Security Concepts BOOK



IT SECURITY

1. Security concepts

1.1. Data Threats


1.1.1. Distinguish between data and information.
Data is a collection of raw facts or elements, e.g. in a school's computerized system the name of the
pupil, the surname, the date of birth and the grades in the various subjects.

Information is the result of processing data, e.g. when we log into the system and ask the
program how many pupils had 10/10 as their grade in mathematics, the number that the
computer reports is information.
1.1.2. Understand the term cybercrime.
Cybercrime is criminal activities carried out by means of computers or the Internet. The growing
list of cybercrimes includes crimes that have been made possible by computers, such as network
intrusions and the dissemination of computer viruses, as well as computer-based variations of
existing crimes, such as identity theft, stalking, bullying and terrorism.
1.1.3. Understand the difference between hacking, cracking and ethical hacking.
Hacking is attacking systems and probing them for security vulnerabilities, whether for fun, exploration
or fame, or to discover weaknesses so that the owners can fix them.
Cracking is the common term used to describe malicious hacking. Crackers get into all kinds of
mischief, including breaking or "cracking" copy protection on software programs, breaking into
systems and causing harm, changing data, or stealing.
Ethical hacking is hacking done for assessing the security of computer systems. It is sometimes
used by companies to improve the security of their systems. You can even become a Certified
Ethical Hacker (CEH) after passing the relevant examination.
1.1.4. Recognize threats to data from force majeure like: fire, floods, war, and
earthquake.
Major disasters, natural or otherwise (fire, floods, war, earthquakes), can also destroy data or make it inaccessible.
1.1.5. Recognize threats to data from: employees, service providers and external
individuals.
Employees

Excessive internal privileges. Rogue system administrators, who have access to servers and data,
are a serious threat. Everyone from admins up to executives poses a threat to security and data if
they maintain excessive access rights after changing positions or taking on different roles.
Careless or Uninformed Employees
A careless worker who forgets his unlocked iPhone in a taxi is as dangerous as a disgruntled user
who maliciously leaks information to a competitor. Similarly, employees who are not trained in
security best practices and have weak passwords, visit unauthorized websites and/or click on links
in suspicious emails or open email attachments pose an enormous security threat to their employers’
systems and data.
Social engineering. Your company's employees are smart, but they're human, too -- an attacker can
use lies, deception and manipulation to convince someone to unwittingly let them in the digital front
door.
Internal negligence. It's not just leaving your laptop at the airport; it's also failing to regularly check
log reports for suspicious activity because "you were too busy".

Service Providers

Our Internet Service Provider


An ISP effectively has full access to all of our incoming and outgoing traffic.

Third-party Service Providers

“As technology becomes more specialized and complex, companies are relying more on outsourcers
and vendors to support and maintain systems,” notes Matt Dircks, CEO, Bomgar. “For example,
restaurant franchisees often outsource the maintenance and management of their point-of-sale
(POS) systems to a third-party service provider.”

However, “these third-parties typically use remote access tools to connect to the company’s
network, but don’t always follow security best practices,” he says. “For example, they’ll use the
same default password to remotely connect to all of their clients. If a hacker guesses that password,
he immediately has a foothold into all of those clients’ networks.”

External Individuals

Third-party access. As globalization takes place and partners receive access to data in the cloud, it
will take a vigilant IT pro to ensure that employees of partners don't misuse unencrypted data that
they have direct access to.

1.2. Value of information


1.2.1. Understand the reasons for protecting personal information like: avoiding identity
theft, fraud.
Identity theft is a form of stealing someone's identity in which someone pretends to be someone else
by assuming that person's identity, usually as a method to gain access to resources or obtain credit
and other benefits in that person's name. The victim of identity theft can suffer adverse
consequences if they are held responsible for the perpetrator's actions. Identity theft occurs when
someone uses another's personally identifying information, like their name, identifying number, or
credit card number, without their permission, to commit fraud or other crimes. Obviously identity
information must be protected.

1.2.2. Understand the reasons for protecting commercially sensitive information like:
preventing theft or misuse of client details, financial information.

Commercially sensitive information is information whose release would harm the commercial
interests of an organization. Examples might be:
• Discussion about forthcoming contracts, negotiations or purchases.
• Details of ongoing negotiations, where release of information might jeopardize the
negotiations or the organization's bargaining position.
• Sensitive pricing or operational information and trade secrets received from suppliers,
tenderers, contractors etc.
• Information which might be of value to a competitor: e.g. information about the
organization's own commercial activities, or plans to expand in a particular area.
• Theft or misuse of client details could expose the clients to dangers, severely harm the
organization's good name and fame, or even cause loss of the clientele of the organization.

1.2.3. Identify measures for preventing unauthorized access to data like: encryption,
passwords.
• Encryption is the encoding of a file in a form that prevents its use by unauthorized users.
• Passwords are the usual practice for preventing unauthorized access, although good practices with
passwords are not so usual:
o choose a hard-to-guess password
o change it regularly
o understand that holding a password to enter a system means responsibility (so
do not share your passwords)
1.2.4. Understand basic characteristics of information security like: confidentiality,
integrity, availability.
http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA

Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide
policies for information security within an organization. The model is also sometimes referred to as
the AIC triad (availability, integrity and confidentiality) to avoid confusion with the Central
Intelligence Agency. The elements of the triad are considered the three most crucial components of
security.

In this context, confidentiality is a set of rules that limits access to information, integrity is the
assurance that the information is trustworthy and accurate, and availability is a guarantee of reliable
access to the information by authorized people.

Confidentiality:

Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are
designed to prevent sensitive information from reaching the wrong people, while making sure that
the right people can in fact get it: Access must be restricted to those authorized to view the data in
question. It is common, as well, for data to be categorized according to the amount and type of
damage that could be done should it fall into unintended hands. More or less stringent measures can
then be implemented according to those categories.

Sometimes safeguarding data confidentiality may involve special training for those privy to such
documents. Such training would typically include security risks that could threaten this information.
Training can help familiarize authorized people with risk factors and how to guard against them.
Further aspects of training can include strong passwords and password-related best practices and
information about social engineering methods, to prevent them from bending data-handling rules
with good intentions and potentially disastrous results.

A good example of methods used to ensure confidentiality is an account number or routing number
when banking online. Data encryption is a common method of ensuring confidentiality. User IDs
and passwords constitute a standard procedure; two-factor authentication is becoming the norm.
Other options include biometric verification and security tokens, key fobs or soft tokens. In
addition, users can take precautions to minimize the number of places where the information
appears and the number of times it is actually transmitted to complete a required transaction. Extra
measures might be taken in the case of extremely sensitive documents, precautions such as storing
only on air gapped computers, disconnected storage devices or, for highly sensitive information, in
hard copy form only.

Integrity:

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire
life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be
altered by unauthorized people (for example, in a breach of confidentiality). These measures
include file permissions and user access controls. Version control may be used to prevent erroneous
changes or accidental deletion by authorized users from becoming a problem. In addition, some means
must be in place to detect any changes in data that might occur as a result of non-human-caused
events such as an electromagnetic pulse (EMP) or server crash. Some data might include
checksums, even cryptographic checksums, for verification of integrity. Backups or redundancies
must be available to restore the affected data to its correct state.
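The checksum idea from the paragraph above, as an added example that is not part of the original notes: a plain SHA-256 checksum catches accidental corruption (a flipped bit after a crash), while an HMAC under a secret key also catches deliberate edits, because a plain hash can simply be recomputed by whoever altered the data. The record, the key and the corruption are all constructed for the demonstration.

```python
# Added example: integrity checks with a cryptographic checksum (SHA-256) and
# a keyed tag (HMAC-SHA256). Python standard library only.
import hashlib
import hmac

# Constructed sample record, standing in for a file on disk (not real data).
ORIGINAL = b"pupil=Andreas Georgiou;subject=Mathematics;grade=10/10\n"
# Constructed key for the demo; in practice it lives in a key store, not in code.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def sha256_checksum(data: bytes) -> str:
    """Hex SHA-256 digest of the data; no key is involved."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(data: bytes, key: bytes) -> str:
    """Hex HMAC-SHA256 tag; only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def checksum_matches(data: bytes, expected_hex: str) -> bool:
    """True when the stored checksum still matches the data."""
    return hmac.compare_digest(sha256_checksum(data), expected_hex)


def tag_matches(data: bytes, key: bytes, expected_hex: str) -> bool:
    """Constant-time comparison, so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(hmac_tag(data, key), expected_hex)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate non-human corruption (bad sector, power loss): flip a single bit."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def demo() -> dict:
    """Run the four integrity scenarios and report which checks pass."""
    stored_sum = sha256_checksum(ORIGINAL)        # checksum kept beside the record
    stored_tag = hmac_tag(ORIGINAL, INTEGRITY_KEY)  # keyed tag kept beside the record

    corrupted = flip_bit(ORIGINAL, byte_index=40, bit=0)
    # Someone who edits the record can also recompute and replace a plain checksum,
    # so the checksum alone cannot tell an authorized write from a tampered one...
    tampered = ORIGINAL.replace(b"grade=10/10", b"grade=20/20")
    recomputed_sum = sha256_checksum(tampered)
    # ...whereas the stored HMAC tag no longer verifies without INTEGRITY_KEY.

    return {
        "intact_checksum_ok": checksum_matches(ORIGINAL, stored_sum),
        "corrupted_checksum_ok": checksum_matches(corrupted, stored_sum),
        "tampered_recomputed_checksum_ok": checksum_matches(tampered, recomputed_sum),
        "intact_tag_ok": tag_matches(ORIGINAL, INTEGRITY_KEY, stored_tag),
        "tampered_tag_ok": tag_matches(tampered, INTEGRITY_KEY, stored_tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The same verify-after-restore step applies to backups: compare the checksum or tag of the restored copy with the one recorded when the backup was taken.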

Availability:

Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs
immediately when needed and maintaining a correctly functioning operating system environment
that is free of software conflicts. It’s also important to keep current with all necessary system
upgrades. Providing adequate communication bandwidth and preventing the occurrence of
bottlenecks are equally important. Redundancy, failover, RAID and even high-availability clusters can
mitigate serious consequences when hardware issues do occur. Fast and adaptive disaster recovery
is essential for the worst case scenarios; that capacity is reliant on the existence of a comprehensive
disaster recovery plan (DRP). Safeguards against data loss or interruptions in connections must
include unpredictable events such as natural disasters and fire. To prevent data loss from such
occurrences, a backup copy may be stored in a geographically-isolated location, perhaps even in a
fireproof, waterproof safe. Extra security equipment or software such as firewalls and proxy servers
can guard against downtime and unreachable data due to malicious actions such as denial-of-service
(DoS) attacks and network intrusions.

1.2.5. Identify the main data/privacy protection, retention and control requirements in your
country.
Global Data Privacy
http://www.nortonrosefulbright.com/files/global-data-privacy-directory-52687.pdf

The Republic of Cyprus has implemented the EU Data Protection Directive 95/46 EC. The national
data protection regime protects against the unauthorized and illegal use, recording or collection of
personal information which relates to an individual.
Applicable legislation:
The Republic of Cyprus has implemented the EU Data Protection Directive 95/46 EC through the
Processing of Personal Data (Protection of Individuals) Law of 2001, as amended. This key
legislation is supported by the Data Processing (Permits and Fees) Regulations 2002 and the
Regulation of Electronic Communications and Postal Services Law of 2004. The Constitution of the
Republic of Cyprus also provides an individual with the right to respect for his private and family
life and to the secrecy of his correspondence and other communication. The local Data Protection
Authority in Cyprus is the Commissioner for the Protection of Personal Data (the Commissioner),
which supervises compliance with data protection standards and authorizes processing activities. It
can also impose administrative fines, issue warnings and report contraventions of the law.

Protected data:
Personal data is defined as any information from which a living natural person (the Data Subject)
may be identified, directly or indirectly, and in particular by reference to a personal identification
number or to one or more factors specific to his physical, physiological, mental, economic, cultural,
political or social identity. Consolidated data of a statistical nature, from which the Data Subject
cannot be identified is not deemed to be personal data. Sensitive personal data includes data
concerning racial or ethnic origin, political convictions, religious or philosophical beliefs,
participation in an organisation or trade union, health, sex life, sex orientation and criminal
prosecutions or convictions.

Restrictions on transfer of data offshore:

EEA and White List
Data may be transferred freely within the European Union, to states within the
EEA, and to White Listed countries. No prior consent of the Commissioner is required.

Other countries
Personal data can usually only be exported to other third countries if a license has been granted by
the Commissioner. The Commissioner issues licenses only where he considers that the destination
country ensures an adequate level of protection, in light of factors such as the nature of the data, the
purpose and duration of the processing, the relevant general and special rules of law in the
destination country, and the final destination of the data. Data can be exported to a third country
that does not adequately protect data on an exceptional basis, if the Commissioner consents and one
or more of a number of specified conditions is met. These include that the Data Subject explicitly
consents, the transfer is necessary for the performance of a contract for the Data Subject and/ or the
transfer is necessary to serve an important public interest. Furthermore, the Commissioner may also
allow the transfer of data to a country which does not have a satisfactory level of protection, if the
data controller puts in place sufficient safeguards to protect the Data Subject’s privacy and
fundamental rights. This can be achieved by using appropriate contractual clauses, such as EU
Model Clauses, in the transfer agreement.

1.2.6. Understand the importance of creating and adhering to guidelines and policies for
ICT use.
1.3 Personal Security
1.3.1 Understand the term social engineering and its implications like: information gathering,
fraud, computer system access.
Social engineering is a non-technical method of intrusion hackers use that relies heavily on human
interaction and often involves tricking people into breaking normal security procedures. It is one of
the greatest threats that organizations today encounter. One example of social engineering is an
individual who walks into a building and posts an official-looking announcement to the company
bulletin that says the number for the help desk has changed. So, when employees call for help the
individual asks them for their passwords and IDs, thereby gaining the ability to access the
company's private information.

1.3.2 Identify methods of social engineering like: phone calls, phishing, shoulder surfing.

Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends
an e-mail that appears to come from a legitimate business—a bank, or credit card company—
requesting "verification" of information and warning of some dire consequence if it is not provided.
The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company
logos and content—and has a form requesting everything from a home address to an ATM card's
PIN.

Shoulder surfing refers to using direct observation techniques, such as looking over someone's
shoulder, to get information. It is commonly used to obtain passwords, PINs, security codes, and
similar data.

1.3.3 Understand the term identity theft and its implications: personal, financial, business,
legal.
1.3.4 Identify methods of identity theft like: information diving, skimming, pretexting.

Information diving is the practice of recovering technical data, sometimes confidential or secret,
from discarded material. In recent times, this has chiefly been from data storage elements in
discarded computers, most notably recoverable data remaining on hard drives.

Card skimming is the illegal copying of information from the magnetic strips found on credit and
debit cards.

Pretexting also known in the UK as blagging or bohoing, is the act of creating and using an
invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the
victim will divulge information or perform actions that would be unlikely in ordinary
circumstances. An elaborate lie, it most often involves some prior research or setup and the use of
this information for impersonation (e.g., date of birth, Social Security number, last bill amount) to
establish legitimacy in the mind of the target.

1.3.5 Understand the term identity theft and its implications: personal, financial, business,
legal.
Identity theft is a form of stealing someone's identity in which someone pretends to be someone else
by assuming that person's identity, usually as a method to gain access to resources or obtain credit
and other benefits in that person's name. The victim of identity theft (here meaning the person
whose identity has been assumed by the identity thief) can suffer adverse consequences if they are
held responsible for the perpetrator's actions. Identity theft occurs when someone uses another's
personally identifying information, like their name, identifying number, or credit card number,
without their permission, to commit fraud or other crimes.
1.3.6 Identify methods of identity theft like: information diving, skimming, pretexting.
Information diving is the practice of recovering technical data, sometimes confidential or secret,
from discarded material. In recent times, this has chiefly been from data storage elements in
discarded computers, most notably recoverable data remaining on hard drives. Those in charge of
discarding computers often neglect to erase the hard drive. In such circumstances an
information diver can usually copy the installed software (e.g. word processors, operating systems, computer
games, etc.). Other data may also be available, such as credit card information that was stored on
the machine. Companies claim to be especially careful with customer data, but the number of data
breaches by every type of entity (e.g. education, health care, insurance, government, ...) suggests
problems for them as well.

Skimming is the theft of payment card information used in an otherwise legitimate transaction. The
thief can procure a victim's card number using basic methods such as photocopying receipts or more
advanced methods such as using a small electronic device (skimmer) to swipe and store hundreds of
victims’ card numbers. Common scenarios for skimming are restaurants or bars where the skimmer
has possession of the victim's payment card out of their immediate view. The thief may also use a
small keypad to unobtrusively transcribe the 3 or 4 digit Card Security Code, which is not present
on the magnetic strip. Call centers are another area where skimming can easily occur. Skimming
can also occur at merchants such as gas stations when a third-party card-reading device is installed
either outside or inside a fuel dispenser or other card-swiping terminal. This device allows a thief to
capture a customer’s card information, including their PIN, with each card swipe.

Pretexting (adj. pretextual), also known in the UK as blagging or bohoing, is the act of creating and
using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the
chance the victim will divulge information or perform actions that would be unlikely in ordinary
circumstances.[4] An elaborate lie, it most often involves some prior research or setup and the use
of this information for impersonation (e.g., date of birth, Social Security number, last bill amount)
to establish legitimacy in the mind of the target.[5]

This technique can be used to fool a business into disclosing customer information as well as by
private investigators to obtain telephone records, utility records, banking records and other
information directly from company service representatives. The information can then be used to
establish even greater legitimacy under tougher questioning with a manager, e.g., to make account
changes, get specific balances, etc.

Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, clergy,
insurance investigators — or any other individual who could have perceived authority or right-to-
know in the mind of the targeted victim. The pretexter must simply prepare answers to questions
that might be asked by the victim. In some cases, all that is needed is a voice that sounds
authoritative, an earnest tone, and an ability to think on one's feet to create a pretextual scenario.

1.4 File Security


1.4.1 Understand the effect of enabling/ disabling macro security settings.
Macros automate frequently used tasks to save time on keystrokes and mouse actions. Many were
created by using Visual Basic for Applications (VBA) and are written by software developers.
However, some macros can pose a potential security risk. A person with malicious intent, also
known as a hacker, can introduce a destructive macro in a file that can spread a virus on your
computer or into your organization's network. Using settings that enable all macros in Office
documents makes your computer vulnerable to potentially malicious code and is not recommended.
1.4.2 Set a password for files like: documents, compressed files, spreadsheets.
Saving your documents with a password improves their security, although it is not a
guarantee of perfect security. Know how to set passwords in MS Office applications (but be careful
not to forget the passwords).
1.4.3 Understand the advantages and limitations of encryption.
Advantages

The single most important reason for using encryption is to preserve confidentiality. This means
that only an authorized receiver can read the message (the receiver must have the appropriate
decryption key).

Limitations
Overhead: encrypting and decrypting messages takes time, especially if a digital certificate is
involved, because the certificate may have to be validated as well.
Encryption Keys: Without a doubt, data encryption is a monumental task for an IT specialist. The
more data encryption keys there are the more difficult IT administrative tasks for maintaining all of
the keys can be. If you lose the key to the encryption, you have lost the data associated with it.
Expense: Data encryption can prove to be quite costly, because the systems that perform the
encryption need the capacity and upgrades to handle such tasks. Without capable systems, normal
system operations can be significantly slowed down.
Compatibility: Data encryption technology can be tricky when you are layering it with existing
programs and applications. This can negatively impact routine operations within the system.

2. Malware

2.1 Definition and Function


2.1.1 Understand the term malware.
Malware, short for malicious software, is any software used to disrupt computer operation, gather
sensitive information, or gain access to private computer systems.

2.1.2 Recognize different ways that malware can be concealed like: Trojans, rootkits and back
doors.
2.2 Types
2.2.1 Recognize types of infectious malware and understand how they work like: viruses, worms.
2.2.2 Recognize types of data theft, profit generating/extortion malware and understand how they
work like: adware, spyware, botnets, keystroke logging and dialers.
2.3 Protection
2.3.1 Understand how anti-virus software works and its limitations.
2.3.2 Scan specific drives, folders, files using anti-virus software. Schedule scans using anti-virus
software.
2.3.3 Understand the term quarantine and the effect of quarantining infected/suspicious files.
2.3.4 Understand the importance of downloading and installing software updates, anti-virus
definition files.
