
prioritize specific protective measures, allocate resources, and
develop policies and strategies to manage cyber risks to an
acceptable level. There are methods that can be used to assess cyber
security threats.
Cyber Threat Susceptibility Assessment is a methodology for

evaluating the susceptibility of a system to cyber-attack. This
method quantitatively assesses a system's ability or inability to
resist cyber-attack over a range of cataloged attacks. The process of
cyber threats assessment involves
 identifying the cyber assets most critical to mission
accomplishment
 understanding the threats and associated risks to those assets
 selecting mitigation measures to prevent and/or to defend
against cyber
Organizations should be able to carry out an internal cyber-security

risk assessment as part of its security policies. The process may
involve the following steps:
(a) Identifying information assets

The first step involves considering the primary types of information
that the organization handles and making a priority list in terms of
the information assets to be protected. In other words, the
organization should come up with an inventory of information
assets. Information assets may include social security numbers,
payment card numbers, patient records, designs, and payroll data,
among others.
(b) Locating information assets

The next step in a cyber security risk assessment process entails
identifying and listing where each information asset is located
90
within the organization. Various pieces of information may be
located in file servers, workstations, laptops, removable media,
personal computers, mobile phones and databases. Knowledge of
location of information assets helps in coming up with appropriate
security measures and strategies to protect information systems
from cyber attacks.
(c) Classifying information assets

Classification of information assets helps the organization to rank
the assets based on the level of harm that would ensue if the
information was disclosed, destroyed or deleted from the system.
Useful classifications may include public information (marketing
campaigns, contact information, published financial reports);
internal but not secret information (phone lists, organizational
charts, office policies); sensitive internal information (business
plans, strategic initiatives, payroll figures) and; regulated
information (patient data, classified information, personal customer
data).
(d) Threat modeling

The next step in the process involves threat modeling. This means
rating the threats to the information assets of the organization. The
Microsoft ‗STRIDE‘ method may be used in threat modeling
exercise. This method focuses on six potential threats to information
assets, namely: spoofing of Identity, tampering with data,
repudiation of transactions, information disclosure, denial of
service, and elevation of privilege. The method is then used to
approximate the probability of particular cyber threat actually being
carried out against each asset at the location in question as well as
the impact that a successful exploitation of a weakness would have
on the organization.
In summary, the primary goal of the cyber risk assessment process

is to facilitate cyber security planning. The cyber security plan will
enable organizations to build protective, risk-mitigation strategies
and solutions. It is also important for organizations to align cyber
security spending with specific threats and focus on cost-effective
91
measures to manage cyber threats. A systematic ranking of threats
enables organizations to focus their efforts on critical areas and
avoid spending on security technologies or activities that are less
essential or irrelevant to fixing identified cyber security threats.
3.10 Cyber Security and Cyber Warfare
There is no doubt that, with the increasing technological advances,

cyber threat is one of the most serious economic and national
security challenges faced by nations. Indeed, different countries are
now coming up with national cyber security systems in response to
the increasing threat of cyber warfare and cyber terrorism.
Cyberwarfare is Internet-based conflict involving politically
motivated attacks on information and information systems.
Cyberwarfare attacks can disable official websites and networks,
disrupt or disable essential services, steal or alter classified data,
and destabilize financial systems.
According Carr (2011), any country can wage cyber war on any
other country, irrespective of resources, because most military
forces are network-centric and connected to the Internet, which is
not secure. For the same reason, non-governmental groups and
individuals could also launch cyberwarfare attacks.
Cyber warfare may be conducted using a range of activities using

information and communications technologies. According to
Theohary and Rollins (2015), cyber war is typically conceptualized
as state-on-state action equivalent to an armed attack or use of force
in cyberspace that may trigger a military response with a
proportional kinetic use of force. However, there is no clarity on
when a cyber attack could be considered an act of war by the victim
nation. The Internet transcends many international borders and
perpetrators can launch cyber attacks from anywhere in the world
and route the attacks through servers of third-party countries. As
such, it may be difficult to classify a cyber attack as an act of cyber
warfare.
Technopedia defines cyberwarfare as any virtual conflict initiated as
92
a politically motivated attack on an enemy's computer and
information systems. Cyber warfare attacked are orchestrated via
the Internet, for instance, to disable financial and organizational
systems by stealing or altering classified data to undermine
networks, websites and services. Cyberwarfare usually involves the
following attack methods or security breaches:
(a) Sabotage
Military and financial computer systems are at risk for the
disruption of normal operations and equipment, such as
communications, fuel, power and transportation infrastructures.
(b) Espionage
These illegal exploitation methods are used to disable networks,
software, computers or the Internet to steal or acquire classified
information from rival institutions or individuals for military,
political or financial gain.
On the flip side, systems procedures are continuously developed

and tested to defend against cyberwarfare attacks. For example,
organizations will internally attack its system to identify
vulnerabilities for proper removal and defense. A common
perception of a hacker is that of a teenage geek who fools breaks
into computer systems for fun. While this perception was perhaps
once true, modern cyberwarfare involves well trained, well funded
professionals backed by nation states. Examples, such as the
Stuxnet virus, are given by some experts to demonstrate that much
more is happening behind the scenes, and that the front lines in
future wars will be digital.
Theohary and Rollins (2015) observe that there are currently no

clear criteria for determining whether a cyber attack is criminal, an
act of hactivism, terrorism, or a nation-state‘s use of force
equivalent to an armed attack. Likewise, no international, legally
binding instruments have yet been drafted explicitly to regulate
inter-state relations in cyberspace.
93
The use of distributed denial of service (DDoS) attacks has become
a widespread method of achieving political ends through the
disruption of online services. A classic example of cyber warfare is
the Stuxnet worm, which some consider the first cyber weapon. The
Stuxnet malware was apparently targeted at Iran and attacked the
computerized industrial control systems on which nuclear
centrifuges operate, causing them to self-destruct. Other examples
of cyber warfare include the hacking by the United States into
Serbia‘s air defense system to compromise air traffic control and
facilitate the bombing of Serbian targets in 1998; the attacks in
Estonia where a botnet of over a million computers brought down
government, business and media websites across the country in
2007 and the hacking of high tech and military agencies in the
United States by an unknown foreign party in 2007.
In 2009, a cyber spy network called "GhostNet" reportedly accessed

confidential information belonging to both governmental and
private organizations in over 100 countries around the world. The
above examples are a tip of the iceberg as more and more attacks of
global magnitude continue to be orchestrated. This means that cyber
warfare has become a reality and governments must put in place
national cyber security policies to prevent attacks and mitigate the
impact of cyber warfare and cyber terrorism.
Tabansky (2011) observes that cyber weapons are composed mainly

of software, although hardware may be involved as well. Cyber
weapons may be classified into (a) unequivocally offensive
weapons: different types of malware (viruses, worms, Trojan
horses, logic bombs, and the like); denial of service actions (b) dual
use tools: network monitoring; vulnerability scanning; penetration
testing; encryption; and camouflage of content and communications
(c) unequivocally defensive tools: firewall, disaster recovery
systems.
Hostile activity in cyberspace can be ranked according to types of

activity undertaken and damage caused. Cyber warfare may be
identified using the classifications such as:
94
 an attack on various civilian targets that causes physical damage
 disruption of and attack on critical national information
infrastructures, which causes physical damage
 disruption of and attack on military targets in the state‘s
sovereign territory
 disruption of and attack on military targets outside the state‘s
sovereign territory.
The most effective protection against cyberwarfare attacks is

securing information and networks. Security updates should be
applied to all systems including those not deemed critical as any
vulnerable system can be co-opted and used to carry out attacks.
The increased interconnectedness of computers and critical
infrastructure such as power grids, air defense systems, transport
systems and many others increases the chances of cyber warfare. As
such, there is need for governments, organizations and private
citizens to work together to implement active cyber defenses.
3.11 Unit Summary and Conclusion
Unit 3 focused on various classes of cyber attacks and threats.

These included code injection, time to check to time to use race
conditions as well as Sybil attacks. Other deadly attacks such as
distributed denial of services (DDoS) attacks and their effects have
been highlighted and discussed. Possible methods of managing
cyber security operations and incident management have been
proffered. The Unit concluded by focusing on the need to
systematically assess cyber threats as well as issues relating to the
increasing global risks of cyber warfare.
95
UNIT 4
CYBER SECURITY

 Define the phenomenon of cyber crime
 Identify the channels used to commit cyber crime
 Explain the common cyber crime methods
 Define forms of cyber extortion and cyber cheating
 Explain the global threats of cyber warfare and cyber terrorism
 Understand phishing and hacking in the context of cyber
environment
4.0 Introduction
The security of information and computer systems is inherently at

risk from a multiplicity of cyber threats in this information age. The
Internet has been described as a haven for criminal and other illegal
and/or unethical activities given its global reach and the ability to
provide a level of anonymity to users. In the cyber environment, the
incidence of cyber crime has been exponentially growing with the
increased reliance on information technology by individuals,
organizations and governments all over the world.
Broadly, cyber crime has been, and continues to be targeted against

property (such as breach of intellectual property and cyber
squatting), persons (such as cyber stalking and other forms of online
harassment); and states and the society in general (cyber terrorism
and cyber warfare). In this unit, the focus will be on the cyber crime
phenomena and the various channels and methods used by criminals
to perpetrate criminal activities in the cyber environment.
4.1 Cyber Crime concepts and techniques
Under this section, the meaning and scope of cyber crime will be
canvassed in a bid to highlight the key concepts and techniques used
by cyber criminals.
96
Challenges in defining cyber crime
Despite the growing global interest in fighting cybercrime, there is
no universally accepted definition of ‗cybercrime‘. In some
instances, definitions of cybercrime depend on the purpose and
context in which the term is used. For instance, in the field of cyber
security, the definition of cybercrime may be restricted to various
acts or omissions against the confidentiality, integrity and availability
of computer data or systems. In a broader sense, cyber crime
definitions may encompass other crimes such as identity-related
offences that may result in personal harm or financial loss to the
victims. The long and short of this discourse is that cybercrime is a
term that does not lend itself to a precise definition.
The difficulty in defining cybercrime is compounded by the

challenge of distinguishing older crimes committed using computer
technology and new crimes emerging as a result of technological
developments. For instances, conventional crimes such as theft,
fraud or vandalism where understood in the context of a physical
environment involving tangible goods and services. On the other
hand, cybercrime frequently takes place in the ‗virtual‘ environment.
Thus, while some forms of cyber crime may be widely recognized as

fraud or theft but use the Internet, others are in effect created by the
Internet (Wall 2007 quoted in Croall 2011). A useful test to ascertain
whether an activity is a ‗true‘ cyber crime is whether it could exist
without the Internet or a computer system. For instance, Croall
(2011) observes that advance fee frauds have existed for centuries
but are facilitated by electronic communications, whereas if the
Internet were taken away tomorrow, computer ‗attacks‘ would
disappear.
What is cyber crime?

Despite the difficulties in precisely defining the phenomenon of
cyber crime, different authors and scholars have endeavored to
provide useful definitions. For instance, Yar (2006, quoted in Croall,
2011), defines the term ‗cybercrime‘ as referring to a diverse range
97
of illegal and illicit activities that share in common the unique
electronic environment in which they take place.
Cyber crime may refer to any criminal offence committed on or

facilitated via the Internet. In terms of scope, cybercrime may range
from fraud to unsolicited emails (spam); theft of government or
corporate secrets through criminal trespass into remote systems
around the globe, and incorporates anything from downloading
illegal music files to theft from online bank accounts. Cybercrime
also includes non-financial offenses, such as creating viruses on other
computers or posting confidential business information on the
Internet. Cyber crime may also encompass offenses including
criminal activity against data, infringement of content and copyright,
fraud, unauthorized access, child pornography and cyber-stalking.
Difference between cyber crime and computer crime
There is also need to distinguish between computer crime and

cybercrime. Computer crime may be defined as any illegal act
involving a computer whereas cybercrime entails the commission of
online or internet-based illegal or criminal acts. A person that
commits cybercrime is called a cybercriminal. Cybercriminals may
also use software for their crimes, that kind of software is called
crimeware.
How the Internet facilitates cyber crime
There are a variety of reasons why the Internet and other computer
networks provide a conducive environment for cyber criminals to
commit various offences. In general, technology such as the Internet
has altered time and space relationships enabling people to
communicate with thousands of others on a global basis in
milliseconds. As such, fraudsters and other cyber criminals can target
thousands of potential victims quickly and cheaply and with far
fewer risks of detection.
The cyber environment has therefore reduced the need for face-to-
face interaction and people can easily create multiple identities. The
98
anonymity provided by the cyber environment makes it a favourable
hunting ground for criminals. According to Interpol, more and more
criminals are exploiting the speed, convenience and anonymity of the
Internet to commit a diverse range of criminal activities that know no
borders, either physical or virtual, cause serious harm and pose very
real threats to victims worldwide.
Fraudsters can, for example, attempt to sell goods or services and

pose as satisfied customers to enhance their marketing. The growing
dependency of businesses, individuals and governments on electronic
communications makes them vulnerable to attack – thus the fear of
cyber terrorism (Croall 2011). Laudon and Laudon (2006) aptly
observe that the Internet‘s ease of use and accessibility have created
new opportunities for computer crime. Highly complex
cybercriminal networks are bringing together individuals from across
the globe in real time to commit crimes on an unprecedented scale.
Criminal organizations are increasingly turning to the Internet to
facilitate their activities and maximize their profit in the shortest
time.
Perpetrators of cyber crimes often include individuals acting alone or

in concert, small groups and large organized crime groups who also
take advantage of the Internet. These "professional" criminals find
new ways to commit old crimes, treating cyber crime like a business
and forming global criminal communities. These criminal
communities share strategies and tools and can combine forces to
launch coordinated attacks. They even have an underground
marketplace where cyber criminals can buy and sell stolen
information and identities. It is very difficult to crack down on cyber
criminals because the Internet makes it easier for people to do things
anonymously and from any location on the globe. Many computers
used in cyber attacks have actually been hacked and are being
controlled by someone far away. Crime laws are different in every
country too, which can make things really complicated when a
criminal launches an attack in another country.
99
Causes of cyber crime
There are a number reasons that explain the causes and high
incidence of cyber crime. First and foremost, Cyber crime is billion-
dollar industry for criminal enterprises. Wherever the rate of return
on investment is high and the risk is low, criminals are willing to take
advantage of the situation. Accessing sensitive information and data
and using it means a rich harvest of returns and catching such
criminals is difficult. Hence, this has led to a rise in cyber crime
across the world.
Classification of cyber crime

As indicated above, cyber crime is wide in scope and encompasses a
variety of old and new forms crimes. Accordingly, scholars have
attempted to provide different classifications of cyber crime. For
instance, cyber crime may be classified as
 Offences against confidentiality, integrity and availability of
computer data and systems including but not limited to illegal
interception, data and system interference and misuse if devices;
 Computer-related offences including forgery and fraud;
 Content-related computer offences such as child pornography;
and
 Offences pertaining to copyright infringement and related rights.
The above classification of cybercrime has been criticized for lack of

consistence and overlaps between categories as some of the
cybercrimes fall within several categories. Another typical
classification seeks to broadly categorize cyber crime as:
 Crimes against individuals
 Crimes against property
 Crimes against states, organizations and the society in general.
Cybercrime against individuals

Cyber crimes under this classification are targeted at, and tend to
affect individual persons. Cyber criminals tend to exploit human
weakness like greed and naivety. Some of the popular cybercrimes
against persons include cyber pornography (specially child-
pornography), violation of privacy, harassment of a person through e-
100
mail spoofing, hacking, cracking, cyber stalking, defamation,
cheating, fraud, e-mail spoofing, password sniffing, credit card
frauds, gambling, among others.
Crimes against property

The second category of cyber crimes includes crimes against
property. Typical examples of the most popular cybercrimes against
property include, but are not limited to, intellectual property crimes,
cyber squatting, cyber vandalism, transmission of malware that
disrupt functions of the system or wipe out data or create
malfunctioning of the attached devices, cyber trespassing, Internet
time or bandwidth thefts.
Cybercrimes against government/organizations/society

Needless to say, cyber crimes against governments, organizations
and the society in general tend be directed against or affect these
institutions. The most common types of cybercrimes against
governments and related organizations are cyber warfare and cyber
terrorism. Criminals consisting of individuals and/or groups may use
electronic media and the cyberspace environment to threaten the
international governments and the citizens of a country. Hacktivists
may gain unauthorized access to computer files or networks or
launch cyber attacks in order to further social or political ends.
For instance, a manifestation of this crime manifests when a

government or military websites is hacked and vital information is
retrieved by terrorist organization. Cybercrime against organization
and society mainly includes unauthorized access to computer
systems, password sniffing, denial of service attacks, malware
attacks, crimes emanating from usenet groups, industrial
spying/espionage, network intrusions, forgery, web-jacking, among
many others.
4.2 Channels of Cyber Crime
There are many channels through which offenders perpetrate cyber

crimes. These channels are as varied as the motives behind the
101
attacks are varied. Cyber criminals employ various techniques to
attack their victims. The following are some of the types of attacks
cyber criminals use to commit crimes. One of the most sinister
threats to cyber security is represented by diffusion of botnets,
which are networks of infected computers (bots or zombies)
managed by attackers through malware. The controller of a botnet,
also known as botmaster, controls the activities of the entire
structure giving orders through communication channels.
Botnets are a major tool for cybercrime given that they can be
designed to effectively disrupt targeted computer systems in
different ways. A malicious user with no strong technical skills, can
initiate and cause havoc in cyberspace by simply renting botnet
services from a cybercriminal. Botnets are made up of vast numbers
of compromised computers that have been infected with malicious
code, and can be remotely controlled through commands sent via
the Internet. Hundreds or thousands of these infected computers can
operate in concert to disrupt or block Internet traffic for targeted
victims, harvest information, or to distribute spam, viruses, or other
malicious code.
Not surprisingly, the channels for cybercrime transactions are

virtual ones. Channels initially were largely a combination of
bulletin-board-style web forums, email, and instant-messaging
platforms that support both private messaging or open chat rooms
and email. While these channels are still used today, users now
commonly frequent online stores where buyers can chose their
desired product, pay with digital currency, and receive the goods
without any interaction or negotiation with the seller. As such,
cyber criminals are also targeting these forums to prey on their
targets.
Malware for mobile devices has been growing of late, in part

because attacking mobile devices brings in money faster than
attacking personal computers. SMS (Short Message Service)
Trojans and Fake Installers are the most popular form of mobile
malware: Such malware does not require extensive customization.
102
4.3 Cyber Crime Methods
The methods used by cyber criminals and technology keeps changing

too quickly for law enforcement agencies to catch up. Sophisticated
technical operations that wage wholesale identity fraud for crime
syndicates use many attack methods that interweave into a
formidable capacity that's difficult to counter.
Criminals are delivering worms and viruses through public computer

networks, compromising internet banking and e-commerce
credentials. Simple phishing scams, where users are tricked into
typing their passwords into counterfeit websites, are giving way to
more sophisticated attacks, he said.
Before the advent of the Internet, criminals had to intercept their

physical mail to steal their personal information. This is now a thing
of the past as information is readily available online and criminals
may also use the Internet to steal people's identities, hack into their
accounts, trick them into revealing the information, or infect their
devices with malware. These are some of the most methods used by
cyber criminals.
Cyber Stalking
Cyber stalking is one of the forms of crime against persons in terms
of classification as it is targeted at individuals. In general terms, the
offence is targeted at causing emotional distress and instilling fear of
physical harm in the victim. Goodno (2007) define stalking as
involving repeated harassing or threatening behavior using the
Internet, e-mail or other means of electronic communication to stalk
or harass another individual. Cyber stalking involves express or
implied physical threats that creates fear through the use of computer
technology such as email, phones, text messages, webcams, websites
or videos. Accordingly, cyber stalking is a form of online harassment
where the victim is subjected to an onslaught of online messages and
emails. Cyber security is often motivated by a desire to exert control
over the victim.
103
Cybercrime may include sending threats or false accusations via
email or mobile phone, making threatening or false posts on
websites, stealing a person‘s identity or data or spying and
monitoring a person‘s computer and Internet use. Sometimes the
threats can escalate into physical spaces. Typically, these stalkers
know their victims and instead of resorting to offline stalking, they
use the Internet to stalk. However, if they notice that cyber stalking is
not having the desired effect, they may begin offline stalking along
with cyber stalking to make the victims‘ lives more miserable.
Similarly, the perpetrator may use the Internet to threaten, pursue,

humiliate, or intimidate another person against their will. Goodno
(2007) in this cyber-age, websites, e-mail, chat rooms, anonymous
electronic bulletin boards, instant messaging and other web
communication devices allow cyber stalkers to quickly disseminate
intimidating and threatening messages. The impact of cyber stalking
on a victim can be as devastating as physical stalking. Social media,
email and Instant Messenger are some of the mediums the aggressor
may utilize. Cyber stalking should be taken seriously as it can
escalate to physical stalking and acts of violence.
Nature of cyber stalkers and victims

The cyber stalker could be a former friend or an estranged spouse or
lover, a total stranger met in a chat room, or a teenager playing a
practical joke. Albeit stalkers can target anyone, the majority of
victims are female. Domestic violence victims are some of the most
vulnerable groups to cyber stalking as well.
Forms of cyber stalking

According to Ellison and Akdeniz (1998), cyber stalking may take
various forms or guises including the following:
 A direct form of Internet harassment may involve the sending of
unwanted e-mails which are abusive, threatening or obscene
from one person to another;
 It may involve electronic sabotage in the form of sending the
victim hundreds or thousands of junk email messages
(spamming) or sending computer viruses;
104
 Indirect forms of harassment may involve a cyber stalker
impersonating his or her victim on-line and sending abusive
emails or fraudulent spam in the victim‘s name;
 Victims may be subscribed without their permission to a number
of mailing lists with the result that they receive hundreds of
unwanted emails everyday.
Examples of cyber stalking

A classic example of cyber stalking is the case of an American
woman called Cynthia Armistead who received thousands of
offensive telephone calls after her stalker posted a phony
advertisement on a Usenet discussion group offering her services
as a prostitute and providing her home address and telephone
number.
In yet another bizarre case, a cyber stalker terrorized the victim by

impersonating her in various Internet chat rooms and online bulletin
boards where he posted, along with her telephone number and
address, messages that she fantasized about being raped. On at least
six occasions, sometimes in the middle of the night, men knocked
on the woman's door saying they wanted to rape her. The cyber
stalker later pleaded guilty to the offence.
In the case of AMP v Persons‟ Unknown [2011] EWHC 3454

(TCC) the claimant‘s mobile phone was stolen or lost. The phone
contained the claimant‘s images of an explicit sexual nature taken
for the personal use of her boyfriend (sexting). The unknown person
who recovered the phone initially tried to blackmail the claimant via
Facebook but subsequently uploaded the images using torrents. The
court granted an order by serving a notice on any person making the
images available requiring them to desist and destroy the copies,
failure to comply with this notice may constitute a criminal offence.
The notices were served in UK and EU. Although this worked, the
images were re-uploaded in United States. This case typical shows
the challenges of enforcing cyber laws to stem out criminal
activities like cyber stalking.
105
Cyber stalking and the law
There is no specific law in Zimbabwe dealing with cyber stalking.
However, section 88 of the Postal and Telecommunications Act
deals with offensive or false telephone messages. This Act makes it
a criminal offence for any person to
 send by telephone any message that is grossly offensive or is of
an indecent, obscene or threatening character; or
 send by telephone any message that is false for the purpose of
causing annoyance, inconvenience or needless anxiety to any
other person; or
 make any telephone call or series or combination of telephone
calls without reasonable cause for the purpose of causing
annoyance, inconvenience or needless anxiety.
However, the Act does not define telephone to include mobile
phones or other forms of electronic communications. This implies
that cyber crimes may not be covered by this Act.
Why cyber stalking is difficult to control
Cyber stalking, like most cybercrimes, may be extremely difficult to

control for a number of reasons. Ellison and Akdeniz (1998)
observe that the ease with which users can send anonymous
messages would render legal regulation of on-line harassment a
difficult, if not impossible, task. Tracing a cyber-stalker may prove
an insurmountable obstacle to any legal action when the electronic
footprints which users leave behind are effectively eliminated by re-
mailer technology.
A cyber stalker's true identity can be concealed by using different

Internet service providers and by adopting different screen names.
More experienced stalkers can use anonymous remailers that make
it all-but-impossible to determine the true identity of the source of
an e-mail. Cyber stalkers can stalk their victims from a different
city, state or even country, so long there is access to the Internet.
This makes controlling cyber stalking a formidable task.
106
How to avoid cyber stalking
As indicated above, cases of cyber stalking may be extremely
difficult to control. However, the following ways may be useful in
avoiding being victims of cyber stalking:
 Users should be careful what personal information they share
online including on email, networking sites like Facebook and
Twitter and chat rooms. Cyber stalkers can take advantage of
such personal information as arsenal for attacking potential
victims.
 Users should create a different email account for registering in
social networking sites and other online spaces. This will help
avoid spam by revealing personal email details.
 In online platforms, users should endeavor to select user
profiles that do not identify them such as photos.
 It may be useful to consider using a name that is not the user‘s
real name in email addresses. Instead, it is advisable to pick a
name that is gender- and age-neutral.
 It is good practice to read and check privacy policy on online
platforms and social networking sites to make sure information
is only shared with trusted people and not the general Internet
public.
Cyber Squatting
Cyber squatting is a form of crimes against property. Cyber

squatting is the practice of registering names, especially well-known
company or brand names, as Internet domains, in the hope of
reselling them in future at a profit. It occurs when a person other
than the owner of a well-known trademark registers that trademark
as an Internet domain name and then attempts to profit from it either
by ransoming the domain name back to the trademark owner or by
using the domain name to divert business from the trademark owner
to the owner of the domain name.
Cyber squatters have been characterized as individuals who attempt

to profit from the Internet by reserving and later reselling or
licensing domain names back to the companies that spent millions
of dollars developing the goodwill of the trademark. Hurter (2012)
107
describes cybersquatting as the term most frequently used to
describe the deliberate, bad faith abusive registration of a domain
name in violation of rights in trade-marks or service marks.
In order to successfully challenge the cyber squatter in court and

reclaim the right to use the domain name, certain elements re
required to be established in a cybersquatting claim, namely: (i)
plaintiff's ownership of a distinctive or famous mark entitled to
protection; (ii) defendant's domain name is identical or confusingly
similar to plaintiff's trademark; and (iii) defendant registered
domain name with bad faith intent to profit from it.
The Domain Name System (DNS) maps Internet Protocol (IP)

addresses to equivalent domain names. Computers communicating
through global information networks (such as the Internet) can
exchange information because each connected computer has a
unique numerical IP address. It is important for a company to link
its established trading reputation to a virtual presence in cyberspace
through the registration of a domain name. It is equally important
for a company to prevent the unauthorized use of its trade name or
trade mark as a domain name online (Pistorius, 2009). Cyber
squatting therefore takes away the company‘s entitlement to use its
trading name as a domain name once this is registered by a cyber
squatter.
There are different types of cyber squatters. Ransom grabbers are

the cyber squatters who strategically register trademarks as domain
names in order to sell it to the legitimate trademark holders.
Competitor grabbers are individuals or corporations that register a
domain name corresponding to a competitor‘s trademark in order to
sell their own goods on it or merely to hinder the legitimate
trademark holder‘s use of the domain name. On the other hand,
innocent registrants and concurrent users of domain names may be
considered as cyber squatters. Innocent users register the domain
name based on some unrelated interest in the word itself, without
intending harm to a trademark owner.
108
4.4 Cyber Extortion and Cyber Cheating
Cyber extortion is an offence involving an attack or threat of attack

coupled with a demand for money to avert or stop the attack. Cyber
extortion can take many forms. Originally, denial of service (DoS)
attacks against corporate websites was the most common method of
cyber extortion. For instance, the attacker might initiate a telephone
call to head of the company, demanding that money be wired to a
bank account in a foreign country in exchange for stopping the
attack.
Cyber criminals may also use a variety of tactics, such as

ransomware, and theft of sensitive business and customer
information to extort payment or other concessions from victims. In
some cases, these attacks have caused significant impacts on
businesses‘ access to data and ability to provide services. Other
businesses have incurred serious damage through the release of
sensitive information. Cyber extortion may take two forms, namely:
cyber blackmail or ransomware.
Cyber blackmail
In the case of cyber blackmail, hackers obtain sensitive data from an

organization and then threaten to publicly disclose it unless a
payment is received. The inside information could include trade
secrets, insider financial data, or allegations of an embarrassing
nature. The victim is notified and given just enough evidence to
reasonably confirm that the hackers actually possess the information
that they claim.
Ransomware
Cyber criminals have developed ransomware that encrypts the

victim's data. In a ransomware situation, hackers plant a malicious
program on a corporate network that encrypts data and denies the
organization access to its own files until a payment is received. The
extortionist's victim typically receives an email that offers the private
decryption key in exchange for a monetary payment in Bitcoins, a
digital currency. Unfortunately, as with other types of extortion,
109
payment does not guarantee that further cyber-attacks will not be
launched. Most cyber extortion efforts are initiated through malware
in e-mail attachments or on compromised websites.
Ransomware, as the name implies, involves the demand for a ransom

in exchange for doing or doing certain things. Criminals can hide
links to ransomware in seemingly normal emails or web pages. Once
activated, ransomware prevents users from interacting with their
files, applications or systems until a ransom is paid, typically in the
form of an anonymous currency such as Bitcoin. To mitigate the
risks associated with cyber extortion, experts recommend that end
users should be educated about phishing exploits and back up their
computing devices on a regular basis.
Extortionists often demonstrate their capabilities by performing a

small attack, such as shutting down a Web site for a period of time.
This is followed by an e-mail to the victim requesting payment to
prevent additional, larger attacks. If an attacker is successful in
preventing customer or employee access to a resource or systems, the
financial institution‘s reputation could be affected, in addition to
potentially incurring operational and recovery costs.
Cyber extortion and the law

Extortion is a form of crime against property as it may result in
financial prejudice or other pecuniary loss to the victim. In
Zimbabwe, there are no specific laws on cyber extortion and cyber
cheating. However, a person can still be prosecuted under the
Criminal Law (Codification and Reform) Act [Chapter 9: 23] for
extortion even if this implies that the extortion was done in cyber
space. The Act prohibits any person from intentionally exerting
illegitimate pressure on another person for the purpose of extracting
an advantage from, or causing loss to another person. Illegitimate
pressure include intimidating another person by threatening to do
something that is lawful or unlawful for the purpose of extracting an
unlawful advantage from another person.
110
Example
Once ransomware infects a user‘s system, it either encrypts critical
files or locks a user out of their computer. It then displays a ransom
message that usually demands virtual currency payment in exchange
for a cryptographic key to decrypt or unlock those resources. The
message may also threaten to publicly release compromised data if
the payment demand is not met. Some ransomware can travel from
one infected system to a connected file server or other network hub,
and then infect that system. Once infected, a victim has little
recourse. If they do not pay the ransom, they suffer business down
time, loss of sensitive information or any other penalty specified by
the attacker. And even when they do pay the ransom, they remain
vulnerable to attack from the same attacker or a new one, and reward
attackers for their successful tactics.
Payment of ransom
Ransom payment has always proved a challenge for cybercriminals,

who need a method that is easily accessible to victim and easily
convertible to cash but also untraceable. Previously attackers relied
largely on payment vouchers. The rise of Bitcoin and other
cryptocurrencies provided an alternative that operates outside the
traditional financial system. Although not wholly anonymous,
Bitcoin movements can be obfuscated by moving through chains of
wallets and tumbler services. Bitcoin wallets are free and disposable,
meaning attackers can generate a new, unique wallet for each
infection, making it more difficult for law enforcement to follow all
earnings.
How ransomware is spread
There are various ways through which ransomware may be spread.

