DATA SECURITY AND

CONTROL Introduction

Data & Information must be protected against unauthorized access, disclosure,

modification or damage. This is because; it is a scarce & valuable resource for any
business organization or government. It is mostly used in transactions, it can be
shared, and has high value attached to it.

Data & Information security:

Data security is the protection of data & information from accidental or intentional
disclosure to unauthorized persons.

Data & Information privacy:

Private data or information is that which belongs to an individual & must not be
accessed by or disclosed to any other person, without direct permission from the
owner.

Confidential data or information – this is data or information held by a

government or organization about people. This data/information may be seen by
authorized persons without the knowledge of the owner. However, it should not be
used for commercial gain or any other unofficial purpose without the owner being
informed.
SECURITY THREATS TO DATA & INFORMATION

1). COMPUTER VIRUSES

- A computer virus is a destructive program that attaches itself to other files when
the files are opened for use, and installs itself on the computer, without the
knowledge of the user.

-A computer virus is a program designed specifically to damage other programs or

interfere with the proper functioning of the computer system.

A virus is a computer code usually designed to carry out 2 tasks:

(a) To copy itself from one computer system to another.

(b) Tolocate itself within a computer system enabling it to amend/destroy program

& data files, by interfering with the normal processes of the operating system.

Types of computer viruses.

1. Boot sector viruses – they destroy the booting information on storage devices.

2. File viruses – they attach themselves to files either erasing or modifying them.

3. Hoaxviruses – they come as e-mails with an attractive subject & activate

themselves when the e-mail is opened.

4. Trojans– they appear to perform necessary functions, but perform other

undesirable activities in the background without the knowledge of the user.

5. Worms – viruses that stick in the computer memory.

6. Backdoors – may be a Trojan or Worm that allows hidden access to a computer

system.
Types of destructions/damages caused by a virus attack

-Delete or modify data, information & files on storage devices (disks) or memory
during normal program execution, e.g., may attack the format of a disk making any
program or data on it impossible to recover.

- Systematically destroy all the data in the computer memory.

- Might lock the keyboard.

- Can change keystroke values or data from other I/O devices, e.g., change the
effect of SHIFT key.

- Delete characters displayed on a visual display.

- Uses up computer memory/space, hence slowing down its performance or causing

the system to crash.

- Changes colour of the display.

- Cause boot failure.

Sources of viruses.

a) Contact with contaminated systems:

If a diskette is used on a virus infected computer, it could become contaminated. If

the same diskette is used on another computer, then the virus will spread.

b) Use of pirated software:

Pirated software may be contaminated by a virus code or it may have been
amended to perform some destructive functions which may affect your computer.

c) Infected proprietary software:

A virus could be introduced when the software is being developed in laboratories,
and then copied onto diskettes containing the finished software product.

d) Fake games:

Some virus programs behave like games software. Since many people like playing
games on computers, the virus can spread very fast.

e) Freeware and Shareware:

Both freeware & shareware programs are commonly available in Bulletin board
systems.

Such programs should first be used in controlled environment until it is clear that
the program does not contain either a virus or a destructive code.

f) Updates of software distributed via networks:

Viruses programs can be spread through software distributed via networks.

Symptoms of viruses in a computer system.

The following symptoms indicate the presence of a virus in your computer:

- Boot failure.

- Files & programs disappearing mysteriously.

- Unfamiliar graphics or messages appearing on the screen.

- Slow booting.

- Gradual filing of the free space on the hard disk.

- Corruption of files and programs.

- Programs taking longer than usual to load.

- Disk access time seeming too long for simple tasks.

- Unusual error messages occurring more frequently.

- Frequent
read/write errors.
Control measures against viruses.

i). Install up-to-date (or the latest) antivirus software on the computers.

ii). Restrict the movement of foreign storage media, e.g., diskettes in the computer
room.

If they have to be used, they must be scanned for viruses.

iii). Avoid opening mail attachments before scanning them

for viruses. iv). Write-protect disks after using them.

v). Disable floppy disk drives, if there is no need to use disks in the course of
normal operation.

vi). Backup all software & data files at regular intervals.

vii). Do not boot your computer from disks which you are not sure are

free from viruses. viii). Avoid pirated software. If possible, use the

software from the major software houses.

ix). Programs downloaded from Bulletin Boards & those obtained from computer
clubs should be carefully evaluated & examined for any destructive code.
2). UNAUTHORIZED ACCESS

Data & information is always under constant threat from people who may want to
access it without permission. Such persons will usually have a bad intention, either
to commit fraud, steal the information & destroy or corrupt the data.

Unauthorized access may take the following forms:

a). Eavesdropping:

This is tapping into communication channels to get information, e.g., Hackers

mainly use eavesdropping to obtain credit card numbers.

b). Surveillance (monitoring):

This is where a person may monitor all computer activities done by another person
or people.

