AS - INFO2 - 5 - Computer Misuse and Threats to ICT Systems
Misuse and Threats
Organisations have become increasingly dependent upon their ICT systems and the data associated with them, so it comes as no surprise that data security is constantly under threat from computer crime.
The consequences of not adequately securing this data can result in the following:
• Financial loss, as missing data has to be restored or missing hardware replaced.
• Legal consequences, as non-compliance with the Data Protection Act can result in compensation.
• Loss of reputation and trust, due to the bad publicity received from the media when a security breach occurs.
In this section the threats from within and external to the organisation will be outlined and the difference between malpractice and crime will be discussed.
Internal Threats to Data Security
Many internal threats to ICT systems are caused by the organisation's own employees, and in many cases they are not deliberate.
Typically these errors might be the inaccurate input of data by a data entry clerk, the accidental deletion of a computer file by a careless member of staff, or even the introduction of a computer virus onto the system by an employee using a removable disk to transfer work from home to the office.
These problem areas can best be dealt with by introducing a detailed code of practice to help train and anticipate potential errors, although it has to be said that “accidents will happen”.
In other cases internal threats to the ICT systems can be deliberate and intentional; this area of data security is more difficult to deal with, as this sort of illegal activity will be carried out in secret.
The system could be sabotaged or damaged by a disaffected employee who uses their detailed knowledge of the system to cause damage by deleting critical data or even damaging the backup data.
Equally serious is the internal threat from the member of staff that seeks financial gain by selling company data or valuable data resources to rival organisations.
In some cases when an employee hands in their notice to transfer to a rival organisation, they are not required to work their notice due to the potential damage that they may cause as a result of their mixed loyalties.
External Threats to Data Security
Many external threats to ICT systems are non-deliberate, such as natural disasters like extreme weather conditions and floods, or technological failures like power cuts and fires.
Although these threats can be very damaging to an organisation, their effects can be minimised by choosing a site in a non-threatening environment, keeping backed-up data off site in a safe location, and maintaining a multi-site operation so that if a natural disaster were to close a site temporarily, the operation can be transferred with a minimal loss of production.
A major concern to computer-based operations is deliberate external threats to their data. This can occur in the following ways:
• where actual hardware or software is physically stolen by breaking into the company offices.
• where organisations are bombed or burnt down to gain publicity.
• where criminals break into the system to access and change financial details.
• where rival companies get hold of sensitive company information to gain a competitive
• Hacking and viruses, where individuals damage the company data for either personal gain or just the intellectual challenge of it.
Crime can be defined as the breaking of a rule or law for which a punishment may ultimately be prescribed by some governing authority or force. Typical crimes involve the theft of money, information
Computer crime or electronic crime generally refers to criminal activity where a computer or network is involved; it is very much a deliberate activity and can be defined as where criminal activity involves an ICT system, such as:
• Illegal or unauthorised access into a system.
• Illegal interception of data – the interception, by technical means, of non-public transmissions of computer data to, from or within a computer system.
• Data interference – by unauthorised damaging, deletion, or alteration of computer data for fraudulent purposes.
• Systems interference – interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data.
• Forgery or ID theft.
Malpractice (often termed as bad practice) on the other hand is not a criminal activity but unprofessional behaviour, such as ignoring a rule or recommendation in the company code of practice.
Typical rules ignored might include not logging off the system when the member of staff takes a break. In many cases this may have no impact on the organisation, but, like all security rules, on the one occasion when it does the impact might be major: a criminal gains illegal access to the system and could create a new user account with system administrator access rights.
Protecting ICT systems
The measures that can be taken to try to protect all parts of ICT systems, including networks, against
• Hardware measures
• Software measures
A firewall is a combination of hardware and software that is designed to check incoming messages and requests for service from the system.
Where a message or request is "dodgy" it can be re-routed
Staff training courses are an effective technique that can be used for preventing damage to the security of ICT systems; where employees understand the dangers and threats to the system they will understand the importance of their actions.
For example, no harm will be caused simply because a virus is sent to the system as an attachment to an email. It is only when the email is opened that the damage will be done; so staff could be made aware that they should only open email attachments from known and reliable sources.
Encryption is used to make stored data more secure, by making it unreadable to people who do not have the key to decode it.
The basic concept is that the stored data is encrypted by using a code. When this encrypted data is read it appears as a collection of meaningless characters.
The data can then be transmitted with no danger of it being understood.
When the data is read by someone who is entitled to read it, they can apply the decode key to put meaning back into the message or data transmitted.
Passwords and Access
Access to networks is nearly always protected by passwords that are linked to a username.
The username can be assigned access to certain areas and files on the network, related to the user's "need to know", so that senior managers could well have more access to sensitive files than new starters.
Access rights can be given to certain files and folders so that they have the following attributes: read/write access.
Passwords can also be made stronger, or more difficult to break, by using a mixture of numbers, letters, symbols, lower-case and upper-case characters, so that the final password does not look like a word.
Many organisations make the user change the password at regular intervals, such as every 6 weeks, which makes it difficult for a potential hacker to break into the system by attempting to guess the password.
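The password rules above (mix of numbers, letters, symbols, lower- and upper-case; not a recognisable word; rotation every 6 weeks) can be checked mechanically. The following is an added example, not code from the original transcript; the 8-character minimum, the short word list and the substitution table are my assumptions.

```python
import re
from datetime import date, timedelta

# Policy rules from the text: mix numbers, letters, symbols, lower- and
# upper-case so the password does not look like a word, and rotate every
# 6 weeks. The 8-character minimum and the word list are assumptions.
MIN_LENGTH = 8
ROTATION = timedelta(weeks=6)
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}  # constructed sample
# Common symbol/digit substitutions that a guessing word list would also try.
LEET = str.maketrans("@0$13!", "aosiei")


def strength_problems(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "digit": r"\d",
        "lower-case letter": r"[a-z]",
        "upper-case letter": r"[A-Z]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"no {name}")
    # "Does not look like a word": undo the substitutions, drop anything that
    # is not a letter and compare the residue with the word list.
    core = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    if core in COMMON_WORDS:
        problems.append("based on a common word")
    return problems


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the password is older than the 6-week rotation interval."""
    return today - last_changed > ROTATION


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd", "Tr0ub4dor&3"]:
        print(candidate, strength_problems(candidate) or "OK")
    print("rotation due:", rotation_due(date(2024, 1, 1), date(2024, 2, 15)))
```

Note that "P@ssw0rd" satisfies every character-class rule yet still fails, because the word check is what enforces "does not look like a word".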
Physical Security Procedures
Physical security is a tried and trusted method for protecting hardware and software from unauthorised access and potential theft. The following methods could be used:
• Secure areas for equipment where security cameras monitor an area. Doors can be opened by keycards or by number locks.
• Security guards can be used to control access to the buildings and log visits of potential intruders.
• Modern technology locks could be introduced, such as biometric or retina scan devices, fingerprint-type passwords (used on many modern iPAQs) and voice recognition software.
Clerical procedures can be used to make sure that an organisation’s data is error free at the point of entry.
• This might include batch-processing procedures.
• Validation checks (to ensure data is in a valid format).
• Verification checks (often consisting of double entry to ensure that data is accurate).
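The distinction between validation (is the data in a valid format?) and verification (was it keyed accurately, checked by double entry?) is easiest to see on a batch of records. This is an added example, not code from the original transcript; the records are constructed and the postcode pattern is a simplified assumption.

```python
import re
from datetime import datetime

# Constructed batch of customer records as keyed by a data-entry clerk: each
# pair is the first entry and the second, independent keying of the same record.
BATCH = [
    ({"id": "C001", "postcode": "SW1A 1AA", "dob": "1990-05-14"},
     {"id": "C001", "postcode": "SW1A 1AA", "dob": "1990-05-14"}),
    ({"id": "C002", "postcode": "NOT A PC", "dob": "1985-12-01"},
     {"id": "C002", "postcode": "NOT A PC", "dob": "1985-12-01"}),
    ({"id": "C003", "postcode": "M1 1AE", "dob": "1992-02-30"},
     {"id": "C003", "postcode": "M1 1AE", "dob": "1992-02-30"}),
    ({"id": "C004", "postcode": "B33 8TH", "dob": "2001-07-07"},
     {"id": "C004", "postcode": "B33 8HT", "dob": "2001-07-07"}),
]

# Simplified UK postcode shape (assumption; the real rules are more involved).
POSTCODE = re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? \d[A-Z]{2}$")


def validate(record: dict) -> list[str]:
    """Validation: is each field in a valid format? It cannot tell if the value is correct."""
    errors = []
    if not POSTCODE.match(record["postcode"]):
        errors.append("postcode format")
    try:
        datetime.strptime(record["dob"], "%Y-%m-%d")  # rejects impossible dates too
    except ValueError:
        errors.append("dob not a real date")
    return errors


def verify(first: dict, second: dict) -> list[str]:
    """Verification by double entry: the two keyings must agree field by field."""
    return [field for field in first if first[field] != second.get(field)]


def process_batch(batch):
    """Batch processing: accept a record only if it passes both checks."""
    accepted, rejected = [], {}
    for first, second in batch:
        problems = validate(first) + [f"mismatch:{f}" for f in verify(first, second)]
        if problems:
            rejected[first["id"]] = problems
        else:
            accepted.append(first)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = process_batch(BATCH)
    print("accepted:", [r["id"] for r in ok])
    print("rejected:", bad)
```

Record C004 passes validation (a well-formed postcode) but fails verification, which is exactly the kind of keying error only double entry catches.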
Computer Misuse Act 1990
The Computer Misuse Act became law in August 1990 and hacking and the introduction of viruses became criminal offences.
The Act identifies three specific offences:
1. Unauthorised access to computer material (that is, a program or data).
2. Unauthorised access to a computer system with intent to commit or facilitate the commission of a serious crime.
3. Unauthorised modification of computer material.
Unauthorised Access to Computer Material
This offence includes examples such as:
1. Using another person's identifier (ID) and password without proper authority in order to use data or a program, or to alter, delete, copy or move a program or data, or simply to output a program or data (for example, to a screen or printer).
2. Laying a trap to obtain a password.
3. In the educational context this could mean reading examination papers or examination results and in the commercial context it could be reading details of a Bank or Building Society’s financial figures.
The Act defines this basic crime as a summary offence, punishable on conviction with a maximum prison sentence of six months or a maximum fine of 2000 or both.
Unauthorised Access to a Computer System with Intent to Commit or Facilitate the Commission of a Serious Crime
This offence includes using a computer to gain access to the financial or administrative records of an organisation with the intention of committing a serious crime, such as fraud.
The main difficulty of obtaining a successful prosecution in this offence is that intent would have to be proved.
This crime is punishable by imprisonment for a term not exceeding five years or a fine or both, after a suitable trial.
Unauthorised Modification of Computer Material
This offence includes using a computer for the purpose of:
1. Destroying another user's files.
2. Modifying system files.
3. The creation of a virus.
4. The introduction of a local or networked virus.
5. Changing financial information.
6. Deliberately generating information to cause a complete system malfunction.
This crime is punishable by imprisonment for a term not exceeding five years or a fine or both, after a suitable trial.
The punishments clearly reflect the perceived gravity of the offence and imply that organisations should take an equally serious view of hacking or virus proliferation.
Computer Misuse Act Implementation
The Computer Misuse Act was introduced with the express purpose of preventing attacks on ICT systems to commit crimes or to damage the system.
There have been few prosecutions under this legislation for the following reasons:
1. If a hacker gains access to the system it is very difficult to prove criminal intent and so the punishment for the least serious offence is not a particularly large deterrent. In many cases the hacker would argue that they had gained access inadvertently when they were “mucking” around.
2. Many organisations are unwilling to prosecute hackers since they would be admitting there was a security issue with their ICT systems, which could cause a loss of confidence. The more likely consequence of a security issue is to try and prevent a repeat of the situation by introducing new systems for preventative purposes.
3. The global nature of ICT makes it difficult to enforce laws internationally, as in numerous cases the hacker is resident in one country and the ICT system where the offence was committed is in another; this leads to problems
Copyright Design & Patents Act 1988
The Copyright Design and Patents Act, introduced in 1988, aimed to protect the intellectual property of individuals and organisations that create and produce materials based on their own individual ideas. This act has a broad remit and includes the intellectual property (IP) on materials such as:
• Software piracy – the illegal copying of software, either for personal use or making bulk copies for selling illegally. There is tremendous profit in this illegal activity, as software that might cost many hundreds of pounds can be copied on to a £1 DVD and sold at car boot sales or on the Internet. This activity has been reduced as outlets like eBay have tried to outlaw it on their auction sites.
• Theft of hardware and software ideas and innovations. In an industry that moves so fast there is seldom time to patent your invention before you release it on to the open market. Many organisations purchase their rivals' products with the express purpose of copying their ideas, which saves them considerable expense on research and development.
• Copying and downloading materials such as music, video and text-based files, for either personal or commercial reasons. This is similar to software piracy, where mostly domestic users copy the latest videos and music for personal use.
Protecting your copyright is especially worthwhile when you or your organisation have invented a new hardware or software concept.
There are many websites that can help the creator to protect their work; for example, the Business Link website in London has a series of options to help you.
Most software companies help to reduce software piracy using online registration and the input of a validation key.
One of the main issues in enforcing copyright law with respect to software piracy is that the small scale copying offence is not viewed as a serious crime by many, who argue that they would buy the software if it wasn’t so expensive.