
3.3.6: Implications of ICT

Feb 24, 2016


Wendi

3.3.6: Implications of ICT. Keeping data safe and why we need to. This presentation aims to help you understand how to discuss the need for keeping data confidential and explain how this is achieved.
Transcript
Page 1: 3.3.6: Implications of ICT

3.3.6: Implications of ICT

Keeping data safe and why we need to

Page 2: 3.3.6: Implications of ICT

This presentation aims to: Help you understand:

› How to discuss the need for keeping data confidential and explain how this is achieved.

› How to discuss how encryption, authorisation, authentication, virus checking, virus protection and physical security can be used to protect data.

Page 3: 3.3.6: Implications of ICT

This section looks at: Discuss the need for keeping data confidential and explain how this is achieved.

Page 4: 3.3.6: Implications of ICT

Why keep data safe?

There are two main reasons why organisations keep data safe:

1. They are bound by the Data Protection Act to ensure all personal data is kept secure and confidential.

This data might belong to employees or customers.

2. Organisations are always trying to find ways of increasing their market share and are always developing new products and services. The last thing they need is their competitors getting a sniff of their ideas and developing their own versions! So this is for competitive reasons.

Page 5: 3.3.6: Implications of ICT

How do we keep data safe?

Organisations should have a security policy.

This might include guidance to employees for managing their passwords:

› Choosing a password that is only known to you and not easily guessed (e.g. not your birthday or your name!).

› Having a minimum length (no less than 6).

› Change passwords regularly (monthly).

› Do not use passwords that you use for other accounts.

› Do not disclose your password to anyone…not even the boss!

Page 6: 3.3.6: Implications of ICT

How do we keep data safe?

The security policy might also give advice on how to prevent unauthorised access:

› Lock the computer when you are not working on it.

› Use a screensaver that requires you to type in your password.

› Don’t type in your password if someone is looking at your screen.

› Use anti-spyware, firewalls and virus protection.

Page 7: 3.3.6: Implications of ICT

This section looks at: Discuss how encryption, authorisation, authentication, virus checking, virus protection and physical security can be used to protect data.

Page 8: 3.3.6: Implications of ICT

Encryption

Encryption is all about scrambling up data so that it can’t be understood unless you have the key, which turns the gobbledygook into something meaningful.

The idea behind encryption is that only the person who you intended to see the data can understand it…anyone who intercepts it will have a very difficult time in deciphering it.

Page 9: 3.3.6: Implications of ICT

Encryption

Julius Caesar invented a method of encryption using a square grid…

This encryption method allowed him to communicate with his generals without having to worry about the enemy killing the messenger and getting the message…

To be fair…he probably didn’t care too much about his messengers – the message was more important!

Page 10: 3.3.6: Implications of ICT

How the square worked…

This could be one of his messages to his generals…

› “Invade Germania from the South East.”

To prevent the enemy understanding this message he would jumble up the message using a grid of squares.

Page 11: 3.3.6: Implications of ICT

How the square worked…

The message would be split into its letters and arranged vertically in the grid…

So this message:

› “Invade Germania from the South East.”

Became

I   N O
N G I M S E
V E A   O A
A R   T U S
D M F H T T
E A R E H .

What you then had to do was write out the message again by writing out the letters going across the grid…

The message would then appear like this:

I NO NGIMSEVEA OAAR TUSDMFHTTEAREH.

All the generals had to do was draw out the grid and work backwards!
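The grid method above as a short program. This is an added example, not part of the original presentation; the function names and the rule of padding unused squares with spaces are assumptions. Note that `decrypt` needs nothing except the scrambled text, because the grid size follows from its length: the scheme has no secret key, only a secret method.

```python
# Added example: the square-grid scramble described in the slides.
# Function names and the space-padding rule are assumptions of this example.
import math


def grid_side(length: int) -> int:
    """Side of the smallest square grid that holds `length` characters."""
    return math.isqrt(length - 1) + 1 if length > 0 else 0


def encrypt(message: str) -> str:
    """Write the message down the columns, then read it across the rows."""
    text = message.upper()
    side = grid_side(len(text))
    padded = text.ljust(side * side)  # unused squares stay blank
    rows = []
    for r in range(side):
        # Character k sits in column k // side, row k % side.
        rows.append("".join(padded[c * side + r] for c in range(side)))
    return "".join(rows)


def decrypt(ciphertext: str) -> str:
    """Redraw the grid from the rows, then read down the columns."""
    side = grid_side(len(ciphertext))
    if side * side != len(ciphertext):
        raise ValueError("ciphertext does not fill a square grid")
    columns = []
    for c in range(side):
        columns.append("".join(ciphertext[r * side + c] for r in range(side)))
    return "".join(columns).rstrip()


if __name__ == "__main__":
    secret = encrypt("Invade Germania from the South East.")
    print(repr(secret))
    print(decrypt(secret))
```

Blank squares are emitted as spaces, so the two empty squares at the end of the first row come out as two spaces in the scrambled text.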

Page 12: 3.3.6: Implications of ICT

Public Key Encryption

Modern methods of encrypting data include using public key encryption. This video sums up how it works quite nicely!

› http://www.youtube.com/watch?v=jJrICB_HvuI

Page 13: 3.3.6: Implications of ICT

Authorisation

This is all about giving people different access rights to data.

An information system will hold all information in it.

Different users will only need to see parts of the data – it wouldn’t be appropriate to give complete access to all data.

For example, staff who are responsible for staff training only need to see training records of employees…they have no need to see data about where they live or how much they earn.

Page 14: 3.3.6: Implications of ICT

Authorisation

In a school, different members of staff have different access rights.

These are summed up below:

› Read Only: Can see the data but can’t do anything with it.

› Create: Can create new records.

› Write: Can edit records.

› Delete: Can remove records.

Page 15: 3.3.6: Implications of ICT

Authorisation

To gain access to data you have to go through a security check…usually a username and password.

But there is a problem…what if someone knows your username and password?

Page 16: 3.3.6: Implications of ICT

Authentication

This is where authentication comes into the equation.

Authentication is all about verifying a person is who they say they are.

The system may require you to enter a PIN or answer a security question.

Another method is to use biometric data.

Page 17: 3.3.6: Implications of ICT

Authentication

Where security is even more important, some organisations will use biometric data.

Biometric data provides both authorisation and authentication methods at the same time.

Watch this video before moving to the next slide:

› http://www.youtube.com/watch?v=xzLOmwF7lKE

Page 18: 3.3.6: Implications of ICT

Biometrics

The video showed you both PIN entry and iris scanning.

A cheaper method of using biometric data is using fingerprint recognition.

You can now buy keyboards with these scanners built in.

Page 19: 3.3.6: Implications of ICT

Virus checking and protection

There are two aspects that you need to consider when dealing with viruses:

› Prevention

› Searching for and removing viruses

Page 20: 3.3.6: Implications of ICT

What is a virus?

A computer virus usually either:

› Deliberately harms a computer system by modifying files.

› Replicates itself and transfers a copy to another machine.

Some viruses are used to disable a system’s security controls so that a hacker can access the system.

Page 21: 3.3.6: Implications of ICT

Virus Prevention

Installing a virus scanner is essential in the modern world.

Within minutes, a computer connected to the internet can be attacked by hundreds of viruses.

An anti-virus application has two functions:

› Provides a shield against incoming viruses.

› Provides a search and destroy facility to remove viruses.

Page 22: 3.3.6: Implications of ICT

Resident shield

The internet is a ‘Wild West’ environment…with countless viruses roaming the wastelands…waiting to happen across some unsuspecting computer which has no protection…

Page 23: 3.3.6: Implications of ICT

Resident shield

An internet enabled computer with no anti-virus software is at a high risk from attack…and will very likely get infected.

Page 24: 3.3.6: Implications of ICT

Resident shield

A computer with anti-virus software is able to stop attacks as the resident shield denies access to any known virus! (providing you keep your virus scanner up to date!)

Page 25: 3.3.6: Implications of ICT

Search and Destroy

If, however, a virus does manage to sneak on to your computer (meaning it was probably there before you installed the virus software…) then your anti-virus software can search and destroy any viruses it finds!

Page 26: 3.3.6: Implications of ICT

Physical security

This is basically any physical means of protecting the data from theft or damage.

Methods include:

› Surge protection

› Locks

› Security guards

› Flood and fire protection

› Portable security

Page 27: 3.3.6: Implications of ICT

Surge protection

Special plugs can be used which protect equipment from electrical surges.

Electrical surges can damage equipment and prevent it from working again.

This could impact on the data that is stored on some devices.

Page 28: 3.3.6: Implications of ICT

Locks

Locks have been used for thousands of years to keep people out of rooms they shouldn’t be in…

The oldest known lock was found by archaeologists in the Khorsabad palace ruins near Nineveh.

The lock was estimated to be 4,000 years old.

Keeping a server behind a locked door is always a good idea!

Page 29: 3.3.6: Implications of ICT

Security guards

When data is extremely sensitive and absolutely must not get into the wrong hands…

An organisation may employ security guards.

Guards can check people as they enter and leave a building…

They might also patrol areas like the server room.

Page 30: 3.3.6: Implications of ICT

Flood and Fire protection

Servers and all backup data storage devices should be locked away in fireproof rooms and containers.

Smoke detectors with CO2 extinguishers should be used to help prevent damage.

Servers should also be kept on higher floors to prevent damage from flood water.

Page 31: 3.3.6: Implications of ICT

Portable security

Many laptops make use of the Kensington security slot.

This slot allows a cable to be attached to the laptop thus preventing someone stealing it.

If they tried to pull the laptop, the laptop would simply break.

Keeping data secured in a locked briefcase is also a sensible idea…