
ICT in Business and Society

Chapter 7: ICT Security

7.1. Dimensions of ICT Security


There are six key dimensions to ICT security:
• Integrity: assurance that data is accurate or that a message has not been altered; the assurance that information being displayed on a Web site or being transmitted has not been altered by an unauthorised party.
• Nonrepudiation: ability to ensure that online customers or trading partners cannot falsely deny their purchases, transactions etc. Non-repudiation involves several assurances:
o Providing the sender of data with proof of delivery
o Providing the recipient with proof of the sender's identity
• Authenticity: ability to identify and verify the real identity of persons or entities involved in E-commerce transactions.
• Confidentiality: ability to ensure that messages and data are available only to those who are authorised to view them; assurance of data privacy.
• Privacy: the ability to control the use of information about oneself.
• Availability: assurance that access to data, Web sites or E-commerce data services is timely, available, reliable, and restricted to authorised users; the Web site functions as expected.
• Authorization: process of determining what an authenticated entity is allowed to access and what operations it is allowed to perform.
• Auditing: process of recording information about what Web site, data, file or network was accessed, when, and by whom or what.

7.2. System Vulnerability and Abuse


As our society and the world itself come to depend on computers and information systems more and more, firms must put forth a better effort in making their systems less vulnerable and more reliable. Information systems are vulnerable to technical, organizational, and environmental threats from internal and external sources. The systems must also be more secure when processing transactions and maintaining data. These two issues are the biggest issues facing those wanting to do business on or expand their operations to the Internet. The threats are real, but so are the solutions.

• Security: refers to the policies, procedures and technical measures used to prevent unauthorised access, alteration, theft or physical damage to information systems.
• Control: methods, policies and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its records, and operational adherence to management standards.

Why Systems Are Vulnerable


From a technology perspective, there are three key points of vulnerability when dealing with ICT:
• The client
• The server
• The communication pipeline

Information systems are vulnerable to technical, organizational, and environmental threats from
internal and external sources. The weakest link in the chain is poor system management. If managers
at all levels don't make security and reliability their number one priority, then the threats to an
information system can easily become real.

Chapter 7: ICT Security Page 1


• Non-technical attacks are those in which a perpetrator uses some form of deception or persuasion to trick people into revealing information or performing actions that can compromise the security of the network. Example: social engineering, a non-technical attack that uses some ruse to trick users into revealing information or performing an action that compromises a computer or network. Social networking is making social engineering easier.
• Technical attacks: system and software knowledge or expertise is used to carry out technical attacks.

7.3. Vulnerabilities

Malicious Software: Viruses, Worms, Trojan Horses, and Spyware

Malicious code (malware) includes a variety of threats such as viruses, worms, Trojan horses and bots. One of the latest innovations in malicious code distribution is to embed it in the online advertising chain.
• A virus is a computer program that has the ability to replicate or make copies of itself, and spread to other files.
• A worm is malware that is designed to spread from computer to computer.
• Viruses and worms spread across computers and networks by making copies of themselves, usually without the knowledge of the computer user.
Computer viruses fall into several major categories:
• Macro viruses
• File-infecting viruses
• Script viruses

• A Trojan horse is a program that appears to be legitimate but actually contains another program or block of undesired malicious, destructive code, disguised and hidden in a block of desirable code. Trojans can be used to infect a computer with a virus.
A back-door Trojan is a program that allows a remote user or hacker to bypass the normal access controls of a computer and gain unauthorised control over it. Typically, a virus is used to place the back-door Trojan onto a computer, and once the computer is online, the person who sent the Trojan can run programs on the infected computer, access personal files, and modify and upload files.
• A botnet (short for robots) is a group of infected, remotely-controlled computers. The hacker sends out a virus, Trojan or worm to ordinary computers. The virus, Trojan or worm gains access to the computer, usually through some malicious application that it is carrying. This in turn allows the hacker to gain full control of the now-infected computers. These computers can then be used to launch denial-of-service attacks, distribute spam emails and commit click fraud, identity theft and thefts of log-in details and credit card numbers.

Hackers and Cyber-vandalism


A hacker is an individual who intends to gain unauthorized access to a computer system. The term cracker is typically used for hackers with criminal intent. Hackers spoof, or misrepresent themselves, by using fake e-mail addresses or masquerading as someone else. Hacker activities include:
• Theft of goods and services
• System damage
• Cyber-vandalism: the intentional disruption, defacement, or even destruction of a Web site or corporate information system.
• Spoofing: hiding the hackers' true identities or email addresses, or redirecting a Web link to a different web site that benefits the hacker.
• Theft of proprietary information: a sniffer is an eavesdropping program that monitors network information and can enable hackers to steal proprietary information transmitted over the network.

Spoofing: to misrepresent oneself by using fake email addresses or masquerading as someone else. It
is one of the methods hackers and criminals can use to gain improper or illegal access to computer
systems. Spoofing is becoming a common way to steal financial information through fake Web sites.
The spoofed site is almost a mirror image of the real site and unless the unsuspecting user examines
the spoof closely, he/she may inadvertently give out important personal and financial information.

Sniffing: a type of eavesdropping program that monitors information travelling over a network. It is a
popular way to "grab" information as it passes over transmission lines whether they are hard-wired or
wireless. It is almost impossible to detect and encryption is about the only way to safeguard against it.

Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks: an attack on a Web site
in which an attacker uses specialized software to send a flood of data packets to the targeted computer
with the aim of overloading its resources. Due to the widespread availability of free intrusion tools
and scripts and the overall interconnectivity on the internet, virtually anyone with minimal computer
experience can mount a DOS attack.
DDOS: involves using numerous computers to attack the targeted network from numerous launch
points.

Computer Crime and Cyber Terrorism
Computer crime is any violation of criminal law that involves knowledge of computer technology for its penetration, investigation or prosecution. The computer can be an instrument of crime or a target of crime.

Identity theft
With the growth of the internet and electronic commerce, identity theft has become a matter of
concern. Identity theft is a crime in which an imposter obtains key pieces of personal information,
such as debit or credit card details to impersonate someone else.

Internal Threats: Employees


It is surprising to learn that most computer crime against companies is committed by current or former employees. They know the system best, are entrusted with huge amounts of data, and have the easiest access. Managers and executives need to be aware of potential internal threats to their systems and put special measures in place to safeguard systems and data. They also need to impress upon all employees how important security is throughout the system, right down to the last person.

Software Vulnerability
Software errors also pose a constant threat to information systems, causing untold losses in productivity. A major problem with software is the presence of hidden bugs, or program code defects. Studies have shown that it is impossible to eliminate all bugs from large programs.

7.4. Establishing a Management Framework for Security and Control


How do you help prevent some of the problems we've discussed? One of the best ways is to institute controls into your information system the same way you might in any other system: through methods, policies, and procedures.

General Controls
General controls in information systems consist of the systems software and manual procedures used
to control the design, security and use of the programs and the data files in the overall system. You
can compare the general controls to the overall security system of a building, which may consist of
outside door locks, fencing around the building, and employee passes. General controls wouldn't be
concerned with what happens in one particular area of the building. The table below describes the types of general controls, including administrative controls, used in information systems.

Type of general control: Description

Software controls: Monitor the use of system software and prevent unauthorised access to software programs, system software and computer programs. System software is an important control area because it performs overall control functions for the programs that directly process data and data files.
Hardware controls: Ensure that computer hardware is physically secure and check for equipment malfunction. Computer equipment should be specially protected against fires and extremes of temperature and humidity. Organizations that are dependent on their computers also must make provisions for backups or continued operation to maintain constant service.
Computer operations controls: Oversee the work of the computer department to ensure that programmed procedures are consistently and correctly applied to the storage and processing of data. They include controls over the setup of computer processing jobs and computer operations, and backup and recovery procedures for processing that ends abnormally.
Data security controls: Ensure that valuable business data files on either disk or tape are not subject to unauthorised access, change or destruction while they are in use or in storage.
Implementation controls: Audit the systems development process at various points to ensure that the process is properly controlled and managed. The systems development audit looks for the presence of formal reviews by users and management at various stages of development; the level of user involvement at each stage of implementation; and the use of formal cost-benefit methodology in establishing system feasibility. The audit should also look for the use of control and quality assurance techniques for program development, conversions and testing, and for complete and thorough system, user and operations documentation.
Administrative controls: Formalized standards, rules, procedures and control disciplines to ensure that the organization's general and application controls are properly executed and enforced.

Application Controls
We've talked about controls for the general use of an information system. Application controls are
specific controls within each computer application used in the system.

7.5. Technologies and Tools for Security and Control


Access Control
Access control consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders. To gain access a user must be authenticated. Authentication refers to the ability to know that a person is who he or she claims to be. This can be established by using passwords.

Access control is the mechanism that determines who can legitimately use a network. It restricts different classes of users to subsets of information and ensures that they can only access data and services for which they have been authorised. This includes using:
• network restrictions to prevent access to other computer systems and networks
• application controls to ensure individuals are limited in the data or service they can access
• restrictions on what can be copied from the system and stored on pen drives, memory sticks or CDs/DVDs
• limits on the sending and receiving of certain types of email attachments

Changes to access privileges must be controlled to prevent users retaining them if they transfer between departments or leave the business.

User authentication
There are several techniques that can identify and verify someone seeking to access an e-commerce system. These include:
• A user name and password combination, where the password can vary in length and include numbers and characters. Remember to include a system that prompts employees to change their passwords at regular intervals.
• 'Two-factor' authentication requiring something the user has (e.g. an authentication token) and something the user knows (e.g. a personal identification number).
• A digital certificate that en�ables authentication through the use of an individual's unique signing key.
• Biometrics: a person's unique physical attribute, referred to as a biometric. This can range from a fingerprint or iris scan, through to retina or facial-feature recognition. Biometric systems: authentication systems that identify a person by measurement of biological characteristics such as fingerprints, iris patterns, facial features or voice.

Firewalls
A firewall is a single point between two or more networks where all traffic must pass (a choke point); it authenticates, controls and logs all traffic. It acts as a barrier between a trusted network or a PC and the untrustworthy internet. It is a hardware or software security device that filters information passing between internal and external networks. It controls access to the internet by internal users and prevents outside parties from gaining access to systems and information on the internal network. A firewall can be applied at the network level, to provide protection for multiple workstations or internal networks, or at the personal level, where it is installed on an individual PC. Firewalls detect and prevent intruders from accessing the network, while intrusion detection systems detect intruders. Firewalls can be designed to protect against:
• Remote login: remote connection.
• Application backdoors: remote access.
• SMTP session hijacking: SMTP is used to send e-mails over the internet; by hijacking it and gaining access to the email addresses, anyone can send spam emails.
• Macros: creation of scripts (macros) that can destroy data or crash the computer.
• Viruses.
• Spam: unsolicited mails or messages.
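To show what "a choke point that controls and logs all traffic" means in practice, the Go program below is an added example, not code from the original notes. It models a packet filter as an ordered rule table with first-match evaluation, a default-deny fallthrough, and a log entry for every decision. The policy, networks and addresses are constructed for the example: 10.0.0.0/8 is the internal network, 10.1.1.10 the organization's web server, and the outside addresses come from the documentation ranges.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one line of the filter table. A nil network means "any address";
// a zero port means "any port". Rules are checked top to bottom and the first
// match decides; a packet that matches nothing is dropped (default deny).
type Rule struct {
	Name     string
	Src, Dst *net.IPNet
	Port     int
	Action   string // "allow" or "deny"
}

// Packet is the part of a TCP/IP header the filter inspects.
type Packet struct {
	Src, Dst net.IP
	Port     int // destination port
}

// Firewall is the choke point: every packet goes through filter, and every
// decision is logged so the audit trail shows who was let in or kept out.
type Firewall struct {
	Rules []Rule
	Log   []string
}

func (r Rule) matches(p Packet) bool {
	if r.Src != nil && !r.Src.Contains(p.Src) {
		return false
	}
	if r.Dst != nil && !r.Dst.Contains(p.Dst) {
		return false
	}
	return r.Port == 0 || r.Port == p.Port
}

func (f *Firewall) filter(p Packet) string {
	for _, r := range f.Rules {
		if r.matches(p) {
			f.Log = append(f.Log, fmt.Sprintf("%-5s %s -> %s:%d (%s)", r.Action, p.Src, p.Dst, p.Port, r.Name))
			return r.Action
		}
	}
	f.Log = append(f.Log, fmt.Sprintf("deny  %s -> %s:%d (default)", p.Src, p.Dst, p.Port))
	return "deny"
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// newFirewall builds the constructed policy for this example: internal hosts
// may not send SMTP directly, but may otherwise reach the internet; the
// public may reach only port 443 on the web server 10.1.1.10; everything
// else, including remote-login attempts from outside, falls through to deny.
func newFirewall() *Firewall {
	return &Firewall{Rules: []Rule{
		{Name: "no-direct-smtp", Src: cidr("10.0.0.0/8"), Port: 25, Action: "deny"},
		{Name: "internal-outbound", Src: cidr("10.0.0.0/8"), Action: "allow"},
		{Name: "public-to-web-server", Dst: cidr("10.1.1.10/32"), Port: 443, Action: "allow"},
	}}
}

func pkt(src, dst string, port int) Packet {
	return Packet{Src: net.ParseIP(src), Dst: net.ParseIP(dst), Port: port}
}

func main() {
	fw := newFirewall()
	fw.filter(pkt("10.0.0.5", "198.51.100.20", 443)) // internal user browsing a public site
	fw.filter(pkt("10.0.0.5", "198.51.100.25", 25))  // workstation sending mail directly
	fw.filter(pkt("203.0.113.7", "10.1.1.10", 443))  // outside visitor to the web site
	fw.filter(pkt("203.0.113.7", "10.0.0.5", 22))    // remote login attempt from outside
	fw.filter(pkt("203.0.113.7", "10.1.1.10", 22))   // remote login to the web server
	for _, line := range fw.Log {
		fmt.Println(line)
	}
}
```

Rule order matters: the explicit SMTP deny sits above the general internal-outbound allow, because with first-match semantics a broad allow placed first would silently swallow every later, more specific rule.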

Intrusion detection:
These products monitor system and network activity to spot any attempt being made to gain access.
If a detection system suspects an attack, it can generate an alarm, such as an email alert, based upon
the type of activity it has identified. Intrusion Detection System: a special category of software that
can monitor activity across a network or on a host computer, watch for suspicious activity and take
automated action based on what it sees.

Antivirus Software
Antivirus software is designed to check computer systems and drives for the presence of computer viruses.

Securing Wireless Networks
Security is easily penetrated because of the very nature of the spectrum transmission used in wi-fi. Unless users take stringent precautions to protect their computers, it's relatively easy for hackers to obtain access to files. Wireless networks can be secured through the use of encryption. Encryption is the coding and scrambling of messages to prevent unauthorized access to or understanding of the data being transmitted.

Use of Proxy server: software server that handles all communications originating from or being sent
to the internet, acting as a spokesperson or bodyguard for the organization.

Chapter 7: ICT Security Page 6


Demilitarized Zones: Network area that sits between an organization’s internal network and an
external network (internet), providing physical isolation between the two networks that is controlled
by rules enforced by a firewall.

Virtual Private Networks (VPN): a network that uses the public Internet to carry information but remains private by using encryption to scramble the communication, authentication to ensure that information has not been tampered with, and access control to verify the identity of anyone using the network. It allows remote users to securely access internal networks via the internet using the Point-to-Point Tunnelling Protocol (PPTP).

Protocol tunnelling: a method used to ensure the confidentiality and integrity of data transmitted over the internet, by encrypting data packets, sending them across the internet and decrypting them at the destination address.

Data Encryption
Encryption is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver. This is done via a mathematical function and a special encryption/decryption password called a key. The purpose of encryption is to secure stored information and secure information transmission. Encryption is used to:
• Protect data in transit over networks from unauthorized interception and manipulation.
• Protect information stored on computers from unauthorised viewing and manipulation.
• Deter and detect accidental or intentional alterations of data.
• Verify the authenticity of a transaction or document.
It uses technologies such as virtual private networks (VPNs) and secure socket layers. The key (key value) is the secret code used to encrypt and decrypt a message.

Key Elements of Encryption Systems

• Encryption algorithm: mathematically based function or calculation that encrypts/decrypts data.
• Encryption keys: a piece of information that is used within an encryption algorithm (calculation) to make the encryption and decryption process unique.
• Key length: a predetermined length of the key.
Encryption keys and algorithms are equally important. The key is used by the data encoding and decoding algorithm.
Encryption can provide four of the six key dimensions of E-commerce security:
• Message integrity: provides assurance that the message has not been altered.
• Non-repudiation: prevents users from denying having sent the message.
• Authentication: provides verification of the identity of the person or computer sending the message.
• Confidentiality: gives assurance that the message was not read by someone else.

There are two major encryption systems: symmetric systems, which use one key, and asymmetric systems, which use two keys.

a. Symmetric (Private): also referred to as secret key encryption, it uses the same key to encrypt and decrypt the message. The sender and the receiver must share the same key without revealing it. Example:
Data Encryption Standard (DES). A standard symmetric encryption algorithm supported by NIST (National Institute of Standards and Technology) and the NSA (National Security Agency) and used by U.S. government agencies until Oct 2000. It was replaced by Rijndael, the Advanced Encryption Standard (AES), used to secure U.S. government communication since Oct 2000.

b. Public (Asymmetric) Key Encryption: based on Public Key Cryptography (PKC). Uses a pair of matched keys, a public key to encrypt a message and a private key to decrypt it, and vice versa. If the message is encrypted using the public key then the associated private key must be used to decrypt it. Asymmetric encryption is slower than symmetric encryption, even on fast computers, so most modern encryption uses a combination of both methods.
• Public key: an encryption key that is publicly available to anyone.
• Private key: an encryption key that is known only to the owner.

Encryption techniques using public and private keys require a public-key infrastructure (PKI) to support the distribution and identification of public keys.

• Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

Examples:
Secure Socket Layer (SSL): This is the technique in which web servers and web browsers
encrypt and decrypt all of the information that they transmit and receive. SSL provides end point
authentication and communication privacy over the internet using cryptography. The Secure
Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message
transmission on the Internet.

Secure Electronic Transactions (SET): A protocol developed by VISA and Master Card to
secure payment transactions among all parties involved in credit card transactions on behalf of
cardholders and merchants. SET is an application-oriented protocol that uses trusted third parties’
encryption and digital signature processes, via PKI infrastructure of trusted third-party
institutions, to address confidentiality of information, integrity of data, cardholder authentication,
merchant authentication and interoperability.

Transport Layer Security (TLS): a cryptographic protocol that provides communications security over the Internet. TLS is a protocol that ensures privacy between communicating applications and their users on the Internet. TLS encrypts the segments of network connections above the Transport Layer, using symmetric cryptography for privacy and a keyed message authentication code for message reliability. When a server and client communicate, TLS ensures that no third party may eavesdrop on or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).

Digital signature or digital signature scheme is a mathematical scheme for demonstrating the
authenticity of a digital message or document. It is the electronic equivalent of a personal signature
that cannot be forged. They are based on public keys for authenticating the identity of the sender of a
message or document. They ensure that the original content of an electronic message or document is
unchanged. They are portable, cannot be easily repudiated or imitated and can be time-stamped.



To check the integrity of a message and ensure it has not been altered in transit, a hash function (an algorithm that produces a fixed-length number called a hash or message digest, or a mathematical computation that is applied to a message, using a private key, to encrypt the message) is first used to create a digest of the message. Message digest: a summary of a message, converted into a string of digits after the hash has been applied.

Process of Using Digital Signatures

• The sender creates the email with the contract in it.
• A hash function is applied to the message, converting it into a message digest (MD).
• The sender uses the private key to encrypt the hash, creating the sender's digital signature.
• The sender encrypts both the original message and the digital signature using the recipient's public key, creating the digital envelope: the combination of the encrypted original message and the digital signature, encrypted using the recipient's public key.
• The sender emails the digital envelope to the receiver.
• Upon receipt, the receiver uses the private key to decrypt the contents of the digital envelope.
• The receiver uses the sender's public key to decrypt the digital signature, resulting in a copy of the original message digest.
• Using the same hash function used in step 2, the recipient then creates a message digest from the decrypted message.
• The recipient then compares this digest with the original message digest.
• If the two digests match, then the message has not been altered.

Digital Envelope: used to send large encrypted documents using symmetric keys, with the relevant session key sent along with them. It is a secure method to send electronic documents without compromising data integrity, authentication and non-repudiation.
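The signature steps above and the digital envelope just described fit together in one exchange. The Go program below is an added example, not code from the original notes, and it fixes the choices the notes leave open: SHA-256 for the digest, RSA-PSS for signing, RSA-OAEP for encrypting the session key, and AES-256-GCM for the body. Two details differ from the literal wording of the steps and are worth knowing: the message and signature are encrypted under a fresh symmetric session key and only that key is encrypted with the recipient's public key (RSA cannot encrypt a large document directly, which is exactly why the envelope carries a session key), and the recipient's library verifies the signature against the recomputed digest rather than "decrypting" it into a digest to compare by hand. Key pairs are generated at runtime and the contract text is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what travels over the network: the session key sealed with the
// recipient's public key, and the message plus signature sealed under that key.
type Envelope struct {
	SealedKey, Nonce, Body []byte
}

// sign hashes the message and applies the sender's private key to the digest
// (RSA-PSS); the output is the sender's digital signature.
func sign(senderPriv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal builds the digital envelope. The bulk data goes under a fresh symmetric
// session key (AES-256-GCM); only that 32-byte key is encrypted with the
// recipient's public key, so the slow asymmetric step stays cheap.
func seal(recipientPub *rsa.PublicKey, message, signature []byte) (*Envelope, error) {
	buf := make([]byte, 44) // 32-byte session key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(buf[:32])
	if err != nil {
		return nil, err
	}
	nonce := buf[32 : 32+gcm.NonceSize()]
	sealedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, message...), signature...) // signature has a fixed length
	return &Envelope{sealedKey, nonce, gcm.Seal(nil, nonce, plain, nil)}, nil
}

// open is the recipient's side: recover the session key with the private key,
// decrypt the body, split off the signature and check it against a digest
// recomputed from the received message.
func open(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.SealedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("session key: %w", err)
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Body, nil)
	if err != nil {
		return nil, fmt.Errorf("envelope altered in transit: %w", err)
	}
	cut := len(plain) - senderPub.Size()
	if cut < 0 {
		return nil, fmt.Errorf("envelope too short to hold a signature")
	}
	// Modern RSA APIs verify a signature rather than "decrypt" it, but the
	// meaning is the one in the notes: success means the two digests match.
	digest := sha256.Sum256(plain[:cut])
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], plain[cut:], nil); err != nil {
		return nil, fmt.Errorf("digest mismatch: message altered or not from the claimed sender: %w", err)
	}
	return plain[:cut], nil
}

// roundTrip runs the whole exchange and returns what the recipient reads.
func roundTrip(sender, recipient *rsa.PrivateKey, message []byte) ([]byte, error) {
	signature, err := sign(sender, message)
	if err != nil {
		return nil, err
	}
	env, err := seal(&recipient.PublicKey, message, signature)
	if err != nil {
		return nil, err
	}
	return open(recipient, &sender.PublicKey, env)
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pairs for the example
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	got, err := roundTrip(sender, recipient, []byte("Contract: deliver 100 units at 10.00 each"))
	fmt.Printf("recipient read %q (err=%v)\n", got, err)
}
```

Running the program prints the recovered contract. Changing one character of the message after signing makes open fail at the digest check, and changing one byte of the ciphertext makes it fail earlier at the AES-GCM authentication tag; in both cases the recipient gets an error rather than an altered document.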

Digital Certificate
A digital document issued by a trusted third party called a Certification Authority (CA) that contains the name of the subject or company, the subject's public key, a digital certificate serial number, an expiry date, an issuance date, the digital signature of the certification authority and other identifying information. The main purpose of the digital certificate is to ensure that the public key contained in the certificate belongs to the entity to which the certificate was issued. The most widely used standard for digital certificates is X.509.

Certificate Authority: an authority in a network that issues and manages security credentials and public keys for message signature verification or encryption.

Backup and Recovery Strategies / Disaster Recovery Planning & Business Continuity Planning
• Disaster recovery planning: devises plans for restoration of disrupted services; uses backup and recovery.
A backup, or the process of backing up, is making copies of data which may be used to restore the original after a data loss event. The secondary purpose of backups is to recover data from an earlier time, according to a user-defined data retention policy, typically configured within a backup application for how long copies of data are required.



Types of Backups
1. Unstructured: An unstructured repository may simply be a stack of floppy disks or CD-R/DVD-R
media with minimal information about what was backed up and when. This is the easiest to
implement, but probably the least likely to achieve a high level of recoverability.
2. Full only: A repository of this type contains complete system images from one or more specific points in time. This technology is frequently used by computer technicians to record known good configurations. Imaging is generally more useful for deploying a standard configuration to many systems rather than as a tool for making ongoing backups of diverse systems.
3. Incremental/ Differential: An incremental style repository aims to make it more feasible to store
backups from more points in time by organizing the data into increments of change between
points in time. This eliminates the need to store duplicate copies of unchanged data. Typically to
start out, a full backup (of all files) is made. After that, any number of incremental or differential
backups can be made. Restoring a whole system to a certain point in time would require locating
the last full backup taken previous to that time and all the incremental / differential backups that
cover the period of time between the full backup and the particular point in time to which the
system is supposed to be restored. Additionally, some backup systems can reorganize the
repository to synthesize full backups from a series of incrementals.
4. Reverse delta: A reverse delta type repository stores a recent "mirror" of the source data and a
series of differences between the mirror in its current state and its previous states. A reverse delta
backup will start with a normal full backup. After the full backup is performed, the system will
periodically synchronize the full backup with the live copy, while storing the data necessary to
reconstruct older versions. This can either be done using hard links, or using binary diffs. This
system works particularly well for large, slowly changing, data sets. Examples of programs that
use this method are rdiff-backup and Time Machine.
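To make the restore rule for incremental and differential repositories concrete, the Go program below is an added example, not code from the original notes. It models a file set as a map from path to content, takes a full backup on day 0 followed by one incremental or differential backup per day over a constructed four-day history (which includes a deleted file), and shows which repository entries each style needs to restore a given day. In an incremental repository each entry is relative to the previous entry, so the chain grows with every day; in a differential repository each entry is relative to the last full backup, so the chain is always full plus one, at the cost of storing the same changed data again each day.

```go
package main

import "fmt"

// Snapshot is the live file set at one moment: path -> content.
type Snapshot map[string]string

// Backup stores only Changed (files added or modified since its base state) and
// Deleted (files removed since that base); a full backup stores everything.
type Backup struct {
	Kind    string // "full", "incremental" or "differential"
	Changed Snapshot
	Deleted []string
}

// Repository keeps backups in time order (position i is day i). Style picks the
// base of a non-full backup: the previous backup (incremental) or the last
// full backup (differential).
type Repository struct {
	Style    string
	Backups  []Backup
	lastFull Snapshot
	lastSeen Snapshot
}

// delta returns what changed from base to current and what was deleted.
func delta(base, current Snapshot) (Snapshot, []string) {
	changed := Snapshot{}
	for path, content := range current {
		if old, ok := base[path]; !ok || old != content {
			changed[path] = content
		}
	}
	var deleted []string
	for path := range base {
		if _, ok := current[path]; !ok {
			deleted = append(deleted, path)
		}
	}
	return changed, deleted
}

// Add records today's live state, as a full backup or in the repository's style.
func (r *Repository) Add(live Snapshot, full bool) {
	b := Backup{Kind: r.Style}
	switch {
	case full:
		b.Kind = "full"
		b.Changed, _ = delta(nil, live) // a copy of everything
		r.lastFull = b.Changed
	case r.Style == "differential":
		b.Changed, b.Deleted = delta(r.lastFull, live)
	default:
		b.Changed, b.Deleted = delta(r.lastSeen, live)
	}
	r.lastSeen, _ = delta(nil, live)
	r.Backups = append(r.Backups, b)
}

// Chain lists the entries needed to restore day t: the newest full backup on or
// before day t, then every incremental after it, or only the newest differential.
func (r *Repository) Chain(t int) []Backup {
	var chain []Backup
	for i := 0; i <= t && i < len(r.Backups); i++ {
		b := r.Backups[i]
		switch {
		case b.Kind == "full":
			chain = []Backup{b} // restart at the newest full backup
		case chain == nil:
			continue // no full backup yet: nothing to build on
		case r.Style == "differential":
			chain = append(chain[:1], b) // each differential supersedes the last
		default:
			chain = append(chain, b)
		}
	}
	return chain
}

// Restore replays the chain for day t over an empty file set.
func (r *Repository) Restore(t int) Snapshot {
	state := Snapshot{}
	for _, b := range r.Chain(t) {
		for k, v := range b.Changed {
			state[k] = v
		}
		for _, k := range b.Deleted {
			delete(state, k)
		}
	}
	return state
}

// build runs a constructed four-day history through a repository of the given
// style: a full backup on day 0, then one backup per day.
func build(style string) *Repository {
	r := &Repository{Style: style}
	for day, live := range []Snapshot{
		{"ledger.csv": "rows 1-100", "notes.txt": "hello", "config.ini": "debug=0"},
		{"ledger.csv": "rows 1-150", "notes.txt": "hello", "config.ini": "debug=0"},
		{"ledger.csv": "rows 1-150", "config.ini": "debug=1"}, // notes.txt deleted
		{"ledger.csv": "rows 1-200", "config.ini": "debug=1", "report.pdf": "q3"},
	} {
		r.Add(live, day == 0)
	}
	return r
}

func main() {
	for _, style := range []string{"incremental", "differential"} {
		r := build(style)
		fmt.Printf("%-12s restoring day 3 needs %d entries -> %v\n", style, len(r.Chain(3)), r.Restore(3))
	}
}
```

Both styles restore day 3 to the same file set; the incremental chain is four entries long while the differential chain is two, and summing the bytes held in the repositories shows the differential one is larger because each day's differential repeats everything changed since the full backup. Tracking deletions matters: without the Deleted list, restoring day 2 would bring notes.txt back.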

• Business continuity planning: focuses on restoring business operations after disaster.


A business continuity plan, adequately supported throughout the organization, embodies the
strategic framework for a corporate culture that embraces a variety of tactics to mitigate risks that
might cause:
• Business process failure
• Asset loss
• Regulatory liability
• Customer service failure
• Damage to reputation or brand

7.6. Management Challenges


There's a reason why we explain all those methods and procedures and processes in future chapters
for building good, solid information systems. They ensure system quality so that the product produced
by the system is as good as it can be.

Designing Systems that are Neither Over-controlled nor Under-controlled


You should be realistic about security and system controls. If you institute five layers of entry into
your Web site, people probably won't use it that much. They'll either ignore it or find a way around
your controls. You have to analyze the system and determine those areas that should receive more
security and controls and those that probably can use less. You probably don't want to go to the
expense of checking absolutely every transaction that is entered into the system, so you check a
sampling of the data. Just make sure the sampling is large enough to detect any exceptions.

7.7. Security Policy



Companies spend a lot of money on physical security such as locks on doors or fences around supply depots. They need to do the same thing for their information systems. Because of the increasing liability for security breaches, many companies are now establishing a chief security officer position to help ensure the firm maximizes the protection of information resources. Some tools available to the CSO are:
• Security policy: principal document that determines security goals and how they will be achieved.
• Acceptable use policy: outlines acceptable and unacceptable uses of hardware and telecommunications equipment.
• Authorization policy: determines what access users may have to information resources.
• Authorization management systems: manage access to each part of the information system.

7.8. Implementing an Effective Security Policy


In order to minimize security threats, business organizations must develop a coherent corporate policy that takes into account the nature of the risks, the information assets that need protecting, and the procedures and technologies required to address the risk, as well as implementation and auditing mechanisms.
Building a security plan should involve the following steps:
• Risk assessment: an assessment of the risks and points of vulnerability.
• Develop a security policy: a set of statements prioritizing the information risks and identifying the mechanisms for achieving these targets.
• Develop an implementation plan: the action steps taken to achieve the security plan goals. This involves determining how to translate the levels of acceptable risk into a set of tools, technologies, policies and procedures.
• Create a security organization: an organizational unit in charge of security, with the responsibility of educating and training users, keeping management aware of security threats and breakdowns, and maintaining the tools chosen to implement security. It administers the access controls, authentication procedures and authorization policies.
Access controls determine who can gain legitimate access to a network; for outsiders this includes firewalls and proxy servers, while for insiders it includes login procedures (usernames, passwords and access codes).
Authentication procedures include the use of digital signatures, certificates of authority and Public Key Infrastructure (PKI). Biometric devices are used along with digital signatures to verify physical attributes associated with an individual such as retina, fingerprints etc.
Authorization procedures determine differing levels of access to information assets for differing levels of users. Authorization management systems establish where and when a user is permitted to access certain parts of a Web site. The primary function is to restrict access to private information within a company's internet infrastructure.
• Perform a security audit: involves the routine review of access logs (identifying how outsiders are using the site as well as how insiders are accessing the site's assets).
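The intrusion detection description in section 7.5 and the security audit step above both come down to reviewing access logs for patterns that a person would not spot line by line. The Go program below is an added example, not code from the original notes: it parses a constructed access log, forgets failures older than a one-minute window, raises an alert when one source address fails five logins inside that window, and raises a second alert if the same source then logs in successfully. The log format, addresses and user names are constructed for the example; a deployed system would turn each alert into the e-mail notification the notes mention.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed access-log record.
type Event struct {
	At     time.Time
	Source string // client address
	User   string
	Action string // "login" or "read"
	Result string // "ok" or "fail"
}

// Alert is what the review raises.
type Alert struct {
	Kind, Source, User string
	At                 time.Time
}

// parseLine handles the constructed format used below:
// <RFC 3339 time> <source> <user> <action> <result>
func parseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	return Event{At: at, Source: f[1], User: f[2], Action: f[3], Result: f[4]}, nil
}

// review walks the events in time order and raises:
//   - "login-burst": threshold or more failed logins from one source within window
//   - "success-after-burst": a successful login from a source already flagged
// Failures older than the window are forgotten, so slow, spread-out failures
// (an ordinary user mistyping now and then) do not trip the alarm.
func review(events []Event, threshold int, window time.Duration) []Alert {
	var alerts []Alert
	recentFails := map[string][]time.Time{}
	flagged := map[string]bool{}
	for _, e := range events {
		if e.Action != "login" {
			continue
		}
		var kept []time.Time
		for _, t := range recentFails[e.Source] {
			if e.At.Sub(t) <= window {
				kept = append(kept, t)
			}
		}
		switch e.Result {
		case "fail":
			kept = append(kept, e.At)
			if len(kept) >= threshold && !flagged[e.Source] {
				flagged[e.Source] = true
				alerts = append(alerts, Alert{"login-burst", e.Source, e.User, e.At})
			}
		case "ok":
			if flagged[e.Source] {
				alerts = append(alerts, Alert{"success-after-burst", e.Source, e.User, e.At})
			}
		}
		recentFails[e.Source] = kept
	}
	return alerts
}

// sampleLog is constructed data: a rapid burst from one outside address that
// ends in a successful login, an ordinary typo from a second address, and slow
// failures spread over an hour from a third.
const sampleLog = `2024-03-01T09:00:00Z 203.0.113.7 alice login fail
2024-03-01T09:00:03Z 203.0.113.7 alice login fail
2024-03-01T09:00:05Z 203.0.113.7 alice login fail
2024-03-01T09:00:06Z 203.0.113.7 alice login fail
2024-03-01T09:00:08Z 203.0.113.7 alice login fail
2024-03-01T09:00:11Z 203.0.113.7 alice login ok
2024-03-01T09:00:20Z 203.0.113.7 alice read ok
2024-03-01T09:01:00Z 198.51.100.4 bob login fail
2024-03-01T09:01:09Z 198.51.100.4 bob login ok
2024-03-01T09:05:00Z 192.0.2.9 carol login fail
2024-03-01T09:20:00Z 192.0.2.9 carol login fail
2024-03-01T09:35:00Z 192.0.2.9 carol login fail
2024-03-01T09:50:00Z 192.0.2.9 carol login fail
2024-03-01T10:05:00Z 192.0.2.9 carol login fail`

// auditSample parses the constructed log and reviews it with a policy of
// five failures within one minute.
func auditSample() ([]Alert, error) {
	var events []Event
	for _, line := range strings.Split(sampleLog, "\n") {
		e, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return review(events, 5, time.Minute), nil
}

func main() {
	alerts, err := auditSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %-20s source=%s user=%s\n", a.At.Format(time.RFC3339), a.Kind, a.Source, a.User)
	}
}
```

Only the first source produces alerts: five failures in eleven seconds, then a success that deserves a closer look. Bob's single typo never reaches the threshold, and Carol's five failures fall outside the window, which is why the window is part of the policy rather than a raw count.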

