COMPUTER SYSTEMS VULNERABILITY
Information systems are made up of many components that may be in several locations. Each information system is vulnerable to many potential hazards. Vulnerability is increasing as many information systems become networked, thus increasing the threats. Threats to information systems can be categorized into:
8.1 UNINTENTIONAL THREATS
Unintentional threats can be caused by human errors, environmental hazards or accidental computer failures. Human errors can occur in the design of the hardware, in programming, testing, data collection, data entry, authorization and instructions. Environmental hazards include earthquakes, hurricanes, storms, power failures, fire, defective air conditioning, explosions, radioactive fallout, smoke, heat, flood, etc. Computer failures can be a result of poor manufacturing or defective materials.
8.2 INTENTIONAL THREATS
Intentional threats occur as a result of intentional actions. Examples include: theft of data, inappropriate use of data e.g. manipulating inputs, theft of computer time, theft of equipment or programs, deliberate manipulation in handling, entering, processing, transferring or programming data, labour strikes, riots or sabotage, malicious damage to computer resources, destruction from viruses, computer abuses and crimes.
8.3 COMPUTER CRIMES
Computer crimes in many ways resemble conventional crimes. They can occur in four ways:
· The computer can be the target, e.g. a computer may be stolen or destroyed, or a virus may destroy data in a computer.
· The computer can be the medium of the attack by creating an environment in which a crime or fraud can occur.
· False data are entered into a computer system to mislead individuals examining a system support
· The computer can be the tool by which the crime is perpetrated: a computer is used to plan the crime but the crime does not involve a computer.
The computer can be used to intimidate or deceive, e.g. with computer statistics or forecasts that are deceiving, in order to confuse or convince people who have to depend on the statistics or forecasts to make decisions. Computer crimes can be performed by outsiders to an organization who penetrate a computer system or by an insider who is authorized to use the computer system but misuses the authorization. Such a person is known as a hacker. If the intention of the hacker is to cause malicious damage he is known as a cracker. Computer criminals are various and frequently innovative in their attack methods. The two basic approaches that they use are data tampering, where false data, fabricated data or fraudulent data is entered into the system or the existing data is changed or deleted.
· Data tampering can also be done through programming techniques, where skilled criminals can modify a computer program with the intention of committing fraud.
· Through viruses, which is the introduction of an undesired program into a system that can cause files, databases, other programs or even parts of the computer hardware to malfunction. When a virus is attached to a legitimate program, that program becomes infected without the owner becoming aware, and the infection may spread, causing damage to the program and other programs or files in the system.
Information systems must be secured from all types of attacks by providing security and controls that aim to protect the system and its components. Protecting an information system is not a simple or inexpensive task because there are very many threats. Information system components are widely distributed, there are many users, and technological changes are very fast, requiring frequent upgrades to the control and security measures as well. Also, many crimes are undetected or may go undetected for a long period of time. People tend to violate security procedures because the procedures are inconvenient, it may require a lot of knowledge for someone to commit a computer crime, and the cost of preventing hazards can be very high and many organizations may not afford it.
However, information systems can be protected by inserting controls, i.e. defense mechanisms, which can be intended to prevent accidental hazards, to deter intentional acts, to detect problems as early as possible, to enhance damage recovery and to correct problems. The selection of a specific strategy depends on the objective of the defense and the perceived cost benefit. The following defense strategies can be implemented:
· Controls for prevention and deterrence – This is aimed at preventing errors from occurring, deterring criminals from attacking and denying access to unauthorized people. This is important where potential damage to the information system is very high.
· Detection – It may not be possible to prevent all hazards, and deterrence measures may not work, so unprotected systems are vulnerable to attack. If the attack can be detected as early as possible, it will be possible to combat it before it causes damage, e.g. one may not prevent fire from occurring or a virus from attacking, but if either of these is detected early enough the damage can be minimal.
· Limitation – This means minimizing losses once a malfunction has occurred. It can be accomplished by including a fault tolerant system that permits operation in a degraded mode until full recovery is made.
· Recovery – This defense strategy explains how to fix a damaged information system as quickly as possible. It involves replacing components that have been affected in order to recover as fast as possible.
· Correction – This strategy focuses on repairing the damaged components and also preventing the problem from occurring again.
8.4 GENERAL COMPUTER CONTROLS
The defense strategies can be implemented either as application controls or general controls. Some are intended to protect against human errors and others protect against natural causes. General controls are established to protect the system regardless of the specific application, e.g. protecting hardware and controlling access to a computer centre. Application controls are safeguards that are intended to protect specific applications. Major categories of general controls include physical controls, access controls, data security controls, network controls and administrative controls.
Physical controls refer to the protection of computer facilities and resources, which include computers, data centers, software manuals and networks. Physical controls protect against most natural hazards and some human hazards and are commonly referred to as the first line of defense. They include the following:
· Appropriate design of a computer centre so that it is fireproof and waterproof
· Shielding against electromagnetic fields
· Good fire prevention, detection and extinguishing system
· Emergency power shut off and backup batteries
· Properly designed, maintained and operated air conditioning system
· Motion detector alarms that detect physical intrusion
8.4.1 ACCESS CONTROL
This refers to the restriction of unauthorized access to a portion of a computer system or the entire system. To gain access the user must be authenticated, and this can be done in three steps:
· To allow physical access to the terminal
· To access the system
· To access specific commands, transactions, privileges, programs and data within the system.
Access control can be accomplished by using something the user has, e.g. a token or smartcard, or something the user is, e.g. signature, voice, fingerprint or retinal scan, which are all implemented through biometric controls.
A biometric control is defined as an automated method of verifying the identity of a person based on physiological or behavioral characteristics. Common biometrics include photographs, fingerprint, voice, signature, hand geometry, keystroke dynamics and blood vessel patterns in the retina of a person's eye.
8.5 DATA SECURITY CONTROLS
This is concerned with protecting data from accidental or intentional disclosure to unauthorized persons or from unauthorized modification or destruction. These controls are implemented through operating systems, security access control programs, data communication products, backup and recovery procedures and application programs. These controls address the following issues:
- Confidentiality of data
- Access control
- Critical nature of data
- Integrity of data
They must reflect the following two basic principles:
- Minimal privilege, i.e. only the information the user needs to carry out an assigned task should be made available to him or her
- Minimal exposure, i.e. once a user gains access to sensitive information he or she has the responsibility of protecting it by making sure only people whose duties require it obtain knowledge of this information while it is processed, stored or in transit.
Data integrity is the condition that exists as long as accidental or intentional destruction, alteration or loss of data does not occur. It is the preservation of data for its intended use.
8.5.1 COMMUNICATION CONTROLS
These controls are essential in protecting data that is in transit through the Internet or intranets. The most common measures for protecting information in a network include: access control that includes authentication and passwords, encryption, cable testing and firewalls. Access control safeguards against dial-in attempts. It authenticates the personal identification number assigned to every user and also user passwords. It can also include biometrics. Encryption encodes regular digitized text into unreadable scrambled text or numbers to be decoded upon receipt. It accomplishes three purposes:
· Identifying legitimate senders and receivers
· Preventing changes to any transaction or message
· Accomplishing privacy
Cable testing is popular in LANs and is used to find faults that can occur with LAN cabling. It can also include protocol analysis, which allows users to inspect the contents of information packets as they travel through networks. Firewalls are groups of systems that enforce an access control policy between two networks. They are commonly used as a barrier between a secure corporate network or any other internal network and the Internet, which is always assumed to be insecure. The firewall follows stated guidelines that either permit or block traffic. It is designed with clear and specific rules about what can pass through.
8.5.2 ADMINISTRATION CONTROLS
These controls deal with issuing guidelines and monitoring compliance with the guidelines. They can include:
· Appropriately selecting, training and supervising employees, especially in accounting and information systems.
· Fostering company loyalty
· Immediately revoking access privileges of dismissed, transferred or resigned employees
· Periodically modifying access controls such as passwords
· Developing programming documentation standards to make auditing easier
· Holding periodic random audits of the system
· Insisting on security bonds for key employees
· Instituting separation of duties by dividing sensitive computer duties among as many employees as economically feasible in order to decrease chances of intentional or unintentional damage
8.5.3 APPLICATION CONTROLS
They are intended to protect the content of each specific application. They are therefore built into the application and usually written as validation rules. They can be classified into three:
· Input controls
· Processing controls
· Output controls
Input controls are designed to prevent data alteration or loss. Data are checked for accuracy, completeness and consistency. The range and format of data are also validated to prevent a GIGO (garbage in, garbage out) situation. Processing controls ensure that data are complete, valid and accurate when being processed and that programs have been properly executed. Output controls ensure that the results of computer processing are accurate, valid, complete and consistent, and they are also used to evaluate common output errors and their possible causes in order to determine what can be done. These controls ensure that outputs are sent only to authorized personnel.
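The input controls described above, written as validation rules. This is an added example and not part of the original notes; the timesheet fields, the `E` plus five digits ID format and the numeric limits are assumptions chosen for illustration.

```python
import re
from datetime import date

REQUIRED = ("emp_id", "period_start", "period_end", "hours", "rate", "gross")

def validate_entry(rec):
    """Return the input-control violations for one record (values are strings)."""
    missing = [f for f in REQUIRED if not rec.get(f)]
    if missing:                                        # completeness
        return ["missing: " + ", ".join(missing)]
    errors = []
    if not re.fullmatch(r"E\d{5}", rec["emp_id"]):     # format (assumed ID scheme)
        errors.append("format: emp_id")
    try:
        start = date.fromisoformat(rec["period_start"])
        end = date.fromisoformat(rec["period_end"])
        hours, rate, gross = (float(rec[k]) for k in ("hours", "rate", "gross"))
    except ValueError:
        return errors + ["format: dates or numeric fields"]
    if not 0 < hours <= 80:                            # range (assumed limits)
        errors.append("range: hours")
    if not 0 < rate <= 500:
        errors.append("range: rate")
    if end < start:                                    # consistency between fields
        errors.append("consistency: period_end before period_start")
    if abs(hours * rate - gross) > 0.005:
        errors.append("consistency: gross != hours * rate")
    return errors

def load_batch(records):
    """Accept clean records and reject the rest with reasons, before processing."""
    accepted, rejected = [], []
    for rec in records:
        errs = validate_entry(rec)
        if errs:
            rejected.append((rec.get("emp_id"), errs))
        else:
            accepted.append(rec)
    return accepted, rejected

# Constructed sample batch: one clean record and three data-entry mistakes.
ROWS = [
    ("E10001", "2024-03-01", "2024-03-14", "76", "12.50", "950.00"),
    ("E10002", "2024-03-01", "2024-03-14", "760", "12.50", "9500.00"),
    ("10003", "2024-03-14", "2024-03-01", "40", "10.00", "400.00"),
    ("E10004", "2024-03-01", "2024-03-14", "", "12.50", "950.00"),
]
BATCH = [dict(zip(REQUIRED, row)) for row in ROWS]

if __name__ == "__main__":
    accepted, rejected = load_batch(BATCH)
    print(len(accepted), "accepted")
    for emp_id, errs in rejected:
        print("rejected", emp_id, errs)
```

The second record is internally consistent (760 × 12.50 = 9500.00), so only the range check catches the keying error.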
8.5.4 NATURAL AND ENVIRONMENTAL THREATS
Computers are also threatened by natural or environmental disasters, be it at home, in stores, offices or automobiles. Examples of natural and environmental disasters: flood, fire, earthquakes, storms and tornados, excessive heat, and inadequate power supply.
8.6 SECURITY MEASURES
· Today, people rely on computers to create, store and manage critical information. It is important that the computers and the data they store are accessible and available when needed. It is also important that users take measures to protect their computers and data from loss, damage and misuse. How do we protect our computers from breaches of security and our security risks?
· Security measures mean the precautionary measures taken to ward off possible danger or damage. There are 6 types of security measures, which are data backup, cryptography, Antivirus, Anti-Spyware, Firewall and human aspects.
8.6.1 DATA BACKUP
· Data backup is a program of file duplication.
· Backups of data applications are necessary so that they can be recovered in case of an emergency.
· Depending on the importance of the information, daily, weekly or biweekly backups from a hard disk can be performed.
8.6.2 CRYPTOGRAPHY
· Cryptography is a process of hiding information by altering the actual information into a different representation, for example APA can be written as I?X.
· Almost all cryptosystems depend on a key, such as a password, a number or a phrase, that can be used to encrypt or decrypt a message.
· The traditional type of cryptosystem used on a computer network is called a symmetric secret key system.
· With this approach, the sender and the recipient use the same key, and they have to keep the shared key a secret from anyone else.
8.6.3 ANTIVIRUS
· Users should install an Antivirus program and update it frequently.
· An Antivirus program protects a computer against viruses by identifying and removing any computer viruses found in the computer memory, on storage media or in incoming e-mail files.
Identifying viruses: two techniques are used to identify a virus:
· Virus signature – also called a virus definition. It is a specific pattern of the virus code.
· Inoculating a program file – the Antivirus program records information such as the file size and file creation date in a separate inoculation file. The Antivirus program then uses this information to detect if a virus tampers with the data describing the inoculated program file.
· If an Antivirus program identifies an infected file, it attempts to remove its virus, worm or Trojan horse.
· If the Antivirus program cannot remove the infection, it often quarantines the infected file. Quarantine is a separate area of a hard disk that holds the infected file until the infection can be removed. This step ensures other files will not become infected.
· An Antivirus program scans for programs that attempt to modify the boot program, the operating system and other programs that normally are read from but not modified.
· Many Antivirus programs automatically scan files downloaded from the web, e-mail attachments and all types of removable media inserted into the computer.
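The inoculation technique described above, as an added example that is not part of the original notes. It records the file size and a timestamp as the notes describe (modification time is used here in place of creation date), and adds a SHA-256 digest, which is this example's own extension; the file name and contents are constructed stand-ins.

```python
import hashlib
import os
import tempfile

def inoculate(path):
    """Record the attributes an inoculation file would hold for one program."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    # Size and timestamp follow the notes; the digest is this example's addition.
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}

def check(path, baseline):
    """Return the names of recorded attributes that no longer match."""
    current = inoculate(path)
    return [name for name in baseline if baseline[name] != current[name]]

def demo():
    """Constructed scenario: a harmless stand-in program file is changed twice."""
    with tempfile.TemporaryDirectory() as folder:
        prog = os.path.join(folder, "payroll.bin")   # constructed file name
        with open(prog, "wb") as f:
            f.write(b"ORIGINAL-PROGRAM-BYTES")
        base = inoculate(prog)
        clean = check(prog, base)

        # Change 1: bytes are appended and the timestamp moves forward,
        # so the size and date recorded at inoculation no longer match.
        with open(prog, "ab") as f:
            f.write(b"+EXTRA")
        later = base["mtime_ns"] + 10**9
        os.utime(prog, ns=(later, later))
        appended = check(prog, base)

        # Change 2: same length, timestamp set back to the recorded value.
        # Size and date alone report nothing; only the digest differs.
        with open(prog, "wb") as f:
            f.write(b"MODIFIED-PROGRAM-BYTES")
        os.utime(prog, ns=(base["mtime_ns"], base["mtime_ns"]))
        same_size = check(prog, base)
    return clean, appended, same_size

if __name__ == "__main__":
    for label, result in zip(("clean", "appended", "same size"), demo()):
        print(label, "->", result or "no change detected")
```

The second change is why an integrity baseline that relies only on size and date is weaker than one that also records a content digest.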
8.6.4 ANTI - SPYWARE
· Spyware is a program placed on a computer without the user's knowledge. It secretly collects information about the user.
· The Spyware program communicates information to the outside source.
· An Anti-Spyware application program, sometimes called tracking for threat or a Spybot, is used to remove Spyware.
Among the popular Anti-Spyware programs are: Spybot Search and Destroy, Ad-aware and Spyware Blaster.
8.6.5 FIREWALL
· A firewall is a piece of hardware or software which functions in a networked environment to prevent some communications forbidden by the security policy.
· The purpose of a firewall is to keep bad things outside a protected environment. A firewall implements a security policy. It might permit limited access from inside or outside the network perimeter, or from certain users, or for certain activity.
There are three types of firewall:
· Screening routers - The simplest type; sees only addresses and service protocol type and screens based on connection rules.
· Proxy gateway - Complex; sees the full text of communication and screens based on behaviour proxies.
· Guard - Most complex; sees the full text of communication and screens based on interpretation of message content.
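A screening router's decision logic, covering both the permit-or-block rules mentioned under communication controls and the firewall types listed above. This is an added example, not part of the original notes; the rule table, the packets (documentation address ranges) and the block-on-no-match default are assumptions.

```python
import ipaddress

# Constructed rule table. Fields: action, source network, destination network,
# protocol, destination port (None = any).
RULES = [
    ("permit", "0.0.0.0/0",       "192.0.2.10/32", "tcp", 443),
    ("permit", "198.51.100.0/24", "192.0.2.25/32", "tcp", 25),
    ("block",  "0.0.0.0/0",       "192.0.2.0/24",  None,  None),
]

def screen(packet, rules=RULES):
    """Return (action, rule number) for a packet; the first matching rule wins.

    Only header fields are read. The payload is never inspected, which is the
    limit of a screening router compared with a proxy gateway or a guard.
    """
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    for number, (action, src_net, dst_net, proto, port) in enumerate(rules, 1):
        if src not in ipaddress.ip_network(src_net):
            continue
        if dst not in ipaddress.ip_network(dst_net):
            continue
        if proto is not None and proto != packet["proto"]:
            continue
        if port is not None and port != packet["dport"]:
            continue
        return action, number
    # Assumption of this example: traffic matching no rule is blocked.
    return "block", 0

def pkt(src, dst, proto, dport, payload=b""):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "payload": payload}

# Constructed packets. The first two differ only in payload.
PACKETS = [
    pkt("203.0.113.7", "192.0.2.10", "tcp", 443, b"GET /index.html"),
    pkt("203.0.113.7", "192.0.2.10", "tcp", 443, b"any other content"),
    pkt("203.0.113.7", "192.0.2.25", "tcp", 25),     # not the permitted source
    pkt("198.51.100.20", "192.0.2.25", "tcp", 25),   # permitted mail source
    pkt("192.0.2.10", "203.0.113.7", "tcp", 51000),  # matches no rule
]

def decisions(packets=PACKETS):
    return [screen(p) for p in packets]

if __name__ == "__main__":
    for p, (action, rule) in zip(PACKETS, decisions()):
        print(p["src"], "->", p["dst"], p["proto"], p["dport"], action, "rule", rule)
```

The first two packets receive the same decision because the rules never look at content; telling them apart requires a proxy gateway or guard.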
8.7 NATURAL DISASTER VS DATA BACKUP
· Natural and environmental disasters may include flood, fire, earthquakes, storms and tornados.
· Natural disasters may threaten a computer's hardware and software easily. Computers are also sensitive to their operating environment, such as excessive heat or the inadequacy of power supply.
· The backup system is needed to back up all data and applications in the computer. With the backup system, data can be recovered in case of an emergency.
8.8 HUMAN ASPECTS
· Human aspects refer to the user and also the intruder of a computer system.
· It is one of the hardest aspects to give protection to.
· The most common problem is the lack of achieving a good information security procedure.
There are three ways to protect computers from human aspect threats:
· Organization Self Awareness - Organizations need to be aware of the people they work with. Some threats also come from within the organization and not just from the outside.
· Organizational User Self Awareness - Provide employees with adequate training on the importance of security and control. Even a very high-tech protection system could not protect the system against incompetent users.
· Individual User Self Awareness - Threats often come in beautiful offers and packages. Do not download or install software from unreliable sources. Do not expose important information to strangers.
8.8.1 THEFT VERSUS HUMAN ASPECTS
Computer theft can be of 2 kinds:
· The computer can be used to steal money, goods, information and computer resources.
· The actual stealing of computers, especially notebooks and PDAs
These threats can be handled based on the human aspects.
Approaches that can be taken by individuals or organizations to prevent theft are:
· Prevent access by using locks, smart cards or passwords
· Prevent portability by restricting the hardware from being moved
· Detect and guard all exits and record any hardware transported.
Be suspicious of all results
· There are many instances where non-programmers develop applications which are not built with a proper understanding of software engineering practices.
· Data produced by such applications may not be correct and may risk corrupting data received from other sources that are not compatible with the application.