
Computer Security

The document outlines the fundamental principles of information security, including confidentiality, integrity, and availability, while detailing various threats such as hacking, denial of service, and malware. It discusses vulnerabilities in computer security, access control measures, and the impact of social media, highlighting both its benefits and drawbacks. Additionally, it addresses computer crimes, relevant legislation, and disaster recovery methods to protect data and systems.

COMPUTER SECURITY

Three basic principles of information security


Confidentiality - is the reliable access to trustworthy and accurate information or data by
authorized people as and when data is required. It is an attempt to prevent the intentional,
unauthorized access to data
Integrity - Data Integrity refers to the overall completeness, accuracy and consistency of data
in a computer system. Data integrity is normally enforced in a database system by a series of
integrity constraints or rules and in a network by transmission protocols
Availability - only certain staff can access the data.

THREATS
A security threat is defined as a risk which can potentially harm computer systems and
organizations

Hacking
Using IP addresses or other unethical network access tools to steal data on a network
Solution:- Using firewall and intrusion detection and prevention systems to filter authorized and
unauthorised traffic and block unauthorised traffic

Denial of service (DoS)


DoS is a cyber-attack in which the perpetrator seeks to make a machine or network resource
unavailable to its intended users by temporarily or indefinitely disrupting services of
a host connected to the network. Denial of service is typically accomplished by flooding the
targeted machine or resource with superfluous access requests in an attempt to overload systems
and prevent some or all legitimate requests from being fulfilled. For example, if a bank website
can handle 10 people a second clicking the Login button, an attacker only has to send 10 fake
requests per second to prevent or delay legitimate users from logging in. DoS attacks can
cause the following problems:
-Ineffective/slow services
-Inaccessible services
-Interruption of network traffic
-Connection interference
Solution:- Using firewall and intrusion detection and prevention systems to filter authorized and
unauthorised traffic and block unauthorised traffic
- Server configuration to block out unauthenticated users (users without trusted digital
certificate) from addressing the server’s resources.
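
An added example, not part of the original notes, of the filtering idea applied to the bank-login case above: it counts login requests per source over a one-second window and drops traffic from any source that exceeds a limit. The log line format, the per-source limit of 3 and the sample addresses are assumptions made for the illustration.

```python
from collections import defaultdict, deque

SITE_CAPACITY = 10     # logins per second the site can serve (figure from the notes)
PER_SOURCE_LIMIT = 3   # assumed policy: login requests allowed per source per second
WINDOW_MS = 1000       # length of the sliding window in milliseconds


def parse(line):
    """Split a constructed log line: '<time in ms> <source ip> <method> <path>'."""
    ts, src, method, path = line.split()
    return int(ts), src, method, path


def find_flooders(lines, limit=PER_SOURCE_LIMIT, window=WINDOW_MS):
    """Return {source: time it first exceeded `limit` login requests per window}.

    `lines` must be in time order, as a server log normally is.
    """
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    flagged = {}
    for line in lines:
        ts, src, method, path = parse(line)
        if (method, path) != ("POST", "/login"):
            continue              # only login attempts count towards the limit
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:    # forget requests older than the window
            q.popleft()
        if len(q) > limit:
            flagged.setdefault(src, ts)
    return flagged


def filter_traffic(lines, blocked):
    """Drop every request from a blocked source, as a firewall rule would."""
    return [line for line in lines if parse(line)[1] not in blocked]


def sample_log():
    """Constructed traffic: two ordinary users plus one source sending
    SITE_CAPACITY login requests inside a single second."""
    lines = ["100 198.51.100.4 POST /login",
             "400 198.51.100.9 GET /home",
             "700 198.51.100.9 POST /login"]
    lines += ["%d 203.0.113.7 POST /login" % (50 + i * 100)
              for i in range(SITE_CAPACITY)]
    return sorted(lines, key=lambda line: parse(line)[0])


if __name__ == "__main__":
    log = sample_log()
    flooders = find_flooders(log)
    print("flagged sources:", flooders)
    print("requests passed on:", len(filter_traffic(log, flooders)))
```

A per-source limit only catches floods that come from a small number of addresses; requests spread over many sources stay under it.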

Virus
Types include
• boot sector virus- infect and distort operating system boot files and either prevent the
computer from booting or slow the booting process
• file infector virus- infect either system files or data files created by various applications
-Viruses usually modify or delete files so that data becomes unavailable or system services are
denied
Solution:- Installing anti-virus software to block virus software from attaching itself to system or
data files

Malware
-includes worms, Trojan horses etc. Malware can
• Intimidate you with scareware, which is usually a pop-up message that tells you your
computer has a security problem or other false information.
• Reformat the hard drive of your computer causing you to lose all your information.
• Alter or delete files.
• Steal sensitive information.
• Send emails on your behalf.
• Take control of your computer and all the software running on it.
Solution:- Installing anti-malware software to block malware

Spyware
-Software that collects personal information about you without you knowing. They often come in
the form of a ‘free' download and are installed automatically with or without your consent.
-Spyware can
• Collect information about you without you knowing about it and give it to third parties.
• Send your usernames, passwords, surfing habits, list of applications you've downloaded,
settings, and even the version of your operating system to third parties.
• Change the way your computer runs without your knowledge.
• Take you to unwanted sites or inundate you with uncontrollable pop-up ads.
Solution:- Installing anti-malware software to block malware activity

Phishing
-Use of fake emails, text messages and websites created to look like they're from authentic
companies to lure people into entering their personal credentials. They're sent by criminals to
steal personal and financial information from you. This is also known as “spoofing”.
-It tricks you into giving them information by asking you to update, validate or confirm your
account. It is often presented in a manner that seems official and intimidating, to encourage you
to take action.
-Provides cyber criminals with your username and passwords so that they can access your
accounts (your online bank account, shopping accounts, etc.) and steal your credit card numbers.
Solution:- Visit trusted sites with digital certificates approved by the browser

Pharming
-Pharming is a common type of online fraud.
-It means to point you to a malicious and illegitimate website by redirecting the legitimate URL.
-Even if the URL is entered correctly, it can still be redirected to a fake website.
-The site convinces you that the site is real and legitimate by spoofing or looking almost identical
to the actual site down to the smallest details. You may enter your personal information and
unknowingly give it to someone with malicious intent.

SQL injection
It is a code injection technique, used to attack data-driven applications, in which malicious SQL
statements are inserted into an entry field for execution to steal data from the database. SQL
injection must exploit a security vulnerability in an application software’s query input field e.g.
inadequate filter rules for SQL statements in the query input field.
Solutions:- Use database firewalls to detect unwarranted SQL queries.
-Also use parameterized queries, in which user input is passed to the database as separate
variables (parameters) rather than being written into the SQL statement itself. Injected SQL then
fails, because the input is handled only as a parameter value and never as part of the statement.
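
An added example, not part of the original notes, showing the same login check built two ways: by pasting the input into the SQL text and as a parameterized query. The `users` table, the function names and the sample accounts are constructed for the illustration, and SQLite is used only so the code runs without a database server.

```python
import sqlite3


def make_db():
    """In-memory database holding constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # Plain-text passwords keep the example short; real systems store salted hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concatenated(conn, name, password):
    """Vulnerable form: the input becomes part of the SQL statement text,
    so a quote character in it changes what the statement means."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, name, password):
    """Hardened form: the statement text is fixed and the input is bound to
    the ? placeholders, so it is only ever compared as a value."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))


# Constructed entry-field input carrying an extra SQL condition.
INJECTED = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # The concatenated query matches every account without a valid password.
    print("concatenated :", login_concatenated(db, "alice", INJECTED))
    # The parameterized query looks for a password equal to the literal string.
    print("parameterized:", login_parameterized(db, "alice", INJECTED))
    print("valid login  :", login_parameterized(db, "alice", "s3cret"))
```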

Humans
-includes physical break in as well as theft and use of keys to unlock and enter unauthorised
rooms e.g. server rooms
-also includes abuse of access rights e.g. by modifying employee salaries to defraud a company
of money
Solution:- Use of biometric access on doors to block entry; use of alarms and cameras for alerts
to security on unauthorised physical access

Weather and natural disasters


-Earthquakes, floods and extreme weather conditions such as cyclones and tornadoes can
damage hardware such as hard drives, power supplies, network devices and cause data to be
inaccessible

Electrical faults
May cause damage to hardware such as hard drives, power supplies, network devices and cause
data to be inaccessible
Solution: Use of surge protectors

VULNERABILITIES
In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such
as an attacker, to perform unauthorized actions within a computer system. Vulnerabilities include

Misconfigured software and browsers


Security misconfiguration is simply defined as failing to implement all the security controls for a
server or web application, or implementing the security controls, but doing so with errors. This
could range from failing to set a useful security header on a web server, to forgetting to disable
default platform functionality that could grant administrative access to an attacker.

Weak passwords
Usually contain characters only, numbers only, names (easy to guess) etc. Permutation software
can easily be employed to predict the password

ATTACKS

The threats discussed above are attacks when put into action. These include
1. Virus attacks
2. Malware attacks
3. Denial-of-service attacks
4. Spyware attacks
5. Phishing
6. Pharming
7. SQL injection
8. Password Attacks
Password attacks are as they sound: an external entity trying to gain access to a particular
system by cracking or guessing the user’s password.

Types of Password Attacks

a. Guessing
This technique will only work when the hacker knows certain things about the target or the
target is very well known. This gives him/her the leverage to hack into the target’s account with
some commonly tried guesses

b. Dictionary Attacks
Dictionary attacks are based on the assumption that most of the passwords that are used in
accounts are a permutation and combination of a given set of numbers like birthdates, etc. and
details like addresses, first and last names, pet’s name, child’s name, etc. Dictionary attack works
by choosing the word from the given dictionary of characters and numbers and having a code
manipulate them into various combinations which are then tried to gain access to the
corresponding account

c. Brute Force Attacks


A brute force attack basically checks all of the permutations and combinations from the very
beginning. These attacks remain very practical when the length of the password is less than
or equal to 4 characters.
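
An added example, not part of the original notes, tying the weak-password description and the password attacks above together from the defender's side: it computes how many candidates an exhaustive search must cover for a given password and reports the weaknesses the notes name. The wordlist, the minimum length of 8 and the function names are assumptions made for the illustration.

```python
import string

# Constructed sample wordlist; a real check would load a large list of names
# and commonly used passwords.
COMMON_WORDS = {"password", "qwerty", "letmein", "tendai", "harare"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# The notes call for letters, numbers and special characters.
REQUIRED = (("letters", string.ascii_letters),
            ("numbers", string.digits),
            ("special characters", string.punctuation))


def alphabet_size(password):
    """Symbols a brute-force search must try per position (ASCII classes only)."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password):
    """Candidates an exhaustive search covers for this length and alphabet."""
    return alphabet_size(password) ** len(password)


def dictionary_core(password):
    """Lower-case the password and strip digits and symbols from both ends,
    which undoes the usual 'name plus birth year' decoration."""
    return password.lower().strip(string.digits + string.punctuation)


def assess(password, min_length=8):
    """Return a list of weaknesses; an empty list means none were found."""
    problems = []
    if len(password) <= 4:
        problems.append("4 characters or fewer: brute force is practical")
    elif len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    missing = [name for name, cls in REQUIRED
               if not any(c in cls for c in password)]
    if missing:
        problems.append("missing: " + ", ".join(missing))
    if dictionary_core(password) in COMMON_WORDS:
        problems.append("dictionary word or name with simple decoration")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("1234", "abcd", "Tendai1999", "k7#Vq!2mZx"):
        print(candidate, keyspace(candidate), assess(candidate))
```

A four-digit password gives 10,000 candidates and four lower-case letters give 456,976, while ten characters drawn from all four classes give 94 to the power 10.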

ACCESS CONTROL

Access control is characterized by


• Identification
Method of establishing the user’s identity. It involves use of user name or other public
information or known identification component requirements.
• Authentication
Is a method of proving the identity of a user. There are three ways of authenticating
information
  - something the user knows, e.g. a password, pass-phrase or PIN
  - something the user has, such as smart card
  - something the user is, such as fingerprint, verified by biometric measurement
• Authorization
Determines that the proven identity has some set of characteristics associated with it that
gives it the right to access the requested resources

Access Control Techniques

1. Passwords
Create strong passwords including special characters, numbers and letters
2. Biometric techniques

Fingerprints

This is probably the best known technique. In modern access control applications, users
place their finger onto the glass plate of a fingerprint scanner. A light shining from below
reflects only where there is a fingerprint ‘valley’, not a ridge. This reflected image is
recorded and stored. Normally two fingers would be scanned per subject. This allows for one
fingerprint being damaged.

Iris pattern

The iris has long been recognised as distinctive and individual. Iris recognition devices take
a greyscale photograph of the iris pattern using an invisible and harmless infrared light for
illumination. By processing the image, a binary code is produced. It is this code which is
used for comparison. Although the image can be obscured by cosmetic contact lenses,
standard lenses cause no problems. Iris recognition systems are accepted as one of the better
biometrics techniques.

Retina scan

A retinal scan is a biometric approach that makes use of the unique patterns on someone's
retina. By processing the image, a binary code is produced. It is this code which is used for
comparison. Advantages of using a retinal scan include a low occurrence of false positives,
extremely low false negative rates, and high reliability because no two people have the same
retinal pattern

Hand geometry

Hand shape has long been used as a biometric technology. It requires the hand to be placed
on a reflective surface. Illumination from above reflects from the exposed part creating a
silhouette of the hand which is captured by the camera. It is the shape of the hand only that is
recorded, not the palm print or the fingerprint.

Face recognition

This system uses a digital image of the subject for comparison. Consistency of pose, lighting
and facial expression is required. The photograph must also be recent. These exacting
requirements make this system difficult to manage in an access control application.

Finger/palm vein

This is a newer technique and involves the imaging of veins in the hand or finger. This
system exploits the fact that veins absorb more near-infrared light than other types of tissue
beneath the skin. The hand or finger is illuminated with low intensity infrared light which
can be imaged with a standard CCD sensor. The light absorbing veins return a dark pattern
against the more translucent skin and other tissue.

Voice pattern / recognition

This technique uses the voice patterns of a subject for identification. This requires the subject
to speak a known phrase. It is this exact phrase that is used for comparison. As yet there are
no standards for voice biometric access control systems.

3. Access rights

Access rights are usually enforced on data files or database files to give read or write
permissions for each file to users according to their access levels. Write permissions allow
users of the database to modify records in a file. Read permissions only allow users to view
records in files, not to modify them. Read or write permissions granted to users are
defined by an Access Control List or Capability List

COMPUTER CRIMES, LEGISLATION AND DATA PROTECTION

Crimes
-Hacking- illegal access to information through a network
-Software piracy- copying or reproducing software without consent of the owner
-Plagiarism - copying literary works without acknowledging the source
-Identity theft
-Cyber bullying - threatening or intimidating another person via the social media platforms
-Cyber-attacks – using malware, virus, SQL injections or any other harmful software to attack
computer systems

Legislation and tools to control crimes


Data Protection Act
-Provides legislation that governs access to personal or an organisation’s private data

Anti-plagiarism software
-Plagiarism checker software works by comparing submitted text against a database, and
identifying identical, or near-identical passages which have acknowledged sources. The most
popular anti-plagiarism software is Turnitin

DISASTER RECOVERY METHODS


It involves storing data separately from servers used on day to day transactions.
Data recovery methods include
1. Back up
- Local server back up
- Use of cloud servers – usually hosted by cloud vendors
- Saving data on remote and stand-alone servers
- Disc mirroring
2. Use of data and system recovery software to scan and reconstruct data from disks with bad
sectors as well as to repair system files
3. Encryption of data
4. Hardware repair in case of hardware damages on computers and network devices

IMPACT OF THE SOCIAL MEDIA

Positive Impact / Benefits


1 Connectivity –People from anywhere can connect with anyone regardless of the geographical
location. This enables people around the globe to share experiences and update each other on life
developments, thereby keeping friendship and family bonds alive

2 Education – Social media has a lot of benefits for students and teachers. It is very easy to
learn from others who are experts and professionals via social media. You can follow
anyone to learn from him/her and enhance your knowledge about any field. Regardless of your
location and education background you can educate yourself, without paying for it.

3 Help – You can share your issues with the community to get help and guidance. Whether it is
help in terms of money or in terms of advice, you can get it from the community you are
connected with.

4 Information and Updates – The main advantage of social media is that you can keep yourself
updated on the latest happenings around the world. Most of the time, television and print media
these days are biased and do not convey the true message. With the help of social media, you
can get the facts and true information by doing some research.

5 Promotion of the business product – The whole world is open to you, and you can advertise to
it. This makes businesses more profitable and less expensive to run, because most of the expenses
made over a business are for advertising and promotion. These can be decreased by constantly and
regularly engaging on social media to connect with the right audience.

6 Noble Cause – Social media can also be used for the noble causes. For example, to promote an
NGO, social welfare activities and donations for the needy people. People are using social media
for donation for needy people and it can be a quick way to help such people.

7 Awareness Campaigns – Social media also create social, political, economic and legal
awareness and innovate the way people live. Awareness campaign example is a cholera and
typhoid outbreak alert and prevention and control strategies

8 Helps Government and Agencies Fight Crime- It is also one of the advantages of the social
media that it helps Governments and Security Agencies to gather information about criminals
from the people and catch criminals to fight crime.

10 Allows people to conduct business transactions such as customer enquiries from shops about
availability and prices of goods. Also allows people to conduct financial transactions such as bill
payments e.g. the ZB Bank WhatsApp Business platform where people can buy electricity
tokens from ZESA

Negative Impact / Disadvantages
1 Cyberbullying –Threats, intimidation messages and rumors can be sent to the masses to create
discomfort and chaos in the society.

2 Hacking – Personal data and private information can easily be hacked and shared on the Internet,
which can cause financial losses and harm to personal life. Similarly, identity theft is another
issue that can cause financial losses to anyone through the hacking of their personal accounts.
Several personal Twitter
and Facebook accounts have been hacked in the past and the hacker had posted materials that
have affected the individuals’ personal lives. This is one of the dangerous disadvantages of the
social media and every user is advised to keep their personal data and accounts safe to avoid
such accidents.

3 Addiction –It can also waste individual time that could have been utilized by productive tasks
and activities. Many teenagers perform badly in school because of this.

4 Fraud and Scams – Several examples are available where individuals have scammed others and
committed fraud through social media.

6 Reputation damage – Social media can easily ruin someone’s reputation just by creating a false
story and spreading across the social media. Similarly, businesses can also suffer losses due to
bad reputation being conveyed over the social media.

7 Cheating and Relationship Issues – Some men and women use social platforms for extra-marital
relationships which, if discovered, often lead to divorce and separation

8 Health Issues – The excess usage of social media can also have a negative impact on the
health. It may affect eye sight.

9 Social Media causes death – Not just by using it, but by following the stunts and other crazy
stuff shared on the internet. For example, bikers doing unnecessary stunts, people
jumping over trains and other life-threatening stuff. For example, in this video a 14-year-old
from Mumbai was doing stunts on a running train which caused his death. These types
of stunts are performed by teenagers because of the successful stunts made and shared over
social media.

10 Drugs and Alcohol – One of the disadvantages of the social media is that people start to
follow wealthy or famous icons who may be drug addicts and share their views and videos on the
web. This eventually inspires youths to follow the same and get addicted to the drugs and alcohol

11 Sex addiction - resulting from sharing of pornographic material on social platforms


ETHICS IN ICT

Ethics are moral and professional obligations to be upheld by workers, management
and stakeholders in ICT institutions or organisations

The following international organizations promote ethical issues −

• The Association of Information Technology Professionals (AITP)
• The Association of Computing Machinery (ACM)
• The Institute of Electrical and Electronics Engineers (IEEE)
• Computer Professionals for Social Responsibility (CPSR)

The ACM Code of Ethics and Professional Conduct

• Strive to achieve the highest quality, effectiveness, and dignity in both the
process and products of professional work.
• Acquire and maintain professional competence.
• Know and respect existing laws pertaining to professional work.
• Accept and provide appropriate professional review.
• Give comprehensive and thorough evaluations of computer systems and their
impacts, including analysis and possible risks.
• Honor contracts, agreements, and assigned responsibilities.
• Improve public understanding of computing and its consequences.
• Access computing and communication resources only when authorized to do
so.

The IEEE Code of Ethics and Professional Conduct

IEEE code of ethics demands that every professional vouch to commit themselves to
the highest ethical and professional conduct and agree −

• To accept responsibility in making decisions consistent with the safety, health
and welfare of the public, and to disclose promptly factors that might endanger
the public or the environment;
• To avoid real or perceived conflicts of interest whenever possible, and to
disclose them to affected parties when they do exist;
• To be honest and realistic in stating claims or estimates based on available data;
• To reject bribery in all its forms;
• To improve the understanding of technology, its appropriate application, and
potential consequences;
• To maintain and improve our technical competence and to undertake
technological tasks for others only if qualified by training or experience, or
after full disclosure of pertinent limitations;
• To seek, accept, and offer honest criticism of technical work, to acknowledge
and correct errors, and to credit properly the contributions of others;
• To treat fairly all persons regardless of such factors as race, religion, gender,
disability, age, or national origin;
• To avoid injuring others, their property, reputation, or employment by false or
malicious action;
• To assist colleagues and co-workers in their professional development and to
support them in following this code of ethics.
