Skip to content

Security Risks and Precautions

What you need to Know

Describe and identify the implications for individuals and businesses of the Computer Misuse Act

Describe and identify the security risks of: tracking cookies, DOS (Denial of Service) attacks

Describe how encryption is used to secure transmission of data: use of public and private keys, digital certificates and digital signatures

The Computer Misues Act

“Hacking” - a broad term that covers a few things - is broadly governed by the Computer Misuse Act 1990. It is part of criminal law, and offenders can be jailed for up to ten years and subject to large fines.

For Higher, you need to know the three offences under the Act:

  1. Unauthorised access to computer material
  2. Unauthorised access with intent to commit further offences
  3. Unauthorised modification of computer material

Let’s say, for example, you hack my tracking spreadsheet and change your prelim mark… you have made unauthorised access (getting in) and unauthorised modifications (when you changed the mark).

Encryption, keys and Certificates

You want to send me your super-secret homework, so you encrypt it as you don’t want other people to steal your answers!

I have a public and a private key.

Everyone has my public key - that’s what makes it ‘public’.

Encryption is only a 3 Step Process

Step 1 - You use the public key to encrypt the homework for my-eyes-only.

Step 2 - Your encrypted homework is emailed to me

Step 3 - When I receive your homework, I use my private key to decrypt it.

So when you send a message that’s encrypted with my public key, it can only be decrypted with my private key.

I’m the only one who has the private key, so only I can read the message.

Sometimes, this is a bit much to get your head around!

The video below provide a good demonstration of it at work:

Digital Certificates and Signatures

Digital certificates are a related concept. As Robert explains in the video, it’s useful to know that a message encrypted with my private key definitely came from me.

I can use my digital certificate to prove the key is mine.

Likewise, a website with a digital certificate reassures you, as the customer, that the site is who they say they are (so you don’t accidentally give your card details to a site called Amazzoon or PayPail...)

Keys are sent with a digital certificate.

This certificate says who it’s from, when it expires, and who certified it. The companies that certify these certificates sign it with their digital signature to prove it’s authentic.

Tracking Cookies

Tracking cookies are small text files that are stored in your browser by websites.

They are not programs.

They store details like your log in, your viewing history, products you have shown an interest in, or other data that personalises the browsing experience to you.

You’re often asked for permission before a site uses cookies (this is a more recent change to the law).

But there is a Risk......

If the data in a cookie is sent unencrypted between your browser and the website, it could be intercepted.

For example, a less-trustworthy site might be able to access your browsing habits, what your interests are, and which other websites you’ve visited.

There’s a risk of unauthorised/unwanted access to your personal data.

Denial of Service (DOS) Attacks

A Denial of Service (DOS) attack seeks to bombard a website with so many requests that it can’t serve its real users. The aim is to force the site offline (to “crash” it) with millions of fake traffic requests.

At the very least, it will slow the site down, sometimes dramatically.

The huge number of requests overwhelms the site’s server by:

  • Consuming bandwidth (if the site can only host so many connections at once, the attacker floods them)

  • Resource starvation (say the site needs to run a process or program for each user, adding millions more “fake” users will use up all the system’s resources, slowing it to a crawl)

  • The Domain Name Server (DNS) turns web addresses you enter into IP addresses, like a sort of directory. Attacking the DNS prevents users from looking up the website.

You would notice a site might have been attacked if it is slow, or you can’t access it (it’s gone offline, or “down”).

This could cause financial losses for a business, since they would lose customers during the shutdown, as well as incurring costs to fix the attack.

The reasons for an attack might be personal, financial or political.

Example

You decide to cause a DOS attack on Microsoft Teams (I wouldn’t advise it…), that could be classed as a personal motive as you wanted to avoid homework.

If, on the other hand, you have shares in a rival homework platform, your motive could be financial - you benefit by forcing a rival offline.

In either case, you’re breaking the law.