F2 Data Security & Control 06


DATA SECURITY AND CONTROLS

Data & information must be protected against:
- Unauthorized access,
- Disclosure,
- Modification,
- Damage.

This is because it is a scarce & valuable resource for any business organization or government. Security and controls are applied on data & information to ensure:
- Confidentiality
- Integrity and
- Availability

1. Confidentiality
Confidentiality means that sensitive data or information belonging to an organization or government should not be accessed by or disclosed to unauthorized people. Such data includes employees' details, classified military information, business financial records, etc.

2. Integrity
Integrity means that data should not be modified without the owner's authority. Data integrity is violated when a person, accidentally or with malicious intent, erases or modifies important files such as a payroll or a customer bank account file.

3. Availability
Information must be available on demand. This means that any information system and communication link used to access it must be efficient and functional.

DEFINITION OF TERMS
- Security: the protection of information, hardware and software against computer criminals, physical and natural hazards.
- Privacy: protection of private data or information against misuse or unauthorised access.
- Health: guarding end-users against physical and mental risks associated with use of technology.
- Environment: minimising the effects of using ICT on our environment.

SECURITY THREATS AND CONTROL MEASURES

Security threats to data & information
The threats include:
- Virus
- Unauthorised access
- Computer errors and accidents (Information System Failure)
- Theft

1). COMPUTER VIRUSES

A computer virus is a program designed specifically to damage other programs or interfere with the proper functioning of the computer system.
A virus is a computer code usually designed to carry out 2 tasks:
(a) To copy itself from one computer system to another.
(b) To locate itself within a computer system, enabling it to amend/destroy program & data files by interfering with the normal processes of the operating system.

Types of computer viruses
1. Boot sector viruses – they destroy the booting information on storage devices.
2. File viruses – they attach themselves to files, either erasing or modifying them.
3. Hoax viruses – they come as e-mails with an attractive subject & activate themselves when the e-mail is opened.
4. Trojans – are programs that appear to perform necessary functions, but perform other undesirable activities in the background without the knowledge of the user.
5. Worms – viruses that stick in the computer memory.
6. Backdoors – may be a Trojan or Worm that allows hidden access to a computer system.

Types of destructions/damages caused by a virus attack
- Delete or modify data, information & files on storage devices (disks) or memory during normal program execution, e.g., may attack the format of a disk, making any program or data on it impossible to recover.
- Systematically destroy all the data in the computer memory.
- Might lock the keyboard.
- Can change keystroke values or data from other I/O devices, e.g., change the effect of the SHIFT key.
- Delete characters displayed on a visual display.
- Uses up computer memory/space, hence slowing down its performance or causing the system to crash.
- Changes colour of the display.
- Cause boot failure.
Sources of viruses
a) Contact with contaminated systems:
If a diskette, flash disk or memory card is used on a virus-infected computer, it could become contaminated. If the same device is used on another computer, then the virus will spread.

b) Use of pirated software:
Pirated software may be contaminated by a virus code or it may have been amended to perform some destructive functions which may affect your computer.

c) Infected proprietary software:
A virus could be introduced when the software is being developed in laboratories, and then copied onto diskettes containing the finished software product.

d) Fake games:
Some virus programs behave like games software. Since many people like playing games on computers, the virus can spread very fast.

e) Freeware and Shareware:
Freeware are programs freely available on the internet.
Shareware are programs freely available on the net for some period of time as a trial version.
Both freeware & shareware programs are commonly available in Bulletin board systems.
Such programs should first be used in a controlled environment until it is clear that the program does not contain either a virus or a destructive code.
Spyware: malicious software that attaches itself to an operating system to monitor the user's web surfing activity. Spyware may appear as a prize notification pop-up window.

f) Updates of software distributed via networks:
Virus programs can be spread through software distributed via networks.

Symptoms of viruses in a computer system
The following symptoms indicate the presence of a virus in your computer:
- Boot failure.
- Files & programs disappearing mysteriously.
- Unfamiliar graphics or messages appearing on the screen, e.g., the virus might flash a harmless message such as "Merry Christmas" on the computer terminal.
- Slow booting.
- Gradual filling of the free space on the hard disk.
- Corruption of files and programs.
- Programs taking longer than usual to load.
- Disk access time seeming too long for simple tasks.
- Unusual error messages occurring more frequently.
- Frequent read/write errors.
- Disk access lights turning on for non-referenced devices.
- Computer hangs anytime when running a program.
- Less memory available than usual, e.g., Base memory may read less than 640KB.
- Size of executable files changing for no obvious reason.

Control measures against viruses
i). Install up-to-date (or the latest) antivirus software on the computers.
ii). Restrict the movement of foreign storage media, e.g., diskettes, in the computer room. If they have to be used, they must be scanned for viruses.
iii). Avoid opening mail attachments before scanning them for viruses.
iv). Write-protect disks after using them.
v). Disable floppy disk drives, if there is no need to use disks in the course of normal operation.
vi). Backup all software & data files at regular intervals.
vii). Do not boot your computer from disks which you are not sure are free from viruses.
viii). Avoid pirated software. If possible, use the software from the major software houses.
ix). Programs downloaded from Bulletin Boards & those obtained from computer clubs should be carefully evaluated & examined for any destructive code.

2). UNAUTHORIZED ACCESS
Data & information is always under constant threat from people who may want to access it without permission. Such persons will usually have a bad intention, either to commit fraud, steal the information & destroy or corrupt the data.
Unauthorized access may take the following forms:
a). Eavesdropping:
This is tapping into communication channels to get information, e.g., hackers mainly use eavesdropping to obtain credit card numbers.

b). Surveillance (monitoring):
This is where a person may monitor all computer activities done by another person or people.
The information gathered may be used for different purposes, e.g., for spreading propaganda or sabotage.

c). Industrial espionage:
Industrial espionage involves spying on a competitor so as to get or steal information that can be used to finish the competitor or for commercial gain.
The main aim of espionage is to get ideas on how to counter by developing a similar approach or sabotage.

d). An employee who is not supposed to see some sensitive data gets it, either by mistake or design.

e). Strangers who may stray into the computer room when nobody is using the computers.

f). Forced entry into the computer room through weak access points.

Quiz: State ways in which users in an organization can be a security threat to data in an information system.
i. Through accidental access to files they are not supposed to access
ii. By using confidential data for their own personal gain
iii. Through intentional access to unauthorised data

Control measures against unauthorized access
i). Enforce data & information access control policies on all employees to control access to data.
ii). Keep the computer room closed when nobody is using it.
iii). Reinforce weak access points, e.g., doors & windows, with metallic grills & burglar alarms.
iv). Use file passwords to prevent any person from getting access to the electronic files.
v). Enforce network security measures, e.g., use of firewalls.
vi). Encrypt the data & information during transmission.
vii). Perform frequent Audit trails to identify threats to data & information.

3). COMPUTER ERRORS & ACCIDENTAL ACCESS

Errors and accidental access to data & information may be as a result of:
- Mistakes made by people, e.g., one may print sensitive reports & unsuspectingly give them to unauthorized persons.
- People experimenting with features they are not familiar with. E.g., a person may innocently download a file without knowing that it is self-installing or that it may be dangerous to the system.

INFORMATION SYSTEM FAILURE
Some of the causes of computerized system failure include:
1. Hardware failure due to improper use.
2. Unstable power supply as a result of brownouts or blackouts and vandalism
3. Network breakdown
4. Natural disaster
5. Program failure

Control measures against hardware failure
- Protect computers against brownouts or blackouts, which may cause damage or data loss, by using surge protectors and UPS.
- For critical systems, most organizations have put into place fault tolerant systems. A fault tolerant system has redundant or duplicate storage, peripheral devices and software that provide backup in the event of system failure.

Disaster recovery plans
- A disaster recovery plan involves establishing offsite storage of an organization's databases so that in case of disaster or fire accidents, the company would have backup copies from which to reconstruct lost data.

Control measures against computer errors & accidents
i). Restrict file access to the end-users and technical staff in the organization, i.e., deny access of certain files & computers to certain groups of end-users.
This is because accidental access mistakes occur if the end-users have too much privilege that allows them to access or change sensitive files on the computer.
ii). Set up a comprehensive error-recovery strategy in the organization.

4). THEFT
The threat of theft of data & information, hardware & software is real. Some information is so valuable that business competitors or some governments can decide to pay somebody a fortune so as to steal the information for them to use.

Control measures against theft of information, hardware, & software
i). Create backups & store them in locations away from the main computing centre.
ii). Reinforce weak access points, e.g., the windows, doors, & roofing, with metallic grills and strong padlocks.
iii). Put burglar proofs in the computer room.
iv). Employ guards to keep watch over data & information centres and backups.

5. CRASHING OF THE HARD DISK
Crashing of the hard disk refers to permanent damage of the hard disk causing malfunction.

Control measures against crashing of the hard disk
- Install updated antivirus
- Frequently blow away dust to avoid dust accumulation
- Shut down the computer using the correct procedure always
- Connect the computer to UPS to safeguard against power surges

6. POWER FAILURE
Power failure results in loss of unsaved data and crashing of the hard disk.

COMPUTER CRIMES
- A computer crime is a deliberate theft or criminal destruction of computerized data.
- The use of computer hardware, software, or data for illegal activities, e.g., stealing, forgery, defrauding, etc.
- Committing of illegal acts using a computer or against a computer system.

Types of computer crimes
The following are the major types of computer crimes:
1. Trespass.
2. Hacking.
3. Tapping.
4. Cracking.
5. Piracy.
6. Fraud (Theft of money)
7. Sabotage.
8. Alteration of data.
9. Theft of computer time / Theft of service.
10. Theft of data, information or programs.
11. Phishing (online fraud)

Trespass
- Trespass refers to the illegal physical entry to restricted places where computer hardware, software & backed up data is kept.
- It can also refer to the act of accessing information illegally on a local or remote computer over a network.
Trespass is not allowed and should be discouraged.

Hacking
Hacking is the illegal use of a special program to break in to a computer system to view, destroy, modify or collect the information.
Hacking is an attempt to invade the privacy of a system, either by tapping messages being transmitted along a public telephone line, or through breaking security codes & passwords to gain unauthorized entry to the system data and information files in a computer.

Reasons for hacking
- To copy or corrupt the information.
- As a hobby to test their expertise. Some people like the challenge & they feel great after successful hacking.
- Some do it for computer & software producing companies that want to secure their systems by reducing weaknesses discovered after professional hacking.

Hacking is done by skilled programmers referred to as Hackers. A hacker is a person who gains unauthorised access to a computer network for profit, criminal mischief, or personal gain.

Such people are able to break through passwords or find weak access points in software. They are involved in propagating computer viruses.

Tapping
Tapping involves listening to a transmission line to gain a copy of the message being transmitted.

Tapping may take place through the following ways:
a) A person may send an intelligent program to a host computer that sends him/her information from the computer.
b) Spying on a networked computer using special programs that are able to intercept messages being sent & received by the unsuspecting computer.

Cracking
Cracking is the use of guesswork by a person trying to look for a weakness in the security codes of software in order to get access to data & information.

These weak access points can only be sealed using special corrective programs called Patches, which are prepared by the manufacturing company.
A program patch is a software update that, when incorporated in the current software, makes it better.
NB: Cracking is usually done by people who have some idea of passwords or user names of the authorized staff.

Piracy
Software, information & data are protected by copyright laws. Piracy means making illegal copies of copyrighted software, data, or information either for personal use or for re-sale.

Ways of reducing piracy:
i) Enact & enforce copyright laws that protect the owners of data & information against piracy.
ii) Make software cheap enough to increase affordability.
iii) Use licenses and certificates of authenticity to identify originals.
iv) Set installation passwords that prevent illegal installation of software.

Fraud
Fraud is the use of computers to conceal information or cheat other people with the intention of gaining money or information.

Fraud may take the following forms:
a). Input manipulation:
Data input clerks can manipulate input transactions, e.g., they can create dummy (ghost) employees on the Salary file or a ghost supplier on the Purchases file.

b). Production & use of fake documents:
E.g., a person created an intelligent program in the Tax department that could credit his account with cents from all the tax payers. He ended up becoming very rich before he was discovered.

Fraudsters can either be employees in the company or outsiders who are smart enough to defraud unsuspecting people.

Reasons that may lead to computer fraud
- For economic gain (i.e., to gain money or information).
- To gain respect (self-worth)

Security measures to prevent fraud:
i) Careful recruitment of staff.
ii) Set up a clear & firm management policy on crimes & frauds.
iii) Restrict access to computer room or terminal.
iv) Use transaction & file logs to monitor access to sensitive areas of the system.
v) Monitor & investigate error logs and reports on a regular basis.
vi) Carry out risk analysis to examine the exposure of the organization to possible fraud.

Sabotage
Sabotage is the illegal or malicious destruction of the system, data or information by employees or other people with grudges, with the aim of crippling service delivery or causing great loss to an organization.

Sabotage is usually carried out by discontented employees or those sent by competitors to cause harm to the organization.

The following are some acts of saboteurs which can result in great damage to the computer centres:
- Using magnets to mix up (mess up) codes on tapes.
- Planting of bombs.
- Cutting of communication lines.

Alteration
Alteration is the illegal changing of stored data & information without permission with the aim of gaining or misinforming the authorized users.

Alteration is usually done by those people who wish to hide the truth. It makes the data irrelevant and unreliable.

Alteration may take place through the following ways:

a). Program alteration:
This is done by people with excellent programming skills. They do this out of malice or they may liaise with others for selfish gains.

b). Alteration of data in a database:
This is normally done by authorized database users, e.g., one can adjust prices on invoices, increase prices on selling products, etc., and then pocket the surplus amounts.

Security measures to prevent alteration:
i) Do not give data editing capabilities to anybody without vetting.
ii) The person altering the data may be forced to sign in order for the system to accept altering the information.

Theft of computer time
Employees may use the computers of an organization to do their own work, e.g., they may produce publications for selling using the computers of the company.

Theft of data (i.e., commercial espionage)
Employees steal sensitive information or copy packages and sell them to outsiders or competitors for profit.
This may lead to a leakage of important information, e.g., information on marketing strategies used by the organization, research information, or medical reports.

Phishing or online fraud
Phishing (pronounced: fishing) is an online-fraud technique that is used by criminals to lure you into disclosing your personal information, which then enables the thief to:
- apply for and get credit in your name.
- empty your bank account and charge expenses to the limit of your credit cards.
- remove money from your accounts or
- use a copy of your debit card to withdraw

DETECTION & PROTECTION AGAINST COMPUTER CRIMES

The following measures can be taken to detect & prevent computer crimes, and also seal security loopholes.

Audit trails
This is a careful study of an information system by experts in order to establish (or, find out) all the weaknesses in the system that could lead to security threats or act as weak access points for criminals.

An audit of the information system may seek to answer the following questions:
1. Is the information system meeting all the design objectives as originally intended?
2. Have all the security measures been put in place to reduce the risk of computer crimes?
3. Are the computers secured in physically restricted areas?
4. Is there backup for data & information of the system that can ensure continuity of services even when something serious happens to the current system?
5. What real risks face the system at present or in future?

Data encryption
Data being transmitted over a network faces the dangers of being tapped, listened to, or copied to unauthorized destinations.
To protect such data, it is mixed up into a form that only the sender & the receiver can understand by reconstructing the original message from the mix. This is called Data encryption.

The flow diagram below shows how a message can be encrypted and decrypted to enhance security.

[Flow diagram: Plain text "Black panther" -> Encryption key -> Cyphertext "kcalB rehtnap" -> Decryption key -> Plain text "Black panther"]

The message to be encrypted is called the Plain text document. After encryption using a particular order (or, algorithm) called the encryption key, it is sent as Cyphertext on the network.
After the recipient receives the message, he/she decrypts it using a reverse algorithm to the one used during encryption, called the decryption key, to get the original plain text document.
This means that, without the decryption key, it is not possible to reconstruct the original message.

Log files
These are special system files that keep a record (log) of events on the use of the computers and resources of the information system.

Each user is usually assigned a username & password or account. The information system administrator can therefore easily track who accessed the system, when and what they did on the system. This information can help monitor & track people who are likely to violate system security policies.
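The tracking described under Log files, together with the use of transaction and file logs to monitor access to sensitive areas, shown as an added example that is not part of the original notes. The log format, user names, file names and the access policy are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Hypothetical format: timestamp user action target result
SAMPLE_LOG = """\
2024-03-04T08:01:12 amina LOGIN - OK
2024-03-04T08:05:40 amina READ payroll.db OK
2024-03-04T09:12:03 juma LOGIN - FAIL
2024-03-04T09:12:09 juma LOGIN - FAIL
2024-03-04T09:12:15 juma LOGIN - FAIL
2024-03-04T09:12:31 juma LOGIN - OK
2024-03-04T09:14:02 juma READ payroll.db DENIED
2024-03-04T09:20:45 juma WRITE invoices.db OK
this line is corrupt and must not crash the parser
2024-03-04T17:55:10 otieno LOGIN - FAIL
"""

# Hypothetical access control policy: users allowed to touch each sensitive file.
SENSITIVE_FILES = {"payroll.db": {"amina"}, "invoices.db": {"amina", "otieno"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\w+) (?P<action>LOGIN|READ|WRITE) "
    r"(?P<target>\S+) (?P<result>OK|FAIL|DENIED)$"
)

def parse_log(text):
    """Return (events, rejected_lines); malformed lines are kept for review."""
    events, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        try:
            ts = datetime.fromisoformat(m["ts"]) if m else None
        except ValueError:
            ts = None
        if ts is None:
            rejected.append(line)
            continue
        events.append({**m.groupdict(), "ts": ts})
    return events, rejected

def who_did_what(events):
    """Who accessed the system, when, and what they did (successful actions)."""
    trail = defaultdict(list)
    for e in events:
        if e["result"] == "OK":
            trail[e["user"]].append((e["ts"].isoformat(), e["action"], e["target"]))
    return dict(trail)

def password_guessing(events, threshold=3, window=timedelta(minutes=5)):
    """Accounts with >= threshold failed logins inside a sliding time window."""
    fails, flagged = defaultdict(list), {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] != "LOGIN":
            continue
        user, recent = e["user"], fails[e["user"]]
        if e["result"] == "FAIL":
            recent[:] = [t for t in recent if e["ts"] - t <= window] + [e["ts"]]
            if len(recent) >= threshold:
                flagged[user] = {"failures": len(recent), "succeeded_after": False}
        elif e["result"] == "OK":
            # A success right after a burst of failures suggests a guess worked.
            if user in flagged and recent and e["ts"] - recent[-1] <= window:
                flagged[user]["succeeded_after"] = True
            recent.clear()
    return flagged

def policy_violations(events, policy=SENSITIVE_FILES):
    """Touches on sensitive files by users the policy does not list."""
    return [
        (e["ts"].isoformat(), e["user"], e["action"], e["target"], e["result"])
        for e in events
        if e["target"] in policy and e["user"] not in policy[e["target"]]
    ]
```

A violation logged with result OK, such as the constructed invoices.db write, means the system allowed something the policy forbids, so the access control itself needs fixing and not only the user's behaviour.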
Firewalls
A Firewall is a device or software system that filters the data & information exchanged between different networks by enforcing the access control policy of the host network.

A firewall monitors & controls access to or from protected networks. People (remote users) who do not have permission cannot access the network, and those within cannot access sites outside the network restricted by firewalls.

Security monitors
Security monitors are programs that monitor and keep a log file or record of computer systems and protect them from unauthorized access.

Biometric security
Biometric security is a growing form of unauthorized-access control measure that uses user attributes such as voice, fingerprints and facial recognition. For example, you can log on by swiping a finger on a fingerprint swipe window.

Patch
This is a line of code which repairs the defect in software without interrupting its proper operations. This code is meant to add new features to the software and provide protection against cracking, hacking and alteration.

Other access control measures
Access control can also be enhanced by implementing multi-level authentication policies such as:
- Assigning users log on accounts,
- Use of smart cards and
- Personal identification number (PIN)

Effects of ICT on health
Some health concerns on the use of ICT devices such as computers and cellular phones are:
1. Eye strain and headache: this can be controlled by taking frequent breaks, using TFT/LCD displays or an antiglare screen on CRT monitors.
2. Back and neck pains: use adjustable furniture and the right sitting posture.
3. Repetitive strain injury (RSI): also known as repetitive motion injury or cumulative trauma disorder, it results from fast repetitive tasks such as typing. This results in damage of nerves and tendons. Make correct use of the keyboard, and take frequent breaks in between.
4. Noise: some noise, such as that of an impact printer, may leave a person with "ringing ears". Use non-impact printers, head mounted earphones and microphones.

Effects of ICT on the environment
- Disposal of dead computer parts, power consumption and emissions have resulted in environmental pollution.
- The Environmental Protection Agency (EPA) has created the Energy Star compliance policy, which coerces electronic components manufacturers worldwide to comply with acceptable levels of environmental pollution and radiation.
- Computer manufacturers are also avoiding excessive use of harmful chemicals such as chlorofluorocarbons, nickel cadmium and other heavy metals in their productions.

Quiz: State the negative impacts of information communication technology on the Environment.
i. The huge garbage dumps of dead computer parts, printers, ink toners, cartridges, monitors and other accessories are deposited in landfills, causing pollution.
ii. Nickel-Cadmium laptop batteries, which contain toxic cadmium, are buried in landfills and can leak into the underground water table and catchment areas.
iii. Massive extraction of natural resources, such as mining of iron ore and other metals for the construction of computer parts.

LAWS GOVERNING PROTECTION OF INFORMATION
Countries usually have acts of parliament, regulations, laws and policies that govern data processing and information security.
Internationally, data security issues are governed by bodies such as the International Organization for Standardization (ISO) and the Information Security Forum (ISF). ISO, a consortium of national standards institutes, has published "Information technology - Security techniques - Code of practice for information security management".
The Information Security Forum (ISF) is a global non-profit making body that provides research on best practices, summarized in its report "Standard of Good Practice".

Laws have been developed that govern the handling of data & information in order to ensure that there is 'right of privacy' for all people.

The following rules must be observed in order to keep within the law when working with data and information.
1. Data & information should be kept secure against loss or exposure.
2. Data should not be disclosed to other people without the owner’s permission.
3. Data & information should not be kept longer than necessary.
4. Data & information should be accurate and up-to-date.
5. Data & information should be collected, used & kept for specified lawful purposes
(i.e., it should not be used for unlawful gain).
6. The owner of the data has a right to know what data is held by the person or
organization having it.
7. Data should not be transferred to other countries without the owner’s permission.