The primary method of ransomware infection is through the use of
deceptive e-mails or malicious Web sites that imitate legitimate
organizations or communications. These include the following:
(a) Malicious email

One of the most common methods to spread ransomware and
111
malware in general is through malicious spam mail. This spam is
distributed using botnets, or networks of compromised computers.
The botnet sends out large numbers of spam emails that use social
engineering tactics to trick recipients into compromising their
computers. The infection occurs when the user opens a malicious
attachment that directly installs the ransomware or clicks a link that
points to an exploit kit which ultimately lead to the malware being
installed on the computer.
(b) Exploit kits

Exploit kits are another prevalent infection vector for ransomware.
The toolkits exploit vulnerabilities in software in order to install
malware.
(c) Malvertising
Malicious ads are placed through ad networks whose ads are
distributed through trusted websites with a high volume of visitors.
Preventing cyber extortion
Organizations may not be able to completely prevent incidents of

cyber extortion given that cyber criminals are becoming more and
more sophisticated. However, there are certain measures that may be
implemented to minimize the risk of attacks including the following:
 Organizations should implement awareness and training

programs on the risks of cyber crime including cyber extortion.
End users, employees and individuals are usually targeted and
should be made aware of the threat of ransomware and how it
is orchestrated.
 It is recommended practice to patch operating systems,
software, and firmware on devices, which may be made easier
through a centralized patch management system.
 Anti-virus and anti-malware solutions should be set to
automatically update to carry out regular scans in order to
detect malware.
112
 Organizations should implement the principle of least
privilege, that is, no users should be assigned administrative
access unless absolutely needed and those with a need for
administrator accounts should only use them when necessary.
 It is recommended for organizations to implement software
restriction policies or other controls to prevent programs from
executing from common ransomware locations, such as
temporary folders supporting popular Internet browsers.
4.5 Cyber Warfare and Cyber Terrorism
Cyber warfare and cyber terrorism are some of the distinct

cybercrimes against governments, organizations and the society in
general.
The individuals and groups use electronic media and the cyberspace
to threaten the international governments and the citizens of a
country. This crime manifests itself into terrorism when a
government or military websites are hacked and vital information is
retrieved. Cybercrime against organization and society mainly
includes unauthorized access of computer, password sniffing, denial
of service attacks, malware attacks, crimes emanating from usenet
group, industrial spying/espionage, network intrusions, forgery, web-
jacking etc.
Concern is mounting that the vulnerabilities of the Internet or other

networks could be exploited by terrorists, foreign intelligence
services, or other groups to create widespread disruption and harm.
Such cyber attacks might target the software that runs electrical
power grids, air traffic control systems, or networks of major banks
and financial institutions (Laudon and Laudon 2006). The potential
impact of a well-conducted cyber-attack in which the most likely
targets would be critical infrastructures could be the equivalent of a
full scale cyber-war (Gelbstein and Kamal 2002).
According to Theohary and Rollins (2015), cyberwar is typically

conceptualized as state-on-state action equivalent to an armed attack
113
or use of force in cyberspace that may trigger a military response
with a proportional kinetic use of force. Cyberterrorism can be
considered ―the premeditated use of disruptive activities, or the threat
thereof, against computers and/or networks, with the intention to
cause harm or further social, ideological, religious, political or
similar objectives, or to intimidate any person in furtherance of such
objectives.
Terrorism could also benefit from the fragility of some systems and
infrastructures, including airports, air traffic control, transportation,
financial transaction, power distribution and stations, data centres,
and surveillance centres, developing new methods of attack with
significant impact. We should expect to see the arrival of a
generation of individuals who are skilled in computer technology and
communication, wanting to influence the world from the comfort of
their computer screen. The ability to fully or partially operate
remotely and with impunity will be a powerful incentive to act.
Cyber terrorism refers to premeditated, usually politically-motivated

violence committed against civilians through the use of, or with the
help of, computer technology. Cyber terrorism, which is violence,
commonly politically motivated, committed against a civilian
population through the use of or facilitated by computer technology.
Labeling a ―cyberattack‖ as ―cybercrime‖ or ―cyberterrorism‖ is

problematic because of the difficulty determining with certainty the
identity, intent, or the political motivations of an attacker. Cyber
terrorism may be described as politically motivated hacking
operations intended to cause grave harm such as loss of life or severe
economic damage
Others indicate that a physical attack that destroys computerized

nodes for critical infrastructures, such as the Internet,
telecommunications, or the electric power grid, without ever
touching a keyboard, can also contribute to, or be labelled as cyber
terrorism.
114
Computer hackers may also work with terrorist groups, or terrorist-
sponsoring nations to orchestrate cyber terrorism. Membership in the
most highly-skilled computer hacker groups is sometimes very
exclusive and limited to individuals who develop, demonstrate, and
share only with each other, their most closely-guarded set of
sophisticated hacker tools. These exclusive hacker groups do not
seek attention because maintaining secrecy allows them to operate
more effectively. Some hacker groups may also have political
interests that are supra-national, or based on religion, or other socio-
political ideologies, while other hacker groups may be motivated by
profit, or linked to organized crime, and may be willing to sell their
computer services, regardless of the political interests involved.
Cyber espionage
Cyber espionage involves the unauthorized probing to test a target

computer‘ s configuration or evaluate its system defences, or the
unauthorized viewing and copying of data files. However, should a
terrorist group, nation, or other organization use computer hacking
techniques for political or economic motives, their deliberate
intrusions may also qualify them, additionally, as cybercriminals.
Industrial cyber espionage has become a common part of global
economic competition but secretly monitoring the computerized
functions and capabilities of potential adversary countries may also
be considered essential for national defence.
Some large cybercriminal groups are transnational. Individuals in

these groups reportedly operate from locations all over the world,
working together to hack into systems, steal credit card information
and sell identities, in a very highly structured, organized network.
4.6 Phishing and Hacking
Phishing and hacking are among the most common forms of cyber
attacks in the world. The techniques are employed to illegally obtain
personal information from victims which is then ultimately used for
committing more heinous crimes such as fraud.
115
What is Phishing?
Phishing is one of the fastest growing online crime method used for
stealing personal information. Phishing may be defined as a
criminal activity involving the use of social engineering techniques
to acquire sensitive data, personal data, passwords, credit card
details and other financial information from victims. The
perpetrators usually masquerade as a trustworthy persons or
businesses in online or electronic communications such as email or
instant message. Phishing is any method or technique used by
criminals to entice victims disclose personal information by using
electronic communication technique such as emails, masquerading
to be from a legitimate source.
The word ―phishing‖ was made up by hackers as a cute word to

refer to the concept of fishing for information. Since most phishing
methods rely on social engineering techniques, it is important to
define the term for purposes of clarity. Social engineering is defined
as the exploitation of the trusting nature of human beings to gain
information for malicious purposes. Humans are trusting by nature,
and criminal use social-engineering exploits to take advantage of
this inherent attribute in humans. Cyber criminals use lies and
manipulation to trick people into revealing their personal
information. Social engineering attacks frequently involve very
convincing bogus stories to lure victims into their trap.
Phishing is the act of fraudulently using email to try to get the

recipient to reveal personal data. In a phishing scam, con artists
send legitimate-looking emails urging the recipient to take action to
avoid a negative consequence or to receive a reward. The requested
action may involve clicking on a link to a Web site or opening an
email attachment. Phishing is a method of transmitting a form of
spam containing links to web pages that appear to be legitimate
commercial sites but designed to fool users into submitting
personal, financial, or password data. Clicking on the link may also
lead to infection of one‘s computer by a virus or may allow access
to one‘s computer by a hacker.
116
Phishing may therefore be described as a form of identity theft.
According to Laudon and Laudon (2006), identity theft is a crime in
which an imposter obtains key pieces of personal information, such
as social security identification numbers, drivers‘ licence numbers,
or credit card numbers, to impersonate someone else. The
information may be used to obtain credit, merchandise, or services
in the name of the victim or to provide the thief with false
credentials.
The Internet has made it easy for identity thieves to use stolen
information because goods can be purchased online without any
personal interaction. Credit card files are a major target of web site
hackers. Moreover, e-commerce sites are wonderful sources of
customer personal information – name, address, and phone number.
Armed with this information, criminals can assume a new identity
and establish new credit for their own purposes (Laudon and
Laudon 2006)
Phishing is a form of spoofing that also involves setting up fake

websites or sending e-mail that looks like those of legitimate
businesses to ask users for confidential personal data. The email
message instructs recipients to update or confirm records by
providing social security numbers, bank and credit card
information, and other confidential data either by responding to the
email message or by entering the information at a bogus web site
(Laudon and Laudon 2006).
Common types of Phishing

There are various phishing methods employed by cyber criminals to
illicitly obtain sensitive data from victims. The most common
methods are through emails, websites, and over the telephone.
 Phishing emails: this involves the sending of fake emails

purporting to come from legitimate or trusted sources such as
banks in terms of which the victim is requested to provide
personal information such as bank account details and identity
numbers.
117
 Phishing websites: websites that look similar to those of
genuine companies or banks are setup to mislead the victim
into entering important details such as the username and
password.
 Phishing phone calls: the criminal makes phone calls to the
victims in the name of a bank or similar institution requesting
the victim to enter or tell confidential data such as PIN
numbers.
In phishing attacks, the cyber criminals offer bait to victims so that

they willingly or unknowingly provide their sensitive information.
The bait can be in form of a business proposal, announcement of a
lottery to which the victim never subscribed, and anything that
promises money for nothing or a small favor.
Variants of phishing
Phishing has a number of variants, notably spear-phishing, vishing

and smishing, tabnabbing, among other social engineer campaigns.
Spear-phishing
This is a variation of phishing in which the phisher sends fraudulent

emails to a certain organization‘s employees. It is known as spear-
phishing because the attack is much more precise and narrow, like
the tip of a spear. The phony emails are designed to look like they
came from high-level executives within the organization.
Employees are directed to a fake Web site and then asked to enter
personal information, such as name, Social Security number, and
network passwords. Botnets have become the primary means for
distributing phishing scams.
Smishing
This is another variation of phishing that involves the use of Short

Message Service (SMS) texting. In a smishing scam, people receive a
legitimate-looking text message on their phone telling them to call a
specific phone number or to log on to a Web site. This is often done
118
under the guise that there is a problem with their bank account or
credit card that requires immediate attention. However, the phone
number or Web site is phony and is used to trick unsuspecting
victims into providing personal information such as a bank account
number, personal identification number, or credit card number. This
information can be used to steal money from victims‘ bank accounts,
charge purchases on their credit cards, or open new accounts. In
some cases, if victims log on to a Web site, malicious software is
downloaded onto their phones, providing criminals with access to
information stored on the phones. The number of smishing scams
increases around the holidays as people use their cell phones to make
online purchases.
Pharming
Pharming is another type of social engineering. A user‘s session is

redirected to a masquerading website. At the fake website,
transactions can be mimicked and information like login credentials
can be gathered. With this the attacker can access the real site and
conduct transactions using the credentials of a valid user on that
website.
Vishing
Vishing is similar to smishing except that the victims receive a voice

mail telling them to call a phone number or access a Web site. In an
example of a vishing attack, account holders at a credit union were
sent a text about an account problem and told to call a phone number
provided in the text. If they did so, they were asked to provide
personal information that allowed criminals to steal funds from their
accounts within 10 minutes of the phone call. Similarly, bank
customers received a text stating that it was necessary to reactivate
their automated teller machine (ATM) card. Those who called the
phone number in the text were asked to provide their ATM card
number, PIN, and expiration date. Thousands of victims had money
stolen from their accounts.
119
Tabnabbing
Tabnabbing is a computer exploit and phishing attack, which

persuades users to submit their login details and passwords to
popular websites by impersonating those sites and convincing the
user that the site is genuine. In other words, tabnabbing is a specific
type of attack where a fake, malicious website will replace a
legitimate website already open on a web browser in order to steal
users‘ credentials and passwords.
Characteristics of Phishing attacks

Computer users should be on the lookout for suspicious emails or
websites that request them to disclose personal information in order
to avoid becoming victims of phishing campaigns. The following are
some of the characteristics generally associated with phishing emails
or websites:
 Request for submitting personal information – most companies
do not ask their customers to submit confidential data via
emails. So if you find an email asking for your credit card
number, there is a high probability that it is a phishing attempt.
 Sense of urgency – most phishing emails demand immediate
action. For instance, the email may indicate that your bank
account will be deactivated in a day if you don‘t enter your
credit card number.
 Generic salutation – Phishing emails generally start with a
‗Dear customer‘ instead of the user‘s name.
 Attachments – Phishing emails might also refer victims to open
attachments that mostly contain malware. As such, it is
advisable for users not to open attachments from untrusted
email sources.
 Phony links – victims may be requested to click on link might
show something else but will actually direct to a different
location. Clicking on the link or accessing the website may
trigger an automatic and unnoticeable download of malicious
software to a computer.
 Promise of reward – victims may be advised they have won a
prize or other reward but must give their credit card
120
information in order to receive it.
 Administrator requests – the attacker may call pretending to be
a network or account administrator and asking for the victim's
password to perform maintenance
Methods of preventing phishing
Users of computer systems should wary of suspicious emails,

websites and phone calls requesting them to provide their personal
sensitive information on-line. Where customers are not sure about the
contents of an email, they are advised to call or visit their banks to
verify the authenticity of the request to disclose sensitive
information. In addition, financial institutions, credit card companies,
and other organizations whose customers may be targeted by
criminals through phishing have critical role to play.
For instance, banking employees should always on the alert for

phishing, smishing, and vishing scams. They must be prepared to act
quickly and decisively without alarming their customers if such a
scam is detected. Recommended action steps for institutions and
organizations include the following:
 Customer education on the dangers of phishing, smishing, and

vishing through letters, recorded messages for those calling
into the companies call centre, and articles on the company‘s
Web site.
 Training of call centre service employees to detect customer
complaints that indicate a scam is being perpetrated. They
should attempt to capture key pieces of information, such as
the call back number the customer was directed to use, details
of the phone message or text message, and the type of
information requested.
 Notifying customers immediately if a scam occurs so that they
do not fall victims of the attacks.
Hacking
Traditionally, a hacker is someone who enjoys tinkering with
software or electronic systems. However, the term hacker has
121
assumed a new meaning in a world characterized by high incidence
of cyber crime. Thus a hacking commonly involves breaking into
computer systems with a malicious intent, usually for personal gain,
fame, profit or even revenge. There is a distinction between ethical
(white-hat) hackers and malicious (black-hat) hackers.
Ethical hacking
Ethical hacking refers to hacking performed by a company or
individual to help identify potential threats on a computer or
network. An ethical hacker attempts to bypass system security and
search for any weak points that could be exploited by malicious
hackers. This information is then used by the organization to improve
the system security, in an effort to minimize or eliminate any
potential attacks.
A Certified Ethical Hacker is a qualification obtained by assessing

the security of computer systems, using penetration-testing
techniques. For hacking to be deemed ethical, the hacker must adhere
to the following rules:
 the ethical hacker must have express or written permission
from the computer system to probe the network and attempt
to identify potential security risks;
 the ethical hacker must respect the individual's or company's
privacy;
 ethical hackers must close out their work, not leaving
anything open for them or someone else to exploit the
vulnerabilities in future;
 the ethical hacker will let the software developer or hardware
manufacturer know of any security vulnerabilities located in
their software or hardware so that corrective measures are
taken.
122
Criminal Hacking (Cracking)
Criminal hackers are technically referred to as ‗crackers‘ as they
crack into computer systems and networks with malicious intent.
There are a number of reasons why criminals hack systems:
 Hacking for fun - some hackers make attempts on computers,
servers or network systems just for the personal gratification.
Thus hacking may be done to prove a point or just for the
challenge.
 Hacking for profit or gain – most hackers target businesses for
hacking in order to gain financially or some other form of
reward or advantage. Another reason to hack a system is to steal
information or business secrets. A large portion of hacking
attempts falls into this category of hacking for profit or gain.
Banks and large companies are common targets for hacking jobs.
 Hacking to disrupt - some hackers target a company or
organization just to disrupt business, create chaos or to be a
nuisance. Such hackers would be often trying to make a
statement with their hacking, demonstrate security inadequacies,
or to show general disapproval for the business itself.
 Hacking for revenge – some aggrieved persons may turn to
hacking a system as a way of revenging. A typical example is a
former employee who hacks computer systems as a revenge for
being dismissed by the company.
Typical Hacking methods

The main objective behind hacking is to gain illegal or unauthorized
access to a computer system. Once hackers gain access to the
system simple or sophisticated and well-planned methods, they can
hold data hostage, engage in identity theft, and even use the victim‘s
computer to launch attacks on other networks. The following are
some of the methods used by hackers. However, some of the
methods are discussed in greater detail in other units of this module.
Trojan horses
A Trojan is malware disguised as harmless software. The intent of
the hacker is to get the targeted victim to install the malware by
believing that it is safe. Once installed on the computer, a Trojan can
123
do anything from logging keystrokes, to opening a backdoor and
giving the hacker access to victim‘s computer system.
Drive-By Downloads
Hackers also use what are known as ‗drive-by download‘ attacks to
hack into computers. In this case, the victim does not have to click on
anything to initiate the download and installation of malware. Just
visiting a website that has been compromised is enough to get the
victim‘s computer infected. The stealth and effectiveness of a drive-
by download makes it one of the best methods in a hacker‘s arsenal
today.
Rootkits
A rootkit is a malicious segment of code injected into a computer
system, designed to hide any unauthorized activity taking place.
Rootkits grant administrative control to the attacker and the victim‘s
computer can be used without restrictions and without their
knowledge. A rootkit can attack and replace important operating
system files, allowing it to hide or disguise itself and other malware.
Once a rootkit has buried itself deep within your system, it can cover
an intruder‘s tracks (by altering system logs), cover up evidence of
malicious processes running in the background, hide files of all
types, and open a port to create a backdoor.
Malvertising
Malvertising is a method whereby users download malicious code by
simply clicking at some advertisement on any website that is
infected. In most cases, the websites are genuine but cyber criminals
insert malicious advertisements on the websites without the
knowledge of the website owner. Malvertising is one of the fastest,
increasing types of cybercrime.
This Unit covered a number of pertinent issues relating to cyber

crime and the methods and techniques used by cyber criminals.
Cyber crime has been defined and classified into crimes against
124
persons, property and governments/organizations. Some of the cyber
crimes covered include cyber stalking and cyber squatting; cyber
extortion and cyber cheating; cyber warfare and cyber terrorism, as
well as phishing and hacking.
125
UNIT 5
DATA HIDING TECHNIQUES
Learning Objectives
By the end of this Unit, students will be able to:
 Outline data hiding techniques such as cryptography,

steganography, and obfuscation.
 Define methods used to encode data in order to hide the
original content
 Understand Encryption Methods used to hide data and possible
methods to overcome this obfuscation.
5.0 Introduction
The advances in information and communication technologies

enable information and data to be electronically generated, stored,
disseminated and transmitted anywhere in the world at astonishing
speeds. Data and information have become so precious to every
person, business, or organization in the information society.
However, more often than not, the channels used to store and
transmit information are not sufficiently secure to preserve the
integrity, confidentiality and availability of the information in
computer systems.
Security is of prime concern when transmitting information or data

by electronic means. As such, the need to secure data in a digital
environment is increasingly becoming indispensable. In cyber
security, data hiding techniques are some of the fundamental
methods extensively used to securely transmit data and prevent it
from being accessible to unintended users. This chapter will focus
on data hiding techniques such as cryptography, steganography,
obfuscation and other methods to secure data.
History of data hiding techniques

Historically, people have been using various methods of secret
communication in order to avoid unintended recipients from reading
messages. According to Graham et al (2011) ancient Egyptians
began the first known practice of writing secret messages, using
126
non-standard hieroglyphs to convey secret messages as early as
1900 BC. A classical example of data hiding techniques is found in
a story told of an ancient man called Histiaeus who shaved the head
of his most trusted slave, tattooed a message on his head, and then
waited for his hair to grow back. The slave was send to Aristagoras,
with instructions to shave the slave's head again and read the
message, directing him to revolt against the Persians.
Studies in data hiding techniques such as cryptography heightened

during World War II due to the invention of radio communication.
Anyone within range of a radio signal could listen to the
transmission, leading both sides to spend countless hours studying
the art of code making and code breaking (Graham et al 2011).
Since the invention of modern electronic computers, cryptography
has changed significantly. Messages are now transmitted
electronically as binary data. The increase in computing power also
gives cryptanalysts powerful new tools for analyzing encrypted data
for patterns (Graham et al 2011). Kayarkar and Sanyal (2012)
observe that with the explosive growth of Internet and the fast
communication techniques in recent years the security and the
confidentiality of the sensitive data has become of prime and
supreme importance and concern. To protect this data from
unauthorized access and tampering various methods for data hiding
like cryptography, hashing, authentication have been developed and
are in practice today.
Importance of securing data

The Internet provides an extremely fast and efficient channel of
transmitting enormous amounts of data across vast networks
anywhere in the world. However, most networks are insecure as
sensitive or confidential data may be tampered with, intercepted or
accessed by hackers and other unauthorized users in the process of
transmission. Data in transmission is particularly vulnerable to
threats.
Morkel et al observe that since the rise of the Internet one of the
most important factors of information technology and
communication has been the security of information. Cryptography
127
was created as a technique for securing the secrecy of
communication and many different methods have been developed to
encrypt and decrypt data in order to keep the message secret.
Unfortunately it is sometimes not enough to keep the contents of a
message secret, it may also be necessary to keep the existence of the
message secret. The technique used to implement this, is called
steganography.
According to Gupta et al (2014) ‗the exchange of data among (sic)

two potential parties must be done in a secured method so as to
avoid any tampering. Two types of threats exist during information
exchange. The unintended user who may try to overhear this
conversation can either tamper with this information to change its
original meaning or it can try to listen to the message with intention
to decode it and use it to his/her advantage. Both these attacks
violate the confidentiality and integrity of the message.
The importance of securing data stems from the need to preserve the
confidentiality, integrity and availability of personal data, sensitive
data, confidential data and trade secrets. Data may also be secured
to avoid misuse of the data, inadvertent damage to data, human
error and accidental deletion of data. A variety of methods have
been developed to ensure that information remains safe and secure.
Data hiding techniques provide a level of security of data from
unauthorized users and potential attackers. Conversely,
cybercriminals may also seek to secure information in order to hide
evidence or traces of crime.
Although data hiding is as old as the human race, there are new
techniques for hiding data on mobile devices, operating systems,
virtual images, social networks, and other dominating technologies
in the modern digital society. There are also various analytical
methods for reckoning hidden data, as well as jamming methods for
disrupting data hiding operations. Other emerging technologies and
attack methods, including cloud considerations, privacy protection,
and derivative data hiding and detection theories have developed.
As data hiding detection and forensic techniques continue to
128
advance, so are more sophisticated stealth methods for spying,
corporate espionage, terrorism, and cyber warfare designed to
escape detection. It is therefore important to explore the current and
next generation of tools and techniques used in covert
communications and data concealment tactics.
Knowledge of data hiding techniques is critical for IT

administrators, cyber security professionals, computer forensic
experts as well as other computer users to equip them with skills to
investigate and defend against insider threats, spy techniques,
espionage, and secret communications. By understanding the
techniques and the numerous threats to data security, appropriate
methods may be designed to defend against threats through
detection, investigation, mitigation and prevention.
5.1 Definition of data hiding
In simple terms, data hiding (also known as information hiding) is a

technique used to embed secret data into a cover image. According
to Patil and Katariya (2015) data hiding may be defined as the
process of embedding a message signal into the host or cover of
image to get the composite signal. The art of data hiding therefore
focuses on placing data where it is not supposed to exist. Operating
systems and file structures provide vast possibilities to conceal data
and making it harder to detect.
Bender et al (1996) observe that data hiding represents a class of

processes used to embed data, such as copyright information, into
various forms of media such as image, audio, or text with a
minimum amount of perceivable degradation to the ―host‖ signal.
The result is that the embedded data becomes invisible and
inaudible to a human observer thereby guaranteeing its secrecy.
Accordingly, data-hiding technique is a type of secret
communication technology mainly used to convey messages
covertly by concealing the presence of the communication.
In computer science data hiding is a software development

technique specifically used in object-oriented programming (OOP)
129
to hide internal object details (data members). Data hiding ensures
exclusive data access to class members and protects object integrity
by preventing unintended or intended changes. Data hiding also
reduces system complexity for increased robustness by limiting
interdependencies between software components. Data hiding is
also known as data encapsulation or information hiding.
Functions of data hiding techniques

First and foremost, one of the major functions of data hiding
techniques such as cryptography is to provide information security.
Data hiding methods ensure the confidentiality information by
keeping the data secret. Similarly, these techniques guarantee the
integrity of data by providing ways to determine that information
has not been tampered with. Data hiding techniques are also used to
determine the author of various pieces of information. However,
data hiding techniques are not only used in secret communication
but also for other notable applications such as copyright protection,
tamper-proofing, and augmentation data embedding.
Attributes of data hiding techniques
Information hiding techniques must have certain attributes in order

to be effective in securing data. Gupta et al (2014) highlight four
major attributes of data hiding techniques. First, the technique must
have capacity, that is, the amount of information that can be hidden
in cover medium. The amount of information that can be hidden is
governed by the fact that information hidden should not completely
alter the original message, in order to avoid the attention of
unintended user.
The second key attribute is security. This implies that the

information hiding technique must provide security for the data
such that only the intended user can gain access to it. The second
attribute is probably the most important as it ensures that
unauthorised users are unable to detect the hidden information.
The third attribute relates to the notion of robustness. This alludes

to the quantity of information that can be hidden without showing
130
any adverse effects and destroying hidden information. In other
words, a data hiding technique must be robust enough to preserve
the hidden information. The last attribute of a good data hiding
technique is perceptibility. The data hiding method should hide data
in such a manner that the original cover signal and the hidden data
signal are perceptibly indistinguishable.
The data hiding technique should secure the data in a host media
with minimal or no deterioration in host and provide a method of
extracting the secure data afterwards. However, data hiding
techniques may be classified into reversible data hiding and
irreversible data hiding methods.
(a) Reversible data hiding
In this technique the message signal as well as the original cover

can be with no loss recovered simultaneously. Reversible data-
hidings insert information bits by modifying the host signal, but
enable the exact (lossless) restoration of the original host signal
after extracting the embedded information. Sometimes, expressions
like distortion-free, invertible, lossless or erasable watermarking are
used as synonyms for reversible watermarking.
(ii) Irreversible data hiding

In this case the message signal can be recovered with no loss but the
original cover can be lost.
Types of Data Hiding Techniques
There are various data hiding techniques used in cyber security. The
most common and frequently used techniques are cryptography,
watermarking and steganography. These techniques will be
discussed in greater detail in the ensuing sections.
5.2 Cryptography
Cryptography is one of the most popular methods of hiding data.

