Know and understand hacking including the measures that must be taken in order to protect data

Safety and Security – Topic 8

Objective

Know and understand hacking, the threats to data, and the measures (technical and organisational) that must be taken to protect data and ensure safety.

1. Physical Safety (Syllabus 8.1)

  • Electrical hazards – risk of electric shock from faulty cords, exposed wiring, or un‑grounded equipment.

    • Prevention: use mains‑rated surge protectors, inspect cables regularly, never touch live parts.

  • Fire safety – overheating computers, blocked ventilation, or power‑supply failures can cause fire.

    • Prevention: keep workspaces tidy, maintain adequate ventilation, install smoke detectors and fire‑extinguishers.

  • Mechanical hazards – tripping over cables, lifting heavy hardware, or moving server racks.

    • Prevention: cable‑manage, use trolleys or lifting aids, keep walkways clear.

  • Backup power – loss of power can corrupt data or damage hardware.

    • Solution: use an Uninterruptible Power Supply (UPS) and regularly test it.

2. eSafety – Safe Internet Use & Data Protection (Syllabus 8.2)

2.1 Personal vs. Sensitive Data

  • Personal data – any information that can identify a living individual (e.g., name, email address, ID number, location).
  • Sensitive data – a special category of personal data that includes racial or ethnic origin, political opinions, religious beliefs, health information, biometric data, sexual orientation, etc. It requires a higher level of protection.

2.2 Data‑Protection Principles (GDPR / UK DPA 2018)

  1. Lawful & fair processing – data must be collected for a legitimate purpose and not be deceptive.
  2. Purpose limitation – data may only be used for the specific purpose for which it was obtained.
  3. Data minimisation – only the data necessary for the purpose should be collected.
  4. Accuracy – data must be kept up‑to‑date and corrected when inaccurate.
  5. Security – appropriate technical and organisational measures must protect data against unauthorised access, loss or damage.
  6. Retention – data must not be kept longer than required.

2.3 Safe Internet Behaviours (e‑Safety Checklist)

  • Use strong, unique user‑ID/password combinations; change passwords regularly.
  • Enable two‑factor authentication (2FA) / multi‑factor authentication (MFA) wherever possible.
  • Verify URLs before clicking; look for “https://” and a padlock (SSL/TLS).
  • Do not share personal or sensitive information on public forums or social‑media platforms.
  • Be sceptical of unsolicited emails, messages, or phone calls – report suspected phishing, vishing, smishing, or pharming.
  • Keep software, browsers and plugins up to date.
  • Use reputable antivirus/anti‑malware tools and run regular scans.
  • Back up important files regularly and store at least one copy offline.
  • Report cyber‑bullying, harassment or any suspicious online activity to a trusted adult or authority.
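The checklist above asks for strong, unique passwords that are changed regularly, and section 6.1 describes the matching organisational policy (minimum length, mixed character classes). The following Python function is an added example, not part of these notes: it applies such a policy to a candidate password and reports every rule it breaks. The minimum length, maximum age and the small blocklist are assumed values chosen for illustration.

```python
"""Password-policy checker (added example; policy values are assumed).

Applies the rules the e-safety checklist describes: minimum length, mixed
character classes, no common/dictionary passwords, no user ID inside the
password, and a maximum age before the password must be changed.
"""
import string
from typing import List

MIN_LENGTH = 12        # assumed policy value
MAX_AGE_DAYS = 90      # assumed policy value: force a change after this many days
# Tiny constructed blocklist standing in for a real dictionary/breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_password(password: str, user_id: str, days_since_change: int = 0) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Require at least three of the four character classes.
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:
        problems.append("missing character classes: " + ", ".join(missing))

    # Dictionary/common-password check defeats the cheapest cracking attacks.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")

    # A password containing the user ID is trivially guessable from the login form.
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")

    if days_since_change > MAX_AGE_DAYS:
        problems.append(f"older than {MAX_AGE_DAYS} days; must be changed")

    return problems


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3x!Q", "Alice-2024-Secret"]:
        print(candidate, "->", check_password(candidate, "alice") or "OK")
```

The function returns every violation rather than stopping at the first, which is what a registration form needs in order to tell the user exactly what to fix.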

3. Definition of Hacking (AO 1)

Hacking is the unauthorised use, manipulation, or disruption of computer systems, networks, or data. Motives can include curiosity, financial gain, political protest, or the desire to demonstrate technical skill.

3.1 Types of Hackers

  • White‑hat (ethical) hacker – works with permission to discover and report vulnerabilities.
  • Black‑hat hacker – exploits weaknesses for personal gain, damage or disruption.
  • Grey‑hat hacker – breaches systems without permission but usually reports findings later.
  • Hacktivist – uses hacking to promote a political, social or ideological cause.
  • Script kiddie – uses pre‑written tools without deep understanding of the underlying techniques.

4. Common Hacking Techniques & Threats (Syllabus 8.3)

  1. Phishing, vishing, smishing, pharming – deceptive communications that trick users into revealing credentials or installing malware.
  2. Malware – viruses, worms, Trojans, ransomware, spyware, and ad‑ware that corrupt, steal or encrypt data.
  3. Password cracking – brute‑force, dictionary, or rainbow‑table attacks to recover passwords.
  4. Social engineering – manipulation of people (in‑person, phone, online) to obtain confidential information.
  5. Denial‑of‑Service (DoS) / Distributed DoS (DDoS) – flooding a server or network with traffic to render services unavailable.
  6. Man‑in‑the‑Middle (MitM) – intercepting and possibly altering communications between two parties.
  7. SQL injection – inserting malicious SQL code into an input field, causing the database to execute unintended commands.
  8. Cross‑site scripting (XSS) – injecting malicious scripts into web pages; the script runs in other users’ browsers and can steal cookies or session data.
  9. Insecure SSL/TLS or missing digital certificates – weak or outdated encryption, or services that present no valid certificate, allow attackers to eavesdrop on communications or impersonate the service.
  10. Biometric spoofing – forging fingerprint, facial or iris data to bypass biometric authentication.
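Items 7 and 8 above (SQL injection and XSS) share one root cause: untrusted input is mixed into code (an SQL statement or an HTML page) so that it can change the code's meaning. The Python example below is added here and is not part of these notes; it shows each vulnerable form next to its fixed form, using an in-memory SQLite database with constructed user records (the table, usernames and passwords are all made up; the passwords are stored in plain text only to keep the example short).

```python
"""SQL injection and XSS: vulnerable code beside the fix (added example).

Uses an in-memory SQLite database with constructed data. Real systems store
salted password hashes, not plain text; that is omitted here for brevity.
"""
import html
import sqlite3

# Constructed input that closes the string literal and appends a tautology.
INJECTION_INPUT = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # The input is pasted straight into the SQL text, so a quote character in
    # the input changes the structure of the query instead of being compared.
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn, username: str, password: str) -> bool:
    # Parameterised query: values travel separately from the SQL, so the
    # database only ever treats them as data to compare against.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def render_comment_vulnerable(text: str) -> str:
    # User text is written into the page unchanged, so tags in it become
    # markup that runs in every other visitor's browser.
    return f"<p>{text}</p>"


def render_comment_fixed(text: str) -> str:
    # Output encoding: <, >, &, quotes become entities, so the text is
    # displayed literally and cannot be interpreted as HTML or script.
    return f"<p>{html.escape(text)}</p>"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable login with injected password:",
          login_vulnerable(conn, "alice", INJECTION_INPUT))   # True: bypassed
    print("fixed login with injected password:",
          login_fixed(conn, "alice", INJECTION_INPUT))        # False: rejected
    print(render_comment_fixed("<b>hello</b>"))
```

The defence in both cases is the same principle: keep data and code separate. Input validation helps, but the parameterised query and the output encoding are what remove the vulnerability even when validation is incomplete.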

5. Impacts of Hacking

  • Loss or theft of confidential/personal data.
  • Financial loss – fraud, ransomware payments, remediation costs.
  • Damage to reputation and loss of customer trust.
  • Legal consequences for breaching data‑protection legislation.
  • Operational disruption and downtime.

6. Measures to Protect Data

6.1 Technical Controls (with evaluation – AO 3)

Each control is evaluated under four headings: Purpose / Typical Use; How it Counters Threats; Advantages; Disadvantages / Limitations.

  • Firewall (network‑level)

    • Purpose / typical use: filters inbound and outbound traffic based on rule‑sets.
    • Counters threats: blocks unauthorised access, many DoS attempts, and inbound malware.
    • Advantages: low‑cost, easy to configure, provides a clear perimeter.
    • Disadvantages / limitations: can be bypassed with encrypted traffic or insider attacks; requires regular rule updates.

  • Intrusion Detection/Prevention System (IDS/IPS)

    • Purpose / typical use: monitors traffic for suspicious patterns; can alert (IDS) or block (IPS).
    • Counters threats: detects malware, MitM attempts, port scans, and known exploit signatures.
    • Advantages: real‑time detection; can automatically block attacks.
    • Disadvantages / limitations: false positives may disrupt legitimate traffic; needs signature updates.

  • Antivirus / Antimalware

    • Purpose / typical use: scans files and processes for known malicious code.
    • Counters threats: stops viruses, worms, Trojans, ransomware before execution.
    • Advantages: widely available, integrates with OS, provides regular updates.
    • Disadvantages / limitations: may miss zero‑day threats; performance impact on older hardware.

  • Encryption (AES, RSA, SSL/TLS)

    • Purpose / typical use:
      • AES – symmetric encryption for data at rest (e.g., files, databases).
      • RSA – asymmetric encryption for key exchange and digital signatures.
      • SSL/TLS – encrypts data in transit, authenticates servers via digital certificates.
    • Counters threats: prevents eavesdropping, data theft, and tampering during storage or transmission.
    • Advantages: strong confidentiality; RSA enables secure key distribution; SSL/TLS is the industry standard for web security.
    • Disadvantages / limitations: key management can be complex; performance overhead; weak implementation (e.g., outdated TLS versions) can be vulnerable.

  • Strong Password Policy & User‑ID Management

    • Purpose / typical use: requires complex, unique passwords and regular changes; enforces minimum length, mixed characters.
    • Counters threats: reduces success of password‑cracking and credential‑stuffing attacks.
    • Advantages: simple to implement; raises overall password quality.
    • Disadvantages / limitations: may lead to user fatigue or insecure work‑arounds (e.g., writing passwords down).

  • Two‑Factor / Multi‑Factor Authentication (2FA/MFA)

    • Purpose / typical use: combines something you know (password) with something you have (token, app) or are (biometric).
    • Counters threats: mitigates the impact of stolen credentials, phishing, and password reuse.
    • Advantages: significant security boost with modest cost; many free authenticator apps.
    • Disadvantages / limitations: requires additional devices or apps; can be inconvenient for some users.

  • Patch Management

    • Purpose / typical use: regularly applies security updates to OS, firmware, and applications.
    • Counters threats: closes known vulnerabilities that could be exploited by malware, ransomware, or injection attacks.
    • Advantages: prevents many high‑profile incidents (e.g., WannaCry).
    • Disadvantages / limitations: needs a disciplined schedule; occasional incompatibility issues after updates.

  • Secure Back‑ups (offline or encrypted cloud)

    • Purpose / typical use: creates regular copies of critical data stored separately from the primary system.
    • Counters threats: provides recovery after ransomware, accidental deletion, or hardware failure.
    • Advantages: ensures business continuity; offline copies are immune to network‑based attacks.
    • Disadvantages / limitations: requires storage space and testing of restoration procedures.

  • Biometric Authentication (fingerprint, facial, iris)

    • Purpose / typical use: uses unique physiological traits to verify identity.
    • Counters threats: adds a factor that cannot be easily guessed or shared.
    • Advantages: convenient for users; reduces reliance on passwords.
    • Disadvantages / limitations: potential for spoofing; privacy concerns; may not work in all environments.

  • Digital Certificates (PKI)

    • Purpose / typical use: provides cryptographic proof of identity for users, devices or services.
    • Counters threats: prevents man‑in‑the‑middle attacks and ensures trusted communication.
    • Advantages: enables secure email, code signing, and VPN authentication.
    • Disadvantages / limitations: management of the certificate lifecycle can be complex and costly.
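The firewall entry above says it "filters inbound and outbound traffic based on rule‑sets"; the Python model below, an added example that is not part of these notes, shows what that means in practice. Rules are checked top to bottom, the first match decides, and any packet that matches nothing hits a default deny. The rule set, address ranges and packets are all constructed for illustration (10.0.0.0/8 is assumed to be the internal network and 192.168.1.0/24 the admin LAN).

```python
"""Minimal stateless packet-filter model (added example; rules and packets constructed).

Demonstrates first-match, top-to-bottom rule evaluation with a default-deny
fallthrough, the core behaviour of a rule-set firewall.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source network in CIDR form
    dst_port: Optional[int] # None means any destination port


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_ip: str
    dst_port: int


# Constructed rule set. Order matters: the anti-spoofing deny comes first so
# that a later "allow 443 from anywhere" cannot override it.
RULES: List[Rule] = [
    Rule("deny",  "in",  "any", "10.0.0.0/8",     None),  # internal addresses must not arrive from outside
    Rule("allow", "in",  "tcp", "0.0.0.0/0",      443),   # public HTTPS service
    Rule("allow", "in",  "tcp", "192.168.1.0/24", 22),    # SSH only from the admin LAN
    Rule("allow", "out", "any", "0.0.0.0/0",      None),  # all outbound traffic
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule covers the packet; only headers are inspected."""
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.src)
            and rule.dst_port in (None, pkt.dst_port))


def decide(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); unmatched packets are denied."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None          # default deny: nothing passes unless a rule allows it


if __name__ == "__main__":
    for pkt in [Packet("in", "tcp", "203.0.113.5", 443),
                Packet("in", "tcp", "203.0.113.5", 22),
                Packet("in", "udp", "10.4.4.4", 53)]:
        print(pkt, "->", decide(pkt))
```

Note what the model cannot see: it inspects only addresses, protocol and port, which is why the table lists encrypted traffic and insider activity as limitations. Anything allowed on port 443 passes regardless of its content.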

6.2 Organisational Controls

  • Security policies & procedures – documented rules covering acceptable use, password standards, incident response, and data‑handling.
  • Access control & least‑privilege principle – users receive only the rights necessary for their role (role‑based access control).
  • User education & awareness programmes – regular training on phishing, safe browsing, social engineering, and e‑safety.
  • Physical security – locked server rooms, CCTV, access cards, and visitor logs.
  • Incident‑response plan – predefined steps to contain, eradicate, recover, and review a security breach.
  • Audit, monitoring & logging – systematic recording of user activity, regular security audits, and vulnerability scans.
  • Change management – controlled process for introducing new hardware/software or configuration changes.
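The "audit, monitoring & logging" control above is only useful if someone, or something, reads the logs. The Python script below is an added example, not part of these notes: it parses constructed authentication log lines (the line format is assumed, not taken from any real system) and flags a source address that records more than a threshold of failed logins inside a sliding time window, which is the simplest detection for the brute‑force and dictionary password attacks listed in section 4. Threshold and window values are assumed.

```python
"""Detect password-guessing from authentication logs (added example).

Parses constructed, syslog-like lines (format assumed) and flags any source
address with more than THRESHOLD failed logins inside a WINDOW-second
sliding window. This is the kind of rule an IDS or log monitor applies.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

THRESHOLD = 5   # failures tolerated per window (assumed policy value)
WINDOW = 60     # seconds

# Constructed sample log; one source guesses several accounts quickly, another
# fails slowly (a user mistyping) and should not be flagged.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth: FAIL user=admin src=198.51.100.23
2024-03-01T09:00:03 auth: FAIL user=admin src=198.51.100.23
2024-03-01T09:00:04 auth: OK   user=alice src=192.0.2.10
2024-03-01T09:00:05 auth: FAIL user=root  src=198.51.100.23
2024-03-01T09:00:06 auth: FAIL user=root  src=198.51.100.23
2024-03-01T09:00:08 auth: FAIL user=guest src=198.51.100.23
2024-03-01T09:00:09 auth: FAIL user=admin src=198.51.100.23
2024-03-01T09:00:30 auth: FAIL user=bob   src=192.0.2.10
2024-03-01T09:02:30 auth: FAIL user=bob   src=192.0.2.10
2024-03-01T09:04:30 auth: FAIL user=bob   src=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) auth: (FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def parse_line(line: str):
    """Return (timestamp, result, user, src) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src


def detect_bruteforce(log_text: str, threshold: int = THRESHOLD, window: int = WINDOW) -> dict:
    """Return {src: (time of first alert, sorted usernames tried)} for sources over threshold."""
    recent = defaultdict(deque)   # src -> recent failures as (timestamp, user)
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                  # unparseable line: skip, never crash the monitor
        ts, result, user, src = parsed
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        # Drop failures that have aged out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = (ts, sorted({u for _, u in q}))
    return alerts


if __name__ == "__main__":
    for src, (when, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} src={src} accounts tried={users}")
```

The list of usernames is kept because many different accounts from one address points to password spraying or a dictionary attack, whereas one account failing repeatedly may be a user who has forgotten their password; the response to each is different (block the source versus lock the account and contact the user).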

7. Legal & Ethical Considerations

  • Unauthorised access is a criminal offence in many jurisdictions (e.g., UK Computer Misuse Act 1990, US Computer Fraud and Abuse Act).
  • Ethical hacking must be performed with written permission, a clearly defined scope, and a full report to the system owner.
  • Breaches of the GDPR/UK DPA can result in fines up to £17.5 million or 4 % of global turnover, plus reputational damage.

8. Real‑World Example: WannaCry Ransomware (May 2017)

The ransomware exploited the unpatched Windows vulnerability “EternalBlue” (SMB v1). Once infected, it encrypted users’ files and demanded payment in Bitcoin. The outbreak affected hospitals, businesses and public services worldwide, highlighting the critical importance of:

  • Prompt patch management (the vulnerability had a patch released months earlier).
  • Regular, offline back‑ups to restore data without paying the ransom.
  • User awareness of suspicious email attachments (the initial infection vector).

9. Summary Checklist – Defence in Depth (AO 3 Evaluation)

  1. Implement and maintain a perimeter firewall.
  2. Deploy an IDS/IPS to detect and block malicious traffic.
  3. Install up‑to‑date antivirus/antimalware on all endpoints.
  4. Encrypt sensitive data:

    • At rest with AES.
    • In transit with SSL/TLS (digital certificates).
    • Use RSA for secure key exchange.

  5. Enforce a strong password policy and unique user‑ID for each account.
  6. Enable 2FA/MFA wherever possible.
  7. Apply security patches promptly.
  8. Maintain regular, tested back‑ups (offline or encrypted cloud).
  9. Adopt organisational safeguards:

    • Clear security policies.
    • Role‑based access and the principle of least privilege.
    • Physical security of hardware.
    • Ongoing user education and e‑safety awareness.
    • Incident‑response and business‑continuity planning.
    • Continuous audit, monitoring and vulnerability scanning.

  10. Review and evaluate each control regularly – consider cost, usability, and effectiveness.

Suggested diagram: “Defence in Depth” – layered model (from outer to inner): Physical security → Perimeter security (firewall) → Network security (IDS/IPS) → Host security (antivirus, patches) → Application security (secure coding, input validation, SSL/TLS) → Data security (encryption, backups, digital certificates).