DATA SECURITY AND CONTROL

Data Security and Controls

Data security is the protection of programs and data in computers and communication systems,
against unauthorized modification, destruction, disclosure or transfer, whether accidental or
intentional.

It involves:
- Protection of data and information against access or modification
- Denial of data and information to unauthorized users
- Provision of data and information to authorized users.
Data control is the measure taken to enforce the security of programs and data.

Data and information privacy

Private data or information is that which belongs to an individual and must not be accessed or
disclosed to any other person unless with direct permission from the owner.
Confidential data – data or information held by a government or organization about people , must be
protected against unauthorized access or disclosure.

Data security core principles

Also referred to as information security. They are; Confidentiality, Integrity and Availability.

Confidentiality
Sensitive data or information like employees details, business financial ,etc belonging to the
organization or government should not be accessed by or disclosed to unauthorized people.

Integrity
Means that data should not be modified with without owners authority.

Availability
Information must be available on demand.

Security threats and control measures

Viruses
The term virus stands for: Vital Information Resource Under Siege
A virus is a program that will change the operation of the computer without the user’s information.
Viruses attach themselves to computer files called executable files such that any time such
programs are run a copy of the virus is sent out. So it duplicates itself continuously.
Therefore a computer virus can be defined as:
- A self -replicating segment of computer code designed to spread to other computers by sharing
“infected” software.
- A destructive program that attaches itself to other files and installs itself without permission on the
computer when the files are opened for use.
- A program that can pass a malicious code to other non-malicious programs by modifying them.
- A program or code that replicates itself and infects other programs, boot and partition sectors or
documents inserting itself or attaching itself to the medium.

Types of computer viruses

 Boot sector – they destroy the booting information on storage media.
 File viruses – attach themselves to files
 Hoax viruses – come as e-mail with an attractive subject and launches itself when e-mail is opened.
 Trojans Horse – they perform undesirable activities in the background without user knowledge.
 Backdoors – may be a Trojan or worm that allows hidden access to a computer system.
 Worms – it attaches it self on non-executable files and it self-replicates clogging the system memory
and storage media. When a document is emailed the worm travels with it and through that easily
spreads to other computers on a network.

1
 A logic bomb – infects a computer’s memory, but unlike a virus it does not replicate itself. A logic bonb
delivers its instructions when it is triggered by a specific condition, such when a particular date or time
is reached or when a combination of letters is typed on a keyboard. A logic bomb has the ability to
erase a hard drive or delete certain files.

Note: The main difference between a virus and a worm is that a viruses attaches themselves to computer
executable files while a worm attaches it self on non-executable files in the computer.

Symptoms of a computer affected by viruses

- Unfamiliar graphics or quizzical messages appearing on screen.
- Program taking longer to load
- Slow – down of the general operation
- Unusual and frequent error messages occurring more frequently
- Access light turning on for non-referenced devices
- Programs / files mysteriously disappearing
- Executable files changing size for no obvious reason.
- Change in file size
- Loss or change in the file size
- Loss or change of data
- Disk access seeming excessive for simple tasks
- System crash
- Files and programs disappearing mysteriously
- Disk access seems excessive for simple tasks

Sources of virus into the computer system

- Copies of pirated software
- Fake computer games
- Freeware / Shareware and bulletin board programs that have not been checked for viruses.
- Using infected disks from vendors, consulting firms, computer repair shops and main-order houses.
- Downloading and opening infected files from the Internet.
- Hackers intent on malicious destruction of networked systems to which they have gained
unauthorized.
- Infected proprietary (private) software
- Updates of software distributed via networks.
- E-mail attachments
- Contacts with contaminated systems e.g. diskettes, flash disks, CDs, etc.

Control measures against viruses

- Install the most latest version of antivirus software on the computer
- Avoid foreign diskettes in the computer system
- Avoid opening mail attachments before scanning for viruses
- Regular backing-up of all software and data files. Files back-up can be used to restore lost files in the
event of a system failure.
- When opening e-mails, user should not open attachments from unknown senders.
- All unlicensed software should be carefully examined before use.
- Always check for virus on portable disks when used to move files between computers.

