6 Security, privacy and data

integrity

6.1
In this chapter, you will learn about

Data security
★ the terms security, privacy and integrity of data
★ the need for security of data and security of computer systems
★ security measures to protect computer systems such as user
accounts, passwords, digital signatures, firewalls, antivirus and
anti-spyware software and encryption
★ security threats such as viruses and spyware, hacking, phishing and
pharming
★ methods used to reduce security risks such as encryption and access
rights
★ the use of validation to protect data integrity
★ the use of verification during data entry and data transfer to reduce or
eliminate errors.

6.1 Data security

WHAT YOU SHOULD ALREADY KNOW
Try these five questions before you read the first 4 a) What are pop-ups when visiting a website?
part of this chapter. Are they a security risk?
1 a) What is meant by hacking? b) What are cookies? Do cookies pose a
b) Is hacking always an illegal act? Justify security threat?
your answer. c) Describe:
2 Contactless credit cards and debit cards are i) session cookies
regarded by some as a security risk. ii) permanent cookies
iii) third party cookies.
Discuss the advantages and disadvantages
of using contactless cards with particular 5 Why must the correct procedures be carried
reference to data security. out when removing a memory stick from a
computer?
3 What are the main differences between
cracking and hacking?

Key terms
Data privacy – the privacy of personal information, or
other information stored on a computer, that should not
be accessed by unauthorised parties.
Data protection laws – laws which govern how data
should be kept private and secure.
Data security – methods taken to prevent unauthorised
access to data and to recover data if lost or corrupted.
User account – an agreement that allows an individual
to use a computer or network server, often requiring a
user name and password.
Authentication – a way of proving somebody or
something is who or what they claim to be.
Access rights (data security) – use of access levels to ensure
only authorised users can gain access to certain data.

159

457591_06_CI_AS & A_Level_CS_159-177.indd 159 25/04/19 9:35 AM

 Malware – malicious software that seeks to damage or example, deletion of files or use of private data to the

6 gain unauthorised access to a computer system.

Firewall – software or hardware that sits between
a computer and external network that monitors and
filters all incoming and outgoing activities.
Anti-spyware software – software that detects and
removes spyware programs installed illegally on a
user’s computer system.
Encryption – the use of encryption keys to make data
6 Security, privacy and data integrity
hacker’s advantage).
Ethical hacking – hacking used to test the security
and vulnerability of a computer system. The hacking is
carried out with the permission of the computer system
owner, for example, to help a company identify risks
associated with malicious hacking of their computer
systems.
Phishing – legitimate-looking emails designed to trick
a recipient into giving their personal data to the sender

meaningless without the correct decryption key.

Biometrics – use of unique human characteristics to
identify a user (such as fingerprints or face recognition).
Hacking – illegal access to a computer system without
the owner’s permission.
Malicious hacking – hacking done with the sole intent
of causing harm to a computer system or user (for
of the email.
Pharming – redirecting a user to a fake website in order
to illegally obtain personal data about the user.
DNS cache poisoning – altering IP addresses on a DNS
server by a ‘pharmer’ or hacker with the intention of
redirecting a user to their fake website.

6.1.1 Data privacy

Data stored about a person or an organisation must remain private and
unauthorised access to the data must be prevented – data privacy is required.
This is achieved partly by data protection laws. These laws vary from country
to country, but all follow the same eight guiding principles.

1 Data must be fairly and lawfully processed.

2 Data can only be processed for the stated purpose.
3 Data must be adequate, relevant and not excessive.
4 Data must be accurate.
5 Data must not be kept longer than necessary.
6 Data must be processed in accordance with the data subject’s rights.
7 Data must be kept secure.
8 Data must not be transferred to another country unless that country also has
adequate protection.

Data protection laws usually cover organisations rather than private

individuals. Such laws are no guarantee of privacy, but the legal threat of fines
or jail sentences deters most people.

6.1.2 Preventing data loss and restricting data access

Data security refers to the methods used to prevent unauthorised access to
data, as well as to the data recovery methods if it is lost.

