SECURITY AND ETHICS
Form 5
Explain The Difference Between Data Privacy and
Integrity
- Information/data privacy refers to the
right of individuals and companies to deny or
restrict the collection and use of data or
information about them (information is not
revealed without permission).
- Security means that data is confidential and
is not open to unauthorized parties.
The three most important goals of security
are:
• integrity, which means that information cannot
be changed during transmission
• authentication, which occurs when an identity is
established
• confidentiality, which means that the
information is secure and stays confidential
during transmission
2. Analyse Common Threats and Vulnerabilities On
Computer Systems
A computer threat or risk is any event or action
that could cause a loss of or damage to computer
hardware, software, data, information, or
processing capability
- Computer crime is any illegal act involving a
computer.
- Cybercrime refers to online or Internet-based
illegal acts.
- A hacker is a computer enthusiast who accesses a
computer or network illegally.
- A cracker is someone who accesses a computer or
network illegally but has the intention of destroying
data, stealing information, or other malicious action. Both
hackers and crackers have advanced computer and
network skills.
- A script kiddie has the same intent as a cracker but
does not have the technical skills and knowledge, and so
uses prewritten hacking and cracking programs to break
into computers.
- Corporate spies have excellent computer and
networking skills and are hired to break into a specific
computer and steal its proprietary data and
information, or to help identify security risks in their
own organization. (Used for corporate espionage,
whereby unscrupulous companies hire corporate spies
to gain a competitive advantage.)
- Unethical employees may break into their employers’
computers for a variety of reasons, e.g. to exploit a
security weakness or to seek financial gain from selling
confidential information; disgruntled employees may
want revenge.
- A cyberextortionist is someone who uses e-mail as a
vehicle for extortion by sending an organization a
blackmailing e-mail message that claims a sum of money
in exchange.
- A cyberterrorist is someone who uses the Internet or
a network to destroy or damage computers for political
reasons. The cyberterrorist might target the nation’s air
traffic control system, electricity-generating companies,
or a telecommunications infrastructure. The term
cyberwarfare describes an attack whose goal ranges
from disabling a government’s computer network to
crippling a country.
3. Identify Sources Of Vulnerability
4. Evaluate Tools Used To Eliminate Vulnerabilities
5. Identify Risks To Computer Systems
1. Internet and Network Attacks
Information transmitted over networks has a higher
degree of security risk than information kept on an
organization’s premises.
An online security service is a Web site that
evaluates your computer to check for Internet and
e-mail vulnerabilities; it then provides
recommendations on how to address the
vulnerabilities.
a) Malware (malicious software) - programs that act
without a user’s knowledge and deliberately alter the
computer’s operations. Viruses, worms, Trojan horses,
and rootkits are classified as malware.
1. A virus is a potentially damaging computer program that
affects, or infects, a computer negatively by altering
the way the computer works without the user’s
knowledge or permission.
2. A worm is a program that copies itself repeatedly, for
example in memory or on a network, using up resources
and possibly shutting down the computer or network.
3. A Trojan horse is a program that hides within or looks
like a legitimate program. Unlike a virus or worm, a
Trojan horse does not replicate itself to other
computers. A certain condition or action usually
triggers the Trojan horse.
4. A rootkit is a program that hides in a computer and
allows someone from a remote location to take full
control of the computer. Once the rootkit is installed,
the rootkit author can execute programs, change
settings, monitor activity, and access files on the
remote computer.
Safeguards against Malware
- Methods that guarantee a computer or network is safe
from malware simply do not exist; therefore users have
to take several precautions to protect their home and
work computers and mobile devices from these malicious
infections.
1. Do not start a computer with removable media
inserted in the drives or plugged in.
2. Never open an e-mail attachment unless you are
expecting the attachment and it is from a trusted
source. (A trusted source is an organization or person
you believe will not send a virus infected file knowingly)
3. Users should install an antivirus program and update it
frequently. An antivirus program protects a computer against
viruses by identifying and removing any computer viruses found in
memory, on storage media, or on incoming files, and also protects
against other malware.
4. Install a personal firewall program to protect a computer and
its data from unauthorized intrusions.
5. Stay informed about new virus alerts and virus hoaxes. A virus
hoax is an e-mail message that warns users of a non-existent
virus or other malware. The contents of the hoax message,
for example, may inform users that an important operating
system file on their computer is a virus and encourage them to
delete the file, which could make their computer unusable.
6. Set the macro security in programs so that you
can enable or disable macros and enable macros
only if the document is from a trusted source and
you are expecting it.
7. Scan all downloaded programs for viruses and
other malware.
8. Scan any removable media for malware, before
using the media.
b) Botnets
- A botnet is a group of compromised computers connected to a
network that are used as part of a network that attacks other
networks, usually for malicious purposes.
- A zombie is a compromised computer whose owner is unaware
the computer is being controlled remotely by an outsider.
- A bot is a program that performs a repetitive task on a
network. Cybercriminals install malicious bots on unprotected
computers to create a botnet, also called a zombie army. The
perpetrator then uses the botnet to send spam via e-mail,
spread viruses and other malware, or commit a distributed
denial of service attack.
c) Denial of Service Attacks
- A denial of service attack, or DoS attack, is an assault whose
purpose is to disrupt computer access to an Internet service
such as the Web or e-mail.
- A DDoS (distributed DoS) attack is a more devastating type of
DoS in which a zombie army is used to attack computers or
computer networks.
d) Back Doors
- A back door is a program that allows users to bypass security
controls when accessing a program, computer, or network. (A
rootkit can be a back door. Some worms leave back doors, which
have been used to spread other worms or to distribute junk
e-mail from the unsuspecting victim computers.)
e) Spoofing
- Spoofing is a technique intruders use to make their network or
Internet transmission appear legitimate to a victim computer or
network.
- E-mail spoofing occurs when the sender’s address or other
components of the e-mail header are altered so that it appears
the e-mail originated from a different sender. It commonly is used
for virus hoaxes, spam, and phishing scams.
- IP spoofing occurs when an intruder computer fools a network
into believing its IP address is associated with a trusted source.
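An added example (not part of the original notes) of how a mail filter or analyst can check for the altered headers described above: it compares the From domain with the Return-Path and Reply-To domains and reads the receiving server's Authentication-Results header. Both messages, all addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages; every address and domain here is illustrative.
LEGIT = """\
Return-Path: <billing@example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Example Billing <billing@example.com>
To: user@example.org
Subject: March invoice

Your invoice is attached.
"""

SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: Example Billing <billing@example.com>
Reply-To: billing@example.net
To: user@example.org
Subject: Urgent: confirm your password

Follow the link to keep your account.
"""

# Verdicts treated as a failed sender check in this example.
FAILING_VERDICTS = {"fail", "softfail", "permerror"}


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    address = parseaddr(header_value or "")[1]
    if "@" not in address:
        return ""
    return address.rpartition("@")[2].lower()


def spoofing_indicators(raw_message):
    """Return (code, detail) findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    findings = []
    if not from_domain:
        findings.append(("no-from", "From header is missing or has no domain"))
    # The visible From address should agree with where bounces and replies go.
    for header, code in (("Return-Path", "return-path-mismatch"),
                         ("Reply-To", "reply-to-mismatch")):
        other = domain_of(msg[header])
        if other and other != from_domain:
            findings.append(
                (code, f"{header} domain {other} differs from From domain {from_domain}"))
    # Authentication-Results is written by the receiving mail server (RFC 8601).
    results = msg.get("Authentication-Results", "")
    for mechanism, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
        if verdict.lower() in FAILING_VERDICTS:
            findings.append((f"{mechanism.lower()}-{verdict.lower()}",
                             f"{mechanism} check returned {verdict}"))
    return findings


if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPOOFED", SPOOFED)):
        print(name, spoofing_indicators(raw))
```

A domain mismatch is an indicator, not proof: legitimate bulk mail often uses a different Return-Path, so findings are best combined before a message is flagged.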
Safeguards against Botnets, DoS/DDoS Attacks, Back Doors,
and Spoofing
- Some of the latest antivirus programs include provisions to
protect a computer from DoS and DDoS attacks.
- Users can implement firewall solutions, install intrusion detection
software, and set up honeypots.
1. Firewalls
- A firewall is hardware and/or software that protects a network’s
resources from intrusion by users on another network.
2. Intrusion Detection Software
- Software that identifies possible security breaches. It automatically
analyzes all network traffic, assesses system vulnerabilities,
identifies any unauthorized intrusions, and notifies network
administrators of suspicious behaviour patterns or system
breaches.
3. Honeypots
A honeypot is a vulnerable computer that is set up to entice an
intruder to break into it so the organization can analyse an
attack being perpetrated.
2. Unauthorized Access and Use
- Unauthorized access is the use of a computer or
network without permission for unapproved or possibly
illegal activities.
- Includes activities like: an employee using an
organization’s computer to send personal e-mail
messages, an employee using the organization’s word
processing software to track his or her child’s soccer
league scores, or someone gaining access to a bank
computer and performing an unauthorized transfer.
Safeguards against Unauthorized Access and
Use
- Have a written acceptable use policy (AUP) that outlines the
computer activities for which the computer and network may and
may not be used.
- Use access controls to minimize the chances of perpetrators
intentionally accessing or employees accidentally accessing
confidential information on a computer.
- An access control is a security measure that defines who can
access a computer, when, and what actions they can take while
accessing the computer.
- The computer should maintain an audit trail that records in a file
both successful and unsuccessful access attempts.
- Identifying and Authenticating Users
- Identification verifies that an individual is a valid user.
- Authentication verifies that the individual is the
person he or she claims to be.
Three methods of identification and authentication
include user names and passwords, possessed objects,
and biometric devices.
a) User Names and Passwords
- A user name, or user ID (identification), is a unique
combination of characters, such as letters of the
alphabet or numbers, that identifies one specific user.
- A password is a private combination of characters associated
with the user name that allows access to certain computer
resources.
- Some use passphrases to authenticate users instead of
passwords.
- A passphrase is a private combination of words, often
containing mixed capitalization and punctuation, associated with a
user name that allows access to certain computer resources.
- Web sites use a CAPTCHA to further protect a user’s
password.
- A CAPTCHA, Completely Automated Public Turing test to tell
Computers and Humans Apart, is a program developed to verify
that user input is not computer generated.
b) Possessed Objects
- A possessed object is any item that you must
carry to gain access to a computer or computer
facility e.g. badges, cards, smart cards, and keys.
- Possessed objects often are used in combination with
personal identification numbers (PIN).
- A personal identification number (PIN) is a
numeric password, either assigned by a company
or selected by a user.
c) Biometric Devices
- A biometric device authenticates a
person’s identity by translating a personal
characteristic, such as a fingerprint, into
a digital code that is compared with a
digital code stored in the computer.
3. Hardware Theft and Vandalism
- Hardware theft is the act of stealing computer
equipment.
- Hardware vandalism is the act of defacing or
destroying computer equipment.
Safeguards against Hardware Theft and
Vandalism
- Use physical access controls, such as locked doors and
windows, and install alarm systems for additional
security. Some businesses use a real time location
system (RTLS) to track and identify the location of
high-risk or high-value items.
4. Software Theft
- Software theft occurs when someone
1) Steals software media,
2) Intentionally erases programs,
3) Illegally copies a program, or
4) Illegally registers and/or activates a program.
Safeguards against Software Theft
- Keep original software boxes and media in a secure
location, out of sight of prying eyes.
- Back up files and disks regularly, in the event of
theft.
- Software manufacturers issue users a license
agreement, which is the right to use the software.
- Product activation, which is conducted either online or
by telephone: users provide the software product’s
25-character identification number to receive an
installation identification number unique to the
computer on which the software is installed.
5. Information Theft
- Information theft occurs when someone steals personal or
confidential information.
Safeguards against Information Theft
- Implementing the user identification and authentication
controls which are best suited for protecting information on
computers located on an organization’s premises.
- Encryption is a process of converting readable data into
unreadable characters to prevent unauthorized access. In the
encryption process, the unencrypted, readable data is called
plaintext. The encrypted (scrambled) data is called ciphertext.
- An encryption algorithm, or cipher, is a set of steps
that can convert readable plaintext into unreadable
ciphertext.
- An encryption key is a set of characters that the
originator of the data uses to encrypt the plaintext and
the recipient of the data uses to decrypt the ciphertext.
- Two basic types of encryption are private key
encryption (symmetric key encryption), where both the
originator and the recipient use the same secret key to
encrypt and decrypt the data, and public key encryption
(asymmetric key encryption), which uses two encryption
keys: a public key and a private key.
- Transport Layer Security (TLS) provides encryption of
all data that passes between a client and an
Internet server.
- Secure HTTP (S-HTTP)
allows users to choose an encryption scheme
for data that passes between a client and a
server.
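An added example (not from the original notes) of private key (symmetric) encryption in the terms used above: one shared secret key turns plaintext into ciphertext and back, and an authentication tag lets the recipient detect any change made in transmission. The cipher is a teaching construction built only from Python's standard library (an HMAC-SHA256 keystream plus an HMAC tag), not a production algorithm; real systems use a vetted cipher such as AES.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # random value sent with every message so keystreams never repeat
TAG_LEN = 32     # length of the HMAC-SHA256 integrity tag


def _split_key(secret_key):
    """Derive separate encryption and authentication keys from the shared secret."""
    enc_key = hmac.new(secret_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(secret_key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Produce `length` key-dependent bytes (HMAC-SHA256 run in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                            hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(secret_key, plaintext):
    """Originator: plaintext -> nonce + ciphertext + tag."""
    enc_key, mac_key = _split_key(secret_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(secret_key, message):
    """Recipient: verify the tag first, then recover the plaintext."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _split_key(secret_key)
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed: wrong key or altered message")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # shared by originator and recipient
    sent = encrypt(key, b"Transfer 250 to account 1234")
    print("ciphertext:", sent.hex())
    print("decrypted :", decrypt(key, sent))
    altered = bytearray(sent)
    altered[NONCE_LEN] ^= 0x01               # one bit changed in transit
    try:
        decrypt(key, bytes(altered))
    except ValueError as err:
        print("rejected  :", err)
```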
6. System Failure
- A system failure is the prolonged malfunction of
a computer system which can cause loss of
hardware, software, data, or information.
- Could be caused by aging hardware; natural
disasters such as fires, floods, or hurricanes;
random events such as electrical power problems;
and even errors in computer programs.
- Electrical disturbances include noise, undervoltages,
and overvoltages.
- Noise is any unwanted signal, usually varying quickly,
that is mixed with the normal voltage entering the
computer.
- An undervoltage occurs when the electrical supply
drops.
- An overvoltage, or power surge, occurs when the
incoming electrical power increases and can cause
immediate and permanent damage to hardware.
Safeguards against System Failure
- To protect against electrical power variations, use a
surge protector (surge suppressor), which uses special
electrical components to smooth out minor noise,
provide a stable current flow, and keep an overvoltage
from reaching the computer and other electronic
equipment.
- An uninterruptible power supply (UPS) is a device
that contains surge protection circuits and one or more
batteries that can provide power during a temporary or
permanent loss of power.
Backing Up — The Ultimate Safeguard
- To protect against data loss caused by system
failure or hardware, software, or information
theft, computer users should back up files
regularly.
- A backup is a duplicate of a file, program, or
disk that can be used if the original is lost,
damaged, or destroyed.
6. Describe How Data Is Kept Safe During
Storage and Transmission
Data needs to be protected in three states: at rest, in use, and
in motion as each state presents unique security challenges.
Data at Rest
Data at rest is data that is not actively moving from device to
device or network to network, such as data stored on a hard
drive, laptop, flash drive, or archived/stored in some other way.
It is primarily protected by:
1. Using firewalls and anti-virus programs.
2. Encrypting hard drives, or
3. Storing individual data elements in separate locations to
decrease the likelihood of attackers gaining enough information
to commit fraud or other crimes.
Data in Use
Data in use is more vulnerable than data at rest because,
by definition, it must be accessible to those who need it.
The keys to securing data in use are to:
- Control access as tightly as possible.
- Use authentication to ensure that users aren’t hiding
behind stolen identities.
- Use audit trails to track and detect suspicious activity,
diagnose potential threats, and proactively improve
security.
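An added example (not part of the original notes) of using an audit trail to detect suspicious activity, covering both the audit trail described under Unauthorized Access and Use and the point above: it reads successful and unsuccessful access attempts and flags a burst of failures and a success that follows one. The record format, threshold, time window and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit trail: one record per access attempt (format is an assumption).
SAMPLE_AUDIT_TRAIL = """\
2024-03-04T08:15:02 user=alice src=10.0.0.5 result=SUCCESS
2024-03-04T09:00:10 user=bob src=10.0.0.9 result=FAIL
2024-03-04T09:00:14 user=bob src=10.0.0.9 result=FAIL
2024-03-04T09:00:19 user=bob src=10.0.0.9 result=FAIL
2024-03-04T09:00:25 user=bob src=10.0.0.9 result=FAIL
2024-03-04T09:00:31 user=bob src=10.0.0.9 result=SUCCESS
2024-03-04T11:30:00 user=carol src=10.0.0.7 result=FAIL
2024-03-04T11:30:40 user=carol src=10.0.0.7 result=SUCCESS
this line is corrupted
"""


def parse_record(line):
    """Return (when, user, src, result), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
        fields = dict(part.split("=", 1) for part in parts[1:])
    except ValueError:
        return None
    if set(fields) != {"user", "src", "result"}:
        return None
    if fields["result"] not in ("SUCCESS", "FAIL"):
        return None
    return when, fields["user"], fields["src"], fields["result"]


def review_audit_trail(text, max_failures=3, window=timedelta(minutes=5)):
    """Return (alerts, rejected_lines) for the audit trail in `text`."""
    recent_failures = defaultdict(deque)   # user -> times of failures inside the window
    alerts, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        if record is None:
            rejected += 1                  # unreadable records are counted, not ignored
            continue
        when, user, src, result = record
        failures = recent_failures[user]
        while failures and when - failures[0] > window:
            failures.popleft()             # forget failures older than the window
        if result == "FAIL":
            failures.append(when)
            if len(failures) == max_failures:
                alerts.append((user, src, "repeated failures", when))
        else:
            if len(failures) >= max_failures:
                alerts.append((user, src, "success after repeated failures", when))
            failures.clear()
    return alerts, rejected


if __name__ == "__main__":
    found, bad = review_audit_trail(SAMPLE_AUDIT_TRAIL)
    for user, src, reason, when in found:
        print(f"{when.isoformat()} {user} from {src}: {reason}")
    print("malformed records:", bad)
```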
Data in Motion
Data in transit, or data in motion, is data actively
moving from one location to another such as
across the internet or through a private network.
The best way to secure data in transit is to use
an encryption platform.
BEST PRACTICES FOR DATA PROTECTION IN
TRANSIT AND AT REST
Unprotected data, whether in transit or at rest, leaves
enterprises vulnerable to attack, but there are effective
security measures that offer robust data protection
across endpoints and networks to protect data in both
states. As mentioned above, one of the most effective
data protection methods for both data in transit and
data at rest is data encryption.
In addition to encryption, best practices for robust data
protection for data in transit and data at rest include:
Implement robust network security controls
to help protect data in transit. Network
security solutions like firewalls and network
access control will help secure the networks
used to transmit data against malware attacks
or intrusions.
Use proactive security measures that
identify at-risk data and implement effective
data protection for data in transit and at
rest.
Choose data protection solutions with policies that
enable user prompting, blocking, or automatic
encryption for sensitive data in transit, such as
when files are attached to an email message or
moved to cloud storage, removable drives, or
transferred elsewhere.
Create policies for systematically categorizing and
classifying all company data, no matter where it
resides, in order to ensure that the appropriate
data protection measures are applied while data
remains at rest and triggered when data classified
as at-risk is accessed, used, or transferred.
7. Explore Techniques And Practices Of Risk Management
1. Ishikawa Diagram
The fishbone diagram, or the cause and effect diagram -
allows a problem to be broken down and its
component parts identified.
2. Decision Tree
A decision tree is a diagram that branches in different
directions with each “branch” highlighting one possible
option, and can then branch off again further if the path
splits again.
It is a visual way of plotting out risk management
actions, especially if the options may result in vastly
different solutions and costs.
3. Expert Interviews
Talk to the people who know. This helps with risk identification
and also risk management action planning, as the experts may
offer different ways to address a risk, broadening options when
it comes to deciding what to do next.
4. Workshops
Bringing subject experts together to help with risk management
so as to gain a deeper insight into some of the possible threats (and
opportunities) on the project.
5. SWOT Analysis
SWOT stands for Strength, Weakness, Opportunity and Threat.
Helps identify the opportunities and threats of the project.
6. Risk Proximity Chart
Proximity refers to how close to the current date the risk
is. For example, the risk of a supplier failing to deliver the
required equipment can have a low proximity if the
delivery date is far in the future. If the proposed delivery
date is next week, the risk has a high proximity. Proximity
can help to prioritize risks as it tells which ones are
coming up.
7. Probability and Impact Matrix
It is a grid with probability on one side and impact on the
other where each risk is rated against a standard scale.
Allows tracking of risks over time and makes it easy to see
the risks that require action.
8. Outline The Importance Of Securing Data At Off-
Site Locations (Cloud Computing)
Off-site data protection, or vaulting,
is the strategy of sending critical data out of the main
location (off the main site) as part of a disaster
recovery plan.
- This ensures systems and servers can be reloaded with
the latest data in the event of a disaster, accidental
error, or system crash.
- Also ensures that there is a copy of pertinent data
that isn’t stored on-site.
9. Identify Code Of Ethics and Professional Practices
In The Computing Field
Computer ethics are the moral guidelines that govern the use of
computers and information systems.
- Areas of computer ethics are unauthorized use of computers
and networks, software theft (piracy), information accuracy,
intellectual property rights, codes of conduct, information
privacy, and green computing.
1. Information Accuracy
Information accuracy today is a concern because many users
access information maintained by other people or companies,
such as on the Internet. Do not assume that because the
information is on the Web that it is correct.
2. Intellectual Property Rights
- Intellectual property (IP) refers to unique and original
works such as ideas, inventions, art, writings, processes,
company and product names, and logos.
- These are the rights to which creators are entitled
for their work.
- A copyright gives authors and artists exclusive rights
to duplicate, publish, and sell their materials. It
protects any tangible form of expression, and piracy
(making an illegal copy) is infringement of copyright.
3. Codes of Conduct
- An IT code of conduct is a written guideline
that helps determine whether a specific computer
action is ethical or unethical.
10. Discuss Security Policies, Laws And Computer Crime
11. Identify Relevant ICT Legislative And Regulatory
Frameworks
Legislation to protect intellectual property rights includes:
– Family Entertainment and Copyright Act of 2005
– U.S. Anticybersquatting Consumer Protection Act of 1999
– Digital Millennium Copyright Act (DMCA)
Privacy Laws
The concern about privacy has led to the enactment of
federal and state laws regarding the storage and
disclosure of personal data, and the laws stipulate that:
1. Information collected and stored about individuals
should be limited to what is necessary to carry out the
function of the business or government agency
collecting the data.
2. Once collected, provisions should be made to
restrict access to the data to those employees within
the organization who need access to it to perform their
job duties.
3. Personal information should be released
outside the organization collecting the data
only when the person has agreed to its
disclosure.
4. When information is collected about an
individual, the individual should know that the
data is being collected and have the
opportunity to determine the accuracy of the
data.
12. Identify Environmental Impact From Computer
Use and Disposal
Green computing involves reducing electricity use and
environmental waste while using a computer. This
includes:
– The use of computers in an environmentally friendly
manner
– Consumption of less energy and paper
ENERGY STAR Program
• Developed to encourage the development of
energy-saving devices
Energy Consumption and Conservation
• Power consumption and heat generation by computers are key
concerns for businesses because more powerful computers use
more energy and run hotter, increasing cooling costs
• Some energy-saving features
– Low-power sleep mode when not in use
– Energy-efficient flat-panel displays
– Liquid cooling systems
– CPUs that power up and down on demand
– Solar power and other alternatives
Solar systems are available for a number of applications
– Solar panels are built into the covers of some computer and
tablet cases
– Portable solar panels can be attached to backpacks and other
items
Hand-powered chargers can be used with portable computers,
smartphones, and other mobile devices
Green Components
• Computers run quieter and cooler
• More recyclable hardware and packaging being used
• Amount of toxic chemicals in personal computers being reduced
• Recycled plastics being used in some mobile phones
• Built-in solar panels can charge devices
Recycling and Disposal of Computing Equipment
– Paper-based trash
• Paperless office basically a myth
• Almost one-half billion pieces of paper a year generated by
printers worldwide
• Utilities designed to reduce paper consumption
– GreenPrint, PrintWhatYouLike.com
- Eliminate images, blank pages, and non-critical content in order to
print on the least amount of paper possible
E-waste (e-trash)
• Discarded computer components
• Current hardware contains a variety of toxic and hazardous
materials, and a global concern is where it all eventually ends up
Proper recycling is essential
- Some recycling centres will accept computer equipment
– Many computer manufacturers have voluntary take-back
programs
– Expired toner and ink cartridges can sometimes be returned to
manufacturer or exchanged when purchasing new cartridges
– Using recharged printer cartridges saves consumers’ money
and helps reduce e-waste in landfills
13. Analyse The Ethical Impact Of Existing And
Emerging Technologies
Employee monitoring involves the use of computers to observe,
record, and review an employee’s use of a computer, including
communications such as e-mail messages, keyboard activity (used
to measure productivity), and Web sites visited
Content filtering is the process of restricting access to certain
material on the Web. Content filtering opponents argue that
banning any materials violates constitutional guarantees of free
speech and personal rights.
Social Engineering is defined as gaining unauthorized access or
obtaining confidential information by taking advantage of the
trusting human nature of some victims and the naivety of others.
14. Explain The Attributes Of Business Ethics
Ethics
– Overall standards of moral conduct
– Can vary with individual and religious beliefs, country, race, or
culture
Personal Ethics
- Guide an individual’s personal behaviour
Business Ethics
- Guide an individual’s workplace behaviour
Computer Ethics
- Concern moral conduct related to computer use
- Individuals and businesses need to make ethical decisions every
day
Ethical Use of Copyrighted Material
– Books and Web-Based Articles
• Need to properly credit sources to avoid plagiarism
• Plagiarism is a violation of copyright law and an
unethical act
• Strict consequences for plagiarism at school and work
• Online tests for plagiarism are available and widely
used by schools