1. ICT Security
1. Introduction
1.1 Definition of ICT
1.2 ICT Security in General Terms
2. Risk Assessment
2.1 Steps
2.2 Governance
3. Security Concerns
3.1 People
3.2 Physical Security of Assets
3.3 Wireless
3.4 Web Threats
4. Risk Assessment of a Private School
2. 1. Introduction
The globalization and ever changing technological landscape of society influenced our way of life to
change rapidly. We concerned with technology in every parts of daily life. Global economy at the present
time depends on new technology, knowledge, and information. Whoever contain effective all of the three
factors is easier to success. So, the old tradition of teaching in school that students learn in the fixed
period of time and wait for only teachers is not enough for the globalization anymore. All students need
to find more information outside the class. Learning by themselves is an important thing that causes a
student to differ from one another. “The illiterate of the 21st century,” according to a noted futurist, “will
not be those who cannot read and write, but those who cannot learn, unlearn and relearn.” (Toffler, 2011)
Information and communication technologies (ICTs) can be one of the most useful tools for student
learning. It supports students to learn what they want to know easier than going to join a tutoring center or
asking some advices from a teacher. Some mediums of ICT are every effective. Students can learn step by
step according to well-designed products. Not only the ICT components expand student’s knowledge,
they also help teacher to access effective knowledge for their students. Teachers will design what to teach
effectively within the fixed period. Students will get the best information from their teachers. Besides, if
there are some parts that students feel that they do not have enough information, they can find out more
by the ICT mediums. It seems like using the ICTs is very simple. In fact, setting the ICTs into the
educational system is very complicated. It concerns complex process, technique, and budget. Indeed,
getting the technology and physically installing it into an environment is the easiest part provided you
have the capital. Other areas of concern include software, training, governance and security. ICT security
in particular is of great import and concern and should be given due consideration when ICT is present in
any capacity.
1.1 Definition of ICT
Information and communication technology or ICT is mostly defined as the internet which is technology
providing accesses to information through telecommunications. Somebody may confuse about its
meaning because of it is similar to information technology or IT. Intact, ICT includes all kinds of
telecommunications, covering phone, Internet, wireless network, and other telecommunication mediums.
ICT is useful for both private and government sectors. The easy example is using ICT in school. With
ICT, learning process in schools at all levels will be more effective due to easy access to information.
Students in one school can search the Internet to find information from anywhere in the world. It is also
convenient for teachers in many aspects such as designing teaching plan, consulting, meeting, and etc.
Therefore, the meaning of ICT is some mediums based on telecommunications.
1.2 ICT Security in General Terms
Another apt expression of writing regarding ICT states, “Our technological powers increase, but the side
effects and potential hazards also escalate” (Toffler, 2011). One of the most important of these “side
effects” and potential hazards in terms of ICT is security. Presently, the meaning of the word security
implies reflections and reasoning which are different from just a few years ago. In the past, society and
business thought about security in terms of physical theft, fraud, sabotage and perhaps more sinister
methods. However, with sensitive information increasingly being entrusted, stored and transmitted using
ICT, security has taken on new meanings and relevance. Businesses must therefore take into account that
defense and the prevention of adverse events with regard to ICT security has become an important
consideration when conducting business over the internet and in an effort to protect the ability to be
productive and competitive. Security is something any business with ICT cannot do without. One
technology writer surmises, “Security is the protection of information, systems and services against
disasters, mistakes and manipulation so that the likelihood and impact of security incidents is minimised”
(B o r a n S . , 2003).
3. Due to increasing application of information and communication technologies, ICT systems represent the
foundation and the means of transmission for all pieces of information that are fundamental to businesses.
ICT systems are more increasingly more complex and in turn vulnerable with the growing presence of
viruses. In fact, launching or acquiring damaging attacks against ICT systems requires less and less skill.