The information gathered may be used for different purposes, e.g., for spreading
propaganda or sabotage.

c). Industrial espionage:

Industrial espionage involves spying on a competitor so as to get or steal

information that can be used to finish the competitor or for commercial gain.
d). An employee who is not supposed to see some sensitive data gets it, either by
mistake or design.

e). Strangers who may stray into the computer room when nobody is using the
computers.

f). Forced entry into the computer room through weak access points.

g). Network access in case the computers are networked & connected to the
external world.
Control measures against unauthorized access.

i). Enforce data & information access control policies on all employees to control
access to data.

ii). Keep the computer room closed when nobody is using it.

iii). Reinforce weak access points, e.g., doors & windows with metallic grills

& burglar alarms. iv). Use file passwords to prevent any person from getting

access to the electronic files.

v). Enforce network security measures, e.g., use of firewalls.

vi). Encrypt the data & information during transmission.

vii). Perform frequent Audit trails to identify threats to data

& information.

3). COMPUTER ERRORS & ACCIDENTAL ACCESS

Errors and accidental access to data & information may be as a result of:

-Mistakes made by people, e.g., one may print sensitive reports & unsuspectingly
give them to unauthorized persons.

- People experimenting with features they are not familiar with. E.g., a person may
innocently download a file without knowing that it is self-installing or it may be
dangerous to the system.

Control measures against computer errors & accidents.

i). Restrict file access to the end-users and technical staff in the organization, i.e.,
deny access of certain files & computers to certain groups of end-users.

This is because; accidental access mistakes occur if the end-users have too much
privilege that allows them to access or change sensitive files on the computer.

ii). Set up a comprehensive error-recovery strategy in the organization.

4). THEFT

The threat of theft of data & information, hardware & software is real. Some
information is so valuable such that business competitors or some governments can
decide to pay somebody a fortune so as to steal the information for them to use.

Control measures against theft of information, hardware, & software.

i). Create backups & store them in locations away from the main computing centre.

ii). Reinforce weak access points, e.g., the windows, doors, & roofing with
metallic grills and strong padlocks. iii). Put burglar proofs in the computer
room.

iv). Employ guards to keep watch over data & information centres and backups.

COMPUTER CRIMES

-A computer crime is a deliberate theft or criminal destruction of computerized

data.

- The use of computer hardware, software, or data for illegal activities, e.g.,
stealing, forgery, defrauding, etc.

- Committing of illegal acts using a computer or against a computer system.

Types of computer crimes.

The following are the major types of computer crimes:

1. Trespass.

2. Hacking.

3. Tapping.

4. Cracking.

5. Piracy.

6. Fraud (Theft of money)

7. Sabotage.

8. Alteration of data.

9. Theft
of computer time / Theft of service.
Trespass.

- Trespass refers to the illegal physical entry to restricted places where

computer hardware, software & backed up data is kept.

- It can also refer to the act of accessing information illegally on a local or

remote computer over a network.

-Trespass is not allowed and should be discouraged.

Hacking.

Hacking is an attempt to invade the privacy of a system, either by tapping

messages being transmitted along a public telephone line, or through breaking
security codes & passwords to gain unauthorized entry to the system data and
information files in a computer.
Reasons for hacking,

- To copy or corrupt the information.

- Asa hobby to test their expertise. Some people like the challenge & they feel
great after successful hacking.

-Some do it for computer & software producing companies that want to secure
their systems by reducing weaknesses discovered after professional hacking.

Hacking is done by skilled programmers referred to as Hackers. Hacker is a person

who gains unauthorised access to a computer network for profit, criminal mischief,
or personal gain.

Such people are able to break through passwords or find weak access points in
software. They are involved in propagating computer viruses.

Tapping.

Tapping involves listening to a transmission line to gain a copy of the message

being transmitted.

Tapping may take place through the following ways:

a) A person may send an intelligent program to a host computer that sends

him/her information from the computer.

b) Spying on a networked computer using special programs that are able to

intercept messages being sent & received by the unsuspecting computer.

Cracking.

Cracking is the use of guesswork by a person trying to look for a weakness in the
security codes of a software in order to get access to data & information.
These weak access points can only be sealed using sealed using special corrective
programs called Patches, which are prepared by the manufacturing company.
A program patch is a software update that when incorporated in the current
software makes it better.

NB: Cracking is usually done by people who have some idea of passwords or user
names of the authorized staff.

Piracy.

Software, information & data are protected by copyright laws. Piracy means
making illegal copies of copyrighted software, data, or information either for
personal use or for re-sale.

Ways of reducing piracy:

i) Enact & enforce copyright laws that protect the owners

of data & information against piracy.

ii) Make software cheap enough to increase

affordability. iii) Use licenses and certificates of

authenticity to identify originals. iv) Set installation

passwords that prevent illegal installation of software.

Fraud.

Fraud is the use of computers to conceal information or cheat other people with the
intention of gaining money or information.

Fraud may take the following forms:

a). Input manipulation:

Data input clerks can manipulate input transactions, e.g., they can create dummy
(ghost) employees on the Salary file or a ghost supplier on the Purchases file.
b). Production & use of fake documents:

E.g., a person created an intelligent program in the Tax department that could
credit his account with cents from all the tax payers. He ended up becoming very
rich before he was discovered.