Computer system security

PDCA CYCLE

• The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
• The Do phase involves implementing and operating the controls.
• The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
• In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

Security experts say and statistics confirm that:

• information technology security administrators should expect to devote approximately one-third of their time to addressing technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness;
• security depends on people more than on technology;
• employees are a far greater threat to information security than outsiders;
• security is like a chain. It is as strong as its weakest link;
• the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;
• security is not a status or a snapshot but a running process.

Critical success factors for ISMS

To be effective, the ISMS must:[4]

• have the continuous, unshakeable and visible support and commitment of the organization's top management;
• be managed centrally, based on a common strategy and policy across the entire organization;
• be an integral part of the overall management of the organization, related to and reflecting the organization's approach to Risk Management, the control objectives and controls and the degree of assurance required;
• have security objectives and activities based on business objectives and requirements and led by business management;
• undertake only necessary tasks, avoiding over-control and waste of valuable resources;
• fully comply with the organization's philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, enables them to do it under control and to demonstrate that they have fulfilled their accountabilities;
• be based on continuous training and awareness of staff and avoid the use of disciplinary measures and "police" or "military" practices;
• be a never-ending process.
SECURITY
• Security is all the policies, procedures and technical tools used to safeguard information systems from unauthorized access, alteration, theft and physical damage.

DEFINITIONS

THREAT - Any person, act, or object that poses a danger to computer security.

COUNTERMEASURE - Any kind of policy, procedure, or action that recognizes, minimizes, or eliminates a threat or risk.

RISK - Any kind of analysis that ties in specific threats to specific assets with an eye toward determining the costs and/or benefits of protecting that asset (risk assessment). Risk is always a calculated assumption made based on past occurrences. Threat, on the other hand, is constant.

VULNERABILITY - Any kind of asset that is not working optimally and is mission-critical or essential to the organization, such as data that are not backed up. For example, for fire, the vulnerability would be the presence of flammable materials (e.g. paper).

WEAKNESS - Anything imperfect.

CONTROL - Any kind of countermeasure that becomes fairly automated and meets the expectations of upper management.

Controls are the countermeasures for vulnerabilities. There are four types:

• Deterrent controls reduce the likelihood of a deliberate attack.
• Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
• Corrective controls reduce the effect of an attack.
• Detective controls discover attacks and trigger preventative or corrective controls.
THREATS IN COMPUTER SECURITY

• Hardware failure - extra hardware makes the system fault-tolerant
• Software failure - programs simply have bugs in them, period
• Program changes - any change or upgrade produces a new set of threats
• Users - from the good-hearted foolish ones to disgruntled super users
• Terminal access penetration - unauthorized login at network workstations
• Theft of data, services, equipment - stealing, plain and simple
• Fire - nothing toasts computer circuitry or media more easily
• Human errors in system design and implementation
• Human errors in data capture and system inputs
• Hacking and other privacy violations
• Viruses and other system sabotage
• Criminal activities such as theft and fraud
• Vandalism and physical damage
• Electrical supply failures
• Accidental magnetic erasure
• Fire destruction
• Water flooding and pollutant destruction
• Earthquakes, lightning strikes and other natural calamities
• Electrical problems - not lightning, but the power company you depend on
• Telecommunications problems - the carrier company you depend on

PRINCIPLES OF SECURITY

The National Computing Centre specifies four principles of security:

• Extent
• Aim
• Steps
• Cover

EXTENT
Safeguarding information systems can be costly and complicated. A system that has too many controls can be so unwieldy and difficult to use that people may be discouraged from using it at all. Data security must be provided for both data storage and data usage in on-line and batch systems.
Extensive security is never possible for several reasons:
• Cost is unacceptably high
• Processing becomes impractically slow
• It is counterproductive

AIM
The aim should be to achieve a reasonable balance between the risks and the costs. Prevention of damage, loss or destruction alone is not sufficient; it is important both to decrease the probability of an occurrence and to minimise its effects to an acceptable level.

STEPS
It is necessary to decide the areas which need protection by examining the probability and consequences of particular occurrences like fire, flood, machine failure etc. The steps to be taken are:
• Arrange appropriate levels of security and make sure all the activities meet the requirement
• Set up effective recovery procedures

COVER
Security must cover:
• Hardware
• Data
• Software
• People

RISKS TO INFORMATION SYSTEMS

* Destruction of physical assets or information
* Disclosure of confidential information
* Removal of physical assets or information (theft)
* Fraud or abuse of data or programs
* Delayed processing or interruption of service

SECURITY RISK ANALYSIS

Security risk analysis, otherwise known as risk assessment, is fundamental to the security of any organization. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed.

It is divided into:
- quantitative risk analysis
- qualitative risk analysis

SECURITY MEASURES

Two data security measures can be adopted:

• Access restriction

• Backup procedures

1. ACCESS RESTRICTION

Access restriction can be achieved through carefully designed and administered password procedures. Employees can be assigned passwords that restrict them to viewing only the portion of the data that concerns them (a need-to-know basis), and that may or may not allow them to alter the data.

Passwords are used to gain access to:

* terminals;
* computers or parts of computers;
* areas in memory;
* programs or parts of programs;
* files or records;
* information categories;
* specific commands.

Various forms of password protection are available, including:
* the simple single password;
* systems that ask for different specific characters from the password each time the system is accessed;
* systems that ask for one from a list of passwords;
* systems that ask a random series of questions based on the particular user (e.g. date of birth, mother's maiden name and so on).

Certain rules should apply to passwords:

• Passwords can give different access levels
• Passwords should not be too short
• Password display should be suppressed
• Files containing passwords should be encrypted
• Users should change their passwords regularly
• Passwords should not be easily guessed words
• Passwords are more secure if they consist of a mixture of upper and lower case letters and numbers
• After a set number of attempts any access to the system should be denied.

The purpose of access restriction using passwords is to check the validity of the user via a key that he or she should know, but most people are careless about passwords.

Good password procedures require that you:

• Do not use your login name in any form (as is, reversed, capitalized, doubled, etc.).
• Do not use your first, middle, or last name in any form, or your spouse's or children's names.
• Do not use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the make of your automobile, the name of the street you live on, etc.
• Do not use a password of all digits or all the same letter.
• Do not use a word contained in English or foreign language dictionaries, spelling lists, or other lists of words.
• Do not use a password shorter than six characters.
• Do use a password with mixed-case alphabetics.
• Do use a password with non-alphabetic characters (digits or punctuation).
• Do use a password that is easy to remember, so you don't have to write it down.
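The password rules above, the requirement that password files never hold the password in the clear, and the lockout "after a set number of attempts" can all be turned into checks. The following is an added example, not code from the original notes: the word list, the attempt limit of three, and the sample login name and personal details are constructed stand-ins, and the stored record uses a salted PBKDF2 digest (the usual way to keep a password file safe) rather than reversible encryption.

```python
"""Password policy checker with account lockout.

Added example, not part of the original notes. It encodes the rules listed
above: at least six characters, mixed case, at least one digit or punctuation
character, not all digits or one repeated character, no form of the login name
(as is, reversed, doubled), no easily obtained personal detail, no dictionary
word, and denial of access after a set number of failed attempts. The word
list, the attempt limit and the user details are constructed stand-ins.
"""
import hashlib
import hmac
import os
import string

# Constructed stand-in for a dictionary / spelling list (assumption).
DICTIONARY = {"password", "welcome", "secret", "letmein", "monday", "summer"}
MIN_LENGTH = 6     # "do not use a password shorter than six characters"
MAX_ATTEMPTS = 3   # "after a set number of attempts ... access denied" (assumed value)


def _login_forms(login):
    """Forms of the login name the rules forbid (compared case-insensitively)."""
    name = login.lower()
    return {name, name[::-1], name * 2}


def check_password(password, login, personal=()):
    """Return the list of rules the password breaks; an empty list means it passes.

    `personal` holds easily obtained details (names, phone or plate numbers,
    street name ...) that must not appear anywhere in the password."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.isdigit():
        problems.append("all digits")
    if len(set(password)) == 1:
        problems.append("one repeated character")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not mixed case")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no digit or punctuation")
    if lowered in _login_forms(login):
        problems.append("is a form of the login name")
    for item in personal:
        if item and item.lower() in lowered:
            problems.append("contains personal detail %r" % item)
    if lowered in DICTIONARY:
        problems.append("dictionary word")
    return problems


def make_record(password):
    """Stored form of a password: per-user random salt plus a PBKDF2 digest,
    so the password file never holds the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_record(record, password):
    """Constant-time comparison of a candidate password against a stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


class LoginGate:
    """Deny all access to an account after MAX_ATTEMPTS consecutive failures."""

    def __init__(self, records):
        self._records = records        # login -> (salt, digest)
        self._failures = {}
        self.locked = set()

    def attempt(self, login, password):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if login in self.locked:
            return "locked"
        record = self._records.get(login)
        if record is not None and verify_record(record, password):
            self._failures[login] = 0
            return "ok"
        self._failures[login] = self._failures.get(login, 0) + 1
        if self._failures[login] >= MAX_ATTEMPTS:
            self.locked.add(login)
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed user: login "jsmith", surname and car plate as personal details.
    for candidate in ("password", "htimsj", "Tr0ub4dor!"):
        print(candidate, check_password(candidate, "jsmith", personal=("Smith", "KAA 123B")))
    gate = LoginGate({"jsmith": make_record("Tr0ub4dor!")})
    print([gate.attempt("jsmith", "wrong") for _ in range(3)], gate.attempt("jsmith", "Tr0ub4dor!"))
```

Once an account is locked the correct password is refused too, which is the behaviour the rule asks for; unlocking is left to an administrator so that an attacker cannot simply wait and retry.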

When data is being transmitted there is a possibility of EAVESDROPPING.

Eavesdropping involves tapping into an electronic signal at any point in the telecommunication link. One way to counter eavesdroppers is through encryption, which is the coding or scrambling of data, messages or programs. Only the sender and the receiver are supposed to know the particular coding technique used, thus locking out any attempt by a third party to decipher the code.

PHYSICAL SECURITY
Access restrictions related to physical security are:

• Detach the keyboard and lock it in a cupboard or safe;

• Store all removable secondary storage devices like diskettes, tapes etc. in lockable boxes which should be put in a fireproof safe or taken off the premises at night;

• Restrict distribution of information if it contains sensitive information;

• Offices need to be locked at night at all times and also burglar-proofed;

• Insure all your machines and keep a copy of the serial numbers, as you may need them in the event of fire or theft;

• If possible, station guards outside the premises who restrict access to computer installations;

• Equipment can also be bolted into place and connected to a central alarm system, and the place where the equipment is located can be monitored by closed-circuit TV;

• Fire detection equipment can be installed;

• Sites can be selected that minimize the risk of damage from natural disasters such as floods and earthquakes;

• Security badges can also be used on personnel entering computer installations;

• To protect against electrical fluctuations, the computer and its peripherals must be properly grounded and equipped with devices that protect the hardware from sudden surges in power, e.g. use of an Uninterruptible Power Supply (UPS);

• Vet all those personnel that are to work in computer installations;

• A supervisor with knowledge about computer systems should be recruited.

BACKUP PROCEDURE (DATA & SOFTWARE SECURITY)

The purpose of backup is to cope with the situation when one or more aspects of system security have failed. Thus backup may be as simple as allowing a file that has been accidentally overwritten to be recovered, or it may be designed to cope with the complete destruction of a computer installation.

The method of backup depends to a large extent on the nature of the data that is being backed up. If the data never or rarely changes, as is the case with applications software, then it would be sufficient to keep copies on tape or disc in a safe place - for example in a fireproof safe, possibly in a separate building. Any occasional updates or changes could be copied and similarly stored.

Backing up your data files and programs is vital to an organisation's survival, and the following backup procedures can be adopted:

• Programs should be copied and stored in a safe location remote from computer installations, and if amendments are made new copies must be made;

• Master data files can be copied weekly;

• Transaction data files can be copied daily;

• Master and transaction files should be copied using the grandfather-father-son principle, which rotates three sets of diskettes;

• Copies of all documentation should be made.
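The grandfather-father-son rotation in the list above can be written down as a small scheduler, which makes it clear which set is overwritten on each run and which copy a recovery would start from. This is an added example, not code from the original notes; the media names and backup dates are constructed, and the rotation is the simple three-set daily cycle the notes describe.

```python
"""Grandfather-father-son media rotation.

Added example, not part of the original notes. Three sets of backup media are
rotated: the newest copy is the "son", the previous one the "father" and the
one before that the "grandfather". Each new backup overwrites the oldest set,
so three generations are always on hand and a damaged or corrupted newest copy
can be replaced by an older one. Media names and backup dates are constructed.
"""
from collections import deque


class GfsRotation:
    """Keep the three most recent backup generations on a fixed pool of media."""

    GENERATIONS = ("son", "father", "grandfather")

    def __init__(self, media):
        if len(media) != 3:
            raise ValueError("grandfather-father-son rotation needs exactly three media sets")
        self._free = deque(media)   # media not yet holding a generation
        self._history = deque()     # newest first: (medium, backup_date)

    def run_backup(self, when):
        """Record today's copy and return the medium it was written to.
        `when` is an ISO date string so that plain comparison orders it."""
        if self._free:
            medium = self._free.popleft()
        else:
            medium, _ = self._history.pop()   # the grandfather's medium is reused
        self._history.appendleft((medium, when))
        return medium

    def generations(self):
        """Map generation name -> (medium, backup_date), newest first."""
        return dict(zip(self.GENERATIONS, self._history))

    def restore_point(self, lost_on):
        """Newest copy taken strictly before the data was lost, or None."""
        for medium, when in self._history:
            if when < lost_on:
                return medium, when
        return None


if __name__ == "__main__":
    rotation = GfsRotation(["set A", "set B", "set C"])
    for day in ("2024-01-01", "2024-01-02", "2024-01-03", "2024-01-04", "2024-01-05"):
        print(day, "->", rotation.run_backup(day))
    print(rotation.generations())
    print(rotation.restore_point("2024-01-04"))
```

`restore_point` is the check worth keeping: if corruption is only noticed a day late, the son may already contain the bad data and the father or grandfather is the copy to go back to.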

METHODS OF BACKUP

a) DISK MIRRORING
If access to the data is critical then the file may be mirrored. This is when an exact copy of the file is maintained on a different disk. Both files are changed together. If the disk fails, corrupting the file or making it unavailable, then processing can continue using the image. This protects against loss of the file due to disk failure. It does not, however, allow recovery from situations where invalid data has been processed or records accidentally deleted. Mirroring would normally be used in conjunction with a regular backup procedure.

b) MERGING MASTER AND TRANSACTION FILES

Random access files can be backed up by regularly copying the entire file to a tape or to another disk. Special tape devices called tape streamers are available for this. The frequency of copying would depend on how active the file was. This in itself does not allow the file to be recovered, since the copy is a snapshot of the file and the data will have changed since the copy was made. In addition to the copy a transaction log must be maintained. This is simply a file containing details of every transaction made since the copy was done. If the file is lost or corrupted then it can be restored by merging the transaction log with the copy to reproduce the original.
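The snapshot-plus-log recovery described above, worked through in code. This is an added example, not code from the original notes: the master file is modelled as a dictionary of account records, the transaction log as JSON lines, and the records and transactions are constructed. It also shows the point the paragraph makes, that the copy alone is stale and only the copy merged with the log reproduces the master.

```python
"""Recovering a master file by merging a backup copy with a transaction log.

Added example, not part of the original notes. The master file is modelled as
a dict of records keyed by account number; the periodic copy is a point-in-time
snapshot of it, and the transaction log is the ordered list of every change
made since that copy, stored as JSON lines. The records and transactions are
constructed.
"""
import copy
import json


def take_copy(master):
    """The periodic full copy (e.g. to a tape streamer): a point-in-time snapshot."""
    return copy.deepcopy(master)


def apply_transaction(master, txn):
    """Apply one transaction to a master file in place.
    A transaction is a dict: {"op": insert|update|delete, "key": ..., "value": ...}."""
    op, key, value = txn["op"], txn["key"], txn.get("value")
    if op == "insert":
        master[key] = dict(value)
    elif op == "update":
        master[key].update(value)
    elif op == "delete":
        del master[key]
    else:
        raise ValueError("unknown operation: %r" % op)


def record_transaction(master, log, txn):
    """Apply a transaction to the live master AND append it to the log, so the
    log always holds every change made since the last copy."""
    apply_transaction(master, txn)
    log.append(txn)


def log_to_lines(log):
    """Serialise the log as it would be written to the log file (one JSON object per line)."""
    return "\n".join(json.dumps(txn, sort_keys=True) for txn in log)


def lines_to_log(text):
    """Read the log file back into a list of transactions."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def restore(snapshot, log):
    """Merge the transaction log into the copy to reproduce the lost master file.
    Replaying in the original order is what makes the result match."""
    rebuilt = copy.deepcopy(snapshot)
    for txn in log:
        apply_transaction(rebuilt, txn)
    return rebuilt


if __name__ == "__main__":
    # Constructed sample master file.
    master = {"1001": {"name": "Ann", "balance": 50}, "1002": {"name": "Bob", "balance": 20}}
    snapshot = take_copy(master)
    log = []
    record_transaction(master, log, {"op": "update", "key": "1001", "value": {"balance": 75}})
    record_transaction(master, log, {"op": "insert", "key": "1003", "value": {"name": "Cy", "balance": 5}})
    record_transaction(master, log, {"op": "delete", "key": "1002"})
    # Simulate loss of the master file and rebuild it from the copy plus the log file.
    rebuilt = restore(snapshot, lines_to_log(log_to_lines(log)))
    print("rebuilt matches master:", rebuilt == master)
    print("copy alone matches master:", snapshot == master)
```

Two practical consequences follow from the code: the log must be written before (or together with) each change to the live file, or a crash between the two leaves an unrecoverable gap, and the log should be stored separately from the master, since losing both to the same disk failure defeats the scheme.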

c) RAID (Redundant Array of Inexpensive Drives)

This is a system whereby every transaction is saved onto more than one HDD, so that records are backed up as soon as they are created. One of the disks can be in a remote location.

Lastly, standby processing arrangements should be made with another organisation having similar hardware, so that in the event of your computer being unusable you can continue processing. This is especially important if you are running a payroll system, since your staff need to be paid.

d) OTHER SECURITY MEASURES
If a thief manages to evade the physical security measures and password measures, another level of protection can be applied. For example, within the software a user can be allowed read-only or read/write privileges, or a file can be password protected. Another method that can be used is encryption using sophisticated coding methods.

PHYSICAL ACCESS CONTROL

To protect against a person outside the organisation committing these crimes the above measures would be more appropriate as part of the overall security strategy, but many computer crimes are perpetrated by insiders who are employees of the organisation.

Potential threats can be minimised by using various procedures such as:

• Vetting potential employees
• Immediate removal of sacked employees from the computer system
• Separation of duties
• Physical security, e.g. locks, ID badges
• Passwords
• Education and training of staff (e.g. lock doors, log off computers, challenge strangers)
• Software to monitor all terminal activity

The other methods are to set up adequate procedures, either by physical access control or by auditing, to minimise fraud.

Physical access control procedures should be worked out for handling the following categories:

* Organisation employees
* Contract or temporary employees
* Visitors

The following physical access control methods can be used:

* 'Something carried' approach - use of magnetically coded badges, or of tokens with unique personal codes based on radio signals, that can be used to open doors for authorized persons.

* 'Something known' approach - this can be an employee I.D. number or personal details (e.g. date of birth etc.).

* 'Physical characteristics' approach - use of fingerprints, voiceprints, lip prints, hand geometry, signature verification etc.

* Movement detection - use of closed-circuit television cameras and infrared alarms to detect movement.

COMPUTER VIRUSES

The biggest threat to information systems is the destructive code written by knowledgeable computer brains. Such destructive code is known by various terms such as worms, logic bombs, Trojan horses, viruses etc.

ANATOMY OF A COMPUTER VIRUS

A computer virus is a tiny program that can attach itself to the operating system code that is normally passed to diskettes when they are formatted or copied. It consists of code that infects other programs; it is self-replicating and requires a host or an executable disk segment. Once in the system it can damage or destroy data media, the system itself and any attached peripherals.

Phases of a virus
A virus has four phases:
• Dormancy
• Propagation
• Triggering
• Damaging

PROTECTION AGAINST VIRUSES

Though viruses have limited effects on standalone machines, they can cause havoc on networks. In order to protect yourself against viruses:
• Maintain at least several generations of backup copies of your most important data files.

• Do not use new programs or updated versions unless they have been in the public domain for at least four weeks.

• Use anti-virus ("vaccine") programs to check whether your diskettes have been infected by viruses;

• Do not allow computer media from outside computer installations to enter the computer room.

NOTE : Most viruses are transmitted through computer games!!!

POSSIBLE VIRAL INFECTIONS

* A virus may destroy the file allocation table (FAT) rendering the disk
unreadable thus effectively destroying the information on the disk.

* A virus may alter disk assignments resulting in files being written to the
wrong disk.

* A virus may erase specific executable files or data files.

* A virus may alter data in files.

* A virus may specifically format specific tracks of a disk or even the entire
disk.

* A virus may suppress the execution of programs resident in RAM.

* A virus may reduce the amount of free space available on disk.

* A virus may cause the system to crash or to 'hang' so that it does not
respond to any keystrokes and requires a cold boot.
Information Security Components:
Information security has three components, or qualities, i.e., Confidentiality, Integrity and Availability (CIA). Information systems are decomposed into three main portions, hardware, software and communications, with the purpose of identifying and applying information security industry standards, as mechanisms of protection and prevention, at three levels or layers: physical, personal and organizational. Essentially, procedures or policies are implemented to tell people (administrators, users and operators) how to use products to ensure information security within the organizations.

Information security
means protecting information and information systems from unauthorized access,
use, disclosure, disruption, modification, perusal, inspection, recording or
destruction.[1]

Controls

There are three different types of controls.

a) Administrative

Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day-to-day operations are to be conducted. Laws and regulations created by government bodies are also a type of administrative control because they inform the business. Some industry sectors have policies, procedures, standards and guidelines that must be followed - the Payment Card Industry (PCI) Data Security Standard required by Visa and MasterCard is such an example. Other examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies.

Administrative controls form the basis for the selection and implementation of logical
and physical controls. Logical and physical controls are manifestations of
administrative controls. Administrative controls are of paramount importance.

b) Logical

Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls.

An important logical control that is frequently overlooked is the principle of least privilege. The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task. A blatant example of the failure to adhere to the principle of least privilege is logging into Windows as user Administrator to read email and surf the Web. Violations of this principle can also occur when an individual collects additional access privileges over time. This happens when employees' job duties change, or they are promoted to a new position, or they transfer to another department. The access privileges required by their new duties are frequently added onto their already existing access privileges, which may no longer be necessary or appropriate.

c) Physical

Physical controls monitor and control the environment of the work place and computing facilities. They also monitor and control access to and from such facilities. For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc. Separating the network and work place into functional areas is also a physical control.

An important physical control that is frequently overlooked is the separation of duties. Separation of duties ensures that an individual cannot complete a critical task by himself. For example: an employee who submits a request for reimbursement should not also be able to authorize payment or print the check. An applications programmer should not also be the server administrator or the database administrator - these roles and responsibilities must be separated from one another.
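Both the least-privilege discussion under b) Logical (privileges accumulating as people change jobs) and the separation-of-duties examples under c) Physical (submitting versus approving a reimbursement; programming versus administering the server or database) can be expressed as rules that a periodic access review checks automatically. The following is an added example, not code from the original notes; the roles, permission names, conflict pairs and staff list are constructed.

```python
"""Least privilege and separation of duties as checkable rules.

Added example, not part of the original notes. The roles, permissions,
conflict pairs and staff list are constructed. Two reviews are run over
each person:
 - least privilege: the permissions granted should be exactly those the
   person's current role needs; anything extra (typically carried over from
   a previous job) is flagged;
 - separation of duties: no single person may hold both halves of a
   conflicting pair, such as submitting and approving an expense claim,
   or programming an application and administering its server or database.
"""

# Constructed role -> permission mapping (assumption).
ROLE_PERMISSIONS = {
    "clerk": {"expense.submit"},
    "finance_manager": {"expense.approve", "expense.print_check"},
    "app_programmer": {"app.source.write", "app.deploy"},
    "dba": {"db.admin"},
    "server_admin": {"server.admin"},
}

# Pairs of permission sets that must never be held by the same person.
CONFLICTS = [
    ({"expense.submit"}, {"expense.approve", "expense.print_check"}),
    ({"app.source.write", "app.deploy"}, {"db.admin", "server.admin"}),
]


def excess_privileges(role, granted):
    """Permissions held beyond what the role needs (least-privilege violation)."""
    return set(granted) - ROLE_PERMISSIONS[role]


def missing_privileges(role, granted):
    """Permissions the role needs but the person lacks (a usability, not security, gap)."""
    return ROLE_PERMISSIONS[role] - set(granted)


def sod_violations(granted):
    """Conflicting pairs of which the person holds something on both sides."""
    held = set(granted)
    found = []
    for left, right in CONFLICTS:
        on_left, on_right = held & left, held & right
        if on_left and on_right:
            found.append((frozenset(on_left), frozenset(on_right)))
    return found


def change_role(person, new_role):
    """Role change done correctly: the old grants are replaced, not added to."""
    return {**person, "role": new_role, "granted": set(ROLE_PERMISSIONS[new_role])}


def review(staff):
    """Return findings per person for a periodic access review."""
    findings = {}
    for person in staff:
        notes = []
        extra = excess_privileges(person["role"], person["granted"])
        if extra:
            notes.append("excess privileges: " + ", ".join(sorted(extra)))
        for left, right in sod_violations(person["granted"]):
            notes.append("separation of duties: %s conflicts with %s"
                         % (", ".join(sorted(left)), ", ".join(sorted(right))))
        findings[person["name"]] = notes
    return findings


if __name__ == "__main__":
    # Constructed staff list: Dana was promoted from clerk and kept her old grant,
    # Fay is a programmer who was also given database administration.
    staff = [
        {"name": "dana", "role": "finance_manager",
         "granted": {"expense.submit", "expense.approve", "expense.print_check"}},
        {"name": "eli", "role": "clerk", "granted": {"expense.submit"}},
        {"name": "fay", "role": "app_programmer",
         "granted": {"app.source.write", "app.deploy", "db.admin"}},
    ]
    for name, notes in review(staff).items():
        print(name, notes or "ok")
    # Re-issuing Dana's grants from her current role clears both findings.
    print(review([change_role(staff[0], "finance_manager")]))
```

Dana's case shows why the two checks are worth running together: her extra `expense.submit` is a least-privilege finding on its own, and combined with her approval rights it is also a separation-of-duties breach. Issuing grants from the current role, as `change_role` does, rather than adding to whatever was already held, prevents both.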

Security controls can also be categorized according to their nature, for example:

• Physical controls, e.g. fences, doors, locks and fire extinguishers;
• Procedural controls, e.g. incident response processes, management oversight, security awareness and training;
• Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
• Legal and regulatory or compliance controls, e.g. privacy laws, policies and clauses.

Defense in depth

For businesses to create effective plans they need to focus upon the following key questions. Most of these are common knowledge, and anyone can do a BCP.

1. Should a disaster strike, what are the first few things that I should do? Should I call people to find out if they are OK, or call up the bank to figure out whether my money is safe? This is Emergency Response. Emergency Response services help take the first hit when the disaster strikes, and if the disaster is serious enough the Emergency Response teams need to quickly get a Crisis Management team in place.
2. What parts of my business should I recover first? The one that brings me the most money, the one where I spend the most, or the one that will ensure I shall be able to get sustained future growth? The identified sections are the critical business units. There is no magic bullet here; no one answer satisfies all. Businesses need to find answers that meet business requirements.
3. How soon should I target to recover my critical business units? In BCP technical jargon this is called the Recovery Time Objective, or RTO. This objective will define what costs the business will need to spend to recover from a disruption. For example, it is cheaper to recover a business in 1 day than in 1 hour.
4. What do I need to recover the business? IT, machinery, records... food, water, people... So many aspects to dwell upon. The cost factor becomes clearer now... Business leaders need to drive business continuity. Hold on. My IT manager spent $200000 last month and created a DRP (Disaster Recovery Plan); whatever happened to that? A DRP is about continuing an IT system, and is one of the sections of a comprehensive Business Continuity Plan. Look below for more on this.
5. And where do I recover my business from? Will the business center give me space to work, or would it be flooded by many people queuing up for the same reasons that I am?
6. But once I do recover from the disaster and work at reduced production capacity, since my main operational sites are unavailable, how long can this go on? How long can I do without my original sites, systems, people? This defines the amount of business resilience a business may have.
7. Now that I know how to recover my business, how do I make sure my plan works? Most BCP pundits would recommend testing the plan at least once a year, reviewing it for adequacy and rewriting or updating the plans either annually or when businesses change.

Good practices for protecting data

• Regularly back up important files, documents and emails.
• Do not use the administrator account for day-to-day activities.
• Keep software up to date with the latest versions.
• Keep antivirus and antispyware up to date with the latest versions.
• Use different passwords.
• Disable the auto-run feature for USB flash drives. Some viruses, especially worms, spread automatically through USB flash drives. [6]
• Always connect to the Internet behind a firewall.
