DATA SECURITY AND CONTROL

Data Security and Controls

Data security is the protection of programs and data in computers and communication
systems, against unauthorized modification, destruction, disclosure or transfer, whether
accidental or intentional.

It involves:
- Protection of data and information against access or modification
- Denial of data and information to unauthorized users
- Provision of data and information to authorized users.
Data control is the measure taken to enforce the security of programs and data.

Data and information privacy

Private data or information is that which belongs to an individual and must not be
accessed or disclosed to any other person unless with direct permission from the owner.
Confidential data – data or information held by a government or organization about
people , must be protected against unauthorized access or disclosure.

Data security core principles

Also referred to as information security. They are; Confidentiality, Integrity and
Availability.

Confidentiality
Sensitive data or information like employees details, business financial ,etc belonging to
the organization or government should not be accessed by or disclosed to unauthorized
people.

Integrity
Means that data should not be modified with without owners authority.

Availability
Information must be available on demand.

Security threats and control measures

Viruses
The term virus stands for: Vital Information Resource Under Siege
A virus is a program that will change the operation of the computer without the user’s
information. Viruses attach themselves to computer files called executable files such
that any time such programs are run a copy of the virus is sent out. So it duplicates
itself continuously.
Therefore a computer virus can be defined as:
- A self -replicating segment of computer code designed to spread to other computers
by sharing “infected” software.
- A destructive program that attaches itself to other files and installs itself without
permission on the computer when the files are opened for use.
- A program that can pass a malicious code to other non-malicious programs by
modifying them.
- A program or code that replicates itself and infects other programs, boot and partition
sectors or documents inserting itself or attaching itself to the medium.

Types of computer viruses

 Boot sector – they destroy the booting information on storage media.
 File viruses – attach themselves to files

1
 Hoax viruses – come as e-mail with an attractive subject and launches itself when e-
mail is opened.
 Trojans Horse – they perform undesirable activities in the background without user
knowledge.
 Backdoors – may be a Trojan or worm that allows hidden access to a computer system.
 Worms – it attaches it self on non-executable files and it self-replicates clogging the
system memory and storage media. When a document is emailed the worm travels with it
and through that easily spreads to other computers on a network.
 A logic bomb – infects a computer’s memory, but unlike a virus it does not replicate
itself. A logic bonb delivers its instructions when it is triggered by a specific condition,
such when a particular date or time is reached or when a combination of letters is typed
on a keyboard. A logic bomb has the ability to erase a hard drive or delete certain files.

Note: The main difference between a virus and a worm is that a viruses attaches
themselves to computer executable files while a worm attaches it self on non-executable
files in the computer.

Symptoms of a computer affected by viruses

- Unfamiliar graphics or quizzical messages appearing on screen.
- Program taking longer to load
- Slow – down of the general operation
- Unusual and frequent error messages occurring more frequently
- Access light turning on for non-referenced devices
- Programs / files mysteriously disappearing
- Executable files changing size for no obvious reason.
- Change in file size
- Loss or change in the file size
- Loss or change of data
- Disk access seeming excessive for simple tasks
- System crash
- Files and programs disappearing mysteriously
- Disk access seems excessive for simple tasks

Sources of virus into the computer system

- Copies of pirated software
- Fake computer games
- Freeware / Shareware and bulletin board programs that have not been checked for
viruses.
- Using infected disks from vendors, consulting firms, computer repair shops and main-
order houses.
- Downloading and opening infected files from the Internet.
- Hackers intent on malicious destruction of networked systems to which they have gained
unauthorized.
- Infected proprietary (private) software
- Updates of software distributed via networks.
- E-mail attachments
- Contacts with contaminated systems e.g. diskettes, flash disks, CDs, etc.

Control measures against viruses

- Install the most latest version of antivirus software on the computer
- Avoid foreign diskettes in the computer system
- Avoid opening mail attachments before scanning for viruses
- Regular backing-up of all software and data files. Files back-up can be used to restore
lost files in the event of a system failure.
- When opening e-mails, user should not open attachments from unknown senders.

2
- All unlicensed software should be carefully examined before use.
- Always check for virus on portable disks when used to move files between computers.

