Chapter 7 - ICT Security Issues
Security: the policies, procedures and technical measures used to prevent unauthorised access,
alteration, theft or physical damage to information systems.
Controls: the methods, policies and organizational procedures that ensure the safety of the organization's
assets, the accuracy and reliability of its records, and operational adherence to management standards.
Information systems are vulnerable to technical, organizational, and environmental threats from
internal and external sources. The weakest link in the chain is poor system management. If managers
at all levels don't make security and reliability their number one priority, then the threats to an
information system can easily become real.
7.3. Vulnerabilities
A Trojan horse is a program that appears to be legitimate but actually contains another program or
block of undesired malicious or destructive code, disguised and hidden inside desirable code. Trojans
are commonly used to infect a computer with a virus or other malware.
A back-door Trojan is a program that allows a remote user or attacker to bypass the normal access
controls of a computer and gain unauthorised control over it. Typically a virus or other malware is used
to place the back-door Trojan on the computer; once the computer is online, whoever controls the
Trojan can run programs on the infected computer, access personal files, and modify and upload files.
A botnet (short for robot network) is a group of infected, remotely controlled computers. The attacker
sends out a virus, Trojan or worm to ordinary computers. The virus, Trojan or worm gains access
Spoofing: misrepresenting oneself by using fake email addresses or masquerading as someone else. It
is one of the methods hackers and criminals use to gain improper or illegal access to computer
systems. Spoofing is a common way to steal financial information through fake web sites: the spoofed
site is almost a mirror image of the real one, and unless the unsuspecting user examines it closely,
he or she may inadvertently give out important personal and financial information.
Sniffing: a type of eavesdropping program that monitors information travelling over a network. It is a
popular way to "grab" information as it passes over transmission lines, whether they are hard-wired or
wireless. Passive sniffing leaves no trace on the network and is almost impossible to detect, so
encrypting the traffic (for example with TLS or a VPN) is the main safeguard against it.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks: an attack on a web site or
other service in which an attacker uses specialised software to send a flood of data packets or requests
to the targeted computer with the aim of exhausting its resources so that legitimate users are denied
service. Because free attack tools and scripts are widely available and the internet is so interconnected,
virtually anyone with minimal computer experience can mount a DoS attack.
DDoS: uses numerous compromised computers, typically a botnet, to attack the target from many launch
points at once, which makes the traffic far larger than one machine could generate and harder to filter.
Computer crime and cyber terrorism
Computer crime is any violation of criminal law that involves knowledge of computer technology for its
perpetration, investigation or prosecution. The computer can be the instrument of the crime or its target.
Identity theft
With the growth of the internet and electronic commerce, identity theft has become a matter of
concern. Identity theft is a crime in which an imposter obtains key pieces of personal information,
such as debit or credit card details to impersonate someone else.
Software Vulnerability
Software errors also pose a constant threat to information systems, causing untold losses in productivity.
A major problem with software is the presence of hidden bugs, or program code defects. Studies have
shown that it is impossible to eliminate all bugs from large programs, so vendors issue patches and
applying them promptly (patch management) is a standing control.
General Controls
General controls in information systems consist of the systems software and manual procedures used
to control the design, security and use of the programs and the data files in the overall system. You
can compare the general controls to the overall security system of a building, which may consist of
outside door locks, fencing around the building, and employee passes. General controls wouldn't be
concerned with what happens in one particular area of the building. The table below describes the
types of general controls, including administrative controls, used in information systems.
Application Controls
We've talked about controls for the general use of an information system. Application controls are
specific controls within each computer application used in the system.
Access control: a mechanism that determines who can legitimately use a network. It restricts different
classes of users to subsets of information and ensures that they can only access the data and services
for which they have been authorised. Measures include:
network restrictions to prevent access to other computer systems and networks
application controls to ensure individuals are limited in the data or service they can access
restrictions on what can be copied from the system and stored on pen drives, memory sticks or
CDs/DVDs
limits on the sending and receiving of certain types of email attachments
Changes to access privileges must be controlled to prevent users retaining them if they transfer
between departments or leave the business
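An added example (Python, not from the original notes) of the authorisation decision described above: each user's permissions are derived from a single role at decision time, so a transfer between departments replaces the old role rather than adding to it, a leaver's role is removed, and any user without a role is denied. The department names and permissions are constructed for the illustration.

```python
# Constructed role definitions (hypothetical departments and permissions).
ROLE_PERMISSIONS = {
    "finance_clerk": {("ledger", "read"), ("ledger", "write")},
    "hr_assistant": {("personnel", "read")},
    "auditor": {("ledger", "read"), ("personnel", "read")},
}


class AccessControl:
    """Each user holds exactly one role. Permissions are looked up through the
    role at decision time, so changing or removing the role takes effect at once."""

    def __init__(self, role_permissions=ROLE_PERMISSIONS):
        self._role_permissions = role_permissions
        self._role_of = {}  # user -> role

    def assign(self, user, role):
        if role not in self._role_permissions:
            raise ValueError(f"unknown role: {role}")
        self._role_of[user] = role

    def transfer(self, user, new_role):
        """A transfer REPLACES the old role instead of accumulating roles,
        so nothing from the previous job is retained."""
        if user not in self._role_of:
            raise KeyError(f"unknown user: {user}")
        self.assign(user, new_role)

    def leave(self, user):
        """Leaver: drop the role entirely; every later check falls back to deny."""
        self._role_of.pop(user, None)

    def is_allowed(self, user, resource, action):
        role = self._role_of.get(user)
        if role is None:
            return False  # default deny: no role, no access
        return (resource, action) in self._role_permissions[role]


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign("dana", "finance_clerk")
    print("dana writes ledger:", ac.is_allowed("dana", "ledger", "write"))
    ac.transfer("dana", "hr_assistant")
    print("after transfer:", ac.is_allowed("dana", "ledger", "write"))
```

The point of the design is that the user record never stores permissions directly; a transfer or departure is a single change to the role mapping, which is what the note above about controlling changes to access privileges requires.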
User authentication
There are several techniques that can identify and verify someone seeking to access an e-commerce
system. These include:
A user name and password combination, where the password can vary in length and include numbers
and other characters. Current guidance (NIST SP 800-63B) no longer recommends forcing employees to
change passwords at fixed intervals, which mainly produces weaker, predictable variations; instead
require a change only when compromise is suspected, check new passwords against lists of known
breached passwords, and add a second factor (a hardware token or authenticator app) wherever the
system allows it.
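The following is an added example, not part of the original notes, showing how the password half of user authentication should be handled on the server: the password itself is never stored, only a salted, deliberately slow hash of it, and candidates are screened against a breached-password list before acceptance. It uses only Python's standard library; the iteration count, the small denylist and the storage format are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 from the standard library. 600,000 iterations is the
# OWASP-recommended minimum at the time of writing; Argon2id or scrypt are
# better choices where a vetted library is available.
ITERATIONS = 600_000

# Constructed denylist standing in for a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "Password1234"}
_DENYLIST = {p.lower() for p in COMMON_PASSWORDS}


def is_acceptable(password: str) -> bool:
    """Policy check: minimum length and not a known-breached value.
    Composition rules (mandatory digits/symbols) add little and are not enforced."""
    return len(password) >= 12 and password.lower() not in _DENYLIST


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Fresh random salt per password; salt and iteration count are stored with
    the hash so the work factor can be raised later without a reset."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was hashed with fewer iterations than current policy;
    rehash on the next successful login rather than forcing a password change."""
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

With this layout a password change is triggered by `needs_rehash` (parameters raised) or by a suspected compromise, not by the calendar, and a leaked database yields only salted hashes that cost an attacker roughly 600,000 SHA-256 operations per guess.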
Firewalls
A single point between two or more networks where all traffic must pass (choke point), it
authenticates, controls and logs all traffic. It acts as a barrier between a trusted network or a PC and
the untrustworthy internet. It is a hardware or software security device that filters information passing
between internal and external networks. It controls access to the internet by internal users, preventing
outside parties from gaining access to systems and information on the internal network. A firewall can
be applied at the network level, to provide protection for multiple workstations or internal networks,
or at the personal level, where it is installed on an individual PC. A firewall blocks traffic that violates
its policy, whereas an intrusion detection system only detects and reports intruders. Firewalls can be
designed to protect against:
Remote login: unauthorised remote connections to internal hosts.
Application backdoors: hidden remote-access features left in applications.
SMTP session hijacking: SMTP is the protocol used to send e-mail over the internet; an attacker who
hijacks an SMTP session and gains access to the mail system can send spam through it.
Macros: scripts (macros) embedded in documents that can destroy data or crash the computer.
Viruses.
Spam: unsolicited mail or messages.
A plain packet-filtering firewall cannot see macros, viruses or spam inside traffic it permits; those
items need a firewall that inspects content at the application layer or a separate mail and content
filter, and a firewall only provides a default-deny policy if it is configured that way.
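Added example, not part of the original notes: a simplified packet filter in Python that models the firewall as a choke point. Rules are evaluated top to bottom, the first match wins, anything unmatched is denied, every decision is logged, and replies to connections the inside opened are allowed (stateful filtering). The addresses, ports and the policy are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (from the internet) or "out" (from the internal network)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


# Constructed policy. A rule is (action, direction, source network, protocol, destination ports).
# Checked top to bottom, first match wins; no match falls through to the default deny.
RULES = [
    ("deny",  "in",  "any",        "tcp", {23}),       # telnet from anywhere: never
    ("allow", "in",  "any",        "tcp", {80, 443}),  # the public web server
    ("allow", "in",  "10.0.0.0/8", "tcp", {22}),       # SSH only from the internal management range
    ("allow", "out", "any",        "tcp", {80, 443}),  # staff may browse
    ("allow", "out", "any",        "udp", {53}),       # DNS
]


class Firewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.established = set()  # (remote ip, remote port) of connections the inside opened
        self.log = []

    def _matches(self, rule, pkt):
        _action, direction, src_net, proto, ports = rule
        if direction != pkt.direction or proto != pkt.proto or pkt.dport not in ports:
            return False
        return src_net == "any" or ip_address(pkt.src) in ip_network(src_net)

    def filter(self, pkt):
        """Return 'allow' or 'deny' and log the decision; the choke point sees everything."""
        if pkt.direction == "in" and (pkt.src, pkt.sport) in self.established:
            decision = "allow"  # reply to a connection we initiated (stateful)
        else:
            decision = "deny"   # default deny
            for rule in self.rules:
                if self._matches(rule, pkt):
                    decision = rule[0]
                    break
        if decision == "allow" and pkt.direction == "out":
            self.established.add((pkt.dst, pkt.dport))
        self.log.append((decision, pkt))
        return decision


if __name__ == "__main__":
    fw = Firewall()
    print(fw.filter(Packet("in", "198.51.100.7", "203.0.113.10", "tcp", 40000, 23)))   # deny
    print(fw.filter(Packet("out", "10.1.2.3", "93.184.216.34", "tcp", 50000, 443)))    # allow
    print(fw.filter(Packet("in", "93.184.216.34", "10.1.2.3", "tcp", 443, 50000)))     # allow (reply)
```

Note that the order of rules matters: the telnet deny sits above the general allows so that it can never be shadowed, and the absence of any rule for unsolicited inbound traffic is what makes the policy default-deny.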
Viruses
Spam: unsolicited mails or messages.
Intrusion detection:
These products monitor system and network activity to spot attempts to gain unauthorised access.
If a detection system suspects an attack, it can generate an alarm, such as an email alert, based on the
type of activity it has identified. An intrusion detection system (IDS) is a special category of software
that monitors activity across a network or on a host computer, watches for suspicious activity and
takes automated action based on what it sees; a system that also blocks the offending traffic is usually
called an intrusion prevention system (IPS).
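An added example (Python; not from the original notes) of the simplest intrusion detection logic: a threshold rule over authentication log lines that raises an alert when one source address fails to log in five times within a minute. The log lines are constructed in OpenSSH auth.log style, and the threshold, window and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in OpenSSH auth.log style (not a real capture).
SAMPLE_LOG = """\
Mar 10 09:14:01 bastion sshd[2231]: Failed password for root from 203.0.113.9 port 52211 ssh2
Mar 10 09:14:03 bastion sshd[2231]: Failed password for root from 203.0.113.9 port 52212 ssh2
Mar 10 09:14:04 bastion sshd[2231]: Failed password for admin from 203.0.113.9 port 52213 ssh2
Mar 10 09:14:06 bastion sshd[2231]: Failed password for invalid user test from 203.0.113.9 port 52214 ssh2
Mar 10 09:14:07 bastion sshd[2231]: Failed password for root from 203.0.113.9 port 52215 ssh2
Mar 10 09:20:40 bastion sshd[2300]: Failed password for alice from 10.0.0.5 port 40011 ssh2
Mar 10 09:20:52 bastion sshd[2301]: Accepted password for alice from 10.0.0.5 port 40012 ssh2
Mar 10 09:30:00 bastion sshd[2400]: Failed password for bob from 10.0.0.6 port 40100 ssh2
Mar 10 09:40:00 bastion sshd[2401]: Failed password for bob from 10.0.0.6 port 40101 ssh2
"""

# Signature for the event of interest; successful logins and other daemons are ignored.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Sliding-window threshold rule: alert when one source address produces
    `threshold` failed logins within `window`. Syslog lines carry no year, so
    one is assumed. Returns a list of (source, time of alert, failures seen)."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget failures older than the window
        if len(q) >= threshold:
            alerts.append((m["src"], ts, len(q)))
            q.clear()    # one alert per burst, not one per additional failure
    return alerts


if __name__ == "__main__":
    for src, when, count in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {when:%H:%M:%S}: {count} failed logins from {src} within 60s")
```

Alice's single typo and Bob's two failures ten minutes apart stay below the threshold; only the burst from 203.0.113.9 fires. The automated action an IPS would take at that point is to add the source to a firewall block list and page whoever is on call.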
Antivirus Software
Antivirus software is designed to check computer systems and drives for the presence of computer
viruses and other malware; it is only as good as its latest signature and engine update.
Securing wireless networks
Wireless networks are easier to attack than wired ones because Wi-Fi is broadcast over radio: anyone
within range can receive the signal without touching a cable. Unless users take stringent precautions,
it is relatively easy for attackers to obtain access to files. Wireless networks are secured through the
use of encryption, which is the coding and scrambling of messages to prevent unauthorised access to,
or understanding of, the data being transmitted; for Wi-Fi this means WPA2 or WPA3 with a strong
passphrase (the older WEP and original WPA are broken and should not be used).
Use of Proxy server: software server that handles all communications originating from or being sent
to the internet, acting as a spokesperson or bodyguard for the organization.
Virtual Private Networks (VPN): a network that uses the public internet to carry information but
remains private by using encryption to scramble the communication, integrity checks to ensure that
information has not been tampered with, and authentication to verify the identity of anyone using the
network. It allows remote users to securely access internal networks via the internet. Older VPNs used
the Point-to-Point Tunnelling Protocol (PPTP); PPTP is now obsolete because its MS-CHAPv2
authentication is broken, and IPsec/IKEv2, OpenVPN (TLS-based) or WireGuard are the current choices.
Protocol tunnelling: a method used to ensure the confidentiality and integrity of data transmitted over the
internet by encapsulating and encrypting data packets, sending them across the internet and decrypting
them at the destination.
Data Encryption
Encryption is the process of transforming plain text or data into cipher text that cannot be read by
anyone who does not hold the key. This is done with a mathematical function (the cipher) and a secret
value called the key. The purpose of encryption is to secure stored information and to secure
information in transmission. Encryption is used to
Protect data in transit over networks from unauthorised interception and manipulation.
Protect information stored on computers from unauthorised viewing and manipulation.
Detect accidental or intentional alteration of data (when combined with a message authentication
code or digital signature).
Verify the authenticity of a transaction or document.
It underlies technologies such as virtual private networks (VPNs) and SSL/TLS. The key (key value) is
the secret code used to encrypt and decrypt a message; the security of a sound cipher rests on the
secrecy of the key, not of the algorithm.
There are two major kinds of encryption system: symmetric systems, which use one key, and
asymmetric systems, which use two keys.
a. Symmetric (private or secret key) encryption: uses the same key to encrypt and decrypt the message.
The sender and the receiver must share that key without revealing it to anyone else, so distributing the
key securely is the hard part; symmetric ciphers are fast and are used for bulk data.
Example:
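Added example, not from the original notes: symmetric encryption with a shared key, built from standard-library primitives so that it runs anywhere. An HMAC-SHA256 counter-mode keystream gives confidentiality and a separate HMAC tag gives integrity (encrypt-then-MAC); both sides need the same 32-byte key and nothing else. This construction is for illustration only; in production use AES-GCM or ChaCha20-Poly1305 from a vetted library, which the standard library does not provide.

```python
import hashlib
import hmac
import secrets


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from the one shared secret."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(enc_key, nonce || i); XORed with the data."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag. A fresh nonce per message is essential:
    reusing one under the same key leaks the XOR of the two plaintexts."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext: a wrong key or any change to
    the message fails here instead of silently producing garbage."""
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # must reach the receiver over a secure channel
    blob = encrypt(shared_key, b"attack at dawn")
    print(blob.hex())
    print(decrypt(shared_key, blob))
```

Two properties worth checking by hand: encrypting the same message twice gives different output (fresh nonce), and flipping a single ciphertext bit makes `decrypt` raise rather than return a corrupted message.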
b. Public (asymmetric) key encryption: based on public-key cryptography (PKC). Uses a pair of
mathematically matched keys: a public key to encrypt a message and a private key to decrypt it, or the
reverse for signing. If a message is encrypted with the public key, only the associated private key can
decrypt it. Asymmetric encryption is much slower than symmetric encryption, even on fast computers,
so most modern systems combine the two: the data is encrypted with a symmetric key and only that
key is protected with the asymmetric algorithm.
Public key: an encryption key that is made available to anyone.
Private key: an encryption key that is known only to the owner and must never be shared.
Encryption techniques using public and private keys require a public key infrastructure (PKI) to
support the distribution and identification of public keys; without it, nothing ties a public key to the
person claiming to own it.
Public key infrastructure (PKI) is the set of hardware, software, people, policies and procedures
needed to create, manage, distribute, use, store and revoke digital certificates.
Examples:
Secure Sockets Layer (SSL): the protocol with which web servers and web browsers encrypt and decrypt
the information they exchange. It provides end-point authentication (the server proves its identity with
a certificate) and communication privacy over the internet using cryptography. All versions of SSL are
now deprecated as insecure; its successor, Transport Layer Security (TLS), does the same job and is
what current browsers actually use, even where the name "SSL" survives in products and certificates.
Secure Electronic Transactions (SET): a protocol developed by Visa and MasterCard to secure payment
transactions among all parties in a credit card transaction on behalf of cardholders and merchants. SET
is an application-level protocol that uses the encryption and digital signature processes of a PKI of
trusted third-party institutions to provide confidentiality of information, integrity of data, cardholder
authentication, merchant authentication and interoperability. SET saw little adoption and is no longer
in use; card payments on the web are protected by TLS instead.
Digital signature: a mathematical scheme for demonstrating the authenticity of a digital message or
document, the electronic equivalent of a handwritten signature but computationally infeasible to forge.
Signatures are based on public-key cryptography: the sender signs a hash of the message with his or
her private key, and anyone can verify the signature with the sender's public key. A valid signature
shows that the message came from the holder of the private key and that its content has not changed
since signing. Signatures are portable, cannot easily be repudiated or imitated, and can be time-stamped.
Digital envelope: a method for sending large encrypted documents. The document is encrypted with a
fresh symmetric session key (fast), that session key is encrypted with the recipient's public key, and
both are sent together; only the recipient's private key can recover the session key. Combined with a
signature from the sender, the envelope provides confidentiality, integrity, authentication and
non-repudiation.
Digital Certificate
A digital document issued by a trusted third party called a certification authority (CA) that contains
the name of the subject (a person or company), the subject's public key, a certificate serial number, an
issuance date, an expiry date, the digital signature of the certification authority and other identifying
information. The purpose of the certificate is to assure a relying party that the public key it contains
belongs to the entity to which the certificate was issued; the relying party checks the CA's signature,
the validity dates and, ideally, that the certificate has not been revoked. The most widely used standard
for digital certificates is X.509.
Certificate authority: an authority in a network that issues and manages security credentials and
public keys for message signature verification or encryption.
Backup and Recovery Strategies / Disaster Recovery Planning and Business Continuity Planning
Disaster recovery planning: devises plans for the restoration of disrupted services.
Backup and recovery
A backup, or the process of backing up, is making copies of data that may be used to restore the
original after a data loss event. The secondary purpose of backups is to recover data from an earlier
time, according to a user-defined data retention policy, typically configured within a backup
application, that states how long copies of data must be kept. A backup is only useful if it can be
restored: keep at least one copy off-site or offline so that ransomware or a site disaster cannot destroy
it along with the originals, and test restores regularly.
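An added example (Python; not from the original notes) of a retention policy as a backup application would apply it: a grandfather-father-son scheme that keeps the newest copy for each of the last 7 days, each of the last 4 ISO weeks and each of the last 12 months, and marks everything else as expired. The backup inventory is constructed from date-named copies, and the 7/4/12 numbers are assumptions.

```python
from datetime import date, timedelta


def make_daily_backups(first: str, last: str):
    """Constructed inventory: one backup per day between two ISO dates, named by date."""
    day, last_day, out = date.fromisoformat(first), date.fromisoformat(last), []
    while day <= last_day:
        out.append((f"backup-{day.isoformat()}", day))
        day += timedelta(days=1)
    return out


def select_retained(backups, today: str, daily: int = 7, weekly: int = 4, monthly: int = 12):
    """Keep the newest copy in each of the last `daily` days, the newest copy in each of the
    last `weekly` ISO weeks and the newest copy in each of the last `monthly` calendar months.
    One copy may satisfy several tiers; everything not selected is a candidate for deletion."""
    today_day = date.fromisoformat(today)
    keep, days, weeks, months = set(), [], [], []
    for name, day in sorted(backups, key=lambda b: b[1], reverse=True):  # newest first
        if day > today_day:
            continue  # a future-dated copy is a clock problem, not a backup to trust
        week = day.isocalendar()[:2]   # (ISO year, ISO week)
        month = (day.year, day.month)
        if day not in days and len(days) < daily:
            days.append(day)
            keep.add(name)
        if week not in weeks and len(weeks) < weekly:
            weeks.append(week)
            keep.add(name)
        if month not in months and len(months) < monthly:
            months.append(month)
            keep.add(name)
    return sorted(keep)


def expired(backups, today: str, **policy):
    """Names the policy no longer requires: what the backup application would prune."""
    kept = set(select_retained(backups, today, **policy))
    return sorted(name for name, _ in backups if name not in kept)


if __name__ == "__main__":
    inventory = make_daily_backups("2024-01-01", "2024-03-31")
    for name in select_retained(inventory, "2024-03-31"):
        print("keep", name)
    print(len(expired(inventory, "2024-03-31")), "copies expired")
```

For 91 daily copies ending on Sunday 31 March 2024 the policy keeps 12: the seven dailies from 25 to 31 March, the week-end copies of 10, 17 and 24 March, and the month-end copies of 31 January and 29 February (the 31 March copy serves all three tiers). Pruning is deliberately a separate step from selection so that an operator can review the list before anything is deleted.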