Data and System Security Threats to Data Computer software and data are valuable commodities. If a business loses its data, it may no long be able to contact its customers, or if it can, it might not be able to find all of the customer details. This could lead either to business being lost altogether, or a customer losing confidence in the company because they appear to be incompetent. Threats to software and data fall into three different categories. These are loss due to: Physical threats – i.e. damage to hardware Software threats – i.e. loss caused by problems with programs Human error or malicious damage Physical Threats Threat Theft Natural disasters Power failure Equipment failure Description Prevention/Remedy Your computers or other equipment is at risk from people who want to steal them, either to remove the data or use the parts. Physical security measures: e.g. competitors might want to steal confidential company data, or bank details might be stolen for fraudulent use Door locks, bars on windows, door entry systems, swipe cards, alarms, etc. Procedural measures: Asking visitors to sign in and wear badges, challenging anyone who isn’t wearing, etc. Your data or systems are also at risk from natural disasters such as fires, floods, earthquakes, etc., that might cause your data to become corrupted, or the computers to stop working Equipment could be stored in waterproof, etc., buildings If the power fails, then you are not going to be able to operate your equipment, and data may be lost if it hasn’t yet been saved For important equipment, such as file servers, you can attach a device called a UPS (un-interruptible power supply). This acts like a big battery and allows the computers to operate for a short while after the power fails, so that information can be saved and the computers closed down properly Computer equipment is generally very reliable, with the MTBFB (mean time between failures) often given in years, but it can still break down For safety critical or mission critical computer systems (i.e. systems where you can’t carry on without them), we can use redundancy. This is where the system has several of some key parts, such as sensors or processors, in case one of them breaks down. Backups can be stored in a fire-proof fire safe Software Threats Threat Description Prevention/Remedy Software must be tested thoroughly before it is sold or given to the customer. Software errors Sometimes, when programs are written, they contain errors that might cause data to be lost or corrupted Software companies must produce a thorough test plan (just like the one you create for your projects) to try to think of everything the user could do to the system Threat Description Prevention/Remedy Software measures: Viruses There are certain programs, called viruses, that deliberately spread and cause damage to data Use virus checking software Install a firewall to stop programs coming in from outside (e.g. the internet) Procedural measures: Restrict the use of things like the internet or floppy discs that might lead to the introduction of a virus Human Threats Threat Description Prevention/Remedy Accidental deletion Sometimes users delete files or data by accident Files can be write-protected so that they can’t be deleted Some programs display “Are you sure?” type message when you delete things Lots of programs have an Undo facility Windows has the Recycle Bin Data entry errors Data may be written down incorrectly, or keyed in wrongly Validation Verification Taking regular backups and keeping them in a separate place will help you minimise effect of any of these threats. For example, if you have your computer stolen, you just need to get a new one and restore the old data onto the new machine. Security Measures Security of Buildings There are several reasons why a company might need security systems to protect their premises: To protect products that are under development from industrial spies To protect valuable equipment To prevent unauthorised access Electronic systems are able to provide protection around the clock, seven days a week Methods of security that a company might employ are: To protect the outside of the premises using closed circuit television To use electronic intruder alarms to warn of unauthorised access To have electronic door entry systems that make the user either type in a number or "swipe" a card. This card may be a "smart" card (i.e. one containing a "chip"), or it may have a magnetic strip, like a credit card. Entry systems are getting more advanced all the time. Electronic systems are now available that can recognise fingerprints or patterns on the cornea. As well as the obvious benefits of protecting the security of the building from intruders, electronic security systems also have disadvantages: They can be expensive to install It is possible that the equipment might fail, causing a lapse in security Potential intruders can tamper with the equipment There may also be an impact on jobs (fewer security guards are needed?), and often people don't like to feel that the "Big Brother" cameras are watching them; they feel that their freedom is being taken away. Security of Data As well as stopping people entering the building and physically getting to it, sensitive data on computers is protected in the following ways: Computers and networks have passwords to prevent unauthorised access. These passwords are only issued to people who are authorised to view the information that they protect. Information can be coded, or encrypted. This is especially useful when transmitting information, for example via the Internet. The Computer Misuse Act makes it an offence for anyone to access computer information without permission, or to deliberately damage that information (for example by introducing a virus). This means that "hacking" is illegal and can lead to imprisonment. People whose information is held on computers are also protected by the Data Protection Act. summarised below and detailed in section 1.9 – The Legal Framework. This is Computer data is not just at risk from malicious damage. There is also the possibility that an authorised might accidentally change or delete data, or that some sort of power or mechanical failure might cause information to be lost. Losing data can cause the company to lose time and money as it tries to recover that information. It can also make the company look bad in the eyes of customers, who might want to take their business elsewhere. Backup and Recovery To protect against this happening, a backup of the information should be made on a regular basis. Organisations usually have a backup policy, which says when and how often they should backup the data. Because the backups are normally not used, and therefore speed is not an issue, they are often made onto tapes or cartridges, which are relatively cheap but are slow to read and use serial access. The more often the data changes, the more frequently it will need to be copied onto the backup tape. A school might backup the server every night, so that if anything happens to the server, we won't lose more than a day's work. If a school had a two week timetable, they might use 10 different tapes, one for each day of the school timetable, so that we can go back two weeks to a previous lesson. A copy of the backup is usually taken off the site, or stored in a fire safe to ensure that if there is a disaster that affects the whole building, then the data remain safe. Finally a company might have an uninterruptible power supply (UPS) connected to certain computers, e.g. the server. This acts like a battery and allows the computer to operate for a certain amount of time (normally about 20 minutes) should the power fail. This gives the operators time to close everything down properly to help prevent data being lost. Legal Protection As well as physical and other types of protection, there are also three laws that are in place to protect computer systems: Data Protection Act (1998) The Data Protection Act covers personal data held by companies – they must ensure that it is correct and up-to-date, and hold no more information than is necessary for their business. It also give the individual the right to look at, and correct, the information held about them. Computer Misuse Act (1990) This makes it an offence to gain unauthorised access to (i.e. “hack”) a computer system, or cause malicious damage, such as introducing viruses Copyrights, Designs and Patents Act (1989) This law makes it an offence to copy or steal software. Stealing software includes installing the same copy of a program on more than one computer without a licence