The terms cryptography and encryption are frequently used
interchangeably although there are slight differences between the
131
two. Cryptography is a wider concept involved with the science of
secret communication while encryption is one component of
cryptography. In this study the term cryptography will be used
extensively although reference may also be made to encryption.
Definition of cryptography
In simple terminology, cryptography may be defined as the art of
transforming data into an unreadable format to prevent unauthorized
persons from comprehending the message. The etymology of the
word ‗cryptography‘ can be traced back to a Greek word meaning
‗secret writing‘ or ‗hidden writing‘. Similarly, encryption may be
defined as the process of making information unreadable by
unauthorized persons (Gove 2000). The modern concept of
cryptography is therefore synonymous with encryption.
In the field of information security, the term is used to refer to the

science and art of transforming messages to hide their meaning
from an intruder (Forouzan & Mosharraf 2011). Murray (2000)
defines cryptography as the use of secret codes to hide data and to
authenticate its origin and content. Menezes et al (2001) observe
that cryptography is the study of mathematical techniques related to
aspects of information security such as confidentiality, data
integrity, entity authentication, and data origin authentication.
Cryptography is therefore a data hiding technique used to ensure
data confidentiality, authentication and non-repudiation. The
fundamental goal of cryptography is to address four pillars of
information security, namely: privacy and confidentiality, data
integrity, authentication and non-repudiation. These concepts have
been discussed greater detail in previous chapters.
It is important to understand how cryptography works in order to

appreciate how this technique ensures the pillars of information
security. At the elementary level, cryptography involves the
encryption of the data or plain text into unintelligible or unreadable
format called cipher text. The cipher text is then send to the
recipient who in turn decrypts or decodes the cipher text into plain
text using a secret key. This means that only the person with the key
132
is able to read the secret message. Cryptography has three basic
steps, namely: encryption, message transfer and decryption. Since
modern digital cryptography has become synonymous with
encryption, the latter concept is discussed in greater detail below.
Encryption
The first step in cryptography is the encryption process. Voors
(2003) defines encryption as a technique that changes a plaintext
message from its original form by replacing or rearranging the
letters and numbers and converting the message into an
indecipherable form using a mathematical algorithm and a key.
Thus the process entails encrypting the original data (plain text) to
some non-readable form. Gove (2000) describes that process of
encryption as consisting of a sender and a receiver, a message
(called the plain text), the encrypted message (called the cipher text)
and an item called a ‗key‘. The converse of the encryption process
is decryption. A more explicit description is given by Forouzan &
Mosharraf (2011) observe that encryption is analogous to locking a
message in a box, while decryption can be thought of as unlocking
the box using the ‗key‘.
According to Denning and Baugh (1999), the growth of

telecommunications and electronic commerce has led to a growing
commercial market for digital encryption technologies. Business
needs encryption to protect intellectual property and to establish
secure links with their partners, suppliers, and customers. Banks
need it to ensure the confidentiality and authenticity of financial
transactions. Law enforcement needs it to stop those under
investigation from intercepting police communications and
obstructing investigations. Individuals need it to protect their private
communications and confidential data. Encryption is critical to
building a secure and trusted global information infrastructure for
communications and electronic commerce. The following figure
provides a simple illustration on how cryptography works:
Plain Text Encryption Cipher Text
133
Algorithm
Secret Key
Secret Key
Cipher Text Encryption Plain Text

Algorithm
Figure 5.1: How cryptography works
According to Maita et al (2011) ―the formal mechanism of data

encryption uses the method to convert a message into a ciphertext
message by using some encryption algorithm and the ciphertext
message is then sent to the recipient who has the authorization to
receive and get the original message. To receive the original
message which has been sent by the sender, recipient uses a key to
obtain the decrypted message. Any malicious user who does not
have the key cannot break the security of ciphertext which looks
like some meaningless code.
Biometric encryption
According to Silver (2012), biometrics is a branch of biology that

measures and analyzes biological data, so that a person‘s biological
properties—rather than her password—could be used to grant her
secure access to an information system. The advantages of
biometrics over passwords are obvious: rather than encrypt using a
string of characters that one could forget, or that could be captured
by an attacker, biometrics are based on biological characteristics
specific to a particular user and which cannot be as easily captured
by another. Silver (2012) observes that biometric encryption can be
based not only on fingerprints, DNA, and voice samples, but also
134
retinas, and walking and typing patterns. Advances in processing
speed appear to have made biometrics appropriate for everyday use.
Drawbacks of cryptography
Though data encryption is proved to be a secure method to hide
data, it has some weaknesses. For example, sometimes the
appearance of ciphertexts could give a clear impulse (incentive) to
an unauthorized user and this might lead to unauthorized access to
the original content by breaking it. As a result the original receiver
would not be able to receive the ciphertext sent by the sender.
Often unauthorized users may take advantage by destroying the

cipher text when it cannot be recovered. Another major drawback to
encryption is that the existence of data is not hidden. Data that has
been encrypted, although unreadable, still exists as data. If given
enough time, someone could eventually decrypt the data. A solution
to this problem is data hiding. Data hiding techniques could play a
major role to embed important data into multimedia files such as
images, videos or sounds. Because digital images are insensitive to
human visual system, therefore images could be good cover
carriers. Data hiding has two major applications – watermarking
and steganography. These data hiding methods will be discussed in
detail below.
5.3 Cryptography and its application

The art of cryptography has been practiced since time immemorial
chiefly by the military, diplomatic service and government officials
to protect national secrets and strategies. The advent of computer
systems and advanced digital communication channels necessitated
the requirement for new effective ways of protecting and securing
information in digital form. Albeit, governments and militaries still
extensively use encryption methods to protect secret information,
advances in technology and the advent of e-commerce and other
online transactions have seen the increased use of encryption by
businesses and private individuals. Commercial business use
encryption to maintain the trade secrets, customer personal
information, product information and marketing plans confidential.
135
Medical institutions use encryption to safeguard the privacy of
medical records.
Cryptographic methods
Generally, there are three basic cryptographic methods often used in
network security, namely: hash functions, symmetric key encryption
and asymmetric key encryption. ‗Encryption is used to convert data
into a format that can only be read by someone with secret
knowledge.
Symmetric-key cryptography
There are a number of important cryptographic tools that can be
used to secure information. Symmetric key encryption, also known
as private key encryption, is a class of reversible encryption
algorithms that use the same key for both encrypting and decrypting
messages. With symmetric key encryption the secret key is known
by everyone that requiring to encrypt and decrypt the data. In other
words, the encryption and decryption algorithms are the same.
When the key is applied to the original data, it is converted to cipher
text. Basically, encryption is a mathematical function that uses the
key to manipulate the data. The cipher text is converted back to the
original data by using the same key that was used to encrypt the
data.
Symmetric encryption is a fast technique for protecting sensitive

information provided the key remains secret. The major
shortcoming of this technique is that private-key encryption systems
offer limited security because encrypted messages can be read if a
third party intercepts the key when it is transmitted from the sender
to the receiver. Symmetric-key cryptography can be classified into
traditional symmetric-key ciphers and modern symmetric-key
ciphers.
Traditional Symmetric-key ciphers
Conventional ciphers were a popular mode of hiding information in

order to ensure that only those with the right to know would read
the message. The traditional ciphers basically used two techniques
136
for hiding information from intruders, namely: the substitution and
transposition techniques. These techniques will be explored in the
ensuing sections.
(a) Substitution ciphers

A substitution cipher replaces one symbol with another. For
instance, where the symbols in the plaintext are alphabetic
characters, one letter is replaced with another. For example, the
letter A may be replaced with the letter D, B with E and the
sequence is followed for all the letters in the alphabet. The message
is then created using the substituted letters to create the cipher text.
A simple famous cipher is called the ‗Caesar cipher‘ named after
Julius Caesar that used a key of 3 for his communications. For
instance, one could shift the letters of the English alphabet as
shown:
Table: 5.1
a b c d e f g h i j k l m n o p q r S t u v w x y z
d e f g h i j k l m n o p q r s t u V w x y z a b c
The plain text is created from the normal alphabetic from a-z. In
order to create the cipher text the letters are shift so that letter a
corresponds with letter d while letter b with letter e and so on. The
recipient will need to now the key in order to decrypt the secret
message. For instance, when shifting three letters to the right as the
key, the plain text message: ―the secret meeting is on today‖ would
be written in cipher text as ―wkh vhfuhw phhwlqj lv rq wrgdb”. In
other words, the characters in the key are rotated three spaces to the
left. However, Graham et al (2011) observe that substitution ciphers
are very vulnerable to cryptanalysis, the practice of breaking codes.
With enough text, it would be simple to begin replacing characters
in the cipher text with their possible clear text counterparts.
(b) Transposition ciphers

Unlike a substitution cipher, a transposition cipher does not
substitute one symbol for another, instead it changes the location of
the symbols. A symbol in the first position of the plaintext may
appear in the tenth position of the cipher text, while a symbol in the
137
eighth position of in the plaintext may appear in the first position of
the cypher text. In other words, a transposition cipher reorders
(transposes) the symbols. The traditional ciphers had numerous
shortcomings and not safe for use in the modern day cyber world
where attackers can easily break the ciphers.
Modern Symmetric-key ciphers
Modern symmetric-key ciphers have been developed to secure

information. These ciphers generally use an amalgamation of
substitution, transposition and some other complex transformations
to create cipher text from plaintext. Another notable feature of
modern symmetric-key ciphers is that they are bit-oriented (instead
of character-oriented).
Management of keys
There are several security-related issues that need to be considered
with the use of symmetric key encryption. The first is key
distribution. Graham et al (2011) aptly observe that key exchange
and protection are the most important aspects of symmetric
cryptography because anyone who has the key can both encrypt and
decrypt messages. The strength of any system that uses symmetric
key encryption is dependent on the methods used to share and
protect the shared secret (Jacobson 2009).
As observed by (Murray 2000:369), in order for cryptography to be

effective, there is need to properly manage and maintain the secrecy
of the cryptographic keys. This is called the concept of key
management. Key management can be defined as the generation,
recording, transcription, distribution, installation, storage, change,
disposition, and control of cryptographic keys. The major security
challenge is how to keep the keys secret. According to Graham et al
(2011), symmetric encryption depends upon the secrecy of a key.
Key exchanges or pre-shared keys present a challenge to keeping
the encrypted text‘s confidentiality and are usually performed out of
band using different protocols.
138
Similarly, users have to grapple with the possibility of breaking the
encryption. The goal is to make the key sufficiently long so that it is
not easily broken by trying every possible combination. The length
of the encryption key is measured in bits and determines the
strength of the encryption program. For example, an encryption key
that is 40 bits in length yields 1 billion possible keys or
combinations, a key with 56 bits has 72 trillion, and a key that
measures 128 bits produces a gazillion solutions (Voors, 2003).
Attackers often try to attack the key generation methods or the key
distribution system instead of guessing all possible keys. Symmetric
encryption remains fast and effective technique for safeguarding the
confidentiality of the encrypted data despite that it requires a shared
key and therefore depends upon the secrecy of that key.
Asymmetric encryption
Asymmetric key encryption, also known as public key encryption,
uses two keys that are mathematically related. The first key is used
for encryption while the other is for decryption. The essence of
public key encryption is therefore that one of the matched keys is a
public key known by everyone and freely distributed, while the
other matched key is a private key kept secret. Asymmetric
encryption falls under the ambit of cryptography for which the
distinctive aspect of the system is the use of two linked keys for
encryption and decryption, rather than a single key. In other words,
public key system uses one key, known as the public key, to encrypt
data, and a second key, known as the private key, to decrypt the
encrypted data.
A fundamental facet of asymmetric key encryption is the security of

the private key. Gupta et al (2014) observe that public key
cryptography can also be used in digital signatures. Digital
signatures can be permanently tied to the content of the message
being signed. Secret key is used for signing the contents and the
corresponding public key is used to validate the authenticity of the
signature. Jacobson (2009) highlights that the private key is often
protected by encrypting it with symmetric key encryption. This will
ensure that only the person with the password can use the private
139
key to decode the secret message. Asymmetric algorithms therefore
use different keys for encryption and decryption. The process of
asymmetric key encryption is diagrammatically presented as
follows:
Plain Text Encryption Cipher Text

Algorithm
Public Key
Private Key
Cipher Text Encryption Plain Text

Algorithm
Figure 5.2: Asymmetric key cryptography
Figure 2 shows that the process of encrypting and decrypting a
message using the public key method is analogous to the process of
using symmetric encryption with the notable exception that the keys
used in the process are dissimilar. However, public key encryption
has been criticized as a computationally expensive process that is
not suited for bulk data encryption. The computational overhead
resulting from public key encryption schemes is prohibitive for such
an application. Smaller messages and symmetric encryption key
exchanges are ideal applications for public key encryption.
5.4 Data Encryption Standards (DES)

In the US around the 1970s, the Data Encryption Standard (DES)
was developed and has been used extensively in the financial
sectors across the globe. In 1976 the concept of public-key
cryptography was introduced by Diffie and Hellman‘s publication
of New Directions in Cryptography. Notably, the public-key
cryptography led to the significant development of the digital
140
signature. For instance, the first international standard for digital
signatures (ISO/IEC 9796) was adopted in 1991. Various
cryptography standards and infrastructure continue to be developed
to secure information. Data encryption is one of the fundamental
technical measures to enhance the security of information.
Organizations should endeavor to use the latest advanced
encryption algorithms as part of security strategies to safeguard
information.
Steganography
A related but slightly different technique used in secret
communications to is ‗steganography‘, which simply means
‗covered writing‘ or ‗concealed writing‘. Gupta et al (2014) define
steganography as a practice of hiding or concealing a message, file
or image within another message, file or image. A more lucid
definition is provided by Kayarkar and Sanyal (2012), who observe
that steganography is the process of concealing sensitive
information in any media to transfer it securely over the underlying
unreliable and unsecured communication network. According to
Maiti et al (2011) steganography is the art of hiding data in a
seemingly innocuous cover medium. For example, any sensitive
data can be hidden inside a digital image.
Steganography gained importance because the US and the British

government, after the advent of 9/11, banned the use of
cryptography and publishing sector wanted to hide copyright marks.
Modern steganography is generally understood to deal with
electronic media rather than physical objects and texts. Businesses
have also started to realize the potential of steganography in
communicating trade secrets or new product information. Avoiding
communication through well-known channels greatly reduces the
risk of information being leaked in transit. Hiding information in a
photograph of the company picnic is less suspicious than
communicating an encrypted file.
Steganography is the art and science of hiding a message inside

another message without drawing any suspicion to others so that the
141
message can only be detected by its intended recipient (Agarwal,
2013). It is an ancient art of hiding messages for making the
messages not detectable to malicious users. In this case, no
substitution or permutation was used. The hidden message is plain,
but unsuspected by the reader. Steganography includes the
concealment of information within computer files. In digital
steganography, electronic communications may include
steganographic coding inside of a transport layer such as a
document file, image file, program or protocol. Media files are ideal
for steganographic transmission because of their large size. The
essence of steganography is that it disguises sensitive or
confidential data in any cover media such as images, audio, or video
in a way that hides the existence of the data so that unintended
recipients do not detect it. In other words, the main objective of
steganography is to hide messages inside other messages to keep the
communication from the prying eyes of potential attackers or
unauthorized users. The main objectives of the steganographic
algorithms are to provide confidentiality, data integrity and
authentication.
A typical example of steganography is where a secret message is

written in special ink which is only visible when exposed to light at
a certain angle. In the world of computers, any form of data such as
text, images, audio or video can be digitized and it is possible to
insert secret binary information into the data during digitization
process. Some hidden information is not necessarily used for
secrecy – it can also be used to protect copyright, prevent
tampering, or add extra information.
Components of steganography
There are basically four stages involved in using steganography as a
data hiding technique. The first step involves the selection of the
cover media to be used for hiding the data. This could be images,
videos, or audio files. The second component of steganography is
the secret message or information intended to be camouflaged in the
cover media. There is also need for a function that will be used to
hide data in the cover media and its inverse to retrieve the hidden
142
data. The last component is the optional key or password to
authenticate or hide and unhide the data (Gupta et al 2014). Digital
steganography has three basic components (a) obtain the data to be
hidden i.e. secret message (b) embed the secret message into the
cover medium i.e. images, sounds or videos etc and (c) lastly, obtain
the stego-carrier to be sent.
Most steganographic techniques are applied in such a way that the

data to be hidden inside an image or any other medium like audio,
video etc., is broken down into smaller pieces and inserted into
appropriate locations in the medium in order to hide them. The
object is to render the chunks of data not perceivable so that hackers
and unauthorised users cannot detect the concealed data. It is critical
to ensure that the data is hidden in such a way that there is no major
difference between the original image and the ‘corrupted‘ image.
Only the authorized person knows about the presence of data. The
algorithms can make use of the various properties of the image to
embed the data without causing easily detectable changes in them.
Types of steganography
There are various types of steganography but three basic types of
steganographic protocols are available. Some of the types of
steganography techniques can be combined with other data hiding
methods such cryptography. In fact, it is for this reason that
steganography is sometimes confused with cryptography. Gupta et
al (2014) highlight the following types of steganography:
(a) Pure steganography

Pure steganography does not require the exchange of cipher such as
a stego-key but the sender and receiver must have access to
embedding and extraction algorithm. In pure steganography the
media cover should be carefully chosen to minimize changes caused
by the embedding process. This type of steganography has been
criticized as not being very secure as the security depends on the
presumption that no other party is aware of the secret message.
143
(b) Secret key steganography
Secret key steganography as a technique uses a key to embed secret
messages into the media cover. The key is only known to the sender
and the receiver. In order to enhance the security of data using this
technique, the key should be exchanged in a secure medium. A
major drawback of secret key steganography is that it may be
susceptible to interception as it involves the sending of the key to
the receiver.
(c) Public key steganography

Public key steganography, like asymmetric key cryptography, uses
two keys: public key stored in a public database and used in the
embedding process and a secret key known only to the sender and
the receiver used to reconstruct the original message.
Other types of Steganographic techniques depend on the cover

media used to mask or conceal the data. Thus steganography can be
classified into image, text, audio and video steganography
depending on the cover media used to embed secret data (Agarwal,
2013). Different digital file formats can be used for hiding data, but
formats with a high degree of redundancy are more suitable.
Redundancy refers to the bits of an object that provide accuracy far
greater than necessary for the object‘s use and display. Thus
redundant bits of an object can be altered without the alteration
being detected easily. Image and audio files especially comply with
this requirement, although there are other file formats that can be
equally used for information hiding. The media-based types of
steganography are discussed below.
(i) Text-based steganography

Text steganography is a type of steganography that hides the
message behind other cover text file. Moreover, hiding the text
behind HTML coding of web pages makes the detection of
steganography impractical, as web pages are a fundamental building
blocks of the Internet. Agarwal (2013) observes that text
steganography can involve anything from changing the formatting
of an existing text, to changing words within a text, to generating
144
random character sequences or using context-free grammars to
generate readable texts.
(ii) Image-based steganography

In this type of steganography the information is hidden exclusively
in images. Image-based steganography is the most popular given the
large amount of redundant bits available in the digital representation
of images. The abundance of digital images, especially on the
Internet, also makes then readily available for use in steganography
to conceal information.
(iii) Audio and video steganography
Similar techniques as used in image steganography can also be

applied to hide information in audio files. However, one different
technique unique to audio steganography is masking. This technique
manipulates the properties of the human ear to hide information
unnoticeably. For instance, a faint, but audible, sound becomes
inaudible in the presence of another louder audible sound. This
property creates a channel in which to hide information (Morkel et
al). However, the larger size of meaningful audio files makes them
less popular to use than images.
IP based steganography
IP based steganography uses Transmission Control

Protocol/Internet Protocol (TCP/IP) for practical data hiding in
communication networks.
Differences between cryptography and steganography

Cryptography means concealing the contents of the message by
enciphering, while steganography means concealing the message
itself by covering it with something else. However, both are data
hiding techniques designed to preserve the confidentiality of
information. Steganography is distinguished from cryptography
which involves ‗secret writing‘. While cryptography scrambles the
message so that it cannot be understood, steganography hides the
data so that it cannot be observed. Steganography‘s intent is to hide
145
the existence of the message, while cryptography scrambles a
message so that it cannot be understood.
Cryptography and Steganography are ways of secure data transfer

over the Internet. Cryptography scrambles a message to conceal its
contents; steganography conceals the existence of a message
(Agarwal, 2013). In the field of cyber security it is not enough to
simply encipher the traffic, as criminals detect, and react to, the
presence of encrypted communications. In this regard, Maiti et al
(2011) opine that steganography provides better security than
cryptography because cryptography hides the contents of the
message but not the existence of the message. So no one apart from
the authorised sender and receiver will be aware of the existence of
the secret data.
Cryptography and steganography are complimentary data hiding

techniques in that the latter builds on the weaknesses of the former
technique. The major weakness of cryptography is that the third
party is always aware of the communication because of the
unintelligible nature of the text. Steganography overcomes this
limitation by hiding message in an innocent looking object called
cover. According to Wang and Wang (2004) Steganography differs
from cryptography in the sense that where cryptography focuses on
keeping the contents of a message secret, steganography focuses on
keeping the existence of a message secret.
Steganography and cryptography are both ways to protect

information from unwanted parties but neither technology alone is
perfect and can be compromised. Once the presence of hidden
information is revealed or even suspected, the purpose of
steganography is partly defeated. The strength of steganography can
thus be amplified by combining it with cryptography.
Steganography is more preferable over encryption as a data hiding

technique because encryption only obscures the meaning of the
information while steganography hides the very existence of the
information. In addition, encrypted data tends to attract attention to
potential hackers or snoopers than steganography.
146
Steganographic messages are often first encrypted by some
traditional means and then a cover image is modified in some way
to contain the encrypted message. The detection of
steganographically-encoded packages is called ―steganalysis.‖ Both
steganography and cryptography techniques may be combined to
create a more secure and robust level of protection to data. This
entails encrypting the message first using cryptography techniques,
that is, the cipher text is encrypted before being embedded in a
cover media.
Conventional use of steganography

The art of hiding information in objects is not a recent phenomenon
but are art of secret communication used since time immemorial.
Steganography has been widely used, including in recent historical
times and the present day. Possible permutations are endless and
known examples include (i) hidden messages within wax tablets,
(ii) hidden messages on messenger‘s body, (iii) hidden messages on
paper written in secret ink, under other messages or on blank parts
of other messages, and (iv) agents used photographically produced
microdots to send information back and forth.
Data hiding, a form of steganography, embeds data into digital

media for the purpose of identification, annotation, and copyright.
Several constraints affect this process: the quantity of data to be
hidden, the need for invariance of these data under conditions where
a "host" signal is subject to distortions, e.g., lossy compression, and
the degree to which the data must be immune to interception,
modification, or removal by a third party.
Watermarking and fingerprinting
Other data hiding methods include watermarking and fingerprinting

techniques. These techniques are closely related to but slightly
different from steganography. However, steganographic techniques
are used to store watermarking in data. Watermarking and
fingerprinting techniques are of particular interest to business
organisations as they primarily focus on the protection of
147
intellectual property such as copyrights. In watermarking all of the
instances of an object are ―marked‖ in the same way. The kind of
information hidden in objects when using watermarking is usually a
signature to signify origin or ownership for the purpose of copyright
protection (Marvel et al, 1999).
Fingerprinting techniques focus on embedding different, unique

marks in distinct copies of the carrier object that are supplied to
different customers. This enables the intellectual property owner to
identify customers who break their licensing agreement by
supplying the property to third parties. In watermarking and
fingerprinting the fact that information is hidden inside the files
may be public knowledge – sometimes it may even be visible –
while in steganography the imperceptibility of the information is
crucial.
From a cyber security standpoint, attackers usually focus, not only

on detecting information hidden in files but also on removing the
watermarking or fingerprinting system in order to defeat intellectual
property claims. Thus it is important to ensure that watermarking
algorithms guarantee that the presence of embedded data is not
visible, the ordinary users of the document or image are not affected
by the watermark, the watermark can be made visible or retrievable
by the creator when needed; and that the watermark is difficult for
eavesdroppers to comprehend and to extract them from the
channels.
5.5 Obfuscation and diversity methods
Obfuscation is one of the various methods of securing information.

