Describe security methods designed to protect the security of data

6.1 Data Security

Learning objectives

  • Define the core security concepts required by the Cambridge AS & A‑Level syllabus: confidentiality, integrity, availability, authentication and privacy.
  • Identify the main threats to computer and data security.
  • Explain the security measures that protect stand‑alone PCs and networked systems, and link each measure to the relevant security principle.
  • Describe simple techniques for ensuring data integrity (validation, checksums, parity).

1. Core security principles

Principle | What it means | Typical protective measures (exam‑relevant)
Confidentiality | Only authorised users may read the data. | Encryption, strong passwords, access‑control lists, firewalls.
Integrity | Data must be accurate, complete and unaltered. | Hash functions, checksums, digital signatures, validation routines.
Availability | Data and services must be accessible when required. | Back‑ups, redundant servers, DDoS mitigation, reliable power.
Authentication | Verification of the identity of a user, device or process. | Passwords, two‑factor authentication (2FA), biometrics.
Privacy | Protection of personal or sensitive information from unauthorised collection or disclosure, handled in accordance with legal and ethical requirements. | Data classification, anonymisation, GDPR‑style policies.

2. Threat landscape (exam focus)

Threat | Typical effect | Key counter‑measure(s)
Malware (viruses, ransomware, spyware) | Unauthorised modification, loss or encryption of data. | Anti‑virus/anti‑malware software, regular patching.
Phishing & social engineering | Credentials or personal data are disclosed to attackers. | User education, email filtering, 2FA.
Man‑in‑the‑Middle (MitM) | Data intercepted or altered in transit. | TLS/SSL, SSH, VPNs, certificate validation.
Denial‑of‑Service (DoS/DDoS) | Legitimate users cannot access a service. | Firewalls, rate‑limiting, redundant servers.
Insider threat | Authorised users misuse their access. | Least privilege, role‑based access control, audit logs.
Unauthorised access (hacking, password cracking) | Attacker gains illegal entry to a system. | Strong passwords, account lock‑out, IDS/IPS.
School‑specific example | Phishing email to teachers requesting login details. | Awareness training, 2FA for staff accounts.

3. Security measures for stand‑alone PCs

3.1 Passwords & authentication

  • Password policy (exam‑type example)

    • Minimum 12 characters
    • At least one upper‑case, one lower‑case, one digit, one special character
    • Change every 90 days; cannot reuse the last 5 passwords

  • Two‑factor authentication (2FA) – something you know (password) + something you have (OTP token or mobile app).
  • Simple password‑hashing illustration

    salt  = generateRandomBytes(16)
    hash  = SHA-256(salt || password)   // "||" = concatenation
    store = salt || hash                // both saved for later verification
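The scheme above as runnable Go, added here as an example and not part of the notes. It keeps the pseudocode's 16‑byte random salt and the stored salt || hash record, but replaces the single SHA‑256 pass with PBKDF2‑HMAC‑SHA256 (RFC 8018, implemented inline over the standard library) because a single fast hash lets every password guess be tested at full hashing speed, and it compares hashes in constant time; StorePassword, VerifyPassword and the 100,000‑iteration work factor are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
)

const iterations = 100_000 // PBKDF2 work factor; raise it as hardware gets faster
// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256: every output block is the XOR
// of iter chained HMACs, so testing one password guess costs iter hashes, not one.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write(binary.BigEndian.AppendUint32(nil, block))
		u := mac.Sum(nil) // U1 = HMAC(password, salt || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // U(i) = HMAC(password, U(i-1)); T ^= U(i)
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// StoredPassword is the record the system keeps: salt || hash, never the password itself.
type StoredPassword struct{ Salt, Hash []byte }

// StorePassword draws a fresh 16-byte random salt (as in the pseudocode above) and
// derives the 32-byte hash that is stored next to it.
func StorePassword(password string) (StoredPassword, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	return StoredPassword{salt, pbkdf2SHA256([]byte(password), salt, iterations, 32)}, nil
}

// VerifyPassword recomputes the hash from the stored salt and compares it in constant
// time, so the response time does not reveal how many bytes of the hash matched.
func VerifyPassword(rec StoredPassword, attempt string) bool {
	h := pbkdf2SHA256([]byte(attempt), rec.Salt, iterations, len(rec.Hash))
	return subtle.ConstantTimeCompare(h, rec.Hash) == 1
}
```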

3.2 Anti‑virus & firewalls (primary PC safeguards)

  • Anti‑virus/anti‑malware – real‑time scanning, regular definition updates.
  • Host‑based firewall – permits only required inbound/outbound ports (e.g., allow HTTP/HTTPS, block unknown services).

3.3 Encryption (confidentiality)

  • Symmetric encryption – one secret key (AES‑256 is the recommended algorithm). Used for file‑level or whole‑disk encryption.
  • Asymmetric encryption (public‑key) – pair of keys (RSA ≥ 2048 bits or ECC). Used for secure key exchange and digital signatures.
  • Both methods support confidentiality; when combined with a MAC (Message Authentication Code) they also provide integrity.

3.4 Back‑up & recovery (availability)

  • Daily incremental + weekly full backups.
  • Off‑site or cloud storage; encrypt backups to preserve confidentiality.
  • Periodic restoration test to verify data integrity and availability.

4. Data integrity techniques (required for the syllabus)

4.1 Validation checks

  • Range check – value must lie between a minimum and maximum (e.g., age ≥ 0 and ≤ 120).
  • Format check – data must match a pattern (e.g., email must contain “@”).
  • Consistency check – related fields must agree (e.g., start‑date ≤ end‑date).

4.2 Checksums & parity

  • Checksum – simple additive total of bytes; used for quick error detection.
  • Parity bit – even or odd count of ‘1’s in a byte; detects single‑bit errors.
  • Cryptographic hash (e.g., SHA‑256) – produces a fixed‑length digest; used for robust integrity verification and digital signatures.
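The checks of sections 4.1 and 4.2 as an added Go example (not from the notes); the function names and the YYYY‑MM‑DD date format are this example's assumptions, and FormatCheck tightens the "@" rule to exactly one "@" with text on both sides. The comments also spell out each detector's blind spot: a parity bit misses an even number of flipped bits, an additive checksum misses swapped bytes, and only the SHA‑256 digest catches both.

```go
package main

import (
	"crypto/sha256"
	"math/bits"
	"strings"
	"time"
)

// RangeCheck: value must lie between lo and hi inclusive (the notes' age 0..120).
func RangeCheck(value, lo, hi int) bool { return value >= lo && value <= hi }

// FormatCheck: the notes' rule that an e-mail must contain "@", tightened to exactly
// one "@" with a non-empty local part and domain.
func FormatCheck(email string) bool {
	at := strings.Index(email, "@")
	return strings.Count(email, "@") == 1 && at > 0 && at < len(email)-1
}

// ConsistencyCheck: related fields must agree, here start-date <= end-date.
func ConsistencyCheck(start, end string) bool {
	s, err1 := time.Parse("2006-01-02", start)
	e, err2 := time.Parse("2006-01-02", end)
	return err1 == nil && err2 == nil && !s.After(e)
}

// AdditiveChecksum: the "simple additive total" of all bytes, modulo 256.
// Blind spot: reordering bytes leaves the total unchanged, so swaps go unnoticed.
func AdditiveChecksum(data []byte) byte {
	var sum byte
	for _, b := range data {
		sum += b
	}
	return sum
}

// EvenParityBit is the extra bit that makes the number of 1s in (b, bit) even.
func EvenParityBit(b byte) byte { return byte(bits.OnesCount8(b) & 1) }

// ParityOK recomputes the parity of a received byte and compares it with the parity
// bit that was sent. Any odd number of flipped bits is caught; an even number
// (two bits, say) restores the original parity and slips through.
func ParityOK(received, sentParity byte) bool { return EvenParityBit(received) == sentParity }

// Digest: SHA-256 fixed-length digest; any change to the data, including a swap of
// two bytes or two flipped bits, produces a different digest.
func Digest(data []byte) [32]byte { return sha256.Sum256(data) }
```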

5. Access‑control mechanisms (network & system level)

  • Discretionary Access Control (DAC) – owners set permissions (e.g., file read/write rights).
  • Mandatory Access Control (MAC) – a central authority enforces policies based on security labels (Top Secret, Confidential, etc.); not to be confused with a Message Authentication Code, also abbreviated MAC in section 3.3.
  • Role‑Based Access Control (RBAC) – permissions assigned to roles (Administrator, Teacher, Student); users inherit rights via role membership.

6. Network‑level security (exam‑relevant basics)

  • Firewalls – packet‑filtering or stateful inspection; block unauthorised ports.
  • Intrusion Detection/Prevention Systems (IDS/IPS) – monitor traffic for known attack signatures; IPS can automatically block.
  • Virtual Private Network (VPN) – creates an encrypted tunnel (IPsec or SSL/TLS) for secure remote access.
  • Secure transport protocols – TLS/SSL for web, SSH for remote command line, SFTP for file transfer.
  • Network segmentation – separate critical services (e.g., finance) from general‑purpose devices using VLANs or sub‑nets.

7. Physical and organisational controls

  • Physical security – locked server rooms, CCTV, biometric entry, fire suppression, temperature control.
  • Security policies (Cambridge wording)

    1. Acceptable‑Use Policy – defines permissible activities on school devices.
    2. Password Management – complexity, expiry, storage rules.
    3. Incident‑Response Plan – steps to follow after a suspected breach.
    4. Data Classification & Handling – label data (Public, Internal, Confidential, Sensitive) and apply appropriate controls.
    5. Audit & Compliance – regular logging, review of access rights.

  • Backup & recovery (reiterated) – see section 3.4.

8. Mapping measures to the CIA‑triad

Measure | Confidentiality | Integrity | Availability
Strong passwords & 2FA | ✓ | – | –
Anti‑virus & host firewall | – | ✓ (prevents tampering) | ✓ (keeps system running)
Symmetric encryption (AES) | ✓ | ✓ (when used with a MAC) | –
Asymmetric encryption (RSA/ECC) | ✓ | ✓ (digital signatures) | –
Hash functions / checksums | – | ✓ | –
Back‑ups (encrypted) | ✓ | – | ✓
RBAC / DAC / MAC | ✓ | – | ✓ (prevents accidental lock‑out)

9. Suggested summary diagram (text description)

Illustrate the life‑cycle of a secure message:

  1. Plaintext data → hash (SHA‑256).
  2. Hash encrypted with sender’s private key → digital signature.
  3. Plaintext + signature encrypted with receiver’s public key (or a symmetric session key protected by RSA).
  4. Transmission over TLS/SSL.
  5. Receiver decrypts with private key, verifies signature with sender’s public key, then recomputes the hash to confirm integrity.

This flow shows how confidentiality, integrity, authentication and (via the signature) non‑repudiation are achieved.
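The five‑step flow above in Go with only the standard library, added here as an example rather than taken from the notes. It uses the session‑key variant of step 3 (AES‑256‑GCM for the data, RSA‑OAEP to wrap the key under the receiver's public key) because RSA cannot encrypt an arbitrarily long message directly, signs with RSA PKCS#1 v1.5 over the SHA‑256 hash, and assumes the TLS transport of step 4 carries the Envelope; Seal, Open and Envelope are this example's own names.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what travels over the network (inside TLS, step 4).
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// Seal performs steps 1-3: hash, sign with the sender's private key, then encrypt
// plaintext || signature under a fresh AES-256-GCM session key wrapped with RSA-OAEP.
func Seal(msg []byte, sender *rsa.PrivateKey, receiver *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)                                                // step 1
	sig, err := rsa.SignPKCS1v15(rand.Reader, sender, crypto.SHA256, digest[:]) // step 2
	if err != nil { return nil, err }
	rnd := make([]byte, 32+12) // session key || GCM nonce, both fresh for every message
	if _, err := rand.Read(rnd); err != nil { return nil, err }
	key, nonce := rnd[:32], rnd[32:]
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	body := append(append([]byte{}, msg...), sig...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, key, nil)
	if err != nil { return nil, err }
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, body, nil)}, nil // step 3
}

// Open performs step 5: unwrap the session key with the receiver's private key,
// decrypt, then verify the signature with the sender's public key (which is where
// the SHA-256 hash is recomputed and compared). Plaintext is returned only if all pass.
func Open(env *Envelope, receiver *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, env.WrappedKey, nil)
	if err != nil { return nil, err }
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	body, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil { return nil, err } // GCM tag mismatch: ciphertext altered in transit
	n := len(body) - sender.Size()
	if n < 0 { return nil, rsa.ErrVerification } // too short to hold a signature at all
	digest := sha256.Sum256(body[:n])
	if err := rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], body[n:]); err != nil {
		return nil, err // hash mismatch: not from this sender, or data changed before sealing
	}
	return body[:n], nil
}
```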