Damage can often occur without the knowledge of the users and transmission of viruses can be
accomplished covertly and unwittingly. ICT systems themselves are also becoming more complex and as
a consequence are likely to be exposed to intrusions and technology develops. Further, the spread and
increasing use of wireless technology has created new opportunities for attacks, which are difficult to
defend as they are literally and figuratively available to anyone. In spite of all these factors, most attacks
to ICT systems still take advantage of weaknesses that have no clear solutions in the never ending war
between attackers and defenders. The different classifications of attacks to ICT are numerous with the
most prevalent being:
Theft of information storage hardware (laptops, hard drives, hard disks, tapes, etc.)
Denial of service
Virus contamination
Trojan horses
Piracy and fraud
Unauthorized access or changes to information or system data/settings
Unauthorized use
2. Risk Assessment
It is nearly impossible to be completely prescriptive about ICT security and one of the first tasks
required when dealing with ICT security is to identify and assess overall and specific risks. The process is
usually divided into four main phases.
1. Identifying the risk
2. Evaluating the risk
3. Analyzing the risk
4. Managing the risk
There will always be a need to assess ICT security, and doing so is good practice for any business that
wants to carry on its function because without knowing what the risks are it is impossible to manage
them. Although risks to ICT systems will change and evolve as technology is adopted to support a
business’ mission, it is not a subject that should be taken lightly or disregarded in any stretch of the
imagination. Since ICT is at the core of how businesses operate and function, particular care to this part
of an organization, company or business is paramount.
2.1 Steps
First, it is important to identify any possible areas of risk and glean the most understanding possible of
what those risks may be. Second, once identified thought must be given to how the risk may cause harm
to the business and how likely that risk may occur (e.g. high, medium, low likelihood). Next, an analysis
is conducted to determine what possible consequences would result if the risk did occur. Finally, once the
risk factors have been established and researched, systems, policies and procedures can be put in place to
eliminate or at least minimize the risk. ICT security risk assessment needs to be included in any business
organization’s overall risk management strategy.
4. 2.2 Governance
Merely having policies and procedures in place to combat security risks is in itself not enough. These
policies and procedures will need to be enforced and regularly reviewed for relevance. This means that
one or several members of an organization’s staff, depending on the nature of the organization, is clearly
identified and given the responsibility of assessing, planning for, carrying out, and documenting ICT risk
assessments. These staff members will also be given the task of reviewing those policies and procedures
put in place for effectiveness and compliance. The overall decisions on ICT security policy should be
made at the managerial level. It is important that decisions be made within the framework of the
organization’s function and overall goals and thus decisions and recommendations concerning ICT
security should be reviewed by management or someone who is aware of the wider strategic issues,
whether or not they are technically competent.
3. Security Concerns
3.1 People
People are the biggest threat to the security of ICTs, whether inadvertently or deliberately. The very core
idea of human nature is that we are not infallible and that we make mistakes, again often inadvertently.
No matter how technically complex an ICT security policy, people are usually the weak link that creates
or exacerbates risk. It is important that an organization’s staff be educated about the potential risks and
how they can avoid them. Proper training should be given to all members of an organization regarding the
policies and procedures of ICT.
“Information security (IS) management polls continue to reveal that insider threat, due to
disgruntled employees or dishonest employees, is the number one risk to the security of computing
resources. Likewise, the 1996 National Retail Security Survey indicates that 42% of inventory
shrinkage is due to employee theft. Further, today’s highly competitive, technologically advanced
workplace generates an environment where talented technicians move from one organization to
another, and take their knowledge with them” (K r a u s e , M i c k i , & T i p t o n , 1997).
3.2 Physical Security of Assets
ICT hardware is generally expensive and therefore should be safeguarded from theft, not only from the
point of the theft itself, but also because of the valuable information housed within. Taking precautions
will reduce the risks associated with ICT hardware and any possible disastrous results.
3.3 Wireless
ICT systems sometimes become susceptible to risk because of the wireless standards used by an
organization. All standards of wireless fidelity (WiFi) are accessible by anyone with the right equipment
and skills. Therefore any system using wireless could be tapped into and information compromised,
altered, or stolen. With the sensitive nature of the information stored on ICT these days, particular care
should be exercised when using wireless as a means of information transmission. Since all data
transmissions using wireless travel through the frequency waves, it becomes possible to intercept or copy
the information transferred.
