1.6.

1 Data security

Information/data security

Information security, sometimes shortened to InfoSec, is the practice of

defending information from unauthorized access, use, disclosure, disruption,
modification, perusal, inspection, recording or destruction. It is a general term that
can be used regardless of the form the data may take (e.g. electronic, physical).

IT Security

Information security means protecting information and information systems from

unauthorized access, use, disclosure, disruption, modification or destruction. The
terms information security, computer security and information assurance are
frequently incorrectly used interchangeably. These fields are interrelated often and
share the common goals of protecting the confidentiality, integrity and availability
of information; however, there are some subtle differences between them.

in
Information security is concerned with the confidentiality, integrity and availability

sa
of data regardless of the form the data may take: electronic, print, or other forms.
Computer security can focus on ensuring the availability and correct operation of a

us
computer system without concern for the information stored or processed by the
computer.
H
Confidentiality
a q

Confidentiality is the term used to prevent the disclosure of information to

ht

unauthorized Individuals or systems. For example, a credit card transaction on the

Internet requires the credit card number to be transmitted from the buyer to the
us

merchant and from the Merchant to a transaction processing network. The system
-M

attempts to enforce confidentiality by encrypting the card number during

transmission, by limiting the places where it might appear (in databases, log files,
backups, printed receipts, and so on), and by restricting access to the places where
M

it is stored. If an unauthorized person obtains the card number in any way, a

breach of confidentiality has occurred.

Breaches of confidentiality take many forms. Someone looking at your computer

screen behind your back while you have confidential data displayed on it could be a
breach of confidentiality. If a laptop computer containing sensitive information
about a company's employees is stolen or sold, it could result in a breach of
confidentiality. Giving out confidential information over the telephone is a breach of
confidentiality if the caller is not authorized to have the information. Confidentiality
is necessary (but not sufficient) for maintaining the privacy of the people whose
personal information a system holds.

Contact the teacher: 03215275281

Integrity

In information security, integrity means that data cannot be modified without

permission. Integrity is violated when an employee accidentally or with malicious
intent deletes important data files, when a computer virus infects a computer, when
an employee is able to modify his own salary in a payroll database, when an
unauthorized user vandalizes a web site, when someone is able to cast a very large
number of votes in an online poll, and so on. There are many ways in which
integrity could be violated without malicious intent. In the simplest case, a user on
a system could mis-type someone's address. On a larger scale, if an automated
process is not written and tested correctly, bulk updates to a database could alter
data in an incorrect way, leaving the integrity of the data compromised.
Information security professionals are tasked with finding ways to implement
controls that prevent errors of integrity.

System Security measures

in
1.Authentication and Authorization

sa
Remove or disable accounts upon loss of eligibility: Accounts which are no longer

us
needed must be disabled in a timely fashion using an automated or documented
procedure.
H
Separate user and administrator accounts: Administrator accounts must not be
used for non-administrative purposes. System administrators must be provisioned
a q

with non-administrator accounts for end-user activities, and a separate

ht

administrator account that is used only for system-administration purposes.

Use unique passwords for administrator accounts: Privileged accounts must use
us

unique passwords that are not shared among multiple systems. Credentials which
are managed centrally, such as the NetID/password combination, are considered a
-M

single account, regardless of how many systems they provide access to.
Throttle repeated unsuccessful login-attempts: A maximum rate for unsuccessful
M

login attempts must be enforced. Account lockout is not required, but the rate of
unsuccessful logins must be limited.
Enable session timeout: Sessions must be locked or closed after some reasonable
period.
Enforce least privilege: Non-administrative accounts must be used whenever
possible. User accounts and server processes must be granted the least-possible
level of privilege that allows them to perform their function.

2. Firewall
Systems must be protected by a firewall that allows only those incoming
connections necessary to fulfill the business needs of that system. Client systems
which have no business need to provide network services must deny all incoming
connections. Systems that provide network services must limit access to those
services to the smallest reasonably manageable group of hosts that need to reach
them.

