LEGAL AND SECURITY ISSUES IN ICT - PowerPoint PPT Presentation

Provided by: adiasanirobert2
Slides: 65

Transcript and Presenter's Notes
1
LEGAL AND SECURITY ISSUES IN ICT
2
LEGAL AND SECURITY ISSUES IN ICT
  • This course provides understanding of the
    fundamentals of information security.
  • This will be accomplished by defining key terms,
    explaining essential concepts, and providing the
    knowledge and understanding of information
    security.
  • The course will also discuss access control
    devices commonly deployed by modern operating
    systems, and new technologies that can provide
    strong authentication to existing
    implementations.
  • (National Teachers Standard 2c, 2e, 3a, 3e, 3h,
    3i, 3k, 3p / NTECF Pillar 1, 2, 3, crosscutting
    issues: Core skills, Assessment.)

4
LEGAL AND SECURITY ISSUES IN ICT
  • Goal for the Subject or Learning Area

5
Goal for the Subject or Learning Area
  • This course provides understanding of the
    fundamentals of information security.
  • This will be accomplished by defining key terms,
    explaining essential concepts, and providing the
    knowledge and understanding of information
    security.
  • The course will also discuss access control
    devices commonly deployed by modern operating
    systems, and new technologies that can provide
    strong authentication to existing
    implementations. (National Teachers Standard
    2c, 2e, 3a, 3e, 3h, 3i, 3k, 3p / NTECF Pillar 1,
    2, 3, crosscutting issues: Core skills,
    Assessment.)

6
LEGAL AND SECURITY ISSUES IN ICT
  • 2. Key contextual factors

7
2. Key contextual factors
  • There is high mobile communication device
    ownership in Ghanaian society.
  • Most students and teachers have interest and
    experience in using these devices for social and
    personal interactions.
  • However, the integration of ICT into teaching and
    learning is low in Ghanaian schools.
  • Ghanaian schools can be categorised as low
    technology-rich learning environments,
    particularly the public schools.

8
2. Key contextual factors
  • The following affect effective teaching and
    account for this low integration of ICT in
    teaching and learning:
  • There is an intra-national digital divide
    (Rich/Poor, Male/Female, Urban/Rural,
    SEN/Typical).
  • Generally, there is low internet connectivity,
    especially in the rural communities.
  • Most schools lack computing facilities.
  • Some schools do not have an electricity supply.
  • Existing facilities do not favour people with
    disabilities.

9
LEGAL AND SECURITY ISSUES IN ICT
  • 3. Course Description

10
3. Course Description
  • This course examines the various definitions and
    categorizations of firewall technologies and the
    architectures under which firewalls may be
    deployed.
  • The course also discusses security technologies
    by examining the concept of the intrusion, and
    the technologies necessary to prevent, detect,
    react, and recover from intrusions.
  • Specific types of intrusion detection and
    prevention systems (IDPSs) are covered: the host
    IDPS, network IDPS, and application IDPS.

11
3. Course Description
  • This course explores national laws that guide the
    field and use of ICT, and presents a detailed
    examination of the computer ethics that the users
    and those who implement information security must
    adhere to. (National Teachers Standard 1a, 1b,
    3b, 3c, 3e, 3d, 3n / NTECF Pillar, crosscutting
    issues: Core skills, Professional values and
    attitudes.)
  • This course will be taught through interactive
    discussions, seminars and presentation of the
    various concepts to student-teachers.
  • The course will be assessed through assignments,
    quizzes and classroom exercises to evaluate
    student-teachers' understanding and knowledge of
    information security concepts.

12
LEGAL AND SECURITY ISSUES IN ICT
  • 4. Core and transferable skills and cross cutting
    issues, including equity and inclusion

13
4. Core and transferable skills and cross cutting
issues, including equity and inclusion
  • Digital literacy of student teachers will be
    enhanced by giving them opportunities to surf and
    present information across units using various
    digital tools.
  • Critical thinking is developed in student
    teachers when they collect data, analyse and
    reflect on interventions. Collaboration is
    fostered through assigning group projects and
    presentation of various topics across units and
    encouraging a healthy school-community
    relationship
  • Communicative skills of student teachers would be
    enhanced through the examination, interrogation
    and presentation of their misconceptions and
    philosophies.

14
4. Core and transferable skills and cross cutting
issues, including equity and inclusion
  • Personal development: enquiry skills in action
    research would be fostered by acquiring skills for
    collecting data, analysing and initiating
    interventions for individual children and small
    groups.
  • Respect for diversity and individual differences
    would be engendered in student teachers by
    applying appropriate interventions, and examining
    and reflecting on their usefulness.
  • Honesty and accountability would be fostered by
    stating the regulations regarding fair use, as
    well as presentation of a project report on
    compliance with acceptable use policies and other
    guidelines.

15
Instructional Resources
16
Instructional Resources
  • Smartphones
  • Laptops
  • Desktop computers
  • Tablets
  • TV and Radio
  • Open Educational Resources (Including YouTube,
    MOOCS-Udemy/coursera, khan academy, TESSA)
  • The iBox (CENDLOS)
  • Productivity tools
  • Subject based application software

17
MODE OF ASSESSMENT
  • Attendance
  • Online quizzes
  • Class exercises
  • Individual and group presentation
  • Midterm examination
  • End of Semester Examination

18
MODE OF DELIVERY
  • Lectures: face-to-face, online, e-learning
  • Group discussions
  • Case studies and analysis
  • Illustrative presentations
  • Independent studies

19
MODE OF ASSESSMENT
  • Attendance
  • Online quizzes
  • Subject Project
  • Class exercises
  • Individual and group Presentation
  • Midsemester examination
  • End of Semester Examination

20
Security fundamental I
  • UNIT 1

21
KEY TERMS
  • Asset
  • An organisational resource that is being
    protected. Logical: website, software,
    information, data. Physical: person, computer
    system, hardware.
  • Information asset
  • The focus of information security: information
    that has value to the organisation, and the
    systems that store, process and transmit the
    information.
  • Information Security (InfoSec)
  • Protection of the confidentiality, integrity, and
    availability of information assets, whether in
    storage, processing, or transmission, via the
    application of policy, education, training and
    awareness, and technology.
  • Security
  • A state of being secure and free from danger or
    harm.

23
  • INTRODUCTION TO SECURITY

24
Security fundamental I
  • Information Security Principles
  • Confidentiality
  • Integrity
  • Availability
  • (CIA)

25
INTRODUCTION TO SECURITY
  • Security, in general, is being free of danger:
    protection from the risk of loss, damage,
    unwanted modification, and other hazards.
  • Its effectiveness depends on the implementation of
    a multi-layered system. Specialised areas include:
  • Physical security - protection of physical items
  • Operations security - protection of details of an
    organisation's operations and activities
  • Communications security - protection of all
    communications media, technology and content
  • Cyber (or computer) security - protection of
    computerised information processing systems and
    the data they contain and process
  • Network security - protecting voice and data
    networking components, connections and content.

26
INTRODUCTION TO SECURITY
  • Information Security - protection of information
    and the characteristics that give it value -
    confidentiality, integrity and availability.
  • Includes technology that houses and transfers
    that information through a variety of protective
    mechanisms such as policy, technology, and
    training and awareness programs

27
INTRODUCTION TO SECURITY
28
AT THE END OF THIS LECTURE
  • UNIT 1

29
AT THE END OF THIS LECTURE
  • You should be able to:
  • List and discuss the key characteristics of
    information security
  • List and describe the dominant categories of
    threats to information security
  • Discuss the key characteristics of leadership and
    management
  • Describe the importance of the manager's role in
    securing an organisation's assets

30
DISCUSSION
  • What can be classified as assets in the education
    setting?
  • What types of information can be classified as
    information assets in the education setting, and
    why?
  • Does infosec exist in current education
    institutions? If yes, give examples. If not, why
    not?
  • Do you think there is adequate security in the
    current education sector? Explain your answer

31
DISCUSSION FEEDBACK
  • Buildings, computers, furniture - no
    burglar-proofing, lack of security personnel, CCTV
  • Examinations - questions, scores, marking schemes -
    encryption, password-protected computers, access
    features
  • Admission details -
  • Certificates
  • Personnel - giving them name tags to prevent
    intruders, dress code, securing staff bungalows
    with security personnel, CCTV, protecting
    personal information, general security controls
    at the entry points of the organisation, health
    and safety mechanisms

32
  • THE VALUE OF INFORMATION (KEY CHARACTERISTICS)
    AND THE C.I.A. TRIAD

33
THE VALUE OF INFORMATION (KEY CHARACTERISTICS)
AND THE C.I.A. TRIAD
  • Confidentiality - limiting access to information
    to those who need it and preventing access by
    those who do not. (Closely related to privacy)
  • Measures to be taken include: information
    classification; secure document (and data)
    storage; application of general security
    policies; education of information custodians
    and end-users; cryptography (encryption).
  • Especially important for personal information
    about employees, customers, etc.
  • Avoid deliberate or mistaken disclosure as much
    as possible - wrong emails, leakage of usernames
    and passwords, etc.

34
THE VALUE OF INFORMATION (KEY CHARACTERISTICS)
AND THE C.I.A. TRIAD
  • Integrity (or completeness) - threatened when
    information is exposed to corruption, damage,
    destruction or any other disruption of its
    original state, which can occur during entry,
    storage or transmission.
  • Causes of corruption include viruses and worms,
    faulty programming, noise in transmission
    channels, and deliberate attacks.
  • A variety of error-control techniques can
    preserve integrity: use of redundancy and check
    bits, error-correcting codes, hash values and
    algorithms, retransmission, etc.
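The error-control techniques just listed, as an added example that is not part of the slides: a parity check bit, a plain hash value and a keyed hash (HMAC) are applied to a constructed score record and to corrupted and tampered copies of it, to show which check catches which kind of change. The shared key and the sample record are invented for the demonstration.

```python
import hashlib
import hmac
from typing import Iterable

# Assumption: a key shared by sender and receiver (constructed for the demo).
KEY = b"constructed-demo-key"


def parity_bit(data: bytes) -> int:
    """Even-parity check bit: 1 when the count of 1 bits in data is odd."""
    ones = sum(bin(byte).count("1") for byte in data)
    return ones & 1


def digest(data: bytes) -> str:
    """Plain hash value (SHA-256, hex-encoded)."""
    return hashlib.sha256(data).hexdigest()


def mac(data: bytes, key: bytes = KEY) -> str:
    """Keyed hash (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def flip_bits(data: bytes, positions: Iterable[int]) -> bytes:
    """Simulate channel noise by flipping the given bit positions."""
    buf = bytearray(data)
    for pos in positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def noise_report(original: bytes, received: bytes) -> dict:
    """Accidental corruption: which checks notice that received != original?"""
    return {
        "parity_detects": parity_bit(received) != parity_bit(original),
        "hash_detects": digest(received) != digest(original),
    }


def tamper_report(original: bytes, tampered: bytes) -> dict:
    """Deliberate modification: whoever changed the data can recompute the
    plain hash, but can only leave the genuine MAC tag in place."""
    sent_hash = digest(tampered)   # recomputed to match the changed data
    sent_tag = mac(original)       # the genuine tag, which cannot be updated
    return {
        "hash_detects": digest(tampered) != sent_hash,
        "mac_detects": not hmac.compare_digest(mac(tampered), sent_tag),
    }


# Constructed sample record and corrupted/tampered copies of it
MESSAGE = b"student=1234;score=87"
SINGLE_FLIP = flip_bits(MESSAGE, [3])        # one bit changed in transit
DOUBLE_FLIP = flip_bits(MESSAGE, [3, 11])    # two bits changed in transit
TAMPERED = b"student=1234;score=97"          # score edited on purpose

if __name__ == "__main__":
    print(noise_report(MESSAGE, SINGLE_FLIP))   # parity and hash both detect
    print(noise_report(MESSAGE, DOUBLE_FLIP))   # parity misses it, hash detects
    print(tamper_report(MESSAGE, TAMPERED))     # hash misses it, MAC detects
```

A parity bit catches an odd number of flipped bits only, a plain hash catches any accidental change, and only the keyed hash holds up when the change is deliberate and the checker's value can be replaced along with the data.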

35
THE VALUE OF INFORMATION (KEY CHARACTERISTICS)
AND THE C.I.A. TRIAD
  • Availability - authorised users having access to
    information in a usable format.
  • e.g., library patrons presenting required
    identification before accessing a collection of
    research material, access cards used to access
    restricted areas
  • Privacy - information being used only in ways
    approved by the persons that provided it.
  • Information aggregation (Ghana card, NHIS, SSNIT
    info, Driving Licence apps on phones, SIM
    registration, GRA tax) allows data to be used in
    ways that the original data owner may not know
    about or agree to.

36
THE VALUE OF INFORMATION (KEY CHARACTERISTICS)
AND THE C.I.A. TRIAD
  • Identification - The ability to recognise
    individual users.
  • The first step to gaining access to secured
    material
  • Authentication - The process by which a control
    establishes whether a user (or system) is the
    entity it claims to be
  • PIN, password, passphrases, fingerprints, eye
    scans, secure socket layer (SSL)

37
THE VALUE OF INFORMATION (KEY CHARACTERISTICS)
AND THE C.I.A. TRIAD
  • Authorisation - defines what the user (person or
    system) has been specifically and explicitly
    allowed by the proper authority to do - access,
    modify, delete, update
  • Accountability - occurs when a control assures
    that every activity undertaken can be attributed
    to a named person or automated process.
  • For example, audit logs track user activity on an
    information system.
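The four steps the slides define (identification, authentication, authorisation and accountability), as an added example that is not from the original deck: a constructed user store, permission table and audit log for a small school-records system. User names, passwords and permissions are invented for the demonstration.

```python
import hashlib
import hmac
import os
import time

_DUMMY_SALT = b"\x00" * 16   # so unknown users cost the same time as known ones


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash (PBKDF2-HMAC-SHA256) so a leaked store is hard to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed user store (identifier -> salt and password hash) and
# authorisation table (what each user is explicitly allowed to do)
USERS = {
    "teacher01": make_user("correct horse"),
    "student42": make_user("battery staple"),
}
PERMISSIONS = {
    "teacher01": {"exam_scores": {"read", "modify"}},
    "student42": {"exam_scores": {"read"}},
}
AUDIT_LOG = []   # accountability: one entry per attempt, successful or not


def authenticate(user_id: str, password: str) -> bool:
    """Identification (look up user_id), then authentication (verify password)."""
    record = USERS.get(user_id)
    if record is None:
        _hash_password(password, _DUMMY_SALT)   # keep timing uniform
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authorised(user_id: str, asset: str, action: str) -> bool:
    """Authorisation: only actions explicitly granted are allowed."""
    return action in PERMISSIONS.get(user_id, {}).get(asset, set())


def request_access(user_id: str, password: str, asset: str, action: str) -> bool:
    authenticated = authenticate(user_id, password)
    allowed = authenticated and authorised(user_id, asset, action)
    # Accountability: the log names the user and the outcome, never the password
    AUDIT_LOG.append({
        "time": time.time(), "user": user_id, "asset": asset, "action": action,
        "authenticated": authenticated, "allowed": allowed,
    })
    return allowed


def denied_attempts(log=None) -> list:
    """Entries a reviewer would look at first: failed logins and refused actions."""
    return [e for e in (AUDIT_LOG if log is None else log) if not e["allowed"]]


if __name__ == "__main__":
    request_access("teacher01", "correct horse", "exam_scores", "modify")
    request_access("student42", "battery staple", "exam_scores", "modify")
    request_access("nobody", "guess", "exam_scores", "read")
    for entry in denied_attempts():
        print(entry)
```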

38
KEY CONCEPTS OF INFORMATION SECURITY
  • Threats and Attacks

39
KEY TERMS
  • Attack (or threat event) - an intentional or
    unintentional act that can damage or otherwise
    compromise information and the systems that
    support it
  • Exploit - a technique used to compromise a system
  • Loss - a single instance of an information asset
    suffering damage or destruction, unintended or
    unauthorised modification or disclosure, or
    denial of use
  • Threat (or threat source) - any event or
    circumstance that has the potential to affect
    operations and assets adversely
  • Threat agent - the specific instance or a
    component of a threat
  • Vulnerability - a potential weakness in an asset
    or its defence control system(s)

40
IN THE ART OF WAR
  • According to the Chinese general Sun Tzu Wu (circa
    500 BC):
  • One who knows the enemy and knows himself will
    not be in danger in a hundred battles
  • One who does not know the enemy but knows
    himself will sometimes win, sometimes lose
  • one who does not know the enemy and does not
    know himself will be in danger in every battle

41
IN THE ART OF WAR
  • To protect your organisation's information, you
    must:
  • Know yourself and be familiar with the
    information assets to be protected:
  • their inherent flaws and vulnerabilities,
  • the systems, mechanisms and methods used to store,
    transport, process, and protect them
  • Know the threats you face
  • Management must be informed about the various
    threats to an organisation's people,
    applications, data and information systems

42
THE 12 CATEGORIES OF THREAT
43
THE 12 CATEGORIES OF THREAT
Category of threat                        Attack examples
Compromises to intellectual property      Piracy, copyright infringement
Deviations in quality of service          ISP, power or WAN service problems
Espionage or trespass                     Unauthorized access and/or data collection
Forces of nature                          Fire, floods, earthquakes, lightning
Human error or failure                    Accidents, employee mistakes
Information extortion                     Blackmail, information disclosure
Sabotage or vandalism                     Destruction of systems or information
Software attacks                          Viruses, worms, macros, denial of service
Technical hardware failures or errors     Equipment failure
Technical software failures or errors     Bugs, code problems, unknown loopholes
Technological obsolescence                Antiquated or outdated technologies
Theft                                     Illegal confiscation of equipment or information
44
Required Text (core)
  • Whitman, Michael E., and Herbert J. Mattord.
    Principles of Information Security (4th ed.).
    Cengage Learning, 2011.
  • Parliament of Ghana (2012). Data Protection Act,
    2012 (Act 843). Retrieved from the Ghana Data
    Protection Commission website:
    https://www.dataprotection.org.gh/data-protection-act
  • Parliament of Ghana (2008). Electronic
    Communications Act, 2008 (Act 775). Retrieved from
    https://www.moc.gov.gh/ and https://nca.org.gh/
  • Parliament of Ghana. Law of Contract (Act 25,
    1960). Retrieved from
    http://laws.ghanalegal.com/acts/id/18/contracts-act

45
Additional Reading List
  • Anderson, Ross J. Security Engineering: A Guide
    to Building Dependable Distributed Systems. John
    Wiley & Sons, 2010.
  • Selected articles and online resources
    (youtube.com; MOOCs: Khan Academy, TESSA, Udemy,
    etc.)

46
DISCUSSION
47
ASSESSMENT
  • Project-/problem-/inquiry-based assessment:
    identify, investigate and develop various
    management documents like ICT policies, security
    plans, reviews of ICT-related law, etc.

48
Component 3: End of Semester Examination (40%
overall)
  • Summary of assessment method
  • A written assessment to assess student teachers'
    knowledge of the basics of information security
    and IT-related legal issues, and their
    understanding of the various concepts of
    technology leadership and management.
  • Weighting: 40%

49
Security fundamental II
  • Security Concepts

50
Lesson description
  • In this lesson, student teachers will examine the
    various security concepts in information
    technology.
  • They will assess the risks to and identify
    vulnerabilities of information assets, and
    recommend appropriate protection for them.

51
Security Concepts
  • Security Concepts
  • 1. Vulnerabilities
  • 2. Threats
  • 3. Threat Actors
  • 4. Exploits
  • 5. Risk

52
Vulnerability
  • A vulnerability, in information technology (IT),
    is a flaw in code or design that creates a
    potential point of security compromise for an
    endpoint or network.
  • Vulnerabilities create possible attack vectors,
    through which an intruder could run code or
    access a target system's memory.

53
Vulnerability
  • A vulnerability is a weakness that can be
    exploited by cybercriminals to gain unauthorized
    access to a computer system.
  • After exploiting a vulnerability, an attacker can
    run malicious code, install malware, and even
    steal sensitive data.

54
Vulnerability Examples
  • There are several different types of
    vulnerabilities, determined by which
    infrastructure they're found on.
  • Vulnerabilities can be classified into six broad
    categories:
  • 1. Hardware
  • 2. Software
  • 3. Network
  • 4. Personnel
  • 5. Physical site
  • 6. Organizational

55
THREAT
  • A threat is a statement of an intention to
    inflict pain, injury, damage, or other hostile
    action on someone in retribution for something
    done or not done.
  • an expression of intention to inflict evil,
    injury, or damage

57
Threat actor
  • Threat actor
  • A threat actor or malicious actor is either a
    person or a group of people that take part in an
    action that is intended to cause harm to the
    cyber realm including computers, devices,
    systems, or networks
  • A threat actor is any internal or external
    attacker that could affect data security.
  • Anyone can be a threat actor, through direct data
    theft, phishing, and so on.

58
EXPLOIT
  • A software tool designed to take advantage of a
    flaw in a computer system, typically for
    malicious purposes such as installing malware.

59
Vulnerability Examples
  • Vulnerabilities can be classified into six broad
    categories:
  • 1. Hardware
  • Any susceptibility to humidity, dust, soiling,
    natural disaster, poor encryption, or firmware
    vulnerability.

60
Vulnerability Examples
  • Vulnerabilities can be classified into six broad
    categories:
  • 2. Software
  • Insufficient testing, lack of audit trail,
    design flaws, memory safety violations (buffer
    overflows, over-reads, dangling pointers), input
    validation errors (code injection, cross-site
    scripting (XSS), directory traversal, email
    injection, format string attacks, HTTP header
    injection, HTTP response splitting, SQL
    injection), privilege-confusion bugs
    (clickjacking, cross-site request forgery, FTP
    bounce attack), race conditions (symlink races,
    time-of-check-to-time-of-use bugs), side-channel
    attacks, timing attacks and user interface
    failures (blaming the victim, race conditions,
    warning fatigue).
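One of the input-validation errors listed above, SQL injection, as an added example that is not from the slides: the same score lookup written in a vulnerable form and in the parameterised form, plus an allowlist check on the id format, run against a constructed in-memory SQLite table. The table, rows and id format are invented for the demonstration.

```python
import re
import sqlite3

STUDENT_ID = re.compile(r"^[a-z][a-z0-9_]{0,31}$")   # constructed id format


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table of exam scores."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scores (student TEXT, score INTEGER)")
    conn.executemany("INSERT INTO scores VALUES (?, ?)",
                     [("ama", 87), ("kofi", 92), ("yaw", 64)])
    return conn


def lookup_vulnerable(conn, student: str) -> list:
    """Input validation error: the user's text becomes part of the SQL, so
    quote characters in it change the meaning of the query."""
    sql = "SELECT student, score FROM scores WHERE student = '" + student + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, student: str) -> list:
    """Hardened form: the input is bound as a parameter and is only ever data."""
    sql = "SELECT student, score FROM scores WHERE student = ?"
    return conn.execute(sql, (student,)).fetchall()


def is_valid_student_id(student: str) -> bool:
    """Allowlist check: ids are lowercase letters, digits and underscores."""
    return STUDENT_ID.match(student) is not None


def lookup_validated(conn, student: str) -> list:
    """Defence in depth: reject ids that do not match the expected format
    before they reach the database, then still use a bound parameter."""
    if not is_valid_student_id(student):
        raise ValueError("invalid student id")
    return lookup_parameterised(conn, student)


# Constructed input that contains SQL syntax rather than a student id
CRAFTED = "' OR '1'='1"

if __name__ == "__main__":
    db = setup_db()
    print(lookup_vulnerable(db, CRAFTED))      # every row: the query was altered
    print(lookup_parameterised(db, CRAFTED))   # []: no student has that name
```

The validated form also gives a clean place to log rejected inputs, which is often the first sign that someone is probing the application.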

61
Vulnerability Examples
  • Vulnerabilities can be classified into six broad
    categories:
  • 3. Network
  • Unprotected communication lines,
    man-in-the-middle attacks, insecure network
    architecture, lack of authentication, default
    authentication, or other poor network security.
  • 4. Personnel
  • Poor recruiting policy, lack of security
    awareness and training, poor adherence to
    security training, poor password management, or
    downloading malware via email attachments.

63
Vulnerability Examples
  • Vulnerabilities can be classified into six broad
    categories:
  • 5. Physical site
  • Area subject to natural disaster, unreliable
    power source, or no keycard access.
  • 6. Organizational
  • Improper internal controls, lack of audit,
    continuity plan, security, or incident response
    plan.