The etymology of the word derives from the Latin word obfuscatio
meaning ‗to darken‘. It is a method of obscuring the intended
meaning in communication, making the message confusing,
willfully ambiguous or harder to understand. Data obfuscation is
also known as data scrambling and privacy preservation
In the digital world where computers collect, store and transmit

enormous amounts of data, the security of personal information
148
becomes critical given sensitive data in online databases, such as
government records, medical records, and voters' lists. This poses a
threat to personal privacy. In many jurisdictions laws have been
promulgated to safeguard personal privacy. A number of highly
publicized information breaches have focused the need for
organizations to better understand their data protection obligations -
to understand the risks and how to protect that data.
The term data obfuscation is used to refer to the class of algorithms

that modify the values of the data items without distorting the
usefulness of the data. There are two fundamental areas where data
obfuscation should be deployed. The first is the need to mask real
time data extracts from databases to obscure personal data from, for
example, its support personnel investigating system problems. This
system should also handle the extract of data from production
systems which are routinely sent to other agencies.
Data obfuscation (which is also sometimes referred to as data

anonymisation, data masking, data privacy, data scrambling) - the
test data is built from a sub-set of the production data that has been
subject to a number of techniques designed to obscure the origin of
the data. Specifically those techniques must prevent personally
identifiable information or sensitive information from being
identified from data. The techniques must not allow the original
data to be re-created by reverse engineering.
Data obfuscation enables the hiding of sensitive data from insiders

(e.g. application developers and testers) while keeping the
obfuscated data realistic and therefore testable. Data obfuscation
techniques must satisfy a basic rule: the obfuscated data should
satisfy the same business rules as the real data.
Data obfuscation provides security measures adopted to protect the

data being processed. Data obfuscation is the concealment of
meaning in data or information usage, making it confusing and
harder to interpret.
149
According to Technopedia, data obfuscation is a form of data
masking where data is purposely scrambled to prevent unauthorized
access to sensitive materials. This form of encryption results in
unintelligible or confusing data. Data masking or data obfuscation is
the process of hiding original data with random characters or data.
The main reason for applying masking to a data field is to protect
data that is classified as personal identifiable data, personal
sensitive data or commercially sensitive data, however the data
must remain usable for the purposes of undertaking valid test
cycles.
Data obfuscation techniques are used to prevent the intrusion of

private and sensitive online data. However, issues have stemmed
from an inability to vigorously prevent privacy attacks.
Additionally, Data obfuscation techniques do not preserve data
clusters, and there is not a set of standards for data obfuscation
technique comparison.
Obfuscation can be deliberate or unintentional. This can be done by

using technical jargon or uncommon words so that the ordinary
reader would not be able to comprehend the meaning of the words
with relative ease. Obfuscation techniques are also used in network
security and software to:
 Obscure an attack payload from inspection by network
protection systems
 Come up with software codes that are difficult for an ordinary
human to understand as part of securing information
 conceal the purpose of a software code (security through
obscurity) in order to prevent tampering, or reverse engineering.
Difference between obfuscation and encryption

The terms obfuscation and data encryption are often intermixed
although they are fundamentally different. Encryption prevents non-
authorised users from understanding the data. Typically, encryption
can be applied when the 'data is at rest', in order to protect the data
against data loss; encryption can also be applied 'in transit', which
protects the information from being compromised during
150
transmission. However, with encryption, authorised users can still
have access to the underlying data. Data obfuscation protects
individual's data in non-production environments by replacing it
with representative but fictitious data. In the event of a data loss
involving obfuscated data, a non-authorised user may be able to
read the data (including field headings), however it will not reflect
any individual's details.
Obfuscation transformations obscure yet retain the original

functionality. Typical modifications include encoding,
concatenating, obscuring variable and function names, and adding
or removing white space and new lines. Encryption achieves the
same result as obfuscation but is not an obfuscation method because
it does not retain functionality without the required cipher key
(Graham et al (2011).
Types of data masking techniques

A number of data masking techniques are used to protect data from
intruders. These techniques include substitution, shuffling, number
and date variance, nulling out techniques, among others.
Substitution is one of the most effective methods of applying data
masking and being able to preserve the authentic look and feel of
the data records. It allows the masking to be performed in such a
manner that another authentic looking value can be substituted for
the existing value. The shuffling method is also a very common
form of data obfuscation. It is akin to the substitution method but it
originates the substitution set from the same column of data that is
being masked by randomly shuffling data within the column.
The number and date variance technique has been applied to mask
financial data sets such as payroll. On the other hand, nulling out or
deletion techniques have been used through applying a null value to
a particular field. The null value approach is really only useful to
prevent visibility of the data element. Similarly, masking out
technique is also use to obfuscate data. Data Masking is the
replacement of existing sensitive information in test or development
databases with information that looks real but is of no use to anyone
151
who might wish to misuse it. This technique involves character
scrambling or masking out certain fields sensitive data to prevent it
from being viewed by unauthorized users. Data masking technique
is commonly applied to credit card data in production systems.
Code obfuscation
Obfuscation consists of code transformations that make a program

more difficult to understand by changing its structure, while
preserving the original functionalities, not suitable also to reverse-
engineering. Encryption and firewalls are some of the common
solution to diminish the threat of the attackers who try to crack the
application. But, these approaches do not help to protect the
software, when the attacker is him/herself the end-user. Among the
various techniques available for protecting code from different
attacks, code obfuscation is one of the most popular alternative, for
preventing from code comprehension, code tampering etc.
Code obfuscation is a largely adopted solution, and many different

obfuscation approaches have been proposed. Obfuscation
techniques provide software protection against unauthorized reverse
engineering (Behera and Bhaskari, (2015). The main idea behind
these obfuscation techniques are to hide the original code from the
adversary, as the code will be transformed, but its functionality will
be similar to the original code; but much more difficult to analyse or
understand.
Graham et al (2011) observe that developers use obfuscation

techniques to transform data or source code into obscure or unclear
representations while retaining the original functionality.
Obfuscation techniques are also used to hide the data or the
behavior of an application. In commercial applications obfuscation
techniques reduce the chances of successful decompilation and
increases the difficulty of reverse engineering. Exposed source code
leaks sensitive information by revealing the inner workings of the
application. Legitimate developers use obfuscation in an attempt to
hide possible vulnerabilities, trade secrets, and intellectual property.
152
There are several advantages of automated code obfuscation that
have made it popular and widely useful across many platforms. A
main advantage of automated code obfuscation is that it helps
protect the trade secrets (intellectual property) contained within
software by making reverse engineering a program difficult and
economically unfeasible. Other advantages might include helping to
protect licensing mechanisms and unauthorized access, and
shrinking the size of the executable.
Obfuscation can make reading, writing and reverse engineering a

program difficult and time-consuming. However, obfuscation does
not necessarily make it impossible. Obfuscation methods, no matter
how complex, are susceptible to reverse engineering and
deobfuscation (Graham et al (2011). Like any other data hiding
technique, obfuscation does not completely prevent attackers from
breaching the data or code. A determined attacker may still locate
the functionality of the code after spending sufficient time to inspect
the obfuscated code.
In order to enhance security, obfuscation techniques are usually

implemented with other methods, such as code replacement or
update, code tampering detection, and protections updating so that
attackers get a limited amount of time to complete their objective.
Other techniques commonly used to avoid or challenge detection
engines include encryption, hardware-based security solutions,
tamper proofing, watermarking, and software aging.
Hardware obfuscation
Hardware obfuscation is a technique by which the description or the
structure of electronic hardware is modified to intentionally conceal
its functionality. The notion behind hardware obfuscation is to make
it more difficult to reverse-engineer. Hardware obfuscation
techniques can be classified into two: (i) the passive techniques
which do not directly affect the functionality of the electronic
system and (ii) the active techniques which directly alter the
functionality of the system. Often the active hardware obfuscation
are ‗key-based‘ such that normal functionality of the obfuscated
153
design can only be enabled by the successful application of a single
pre-determined key or sequence of secret keys at the input.
Reverse engineering demands a high level of skill to analyze

precompiled code and a long period to complete the analysis.
Obfuscation methods increase the amount of skill and time required
by adding complexity and confusion to the code. A common anti-
reverse-engineering obfuscation technique involves self-modifying
code. Self-modifying code makes static reverse engineering difficult
because the code changes itself at runtime.‘ Graham et al (2011)
Use of obfuscation for malicious purposes
While legitimate developers of hardware and software use

obfuscation techniques to hide possible vulnerabilities, trade secrets,
and intellectual property, developers of malicious code also use
obfuscation techniques to hide malware. In other words, developers
of malicious programs also use obfuscation to hide the malicious
intent of their code from detection and analysis (Graham et al
2011). Attackers regularly use obfuscation techniques to obscure
code functionality and frustrate mitigation efforts.
Attackers also use obfuscation techniques to evade detection from

signature-based security solutions such as antivirus programs and
intrusion detection and prevention systems. Obfuscating code and
network activity evades detection from antivirus intrusion detection
and prevention systems by altering values within files or packets
that trigger signatures (Graham et al 2011). Cyber security
professional should therefore stay ahead of the game by developing
security solutions to defeat the various obfuscation techniques used
by malicious code developers.
5.6 Differential Privacy

The advent of computers tremendously increased the ability to
collect and store large amounts of electronic data in databases. Most
of the data may be confidential and include personal private data
and other sensitive information. Information in databases is
particularly vulnerable to attacks as it may be accessed by
154
unauthorized users, destroyed or manipulated by hackers for
malicious purposes. Sensitive information in databases may be
prone to disclosure resulting in the privacy of the information being
violated. Similarly, statistical information in database may also be
altered or manipulated resulting in the information being inaccurate.
Data mining techniques may be used to search information and
databases thereby exposing sensitive to the threats of disclosure.
There are security techniques that may be used to protect

information the integrity and confidentiality of information in
databases. One such technique is known as differential privacy.
Differential privacy is therefore a privacy enhancing technology
used in cyber security. Differential privacy may be defined as a
mathematical concept used to measure the extent by which a
database preserves anonymity. Differential privacy is applied to
private data analysis, where the goal is to learn information about
the population as a whole, while protecting the privacy of each
individual (Dwork et al).
Dwork (2006) defines differential privacy as an area of research

which seeks to provide rigorous, statistical guarantees against what
an adversary can infer from learning the results of some randomized
algorithm. In cryptography, differential privacy provides ways to
maximize the accuracy of queries from statistical databases while
minimizing the chances of identifying its records. Providing
aggregate information in statistical databases may reveal some
sensitive information that should not be disclosed. Typical examples
of statistical database include medical records held institutions, and
public records personal information. Differential privacy is a
framework for formalizing privacy is statistical databases
introduced in order to protect against deanonymization techniques.
5.7 Data hiding, crime and the law
Data hiding techniques have important ramifications in terms of

crime and the law. According to Silver (2012) encryption can be
used for purposes both good and bad. It can prevent identity thieves
or the agents of tyrannical governments; but it can also protect
155
child-pornography collections or terrorist plots. In the justice
system, the rise of digital encryption poses a distinct problem: the
unavailability, or indecipherability of encrypted evidence. Thus
whereas cyber crime is on the rise, law enforcement agents have to
contend with the challenges posed by some counter cyber security
measures employed by criminals.
Whilst data hiding techniques play an indispensable role in

safeguarding the confidentiality, integrity and availability of data,
the use of these techniques may have severe public safety and
national security ramifications. For instance, the widespread use of
robust non-key recovery encryption ultimately will devastate the
ability of law enforcement agents to fight crime and prevent
terrorism. In the same vein, criminals such as drug dealers, spies,
terrorists and other unruly elements in society use strong encryption
techniques and other data hiding methods to communicate about
their crimes and their conspiracies with impunity. The situation is
compounded by the fact that modern encryption algorithms are too
strong to be broken with brute force computing. This means that
forensics examiners and law enforcement agents may not be able to
have access to vital evidence for purposes of prosecuting cyber
criminals.
Criminal use of encryption in voice, and data communications,

electronic mail and files stored on the computers of individual
criminals and criminal enterprises have been apparent in the world.
Denning and Baugh (1999) observe that encryption also gives
criminals and terrorists a powerful tool for concealing their
activities and make it impossible for law enforcement agencies to
obtain the evidence needed for a conviction or the intelligence vital
to criminal investigations. Similarly, encryption techniques tend to
frustrate the interception of communications which have played a
significant role in averting terrorist attacks and in gathering
information about specific transnational threats, including terrorism,
drug trafficking, and organized crime.
Use of data hiding techniques also has serious ramifications from a
156
cyber security standpoint. For instance, hackers use encryption to
protect their communication channels from interception. In addition,
hackers can also install their own encryption software on computers
they have penetrated. The software is then used to set up a secure
channel between the hacker's computer and the compromised
computer. The corollary is that cyber attackers and criminals use the
same cyber security techniques to prevent their malicious and
criminal activities from detection and investigation.
Cyber criminals continue to develop anti-forensic techniques to

counter cyber security measures. Some of the anti-forensic tools can
provide complete editing capabilities of the timestamp rendering the
timestamps recovered by forensics tools unreliable in court. Other
tools defeat file signature analysis. Thus anti-forensic techniques
pose serious threats to efforts towards managing cyber crime and
other attacks to computer systems.
As observed by Grabosky (2007), the sophistication of cybercrime

is compounded by the widespread availability of cryptography.
Encryption is ideally suited to those offenders who wish to
communicate in furtherance of criminal conspiracies or who wish to
conceal information that might be used against them is court. Such
information might include records of criminal transactions or illicit
images. In addition to cryptography and steganography,
technologies enable individuals to conceal their identities online or
to impersonate other users. These technologies make it very
difficult to identify suspects. A number of nations are moving
towards compulsory disclosure of cryptographic keys subject to
judicial oversight.
Laws regulating encryption

The use of data hiding techniques in protecting electronic data
raises a number of fundamental legal issues. Laws regulating
cryptography tend to differ from one country to another. For
instance, some countries have laws restricting or outrightly
prohibiting the export of cryptography software and/or encryption
algorithms or cryptoanalysis methods. Other countries make it
157
mandatory for the use of encryption software to be licensed. Yet
some countries forbid citizens from encrypting their Internet
communication while others countries require decryption keys to be
recoverable in case of a criminal investigation.
Some governments have also enacted laws to limit the strength of

cryptographic systems, forcing cyber security professionals and
forensics examiners to study other secure methods of secure
information transfer. The diversity of laws and restrictions on the
use of cryptography shows the intense interest by governments to
control data hiding techniques for national security and law
enforcement.
The Zimbabwean law provides some form of restrictions on

services using encryption. The Interception of Communications Act
[Chapter 11:20] does not specifically ban the use of encryption
technology but provides that a telecommunication service provider
shall acquire facilities and devices required to facilitate lawful
interception of communications. This means that information and
communication technologies which prevent the lawful interception
of communications would fall foul of the law.
For instance, the Postal and Telecommunications Regulatory

Authority (POTRAZ) reportedly banned encrypted messaging
services provided on Blackberry phones, arguing they violated the
Act because the Act requires that all services must have ―the
capability to be intercepted.
The Interception of Communications Act (IoCA) also deals with

disclosure of ‗protected information‘, that is information protected
by passwords or other data security measures or keys. This means
that encrypted data naturally fits the description of ‗protected
information.‘ The law compels any person with a key to protected
information to disclose the protected information for the purposes of
preventing and detecting serious offences or in the interests of the
‗economic well-being of Zimbabwe.
158
It is a serious offence in terms of the IoCA for a person to fail to
make the disclosure of protected information where they are
required to do so by operation of the law. Accordingly, a person is
compelled under sanction of a fine not exceeding level fourteen or
imprisonment for a period not exceeding five years or both to
disclose protected information for purposes of the interception of
communications under the Act.
In South Africa the Regulation of the Interception of

Communications and Provision of Communication-Related
Information Act, 70 of 2002, section 21 thereof, deals with
applications for decryption directions compelling persons with
decryption keys to protected data to provide them. The decryption
direction therefore facilitates access to encrypted information or
converting encrypted information into an intelligible form.
Legal cases
There are various legal cases in which criminal suspects have been
compelled to provide passwords to potentially incriminating data
encrypted on hard drives. An increasing number of individuals and
organizations have been arraigned before the courts on issues
relating to evidence on encrypted hard disks. Legal issues have been
raised pertaining to whether compelling a suspect to reveal a key or
password to encrypted documents constitutes self-incrimination? In
the United States some courts have held that compelling suspects to
provide the password necessary to unencrypt hard drive would be a
violation of the Fifth Amendment assurance that no one shall be
compelled in any criminal case to be a witness against himself.
A typical case is United States v. Fricosu in which a bank fraud

defendant's home was searched pursuant to a warrant, and a
computer seized which held encrypted files. The government
subpoenaed defendant to produce an unencrypted version of the
content of the computer. Defendant argued that the subpoena
violated her Fifth Amendment privilege against self-incrimination
by requiring a testimonial act of production by compelling her to
acknowledge her control over the computer and its contents. The
159
court ordered defendant to reveal the decryption password to the
contents of the hard-drive.
In the American case of In re Boucher, the court had to directly

address the question of whether investigators can compel a suspect
to reveal their encryption passphrase or password, despite the U.S.
Constitution's Fifth Amendment protection against self-
incrimination. The court held that, given Boucher's initial
cooperation in showing some of the content of his computer,
producing the complete contents would not constitute self-
incrimination. Boucher finally gave up his password and
investigators found numerous images and videos depicting sexual
abuse of children.
The dispute between FBI and Apple on encryption revolves around

the extent to which courts in the United States can compel
manufacturers to assist in unlocking cell phones whose data are
cryptographically protected. In 2016 the FBI wanted Apple to create
and electronically sign new software that would enable the FBI to
unlock a work-issued iPhone 5C it recovered from one of the
shooters in a terrorist attack. The above cases show some of the
legal challenges relating to digital evidence held in computers and
protected by encryption.
Various data hiding techniques used in cyber security to protect

information have been discussed in detail. Some of the most common
techniques include cryptography and data encryption methods,
steganography, and obfuscation methods. The application and
effectiveness of some of the data hiding techniques have been
demonstrated during the course of the Unit. Issues relating to
differential privacy have also been highlight insofar as they relate to
cyber security. The Unit concluded by highlighting the relationship
between data hiding techniques and cyber crime and the legal
position relating to the same.
160
UNIT 6
COMPUTER INSECURITY

 Define internet crime and internet fraud
 Identify the common computer glitches
 Explain how bank computers fail
 Explain issues of computer hacking
 Highlight incentives and motivation for cyber attacks
 Know how to reduce systemic cyber security risk.
6.0 Introduction
The Internet provides a perfect place for criminal elements to

commit all sorts of crimes without the risk of being detected. As
such, Internet crime and other online offences are on the rise as the
world become more and come interconnected. This makes the
Internet largely unsafe and insecure, as users may be victims of
cyber crime. In this Unit, issues relating to Internet crime; causes of
computer failures; bank failures and computer hackers will be
discussed. An attempt would also be made to highlight the
incentives and motivation for cyber attacks. In the final analysis, the
issue of systemic cyber security risk and how to manage it will also
be covered in this Unit.
6.1 Internet crime and Internet fraud
Cyber crime has already been defined in Unit 4 of this Module. It

refers to any criminal offence committed on or facilitated via the
Internet. Suffice it to say that there are many types of crimes that
are committed on the Internet. Individuals and groups such as
criminals, thieves, hackers, dissatisfied employees, and spies
commit the crimes. These cyber crimes may include IP theft,
spoofing, destructive attacks, denial of service, and spying attacks
(Kulkarni and Chande 2014). In this Unit the focus is on purely
Internet crimes, that is crimes committed through the Internet.
161
Internet fraud and online scams
A number of fraudulent activities and online scams have and
continue to be reported with the growth of e-commerce transactions.
An Internet fraud or online scam may be defined as the use of
Internet services or software with Internet access to defraud victims
or to otherwise take advantage of them; for example, by stealing
personal information, which can even lead to identity theft. Internet
services can be used to present fraudulent solicitations to
prospective victims, to conduct fraudulent transactions, or to
transmit the proceeds of fraud to financial institutions or to others
connected with the scheme.
The Criminal Law (Codification and Reform) Act of Zimbabwe

[Chapter 9:23] (section 136 thereof) provides that any person who
makes a misrepresentation(a) intending to deceive another person
or realizing that there is a real risk or possibility of deceiving
another person; and (b) intending to cause another person to act
upon the misrepresentation to his or her prejudice, or realizing that
there is a real risk or possibility that another person may act upon
the misrepresentation to his or her prejudice; shall be guilty of
fraud if the misrepresentation causes prejudice to another person or
creates a real risk or possibility that another person might be
prejudiced.
Internet fraud is therefore illegal in Zimbabwe as it involves any

form of misrepresentation intended to deceive other persons with
the result that they suffer prejudice. Beyond just basic email scams,
there are other methods that scammers use to defraud people of their
money through the Internet. The most common internet frauds
include the so-called Nigerian scams in which the fraudsters put
together storylines and plots that appeal to the basic human
emotions of greed, goodwill and love.
A typical example of a Nigerian scam involve the fraudster

outlining a situation in Nigeria that require a massive transfer of
money from that country into the United States for safety. For
assisting with the money transfer, the recipient of the email is
162
promised a percentage of the transfer amount, usually totaling
hundreds of thousands of dollars to a few million. The targeted
victim is then tricked into providing bank account details or
depositing some amount as security. The result is that the victim
ends up losing money due the scam.
Online auction frauds

In an online auction scheme, a fraudster starts an auction on a site
such as eBay with very low prices and no reserve price, especially
for typically high priced items like watches, computers, or high
value collectibles. The fraudster accepts payment from the auction
winner, but either never delivers the promised goods, or delivers an
item that is less valuable than the one offered.
Online automotive frauds

It is common that a fraudster posts a nonexistent vehicle for sale on
a website. An interested buyer, hopeful for a bargain, emails the
fraudster, who responds saying the car is still available but is
located overseas. The scam artist then instructs the victim to send a
deposit or full payment via wire transfer to initiate the "shipping"
process only to subsequently realize that they have scammed.
Pyramid schemes
Pyramid schemes are illegal and very risky ‗get-rich-quick‘
schemes that can end up costing victims a lot of money. Victims
might hear about a pyramid scheme from friends, family or
neighbours. Usually, pyramid schemes recruit members at seminars,
home meetings, over the phone, by email, post or social media. In a
typical pyramid scheme, the victim pays to join. The scheme relies
on convincing other people to join up and to part with their money
as well. In order for everyone in the scheme to make a profit
there needs to be an endless supply of new members. The promoters
at the top of the pyramid make their money by having people join
the scheme. They pocket the fees and other payments made by those
who join under them until the scheme collapses and victims suffer
financial prejudice.
163
Investment fraud and stock scams
According to Investopedia, the Internet is a great tool for investors,
providing a source for researching investments and trading
securities with unprecedented ease. Unfortunately, the lack of rules
on the web also makes it the perfect place for fraud to flourish.
Investment fraud and stock scams occur through the sale of bogus
investments online. The scammer buys the stock at a low price,
spreads false rumors that help drive the stock price up, and the sells
at an artificially high price before the bottom falls out (Stair &
Reynolds 2003). Users are discouraged from dealing with
unregistered securities and brokers.
Advance fee frauds

Advance fee frauds involve promises of high rewards if money is
provided upfront for some rewards which do not materialize.
Classic examples of advance fee frauds are the so-called Nigerian
frauds. Advance fee frauds have a long history although e-mail has
made it much easier and cheaper to reach large numbers of people.
Cyber theft
This involves using a computer to steal. Cyber theft is generally
broad in scope and may include breaking and entering into
computer systems to steal data, embezzlement and unlawful
appropriation, espionage, identity theft, fraud, malicious hacking,
plagiarism, and piracy.
Internet crimes
There are other various Internet crimes which do not necessary
relate to fraud but are considered criminal offences. The following
are some of the Internet crimes:
Advertising or soliciting prostitution through the Internet

Internet crime may also include advertising and offering illicit
services through the Internet. For instance, it is against the law to
access prostitution through the Internet in most countries. However,
the challenge with Internet crimes is the process of accessing the
164
Internet transcend national borders and therefore difficult to
manage.
Drug sales
Electronic commerce enables people across the world to trade in
various goods and services including illegal substances. For
instance, selling illegal and prescription drug through the Internet is
an offence in most countries except through a state-licensed
pharmacy.
Cyber contraband
The Internet may also be used as a vehicle for transferring illegal
items that is banned in some locations. Typical examples of such
Internet crimes include transferring banned encryption technology,
among others.
Cyber laundering
Money laundering is also rampant over the Internet. This involves
the electronic transfer of illegally-obtained monies with the goal of
hiding its source and possibly its destination. The monies may be
proceeds of illegal transactions such as drug dealing, illegal dealing
in minerals, among other things.
Cyber trespass
Cyber trespass involves accessing computer or network resources
without authorization or permission from the owner, but does not
alter, disturb, misuse, or damage the data or system. Cyber trespass
is therefore hacking for the purpose of entering an electronic
network without permission. A typical example is reading email,
files, or noting which programs are installed on a third-party's
computer system without permission just for fun, because you can.
This is sometimes simply called snooping.
Cyber vandalism
This crime involves damaging or destroying data or other
information in computer systems. This can include a situation where
network services are disrupted or stopped. This deprives the
165
computer/network owners and authorized users (website visitors,
employees) of the network itself and the data or information
contained on the network. For instance, cyber vandalism may
involve entering a network without permission and altering,
destroying, or deleting data or files.
It would also appear that deliberately entering malicious code

(viruses, rootkits, trojans) into a computer network to monitor,
follow, disrupt, stop, or perform any other action without the
permission of the owner of the network may be deemed a type of
cyber vandalism. Similarly, attacking the server of the computer
network (DDoS attack) so the server does not perform properly or
prevents legitimate website visitors from accessing the network
resources with the proper permissions may also be classified as an
act of cyber vandalism.
6.2 Computer Failures and Causes
In cyber security, it is important to understand the causes of

computer failures in order to avoid similar failures in future
applications. According to Halderman (2009), inquiries into failure
and its causes are central to technical progress: they delineate the
practical boundaries of what we can achieve with current
technology and highlight areas that are ripe for further research. A
good cyber security professional must be knowledgeable about
some of the computer failures and causes thereof.
Failures may be defined as potentially damaging events caused by

deficiencies in the system or in an external element on which the
system depends. Failures may be due to software design errors,
hardware degradation, human errors, or corrupted data (Cavelty
2013). Accidents include the entire range of randomly occurring and
potentially damaging events such as natural disasters. Usually,
accidents are externally generated events (i.e. from outside the
system), whereas failures are internally generated events. There are
a number of causes of computer and software:
166
User errors
It is a truism that any tool is only as good as the workman who uses
it and computers are no different. Most computer failures are due to
errors of the users. Actions such as not powering down properly,
skipping scan disks or continual button pushing while a computer is
processing can damage a computer's hardware, particularly drives
and processors. Always follow the correct guidance in using a
computer machine.
Faulty manufacture
Computer failures may be attributed to faulty designs by
manufacturers. It seems there are an almost infinite number of
manufacturers and assemblers making computers and while some
have vast experience and resources, others are no more than two
guys in a garage so it is not surprising that an increasing number of
computer systems are faulty when purchased.
Bad upgrades
Software upgrades by inexperienced computer fitters can cause
serious problems. Faulty add-ons such as RAM can kill a processor
instantly, also attempting to 'overclock' or interfere with a processor
can often lead to a fatal melt-down.
USB Devices
Most gadgets can be plugged into a USB port of a computer these
days. However, the USB device may not be suited to the operating
system being used or it may be faulty leading to a fatal short circuit.
Users should therefore be careful when using USB devices to avoid
computer failures.
Failure to load software upgrades

Computer software often comes with various bugs or other
vulnerabilities. These are simply programming mistakes, but they
can make the software susceptible to viruses and glitches. When an
error is discovered, the software designer sends out a ―patch‖ that
requires downloading and rebooting. Failing to upgrade the
software by running the patch can lead to corruption of data. It is
167
therefore good practice for users to constantly load software
upgrades on the computer systems.
Failure to keep virus protection up to date

Virus protection is a critical component of computer and cyber
security. There are several malware protection packages available
for computer rooms or data centers. Once installed, the subscription
must be maintained. Users usually tend to forget or ignore calls to
upgrade their anti-virus software thereby exposing computers to
serious risks.
Environmental factors
A dusty environment will clog a computer and block cooling vents
causing a computer to overheat. Dust can also contain conductive
material and particles can stick to circuit boards and cause a short
circuit. Computers are electrical devices and as with all electrical
equipment, computers and water do not mix as this could result in
permanent damage to the computer. In addition, different
temperatures may also affect computers. For instance, processors
can run exceptionally hot and if a computers cooling system is
inadequate it will only be a matter of time before it packs up for
good. Similarly, extreme cold conditions may affect the computer.
Processors will not operate at all if the operating temperature is too
cold as condensation inside the machine can freeze and expand
damaging the processor and electronics.
Power problems
Power surges or unexpected electrical power cuts may not only
cause instant loss of data but can fry a processor. Lightning can
surge through cables frazzling the computer system. Thus voltage
spikes, that is, momentary changes in the supply of electric power
may cause computer failures. Even a small power glitch can damage
a computer and corrupt data.
6.3 Bank Failures
The rising cases of cyber attacks present a major threat to banks and
financial institutions all over the world. Reports of major banks
168
losing millions of dollars as a result of cyber crime have been
extensively reported. For instance, in February 2016, hackers
successfully stole nearly $100 million from Bangladesh‘s central
bank. This cyber attack was immediately followed by reports that
hackers had successfully stolen more than $31 million from the
Russian central bank.
Given the frequency and magnitude of the cyber attacks, there is no

doubt that the possibility of bank failures instigated by cyber attacks
is more than real. According to Kuepper (2017), cyber security risks
could lead to bank failures. The financial industry has been
struggling to keep abreast with technological innovation thereby
playing second fiddle to sophisticated methods used by cyber
criminals. Other banks have developed effective security systems
such as the use of the two-factor authentication system to protect
consumer bank accounts.
However, some major banks become victims of cyber attacks as

they have not implemented such security systems despite their
effectiveness in keeping cyber attackers at bay. Cyber security has
become a paramount concern for the banking sector although some
banks remain hesitant to implement much-needed security measures
and regulators have been slow to develop a plan to address major
attacks if and when they occur (Kuepper 2017).
Attackers also tend to circumvent secure banks by targeting weaker

links in the information supply chain. Small to medium banks are
particularly prone to attacks as they may not have adequate
financial resources to invest in top-notch security systems. Besides
probing for the weakest link in the banking ecosystem, criminals are
also developing new methods of attack and target new channels of
communication as banks introduce them. For example, the user-
friendly VISA payWave system, in which a customer simply swipes
a card near a reader to buy something, makes it far faster and more
convenient to pay, but also exposes the transaction to unauthorized
users who can steal the information wirelessly.
169
In order to understand their adversaries, banks must anticipate new,
sophisticated forms of attack, or new versions of old tricks. At the
same time, they must also work to ensure that their partners and
stakeholders are secure, as part of strengthening the entire supply
chain of information to minimize attacks against the weakest links.
The following tips may be useful to banks and other financial
institutions:
 Understanding threats - just as the likelihood and impact of

cybercrimes varies, so should the responses to them. In this
effort, banks need to distinguish between financially motivated
attacks and those that are non-financial in nature.
 Cooperating externally - banks are perceived as operating in
silos. However, greater external cooperation enhances their
cyber security efforts more broadly. As indicated above,
criminals often target weaker links in the banking ecosystem,
and it would be in the banks‘ long-term interests to help third-
party actors improve their own cyber security systems.
 Improving awareness - greater communication between the
technical and business functions is necessary to improve cyber
security within enterprises. By raising everyone from end users
and employees to top management, issues of cyber threats may
be minimised.
 Leveraging data assets with advanced analytics - like many
organizations, banks have enormous amounts of data at their
disposal, which they can leverage with analytics tools to detect
trends and create strategies from which to proactively counter
cyber threats.
 Taking risk-based decisions - adopting a holistic view of cyber
threats requires an elevation of the problem to an operational
risk, from which better decisions can be taken faster and in
relation to the relative risk to the enterprise as a whole.
6.4 Computer Hackers
Computer systems are prone to attacks by human adversaries called