Contact the teacher: 03215275281

A firewall is a software program or piece of hardware that helps screen out hackers,
viruses, and worms that try to reach your computer over the Internet.

in
sa
3.Password Protection
us
All accounts and resources must be protected by passwords which meet the
H
following requirements, which must be automatically enforced by the system:
Must be at least eight characters long.
q

Must NOT be dictionary or common slang words in any language, or be

a
ht

relatively easy to guess.

Must include at least three of the following four characteristics, in any order:
us

upper case letters, lower case letters, numbers, and special characters, such
as ! @#$%^&*.
-M

Must be changed at least once per year.

4. Digital signature
M

It is basically a way to ensure that an electronic document (e-mail, spreadsheet,

text file, etc.) is authentic. Authentic means, you know who created the document
and you know that it has not been altered in any way since that person created it.
Digital signatures rely on certain types of encryption to ensure authentication.
Encryption is the process of taking all the data that one computer is sending to
another and encoding it into a form that only the other computer will be able to
decode.
Authentication is the process of verifying that information is coming from a trusted
source. These two processes work hand in hand for digital signatures.

Contact the teacher: 03215275281

Security measures designed to protect the security of data
Data Backup: Data protection is crucial for protecting your business's continuity. If
your only data backup is on a computer and the hard disk crashes or is damaged by
a power surge, your businesss data is gone. And having paper copies of business
data isn't adequate data protection; what if your business premises burns to the
ground or destroyed in a flood? Once again the data you need to carry on your
business could be irretrievably lost.
Methods of data backups
Archiving Critical Business Data
Creating physical data backups
Creating off-sight backups
Real-time backups take place at any time and must have a procedure for
handling files that are open during backup. In most cases, the backup
system tracks open files and returns to back them up later.
Disk mirroring is a real-time strategy that writes data to two or more disks at

in
the same time. If one disk fails, the other continues to operate and provide
access for users. Server mirroring provides the same functionality, except

sa
that an entire server is duplicated. This strategy allows users to continue
accessing data if one of the servers fails. See "Fault Tolerance and High
us
Availability" for additional information on these strategies.
H
Replication copies information to alternate servers on distributed networks to
make that information more readily available to people in other locations.
q

While replication is not necessarily a backup technique, replicated data on

a

remote servers can be made available to local users if the server close to
ht

them goes down.

us

Remote vaulting is an automatic backup technique that transmits data to

alternate sites. The alternate sites can be more than just warehouses for
-M

backups. They may be entire data centers that can be brought online when
the primary data center goes offline in the event of a major disaster.
M

Encryption
Encryption involves applying a mathematical function, using a key value, to a
message that can only be read by the sender and the intended receiver. There
are many techniques for this. There are a number of terms used with
encryption.
Plain text describes the original unaltered text as created by the sender.
Encryption algorithm is the calculation which is used to change the plain
text into the encrypted text
Cipher text is the message text after the encryption has been performed
Decryption is the process of converting the message text back to the
original pliant text
Symmetric encryption
It is the simplest technique for encryption. The same algorithm and key is used
for both encryption and decryption. The receiver therefore must be in possession
of both the algorithm and the key in order to decrypt the cipher text.

Contact the teacher: 03215275281

Asymmetric encryption
Most modern systems of encryption use the idea of two keys working together,
a public key and a private key.
The public key is universally known and the private key is known only to the
holder.
To use asymmetric encryption, the user must purchase a digital certificate from
a certification authority, such as versign.The certificate contains
The holders name
An ID number
An expiry date
The public key
How it works?
Suppose Ahmad and Ali each has a digital certificate which gives each their own
public and private keys. So according to rule
Ahmad never knows alis private key
Ali never knows Ahmads private key

in
sa
us
H
a q
ht
us
-M
M

Contact the teacher: 03215275281

1.6.2 Data integrity
Data validation
Validation is a check on DATA INPUT to the system by comparing the data input
with a set of rules that the computer software has been programmed to
implement. If the data does not match up with the rules then there must be an
error. There are many different types of validation checks that can be used to
check input in different applications:
1. Range check. A mathematics exam is out of 100. A simple validation rule that
the computer can apply to input data is that the mark must be between 0 and
100 inclusive. Consequently, a mark of 101 would be rejected by this check as
being outside the acceptable range.
2. Character check. A persons name will consist of letters of the alphabet and
sometimes a hyphen or apostrophe. This rule can be applied to input of a
persons name so that dav2d will immediately be rejected as unacceptable.
3. Format check. A particular application is set up to accept a national insurance