5. Figure1. Illustration of wireless transmission risk
mobile device eavesdropping server
interference
active attack
(I m a i , 2006)
3.4 Web Threats
The Internet has also played a role in the presence and spread of ICT risk. Just about every aspect of web
based information and communication necessitates the transfer (e.g. downloading, uploading, duplicating)
of information and often risks are present at this stage. Just as the common cold is easily transferred
between people, so also can ICT risk be transferred from device to device, computer to computer, system
to system and network to network. It can then become an amorphous risk to all until it is identified and
managed.
4. Risk Assessment of a Private School
The specific aspects of security mentioned previously were done so because these are also the most
overlooked areas of ICT security at the scrutinized location of this document, a private educational
facility in Southeast Asia. The school in question has ICT infrastructure in place throughout the facility
for use by both staff and students. There is ICT present in most classrooms, two libraries, in the staff
offices, and in various other areas of the school. All of the ICT components operate on a common
network and, with the exception of staff and administration computers, are accessible to the student
population. It is possible to close accessible points to a network. However, the school can provide some
budget and time for the controllers to monitor. If the school does not have enough budgets, frequent
checking is also a powerful method to investigate the happening problem and solve it. Mostly, the risks in
security concern misconfiguration and poor programming of the staff. The school should search for an
effective specialist to be an administrator. If the network is controlled by proper staff, the risks will
reduce. The risks identified at the private educational facility mentioned herein will also be accompanied
by possible and available remedies.
4.1 Configuration Errors- These errors create risks that enable attackers to destroy systems.
Configuration is the most important part to protect the system; however, there maybe some errors
such as incorrect setting file permission, setting poor password, and leaving some services open. The
solution to reduce these configuration errors is setting standard procedures for a system
administrator to follow. Moreover, there should be a follow-up team to monitor some errors that may
happen from configuration. This risk is present at the facility. The administration does not have a
schedule for setting or changing default network passwords and any passwords currently in place are
not safeguarded. As a possible remedy, a member of the ICT department should be tasked with
creating a schedule to change or reset passwords on all facility networks and servers which only the
management echelon will be advised of.
4.2 Default Accounts- Some applications install with default accounts and passwords. In some instances,
the installation programming uses a default user ID and password that the installer uses with the
intention of changing at a later time. Most of these default accounts have default passwords
6. associated with them, and even if administrators have changed the default passwords on these
accounts, the accounts themselves are common targets for attack. Once the account is breached, the
attacker has administrator rights over the system. System administrators should rename or delete
these default accounts so that they are less likely to become targets of attack.
4.3 File Permissions- Improper file permissions can also be a source of vulnerability. File permissions
determine what the user has access to and what programs that user can run. Additionally, since some
programs run under the context of a higher-level user, mis-configuration of security settings on these
programs could allow a user to elevate their access. Sometimes, settings directories give full
programming access to the “everyone” group, giving any user access into the system programming.
The facility should regularly review file permissions and set them at the most restrictive level
possible while still achieving the desired level of the sharing.
4.4 Network Architecture- A secure network should be designed and constructed to separate the internal
network from access by external sources using the Internet and all incoming and outgoing traffic
should be filtered through a robust and effective firewall. At present, all ICT resources in classrooms
at the facility have direct connections through local access networks (LAN) without the benefit of
being monitored or filtered by any security methods. Additionally, students with access to the
school’s computers are also in possession of portable information storing devices such as external
hard drives, CDs and DVDs, and USB drives. In this way viruses and other forms of malicious
software are downloaded from various sources and then transmitted or spread throughout the
network. As a remedy, classroom computers should have their access to the Internet routed through
administrator controlled firewalls that are closely monitored. Additionally, use of external
information storage devices should be restricted to only those computers that are free of risks and
regulated by competent school staff.
