Data and System Security - Computing and ICT in a Nutshell

Data and System Security
Threats to Data
Computer software and data are valuable commodities. If a business loses its data, it may no longer be able to
contact its customers, or if it can, it might not be able to find all of the customer details. This could lead either to
business being lost altogether, or a customer losing confidence in the company because they appear to be
incompetent.
Threats to software and data fall into three different categories. These are loss due to:

Physical threats – i.e. damage to hardware

Software threats – i.e. loss caused by problems with programs

Human error or malicious damage
Physical Threats
Threat: Theft
Description: Your computers or other equipment are at risk from people who want to steal them, either to remove the data or use the parts, e.g. competitors might want to steal confidential company data, or bank details might be stolen for fraudulent use.
Prevention/Remedy:
Physical security measures: door locks, bars on windows, door entry systems, swipe cards, alarms, etc.
Procedural measures: asking visitors to sign in and wear badges, challenging anyone who isn’t wearing one, etc.

Threat: Natural disasters
Description: Your data or systems are also at risk from natural disasters such as fires, floods, earthquakes, etc., that might cause your data to become corrupted, or the computers to stop working.
Prevention/Remedy: Equipment could be stored in waterproof, etc., buildings.

Threat: Power failure
Description: If the power fails, then you are not going to be able to operate your equipment, and data may be lost if it hasn’t yet been saved.
Prevention/Remedy: For important equipment, such as file servers, you can attach a device called a UPS (uninterruptible power supply). This acts like a big battery and allows the computers to operate for a short while after the power fails, so that information can be saved and the computers closed down properly.

Threat: Equipment failure
Description: Computer equipment is generally very reliable, with the MTBF (mean time between failures) often given in years, but it can still break down.
Prevention/Remedy: For safety critical or mission critical computer systems (i.e. systems where you can’t carry on without them), we can use redundancy. This is where the system has several of some key parts, such as sensors or processors, in case one of them breaks down.
Backups can be stored in a fire-proof fire safe
Software Threats
Threat: Software errors
Description: Sometimes, when programs are written, they contain errors that might cause data to be lost or corrupted.
Prevention/Remedy: Software must be tested thoroughly before it is sold or given to the customer. Software companies must produce a thorough test plan (just like the one you create for your projects) to try to think of everything the user could do to the system.

Threat: Viruses
Description: There are certain programs, called viruses, that deliberately spread and cause damage to data.
Prevention/Remedy:
Software measures: use virus checking software; install a firewall to stop programs coming in from outside (e.g. the internet).
Procedural measures: restrict the use of things like the internet or floppy discs that might lead to the introduction of a virus.
Human Threats
Threat: Accidental deletion
Description: Sometimes users delete files or data by accident.
Prevention/Remedy:
Files can be write-protected so that they can’t be deleted
Some programs display an “Are you sure?” type message when you delete things
Lots of programs have an Undo facility
Windows has the Recycle Bin

Threat: Data entry errors
Description: Data may be written down incorrectly, or keyed in wrongly.
Prevention/Remedy:
Validation
Verification

Taking regular backups and keeping them in a separate place will help you minimise the effect of any of these
threats. For example, if you have your computer stolen, you just need to get a new one and restore the old data
onto the new machine.
Security Measures
Security of Buildings
There are several reasons why a company might need security systems to protect their premises:

To protect products that are under development from industrial spies

To protect valuable equipment

To prevent unauthorised access

Electronic systems are able to provide protection around the clock, seven days a week.
Methods of security that a company might employ are:

To protect the outside of the premises using closed circuit television

To use electronic intruder alarms to warn of unauthorised access

To have electronic door entry systems that make the user either type in a number or "swipe" a card. This
card may be a "smart" card (i.e. one containing a "chip"), or it may have a magnetic strip, like a credit card.

Entry systems are getting more advanced all the time. Electronic systems are now available that can
recognise fingerprints or patterns on the cornea.
As well as the obvious benefits of protecting the security of the building from intruders, electronic security systems
also have disadvantages:

They can be expensive to install

It is possible that the equipment might fail, causing a lapse in security

Potential intruders can tamper with the equipment
There may also be an impact on jobs (fewer security guards are needed?), and often people don't like to feel that
the "Big Brother" cameras are watching them; they feel that their freedom is being taken away.
Security of Data
As well as stopping people entering the building and physically getting to it, sensitive data on computers is
protected in the following ways:

Computers and networks have passwords to prevent unauthorised access. These passwords are only issued
to people who are authorised to view the information that they protect.

Information can be coded, or encrypted. This is especially useful when transmitting information, for example
via the Internet.

The Computer Misuse Act makes it an offence for anyone to access computer information without
permission, or to deliberately damage that information (for example by introducing a virus). This means that
"hacking" is illegal and can lead to imprisonment.
People whose information is held on computers are also protected by the Data Protection Act. This is
summarised below and detailed in section 1.9 – The Legal Framework.
Computer data is not just at risk from malicious damage. There is also the possibility that an authorised user might
accidentally change or delete data, or that some sort of power or mechanical failure might cause information to be
lost. Losing data can cause the company to lose time and money as it tries to recover that information. It can
also make the company look bad in the eyes of customers, who might want to take their business elsewhere.
Backup and Recovery
To protect against this happening, a backup of the information should be made on a regular basis. Organisations
usually have a backup policy, which says when and how often they should back up the data. Because the
backups are normally not used, and therefore speed is not an issue, they are often made onto tapes or cartridges,
which are relatively cheap but are slow to read and use serial access.
The more often the data changes, the more frequently it will need to be copied onto the backup tape. A school
might back up the server every night, so that if anything happens to the server, we won't lose more than a day's
work. If a school had a two week timetable, they might use 10 different tapes, one for each day of the school
timetable, so that we can go back two weeks to a previous lesson.
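The ten-tape rotation described above, worked through as an added example (it is not part of the original handout): it works out which tape is written on a given night and which tape to restore from, including the case where the backup you want has already been overwritten. The cycle start date, the Monday-to-Friday backup nights and the function names are assumptions made for illustration.

```python
from datetime import date, timedelta

CYCLE_START = date(2024, 1, 8)   # assumed: a Monday that begins week 1 of the timetable
TAPES = 10                       # one tape per school day of the two-week timetable


def tape_for(day):
    """Return the tape number (1-10) written on the night of `day`, or None at weekends."""
    if day.weekday() >= 5:                      # Saturday/Sunday: no backup is taken
        return None
    weeks = (day - CYCLE_START).days // 7       # whole weeks since the cycle began
    return (weeks % 2) * 5 + day.weekday() + 1  # week 1 -> tapes 1-5, week 2 -> tapes 6-10


def restore_point(wanted, today):
    """Find the tape holding the newest backup taken on or before `wanted`.

    Returns (tape, backup_date), or None when that backup has already been
    overwritten by a later run on the same tape, or no backup exists yet.
    """
    day = min(wanted, today - timedelta(days=1))  # tonight's backup is not taken yet
    while day >= CYCLE_START:
        tape = tape_for(day)
        if tape is not None:
            reused = day + timedelta(days=14)     # the same tape is written again 14 days later
            if reused < today:
                return None                       # overwritten: outside the two-week window
            return tape, day
        day -= timedelta(days=1)                  # step back over the weekend
    return None


if __name__ == "__main__":
    today = date(2024, 1, 24)                     # constructed sample date (a Wednesday)
    for wanted in (date(2024, 1, 20), date(2024, 1, 10), date(2024, 1, 9)):
        print(wanted, "->", restore_point(wanted, today))
```

The last sample date returns None because its tape was reused the night before, which is the limit of a two-week rotation: anything older needs a separate archive copy.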
A copy of the backup is usually taken off the site, or stored in a fire safe to ensure that if there is a disaster that
affects the whole building, then the data remain safe.
Finally a company might have an uninterruptible power supply (UPS) connected to certain computers, e.g. the
server. This acts like a battery and allows the computer to operate for a certain amount of time (normally about
20 minutes) should the power fail. This gives the operators time to close everything down properly to help
prevent data being lost.
Legal Protection
As well as physical and other types of protection, there are also three laws that are in place to protect computer
systems:
Data Protection Act (1998): The Data Protection Act covers personal data held by companies – they must ensure that it is correct and up-to-date, and hold no more information than is necessary for their business. It also gives the individual the right to look at, and correct, the information held about them.

Computer Misuse Act (1990): This makes it an offence to gain unauthorised access to (i.e. “hack”) a computer system, or cause malicious damage, such as introducing viruses.

Copyrights, Designs and Patents Act (1989): This law makes it an offence to copy or steal software. Stealing software includes installing the same copy of a program on more than one computer without a licence.