in
number. Each person has a unique national insurance number, but they all have
the same format of characters, 2 letters followed by 6 digits followed by a single

sa
letter. If the computer knows this rule then it knows what the format of a NI
number is and would reject ABC12345Z because it is in the wrong format, it
breaks the rule. us
H
4. Length check. A NI number has 9 characters, if more or fewer than 9
characters are keyed in then the data cannot be accurate.
q

5. Existence check. A bar code is read at a supermarket check-out till. The code is
a

sent to the main computer which will search for that code on the stock file. If
ht

the code is found in the stock file then it is known to exist and is accepted.
us

6. Check digit. When the code is read on the item at the supermarket, it consists
of numbers. One number is special; it is called the check digit. If the other
-M

numbers have some arithmetic done to them using a simple algorithm the
answer should be this special digit. When the code is read at the check-out till, if
M

the arithmetic does not give the check digit it must have been read wrongly, it is
at this point that the beeping sound would normally be heard if everything is
alright.
7. Presence check. A value must be present when filling in an online form, the
system does not allow the user to progress to the next data item unless some
input to the present value is provided. (Be careful about distinguishing between
existence and presence checks, they are often confused by candidates in exam
questions)
8. Uniqueness check: This check makes sure that a certain field is unique.
9. List check: only a limited number of values are allowed e.g. the gender of a
person must be M or F, usually implemented by drop down list.

Contact the teacher: 03215275281

Data verification
Verification means checking the input data with the original data to make sure
that there have been no transcription errors (transcription means copying the
data)
Verification can be performed in a few ways
1. Entering the data twice: think about you choose a new password, you
have to type it in twice. This lets the computer check if you have typed it
exactly the same both times and not made a mistake. It is not ideal for
large amount of data because a person will take a lot of time entering the
data twice, the person can make the same mistake twice so it wouldnt
get picked up and you would end up with two copies of the data.
2. Checking the data on screen with the original paper document
3. Printing out a copy of the data and comparing the printout to the original
paper document.

Data verification during transmission

in
Parity check

sa
A parity check involves checking that the number of 1 bits in a byte totals to an
even number (called even parity) or an odd number (called odd parity).

us
If two devices that are communicating decide to use off parity, there must
always be an odd number of 1s,an error must have occurred .e.g. the byte
H
01011000 is sent, it has three 1 bits so it passes the odd parity check. When it
q
is transmitted the byte received is 11011000.this has four 1 bits, which is an
a

even number so there must have been an error in transmission. The receiving
ht

device would ask for it to be sent again.

Parity is also used when data are transferred between different components of
us

CPU.
-M

If two mistakes are made in the same byte they cancel each other out and the
faulty data are accepted. This problem can be overcome using parity blocks.
Parity block
M

It is a group of byte with an additional parity byte. The data bytes and parity
bytes are together called parity block

Contact the teacher: 03215275281

Check Sum: Data will normally be sent from one place to another as a block of
bytes rather than as individual bytes. The computer can add numbers together
without any trouble, so another checking procedure is to add all the bytes
together that are being sent in the block of data. The carry, out of the byte, is
not taken into account, so the answer is an 8 bit number, just like the bytes.
This answer is calculated before the data is sent, and then calculated again
when it is received, and if there are no errors in the transmission, the two
answers will match.if, however the two bytes are different there must be at least
one checksum that has been corrupted and the whole block of data has to be re-
sent.

Echoing back
The simplest way of checking the transfer of the data is to send the data back
again. If the data sent back are the same as the data sent in the first place then
the original data must have reached the destination unaltered. If not, the data
must be sent again. This is known as echoing back. This method is very

in
effective, but suffers from having to send data twice. The transmission mode

sa
needs to be either duplex or half duplex to allow data transfer in both directions.

us
H
a q
ht
us
-M
M

Contact the teacher: 03215275281