4.5 Virus and Anti-Virus- Most businesses think anti-virus software is the cure for attacks of this nature.
The threat from viruses varies with the type of malicious activity they attempt to perform. Some
viruses offer only annoyances with no permanent damage done, while others enable remote attackers
to gain unauthorized access to systems, applications and networks. The widespread problems
resulting from these viruses demonstrate a person’s abilities to hide malicious code relatively well. It
also shows how easy it is for users to unknowingly execute this code and compromise the security of
their system. Recent virus-scanning programs are quite advanced, but the scanners are only as good
as the virus definitions. Virus scanners must be constantly updated. Additionally, many new viruses
may not appear in the database and may be missed. Virus-scanning tools that employ heuristics and
sandboxes should be used in an attempt to catch these undefined viruses. Heuristics involve looking
for code or programs that resemble or could potentially be viruses. Sandboxes actually execute the
code or application in a quarantined environment and examine what the program does. If the
program appears to be a virus, the virus package quarantines the program and performs an alert
function. The heuristics and sandboxes hopefully catch any newly developed exploits and viruses
that may not have been included in the most recent virus definitions update. Here at this facility,
while anti-virus software exists, it is often outdated and the definitions seldom updated, a sort of
“install and forget” mentality. The remedy for this problem and area of risk is to regularly update the
anti-virus software and to ensure that the virus scanning software is current with the level of
programming available..
4.6 Wireless Networks- The facility regularly stores sensitive information such as student and staff
personal information, grades, exams and, more importantly, exam answers, on network computers
with wireless capabilities. The area of risk here is that the wireless network is easily accessible. This
network and the information stored within should be structured in an intranet with a centralized
access point for data transmission to outside sources. That centralized access point should use LAN
as opposed to wireless to maintain a better state of security. Currently. Any student with a proper
device such as a laptop can access the wireless network and in turn, with the proper skills and
knowledge, access the information contained therein.
7. 5. Conclusion
The educational facility scrutinized in this document is quite obviously lax in their approach to network
security. In fact, the issues/risks identified here are not the only problems faced by this facility.
Additionally, there is an issue of governance. Perhaps that should be the first step in order to get the
school headed in the right direction with regard to ICT security. Currently there appears to be no
identifiable party tasked with regulating the ICT infrastructure. Until this comes about, the risks faced by
the school will continue to be a source of great concern. As stated by the United Nations Educational ,
Scientific and Cultural Organization, “The use of ICT cuts across all aspects of economic and social life.
Technological developments in ICT are very rapid. Technology quickly becomes obsolete requiring new
skills and knowledge to be mastered frequently. Adaptation is only possible when based on a sound
understanding of the principles and concepts of ICT.” (Daniel J., 2002)
8. References
1. Toffler, Alvin. BrainyQuote.com. Xplore Inc, 2011. 15 February. 2011.
http://www.brainyquote.com/quotes/quotes/a/alvintoffl409080.html
2. Toffler, Alvin. BrainyQuote.com. Xplore Inc, 2011. 15 February. 2011.
http://www.brainyquote.com/quotes/quotes/a/alvintoffl386113.html
3. B o r a n , S e a n . " I T S e c u r i t y C o o k b o o k . " b o r a n . c o m . B o r a n C o n s u l t i n g ,
0 2 . J u n e . 2 0 0 3 . W e b . 1 6 F e b 2 0 1 1 . < h t t p : / / w w w . b o r a n . c o m / s e c u r i t y / >.
4. K r a u s e , M i c k i , a n d H a l T i p t o n . " H a n d b o o k o f I n f o r m a t i o n S e c u r i t y
Management." cccure.com. CRC Press LLC, 1997. Web. 16 Feb 2011.
http://www.cccure.org/Documents/HISM/ewtoc.html
5. Imai, Hideki. Wireless Communications Security. Norwood, MA, USA:
Artech House, Inc., 2006. 44. Print.
6. Daniel, John. Information and Computer Technology in Education: A Curriculum for Schools and
a Programme of Teacher Development. 15 Feb. 2011. United Nations Educational, Scientific and
Cultural Organization. 2002 <http://unesdoc.unesco.org/images/0012/001295/129538e.pdf>.