
PHYSICAL & SOFTWARE

Security Controls
LEARNING INTENTION
• To understand the types of threats to data and information and the security measures that can be put in place to help protect it.

Success criteria
Can you describe...
• What the three categories of threats are?
• What is classed as an event-based threat?
• What protection and detection are?
• The advantages and disadvantages of symmetric and asymmetric encryption?
• How logical and physical security are different? (use examples)
U4O2 Key Knowledge Covered
• Physical and software security controls used to protect software development practices and to protect software and data, including version control, user authentication, encryption and software updates
• Software auditing and testing strategies to identify and minimise potential risks
Contents
• Threats
• Physical Security
• Software Security Controls
• Software Development Practices
• Minimising Potential Risks
The Nature of Threats
• The nature of threats to an information system can be placed into three broad categories:
  – Accidental
  – Event-based
  – Deliberate
Accidental Threats
• Incompetent employees
• "Misplaced" data
Incompetent employees
• One of the most common threats to data
• Poorly trained staff routinely destroy more data than outside attackers do
• Good intentions won't bring back deleted data
• Train users fully; give good documentation
Incompetent employees
• Only give users enough access to data to do their job (hierarchical data access, also called least privilege) – this limits the damage they can do, whether by mistake or on purpose
• Use good software that makes mistakes harder to make (for example, confirmation prompts before destructive actions, undo, and versioned backups)
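The "hierarchical data access" idea above, as an added example that is not part of the original slides: a small role hierarchy in which each role inherits its parent's permissions, a check that denies anything not explicitly granted, and a helper that reports how much data a mistaken click in each role could damage. The roles, resources and grants are constructed for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]   # (action, resource)

# Constructed role hierarchy (assumption, not from the slides): each role
# inherits everything its parent role can do, so access grows with seniority.
ROLE_PARENT: Dict[str, Optional[str]] = {
    "clerk": None,
    "supervisor": "clerk",
    "finance_admin": "supervisor",
}

# Permissions granted directly to each role. Anything not listed is denied.
ROLE_GRANTS: Dict[str, Set[Permission]] = {
    "clerk": {("read", "invoices")},
    "supervisor": {("update", "invoices"), ("read", "payroll")},
    "finance_admin": {("delete", "invoices"), ("update", "payroll")},
}

DESTRUCTIVE = {"update", "delete"}   # actions that can lose data


def effective_permissions(role: Optional[str]) -> Set[Permission]:
    """Collect the role's own grants plus those inherited up the chain."""
    perms: Set[Permission] = set()
    seen: Set[str] = set()
    while role is not None and role not in seen:   # `seen` guards against a cyclic config
        seen.add(role)
        perms |= ROLE_GRANTS.get(role, set())
        role = ROLE_PARENT.get(role)
    return perms


def is_allowed(role: Optional[str], action: str, resource: str) -> bool:
    """Deny by default: only an explicit grant somewhere up the chain allows the action."""
    return (action, resource) in effective_permissions(role)


def blast_radius(role: Optional[str]) -> List[str]:
    """Resources this role could damage by accident: the data a wrong click can change or delete."""
    return sorted({res for act, res in effective_permissions(role) if act in DESTRUCTIVE})


if __name__ == "__main__":
    for r in ("clerk", "supervisor", "finance_admin", "contractor"):
        print(f"{r:14} delete invoices: {str(is_allowed(r, 'delete', 'invoices')):5} "
              f"blast radius: {blast_radius(r)}")
```

Note that an unknown role such as "contractor" gets nothing: the check never falls back to "allow" when it cannot find a grant.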
"Misplaced" data
• Poor file handling procedures can lead to files being impossible to find without huge searches
• The data may not be destroyed, but it is equally inaccessible
• Solution: a properly planned and enforced file and folder naming scheme
• Version control – prevents recent documents being overwritten with old data
Event-based Threats
• Event-based threats are ones that are outside the control of the users
• They can be small scale, for example:
  – Hard drive failure
  – Power failure
  – Software freezing
• They can also be on a much larger scale, for example:
  – Natural disasters (fire, flood, earthquake, lightning, etc.)
  – Runaway truck, power surge, riot, war
• Because no one can be locked out of a flood, these are countered by redundancy and tested off-site backups rather than by access controls
Deliberate Threats
• People who gain unauthorised access to an organisation's information:
  – Hackers: white hat (authorised, ethical testers), grey hat (unauthorised but not malicious), black hat (malicious), script kiddies (unskilled attackers running tools written by others)
  – Spies – stealing data/information without detection
  – Insiders – employees abusing their access to company information and systems
  – Cybercriminals – harvest information and scam users/companies for financial gain
  – Cyberterrorists – attack on the basis of their beliefs/principles; attack timing and frequency are chosen to cause maximum disruption/damage
Threats Categories
[Summary diagram of the three threat categories: accidental, event-based and deliberate]
Physical Security
• Preventing unauthorised access to physical hardware and software by using physical barriers and authentication techniques.

Physical Barriers:
• Fences
• Locked doors
• Bars on windows
• Alarms
• CCTV
• Motion detectors
• Fire alarms/extinguishers
• Security guards

Biometric Authentication:
• Strong biometrics – features that are highly distinctive and stable over time:
  – Fingerprints
  – Retinal scans
  – Iris scans
  – Hand vein pattern
• Less reliable biometrics:
  – Face recognition
  – Voice recognition
  – Walk (gait) recognition
• Caveat: no biometric is literally 100% unique or unchanging. Every reader has a false-accept and a false-reject rate, and a compromised biometric cannot be reissued the way a password can, so biometrics work best combined with another factor (a card or PIN).
Physical Security
Typical secure building layout
[Diagram of a typical secure building layout]
Software Security Controls
• Software security controls are often called logical controls because the barriers to the system are not physical, but coded into the system
• Why do we need them?
  – Billions of dollars and thousands of hours are dedicated to computer security each year
  – The number of attacks prevented each year is increasing
  – The number of successful attacks is also increasing
Protection & Detection
• Security is primarily concerned with protection but also includes detection
• Protection – preventing malicious attacks on data (access controls, firewalls, encryption)
• Detection – monitoring systems and files for signs of an intruder, so that an attack that gets past the protective controls is noticed and dealt with rather than going unseen
Software Security Controls
• Firewalls
• Antivirus Software
• Spam Filters
• Honeypot Intrusion Detection
• User Authentication (covered under Software Development Practices)
• Encryption (covered under Software Development Practices)
• Version Control (covered under Software Development Practices)
• Software Updates (covered under Software Development Practices)
Software Security Controls
• Firewalls
  – A software or hardware system that controls and monitors the traffic in and out of a network, allowing only authorised traffic through
  – Controls outward traffic too, limiting what users of the network can access online (and what a compromised machine inside can send out)
  – Mostly protects a system from hackers entering the network to do harm to the system or data stores
  – Rules are checked in order and the first match decides; anything no rule explicitly allows should be denied (default deny)
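An added example (not from the original slides) of the firewall behaviour described above: an ordered ruleset that filters both inbound and outbound traffic, a first-match evaluator that falls through to default deny, and a check for "shadowed" rules that an earlier rule makes unreachable. The network addresses and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: str                   # "in" (entering the network) or "out" (leaving it)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port
    proto: str = "tcp"


def rule(action, direction, src, dst, dport=None, proto="tcp") -> Rule:
    return Rule(action, direction, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport, proto)


LAN = "192.168.1.0/24"     # assumption: the protected internal network
ANY = "0.0.0.0/0"

# Constructed ruleset (not from the slides). Order matters: first match wins.
RULESET: List[Rule] = [
    rule("allow", "in",  ANY, "192.168.1.10/32", 443),   # public HTTPS to one web server only
    rule("allow", "in",  LAN, LAN, 22),                  # SSH only from inside the LAN
    rule("deny",  "out", LAN, ANY, 25),                  # no direct outbound SMTP (spam bots)
    rule("allow", "out", LAN, ANY),                      # everything else may leave
]


def decide(rules: List[Rule], direction: str, src: str, dst: str,
           dport: int, proto: str = "tcp") -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). Unmatched traffic is denied: default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (r.direction == direction and r.proto == proto
                and s in r.src and d in r.dst
                and (r.dport is None or r.dport == dport)):
            return r.action, i
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already covers them.
    A shadowed rule means the policy does not do what its author thinks it does."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.direction == later.direction and earlier.proto == later.proto
                    and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    checks = [
        ("in",  "203.0.113.5",  "192.168.1.10", 443),   # internet -> web server: allowed
        ("in",  "203.0.113.5",  "192.168.1.10", 22),    # internet -> SSH: denied by default
        ("in",  "192.168.1.20", "192.168.1.10", 22),    # LAN -> SSH: allowed
        ("out", "192.168.1.20", "198.51.100.7", 25),    # workstation -> SMTP: denied
        ("out", "192.168.1.20", "198.51.100.7", 443),   # workstation -> HTTPS: allowed
    ]
    for c in checks:
        print(c, "->", decide(RULESET, *c))
    # A deny rule added after the catch-all allow can never fire:
    print("shadowed:", shadowed_rules(RULESET + [rule("deny", "out", LAN, ANY, 80)]))
```

The second check is the important one: SSH from the internet is not blocked by any rule that mentions it, it is blocked because nothing allows it. A ruleset that ends in "allow anything" instead gives the opposite result for every unlisted service.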
Software Security Controls
• Antivirus Software
  – Scans your system for known viruses (signatures) or detects system behaviour that may indicate an infection (heuristics)
  – Only as good as its last update: definitions must be kept current
• Spam Filter
  – Malware, including worms, is often delivered as an email attachment or link
  – An effective spam filter with up-to-date definitions can stop many of these messages before a user ever sees them
Software Security Controls
• Honeypot Intrusion Detection
  – A "honeypot" is a server set up as generically as possible and without much protection, to lure intruders
  – It is often populated with old or useless data that seems legitimate and valuable
  – The honeypot is often inside the firewall of the network, but isolated from the real servers so that a compromised decoy cannot be used as a stepping stone to them
  – It runs active logging and tracing software. Because no legitimate user has any reason to connect to it, any traffic on it can immediately alert administrators to an intrusion
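The detection side of the honeypot, as an added example that is not part of the original slides: a parser for connection log lines and an alerting routine that flags every source that touched the decoy, rating a source that probed several ports (which looks like a scan) higher than one that made a single connection. The honeypot address, log format and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumption: the decoy's address. Nothing legitimate is ever configured to talk to it.
HONEYPOT_HOSTS = {"10.0.0.250"}

# Constructed sample of firewall/connection log lines (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.15 dst=10.0.0.20 dport=443 action=accept
2024-05-01T10:00:05Z src=10.0.0.15 dst=10.0.0.250 dport=22 action=accept
2024-05-01T10:00:06Z src=10.0.0.15 dst=10.0.0.250 dport=445 action=accept
2024-05-01T10:00:07Z src=10.0.0.15 dst=10.0.0.250 dport=3389 action=accept
2024-05-01T10:01:00Z src=10.0.0.31 dst=10.0.0.20 dport=443 action=accept
2024-05-01T10:02:00Z src=10.0.0.99 dst=10.0.0.250 dport=80 action=accept
this line is garbage and must not crash the parser
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """One log line to a dict, or None for lines that do not match the expected format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def honeypot_alerts(log_text: str, honeypots=HONEYPOT_HOSTS) -> List[dict]:
    """One alert per source that touched a decoy. Several distinct ports from the
    same source looks like a scan, so it is rated higher than a single connection."""
    hits: Dict[str, List[tuple]] = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["dst"] in honeypots:
            hits[event["src"]].append((event["ts"], int(event["dport"])))

    alerts = []
    for src, events in sorted(hits.items()):
        ports = sorted({port for _, port in events})
        alerts.append({
            "src": src,
            "first_seen": events[0][0],
            "ports": ports,
            "severity": "high" if len(ports) >= 3 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in honeypot_alerts(SAMPLE_LOG):
        print(f"[{alert['severity'].upper()}] {alert['src']} touched the honeypot at "
              f"{alert['first_seen']} on ports {alert['ports']}")
```

The decoy gives detection a very low false-positive rate precisely because the baseline of legitimate traffic to it is zero; the same logic applied to a real server would drown in normal connections.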
Software Development Practices
• User Authentication
  – Falls into three categories:
    • Ownership factors (based on something the user has)
    • Knowledge factors (based on something the user knows)
    • Inherence factors (based on something the user is)
Software Development Practices
• User Authentication
  – Ownership factors
    • ID card, security token, mobile phone (e.g. an authenticator app), implanted device
  – Knowledge factors
    • A password, a pass phrase, a Personal Identification Number (PIN), the answer to a security question
    • A 'captcha' is sometimes listed here, but it only checks that the respondent is human; it does not identify a particular user, so it is not an authentication factor on its own
  – Inherence factors
    • Fingerprint, retinal pattern, DNA sequence, signature, face, voice
  – Combining factors from two different categories (multi-factor authentication) means a stolen password alone is not enough to log in
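An added example (not from the original slides) combining a knowledge factor with an ownership factor: the password is stored as a salted PBKDF2 hash and checked in constant time, and the "something you have" is a time-based one-time code from an authenticator app, implemented as RFC 4226 HOTP / RFC 6238 TOTP so that the published test vectors reproduce. The iteration count and the demo secret are assumptions; the secret is the RFC 4226 test key so the numbers can be checked against the standard.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000   # assumption: tune to your hardware
TOTP_STEP = 30            # seconds per TOTP window (RFC 6238 default)


def make_password_record(password: str) -> dict:
    """Store a salted PBKDF2 hash, never the password itself (knowledge factor)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (ownership factor)."""
    return hotp(secret, now // step)


def check_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current window and +/- `window` neighbours to tolerate clock drift."""
    counter = now // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


def verify_login(record: dict, totp_secret: bytes, password: str, code: str, now=None) -> bool:
    """Two factors: something the user knows (password) AND something they have (authenticator)."""
    now = int(time.time()) if now is None else now
    # Evaluate both factors unconditionally so response time does not reveal which one failed.
    password_ok = check_password(record, password)
    code_ok = check_totp(totp_secret, code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 4226 test key; use os.urandom(20) for real users
    record = make_password_record("correct horse battery staple")
    print("code at T=59:", totp(secret, 59))    # RFC 6238 vector: 287082
    print("login ok:", verify_login(record, secret, "correct horse battery staple", totp(secret, 59), now=59))
    print("stolen password alone:", verify_login(record, secret, "correct horse battery staple", "000000", now=59))
```

Checking the password and the code together, rather than returning early on the first failure, keeps the timing of a wrong-password response indistinguishable from a wrong-code response.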
Software Development Practices
• Encryption
  – The process of encoding information so that it is unreadable to anyone who does not hold the key
  – Requires the use of an algorithm known as a cipher
    • The original information is known as 'plaintext'
    • The encoded information is known as 'ciphertext'
  – There are two main types of encryption:
    • Symmetric key encryption
    • Asymmetric key encryption
Software Development Practices
• Symmetric Key Encryption
  – Used to send large amounts of information across the Internet, because it is fast
  – How it works:
    • The 'plaintext' is encrypted using a 'secret key'
    • The ciphertext is sent to the recipient
    • The recipient decrypts it using the same key
  – A very secure way of sending information, provided the key stays secret
  – The problem that arises is key distribution: how does the sender let the recipient know what the secret key is?
    • It needs to be exchanged via another channel that is itself secure
  – And how long will that key remain secure? Every party that holds it is a point of compromise, and a leaked key exposes everything ever encrypted under it
Software Development Practices
• Asymmetric Key Encryption
  – Uses two mathematically related keys instead of one
    • A public key – can be shared with anyone; it can only encrypt information (it cannot decrypt)
    • A private key – kept secret by its owner; used to decrypt the information that was encrypted with the matching public key
  – How it works:
    • The sender obtains the recipient's public key and uses it to encrypt the information
    • The recipient (owner of the public and private key) receives the encrypted information and decrypts it using the private key
  – Solves the key-distribution problem, because the public key does not need to be kept secret
  – Works well but is not good for large amounts of information as it is slow compared to symmetric key encryption
  – Caveat: the sender must be sure the public key really belongs to the intended recipient, otherwise an attacker can substitute their own key and read everything
Software Development Practices
• Hybrid Encryption
  – Using both symmetric and asymmetric encryption allows large amounts of information to be transferred quickly and safely
  – How it works:
    • The sender asks the recipient for their public key
    • The sender creates a fresh 'secret key' and encrypts the information with it (symmetric, fast)
    • The sender encrypts that 'secret key' with the recipient's public key (asymmetric, but only on a few bytes)
    • The sender sends the public-key-encrypted 'secret key' and the 'secret-key'-encrypted information to the recipient
    • The recipient uses their private key to decrypt the 'secret key'
    • The recipient then uses the 'secret key' to decrypt the encrypted information
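The symmetric, asymmetric and hybrid schemes of the last three slides, carried through in one added example that is not part of the original slides. The asymmetric step is textbook RSA on two fixed primes so the key pair is deterministic and the whole thing runs with the standard library; the symmetric step is a counter-mode stream cipher keyed from HMAC-SHA256 with an encrypt-then-MAC tag. Both are stand-ins chosen for readability: real systems use RSA-OAEP (or an elliptic-curve exchange) and AES-GCM, and the toy RSA here has neither padding nor a safe key size. The primes, key length and message are assumptions.

```python
import hashlib
import hmac
import os
import struct

# Toy RSA parameters (assumption, not from the slides): two fixed Mersenne primes
# so the key pair is deterministic. Textbook RSA only: no padding, ~150-bit modulus.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)                    # shared with anyone
PRIVATE_KEY = (N, D)                   # kept by the recipient

KEY_BYTES = 16                         # length of the symmetric session key


def rsa_wrap_key(session_key: bytes, public_key=PUBLIC_KEY) -> int:
    """Asymmetric step: encrypt the short session key with the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(session_key, "big")
    if m >= n:
        raise ValueError("message too large for toy modulus")
    return pow(m, e, n)


def rsa_unwrap_key(wrapped: int, private_key=PRIVATE_KEY) -> bytes:
    """Recipient recovers the session key with the private key."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(KEY_BYTES, "big")


def _derive(key: bytes, label: bytes) -> bytes:
    # Split one session key into independent encryption and MAC keys.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (a PRF), standing in for AES-CTR.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(session_key: bytes, plaintext: bytes) -> bytes:
    """Symmetric step: fast bulk encryption plus an integrity tag (encrypt-then-MAC)."""
    enc_key, mac_key = _derive(session_key, b"enc"), _derive(session_key, b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def sym_decrypt(session_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _derive(session_key, b"enc"), _derive(session_key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # verify before decrypting
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def hybrid_encrypt(plaintext: bytes, recipient_public_key=PUBLIC_KEY):
    """Sender: fresh session key, wrap it asymmetrically, encrypt the bulk data symmetrically."""
    session_key = os.urandom(KEY_BYTES)
    return rsa_wrap_key(session_key, recipient_public_key), sym_encrypt(session_key, plaintext)


def hybrid_decrypt(wrapped_key: int, blob: bytes, private_key=PRIVATE_KEY) -> bytes:
    """Recipient: unwrap the session key with the private key, then decrypt the data."""
    return sym_decrypt(rsa_unwrap_key(wrapped_key, private_key), blob)


def tamper_is_detected(plaintext: bytes) -> bool:
    """Flip one ciphertext bit in transit and confirm the recipient rejects the message."""
    wrapped, blob = hybrid_encrypt(plaintext)
    damaged = bytearray(blob)
    damaged[20] ^= 0x01                  # byte 20 lies inside the ciphertext
    try:
        hybrid_decrypt(wrapped, bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    message = b"Quarterly report: " + b"x" * 10_000      # constructed large payload
    wrapped, blob = hybrid_encrypt(message)
    print("RSA only ever sees", KEY_BYTES, "bytes; the stream cipher handles", len(message))
    print("decrypts correctly:", hybrid_decrypt(wrapped, blob) == message)
    print("tamper detected:", tamper_is_detected(message))
```

Only 16 bytes go through the slow asymmetric operation however large the message is, which is the whole point of the hybrid scheme; the integrity tag is what keeps an attacker from flipping bits in the ciphertext unnoticed, a protection that encryption alone does not give.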
Software Development Practices
• Version Control
  – Records every change to source code and documents, so that a bad change can be identified and rolled back, and an older copy can never silently overwrite a newer one
  – Keeping key software packages updated where possible is a separate but related practice; together they minimise the possibility of vulnerabilities existing and being exploited
  – Software to help with version control:
    • Git (open source)
    • Subversion (open source)
    • Atlassian Bitbucket (commercial hosting for Git repositories)
Software Development Practices
• Software Updates
  – Hackers investigate weaknesses in software to take advantage of any device or user profile they can access
  – Hackers create malware that uses software vulnerabilities to spread and to exploit users of the software
  – The developers of the software release patches to fix these vulnerabilities as they come to light
  – Once a patch is published, the vulnerability it fixes is public too, so systems that stay unpatched become easier targets, not harder ones
Software Development Practices
• Software Updates
  – It is always important to make installing updates a priority when setting up security procedures
  – Software that commonly needs to be kept updated:
    • Operating systems
    • Anti-malware
    • Security software
    • Browsers
    • Web plugins
    • Applications
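An added example (not from the original slides) of the check behind "keep it updated": compare what is installed against the lowest version that contains a fix and list what still needs patching. The one subtlety it exists to show is that version strings must be compared numerically, component by component; as plain strings "2.9.10" sorts before "2.9.9". The inventory and the minimum fixed versions are constructed; in practice the latter come from the vendor's advisory or a vulnerability feed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory of installed software (assumption, not from the slides).
INSTALLED: Dict[str, str] = {
    "browser": "121.0.2",
    "office-suite": "2.9.10",
    "pdf-plugin": "1.4",
    "os-kernel": "6.1.55",
}

# Constructed: the lowest version of each package that contains the relevant fix.
MINIMUM_FIXED: Dict[str, str] = {
    "browser": "121.0.2",
    "office-suite": "2.9.9",
    "pdf-plugin": "1.4.1",
    "os-kernel": "6.1.60",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.9.10' into (2, 9, 10) so that comparison is numeric, not alphabetical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_older(installed: str, required: str) -> bool:
    """True when `installed` is behind `required`. Missing trailing parts count as zero,
    so '1.4' is treated as '1.4.0' and is older than '1.4.1'."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def outdated(installed: Dict[str, str], minimum_fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Packages that still need a patch, as (name, installed version, required version)."""
    return sorted(
        (name, installed[name], minimum_fixed[name])
        for name in installed
        if name in minimum_fixed and is_older(installed[name], minimum_fixed[name])
    )


if __name__ == "__main__":
    for name, have, need in outdated(INSTALLED, MINIMUM_FIXED):
        print(f"UPDATE {name}: installed {have}, need at least {need}")
    print("string compare would call 2.9.10 old:", "2.9.10" < "2.9.9")   # True, and wrong
```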
Minimising Potential Risks
• The best approach to security is to reduce the risks rather than try to eliminate them
  – Eliminating all risks is nearly impossible because of how quickly technology is changing
• Possible strategies to reduce risks:
  – Software Auditing
  – Penetration Testing
Minimising Potential Risks
• Software Auditing
  – The process of investigating:
    • The quality of the software
    • Its adherence to regulations
    • Its security requirements
  – Auditing is usually done by persons external to, and independent of, the development process
Minimising Potential Risks
• Software Auditing
  – Auditing the security of a software product has a three-stage approach:
  – Preventive:
    • Attempt to predict potential problems before they occur and make adjustments to the software
  – Detective:
    • Use controls that detect and report the occurrence of an error, omission or malicious act
  – Corrective:
    • Minimise the impact of a threat by resolving problems discovered by detective controls, identifying and correcting the errors, and modifying the processing systems to minimise future events
Minimising Potential Risks
• Penetration Testing
  – Also known as a pen test
  – Penetration testing identifies security vulnerabilities in an application or network (web applications are the most common target) by attacking it the way a real intruder would, with the owner's permission
  – Achieved by probing every page, input and parameter of the application for known weaknesses
  – A very time-consuming process if attempted manually
  – There are automated security tools that will perform continuous web application penetration tests
    • These automated tests rely on up-to-date descriptions of the inputs and parameters that can cause a vulnerability, so they miss weaknesses that have not yet been described; manual testing is still needed for logic flaws