Security Strategy HIGHER INFORMATION SYSTEMS Security Strategy You will need to be able to explain: Data Security Data Integrity and Data Privacy Risks Hacking Denial of Service DOS Policies & Procedures Password Guidelines Virus Protection Prevention Detection Repair Firewall Encryption Access Rights Security Strategy Data Security Physical Loss – fire or flood Electronic problems – faulty hardware or magnetic influences. Theft – by a competitor. Malicious access, deletion or virus attack. Security Strategy Data Integrity Is the data correct? When it is entered double entry can be used. Call centres ask customer to spell names and details are read back. Transmission errors can cause data errors. Viruses, hardware breakdown, viruses or computer crime can cause problems. Security Strategy Data Privacy This is personal or sensitive data. Is the data safe from unauthorised people? In school we have passwords and user logons so that no one else can access your files. People within school have different levels of access, this means data can be kept more secure. E.g. Guidance have access to personal information but teachers do not. Security Strategy Summary The network manager keeps the data secure. (Fire, flood, electronic outages). Integrity is how correct data is when it is first entered. Privacy is not letting other users into your personal or sensitive data. Security Strategy The Risks Virus – malicious code. Designed to spread to other computers automatically. Transmitted via an e-mail attachment, downloaded or something else. Can lie dormant for some time and can be very harmful. Security Strategy The Risks Hacking – Breaking into a computer system from outside the network. Breaking in is an offence but not a bad as maliciously altering or stealing information. Security Strategy The Risks Denial of Service Attack (DOS Attack)– Flooding a server with surprisingly large amounts of requests for information. The server is overloaded and it ends up crashing. Security Strategy Policies and Procedures Code of Conduct – set of rules that users must follow. Employees have to sign a code of conduct. Usually common sense and for the employee's protection to stop them breaking the law. The British Computer Society has a Code of Ethics which includes professional conduct, professional integrity, public interest, fidelity (trustworthiness), technical competence. Security Strategy Password Guidelines A strong password is one that no one else can guess and would be made up entirely of random numbers and letters (lowercase and uppercase). Users tend to choose poor passwords. The rules are: • Minimum of 8 characters • Letters and numbers and symbols • No words • Not the same as a previous password • Cannot be easily guessed http://www.passwordmeter.com/ Security Strategy Virus protection Computer systems are susceptible to viruses and must be protected by: Not allowing floppy disks. Not open suspicious emails and use filtering software to intercept the virus. Install anti-virus software that can Prevent, detect, or repair the infected file. Stops key loggers. Security Strategy Firewall A firewall was originally constructed to stop fire spreading throughout a house. It could be constructed between the house and the garage. Note: it is anti-virus software that stops viruses! This metaphor has been borrowed by the computing industry to name the software/hardware that acts as a barrier between computers on a network. Without it intruders could destroy, tamper with or gain access the files on your computer. Extra notes: http://www.vicomsoft.com/knowledge/reference/firewalls1.html#2 Security Strategy Firewall A firewall can be hardware or software that has filters to constantly monitor for unauthorised access to an network. It is placed between a file server and the internet connection. It also: Checks and filters external messages Blocks access to certain workstations/servers from an external computer. Only grants access to authorised users. Security Strategy Encryption Encryption techniques are used to pass sensitive data across the internet. The most obvious place you will see this is if you use your credit card to buy goods on the internet. If the packets of data are intercepted they cannot be read because they have been scrambled using 32 bit or 64 bit encryption. The message can only be read by the person receiving it, who holds the correct key to decipher it. Security Strategy Encryption In an exam you may be asked to explain how encryption works. This is public and private key encryption. 1. Bob encrypts the message with Alice’s Public Key. 2. The encrypted message is sent and cannot be read by unauthorised users. 3. Alice decrypts the message with her private key, no one else knows what this key is. Security Strategy Access Rights Access rights are: Read Write Create Erase Modify These right can be granted or revoked by the owner of the files or by the administrator. If a file is read only you cannot write, erase or modify it in any way. You would normally give these access rights in groupings e.g. read, write, create, modify. Security Strategy Access Rights Access rights can specifically set for the following: •Whether you have administrator rights •The amount of disk space allocated •Printers (printer credits) •E-mail •Internet •Folders •Applications Security Strategy You have learned about: •Data Security •Data Integrity and •Data Privacy •Risks Hacking Denial of Service DOS •Policies & Procedures •Password Guidelines •Virus Protection Prevention Detection Repair •Firewall •Encryption •Access Rights Question 2008 Q17 Lachlan is preparing for an interview for the job of network security manager at First Place Ltd. The company has 4 warehouses supplying 40 branches throughout the country. As stock control system is used to manage daily supplies to each branch. As part of the interview he will be asked about a security strategy for the company’s organisational information system. (a) State five areas concerning security strategies that Lachlan should be prepared to discuss in his interview. (5) Question 2009 Section 2 Q17. Setting up a username and password is one task involved in the creation of a network account. State three other settings associated with a network account. 3 2011 Q18 A company holds confidential personal data about its customers (a) Explain the difference between security and privacy as applied to data held in a computerised information system 2 (b) (i) Evaluate the suitability of these passwords: scotland tom100695 Hs%2 3 (ii) Apart from passwords, describe two data security measures that should be introduced as part of the security strategy. 4