Information system failure

Some of the causes include;
 Hardware failure due to improper use
 Unstable power supply as a result of brownout or blackout and vandalism
 Network breakdown
 Natural disaster
 Program failure

Control measures
 Use surge protectors and UPS to protect computer systems against brownout or black
out which causes physical damage or data loss.
 Install a Fault Tolerant system which has the ability to preserve the integrity electronic
data during hardware or software malfunction.
 Disaster recovery plans by establishing offsite storage of an organizations databases so
that incase of disaster or fire accidents, the backed up copies are used to reconstruct
lost data.

Unauthorized access
Physical access to computer system should be restricted to ensure that no unauthorized
person gets access to the system

Form of unauthorized access:

(i). Eaves dropping / wire tapping
This is tapping into communication channels to get information packet sniffers can
eavesdrop on all transmissions and activities on the system
(ii). Surveillance (monitoring)
This involves where a person may keep a profile of all computer activities done by
another person or people. The gathered information is used for other illegal works.
Special programs called cookies are used by many websites to keep track of your
activities.
(iii). Industrial espionage
Spying on your competitor to get information that you can use to counter or finish the
competitor.
(iv). An employee who is not supposed to see sensitive data by mistake or design gets it.
(v). Strangers straying into the computer room when nobody is using the computers.
(vi). Network access in case the computers are networked and connected to the external
world.

Control measures against unauthorized access:

1. Encrypt the data and information during transmission
Encryption is a process of encoding a message so that its meaning is not obvious;
decryption is the reverse process of transforming an encrypted message back into its
normal form. Data can only be read by person holding the encryption ‘key’.
Alternatively the terms encode and decode or encipher and decipher are used
instead of the verbs encrypt and decrypt.
2. Reinforce the weak access points like doors and windows with metallic grills.
3. Installing alarm systems and other security devices.
4. Keeping computer rooms locked after hours and when not in use.
5. Restricting access to areas with computers so that only authorized personnel are
allowed to use passwords.

3
 6. Use file passwords
7. Use of magnetic token or ‘SAMRT’ card or fingerprint or retinal scan for identification.

Computer errors and accidental access

Errors and accidental access to data and information may be as a result of people
experimenting with features they are not familiar with. Also people may mistaken printing
sensitive reports and unsuspectingly giving them to unauthorized persons.

Control measures
1. Set up a comprehensive error recovery strategy in the organization.
2. Deny access permissions to certain groups of users for certain files and computers.

Physical theft
This involves the theft of computer hardware and software. It involves breaking into an
office or firm and stealing computers, hard disks, data and other valuable computer
accessories by being taken away by either an insider or an intruder. Most cases of theft are
done within an organization by untrustworthy employees of the firm {Inside job} or by an
intruders (outsiders) for commercial, destruction to sensitive information or sabotage
resources.

Control measures
- Employ guards to keep watch over data and information centres and backup.
- Burglar proof the computer room.
- Reinforce weak access points
- Create backups in locations away from main computing centre.
- Motivate workers to feel sense of belonging in order to make them proud and trusted
custodians of the company resources.
- Insure the hardware resources with a reputable firm.

Trespass
This is the act of gaining access or entering into a computer system without legal
permission.

Cracking
Refers to the use of guess work over and over again, by a person until he/she finally
discovers a weak in the security policies or codes of software. Alternatively refers to
someone using his / her knowledge of information systems to illegally or unethically
penetrate computers systems for personal gain.

Hacking
Refers to when an individual intentionally breaks codes and passwords top gain
unauthorized access into a computer system, but without intent of causing damage.
Tapping
Tapping is when someone gains access to information that is being transmitted via
communication links. Any information that is transmitted across a network is at risk of being
intercepted, if appropriate security measures are not put in place.

Piracy
Is the act of making illegal copies of copyrighted software, information or data.
To eliminate piracy
- Make software cheap, enough to increase affordability
- Use licenses and certificate to identify originals
- Set installation password to deter illegal installation of software
- Enforce laws that protect the owners of data and information against piracy.

