Security threats and

controls
There is need to protect data from theft because it used to make
decisions in everyday life. Wrongful storage of data can lead to a
number of evil activities if it reaches malicious people
Data security core principles

MK SOLUTIONS
• The three core
principles of Confidentiality

data security
also referred to
as information
security are:
1. Confidentiality Information
security
2. Integrity and
3. Availability
Availability integrity

2
Confidentiality

MK SOLUTIONS
• This implies that sensitive data or information belonging to an
organization or government should not be accessed by or
disclosed to unauthorized people.
• Such data includes: office documents, chemical formula,
employee’s details, examinations etc.

Data security core principles

Integrity
• Integrity refers to a situation where data should not be
modified without owner’s authority

MK SOLUTIONS
4

Data security core principles

Availability

MK SOLUTIONS
• Information must be available on demand
• This translates to any information system and communication
link used to access it, must be efficient and functional. An
information system may be unavailable due to power outages,
hardware failures, unplanned upgrades or repairs

Data security core principles

Security Threats and
Control Measures
Security threats of private or confidential data includes
unauthorized access, alteration, malicious destruction of hardware,
software, data or network resources as well as sabotage.
The main objective of data security control measures is to provide
security, ensure integrity and safety of an information system
hardware, software and data
Information System Failure
Causes of computerized system failure include
1. Hardware failure due to improper use
2. Unstable power supply as a result of brownout or blackout
and vandalism

MK SOLUTIONS
3. Network breakdown
4. Natural disaster
5. Program failure
6. Computer virus attacks

7
Control measures against hardware failure

• Computer systems should be protected from brownout or

blackout which may cause physical damage or data loss by
using surge protectors and UPS
• Most organizations use Fault Tolerant Systems
• A fault tolerant system has redundant or duplicate storage,

MK SOLUTIONS
peripheral devices and software that provide a fail-over
capability to back up components in the event of system
failure
• Disaster recovery plans – involves establishing offsite storage
of an organization ‘s databases so that in case of disaster or
fire accidents, the company would have backup copies to
reconstruct lost data from.
8
Threats from malicious programs
• Malicious programs may affect the smooth running of a
system or carry out illegal activities such as, secretly collecting
information from an unknowing user. Some of the malicious
programs include:
1. Boot sector viruses

MK SOLUTIONS
2. File viruses
3. Hoax viruses
4. Trojan Horse
5. Worms
6. Backdoors

9
Malicious Programs Insight
1. Boot Sector Viruses 2. File Viruses
• They destroy the • Attach
booting themselves to

MK SOLUTIONS
information on files
storage media

10
Malicious Programs Insight
3. Hoax Viruses 4. Trojan Horse

• Come themselves • They appear to

as email with perform useful

MK SOLUTIONS
attractive functions but
messages and instead they
launch themselves perform other
when email is undesirable
opened activities in the
background. 11
Malicious Programs Insight
5. Worms 6. Backdoors
• This is a malicious • May be a Trojan or a
program that self- Worm that allows
replicates hence hidden access to a

MK SOLUTIONS
clogs the system computer system.
memory and storage
media

12
Control measures against theft
1. Employ security agents to keep watch over information
centers and restricted backup sites
2. Reinforce weak access points like the windows, door and
roofing with metallic grills and strong padlocks.
3. Motivate workers so that they feel a sense of belonging in

MK SOLUTIONS
order to make them proud and trusted custodians of the
company resources.
4. Insure the hardware resources with a reputable insurance
firm.
5. Encrypt and create strong passwords for your data and
access to computers
13
Piracy
• Piracy is a form of intellectual
property theft which means illegal
copying of software, information or

MK SOLUTIONS
data. Software, information and data
are protected by copyright and patent
laws

14
Control measures against piracy
• To reduce piracy:
1. Enforce laws that protect the owners of data
and information against piracy
2. Make software cheap enough to increase

MK SOLUTIONS
affordability
3. User licenses and certificates to identify
original software
4. Set installation passwords that deter illegal
installations of software
15
Fraud
• Fraud is a deception deliberately practiced in order to
secure unfair or unlawful gain
• Computer fraud is defined as any act using computers,
the Internet, Internet devices, and Internet services to

MK SOLUTIONS
defraud people, companies, or government agencies of
money, revenue, or Internet access. There are many
methods used to perform these illegal activities. Phishing
, social engineering, viruses, and DDoS attacks are fairly
well known tactics used to disrupt service or gain access
to another's funds.

16
Sabotage
• Refers to illegal destruction of
data and information with the
aim of crippling service

MK SOLUTIONS
delivery or causing great loss
to an organization.
17
Threats to piracy and confidentiality
• Privacy means that data or information
belonging to an individual should not be
accessed by or disclosed to other people. Its an
individual’s right to determine for themselves

MK SOLUTIONS
what should be communicated to others
• Confidentiality – is the sensitive data or
information belonging to an organization or
government. Should therefore not to be
accessed by or disclosed by unauthorized people
18
Computer crimes related to data privacy and security
1. Eavesdropping

This refers to tapping into

communication channels to get
information.

