17 Security of ICT Systems

About this unit

Attacks against ICT systems, by hackers and others, are commonplace and increasing. Someone may access an ICT system, without authorisation, and hence illegally, in an attempt to read sensitive information. Even if they do not intend to damage the system, these hackers may still create problems for the organisation. Such breaches of security can be damaging, not only to the data and the users of that data, but also to the reputation of the organisations being attacked.

Individuals and organisations need to trust information stored on a computer and to know that the ICT systems themselves are reliable and secure. When this is not possible, the whole use of the system is undermined. Therefore, the IT practitioner needs to develop specialist skills to be able to combat such threats to security.

This unit enables you to understand why security is necessary, what specific potential dangers exist and how best to protect the ICT system and the data on it.

17 Security of ICT Systems - Pearson Education · Macro viruses hide within the macros of applications such as Word and Excel. Such viruses spread from one open document or spreadsheet



Learning outcomes

When you have completed this unit you will:

1 understand potential breaches of security
2 understand the need to protect data in ICT systems
3 know how to protect the data of individuals and organisations using appropriate security measures.

How is the unit assessed?

You will be assessed on internally set assignments. These assignments might involve your preparing a presentation, and you may be asked to present this to your peers. The presentation might be on slides, or online. Or you may be asked to create a leaflet, a poster or a report.


Protecting data in ICT systems

Much of the data held on an ICT system is business data. This data is confidential and other companies might be very interested to know what it contains. Therefore security is needed to ensure that information is available only to those with a right to know it.

ICT systems can be protected and kept secure only if the people looking after them carry out certain tasks on a regular basis. It is very important, therefore, to consider all the ways in which an ICT system could be threatened, and to devise tasks that will protect the system and its data.

This section identifies potential breaches of security and establishes the need to protect data in ICT systems.

• It considers different types of security breaches and how these might be caused.
• It then looks at the possible impact of a breach, and the legislation that attempts to deter would-be offenders.
• Finally, it focuses on the different types of ICT system and considers how the configuration affects security issues.

Types of security breach

There are many ways of breaching security. Four are considered for this qualification:

• unauthorised use without damage to data
• unauthorised removal of data
• damage to physical systems
• damage to data or code.

All four breaches involve unauthorised behaviour, i.e. acting without the authority of those responsible for the data or ICT system.

Unauthorised use without damage to data

Software should be used only by those authorised to do so. Someone – a hacker – may access confidential data.

The hacker may read the data or copy it, but do no damage to it. However, simply reading data can also cause damage to an organisation, even if that data is not deleted or altered.

Obtaining personal details of an individual can lead to identity theft.

If you become the victim of identity theft, you might have difficulty obtaining credit for a credit card, loan or mortgage until the confusion is resolved.


What does it mean?
A hacker is a person who gains access to computer systems when he or she has no right to do so.

What does it mean?
Identity theft involves using another person’s personal details, such as credit card information, to purchase goods and services fraudulently.


Unauthorised removal of data

Someone may pass data on to another person who is not authorised to read it; this is called data theft.

Data related to new products or business plans of an organisation is sensitive. If this data fell into the wrong hands, e.g. a competitor, the organisation would lose any competitive edge that secrecy would have given them.

The worst-case scenario is for the data to be removed altogether. Imagine the chaos if all the personnel records of an organisation – the contact details of all employees, their pay records and details of promotions, pensions, etc. – were removed.

Damage to physical systems

Someone may damage the hardware in the ICT system. A hard disk holds a lot of data. If the disk was sabotaged, the data would become inaccessible.

The hardware in an ICT system can be worth many hundreds of thousands of pounds. If any of it is damaged or stolen then it will take time to replace it. The cost of replacement is usually covered by insurance, so the main problem is the time delay in installing replacement equipment. This delay can result in lost business and, as a consequence, the organisation may lose money. Consequential loss may not be covered by insurance, so this is a ‘real’ loss.

Damage to data or code

Data or software should only be altered or deleted by someone who is authorised to do so. A hacker may damage – i.e. amend or delete – the data or software.

Data and software may also be damaged by virus attack, as discussed on page 5.

Causes of security breaches

Breaches in security may be caused by human actions, systems issues or viruses.

Further research – identity theft
Visit the Home Office website to learn more about the threat of identity theft. Go to www.heinemann.co.uk/hotlinks, insert the express code 2048P and click on this unit. Make notes.

If you want a real challenge, prepare an oral presentation of your findings so that you can share them with others in your group.


Human actions

Breaches in security due to human actions could be accidental, malicious, or the result of negligence:

• Accidental breaches of security may be due to insufficient training of employees in the correct procedures.
• Malicious breaches may be prompted by a discontented employee who decides to take revenge on the organisation.
• An employee who knows what to do, but disregards policy, is guilty of negligence. If this results in a breach of security, the employee could be disciplined, and this may lead to job loss.

Systems issues

Systems issues may be caused by an incorrect installation, configuration problems or an operational error:

• If the virus checker software is incorrectly installed, e.g. not the most up-to-date version, there could be a breach of security.
• If the firewall (page nn) is set up with the wrong settings, access could be allowed in error, and there could be a breach of security.
• If there is some confusion between backup copies, the most recent data could be overwritten.

Systems issues can be avoided by the correct and timely application of procedures.

Viruses

Computer viruses can damage software by deleting and altering programs and data.

Viruses show themselves in various ways. Your computer may spontaneously reboot, or you may have system and applications crashes, problems with a soundcard or a speaker, or screen display anomalies (such as distortion, misshapen images or missing video). There may also be missing or corrupted files, disk partitions that disappear or boot disks that become unbootable.

Any such ‘strange’ behaviour can indicate a virus attack, and should be investigated before the virus can do more damage or transfer to other computers.

Types of virus

The least offensive form of a virus is the imposter virus. An email will warn you of a virus and suggest that you check whether you have a particular file somewhere on your hard disk. When you check, you find that indeed you do have this file, and set about deleting the offending file as per instructions given in the email, only to find that it was a hoax. Apart from the waste of time, and the stress involved in thinking you have a virus, you may delete an important file and reduce the functionality of your PC software.

What does it mean?
Strictly speaking, a virus is a program that attaches itself to existing software and then spreads by creating copies of itself. The specification for this course uses the term in a more general way to mean any program that can cause damage to an ICT system, so that is the meaning we have used here.


Other forms of virus are even less acceptable and can do real damage to your PC data.

• A boot sector virus plants itself in the boot sector of every bootable floppy disk or hard disk. This guarantees that it will run each time you boot up. These viruses spread from disk to disk, and hence from PC to PC if you take a floppy disk (or CD etc.) from one PC to another.
• File viruses are infected program files with extensions of .exe or .com; when the program is run, it does whatever damage it is designed to do.
• Macro viruses hide within the macros of applications such as Word and Excel. Such viruses spread from one open document or spreadsheet to another.
• BIOS viruses are the most harmful, as they attack the flash BIOS, overwriting the system BIOS and making the PC unbootable.
• A trojan is a special kind of virus. It infiltrates a PC by pretending to be a file or program that would normally be found on a PC. However, it can still cause problems, and can be difficult to track down. It takes its name from the Greek myth in which a gift of a wooden horse was a ruse to get soldiers, hidden inside the horse, inside the city walls. When executed, the trojan program tends to compromise the PC’s security.
• A worm or email virus, such as the famous Melissa virus, can send on emails – and the virus – to all your contacts using data from your address book. It tends to create a spoof message, which might fool someone who receives the email into thinking it is genuinely from the sender.

Some viruses hide by using a double file extension. A file may be called harmlessfun.jpg.vbs. The ‘vbs’ part shows that it is a Visual Basic program – and a potential virus – but, if you have opted to hide file extensions, it will show in a folder listing as harmlessfun.jpg and look just like an image file to you.
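The double-extension disguise described above can be checked for mechanically. The following Python sketch is an added example, not part of the original unit; the two extension lists, the function names and the sample file names are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed, non-exhaustive lists chosen for this example.
# Final extensions that Windows runs as a program or script:
RUNNABLE = {".exe", ".com", ".vbs", ".bat", ".cmd", ".scr", ".pif", ".js"}
# Extensions a user reads as harmless data (image, document, audio):
DECOY = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".txt",
         ".doc", ".xls", ".pdf", ".mp3"}


def classify(filename):
    """Return (verdict, shown_as) for one file name or Windows path.

    verdict  -- "double-extension", "runnable" or "ok"
    shown_as -- the name a folder listing displays while
                "Hide extensions for known file types" is switched on
    """
    path = PureWindowsPath(filename.strip())
    # Windows treats extensions case-insensitively, so compare in lower case.
    suffixes = [s.lower() for s in path.suffixes]
    # With extensions hidden, only the last extension is dropped from view.
    shown_as = path.stem if suffixes else path.name
    if not suffixes or suffixes[-1] not in RUNNABLE:
        return "ok", shown_as
    if len(suffixes) >= 2 and suffixes[-2] in DECOY:
        # The visible part still ends in a data-file extension.
        return "double-extension", shown_as
    return "runnable", shown_as


def flag_deceptive(filenames):
    """List (name, shown_as) for names that disguise a runnable extension."""
    report = []
    for name in filenames:
        verdict, shown_as = classify(name)
        if verdict == "double-extension":
            report.append((name, shown_as))
    return report


# Constructed sample listing (not taken from a real system).
SAMPLE_LISTING = [
    "harmlessfun.jpg.vbs",                      # the example from the text
    r"C:\Users\pat\Downloads\Invoice.PDF.EXE",  # upper case, full path
    "setup.exe",                                # runnable, but not disguised
    "holiday.jpg",
    "backup.tar.gz",                            # two extensions, neither runnable
    "minutes.final.doc",
]

if __name__ == "__main__":
    for name, shown_as in flag_deceptive(SAMPLE_LISTING):
        print(f"{name!r} would be listed as {shown_as!r}")
```

Only the first two sample names are flagged: each ends in a runnable extension while the part left visible in a folder listing still looks like a picture or a document.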

How viruses infect a PC

Viruses, trojans or worms can be introduced to a PC by one of two sources:

• If you save data on to an external storage medium (e.g. a floppy disk or CD) from a PC that is infected with a virus then, when you read from that medium into a second PC, the virus can infect it. This can happen when a file is opened from the medium, or when you boot from it.
• A file can arrive at a PC as an attachment to an email. If the file was saved from a PC that was infected, the receiving PC can become infected as soon as the attached file is opened.

Because viruses are programs, they can infect only programs. However, having done so, they can wipe files from your hard disk, make your PC crash or render it inoperable.

Further research – file extensions
Explore your software to see how to show the extensions of files. Set your system so that extensions are not hidden.

What does it mean?
A macro virus hides within a macro – so care must be taken when enabling macros.

What does it mean?
A trojan virus hides in a file that has a name you would expect to find on your PC.

What does it mean?
An email virus or worm can send on emails – and the virus – to all your contacts using data from your address book.

How to – display file extensions

• From My Computer or Explorer, select the folder containing the files for which you want to check the file extensions.
• On the menu bar, select Tools and then, from the drop-down menu, select Folder options.
• Click on the View tab and make sure that the item that reads Hide extensions for known file types is not checked. See Figure 17.1.

Figure 17.1 Unhiding extensions

Further research – security breaches
Visit the government’s publication website and browse by subject for publications relating to information security management. Go to www.heinemann.co.uk/hotlinks, insert the express code 2048P and click on this unit. Make notes.

If you want more of a challenge, prepare a slide presentation with your findings so that you can share them with others in your group.

Test your knowledge

1 Define these terms: hacker, identity theft, data theft.
2 Explain the difference between a trojan, a virus and a worm.
3 Explain how viruses, including trojans and worms, can infect a PC.


Impact of security breaches

Individuals and organisations need to trust information stored on a computer, and to know that the computer systems themselves are reliable and secure. This is particularly important in such activities as emailing, Internet purchases, online services and instant data retrieval from both databases and smartcards. Where this cannot be relied upon, the whole use of the ICT system is undermined.

Costs

Whatever the source or cause of security breach, costs are incurred.

• If data is lost, costs are incurred in recovering the data.
• If software is corrupted, a copy should be available, but the replacement will take time and incur staff costs.
• Depending on how serious a breach was experienced, there may be a need to consult specialists, and this too will incur extra costs.

So, security breaches are costly! Every effort should be made to avoid them.

• It may be decided that additional protection software is required to prevent further breaches.
• It may be decided that additional hardware is needed, or the placement of this hardware in more secure locations.

Any changes to the system will require staff time. The cost of this, as well as the impact on delays to work that would otherwise have been done, has to be included in the bill for a security breach.

Loss of business

A security breach can result in the collapse of an ICT system. The time during which normal service is not available is called downtime.

Organisations that rely on an ICT system to take orders will suffer a loss of business during the downtime. Some customers will come back later, but some will not; they will already have taken their business elsewhere.

If a security breach causes data loss, and it proves difficult to recover that data, then the result can be disastrous for an organisation.

Imagine what could happen if a theatre company lost all its data about the tickets it had sold for future productions. It would not be able to issue the tickets to theatre-goers who had already booked but not yet received their tickets; it would not know whether performances were sold out, or what seats were available on which nights, so would not be able to sell more tickets.

Further research – loss of data
List some more organisations that rely very heavily on their data to succeed.

If you want a real challenge, search the Internet for news of data loss incidents. Pool this information and, from this, identify more examples of types of organisation that are vulnerable to data loss.

What does it mean?
Downtime is any time when an ICT system is not working.


Any organisation that suffers a security breach suffers also the embarrassment and loss of face from the bad publicity if the public find out. Customers will be less inclined to trust an organisation, for example, if its website is often down, or deliveries do not arrive, or monies are deducted in error. Bad news travels very fast in such situations!

Physical loss of equipment

As technology moves on, hardware becomes easier to steal:

• Laptops become more portable, lighter, slimmer and easier to carry.
• A wireless mouse can be slipped in the pocket much more easily than one that is attached by a wire to the PC.

Security audits

An organisation that is unaware of how and where security breaches might occur could soon be faced with a situation that will be costly, and could be very embarrassing.

Instead, a security audit should be conducted to check what might go wrong, and to plan improvements before a hacker – or some other individual – takes advantage of the situation.

Contingency plans and disaster recovery

While a security audit will identify weaknesses that ought to be addressed, and an organisation should make every effort to remedy any shortfall, there will always be a risk of a security breach.

For this reason, an analysis of risks should be carried out and a contingency plan drawn up.

This contingency plan should cover backup, offsite storage, data recovery procedures, access to immediate hardware replacement, plus insurance that covers replacement, loss of business and all the recovery work.

Training should be given so that employees know what to do, for example, if they suspect a virus attack:

• Who should they contact first?
• Should they turn their ICT system off?

Employees also need to know what to do if they think their login ID is being used by someone else:

• Who should they inform of their fear?
• What methods might be used to trap the culprit?
• What procedures should be followed to prevent similar lapses in security in future?

Employees who are responsible for data recovery should also know the procedures to follow. The aim should be to plan ahead so that the whole system can be up and running again within a specified time-scale, e.g. 24 hours.

What does it mean?
A security audit reviews the ICT system and lists weaknesses that may result in a security breach.

What does it mean?
A contingency plan identifies what to do if something goes wrong.

Then, if the worst case scenario happens, disaster recovery should be as smooth as possible.

The contingency plan has to be developed from a full risk analysis, so that every eventuality is taken into consideration.

Legislation

The importance of personal and business data protection is so well recognised that various laws and guidelines have been introduced. These encourage data protection and discourage hacking and other offences.

This section considers three Acts of Parliament:

• The Data Protection Act 1998
• Crime and Security Act 2001
• Computer Misuse Act 1990

Data Protection Act 1998

The Data Protection Act (DPA) 1998 aims to safeguard the integrity, privacy and security of personal data.

Unit 2 explains the details of the DPA, data protection principles and introduces the terms used: data subject, data controller.

The DPA is overseen by the Information Commissioner’s Office, an independent supervisory authority reporting directly to Parliament. It also oversees and enforces compliance with the Freedom of Information Act 2000 and the Privacy and Electronic Communications Regulations 2003.

Test your knowledge

4 Explain these terms: downtime, security audit.
5 What is the link between the terms ‘contingency plan’ and ‘disaster recovery’?

Further research – legislation covering personal and business data protection
The full text of each act can be seen on the Internet. Use a search engine to find these acts and related sites that explain their application.

For a bigger challenge, read each act and make notes on the content.

What does it mean?
Disaster recovery is the process of following a contingency plan, adapted or otherwise, when a disaster happens.

What does it mean?
Personal data is data that relates to a living person, is private to that person and so could be used to identify that person.


The Information Commissioner’s Office has two main responsibilities:

• to promote good information control practice
• to enforce information control legislation.

To meet these responsibilities, the Information Commissioner’s Office has several tasks:

• It publishes guidance to help individuals and organisations to comply with the legislation, and to raise awareness of it through speaking engagements.
• It provides a general enquiry handling service, which includes maintaining their website, and formal written guidance that addresses individual circumstances.
• It maintains a public register of data controllers and computer bureaux under the Data Protection Act, together with the list of those public authorities with approved publication schemes under the Freedom of Information Act.
• It promotes compliance with the data protection principles.
• It encourages, where appropriate, the development of codes of practice to help data controllers to comply with the principles.
• It considers complaints about breaches of the principles of the Act and, where appropriate, prosecutes offenders or serves notices.

There are several exemptions from the DPA. For example, it does not apply to data held for ‘personal, family or household purposes’, so data held in a personal address book or mobile phone is exempt. In addition, data collected for national security, for the investigation of crime or for taxation purposes does not have to be declared to the Commissioner.

Otherwise, the exemptions from the need to register are extremely narrow. They cover only the simplest tasks:

• calculating pay and pensions for staff administration
• keeping accounts or records of purchases or sales
• distributing articles or information, such as advertising, marketing and public relations (using mailing lists)
• preparing text documents.

Further research – the Freedom of Information Act 2000
The Freedom of Information Act 2000 gives the general rights of access to all types of recorded information held by public authorities, allows for some exemptions and sets obligations on those public authorities.

Visit the website of the Information Commissioner’s Office to find out more about what is expected of public authorities.

If you want a bigger challenge, write your own summary of the Act.


Most organisations find it difficult to meet and stay within the limits imposed by these exemptions. This means that people and organisations that hold personal information about living individuals probably need to register under the DPA, no matter how unimportant this information may appear.

If personal data is exempt from the whole of the DPA then there is no need to register. In this case there is then no right of data subject access, i.e. a person cannot demand to see data held about them, and the courts have no powers regarding this personal data.

Note: An earlier Data Protection Act related only to data stored on a computer system. The more recent Act covers all personal data, including documents stored in a filing cabinet or lists written on paper.

Crime and Security Act 2001

This Act focuses on national security matters, but it also affects how data might need to be accessed by relevant authorities. In particular, Part 11 of the Crime and Security Act 2001 covers the retention and disclosure of communications data.

Communications service providers are allowed to retain data about their customers’ communications for access by law enforcement agencies and for national security purposes. So, for example, instead of deleting mobile phone records as soon as they have been used for billing purposes (as per the data protection principles of the Data Protection Act), the telephone company may retain them, and this data may be used to help the police to monitor calls made by suspects.

A code of practice, to be drawn up in consultation with industry, will set out provisions that will fall within the Regulation of Investigatory Powers Act 2000. This Act sets out the limits on the purposes for which the law enforcement, security and intelligence agencies may request access to data relating to specific communications.

Further research – personal data held about you
At your centre of learning or place of work, find out what personal data is stored about you.

Investigate any policies that protect your data. Do these policies cover the requirements of the Data Protection Act?

If you want a real challenge, make recommendations for improving the protection of your personal data.


Computer Misuse Act 1990

The Computer Misuse Act 1990 covers four main types of criminal activity:

• hacking into a system, even if just done as a game to beat an organisation’s security system or firewall
• vandalising software or data held on a computer, e.g. by overwriting codes or changing data
• writing viruses that can cause damage to software and data and disrupt the operation of a computer system
• theft of data, e.g. confidential information regarding product design plans or diagrams of security wiring within a building.

The Act introduces three new offences:

• unauthorised access to computer data
• unauthorised access with intent to commit or allow further offences
• unauthorised modification of computer data.

It is important to appreciate what each entails – and what penalties can be levied. Unit 2 covers this in more detail.

Further research
Visit The Guardian website on anti-terrorism and make notes on aspects that relate to the security of data. Go to www.heinemann.co.uk/hotlinks, insert the express code 2048P and click on this unit.

Look for other sources of information about this Act, and the reaction to it.

Case study

JANET

JANET is the electronic communications network used by UK higher and further education colleges and the research community. JANET is managed by UKERNA on behalf of the Joint Information Systems Committee (JISC) and is not for public use. JANET publish their AUP (acceptable use policy) on their website.

Find out what AUP exists within your college or place of work. Visit the JANET website and compare your list with the material published by JANET.


ICT systems

This section considers standalone and networked computers, and Internet-enabled systems, and how these different types of ICT system might fall foul of a security breach.

Standalone computers

Standalone PCs fall into two types:

• Mobile computers are light enough to take from place to place. See Figure 17.2.
• A desktop computer is more bulky, and is certainly not portable. See Figure 17.3.

Test your knowledge

6 Explain these terms: personal data, data controller, data subject.
7 List the Data Protection principles.
8 What four types of criminal activity are covered by the Computer Misuse Act?
9 What is an AUP?

Figure 17.2 Mobile computers: (a) laptop and (b) PDA Figure 17.3 Standalone desktop PC with peripherals

What does it mean?

A standalone PC is one that is not linked permanently to others in a network.


Risk of theft

A laptop is the easier of the two to steal. It can fit easily into a briefcase and be carried away. If a laptop is left visible in a car, it is an invitation for thieves to break in and steal it, as well as any other valuables.

A desktop is less likely to be stolen by the casual thief. Its bulkiness alone makes this impractical. However, if adequate physical security measures are not in place then an organisation could be robbed of several desktop computers and associated peripherals in a single determined break-in.

Risk of virus attack

Both types of standalone computer run the same level of risk: there is none through Internet access unless the computer is connected. Both also carry the same level of risk if an unchecked floppy disk, CD or other storage medium is used to transfer data from another computer.

Risk of unauthorised access

While a computer is unconnected there is no risk of hacking taking place. However, unless security procedures such as passwords are used, an individual might access confidential data on an unattended standalone PC. Ideally, if you leave your PC, you should log off. If this is not practical, a screen saver might be used that requires you to log in again when you return.

Networked computers

The network could be a LAN (local area network) where all the resources are very close to each other or a WAN (wide area network), where the resources can be in separate buildings, or even separate towns or countries.

Risk of theft

Networked computers in a LAN are much less likely to be stolen than standalone computers. In a WAN, the equipment is located in a number of different places, and each place needs adequate physical security measures.

Individual workstations and peripherals may attract thieves though. For example, if a particularly expensive, high quality printer is shared by a number of workstations, warranting its high cost, this one peripheral may be worth stealing.

Risk of virus attack

If one computer on the network becomes infected, it is highly likely that others will too. There are more possible entry points in a network, so everyone is reliant on everyone else to be vigilant.

Risk of unauthorised access

As with standalone PCs, while a network is not connected to the Internet there is no risk of hacking by persons outside the premises. Therefore, an intranet might operate without such a threat.

What does it mean?

A networked computer is one connected to others so that software and hardware resources can be shared, and communication is possible between them.


However, once the network is attached to the Internet, the risks are the same as for temporarily connected standalone computers.

Internet-enabled systems

As soon as a system is connected to the Internet, risks increase:

• Email communication, with attachments, can result in the spread of viruses.

• Open channels between the system and the Internet could allow unauthorised access to data, increased risk of data theft, and infection by viruses.

To protect an Internet-enabled system, a firewall is needed.

Test your knowledge

10 Explain these terms: standalone PC, networked PC, LAN, WAN.

11 What is an IP address used for?

12 Compare and contrast the risks of theft, virus infection and hacking for the three different types of ICT system: standalone PC, networked PC and Internet-enabled system.

What does it mean?

An Internet-enabled system is a computer or network of computers with a link to the Internet. This allows the exchange of email communication and access to the World Wide Web.

What does it mean?

A firewall is a type of security system that monitors the data passing through the ports of an ICT system, and blocks data that is unauthorised.


Security measures

The main aims of ICT security are as follows:

• to maintain the integrity of the ICT system or network

• to protect the data and software from unauthorised changes being made

• to protect the hardware and the immediate environment of the system from both accidental and deliberate damage

• to detect and monitor successful and unsuccessful attempts at illegal access

• to provide a means of recovery in case damage is incurred.

This section considers how to protect the data of individuals and organisations by using appropriate security measures. These are divided into three types:

• Data protection methods include software solutions such as virus protection software and firewall barriers to hackers.

• Physical security methods include the installation of access control devices such as CCTV, and common-sense actions such as careful positioning of a monitor screen.

• Organisational procedures are also important. An organisation needs to set up procedures for good practice and then to check that these are adopted by all employees.

Data protection methods

There is a wealth of software available – at a price – to protect a computer from attack. However, those attempting to breach security are always devising new methods, so there is a constant requirement to regularly update whatever software defences are in place.

Disadvantages

While it is important to load your ICT system with all the necessary software protection, the fact that these programs are resident on the computer, and running all the time, means that they are taking up processor time. This can result in system slowdown.

Security, however, should not be allowed to impede access or effective use of a system, so it is important that the configuration of the computer is sufficiently high (fast processor, lots of RAM) to cope with the background tasks.

Specialist software and updating

A huge industry has been built to combat security breaches. Software engineers work hard to write software, such as virus and spyware protection software, and to dream up clever types of data encryption.


What does it mean?

System slowdown is the noticeable effect of too many background tasks being run while the user is trying to work in the foreground, e.g. to write a letter.


Virus protection software

Almost at the same rate as virus writers invent new viruses, anti-virus software vendors produce updated versions of their software.

Anti-virus software attempts to trace viruses by looking for the virus signature. This sequence of characters can be recognised by the anti-virus software vendors, having analysed the virus code. Meanwhile, virus writers adopt ‘cloaking techniques’:

• Just as cells in a diseased body mutate, a polymorphing virus is designed to change its appearance, size and signature each time it infects another PC, making it harder for anti-virus software to recognise it.

• A stealth virus hides its damage so that, for all intents and purposes, it looks as if nothing is wrong.

• A directory virus corrupts a directory entry so that it points to the virus instead of to the file the virus is actually replacing.

The only defence against viruses is to subscribe to a reliable anti-virus software vendor’s virus protection service. Regular scanning of the PC is recommended, as is immediate update of virus software as soon as an update is released.

There are several types of products available:

• Virus scanner software is the most common form of anti-virus software. The scan is initiated by the user.

• Start-up virus scanner software runs each time the PC is booted up. It checks only for boot sector viruses.

• Memory-resident virus scanner software stays in memory and checks incoming emails and browser documents, and so automatically checks the environment in which your PC operates.

• A behaviour-based detector is a form of memory-resident virus scanner software that watches for behaviour that would indicate the presence of a virus, such as similar emails being sent within a short space of time.

The anti-virus software vendors maintain a database of information about viruses, as a DAT file of their profiles and signatures. Users who subscribe to an online anti-virus protection service may have this virus definition DAT file downloaded to their PC automatically each time an update is released. Other users may receive an email telling them that an update is available.

Having the most up-to-date DAT file, scanning regularly and avoiding opening emails that look like they may contain viruses, is all that PC users can do to protect themselves. You ought to perform anti-virus checks as part of your regular maintenance programme. This should keep your data file of known viruses up to date, and reduce the risk of attack.
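The signature matching and DAT updates described above, as an added Python example (not from the original unit or from any anti-virus vendor): a minimal scanner run over constructed sample files, showing what an out-of-date DAT file misses and why a virus that has changed its signature is not matched. The signature names, byte patterns and release numbers are invented for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str        # label the vendor gives the virus
    pattern: bytes   # byte sequence taken from the analysed virus code
    added_in: int    # DAT release that first shipped this signature


# Constructed vendor database: names, patterns and release numbers are invented.
VENDOR_SIGNATURES = (
    Signature("Demo.Macro.A", b"DEMO-MACRO-A\x01\x02", added_in=1),
    Signature("Demo.Boot.B", b"\xeb\x3cDEMO-BOOT-B", added_in=2),
)

# Constructed sample "files": harmless bytes that merely contain the patterns.
SAMPLE_FILES = {
    "letter.doc": b"Dear customer, thank you for your order.",
    "report.doc": b"Q3 figures..." + b"DEMO-MACRO-A\x01\x02" + b"...end",
    "floppy.img": b"\x00" * 16 + b"\xeb\x3cDEMO-BOOT-B" + b"\x00" * 16,
    # Stands for Demo.Macro.A after it has changed its appearance: none of the
    # analysed byte sequence survives, so a signature scan has nothing to match.
    "mutated.doc": b"Q3 figures..." + b"d3m0_m4cr0_a\x7f\x7e" + b"...end",
}


def load_dat(release: int) -> list[Signature]:
    """Return the signatures a PC holds if its DAT file is at `release`."""
    return [s for s in VENDOR_SIGNATURES if s.added_in <= release]


def scan(data: bytes, dat: list[Signature]) -> list[str]:
    """Names of all signatures whose pattern occurs anywhere in `data`."""
    return [s.name for s in dat if s.pattern in data]


def scan_files(files: dict[str, bytes], release: int) -> dict[str, list[str]]:
    """Scan every file; only files with at least one hit appear in the result."""
    dat = load_dat(release)
    hits = {name: scan(data, dat) for name, data in files.items()}
    return {name: found for name, found in hits.items() if found}


def missed_by_outdated(files: dict[str, bytes], installed: int,
                       latest: int) -> dict[str, list[str]]:
    """Detections the latest DAT makes that the installed DAT does not."""
    old, new = scan_files(files, installed), scan_files(files, latest)
    missed = {}
    for name, found in new.items():
        gap = [sig for sig in found if sig not in old.get(name, [])]
        if gap:
            missed[name] = gap
    return missed


if __name__ == "__main__":
    for release in (1, 2):
        print(f"DAT release {release}:", scan_files(SAMPLE_FILES, release))
    print("Missed with release 1 installed:",
          missed_by_outdated(SAMPLE_FILES, installed=1, latest=2))
```

Even with the latest release, `mutated.doc` is reported clean, which is the gap that behaviour-based detectors are meant to cover.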

If your system is behaving strangely, this may indicate a virus attack. Update your virus checker and do a scan, just in case this explains the behaviour.

What does it mean?

Virus protection software attempts to trap viruses and, therefore, prevent them from damaging data and software.


If the software detects a virus, a pop-up screen informs the user and may offer options: to quarantine the file (i.e. move it somewhere it can do no harm), to repair the file (i.e. delete the virus but retain the file) or to delete the file.

Anti-virus software vendors may include the option to create a rescue disk. This is a bootable disk that also contains anti-virus software. If your system fails due to a virus and will not boot, this rescue disk should solve the problem. Write-protecting the disk will prevent it becoming infected with a virus.

Spyware

Spyware is software that is installed on your ICT system without your knowledge. It tries to send information about your computer habits and activities to another computer.

How to – Perform a virus check

1 First, check that your anti-virus software is as up to date as possible. You will need to go online to your anti-virus software provider and use their facilities to check your ICT system to see whether an update is necessary. (Some vendors offer to advise you automatically, and to download updates automatically, whenever you are online. You should accept such offers, as it saves you having to remember to check for updates, and reduces the amount of time that your PC may be unprotected from the latest viruses.)

2 Once you are sure that you have the best anti-virus data available to you, use the anti-virus software menu to select the virus scan option.

3 You will be asked to identify which parts of your ICT system you want to be checked. You might want to check only a floppy disk, or a CD from which you intend to read files. You should, however, on a regular basis, check your hard disk too. Tick the relevant boxes to show which drives are to be checked for viruses, and then click OK.

4 If a virus is found, your anti-virus software will attempt to clean the file for you. Sometimes this is not possible and the file will have to be deleted. If it is an important systems file, you may need to reinstate it – from your backup files (see page 24 for details of backing up data).

If you want a bigger challenge, write notes to show how to perform a virus check on your own PC.

Further research – clean and defragment your hard disk

Demonstrate that your virus data is up to date and then complete a virus scan on your PC. Use a utility to permanently delete any unwanted files, and to ‘clean’ your hard disk. Finally, use a utility to defragment your hard disk.

What does it mean?

A rescue disk contains enough software to restart your PC, plus anti-virus software so that you can clean your infected PC.

What does it mean?

Spyware is any application that tracks your behaviour in accessing websites without your knowledge or consent.


There are a number of ways spyware can work:

• The application may incorporate a keylogger, which records your every keystroke. This may include your password or other sensitive data such as a bank account number.

• Toolbars that you download to make browsing easier have the capability to record all your activity through that toolbar, and to send this record back to the toolbar supplier.

• Driveby downloads are programs that may be downloaded to your computer, perhaps while you are downloading something else, often without your knowledge or consent. For example, these can be initiated during a visit to a web page, or by opening an HTML email message.

• When you visit a website, the website software may be written so as to leave a cookie on your computer. Some cookies, such as tracking cookies, may pose a security threat; others are harmless and even useful. If you have a firewall, your computer may reject attempts to leave a cookie on your computer, but you may need to grant access for some software; otherwise you cannot access online help pages and updates automatically.

Anti-spy software can identify spyware and list it. Figure 17.4 shows one software package. Figure 17.5 lists the tracking cookies found during a scan; note the option to remove them. You would be wise to delete any tracking cookies identified by anti-spy software.

Figure 17.5 List of cookies generated by a spyware scan

Figure 17.4 Anti-spy software

Further research – spyware

Research the Internet to find out more about spyware. What software is available and how much does it cost to protect a computer against spyware?

If you would like a bigger challenge, write notes on available spyware, comparing what is on offer and the costs involved.

Data encryption

Data encryption involves encoding sensitive data, such as financial, legal and other confidential details, when it is sent over the Internet, so that only the intended recipient can decode the data.

What does it mean?

Data encryption is the coding – or scrambling – of data prior to transmission and the unscrambling of it on arrival, to prevent those without the code from understanding the data.


When a message is encrypted, a secret numerical code, called the encryption key, is applied to each character. The message then comprises indecipherable characters – unless you have the matching key, which reconstructs the original message.

Most e-commerce websites use a type of encryption called secure sockets layer (SSL) encryption, when sending confidential data such as payment method details.

SET (secure electronic transactions) is a networking protocol developed by the major credit card organisations, MasterCard and Visa, designed to ensure the security of credit card transactions that take place electronically over the Internet. SET encrypts the messages between the purchaser and the vendor so that they are difficult to decode by anyone else.

The Electronic Funds Transfer (EFT) system is used by banks and other financial institutions to transfer vast sums of money. These transmissions are protected by the Data Encryption Standard (DES) together with additional encryption techniques.

Further research – the EFT system and Data Encryption Standard

Find out what encryption methods are used by organisations such as PayPal (Figure 17.6) and WorldPay.

Find out what advice is given by organisations like PayPal as to how you can avoid misuse of confidential financial information and avoid identity theft.

Figure 17.6 Paypal

Further research – how to encrypt a file

Using Windows 2000 or later, you can also encrypt a file by setting a file property. Research the Internet to find out how this can be done.


Passwords and access codes

There are two simple ways to use software to refuse unauthorised access: passwords and access codes.

Modern operating systems allow for one PC to be shared by two or more users. Each user can be allocated their own space on the hard drive, and their privacy can be ensured by the setting up of passwords. A password can be set that gives the user access to all of his or her own work – and to any shared files (Figure 17.7).

The benefit of each user having a named account is that the user may control how software looks when they log on. This means each user can set their own preferences for the desktop icons that are displayed, the toolbars within each application etc.

Test your knowledge

13 Explain these terms: polymorphing, stealth virus and directory virus.

14 Distinguish between start-up scanner software and memory-resident scanner software.

15 What is a virus database?

16 What is a rescue disk?

17 What is spyware?

18 Explain these terms: keylogger, driveby download.

19 What is data encryption?

Figure 17.7 User accounts on a single computer

What does it mean?

A password is a series of characters that a user has to enter to gain any access at all to a system or to a particular file.

An access code is a password that allows limited access to a system.


A network of computers is usually set up to be used by several users, each one having their own user account. The format for the network is usually set centrally and so the user does not have the option to change things. Entry is via a login procedure, which includes entering a password (to access the network) and a user ID (to identify the user).

The user ID also acts as an access code, because certain users will have access to certain applications and files, while other users will not have the same access privileges.

On a PC, to provide this differentiation of access, passwords can be set at two levels:

• The user level password is needed for access to a user’s work.

• The higher level is supervisor level. Without this password, you cannot access the BIOS settings.

A user with supervisor level access will be responsible for setting up the user accounts for other users. This includes setting up initial passwords. Then, the individual users can change their passwords if they wish.

On a PC, if you set up both passwords but forget one or both of them, what will happen?

• If you forget the user password, but can remember the supervisor password, you can turn on the PC and interrupt the boot process before it reaches the point of asking for the user password. You can then use the supervisor password to reset the user password (and then make a point of remembering it!).

• If you forget the supervisor password but can remember the user password, you can use the PC, but you cannot make any further changes to the BIOS settings.

If you forget both passwords, you have problems that cannot be solved using software alone!

You can temporarily bypass the password-checking process. To do this, you need to use the password-clear jumper (Figure 17.8). However, unless you recall the supervisor password, you cannot reset the user password.

All is not lost though – provided you kept track of the BIOS settings that you have made to your PC. You can remove the CMOS battery so that these two passwords are reset to the factory default settings and then configure the CMOS settings from scratch again.

Figure 17.8 Password-clear jumper

What does it mean?

A user ID is an access code that identifies the user, so that activity by that user can be tracked. For example, which applications are used and when, which files are accessed and when.


Backup and storage

If there is a security breach and data is lost, or if a computer crashes and the hard drive is damaged, how can you recover from this disaster? You need to have a copy of all the software that was installed and, more importantly, a copy of all your data too. The copy is called a backup.

When you buy software, the vendor may supply this on a CD. These are used for installation and also provide the backup version. If you download software from an online source, then, in the event of some corruption of the software, you should be allowed to download it again. You will need to keep note of any registration numbers though, because there will be checks to make sure you are not downloading to a second computer without appropriate licensing.

For data, there are two types of backup:

• A full backup is a copy of all files. The date of the backup needs to be recorded.

• A partial backup – or incremental backup – is a copy of only those files that have changed since the previous backup. The date is again important, but there also needs to be a record of which files have been backed up.

The purpose of taking a backup is to be able to restore data should there be some disaster: a corrupted hard disk, a PC that just stops working, a fire, or the theft of data. Where you store the backup is therefore important.

Further research – password protection

Experiment with the Control Panel / User Account option. Set up a new user, and set a password.

How else can users protect their work? For example, when they leave their desk for a short while, how can users prevent anyone from accessing their work?

How might a user prevent anyone else from opening a file, e.g. a Word document?

If you want a real challenge, write notes on how to protect a Word document.

Test your knowledge

20 Distinguish between an access code and a password.

21 What is the difference between a user level password and a supervisor level password?

What does it mean?

A backup is a copy of software or data taken at a particular time as a security measure.


• If a backup copy of the data is stored on the same computer, and the hard drive fails, you might not be able to access it.

• If the CDs holding your software are in a drawer in the desk on which your PC sits, and there is a fire, the CDs will be lost too.

All backup files ought to be stored away from the computers that have the data, and may also be stored in a fire-proof safe.

The choice of backup medium is also important. It needs to be one that allows fast copying, and is portable so that it can be stored away from the original data. The medium for networked systems tends to be a removable disk or digital tape, mainly because there is such a large volume of data to be stored. On a smaller system, such as a standalone PC, other less expensive solutions might be used. You might save important files on a series of CDs, or take advantage of online options.

With networked computers, the person responsible for the management of the network will have a system of taking regular backups. It will probably be an automated process that happens when traffic on the network is at a minimum, e.g. outside normal office working hours. This should cause the minimum disruption to the system.

Case study

Diana

Diana’s PC was once hit by a virus and she suffered damage to her data, so she wisely installed anti-virus software – and, even more wisely, started taking regular backups of her data. Recently, a file was corrupted and she needed to recover a backed-up version of the file.

She pressed Start and selected All Programs / Accessories / Systems Tools (Figure 17.9). She then selected System Restore and followed the on-screen instructions.

What systems tool should Diana have selected?

What does System Restore do?

Explain the effect of what Diana did.

Figure 17.9 System Tools menu

Backup provides a wizard to backup – and to restore – files.

To access the Systems Tools, open the Start menu. Select All Programs, and Accessories.

System Restore restores the system!


To summarise, it is important that the process of taking backups is done in a systematic way, and that the saved data is easily retrieved in the event of any disaster.

• To minimise the amount of time taken during the backup process, you should choose a medium that has fast read/write times, such as another hard drive, a CD or a zip drive.

• To reduce the amount of data that has to be saved, incremental backups could be taken each day, with the full backup being done, say, weekly.

• The timing of the backup can be chosen so that the disruption to other work is minimised, i.e. scheduled for when little other work is being done, maybe late at night or at weekends.

• To automate the backup procedure, an automated scheduled task should be set up.

The software needed to do a backup may be provided as a utility on a computer, or you might buy a specialist package from a software vendor, or subscribe to an online backup service.
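The full and incremental backups summarised above, as an added Python example (not from the original unit): each backup writes a manifest recording its date, its type and the files copied, and a restore takes every file from the newest backup that holds it. The folder layout, the manifest format and the use of SHA-256 hashes to detect changed files are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _state(source: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of contents, for every file under source."""
    return {p.relative_to(source).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in source.rglob("*") if p.is_file()}


def _manifests(store: Path) -> list[dict]:
    """Manifests of all backups in the store, oldest first."""
    return [json.loads((d / "manifest.json").read_text())
            for d in sorted(store.iterdir()) if (d / "manifest.json").is_file()]


def backup(source: Path, store: Path, kind: str) -> dict:
    """Take a 'full' or 'incremental' backup of source into a new folder in store."""
    if kind not in ("full", "incremental"):
        raise ValueError("kind must be 'full' or 'incremental'")
    store.mkdir(parents=True, exist_ok=True)
    history = _manifests(store)
    if kind == "incremental" and not history:
        raise ValueError("an incremental backup needs an earlier backup to compare with")
    now = _state(source)
    previous = history[-1]["state"] if kind == "incremental" else {}
    # Full: every file. Incremental: only files that are new or whose content changed.
    changed = sorted(rel for rel, digest in now.items() if previous.get(rel) != digest)
    folder = store / f"{len(history) + 1:04d}-{kind}"
    (folder / "files").mkdir(parents=True)
    for rel in changed:
        target = folder / "files" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, target)
    manifest = {
        "folder": folder.name,
        "type": kind,
        "taken_at": datetime.now(timezone.utc).isoformat(),  # date of the backup
        "files": changed,   # record of which files were backed up
        "state": now,       # what existed at this moment; basis for the next incremental
    }
    (folder / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(store: Path, destination: Path) -> list[str]:
    """Rebuild the data as of the latest backup: last full plus later incrementals."""
    history = _manifests(store)
    if not history:
        raise ValueError("no backups found")
    last_full = max(i for i, m in enumerate(history) if m["type"] == "full")
    chain = history[last_full:]
    restored = []
    for rel in sorted(chain[-1]["state"]):   # files that existed at the last backup
        # Newest backup in the chain that holds a copy of this file.
        holder = next(m for m in reversed(chain) if rel in m["files"])
        target = destination / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(store / holder["folder"] / "files" / rel, target)
        restored.append(f"{rel} <- {holder['folder']}")
    return restored


def demo() -> dict:
    """Constructed example: a full backup, two daily incrementals, then a restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, store, out = root / "work", root / "backups", root / "restored"
        source.mkdir()
        (source / "letter.txt").write_text("Dear Sir")
        (source / "accounts.csv").write_text("jan,100")
        full = backup(source, store, "full")
        (source / "accounts.csv").write_text("jan,100\nfeb,120")  # edited on Monday
        mon = backup(source, store, "incremental")
        (source / "notes.txt").write_text("call the bank")        # created on Tuesday
        tue = backup(source, store, "incremental")
        log = restore(store, out)
        return {"full": full["files"], "mon": mon["files"], "tue": tue["files"],
                "restore": log, "accounts": (out / "accounts.csv").read_text()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The restore log shows the cost of incremental backups: recovering three files needs three separate backup folders, so losing any one of them breaks the chain.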

System facilities

System facilities are necessary to provide a level of protection against data loss. For example, an uninterruptible power supply (UPS) can protect against problems such as power failure.

Further research – backup procedures

At your centre of learning or place of work, find out what procedures are adopted for backing up data. Make notes.

Think about how their procedures are tailored to suit their workforce needs. Can you see any room for improvement of their procedures?

If you want a real challenge, write a report recommending changes to the backup procedures adopted at your centre of learning or place of work.

Test your knowledge

22 Explain the term backup.

23 Distinguish between a full backup and an incremental backup.


UPS

A UPS aims to provide just that: an uninterrupted power supply! It has two circuits (see Figure 17.10):

• An AC circuit acts as a surge suppressor, protecting the PC against spikes and other voltage fluctuations.

• A battery with DC to AC converter provides a backup store of energy, so that if there is a brownout the battery power can be converted into AC power and supplied to the PSU.

There are two principal types of UPS, both of which contain batteries to power the computer system if the mains power supply fails:

• In a stand-by UPS, the computer system operates via the mains until there is a cut, when the UPS switches over to a battery, converting its stored energy to alternating current. It is cheap and silent, but offers only limited filtering against ‘spikes’ on the mains.

• An in-line UPS is more expensive but isolates the computer from the mains at all times, using mains power to charge a battery, then reconverting to alternating current to power the computer system. Because of this, the computer always receives a ‘clean’ waveform.

UPS is not to be confused with SPS (standby power supply) or battery backup (which supplies power when none is available, but has no power conditioning feature).

Surge suppressor

To further protect a PC against problems with the external supply, a power strip, or surge suppressor, can take the hit from any voltage spike. A MOV (metal oxide varistor) within the suppressor absorbs the spike, but can also be knocked out by it. An LED will indicate the level of protection; if this LED fails to light, the suppressor needs to be replaced!

• A surge suppressor’s clamping voltage is the voltage at which the suppressor is set to kick into action.

• The clamping speed is the reaction time of the suppressor – a bit like the thinking speed when you have to hit the brake on a car.

Figure 17.10 UPS

What does it mean?

UPS stands for uninterruptible power supply.

What does it mean?

A spike (or power surge) is a sudden and short-lived large voltage that can be caused by an anomaly such as a lightning strike.

What does it mean?

A brownout is the opposite of a spike; it is a period of under-voltage that might be caused by excessive demand on the electrical supply grid.


The specification for a surge suppressor includes its energy absorption rate (in joules) and the level of protection offered, given by the number of watts that will pass through the suppressor:

• The higher the energy absorption rate the better: 200 joules is OK, 400 joules offers good protection but 600 joules will give the best protection.

• The lower the watts, the higher the protection: 500 watts is OK, 400 watts is better but 330 watts is best.

A surge suppressor may also smooth out line noise by filtering the incoming power stream. This is called line conditioning and is measured in decibels.

Apart from the power source, power faults may enter the PC via the telephone connecting line, so the surge protector should include phone-line protection. Alternatively, you might install a separate phone/modem isolator.

As ever, the more you pay, the better the product. UL (Underwriters Laboratories) standard UL1449 covers surge suppressors. Any product that has met this standard should protect your PC adequately.

Surveillance and monitoring

To maintain a secure system, it is necessary to incorporate surveillance and monitoring techniques.

Organisations must watch their users to know what they are doing, and to make sure that what they are doing does not pose a threat to the security of a system. When users log on, they enter a user ID. This allows the system to watch what the user is doing:

• An individual user’s key depressions can be recorded, so what the user does, or attempts to do, can be seen.

• The system can note which files are accessed and which are amended, by whom and when. If a user logs on at a time when they would not normally be in the office, this might suggest someone else is using their user ID to gain unauthorised access.

• The system can trace which Internet pages are viewed by which users. This may indicate behaviour that contradicts the conditions of employment. But it may also indicate behaviour that increases the risk of virus attack for the organisation.

• Email traffic can also be intercepted. This can identify files that are to be sent as attachments and uncover attempts to facilitate theft of confidential information.

What does it mean? Surveillance involves watching at a given moment in time. Monitoring involves keeping track over a period of time.

Test your knowledge

24 Distinguish between UPS, PSU and SPS.

25 Explain these terms: spike, power surge, brownout.

26 Name two types of UPS.

27 Distinguish between clamping voltage and clamping speed.

28 What is line conditioning?

The threat to a system may come from hackers who are attempting an attack from outside the organisation. Access may come through open ports, but this may be thwarted by the use of a firewall (see below).

Over time, trends in behaviour can also be monitored. A virus may have attacked a system, and be slowly degrading performance. To identify such problems, the performance of the system can be monitored, e.g. by using Performance Logs and Alerts. See Figure 17.11.

Figure 17.11 Monitoring system performance

Firewalls

A firewall builds a protective ‘barrier’ around a computer or a network of computers. The firewall sets up a ‘gateway’ and allows only authorised traffic through the gateway. Incoming data is inspected and only let through if it is legitimate. Attempts by software on the computer, or a workstation on the network, to send messages from the system are also monitored and can be selectively barred.

Firewalls can be set up to check all the communications between a system and the Internet. If a firewall detects any unexpected attempts to access the system via the Internet, it can block them and report them immediately to the user.

What does it mean? A firewall is a piece of systems software that protects the system from unauthorised access.


Physical security methods

Physical security methods are those that rely on human intervention or physical barriers, such as locked doors, rather than software, to protect the system and its data.

There are many ways in which a system can be damaged:

• Major disasters might be localised, such as a fire or flood, or they may affect a whole district, e.g. an earthquake. Any such disaster will cause disruption, and recovery procedures will be essential.

• The environment can adversely affect hardware and the integrity of data stored. Electrical or magnetic interference, high temperatures or humidity can all create problems.

• Wear and tear, accidents, or mishandling can result in broken components or damaged cables.

Other problems can prevent recovery after data has been lost:

• An employee may lose a CD, or the key to the box in which the backup CDs are stored, or the key to the storeroom in which replacement equipment is stored.

A variety of protection methods can be employed:

• Major disasters, such as a fire or flood within the building, can be prevented by proper maintenance procedures. However, accidents do happen, so it is essential that backup and recovery procedures are in place.

• Environmental factors, such as temperature and humidity, can be controlled by the installation of appropriate equipment in areas where computers are being used.

• Wear and tear, or more likely obsolescence of equipment, is a fact of the passing of time. But employees should be trained to handle equipment properly, without harm to themselves or the equipment.

• Human error, for example in the misplacement of keys, could be catered for by assigning additional key-holders. However, the more keys that are in circulation, the more likely there is to be a breach of security.

Accidental damage will still happen, even if great care is taken. The main purpose, though, in installing physical security methods, is to prevent deliberate security breaches.

Test your knowledge

29 Distinguish between surveillance and monitoring techniques.

30 What is a firewall? What protection does it offer?


Access-control devices

Unauthorised access is the most important threat:

• People without authority should not be able to gain access to buildings – and then to the rooms housing computers or sources of confidential data.

• Even if they gain access to a forbidden area, they should not be able to log on and gain access to computer systems and data.

So the security in a building must be good enough to prevent unauthorised visitors gaining access to forbidden areas:

• Computers and other sensitive equipment could be kept in a separate area, with access to that area restricted to a limited number of personnel.

• Locks and burglar alarms could be installed to protect whole buildings, and specific areas within a building.

Some security methods rely on staff following correct procedures:

• Security staff could be employed to patrol the building outside normal office hours, and a CCTV system could be installed to provide surveillance of sensitive areas from the comfort of a centralised security office. As long as the security staff are vigilant, any attempt at unauthorised access should be seen and action taken to prevent it.

• Reception staff could be required to issue passes to visitors. It might also be necessary for these visitors to be collected at reception by an employee who can escort the visitor during their stay. As long as all employees follow procedures, no apparently legitimate visitor should have the opportunity to breach security.

What does it mean? CCTV stands for closed circuit television.

Building passes could be obtained fraudulently, so more sophisticated methods might be employed in highly sensitive situations. For example, a building pass may incorporate biometric data, making it more difficult for someone to pose as someone who really does have the right to access data.

What does it mean? Biometric data is data that measures something to do with the biology of the user, such as a fingerprint or a voice pattern.

Another option is to use a software protection dongle.

What does it mean? A software protection dongle is a hardware device that has to be in place before a user can gain full access to some software.

The dongle (Figure 17.12) is also referred to as a hardware key or hardware token.

Without the dongle in place, the user gains access to only a restricted version of the software, or it might be programmed not to run at all without the dongle in place.

Figure 17.12 Dongle


Further research – dongles

Research the term ‘dongle’ to find other meanings applied to it.

Extend your research to find out about the ‘trusted client’ problem.

If you want a real challenge, prepare a presentation to explain how a dongle can be used to restrict access to an ICT system.

Further research – restricting visibility of screen data

Next time you are in a bank or other organization which has computers within a public area, note the position of the monitors.

Consider the positioning of monitors in your centre of learning or place of work. Does it prevent anyone who should not see the data from doing so? Make recommendations for improvements.

Consider the screen savers that are available on your ICT system. What controls are offered? Make notes.

For a bigger challenge, prepare an oral presentation on how screen savers can improve the security of an ICT system.


Limiting visibility of data

There are some situations where many people may legitimately be near the computers but only a restricted few ought to be able to read the screen.

For example, in a bank the bank clerk needs to be able to see the customer’s details on the screen, and may let the customer view them, but no one else ought to see them. Therefore, careful positioning of the monitor is necessary.

Similarly, if an employee takes a phone call or is distracted from the screen for more than a short while, a screen saver can be used to stop other people seeing what is on screen, providing a level of privacy.

Shielding

One source of corruption is electrical interference of cabling: noise on the line and cross-talk. Another source is interference from external sources such as radiation.

The design of cables ranges from very simple to quite complex. The simplest ones are the cheapest but can suffer from noise on the line and cross-talk corruptions. The more complex cabling, involving cable screening, is more expensive but data transfer tends to have fewer errors.

Further research – cable testing

Research the Internet to find out how cables can be tested to check the effectiveness of shielding.

Test your knowledge

31 Give three examples of disasters that can adversely affect data held on an ICT system.

32 How can temperature and humidity adversely affect an ICT system? What can be done to overcome this?

33 Give three examples of access control devices.

34 What does CCTV stand for?

35 What is biometric data? Give two examples of biometric data.

36 What is a dongle? How can it be used as a security protection device?

Organisational procedures

This section considers the organisational procedures that will help to protect the security of an ICT system.

Organisations must decide the policies that are to be adopted with regard to computer use and Internet access. These policies are to be adopted by all employees, so checks need to be made that employees are indeed following the correct procedures. This may involve carrying out security audits.

Employees must be aware of what is expected of them, and their responsibilities. They should also be aware of how compliance will be monitored and what sanctions might be used against any employees who fail to observe the stated policies.

The security of an ICT system relies heavily on passwords being kept secret, so it is good practice to change them periodically, and to give employees guidance on a sensible choice of passwords.

Further research – Internet usage

In your centre of learning or your place of work, find out what the policy is regarding the use of the Internet.

Find out who is responsible for monitoring Internet use, and how this is done.

Further research – audit trails

Working with a friend, explore the audit trail options within Windows.

In the Help and Support centre, search on ‘audit trail’ and read about how to set up an audit trail, and how it can help to track what is happening on a computer system. Look in particular at any technical articles that show you how to enable Windows security alerting. Make notes.

Go to the Control Panel, and explore the Computer Management option for a wider understanding of how you might set up an audit trail.

What does it mean? An audit trail is a record of everything that has happened, e.g. events such as users logging on and off, files being accessed or modified.

Policies

The management team will need to identify the levels of authority to be allocated to various employees for making day-to-day decisions, and who is responsible for checking that all employees work within their given brief.

First, a decision needs to be made as to who should be allowed access to an ICT system at all. In many organisations, many of the employees have a networked PC on their desk, and expect to spend much of their working day at the keyboard. However, this is not so true of some security staff, the cleaning team, the catering team and other ancillary staff. Not everyone should have access to the computer system, and it will fall to someone, maybe in the Personnel or IT department, to set up a system of passwords and user IDs (see page 22) so the right people have the right level of access to data for the job they are assigned to do.

For some employees their work may involve working within the organisation’s intranet, and no access to the Internet is needed. For others, to do their job properly, Internet access is a must. However, company policy as to how, and for what purpose, the Internet can be used needs to be stipulated. This may be called an acceptable use policy (AUP).

Security audits and computer check-ups

To keep track of what employees are doing on their workstations, it is possible to set up an audit trail.

How to – Set up an audit trail

You must first decide your audit policy, i.e. the categories of events you want to audit. For example, you may want to note each time a user logs on and logs off a workstation within a network.

Within Windows XP, an audit trail is available as part of the Computer Management option from the Control Panel (Figure 17.13). (You may have to start the Local Security Settings MMC in Local Security Policy first.)

Figure 17.13 Computer Management within Windows XP

When you first install Windows XP Professional, no categories are selected, and therefore no audit policy is in force. Computer Management lists the event categories that you can audit.

The next step is to set the size and behaviour of the security log. How much history will you keep? The longer the history, the greater the size of the space needed for the log.

There is also an Audit directory service access category and an Audit object access category. For each, you must specify the objects to which you want to monitor access and amend their security descriptors accordingly. For example, if you want to audit any attempts by users to open a particular file, you can set a Success or Failure attribute directly on that file for that particular event.


An audit trail provides an opportunity to track potential security problems. It also helps to ensure user accountability and provides evidence in the event of a security breach.

Using the audit trail options, a network administrator can therefore monitor access to the network and look at the network access log to check who has been using the network and for what purpose. Similarly, a log of who is using which applications, what emails are being sent and what access is being made to the Internet are all available.
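The review described above, and the earlier point that a logon at an unusual time may mean someone else is using a user ID, can be automated over a logon/logoff audit trail. The following Python code is an added example, not part of the original unit; the log line format, user IDs, workstation names, cutoff date and one-hour tolerance are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (illustrative, not real data).
# Assumed line format: date time event user-ID workstation
AUDIT_TRAIL = """\
2006-09-04 08:52:10 LOGON  asmith WS-03
2006-09-04 17:31:44 LOGOFF asmith WS-03
2006-09-05 09:03:27 LOGON  asmith WS-03
2006-09-05 17:28:02 LOGOFF asmith WS-03
2006-09-06 08:47:55 LOGON  asmith WS-03
2006-09-06 13:05:12 LOGON  bjones WS-07
2006-09-06 17:35:40 LOGOFF asmith WS-03
2006-09-06 21:58:31 LOGOFF bjones WS-07
2006-09-07 13:10:09 LOGON  bjones WS-07
2006-09-09 02:14:36 LOGON  asmith WS-11
2006-09-09 02:49:03 LOGOFF asmith WS-11
2006-09-11 08:58:20 LOGON  asmith WS-03
2006-09-11 13:02:47 LOGON  bjones WS-07
not a valid line
"""

# Events before the cutoff build each user's baseline; later ones are reviewed.
CUTOFF = datetime(2006, 9, 8)


def parse_events(text):
    """Parse the trail; malformed lines are counted rather than stopping the review."""
    events, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            day, clock, action, user, workstation = parts
            when = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            skipped += 1
            continue
        if action not in ("LOGON", "LOGOFF"):
            skipped += 1
            continue
        events.append({"when": when, "action": action,
                       "user": user, "workstation": workstation})
    return events, skipped


def build_baseline(events, cutoff):
    """Record, per user ID, the hours, weekend use and workstations of past logons."""
    baseline = defaultdict(lambda: {"hours": set(), "weekend": False,
                                    "workstations": set()})
    for e in events:
        if e["action"] == "LOGON" and e["when"] < cutoff:
            profile = baseline[e["user"]]
            profile["hours"].add(e["when"].hour)
            profile["weekend"] |= e["when"].weekday() >= 5
            profile["workstations"].add(e["workstation"])
    return dict(baseline)


def hour_gap(a, b):
    """Distance between two clock hours, wrapping at midnight (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def review_logons(events, baseline, cutoff, tolerance_hours=1):
    """Return logons after the cutoff that do not fit the user's earlier pattern."""
    findings = []
    for e in events:
        if e["action"] != "LOGON" or e["when"] < cutoff:
            continue
        profile = baseline.get(e["user"])
        reasons = []
        if profile is None:
            reasons.append("no earlier logons recorded for this user ID")
        else:
            if all(hour_gap(e["when"].hour, h) > tolerance_hours
                   for h in profile["hours"]):
                reasons.append("logon hour outside the user's usual pattern")
            if e["when"].weekday() >= 5 and not profile["weekend"]:
                reasons.append("weekend logon not seen before")
            if e["workstation"] not in profile["workstations"]:
                reasons.append("workstation not used by this user before")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    events, skipped = parse_events(AUDIT_TRAIL)
    baseline = build_baseline(events, CUTOFF)
    for f in review_logons(events, baseline, CUTOFF):
        print(f["when"], f["user"], f["workstation"], "; ".join(f["reasons"]))
    print(f"{skipped} malformed line(s) skipped")
```

A flagged logon is a prompt for a person to investigate, not proof of misuse: the employee may simply have worked late or used a colleague's desk.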

Defining responsibilities

Employees who do have Internet access might be tempted to spend time during the working day checking the cricket score in a test match, surfing the net to decide where to go on their next holiday, or bidding on an online auction. Some organisations may ignore minor personal use of the Internet during working hours and, if it does not become excessive, do nothing. This is a bit like allowing an employee to read the paper when they really ought to be working – or taking a personal phone call during working hours. Where does management draw the line?

Some organisations set a policy that states categorically that no personal use of the Internet is allowed. This forms part of the contract of employment; so, if an employee abuses the access to the Internet, they can face a warning and may be dismissed.

Each employee has a responsibility to behave responsibly and within the terms of their signed employment contract. To do otherwise might open the organisation to the threat of a virus attack or other security breach.

Monitoring compliance and sanctions

Employers who have a stated AUP and include restrictions on the use of the Internet within contracts of employment are entitled to monitor the activities of all employees to make sure no one is breaking the terms of their contract. The monitoring may be done using audit trail options, as described above.

If an employee is found to have contravened the terms of employment, a formal warning can be given and, in tune with employment legislation, dismissal may follow.

Further research

At your centre of learning or place of work, find out how regularly employees are expected to change their passwords.

What does it mean? A password cracker is a piece of software that tries all possible passwords – as listed in cracker dictionaries – in an attempt to guess your password.


Update periods of passwords

Someone who wants to gain access, and who knows the user ID of an employee, only needs to gain physical access to the network to log on. Then, to make further progress, the hacker needs to know the password. If passwords remained the same forever, any passwords that had been guessed or seen during input would offer the hacker an option to gain entry to confidential data.

If, however, passwords are changed regularly, this at least limits the length of time a hacker has to make use of any information obtained.

Training and guidance

Some organisations use password crackers to try to guess the passwords that employees choose. The theory is that, if an employee has chosen a weak password, it is better for the organisation to guess it, and insist it is changed, than to have an outsider guess it first.

Training is needed to help employees to choose a good password, and guidance as to what makes a password easy to crack helps too.

A password has to be a memorable word for the user, but not something so obvious that anyone else might guess it, especially someone who knows them well. Like a toothbrush, it makes sense to choose a good one, and to replace it as soon as it shows signs of wear. Tables 17.2 and 17.3 provide some guidance.

DO NOT

… share your password: Your password gives entry to an account that is assigned to you. You will be held responsible for the activities of the account.

… write down your password: Passwords that are written down can be easily seen and stolen.

… store your password in a program: Many email clients, web browsers, and web services offer to store your password to save you having to type it in each time. This is a bad idea, because it is easy for hackers to recover your password from inside one of these programs, if they have access to your computer (and sometimes even if they do not). Some computer viruses may also be able to recover your password from such stores and email them to random people, or post them publicly on the Internet.

… use dictionary words: One method of guessing passwords is to use a brute force attack in which the attacker tries possible passwords over and over again until they manage to break into the account. All words found in online dictionaries, even foreign dictionaries, can be systematically tried, until the right password is found.

… common misspellings of dictionary words: Even replacing ‘l’ with a ‘1’ does not help. There are cracker dictionaries of commonly misspelt words, so if yours is one of them it can still be discovered.

… real names: As with dictionary words, these can be discovered using a brute force attack.

… the name of the computer or your account: This would be a first guess for a potential hacker. Even if you reverse it, capitalise alternate letters, or double some letters, this is an easy one to crack systematically.

… choose something personal: Avoid including personal dates (birth, anniversaries), special numbers (age, phone number, passport number) or names of nearest and dearest (people, pets, football teams). They are too easy to guess for someone who knows you.

… use obvious passwords: Words such as PASS, LETMEIN, OPENSESAME, TEST and number sequences such as 123456 are too easy for a hacker to guess.

… use all the same letter or number: AAAAAAA for a 7-character code would be so easy to check for! It would be particularly easy for password cracking software to find this one.

… use a pattern on the keyboard: Be aware that you might be watched while keying in your password. So, a password such as QWERTY would be very easy for someone to notice and remember.

Table 17.2 Things not to do when choosing a password

DO

… use as many characters as are allowed: The longer the password, the more difficult it could be to guess. Each additional character increases the total number of combinations possible. A long but relatively simple password can be more secure than a short and complex one, and could be easier to remember.

… use multiple character classes: Most password systems are case sensitive, so including upper and lower cases complicates the password without making it less memorable for you. Include also digits and punctuation marks so that you avoid dictionary terms.

… use letters from a phrase or lyric: Choose a memorable phrase such as ‘A bookshop at 84 Charing Cross Rd’. Select letters and digits from it: Ab@84CXR. If you can remember the phrase, you can remember the password and yet it is difficult for someone else to guess. This is sometimes called the licence plate rule – creating something you might put on a vanity licence plate.

… invent a pronounceable nonsense word: Consider how words are abbreviated in text messaging and choose something along the same lines: Cul8rAxx

… substitute or omit letters: You could take a memorable word or phrase like ‘MyBakedPotatoes’ and lose the vowels: ‘MBkdPtts’. Or use numbers instead of letters; ‘Potato’ could become ‘P0t8t0’. Or use shifted numbers: ! instead of 1, $ instead of 4 and so on. So long as you remember to hold the Shift key down while pressing the digit keys, this part of your password might be easier to remember.

… code using your phone keypad: A phone keypad groups numbers and letters: 1, 2abc, 3def, 4ghi, 5jkl, 6mno, 7pqrs, 8tuv, 9wxyz. If you choose a word or phrase that is memorable to you, such as ‘toenail’, you can recode that to the first letter of the keypad: ‘tmdmagj’. No one could guess it, but if you look at your keypad, you can ‘spell’ out the word quite easily.

Table 17.3 Things to do when choosing a password

Of course, you could choose unprintable characters but, if you use characters that do not appear on the standard US 101 key keyboard (such as an accented letter), you run the risk of not being able to gain access to your account in some situations.
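Several of the rules in Tables 17.2 and 17.3 can be checked automatically when a password is chosen. The following Python code is an added example, not part of the original unit; the word list, the substitution table and the account name asmith are constructed for illustration, and the keyspace figure assumes characters chosen at random.

```python
import itertools
import string

# Constructed sample lists (assumptions for this example); a real check would
# load full dictionaries of words, names and known misspellings.
WORDS = {"password", "football", "welcome", "dragon", "michael"}
OBVIOUS = {"pass", "letmein", "opensesame", "test", "123456"}  # from Table 17.2
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Common look-alike substitutions, undone before the dictionary check.
UNDO = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def collapse_doubles(text):
    """'aassmmiitthh' -> 'asmith': remove immediately repeated characters."""
    return "".join(ch for ch, _ in itertools.groupby(text))


def weaknesses(password, account):
    """Return the Table 17.2 rules the password breaks (empty list = none found)."""
    pw = password.lower()      # changing case alone does not disguise a word
    acct = account.lower()
    found = []
    if pw in OBVIOUS:
        found.append("obvious password")
    if len(pw) > 1 and len(set(pw)) == 1:
        found.append("all the same letter or number")
    if len(pw) >= 4 and any(pw in row or pw in row[::-1] for row in KEY_ROWS):
        found.append("pattern on the keyboard")
    # Account name reversed, with alternate capitals, or with doubled letters.
    variants = {pw, collapse_doubles(pw)}
    targets = {acct, acct[::-1],
               collapse_doubles(acct), collapse_doubles(acct)[::-1]}
    if variants & targets:
        found.append("based on the account name")
    if pw in WORDS:
        found.append("dictionary word or real name")
    elif pw.translate(UNDO) in WORDS:
        found.append("dictionary word with characters substituted")
    return found


def keyspace(password):
    """Number of candidates a brute-force search must cover for this length and
    mix of character classes, assuming the characters were chosen at random."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)


if __name__ == "__main__":
    for candidate in ["LETMEIN", "AAAAAAA", "QWERTY", "AaSsMmIiTtHh",
                      "htimsA", "footba11", "Ab@84CXR"]:
        result = weaknesses(candidate, "asmith") or ["no listed weakness"]
        print(f"{candidate:14} {', '.join(result):45} "
              f"keyspace={keyspace(candidate):.2e}")
```

The keyspace function also shows the Table 17.3 point about length: fifteen lower-case letters give 26 to the power 15 combinations, more than the 94 to the power 8 of an eight-character password that uses every character class.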

If you have to remember several different passwords, one for each new account held on the Internet, plus your bank account passwords and the ones for work or your centre of learning, you need to adopt some sensible method of choosing different passwords for them all:

• You should not use the same password for all accounts, because, if it were to be guessed, all your accounts would be vulnerable.

• You could reuse the password according to the sensitivity of the data. If you have a number of non-sensitive accounts, you could use the same password for all of them. Then you need only remember


Test your knowledge

37 What is an audit trail?

38 Explain these terms: active directory, service access, network access log.


Assessment tasks

All assessment tasks are based on this scenario:

MAGIC is a small marketing company, employing 35 people. The network manager at MAGIC has reported a number of attempted security breaches. The HR manager has agreed that all staff should be given up-to-date training on all aspects of security on the network.

How do I provide assessment evidence?

Your evidence can be presented in any suitable form, such as written reports, presentations or verbal explanations, together with the documents that you create for Task 3. These can be supported by other documentation, such as printouts, screen shots, witness statements, observation records and transcripts of conversations. If you make a presentation, include speaker’s notes, and print off both slides and notes.

All your evidence should be presented in one folder, which should have a front cover and a contents page. You should divide the evidence into five sections corresponding to the five tasks.

Task 1 (P1)

Create a poster to describe types of security breach. Use examples, and a tabulated style with one row per breach. In the second and third columns, explain their possible causes and impact. To gain full marks you should describe four types of security breach.

Task 2 (P2)

Select one relevant Act of Parliament and summarise the information into a two-page report describing what the current legislation requires a particular organisation to do to protect their data and ICT systems. Make sure that the legislation you describe is current.

Task 3 (P3)

Prepare a slide show presentation to describe how to protect data using appropriate security measures. You should describe how data protection, physical security methods and organisational procedures are used.

Task 4 (M1, D1)

Identify appropriate security measures for a given scenario. There should be a clear link between aspects of the scenario organisation and the security measures identified.

Task 5 (M2)

Explain, through a written or web-based report, with examples, how an individual in an organisation can contribute to the security of data.

To work towards a Distinction you would need to justify your security recommendations for the organisation.

To work towards a Distinction in this unit you will need to achieve all the Pass, Merit and Distinction criteria in the unit and have evidence to show that you have achieved each one.

BTEC_1st ICT Unit 17.indd 40BTEC 1st ICT Unit 17 indd 40 12/9/06 8:56:04 pm12/9/06 8:56:04 pm

Page 41: 17 Security of ICT Systems - Pearson Education · Macro viruses hide within the macros of applications such as Word and Excel. Such viruses spread from one open document or spreadsheet

41Index

IndexNote: Page references in bold refer to defi nitions and key terms.

A

acceptable use policy (AUP) 34access-control devices 31access codes 21anti-spy software 20anti-virus software 18–19attachments, viruses in 7audit trails 34–5AUP (acceptable use policy) 34,

36

B

backup procedures 24–6battery backup 27behaviour-based detectors 18biometric data 31BIOS settings, passwords 23BIOS viruses 6boot sector viruses 6brownout 27building passes 31business losses, security breaches

8–9

C

cabling, shielding from noise 32CCTV (closed circuit television)

31clamping speed and voltage 28Computer Misuse Act (1990) 13contingency plans 9–10cookies 20costs, security breaches 8credit card security 21Crime and Security Act (2001) 12

D

DAT fi les 18data encryption 20–1

Data Protection Act (1998) 10–12data protection methods access codes 23 backups 24–6 fi rewalls 29 monitoring/surveillance 28–9 passwords 22–3 specialist software 17–21 system facilities 26–8data storage 24–6data theft 4, 13data visibility, limiting 32desktop computers, security risks

15disaster recovery 9–10dongles 31double fi le extension viruses 6downtime 8DPA (Data Protection Act) 10–12driveby downloads 20

E

electrical interference, reducing 32

electricity supply, protecting against failures 26–8

Electronic Funds Transfer (EFT) 21

email viruses 6, 16encryption of data 20–1energy absorption rate, surge

suppressors 28equipment, theft of 9

F

file extensions, unhiding 6
file viruses 6
firewalls 16, 29
Freedom of Information Act (2000) 11
full backups 24

G

guidance in choosing passwords 36–9

H

hackers 3
hacking 13

I

ICT systems
  Internet-enabled systems 16
  networked computers 15–16
  physical damage to 4
  standalone computers 14–15
identity theft 3
imposter viruses 5
in-line UPS 27
incremental backups 24
Information Commissioner’s Office, duties of 11
Internet-enabled systems 16
Internet access, limiting 34, 35

K

keyloggers 20

L

LAN (local area network) 15
laptops, security risks 15
legislation
  Computer Misuse Act (1990) 13
  Crime and Security Act (2001) 12
  Data Protection Act (1998) 10–12
line conditioning 28


M

macro viruses 6
memory-resident virus scanner software 18
monitoring techniques 28–9, 34–5
MOV (metal oxide varistor) 27

N

national security 12
network access logs 34
networked computers 15
  audit trails 34–5
  backup media/procedures 25
  login procedures 23
  security risks 15–16

O

organisational procedures
  access to buildings 31
  audit trails 34–5
  defining responsibilities 35–6
  password guidance 36–9
  policies 33–4
  training 36–9

P

partial backups 24
password-clear jumper 23
password crackers 36
passwords 22
  changing regularly 36
  guidance on choosing 36–9
  levels of 23
personal data 10
  identity theft 3
  protection of 10–12
physical security methods 30
  access-control devices 31
  limiting visibility of data 32
  shielding 32
policies of organisations 33–4
polymorphing viruses 18
power failures, protecting against 26–7
power surges, protecting against 27–8
PSU (power supply unit) 27

R

Regulation of Investigatory Powers Act (2000) 12
rescue disks 19
restoring backup data 24–5

S

secure electronic transactions (SET) 21
secure sockets layer (SSL) encryption 21
security audits 9
security breaches
  causes of 4–7
  impact of 8–10
  types of 3–4
SET (secure electronic transactions) 21
shared files 22
shielding, cables 32
software protection by dongles 31
spikes (power surges) 27
SPS (standby power supply) 27
spyware 19–20
SSL (secure sockets layer) 21
staff
  acceptable use policies (AUPs) 33–4
  monitoring activities of 34–5
  responsibilities of 35–6
  training in use of passwords 36–9
stand-by UPS 27
standalone PCs 14
  backup procedure 24–6
  security risks to 14–15
storage of backups 24–5
supervisor level passwords 23
surge suppressors 27–8
surveillance 28–9
system performance, monitoring 29
system slowdown 17

T

theft of PCs, risks of 15
toolbars, as spyware 20
training
  choosing passwords 36–9
  virus attack procedures 9–10
trojan viruses 6

U

unauthorised behaviour
  damage to code/data 4
  hardware damage 4
  identity theft 3
  Internet-enabled systems 16
  networked PCs 15–16
  physical access 31
  removal of data 4
  standalone PCs 15
  use of data without damage 3
UPS (uninterrupted power supply) 27
user IDs 22, 34
user level passwords 23
users, monitoring of 28–9

V

vandalising software, legislation against 13
virus protection software 18–19
virus scanner software 18
virus signatures 18
viruses 5
  anti-virus software 18–19
  checking for 19
  legislation 13
  networked computers 15
  sources of 6–7
  standalone PCs 15
  types of 5–6
visibility of data, limiting 32
voltage fluctuations, protecting against 27–8

W

WAN (wide area network) 15
websites, monitoring access to 29
worm viruses 6