Security Threats and Controls2


SECURITY THREATS AND CONTROLS

INTRODUCTION

- The rapid growth and widespread use of information and communication
technology and Internet services, as well as numerous occurrences of international
terrorism, demand better methods of protecting computers, data and information.

Definition of terms

- Security — the protection of information, hardware and software against computer
criminals, physical and natural hazards.
- Privacy — Protection of private data or information against misuse or
unauthorised access.
- Health — guarding end-users against physical and mental risks associated with
use of technology.
- Environment — Minimise the effects of using ICT on our environment.

DATA SECURITY CORE PRINCIPLES

- The three core principles of data security, also referred to as information security,
are:
• Confidentiality,
• Integrity and
• Availability

1. Confidentiality

- Confidentiality means that sensitive data or information belonging to an
organization or government should not be accessed by or disclosed to
unauthorized people. Such data includes employees’ details, classified military
information, business financial records etc.

2. Integrity

- Integrity means that data should not be modified without the owner’s authority. Data
integrity is violated when a person, accidentally or with malicious intent, erases or
modifies important files such as payroll or a customer bank account file.

3. Availability

- Information must be available on demand. This means that any information
system and communication link used to access it must be efficient and functional.
An information system may be unavailable due to power outages, hardware failure,
unplanned upgrades or repairs.

SECURITY THREATS AND CONTROL MEASURES

- Security threats to computer-based information systems and private or confidential data
include:
• unauthorized access,
• alteration,
• malicious destruction of hardware, software, data or network resources,
• sabotage
- The goal of data security control measures is to provide security and ensure the integrity
and safety of an information system's hardware, software and data.

Computer crime and criminals


Computer criminals can be classified into four main groups:
• Hackers and crackers — A hacker is a person who gains unauthorised access to
information just for fun, while a cracker gains unauthorized access for malicious reasons.
• Fraudsters — These are mostly former employees of the company or outsiders who
use their knowledge to cheat or defraud with the intention of acquiring goods, services or
cash.
• Terrorist — A person or an organization that works towards crippling the
information infrastructure by attacking expensive installations like satellite stations,
server rooms and buildings in order to wage an economic warfare or to hurt people.
• Thieves and trespassers — These are people who physically break into a room with
the intention of stealing hardware and software resources such as storage devices.

INFORMATION SYSTEM FAILURE

Some of the causes of computerized system failure include:

1. Hardware failure due to improper use.
2. Unstable power supply as a result of brownouts or blackouts and vandalism.
3. Network breakdown.
4. Natural disaster.
5. Program failure.

Control measures against hardware failure

- Protect computers against brownouts or blackouts, which may cause damage or data
loss, by using surge protectors and UPS such as the one shown below.

- For critical systems, most organizations have put into place fault tolerant systems.
A fault tolerant system has redundant or duplicate storage, peripheral devices
and software that provide a fail-over capability to backup components in the
event of system failure.

Disaster recovery plans

- A disaster recovery plan involves establishing offsite storage of an
organization’s databases so that, in case of disaster or fire accidents, the
company would have backup copies from which to reconstruct lost data.

Threats that cause information system failure/Data loss

a. Threats from malicious programmes

- Malicious programmes may affect the smooth running of a system or carry out
illegal activities such as secretly collecting information from an unknowing user.
Some of the common types of malicious programmes include:

1. Boot sector viruses - they destroy the booting information on storage media.
2. File viruses - they attach themselves to files.
3. Hoax viruses - they come as e-mail with attractive messages and launch themselves
when the e-mail is opened.
4. Trojan horse - they appear to perform useful functions but instead they perform
other undesirable activities in the background.
5. Worms - this is a malicious programme that self-replicates, hence clogs the
system memory and storage media.
6. Backdoors - may be a Trojan or a worm that allows hidden access to a computer
system.

Control measures against viruses

1. Install the latest versions of anti-virus software on the computers.


2. Always scan removable storage media for viruses before using them.
3. Scan mail attachments for viruses before opening or downloading an
attachment.

b. Physical theft

- One of the widespread computer-related crimes, especially in developing
countries, is the physical theft of computer hardware and software.
- Now and then, we hear of people breaking into an office or firm and stealing
computers, hard disks and other valuable computer accessories. In most cases
such theft may be done by untrustworthy employees of the firm (an inside job) or
by outsiders. The reason behind such an act may be commercial, destruction
of sensitive information or sabotage.

Control measures against theft


1. Employ security agents to keep watch over the information centre and restricted
backup sites.
2. Reinforce weak access points like the window, door and roofing with metallic
grills and strong padlocks.
3. Motivate workers so that they feel a sense of belonging in order to make them
proud and trusted custodians of the company resources.
4. Insure the hardware resources with a reputable insurance firm.

c. Piracy

- Piracy is a form of intellectual property theft which means illegal copying of
software, information or data. Software, information and data are protected
by copyright and patent laws.

Control measures against piracy

There are several ways of reducing piracy:


1. Enforce laws that protect the owners of data and information against piracy.
2. Make software cheap enough to increase affordability.
3. Use licenses and certificates to identify original software.
4. Set installation passwords that deter illegal installation of software.

d. Fraud

- With the dynamic growth of internet and mobile computing, more
sophisticated cyber crimes like fraud are on the rise. Fraud is stealing by false
pretence. Fraudsters can be either employees in a company or a non-existent
company that purports to offer internet services such as selling vehicles etc.
Other forms of fraud may also involve computerized production and use of
counterfeit documents.

e. Sabotage

- Sabotage refers to illegal destruction of data and information with the aim of
crippling service delivery, or causing great loss to an organization. Sabotage is
usually carried out by disgruntled employees or by competitors with the intention
of causing harm to an organization.

Threats to privacy and confidentiality

- Privacy means that data or information belonging to an individual should not
be accessed by or disclosed to other people. It is an individual’s right to
determine for themselves what should be communicated to others.

- Confidentiality, on the other hand, means that sensitive data or information
belonging to an organization or government should not be accessed by or
disclosed to unauthorized people.

- Private and confidential data must be protected against unauthorized access or
disclosure.

- The following are some examples of computer-related crimes that
compromise data privacy or confidentiality:

a. Eavesdropping

- Eavesdropping refers to tapping into a communication channel to get
information. Hackers mainly use eavesdropping to access private or
confidential information from internet users or from poorly secured
information systems.

b. Surveillance (monitoring)

- Surveillance refers to monitoring the use of computer systems and networks using
background programs such as spyware and cookies. The information gathered
may be used for one reason or the other e.g. spreading propaganda or
sabotage.

c. Industrial espionage

- Industrial espionage involves spying on a competitor to get information that
can be used to cripple the computer

d. Accidental access

- Sometimes, threats to data and information come from people unknowingly giving
out information to strangers or unauthorized persons.

e. Hacking and cracking

- A hacker is a person who gains unauthorized access just for fun, while a
cracker gains unauthorized access for malicious reasons. Hackers and crackers
violate the security measures put in place, such as by bypassing passwords or
finding weak access points to software.

- There are various motivations for hacking. One is that some people like the
challenge and feel great after successfully hacking a system, while some do it
commercially for software manufacturers to test the security status of a new
software system.

f. Alteration

- Alteration is the illegal modification of private or confidential data and
information with the aim of misinforming users. Alteration is usually done by
people who wish to conceal the truth or to sabotage certain operations.
Alteration compromises the integrity of the data and information, making it
unreliable.

CONTROL MEASURES AGAINST UNAUTHORIZED ACCESS

- To safeguard data and information against unauthorized access, the
following measures should be put in place:

a. Firewall

- A firewall is a device or software system that filters the data and information
exchanged between different networks by enforcing the host network's access
control policy. The main aim of a firewall is to monitor and control access to or from
protected networks. People who do not have permission (remote requests)
cannot access the network and those within cannot access firewall-restricted
sites outside their network.

b. Data encryption

- Data in transit over a network faces many dangers of being tapped, listened to or
copied to unauthorized destinations. Such data can be protected by mixing it
up into a form that only the sender and the receiver are able to understand,
by reconstructing the original message from the mix. This is called
data encryption.
- The message to be encrypted is called the plain text document. After
encryption using a particular order called an algorithm or key, it is sent as
cipher text on the network. The recipient receives it and decrypts it using a
reverse algorithm to the one used during encryption, called the decryption key, to
get the original plain text document. Therefore, without the decryption key
nobody can reconstruct the initial message.
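
An added example (not part of the original notes) of the plain text, key and cipher text flow described above, using only Python's standard library. The key-stream construction (HMAC-SHA256 in counter mode with a separate HMAC tag) is a teaching stand-in chosen for this example; real systems use a vetted cipher such as AES-GCM from a maintained library. All function names and sample values are assumptions made for the example.

```python
"""Added teaching example: shared-key encryption of a short message.

Not production cryptography; names and sample values are constructed.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # random value sent with every message
TAG_LEN = 32     # HMAC-SHA256 output used to detect alteration


def _subkeys(key: bytes) -> tuple:
    """Derive separate encryption and authentication keys from the shared key."""
    enc_key = hmac.new(key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Key stream block i is HMAC(enc_key, nonce || i); unpredictable without the key."""
    stream = bytearray()
    counter = 0
    while len(stream) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(stream[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    """Mix the data with the key stream; applying it twice restores the data."""
    return bytes(d ^ s for d, s in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || cipher text || tag for transmission over the network."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, message: bytes) -> bytes:
    """Recover the plain text; refuse if the key is wrong or the message was altered."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _subkeys(key)
    nonce = message[:NONCE_LEN]
    body = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("wrong key or altered cipher text")
    return _xor(body, _keystream(enc_key, nonce, len(body)))


def can_read(key: bytes, message: bytes) -> bool:
    """True only if this key decrypts the message successfully."""
    try:
        decrypt(key, message)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)          # known to sender and receiver only
    sent = encrypt(shared_key, b"Black Panther")  # sample plain text (constructed)
    print("cipher text on the wire:", sent.hex())
    print("receiver recovers:", decrypt(shared_key, sent))
    print("holder of a different key can read:",
          can_read(secrets.token_bytes(32), sent))
    altered = sent[:NONCE_LEN] + bytes([sent[NONCE_LEN] ^ 1]) + sent[NONCE_LEN + 1:]
    print("altered message accepted:", can_read(shared_key, altered))
```

The tag check also covers the integrity principle from earlier in the notes: a message changed in transit is rejected instead of being decrypted into wrong data.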

[Figure: Plain text (Black Panther) → Encryption key → Ciphertext → Decrypting key → Plain text (Black Panther)]

c. Security monitors

- Security monitors are programs that monitor and keep a log file or record of
computer systems and protect them from unauthorized access.

d. Biometric security

- Biometric security is a growing form of unauthorized access control measure that
takes the user's attributes such as voice, fingerprints and facial recognition. For
example, you can log on by swiping a finger on a fingerprint swipe window.

e. Other access control measures

- Access control can also be enhanced by implementing multi-level
authentication policies such as:
• assigning users log on accounts,
• use of smart cards and
• personal identification number (PIN)

GENERAL DATA PROTECTION MEASURES


i. Encryption. This refers to the coding of data or information so that only a person with
decrypting key can read it.
ii. Enforcing data and information access control policies on all employees and outsiders.
iii. Reinforce the computer room security.
iv. Assign user accounts in a networked environment.
v. Install firewalls. A firewall acts as a security buffer or wall between a private network and
other networks. Access to the private and external networks must first be authenticated by
the firewall and the proxy server.
vi. Install security and antivirus software, which should be updated regularly to protect the
computer against the malicious programs.
vii. Put in place disaster recovery plan. Natural forces including floods, fire, hurricanes,
tornadoes and earthquakes are beyond our control. To avoid losing data and information,
an organization should put in place a disaster recovery plan which entails backing up
data, creating of emergency facilities and installing fire extinguishers.
viii. Avoid downloading programs, games, screen savers and themes you are not sure
of.
ix. Enable write protection on removable disks.
x. Protect computers against brownout or blackout which may cause physical damage or
data loss by using surge protectors and UPS.

Effects of ICT on health

- Some health concerns on the use of ICT devices such as computers and Cellular
phones are:
1. Eye strain and headache — This can be controlled by taking frequent breaks,
using TFT LCD displays or an antiglare screen on CRT monitors.
2. Back and neck pains — Use adjustable furniture and right sitting posture as
shown in Fig. 9.2.
3. Repetitive strain injury (RSI) — Also known as repetitive motion injury or
cumulative trauma disorders results from fast repetitive tasks such as typing. This results
in damage of nerves and tendons. Make correct use of the keyboard, and take frequent
breaks in between.
4. Noise: Some noise, such as that of an impact printer, may leave a person with
“ringing ears”. Use non-impact printers, head mounted earphones and microphones.

Effects of ICT on the environment


- Disposal of dead computer parts as shown in Fig. 9.3, power consumption and emissions
have resulted in environmental pollution.
- The Environmental Protection Agency (EPA) has created the Energy Star compliance
policy, which coerces electronic components manufacturers worldwide to comply
with acceptable levels of environmental pollution and radiation.
- Computer manufacturers are also avoiding excessive use of harmful chemicals
such as chlorofluorocarbons and nickel cadmium and other heavy metals in their
productions.

POLICIES AND LAWS GOVERNING INFORMATION SECURITY

- Most countries have acts of parliament, regulations, laws and policies that
govern data processing and information security. Internationally, data security
issues are governed by bodies such as the International Organization for
Standardization (ISO) and the Information Security Forum (ISF). ISO, a
consortium of national standards institutes, has published “Information
technology - Security techniques - Code of practice for information security
management”.

- The Information Security Forum (ISF) is a global non-profit making body made up
of several leading organizations in financial services, manufacturing,
telecommunication, consumer goods and governments. The organization
provides research on best practices, summarized in its report, the Standard of Good
Practice.

- The following are some examples of regulations and laws in Kenya, the United
Kingdom and the USA that govern data processing and information security.

ICT related Acts in Kenya


- In Kenya, ICT issues are considered under various legislation including: the
Science and Technology Act, Cap. 250 of 1977, the Kenya Broadcasting
Corporation Act of 1998 and the Kenya Communication Act of 1998.
However, these acts of parliament are inadequate in dealing with issues of
convergence, electronic commerce and e-government.

Kenya ICT policy

- The government has developed a national ICT policy that seeks to address
issues of privacy, e-security, ICT legislation, cyber crimes, ethical and moral
conduct, copyrights, intellectual property rights and piracy. For more
information on the policy, download a portable document file (PDF) from
the government website titled National Information & Communication
Technology (ICT) Policy (Ministry of Information & Communication, January
2006) or any revised version that may be made available from time to time.

United Kingdom Data Protection Act 1998

- In the United Kingdom, the Data Protection Act 1998 protects an individual's
privacy. The act states that no processing of information relating to
individuals, including obtaining, holding, use or disclosure of such
information, can be done without the owner's consent.

United Kingdom Computer Misuse Act 1990

- The Computer Misuse Act of parliament makes computer crimes such as hacking
a criminal offence. The Act has become a model for many other countries,
including Kenya, which have used it to draft their own information security
regulations.

Family Education Rights and Privacy Act (USA)

- The Family Education Rights and Privacy Act is a USA federal law that protects
the privacy of students' education records. To release any information from a
student's education record, a USA school must have written permission from the
parent or the student.

Security Breach Notification Laws


- Most countries require businesses, nonprofits and state institutions to notify
consumers when encrypted “personal information” is compromised, lost or
stolen.

Copyrights and Software protection


- Hardware and software are protected by either national or international
copyright, designs and patent laws or Acts. For example, MS products are
protected by international copyright law. In the UK, the “Patents Act 1977,
monopoly rights to inventions”

In general, although these data security laws or regulations may vary from
country to country, they seek to address the following:
1. Data should not be disclosed to other people without the owner's permission.
2. Data and information should be kept secured against loss or exposure.
3. Data and information should not be kept longer than necessary.
4. Data and information should be accurate and up to date.
5. Data and information should be collected, used and kept for specified lawful purposes.

DATA SECURITY AND CONTROLS


ICT security issues and effects on society
Introduction
The dynamic growth of computers and information technology has made it easy for us to
carry out day-to-day activities. However, this technology has also made it easy for some
to access other organizations and personal privacy. The potential impact of ICT on
society touches on:
• Security — The protection of information, hardware and software against
computer criminals, physical and natural hazards.
• Privacy — Protection of private data or information against misuse or
unauthorised access.
• Health — Guarding end-users against physical and mental risks associated with
use of technology.
• Environment — Minimise the effects of using ICT on our environment.
Enforcing data security
Enforcing data security refers to the act of safeguarding data and information from loss or
unauthorised access. People who get unauthorised access to data and information are
called computer criminals.
Computer crime and criminals
Computer criminals can be classified into four main groups:
• Hackers and crackers — A hacker is a person who gains unauthorised access to
information just for fun, while a cracker gains unauthorized access for malicious reasons.
• Fraudsters — These are mostly former employees of the company or outsiders
who use their knowledge to cheat or defraud with the intention of acquiring goods,
services or cash.
• Terrorist — A person or an organization that works towards crippling the
information infrastructure by attacking expensive installations like satellite stations,
server rooms and buildings in order to wage an economic warfare or to hurt people.
• Thieves and trespassers — These are people who physically break into a room with
the intention of stealing hardware and software resources such as storage devices.
Causes of data loss
Some causes of data or information loss are:
1. Attack by malicious programs like viruses, worms and Trojan horses.
• A virus is a malicious program that migrates through removable devices and
computer networks causing system failure or data loss.
• A worm is a special type of virus that does not attach itself to programs but self-
replicates, hence clogging a machine's memory.
• Trojan horses are programs that masquerade as something else. Like worms they
are carriers of viruses. Trojan horses may come in the form of downloadable games and free
screen savers.
2. Data manipulation involves altering or deleting data and information for the
purpose of sabotage.
3. Piracy is illegal copying of copyright protected data and information or software.
Data protection measures
1. Encryption. This refers to the coding of data or information so that only a person
with decrypting key can read it.
2. Enforcing data and information access control policies on all employees and
outsiders.
3. Reinforce the computer room security.
4. Assign user accounts in a networked environment.
5. Install firewalls. A firewall acts as a security buffer or wall between a private
network and other networks. Access to the private and external networks must first be
authenticated by the firewall and the proxy server.
6. Install security and antivirus software, which should be updated regularly to
protect the computer against the malicious programs.
7. Put in place a disaster recovery plan. Natural forces including floods,
fire, hurricanes, tornadoes and earthquakes are beyond our control.
To avoid losing data and information, an organization should put in place a disaster
recovery plan which entails backing up data, creating of emergency facilities and
installing fire extinguishers.
8. Avoid downloading programs, games, screen savers and themes you are not sure
of.
9. Enable write protection on removable disks.
10. Protect computers against brownout or blackout which may cause physical damage or
data loss by using surge protectors and UPS such as one shown in Fig. 9.1.

Fig. 9.1: Uninterruptible Power Supply (UPS)


Data privacy and confidentiality
Private data or information is the collection and use of personal information. This
information should not be accessed or disclosed to any other person unless permitted by
the owner. Data held by an organization or government that should be disclosed to
authorised people only is said to be confidential.
Concerns related to collection and use of private and confidential data are:
1. Spreading information without the owner's consent or awareness.
2. Spreading inaccurate information.
3. Eavesdropping and tapping of information from a communication line.
4. Secretly recording and reporting user activities by using recording devices,
spyware and cookies.
Some laws governing privacy and confidentiality have been created. These laws can be
summarised as:
1. No secret databases — No keeping of personal data exclusively secret in government
or private organisations.
2. Right of individual access — An individual must be able to find out what
information about themselves is recorded and how it is used.
3. Right of consent — Information obtained for one purpose cannot be used for other
purposes without the owner's consent.
4. Right to correct — An individual must be able to correct or amend records of
his/her information.
5. Assurance of reliability and proper use — Data must be reliable.
Effects of ICT on health
Some health concerns on the use of ICT devices such as computers and
cellular phones are:
1. Eye strain and headache — This can be controlled by taking frequent breaks,
using TFT LCD displays or an antiglare screen on CRT monitors.
2. Back and neck pains — Use adjustable furniture and right sitting posture as
shown in Fig. 9.2.
3. Repetitive strain injury (RSI) — Also known as repetitive motion injury or
cumulative trauma disorders results from fast repetitive tasks such as typing. This results
in damage of nerves and tendons. Make correct use of the keyboard, and take frequent
breaks in between.
4. Noise: Some noise, such as that of an impact printer, may leave a person with
“ringing ears”. Use non-impact printers, head mounted earphones and microphones.
Fig. 9.2: Correct sitting position.
Effects of ICT on the environment
Disposal of dead computer parts as shown in Fig. 9.3, power
consumption and emissions have resulted in environmental pollution.
The Environmental Protection Agency (EPA) has created the Energy Star
compliance policy, which coerces electronic components manufacturers
worldwide to comply with acceptable levels of environmental pollution and
radiation.
Computer manufacturers are also avoiding excessive use of harmful chemicals such as
chlorofluorocarbons and nickel cadmium and other heavy metals in their productions.

Fig. 9.3: Computer components dump site.

Review exercise 9.1
Part A
1. One of the following tries to get unauthorised access to data or information
just for fun:
A. Hacker
B. Saboteur
C. Cracker
2. The following gets unauthorised access to information for malicious
purposes:
A. Hacker
B. Saboteur
C. Cracker
3. A person who uses his/her knowledge to cheat unsuspecting people on the
internet for economic gain:
A. Fraudster
B. Cracker
C. Hacker
4. A malicious program that masquerades as being useful yet it performs
background operations that may harm the ICT infrastructure:
A. Virus
B. Trojan horse
C. Worm
5. A person who attacks ICT and government installations with the aim of
stalling service delivery and causing economic loss:
A. spy
B. soldier
C. terrorist
Part B
1. In order to encrypt a message, a ______ key is needed while
to read an encrypted message, a ______ key is needed.
2. A ______ is a measure that can help a company to continue
offering services even after a disaster.
3. ______ data is held in trust by an organisation and may be
shown to authorised parties while ______ data must not be
shown to a third party without the owner’s permission.
4. ______ is a health problem that may result from flickering
screens while ______ may result from poor posture.
5. The two chemicals that cause environmental pollution related to use of ICT
include ______ and ______.
Part C
1. Define the following terms:
(a) Piracy (b) Privacy (c) Encryption
(d) Firewall (e) Ergonomics
2. Differentiate between hacking and cracking.
3. List three types of malicious software that can negatively affect a
computer system.
4. State six ways of enforcing data security on information systems.
5. Explain the effect of computer and other ICT devices on physical and
mental health.

Revision questions 9
Part A
1. Data that is exclusively owned and must not be revealed to a third party is
said to be ______.
2. Programs that secretly record user activities on the Internet are called
______.
3. Person who gains unauthorised access to a computer system just for fun is
called a ______.
4. Person who gains unauthorised access to a computer system for malicious
purposes is known as a ______.
5. Malicious programs that migrate through networks and affect the
functioning of a computer system are known
as ______.
6. A malware that clogs a computer system with self-replicating files is called
a ______.
7. Programs that block, heal or quarantine malicious programs are called ______.
8. Device used to protect a computer from excess electric power that may
destroy computer components is called ______.
9. Coding data to be transmitted on a network so that only intended users
can read or use it is referred to as ______.
10. Hardware or software that restricts access to the Internet and internal
computer networks is called ______.
Part B
1. Explain how you would restrict children from accessing offensive sites on
the net.
2. Discuss the effects of ICT on the environment.
3. Which term is used to refer to programs that secretly record and report an
individual’s activities on the internet?
4. How would you safeguard your hardware and software from human and
natural disaster?
5. Explain the concept behind Environmental Protection Agency (EPA) energy
star.
Chapter 9: Data security and controls
Review exercise 9.1
Part A
1. A 2. C 3. A 4. B 5. C
Part B
1. Encryption, decryption key
2. Disaster recovery plan/contingency plan
3. Confidential, private
4. Eyestrain, neck pains
5. CFC, nickel cadmium
Part C
1. a) Piracy - illegal copying of data and software.
b) Privacy - exclusive ownership of data or information.
c) Encryption - Coding data so that only intended users can read or use it by entering
the decryption key.
d) Firewall - Hardware or software that restricts access to internet and intranets.
e) Ergonomics — Sitting posture when using a computer.
2. Hacking is accessing data illegally just for fun while cracking is malicious access.
3. Viruses, Trojans, worms.
4. i) Encrypt data.
ii) Reinforce the computer room security.
iii) Assign user accounts in a networked environment.
iv) Install firewalls.
v) Enforce security and install antivirus software.
vi) Disaster recovery plan.
vii) Back up data regularly.
5. i) Eye strain and headache. ii) Back and neck pains. iii) Repetitive
strain injury. iv) Fatigue.
Revision questions 9
Part A
17. Private
I. Cracker 7. Antivirus 10. Firewall
Spyware
Malware
UPS/surge protector
6. Hacker
• Worm 9. Encryption
Part B
1. Using filter programs such as CyberPatrol, Cybersitter or Net Nanny.
2. Disposal of dead computer parts such as nickel cadmium has resulted in
environmental pollution.
3. Spyware
4. Contingency plan
5. Environmental Protection Agency (EPA) coerces manufacturers worldwide to
comply with acceptable levels of environmental pollution and radiation.