‗threat agents‘ or commonly known as ‗hackers‘. The catchphrase
‗hacker‘ is usually used in two main senses, namely: positively and
170
pejoratively. In the computing profession, hackers refer to a distinct
group of particularly skilled programmers or experts with the
ability to write novel software. In the other sense however, hackers
generally refer to computer intruders or criminals (Cavelty, 2013).
Put differently, hackers may be perceived as benign explorers,

malicious intruders, or computer trespassers. This group includes
individuals who break into computers primarily for the challenge
and peer status attained from obtaining access. In some cases,
hacking is not a malicious activity. This is usually done by a so-
called "white hat" hacker, that is, someone who uncovers
weaknesses in computer systems or networks in order to improve
them, often with permission or as part of a contract with the
owners. In contrast, "black hat" hacking refers to malicious
exploitation of a target system for conducting illegal activities.
The modus operandi used by hackers includes gaining control of

networks or computer systems via malicious programs or through
unauthorized means. Hackers may be motivated to attack those
parts of information infrastructure considered ‗critical‘ for the
functioning of the society. Whereas the single hacker can work
alone, organized crime requires proper networking through lines of
communication between component elements. The need for those
lines of communication is its vulnerability, so that is where the
counter- terrorism efforts will have to concentrate.
6.5 Incentives and Motivation for Attacks
In order to win the war against cyber crime, there is need to first
understand the incentives and motivations for the attacks. In other
words, what motivates cyber attackers to carry out cyber attacks?
According to Gelbstein and Kamal (2002), the most important
defence in cyber-space is twofold. First, having a correct analysis of
one‘s own vulnerabilities and second, trying to determine the
opponent‘s motivations. Vulnerability and motivation are then the
171
two keys to a correct understanding of and reaction to the dangers of
cyber-threats and cyber-attack.
In order to understand the motivation behind attackers, it is necessary

to classify the attackers into different categories. This is important as
different attackers have different incentives and motivations. As aptly
observed by the World Economic Forum (2016), the threat actors
vary (from hacktivists to cybercriminals, to disgruntled or nefarious
insiders or saboteurs, to nation states) as do their motives (from
criminal activity such as fraud, theft or the distribution of child
pornography, to economic or military espionage, to cyberwarfare.
To help understand the common motivations, cyber-attackers may be

categorized in different classes. However, a given attacker may
belong to more than one category (Andress & Winterfeld, 2011). For
example, politically motivated cyber- attacks may be carried out by
members of extremist groups who use cyberspace to spread
propaganda, attack websites, and steal money to fund their activities
or to plan and coordinate physical-world crime (Gandhi et al., 2011).
Figure 6.1 below shows a possible categorisation of cyber attackers.
Figure 6.1: Categories of Cyber Attackers (Adopted from Han and

Gongre, 2014)
172
Some of the categories of cyber attackers will be discussed below in
a bid to highlight the various incentives and motives for committing
cyber crimes.
Organized attackers
As shown in Figure 6.1 above, organized cyber attackers comprise

organizations of terrorists, hacktivists, nation states, and criminal
actors. Each of these may have different motives for orchestrating
cyber attacks. For instance, cyber terrorists seek to make a political
statement or attempt to inflict psychological and physical damage
on their targets, in order to achieve their political gain or create fear
in opponents or the public (Lewis, 2002). Thus the main motivation
behind cyber terrorists is the desire to cause alarm, fear and
despondence in order to make political mileage.
Similarly, Hacktivists may also seek to make a political statement

through cyber attacks but mainly actuated by the desire to raise
awareness and not encourage change through fear. Hacktivism is
the use of hacker techniques such as web-defacement and
distributed denial of service to publicise an ideological cause rather
than for purposes of crime. Hacktivists are therefore motivated by
socio-political causes focused on drawing attention through
disruption and shaming and other methods used by criminal actors.
Nation-state attackers gather information and commit sabotage on

behalf of governments (Cohen et al., 1998), and are generally
highly trained, highly funded, tightly organized, and often backed
by substantial scientific capabilities. Nation-state attackers are
motivated by political or economic advantage; focused on
espionage; late adopters that learn from criminal actors and
hacktivists. Criminal actors are usually organized groups of
professional criminals (Cohen, et. al, 1998), and they may act
within complex criminal ecosystems in cyberspace that are both
stratified and service oriented (Grau & Kennedy, 2014).
Perpetrators of organized crime are typically focused on control,
power, and wealth (Gragido et al, 2012).
173
Hackers
As indicated in section 6.4 above, the "white hat" hackers are

usually incentivised by the need to uncover weaknesses and
vulnerabilities in computer systems or networks in order to improve
them, often with permission or as part of a contract with the owners.
Though most white hat hackers would be expected to lack the
motivation to cause violence or severe economic or social harm
because of the ethics, government officials fear that individuals who
have the capability to cause serious damage could be corrupted by a
group of malicious actors (Cavelty 2013).
On the other, so-called 'black hat‘ hackers or criminal hackers are

frequently hired or sponsored by criminal organization or
governments for financial gain or political purpose. Depending on
the motive for the attack, hacking can involve espionage (i.e., to
obtain secrets without the permission of the holder of the
information, primarily for personal, political, or criminal purposes),
cyber extortion (i.e., to extract money, property, or other
concessions by threatening harm), theft (i.e., to steal valuable data,
information, intellectual property, etc.), vandalism (i.e., to cause
damage) (Shakarian et al, 2013).
Amateurs
Amateurs are a group of less-skilled hackers, also known as "script

kiddies". These often use existing tools and instructions that can be
found on the Internet to hack into computer systems. Their
motivations vary: some may simply be curious or enjoy the
challenge; others may be seeking to build up and demonstrate their
skills to fulfil the entry criteria of a hacker group (Andress &
Winterfeld, 2011). However, benign their intentions may be, the
tools used by amateurs can be very basic but powerful. Despite their
low level skills, script kiddies can cause a lot of damage or, after
gaining enough experience, may eventually "graduate" to
professional hacking (Han and Gongre 2014).
174
6.6 Reducing Systemic Cyber Security Risk
As the world become more and more interconnected and networked,

systemic cyber risks also become more pronounced. The World
Economic Forum (2016) defines systemic cyber risk is the risk that
a cyber event (attack or other adverse event) at an individual
component of a critical infrastructure ecosystem will cause
significant delay, denial, breakdown, disruption or loss, such that
services are impacted not only in the originating component but
consequences also cascade into related (logically and/or
geographically) ecosystem components, resulting in significant
adverse effects to public health or safety, economic security or
national security.
Systemic cyber risk is the risk of a breakdown in an entire computer

network system, triggered by an attack or failure in component of
the interconnected system. The inter-connectedness of various
major government services and large private sector systems has led
to the identification of what is referred to as critical infrastructures.
As such, an attack on a portion of the critical infrastructure may
have a ripple effect on the entire infrastructure.
Systemic risk events can be sudden and unexpected, or the

likelihood of their occurrence can build up through time in the
absence of appropriate policy responses. Risk realized through
common threat vectors across enterprises and ecosystems can result
in large aggregate effects, especially where the ―vulnerability‖ is
integrated in operations common across enterprises. Systemic risk
by its nature requires risk-sharing due to the risk of contagion, as
one loss triggers a chain of others.
Organizations can better address catastrophes by examining

potential systemic cyber risks in the information infrastructure. The
risk can be reduced by addressing the vulnerabilities and/or by
increasing the resilience of business processes in the face of cyber
events. The ability of entities to prepare for the consequences of
systemic risk and build common processes, capabilities and capacity
175
to enhance their cyber resilience, and ensure they are able to recover
from a systemic cyber event, is therefore more important than ever.
Illustrative example of systemic cyber security risk
Systemic cyber security risk is more prominent in businesses or

organizations with reliance on highly connected and interconnected
technologies or networks. This gives rise to the creation of single
points of failure which may have adverse ripple effects across the
interconnected businesses. In other words, such vulnerability in the
network system may have cascading consequences of the cyber risk
materializes. A typical example of systemic cyber risk may be the
global financial systems such as SWIFT.
The Society for Worldwide Interbank Financial

Telecommunications (SWIFT) is one example of several systems
underpinning global financial systems that connect into broader
bank networks and are remotely accessible. Most financial
institutions in the world have a SWIFT connection, which provides
a critical global messaging platform to the financial sector and is
designed to service more than 10,000 financial institutions in 212
different countries. If SWIFT‘s systems are attacked by cyber
criminals, the consequences may affect financial systems of almost
every other country in the world. Therefore, systemic cyber risk for
the global financial sector includes the potential for cyber attacks to
result in:
 failure of an institution‘s ability to meet its payment or

settlement obligations, which could trigger a contagion effect
where other financial institutions would not be able to meet
their settlement obligations;
 failure or severe or prolonged disruption of a core payment
and settlement system, which can be compromised at various
endpoints, affecting multiple country and locations‘ securities
markets;
 the loss or compromise of the availability and integrity of key
financial data; and
176
 widespread loss of trust and confidence in the payment and
settlement systems (World Economic Forum 2016).
Managing systemic cyber risks
Given the complexity of the systemic cyber risk environment, the

cyber risk footprint of any given entity is no longer limited to the
entity‘s owned or controlled systems, networks and assets. In other
words, it is not possible for any entity to address its cyber risk in a
vacuum. An entity‘s cyber risk includes another entity‘s cyber risk
if they are virtually connected, and the aggregated risk becomes the
risk to individual systems and networks.
To understand and manage systemic cyber risk, organizations must

partner with suppliers and upstream or downstream business
partners, customers and other virtually connected entities to
understand the potential scope, scenarios and triggers for systemic
cyber events. It is imperative to identify and jointly assess the
critical infrastructure assets at risk, the vulnerabilities that may
expose those assets and the capabilities and motives of the threat
actors targeting the critical assets.
Entities of all sizes, public and private must work collectively in

partnership using all the capabilities and capacities at their mutual
disposal to address systemic cyber risks. This is important, as many
traditional approaches to risk management and governance that
worked in the past may not be comprehensive or agile enough to
address the rapid changes in the threat environment and the pace of
technology change that is redefining public and private enterprises.
Traditional cyber response or cyber defence tools, such as firewalls

or automated threat indicator sharing, are no longer sufficient when
facing systemic cyber risk. Furthermore, many common defences
have been designed to limit the immediate impact to a particular
individual or company, often with the main objective of protecting
financial information or limiting financial impact. They have not
been designed with persistent attackers with the resources of nation
177
states in mind, nor to address risks that exist outside the realm of a
given entity‘s control.
In this Unit a number of issues relating to computer insecurities

have been covered. It has been highlighted that the Internet is a
stage for a multitude of criminal activities. Examples have been
given of various online activities involving Internet frauds and other
Internet crimes in general. Issues relating to causes of computer
failures; bank failures and computer hackers have also been
canvassed. Incentives and motivation for cyber attacks have been
highlighted for various groups of cyber criminals. In the end, it has
been established that the interdependence and interconnectedness of
computer systems of various entities has resulted in systemic cyber
security risk being a reality.
178
UNIT 7
INCIDENT OF CYBER CRIME
Learning Objectives
 Explain why cyber crimes are on the rise
 Highlight reasons for cyber crime under-reporting
 Explain the cyber crime investigations
 Outline methods of cyber crime management
 Understand the process of evidence collection and chain of
custody
 Explain the process of cyber crime risk management
 Define and understand the concept of cyber forensics
7.0 Introduction
The menace of cybercrime in today‘s information society assumes a

multi-dimensional challenge to the society as it targets citizens,
businesses, organisations of different kinds and governments. The
incidence of cybercrime continues to grow at a phenomenal rate as
the modern society increasingly becomes largely dependent on
information and communication technologies in every sphere of
human life. The cyber environment also facilitates the commission
of most forms of organized crimes including terrorism thereby
posing formidable threats of a global magnitude. The need for all
stakeholders to work together in the fight against the threat of
cybercrime cannot be overemphasized. In this chapter, the focus
will be on the definition and scope of cybercrime, cybercrime
reporting and investigation and cybercrime management. Issues
relating to computer evidence collection and chain custody as well
as cyber forensics will also be covered.
7.1 Definition and scope of cybercrime
Despite the growing global interest in fighting cybercrime, there is

no universally accepted definition of ‗cybercrime‘. In some
instances, definitions of cybercrime depend on the purpose and
context in which the term is used. For instance, in the field of cyber
179
security, the definition of cybercrime may be restricted to various
acts or omissions against the confidentiality, integrity and
availability of computer data or systems. In a broader sense, cyber
crime definitions may encompass other crimes such as identity-
related offences that may result in personal harm or financial loss to
the victims. The long and short of this discourse is that cybercrime
is a term that does not lend itself to a precise definition. As aptly
observed by Yar (2006, quoted in Croall, 2011), the term
‗cybercrime‘ refers to a diverse range of illegal and illicit activities
that share in common the unique electronic environment in which
they take place.
The difficulty in defining cybercrime is compounded by the

challenge of distinguishing older crimes committed using computer
technology and new crimes emerging as a result of technological
developments. For instances, conventional crimes such as theft,
fraud or vandalism where understood in the context of a physical
environment involving tangible goods and services. On the other
hand, cybercrime frequently takes place in the ‗virtual‘
environment.
Thus, while some forms of cyber crime are widely recognizable as

fraud or theft but use the Internet, others are in effect created by the
Internet (Wall 2007 quoted in Croall 2011). A useful test to
ascertain whether an activity is a ‗true‘ cyber crime is whether it
could exist without the Internet or a computer system. For instance,
Croall (2011) observes that advance fee frauds have existed for
centuries but are facilitated by electronic communications, whereas
if the Internet were taken away tomorrow, computer ‗attacks‘ would
disappear.
The term 'cyber-crime' can refer to offenses including criminal

activity against data, infringement of content and copyright, fraud,
unauthorized access, child pornography and cyber-stalking. There is
also need to distinguish between computer crime and cybercrime.
Computer crime may be defined as any illegal act involving a
computer whereas cybercrime entails the commission of online or
180
internet-based illegal or criminal acts. A person that commits
cybercrime is called a cybercriminal. Cybercriminals may also use
software for their crimes, that kind of software is called crimeware.
‗How therefore has the Internet affected crime? In general, it has

altered time and space relationships enabling people to
communicate with thousands of others on a global basis in
milliseconds, without the need for letters, phone calls, or travel (Yar
2006; Wall 2007; Williams 2010). Fraudsters can target thousands
of potential victims quickly and cheaply and with far fewer risks of
detection. There is now less need for ‗hard‘ copies of films, DVDs
or CDs which can be downloaded. It has reduced the need for face
to face interaction and people can easily create multiple identities.
Fraudsters can, for example, attempt to sell goods or services and
pose as satisfied customers to enhance their marketing. The growing
dependency of businesses, individuals and governments on
electronic communications makes them vulnerable to attack – thus
the fear of cyber terrorism‘ (Croall 2011:299-300)
Perpetrators of cybercrime
There are many crimes that are being committed using information
technologies, particularly the Internet. The perpetrators of
cybercrime frequently include computer hackers, cyber stalkers,
cyber terrorists and identity thieves. There are various categories of
cybercrime perpetrators including the following:
(a) Corporate spy

A corporate spy is a person hired by an organization to break into
another organization‘s specific computer with the intention of
stealing its proprietary data and information, or to help identify
security risks within their own organization. This practice of hiring
corporate spies is commonly known as corporate espionage.
(b) Hacker
A hacker is a person who accesses a computer or network illegally.
Some hackers make a claim or justify their intent for hacking, are to
181
improve security.
(c) Cracker
Someone who accesses a computer or network illegally, with the
intent of destroying data, stealing information, or any other
malicious action. A cracker usually has advanced network skills.
Cyber extortionist
A cyber extortionist is a person who uses e-mails as their drive
force for extortion. A cyber extortionist usually performs actions,
such as threatening to expose confidential information about a
company, unless they are paid a certain sum of money.
Cyber terrorist
A cyber terrorist is someone who uses the Internet or a network to
destroy or damage computers for political reasons. Cyberterrorists
are also associated with cyberwarfare, which is described as an
attack whose goal ranges from disabling a government‘s computer
network to crippling a country.
Script kiddie
Someone who has the same intent as a cracker but does not have the
technical expertise, so in turn use pre-written hacking and cracking
programs to breach computers or networks.
Unethical employee
Employees may break into their employer‘s computer or network
maybe either to simply exploit a security weakness or to seek
financial gains from selling confidential information. Some
employees may just want revenge.
7.2 Cyber Crime Reporting
The rapid advancement in information and communication

technologies has resulted in exponential growth in cyber criminal
activities. Despite the fact that cybercrime is increasingly becoming
a global menace, the irony is that cybercrime is seriously under
reported and under investigated for a variety of reasons.
182
Consequently, numerous cybercrimes go undetected, and where
they are detected, victims are usually reluctant to report the cases.
The precise magnitude of the global computer crime problem
remains unknown as many cyber crimes go unreported. According
to Yar (2006), ‗estimating the extent of cyber crime is extremely
difficult. Like fraud, many cyber crimes are not detected and
companies may not want to reveal their vulnerability. Individual
victims may feel that there is little to be gained by reporting
incidents, and would not know who to report them to.‘ Grabosky (
:70) also echoes the same sentiments that ―many institutional
victims, such as banks, may not wish the world to know that their
systems have been successfully attacked. Their main concerns are
securing their systems (i.e. hardening the target) and recovering
their losses, if possible. If the offender is an insider or a disgruntled
former employee, this can, in some cases, be achieved without
resort to prosecution.‖
If cybercrimes are not reported, cyber criminals will unabatedly

continue to unleash a reign of terror by committing also sorts of
illegal online activities. Accordingly, everyone including victims
should be persuaded to report cybercrime and play their part to keep
cyber criminals at bay. The low cybercrime reporting rate may be
attributed to the following reasons:
(i) Fear of further attacks

Some victims of cybercrime feel that reporting incidents of
cybercrime may be an open invitation for a floodgate of further
attacks as this may actually show that the organization does not
have proper controls or adequate security in place. \
(ii) Reputational risk

Business organizations may fear that that their reputation may be
damaged in the eyes of customers, suppliers and other key
stakeholders especially where the business operations largely
depend on efficient and secure information technologies. In other
words, they perceive reporting cybercrime as bad for the business.
As observed by Laudon & Laudon (2006), many companies are
183
reluctant to report computer crimes because the crimes may involve
employees or the company fears that publicizing its vulnerability
will hurt its reputation.‘ For instance, a bank may not wish to report
that it has been hacked as this may result in panic withdrawals of
money by accountholders.
(iii) Lawsuits
Businesses may also be wary of reporting cybercrime for the reason
that customers may institute legal action against them if they feel
that the privacy of their information held by the businesses is
compromised.
(iv) Complexity of cybercrime

Victims may be discouraged from reporting cybercrime as
investigating and prosecuting cases of cybercrime is complex and
may require extensive time and resources. For instance, cyber crime
may be committed remotely by a criminal who is in far away
country making it difficult to carry out investigations and apprehend
the culprit. In addition, statistics on successfully prosecuted
cybercrime cases is exceptionally low thereby discouraging victims
from reporting.
(v) Too few successful prosecutions

According to Welch (2000:601), ‗incidents of computer-related
crime and telecommunications fraud have increased dramatically
over the past decade, but due to the esoteric nature of this crime
there have been very few prosecutions and even fewer convictions.‘
(vi) Protection of trade secrets

Some organizations feel that trade secrets may be leaked by
law enforcement, especially if a case goes to trial.
(vii) Lack of capacity to detect attacks

A sizeable number of organizations lack the capacity to detect
attacks. As such, these organizations may not report cybercrime, as
they are unable to detect attacks in the first place. Awareness
campaigns are critical to enable employees to be able to identify
184
threats and attacks caused by cybercrimes. It is widely known that
victims of Internet crimes are often reluctant to report an offence to
authorities. In some cases the individual or organization may not
even be aware a crime has been committed. Even though facilities
for reporting incidents of cyber-crime have improved in recent years
many victims remain reluctant due essentially to embarrassment.
7.3 Cyber Crime Investigations
One must have thorough understanding of how the technology

works and some working knowledge of the applicable legal
framework in order to be a good investigator of cyber crime.
There are various procedures that may be adopted in carrying out

cyber crime investigations depending on the nature of the crime in
question. The crime may be Internet-based, device-based or
involving data. In each case, a different approach to investigating
the crime may be necessary. The ensuing sections outline some of
the steps that may be taken in investigating cybercrime.
(a) Internet-based crime

Where the investigation involves a crime committed on the Internet,
the first step in the investigation is ascertaining the Internet protocol
(IP) addresses. An Internet Protocol is a set of rules governing the
format of data sent over the Internet or other network. An IP address
consists of a series of numbers and letters that is attached to every
piece of data that moves on the Internet. An IP address comprises
information such the person who owns and operates the network
address, associated domain name or computer name, geolocation,
email addresses and local service provider identifier. The
investigation process may involve obtaining a warrant, subpoena or
court order directing an Internet Service Provider (ISP) to provide
IP addresses.
ISPs are crucial is cybercrime investigations as the maintain records

of all activities carried out by subscribers on the Internet. To this
end, the law in many countries requires ISPs to retain data from
185
subscribers for certain period of time. In Zimbabwe, the Postal and
Telecommunications (Subscriber Registration) Regulations
(Statutory Instrument 142 of 2013) make it mandatory for
telecommunications operators including ISPs to create a central
subscriber database for all of their users. Telecommunications
operators are not allowed to activate any subscriber identity module
(SIM) card without the details of the subscriber such as name,
address, gender, nationality and passport or national identification
numbers. These subscribers may be crucial when investigating cases
of cyber crime.
(b) Device based crime

A cybercrime case may involve a computer device as a target of the
crime or instrument for the commission of the crime. During the
investigation process, it is imperative to ensure that such devices are
properly secured as a crucial piece of evidence. The normal practice
is to immediately place the device in a faraday bag prior to turning
on and examining the device. It is good practice when dealing with
devices such as mobile phones to turn the device into airplane mode
to prevent any reception or remote communication. Cell phone and
other wireless devices should be examined in an isolated and
controlled environment where they cannot connect to networks,
Internet, or other systems.
(c) Data based crime

Perhaps one of the major issues pertaining to electronic data is its
reliability as evidence in a court of law. Computer data is easily
altered or manipulated thereby bringing its credibility into question
when presented in court as evidence. A person investigating data
needs to install a lock on the copy made of the data to enable the
investigator to manipulate the data and view it without making
permanent changes. Appropriate data extraction software may be
used to analyze the data or permit the investigator to view as much
data as possible. When the software is run, the investigator ought to
be able to see all files on the computer drive including any hidden
or partially deleted data.
186
The devices that are subject to an investigation, like any other
physical evidence, should be properly secured and stored might
contain; traces of DNA, fingerprints, and/or other evidence relevant
to the investigation. If evidence is not handled properly it may be
discredited and rendered inadmissible in a court of law. It is
therefore important for cyber security professionals and computer
forensic experts to exercise extreme caution when handling
potential digital evidence.
The software system will also assist your investigation in providing

information such as time stamps (a digital record of the time of
occurrence of a particular event), images, text documents, global
positioning system (GPS) locations, and other encrypted data.
7.4 Cyber Crime Management
Businesses are always at risk of attacks given that cyber criminals

are becoming increasingly effective, and their techniques are fast
evolving. In the face of these threats, organizations should adopt
and implement companywide security policies to minimize
vulnerabilities. Before one talks of managing cyber crime, one must
be able to understand what cybercrime is, the nature and motives of
the perpetrators and why it is important to manage and control cyber
crime. Some of the issues are canvassed in other parts of this
module. Under this section, the focus is on various strategies that
may be employed to manage cyber crime.
In the field of cyber crime management, sight must not be lost of

the fact that preventing and controlling high tech crime is by no
means an easy task given the complexities involved. As such, a
multi-disciplinary approach is required to effectively tackle the
incidents of cyber crime in society. This multi-faceted approach
must of necessity involve various stakeholders such as
governments, law enforcement agents, organizations, individuals
and computer professionals and experts. The following are critical
components of cyber crime management based on the multi-
disciplinary model:
187
(a) Knowledge of information technology
The war against cybercrime can never be won without sufficient
knowledge and understanding of the dynamics of computer systems
and information technologies. The major reason why it is difficult to
combat cybercrime is because the majority of people and
organizations using computers may be victims of cybercrime
without even knowing that this is happening. As such, IT
professionals and computer security experts have a daunting task of
educating users of computers on the various threats and risks
associated with computer and information technology as part of
efforts to manage cyber crime.
While the risk of cyber attacks may not be completely eliminated,

there are various ways organizations can defend their systems or
mitigate the potential impact of cyber attacks. These may include
testing their security systems, protecting their network and
applications, encrypting sensitive data and protecting websites by
using a secure communication protocols.
Computer patches and updates

An effective way of keeping attackers at bay is to regularly update
computer programs and apply patches and other software fixes as
soon as an update is available. Constantly updating computer
systems prevent attackers from exploiting software flaws or
vulnerabilities to break into a computer system. Albeit computer
updates and patches may not completely eliminate the threat of
attacks, they may it hard for hackers to gain access to the computer
system. In addition, this also blocks many basic and automated
attacks completely and also may discourage less-determined
attackers from looking for a more avenues to break into the
computer. A common challenge for computer users is forgetting to
check for latest software updates thereby exposing computers to
threats of attack. Accordingly, computer users may also take
advantage of popular software that can be configured to download
and apply updates automatically. This will so that you do not have
to remember to check for the latest software.
188
Secure Computer configurations
Configuring computers properly and securely is a good step towards
managing potential cyber threats. This is particularly important
when configuring newly purchased computers as they naturally
come with inadequate levels of security. When installing computers
at work or at home, there is need to pay attention to the security
features to ensure that the computer is protected. Equally important,
properly configuring Internet applications such as Web browsers
and email software is of cardinal importance in safeguarding the
computer from online threats. Security and privacy settings on the
computer should also be properly configured as part of efforts to
tame the tide of rising incidence of cybercrime.
Password policy
Password policies are necessary to protect the confidentiality of
information and the integrity of systems by keeping unauthorized
users out of computer systems. Users of computers must have
password policies dealing with how to store and secure passwords,
procedure on and frequency of changing passwords and the
fiduciary duties of the users. A good password policy must specify
certain key features of passwords such as minimum length, allowed
character set, prohibited strings (all numbers, dictionary words,
variations of the username or ID), and the duration of use
(expiration) of the password. In order to prevent social engineering,
a password policy should require that only the employee who needs
access to the computer should know the password. Employees must
not under any circumstances disclose their passwords in an
unsolicited phone call or email message.
Users are encouraged to use complicated passwords that are not

easy to guess. In choosing good passwords users should consider a
mixture of numbers, letters (uppercase and lowercase) and special
characters such as %, $, and +. As such, users should refrain from
using their names or those of their beloved ones as passwords as
hackers may easily guess the same. Similarly, users are discouraged
from using passwords that have been used on the same account
before.
189
Although longer, complex and difficult passwords may be a
challenge for most employees or users to remember, organizations
should still encourage the use of such passwords for security
reasons. The password policy must provide for the requirement for
regularly changing the passwords. For instances, the organization
may have a policy for changing passwords every month. Changing
passwords frequently may be monotonous for users. As such,
organizations may consider using password management software
platforms such as 1Password, PassPack and LastPass.
The following table shows some of the useful tips in managing

passwords:
Table:7.1 Tips on password management
Description Useful Tips
Selecting passwords  Avoid selecting a password that can be easily guessed
 Do not use your login name as password, or anything based on
your personal information such as your last name
 Avoid using words that can be found in the dictionary as
passwords
Attributes of strong  A password should have eight characters or more.
passwords  Use a combination of letters (both lower and upper case),
numbers and symbols (such as $, %, ! or £)
Safety of Passwords  Passwords should be kept in a safe place
 Avoid writing passwords on desktop calendars, diaries or sticky
notes
Changing passwords  Change your password on a regular basis (at least every three
months)
 Avoid using the same password for every service you use
online.
Sharing passwords  Avoid sharing passwords with, for instance, fellow employees.
 Do not provide password details to over phone calls or via email
Additional password  Consider using two-factor authentication features as additional
security security. These may require users to enter an additional pin code
that can be sent to a mobile device, or to input fingerprints to
grant access.
190
Email protection
Email facilities are prone to vulnerabilities if not properly secured.
It is therefore important to ensure that emails are encrypted to
provide another layer of protection against intrusion. Users are
urged to keep their passwords safe and to always log out to prevent
others from hacking their email accounts. It is also recommended
for security reasons that use choose complicated email addresses so
that it is difficult to guess such as when using one‘s name. A good
practice is to combine one‘s name with numbers in the email
address (such as peter2017@gmail.com).
Security software
Software security encompasses firewall and antivirus programs
intended to provide basic online security. The first line of defence is
usually provided by firewalls that monitor the flowing of data in and
out of computer systems and screening out bad traffic. Antivirus
software also plays a critical security role by monitoring online
activities such as email messages and Web browsing thereby
protecting the computer from viruses, worms, Trojan horse and
other types malicious programs. According to Reynolds (2016)
antivirus software should be installed on each user‘s personal
computer to scan a computer‘s memory and disk drives regularly
for viruses. Other renowned antivirus programs, such as Norton
AntiVirus, also provide protection from spyware and adware.
Antivirus and antispyware software should be properly configured
to automatically update itself.
Managing personal information