Information system failure

Some of the causes include;
 Hardware failure due to improper use
 Unstable power supply as a result of brownout or blackout and vandalism
 Network breakdown
 Natural disaster
 Program failure

2
Control measures
 Use surge protectors and UPS to protect computer systems against brownout or black out which
causes physical damage or data loss.
 Install a Fault Tolerant system which has the ability to preserve the integrity electronic data during
hardware or software malfunction.
 Disaster recovery plans by establishing offsite storage of an organizations databases so that incase
of disaster or fire accidents, the backed up copies are used to reconstruct lost data.

Unauthorized access
Physical access to computer system should be restricted to ensure that no unauthorized person gets
access to the system

Form of unauthorized access:

(i). Eaves dropping / wire tapping
This is tapping into communication channels to get information packet sniffers can eavesdrop on all
transmissions and activities on the system
(ii). Surveillance (monitoring)
This involves where a person may keep a profile of all computer activities done by another person or
people. The gathered information is used for other illegal works. Special programs called cookies are
used by many websites to keep track of your activities.
(iii). Industrial espionage
Spying on your competitor to get information that you can use to counter or finish the competitor.
(iv). An employee who is not supposed to see sensitive data by mistake or design gets it.
(v).Strangers straying into the computer room when nobody is using the computers.
(vi). Network access in case the computers are networked and connected to the external world.

Control measures against unauthorized access:

1. Encrypt the data and information during transmission
Encryption is a process of encoding a message so that its meaning is not obvious; decryption is
the reverse process of transforming an encrypted message back into its normal form. Data can
only be read by person holding the encryption ‘key’. Alternatively the terms encode and decode or
encipher and decipher are used instead of the verbs encrypt and decrypt.
2. Reinforce the weak access points like doors and windows with metallic grills.
3. Installing alarm systems and other security devices.
4. Keeping computer rooms locked after hours and when not in use.
5. Restricting access to areas with computers so that only authorized personnel are allowed to use
passwords.
6. Use file passwords
7. Use of magnetic token or ‘SAMRT’ card or fingerprint or retinal scan for identification.

Computer errors and accidental access

Errors and accidental access to data and information may be as a result of people experimenting with
features they are not familiar with. Also people may mistaken printing sensitive reports and
unsuspectingly giving them to unauthorized persons.

Control measures
1. Set up a comprehensive error recovery strategy in the organization.
2. Deny access permissions to certain groups of users for certain files and computers.

COMPUTER CRIMES
Physical theft
This involves the theft of computer hardware and software. It involves breaking into an office or firm and
stealing computers, hard disks, data and other valuable computer accessories by being taken away by
either an insider or an intruder. Most cases of theft are done within an organization by untrustworthy
employees of the firm {Inside job} or by an intruders (outsiders) for commercial, destruction to sensitive
information or sabotage resources.

Control measures
- Employ guards to keep watch over data and information centres and backup.

3
- Burglar proof the computer room.
- Reinforce weak access points
- Create backups in locations away from main computing centre.
- Motivate workers to feel sense of belonging in order to make them proud and trusted custodians of the
company resources.
- Insure the hardware resources with a reputable firm.

Trespass
This is the act of gaining access or entering into a computer system without legal permission.

Cracking
Refers to the use of guess work over and over again, by a person until he/she finally discovers a weak in
the security policies or codes of software. Alternatively refers to someone using his / her knowledge of
information systems to illegally or unethically penetrate computers systems for personal gain.

Hacking
Refers to when an individual intentionally breaks codes and passwords top gain unauthorized access into
a computer system, but without intent of causing damage.
Tapping
Tapping is when someone gains access to information that is being transmitted via communication links.
Any information that is transmitted across a network is at risk of being intercepted, if appropriate security
measures are not put in place.

Piracy
Is the act of making illegal copies of copyrighted software, information or data.
To eliminate piracy
- Make software cheap, enough to increase affordability
- Use licenses and certificate to identify originals
- Set installation password to deter illegal installation of software
- Enforce laws that protect the owners of data and information against piracy.

