Show appreciation of the need for both the security of data and the security of the computer system

6.1 Data Security – Understanding the Need for Both Data and System Security

Objective

Explain why protecting the data itself and the computer system that stores, processes and transmits that data are equally essential. Link the ideas to the Cambridge IGCSE/A‑Level Computer Science syllabus (AO1‑AO3) and to later topics such as data integrity, encryption, digital signatures, PKI, and ethical/legal issues.

1. Why Security Matters

  • Interdependence: data cannot be trusted if the system that holds it is compromised, and a hardened system is worthless if the data it handles can still be read, altered or destroyed.
  • Security goals (CIA triad):
    • Confidentiality – preventing unauthorised disclosure.
    • Integrity – ensuring data is accurate and unaltered.
    • Availability – guaranteeing timely access for authorised users.
  • Privacy (syllabus requirement):
    • Personal data = any information that can identify a living individual (e.g., name, address, health record).
    • Legal/ethical drivers – GDPR, Data Protection Act, consent, right to be forgotten.
    • Privacy is a specific aspect of confidentiality that focuses on the rights of the data subject.
  • Real‑world impact: breaches can cause financial loss, legal penalties, reputational damage, and even threats to personal safety.

2. Key Threats to Data

Threat | Typical Example | Potential Impact
Unauthorised access | Hacking, insider copying files | Loss of confidentiality
Accidental loss or deletion | Human error, faulty scripts | Loss of availability & integrity
Malware (ransomware, spyware) | Encrypting files for ransom | Loss of availability & confidentiality
Interception during transmission | Man‑in‑the‑middle on Wi‑Fi | Confidentiality breach
Physical theft of storage media | Stolen USB drive | Immediate confidentiality loss

3. Key Threats to the Computer System

Threat | Typical Example | Potential Impact
Unauthorised physical access | Open server room | Hardware tampering, data theft
Software vulnerabilities | Unpatched OS, vulnerable web app | Remote code execution, privilege escalation
Denial‑of‑service (DoS) attacks | Flooding a web server | Loss of availability
Rootkits / backdoors | Hidden admin account | Full system control by attacker
Inadequate patch management | Delaying security updates | Extended exposure to known exploits

4. Relationship Between Data and System Security

  • A compromised system (e.g., a vulnerable OS) often gives attackers direct access to the data.
  • Weak data protection (e.g., unencrypted backups) can expose sensitive information even when the system is well‑hardened.
  • Effective security therefore requires a layered (defence‑in‑depth) approach that addresses both sides simultaneously.
Key Take‑away: Data security and system security are two sides of the same coin; neglecting either side creates a vulnerable “hole” that attackers can exploit.

5. Security Measures for Data

  1. Encryption
    • Symmetric encryption – same key for encryption/decryption (e.g., AES‑256). Fast, suitable for large files.
    • Asymmetric encryption – public/private key pair (e.g., RSA‑2048, ECC). Used for key exchange and digital signatures.
    • Example: AES‑256 with a 256‑bit key gives 2²⁵⁶ possible keys, so brute‑forcing the key is infeasible with current technology; real attacks therefore target key management (weak, reused or stolen keys) or flawed implementations rather than the cipher itself.
  2. Hashing
    • Produces a fixed‑length digest; changing even one bit of the input gives a completely different digest (avalanche effect), and the input cannot be recovered from the digest.
    • Secure algorithms: SHA‑256, SHA‑3 (avoid MD5, SHA‑1 for security‑critical uses).
    • Use case: storing passwords. Store a salted hash rather than the password, with a unique random salt per user, and use a deliberately slow password‑hashing function (PBKDF2, bcrypt, scrypt or Argon2) rather than a single fast SHA‑256, so that offline guessing of a leaked database is expensive.
  3. Digital Signatures & Certificates (syllabus requirement)
    • Hash the data, then encrypt the hash with the sender’s private key (the syllabus description; in practice signing is a distinct operation from encryption, but the effect is the same: only the private‑key holder can produce the signature).
    • The receiver decrypts the signature with the sender’s public key and compares the result with a hash it computes itself over the received data; a match proves both integrity and origin.
    • Certificates issued by a trusted Certificate Authority (CA) bind a public key to an identity.
    • Typical applications: code signing, S/MIME email, HTTPS authentication.
  4. Access Control
    • Authentication – verifying identity (passwords, biometrics, smart cards, OTP).
    • Authorisation – granting permissions (role‑based access control, least‑privilege principle).
    • Multi‑factor authentication (MFA) dramatically reduces the chance of unauthorised login.
  5. Backup & Recovery
    • Regular, automated backups (daily incremental, weekly full).
    • Store at least one copy off‑site or in the cloud; test restores quarterly.
    • Encrypt backup media to protect data at rest.
  6. Secure Transmission
    • Use TLS 1.2 or TLS 1.3 (SSL is deprecated) for web traffic, email (STARTTLS), and file transfer (SFTP, FTPS).
    • Virtual Private Networks (VPNs) create encrypted tunnels over public networks.
    • Implement certificate pinning where feasible to prevent rogue certificates.
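Worked example (added here; it is not part of the original note or the syllabus): salted, deliberately slow password hashing and verification using only Python's standard library, plus a small check of the avalanche effect of SHA‑256. The parameters are assumptions (PBKDF2‑HMAC‑SHA256, 600,000 iterations, a 16‑byte salt); the note itself only requires a unique salt per password.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (the note does not fix them): PBKDF2-HMAC-SHA256 with
# 600,000 iterations and a 16-byte random salt. Argon2id, scrypt or bcrypt
# would serve the same purpose; the point is a slow, salted function.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count, then compare."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported password hash record")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def differing_bits(a: bytes, b: bytes) -> int:
    """Count how many of the 256 output bits differ between SHA-256(a) and SHA-256(b)."""
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("correct password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("correct horse battery stable", record))
    # Two users with the same password get different records because the salts differ.
    print("same password, different record:", record != hash_password("correct horse battery staple"))
    # Avalanche effect: one changed character flips roughly half of the 256 bits.
    print("bits differing for 'hello' vs 'hellp':", differing_bits(b"hello", b"hellp"))
```

The salt and iteration count are stored alongside the hash so that the cost can be raised later (re‑hash on next successful login) without breaking existing records.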

6. Security Measures for the Computer System

  1. Firewalls – packet‑filtering (stateless or stateful) or application‑level firewalls enforce inbound/outbound rules.
  2. Patch Management – automated update tools (e.g., WSUS, apt‑daily) plus a documented schedule for third‑party software.
  3. Intrusion Detection/Prevention Systems (IDS/IPS) – signature‑based (Snort) and anomaly‑based monitoring; can block malicious traffic in real time.
  4. Physical Security – locked server rooms, CCTV, biometric entry, cable locks for laptops, and secure disposal of media (shredding, degaussing).
  5. System Hardening
    • Disable unnecessary services and ports.
    • Apply the principle of least privilege to user accounts.
    • Use security‑enhanced OS configurations (e.g., SELinux, AppArmor).

7. Data Integrity (Syllabus Section 6.2)

Integrity ensures that data has not been altered unintentionally or maliciously.

  • Checksums & CRCs – simple error‑detecting codes used for file transfers; they catch accidental corruption but not deliberate tampering, because an attacker who alters the data can simply recompute the checksum (a keyed MAC or a digital signature is needed for that).
  • Parity bits & ECC memory – a parity bit detects a single‑bit error in a word; ECC memory can correct a single‑bit error and detect a two‑bit error.
  • Digital signatures – hash the data, encrypt the hash with the sender’s private key; verification uses the sender’s public key.
  • Database constraints – primary keys, foreign keys, and triggers enforce logical consistency.
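Worked example (added here; not from the original note): the difference between an unkeyed checksum and a keyed MAC. A CRC‑32 catches a flipped bit in transit, but an attacker who rewrites the record can recompute it; an HMAC over the same record cannot be recomputed without the key, so the tampering is detected. A digital signature gives the same guarantee without a shared secret. The record, the tampered copy and the key are constructed test data.

```python
import hashlib
import hmac
import secrets
import zlib
from typing import Dict, Optional

# Constructed sample record and a tampered copy (test data, not from the note).
RECORD = b"account=1234;amount=100.00;payee=ACME"
TAMPERED = b"account=1234;amount=900.00;payee=ACME"


def crc32_tag(data: bytes) -> int:
    """Unkeyed error-detecting code: anyone, including an attacker, can compute it."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed MAC (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


def crc32_verify(data: bytes, tag: int) -> bool:
    return crc32_tag(data) == tag


def hmac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time so timing does not leak the tag.
    return hmac.compare_digest(hmac_tag(key, data), tag)


def flip_one_bit(data: bytes, bit_index: int = 5) -> bytes:
    """Simulate accidental corruption: a single bit flipped in transit."""
    corrupted = bytearray(data)
    corrupted[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(corrupted)


def integrity_demo(key: Optional[bytes] = None) -> Dict[str, bool]:
    """Return, for each scenario, whether the integrity check flags the change."""
    key = secrets.token_bytes(32) if key is None else key
    crc_original = crc32_tag(RECORD)
    mac_original = hmac_tag(key, RECORD)

    # Scenario 1: accidental single-bit error. Both mechanisms catch it.
    corrupted = flip_one_bit(RECORD)

    # Scenario 2: deliberate tampering. The attacker rewrites the amount and, for the
    # CRC, simply recomputes the checksum (no secret needed). For the HMAC the best they
    # can do without the key is to reuse the tag from the genuine record.
    forged_crc = crc32_tag(TAMPERED)
    return {
        "crc_detects_bit_flip": not crc32_verify(corrupted, crc_original),
        "hmac_detects_bit_flip": not hmac_verify(key, corrupted, mac_original),
        "crc_detects_tampering": not crc32_verify(TAMPERED, forged_crc),
        "hmac_detects_tampering": not hmac_verify(key, TAMPERED, mac_original),
    }


if __name__ == "__main__":
    for scenario, detected in integrity_demo().items():
        print(f"{scenario}: {detected}")
```

Running it shows that only `crc_detects_tampering` is False: the checksum "verifies" the forged record because the attacker supplied a matching checksum along with it.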

8. Public‑Key Infrastructure (PKI) – Connecting Encryption & Certificates

  1. Certificate Authority (CA) – trusted third party that signs digital certificates.
  2. Certificate contents – subject name, public key, validity period, CA signature.
  3. Revocation – CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) to invalidate compromised certificates.
  4. Use cases – HTTPS websites, code signing, email signing (S/MIME), VPN client authentication.

9. Quantifying Password Strength – Example

Entropy formula (valid only when each character is chosen uniformly at random from the set): H = L × log₂(N)

  • L = length of the password.
  • N = size of the character set (e.g., 26 lower‑case + 26 upper‑case + 10 digits + 32 symbols = 94).

Example: a 12‑character password using the full 94‑character set:

H = 12 × log₂(94) ≈ 12 × 6.55 ≈ 78.7 bits

Probability of guessing it in a single try: P = 1 / 2ᴴ = 1 / 94¹² ≈ 2.1 × 10⁻²⁴. Even at 10¹⁰ guesses per second an exhaustive search would take on the order of 10⁶ years, so the key space is infeasible to brute‑force. The formula is an upper bound, however: a human‑chosen password that appears in a cracking wordlist falls within the first few million guesses whatever its length.

Guideline for the syllabus: aim for ≥ 60 bits of entropy (≈ 10 characters drawn from the full 94‑symbol set, or 11 from mixed‑case letters and digits) and always combine with MFA.
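Worked example (added here; not from the original note): the entropy formula above as code, with the single‑guess probability and an average brute‑force time, plus the caveat that the formula only applies to randomly chosen passwords. The five‑entry wordlist is a constructed stand‑in for a real cracking dictionary, and the guess rate of 10¹⁰ per second is an assumed figure.

```python
import math
import string

# Character classes and the set sizes the note uses (26 + 26 + 10 + 32 = 94).
# string.punctuation is exactly the 32 printable ASCII symbols.
CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)

# Constructed stand-in for a real cracking wordlist (ordered most common first).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Password1"]


def charset_size(password: str) -> int:
    """N: total size of every character class that appears in the password."""
    return sum(size for chars, size in CHARACTER_CLASSES if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """H = L x log2(N), assuming each character was picked uniformly at random."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def single_guess_probability(bits: float) -> float:
    """P = 1 / 2^H."""
    return 2.0 ** -bits


def average_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password: half the key space at an assumed guess rate."""
    return (2.0 ** bits / 2.0) / guesses_per_second


def effective_bits(password: str, wordlist=COMMON_PASSWORDS) -> float:
    """The formula is an upper bound. A password at position r in the attacker's
    wordlist costs at most r guesses, i.e. log2(r) bits, whatever its length."""
    if password in wordlist:
        return math.log2(wordlist.index(password) + 1)
    return entropy_bits(password)


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "Ab1!Ab1!Ab1!"]:
        h = entropy_bits(pw)
        print(f"{pw!r}: N={charset_size(pw)}, H={h:.1f} bits, "
              f"P={single_guess_probability(h):.1e}, "
              f"avg crack={average_crack_seconds(h) / 3.15e7:.1e} years, "
              f"effective={effective_bits(pw):.1f} bits")
```

`"password"` scores 37.6 bits by the formula but 1 bit against the wordlist, which is why NIST SP 800‑63B favours length and blocklists of known‑compromised passwords over composition rules.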

10. Trade‑offs: Security vs. Usability & Performance

  • Strong encryption → higher CPU usage; may affect real‑time applications.
  • Forced periodic password changes → intended to limit the exposure of a leaked password, but in practice push users towards weak, predictable variations; NIST SP 800‑63B recommends changing a password only when there is evidence of compromise.
  • Multi‑factor authentication → excellent security, but can increase login time and require additional hardware.
  • Teaching tip: ask students to evaluate a scenario (e.g., a hospital) and justify a balanced security policy.

11. Summary Checklist (AO1‑AO3 Alignment)

Learning Goal | AO1 (Knowledge) | AO2 (Analysis) | AO3 (Design/Implementation)
Identify threats to data and systems | List and define key threats (CIA + privacy) | Classify threats by impact on confidentiality, integrity, availability | Choose appropriate controls for a given scenario
Explain cryptographic techniques | Define symmetric, asymmetric, hashing, digital signatures, PKI | Compare AES vs RSA for confidentiality vs integrity | Implement a simple encryption routine (e.g., Java Cipher) and a digital‑signature demo
Apply layered security | Describe firewalls, IDS/IPS, physical safeguards, backup, encryption | Analyse how a breach in one layer propagates to others | Design a security policy document covering data & system controls, including privacy considerations

12. Suggested Diagram (for classroom presentation)

Concentric‑layer model – draw three rings:

  • Centre: Data – encrypted storage, hashed passwords, signed files, backups.
  • Middle ring: System Controls – OS hardening, firewalls, IDS/IPS, patch management.
  • Outer ring: Physical & Environmental Security – locked rooms, CCTV, power protection, secure disposal.
  • Arrows from each outer layer toward the centre illustrate that a breach anywhere can reach the data, reinforcing defence‑in‑depth.

13. Further Reading & Practice

  • Cambridge International AS & A Level Computer Science (9618) – Sections 6.1 & 6.2.
  • NIST – Digital Identity Guidelines (SP 800‑63).
  • OWASP Top Ten – practical examples of web‑application vulnerabilities.
  • Lab exercise: configure TLS 1.3 on a local Apache server, generate a self‑signed certificate, and test with openssl s_client.
  • GDPR summary (European Union) – rights of data subjects, lawful bases for processing, penalties for non‑compliance.