Management of personal information shared online is an
indispensible security measure to prevent falling victim of
cybercrime and other computer attacks. Personal information may
include names, home addresses, phone numbers, email addresses,
bank account details, among others. Although it may be inevitable
to avoid sharing personal information online in given, for instance,
the pervasiveness of electronic commerce and other online
activities, users must exercise great caution when sharing the
information. The following table illustrates some of the basic safety
191
precautions on how to manage and safely share personal
information online:
Table:7.2 Tips on personal information management
Description Safety Precaution

Phony email messages  Be on the look out for phony email messages. Usually fraudulent
messages have misspellings, poor grammar, and odd phrasings.
 Be wary of emails messages prompting you to act swiftly to prevent
something from happening. For example, phishing messages often tell
you to act quickly to keep your account open, update your security, or
urge you to provide information immediately or else something bad
will happen.
 Avoid the temptation to respond to email messages asking for personal
information even if they purport to come from reputable institutions
like banks. If in doubt, contact the institution by phone.
Websites  Avoid clicking on the links in email messages as these may direct you
to fraudulent or malicious Web sites. Some websites are designed to
steal personal information.
 Type the address (URL) directly into the Web browser when visiting a
website rather than following links provided in emails or instant
messages.
 Read and understand privacy policies on websites before sharing
personal or sensitive. These may show how an organization might
collect and use the personal information.
Email Addresses  Avoid unnecessarily disclosing your email address when carrying out
online activities. Caution must be exercised when posting your email
address online in newsgroups, blogs or online communities.
Online offers  Watch out for online offers that look too good to be true as these are
often sources of fraudulent activities. For example, ‗free‘ software
such as screen savers, promises of fortunes may be used to entice you.
Bank and Credit Cards  It is good practice to constantly review bank and credit card statements
as unusual payments may provide an early warning sign of online
crime. Cases on identity theft and other online crimes may be
prevented or reduced by reviewing for unusual activities on bank
accounts.
192
Training
According to Kaspersky cyber threats are often blamed on outsiders
such as nefarious programmers writing malicious code designed to
pilfer corporate intelligence, siphon confidential customer
information and/or raid financial data. Yet sometimes, the threat
may actually originates from within, when employees‘ ignorance
and/or negligence opens the door for cyber criminals. Therefore, an
organization may invest in the best cyber security systems but
remains exposed if employees are not trained on the risk of cyber
crime. A system is only as secure as the weakest link. Employees,
like all humans, have inherent weaknesses and make errors that may
inadvertently expose the business to threats of cyber attacks.
Awareness and training employees is therefore a critical and
indispensible component of cyber security management.
Employees and other users of computer systems must receive some

basic training on how to recognize and avoid cyber crime in order to
significantly reduce risks of security breach. Users should be
educated to abstain from behaviors that can deliberately or
unwittingly expose the business to the risk of cybercrime. Training
on cyber crime must not only focus on existing employees but
organizations must incorporate cyber crime awareness into their
recruitment and training policies. In general, training on cyber
crime should focus on raising awareness to employees on some of
the following issues:
 the impact of cyber crime incidents on the business, customers
and other key stakeholders in the value chain
 the importance of using smarter passwords, which are crucial to
upgrading cyber security.
 the potential dangers of social media, blogs and suspicious links
from unknown sources in propagating malicious programs
leading to cyber attacks;
 ways of recognizing warning signs, suspicious and/or unusual
activities and reporting potential cyber attacks to the
administrator;
 practicing safe behaviors when using computer resources,
emails, web browsing, mobile devices and social networks.
193
7.5 Evidence Collection and Chain of Custody
Evidence collection at any crime scene is an important of the justice

delivery system. Similarly, digital evidence must be carefully
collected and preserved in order for law enforcement agents to
successfully prosecute cyber crime. More often than not, incidents
of cyber security breaches are usual discovered by systems or
network administrators who usually trample over the evidence in
the haste to contain the attacks. This inevitable results in potential
evidence being destroyed or compromised. This section covers
issues pertaining to evidence collection and chain custody.
Evidence collection
Reynolds (2016:111) underscores the importance of evidence
collection by observing that ―an organization should document all
details of a security incident as it works to resolve the incident.
Documentation captures valuable evidence for a future prosecution
and provides data to help during the incident eradication and
follow-up phases. It is especially important to capture all system
events, the specific actions taken (what, when, and who), and all
external conversations (what, when, and who) in a logbook.
Because this data may become court evidence, an organization
should establish a set of document handling procedures using the
legal department as a resources.‖ There is no doubt therefore that
proper procedures must be followed during evidence collection to
avoid the possibility of such evidence from being challenged and
rendered inadmissible in a court of law.
Digital evidence is in most cases intangible and is often inherently

volatile. The digital evidence may also come in massive quantities,
thereby posing substantial logistical challenges. Utmost care must
therefore be taken when collecting and handling digital evidence to
avoid, for instance, alteration or modification of the data. Any
examination of the intangible evidence must be carried on a copy of
the original data with any changes to the original being explicitly
documented and justified, in order to minimize the chances of the
integrity of the evidence being challenged.
194
Evidence collection entails a number of important activities. This
may include seizing and securing physical pieces of evidence such
as smart phones as well as other mobile devices. The process may
also include the collection of forensic evidence such as fingerprints,
biological samples, DNA, and so on. Welch (2000) observes that
when seizing evidence from a computer-related crime, the
investigator should collect any and all physical evidence, such as
the computer, peripherals, notepads, documentation, etc., in addition
to computer-generated evidence. The following are a few tips on
how to collect and secure pieces of computer evidence:
 At the point of collection, the evidence must be properly
marked so that it can be easily identified as the specific piece
of evidence gathered at the crime scene.
 The collection must be recorded in a logbook identifying the
particular piece of evidence, the person who discovered it, and
the date, time and location discovered. All other types of
identifying marks such as make, model, or serial number,
should also be logged.
 Depending on the nature of the crime, latent fingerprints may
need to be preserved. In that case, the investigator should use
static-free gloves instead of standard latex gloves.
 Data and power cables on computer devices containing
potential evidence should be secured. It may also be useful to
consider collecting computers that may contain device
backups;
 Any devices identified as potential evidence should be properly
packaged to ensure that they are not physically damaged,
deformed or otherwise contaminated. The devices may be
packaged in evidence bags or boxes. Evidence should be
protected against heat, extreme cold, humidity, water, magnetic
fields, and vibration by storing it in proper packing materials.
For instance, hard disks should be packed in sealed, static free
bags, within a cardboard box with a foam container.
 Evidence should be safely transported to a location where it
can be stored and locked. However, where the evidence is too
bulky to be transported, the forensic examination of the system
may need to take place on site.
195
Chain of custody
In order to ensure successful prosecution of criminal activities, the
legal system requires that evidence presented in court must be
authentic and not been tainted or tampered with in any way. The
legal system has developed mechanisms of preserving the integrity
and authenticity of evidence. The notion of chain of custody is one
way in which the law endeavors to guarantee the integrity of
evidence. In legal parlance, the term chain of custody refers to the
logical and chronological documentation or paper trail, showing the
collection, seizure, custody, control, transfer, analysis, and
disposition of physical or electronic evidence.
It concerns documentation that identifies all changes in the control,

handling, possession, ownership, or custody of a piece of evidence.
The chain of custody includes information as to the location of the
evidence, who collected the evidence, how it was collected and each
person who has handled the evidence since its collection. The main
objectives of chain custody procedures are therefore to:
 enable one to sequentially trace the path that evidence takes
from the time it is collected through to the time the evidence is
presented in a court of law.
 prevent the fabrication, manipulation, tampering or
contamination of evidence.
 provide a systematic way of handling evidence and preserve its
integrity.
 identify the persons and processes involved in the collection,
gathering, custody and presentation of evidence.
Put differently, the role of chain of custody in criminal (or to some

extent in civil proceedings) is generally threefold: (i) it shows that a
piece of evidence is what it purports to be (for example, a litigant's
fingerprints); (ii) it indicates each person who handled the evidence
from the time it was collected to the time it was tendered in court;
and (iii) it seeks to prove that the specific piece of evidence
remained in substantially the same condition from the moment it
was collected until the moment that person released the evidence
into the custody of another (for example, the evidence was stored in
196
a secure location where no one but the person in custody had access
to it). The chain of custody process may be best explained by
looking at the evidence life cycle model. The following illustrates
the model:
Figure 7.1: Evidence Life Cycle
Evidence
Discovery &
collection
Evidence
returned to Analysis of
owner/dispo evidence
sed
Evidence
Presentation of storage,
evidence in preservation &
court transportation
The Evidence Life Cycle model commences with the discovery and
collection of the evidence and progresses through various distinct
stages until the evidence is returned to the owner or otherwise
disposed. Each distinct stage in the evidence life cycle is important
and proper procedures must be adhered to in order to preserve the
integrity of the evidence. Therefore, the need to maintain the chain
of custody cannot be overemphasized. For instance, if the evidence
is challenged in a courtroom, one must be able to trace the chain of
custody in a bid to ascertain and prove that the evidence was not in
any way contaminated. However, if the chain of custody is broken
resulting in anomalies in the way the evidence was handled from the
time of collection to the time of presentation in court, the accused
person may move for the evidence to be rendered inadmissible.
International standards on digital evidence

Efforts to standardize forensic procedures have occurred on a
number of fronts. The Computer Crime and Intellectual Property
197
Section of the U.S. Department of Justice developed Federal
Guidelines for Searching and Seizing Computers in 1994. The
guidelines have been revised and updated periodically since then,
most recently in 2002. In March 1998, the International
Organization on Computer Evidence (IOCE) was established to
develop international principles for the procedures relating to digital
evidence, to ensure the harmonization of methods and practices
among nations, and to guarantee the ability to use digital evidence
collected by one nation in the courts of another nation. Standardized
forensic procedures have also been developed by the FBI‘s
Computer Analysis Response Team (CART).
Computer security practitioners must be well-versed in rules of

evidence given their role in the collection of requisite evidence
during investigations. As aptly highlighted by Welch (2000), the
submission of evidence in any type of legal proceeding generally
amounts to a significant challenge, but when computers are
involved, the problems are intensified. Special knowledge is needed
to locate and collect evidence, and special care is required to
preserve and transport the evidence. Evidence in a computer crime
case may differ from traditional forms of evidence inasmuch as
most computer-related evidence is intangible-in the form of an
electronic pulse or magnetic charge.‘ Before delving into the area of
evidence collection and preservation in greater detail, it is important
to define the term ‗evidence‘ and also give a brief outline some of
the basic rules of evidence.
Definition of evidence
In simple terms, evidence may be defined as anything tendered in
court to prove the truth or false of a fact at issue. Thus the law of
evidence relates to the proof or principles that govern the proof of a
fact at issue. The proof may take the form of oral testimony of
witnesses, physical objects or documentary evidence. In criminal
proceedings, evidence is anything that proves directly or indirectly
that a person committed an offence. In the field of cyber security,
the terms ‗computer evidence‘, ‗electronic evidence‘ or ‗digital
198
evidence‘ are frequently used. Digital evidence may be defined as
any information or data of value to an investigation that is stored on,
received by, or transmitted by an electronic device. Digital evidence
comes in different shapes and forms such as text messages, emails,
pictures and videos, and Internet searches. In the world of
computers, suspects usually leave a digital trail that may provide
evidence of the identity of the perpetrator, location and time of the
crime, among other important details. Welch (2000) identifies four
types of computer-generated evidence, namely: (i) visual output on
the monitor; (ii) printed evidence on a printer; (iii) printed evidence
on a plotter; and (iv) film recorder (includes magnetic
representation on disk, tape, or cartridge, and optical representation
on CD).
Types of evidence
Evidence comes in different forms. In general, there are three basic

types of evidence, namely: direct evidence, circumstantial evidence
and real evidence. However, a forth type of evidence known as
demonstrative evidence may be particularly important to the field of
computer-related crime. These types of evidence will be discussed
in detail below:
(a) Direct evidence

Direct evidence is what the witness who is testifying before the
court perceived with his/her own senses with a direct bearing on the
case. Direct evidence is therefore oral testimony of a witness. A
typical example is where X saw Y trying to access information in
Z‘s computer without Z‘s authority.
(b) Circumstantial evidence

Circumstantial evidence refers to indirect evidence leading to one
inescapable conclusion. For instance, A was the only person with
the keys to the server room at the time when unknown culprits
tampered with the computer system of the company. The law
permits resolution of cases on the basis of circumstantial evidence.
199
(c) Real evidence
Real evidence is tangible or physical evidence that can be tendered
in court as an exhibit. This may be in the form of a physical object,
a record or any other documentary evidence. In the field of
computer crime, documentary evidence is the most common type of
evidence usually presented in courts in the form of business records,
manuals and printouts. Real evidence may thus include tools used in
the commission of the crime or fruits of the criminal venture. The
main purpose of real or physical evidence is to link the suspect to
the scene of the crime. For example, a laptop computer containing
pornographic images may be tendered in court as real evidence to
prove that a person is guilty of distributing pornography in violation
of the law. Similarly, a compact disc containing software for
hacking computer systems or a fake credit card used by criminal
may be presented as real evidence in court.
(d) Demonstrative evidence
Evidence involving crime may be inherently complex as it may

assume intangible forms such as electronic pulse or magnetic
charge. As such, expert witnesses may be required to present
evidence in court in the form of demonstrative evidence. In short,
demonstrative evidence, as the name implies, entails the use of
demonstrations or illustrations to buttress the evidence being
presented in court. The primary objective is to assist the courts by
using a model, experiment, chart, or an illustration as proof (Welch
2000). Demonstrative evidence is frequently used in cases involving
computer crime in the form of simulations and animations.
A computer simulation may be defined as a prediction or

calculation about what will happen in the future given known facts.
There are many mathematical algorithms used in this type of
program that must be either simulated to or proven to the court to be
completely accurate. It is generally more difficult to admit a
simulation as evidence, because of the substantive nature of the
process (Welch 2000). On the other hand, a computer animation is
simply a computer-generated sequence, illustrating an expert‘s
opinion. Animation does not predict future events but merely
200
supports the testimony of an expert witness through the use of
demonstrations.
Rules of evidence
The rules of evidence are designed to regulate the manner in which

facts are receivable in courts as evidence. In Zimbabwe, the
Criminal Procedure and Evidence Act [Chapter 9:07] governs issues
of evidence in criminal proceedings while the Civil Evidence Act
[Chapter 8:01] regulates issues of evidence in civil proceedings. In
general terms, before evidence can be presented in court it must be
competent, relevant, and material to the issue, and must be
presented in accordance with the applicable rules of evidence. The
following are some of the elementary rules of evidence:
(a) Admissibility
Evidence may or may not be admissible in a court of law. If a
specific piece of evidence can properly be brought before the court,
it is said to be admissible. Thus for evidence to be useful in court in
establishing the veracity of certain facts, it must first pass the key
criterion of admissibility. The court will only assess the depth and
persuasiveness of the evidence after being satisfied that the
evidence is admissible. On the other hand, if evidence cannot be
properly admitted in court for one reason or another, then such
evidence is said to be inadmissible.
(b) Relevance
The basic principle upon which admissibility of evidence is based is
relevance. This means that the evidence being tendered in court
must be relevant to the issues before the court. Thus evidence that is
irrelevant to the issue for determination by the court is inadmissible
as it is immaterial and does not facilitate the resolution of the issue.
Section 252 of the Criminal Procedure and Evidence Act deals with
inadmissibility of irrelevant evidence. It provides that no evidence
as to any fact, matter or thing shall be admissible which is irrelevant
or immaterial and cannot conduce to prove or disprove any point or
fact at issue in the case which is being tried.
201
Similarly, section 26 of the Civil Evidence Act provides that
‗evidence that is irrelevant or immaterial and cannot lead to the
proving or disproving of any point or fact in issue shall not be
admissible.‘ All relevant evidence is admissible unless there is
another rule of law that excludes it. e.g. evidence may be relevant
but privileged. Evidence may also be relevant but unreliable and
therefore inadmissible, e.g. hearsay evidence.
(c) Best evidence rule
The best evidence rule was extensively used as a yardstick for the
test of admissibility of evidence. The principle was that the best
evidence available must be given to prove the facts in issue. This
was a liberal way of admitting evidence in courts. However, the
rules and standards of evidence are much stricter. The best evidence
rule was designed to prevent any intentional or inadvertent
alteration of evidence by requiring the original evidence at trial as
opposed to copies of the evidence. However, the courts would
accept a duplicate in the following circumstances:
 Where the original is lost or destroyed by fire, flood or other
acts of God;
 The original is destroyed in the normal course of business; and
 The original is in possession of a third party who is beyond the
court‘s subpoena power.
The best evidence rule has been relaxed to allow duplicates unless
there is a genuine question as to the original‘s authenticity, or if
admission of the duplicate would, under the circumstances, be
unfair.
(d) Hearsay evidence rule

Hearsay evidence is evidence based on statements made by persons
not called as witnesses tendered for the purpose of proving the truth
of what is contained in the statement. Put differently, hearsay
evidence connotes statements made by persons who are not giving
evidence in court. To this end, hearsay is second-hand evidence
given that it is not gathered from the personal knowledge of the
202
witness but from another source. Such statements are generally
excluded if the purpose of leading such statements is to prove their
contents as the truth. Under common law, hearsay evidence is
inadmissible unless it can be admitted in terms of one of the
recognized exceptions to the hearsay rule. The necessary corollary
is that hearsay evidence falling within the ambit of any of the
common law and/or statutory exceptions is generally admissible as
evidence of the truth of the facts contained in the statement.
The hearsay rule is particularly relevant to the field of computer-

generated evidence. The nature of computer-generated evidence is
that it is considered hearsay from a legal standpoint. As aptly
observed by Welch (2000) its value depends on the veracity and
competence of its source. The magnetic charge of the disk or the
electronic bit value in memory, which represents the data, is the
actual, original evidence. The computer-generated evidence is
merely a representation of the original evidence.
A classic example of statutory exceptions to the hearsay evidence

rule is found in the provisions of the Civil Evidence Act dealing
with documents generated by computers. Section 13 thereof
provides that a document produced by a computer shall be
admissible as evidence of any fact stated therein if direct oral
evidence of that fact would be admissible. Computer documents are
admissible in civil proceedings if the document is produced when
the computer is used regularly to store or process information for
the purposes of any activity regularly carried on; and the computer
was operating properly.
Information shall be regarded as having been supplied to a

computer if it is supplied to the computer in any form, whether on a
disc, tape, card or otherwise, that may be received by the computer,
and whether it is supplied directly or, with or without human
intervention, by means of equipment the operation of which is
compatible with the operation of the computer. Computer
documents may be tendered as evidence by any person who for the
203
time being has custody of the document or is responsible for
managing the activity for which the document was produced.
Section 282 of the Criminal Procedure and Evidence Act may also
be relevant to evidence emanating from computer documents. It
provides that in any criminal proceedings in which direct oral
evidence of fact would be admissible, any statement of such fact
contained in any document would be admissible as evidence of that
fact if that fact relates to any transaction in the course of any trade,
business or occupation. Thus computer information or documents in
the ordinary course of business would be admissible as evidence as
an exception to the rule against hearsay.
(e) Exclusionary rules

In the law of evidence, exclusionary rules are rules stating what
evidence ought to be admitted and what evidence cannot be
admitted. For instance, hearsay evidence is generally inadmissible
by reason of exclusionary rules of evidence. Evidence obtained
through dishonorable means or under dubious circumstances may
be relevant but inadmissible. Evidence may also be excluded if it is
obtained by unlawful means.
(f) Expert opinion evidence
Expert opinion evidence is admissible provided it is relevant. Expert

witnesses are in a position to assist the court by reason of their
expertise, training or specialized knowledge. Expert evidence
ordinarily falls outside the competence of the average reasonable
court. The average judicial officer cannot be expected to be, for
instance, a computer expert. Expert opinion evidence may be
required to facilitate resolution of the fact in issue. The rules of
evidence require that the expert must be a credible witness. In
addition, a party who wishes to call an expert witness must prove to
the court the qualifications and competences of the expert, that is,
that the witness is an expert in the field under consideration by the
court. It is the function of the court to satisfy itself that indeed the
expert has the necessary qualifications and experience.
204
Admissibility of computer evidence
The admissibility of computer-generated evidence is, at best, a
moving target. Computer-generated evidence is always suspect
because of the ease with which it can be tampered - usually without
a trace! Precautionary measures must be taken in order to ensure
that computer-generated evidence has not been tampered with,
erased, or added to. In order to ensure that only relevant and reliable
evidence is entered into the proceedings, the judicial system has
adopted the concept of admissibility.
 Relevancy of Evidence – evidence tending to prove or disprove

a material fact. All evidence in court must be relevant and
material to the case.
 Reliability of Evidence – The evidence and the process to
produce the evidence must be proven to be reliable. This is one
of the most critical aspects of computer-generated evidence.
Once the computer-generated evidence meets the Business Record

Exemption to the hearsay rule, is not excluded for some technicality
or violation, follows the Chain of Custody, and is found to be both
relevant and reliable, them it is held to be admissible. The defence
will attack both the relevancy and reliability of the evidence, so
great care should be taken to protect both (Welch 2000).
7.6 Cyber Crime Risk Management
Managing the risks associated with information in the information

technology (IT) environment, information risk management, is an
increasingly complex and dynamic task. In the budding information
age, the technology of information storage, processing, transfer, and
access has exploded, leaving efforts to secure that information
effectively in a never-ending catch-up mode. For the risks
potentially associated with information and information technology
to be identified and managed cost-effectively, it is essential that the
process of analyzing and assessing risk is well understood by all
parties – and executed on a timely basis.
205
Cyber crime risk management involves systematically identifying
and valuation of assets potentially at risk, an assessment of risk and
cost-effective recommendations for risk reduction. The processes
requires establishing a sound information risk management policy
(IRM) that effectively addresses all elements of information
security. There is also need to establish IRM methodology and
tools. There are two fundamental applications of risk assessment to
be addressed (1) determining the current status of information
security in the target environment(s) and ensuring that associated
risk is managed (accepted, mitigated, or transferred) according to
policy, and (2) assessing risk strategically.
Strategic assessment assures that the risks associated with

alternative strategies are effectively considered before funds are
expended on a specific change in the IT environment. Strategic
assessment allows management to effectively consider the risks
associated with various strategic alternatives in its decision-making
process and weigh those risks against the benefits and opportunities
associated with each alternative business or technical strategy
(Ozier 2000).
Identify and measure risk

Once IRM policy, team, and risk assessment methodology and tools
are established and acquired, the first risk assessment will be
executed. This first risk assessment should be scoped as broadly as
possible, so that (1) management is provided with a good sense of
the current status of information security, and (2) management has a
sound basis for establishing initial risk acceptance criteria and risk
mitigation priorities.
Project sizing
This task includes the identification of background, scope,
constraints, objectives, responsibilities, approach and management
support. Clear project sizing statements are essential to a well-
defined and well-executed risk assessment project.
206
Threat analysis
This task includes the identification of threats that may adversely
impact the target environment. This task is important to the success
of the entire IRM program and should be addressed, at least
initially, by risk assessment experts to ensure that all relevant risks
are adequately considered.
Asset identification and valuation

This task includes the identification of assets, both tangible and
intangible, their replacement costs, and the further valuing of
information assets availability, integrity, and confidentiality. These
values may be expressed in monetary (for quantitative) or
nonmonetary (for qualitative) terms.
Vulnerability analysis
This task includes the qualitative identification of vulnerabilities
that could increase the frequency or impact of threat events
affecting the target environment.
Risk evaluation
This task includes the evaluation of all collected information
regarding threats, vulnerabilities, assets, and assets values in order
to measure the associated chance of loss and the expected
magnitude of loss for each of an array of threats that could occur.
Establish risk acceptance criteria

With the results of the first risk assessment management should
establish the maximum acceptance financial risk.
Mitigate risk
The first step in this task is to complete the risk assessment with the
risk mitigation, costing, and cost/benefit analysis. This task provides
management with the decision support information necessary to
plan for, budget, and execute actual risk mitigation measures.
207
Monitor information risk management performance
Having established the IRM program, and gone this far –
recommended risk mitigation measures have been
acquired/developed and implemented – it is time to begin and
maintain a process of monitoring IRM performance. This can be
done by periodically reassessing risks to ensure that there is
sustained adherence to good control or that failure to do so is
revealed, consequences considered, and improvement, as
appropriate, duly implemented.
A well-run information risk management program – an integrated

risk management program – can help management to significantly
improve the cost-effective performance of its information
technology environment, whether it is mainframe, client-server,
Internet, or any combination, and to ensure cost-effective
compliance with applicable regulatory requirements. The integrated
risk management concept recognizes that many often uncoordinated
units within an organization play an active role in managing the
risks associated with the failure to assure the confidentiality,
availability and integrity of information (Ozier 2000).
7.7 Cyber Forensics
Computer crime investigation and computer forensics are also

evolving sciences which are affected by many external factors:
continued advancements in technology, societal issues, legal issues,
etc. There are many gray areas that need to be sorted out and tested
through the courts. Until then, the system attackers will have a clear
advantage, and computer abuse will continue to increase. We, as
computer security practitioners, must be aware of the myriad of
technological and legal issues that affect our systems and its users,
including issues dealing with investigations and enforcement
(Welch: 601).
According to Reynolds (2014), computer forensics is a discipline

that combines elements of law and computer science to identify,
collect, examine and preserve data from computer systems,
208
networks, and storage devices in a manner that preserves the
integrity of the data gathered so that it is admissible as evidence in a
court of law. A computer forensics investigation may be instigated
for a number of reasons. It may be embarked on
 in response to a criminal investigation or civil litigation;
 to retrace steps taken when data has been lost;
 to assess damage following a computer incident
 to investigate the unauthorized disclosure of personal or
corporate confidential data
 to confirm or evaluate the impact of industrial espionage.
Proper handling of a computer forensics investigation is the key to

fighting computer crime successfully in a court of law. In addition,
extensive training and certification increases the stature of a
computer forensics investigator in a court of law. There are
numerous certifications related to computer forensics, including the
CCE (Certified Computer Examiner) and CISSP (Certified
Information Systems Security Professional). A computer forensics
investigator must be knowledgeable about the various laws that
apply to the gathering of criminal evidence.
Computer forensics is the study of computer technology as it relates

to the law. The objective of the forensic process is to learn as much
about the suspect system as possible. This generally means
analyzing the system using a variety of forensic tools and processes.
The actual forensic process will be different for each system
analyzed, but the following guidelines should help the
investigator/analyst conduct the forensic analysis (Welch 2000).
An effective electronic document retention policy ensures that

electronic documents, email, and other records are well organized,
accessible, and neither retained too long nor discarded too soon. It
also reflects an awareness of how to preserve potential evidence for
computer forensics (Laudon and Laudon 2006).
Computer forensics involves the scientific collection, examination,

authentication, preservation, and analysis of data held on or
209
retrieved from computer storage media in such a way that the
information can be used as evidence in a court of law. It deals with
the following problems:
 Recovering data from computers while preserving evidential
integrity
 Securely storing and handling recovered electronic data
 Finding significant information in large volume of electronic
data
 Presenting the information to a court of law.
Electronic evidence can reside on computer storage media in the

form of computer files and as ambient data, which are not visible to
the average user. An example might be a file that has been deleted
on a PC hard drive. Data that a computer user may have deleted on
a computer storage media can be recovered through various
techniques. Computer forensics experts try to recover such hidden
data for presentation as evidence. An awareness of the need for
computer forensics should be incorporated into a firm‘s contingency
planning process. The Chief Information Officer, security
specialists, information systems staff, and corporate legal counsel
should all work together to have a plan in place that can be executed
if a legal need arises.
There are many tools available to the forensic analysts to assist in

the collection, preservation, and analysis of computer-based
evidence. The make-up of a forensic system will vary from lab to
lab, but at a minimum, each forensic system must have the ability
to:
 Conduct a Disk Image Backup of the Suspect System
 Authenticate the File System
 Conduct Forensic Analysis in a Controlled Environment
 Validate Software and Procedures.
Before analyzing any system it is extremely important to protect the
system and disk drives from static electricity. The analyst should
always use an anti-static or static-dissipative wristband and mat
before conducting any forensic analysis.
210
Conduct a Disk Image Backup of the Suspect System
A disk image backup is different from a file system backup in that it
conducts a bit level copy of the disk, sector by sector, rather than
merely copying the system files. This process provides the
capability to back up deleted files, unallocated clusters, and slack
space. The backup process can be accomplished by using either disk
imaging hardware, such as the ImageMaster 1000, or through a
variety of software programs.
Authenticate the File System