User accounts
User accounts are used to authenticate a user (prove that a user is who
they say they are). User accounts are used on both standalone and networked
computers in case the computer can be accessed by a number of people. This is
often done by a screen prompt asking for a username and password:

160

457591_06_CI_AS & A_Level_CS_159-177.indd 160 25/04/19 9:35 AM


EXTENSION
ACTIVITY 6A
An airport uses a
computer system
to control security,
flight bookings,
passenger lists,
administration and
customer services.
Describe how it is
possible to ensure
the safety of the
data on the system
so that senior staff
can see all data,
while customers can
only access flight
times (arrivals and
departures) and duty
free offers.
457591_06_CI_AS & A_Level_CS_159-177.indd 161
6
User login
Need an account? Sign Up
6.1
username
Data security
password
keep me logged in
Sign In
Forgot your password? Click here
▲ Figure 6.1 A login screen
User accounts control access rights. This often involves levels of access. For
example, in a hospital it would not be appropriate for a cleaner to have
access to data about one of the patients. However, a consultant would need
such access. Therefore, most systems have a hierarchy of access levels
depending on a person’s level of security. This could be achieved by
username and password with each username (account) linked to the
appropriate level of access.
Use of passwords
Passwords are used to restrict access to data or systems. They should be hard
to crack and changed frequently to retain security. Passwords can also take the
form of biometrics (such as on a mobile phone, as discussed later). Passwords
are also used, for example, when
» accessing email accounts
» carrying out online banking or shopping
» accessing social networking sites.
It is important that passwords are protected. Some ways of doing this are to
» run anti-spyware software to make sure your passwords are not being relayed
to whoever put the spyware on your computer
» regularly change passwords in case they have been seen by someone else,
illegally or accidentally
» make sure passwords are difficult to crack or guess (for example, do not use
your date of birth or pet’s name).
Passwords are grouped as either strong (hard to crack or guess) or weak
(relatively easy to crack or guess). Strong passwords should contain
» at least one capital letter
» at least one numerical value
» at least one other keyboard character (such as @, *, &)
161
25/04/19 9:35 AM
 Example of a strong password: Sy12@#TT90kj=0

6 Example of a weak password: GREEN

EXTENSION ACTIVITY 6B

Which of the following are weak passwords and which are strong
passwords?
Explain your decision in each case.
6 Security, privacy and data integrity

a) 25-May-2000
b) Pas5word
c) ChapTer@06
d) AbC*N55!
e) 12345X

Digital signatures
Digital signatures protect data by providing a way of identifying the sender of,
for example, an email. These are covered in more depth in Chapter 17.

Use of firewalls
A firewall can be software or hardware. It sits between the user’s computer and
an external network (such as the internet) and filters information in and out
of the computer. This allows the user to decide to allow communication with
an external source and warns a user that an external source is trying to access
their computer. Firewalls are the primary defence to any computer system to
protect from hacking, malware (viruses and spyware), phishing and pharming.

firewall (software
user’s computer internet
or hardware)
▲ Figure 6.2 Firewall

The tasks carried out by a firewall include

» examining the traffic between the user’s computer (or internal network) and
a public network (such as the internet)
» checking whether incoming or outgoing data meets a given set of criteria
» blocking the traffic if the data fails to meet the criteria, and giving the user
(or network manager) a warning that there may be a security issue
» logging all incoming and outgoing traffic to allow later interrogation by the
user (or network manager)
» preventing access to certain undesirable sites – the firewall can keep a list
of all undesirable IP addresses
» helping to prevent viruses or hackers entering the user’s computer (or
internal network)
» warning the user if some software on their system is trying to access an
external data source (such as an automatic software upgrade). The user is given
the option of allowing it to go ahead or request that such access is denied.

The firewall can be a hardware interface which is located somewhere between

the computer (or internal network external link) and the internet connection. In

162

457591_06_CI_AS & A_Level_CS_159-177.indd 162 25/04/19 9:35 AM

 these cases, it is often referred to as a gateway. Alternatively, the firewall can

6
be software installed on a computer, sometimes as part of the operating system.
However, sometimes the firewall cannot prevent potential harmful traffic. It
cannot
» prevent individuals, on internal networks, using their own modems to
by-pass the firewall
» control employee misconduct or carelessness (for example, control of
passwords or user accounts)
» prevent users on stand-alone computers from disabling the firewall.