Fraud
Refers to leaking personal or organizational information using a computer with the intention of gaining
money or information.
Example of fraud is where one person created an intelligent program in the tax department that could
credit his account with cents from all the tax payers. He ended up becoming very rich before he was
discovered.

Alteration
Refers to illegal changing of data and information with the aim of gaining or misinforming the authorized
users. When a system is compromised the data lacks reliability, relevance and integrity. Example of data
alteration are when students break into system to alter exam results, or someone breaks into a banking
system to change account details or divert money.

Spam
A spam is unsolicited electronic junk mail, often commercial, message transmitted through the Internet
as a mass mailing to a large number of recipients. Is send by a person gaining access to a list of e-mail
addresses and redirecting the e-mail through the Mail Server of an unsuspecting host, making the actual
sender of the spam difficult to trace. Spam is annoying, but usually harmless, except in cases where it
contains links to web sites. Clicking on these links may sometimes leave your system open to hackers or
crackers.

Junk – is meaningless or worthless information received through e-mail

Description and protection against computer crimes

Audit trail
Computer Audit Trails are used to keep a record of who has accessed a computer system and what
operations he or she has performed during the given period of time. Audit Trails are useful both for

4
 maintaining security and for recovering lost transactions. Audit Trails help to detect trespassing and
alterations. Incase the system is broken into by a hacker; an Audit Trail enables their activities to be
tracked. Any unauthorized alterations can be rolled back to take the system back the state it was in
before the alterations were done

Data encryption
Data encryption is a means of scrambling (or ciphering) data so that it can only be read by the person
holding the encryption ‘Key or ‘algorithm’. The key is a list codes for translating encrypted data – a
password of some sort. Without the key, the cipher cannot be broken and the data remains secure.
Using the Key, the cipher is decrypted and the data remains secure. Using the Key, the cipher is
decrypted and the data is returned to its original value or state. Each time one encrypts data a key is
randomly generated. The same key is used by the data recipient to decrypt the data.
Data encryption is a useful tool against network snooping (or tapping).

Log files
They are special system files that keep a record (log) of events on the use of the computers and
resources of the information system. The information system administrator can therefore easily track
who accessed the system, when and what they did on the system.

Firewalls
A firewall is a program or hardware that filters information coming through the Internet and connection
into your personal computer or network. Firewalls can prevent unauthorized remote logins, limit or
stop Spam, and filter the content that is downloaded from the Internet. Some Firewalls offer virus
protection, but it is worth the investment to install Anti-Virus software on each computer.

Security monitors
These are programs that monitor and keep a log file or record of computer systems and protect them
from unauthorized access.

Biometric security – is unauthorized control measure that takes the user’s attributes such as voice,
fingerprints and facial recognition.

Authentication policies such as signing users log on accounts, use of smart cards and Personal
Identification Number (PIN).

Difficulty in detection and prevention of computer crimes

1. the crime might be complex
2. it’s not easy to find clear trail of evidence leading to the guilty party e.g. No finger prints
3. there are no witness
4. Few people in management and law enforcement know little about computers to prevent the
crime.

Effects of ICT on health

Some health concerns on the use of ICT devices such as computers and cellular phones are:
 Eye strain and headache – this can be controlled by taking frequent breaks, using TFT LCD
displays or antiglare screen on CRT monitors.
 Back and neck pains – use adjustable and right sitting posture
 Repetitive Strain Injury (RSI) – also known as repetitive motion injury or cumulative trauma
disorders results from fast repetitive tasks such as typing. This results in damage of nerves and
tendons. make sure correct use of the keyboard, and take frequent breaks in between.
 Noise – some noise, such as that of an impact printer, may leave a person with “ringing ears”.
Use non-impact printers, head mounted earphones and microphones.

Effects of ICT on the environment

Disposal of dead computer parts, consumption and emissions have resulted in environmental pollution.
Environmental Protection agency (EPA) has created the energy star compliance policy, which coerces
electronic components manufacturers worldwide to comply to acceptable levels of environmental pollution
and radiation.

5
Computer manufacturers are also avoiding excessive use of harmful chemicals such as
chlorofluorocarbons and nickel cadmium and other heavy metals in their productions.