File authentication helps to ensure the integrity of the seized data
and the forensic process. Before actually analyzing the suspect disk,
a message digest is generated for all system directories, files and
disk sectors. A message digest is a signature that uniquely identifies
the content of a file or disk sector. Doing this will help refute any
argument by the defence that the evidence was tampered with.
Conduct forensic analysis in a controlled environment

After restoring at least one of the backup tapes to a disk, of equal
capacity to the original disk, the restored data should be analyzed.
This should be done in a controlled environment on a forensic
system. Everything in the system must be checked, starting with the
file system and directory structure. Deleted file, hidden files, data in
slack space, data in unallocated space, compressed data, encrypted
data, and data generated from search results must all be checked and
analyzed.
Searching for obscure data

Once the basic analysis is complete, the next step is to conduct a
more detailed analysis of more obscure data. The fact that a file is
hidden is a good indicator of its evidentiary value. If someone took
time to hide the file, it was probably hidden for a reason. The
simplest way to hide a file is to alter the file attribute to Hidden,
System or Volume Label. Files with these attributes do not normally
appear in a DIR listing or even in the Windows file manager.
211
A file can also be hidden is slack space. Slack space is the area left
over in a cluster that is not utilized by a file. Files and directories
can also be deleted. But when DOS or Windows deletes a file, it
only changes the first character of the file name to 0xE5, which
merely makes the file space available. The file is not actually
removed. The data in the cluster previously allocated by the file is
still available until overwritten by a new file. On DOS and
Windows systems, the analyst can use the un-erase utility to recover
deleted files.
Steganography
Steganography is the art of hiding communications. Unlike
encryption, which utilizes an algorithm and a seed value to scramble
or encode a message in order to make it unreadable, steganography
makes the communication invisible. This takes concealment to the
next level – that is to deny that the message even exists, if a forensic
analyst were to look at an encrypted file, it would be obvious that
some type of cypher process has been used. It is even possible to
determine what type of encryption process was used to encrypt the
file, based upon the unique signature. However, steganography
hides data and messages in a variety of picture files, sound files, and
even slack space on floppy diskettes. Even the most trained security
specialist or forensic analyst may miss this type of concealment
during a forensic review (Welch 2000: 638).
This Unit covered a diversity of issues relating to cyber crime

reporting, investigation and management. It was highlighted that
cyber crime is being severely underreported thereby stifling efforts
towards investigating and managing the risk of cyber crime in
society. The Unit also covered in great detail the process of
collecting digital evidence and the chain of custody up to the stage
the evidence is tendered in courts of law. Issues relating to cyber risk
management and cyber forensics have also been articulated.
212
UNIT 8
ELECTRONIC TRANSACTIONS

 Define the concept of electronic transactions
 Identify emerging trends pertaining to electronic transactions
 Highlight legal issues arising from electronic transactions
 Outline the functions of global payment systems
 Identify cyber risks involved in payment cards and data security
 Understand fraudulent activities relating to electronic cards.
8.0 Introduction
Recent advances in information and communication technologies

culminated in the rapid growth in electronic and online transactions.
The swift growth in online transactions was matched with an
exponential growth in cyber crime and other risks and threats.
People now predominantly communicate and transact business on
the Internet, via email, video-conferencing, ‗whatsapp‘, ‗facebook‘,
and a host of other social media ―apps‖. Information technology has
brought about enhanced convenience in processing commercial and
business transactions over the Internet as people and organizations
can electronically sell goods and services online, make purchases,
pay bills and effect fund transfers in the comfort of the office or
home. In this chapter the focus will be on electronic commerce and
other online transactions and the associated cyber security issues.
8.1 Electronic commerce

In the world of business, huge volumes of electronic transactions
are processed daily as people engage in electronic commerce
(‗ecommerce‘). Online business transactions account for billions of
dollars annually in developed and developing countries and the
figures continue to grow as more and more people rely on
ecommerce.
213
What is e-commerce?
Stair and Reynolds (2003) define ecommerce as any business
transaction executed electronically between parties such as
companies (business-to-business), companies and consumers
(business-to-consumer), business and the public sector, and
consumers and the public sector. Laudon & Laudon (2014) also
observe that e-commerce is that part of e-business that deals with
the buying and selling of goods and services over the Internet.
E-commerce also encompasses activities supporting those

marketing transactions such as advertising, marketing, customer
support, security, delivery and payment. In its widest sense,
electronic commerce does not only embrace commercial
transactions but also all forms of social intercourse that may take
place electronically such as through the medium of the Internet.
E-commerce and cyber security

There is no doubt that for e-commerce and e-business to flourish,
cyber security must be at the core of online transactions. In other
words, the success of electronic transactions hinges on the existence
of a safe and secure cyber environment conducive for the online
exchange of goods and services and processing of online payments.
A certain level of confidence and security is required for online
transaction processing systems to work effectively and efficiently in
the cyber environment.
In Zimbabwe, people are now extensively using online transactions

using mobile money systems. Kufandirimbwa et al (2013) observe
that mobile money, which is simply the ability for cell phone users
to transfer money from one subscriber to another as well as
withdrawing cash from appointed mobile money agents, has greatly
helped Zimbabwean people whose country is facing liquidity
challenges through facilitating transactions in the financial sector
without the need for Bank account and queues. Such online
payments systems require secure platforms if the success of
electronic transactions is to be guaranteed.
214
8.2 Online Transactions
Online transactions constitute an integral component of e-commerce

and other electronic transactions. However, it is important to take a
close look at online transactions from an electronic payment
perspective in order to unravel some of the pertinent issues relating
to cyber security.
Definition of online transactions

By way of definition, online transactions, also known as PIN-debit
transactions, encompass password-protected payment methods that
authorize transfer of funds over an electronic funds transfer (EFT).
As observed by Laudon & Laudon (2006), special electronic
payment systems have been developed to pay for goods
electronically on the Internet and these include systems for credit
card payments, digital cash, digital wallets, accumulated balance
digital payment systems, stored value payment systems, peer-to-
peer payment systems, electronic checks, and electronic billing
presentment and payment systems.
Typically, there are two payment options available when customers

are using electronic payments for goods or services, namely:
payment may be processed as an offline transaction using a credit
card processing network, or alternatively, as an online transaction
via an EFT system, requiring a personal identification number (PIN)
to complete the process. There are host of challenges associated
with online processing systems. These challenges include the
following:
 The processing systems may be overwhelmed given the

enormous amounts online transactions that must processed
instantaneously across vast networks. For instance, if one
server is down for a few seconds, a huge number of
transactions being processed concurrently are immediately
affected. Similarly, electronic transactions are seriously
affected in the event of hardware failure of online
transaction processing systems.
215
 Online processing systems accumulate and store colossal
amounts of transaction data. For instance, databases store
customer or user data and account information. The servers
may be hacked by intruders resulting in sensitive and
personal customer information being compromised.
Hackers may use the information to commit financial
crimes such as credit card fraud.
Key concepts in online transactions

The major concepts in online transaction processing applications
include concurrency and atomicity, among others, such as
availability, speed, and recoverability. Concurrency refers to system
controls that ensure two users accessing the same data
simultaneously in a database system will not be able to change that
data or the user has to wait until the other user has finished
processing, before changing that piece of data.
On the other hand, atomicity described system controls that

guarantee that all steps in a transaction are completed successfully
as a group. In other words, atomicity ensures that if any step fails in
the process of a transaction, the entire transaction must fail, due to
which the same steps have to be repeated again and again.
8.3 Emerging trends in online transactions

The field of online transactions continues to evolve, as novel
methods are developed to provide convenient and secure payment
systems on the online environment. The following are some of the
emerging trends in online transactions systems:
Digital credit card payment systems

Digital credit card payment systems now extend the functionality of
credit cards for use in online shopping payments. This makes credit
cards safer and more convenient for online merchants and
consumers by providing mechanisms for authenticating the
purchaser‘s credit card to make sure it is valid and arranging for the
bank that issued the credit card to deposit money for the amount of
the purchase in the seller‘s bank account (Laudon & Laudon 2014).
216
Digital wallets
Emerging trends in online transactions also include the introduction
of digital wallets. The essence of digital wallets is to facilitate
efficient payments for purchases made over the web by eliminating
the need for shoppers to enter their address and credit card
information repeatedly each time they buy something. A digital
wallet securely stores credit card and owner identification
information and provides that information at an electronic
commerce site‘s ‗checkout counter‘. Details of the shoppers such as
names, credit card numbers, and shipping information are entered
automatically using the digital wallet when invoked to complete the
purchase.
Micropayment systems
In other developed countries, advances in technology have seen the
use of micropayment systems for purchases for less than $10 mainly
used as payment systems for downloads of individual articles or
music clips that would be too insignificant for conventional credit
card payments. Similarly, accumulated balance digital payment
systems have been developed to enable users to make
micropayments and purchases on the web, accumulating a debit
balance that they must pay periodically on their credit card or
telephone bills.
Other emerging trends in online transactions include stored value

payment systems that enable consumers to make instant online
payments to merchants and other individuals based on value stored
in a digital account. Smart cards are a typical example of stored
value system used for micropayments. A smart card can be
described as a plastic card the size of a credit card that stores digital
information such as health records, identification data, or telephone
numbers, or it can serve as an ‗electronic purse‘ in place of cash
(Laudon & Laudon, (2006).
Digital cash
The increased reliance on electronic transactions has also seen the
emergence of ‗digital cash‘ or electronic cash. Digital cash can be
217
described as currency represented in electronic form that moves
outside the normal network of money (paper currency, coins,
checks, credit cards). Users are supplied with client software and
can exchange money with another e-cash user over the Internet or
with a retailer accepting e-cash. Digital cash can be used for
micropayments or larger purchases. In Zimbabwe, the use of mobile
money over systems such as Ecocash is typical example of digital
cash as people can make payments and transfer funds electronically
without necessarily having the need for physical cash.
Peer-to-peer payment systems

Web-based peer-to-peer payment systems have emerged to facilitate
sending of money to individuals who are not set up to accept credit
card payments. A typical example of a peer-to-peer payment system
is Paypal. The sender of the money uses their credit card to create
an account with the designated payment at a web site designed to
accept peer-to-peer payments. The intended beneficiary logs on to
the web site and supplies information about where to send the
payment such as to a specific bank account or a physical address.
Electronic billing presentment and payment systems

Technology continues to bring convenience to users in many
different ways including accessing and paying routine monthly bills
by simply making a few clicks on a mobile phone or other similar
device. This exemplifies an electronic billing presentment and
payment system that enables users to view their bills electronically
and pay them through electronically. These payment systems enable
users and purchasers to be notified about bills that are due and
process the payments.
8.4 Cyber security issues in online transactions

The field of cyber security is also concerned about the need to
protect online banking and other web-based financial transactions
from rapidly evolving security threats. Given the prevalence of
issues relating to credit card fraud and other cyber threats, multiple
layers of security controls are required beyond the traditional
username/password, particularly out-of-band authentication
218
methods. The major threat to online transactions is phishing that has
become one of the main weapons in the hacker‘s armory. For
instance, hackers use phishing emails to steal online banking
credentials and break into user accounts. In response, banks and
other financial institutions have deployed technologies like device
identification, challenge questions and one-time password tokens.
8.5 Legal issues in online transactions

Electronic commerce and the concomitant online transactions raise
fundamental legal issues warranting consideration. Most of the legal
issues revolve around the formation of electronic contracts,
admissibility of electronic evidence; authentication and integrity of
electronic communications; time and place of receipt and dispatch
of electronic communications, among other pertinent issues.
Legal issues in online transactions mainly relate to laws that govern

the transactions and regulations to control the online environment.
Online transactions take place on the Internet, which itself is largely
unregulated, thereby posing serious risks and concerns over security
issues. Online transactions also take place in cyberspace or a virtual
borderless world. To this end, there are formidable difficulties in
applying uniform legal concepts and laws to effectively govern
online transactions. The Internet remains analogous to a jungle
characterized by the absence of adequate regulation and control.
There is also need to come up with effective consumer protection
laws to protect consumers from being exploited by powerful online
service providers such as financial institutions.
As highlighted above, the widespread use of the Internet has

resulted in physical national boundaries becoming increasingly
blurred against a legal environment where laws are designed to
operate within physical territorial jurisdictions. Given the
complexities involved in trying to regulate the Internet and the
attendant online transactions, various models of regulation have
been considered.
219
Self-regulation model
A self-regulation model has been proposed where service providers
of online services, users and technical infrastructure providers can
work together to develop codes of practice to govern the rights and
obligations of the various stakeholders in online business
transactions. Under the self-regulation model, industry codes of
practice may be developed and used to facilitate secure and
productive use of online services. However, although industry codes
of practice for online service providers may work in regulating the
online services, electronic commerce may require additional
controls at both national and international levels. Participants and
stakeholders in the online transactions ecosystem include mobile
network operators, equipment manufacturers and vendors,
regulators, banks, other institutions, and users.
Regulatory models
Regulatory models include the electronic commerce model, that is,
for instance the all-embracing legal framework based on the United
Nations Commission on International Trade Law (UNICITRAL)
Model Law on Electronic Commerce. These regulatory models
provide legal certainty to undertake electronic activities but are not
so specific so as to tie it to particular technologies or business
models. The advantage of the electronic commerce model is that
works within an international model that has a proven track record
for enforcing contracts in different jurisdictions.
Electronic Contracts and Signatures

The basis for securing Internet transactions as a legal transaction is
the enforceability of electronic contracts that enable a transaction to
effect the transfer of goods and moneys via the Internet. A digital
signature gives these documents legal stature and is basically any
form of electronically generated seal both buyer and seller agrees to
use in a contract generated over the Internet.
In some countries there are specific laws that ensures legal

acceptance of electronic or soft documents and signatures by
mandating their legal equivalence to the traditional tangible
220
manually signed documents. Such laws establish ―equivalence‖ and
impart on electronic records and signatures the same legal standing
as manually signed paper documents.
The law essentially makes electronically created and signed

documents acceptable in a court of law in any dispute case where
before they were not admissible. This admissibility is defined by the
attribution rule which makes any electronically signed document
attributable to the person who has expressed agreement to the terms
and conditions of a transaction by electronically indicating an
expressed acceptance thereto.
Electronic transactions laws also govern security and control

procedures in on-line transactions and prescribe procedures for
determining liability in the event of a breach in security. A digital
signature uses encrypted technology created together with the
transactional documents and contains features like authentication
(proving who the users are), non-repudiation (proving the
transaction is made and messages sent to confirm them) and
integrity checks (proving that data cannot be altered without
detection). Used to authenticate a system-generated document
containing the computer identity and time stamp of use, a digital
signature, just like any written signature, is just as vulnerable to
hackers and online fraud.
The law has its own limitations in terms of regulating counterfeiting

digital signatures. However, players in the e-commerce industry
adopt cryptographic encoding schemes to protect digital signatures
as well as using secure server and virtual private networks in
transactions done over the net. While some technological weakness
remains, almost all e-commerce sites use some form of cryptic
digital certificates to protect digital signatures from frauds.
Online Risks of Fraud

Fraud remains a major risk for both consumers and vendors in
online transactions as one usually transacts with faceless parties. A
typical example includes online auctions that have been fraught
221
with unscrupulous product claims and bids but deliberate fraud is
statistically less of a risk in many online purchases. Purchase
delivery problems as well as credit and debit card failures and plain
misunderstandings between seller and buyer are more widespread
than outright frauds. The risk of online fraud is more pronounced on
the buyers‘ side as they have to pay first before the purchase is
delivered.
The degree with which online payments can be recovered after a

transaction is made determines the degree of consumer protection.
Credit cards afford the most protection and most online sellers
prefer this payment mode over other modes of payments like checks
or money orders that still require days to clear. In general, credit
card users enjoy a more robust protection and are not liable for
transactions made when the card is lost or stolen.
Other online payment systems have made inroads to the e-

commerce business offering both consumers and vendors the basic
protection they need. They often have contractual obligation
between the parties to give them exclusive privilege to transact over
the Internet. Whichever online payment systems are used, the
impetus is there to attain a level of security for online transactions
while enhancing reliability and commercial efficiency and speed
between the buyer and the seller.
Consumer protection
Due to the inherent risks in online transactions, there must be laws
to protect consumers from unscrupulous web traders. In Zimbabwe,
there are currently no specific laws providing consumer protection
in electronic transactions. However, in South Africa the Electronic
Communications and Transactions Act (ECT Act) provide
minimum requirements designed to protect consumers. The ECT
Act requires businesses trading on websites to ensure that the
website incorporates the minimum information prescribed in s 43(1)
Act. These include a transaction summary display for the consumers
to review and correct or withdraw from the transaction, a secure
payment system, a cooling-off period and the execution of the
222
contract within 30 days of receiving an order.
The statutory obligations in this regard are aimed at ensuring the

consumer is given full information about the identity of the web
trader, the nature of the goods and services, the agreement, and the
consumer‘s rights in terms of the ECT Act. The website must
contain, inter alia, the full details and particulars of web trader
including full names and legal status; physical address and
telephone numbers; website address and email address; membership
to and contact details of self-regulatory or accreditation bodies to
which web trader subscribes. The website must have a sufficient
description of the main characteristics of the products or services
offered by the web trader to enable the prospective customers to
make informed decisions before completing the online transaction.
The website must also disclose the full price of the goods or
services including transport costs, taxes and any others costs; the
payment modalities; as well as any terms of agreement such as
guarantees applicable to the transaction and how these terms may be
accessed, stored and reproduced electronically by consumers. The
law also requires that the delivery terms are stipulated on the
website; the manner and period within which consumers can access
and maintain a full record of the transaction; and the return,
exchange and refund policy.
The website must inform prospective users of their right to review

the entire transaction, correct any mistakes and withdraw from the
transaction before finally placing orders to purchase any goods or
services. The website must also include the rights of users to cancel
the transaction without reason and without penalty within seven
days of receiving the product.
Consumer Privacy Rights

Transacting over the Internet entails the collection and transmission
of personal information such as names, home addresses, phone
numbers, dates of birth, credit card numbers, and so on. This has
prompted security concerns over how such private personal data are
used. The potential for consumer identity theft is clearly the
223
overriding concern. Such personal information are taken as a
necessary part of any online payment mode. Accordingly, the
potential for consumer identity theft of such data transmitted over
the telecommunications infrastructure poses a clear threat to
consumer security.
Consumer privacy is taken to mean a user‘s control over their

private data, the use of such data and their disclosures to other
parties. Secure networks and cryptographic schemes used in the
transmission of such information may afford the consumer some
peace of mind every time he makes an online transaction. However,
there is need for specific data protection laws to protect person
private data from unwarranted disclosure in an online environment.
Although most countries have promulgated data protection laws,
there are no such specific laws currently in Zimbabwe.
8.7 Global Payment Processing
With the rapid growth in electronic commerce and other online

business transactions, an efficient and secure global payment system
is required. The global payment system should be able to prevent
inherent risks of fraud and reduce payment security risks.
Customers are now able to transact payments globally by accessing
an array of universal, local and regional payment options. The
payments ecosystem has evolved into a complex global payment
processing which includes card networks, gateways, acquirers,
processors, and more. In this section, an overview will be given on
some emerging payment systems and how payments made on one
side of the world can be received on the other.
How global payment system works

There are basically three stages to processing a card payment.
However, consumers only interface with the first step without really
appreciate the processes beyond the initial swipe that make the
payment process seamless for the users. The first stage in the
process is authorization. When the customer swipes his or her card
at a payment terminal, the transaction data goes through the
terminal to an acquiring bank, which then sends an authorization
224
request to the customer's issuing bank. Barring any issues (such as
lack of funds, a lost or stolen card report, etc.), the issuing bank
sends an authorization code through the card network to the
acquirer, which sends it back to the merchant to complete the
transaction. The entire payment process occurs in a matter of
seconds.
At this point, the consumer can leave with his or her purchase
complete, but the merchant has not actually received any funds. The
second stage involves the processing of the transactions to facilitate
the merchant to receive funds. All transactions for the day must be
batched and cleared before that happens. The batch, or the
aggregation of all the day's transactions, goes to the acquirer, which
then requests payment on the merchant's behalf from the necessary
card networks. These networks then send requests for funds to the
appropriate issuing bank.
The third and final stage involves the actual funding of the
transaction. The issuing bank sends the funds to the acquirer
through the card network, minus a small interchange fee. The card
network also takes a minuscule assessment fee and transfers the
funds to the acquirer, which finishes the clearing process. The card
transaction authorization process is illustrate in Figure 8.1 below.
Security issues in global payment systems

The global payment system should be integrated with end-to-end
fraud management and payment security solution. It must also
prevent the risk of payment failures and customer cancellations. It
must also enable payment authentication services providing online
payment guarantees to minimize customer disputes, receive
chargebacks protection and obtain relief from fraud liability.
Global payment networks

There are number of institutions which provide global payment
systems through credit and debit card processing as well as payment
gateways. For instance, VISA is one of the largest credit and debit
card processing network while Mastercard‘s gateways offer global
225
payment processing services and advance fraud management
solutions. GateKeeper provides end-to-end fraud monitoring,
detection and prevention. Using a multi-dimensional approach it
tackles fraud and risk from every angle by layering security
strategies and technologies that balance protection and profitability
at every stage of the payment lifecycle during:
 Account Registration - screening and evaluating consumer
account registration risk;
 Payment Authentication - analyzing and defining security
strategies to verify genuine customers;
 Transaction Processing - identifying, detecting and reviewing
high-risk transactions based on unique risk profiles;
 Dispute and Recovery - managing and resolving chargeback
disputes to recover losses; and
 Evaluation and Refinement - analyzing and refining fraud
performance against trends.
Secure global payment networks
There are various secure global payment networks. For example, the
Society for Worldwide Interbank Financial Telecommunications
(SWIFT) is a highly secured private telecommunications network
set up originally for the exclusive use of banks, financial institutions
and related market infrastructures. SWIFT is one example of several
systems underpinning global financial systems that connect into
broader bank networks and are remotely accessible. Most financial
institutions in the world have a SWIFT connection, which provides
a critical global messaging platform to the financial sector and is
designed to service more than 10,000 financial institutions in 212
different countries.
Its secondary role has always been as a standards organisation for

developing and managing financial message standards for a whole
range of purposes. These messages have been designed to promote
straight through processing (STP) when used by banks, market
infrastructures, and bank customers. As such SWIFT acts as a
secure link between the financial community to exchange messages
about money.
226
The Trans-European Automated Real-time Gross settlement
Express Transfer (TARGET) system is another global payment
network. It is a payment system comprising a number of national
real-time gross settlement (RTGS) systems and the ECB payment
mechanism (EPM). The national RTGS systems and the EPM are
interconnected by common procedures (interlinking) to provide a
mechanism for the processing of euro payments throughout the euro
area and some non-euro area EU Member States.
Real time gross settlement systems (RTGS) are a funds transfer

mechanism where transfer of money takes place from one bank to
another on a "real time" and on "gross" basis. Settlement in "real
time" means payment transaction is not subjected to any waiting
period. The transactions are settled as soon as they are processed.
"Gross settlement" means the transaction is settled on one to one
basis without bunching with any other transaction. Once processed,
payments are final and irrevocable.
Emerging trends in payment systems
The field of electronic payment systems continue to evolve as more

and more innovative payment systems are developed. For instance
mobile wallets such as Apple Pay, Samsung Pay, Android Pay and
Chase Pay are now trending as they enable shoppers to simply tap
their smartphones at terminals anywhere in the world to quickly and
efficiently make purchases of products and services. Peer-to-peer
services such as Venmo make it easier for friends to split restaurant
checks and also to send money halfway around the world with just
the push of a button.
Other trending payment systems include contactless payments

which allow storage of credit card information onto a smart phone
and the phone is held a few inches away from the point-of-sale
(POS) terminal. This device then automatically reads the payment
information stored on the smart chip embedded in your card and
then processes the transaction.
227
Near-field communication technology works by bringing together
two electronic devices, typically a mobile device such as a
smartphone and a reader of some kind. In terms of payments
technology, the reader would be the initiator and the smartphone
(which contains the stored credit card information) would be the
target. Similarly, bluetooth payment technology is also being used
as electronic payment systems. Bluetooth offers a much longer
range, provides faster processing and creates a truly hands-free
experience because shoppers would not even need to take out their
phones to tap them to a reader. Bluetooth payment systems also
facilitate multiple transactions at once from a single payments
terminal, which would further speed up the checkout process.
8.8 Payment Cards and Data Security
Payment cards are widely used in many countries in the world.