4
Fraud
Refers to leaking personal or organizational information using a computer with the intention
of gaining money or information.
Example of fraud is where one person created an intelligent program in the tax department
that could credit his account with cents from all the tax payers. He ended up becoming very
rich before he was discovered.

Alteration
Refers to illegal changing of data and information with the aim of gaining or misinforming
the authorized users. When a system is compromised the data lacks reliability, relevance
and integrity. Example of data alteration are when students break into system to alter exam
results, or someone breaks into a banking system to change account details or divert
money.

Spam
A spam is unsolicited electronic junk mail, often commercial, message transmitted
through the Internet as a mass mailing to a large number of recipients. Is send by a person
gaining access to a list of e-mail addresses and redirecting the e-mail through the Mail
Server of an unsuspecting host, making the actual sender of the spam difficult to trace.
Spam is annoying, but usually harmless, except in cases where it contains links to web
sites. Clicking on these links may sometimes leave your system open to hackers or
crackers.

Junk – is meaningless or worthless information received through e-mail

Description and protection against computer crimes

Audit trail
Computer Audit Trails are used to keep a record of who has accessed a computer system
and what operations he or she has performed during the given period of time. Audit
Trails are useful both for maintaining security and for recovering lost transactions. Audit
Trails help to detect trespassing and alterations. Incase the system is broken into by a
hacker; an Audit Trail enables their activities to be tracked. Any unauthorized alterations
can be rolled back to take the system back the state it was in before the alterations
were done

Data encryption
Data encryption is a means of scrambling (or ciphering) data so that it can only be read
by the person holding the encryption ‘Key or ‘algorithm’. The key is a list codes for
translating encrypted data – a password of some sort. Without the key, the cipher
cannot be broken and the data remains secure. Using the Key, the cipher is decrypted
and the data remains secure. Using the Key, the cipher is decrypted and the data is
returned to its original value or state. Each time one encrypts data a key is randomly
generated. The same key is used by the data recipient to decrypt the data.
Data encryption is a useful tool against network snooping (or tapping).

Log files
They are special system files that keep a record (log) of events on the use of the
computers and resources of the information system. The information system
administrator can therefore easily track who accessed the system, when and what they
did on the system.

Firewalls
A firewall is a program or hardware that filters information coming through the Internet
and connection into your personal computer or network. Firewalls can prevent
unauthorized remote logins, limit or stop Spam, and filter the content that is

5
 downloaded from the Internet. Some Firewalls offer virus protection, but it is worth the
investment to install Anti-Virus software on each computer.

Security monitors
These are programs that monitor and keep a log file or record of computer systems and
protect them from unauthorized access.

Biometric security – is unauthorized control measure that takes the user’s attributes
such as voice, fingerprints and facial recognition.

Authentication policies such as signing users log on accounts, use of smart cards and
Personal Identification Number (PIN).

Difficulty in detection and prevention of computer crimes

1. the crime might be complex
2. it’s not easy to find clear trail of evidence leading to the guilty party e.g. No finger
prints
3. there are no witness
4. Few people in management and law enforcement know little about computers to
prevent the crime.

Effects of ICT on health

Some health concerns on the use of ICT devices such as computers and cellular phones are:
 Eye strain and headache – this can be controlled by taking frequent breaks, using
TFT LCD displays or antiglare screen on CRT monitors.
 Back and neck pains – use adjustable and right sitting posture
 Repetitive Strain Injury (RSI) – also known as repetitive motion injury or cumulative
trauma disorders results from fast repetitive tasks such as typing. This results in
damage of nerves and tendons. make sure correct use of the keyboard, and take
frequent breaks in between.
 Noise – some noise, such as that of an impact printer, may leave a person with
“ringing ears”. Use non-impact printers, head mounted earphones and microphones.

Effects of ICT on the environment

Disposal of dead computer parts, consumption and emissions have resulted in
environmental pollution. Environmental Protection agency (EPA) has created the energy star
compliance policy, which coerces electronic components manufacturers worldwide to comply
to acceptable levels of environmental pollution and radiation.
Computer manufacturers are also avoiding excessive use of harmful chemicals such as
chlorofluorocarbons and nickel cadmium and other heavy metals in their productions.