Ethics, Privacy and Information Security
Chapter Outline
1. Ethical Issues
2. Threats to Information Security
3. Protecting Information Resources
Learning Objectives
Describe the major ethical issues related to information technology and identify situations in which they occur.
Describe the many threats to information security.
Understand the various defense mechanisms used to protect information systems.
Explain IT auditing and planning for disaster recovery.
1. Ethical Issues
Ethics. A branch of philosophy that deals with what is considered to be right and wrong. A Code of Ethics is a collection of principles that are intended to guide decision making by members of an organization.
Protecting Privacy
Privacy. The right to be left alone and to be free of unreasonable personal intrusions. Two rules have been followed fairly closely in past court decisions in many countries:
The right of privacy is not absolute. Privacy must be balanced against the needs of society. The public's right to know is superior to the individual's right of privacy.
Unintentional Threats
Human errors can occur in the design of the hardware and/or the information system. They can also occur in programming, testing, data collection, data entry, authorization and procedures. Human errors contribute to more than 50% of control and security-related problems in organizations.
Intentional Threats
Typically criminal in nature. Cybercrimes are fraudulent activities committed using computers and communications networks, particularly the Internet. The average cybercrime involves about $600,000 according to the FBI.
Cyber crime can be categorized as: Unauthorized access. Unauthorized access to computer systems or networks occurs when any person secures access, or attempts to secure access, to a protected system without permission. Email bombing. Email bombing refers to sending a large volume of emails to the victim, resulting in the victim's email account (in the case of an individual) or mail server (in the case of a company or an email service provider) crashing.
Cyber crime can be categorized as: Data diddling. This kind of attack involves altering the raw data just before it is processed by a computer and then changing it back after the processing is completed. Salami attack. This attack is used for the commission of financial crimes. The key is to make each alteration so insignificant that in a single case it would go completely unnoticed, e.g. a bank employee inserts a program into the bank's servers that deducts a small amount of money (say Rs.5 a month) from the account of every customer. No single account holder is likely to notice this unauthorized debit, but the bank employee collects a sizable amount of money every month.
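The salami attack above is invisible per account but obvious in aggregate. The following added example (not part of the original lecture) shows the detection logic an auditor would run over a ledger: group small debits by exact amount and memo, and flag any combination that touches many distinct accounts. The ledger rows, thresholds and memo strings are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ledger: (account_id, amount, memo). A salami-style skim
# shows up as the same tiny debit repeated across many unrelated accounts.
SAMPLE_LEDGER = [
    ("A001", -5.00, "svc fee"),
    ("A002", -5.00, "svc fee"),
    ("A003", -5.00, "svc fee"),
    ("A004", -5.00, "svc fee"),
    ("A001", -120.00, "utility bill"),
    ("A002", -5.00, "svc fee"),      # second hit on A002: still one account
    ("A005", -5.00, "svc fee"),
    ("A006", -2.50, "round-down"),
    ("A007", -2.50, "round-down"),
    ("A008", -300.00, "rent"),
]


def find_salami_patterns(ledger, max_amount=10.0, min_accounts=5):
    """Flag (amount, memo) pairs of small debits spread over many accounts.

    Only debits with absolute value <= max_amount are considered, since the
    attack relies on amounts too small to be noticed. Returns a list of
    (amount, memo, distinct_accounts, total_skimmed), largest spread first.
    """
    accounts_by_key = defaultdict(set)
    total_by_key = defaultdict(float)
    for account, amount, memo in ledger:
        if amount < 0 and abs(amount) <= max_amount:
            key = (round(abs(amount), 2), memo)
            accounts_by_key[key].add(account)
            total_by_key[key] += abs(amount)

    findings = []
    for (amount, memo), accounts in accounts_by_key.items():
        # Breadth across accounts, not size per account, is the signal.
        if len(accounts) >= min_accounts:
            findings.append((amount, memo, len(accounts),
                             round(total_by_key[(amount, memo)], 2)))
    findings.sort(key=lambda f: -f[2])
    return findings


if __name__ == "__main__":
    for amount, memo, n_accounts, total in find_salami_patterns(SAMPLE_LEDGER):
        print(f"{memo!r}: {amount} debited from {n_accounts} accounts, total {total}")
```

With the defaults the "svc fee" debit is flagged across five accounts (total 30.0) while the two "round-down" entries fall below the account threshold.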
Cyber crime can be categorized as: Internet time theft. This connotes the usage by an unauthorized person of the Internet hours paid for by another person. Logic bomb. This is an event-dependent program: it is created to do something only when a certain event (known as a trigger event) occurs, e.g. some viruses may be termed logic bombs because they lie dormant all through the year and become active only on a particular date (like the Chernobyl virus).
Cyber crime can be categorized as: Virus / worm attack. A virus is a program that attaches itself to a computer or a file and then circulates itself to other files and to other computers on a network. Viruses usually affect the data on a computer, either by altering or deleting it. Worms, unlike viruses, do not need a host to attach themselves to. They merely make functional copies of themselves and do this repeatedly until they eat up all the available space in a computer's memory.
Cyber crime can be categorized as: Trojan attack. A Trojan is aptly named: it is an unauthorized program that functions from inside what seems to be an authorized program, thereby concealing what it is actually doing. Denial of service attack. This involves flooding a computer resource with more requests than it can handle. This causes the resource (e.g. a web server) to crash, thereby denying authorized users the service offered by the resource.
Cyber crime can be categorized as: Distributed denial of service attack. This is a denial of service attack wherein the perpetrators are many and geographically widespread. Such attacks are very difficult to control. Cyber pornography. This would include pornographic websites; pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures, photos, writings etc.).
Cyber crime can be categorized as: Email spoofing. A spoofed email is one that appears to originate from one source but has actually been sent from another source. Intellectual property crime. This includes software piracy, copyright infringement, trademark violations etc. Cyber stalking. The Oxford dictionary defines stalking as "pursuing stealthily". Cyber stalking involves following a person's movements across the Internet by posting messages (sometimes threatening) on the bulletin boards frequented by the victim, entering the chat rooms frequented by the victim, constantly bombarding the victim with emails etc.
Espionage or Trespass
The act, by an unauthorized individual, of gaining access to information an organization is trying to protect. Industrial espionage occurs where researching information about the competition goes beyond the legal limits. Governments practice industrial espionage against companies in other countries. Shoulder surfing is looking at a computer monitor or ATM screen over another person's shoulder.
Information Extortion
When an attacker or formerly trusted employee steals information from a computer system and then demands compensation for its return or for an agreement not to disclose it.
Sabotage or Vandalism
A popular type of online vandalism is hacktivist or cyberactivist activity. Hacktivists or cyberactivists use technology for high-tech civil disobedience to protest the operations, policies, or actions of an individual, an organization, or a government agency.
Identity Theft
A crime in which someone uses the personal information of others, usually obtained from the Internet, to create a false identity and then commit fraud. It is the fastest-growing white-collar crime. The biggest problem is restoring the victim's damaged credit rating.
Software Attacks
Malicious software (malware) designed to damage, destroy, or deny service to the targeted systems. Most common types of software attacks are viruses, worms, Trojan horses, logic bombs, back doors, denial-of-service, alien software, phishing and pharming.
Alien Software
Pestware. Clandestine software that uses up valuable system resources and can report on your Web surfing habits and other personal information. Adware. Designed to make popup advertisements appear on your screen. Spyware. Software that gathers user information through the user's Internet connection without their knowledge (e.g. keyloggers, password capture).
(1) implementing controls to prevent identified threats from occurring, and (2) developing a means of recovery should the threat become a reality.
Controls
Controls evaluation. Identifies security deficiencies and calculates the costs of implementing adequate control measures. General controls. Established to protect the system regardless of the specific application.
Physical controls. Physical protection of computer facilities and resources. Access controls. Restriction of unauthorized user access to computer resources; use biometrics and password controls for user identification.
Controls (Continued)
Communications (networks) controls. To protect the movement of data across networks and include border security controls, authentication and authorization.
Firewalls. System that enforces access-control policy between two networks. Encryption. Process of converting an original message into a form that cannot be read by anyone except the intended receiver.
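The firewall definition above, an access-control policy enforced between two networks, is easiest to see as an ordered rule list with a default deny. This added example (not from the original lecture) evaluates constructed connection attempts between an assumed internal network 10.0.0.0/8 and the outside; the rules, addresses and ports are illustrative only.

```python
import ipaddress

# Constructed policy: first matching rule wins; anything unmatched is denied.
# Each rule: (action, source network, destination network, protocol, dst port).
# A port of None or protocol "any" matches everything.
POLICY = [
    ("allow", "10.0.0.0/8", "0.0.0.0/0",    "tcp", 443),   # internal -> any HTTPS
    ("allow", "0.0.0.0/0",  "10.0.5.20/32", "tcp", 25),    # anyone -> mail relay
    ("deny",  "0.0.0.0/0",  "10.0.0.0/8",   "tcp", None),  # all other TCP into internal
    ("allow", "10.0.0.0/8", "10.0.0.0/8",   "any", None),  # internal <-> internal
]


def evaluate(policy, src_ip, dst_ip, proto, dst_port):
    """Return (action, index_of_matching_rule); (\"deny\", None) if nothing matched.

    Rules are checked in order, so the position of a deny rule decides whether
    later allow rules can ever apply to the same traffic (see the test cases).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for idx, (action, src_net, dst_net, rule_proto, rule_port) in enumerate(policy):
        if src not in ipaddress.ip_network(src_net):
            continue
        if dst not in ipaddress.ip_network(dst_net):
            continue
        if rule_proto != "any" and rule_proto != proto:
            continue
        if rule_port is not None and rule_port != dst_port:
            continue
        return action, idx
    return "deny", None  # default deny: the policy never listed this traffic


if __name__ == "__main__":
    # Constructed connection attempts, shown as a small audit trace.
    attempts = [
        ("10.1.2.3", "203.0.113.9", "tcp", 443),     # internal browsing out
        ("198.51.100.7", "10.0.5.20", "tcp", 25),    # external mail delivery
        ("198.51.100.7", "10.0.5.20", "tcp", 22),    # external SSH, blocked by rule 2
        ("10.1.1.1", "10.2.2.2", "tcp", 80),         # internal TCP shadowed by rule 2
    ]
    for src, dst, proto, port in attempts:
        action, idx = evaluate(POLICY, src, dst, proto, port)
        print(f"{src} -> {dst} {proto}/{port}: {action} (rule {idx})")
```

The last trace line is the point a reviewer would flag: because the broad TCP deny sits before the internal-to-internal allow, internal TCP traffic other than HTTPS is dropped too, so rule order is part of the policy, not just its contents.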
Controls (Continued)
All encryption systems use a key. Symmetric encryption. Sender and the recipient use the same key. Public-key encryption. Uses two different keys: a public key and a private key. Certificate authority. Asserts that each computer is identified accurately and provides the public keys to each computer.
Controls (Continued)
Virtual Private Networking. Uses the Internet to carry information within a company and among business partners, but with increased security through the use of encryption, authentication and access control. Application controls. Controls that protect specific applications and include input, processing and output controls.
Controls (Continued)
Information systems auditing. Independent or unbiased observers tasked with ensuring that information systems work properly. Types of auditors and audits:
Internal. Performed by corporate internal auditors. External. Reviews the internal audit as well as the inputs, processing and outputs of information systems. Audit. Examination of information systems, their inputs, outputs and processing.
IS Auditing Procedure
Auditing around the computer means verifying processing by checking for known outputs or specific inputs. Auditing through the computer means inputs, outputs and processing are checked. Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware.