CONTENTS

PREFACE
Describe and give examples of at least four different computer crimes.
    Definition of computer crime
    Computer crime types
Discuss some of the ways a computer virus may be introduced into a system and describe the potential harm it may cause. How can you guard against viruses?
    Introduction of computer viruses
    Potential harm that a virus may cause
    Guarding against the harm that a virus can do
List some of the major threats to information systems besides computer crime. What issues do such threats raise?
    Major threats
    What issues do such threats raise?
Describe some basic security measures that should be taken to protect information systems.
What are the key elements of a disaster recovery plan?
    Disaster Recovery Plan Details
    Other considerations
CONCLUSION
Bibliography

PREFACE

Information system security covers many areas. Policies, procedures and tools are used to protect information systems. This project covers several different areas of information security, ranging from computer crimes, viruses and threats to security measures and a disaster recovery plan. The disaster recovery plan elements that have been presented cover many aspects of disasters, and not just computer-related ones.

Describe and give examples of at least four different computer crimes.

Definition of computer crime

Computer crime is a term used to describe a wide range of offences that can be committed with the aid of a computer. Computer crime consists of such things as:
· The use of a computer to commit acts of deceit, theft or concealment that are intended to provide financial, business-related, property or service advantages
· Threats to the computer itself, such as the theft of hardware, software, sabotage and demands for ransom
· Any violation of a computer crime law
· Any crime that requires the perpetrator to have a knowledge of computer technology to commit the offence
· Any illegal act for which the knowledge of computer technology is used to commit the offence, computers are used as the medium of the crime or the computer is the object of the crime
(SA Police Web site)

Computer crime types

The following are four different types of computer crimes:

Unauthorised access to computer systems
· This is most commonly known as “hacking”. It happens when someone gains access to a computer system that the person is not authorized to access. The access can be from an internal or an external source. The internal source can be an employee, and the external source can be a ‘hacker’. The hacking can be done to benefit either the offender or a third party. The Internet is used as a means of unauthorised access.

Manipulation or alteration of data or programs
· This is related to unauthorized access of information and is generally done to get some type of benefit (usually financial) for the offender. This category includes offences such as fraud, forgery, theft and the copying of information for personal gain. The personal gain can be for the person doing the manipulation or altering of data, or for a third party.

Damage to data or programs
· The reasons are varied and the damage can come from internal or external sources. Examples of this type of computer crime range from hackers who deliberately erase data from a company's computer system, to employees who remove data for their own personal gain or a third party's gain, to a disgruntled employee acting out of spite.

Computer viruses and worms
· A computer virus is a set of computer instructions that replicates itself into computer programs and data when it is executed by an infected program
· A worm is a program that sends multiple copies of itself within a system
(Adapted from SA Police Web site)

Discuss some of the ways a computer virus may be introduced into a system and describe the potential harm it may cause. How can you guard against viruses?

Introduction of computer viruses

Computer viruses may be introduced into computer systems in a number of ways.
· The use of a floppy disk in a floppy disk drive may spread a virus
· The use of a zip disk that has a virus on it
· The booting up of a computer with an inserted floppy disk may place a boot virus in the computer
· Viruses can be downloaded from the Internet, hidden in programs that the downloader is unaware contain a virus
· CD-ROMs, such as recordable or rewritable CD-ROMs, can carry viruses
· Email program attachments may carry viruses
· Bulletin boards may carry viruses
· Viruses may spread in programs that use macros, such as Microsoft Word
· Viruses may spread by going through a company's network

Potential harm that a virus may cause
· There may be unusual messages or displays on your monitor
· There may be unusual sounds or music played at random
· Your computer system may have less memory available than what you thought it should have
· A disk or volume name has been changed
· Programs or files that were there before have suddenly gone missing
· Unknown files or programs have been created
· Files may become corrupted or do not work properly
(ZDNET Site)
· Changing of interrupt vectors
· Unaccounted use of RAM
(FAQ site)
(Viterbo Site)

Guarding against the harm that a virus can do

There are numerous ways that computers and computer systems can be guarded against virus attacks.
- Run a secure operating system like UNIX or NT
- Buy and use virus protection software
- Avoid programs from unknown sources
- Disable floppy disk booting
- Enable macro protection
- Do not run emailed program files such as those with .exe or .com
(Adapted from How Stuff Works Site)
(ZDNET Site 3)

List some of the major threats to information systems besides computer crime. What issues do such threats raise?

Major threats
· Zapping your data - static electricity may pass from your body to your computer
· Spikes, brownouts and blackouts – these may leave you without power to run the computer, may reduce the amount of power available or may increase the amount of power and do damage
· Acts of God – these are either an inexplicable happening or a natural phenomenon. These can be things such as trees falling on the property, earthquakes, floods, fire and tornadoes
· Human errors – not backing up and eating or drinking near the computer
(Computer Security for Dummies, pp33-37)
· Hardware failure
· Software failure
· Fire
· Program changes
· Telecommunication problems
(Viterbo site)

What issues do such threats raise?

The issue that these threats raise is that it is not only through computer crime that computer data can be compromised or lost.

The various threats will need to be addressed. Static electricity can destroy the data, and measures can be taken to reduce static electricity, such as static electricity reducing floor mats.

Installing switchboard mounted protection units can reduce spikes.

Using a UPS can avert the effects of brownouts and blackouts.

Acts of God can be recovered from by having up to date backups, paid up insurance policies, inventories and the like.

Human errors can destroy the data. An issue that is raised is that the users will need to be educated about the proper ways to handle computer equipment.

Hardware and software failure can affect the data and this can result in loss of productivity. Backups would help. The software should be stored in a safe location so applications could be reinstalled as required.

Fire comes under the Acts of God section.

Program changes are an issue. These changes may install older files over the top of newer ones, thus resulting in data loss. This could be overcome by carefully watching what new software is put on the computer. Images of the drive could be taken, such as a Norton Utilities image, before any change of software configuration. The drive could be restored from the image, if need be.

Telecommunication problems would be an issue for emails, faxes and the Internet. There is not much you can do if the fault lies with the phone company, until the line is restored. The phone company should be contacted, by a mobile phone if need be, and all data should be backed up. When the line is restored, the data should be sent as soon as possible.

Describe some basic security measures that should be taken to protect information systems.

· With a network service that requires remote login use an encryption system or a one time pad to keep passwords secret and safeguard information
· Use SSH (Secure Shell) for encryption purposes to keep passwords secret
· Know who the contact person for security in the organization is, so that security breaches can be reported to them
· Keep your password secret and do not write it down
· Use a password protected screensaver when away from your desk to keep the data on the screen secret
· Be aware of software running on the computer and be wary of downloading and executing software
· Report security problems as soon as possible
· Store downloaded programs so you can remember their source
· View certificates attached to web pages to see whether the page comes from a trustworthy source
· Be wary of sending confidential information by email so as to ensure privacy
· Be wary of potential virus attacks
· Be wary of using a modem when connected to a company network, as it may open up your network to attack, and turn off auto answer so you can screen calls that come in
· Encrypt files on your hard disk that are not to be shared
· Shred unnecessary paperwork so as to reduce any leaks from ‘dumpster diving’
· Watch out for plugins from web pages and ensure that they are required and are safe
· Be wary of telephone calls from ‘new users’ or ‘executives’ asking for access, as they may not be who they say they are and may be trying to access the network for illegal purposes
· Check the credentials of technicians, as they may not be who they say they are and may be trying to access the network for illegal purposes
· Keep the computer physically secure to keep your data safe and secure
· Do not key in commands that someone else tells you to enter if you do not understand them
· Do not reveal any secret information such as passwords
· Read all user documentation
· Back up user data in case of a security incident
· Obtain virus checking tools and use them
· Upgrade software and network software regularly so as to have the most recent program with the fixes required, as older programs may have vulnerabilities
· Apply patches to programs as required to fix security issues
(Ohio State University Site)
· Buy a surge protector to protect the computer against electrical mishaps
· Maintain the hard disk with utilities such as scandisk
· Recognize that you are accountable for your computer accesses
· Make certain that no one can impersonate you by using your password
· Be aware of the visible data on the screen while you are working
· Maintain the authorized software/hardware configuration
(NIST Site1)
· Reduce risk to an acceptable level by spending the necessary monies to maintain the data security
· Comply with the applicable laws and regulations and do not have unauthorized software installed on the computers
· Have a risk assessment program up and running to assess the security risks that the organization may face
· Train the users about security issues
(NIST Site 2)
· When someone leaves the company remove them from the access list, remove their account and ensure that any access cards are handed in
· Deny access to any user that is suspected of security violations
· Sign visitors in and escort them to the relevant site
· Ensure that only authorized people run utilities
· Maintain a site user list that has the user's name, user ID, access level and administrative privileges
· Conduct audits and security checks
· Review reports such as access reports
· Look for after-hours logins
· Look for multiple login attempts by a user if they do not have multiple login capability
(Radium site)
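
The audit checks in the list above (review access reports, look for after-hours logins and for multiple logins by users without that capability, keep the site user list current) can be run over an access report as sketched here. This is an added example, not taken from the essay or its sources; the report format, user IDs, working hours and rule names are assumptions constructed for illustration.

```python
from datetime import datetime, time

# Assumed policy (not from the essay): working hours 07:00-19:00, Monday to Friday.
WORK_START, WORK_END, WORK_DAYS = time(7, 0), time(19, 0), range(0, 5)

# Constructed site user list: user ID -> name, access level, multiple-login capability.
SITE_USERS = {
    "jsmith": {"name": "J. Smith", "level": "user", "multi_login": False},
    "opsadm": {"name": "O. Admin", "level": "admin", "multi_login": True},
}

# Constructed access report (hypothetical format): date, time, user ID, event, terminal.
ACCESS_REPORT = """\
2001-05-14 09:02:11 jsmith LOGIN tty1
2001-05-14 09:40:03 jsmith LOGIN tty4
2001-05-14 10:15:00 opsadm LOGIN tty2
2001-05-14 10:16:30 opsadm LOGIN tty3
2001-05-14 17:01:55 jsmith LOGOUT tty1
2001-05-14 17:02:10 jsmith LOGOUT tty4
2001-05-15 02:47:19 opsadm LOGIN tty2
2001-05-15 08:30:00 bjones LOGIN tty5
garbled line from a truncated report
"""

def parse_report(text):
    """Return (events, unparsed); an event is (timestamp, user, action, terminal)."""
    events, unparsed = [], []
    for line in text.splitlines():
        parts = line.split()
        try:
            stamp = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
            user, action, terminal = parts[2:5]
        except ValueError:  # bad timestamp or too few fields: keep for manual review
            unparsed.append(line)
            continue
        events.append((stamp, user, action, terminal))
    return sorted(events), unparsed

def review(events, users):
    """Return findings as (rule, user ID, timestamp) tuples in time order."""
    findings, open_sessions = [], {}
    for stamp, user, action, terminal in events:
        sessions = open_sessions.setdefault(user, set())
        if action == "LOGOUT":
            sessions.discard(terminal)
        if action != "LOGIN":
            continue
        if user not in users:  # e.g. an account missing from the site user list
            findings.append(("NOT_ON_USER_LIST", user, stamp))
        elif sessions and not users[user]["multi_login"]:
            findings.append(("MULTIPLE_LOGIN", user, stamp))
        if stamp.weekday() not in WORK_DAYS or not WORK_START <= stamp.time() < WORK_END:
            findings.append(("AFTER_HOURS", user, stamp))
        sessions.add(terminal)
    return findings

if __name__ == "__main__":
    for rule, user, stamp in review(parse_report(ACCESS_REPORT)[0], SITE_USERS):
        print(f"{stamp:%Y-%m-%d %H:%M} {rule:<17} {user}")
```

Lines that fail to parse are returned separately rather than dropped, so a truncated or altered report is itself visible to the reviewer.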

What are the key elements of a disaster recovery plan?

Disaster Recovery Plan Details
· Know what an emergency is, such as
    o Fire
    o Hazardous materials
    o Flood
    o Earthquake
    o Winter storm
    o Civil disobedience
    o Communications problem
    o Loss of key supplier or customer
    o Explosion
· Gain the support of the Management by presenting the case for emergency management
    o It will help the company to fulfill its moral responsibilities
    o It facilitates compliance with legislation
    o It reduces exposure to criminal liability
    o It enhances the public image of the company
    o It may reduce insurance premiums
· Establish a planning team
    o The team will increase the participation of people in the company
    o It allows for more participation, time and energy in the project
    o The participants should be from various parts of the organization
· Have Management authorize the planning group to develop the plan
· Issue a Mission Statement
    o This should state clearly the purpose of the group
· Establish a schedule and a budget for the group
· Analyze capabilities and hazards
    o Review existing plans and policies such as
        · Evacuation plan
        · Security procedures
        · Occupational health and safety program
· Meet with outside groups such as
    o Fire Department
    o Police Department
    o Phone company
· Identify existing codes and regulations such as
    o Environmental codes
    o Zoning regulations
    o Council regulations
· Identify critical products and services such as
    o Company products
    o Products supplied by suppliers
    o Essential equipment and personnel
· Identify internal resources and capabilities such as
    o Fire protection equipment
    o Training
    o Backup systems
· Identify external resources such as
    o Fire Brigade
    o Police
    o Hospitals
    o Contractors
· Do an insurance review
· Conduct a vulnerability assessment
· List potential emergencies such as
    o Those that can happen in the company premises
    o Those that can happen outside the premises
    o Previous emergencies in the local area such as severe weather, fire, outages
    o Proximity to floods and dams
    o Computer system failure
    o Power failure
    o Human error
    o Misconduct
    o Fatigue
    o Hazardous materials onsite
· Consider the results of
    o Loss of access to the site
    o Communication lines down
    o Water damage
    o Smoke damage
    o Explosion
    o Trapped persons
· Estimate the probability of each emergency happening
· Assess the potential human impact with regard to death or injury
· Assess the potential property impact
· Assess the potential business impact such as
    o Business interruption
    o Employees unable to report to work
    o Customers unable to reach site
    o Interruption of supplies
· Assess internal and external resources
    o Training of users
    o Equipment purchase
    o Agreements with contractors
· Develop the plan
    o Write an executive summary showing the outline of the plan
    o Describe the approach to items such as
        · Direction and control
        · Communications
        · Safety of human life
        · Property protection
        · Recovery and restoration
    o Describe the approach to
        · Direction and control
        · Communications
    o Develop procedures for
        · Assessing the situation
        · Protecting employees, customers, vital information
        · Communicating with personnel
        · Conducting an evacuation and accounting for people
        · Managing activities
        · Protecting records
        · Restoring operations
· Put together supporting documents such as
    o Building and site maps showing hydrants, water mains, gas cutoffs, storm drains, location of buildings, floor plans, alarms, exits, fire extinguishers, emergency call lists, resource lists
· Write the plan
    o Draft
    o Review
    o Draft
    o Print
    o Distribution
· Establish a training schedule
· Coordinate with outside organizations
    o Local government
    o Police
    o How will outside agencies communicate with the company?
· Communicate with other branches in the company
    o Contact numbers of other staff in those branches
    o What is their disaster recovery plan?
    o How will the various offices support each other?
· Review, conduct training and revise
· Distribute the plan around the company in several binders and have key personnel keep a copy at their homes
· Implement the plan
    o Build awareness of the plan by means such as posters, manuals, mailings
    o Test the plan
    o Conduct drills
    o Train users by means of orientation sessions, walkthroughs, drills and full scale exercises and inform them of roles, responsibilities, communication procedures, emergency response procedures, emergency shutdown procedures
    o Conduct a formal audit of the plan once a year
        § Lessons learnt from drills
        § Changes to physical layout of the site
        § Hazards the same?
        § Responsibilities understood?
        § Contact details the same?
· Evaluate and modify the plan as required, such as after a drill or when policies or personnel change
(Adapted from Federal Emergency Management Site 1)

Other considerations
§ Direction and control - someone must be in control such as an Emergency Management Group or an Emergency Operations Center
§ Security of the incident scene must be obtained
§ Find other means of communication if it is a communications failure
§ Have notification procedures in place
§ Have a system for warning staff of an emergency
§ Have an evacuation policy and procedures
§ Designate evacuation routes
§ Designate assembly areas
§ Establish procedures for fighting fires, shutting down equipment and computers
§ Determine needs for systems such as fire protection systems
§ Establish shutdown procedures
§ Preserve records by means such as offsite backups, arranging for backup power, making copies of records
§ Involve the community and work out how you can help the community
§ Inform the community if it is a site emergency that may spread beyond the site
§ Maintain links with the media if an emergency arose and the public had to be informed
§ Make arrangements with vendors for post emergency services such as data restoration
§ Arrange for emergency support of employees
§ After an emergency – establish a recovery team, ensure the continued safety of personnel, brief the employees, keep records, protect undamaged property, conduct an investigation, conduct salvage operations, inventory, restore equipment and supplies, assess the impact of the emergency and maintain contact with customers and suppliers.
(Adapted from Federal Emergency Management Site 2)

CONCLUSION

Computer crimes have been examined and the four types of computer crime were outlined. These were unauthorized access to computers, manipulation or alteration of data or programs, damage to data or programs, and viruses and worms. It was found that there are many ways in which a computer virus can be introduced into a system. Harm can be caused to the systems; however, there are measures that can be taken, such as anti virus programs, passwords and backups, that can guard against viruses. Viruses are not the only threat to information systems. Other threats were found, such as hardware and software failure. Security measures were outlined and the key elements of a disaster recovery plan were examined in detail.

Bibliography

Davis & Lewis, Computer Security for Dummies, IDG Books
FAQ Site: http://www.faqs.org/faqs/computer-virus/faq/
Federal Emergency Management Site 1: http://www.fema.gov/library/biz1.htm
Federal Emergency Management Site 2: http://www.fema.gov/library/biz2.htm
How Stuff Works Site: http://www.howstuffworks.com/virus5.htm
IBM Site: http://www.av.ibm.com/ScientificPapers/Chess/PCCOMVIR/note211.html#Header_39
NIST Site 1: http://cs-www.ncsl.nist.gov/nistpubs/sp500-171.txt
NIST Site 2: http://cs-www.ncsl.nist.gov/nistpubs/sp500-169.txt
Ohio State University Site: http://www.cis.ohio-state.edu/htbin/rfc/rfc2504.html
Radium Site: http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-027.pdf
SA Police Site: http://www.sapolice.sa.gov.au/ftfcomp.htm
Viterbo Site: http://www.viterbo.edu/personalpages/Staff/MFranz/chap17_fast/
ZDNET Site: http://www.zdnet.com/zdhelp/stories/main/0,5594,2248291-5,00.html
ZDNET Site 2: http://www.zdnet.com/zdhelp/stories/main/0,5594,2274248,00.html
ZDNET Site 3: http://search.zdnet.com/cgi-bin/texis/zdhelp/zdhelp/single.html?Ueid=919210&b=tipzone