6.1
Data security
These issues require management and/or personal control to ensure the firewall
can work effectively.

Antivirus software
Running antivirus software in the background on a computer will constantly
check for virus attacks. Although different types of antivirus software work in
different ways, they all
» check software or files before they are run or loaded on a computer
» compare possible viruses against a database of known viruses
» carry out heuristic checking (check software for behaviour that could
indicate a virus, which is useful if software is infected by a virus not yet on
the database)
» quarantine files or programs which are possibly infected and
– allow the virus to be automatically deleted, or
– allow the user to make the decision about deletion (it is possible that
the user knows that the file or program is not infected by a virus – this
is known as a false positive and is one of the drawbacks of antivirus
software).
Antivirus software needs to be kept up to date since new viruses are constantly
being discovered. Full system checks need to be carried out regularly (once a
week, for example), since some viruses lie dormant and would only be picked up
by this full system scan.

Anti-spyware software
Anti-spyware software detects and removes spyware programs installed
illegally on a user’s computer system. The software is either based on rules
(it looks for typical features associated with spyware) or based on known file
structures which can identify common spyware programs.

Encryption
If data on a computer has been accessed illegally (by a hacker, for example) it
is possible to encrypt the data, making it virtually impossible to understand
without encryption keys to decode it. This cannot stop a hacker from deleting
the files, but it will stop them using the data for themselves. This is covered in
more depth in Chapter 17.

Biometrics
In an attempt to stay one step ahead of hackers and malware writers, many
modern computer devices use biometrics as part of the password system.
Biometrics rely on the unique characteristics of human beings. Examples
include fingerprint scans, retina scans (pattern of blood capillary structure),
face recognition and voice recognition.
163

457591_06_CI_AS & A_Level_CS_159-177.indd 163 25/04/19 9:35 AM

 Fingerprint scans

6 Images of fingerprints are compared against previously scanned fingerprints

stored in a database; if they match then access is allowed; the system
compares patterns of ‘ridges’ and ‘valleys’ which are fairly unique (accuracy
is about 1 in 500).
Retina scans
Retina scans use infra-red to scan the unique pattern of blood vessels in the retina
(at the back of the eye). It requires a person to stay still for 10 to 15 seconds
6 Security, privacy and data integrity

while the scan takes place; it is very secure since nobody has yet found a way to
duplicate the blood vessels patterns’ (accuracy is about 1 in 10 million).

▲ Figure 6.3 Fingerprint

▲ Figure 6.4 Retina scan

Mobile phones use biometrics to identify if the phone user is the owner.

6.1.3 Risks to the security of stored data

Hacking
You will see the term hacking used throughout this textbook. There are two
types of hacking: malicious and ethical.
Malicious hacking is the illegal access to a computer system without the user’s
permission or knowledge. It is usually employed with the intention of deleting,
altering or corrupting files, or to gain personal details such as bank account
details. Strong passwords, firewalls and software which can detect illegal
activity all guard against hacking.
Ethical hacking is authorised by companies to check their security measures
and how robust their computer systems are to resist hacking attacks. It is
legal, and is done with a company’s permission with a fee paid to the ethical
hacker.

Malware
Malware is one of the biggest risks to the integrity and security of data on a
computer system. Many software applications sold as antivirus are capable of
identifying and removing most of the forms of malware described below.
Viruses
Programs or program code that can replicate and/or copy themselves with the
intention of deleting or corrupting files or causing the computer to malfunction.