MK SOLUTIONS
Hackers use eavesdropping to access
private or confidential information
from internet users or from poorly
secured information systems
19
Computer crimes related to data privacy and security
2. Surveillance (monitoring)

This is the monitoring of computer

systems and networks using
background programs such as

MK SOLUTIONS
spyware, malware and cookies

20
Computer crimes related to data privacy and security
3) Industrial Espionage

This involves spying on a

competitor to get information that

MK SOLUTIONS
can be used to cripple the
competitor

21
Computer crimes related to data privacy and security
4) Hacking and Cracking

•Hacking is the process of gaining

unauthorized access into a system just
for fun and the person who hacks is

MK SOLUTIONS
called a hacker.
•Cracking is the process of gaining
unauthorized access into a system for
malicious reasons
22
Computer crimes related to data privacy and security
5) Alteration

•Alteration is the illegal

modification of private or

MK SOLUTIONS
confidential data and information
with the aim of misinforming
users.

23
Control Measures Against Unauthorized Access
Introduction

•To safeguard information, a

number of security measures

MK SOLUTIONS
should be put in place. This
include:

24
Control Measures Against Unauthorized Access
A. Firewall

•A firewall is a device or a software system that

filters the data and information exchanged
between different networks by enforcing the

MK SOLUTIONS
host networks access control policy.
•The main aim of a firewall is to monitor and
control access to or from protected networks
•People who do not have permission cannot
access the network and those within cannot
access firewall restricted sites outside their
25
networks
Control Measures Against Unauthorized Access
B. Data Encryption

•This is the process of mixing up data so that only the

sender and the receiver can understand with use of an
encryption key.
•The translation of data into a secret code. Encryption is

MK SOLUTIONS
the most effective way to achieve data security. To read
an encrypted file, you must have access to a secret key or
password that enables you to decrypt it. Unencrypted
data is called plain text ; encrypted data is referred to as
cipher text.
There are two main types of encryption: asymmetric
encryption (also called public-key encryption) and 26
symmetric encryption.
Control Measures Against Unauthorized Access
C. Security Monitors

•The are programs that monitor and keep a log file or

record of computer systems and protect them from
unauthorized access. E.g.
•Biometric Security

MK SOLUTIONS
This type of security takes the user’s attributes such as
voice, fingerprints and facial recognition.
•Other access Controls measures Include:-
 Enhancing a multilevel authentication policies such as
assigning users log on accounts, use of smart cards and
personal identification number (PIN)
27
Policies and laws governing information security

Introduction
• Laws, regulations and policies enacted are meant to regulate
and govern data processing and information security. Laws can
either exist as international laws enacted by ISO- International
Standardization Organization an ISF- Information Security

MK SOLUTIONS
Forum
• These are non-profit making organizations who also offer
research on best practices
• There are also locally enacted laws to control the IT sector by
Parliament and policies made by the ministry of Information
and Technology
• Examples of laws that exist include: 28
Policies and laws governing information security

ICT related acts in Kenya

• The science and Technology Act
• Cap. 250 of 1977

MK SOLUTIONS
• The Kenya Broadcasting Corporation Act of
1988
• The Kenya Communications Act of 1998
However these laws are not adequate to
address the current issues of IT and ICT 29
Policies and laws governing information security

Kenya ICT Policy

• The government has put in place the
ICT policy that seeks to address issues

MK SOLUTIONS
of privacy, e-security, ICT registration,
cyber crimes, ethical and moral
conduct, copyrights, intellectual
property rights and privacy
30
Policies and laws governing information security

United Kingdom Data Protection Act

1998
• This act protects an individual privacy.

MK SOLUTIONS
The act states that no processing of
information relating to individuals,
including the obtaining, holding, use
or disclosure of such information can
be done without owner’s consent. 31
Policies and laws governing information security

United Kingdom Computer Misuse Act

1990
• This act makes computer crimes such as

MK SOLUTIONS
hacking a criminal offence. The act has
become a model of many other countries
including Kenya, which they have used to
draft their own information security
regulations.
32
Policies and laws governing information security

Family Educational Rights and Privacy Act (USA)

• This law protects the privacy of srudent’s
education records. To release any information
from a student’s education record.

MK SOLUTIONS
Security Breach Notification Laws
• Most countries require businesses, nonprofit,
and state institutions, to notify consumers when
encrypted ‘personal information’ is
compromised, lost, or stolen.
33
Policies and laws governing information security

Copyright and Software Protection Laws

• Hardware and Software are protected by either national or
international Copyright, designs and patents laws or Acts.
• These laws seek to address:

MK SOLUTIONS
i. Data should not be disclosed to other people without the
owner’s permission
ii. Data and information should be kept secured against loss or
exposure
iii. Data and information should not be kept longer than
necessary
iv. Data and information should be accurate and up to date
v. Data and information should be collected, used and kept for 34
specified lawful purposes.
Review Questions

1. Differentiate between private and confidential data

2. Why is information a useful resource?
3. Explain any three threats to data and information
4. Give two control measures you would take to avoid

MK SOLUTIONS
unauthorized access to data and information
5. Explain the meaning of industrial espinionage
6. Differentiate between hacking and cracking with reference
to computer crimes
7. What reasons may lead to computer fraud?
8. Explain the term ‘information security’
9. Why would data and information on an externally linked
35
network not be said to be secure even after burglar proofing
a room?
Review Questions

10) How can piracy be prevented in regard to data and

information?
11) Define a computer virus
12) Give four general rules that must be observed to keep within
the law when working with data and information

MK SOLUTIONS
13) Explain two types of computer viruses
14) What is a program patch? Why are patches important?
15) Explain measures you would take to protect computers from
virus attacks
16) What is data alteration? Explain its effect an data
17) How can you control errors related to data and information?
36
Review Questions

18) Data and information security has recently become very

important. Explain why?
19) Explain eavesdropping with reference to computer crimes
20) Why use copyright laws for software data and information
necessary?

MK SOLUTIONS
37