
CHAPTER 5

Protecting information resources
Risks and threats
Risks associated with IT
▪ IT can be misused:
▫ Invade users’ privacy
▫ Commit computer crimes

▪ Mitigate risks:
▫ Regular updating of operating system
▫ Anti-virus, anti-spyware
▫ E-mail security measures
▫ Etc.
Computer and network security
▪ Critical for most organisations
▫ Hackers => Types of hackers (p. 61)
▫ Sensitive information on computers

▪ Comprehensive security system => 3 levels (p. 63)
▫ Protects information in 3 different states:
▸ Transmission
▸ Storage
▸ Processing
Types of risks
Cookies
▪ Small text files with unique ID tags embedded in Web browser and stored on user's hard drive
▪ Provides information about a user's location and computer equipment = violation of privacy
▪ Useful and harmless = remembers personal info
Types of risks
Spyware
▪ Software which secretly gathers information about users while they are on the web

Adware
▪ Form of spyware which collects information from the user in order to display advertisements in the Web browser without the user's permission
Types of risks
Phishing
▪ Sends fraudulent e-mails that seem to come from legitimate sources
▪ Refers the user to a false website to obtain personal information
Types of risks
Keystroke loggers
▪ Hardware and software devices that monitor keyboard commands and keep a record
▪ Steals passwords and bank details
▪ "Trade secrets"

Legal vs. illegal:
▫ E-mail and Internet usage of employees
▫ Collect credit card information during online purchases
Types of risks
Sniffing
▪ Capturing and recording of network traffic

Legal vs. illegal:
▫ Monitor network performance
▫ Hackers use it to intercept information

Spoofing
▪ Attempt to gain access to network by appearing to be an authorized user in order to gain access to sensitive information.
Types of risks
Computer crime and fraud
▪ Unauthorized use of computer data for personal gain
▪ Transfer of money from another person's account
▪ Identity theft
▪ Software piracy
Types of threats
▪ Hackers steal or change information
▪ Share passwords with co-workers
▪ Leave a logged in computer unattended
▪ Physical damage to equipment (coffee spill)
3 Aspects of security
1. Confidentiality
▪ System must prevent disclosing information to unauthorised users

2. Integrity
▪ Accuracy of information resources within organisation

3. Availability
▪ Authorised users have access when needed
▪ Computers and network in working order
▪ Quick recovery in event of system failure or disaster
Classification of threats
Unintentional
• Natural disasters
• Accidental deletion of data
• Structural failures

Intentional
• Hacker attacks
• Attacks by disgruntled employees
• Spreading of virus (ransomware)
Types of threats
Virus
▪ Consists of self-propagating program code
▪ Sometimes activated by specific event or time
▪ When program or operating system containing
the virus is used, the virus attaches itself to
other files
▪ Cycle continues
▪ Can be transmitted through e-mail attachments
or a network
Worms
▪ Travels from computer to computer in the
network
▪ Usually does not wipe data – corrupts data
▪ Unlike a virus, a worm is an independent
program
▪ Can spread itself without being attached to a
host programme
▪ “eats up” computing resources
Trojans
▪ Contains code intended to disrupt computer,
network or website
▪ Hidden in popular program
▪ Users use the popular program, unaware that
malicious software is running in the
background
Logic bombs
▪ Type of Trojan program used to release a virus, worm or other destructive code
▪ Activated at specific time or event
▪ E.g. when an employee is dismissed
Backdoors
▪ Built in by programmers
▪ Enables the programmer to bypass security and
sneak back into the system to access programs
or files
Blended threats
▪ Security threat that combines the characteristics of computer viruses, worms and other malicious codes with vulnerabilities found on public and private networks
(Distributed) denial of service attack (DDoS)
▪ Floods a network or server with service requests to prevent legitimate users’ access to the system.
Social engineering
▪ Using “people skills” to trick others into revealing private information (video on passwords in week 1)
▪ Takes advantage of human element of security systems
Crypto-jacking
▪ Secretly use someone else’s computing power to mine cryptocurrency.
End of section 1
Security measures
Biometric security
▪ Use a physiological element that is unique to a person
▪ Only gains access if details are already stored on database (enrol fingerprint on your phone)
▪ Types of biometric security:
▫ Facial recognition (iPhone X)
▫ Fingerprint reader (most smartphones)
▫ Hand-geometry
▫ Iris-analysis (Samsung Galaxy)
▫ Palm prints
▫ Vein analysis
▫ Voice recognition (Vodacom app)
Callback modems (Non-Biometric security)
▪ Verifies if a user’s access is valid by logging the user off (after an attempt to connect to the network) and then calling the user back at a predetermined number
Firewalls (Non-Biometric security)
▪ Combination of hardware and software that acts as a filter or barrier between a private network and external computers or networks (including the internet)
▪ Network administrator defines the rules for access and blocks other traffic
▪ Can examine data passing into or out of a network and decide whether to allow it
▪ Filters incoming and outgoing data
Intrusion Detection Systems (Non-Biometric security)
▪ Protect against internal and external intrusions
▪ Place in front of a firewall => identifies attack => notifies network administrator => ends connection with suspect source
Physical security controls
▪ Control access to computers and networks and include devices for securing computers and peripherals from theft
Types of physical security
▪ Cable shielding
▪ Corner bolts
▪ Electronic trackers
▪ ID badges
▪ Proximity-release door openers
▪ Room shielding
▪ Steel encasements
Logical access controls
Designed to protect systems from unauthorised access in order to preserve data integrity

2 types:
1. Terminal resource security
▫ Software that erases the screen and signs user off automatically after specified length of inactivity

2. Passwords
▫ Combination of numbers, characters and symbols that is entered to allow access to a system
Data communication controls
Virtual private network
▪ Provides a secure tunnel through the internet for transmitting data via a private network
▪ Data is encrypted before it is sent through the tunnel

Examples of uses:
▪ Remote users have a secure connection to organisation’s network
▪ Security for extranets where a network is set up between organisation and an external party (supplier)
▪ Anonymity in critical situations (whistle blowing lines)
Data Encryption
▪ Converts data (“plaintext”) to a scrambled form (“ciphertext”) that cannot be read by others
▪ Recipient needs a decryption key to decipher the data into a readable format

2 Types:
1. Asymmetric encryption = 2 keys
▫ Public key known to everyone + private key known only to recipient

2. Symmetrical encryption = 1 key
▫ The same key is used to encrypt and decrypt the message
E-commerce security
Key issues:
▪ Confidentiality (data not known to others)
▪ Authentication (you are who you claim to be)
▪ Integrity (data’s contents not changed during transmission)
▪ Nonrepudiation of origin (sender cannot deny sending data)
▪ Nonrepudiation of receipt (recipient cannot deny receiving data)
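The choice between one shared key and a key pair decides which of these key issues can be met. The Python sketch below is an added example, not part of the original slides: a shared-key tag protects integrity but not nonrepudiation of origin, while a signature made with a private key (the sender's key pair, a use that goes beyond the encryption case on the slide) supports both. The key pair, shared key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key pair (assumption): textbook RSA from two well-known
# Mersenne primes, no padding. For illustration only, never for real use.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key: known to everyone
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: known only to the sender
SHARED_KEY = b"constructed-shared-secret"  # symmetric: both parties hold it

def digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def mac_tag(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Symmetric integrity tag: anyone holding the key can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_ok(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(mac_tag(message, key), tag)

def sign(message: bytes) -> int:
    """Asymmetric signature: producing it requires the private exponent D."""
    return pow(digest_int(message), D, N)

def signature_ok(message: bytes, signature: int) -> bool:
    """Verification needs only the public values (N, E)."""
    return pow(signature, E, N) == digest_int(message)

def demo() -> dict:
    order, tampered = b"pay supplier 100", b"pay supplier 900"
    tag, sig = mac_tag(order), sign(order)
    return {
        # Integrity: a changed message fails both checks.
        "mac_detects_tampering": not mac_ok(tampered, tag),
        "sig_detects_tampering": not signature_ok(tampered, sig),
        # The recipient also holds SHARED_KEY, so it can tag a message the
        # sender never wrote: the tag cannot prove origin to a third party.
        "recipient_can_forge_mac": mac_ok(tampered, mac_tag(tampered)),
        # Anyone can verify with (N, E), but only the holder of D could have
        # signed, which is what nonrepudiation of origin relies on.
        "sig_verifies_with_public_key": signature_ok(order, sig),
    }

if __name__ == "__main__":
    print(demo())
```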
Computer Emergency Response team
▪ Team that deals with network intruders and attacks swiftly and effectively
▪ Public awareness campaign
▪ Research on internet security vulnerabilities
▪ Research on ways to improve security systems
Security plan
1. Set up security committee with representatives of all departments
2. Post security policy in a visible place
3. Raise employees’ awareness of security problems
4. Use strong passwords and don’t use same password across systems or websites
5. Install software patches and updates on operating system on a regular basis
6. Revoke terminated employees’ passwords and ID badges immediately
7. Keep sensitive data, software and printouts in secure locations
8. Exit programs and systems promptly, and never leave logged-on workstations unattended.
9. Limit computer access to authorised personnel only.
10. Compare communication logs with communication billing periodically. Log should list all outgoing calls.
11. Install antivirus programs and update regularly
12. Install only licensed software purchased from reputable vendors
13. Make sure fire protection systems and alarms are up to date and test regularly
14. Check environmental factors (temp, humidity)
15. Use physical security measures
16. Install firewalls and intrusion detection systems
Business continuity
Business continuity planning
1. Back up all files
2. Review security and fire standards for computer facilities
3. Review information from Emergency response team
4. Staff members should be trained for disasters
5. Test disaster recovery plan
6. Identify vendors of all software and hardware used in the organisation and update contact details regularly
7. Document all changes made to hardware and software
8. Get a comprehensive insurance policy for computers and network facilities
9. Set up alternative sites to use in case of disaster
10. Investigate the use of rented third party facilities
11. Check sprinkler systems, fire extinguishers and halon gas systems
12. Keep backups in off-site storage and periodically test data recovery procedures
13. Keep a copy of the recovery plan off site
14. Simulate disasters to assess response time and recovery procedures
Disaster recovery
1. Put together a management crisis team to oversee the recovery plan
2. Contact insurance company
3. Restore phone lines and communication systems
4. Notify all affected people
5. Set up a help desk to assist affected people
6. Notify affected people that recovery is underway
7. Document all actions taken to regain normality; revise plan if needed

▪ Disaster recovery: https://www.youtube.com/watch?v=nluJhvgog5I
