SYSTEM SECURITY, ICT ETHICAL ISSUES, AND EMERGING TECHNOLOGIES
Sub Topic 1: Computer System Security
Sub topic Objectives:
a. Computer security
i. Explaining the various forms of computer security (data and physical security).
ii. Identifying security threats (hardware and software).
iii. Explaining the meaning of a computer virus.
iv. Explaining how viruses are spread on standalone and networked computers.
v. Explaining the concept of hacking.
vi. Explaining how denial of service attacks, backdoors and spoofing are carried out.
vii. Identifying appropriate ways of protecting data in computer systems.
viii. Identifying types of computer crimes.
Forms of computer security (data and physical security)
– Integrity means prevention of unauthorized modification of data and of data corruption. Data corruption refers to errors in data that may occur during reading, writing, processing, storage or transmission and that introduce unintended or unwanted changes to the original data.
– Availability means prevention of unauthorized withholding of data access (intended users can access the data whenever they need to).
– Confidentiality means avoiding unauthorized disclosure of data to third parties.
Physical security refers to the measures put in place to protect computer systems from physical damage and to mitigate physical security risks. Physical security includes:
Security threats for (hardware and software)
A security threat is any action that causes loss of or damage to a computer system.
Security threats to computer-based information systems and to private or confidential data include:
– system failure
– information theft
– hardware theft
– software theft
– Internet and network attacks, such as those carried out by hackers
– malicious programs (computer viruses, worms and Trojan horses)
– unauthorized access and use
– unauthorized alteration
– malicious destruction of hardware, software, data or network resources, as well as sabotage.
Information system failure
Some of the causes of computerized information system failure include:
1. Hardware failure due to improper use.
2. Unstable power supply as a result of brownouts or blackouts, and vandalism.
3. Network breakdown.
4. Natural disasters.
5. Program failure.
Control measures against hardware failure
Protect computers against brownouts or blackouts, which may cause physical damage or data loss, by using surge protectors and an uninterruptible power supply (UPS). For critical systems, most organizations have put in place fault tolerant systems. A fault tolerant system has redundant (duplicate) storage, peripheral devices and software that provide a fail-over capability to the backup components in the event of system failure.
Disaster recovery plans
A disaster recovery plan involves establishing offsite storage of an organization's databases so that, in case of a disaster or fire, the company has backup copies from which to reconstruct lost data.
Data backup
Hardware theft and hardware vandalism
Hardware theft is the act of stealing computer equipment.
Hardware vandalism is the act of defacing or destroying computer equipment.
A license agreement gives the right to use software. A single-user license agreement allows a user to install the software on one computer, make one backup copy, and sell the software after removing it from the computer.
Internet and Network Attacks
Information transmitted over networks has a higher degree of security risk than information kept on an organization’s premises. In an organization, network administrators usually take measures to protect a network from security risks. On the Internet, where no central administrator is present, the security risk is greater.
Internet and network attacks that jeopardize security include computer viruses, worms, Trojan horses, and rootkits; botnets; denial of service attacks; back doors; and spoofing.
Unauthorized access and Use
–Unauthorized access is the use of a computer or network without permission. Unauthorized use is the use of a computer or its data for unapproved or possibly illegal activities.
–Unauthorized use includes a variety of activities: an employee using an organization’s computer to send personal e-mail messages, or someone gaining access to a bank computer and performing an unauthorized transfer.
Information theft
Information theft is yet another type of computer security risk. Information theft occurs when someone steals personal or confidential information. An unethical company executive may steal or buy stolen information to learn about a competitor. A corrupt individual may steal credit card numbers to make fraudulent purchases.
Safeguards against information theft: most companies attempt to prevent information theft by implementing user identification and authentication controls.
To protect information on the Internet and networks, companies and individuals use a variety of encryption techniques.
Explaining the meaning of a computer virus
A computer virus is a potentially damaging computer program that affects, or infects, a computer negatively by altering the way the computer works without the user’s knowledge or permission. Once the virus infects the computer, it can spread throughout and may damage files and system software, including the operating system.
Computer viruses, worms, Trojan horses, and rootkits are classified as malware (short for malicious software). Unscrupulous programmers write malware and then test it to ensure it can deliver its payload. The payload is the destructive event or prank the program is intended to deliver.
Macro Viruses
Macros are procedures or instructions saved in an application, such as a word processing or spreadsheet program. To protect the system from macro viruses, set the macro security level in applications so that a warning is displayed when an opened document contains a macro.
Symptoms of computer infected by viruses
What is a virus signature?
A virus signature is a specific pattern of virus code, also called a virus definition. Antivirus programs look for virus signatures. An antivirus program identifies and removes computer viruses; most also protect against worms and Trojan horses.
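The following is an added illustration of signature-based scanning, not code from the original notes or from any antivirus product. The signature database and the sample "files" are constructed for the example (the byte patterns are made-up test markers, not patterns from real malware); a real antivirus program ships a far larger definition database and updates it regularly.

```python
import hashlib
from typing import Dict, List

# Constructed signature database standing in for an antivirus program's
# virus definitions. The byte patterns are made-up test markers, not code
# from any real malware.
SIGNATURES: Dict[str, bytes] = {
    "Test.Marker.A": b"CONSTRUCTED-SIGNATURE-A",
    "Test.Marker.B": b"CONSTRUCTED-SIGNATURE-B",
}

# Constructed sample "files" (name -> raw bytes). Two are clean; two contain a marker.
SAMPLE_FILES: Dict[str, bytes] = {
    "report.docx": b"PK\x03\x04 ordinary document content",
    "photo.jpg": b"\xff\xd8\xff\xe0 ordinary image content",
    "setup.exe": b"MZ" + b"\x00" * 16 + b"CONSTRUCTED-SIGNATURE-A" + b"\x00" * 8,
    "notes.txt": b"meeting notes CONSTRUCTED-SIGNATURE-B end",
}


def scan_bytes(data: bytes) -> List[str]:
    """Return the name of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan every file; map file name -> matched signature names (empty list when clean)."""
    return {name: scan_bytes(data) for name, data in files.items()}


def quarantine_report(files: Dict[str, bytes]) -> Dict[str, dict]:
    """List the files that should be quarantined (at least one match) together with
    the SHA-256 of their contents, so the infected sample can be referenced later
    without opening it again."""
    report = {}
    for name, matches in scan_files(files).items():
        if matches:
            report[name] = {
                "signatures": matches,
                "sha256": hashlib.sha256(files[name]).hexdigest(),
            }
    return report


if __name__ == "__main__":
    for name, matches in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {'clean' if not matches else 'INFECTED ' + ', '.join(matches)}")
```

The scanner only finds what is already in its signature list, which is why the definitions must be kept up to date: a virus whose pattern is not in the database passes the scan unnoticed.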
Control measures against viruses
that enables computer to restart. Also called rescue disk
How viruses are spread on standalone and networked computers.
A standalone computer is one which is not connected to any other computer. A networked computer is one which is connected to other computers for the purpose of exchanging data, information or resources. The table below shows some ways in which viruses spread on standalone and networked computers.
The concept of hacking.
Hacking and cracking
The term hacker refers to someone who accesses a computer or network illegally. Originally it was a complimentary word for a computer enthusiast. A cracker also is someone who accesses a computer or network illegally but has the intent of destroying data, stealing information, or other malicious action.
Both hackers and crackers have advanced computer and network skills. Some hackers claim the intent of their security breaches is to improve security, and may be hired by software companies to test the security of new software systems.
A script kiddie has the same intent as a cracker but does not have the technical skills and knowledge. Script kiddies often use prewritten hacking and cracking programs to break into computers.
A cyberextortionist is someone who uses e-mail as a vehicle for extortion.
A cyberterrorist is someone who uses the Internet or network to destroy or damage computers for political reasons. The cyberterrorist might target the nation’s air traffic control system, electricity-generating companies, or a telecommunications infrastructure.
Explaining how denial of service attacks, backdoors, spoofing are carried out
A denial of service attack, or DoS attack, is an assault whose purpose is to disrupt computer access to an Internet service. The attackers may use an unsuspecting computer to send an influx of confusing data messages or useless traffic to a computer network. The victim computer network slows down considerably and eventually becomes unresponsive or unavailable, blocking legitimate visitors from accessing the network. Perpetrators have a variety of motives for carrying out a DoS attack. Those who disagree with the beliefs or actions of a particular organization claim political anger motivates their attacks. Some perpetrators use the attack as a vehicle for extortion. Others simply want the recognition.
A botnet is a group of compromised computers connected to a network such as the Internet that are used as part of a network that attacks other networks, usually for nefarious purposes.
A compromised computer, known as a zombie, is one whose owner is unaware the computer is being controlled remotely by an outsider. Cybercriminals use botnets to send spam via e-mail, spread viruses and other malware, or commit a denial of service attack.
A back door is a program, or a set of instructions in a program, that allows users to bypass security controls when accessing a program, computer, or network. Once perpetrators gain access to unsecured computers, they often install a back door or modify an existing program to include a back door, which allows them to continue to access the computer remotely without the user's knowledge.
Spoofing is a technique intruders use to make their network or Internet transmission appear legitimate to a victim computer or network. E-mail spoofing occurs when the sender's address or other components of the e-mail header are altered so that it appears the e-mail originated from a different sender. E-mail spoofing is commonly used for virus hoaxes, spam, and phishing scams.
IP spoofing occurs when an intruder computer fools a network into believing its IP address is associated with a trusted source. Perpetrators of IP spoofing trick their victims into interacting with a deceptive Web site.
Identifying appropriate ways of protecting data in computer systems.
Data encryption
What is data encryption? Data encryption is the process of converting plaintext (readable data) into ciphertext (unreadable characters). It safeguards against information theft. The encryption key (formula) often uses more than one method. To read the data, the recipient must decrypt, or decipher, it.
Data in transit over the network faces many dangers of being tapped, listened to or copied to unauthorized destinations. Such data can be protected by scrambling it into a form that only the sender and receiver are able to understand; this scrambling is called data encryption, and reconstructing the original message from the scrambled form is decryption.
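As an added example (not code from the original notes), the following shows the plaintext-to-ciphertext conversion described above together with the integrity property from the "forms of computer security" list: the sender converts the message with a secret key, appends an HMAC tag, and the receiver refuses the message if it was corrupted or altered in transit. The cipher used is a one-time pad (XOR with a random key as long as the message), chosen because it needs only the Python standard library; the message and keys are constructed for the example.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 produces a 32-byte tag


def generate_key(length: int) -> bytes:
    """Fresh random key. For a one-time pad it must be as long as the message,
    kept secret, and never reused for a second message."""
    return secrets.token_bytes(length)


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Convert plaintext to ciphertext by XOR-ing each byte with the key (one-time pad)."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Recover the plaintext: XOR-ing with the same key undoes the encryption."""
    return encrypt(ciphertext, key)


def seal(plaintext: bytes, key: bytes, mac_key: bytes) -> bytes:
    """Encrypt, then append an HMAC tag over the ciphertext so the receiver can
    detect corruption or tampering in transit (integrity)."""
    ciphertext = encrypt(plaintext, key)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_sealed(message: bytes, key: bytes, mac_key: bytes):
    """Verify the tag first; return None if integrity fails, else the plaintext."""
    if len(message) < TAG_LEN:
        return None
    ciphertext, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # corrupted or altered: do not hand garbage to the application
    return decrypt(ciphertext, key)


def demo() -> dict:
    """Constructed round trip: sender seals, receiver opens, then one bit is flipped in transit."""
    plaintext = b"Transfer 100 to account 42"   # constructed message
    key = generate_key(len(plaintext))
    mac_key = secrets.token_bytes(32)

    sealed = seal(plaintext, key, mac_key)
    recovered = open_sealed(sealed, key, mac_key)

    damaged = bytearray(sealed)
    damaged[0] ^= 0x01                        # simulate one corrupted bit in transit
    tampered = open_sealed(bytes(damaged), key, mac_key)

    wrong_key = generate_key(len(plaintext))  # a listener who does not hold the key
    return {
        "ciphertext_differs": sealed[:len(plaintext)] != plaintext,
        "recovered": recovered,
        "tamper_detected": tampered is None,
        "wrong_key_fails": decrypt(sealed[:len(plaintext)], wrong_key) != plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

Encryption alone gives confidentiality; the tag is what gives integrity, because a receiver who only decrypts has no way to tell a corrupted ciphertext from a genuine one.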
Surge protectors protect computers and equipment from electrical power disturbances. An uninterruptible power supply (UPS) is a surge protector that also provides power during a power loss.
What is a firewall? A firewall is a device or software system that filters the data and information exchanged between different networks by enforcing the host network's access control policy. The main aim of a firewall is to monitor and control access to or from protected networks. People who do not have permission (remote requests) cannot access firewall-restricted sites outside their network. In short, a firewall is a security system consisting of hardware and/or software that prevents unauthorized network access.
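To make the idea of "enforcing an access control policy" concrete, here is an added example (not from the original notes or from any firewall product) of a packet filter: a small rule list is checked top to bottom, the first matching rule decides, and anything unmatched is denied. The policy, the addresses (documentation ranges) and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src_net: str             # CIDR the source address must fall in
    dst_net: str             # CIDR the destination address must fall in
    dport: Optional[int]     # None = any destination port
    proto: Optional[str]     # None = any protocol


# Constructed access control policy for a small organization. Rules are
# checked top to bottom; the first match wins; the last rule is the default deny.
POLICY: List[Rule] = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", 443, "tcp"),   # anyone may reach the public web server over HTTPS
    Rule("allow", "192.168.1.0/24", "0.0.0.0/0", None, None),     # the internal LAN may open connections outward
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None, None),           # everything else is dropped
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule is satisfied by the packet."""
    return (
        ip_address(pkt.src) in ip_network(rule.src_net)
        and ip_address(pkt.dst) in ip_network(rule.dst_net)
        and (rule.dport is None or rule.dport == pkt.dport)
        and (rule.proto is None or rule.proto == pkt.proto)
    )


def decide(policy: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; deny if nothing matches."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def filter_traffic(policy: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Apply the policy to a batch of packets and pair each with its decision."""
    return [(pkt, decide(policy, pkt)) for pkt in packets]


# Constructed sample traffic
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", 443, "tcp"),   # Internet -> web server, HTTPS
    Packet("198.51.100.7", "192.168.1.20", 3389, "tcp"),  # Internet -> internal desktop, remote desktop port
    Packet("192.168.1.20", "198.51.100.7", 80, "tcp"),    # internal desktop -> Internet web site
    Packet("198.51.100.7", "203.0.113.10", 22, "tcp"),    # Internet -> web server, SSH
]


if __name__ == "__main__":
    for pkt, verdict in filter_traffic(POLICY, SAMPLE_PACKETS):
        print(f"{verdict:5} {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
```

The order of the rules matters: because the default deny sits last, a request from outside to an internal desktop or to an administrative port on the web server is dropped even though nothing names it explicitly.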
Use of acceptable use policy (AUP)
The AUP outlines the computer activities for which the computer and network may and may not be used. An organization’s AUP should specify the acceptable use of computers by employees for personal reasons. Some organizations prohibit such use entirely. Others allow personal use on the employee’s own time such as a lunch hour.
Intrusion Detection Software
To provide extra protection against hackers and other intruders, large organizations sometimes use intrusion detection software to identify possible security breaches. Intrusion detection software automatically analyzes all network traffic, assesses system vulnerabilities, identifies any unauthorized access (intrusions), and notifies network administrators of suspicious behavior patterns or system breaches. Using intrusion detection software requires the expertise of a network administrator, because the programs are complex and difficult to use and interpret. These programs are also quite expensive.
Identifying and Authenticating Users
Many organizations use access controls to minimize the chance that a perpetrator intentionally, or an employee accidentally, accesses confidential information on a computer.
An access control is a security measure that defines who can access a computer, when they can access it, and what actions they can take while accessing the computer. In addition, the computer should maintain an audit trail that records in a file both successful and unsuccessful access attempts.
An unsuccessful access attempt could result from a user mistyping his or her password, or it could result from a hacker trying thousands of passwords. Organizations should investigate unsuccessful access attempts immediately to ensure they are not intentional breaches of security.
User Names and Passwords
A username is a unique combination of characters that identifies a user. A password is a private combination of characters, associated with the user name, that allows access to computer resources.
How can you make your password more secure? Longer passwords provide greater security
Possessed objects
Possessed objects are items that you must carry to gain access to a computer or facility, e.g. badges, cards, smart cards, and keys. They are often used with a numeric password called a personal identification number (PIN), e.g. an ATM PIN.
Access control can be enhanced by implementing multilevel authentication policies, such as assigning users logon accounts together with the use of smart cards and a personal identification number (PIN).
Security monitors are programs that monitor and keep a log file or record of computer systems and protect them from unauthorized access.
Biometric devices authenticate a person's identity using a human characteristic.
Biometric security is a growing form of access control measure that uses the user's own attributes, such as voice, fingerprints and facial recognition. For example, you can log on to Windows by swiping a finger on a fingerprint scanner.
COMPUTER CRIMES
The following are some examples of crimes perpetrated by use of computers.
Physical theft
The physical theft of computer hardware and software is the most widespread computer-related crime, especially in developing countries.
Nowadays we hear of cases of people breaking into an office or firm and stealing computers, hard disks and other valuable computer accessories. In most cases such theft is carried out by untrustworthy employees of the firm or by outsiders. The motive may be commercial gain, destruction of sensitive information, or sabotage.
Control measures against theft
Piracy: Piracy is a form of intellectual property theft which means illegal copying of software, information or data. Software, information and data are protected by copyright and patent laws.
Control measures against piracy
Fraud: Fraud is stealing by false pretences. Fraudsters may be employees of a company, or a non-existent company that purports to offer Internet services such as selling vehicles. Other forms of fraud involve the computerized production and use of counterfeit documents. With the rapid growth of the Internet and mobile computing, such cybercrimes have become increasingly sophisticated.
Sabotage: Sabotage refers to illegal destruction of data and information with the aim of crippling services delivery, or causing great loss to an organization. Sabotage is usually carried out by disgruntled employees or competitors with the intention of causing harm to an organization.
Eavesdropping: Eavesdropping refers to tapping into communication channels to get information. Hackers mainly use eavesdropping to access private or confidential information from Internet users or from poorly secured information systems.
Surveillance (monitoring): Surveillance refers to monitoring use of computer system and networks using background programs such as spyware and cookies. The information gathered may be used for one reason or the other e.g. spreading sabotage.
Industrial espionage: Industrial espionage involves spying on a competitor to get information that can be used to cripple the competitor.
Accidental access: Threats to data and information also come from people unknowingly giving out information to strangers or unauthorized persons.
Alteration: Alteration is the illegal modification of private or confidential data and information with the aim of misinforming users. Alteration is usually done by people who wish to conceal the truth or sabotage certain operations. Alteration compromises the integrity of data and information, making it unreliable.
Sub Topic 2. Privacy and ICT Ethical Issues
Sub topic Objectives:
a. ICT ethics and society
i. Define and describe ethical issues in ICT.
ii. Describe information accuracy.
iii. Explain the concept of intellectual property rights.
iv. Explain the different aspects of information privacy and its violation.
a. ICT ethics and society
Computer ethics are the moral guidelines that govern the use of computers and information systems.
Ethics is knowing and understanding what is right and what is wrong, and then doing the right thing right.
In simple terms, ethics are standards of moral conduct. Quite often, people in society do the wrong things either out of ignorance or deliberately to achieve selfish interests.
In today’s society, computers are involved to some extent in almost every aspect of life and sometimes they often perform life-critical tasks. This makes it very important to carefully consider the issues of ethics in use of computers and software.
Ethical principles are important because they help us navigate through difficult situations and reflect the way to relate with our friends and community.
Three useful ethical principles:
Computer ethics involves use of computers & software in morally acceptable way. Standards or guidelines are important in this industry, because technology changes are outstripping the legal system’s ability to keep up.
Computer Ethics for Computer Professionals
According to the Association for Computing Machinery (ACM) code, a computing professional:
Code of Conduct
A code of conduct is a written guideline that helps determine whether a specific action is ethical or unethical.
IT Code of Conduct
Sample IT Codes of Conduct
b. Intellectual property
Intellectual property (IP) refers to a creation of one's mind and innovativeness, such as work created by inventors, authors, and artists. Intellectual property rights are the rights to which creators are entitled for their work.
A copyright gives authors and artists exclusive rights to duplicate, publish, and sell their materials. A common infringement of copyright is software piracy. A trademark protects a company’s logos and brand names.
c. Information privacy
Information privacy refers to the right of individuals and companies to deny or restrict the collection and use of information about them. In the past, information privacy was easier to maintain because information was kept in separate locations.
Today, huge databases store this data online. Much of the data is personal and confidential and should be accessible only to authorized users. Many individuals and organizations, however, question whether this data really is private.
Concerns related to collection and use of private data are:
What are some ways to safeguard personal information?
What is an electronic profile?
An electronic profile refers to a set of data collected when you fill out a form on the Web, e.g. a user profile on Amazon or a Facebook profile. Merchants may sell the contents of their databases to national marketing firms and Internet advertising firms. Many companies today allow people to specify whether they want their personal information distributed.
Cookies
E-commerce and other Web applications often rely on cookies to identify users. A cookie is a small text file that a Web server stores on your computer. Cookie files typically contain data about you, such as your user name or viewing preferences.
Many commercial Web sites send a cookie to your browser, and then your computer’s hard disk stores the cookie. The next time you visit the Web site, your browser retrieves the cookie from your hard disk and sends the data in the cookie to the Web site.
Web sites use cookies for a variety of purposes:
How do cookies work?
Step 1. When you type the Web address of a Web site in your browser window, the browser program searches your hard disk for a cookie associated with that Web site.
Step 2. If the browser finds a cookie, it sends the information in the cookie file to the Web site.
Step 3. If the Web site does not receive cookie information, and is expecting it, the Web site creates an identification number for you in its database and sends that number to your browser. The browser in turn creates a cookie file based on that number and stores the cookie file on your hard disk. The Web site can now update the information in the cookie file whenever you access the site.
For privacy purposes, you can set a browser to accept cookies automatically, to prompt you whether you want to accept a cookie, or to disable cookie use altogether. Keep in mind that if you disable cookie use, you will not be able to use many e-commerce Web sites.
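The three steps above, simulated end to end as an added example (not code from the original notes): a stand-in Web site that issues an identification number when no cookie arrives, and a stand-in browser that keeps a cookie store per site and sends it back on the next visit. A second browser with cookies disabled shows why the site then cannot recognize the visitor. The site, host name and visitor numbers are constructed for the example; the cookie headers are built and parsed with Python's standard http.cookies module.

```python
import itertools
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple


class WebSite:
    """Constructed stand-in for a Web server that identifies visitors with a cookie."""

    def __init__(self, host: str):
        self.host = host
        self.visitors: Dict[str, int] = {}      # identification number -> number of visits
        self._next_id = itertools.count(1000)

    def handle_request(self, cookie_header: Optional[str]) -> Tuple[str, Optional[str]]:
        """Return (page body, Set-Cookie header or None)."""
        jar = SimpleCookie(cookie_header or "")
        if "visitor_id" in jar and jar["visitor_id"].value in self.visitors:
            vid = jar["visitor_id"].value
            self.visitors[vid] += 1                 # the site updates what it knows about this visitor
            return f"welcome back visitor {vid}", None
        # Step 3: no (valid) cookie received, so create an ID and send it back in a cookie
        vid = str(next(self._next_id))
        self.visitors[vid] = 1
        cookie = SimpleCookie()
        cookie["visitor_id"] = vid
        cookie["visitor_id"]["path"] = "/"
        return f"hello new visitor {vid}", cookie["visitor_id"].OutputString()


class Browser:
    """Constructed stand-in for a browser with a cookie store on the hard disk."""

    def __init__(self, accept_cookies: bool = True):
        self.accept_cookies = accept_cookies
        self.disk: Dict[str, Dict[str, str]] = {}   # host -> {cookie name: value}

    def visit(self, site: WebSite) -> str:
        # Step 1: look on disk for a cookie associated with this site
        stored = self.disk.get(site.host, {})
        # Step 2: if one is found, send its contents with the request
        cookie_header = "; ".join(f"{k}={v}" for k, v in stored.items()) or None
        body, set_cookie = site.handle_request(cookie_header)
        # If the site sends a cookie back, store it on disk (unless cookies are disabled)
        if set_cookie and self.accept_cookies:
            parsed = SimpleCookie(set_cookie)
            self.disk.setdefault(site.host, {}).update({n: m.value for n, m in parsed.items()})
        return body


def demo() -> Dict[str, list]:
    """Two visits each by a browser that accepts cookies and by one that refuses them."""
    accepting = Browser(accept_cookies=True)
    shop = WebSite("shop.example")
    refusing = Browser(accept_cookies=False)
    other_shop = WebSite("shop.example")
    return {
        "accepting": [accepting.visit(shop), accepting.visit(shop)],
        "refusing": [refusing.visit(other_shop), refusing.visit(other_shop)],
    }


if __name__ == "__main__":
    for name, pages in demo().items():
        print(name, pages)
```

The browser that refuses cookies is treated as a brand-new visitor on every request, which is exactly the trade-off the privacy note above describes.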
What are spyware and spam?
Spyware is a program placed on a computer without the user's knowledge that secretly collects information about the user. Spam is an unsolicited e-mail message sent to many recipients.
What is content filtering?
Internet Content Rating Association (ICRA) provides rating system of Web content. Web filtering software restricts access to specified sites.
What is Phishing?
Phishing is a scam in which a perpetrator sends an official-looking e-mail message that attempts to obtain your personal or financial information. Some phishing e-mail messages ask you to reply with your information; others direct you to a deceptive Web site, or a pop-up window that looks like a legitimate Web site, that may request you to update credit card numbers, Social Security numbers, bank account numbers, passwords, or other private information. Never click a link in such an e-mail message; instead, retype the Web address in your browser.
A phishing filter is a program that warns or blocks you from potentially fraudulent or suspicious Web sites. Some Web browsers include phishing filters.
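The following is an added example (not code from the original notes or from any browser's filter) of the kind of checks a phishing filter can apply to the links in a message before warning the reader: whether the address shown differs from where the link really goes, whether the destination is a bare IP address or not HTTPS, whether a domain label is punycode, and whether a trusted site's name is embedded in an unrelated domain. The trusted host list and the sample links (documentation domains and addresses only) are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple
from urllib.parse import urlparse


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_or_subdomain(host: str, trusted: str) -> bool:
    return host == trusted or host.endswith("." + trusted)


def link_warnings(display_text: str, href: str, trusted_hosts: Iterable[str] = ()) -> List[str]:
    """Heuristic checks on one link: the text the reader sees versus where it really goes."""
    warnings = []
    actual = host_of(href)
    shown = host_of(display_text) if "://" in display_text else None
    if shown and shown != actual:
        warnings.append("host-mismatch")             # visible URL and real destination differ
    if is_ip_literal(actual):
        warnings.append("ip-literal-host")           # legitimate sites are reached by name
    if urlparse(href).scheme != "https":
        warnings.append("not-https")
    if any(label.startswith("xn--") for label in actual.split(".")):
        warnings.append("punycode-label")            # internationalized label that may imitate a familiar name
    for trusted in trusted_hosts:
        if trusted in actual and not same_or_subdomain(actual, trusted):
            warnings.append("lookalike:" + trusted)  # trusted name embedded in an unrelated domain
    return warnings


def triage_message(links: List[Tuple[str, str]], trusted_hosts: Iterable[str] = ()) -> str:
    """Verdict for a whole message: 'warn' if any link trips a check, otherwise 'ok'."""
    trusted = list(trusted_hosts)
    return "warn" if any(link_warnings(text, href, trusted) for text, href in links) else "ok"


# Constructed trusted list and sample (display text, destination) pairs
TRUSTED = ["bank.example"]
SAMPLE_LINKS = [
    ("https://bank.example", "https://bank.example/account"),         # genuine
    ("https://bank.example", "http://198.51.100.7/login"),            # shown address differs from destination
    ("Update your details", "https://bank.example.verify-now.net/"),  # trusted name inside another domain
    ("bank.example", "https://xn--bnk-abc.example/"),                 # punycode label
]


if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(f"{href}: {link_warnings(text, href, TRUSTED) or 'no warnings'}")
    print("message verdict:", triage_message(SAMPLE_LINKS, TRUSTED))
```

These heuristics produce warnings, not proof: a real filter combines them with lists of reported sites, and the advice in the text still applies, since retyping the address yourself sidesteps the link entirely.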
What is Pharming?
Pharming is a scam, similar to phishing, where a perpetrator attempts to obtain your personal and financial information, except they do so via spoofing. That is, when you type a Web address in the Web browser, you are redirected to a phony Web site that looks legitimate.
What is Clickjacking?
Clickjacking is yet another similar scam. With clickjacking, an object that can be clicked on a Web site, such as a button, image, or link, contains a malicious program. When users click the disguised object, for example, they may be redirected to a phony Web site that requests personal information, or a virus may download to their computer.
What is Social Engineering?
As related to the use of computers, social engineering is defined as obtaining confidential information by taking advantage of the trusting human nature of some victims. Some social engineers trick their victims into revealing confidential information such as user names and passwords on the telephone, in person, or on the Internet.
Techniques they use include pretending to be an administrator or other authoritative figure, feigning an emergency situation, or impersonating an acquaintance. Social engineers also obtain information from users who do not destroy or conceal information properly. These perpetrators sift through company dumpsters, watch or film people dialling telephone numbers or using ATMs, and snoop around computers looking for openly displayed confidential information.
Employee Monitoring: Employee monitoring involves the use of computers to observe, record, and review an employee’s use of a computer, including communications such as e-mail messages, keyboard activity (used to measure productivity), and Web sites visited. Many programs exist that easily allow employers to monitor employees.
A frequently debated issue is whether an employer has the right to read employee e-mail messages. Actual policies vary widely. Some companies declare that they will review e-mail messages regularly, and others state that e-mail is private. Several lawsuits have been filed against employers because many believe that such internal communications should be private. Another controversial issue relates to the use of cameras to monitor employees, customers, and the public. Many people feel that this use of video cameras is a violation of privacy.
Content Filtering
One of the more controversial issues that surround the Internet is its widespread availability of objectionable material, such as racist literature, violence, and pornography. Content filtering is the process of restricting access to certain material on the Web.
Many businesses use content filtering to limit employees’ Web access. These businesses argue that employees are unproductive when visiting inappropriate or objectionable Web sites. Some schools, libraries, and parents use content filtering to restrict access to minors.
Some countries, such as China, also carry out content filtering, for example by banning some websites like Facebook. Content filtering opponents argue that banning any material violates constitutional guarantees of free speech and personal rights.
Web filtering software is a program that restricts access to specified Web sites. Some also filter sites that use specific words. Others allow you to filter e-mail messages, chat rooms, and programs. An example of a web filtering program is Net Nanny.
Many Internet security programs include a firewall, antivirus program, and filtering capabilities combined.
Assignment
Assignment: CS6: Assignment on System Security, ICT Ethical Issues and Emerging Technologies. Marks: 100. Duration: 3 hours.