However, there is need for data security systems that protect users.
According to Laudon & Laudon (2014), credit cards account for
80% of online payments in the United States and about 50% of
online purchases outside the United States. In Zimbabwe, a sizeable
number of the population have access to and use credit and debit
cards for making payments. The card payment systems architecture
is as illustrated in Figure 8.1 below which shows a card transaction
is processed.
228
Figure 8.1: Card transaction process (adopted from
http://www.businessinsider.com)
Payment card industry standards

There certain standards that are applied in the payment card
industry to ensure the security of the payment systems. The
Payment Card Industry Data Security Standard (PCI DSS) is a
proprietary information security standard for organizations that
handle branded credit cards from the major card schemes including
Visa, MasterCard, American Express, among others.
The PCI Standard is mandated by the card brands and administered

by the Payment Card Industry Security Standards Council. The
standard was created to increase controls around cardholder data to
reduce credit card fraud. Validation of compliance is performed
annually, either by an external Qualified Security Assessor or by a
firm specific Internal Security Assessor that creates a Report on
Compliance (ROC) for organizations handling large volumes of
transactions, or by Self-Assessment Questionnaire (SAQ) for
companies handling smaller volumes. The standard requirements in
terms of the PCI DSS are highlighted in Table 8.1 below.
Control Objectives PCI DSS Requirements
Build and maintain a secure network  Install and maintain a firewall configuration to protect
cardholder data
 Do not use vendor-supplied defaults for system passwords
and other security parameters.
Protect cardholder data  Protect stored cardholder data
 Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability management  Use and regularly update anti-virus software on all systems
program commonly affected by malware
 Develop and maintain secure systems and applications
Implement strong access control  Restrict access to cardholder date by business need-to-know
measures  Assign a unique ID to each person with computer access
 Restrict physical access to cardholder data
Regularly monitor and test networks  Track and monitor all access to network resources and
229
cardholder data
 Regularly test security systems and processes
Maintain an information security policy  Maintain a policy that addresses information security
Table 8.1 Payment Card Industry Data Security Standard requirements
8.9 Electronic Cards Frauds
A credit card is part of a system of payments named after the small

plastic card issued to users of the system. It is a card entitling its
holder to buy goods and services based on the holder's promise to
pay for these goods and services. The issuer of the card grants a line
of credit to the user from which the user can borrow money for
payment to a merchant or as a cash advance to the user. There a
variety of electronic cards issued by financial institutions. These
include Automated Teller Machine (ATM) cards, credit cards, smart
cards and so on.
In Zimbabwe the Criminal Law (Codification and Reform) Act

[Chapter 9:23] provides for statutory offences specifically related to
unauthorized use or possession of credit or debit cards. Section 167
of the Code stipulates that ―any person who, (a) without authority,
manufactures, copies or uses; or (b) without reasonable excuse,
possesses; any credit or debit card belonging to another person shall
be guilty of unauthorized use or possession of a credit or debit
card‖. The Code defines a ―credit or debit card‖ as ―a card, disc,
plate or token, which, directly or indirectly, causes a computer to
function.‖
Incidence of credit card fraud

Fraudulent activities involving electronic payment cards are
prevalent. Credit card fraud is a wide-ranging term for theft and
fraud committed using or involving a payment card, such as a credit
card or debit card, as a fraudulent source of funds in a transaction.
The purpose may be to obtain goods without paying, or to obtain
unauthorized funds from an account. Credit card fraud is also an
adjunct to identity theft.
230
According to Adler et al (2004), many cards are stolen while in
transit from the issuer to the cardholder. In other instances an
offender may simply use false information about a real person to
obtain a genuine card. A fraudster may also make a purchase by
mail order or telephone using a genuine card number, but have the
goods delivered to an address other than the address of the card
owner. Traffickers in stolen electronic payment cards sell them for
cash, with the amount based on the credit limit of the account.
The rapid growth of credit card use on the Internet has made
database security lapses particularly costly; in some cases, millions
of accounts have been compromised. Stolen cards can be reported
quickly by cardholders, but a compromised account can be hoarded
by a thief for weeks or months before any fraudulent use, making it
difficult to identify the source of the compromise.
The availability of new and relatively inexpensive technological

equipment, however, keeps transforming the nature of the fraud.
Stolen, lost or expired credit cards are now modified with
computers an encoding devices so that they appear to be valid.
Counterfeit credit cards are also fabricated with the help of laser
copies or other duplicating techniques. Cyber criminals are also
resorting to stealing credit card account numbers from the Internet.
The main credit card frauds may therefore be summarized as
follows:
 Counterfeit card fraud in which cards are printed, embossed
or encoded without permission from the issuer;
 Fraudulent possession of card details which are used in CNP
frauds, in phone, mail order, fax or Internet transactions;
 Fraud using lost and stolen cards;
 Mail non receipt frauds in which new cards are intercepted;
 Identity theft fraud in which stolen or false details from cards
are used to open or takeover an account.
The economic rewards of credit card fraud are quick and relatively
easy. The risks are low. Usually merchants do not ask for personal
identification; cards are issued in banks that are often in other states
231
or countries; and authorization procedures are weak.
Identity theft and card fraud

Identity theft is an umbrella concept involving the criminal
acquisition of an individual‘s personal data to gain an advantage
(Semmens 2010). It incorporates offences such as passport theft,
credit card fraud all of which involve the use of another‘s personal
data. Identity theft can be divided into two broad categories:
application fraud and account takeover.
Application fraud
Application fraud occurs when a person uses stolen or fake
credentials to open an account in another person's name. Criminals
may steal documents such as utility bills and bank statements to
build up useful personal information. Alternatively, they may create
fake documents. With this information, they could open a credit
card account or loan account in the victim's name.
Account takeover
An account takeover takes place when a criminal poses as a genuine
customer, gains control of an account and then makes unauthorized
transactions. The most common method of account takeover is a
hacker gaining access to a list of user names and passwords.
Skimming
Skimming involves obtaining private information about another
person's credit card used in an otherwise normal transaction. The
thief can procure a victim's card number using basic methods such
as photocopying receipts or more advanced methods such as using a
small electronic device (skimmer) to swipe and store hundreds of
victims‘ card numbers. Instances of skimming have been reported
where the perpetrator has put over the card slot of an ATM
(automated teller machine) a device that reads the magnetic strip as
the user unknowingly passes their card through it. These devices are
often used in conjunction with a miniature camera inconspicuously
attached to the ATM to read the user's PIN at the same time.
232
Card fraud prevention
The banking industry has studied credit card schemes and has
improved the electronic system with target-hardening responses.
Several fraud-prevention initiatives have been developed in
response to the prevalence of credit card fraud. The use of laser-
engraved photography and signatures in credit cards makes
impersonation more difficult.
The cardholder may not discover fraudulent use until receiving a

billing statement, which may be delivered infrequently. Cardholders
can mitigate this fraud risk by checking their account for any
suspicious, unknown transactions or activities. The incidence of
credit card fraud can be greatly reduced by linking one‘s mobile
phone number to a bank account so that the cardholder is
immediately notified via short messaging service (sms) when any
payment or withdrawal of funds is made from the account. In other
words, this is one effective way of alerting cardholders of the
possibility of fraud and other unlawful activities.
When a credit card is lost or stolen, it may be used for illegal

purchases until the holder notifies the issuing bank and the bank
puts a block on the account. Most banks have free 24-hour
telephone numbers to encourage prompt reporting. Still, it is
possible for a thief to make unauthorized purchases on a card before
the card is cancelled. Without other security measures, a thief could
potentially purchase thousands of dollars in merchandise or services
before the cardholder or the card issuer realizes that the card has
been compromised.
Other fraud prevention initiatives include the use of increased

authorization levels on credit card transactions, as well as reduced
floor limits above which transactions must be authorized in order to
be guaranteed. Better technology has been developed to quickly
transmit data on cards that have been reported lost and stolen to
retailers worldwide. Further with the ever-increasing card not
present situations, such as when a person is purchasing items over
the Internet, additional methods are being developed to verify the
233
identity of the cardholder. According to Croall (2011), while cheque
and credit card frauds have declined, particularly since the
introduction of chip and PIN technology, there has been an increase
of card not present (CNP) frauds, in which false details are provided
in Internet and telephone sales.
The only common security measure on all cards is a signature panel,

but, depending on its exact design, a signature may be relatively
easy to forge. Some merchants will demand to see a picture ID,
such as a driver's license, to verify the identity of the purchaser, and
some credit cards include the holder's picture on the card itself. In
some jurisdictions, it is illegal for merchants to demand card holder
identification. Self-serve payment systems (gas stations, kiosks,
etc.) are common targets for stolen cards, as there is no way to
verify the card holder's identity.
Most cards are equipped with an EMV chip which requires a 4 to 6

digit PIN to be entered into the merchant's terminal before payment
will be authorised. However, a PIN isn't required for online
transactions, and is often not required for transactions using the
magnetic strip. However magnetic strip transactions are banned
under the EMV system (which requires the PIN).
Card issuers have several countermeasures, including sophisticated

software that can, prior to an authorized transaction, estimate the
probability of fraud. For example, a large transaction occurring a
great distance from the cardholder's home might seem suspicious.
The merchant may be instructed to call the card issuer for
verification, or to decline the transaction, or even to hold the card
and refuse to return it to the customer.
In this Unit a number of issues relating to electronic transactions

have been explored. It has been noted that the rapid growth in
electronic and online transactions has been characterized by a
corresponding growth in cyber crime. The concept of electronic
commerce has been defined as any business transaction executed
234
electronically such as the buying and selling of products and
services over the Internet.
It has been observed that online payment transactions constitute an

important facet of e-commerce. However, for ecommerce to thrive
online transactions should be safe and secure for users.
Accordingly, cyber security forms a fundamental aspect of
electronic transactions. Various global payment systems have also
been discussed. In the final analysis, a number of cyber crimes
involving identity theft and payments cards fraud have been
highlighted.
235
UNIT 9
CYBER LAW AND REGULATORY COMPLIANCE

 Have a general appreciation of cyber laws in Zimbabwe
 Understand type of cybercrime offences in the Criminal Code
 Explain the information and communication technologies regulatory
framework in Zimbabwe
 Explain the proposed electronic transactions laws in Zimbabwe
9.0 Introduction
The rapid developments in information and communication

technologies raise fundamental issues requiring a comprehensive
legal and regulatory framework. Most developed countries and
some developing countries in the world have promulgated extensive
laws governing the field of cyber law and cybercrime.
Zimbabwe is still lagging behind in terms of coming up with

specific cyber laws although the Postal and Telecommunications
Regulatory Authority of Zimbabwe (POTRAZ) is working on
introducing a specific legislation on cyber crimes. Currently, the
Criminal Law (Codification and Reform) Act [Chapter 9:23]
provides a number of statutory cyber crimes in Zimbabwe.
However, the Criminal Code does not extensively deal with most of
the issues arising from cyber law. In this chapter the focus will be
on outlining the provisions of the Criminal Code as well as
providing an insight into the information and communication
technologies regulatory framework for Zimbabwe.
Crimes committed in cyberspace also equally have a negative

impact on the overall society and business. The theft of information,
intrusion in the system, and corruption of the information, can result
in loss of money, information, and reputation. To deal with cyber
crimes, it is necessary to put cyber laws in place. Cyber laws deal
with the legal aspects of cyberspace and cyber crimes. (Kulkarni
and Chande 2014:409)
236
9.1 Cyber Law in Zimbabwe
There are a number of fragmented pieces of legislation in

Zimbabwe superficially providing for cyber laws. As highlighted
above, cyber crimes are covered in the Criminal Law (Codification
and Reform) Act (―the Criminal Law Code‖). The Postal and
Telecommunications Act also provides for laws government postal
and telecommunications but does not have a direct bearing on the
field of cyber law and cyber security. However, this Act provides
for the establishment of Postal and Telecommunications Regulatory
Authority of Zimbabwe (POTRAZ), which is the regulatory
authority in Zimbabwe. In the ensuing section, the provisions of the
Criminal Law Code will be discussed in detail.
Criminal Law (Codification and Reform) Act

The Criminal Law Code broadly deals with various criminal
offences in Zimbabwe. For purposes of this study, the Student is
only expected to have a general understanding of statutory offences
covered under Chapter VIII of the Criminal Law Code, which deals
with computer-related crimes.
Definition of computers and computer networks

In order to understand the scope of application of Chapter VIII of
the Criminal Law Code to cyber crime in Zimbabwe, it is important
to establish how the Code defines a ‗computer‘ and a ‗computer
network.‘ The Criminal Law Code defines a ‗computer‘ in Section
162 (1) of the Act as
“a device or apparatus or series of devices which, by

electronic, electromagnetic, electro-mechanical or other
means, is capable of one or more of the following -
(a) receiving or absorbing data and instructions supplied to

it;
(b) processing data according to rules or instructions;
237
(c) storing and additionally, or alternatively, reproducing
data before or after processing the data; and includes -
(i) the devices or apparatus or series of devices

commonly known as automatic telling machines,
electronic cash registers and point-of-sale tills; and
(ii) any other device or apparatus used for the

electronic processing of monetary transactions.”
In summary, for a device to be deemed to be a ‗computer‘ in terms

of the Criminal Law Code, it must be able to electronically receive,
process, store and reproduce data after processing. Section 162(1)
specifically provides that devices commonly used for automatic and
electronic processing of payments and monetary transactions
electronically are deemed as ‗computers‘. Section 162(1) of the
Criminal Law Code also defines a ‗computer network‘ as the
interconnection of one or more computers through (a) the use of
satellite, microwave, terrestrial line or other communication media;
or (b) computer terminals, or a complex consisting of two or more
interconnected computers, whether or not the interconnection is
continuously maintained.
It is noted that the above definitions of a ‗computer‘ and ‗computer

network‘ are sufficiently broad to cover any form of device that is
used to electronically or digitally transmit, receive, store or process
information. The Internet is also covered under the definition of
‗computer network‘ in the Criminal Law Code as it consists of an
interconnection of computers. In general terms, the Internet is
defined as a global computer network providing a variety of
information and communication facilities, consisting of
interconnected networks using standardized communication
protocols. This is particularly important, as most cybercrimes are
committed over the Internet.
238
Specific computer-related crimes
In general, Chapter VIII of the Criminal Law Code provides for
various computer-related crimes classified into five broad
categories. These categories include cyber crimes relating to (a)
unauthorized access or use of computers; (b) introduction of
computer viruses; (c) unauthorized manipulation of computer
programs; (d) unauthorized use or possession of credit or debit
cards; (e) unauthorized use of password or pin number. Another
category deals with computer crimes committed in furtherance of
other serious crimes such as terrorism, sabotage, theft, and fraud,
among many others.
It is important to note that computer crimes in the five categories

under the Criminal Law Code are designed to address the
fundamental pillars of information and cyber security, namely:
confidentiality, integrity and accessibility discussed under Unit 1 of
this Module. The provisions of the Criminal Law Code should
therefore be viewed as complementing the basic principles of cyber
security from a legal perspective. The various cyber crimes will
now be discussed in greater detail in the ensuing sections.
Unauthorized access or use of computers or computer networks

Computer crime involving unauthorized access or use of computers
or computers is provided in section 163 of the Criminal Law Code.
This section makes it a criminal offence for any person, without the
authority of the owner of the computer or computer network, to
intentionally
(a) gain access to any data, programme or system held in a
computer or computer network;
(b) destroy or alter any data, programme or system held in a
(c) render meaningless, useless or ineffective any data,
programme or system held in a computer or computer
network;
(d) copy or transfer any data, programme or system held in a
239
(e) obstructs, intercepts, diverts, interrupts or interferes with the
use of any data, programme or system which is held in a
computer or computer network.
A person convicted of any of the above computer offences may be

liable to a level eight fine or imprisonment for a period not
exceeding three years or both such fine and imprisonment. If the
offences are committed in aggravating circumstances (i.e. in
furtherance of other serious crimes such as, for instance, sabotage,
terrorism, theft or fraud) the penalties are severe as the offender
may be liable to a level twelve fine or imprisonment for a period not
exceeding ten years or both such fine and imprisonment. It is
therefore important to note that computer crimes are serious
offences and the severe penalties should act as a deterrent to
potential attackers of, and intruders to, computer systems.
In technical terminology, the offence of unauthorized access to any

data, programme or system held in a computer is what is commonly
known as ‗hacking‘ in cyber security. Conduct constituting
unauthorized access to a computer may range from simply logging
to a computer without permission of the owner to more complex
levels involving hacking computers via remote access. The latter
activity may involve hackers using a number of computers across
various jurisdictions to gain unauthorized access. This means any
form of intrusion resulting in unsanctioned access to a computer
system constitutes an offence under the Criminal Law Code.
Therefore, hacking is a serious criminal offence in Zimbabwe.
The crime of destroying or altering any data, programme or system

held in a computer is designed to protect the integrity of data and, to
some extent, availability as obliterated data may no longer be
available to legitimate users. Similarly, the offense of rendering data
in a computer system meaningless, useless or ineffective
corresponds with the cyber security principles of safeguarding the
integrity and availability of information systems.
240
The Criminal Law Code also makes it a statutory offence for a
person to intentionally copy or transfer any data held in a computer
without authority. This offence is accordingly intended to protect
intellectual property rights. Typically, data or information in
database is valuable and should be protected against unwarranted
duplication.
One of the pillars of information security is the concept of

availability. In other words, the effectiveness of information
technology depends on its ability to make data or information
available to users in the appropriate format as and when required.
Accordingly, the Criminal Law Code seeks to protect availability of
data and computer systems by making it an offence for any person
to ‗obstruct, intercept, divert, interrupt or interfere with any data,
programme or system held in a computer or computer network. It is
therefore clear that computer crimes provided under the category of
‗unauthorized access or use of a computer or computer network‘ in
section 163 of the Criminal Law Code play a critical role in
safeguarding the confidentiality, integrity and availability of data in
different ways.
In order for a person to be successfully convicted of an offence

involving unauthorized access or use of computer systems, the
intention or motive of the perpetrator must be ascertained. In other
words, the perpetrator must have intentionally committed any of the
unlawful acts stipulated in Chapter VIII of the Criminal Law Code.
In legal jargon, for a person to be found guilty of a computer crimes
of unauthorized access in terms of section 163, the prosecution must
prove both the physical ingredients (actus reus) and mental
ingredients (mens rea) of the offence.
The onus of proof lies with the State to prove ‗beyond reasonable
doubt‘ that the accused person did not have the authority of the
owner to access or use the computer and that he/she intentionally
committed any of the unlawful acts stipulated in the section. Section
163 (2) however provides that it shall be a defence for the accused
person to prove that the conduct was not motivated by malice, and
241
the conduct did not materially affect the data, programme or system
nor the interests of the owner of the computer or computer network.
A perpetrator may have different motives for unlawfully accessing

or using a computer system. For instance, the crime of unauthorized
access to computers or computer systems may be motivated by the
desire on the part of the perpetrator to access certain information in
the computer; or to modify the data in the computer or simply to use
the computer for some purpose without the owner‘s approval.
Similarly, the unauthorized access to computers may be actuated by

the desire to modify, alter, or delete some data in a computer so that
it becomes misleading or worthless. In some instances, the hacker
would be interested in gaining some financial or other advantage
through modifying the computer data. In terms of unauthorized use
of a computer, the perpetrator may be interested in obtaining
valuable services for free. In summary, the motive behind the
commission of crimes of unauthorized access or use of computer
systems must be established as intention as an essential ingredient
of the offence.
Accordingly, hacking is prohibited in terms of the Zimbabwean

laws by virtue of the provisions of the Criminal Law code of
Zimbabwe. According to Professor Feltoe (2012), there are a
number of crimes to deal with the problems of computer hacking.
These include the crimes of unauthorised access to or use of a
computer, deliberate introduction of a computer virus into a
computer or computer network and unauthorised manipulation of a
proposed computer program.
Introducing computer viruses
The second category of computer-related crimes under the Criminal

Law Code deals with crimes involving the act of deliberately
introducing viruses into computers or computer networks. Section
164 of the Criminal Law Code provides that
242
Any person who, without authority from the owner of the
computer or computer network, knowingly introduces or
causes to be introduced any computer virus into any
computer or computer network shall be guilty of deliberate
introduction of a computer virus into a computer or
computer network.
The penalties for committing the offence are equally severe. Section
162 (1) of the Criminal Law Code broadly defines computer virus
as ―any set of computer instructions that are, or any data,
programme or system that is designed directly or indirectly to
destroy or alter; or render meaningless, useless or ineffective; or
obstruct, intercept, divert, interrupt or interfere with the use of any
computer or computer network.‖ Although the Code uses the
generic term ‗computer virus‘, it is clear that the intention of the
legislature was to prohibit any forms of malicious software or
programs including worms, Trojan horses, spyware and a host of
other malware as these malignant programs are strictly not viruses
but may directly or indirectly destroy, alter, manipulate or generally
interfere with the use of a computer or computer networks.
Needless to say, the offence of deliberately introducing a computer

virus is intended to prevent malicious damage to computers,
computer networks or interference with computer systems by
introducing or propagating computer viruses. It is important to note
that introducing a computer virus is an offence when this is done
without authority from the owner of the computer or computer
network.
In addition, knowledge on the part of the accused that he/she is

introducing or causing a virus to be introduced in a computer
system is a prerequisite for the commission of the crime. This
means that an IT administrator who is authorised to introduce a
virus into a computer system for purposes of assessing the security
of the system of a company may not be guilty of the offence.
Similarly, a person who unwittingly spreads a virus in a computer
network may not guilty of the offence. For instance, the use of
243
memory flash cards to transfer data from one computer to another
may result in the spreading of computer viruses without the
knowledge of the users.
Unauthorized manipulation of computer programmes

Data or information in computers or information systems is
inherently vulnerable to manipulation if not protected through
adequate security measures. Section 165 of the Criminal Law Code
is designed to prevent the unauthorized manipulation of data,
programme or system. The operative part of the section reads as
follows:
“Any person who fraudulently or mischievously creates,

alters or manipulates any data, programme or system (or
any part or portion thereof) which is intended for installation
in a computer shall be guilty of unauthorised manipulation
of a proposed computer programme…”
A close analysis of the above-cited section shows that manipulation

of the data, programme or system may be motivated by fraudulent
intent or by mischief for it to constitute a criminal offence. The
offence of manipulating data, programme or system is an affront to
the integrity of information systems. Hence, Zimbabwean laws
provide for the protection of data and computer systems integrity by
making it a criminal offence to manipulate computer programs.
Unauthorized use or possession of credit or debit cards

The Criminal Law Code provides for statutory offences specifically
related to unauthorised use or possession of credit or debit cards. As
indicated in previous Unit 8 of this Module, cases of credit fraud are
prevalent in cyber space and it is appropriate that specific laws be in
place to prevent such cases. Section 167 of the Code stipulates that
―any person who, (a) without authority, manufactures, copies or
uses; or (b) without reasonable excuse, possesses; any credit or
debit card belonging to another person shall be guilty of
unauthorised use or possession of a credit or debit card‖. The Code
defines a ―credit or debit card‖ as ―a card, disc, plate or token,
244
which, directly or indirectly, causes a computer to function.‖
The offence can be broken down into various components. First, it

is an offence to manufacture or copy any credit or debit card
belonging to another person without authority. Second, it also a
crime to use another person‘s credit or debit card without authority.
Finally, section 167 criminalises the mere possession of another
person‘s credit or debit card without reasonable excuse. The penalty
for committing the offence is a fine not exceeding level eight or
imprisonment not exceeding three years imprisonment or both. It is
noted that the level of penalties for this offence are indicative of the
gravity of the crime of unauthorised use or possession of credit or
debit cards.
Unauthorized use of passwords or pin-numbers
One of the basic security measures to prevent unauthorised access

to computer systems is the use of passwords. Personal identification
numbers (PIN) also play a similar role in preventing unauthorised
access. However, if a password or pin-number falls in the wrong
hands the whole purpose of preventing access is defeated. As such,
the law seeks to prohibit unauthorised use of passwords and pin-
numbers. Section 168 of the Criminal Law Code provides that
―Any person who without authority intentionally uses any

password or pin-number which belongs to or which has been
assigned to another person shall be guilty of unauthorised
use of a password or pin-number and liable to a fine not
exceeding level eight or imprisonment for a period not
exceeding three years or both.‖
The Code defines ―password or pin number‖ as ―any combination

of letters, numbers or symbols that belongs or is assigned to a
particular user for the purpose of enabling that user to gain access to
a programme or system which is held in a computer or computer
network.‖
245
Aggravated computer crimes
The last category of computer-related crimes in the Criminal Law
Code pertains to what are called ‗aggravated‘ computer crimes.
This categorization of computer crimes is particularly interesting as
it links the rest of the computer crimes stipulated in the Criminal
Law Code to the commission or furtherance of a host of other
generally serious crimes including, inter alia, insurgency, banditry,
sabotage, terrorism, theft, fraud, forgery and many others. In this
instance, the computer is illegally used as an instrument to facilitate
the perpetration of other serious crimes specified in section 166 of
the Code. An aggravated computer crime committed in conjunction
with any of the other serious offences attracts more stringent
penalties in the form of level twelve fines or imprisonment for a
period not exceeding ten years.
9.2 Electronic Transactions
There are no extensive laws dealing with electronic transactions in

Zimbabwe. Apart from the provision of the Income Tax Act which
deals with digital signatures. This means that electronic transactions
are largely unregulated in Zimbabwe.
9.3 Regulatory Compliance (POTRAZ)
Information Technology administrators and cyber security

professionals should also be conversant with the Postal and
Telecommunications Act [Chapter 12:05] as it is the enabling
legislation providing for the regulatory framework for the
information and communication technologies sector. The Postal and
Telecommunications Act provides for the principal regulation of the
postal and telecommunications sector in Zimbabwe. The object of
this legislation is, inter alia, to provide for the establishment of the
Postal and Telecommunications Authority of Zimbabwe (POTRAZ)
and to provide for its functions and management; to provide for the
licensing and regulation of cellular telecommunication, postal and
telecommunication service. Thus the Act primarily provides for two
things, namely:
246
 It provides for the establishment, composition and functions of
the regulatory authority;
 It provides for the licensing and regulation of cellular
telecommunication, postal and telecommunication services.
POTRAZ is governed by a Board composed of not fewer than five

and not more than seven members appointed by the President after
consultation with the relevant Minister. The President is enjoined by
the Act to, inter alia, ensure that the composition of the Board is
representative of groups or sectors of the community with vested
interests in postal and telecommunications services. It is important
to note that the current Postal and Telecommunications Act is
apparently outdated and grossly inadequate given rapid
technological developments in the field of cyber law. A new
regulatory framework is required to address emerging issues
emanating from the rapid technological developments.
In particular, developments in information and technology sectors

have seen the convergence of information technologies (IT) and
communication technologies (CT). In the past few years, the
boundaries between information technology (IT), which refers to
hardware and software used to store, retrieve, and process data—
and communications technology (CT), which includes electronic
systems used for communication between individuals or groups—
have become increasingly indistinguishable.
Technological convergence is a process by which

telecommunications, information technology and the media, sectors
that traditionally operated independently are now converging to
provide combined services over the same platforms. Thus the
traditional boundaries between previously separate ICT services,
networks and business practices are increasingly becoming blurred.
Examples include cable television networks that offer phone
service, Internet television, and mergers between media and
telecommunications firms.
247
The convergence in ICT is challenging traditional policy and
regulatory frameworks. Traditionally, regulatory frameworks were
designed for an era when clear functional differences existed
between services and infrastructure, but these regulations are
increasingly inadequate for dealing with today‘s world. This
convergence of technologies also comes with new challenges for
cyber security.
Proposed legislation
POTRAZ is reportedly working with the Ministry of Information

Communication Technologies and Courier Services to introduce a
host of new legislation covering computer crime and cyber crime,
electronic transactions as well as data protection laws. Some of the
bills in the pipeline include the Computer Crime and Cybercrime
Bill, the Data Protection Bill and the Electronic Transactions and
Electronic Commerce Bill. If these bills are eventually promulgated,
Zimbabwe will have a comprehensive legal and regulatory
framework consistent with the developments in the field of cyber
security.
The field of information technology and cyber security is highly

complex and dynamic. Accordingly, the need for a comprehensive
legal framework to regulate the cyber environment and the inherent
risks and threats associated with it cannot be over emphasized. In this
Unit, the cyber laws and regulatory framework currently prevailing
in Zimbabwe has been outlined. An overview has been provided on
the computer-related crimes provided in the Criminal Law
(Codification and Reform) Act of Zimbabwe.
It has been noted that computer-related crimes under the Criminal

Code are conveniently classified into five distinct categories, namely:
unauthorized access or use of computers; introduction of computer
viruses; unauthorized manipulation of computer programs;
unauthorized use or possession of credit or debit cards; as well as
248
unauthorized use of passwords or pin numbers. An attempt has been
made to establish how these various computer crimes relate to
fundamental pillars of information and cyber security such as
confidentiality, integrity and availability of data.
249
250

Information Technology and Cyber Security

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Information Technology and Cyber Security

Uploaded by

Copyright:

Available Formats

CHARTERED INSTITUTE OF RISK AND SECURITY MANAGEMENT

INFORMATION TECHNOLOGY AND CYBER SECURITY

MODULE RSM 106

LLB(S) HONS (UNIVERSITY OF ZIMBABWE), MBA (UNIVERSITY OF ZIMBABWE), DIPLOMA IN

3. Unit 1:Introduction to Information Technology 5

4. Unit 2: Ethics and Legal Issues 30

5. Unit 3: Classes of Attacks and Threats 58

6. Unit 4: Cyber Security 96

7. Unit 5: Data Hiding Techniques 126

8. Unit 6: Computer Insecurity 161

9. Unit 7: Incident of Cyber Crime 179

10. Unit 8: Electronic Transactions 213

11. Unit 9: Cyber Law and Regulatory Compliance 236

12. Bibliography 251

The purpose of the course is to develop in the student the knowledge

This course is intended to give students an overview of information

Information security involves a wide range of issues such email

The purpose of the Information Technology and Cyber Security

The Module provides a comprehensive overview of the various

INTRODUCTION TO INFORMATION TECHNOLOGY AND INFORMATION

Objectives of the Unit

By the end of this unit, students will be able to:

Information technology plays a vital role in business as well as in

Despite numerous benefits of information technology certain

1.1 Defining Information Technology

There is no universally acceptable definition of information

Thus Information Technology includes, not only computer

The Information Technology Association of America (ITAA) has

The objectives of IT are to provide better means of information of

Defining Information Systems

„An information system can be defined technically as a set of

What is clear from these definitions is that the concept of

The various components of computer-based information systems,

Data and Information

Information is therefore the product of processed, organized or

(i) Timely - the information should be available when required;

One of the fundamental tenets of information security systems is to

1.2 Defining Information Security

According to Whitman and Mattord (2005), information security is

Institutions may implement various security measures to secure

Information security should be distinguished from computer

Cyber security is the set of preventative methods used to protect

Cyber security therefore extends beyond information security and

1.3 Basic Security concepts

The second set of concepts includes Authentication, Authorization,

Confidentiality refers to a set of rules or a promise that limits access

There are many reasons why persons or organizations may wish to

Organizations also endeavor to keep certain information

The concept of confidentiality of information assumes are more

There are numerous approaches to providing confidentiality,

In the information security realm, integrity normally refers to data

Information has integrity when it is whole, complete, and

Data manipulation may include such things as insertion, deletion

According to Graham et al (2011), disrupting the integrity of data at

Availability may be simply defined as timely, reliable access to data

Understanding the components of the CIA triad (confidentiality,

Authentication may be defined as a security measure designed to

Apart of identification, authentication also applies to validating the

Authorization in the context of information security refers to access

It naturally follows therefore that after a secure system authenticates

A digital signature is used on the Internet to ensure that a message

1.4 Components of Information Technology

In section 1.1 above, information technology has been defined as

Computers are one of the most captivating inventions and