DATA SECURITY AND CONTROL

Definitions
• Security: Degree of resistance to, or protection from, harm. Applies to any vulnerable and valuable asset, e.g. data, information or computer systems.

• Privacy: Ability of a system to seclude itself, or information about itself. Encompasses the appropriate use and protection of information.

Data Security Core Principles

• Confidentiality: Ability of the organization not to disclose sensitive data to unauthorized people, e.g. employee data, military information, business financial records.
• Integrity: Data should not be modified without the owner's authority.
• Availability: Information must be available on demand.
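The integrity principle can be enforced mechanically rather than left as a rule: the data owner keeps a secret key, tags every record with a keyed hash (HMAC-SHA256), and whoever later reads the data recomputes the tag. A record that was changed by someone without the key no longer verifies. The Python program below is an added example written for these notes, not part of the original; the employee records, the key, and the helper names `tag_records` and `check_records` are all constructed for illustration.

```python
import hmac
import hashlib

# Constructed sample records (not real data): the assets whose integrity we protect.
RECORDS = {
    "employee_1042": b"name=J. Doe;salary=85000;role=analyst",
    "employee_1043": b"name=A. Smith;salary=91000;role=engineer",
}


def make_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over one record; only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def tag_records(key: bytes, records: dict) -> dict:
    """The owner tags every record once; the tags are stored alongside the data."""
    return {name: make_tag(key, data) for name, data in records.items()}


def check_records(key: bytes, records: dict, tags: dict) -> list:
    """Return the names of records whose stored tag no longer matches the data.

    A missing tag counts as a failure too: an attacker who can delete the tag
    must not be able to make a record look unverified-but-acceptable.
    """
    bad = []
    for name, data in records.items():
        expected = tags.get(name)
        # compare_digest runs in constant time, so timing does not leak the tag.
        if expected is None or not hmac.compare_digest(make_tag(key, data), expected):
            bad.append(name)
    return bad


def demo(key: bytes):
    """Tag the records, tamper with one without the key, and show it is detected."""
    tags = tag_records(key, RECORDS)
    before = check_records(key, RECORDS, tags)  # nothing modified yet -> []
    tampered = dict(RECORDS)
    tampered["employee_1042"] = tampered["employee_1042"].replace(b"85000", b"95000")
    after = check_records(key, tampered, tags)  # -> ["employee_1042"]
    return before, after


if __name__ == "__main__":
    owner_key = b"constructed-demo-key-do-not-reuse-32b"  # constructed for the example
    print(demo(owner_key))
```

An HMAC detects modification but does not hide the data; hiding it is the job of encryption, which serves the confidentiality principle rather than integrity. A wrong key fails verification for every record, which is what ties the check to the owner's authority.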

Security Threats and Control Measures

Security threats are aimed mainly at computer-based information systems and at private or confidential data. They include:
• Unauthorized access to data
• Data alteration
• Malicious destruction of hardware and software
• Malicious destruction of network resources, and sabotage

Data security provides for the security, integrity and safety of information systems. The following are the major security threats and the control measures for each case.

1. Information system failure
These include:
• Hardware failure
• Unstable power supply due to brownouts and blackouts
• Network breakdown
• Natural disasters
• Program failure

Control measures include:
• Protecting computers against blackouts and brownouts using a UPS (uninterruptible power supply)
• Disaster recovery systems, which involve establishing off-site storage of an organization's databases

2. Threats from malicious programs

Malicious programs affect the smooth running of a system and carry out illegal activities such as secretly collecting information from the user.
Some of the common malicious programs include:
• Boot Sector Viruses – Destroy booting information on storage media
• File Viruses – Attach themselves to files
• Hoax Viruses – Come as emails with attractive messages and launch themselves when the email is opened
• Trojan Horses – Appear to perform useful functions but carry out undesirable activities in the background
• Worms – Malicious programs that self-replicate and hence clog the system memory and storage media
• Backdoors – May be a Trojan or a worm that allows hidden access to the computer system

Control measures against viruses
• Install the latest anti-virus software and make sure it is continuously updated
• Scan removable storage media before using them
• Scan mail attachments for viruses before opening them

3. Physical Theft
Refers to the physical theft of computer hardware and software.

Control measures against theft
• Employing security guards
• Reinforcing access points to the building (burglar proofing)
• Motivating workers
• Insuring the hardware resources

4. Piracy
The illegal distribution and/or reproduction of software, data or information protected by copyright, for business or personal use.

Kinds of Piracy
• End User Piracy: The use of multiple copies of a single software package on several systems, or distributing registered/licensed copies of software to others. This also includes the use of cracked software.
• Reseller Piracy: Occurs when unscrupulous persons distribute multiple copies of a single software package to different customers. This also includes preinstalling systems with software without providing the original manuals and CDs, and knowingly selling counterfeit versions of software to unsuspecting customers.
• Trademark/Trade Name Infringement: Occurs when individual dealers falsely claim to be authorized as a technician, support provider or reseller, or improperly use a trademark/trade name.
• Internet Piracy: Occurs when there is an electronic transfer (upload/download) of copyrighted software.

Control measures against piracy
• Enforce laws that protect the owners of data and information against piracy
• Make software cheap enough to increase affordability
• Use licenses and certificates (with serial numbers) to identify original copies
• Set installation passwords that deter illegal installation of software

5. Fraud
Refers to stealing by false pretence. Fraudsters can be company employees, or a non-existent company that purports to offer internet services.

6. Sabotage
The illegal destruction of data and information with the aim of crippling service delivery. It is carried out by disgruntled employees and competitors with the aim of causing harm to an organisation.

COMPUTER CRIMES
Computer crimes encompass a broad range of potentially illegal activities, but can generally be divided into two groups:
1. Crimes that target computer networks or devices directly
• Malware
• Denial of service
• Computer viruses

2. Crimes facilitated by computer networks or devices, where the primary target is independent of the computer network or device
• Cyber stalking
• Fraud and identity theft
• Phishing scams
• Information warfare

Examples of Computer Crimes

• Corporate Espionage: Seeking intelligence on a competitor's trade secrets through illegal means such as bribing insiders. Companies may also be involved in selling information about their customers for monetary gain.
• Cyberterrorism: The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or to further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives.
• Fraud: Theft and fraud committed using false information, such as a credit card or any similar payment mechanism, as a fraudulent source of funds in a transaction.
• Identity Theft: Occurs when a criminal uses false documents to open an account in someone else's name (application theft). It may also occur when a criminal tries to take over another person's account, first by gathering information about the intended victim and then calling the insurer, masquerading as the genuine owner, and requesting services.
• Sabotage: Illegal destruction of data and information with the intention of harming an organization.
• Piracy: Making unauthorized copies of copyrighted/licensed material.
• Data Manipulation: Altering data stored in a system, or creating illegal certificates/records using a computer.
• Eavesdropping: Tapping into communication lines over which data/messages are sent, without authorization.
• Viruses: Programs meant to destroy, alter or provide access to data stored in a computer.
• Trap Doors: Creating special passwords that enable the creator to access a system.
• Time Bombs: Coding computer programs so that they self-destruct after carrying out an operation.
• Spamming: Distributing unsolicited e-mails to dozens or hundreds of different addresses.
• Unauthorized access: Gaining access to a computer, system or network you are not allowed to access.
• Phishing: Deceiving an individual in order to gain their private/personal data.
• Cracking: Seeking and exploiting the weaknesses of a computer system or network (hacking) for personal gain.
• Cyber stalking/bullying: Use of the internet or electronic devices to harass, monitor or threaten an individual or organization.
• Creating Malware: Writing and spreading spyware, bloatware and/or viruses meant to steal disk space, access personal information, ruin data or send information out to the user's contacts.
• Denial-of-service attack: Flooding a company's website with requests and thus causing it to slow down or crash.
• Child Pornography: Making and digitally distributing child pornography.
• Spoofing: Deceiving a system into thinking you are someone you really are not.
• Surveillance: Monitoring the use of a computer system by means of background programs such as spyware and cookies; the information gathered is then used for sabotage.
• Alteration: The illegal modification of private or confidential data with the aim of misleading users.

Detection and Protection of Computer Crimes
a. Audit Trail: An audit trail log helps deter some of the illegal transactions in a computer system. It tracks the activities of those who have access to the system: it shows who entered the system, when they did so, and which files they worked on. With this information it is also easier to recover lost data.
b. Security Monitors
• Log Files: Record the transactions going on in the computer system, such as disk transactions and any errors that occur.
• Biometrics: Used to verify users' identity by means of physical attributes such as voice, fingerprints and facial features, e.g. eyes and ears.
• Multi-level authentication: Includes assigning users log-on accounts and the use of smart cards and PINs (Personal Identification Numbers).
c. Firewalls: A firewall filters the data traffic passing between the LAN and external networks (the internet). It protects against security breaches by malicious individuals while still allowing users within the local network to communicate among themselves and use the internet.
d. Data Encryption: Encodes data using an algorithm so that it is inaccessible to unauthorized persons; only authorized individuals who know the decryption key can read it.
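As an added illustration of the audit-trail and log-file controls described under (a) and (b), the Python program below reconstructs who logged in, when, and which files they worked on from a few constructed log lines, and then checks every file action against a hypothetical authorization table, flagging repeated failed logins and modifications the table does not permit. It is example code written for these notes, not part of the original; the log format, the users `alice` and `bob`, the paths and the `ACL` table are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit log (not from any real system).
SAMPLE_LOG = """\
2024-03-01T08:02:11 LOGIN user=alice result=OK
2024-03-01T08:05:40 FILE user=alice action=READ path=/payroll/march.xlsx
2024-03-01T08:07:02 FILE user=alice action=WRITE path=/payroll/march.xlsx
2024-03-01T21:14:55 LOGIN user=bob result=FAIL
2024-03-01T21:15:03 LOGIN user=bob result=FAIL
2024-03-01T21:15:10 LOGIN user=bob result=FAIL
2024-03-01T21:15:40 LOGIN user=bob result=OK
2024-03-01T21:16:02 FILE user=bob action=WRITE path=/payroll/march.xlsx
"""

# Hypothetical authorization table (constructed): which actions each user may
# perform on files under a given path prefix.
ACL = {
    "alice": {"/payroll/": {"READ", "WRITE"}},
    "bob": {"/payroll/": {"READ"}},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN|FILE) (?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    for kv in m.group("fields").split():
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


def build_audit_trail(log_text):
    """Who entered the system, when, and which files they worked on."""
    trail = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "LOGIN" and rec.get("result") == "OK":
            trail[rec["user"]].append((rec["ts"], "LOGIN", "-"))
        elif rec["event"] == "FILE":
            trail[rec["user"]].append((rec["ts"], rec["action"], rec["path"]))
    return dict(trail)


def is_authorized(user, action, path):
    """True if the ACL grants `action` on `path` to `user`."""
    for prefix, actions in ACL.get(user, {}).items():
        if path.startswith(prefix) and action in actions:
            return True
    return False


def find_violations(log_text, fail_threshold=3):
    """Flag runs of failed logins and file actions the ACL does not permit."""
    findings = []
    failed = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec.get("user", "?")
        if rec["event"] == "LOGIN":
            if rec.get("result") == "FAIL":
                failed[user] += 1
                if failed[user] == fail_threshold:
                    findings.append(f"{rec['ts']} {user}: {fail_threshold} consecutive failed logins")
            else:
                failed[user] = 0  # a successful login ends the run
        elif rec["event"] == "FILE":
            if not is_authorized(user, rec["action"], rec["path"]):
                findings.append(f"{rec['ts']} {user}: unauthorized {rec['action']} on {rec['path']}")
    return findings


if __name__ == "__main__":
    for user, events in build_audit_trail(SAMPLE_LOG).items():
        print(user)
        for ts, action, path in events:
            print(f"  {ts} {action} {path}")
    print("Findings:")
    for finding in find_violations(SAMPLE_LOG):
        print(" ", finding)
```

The trail answers the audit-trail questions in the text (who, when, which files), and the second pass shows why the log is only useful alongside a statement of who is authorized to do what: bob's write to the payroll file is an ordinary-looking event until it is compared with the ACL.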

LEGISLATIONS GOVERNING ICT

1. The Data Protection Act: Aimed at protecting the right of an individual to privacy.
• If an organization holds data on individuals, it must register under the act.
• Personal data should be processed fairly and lawfully.
• Personal data should be held only for registered purposes.
• Personal data should not be disclosed in any way other than lawfully and within the registered purpose.
• Personal data should be accurate and kept up to date.
• Personal data should not be kept longer than necessary.
• Data must be processed in accordance with the rights of the data subjects.
• Appropriate security measures must be taken against unauthorized access.
• Individuals should be informed about the data stored about them, and should be entitled to access it and to have errors corrected.
• Personal data cannot be transferred to countries outside the EU unless the country provides an adequate level of protection.

2. The Computer Misuse Act: Before this act it was impossible to prosecute a hacker. The act created three offences:
• Unauthorized access to private data (viewing data that you are not authorized to see)
• Unauthorized access with the intent to commit, or facilitate the commission of, further offences (hacking)
• Unauthorized modification of computer programs

3. Copyright, Designs and Patents Act: Protects software developers from having their software copied and reproduced (piracy). It stipulates that it is illegal to:
• Copy software without the permission of the rightful owner
• Run copied/pirated software
• Transmit copied software over a telecommunications line

4. Others
• ICT-related Acts in Kenya: for example, the Science and Technology Act, Cap. 250 of 1997. This is an act of parliament capable of dealing with information security.
• Kenya ICT Policy: for example, the National Information & Communication Technology Policy, which seeks to address information security.
• Family Educational Rights and Privacy Act (USA): a US federal law that protects the privacy of student education records.
• Security Breach Notification Laws: Most countries require businesses, NGOs and state institutions to notify consumers when unencrypted confidential data is compromised, lost or stolen.

ICT and Copyright
Copyright is an important issue in information security, and penalties for breach can be high for an individual or organization.

There are four main areas where copyright issues occur:
• Software copyright/licensing
• Electronic documents
• Database copyright
• Computer-generated works

Important Principles
• A software licensee never takes ownership of the copyright in the software; he or she merely purchases a license to use the software under the terms and conditions set by the copyright owner and the law.
• Copyright exists in the work from the moment of its creation.
• Remedies for civil copyright infringement may include damages to compensate the copyright owner for harm caused to his business, including loss of reputation and loss of sales.
• Criminal penalties can include unlimited fines, two years' imprisonment, or both.
• The rental of software is illegal without the express permission of the copyright holder.
• If an organization is using illegal copies of software, the organization may face not only a civil suit; corporate officers and individual employees may also face criminal liability.
