Describe security methods designed to protect the security of data

6.1 Data Security

Learning objectives

  • Define the core security concepts required by the Cambridge AS & A‑Level syllabus: confidentiality, integrity, availability, authentication and privacy.
  • Identify the main threats to computer and data security.
  • Explain the security measures that protect stand‑alone PCs and networked systems, and link each measure to the relevant security principle.
  • Describe simple techniques for ensuring data integrity (validation, checksums, parity).

1. Core security principles

Principle       | What it means                                                                                                                                 | Typical protective measures (exam‑relevant)
----------------|-----------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------
Confidentiality | Only authorised users may read the data.                                                                                                      | Encryption, strong passwords, access‑control lists, firewalls.
Integrity       | Data must be accurate, complete and un‑altered.                                                                                               | Hash functions, checksums, digital signatures, validation routines.
Availability    | Data and services must be accessible when required.                                                                                           | Back‑ups, redundant servers, DDoS mitigation, reliable power.
Authentication  | Verification of the identity of a user, device or process.                                                                                    | Passwords, two‑factor authentication (2FA), biometrics.
Privacy         | Protection of personal or sensitive information from unauthorised collection or disclosure, handled in accordance with legal/ethical requirements. | Data classification, anonymisation, GDPR‑style policies.

2. Threat landscape (exam focus)

Threat                                              | Typical effect                                                | Key counter‑measure(s)
----------------------------------------------------|---------------------------------------------------------------|------------------------------------------------------
Malware (viruses, ransomware, spyware)              | Unauthorised modification, loss or encryption of data.        | Anti‑virus/anti‑malware software, regular patching.
Phishing & social engineering                       | Credentials or personal data are disclosed to attackers.      | User education, email filtering, 2FA.
Man‑in‑the‑Middle (MitM)                            | Data intercepted or altered in transit.                       | TLS/SSL, SSH, VPNs, certificate validation.
Denial‑of‑Service (DoS/DDoS)                        | Legitimate users cannot access a service.                     | Firewalls, rate‑limiting, redundant servers.
Insider threat                                      | Authorised users misuse their access.                         | Least privilege, role‑based access control, audit logs.
Unauthorised access (hacking, password cracking)    | Attacker gains illegal entry to a system.                     | Strong passwords, account lock‑out, IDS/IPS.
School‑specific example                             | Phishing email to teachers requesting login details.          | Awareness training, 2FA for staff accounts.

3. Security measures for stand‑alone PCs

3.1 Passwords & authentication

  • Password policy (exam‑type example)
    • Minimum 12 characters
    • At least one upper‑case, one lower‑case, one digit, one special character
    • Change every 90 days; cannot reuse the last 5 passwords
  • Two‑factor authentication (2FA) – something you know (password) + something you have (OTP token or mobile app).
  • Simple password‑hashing illustration (pseudocode)
    salt  = generateRandomBytes(16)
    hash  = SHA-256(salt || password)   // "||" = concatenation
    store = salt || hash                // both saved for later verification
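The pseudocode above, carried through to a working store/verify pair. This is an added example, not part of the note: the single‑SHA‑256 form is the syllabus illustration, and the PBKDF2 variant shows the caveat a practitioner would raise, namely that real systems use a deliberately slow key‑derivation function so that guessing many candidate passwords is expensive. The iteration count and the sample passwords are constructed values.

```python
import hashlib
import hmac
import os

# Constructed iteration count for the slow (production-style) variant.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16


def hash_password_simple(password: str, salt: bytes) -> bytes:
    """Syllabus illustration: one SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def hash_password_slow(password: str, salt: bytes) -> bytes:
    """Production-style variant: PBKDF2-HMAC-SHA256, intentionally slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def store_password(password: str, slow: bool = True) -> bytes:
    """Return the record to persist: salt || hash, with a fresh 16-byte salt."""
    salt = os.urandom(SALT_LEN)
    digest = (hash_password_slow if slow else hash_password_simple)(password, salt)
    return salt + digest


def verify_password(stored: bytes, attempt: str, slow: bool = True) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.
    compare_digest avoids leaking how many leading bytes matched via timing."""
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    actual = (hash_password_slow if slow else hash_password_simple)(attempt, salt)
    return hmac.compare_digest(actual, expected)


def salts_differ(password: str) -> bool:
    """Two users with the same password get different records because of the salt,
    so an attacker cannot tell from the stored records that they share a password."""
    return store_password(password, slow=False) != store_password(password, slow=False)
```

Only the salt and the hash are stored; the password itself never is, so verification always means recomputing the hash from the user's attempt.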
            

3.2 Anti‑virus & firewalls (primary PC safeguards)

  • Anti‑virus/anti‑malware – real‑time scanning, regular definition updates.
  • Host‑based firewall – permits only required inbound/outbound ports (e.g., allow HTTP/HTTPS, block unknown services).

3.3 Encryption (confidentiality)

  • Symmetric encryption – one secret key (AES‑256 is the recommended algorithm). Used for file‑level or whole‑disk encryption.
  • Asymmetric encryption (public‑key) – pair of keys (RSA ≥ 2048 bits or ECC). Used for secure key exchange and digital signatures.
  • Both methods support confidentiality; when combined with a MAC (Message Authentication Code) they also provide integrity.

3.4 Back‑up & recovery (availability)

  • Daily incremental + weekly full backups.
  • Off‑site or cloud storage; encrypt backups to preserve confidentiality.
  • Periodic restoration test to verify data integrity and availability.

4. Data integrity techniques (required for the syllabus)

4.1 Validation checks

  • Range check – value must lie between a minimum and maximum (e.g., age ≥ 0 and ≤ 120).
  • Format check – data must match a pattern (e.g., email must contain “@”).
  • Consistency check – related fields must agree (e.g., start‑date ≤ end‑date).
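The three validation checks above as a small record validator. This is an added example, not part of the note; the field names, the sample records and the error strings are constructed. It goes slightly beyond the note's "must contain @" wording by also requiring text on both sides of a single "@", which is still a format check, not a proof that the address exists.

```python
from datetime import date

MIN_AGE, MAX_AGE = 0, 120   # range-check bounds taken from the note


def range_check(value: int, lo: int, hi: int) -> bool:
    """Range check: value must lie within [lo, hi], both ends inclusive."""
    return lo <= value <= hi


def format_check_email(value: str) -> bool:
    """Format check: exactly one '@' with non-empty text on each side."""
    local, sep, domain = value.partition("@")
    return sep == "@" and bool(local) and bool(domain) and "@" not in domain


def consistency_check(start: date, end: date) -> bool:
    """Consistency check: related fields must agree (start_date <= end_date)."""
    return start <= end


def validate_record(record: dict) -> list:
    """Run all three checks over one record and return the failures found.
    An empty list means the record passed validation."""
    errors = []
    age = record.get("age")
    if not isinstance(age, int) or not range_check(age, MIN_AGE, MAX_AGE):
        errors.append("age out of range")
    if not format_check_email(str(record.get("email", ""))):
        errors.append("email has wrong format")
    try:
        if not consistency_check(record["start_date"], record["end_date"]):
            errors.append("start_date after end_date")
    except KeyError:
        errors.append("missing date field")
    return errors


# Constructed sample records: one valid, one that fails every check.
GOOD = {"age": 17, "email": "student@school.example",
        "start_date": date(2024, 9, 1), "end_date": date(2025, 7, 18)}
BAD = {"age": 130, "email": "student.school.example",
       "start_date": date(2025, 7, 18), "end_date": date(2024, 9, 1)}
```

Validation rejects data that cannot be correct; it does not prove that accepted data is true, which is why it sits alongside checksums and hashes rather than replacing them.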

4.2 Checksums & parity

  • Checksum – simple additive total of bytes; used for quick error detection.
  • Parity bit – even or odd count of ‘1’s in a byte; detects single‑bit errors.
  • Cryptographic hash (e.g., SHA‑256) – produces a fixed‑length digest; used for robust integrity verification and digital signatures.
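The three integrity techniques side by side, run over a constructed record with three kinds of corruption, so the reader can see which errors each one catches. This is an added example, not part of the note; the sample data and corruption patterns are constructed.

```python
import hashlib


def additive_checksum(data: bytes) -> int:
    """Simple checksum: sum of all byte values, kept to one byte (mod 256)."""
    return sum(data) % 256


def parity_bit(byte: int, even: bool = True) -> int:
    """Parity bit for one byte. With even parity the bit is chosen so that the
    total number of 1s (data bits plus parity bit) is even."""
    ones = bin(byte & 0xFF).count("1")
    return ones % 2 if even else 1 - (ones % 2)


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: fixed-length digest of the whole record."""
    return hashlib.sha256(data).hexdigest()


def flip_bits(data: bytes, positions) -> bytes:
    """Copy of data with the given (byte_index, bit_index) bits inverted."""
    out = bytearray(data)
    for byte_index, bit_index in positions:
        out[byte_index] ^= 1 << bit_index
    return bytes(out)


def detects_corruption(original: bytes, corrupted: bytes) -> dict:
    """Report which check notices that `corrupted` differs from `original`."""
    return {
        "checksum": additive_checksum(original) != additive_checksum(corrupted),
        # Parity is computed per byte, so compare the parity bit of each byte.
        "parity": any(parity_bit(a) != parity_bit(b)
                      for a, b in zip(original, corrupted)),
        "sha256": sha256_hex(original) != sha256_hex(corrupted),
    }


# Constructed sample record and three corruptions of it.
ORIGINAL = b"GRADE=A;ID=1024"
SINGLE_BIT = flip_bits(ORIGINAL, [(6, 0)])          # 'A' (0x41) -> '@' (0x40)
DOUBLE_BIT = flip_bits(ORIGINAL, [(6, 0), (6, 1)])  # 'A' (0x41) -> 'B' (0x42), same parity
# Two bytes swapped: same byte total, and '2' and '4' have the same parity.
SWAPPED = ORIGINAL[:13] + ORIGINAL[14:15] + ORIGINAL[13:14]
```

A parity bit misses any even number of bit errors in a byte, an additive checksum misses anything that preserves the total (such as two bytes swapped), and only the cryptographic hash changes for every alteration, which is why it is the tool used for signatures.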

5. Access‑control mechanisms (network & system level)

  • Discretionary Access Control (DAC) – owners set permissions (e.g., file read/write rights).
  • Mandatory Access Control (MAC) – central authority enforces policies based on security labels (Top Secret, Confidential, etc.).
  • Role‑Based Access Control (RBAC) – permissions assigned to roles (Administrator, Teacher, Student); users inherit rights via role membership.

6. Network‑level security (exam‑relevant basics)

  • Firewalls – packet‑filtering or stateful inspection; block unauthorised ports.
  • Intrusion Detection/Prevention Systems (IDS/IPS) – monitor traffic for known attack signatures; IPS can automatically block.
  • Virtual Private Network (VPN) – creates an encrypted tunnel (IPSec or SSL/TLS) for secure remote access.
  • Secure transport protocols – TLS/SSL for web, SSH for remote command line, SFTP for file transfer.
  • Network segmentation – separate critical services (e.g., finance) from general‑purpose devices using VLANs or sub‑nets.

7. Physical and organisational controls

  • Physical security – locked server rooms, CCTV, biometric entry, fire suppression, temperature control.
  • Security policies (Cambridge wording)
    1. Acceptable‑Use Policy – defines permissible activities on school devices.
    2. Password Management – complexity, expiry, storage rules.
    3. Incident‑Response Plan – steps to follow after a suspected breach.
    4. Data Classification & Handling – label data (Public, Internal, Confidential, Sensitive) and apply appropriate controls.
    5. Audit & Compliance – regular logging, review of access rights.
  • Backup & recovery (reiterated) – see section 3.4.

8. Mapping measures to the CIA‑triad

Measure                          | Confidentiality | Integrity                  | Availability
---------------------------------|-----------------|----------------------------|----------------------------------
Strong passwords & 2FA           | ✓               |                            |
Anti‑virus & host firewall       |                 | ✓ (prevents tampering)     | ✓ (keeps system running)
Symmetric encryption (AES)       | ✓               | ✓ (when used with a MAC)   |
Asymmetric encryption (RSA/ECC)  | ✓               | ✓ (digital signatures)     |
Hash functions / checksums       |                 | ✓                          |
Back‑ups (encrypted)             | ✓               |                            | ✓
RBAC / DAC / MAC                 | ✓               |                            | ✓ (prevents accidental lock‑out)

9. Suggested summary diagram (text description)

Illustrate the life‑cycle of a secure message:

  1. Plaintext data → hash (SHA‑256).
  2. Hash encrypted with sender’s private key → digital signature.
  3. Plaintext + signature encrypted with receiver’s public key (or a symmetric session key protected by RSA).
  4. Transmission over TLS/SSL.
  5. Receiver decrypts with private key, verifies signature with sender’s public key, then recomputes the hash to confirm integrity.

This flow shows how confidentiality, integrity, authentication and (via the signature) non‑repudiation are achieved.
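The five‑step life‑cycle above, carried through in code so that each step can be seen to depend on the previous one. This is an added example, not part of the note. It uses textbook RSA with 512‑bit keys generated at run time and a SHA‑256‑based XOR keystream as the symmetric session cipher; both are teaching stand‑ins for real RSA padding schemes and AES, and the deterministic seed, the key size and the message are constructed values. The tamper option flips one ciphertext bit "in transit" to show the signature check failing.

```python
import hashlib
import random

# Constructed: seeded RNG so the run is reproducible; real systems use the OS RNG.
RNG = random.Random(2024)
KEY_BITS = 512            # toy size chosen for speed; far too small for real use
E = 65537


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit, make odd
        if is_probable_prime(cand):
            return cand


def generate_keypair():
    """Textbook RSA: returns ((n, e), (n, d)) as (public, private)."""
    while True:
        p, q = random_prime(KEY_BITS // 2), random_prime(KEY_BITS // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:          # E is prime, so gcd(E, phi) == 1
            return (p * q, E), (p * q, pow(E, -1, phi))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy session cipher: XOR data with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def send(plaintext: bytes, sender_priv, receiver_pub) -> tuple:
    """Steps 1-3: hash, sign with the sender's private key, then encrypt
    signature + plaintext under a session key that RSA protects for the receiver."""
    n_s, d_s = sender_priv
    digest = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")   # step 1
    signature = pow(digest, d_s, n_s).to_bytes(KEY_BITS // 8, "big")    # step 2
    session_key = RNG.getrandbits(256).to_bytes(32, "big")
    n_r, e_r = receiver_pub
    wrapped_key = pow(int.from_bytes(session_key, "big"), e_r, n_r)      # step 3 (key)
    ciphertext = keystream_xor(session_key, signature + plaintext)       # step 3 (data)
    return wrapped_key, ciphertext


def receive(message: tuple, receiver_priv, sender_pub) -> tuple:
    """Step 5: unwrap the session key, decrypt, recompute the hash and check it
    against the signature. Returns (plaintext, signature_valid)."""
    wrapped_key, ciphertext = message
    n_r, d_r = receiver_priv
    session_key = pow(wrapped_key, d_r, n_r).to_bytes(32, "big")
    payload = keystream_xor(session_key, ciphertext)
    signature, plaintext = payload[:KEY_BITS // 8], payload[KEY_BITS // 8:]
    n_s, e_s = sender_pub
    recovered = pow(int.from_bytes(signature, "big"), e_s, n_s)
    expected = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    return plaintext, recovered == expected


def demo(tamper: bool = False) -> bool:
    """Round-trip a constructed message; with tamper=True one ciphertext bit is
    flipped in transit (step 4). Returns whether the receiver accepted the signature."""
    sender_pub, sender_priv = generate_keypair()
    receiver_pub, receiver_priv = generate_keypair()
    wrapped_key, ciphertext = send(b"Exam results: grade A", sender_priv, receiver_pub)
    if tamper:
        altered = bytearray(ciphertext)
        altered[-1] ^= 0x01
        ciphertext = bytes(altered)
    _, ok = receive((wrapped_key, ciphertext), receiver_priv, sender_pub)
    return ok
```

The receiver can only recover the session key with its own private key (confidentiality), the signature only verifies under the sender's public key (authentication and non‑repudiation), and any change to the plaintext changes the recomputed hash so the signature no longer matches (integrity).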
