Introduction to Network Security:
One of the factors associated with the CMA is the "CIA triangle", otherwise known as confidentiality, integrity and availability; these factors play a key role in the business environment. They also outline what to do to keep information in safe hands and how to back up information, as discussed below.
CIA stands for confidentiality, integrity and availability. It is a security model put in place to enforce the safety of a business. If any of the three is thought to have been breached, severe consequences will follow for any third parties involved.
Confidentiality – This refers to information or data that is meant to be private or to remain secret, meaning no other third parties should be involved. The main and most obvious reason is to avoid unauthorised access in any form. A further measure is to ensure data is encrypted, as encrypted data is much safer than data left unencrypted.
This can largely be attained by putting biometric measures in place: for example, strong facial, eye and fingerprint recognition can help protect someone's identity. It is also advised that the user has a valid password consisting of numbers and letters, preferably more than 8 characters long.
Integrity – "Integrity" refers to data you can generally rely on: it is meant to be up to date and must not be modified or tampered with in any way. Such data is always trustworthy and should therefore be overseen only by individuals with authorised permission. Once data is left in its current state it should not be tampered with or altered; if it is, this is a form of trespass and the data has been compromised.
Availability – "Availability" means still having access to something if a disaster occurs, for example by keeping information readily accessible. Ensuring multiple backups are made is one way, for instance physical copies all stored and locked away safely in a filing cabinet. Having spare resources at hand is another safeguard in the event of a hardware mishap or other technical failure. It is essential that all devices are kept up to date and tested regularly so you are prepared for the worst. For example, if a business's server went down and all information was lost, the business can be assured that its information is backed up elsewhere, saving the time and effort of recreating it manually. [4]
The industry's approach to CIA (confidentiality, integrity, availability) is changing rapidly, as organisations want to make it stricter for those who still do not understand the consequences of a breach. New possibilities are being considered, such as bringing in training to explain what happens when private information is shared, including the security risk factors involved. In a university, as a business, students and staff are given ID cards which they scan to gain access to the building; this is one of the biometric measures discussed above. Another approach is two-factor authentication: access to sensitive information is granted only with consent, while also making sure the user has a strong password.
In terms of integrity, hacking allows outside users to access information for social or commercial gain, letting the hacker manipulate it and customise it to their liking. Once data has been compromised, or a virus gets through and information has been stolen, the system is left vulnerable to further attacks.
Examples of this include phishing and trojans. Once this happens it is called vulnerability exploitation. The integrity of a system is like an ego: once tampered with, it becomes vulnerable. The cost of a breach has to be weighed up against the cost of preventing it. In the worst case the breach is carried out by a malicious hacker intent on sabotaging the network and deleting files, folders and server information. In a business environment this can seriously affect the business's reputation and, in some cases, can shut a company down, depending on how serious the matter is. The issue can be minimised by limiting the exchange of private information, since even those who work within a business cannot always be trusted.
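As an added example (not part of the original essay), the Python script below turns the three definitions above into checks a practitioner could actually run: the password rule from the confidentiality paragraph (letters plus numbers, more than 8 characters, taken here as a minimum of 9), a keyed hash (HMAC-SHA256) that detects any tampering with a stored record for integrity, and a small replicated store that still answers reads after the primary copy is lost for availability. The function names, the record contents, the site names and the demo key are all constructed for this illustration.

```python
"""CIA triad in practice: password policy (confidentiality), tamper detection
(integrity) and replicated storage (availability). Added example; not from
the original page. All names and sample data below are constructed."""
import hashlib
import hmac
import secrets
import string


def password_meets_policy(password: str, min_length: int = 9) -> bool:
    """Page's rule: numbers and letters, preferably more than 8 characters.
    min_length=9 encodes 'more than 8' (assumed reading of the text)."""
    has_letter = any(c in string.ascii_letters for c in password)
    has_digit = any(c in string.digits for c in password)
    return len(password) >= min_length and has_letter and has_digit


def integrity_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over a record; only holders of the key can mint a valid tag,
    so a silently edited record will no longer verify."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def integrity_ok(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(integrity_tag(key, data), tag)


class ReplicatedStore:
    """Writes every record to several 'sites' (assumed names); a read still
    succeeds while at least one site holding the record is up."""

    def __init__(self, site_names):
        self.sites = {name: {} for name in site_names}
        self.down = set()

    def write(self, record_id: str, data: bytes) -> None:
        for store in self.sites.values():
            store[record_id] = data

    def fail_site(self, name: str) -> None:
        self.down.add(name)

    def read(self, record_id: str) -> bytes:
        for name, store in self.sites.items():
            if name not in self.down and record_id in store:
                return store[record_id]
        raise RuntimeError("record unavailable: every replica is down")


def demo() -> dict:
    """Run all three checks on constructed data; every value should be True."""
    key = secrets.token_bytes(32)  # constructed demo key; real keys live in a key store
    record = b"customer 42: balance 100.00"
    tag = integrity_tag(key, record)
    tampered = record.replace(b"100.00", b"900.00")  # an unauthorised edit

    store = ReplicatedStore(["primary", "backup-a", "backup-b"])
    store.write("cust-42", record)
    store.fail_site("primary")  # simulate the server going down

    return {
        "weak_password_rejected": not password_meets_policy("letmein"),
        "policy_password_accepted": password_meets_policy("Tr0ub4dor99x"),
        "original_verifies": integrity_ok(key, record, tag),
        "tamper_detected": not integrity_ok(key, tampered, tag),
        "read_after_primary_loss": store.read("cust-42") == record,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The HMAC key is the piece that ties integrity to authorised permission: anyone can recompute a plain SHA-256 over an edited record, but only a holder of the key can produce a tag that verifies, which is why a keyed hash rather than a bare checksum is used here.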
Computer Misuse Act in England and Scotland:
The Scottish policy for the CMA is to ensure that the rules and regulations are kept up to date and strengthened, and that they comply with UK law. Scotland also states that all information should be kept safe, with no risk of it being exploited in any way. [8] The key difference between England and Scotland lies in the sections applied, and the sentencing also differs. For example, England follows sections 1, 2, 3, 3ZA and 3A, whereas Scotland follows only sections 1 to 3A. The other difference is that Scotland never seems to have had these laws in place until the Serious Crime Act 2015, which brought Scotland on a par with England and Wales and offers more or less the same punishments. Before that, England had always applied the same laws, and it is only recently that Scotland changed, owing to the Serious Crime Act 2015: originally the punishment was only six months in jail, but now that the laws have been updated Scotland has the same consequences as England.
Both laws state that if an offence is committed, a search will be conducted and questions raised as to why the crime was committed; this refers to sections 1 to 3A, which have the same effect in England and Scotland. Both England and Scotland state that anyone found accountable for breaching the act faces a maximum of 12 years in jail, or a fine, handed down by the government.
Subsections, attacks and consequences:
Section 1 is broken down into three subsections: part 1 (a), (b) and (c); part 2 (a), (b) and (c); and part 3 (a), (b) and (c). If, for example, a section 1 attack such as phishing is considered, it would come under section 1(a), because part (a) covers the way a computer behaves once the attacker has gained access to it and is able to access any programs or data on it without the user's consent. In England, a person found guilty of this offence will serve twelve months in prison or pay a fine.
Section 2 – The section covering the commission of further offences by means of unauthorised access. It is broken down into subsections; for example, (2)(a) deals with punishments that are fixed by law, meaning the punishment is more likely to be statutory. Subsection (b) also implies that convictions take effect from the age of 18 in England and Wales, but adds that a first conviction is liable to a term of 5 years' imprisonment.
Section 3 – Section 3 covers deliberate acts with intent to cause damage. Subsection (a) concerns simply having unauthorised access to anything relating to a computer. If an attack has actually been carried out, it falls under subsection (2), which refers to gaining access to sensitive information and manipulating it as the attacker pleases. Under the section 2 act there is a possible twelve months in prison, or a fine.
Section 3ZA – This is the section covering acts that cause serious damage, or are carried out with intent to cause serious damage. This can mean anything from harm to human welfare in a given environment, to damage to securities, to loss of or injury to human life. Subsection 3ZA(2) discusses some of the attributes this section covers. It need not be a single act but a series of acts committed at once, or intended. A person charged under this section could face fourteen years in prison together with a fine, but depending on how much damage was caused they could be imprisoned for life in England and Wales.
Section 3A – There are five subsections for this section; subsections 1 to 3 focus on how a person is not permitted to obtain articles, and the consequences if they do. Subsection (5) sets out the consequences if a person is found accountable. For example, in England there is a punishment of twelve months and a fine, or part (c) states that on conviction on indictment there is imprisonment for at least two years, or a fine. [5]
The sections are mostly broken down into three parts: section 1 deals with hacking, where access is gained to a computer without express consent; section 3 deals with committing unethical hacks with the help of a computer; and section 3A consists of three parts, known as making, supplying and obtaining. Refer to Figure 1 below:
Figure 1 – Section 3A: what is it?
Making – Setting up viruses to attack computers, or creating any malicious software.
Supplying – This concerns where you got your source from: if you made a virus, for example, or got the idea from someone else, it is illegal to share it with another third party.
Obtaining – This concerns the law: if you have purposefully intended to sabotage someone's computer by creating malicious files and have left the person vulnerable to an attack, then you have breached the Computer Misuse Act and are liable for prosecution. This carries a punishment of up to 12 months, with a fine, under government regulations.
Section 1 attacks:
Section 1 deals with getting access to someone else's computer without their permission, known in legal terms as unauthorised access to computer material. The section applies because the act is done intentionally, by attackers purposefully embedding an attack in order to corrupt a computer. Many kinds of example fall under section 1: viruses, trojans, phishing, misuse of email, and social engineering are all classed as illegal. A computer virus is a malicious program made to trick others about what it really is; it is designed to modify the way a computer operates from day to day. The attacker can choose how to deliver the virus; in most cases it will be through a simple website link, or through an email attachment, otherwise known as spam. [6] Trojans are another type of virus: counterfeit software that looks identical to the original, the only difference being that hackers are able to monitor every activity. For instance, entering your credit or debit card details would not be ideal, because the attacker can sniff every step you take, and you could unknowingly be giving private information away. However, trojans are not necessarily in the form of fake websites; they are more commonly found in email attachments, and once one is opened it can wipe the system, deleting all programs and backups and leaving the computer completely empty.
Another example of a trojan can be found in some anti-virus systems, although this is rare. Trojans can also be found on the internet, on sites where you have to download files in order to get them. Not all such downloads are genuine; attackers may make a file look like the official download as a trick to lure the user into clicking the wrong link. It is therefore advised to download files only from trusted sources, not from a third-party site or a site that has not been heard of before, in other words one not known to the public.
Phishing is similar to a trojan, but here the fraud is carried out by an attacker impersonating an individual or sending out fraudulent emails to users. Phishing can also work over the short message service (SMS). Examples include a text message saying "You have won Amazon vouchers, click here to claim £500". These appear day to day; a more common example is "Congratulations! You have won an iPhone X", at which point the user is pushed to enter their personal details: email, date of birth and phone number. If you have given away information such as your bank account details, then in the worst case there is a greater risk of the account being hacked. The other possibility is that attackers sell your information on to other companies, so you end up with several nuisance phone calls.
Social engineering is another way of scamming the nation, and it is still a current and persistent issue. Examples include receiving phone calls, suspicious emails, or fake (counterfeit) websites, which are illegal. Many of those who make the phone calls do not have to be rude; they can be polite too, knowing that the recipient is then more likely to believe them.
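The phishing texts quoted above share a recognisable shape: a prize lure, a sum of money, a "click here", and a request for personal details. As an added example (not part of the original essay), the Python script below scores messages against those traits so that a mail or SMS filter can flag the obvious ones. The rule patterns, their weights and the threshold are assumptions chosen for this illustration, and the sample messages are constructed, two of them modelled on the examples in the text.

```python
"""Heuristic phishing-lure scorer for SMS or email text.
Added example; not from the original page. Rule weights, the threshold and
the sample messages are constructed for illustration."""
import re

# (rule name, pattern, weight). Weights are assumptions, not measured values.
RULES = [
    ("prize_lure", re.compile(r"\b(won|winner|congratulations|claim)\b", re.I), 2),
    ("money_amount", re.compile(r"£\s?\d+|\$\s?\d+|\bvouchers?\b", re.I), 1),
    ("urgency", re.compile(r"\b(now|immediately|today|expires?|within \d+ (hours|minutes))\b", re.I), 1),
    ("link_bait", re.compile(r"\b(click here|tap here|https?://|www\.)", re.I), 2),
    ("personal_data_request",
     re.compile(r"\b(date of birth|d\.?o\.?b|password|bank account|card number|pin)\b", re.I), 3),
]
THRESHOLD = 4  # assumption; tune against real traffic before relying on it


def score_message(text: str):
    """Return (total score, names of rules that fired) for one message."""
    hits = [name for name, pattern, _ in RULES if pattern.search(text)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits


def is_suspicious(text: str) -> bool:
    """True when enough lure traits stack up to cross the threshold."""
    return score_message(text)[0] >= THRESHOLD


# Constructed samples: the first two follow the messages quoted in the text,
# the last two are ordinary messages that should pass.
SAMPLES = [
    "You have won amazon vouchers, click here to claim £500",
    "congratulations! you have won an iPhone X - enter your email, D.O.B and phone number today",
    "Reminder: your dentist appointment is on Tuesday at 10am.",
    "Hi, can you send me the slides from this morning's meeting?",
]


def classify_samples() -> dict:
    """Map each sample message to its suspicious/not-suspicious verdict."""
    return {text: is_suspicious(text) for text in SAMPLES}


if __name__ == "__main__":
    for text in SAMPLES:
        score, hits = score_message(text)
        print(f"{score:>2} {hits} <- {text}")
```

Keyword rules like these are cheap and explain their own verdicts, which makes them useful as one signal in a filter, but a legitimate "your order has shipped, track it here" message can also score, so the threshold is a trade-off between catching lures and annoying users, not a replacement for user training.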
Section 1: Real life attacks:
There is a real-life example of misconduct under section 1. [7] Earlier this year, in a case heard at Birmingham Magistrates' Court on 24 April 2018, a police officer named PC Michelle Denne broke the Computer Misuse Act and pleaded guilty to six offences. The offence she committed was obtaining information about her partner's ex-wife, children and neighbours using Staffordshire Police computers without permission, thereby violating the law. Her punishment was a six-month community order and 10 days of community rehabilitation work; in addition she has to pay £185 in court costs and a further £85 on top of that.
Another recent attack happened earlier this year, on 05/03/2018, and also falls under section 1. In this incident a 31-year-old man, Craig Steinberg, who worked as a bar manager, managed to gain unauthorised access to 272 Apple iCloud accounts. This was a naive and senseless attack: he targeted women in order to take their private and sexual photographs, in other words naked photos, and post them on porn websites. The case was taken to Newcastle Crown Court, where Steinberg pleaded guilty and was sentenced to 34 months in jail. [8]
Section 2 attacks:
A section 2 attack means having unauthorised access while intending to carry out further offences. Let us briefly look at a recent case. In a case heard at Peterborough Crown Court on 30 January 2017, a 29-year-old man known as Shaun Turner used malicious software to control his victims' computers and linked it directly to each victim's webcam, so that the image was effectively live and he could watch everything in front of the camera from his own computer. In effect this 29-year-old man was spying on female victims by planting malware on their computers and illegally downloading their personal files. He also failed to provide the encryption key for the hard drives he had accessed. At Peterborough Crown Court he pleaded guilty and was jailed for 3 years, which included 10 months for failing to provide the encryption key to his own personal computer files. [9]
Section 3/3A attacks:
Another case was heard at Birmingham Crown Court on 18 January 2018. This was a case of money laundering, which is the process of obtaining money illegally and transferring it from one account to another. The man behind it, Alex Bessel, aged 21, produced malware which he put on the internet and which gave way to what is known as DDoS, a distributed denial of service attack. The police described his site as a hacker's online shop where he sold his own malware products as well as other people's; once a user clicked on the website, an avalanche of viruses would spread and he would also be able to steal data. By doing this he made £50k in profit. Bessel was clever about it: when registering with a company he would use a fake address, and he would sell on to a real, existing company. Alex Bessel was sentenced to two years and given a serious crime prevention order. [10]
As discussed earlier under section 2, Shaun Turner, who was charged under section 2, was also charged under section 3A, because he committed 5 other offences and pleaded guilty to "child voyeurism", an ugly term for gaining sexual pleasure by watching someone have sex, or encouraging and participating in sexual activity such as undressing. As discussed earlier, he was jailed for 3 years and 10 months; refer to section 2 above.
Section 3ZA is recognised as the section covering unauthorised acts that are likely to cause harm or serious damage to a business or a person; it covers damage to material caused by recklessness. In terms of punishment we are talking about fourteen years in jail, but depending on the extent of the damage caused the punishment is likely to be more severe, meaning the person could be jailed for life. Another incident took place a few years back, in 2010, involving Google's Street View cars, the cars that go around taking 3D photographs of every city around the world. These cars accidentally collected Wi-Fi network names (SSIDs) and MAC addresses, although Google stated that they did not collect payload data. Google confirmed that this happened by mistake and that none of the data has been used in its products. When Google became aware of the problem it immediately stopped all Street View cars, took the cars carrying the data out of service and made the data inaccessible. All data collected is to be deleted as quickly as possible, and Google is getting help from other countries to speed up the process. [11]