Privacy & Security

Dangers

There are many dangers that can arise from the use of computers to manage files of personal data such as:-

Hacking - gain unauthorised access to data/to a computer system.
Viruses - a program which is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data.
Malicious damage - when a person intentionally sets out to corrupt or delete electronic files, data or software programs e.g. White Collar Crime. Further examples could include:-
- - A hacker (virus) intentionally deleting or altering another customer’s data
  - A company employee intentionally deleting or altering a customer’s data
  - A customer deleting or altering another customer’s information
    - Malicious damage may be prevented by the use of a firewall, usernames and passwords (plus other security questions) to enter a system, restricted access rights for company employees i.e. must not be allowed to amend or delete customer files, restricted access rights for customers i.e. customers can only access their data, virus checker.
Accidental damage - when a person unintentionally corrupts or deletes electronic files, data or software programs.
- - Examples could include a customer deleting or altering customer’s data unintentionally or a company employee deleting or altering a customer’s data unintentionallyLoss of data leading to damage to company’s reputation
    - Accidental damage could be prevented by making account files and statements read only; ask user for confirmation of amendments or deletions; suitable staff training and clear user instructions
Loss of data leading to fines or prosecution / GDPR
Loss of data leading to damage to company reputation
Hardware failure leading to a loss of data
ID theft leading to personal losses / fraud
Trojan - a program designed to breach the security of a computer system while ostensibly performing some innocuous function.
Worm - a standalone malware computer program that replicates itself in order to spread to other computers.
Spyware - software that enables a user to obtain information about another's computer activities by transmitting data from their hard drive.
Botnets - a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g. to send spam.
Malware - software which is specifically designed to disrupt or damage a computer system.
Keylogger - a computer program that records every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information.

Protecting the Security & Integrity of Data

There are many contemporary processes that are followed to protect the security and integrity of data including:-

Levels of permitted access – certain users would have different/restricted access to certain data or parts of the system
Write-protect mechanisms – only certain users will have permission to write/edit data already stored on the system. (e.g. in school we have different network areas with restricted access, pupils can access files on p:drive but not edit the files.
Strong secure password – the organisation limits access to the network by ensuring that all authorised users have a strong secure password. (e.g. at least 8 characters with a letter, number and a symbol).
Access rights - access to confidential files on the network is limited to authorised users only by assigning access rights to users that only allow certain users to access specified area of the network and/or specified files.
Encryption - hackers are prevented from reading the confidential files even if they gain access to it by encrypting the files. An encryption key is used and known only by the organisation
Firewall - the servers would be protected with firewall software blocking / checking all network traffic entering or leaving specified ports / stop programs accessing the internet
Antivirus software - file servers would be protected with antivirus software which regularly scans all files stored on them for possible infection by malware
Antivirus software - email server would be protected with antivirus software and all incoming emails would be scanned to see if attached files are infected
Antivirus software - workstations would be protected with antivirus software and all files from external media would be scanned before they’re allowed to be accessed
Backups – copies of data held in order to restore in the event of data loss
Policies / Legislation – relevant descriptions based on current legislation or company policies. Standard clerical procedures e.g. ensuring all employees have signed and agreed to the ICT Code of Conduct and have signed that they will follow the rules set out in the Acceptable Network Use Policy.
Accounting or auditing software – all files accessed by a user are recorded in an activity log

Methods used in file security to prevent accidental data loss from computer systems

File Back Up

A data backup is a copy or archive of files and folders for the purpose of being able to restore them in case of data loss.
Autosaving of files as you use them e.g. Word keeping backup copies.

Generations of files

This involves storage of three of the most recent versions of master file. (grandfather – father - son) . Also known as the 'ANCESTRAL SYSTEM'.
Useful if one version is corrupted: the previous version(s) is still available
Data should be stored off site in case of a disaster

Transaction Logs

This method is an incremental file security method, meaning that in order to restore a database to a certain point-intime, all transaction log records are required to replay database changes up to that particular point-in-time
Only backs up data that has changed and writes over older back ups
Useful as it saves storage space and is faster than full backup.
Version control

Access Rights

Users can be given rights to certain files or file structures that prevent them from accessing them / changing them / deleting them.
File attributes

Incremental Backup

Only backs up data that has changed and writes over older back ups
Useful as it saves storage space and is faster than full backup
Only allows the user to restore the most recent backup

Delta Change Backup

Only data changed since the previous backup is backed up
The original backup is also maintained in case data needs to be restored
Useful as it is faster than creating a complete backup

EXERCISES

Dangers of using computers to manage personal data

https://wordwall.net/resource/13223419/computing/dangers-using-computers-manage-personal-data

Protecting the security and integrity of data

https://wordwall.net/resource/13223852/computing/protecting-security-integrity-data

Identifying Vulnerabilities

There are a number of methods of identifying vulnerabilities within a computer system.

Foot printing

Footprinting is the first step in the evaluation of the security of any computer system.
It involves gathering all available information about the computer system or network and the devices that are attached to it.
Footprinting should enable a penetration tester to discover how much detail a potential attacker could find out about a system and allow an organisation to limit the technical information about its systems that is publicly available.

Ethical Hacking

• Ethical hacking is carried out with the permission of the system owner to cover all computer attack techniques.

• An ethical hacker attempts to bypass system security and search for any weak points that could be exploited by malicious hackers.

• This information is then used by the system owner to improve system security.

Penetration Testing

• Penetration testing is a sub set of ethical hacking that deals with the process of testing a computer system, or network to find vulnerabilities that an attacker could exploit.

• The tests can be automated with software applications or they can be performed manually.

• Penetration test strategies include:

Targeted testing, testing carried out by the organization's IT team and the penetration testing team working together.
External testing, to find out if an outside attacker can get in and how far they can get in once they have gained access.
Internal testing, to estimate how much damage a dissatisfied employee could cause.
Blind testing, to simulate the actions and procedures of a real attacker by severely limiting the information given to the team performing the test.

Acceptable Network Use Policy

Policies are documents written to outline the rules that users are required to follow while using a computer network. The purpose of an Acceptable Network Use Policy is to govern the behaviour of a user whilst connected to the network.

Contents of an Acceptable Network Use Policy

The policy may include some description of what may be called etiquette which includes such items of conduct as:
- creation and transmission of offensive, obscene, or indecent document or images
- creation and transmission of material which is designed to cause annoyance, inconvenience or anxiety
- creation of defamatory material
- creation and transmission that infringes copyright of another person
Transmission of unsolicited commercial or advertising material and deliberate unauthorised access to other services accessible using the connection to the network.
Then there is the type of activity that uses the network to waste time of technical staff to troubleshoot a problem for which the user is the cause,
Corrupting or destroying other user's data
Violating the privacy of others online
Using the network in such a way that it denies the service to others
Continuing to use software or other system for which the user has already been warned about using,
Any other misuse of the network such as introduction of viruses.
Outline consequences of violating the policy.
Common actions that the company may take:
If the activities are illegal the organization may involve appropriate authorities, such as the local police.
Employers will at times withdraw the service from employees,
Although a more common action is to terminate employment when violations may be hurting the employer in some way, or may compromise security.

Page updated

Report abuse