5. Safety and Security of Data in ICT Systems
| Key Concepts | Content and Amplification |
|---|---|
| 1. The need to protect data in ICT systems. | Students should be able to discuss issues involving the: • privacy of data in ICT systems • legislation to protect data • commercial and intrinsic value of data. |
| 2. Threats to ICT systems. | There are different threats to ICT systems, including: • internal and external threats • malpractice and crime. |
| 3. Protecting ICT systems. | The measures that can be taken to try to protect all parts of ICT systems, including networks, against threats: • hardware measures • software measures • procedures. |
| 4. Legislation | Students should be aware of the provisions for legal action to be taken in the event of security breaches. The current legislation. |
1. The Need to Protect Data in ICT Systems. Before the introduction of ICT systems it was much easier to keep the details of people's lives private. Dealings with government and individual organisations were stored in paper-based systems in various different locations. Employees' details were kept in the filing cabinet of the company. Their tax and insurance details were kept in the local tax office, their bank details were held by their branch of the bank, their medical details were kept in their doctor's surgery, their mortgage details were kept in the branch of their building society, and purchases were usually paid for in cash or by cheque. These details were private to the organisations holding them. People could keep their private lives private.
Almost everything that we do now is recorded in an ICT system:
- Bank account details, loans, mortgages, direct debits and credit history, which are shared between like organisations
- Purchases that are made using a card, or even cash with a store loyalty card
- Insurance details, including history of claims and no-claims
- Details of travel to and from the country
- Details of phone calls, the times and phone numbers contacted
- Details of criminal records and fines and cautions given
- Details of earnings and pension payments
- Details of e-mail and Internet use, including web-sites visited and information posted, spyware and cookies downloaded
- Details of vehicles owned, whether they are taxed and insured, details of journeys made using roadside cameras
- Details of visits to the doctor and hospital appointments, treatments and illnesses
- Marketing information from purchases, questionnaires etc.
The government has ruled it necessary to collect all this information on the grounds that it helps in the fight against terrorism. Local authorities have the power to investigate and charge people for littering, or for putting their refuse bins out either overfilled or on the wrong day. They can spy on people to check that they are living in the catchment area for schools.
As more and more information is collected about people, linking it all together will give a complete picture of someone's life. Most of this information should be kept out of public knowledge by the Data Protection Act of 1998. The Act was passed before the explosion in the collection of data in the 2000s. Other laws have been passed to protect the public from viruses, unauthorised access to computer data, and breaches of copyright.
The Data Protection Act was passed to help protect the general public from the misuse of their personal data that is kept by organisations. It was passed to keep in line with common European Union laws. It stops organisations making personal details known to the public and allows individuals to check that the data held about them is correct if they think an error has been made. The Act covers all personal data, even data that is not kept in an ICT system.
Personal data is classed as data about an identifiable person who is still alive. This means that a name and address is present or, in the case of a celebrity, something definitely identifiable to that person. Data such as medical history, credit history, criminal history, immigration and asylum history, and religious beliefs can be regarded as highly confidential.
Check the Data Protection Act slides.
Using Identification and Passwords for Protecting the ICT System. In most organisations a computer (workstation) can be used by many different people (consider the college classroom). These computers are part of a network of computers that share programs and data. So that only authorised people have access to the programs and data on these computers, the network will use a system of user groups, identification and a password. The user identification code is unique to that person, which means that the network monitoring software knows who has logged in and the user can change personal settings from the default. The second code is the password, which is a check that the authorised user is really the person they are claiming to be. Passwords are secret and cannot be seen on the computer screen when being typed in. Individual organisations will have different rules regarding passwords; in general they shouldn't be an ordinary word, they shouldn't be a name, and they shouldn't be a favourite team or place. They should be a combination of characters and numbers, they should be a minimum of 8 characters and numbers, and they should be changed regularly. Passwords should never be written down or told to anyone else, should be different from the identification code, and no one else should be allowed to look over a password being entered into the system.
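The password rules above, turned into a checker as an added example (this is not code from the course notes; the user id, the word lists and the candidate passwords are constructed stand-ins for an organisation's own lists):

```python
"""Password rule checker, added as an example of the rules in the notes above
(not code from the course). The word lists below are constructed stand-ins for
the 'ordinary word', 'name' and 'team or place' lists an organisation would keep."""

# Constructed denylists; a real deployment would load full dictionaries.
ORDINARY_WORDS = {"password", "welcome", "letmein", "computer", "college"}
NAMES = {"david", "sarah", "smith", "jones"}
TEAMS_AND_PLACES = {"arsenal", "liverpool", "swansea", "cardiff", "london"}
MIN_LENGTH = 8  # the notes' minimum of 8 characters and numbers


def check_password(user_id: str, password: str) -> list:
    """Return the rules the password breaks (an empty list means accepted).

    Rules follow the notes: not an ordinary word, a name, or a team or place;
    a mix of letters and numbers; at least 8 characters; and different from
    the user's identification code."""
    problems = []
    lowered = password.lower()
    # Strip trailing digits so 'password1' is still caught as an ordinary word.
    stem = lowered.rstrip("0123456789")

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("must mix letters and numbers")
    if stem in ORDINARY_WORDS:
        problems.append("is an ordinary word")
    if stem in NAMES:
        problems.append("is a name")
    if stem in TEAMS_AND_PLACES:
        problems.append("is a team or place")
    if lowered == user_id.lower():
        problems.append("same as the identification code")
    return problems


if __name__ == "__main__":
    # Constructed sample user id and candidate passwords.
    for pw in ["password", "Liverpool1", "jsmith", "Tr4in-S7ation"]:
        result = check_password("jsmith", pw)
        print(f"{pw!r}: {'accepted' if not result else ', '.join(result)}")
```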
Using ICT Systems to Monitor Employees at Work, and the Public at Home and during Leisure Time. Employees who use computers at work will find that some or all of their computer use is monitored by monitoring and logging software. Time that is used reading and sending e-mails can be logged. Time spent using the Internet can be logged, especially if it is during work time. The web-site addresses, the content downloaded and the times used can be logged and used in disciplinary action against the employee if they have broken any rules. Employees who have unauthorised software or content such as music, images or video will also be identified. At home, anyone who uses the Internet may be monitored by the Internet Service Provider. Data such as the web-sites accessed and the data downloaded is collected. The government has the right to ask to see this data to prevent or solve crime, including terrorism. E-mail is also monitored, including the addresses, the content of the message and attachments, and the dates and times of sending and receiving. When we access the Internet our computers leave a unique identifying code, making it easy for Internet Service Providers to log all activities.
If a computer manages to download spyware from a web-site then the program will report back to the people who wrote the spyware with details of what the person does on the Internet. It could possibly send back secret details from files such as credit card numbers, bank details, PIN codes etc. Spyware can also slow down performance as it uses computer processor time. It could contain bugs and crash the system. It could allow other unwanted features such as pop-ups and banners to be displayed constantly by removing the effectiveness of the anti-virus and the firewall.
Cookies are also small programs that people allow to be downloaded onto their ICT system. Cookies can be useful as they report back to the people who wrote them details of Internet use by their customers, and help the originator to select the correct page and tailor the information on it.
Most shops use loyalty cards to offer their customers some cash back or credit against future purchases. These loyalty cards hold a lot of details about the customer, including the details of every time they use the card when shopping. Fitness centres, clubs, libraries etc. will have similar systems to keep details of their customers. Every time a person walks in the street or drives a car there will be a camera monitoring what people are doing; this can be recorded and saved for future use.
Check the Security of Data slides.
Identity Theft is the term for the criminal act of stealing personal information with the intent to use it to create similar cloned identities without the victims' knowledge. Stolen personal information such as bank details, passport numbers, birth dates or social security numbers is used illegally to apply for credit, purchase goods and services, or cloak the real identities of criminals undertaking more serious criminal acts.
There are four types of Identity Theft:
- financial identity theft (using another person's identity to obtain goods and services)
- criminal identity theft (using another person's identity when apprehended for a crime)
- identity cloning (using another person's identity to assume their identity in daily life)
- business/commercial identity theft (using another person's business name to obtain credit)
There is so much use of the Internet for banking and financial transactions that criminals have devised ways of intercepting sensitive data and using it for fraud.
On-Line Banking: Customers using their credit or debit cards online have been advised that high street banks are likely to become increasingly reluctant to help victims of Internet fraud unless the customer has taken reasonable precautions by having a firewall and the most up-to-date anti-virus software. Problems are caused by Phishing and Trojans, which up-to-date anti-virus programs will detect.
- Phishing: where fraudsters send messages to people asking them to make contact with details of their personal information. They do this by conning the victim into believing they are legitimate. For example, an e-mail would be sent to a customer of a bank asking them to make contact by return of e-mail. The person will then be taken to a fake web-site which may look identical to the real bank's web-site. Once there the person will be asked questions about their bank details, and these will be used by the fraudsters to withdraw cash from their bank account.
- Trojans: where hackers have managed to add a small program to an e-mail. This small program will gather details of the person's activities and send e-mails back to the hacker containing secret details such as bank details and passwords.
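As an added example, not part of the original notes: a check that a mail filter or a cautious reader could run over an HTML e-mail to spot the phishing pattern above, a link whose visible text names the bank while its real destination is somewhere else. The bank domain examplebank.co.uk and the e-mail body are constructed values.

```python
"""Phishing-link check for an HTML e-mail, added as an example (not code from
the notes). It flags links whose visible text names the bank's web-site while
the real destination (href) is on a different domain, which is how the
look-alike 'fake website' above is reached. Domain and e-mail are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

BANK_DOMAIN = "examplebank.co.uk"  # constructed: the genuine bank's domain


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, bank_domain: str = BANK_DOMAIN) -> list:
    """Return (href, text) pairs whose text names the bank but whose
    destination host is neither the bank's domain nor a sub-domain of it."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        genuine = host == bank_domain or host.endswith("." + bank_domain)
        if bank_domain in text.lower() and not genuine:
            flagged.append((href, text))
    return flagged


# Constructed sample e-mail: the first link's text and destination disagree.
SAMPLE_EMAIL = ('<p>Please confirm your details at <a href="http://examplebank'
                '.co.uk.secure-login.example.net/verify">www.examplebank.co.uk'
                '/verify</a> within 24 hours. Help: <a href="https://help.'
                'examplebank.co.uk">help.examplebank.co.uk</a></p>')

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_EMAIL))
```

Links whose text does not name the bank ("click here") are not flagged by this check; it only catches the mismatch the notes describe.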
Identity Theft: Personal data is useful to people who want to pretend they are someone else in order to purchase goods and withdraw money from bank accounts. Stolen credit and debit cards can be used to order goods on-line and withdraw cash. Sometimes, if it is done a little at a time, the real bank account holder may not notice that money is being withdrawn. Letters, bank statements and credit agreements are very useful to criminals, as these details can be used to prove they are that person and take out bank loans etc. from other people's accounts.
Some criminals find great opportunities in stealing rubbish bins. They can sift through discarded bank statements, bills, payment receipts etc. and use them to create their new identity. They can then phone the bank and divert the statements to their own address. They can apply for a credit card to be sent to the new address, and they can set up direct debit payments to come from the bank. They can buy a car using a bank overdraft; they can even pay the tax and insurance using the bank direct debit. If the car is involved in an accident and is written off, all they have to do is give the real person's name and address and off they go to do it all again. Meanwhile the person who threw out the rubbish with their bank details in it now owes thousands of pounds to the bank, and has to appear in court over the car crash.
Encryption: is the way to keep bank details secure. When sending data over the Internet, companies who collect data for payments need to use a secure area on the web-site where data is encrypted before it is communicated. This data will be useless to a hacker as they will not have the key to decrypt the data. All banks use this system for on-line banking.
2. The Threats to an ICT System. The threats to any system are fire, theft, flood, power loss, and accidental and deliberate damage to the infrastructure. Threats to ICT systems include damage to the programs and data by viruses, theft of data and denial of service, as well as hardware loss. Organisations need to be aware of all potential threats, the measures that can be taken to lessen the threat, and ways to recover if a loss of data or service happens. Any loss is costly: without service to customers, or without data, an organisation may fail. Apart from natural causes, threats come from the following:
- Power failure: hardware needs electricity, and without standby power the system cannot work. Power failures are rare, but depending on the importance of the data and service an emergency independent backup power supply will be considered.
- Faulty hardware: computers can break down at any time, so backup copies of data and programs are essential for computer or hard drive replacement.
- Faulty software: usually caused by bespoke programs where an unexpected bug appears and engineers need to be on standby to add a program that will allow operations to continue.
- Theft of hardware: where the organisation has slack security in the offices where hardware is located. Laptop theft is very common as people use laptops on trains and in cafés, or even leave them in their cars.
- Theft of software: where data is stored on the hard drive of the computer stolen. This may have very serious implications as this may be highly classified data or personal data that has not been kept secure, in breach of the Data Protection Act.
- Hacking: unauthorised access to computer hardware and data. A person may gain access to a system unwittingly, or they may be skilled in breaking codes. The intent is crucial: there may be no intent to do anything more, they may wish to read the data, use the data or sell the data, or they may wish to destroy the data or make it unusable.
- Virus: a secret program that will damage or destroy the computer's data. Viruses can be collected from people using their own software on an organisation's computers, or they may be downloaded through an e-mail or directly from a web-site (includes worms, etc.).
- Trojan Horse: a program that disguises itself as another program. It is similar to a virus, as these programs are hidden and cause an unwanted effect. They differ from viruses because they are normally not designed to replicate like a virus.
- Worm: a special type of virus that spreads without any user interaction, typically by exploiting a flaw in popular software.
- Denial of Service Attack: where an organisation is denied some of its resources. This is normally the e-mail facility or the ability to use the Internet efficiently. If an on-line store has too many requests it may not be able to deal with all of them, resulting in a temporary loss of service.
- Spyware: where confidential details of the organisation's system and data can be secretly sent back to the originator.
- Keyloggers: hardware devices or software programs which record all information entered into a machine via a keyboard. Criminals deploy both types of keylogger to capture personal information such as passwords and credit card numbers. Keyloggers can be installed on a computer without the user's knowledge using spyware programs.
- Phishing: an attempt to dishonestly and illegally get sensitive information, such as passwords and credit card details, by acting as a trustworthy person or business. Phishing is typically carried out using e-mail or instant messaging, although phone contact has also been used.
- BotNets: networks of computers that have been infected with specific Trojans which allow access by malicious third parties such as criminals and spammers. These individuals use the power of the infected computers to perform a variety of tasks, including sending spam e-mail or mounting Denial of Service Attacks on other computers or networks.
- Spam: where the e-mail facility is overloaded by unwanted messages.
- Accidental damage: from staff, where someone may have deleted data by mistake.
- Deliberate damage: from staff who have a grudge against the organisation they work for.
- Fire: a constant problem where a lot of electrical equipment is used and stored. Special attention should be paid to where paper is stored, emptying bins, no smoking (it is the law not to smoke in offices), maintenance of electrical wiring and sockets, switching off non-essential equipment, keeping fire doors closed, and having a serviceable fire alarm system.
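As an added example (not the notes' own material), a small detector for the "too many requests" situation in the Denial of Service item above: it reads web-server access log lines and reports any client that exceeds a request limit inside a sliding time window. The log lines, the limit of 5 and the 10-second window are constructed values.

```python
"""Request-flood detector over web-server access log lines, added as an
example (not code from the notes) of spotting the 'too many requests'
situation described under Denial of Service above. The log lines, limit and
window are constructed sample values."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx common log format: client, ident, user, [time], "request", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def flooding_clients(lines, limit=5, window_seconds=10):
    """Return {client: time the limit was first exceeded} for every client
    that sends more than `limit` requests inside a `window_seconds` window."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        client, stamp = m.group(1), datetime.strptime(m.group(2), TIME_FMT)
        window = recent[client]
        window.append(stamp)
        while (stamp - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop requests older than the window
        if len(window) > limit and client not in flagged:
            flagged[client] = stamp
    return flagged


# Constructed sample: one client hammers /checkout, another browses normally.
SAMPLE_LOG = [
    f'198.51.100.7 - - [01/Mar/2024:10:00:{s:02d} +0000] "GET /checkout HTTP/1.1" 200'
    for s in range(12)
] + [
    '203.0.113.9 - - [01/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200',
    '203.0.113.9 - - [01/Mar/2024:10:00:30 +0000] "GET /basket HTTP/1.1" 200',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, when in flooding_clients(SAMPLE_LOG).items():
        print(f"{client} exceeded the limit at {when.isoformat()}")
```

The same sliding-window count applies to the Spam item above if the lines are mail-server log entries keyed by sender instead of web requests keyed by client address.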
Check the Misuse and Copyright slides.
Check the Malpractice and Crime slides.