164

457591_06_CI_AS & A_Level_CS_159-177.indd 164 25/04/19 9:35 AM

 They need an active host program on the target computer or an operating

6
system that has already been infected before they can run.
Worms
A type of stand-alone virus that can replicate themselves with the intention of
spreading to other computers; they often use networks to search out computers
with weak security.
Logic bombs
Code embedded in a program on a computer. When certain conditions are met

6.1
(such as a specific date) they are activated to carry out tasks such as deleting

Data security
files or sending data to a hacker.
Trojan horses
Malicious programs often disguised as legitimate software. They replace all or
part of the legitimate software with the intent of carrying out some harm to
the user’s computer system.
Bots (internet robots)
Not always harmful and can be used, for example, to search automatically for
an item on the internet. However, they can cause harm by taking control over a
computer system and launching attacks.
Spyware
Software that gathers information by monitoring, for example, key presses on
the user’s keyboard. The information is then sent back to the person who sent
the software – sometimes referred to as key logging software.

Phishing
Phishing is when someone sends legitimate-looking emails to users. They
may contain links or attachments which, when clicked, take the user to a fake
website, or they may trick the user into responding with personal data such as
bank account details or credit card numbers. The email often appears to come
from a trusted source such as a bank or service provider. The key is that the
recipient has to carry out a task (click a link, for example) before the phishing
scam causes harm.
There are numerous ways to help prevent phishing attacks:
» Users need to be aware of new phishing scams. Those people in industry or
commerce should undergo frequent security awareness training to become
aware of how to identify phishing (and pharming) scams.
» Do not click on links unless certain that it is safe to do so; fake emails
can often be identified by greetings such as ‘Dear Customer’ or ‘Dear
[email protected]’, and so on.
» It is important to run anti-phishing toolbars on web browsers (this includes
tablets and mobile phones) since these will alert the user to malicious
websites contained in an email.
» Look out for https and/or the green padlock symbol in the address bar (both
suggest that traffic to and from the website is encrypted).
» Regularly check online accounts and frequently change passwords.
» Ensure an up-to-date browser, with all of the latest security upgrades,
is running, and run a good firewall in the background at all times. A
combination of a desktop firewall (usually software) and a network firewall
(usually hardware) considerably reduces risk.
165

457591_06_CI_AS & A_Level_CS_159-177.indd 165 25/04/19 9:35 AM

 » Be wary of pop-ups – use the web browser to block them; if pop-ups get

6
through your defences, do not click on ‘cancel’ since this often leads to
phishing or pharming sites – the best option is to select the small X in the
top right hand corner of the pop-up window, which closes it down.

Pharming
Pharming is malicious code installed on a user’s computer or on a web
server. The code re-directs the user to a fake website without their
knowledge (the user does not have to take any action, unlike phishing). The
6 Security, privacy and data integrity

creator of the malicious code can gain personal data such as bank details
from users. Often, the website appears to belong to a trusted company and
can lead to fraud or identity theft.
Why does pharming pose a threat to data security?
Pharming redirects users to a fake or malicious website set up by, for example,
a hacker. Redirection from a legitimate website can be done using DNS cache
poisoning.
Every time a user types in a URL, their web browser contacts the DNS
server. The IP address of the website is then sent back to their web
browser. However, DNS cache poisoning changes the real IP address values
to those of the fake website consequently, the user’s computer connects to
the fake website.
Pharmers can also send malicious programming code to a user’s computer. The
code is stored on the HDD without their knowledge. Whenever the user types in
the website address of the targeted website, the malicious programming code
alters the IP address sent back to their browser which redirects it to the fake
website.
Protection against pharming
It is possible to mitigate the risk of pharming by
» using antivirus software, which can detect unauthorised alterations to a
website address and warn the user
» using modern web browsers that alert users to pharming and phishing
attacks
» checking the spelling of websites
» checking for https and/or the green padlock symbol in the address bar.

It is more difficult to mitigate risk if the DNS server itself has been infected
(rather than the user’s computer).

EXTENSION ACTIVITY 6C
Pharmers alter IP addresses in order to send users to fake websites.
However, the internet does not only have one DNS server. Find out how a
user’s internet service provider (ISP) uses its own DNS servers which cache
information from other internet DNS servers.

166

457591_06_CI_AS & A_Level_CS_159-177.indd 166 25/04/19 9:35 AM