Describe methods that can be used to restrict the risks posed by threats

6.1 Data Security

1. Terminology & Core Concepts

  • Security: protecting information from unauthorised access, modification, loss or destruction.
  • Privacy: the right of individuals to control *who* may view or use their personal data.
  • Integrity: ensuring data are accurate, complete and unaltered (e.g., by checksums, hashes, parity bits).
  • Distinction: privacy concerns *who* can see data, security concerns *how* data are protected, and integrity concerns *whether* the data remain correct.

2. Threats to Computer & Data Security

Students should be able to name and briefly describe each threat. The wording follows the Cambridge syllabus.

  • Malware – viruses, worms, spyware, ransomware that corrupt or steal data.
  • Phishing & social engineering – deceptive messages that trick users into revealing credentials.
  • Hacking – unauthorised exploitation of software or network vulnerabilities.
  • Insider threat – accidental or deliberate misuse by authorised users (e.g., copying confidential files to a USB stick).
  • Denial‑of‑Service (DoS) – overwhelming a service so it becomes unavailable.
  • Physical theft or damage – loss or destruction of laptops, servers, or storage media.

3. Security Measures for Stand‑Alone PCs and Networks

  • Stand‑alone PC (e.g., a school laptop):
    • User accounts & strong passwords.
    • File‑system permissions (read/write/execute).
    • Local firewall (Windows Defender Firewall, iptables).
    • Full‑disk encryption (BitLocker, FileVault).
    • Anti‑malware software with real‑time scanning.
  • Networked environment (e.g., school LAN):
    • Network firewalls and router ACLs.
    • Intrusion detection/prevention systems (IDS/IPS).
    • Secure Wi‑Fi (WPA2/WPA3‑Enterprise with per‑user 802.1X credentials; a captive portal on the guest network controls who may join but does not by itself encrypt traffic).
    • Regular patching of servers, switches and client OSes.
    • Centralised authentication (Active Directory, LDAP).

4. Risk‑Management Process (Identify → Analyse → Evaluate → Treat → Review)

  1. Identify assets – data, hardware, software, services.
  2. Analyse threats & vulnerabilities – what could go wrong and why?
  3. Evaluate likelihood & impact – use a risk matrix (see section 9).
  4. Treat risk – select and implement appropriate controls.
  5. Review – monitor effectiveness and update controls as needed.

Classroom example: “Risk – unauthorised use of USB drives → Treat – disable USB ports on all workstations and enforce a policy that only approved devices may be connected.”

5. Categories of Controls

5.1 Physical Controls

  • Locked doors, security guards, CCTV – lab example: keep the computer room door locked when not in use.
  • Environmental protection – fire suppression, temperature & humidity monitoring.
  • Hardware protection – cable locks, locked server racks, tamper‑evident seals, BIOS/UEFI passwords.
  • Media disposal – shredding paper, degaussing or physically destroying magnetic storage.
  • Hardware‑level security – Trusted Platform Module (TPM), secure boot, firmware signing.

5.2 Technical (Logical) Controls

For each control: its purpose, a typical implementation, and a lab‑friendly example.

  • Encryption
    • Purpose: confidentiality of data at rest and in transit.
    • Typical implementation: symmetric (AES‑256) and asymmetric (RSA) algorithms; TLS 1.3 for web traffic.
    • Lab‑friendly example: enable BitLocker on a Windows laptop; use OpenSSL to encrypt a text file.
  • Authentication & Authorisation
    • Purpose: verify identity and grant appropriate rights.
    • Typical implementation: passwords, MFA, smart cards; RBAC, ACLs.
    • Lab‑friendly example: create separate user accounts on a lab PC; set file permissions for each account.
  • Firewalls & IDS/IPS
    • Purpose: control network traffic and detect intrusions.
    • Typical implementation: packet‑filtering firewalls, stateful inspection, Snort IDS.
    • Lab‑friendly example: configure Windows Defender Firewall to block inbound traffic; run a simple Snort rule set on a Raspberry Pi.
  • Anti‑malware Software
    • Purpose: detect, quarantine and remove malicious code.
    • Typical implementation: signature‑based scanning, heuristic analysis, real‑time monitoring.
    • Lab‑friendly example: install and schedule daily scans with Windows Defender or ClamAV.
  • Backup & Recovery
    • Purpose: restore data after loss, corruption or ransomware.
    • Typical implementation: 3‑2‑1 rule – three copies, two media types, one off‑site.
    • Lab‑friendly example: use an external USB drive + cloud storage (e.g., OneDrive) for weekly backups; test a restore on a spare PC.
  • Patch Management
    • Purpose: close known software vulnerabilities.
    • Typical implementation: automated update tools, scheduled patch cycles, vulnerability scanners.
    • Lab‑friendly example: enable Windows Update “Automatic” and run “WSUS Offline Update” on lab machines.
  • Digital Certificates & PKI
    • Purpose: provide a trustworthy binding between a public key and an entity.
    • Typical implementation: X.509 certificates, Certificate Authorities, use in TLS/SSL.
    • Lab‑friendly example: generate a self‑signed certificate with OpenSSL and configure Apache to use HTTPS.
  • Data Validation & Integrity Checks
    • Purpose: detect accidental or malicious alteration of data.
    • Typical implementation: checksums, cryptographic hashes (SHA‑256), parity bits, range/format checks.
    • Lab‑friendly example: calculate a SHA‑256 hash of a downloaded ZIP file and compare it to the publisher’s hash; implement a range check on a student‑entered age field.

5.3 Administrative Controls

  • Security policies – acceptable‑use, data‑classification, password standards, incident‑response.
  • Procedures – step‑by‑step instructions for user provisioning, backup, media disposal, and a documented incident‑response plan (detect, contain, eradicate, recover, post‑mortem).
  • Training & awareness – regular sessions on phishing, password hygiene, safe handling of removable media.
  • Auditing & logging – maintain system logs, review them for unusual activity, conduct periodic audits.
  • Legal & ethical context – recognise relevant legislation (e.g., GDPR, Data Protection Act) and the ethical responsibilities of a computer scientist.
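The “review them for unusual activity” step under Auditing & logging can be automated. The following is an added example written for this note (Python, not code from the page or the syllabus): it parses a few constructed OpenSSH‑style auth.log lines and flags any source address with five or more failed logins inside one minute, recording whether a successful login from that address followed (the case worth escalating). The log lines, the year used to complete the timestamps, the threshold and the window are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of an OpenSSH auth.log (not real traffic).
SAMPLE_LOG = """\
Mar  4 09:12:01 lab-srv sshd[2210]: Failed password for invalid user admin from 10.0.5.23 port 51822 ssh2
Mar  4 09:12:03 lab-srv sshd[2210]: Failed password for invalid user admin from 10.0.5.23 port 51822 ssh2
Mar  4 09:12:05 lab-srv sshd[2214]: Failed password for root from 10.0.5.23 port 51830 ssh2
Mar  4 09:12:09 lab-srv sshd[2218]: Failed password for root from 10.0.5.23 port 51841 ssh2
Mar  4 09:12:14 lab-srv sshd[2222]: Failed password for root from 10.0.5.23 port 51850 ssh2
Mar  4 09:12:20 lab-srv sshd[2226]: Accepted password for root from 10.0.5.23 port 51861 ssh2
Mar  4 09:15:44 lab-srv sshd[2301]: Failed password for alice from 10.0.7.8 port 40212 ssh2
Mar  4 09:15:52 lab-srv sshd[2303]: Accepted publickey for alice from 10.0.7.8 port 40214 ssh2
Mar  4 10:40:10 lab-srv sshd[2410]: Failed password for bob from 10.0.7.9 port 40310 ssh2
"""

# One regex for both outcomes; "invalid user" is optional because sshd only
# prints it when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(lines, year=2024):
    """Yield (timestamp, result, user, ip) for each matching line; skip the rest.
    Syslog timestamps carry no year, so one is assumed (2024 here)."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]

def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: {"failures": n, "success_after": [users]}} for every source
    address with at least `threshold` failures inside any `window_s` seconds."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            failures[ip].append(ts)
        else:
            successes[ip].append((ts, user))

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures along the sorted list.
        for i in range(len(times)):
            j = i + threshold - 1
            if j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                later = [u for t, u in successes[ip] if t >= times[j]]
                flagged[ip] = {"failures": len(times), "success_after": later}
                break
    return flagged

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures; later success as {info['success_after'] or 'none'}")
```

Only the first address is flagged: alice and bob each failed once, which is normal user behaviour, while 10.0.5.23 produced five failures in thirteen seconds and then logged in as root, the pattern a password‑spraying or brute‑force tool leaves behind.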

6. Data Integrity Techniques (6.2 Data Integrity)

  • Verification – confirming that data received are exactly what was sent (e.g., comparing a downloaded file’s checksum with the publisher’s checksum).
  • Validation – checking that input conforms to expected rules before processing (e.g., range check: 0 ≤ age ≤ 120; format check: email contains “@”).
  • Checksums & Cryptographic Hashes – CRC checksums and MD5 are adequate for spotting accidental corruption; to detect deliberate tampering use SHA‑256 (MD5 and SHA‑1 are collision‑broken, so an attacker can craft two different files with the same digest). A hash published beside the file gives no protection against an attacker who can replace both, so authenticity additionally needs a digital signature or a keyed hash (HMAC).
  • Parity bits & Error‑detecting codes – simple methods for detecting single‑bit errors in storage or transmission.
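Verification, validation and parity as described above, and the lab example in 5.2 (hash a downloaded file, range‑check an age field), in one added example. This is Python written for this note, not code from the page; the “downloaded” bytes and the e‑mail format rule are constructed for illustration, and the e‑mail check is deliberately a little stricter than “contains @” (exactly one @, a non‑empty local part and a domain with a dot), which is an assumption rather than the full address syntax.

```python
import hashlib
import re

# --- Verification: did the file arrive exactly as the publisher released it? ---

def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of `data` as lowercase hex, the form publishers list."""
    return hashlib.sha256(data).hexdigest()

def verify_download(data: bytes, published_hex: str) -> bool:
    """Compare the hash of the received bytes with the publisher's hash.

    Caveat: a bare hash catches corruption and casual tampering only. Whoever
    can replace the file can usually replace the published hash as well, so
    authenticity needs a signature or an HMAC with a key the attacker lacks.
    """
    return sha256_hex(data) == published_hex.strip().lower()

# --- Validation: does the input obey the rules before we process it? ---

def validate_age(value) -> bool:
    """Range check: a whole number with 0 <= age <= 120."""
    try:
        age = int(str(value).strip())
    except ValueError:
        return False
    return 0 <= age <= 120

# Format check (assumed rule): one @, non-empty local part, domain containing a dot.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def validate_email(value: str) -> bool:
    return bool(_EMAIL_RE.match(value))

# --- Parity: detect a single-bit error in a 7-bit character ---

def add_even_parity(seven_bits: int) -> int:
    """Return an 8-bit value whose MSB is chosen so the count of 1 bits is even."""
    if not 0 <= seven_bits < 128:
        raise ValueError("expected a 7-bit value")
    parity = bin(seven_bits).count("1") & 1
    return (parity << 7) | seven_bits

def parity_ok(byte: int) -> bool:
    """True if the received byte still has an even number of 1 bits."""
    return bin(byte & 0xFF).count("1") % 2 == 0

if __name__ == "__main__":
    # Constructed sample bytes standing in for a downloaded ZIP file.
    original = b"PK\x03\x04 example archive contents"
    published = sha256_hex(original)
    print("intact  :", verify_download(original, published))          # True
    print("tampered:", verify_download(original + b"x", published))   # False

    for age in ["17", "121", "-1", "abc"]:
        print(f"age {age!r:6} ->", validate_age(age))
    for addr in ["student@school.org", "no-at-sign", "a@b"]:
        print(f"email {addr!r:22} ->", validate_email(addr))

    tx = add_even_parity(0b1011011)              # five 1s, so the parity bit is set
    print("sent:", f"{tx:08b}", "ok:", parity_ok(tx))
    print("one bit flipped :", parity_ok(tx ^ 0b00000001))   # detected
    print("two bits flipped:", parity_ok(tx ^ 0b00000011))   # NOT detected
```

The last two lines show the limit of a parity bit: it catches any odd number of flipped bits but a two‑bit error passes unnoticed, which is why storage and network links use CRCs or longer error‑detecting codes for anything beyond a single character.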

7. Encryption & Digital Certificates

  • Symmetric encryption – same key encrypts and decrypts (e.g., AES). Fast, suitable for large files or disk encryption.
  • Asymmetric encryption – a key pair: the public key encrypts and only the matching private key decrypts (e.g., RSA). Used for key exchange and, with the roles reversed (private key signs, public key verifies), for digital signatures. Far slower than symmetric encryption, so in practice it protects a symmetric session key rather than the data itself.

TLS Handshake (simplified; this is the TLS 1.2 sequence with RSA key exchange) – the process that creates a secure channel for web traffic:

Client Hello  →  Server Hello
               →  Server Certificate (X.509)
               →  Server Key Exchange (if needed)
               →  Server Hello Done
Client Certificate (optional)
Client Key Exchange (pre‑master secret encrypted with server’s public key)
ChangeCipherSpec
Finished
               ←  ChangeCipherSpec
               ←  Finished

After the handshake both sides hold the same 48‑byte master secret, derived from the pre‑master secret and the two Hello nonces, and expand it into the symmetric session keys used to encrypt the data stream. Note that this sequence is TLS 1.2 with RSA key exchange: TLS 1.3 removed RSA key transport (the secret is always agreed with ephemeral Diffie‑Hellman, so the server’s certificate is used only to sign the handshake), encrypts everything after Server Hello and keeps ChangeCipherSpec only as a dummy compatibility message, so a TLS 1.3 capture will not show these steps.
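How “both sides possess the same session key” comes about is easier to see in code. The following is an added example written for this note (Python, standard library only; not code from the page): it implements the TLS 1.2 pseudo‑random function from RFC 5246 (P_SHA256), derives the master secret from a pre‑master secret and the two Hello nonces, and expands it into the write keys and IVs for an AES‑128‑GCM cipher suite. The RSA encryption of the pre‑master secret is not modelled; the example assumes that value has reached the server intact, and the random values are generated on the spot for illustration.

```python
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret (RFC 5246 section 8.1)."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def session_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Key block for an AES-128-GCM suite (AEAD, so there are no separate MAC keys).

    The key-expansion seed is server_random + client_random, the reverse of the
    order used for the master secret (RFC 5246 section 6.3).
    """
    key_block = prf(master, b"key expansion", server_random + client_random, 2 * 16 + 2 * 4)
    return {
        "client_write_key": key_block[0:16],
        "server_write_key": key_block[16:32],
        "client_write_iv": key_block[32:36],    # 4-byte implicit part of the GCM nonce
        "server_write_iv": key_block[36:40],
    }

def derive(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Everything one side needs after the handshake, computed from the three
    values both sides share: the pre-master secret and the two Hello nonces."""
    return session_keys(master_secret(pre_master, client_random, server_random),
                        client_random, server_random)

if __name__ == "__main__":
    client_random = os.urandom(32)                 # ClientHello.random
    server_random = os.urandom(32)                 # ServerHello.random
    pre_master = b"\x03\x03" + os.urandom(46)      # client_version + 46 random bytes
    # The client sends pre_master under the server's RSA public key (not modelled);
    # the server decrypts it, and each side runs the same derivation independently.
    on_client = derive(pre_master, client_random, server_random)
    on_server = derive(pre_master, client_random, server_random)
    for name in on_client:
        print(f"{name:17} {on_client[name].hex()}  match={on_client[name] == on_server[name]}")
```

Two points the derivation makes visible: the nonces are mixed in, so replaying a captured Client Key Exchange against a fresh Server Hello yields different keys, and every session key is a function of the pre‑master secret alone, which is why a leaked RSA private key decrypts every recorded TLS 1.2 RSA session retroactively (the motivation for ephemeral Diffie‑Hellman in TLS 1.3).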

8. Risk‑Reduction Techniques (Combining Controls)

  1. Least Privilege – give users only the access they need for their role.
  2. Defence in Depth – layered security (Physical → Network → Host → Application) so that failure of one layer does not expose the whole system.
  3. Segmentation & Zoning – separate networks (DMZ, internal LAN, guest Wi‑Fi) to limit lateral movement.
  4. Secure Development Lifecycle (SDLC) – integrate security activities (code review, static analysis, penetration testing) into each development stage.
  5. Incident‑Response Plan – predefined steps for detection, containment, eradication, recovery and post‑incident review.

9. Example Risk‑Assessment Matrix

Likelihood \ Impact   Low (≤10%)   Medium (10%–30%)   High (>30%)
Rare                  Low          Low                Medium
Possible              Low          Medium             High
Likely                Medium       High               Critical

10. Summary of Key Methods to Restrict Risks

  • Apply strong encryption (symmetric for bulk data, asymmetric for key exchange and digital signatures).
  • Enforce robust authentication (strong passwords, MFA, biometrics) and authorisation (RBAC, ACLs).
  • Maintain up‑to‑date anti‑malware, firewalls, IDS/IPS and systematic patch management.
  • Secure the physical environment and protect hardware from environmental hazards.
  • Implement regular backups following the 3‑2‑1 rule and test restores periodically.
  • Maintain clear security policies, documented procedures (including an incident‑response plan), and conduct regular training and awareness sessions.
  • Adopt a layered (defence‑in‑depth) approach that combines physical, technical and administrative controls.
  • Use data‑integrity checks (checksums, hashes, parity) and digital certificates to verify authenticity.
  • Validate input and verify output to satisfy the syllabus requirement for data integrity techniques.
Suggested diagram: Layered security model – Physical → Network → Host → Application, with example controls (CCTV, firewall, host‑based IDS, input validation) at each level.
