28 views, 103 pages

Topic 6 Data Security Slides

Uploaded by

otienodoreen742
Copyright
© All Rights Reserved

Data Security

Introduction
Content
• Data security concepts
• Threats and controls
• System vulnerability and abuse;
• System integrity;
• Security Controls;
• Disaster recovery and business continuity
planning;
• Data backup and restoration procedures
• Risk assessment;
• Risk mitigation strategies.
• Business value of data security
Intended Learning
Outcomes
• After reading this chapter, you will be
able to answer the following questions:
1. Why are information systems vulnerable to
destruction, error, and abuse?
2. What is the business value of security and
control?
3. What are the components of an organizational
framework for security and control?
4. What are the most important tools and
technologies for safeguarding information
resources?
Introduction
• Business assets (resources → Value)
• System Vulnerability (weak points → Threat Targets)
• System Security (Shields)
[Diagram: Business Assets, System Vulnerability and System Security, with the labels Database, Internet, Network, Wifi, Password, Antivirus, Firewall and Security team]
System Vulnerability
Data Threats

• In computer security a threat is a possible
danger that might exploit a vulnerability
to breach security and therefore cause harm.
• Data is unprocessed information for data
processing. Data may be a collection of
unprocessed numbers, text, or images.
• Information is the processed output of data
making it meaningful to the person who
receives it.

Data Threats

Types of Data Threat


• Cyber Crime: involves using the Internet or
a computer to carry out illegal activities,
often for financial or personal gain.
Examples include identity theft and social
engineering.
• Cybercriminals (hackers) are individuals
who use computer technology to gain
unauthorized access to information for
malicious purposes.

Forms of Computer/Cyber Crimes
Examples of Data Threats
Shapes of Cyber Crime
Here are some of the different ways cybercrime can take shape:
• Theft of personal data/Identity theft
• Copyright infringement
• Fraud/Click fraud
• Child pornography
• Cyberstalking
• Physical theft of ICT equipment
• Bullying/Cyberbullying
or cyberharassment
• Hacking
• Cracking
• Spoofing
• Social engineering
• Unethical internal employees
• Outsiders

Hacking
• Hacking is identifying weaknesses in
computer systems or networks and exploiting
them to gain access.
• This is done by hackers who can be
referred to as a White hat or a Black
hat.
– White hat: Persons who do hacking for good
reasons.
– Black hat: Persons who do hacking with
malicious intentions.

Ethical Hacking
• Ethical hacking is also done by hackers, but it
is done legally for checking systems and
software security.
• They try to find out the mistakes made by a
software developer, mainly in the security section of
networking, websites and software.
• They are used to develop the security system.
Ethical hackers are popularly called White
hats. They are the persons who protect us from
black hats.

Cracking

• Cracking is editing the existing source code of
a software.
• Crackers usually remove or add irrelevant
information as per their wish.
• They edit the stuff done by programmers. It is
done for protection purposes.
• You may find that some software remains active for
only a few days, after which you cannot use that
software because it automatically
cracks. This technique is used in trial software.

Spoofing
• Spoofing
– Involves a cybercriminal
masquerading as a trusted
entity or device to steal
information
Sender Spoofing
Receiver Spoofing
Cont’
• Sniffing
A sniffer is a type of
eavesdropping program that
monitors information
traveling over a network.
Sniffers enable hackers to
steal proprietary information
from anywhere on a
network, including e-mail
messages, company files,
and
confidential reports.
Denial of Service
Attack
DOS
In a denial-of-service (DoS) attack, hackers
flood a network server or Web server with
many thousands of false communications or
requests for services to crash the network.

The network receives so many queries that it
cannot keep up with them and is thus
unavailable to service legitimate requests.

A distributed denial-of-service (DDoS) attack
uses numerous computers to inundate and
overwhelm the network from numerous
launch points.
SQL Injection

SQL injection attacks take advantage of vulnerabilities in
poorly coded Web application software to introduce malicious
program code into a company’s systems and networks. These
vulnerabilities occur when a Web application fails to properly
validate or filter data entered by a user on a Web page, which
might occur when ordering something online.
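
The validation failure described above, shown as an added example (not part of the original slides): the same order lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table, the function names and the sample input are assumptions made for illustration.

```python
import re
import sqlite3

# Allow-list for customer names (assumed format for this example).
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """Build an in-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT)"
    )
    db.executemany(
        "INSERT INTO orders (customer, item) VALUES (?, ?)",
        [("alice", "laptop"), ("bob", "phone"), ("carol", "router")],
    )
    return db


def orders_vulnerable(db, customer):
    # Weak form: the input is pasted into the SQL text, so a quote character
    # in the input changes the structure of the query itself.
    query = (
        "SELECT customer, item FROM orders WHERE customer = '" + customer + "'"
    )
    return db.execute(query).fetchall()


def orders_parameterized(db, customer):
    # Corrected form: the ? placeholder passes the input as a bound value.
    # The database never parses it as SQL, whatever characters it contains.
    return db.execute(
        "SELECT customer, item FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


def lookup_orders(db, customer):
    # Validation on top of the bound parameter: reject input that does not
    # look like a customer name before it reaches the database at all.
    if not NAME_RE.fullmatch(customer):
        raise ValueError("customer name contains characters outside the allow-list")
    return orders_parameterized(db, customer)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input with an embedded quote
    print("concatenated :", orders_vulnerable(db, crafted))     # every row
    print("parameterized:", orders_parameterized(db, crafted))  # no rows
    print("normal lookup:", lookup_orders(db, "alice"))
```
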
Internal Threats -
Employees
• Employees may intentionally steal or
damage company data such as client
details or product information.
• They could use this data to their
advantage such as selling this data to
other competing companies.
• They can also accidentally lose or
delete company data.

Outsiders

Service Providers
Service providers involved in storing the data of
companies on their servers can lose, destroy or
steal valuable data. Loss of data may be
intentional or accidental.
External individuals
External individuals can also gain access to a
computer or network and steal, damage and
delete the data. As indicated in the previous
section these individuals are often referred to as
hackers.

Social Engineering

• Social engineering is the process of
manipulating people to perform some
action that will allow unauthorized access
to a computer or network.
• This process is usually non-technical and
relies heavily on human interaction and
often involves tricking people into
exposing confidential data, spreading
malware infections, or giving access to
restricted systems.
Social Engineering

Typically social engineering is used:
• To gather information that may be
confidential or valuable.
• To gather information to commit an act of
fraud.
• To facilitate unauthorized access to a
computer system or network that may
reveal confidential data.

Social Engineering
Techniques/Methods

1. Phone calls
The attacker may impersonate a person of authority, a person representing a
person of authority or a service provider to extract information from an
unsuspecting user. For example, a person claiming to be the CEO of the
company calls someone on the helpdesk, requesting his password, which
he claims to have forgotten.
2. Phishing
A type of social engineering attack where the attacker sends an e-mail that
appears to come from a legitimate source (for example, a bank) and includes
links to fraudulent web pages which are made to look very similar to
legitimate web pages. The e-mail usually requests verification of
information, sometimes warning of dire consequences if the recipient fails to
comply.
3. Shoulder surfing
This involves watching someone use his/her computer from “over his/her
shoulder” to get sensitive information such as username and password or PIN
numbers in an ATM booth or POS.
Social Engineering
Techniques/Methods
4. Pharming
• Pharming involves stealing personal
information from users by secretly
redirecting them to bad sites
• Phishing attempts to capture personal information
by getting users to click and visit a fake website
whilst pharming redirects users to false websites
without them even knowing it.

Pharming

• Pharmers can also poison entire DNS
servers, which means any user that uses
the affected DNS server will be redirected
to the wrong website.
• Fortunately, most DNS servers have
security features to protect them against
such attacks.

Identity Theft

• Someone steals your personal information and uses it
without your permission.
• There are different forms of identity theft:
1. Theft of Personal Information
Someone may steal the username and password that you use to access a social
networking site e.g. Instagram, Facebook and use these details to take over your
profile account and may start communicating with your friends and posting
messages on your wall. These actions may harm your reputation.
2. Theft of Financial Information
Someone may steal the username and password that you use to access your online
shopping mall e.g. Amazon. S/he will use these details to take over your profile
account. If you have saved your credit card details in the profile, s/he may be able
to purchase goods and pay for these using your credit card.
3. Loss of Business Data
Someone may steal the username and password that you use to access the
network of the company you work for and use the credentials to gain access to
sensitive data such as client data or company accounts etc.
4. Fraud/Legal
Someone may steal your personal details and use these to defraud a company. This
may lead the company to take legal action against you.
Methods of Identity Theft

1. Information diving
Also known as Dumpster Diving, it is a method of obtaining personal or
private information by digging through a dumpster or trash bin for discarded
documents or material such as utility bills or credit card statements.
2. Skimming
Identity thieves use skimming as a method of capturing a victim’s personal
data by using a small electronic device. A skimmer is a device that is usually
attached to an ATM machine’s card slot. A victim may unwittingly slide his
card into the skimmer, which then reads and stores all the information from
the card’s magnetic strip.
3. Pretexting
This involves creating and using an invented scenario (the pretext) to
engage a targeted victim. The pretext increases the chance the victim will
reveal information or perform actions that would be unlikely in ordinary
circumstances – for example, someone pretending to be from a company
that provides you with a service might persuade you to share your bank
account details with them.
Malware

Definition: Malware is malicious software
designed to install itself on a computer
without the owner’s consent.
It is a computer program that secretly
enters and damages a computer system.
Types of Malware
1. Normal malware
2. Infectious malware
3. Data theft malware.

Common Malware

Trojan Horse
• A non-self-replicating malware that pretends to be
a harmless application.
• It secretly places illegal, destructive instructions in
the middle of a computer program. Once the
program is run, the Trojan becomes active. Trojans
can delete, block, modify or copy data.
• They can also disrupt the performance of a
computer or a network. Trojans typically enter a
computer system attached to a free game or other
utility. Unlike viruses, Trojans do not replicate
themselves.
Common Malware

Rootkit.
• This is another type of malware that is activated
each time a computer system boots (loads) up
and enables continued access to computers or
devices while hiding their presence.
• Rootkits are difficult to detect because they are
activated before the operating system (e.g. MS
Windows) has completely booted up.
• A rootkit often allows the installation of hidden
files, hidden processes and hidden user
accounts in the operating system of a computer.

Normal Malware

Backdoor.
• A backdoor is a method of bypassing normal
authentication in an attempt to remain undetected.
This is usually done in an attempt to secure remote
access to the computer.
• Backdoors are built into software by the original
programmer, who can gain access to the computer
by entering a code locally or remotely.
• Typically programmers install a backdoor so that they
can access a program for troubleshooting purposes.
• However, hackers often use back doors that they
detect or install themselves to enter a computer
system.
Infectious Malware

Virus
• Malware that can replicate when triggered by a
human action and cause damage to a computer.
• A virus cannot be spread without human action.
Viruses are usually spread by sharing infected files
as email attachments or downloaded from websites.
• Virus attaches itself to a program or file and
spreads from one computer to another, leaving
infections as it travels.
• Almost all viruses are attached to an executable
(.exe) file.

Infectious Malware

Worm
• Self-replicating malware that uses a computer
network to send copies of itself to other computers.
• Worms spread from computer to computer, but
unlike viruses, worms are able to infect computer
systems without intervention from computer users.
For example, a worm can send copies of itself to all
contacts in an email address book.
• The worm replicates again and sends itself out to
everyone listed in each receiver's address book.
Typically worms slow down computer systems and
networks.

Data theft
Malware
Adware:
• A software application that automatically displays
advertising banners while the program is running.
• Most common when you use freeware software.
• The advertisements disappear when users stop running
the freeware software.
• Some freeware applications may contain adware which
tracks the Internet surfing habits of users and passes this
on to third parties, without the user's authorization or
knowledge.
• The users will then receive other advertisements that are
targeted to their Internet browsing habits etc. When the
adware becomes intrusive like this it is considered as
Spyware.
Data theft Malware

Spyware
• A program that secretly installs itself on computers and
collects information about users without their knowledge.
• Spyware programs can collect various types of personal
information, such as Internet surfing habits and sites that
have been visited.
Botnet
• A group of computers connected together for malicious
purposes.
• Each computer in a botnet is called a bot.
• These bots form a network of compromised computers
used to transmit malware or spam, or to launch attacks.
• Botnet attacks slow down a computer network or a
website.
Data theft Malware

Keystroke logging
• A program that allows the user to monitor what another
user types into a device.
• It involves recording consecutive key strokes on a
keyboard.
• Sensitive information such as usernames and passwords
that are keyed in the computer may be stolen through
such programs.
Dialer
• A dialer is a program that causes the computer to dial
premium (high rate) telephone numbers without the
user’s knowledge or consent.
• This will result in high telephone bills.
• This is possible only if users are using a dial-up modem.
Value of Information

Protecting personal information
• We should protect sensitive personal information
like passwords, bank card details and personal
identification numbers (PIN).
• Precautions should be taken against identity theft
and fraud.
• Identity theft occurs when someone steals the
identity of another person and uses this to gain
access to resources and other benefits in that
person’s name.

Value of Information
Protecting Commercially Sensitive Information
• Companies protect commercially sensitive
information such as client details, data about their
products and financial information.
• Companies safeguard details about their clients
because of data protection obligations and also to
safeguard their commercial interests. GDPR

Protecting Valuable Information

Secure Data
Management Practices

1. Using Antivirus software
2. Physical Security of ICT Devices
3. Correct data disposal/destruction
4. Using Virtual Private Network (VPN) to access
intranet remotely
5. Using Firewalls and content control software
6. Encryption
7. Protecting WiFi networks using encryption
8. Browsing on Secure Websites
9. Use of One-Time Password (OTP) to authenticate
transactions
10. Use ICT security policies
Physical Security of ICT
Devices

• Log all ICT equipment - It is important to keep an
inventory of all IT equipment, their location and
details of persons using the equipment.
• Use cable locks on portable devices - To
minimize theft of computers and laptops, one can
use cable locks to lock these to a desk.
• Control physical access to critical ICT
equipment - The server room is the heart of any
computer network. It is important that access to
the server room is restricted to authorized people
only. The server room must be locked at all times.

Correct Data Disposal

Methods of Destroying Data Safely
Data can be permanently destroyed using these methods:
• Shredding – CDs, DVDs and papers containing sensitive data
should not be thrown away in garbage bins. Instead shredding
machines should be used to destroy these, making it impossible for
people to recover data.
• Drive/media destruction – Holes can be drilled in hard drives to
make the data unreadable.
• Degaussing - This is a process that uses a magnetic field on a hard
disk or a magnetic tape to scramble electronic data and make it
unreadable. The data on degaussed hard disks or tapes cannot be
recovered. Several companies offer degaussing services.
• Data Destruction Utility – This is a software program designed to
overwrite data in a hard disk in a way that will make it impossible to
recover data after the process. This software is also referred to as
hard drive eraser software or disk wipe software.
Use of Strong
Passwords
Characteristics of Passwords
– A strong password should be at least 6 characters long.
It should consist of a mix of upper- and lower-case
letters, one or more numbers and one or more special
characters (e.g. $, @, !).
– Your date of birth, phone number or any word that can
be found in a dictionary do not constitute a strong
password.
– Passwords should be changed regularly.
– Never share or disclose your password to any other
person including colleagues, family members etc.
– Do change your password if you suspect that somebody
knows it.

Protection Against Malware

You can protect your system, data and
also yourself from malware by using an antivirus
program.
• Antivirus: These programs are powerful
pieces of software that are essential to a
Windows computer's security strategy.
• The constant stream of vulnerabilities
for browsers, plug-ins, and the Windows
operating system itself make antivirus
Antivirus Protection
On-Access Scanning.
• Also known as background scanning, resident scanning,
and real-time protection.
• The antivirus software runs in the background on
your computer, checking every file you open.
• When you double-click an EXE file, your antivirus software
checks the program first, comparing it to known viruses,
worms, and other types of malware.
• Antivirus software also does “heuristic” checking, which
is checking programs for types of bad behavior that may
indicate a new, unknown virus.

Antivirus Protection

Full System Scan
• It isn’t usually necessary to run full-system scans
because of On-Access Scanning.
• Full-system scans can be useful however, when
you’ve just installed an antivirus program – it
ensures there are no viruses lying dormant on
your computer.
• Most antivirus programs set up scheduled full
system scans, often maybe once a week.
• This ensures that the latest virus definition files
are used to scan your system for dormant viruses.

Antivirus Protection

Virus Definitions (Updates)
• Antivirus software relies on virus definitions to detect
malware.
• That’s why it automatically downloads new, updated
definition files – once a day or even more often.
• The definition files contain signatures for viruses and
other malware that have been encountered in the world.
• When an antivirus program scans a file and notices that
the file matches a known piece of malware, the antivirus
program stops the file from running, putting it into
“quarantine.”
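
The definition-matching and quarantine steps described above, as an added example that is not part of the original slides. It simplifies a definition file to a table of SHA-256 file hashes (real products also use byte patterns and the heuristic checks mentioned earlier); the directory names, the definition name and the sample bytes are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_and_quarantine(scan_dir, definitions, quarantine_dir):
    """Compare every file under scan_dir with the definitions table.

    definitions maps a SHA-256 hex digest to a malware name. A matching file
    is moved out of scan_dir into quarantine_dir (which must lie outside
    scan_dir) and loses its execute permission, so it can no longer be run
    from its original location. Returns a list of (file name, malware name).
    """
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    findings = []
    for path in sorted(scan_dir.rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_of(path)
        name = definitions.get(digest)
        if name is None:
            continue  # no signature matches this file
        target = quarantine_dir / f"{digest[:16]}_{path.name}.quarantined"
        shutil.move(str(path), str(target))
        target.chmod(0o600)  # readable for analysis, not executable
        findings.append((path.name, name))
    return findings


def demo():
    # Constructed, harmless bytes standing in for a file that the
    # definition file already knows about.
    sample = b"CONSTRUCTED-TEST-SAMPLE: harmless bytes, not real malware"
    definitions = {hashlib.sha256(sample).hexdigest(): "Example.TestSample"}

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        scan_dir = root / "downloads"
        quarantine = root / "quarantine"
        scan_dir.mkdir()
        (scan_dir / "invoice.txt").write_bytes(b"Invoice 0001\n")
        (scan_dir / "game.exe").write_bytes(sample)
        # Same content plus one extra byte: the hash no longer matches, so an
        # exact-match definition misses it. This gap is why definitions are
        # updated so often and why heuristic checking exists.
        (scan_dir / "game_v2.exe").write_bytes(sample + b"!")

        findings = scan_and_quarantine(scan_dir, definitions, quarantine)
        remaining = sorted(p.name for p in scan_dir.iterdir())
        held = len(list(quarantine.iterdir()))
    return findings, remaining, held


if __name__ == "__main__":
    found, left, held = demo()
    print("quarantined:", found)
    print("left in place:", left)
    print("files in quarantine:", held)
```
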

Use of Virtual Private
Network (VPN)
• VPN is a technology that creates a safe and encrypted
connection over a less secure network, such as the
internet.
• VPN technology was developed as a way to allow
remote users and branch offices to securely access
corporate applications and other resources.
• To ensure safety, data travels through secure tunnels
and VPN users must use authentication methods
including passwords, tokens and other unique
identification methods to gain access to the VPN.

Virtual Private Network
(VPN)

Advantages of using VPN
1. The benefit of using a secure VPN is it ensures the appropriate
level of security to the connected systems when the
underlying network infrastructure alone cannot provide it.
2. The justification for using VPN access instead of a private
network usually boils down to cost and feasibility: It is either
not feasible to have a private network e.g. for a traveling sales
rep or it is too costly to do so.
Disadvantages of using VPN
VPN performance can be affected by a variety of factors which
include:
3. Speed of users' internet connections
4. The types of protocols an internet service provider may use
and the type of encryption the VPN uses.
5. Poor quality of service and conditions that are outside the
control of IT.
Using Firewalls and
Intrusion Detection
Systems
• A firewall is a system designed to prevent unauthorized
access to or from a private network (LAN).
• Firewalls can be implemented in both hardware
and software, or a combination of both.
• Firewalls are frequently used to prevent
unauthorized users from accessing a LAN
connected to the Internet.
• All messages entering or leaving the LAN pass
through the firewall, which examines each
message and blocks those that do not meet the
specified security criteria.
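
How a firewall "examines each message" against its criteria, as an added example that is not part of the original slides: a stateless packet filter that applies the first matching rule and blocks anything no rule allows. The rule set, the LAN range 192.168.10.0/24 and the outside addresses (taken from documentation ranges) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = entering the LAN, "out" = leaving it
    src: str         # source IP address
    dst: str         # destination IP address
    protocol: str    # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    direction: str                  # "in" or "out"
    src: str                        # source network in CIDR form
    dst: str                        # destination network in CIDR form
    protocol: str                   # "tcp", "udp" or "any"
    dst_port: Optional[int] = None  # None matches every port


def matches(rule, pkt):
    """True when every field of the packet satisfies the rule."""
    return (
        rule.direction == pkt.direction
        and rule.protocol in ("any", pkt.protocol)
        and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
    )


def decide(rules, pkt):
    """Return (action, index of the deciding rule).

    Rules are checked top to bottom and the first match wins. A packet that
    matches no rule is blocked (default deny), reported with index None.
    """
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "block", None


# Constructed rule set for a LAN with one public HTTPS server.
RULES = [
    Rule("block", "in", "203.0.113.66/32", "0.0.0.0/0", "any"),       # known-bad host
    Rule("allow", "in", "0.0.0.0/0", "192.168.10.20/32", "tcp", 443),  # HTTPS to server
    Rule("allow", "out", "192.168.10.0/24", "0.0.0.0/0", "any"),       # LAN to Internet
]

if __name__ == "__main__":
    samples = [
        Packet("in", "203.0.113.7", "192.168.10.20", "tcp", 443),
        Packet("in", "203.0.113.66", "192.168.10.20", "tcp", 443),
        Packet("in", "203.0.113.7", "192.168.10.20", "tcp", 22),
        Packet("out", "192.168.10.5", "198.51.100.9", "udp", 53),
    ]
    for pkt in samples:
        print(pkt, "->", decide(RULES, pkt))
```

Because rule order decides the outcome, the block for the single host has to sit above the general HTTPS allow rule.
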

Firewalls

The limitations of firewalls include:
• Does not always provide automatic notification if
a network is hacked.
• Cannot protect against an attack generated
from within the network.
• May restrict some legitimate traffic.
• Examples of Firewalls
– Packet filtering firewall
– Network address translation (NAT)
– Application proxy filter / Proxy servers
– Stateful inspection Firewall
Using Encryption

Encryption: This is the conversion of data into a form that
cannot be easily understood by unauthorized people.
• To read encrypted data, you must have access to a secret
key or password that enables you to decrypt it.
• Decryption is the process of converting encrypted data
back into its original form, so it can be understood.
Encryption is used to safeguard confidential data:
1. On portable devices such as laptops and removable
storage media (e.g. USB disks).
2. Whilst it is being transmitted over the Internet.
Plain Text => Cypher Text

The science of encrypting and decrypting information is
called cryptography.
The two types of
Encryption
• Symmetric encryption
– single key to encrypt as well as
decrypt data
• Asymmetric encryption
– Also called public key
cryptography
• uses two separate keys, one public
(shared with everyone) and one private
(known only to the key’s generator). The
public key is used to encrypt the data
and the private key helps to decrypt it.
Examples of
Encryption
Standards/algorithms
• Advanced Encryption Standard
(AES)
• Data Encryption Standard
• Rivest-Shamir-Adleman (RSA)
• Triple Data Encryption Standard
(TripleDES)
• Twofish
Applications of
Encryption
• Secure online payments
• Data in the cloud
• Databases: Encrypting databases
• Emails: Email encryption helps to
protect sensitive information
Encryption -
Advantages and
Limitations
The advantages of encryption include:
1. Encrypted data cannot be read without the secret code or
password. Therefore encrypted data is protected from
unauthorized access.
2. If a computer/laptop is stolen the encrypted data will remain
secure and unreadable.
The limitations of encryption include:
3. If you forget your password then you may not be able to
recover your data.
4. Some forms of encryption can be broken easily and only offer
nominal protection, for example an older ZIP archive or Word
Document.
5. Encrypted files attract suspicion on emails whereas a non-encrypted
file would not attract the same level of interest.
6. Cannot prevent deletion of data.
Wireless Network
Security
• Wireless networks can be protected/secure or
open.
• A secure wireless connection requires users to
enter a network security key which ensures that
only authorized users can access the network and
data.
• Whenever possible, you should connect to security-
enabled (protected) wireless networks.
• If you do connect to an open network, be aware
that someone with the right tools can see
everything that you do, including the websites you
visit, the documents you work on, and the user
names and passwords that you use.
Dangers of unprotected Wireless
Networks – WiFi Attacks

If Wireless networks are unprotected, they can suffer the
following attacks:
• Eavesdroppers - Other people accessing and
reading your data to find sensitive or confidential
information
• Network hijacking - Other people taking control of
network communications
• Man in the middle - Other people observing
communications and collecting data that is
transmitted

WiFi Intrusion/Attack
Example
SSID Sniffing
Protecting Wireless
Networks using
Encryption
Several types of wireless network encryption are available:
• Wired Equivalent Privacy (WEP) is the oldest and least secure
wireless network encryption. This is used for hardware (routers)
that do not support Wi-Fi Protected Access.
• Wi-Fi Protected Access (WPA/WPA2) is a security standard to
secure computers connected to a Wi-Fi network. WPA/WPA2 is
more secure than the WEP. Network encryption is set through the
router’s/modem’s admin interface. This will generate a network
encryption key that will be used by each computer to connect to
the wireless network.
• A MAC (Media Access Control) address, sometimes referred to
as a hardware address or physical address, is a network interface
card (NIC) identification code that is assigned to any computer or
device (including printers) that has built-in networking capability.
Using Biometric
Security
• This is a security mechanism that uses information about
the physical characteristics of a person to verify the
person’s identity and then provides access to a computer
network.
• Biometric security systems store human body
characteristics that do not change over an individual's
lifetime. e.g.
– Fingerprints
– eye texture
– voice
– hand patterns
– facial recognition

Advantages of Using
Biometric Security
• Biometrics are faster to capture thus saving registration time
• Better Security, Decreased Fraud
Unlike PINs and security questions, which can be more easily compromised, voice
biometrics ensures that the person calling is indeed who they say they are. Voice
biometrics is also much less susceptible to fraud, making it an ideal method for
validating callers in a contact center.
• Improved Customer Experience
With voice biometrics, callers no longer need to provide passcodes or PINs or provide
answers to challenge questions to verify their identity. Once a customer is enrolled, his
or her voiceprint can be leveraged across all of your company’s support channels
• Reduced Costs
Voice biometrics solutions can save costs by reducing the steps and time involved in the
user verification process.
• Non-transferrable
Voice biometrics ensures that every user has access to a unique set of biometrics unlike
PINs and passwords which can be shared.
• Spoof-proof
Voice biometrics are near-impossible to replicate with current technology. They are hard
to fake or steal.

Disadvantages of
Using Biometric
Security
• Costly to setup
Significant investment needed in biometrics for security
• Still prone to Data breaches
Biometric databases can still be hacked
• Privacy and Tracking concerns
Biometric devices like facial recognition systems can limit
privacy for users
• Bias
Machine learning and algorithms must be very advanced to
minimize biometric demographic bias
• False positives and inaccuracy
False rejects and false accepts can still occur preventing
select users from accessing systems

Browsing on Secure
Websites

• Before you submit your private information
online, you should be aware of the following:
1. Information travelling between your
computer and a server can be routed through
many computer systems.
2. Any one of these computer systems can
capture and misuse your information.
3. An intermediary computer could even
deceive you and exchange information with
you by representing itself as your intended
destination.
Browsing on Secure
Websites
• If you decide to shop or do banking on the
Internet, protect yourself by dealing with
secure sites.
• You must ensure that your credit card
details are only entered in secure websites.
• You can tell when you have a secure
connection by looking at the URL.
• The URL of a secure website starts with
“https://” not “http://”. The browser will also
show the padlock symbol.
Digital Certificates

• A digital certificate verifies the authenticity
and legitimacy of a website.
• A web browser may display an unsafe
digital certificate alert but still permit user
entry. This warning signal indicates that the
website is a threat and security risk.
• A secure website has a digital certificate
confirming that it is secure and genuine.
• It ensures that no other website can assume
the identity of the original secure site.
Digital Certificates

• Digital certificates are issued by a certificate
authority. When you visit a secure website, the site
automatically sends you its digital certificate.
• Digital certificates are used by organizations involved
in online monetary transactions.
• The certificates ensure that bank card details will not
be intercepted as these travel from the buyer’s
computer to the web server.
• Digital certificates can be viewed by double-clicking
on the padlock icon in the web browser.

Use of One-Time
Password to
authenticate
transactions
• This is a type of password that is valid
for only one use.
• It is a secure way to provide access to
an application or perform a transaction
only one time.
• The password becomes invalid after it
has been used and cannot be used
again.
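
The "valid for only one use" property, as an added example that is not part of the original slides. The slides do not name a scheme, so this uses counter-based HOTP (RFC 4226) as one standard way to generate such passwords; the verifier class, its look-ahead window and the shared secret (the RFC's published test secret) are assumptions for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """Compute the RFC 4226 one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low 4 bits of the last byte pick a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: accepts each password once, then moves past it.

    The server keeps a counter in step with the user's token. A small
    look-ahead window tolerates codes the user generated but never sent.
    """

    def __init__(self, secret, counter=0, window=3):
        self.secret = secret
        self.counter = counter
        self.window = window

    def verify(self, submitted):
        for candidate in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, candidate)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                # Advance past the accepted counter: this code and every
                # earlier one can never be accepted again.
                self.counter = candidate + 1
                return True
        return False


# Test secret published in RFC 4226, Appendix D (never use it for real accounts).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = OtpVerifier(RFC_SECRET)
    first = hotp(RFC_SECRET, 0)
    print("code for counter 0:", first)
    print("first use accepted:", server.verify(first))    # True
    print("second use accepted:", server.verify(first))   # False, already used
```
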
Cookies

• Cookies are small text files that save information
regarding user activity on particular websites.
• They may save information, shopping cart
contents, or user preferences.
• This information is packaged into a cookie and sent
to your browser which stores it for later use.
• The next time you go to the same website, your
browser will send the cookie to the web server
• The main purpose of cookies is to identify users
and possibly prepare customized web pages for
them.
Content-Control
Software

• Content-control software is designed
and optimised for controlling what
content a user is allowed to access
when browsing the Web.
• It is also known as censorware or web
filtering software.

Characteristics of Information Security
Characteristics of
Information Security
1. Confidentiality
2. Integrity
3. Availability
4. (Non-repudiation)

Characteristics of
Information Security
The policies for information security within an
organization are based on these characteristics:
1. Confidentiality:
• A set of rules that limits access to information.
• Confidentiality prevents sensitive information
from reaching the wrong people, while making
sure that the right people can get it.
• Some methods used to achieve confidentiality
include data encryption, passwords, two-
factor authentication and biometric
verification.

Characteristics of
Information Security
2. Integrity
• This is the assurance that the information is trustworthy and
accurate.
• Integrity involves maintaining the consistency, accuracy, and
trustworthiness of data over its entire life cycle.
• Data must not be changed whilst being transmitted.
• Steps must be taken to ensure that data cannot be altered by
unauthorized people.
• In addition, processes must be in place to detect any changes
in data that might occur as a result of computer failure (e.g.
server crash).
• Backup copies of data must be available to restore data when
this is damaged, changed or lost.

3. Availability of information
• This refers to ensuring that authorized people are able to
access the information when needed.
• Information is unavailable when it is lost, or when access to it
is denied or delayed.
• For example, information on a website may not be readily
available to users because the web server is under denial-of-
service attack.
• Measures to ensure that information is available include
regular maintenance of hardware, implementing emergency
backup power (e.g. uninterruptible power supply and
generators), keeping off-site backups of data, providing
adequate communications bandwidth, and guarding against
denial-of-service (DoS) attacks.
4. Non-repudiation
• This refers to ensuring that actors on digital platforms
cannot deny the actions they have performed.

Protecting Yourself Online
• Use appropriate privacy settings on social networking
sites to limit access to your information, pictures etc.
• Be careful how much information you divulge about
yourself on social networking sites.
• Avoid posting comments and pictures which would embarrass
you if seen by family members, colleagues, students,
or your present or future employer.
• Posting particular messages on walls of social
networking sites may not always be appropriate.
• Avoid posting sensitive information including when you
plan to be away from home, confidential data about your
company etc. Use private messaging when appropriate.

Business Value of Data Security
Class objectives
• Business Value of Security and Control
• Security controls
• Risk assessment and management

Business Value of Security and Controls
1. Can we do without security in a business?
2. Why do we need security?
The reason for securing information systems
Information systems:
• Have confidential information.
• Have business-sensitive information.
• The information systems and information
assets in general cost lots of money to acquire
and maintain.
• The repercussions of security intrusions
could impose legal liability.
Information Security Controls and Policies

• Many organizations draw up guidelines and policies
related to the use of IT facilities/services and to ensure
the protection of data.
• The purpose of these guidelines and policies is to outline
the acceptable and appropriate use of ICT resources
within organizations.
• The policies provide a standard that employees/users are
expected to follow.
• The guidelines and policies ensure that there is a clear
position on how ICT should be used to ensure the
protection of the organization’s data.
• The guidelines and policies are usually developed by the
IT department of the organization.
IS-Security Controls

We have three categories of security controls in
information systems security:
• General security controls
– A combination of hardware, software, and manual procedures that
creates an overall control environment.
– They govern the design, security, and use of computer programs and the
security of data files in general throughout the organization’s information
technology infrastructure. They apply to all computerized applications.
• Administrative/Behavioural controls
– Policies, legal provisions, ethics, logical and physical controls.
• Application controls
– Application specific: input, processing, and output controls.
Types of General Security Controls
1. Physical controls
2. Logical controls
3. Software controls
4. Hardware controls
5. Computer operations controls
6. Data security controls
7. Implementation controls

Types of general controls
Physical controls
• Physical security involves the use of multiple
layers of interdependent systems, which include
CCTV surveillance, security guards, protective
barriers, locks, access control protocols, and many
other techniques.

Logical Controls
• Software safeguards for an organization's systems,
including user identification and password access,
authenticating, access rights and authority levels.
These measures are to ensure that only authorized
users are able to perform actions or access
information in a network or a workstation.
Application controls

• These are specific controls unique to each computer
application.
• They include both automated and manual procedures.
• They ensure that only authorized data are completely
and accurately processed by that application.

They include:
1) Data input controls
2) Data processing controls
3) Data output controls
Risk Assessment and Management

What is risk?
• Any situation that can lead to a potential loss.

What is Information Technology Risk?
• IT risk is the potential loss associated with the use, ownership,
operation, involvement, influence and adoption of IT within
an enterprise.
IS Security Risk Assessment Process
i. Vulnerability scanning
ii. Identify threats and threat sources
iii. Threat and vulnerability analysis
iv. Business impact analysis
v. Ranking

Risk Management Approaches
• Avoidance
• Transfer
• Mitigation
• Acceptance/Retention
Factors to Consider When Assessing Risk
Information Security Risk Formula/Equation

• Risk = (Threats × Vulnerabilities) × Impact
• Risk = Likelihood × Impact

Role of Management in Information Security Risk Management

i. Defining a holistic approach to addressing risk across the entire organization;
ii. Developing an organizational risk management strategy;
iii. Supporting information-sharing amongst authorizing officials and other senior
leaders within the organization;
iv. Overseeing risk management related activities across the organization;
v. Ensuring the integration of information security management processes with
strategic and operational planning processes;
vi. Making sure that the information and systems used to support organizational
operations have proper information security safeguards;
vii. Confirming that trained personnel are complying with related information
security legislation, policies, directives, instructions, standards, and guidelines.

Security Policy
A collection of directives, regulations, rules, and practices that
prescribes how an organization manages, protects, and distributes
information.
As a document, an information security policy
outlines the following:
i. Ranking information risks,
ii. Acceptable security goals,
iii. Identifying the mechanisms for achieving these goals.
iv. What are the firm’s most important information assets?
v. Who generates and controls this information in the firm?
vi. What existing security policies are in place to protect the information?
vii. What level of risk is management willing to accept for each of these
assets? Is it willing, for instance, to lose customer credit data once every 10
years? Or will it build a security system for credit card data that can
withstand the once-in-a-hundred-year disaster? Management must
estimate how much it will cost to achieve this level of acceptable risk.
Other contents of an ideal security policy

• Acceptable usage policy
– Shows acceptable usage of various aspects of the
information system (dos and don'ts)
• Access control policies
– Authentication
– Authorization
– Access control lists
– Logging
– Session controls
Disaster Recovery and Business Continuity Planning
Disaster Recovery Planning

• Plans for restoring computing and communications
services after they have been disrupted.
• Disaster recovery plans focus primarily on the
technical issues involved in keeping systems up
and running, such as:
1. which files to back up and;
2. the maintenance of backup computer systems or
disaster recovery services.
Disaster Recovery Planning
Why would you want to outsource your back-up
plans?
• Cold Sites
• Warm sites
• Hot Sites/Mirrored Sites

• A warm site is a type of facility an organization uses to recover its
technology infrastructure when its primary data center goes down.
• A hot site is a fully functional and readily available facility that
allows immediate recovery from a disaster.
• A cold site is a recovery facility that only includes infrastructure
but no technology until a disaster hits. Technology is installed after
a disaster strikes.
IS Security Outsourcing
• Many companies, especially small businesses,
lack the resources or expertise to provide a
secure high-availability computing environment
on their own.
• They can outsource many security functions to
managed security service providers
(MSSPs) that monitor network activity and
perform vulnerability testing and intrusion
detection.
• E.g., SecureWorks, BT Managed Security
Solutions Group, and Symantec are leading
providers of MSSP services.
Business Continuity Planning
Business continuity planning focuses on:
i. how the company can continue business
operations after a disaster strikes.
ii. critical business processes
iii. action plans for handling mission-critical
functions if systems go down.
MIS Audit

An MIS audit examines:
• The firm’s overall security environment.
• Controls governing individual information
systems.
• Data quality.

Security audits review:
• Technologies, procedures, documentation,
training, and personnel.

The audit:
• lists and ranks all control weaknesses;
• estimates the probability of their occurrence;
• assesses the financial and organizational impact
of each threat.
Security and Control measures

Authorization
• Access control lists

Authentication
• Passwords (concerns?)
• Smart cards
• Biometrics
Security and Control measures

Network Security
• Firewall techniques
– Packet filtering
– Stateful inspection
– Network Address Translation
– Proxy services
• Intrusion Detection Systems

Encryption
• Symmetric keys
• Asymmetric keys

Digital Certificates
• Certificate Authority
Ensuring System Availability

Online Transaction Processing and network-reliant systems need to
promise the least downtime.

This can be achieved through:
• High Availability Computing
• Fault tolerance
Security Issues For Cloud Computing And The Mobile Digital Platform
• Responsibility over corporate data remains with
the client and not the cloud service provider.
• The client should therefore ensure that the cloud
service provider can guarantee data security.
• This can be done through:
– Finding out how the cloud provider segregates their
corporate data from those of other companies.
– asking for proof that encryption mechanisms are
sound
– knowing how the cloud provider will respond if a
disaster strikes, whether the provider will be able to
completely restore your data, and how long this
should take.
Mobile Device Security
• Mobile computing devices can be secured through:
– tools to authorize all devices in use;
– maintaining accurate inventory records on all
mobile devices, users, and applications;
– controlling updates to applications and locking
down lost devices so they can’t be compromised;
– developing guidelines stipulating
approved mobile platforms and software
applications as well as the required software and
procedures;
– ensuring that all
smartphones are up to date with the latest
security patches and antivirus/anti-spam
software;
– encrypting communication whenever possible.
Questions

• June 2005 Q3 (a)
• Dec 2005 Q3
• Dec 2005 Q8
• May 2006 Q3
• Dec 2006 Q3 (a), (c)
• Dec 2006 Q5
• Dec 2007 Q3
• June 2008 Q8 (c)
• Dec 2008 Q1
• Dec 2008 Q6
• Aug 2009 Q2
• June 2010 Q2
• June 2011 Q3 (c), Q5 (c)
• Nov 2011 Q4 (b), (c)
• May 2012 Q6
• Dec 2013 Q3 (b)
• May 2014 Q3 (a)
• June 2013 Q1, Q6 (b)
• Dec 2012 Q1 (a)
Thank you!

Any Questions?
