
BUSINESS ETHICS

A Project on Ethics in Information Technology
Submitted to: Prof. Aftab
By MMS II / Div A students: Abida Chaudhary (11), Naba Khan, Saif Shaikh, Yatin Shinde, Adeel Khan, Arshad Shaikh (roll numbers 21, 48, 54, 18, 46)

Business Ethics:
Business ethics (also corporate ethics) is a form of applied ethics or professional ethics that examines ethical principles and moral or ethical problems that arise in a business environment. It applies to all aspects of business conduct and is relevant to the conduct of individuals and entire organizations.

Ethics in IT:
world today? Also, who is responsible for ensuring their compliance?
Knowing the difference between what you have the right to do and what is the right thing to do.
Primarily, ethics are the code of conduct that management and professional organizations institute, and professionals follow, to ensure that they protect the privacy and earn the trust of customers. Laws are also in place in many industries to legislate the ethical behavior of professionals.
Ethics cannot be captured in rules; they have to come from an individual desire to do the right thing.
In IT, individuals may bear the burden for ethical behavior.
IT is usually looked at as the provider of tools to meet the goals of the business, not as the business itself.
In western societies more people are employed collecting, handling and distributing information than in any other occupation.

Ethical Areas of Concern
The IT community has neglected to address these ethical issues.
Issues of the Information Age: Privacy, Accuracy, Property, and Access.
Privacy - The drive for information privacy is epidemic in the world. There are many advocates for information privacy, but the conflict lies in how to protect something that many value so little they are willing to give it away. Going hand in hand with privacy is the concept of anonymity.
Accuracy - The very nature of the IT industry is the collection and analysis of data. There are two major hindrances to information accuracy. First, today we are producing so much information about so many people and their activities that our exposure to problems of inaccuracy is enormous. The second barrier to accuracy is the community of the internet itself: there is no control, no peer review, and no obstacle to keep accurate information from being overshadowed by disinformation, and the posters of inaccurate information are not held liable for their lack of ethics.
Property - The area of property is concerned with the rights to use or share the data in question. major ways that non-ethical use of data affects the data owners. Industry Association of America (RIAA)

Abstract
Information systems are exposed to different types of security risks. The consequences of information systems security (ISS) breaches can vary from, for example, damaging database integrity to the physical "destruction" of entire information system facilities, and can result in minor disruptions in less important segments of information systems or in significant interruptions of information systems functionality. The sources of security risks are diverse: they can originate from inside or outside the information system facility, and can be intentional or unintentional. A precise calculation of the losses caused by such incidents is often not possible, because a number of small-scale ISS incidents are never detected, or are detected with a significant time delay, and some incidents are interpreted as accidental mistakes; all of this results in an underestimation of ISS risks. This paper addresses the different types and criteria of information system security risk (threat) classification and gives an overview of the most common classifications used in the literature and in practice. We define a common set of criteria that can be used for information system security threat classification, which will enable the comparison and evaluation of security threats drawn from different threat classifications.

THREATS TO COMPUTER SYSTEMS: AN OVERVIEW
Computer systems are vulnerable to many threats which can inflict various types of damage resulting in significant losses. Damage can range from minor errors which sap database integrity to fires which destroy entire computer centers. Losses can stem from the actions of supposedly trusted employees defrauding the system to outside hackers roaming freely through the Internet. The exact amount of computer-related losses is unknowable; many losses are never discovered and others are covered up to avoid unfavorable publicity. This bulletin increases reader awareness of threats to computer systems by giving a broad picture of the threat environment in which systems are operated today. An overview of many of today's common threats will be useful to organizations studying their own threat environments with a view toward developing solutions specific to their organization. It summarizes a chapter of the computer security handbook being developed by CSL. We have already published bulletins summarizing other chapters on establishing a computer security program, considering people issues in computer security, and developing computer security policy. Additional bulletins will be issued as chapters are finalized.

Common Threats
A wide variety of threats face today's computer systems and the information they process. In order to control the risks of operating an information system, managers and users must know the vulnerabilities of the system and the threats which may exploit them. Knowledge of the threat environment allows the system manager to implement the most cost-effective security measures. In some cases, managers may find it most cost-effective to simply tolerate the expected losses.

The following threats and associated losses are based on their prevalence and significance in the current computing environment and their expected growth. The list is not exhaustive; some threats may combine elements from more than one area.

Errors and Omissions
Users, data entry clerks, system operators, and programmers frequently make unintentional errors which contribute to security problems, directly and indirectly. Sometimes the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, errors create vulnerabilities. Errors can occur in all phases of the system life cycle. Programming and development errors, often called bugs, range in severity from benign to catastrophic. In the past decade, software quality has improved measurably to reduce this threat, yet software "horror stories" still abound. Installation and maintenance errors also cause security problems. Errors and omissions are important threats to data integrity. Errors are caused not only by data entry clerks processing hundreds of transactions per day, but by all users who create and edit data. Many programs, especially those designed by users for personal computers, lack quality control measures. However, even the most sophisticated programs cannot detect all types of input errors or omissions. The computer age saying "garbage in, gospel out" contains a large measure of truth. People often assume that the information they receive from a computer system is more accurate than it really is. Many organizations address errors and omissions in their computer security, software quality, and data quality programs.

Fraud and Theft
Information technology is increasingly used to commit fraud and theft. Computer systems are exploited in numerous ways, both by automating traditional methods of fraud and by using new methods.
For example, individuals may use a computer to skim small amounts of money from a large number of financial accounts, thus generating a significant sum for their own use. Also, deposits may be intentionally misdirected. Financial systems are not the only ones subject to fraud. Systems which control access to any resource are targets, such as time and attendance systems, inventory systems, school grading systems, or long-distance telephone systems. Fraud can be committed by insiders or outsiders. The majority of fraud uncovered on computer systems is perpetrated by insiders who are authorized users of a system. Since insiders have both access to and familiarity with the victim computer system, including what resources it controls and where the flaws are, authorized system users are in a better position to commit crimes. An organization's former employees may also pose threats, particularly if their access is not terminated promptly.

Disgruntled Employees
Disgruntled employees can create both mischief and sabotage on a computer system. Employees are the group most familiar with their employer's computers and applications, including knowing what actions might cause the most damage. Organizational downsizing in both public and private sectors has created a group of individuals with organizational knowledge who may retain potential system access. System managers can limit this threat by invalidating passwords and deleting system accounts in a timely manner. However, disgruntled current employees actually cause more damage than former employees. Common examples of computer-related employee sabotage include:
Entering data incorrectly
Changing data
Deleting data
Destroying data or programs with logic bombs
"Crashing" systems
Holding data hostage
Destroying hardware or facilities

Physical and Infrastructure
The loss of supporting infrastructure includes power failures (including outages, spikes and brownouts), loss of communications, water outages and leaks, sewer problems, lack of transportation services, fire, flood, civil unrest, strikes, and so forth. These losses include dramatic events such as the explosion at the World Trade Center and the Chicago tunnel flood as well as more common events such as a broken water pipe. System owners must realize that more loss is associated with fires and floods than with viruses and other more widely publicized threats. A loss of infrastructure often results in system downtime, sometimes in unexpected ways. For example, employees may not be able to get to work during a winter storm, although the computer system may be functional.

Malicious Hackers
Hackers, sometimes called crackers, are a real and present danger to most organizational computer systems linked by networks. From outside the organization, sometimes from another continent, hackers break into computer systems and compromise the privacy and integrity of data before the unauthorized access is even detected. Although insiders cause more damage than hackers, the hacker problem remains serious and widespread. The effect of hacker activity on the public switched telephone network has been studied in depth. Studies by the National Research Council and the National Security Telecommunications Advisory Committee show that hacker activity is not limited to toll fraud. It also includes the ability to break into telecommunications systems (such as switches) resulting in the degradation or disruption of system availability. While unable to reach a conclusion about the degree of threat or risk, these studies underscore the ability of hackers to cause serious damage. The hacker threat often receives more attention than more common and dangerous threats. The U.S. Department of Justice's Computer Crime Unit suggests three reasons.
First, the hacker threat is a more recently encountered threat. Organizations have always had to worry about the actions of their own employees and could use disciplinary measures to reduce that threat. However, these controls are ineffective against outsiders who are not subject to the rules and regulations of the employer.

Secondly, organizations do not know the purposes of a hacker; some hackers only browse, some steal, some damage. This inability to identify purposes can suggest that hacker attacks have no limitations. Finally, hacker attacks make people feel vulnerable because the perpetrators are unknown.

Industrial Espionage
Industrial espionage involves collecting proprietary data from private corporations or government agencies for the benefit of another company or organization. Industrial espionage can be perpetrated either by companies seeking to improve their competitive advantage or by governments seeking to aid their domestic industries. Foreign industrial espionage carried out by a government is known as economic espionage. Industrial espionage is on the rise. The most damaging types of stolen information include manufacturing and product development information. Other types of information stolen include sales and cost data, client lists, and research and planning information. Within the area of economic espionage, the Central Intelligence Agency states that the main objective is obtaining information related to technology, but that information on U.S. government policy deliberations concerning foreign affairs and information on commodities, interest rates, and other economic factors is also a target. The Federal Bureau of Investigation concurs that technology-related information is the main target, but also cites corporate proprietary information such as negotiating positions and other contracting data as a target.

Malicious Code
Malicious code refers to viruses, worms, Trojan horses, logic bombs, and other "uninvited" software. Malicious code is sometimes mistakenly associated only with personal computers, but can also attack more sophisticated systems. However, actual costs attributed to the presence of malicious code have resulted primarily from system outages and staff time involved in repairing the systems. Nonetheless, these costs can be significant.
Malicious Software: A Few Key Terms
Virus: A code segment which replicates by attaching copies of itself to existing executables. The new copy of the virus is executed when a user executes the new host program. The virus may include an additional "payload" that triggers when specific conditions are met. For example, some viruses display a text string on a particular date. There are many types of viruses including variants, overwriting, resident, stealth, and polymorphic.
Trojan Horse: A program that performs a desired task, but also includes unexpected (and undesirable) functions. Consider as an example an editing program for a multi-user system. This program could be modified to randomly delete one of the users' files each time they perform a useful function (editing), but the deletions are unexpected and definitely undesired!

Worm: A self-replicating program which is self-contained and does not require a host program. The program creates a copy of itself and causes it to execute; no user intervention is required. Worms commonly utilize network services to propagate to other host systems.
The number of known viruses is increasing, and the rate of virus incidents is growing moderately. Most organizations use anti-virus software and other protective measures to limit the risk of virus infection.

Foreign Government Espionage
In some instances, threats posed by foreign government intelligence services may be present. In addition to possible economic espionage, foreign intelligence services may target unclassified systems to further their intelligence missions.

Threats to Personal Privacy
The accumulation of vast amounts of electronic information about individuals by the government, credit bureaus, and private companies, combined with the ability of computers to monitor, process, aggregate, and record information about individuals, has created a very real threat to individual privacy. The possibility that all of this information and technology could be linked together has loomed as a specter of the modern information age. This phenomenon is known as "big brother." The threat to personal privacy arises from many sources. Several cases have been reported involving the sale of personal information by federal and state employees to private investigators or other "information brokers." One such case was uncovered in 1992 when the Justice Department announced the arrest of over two dozen individuals engaged in buying and selling information from Social Security Administration (SSA) computer files. In the course of the investigation, auditors learned that SSA employees had unrestricted access to over 130 million employment records. Just recently, an investigation found that five percent of the employees in one region of the Internal Revenue Service had browsed through tax records of friends, relatives, and celebrities. Some employees used the information to create fraudulent tax refunds, but many acted simply out of curiosity.
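The SSA and IRS cases above combine two failures: employees could read any record, and nobody reviewed why a record was opened. The script below is an added example (not from the bulletin or this project) of the kind of audit-log review that surfaces such browsing; the log format, the employee directory, the VIP watch-list and the surname heuristic for relatives are all constructed assumptions.

```python
"""Flag employee 'browsing' of personal records outside assigned work.

Added example, not from the original page: the log format, employee
directory, VIP list and heuristics are constructed assumptions.
"""
import re
from collections import Counter

# Constructed audit log: one line per record view by an employee.
AUDIT_LOG = """\
2013-04-02T09:01:11Z user=aclark case=C-1001 record=R-5001 subject=Jones
2013-04-02T09:03:40Z user=aclark case=C-1001 record=R-5002 subject=Jones
2013-04-02T09:15:02Z user=aclark case=- record=R-7310 subject=Clark
2013-04-02T10:22:45Z user=aclark case=- record=R-9001 subject=Famous
2013-04-02T10:30:00Z user=bpatel case=C-2002 record=R-6100 subject=Rivera
2013-04-02T11:05:19Z user=bpatel case=C-2002 record=R-6101 subject=Rivera
2013-04-02T11:06:10Z user=bpatel case=C-2009 record=R-6400 subject=Patel
"""

# Constructed employee directory: surname (used as a crude "relative"
# heuristic) and the cases each employee is actually assigned to.
EMPLOYEES = {
    "aclark": {"surname": "Clark", "cases": {"C-1001"}},
    "bpatel": {"surname": "Patel", "cases": {"C-2002"}},
}

# Constructed watch-list of high-profile records (the "celebrities").
VIP_RECORDS = {"R-9001"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) case=(?P<case>\S+) "
    r"record=(?P<record>\S+) subject=(?P<subject>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_access(event, employees, vip_records):
    """Return the reasons this single record view looks like browsing rather
    than assigned work (an empty list means nothing suspicious)."""
    emp = employees.get(event["user"])
    if emp is None:
        return ["unknown-user"]
    reasons = []
    if event["case"] not in emp["cases"]:
        reasons.append("no-assigned-case")
    if event["subject"].lower() == emp["surname"].lower():
        reasons.append("surname-matches-employee")
    if event["record"] in vip_records:
        reasons.append("vip-record")
    return reasons


def audit(log_text, employees=EMPLOYEES, vip_records=VIP_RECORDS):
    """Run every parsable log line through review_access; keep the hits."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # malformed line: not an access we can judge
        reasons = review_access(event, employees, vip_records)
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings


def per_user_counts(findings):
    """Number of flagged views per user, for a quick triage list."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    hits = audit(AUDIT_LOG)
    for h in hits:
        print(h["ts"], h["user"], h["record"], ",".join(h["reasons"]))
    print(dict(per_user_counts(hits)))
```

The sample log yields three flagged views (two for aclark, one for bpatel); in a real deployment the case assignments would come from the case-management system rather than a hard-coded directory.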

As more of these cases come to light, many individuals express increased concern about threats to their personal privacy. Over the years, Congress has enacted legislation, such as the Privacy Act of 1974 and the Computer Matching and Privacy Protection Act of 1988, which defines the boundaries of the legitimate uses of personal information collected by the government. While the magnitude and cost to society of the personal privacy threat are difficult to gauge, information technology has become powerful enough to warrant fears of both government and corporate "big brothers." Increased awareness of the problem is needed.

Conclusion
Today's computer systems, linked by national and global networks, face a variety of threats which can result in significant financial and information losses. Threats vary considerably, from threats to data integrity resulting from unintentional errors and omissions to threats to system availability from malicious hackers attempting to crash a system. An understanding of the types of threats in today's computing environment can assist a security manager in selecting appropriate cost-effective controls to protect valuable information resources.

Threats to Security
Threats to computers and information systems are quite real. In previous newsletters, we've discussed hacking risks to your information systems, but this is just a small element of the big picture of threats and vulnerabilities to information security. Identifying threats is only part of the picture; once threats are identified, it is up to you to find the vulnerabilities in your information system and find ways to keep these threats from occurring. Although threats to information systems are evolving and abundant, they can all be broken down into three categories:
Natural Threats: These can best be thought of as threats caused by Mother Nature: floods, quakes, tornadoes, temperature extremes, hurricanes, and storms are all examples.
Intentional Threats: Computer crimes are the best examples of intentional threats, where someone purposely damages property or information. Computer crimes include espionage, identity theft, child pornography, and credit card crime.
Unintentional Threats: These threats basically include the unauthorized or accidental modification of software.

Top 10 information security threats for 2013 according to Perimeter E-Security:

1. Malware

Last year, malware was listed as the second highest ranked threat to organizations on Perimeter E-Security's list of top threats. There are many methods to install malware on systems, including the use of client-side software vulnerabilities. Browsers remain a top target for vulnerabilities. In 2009, the FBI reported that for the first time ever, revenue from cybercrime had exceeded drug trafficking, estimated at taking in more than one billion annually in profits.

2. Malicious insiders

Malicious insiders were listed as the top threat for 2009, but have fallen to the #2 spot for 2010. With the downturn in the economy last year, it was no surprise that many desperate and disgruntled employees attempted to exploit the companies they currently or previously worked for. There is no way to eliminate the threat of malicious insiders completely, but through good security policies and procedures that are actually followed, the incidents could be a fraction of what they are today. With the economy still suffering and unemployment still high, malicious insiders will continue to be a threat.

3. Exploited vulnerabilities

Vulnerability exploitation is at the heart of hacking and data breaches. Worms, viruses, malware, and a host of other attack types often rely on exploiting vulnerabilities to infect, spread and perform the actions cyber criminals want. And yet, organizations are still not doing what they need to for patch management. Hackers are more often exploiting client-side vulnerabilities and other vulnerabilities associated with third-party applications.

4. Careless employees

Careless and untrained insiders will continue to be a very serious threat to organizations in 2010. Insiders can be broken down into three categories: careless and untrained employees, employees that are duped or fall prey to social engineering type attacks, and malicious employees. Protecting a network and critical and sensitive data is done very differently for each type. Policies, procedures, training and a little technology can make a world of difference in reducing an organization's risk from careless insiders.

5. Mobile devices

Mobile devices have become a plague for information security professionals. There are worms and other malware that specifically target these devices, such as the iPhone worm that would steal banking data and enlist these devices in a botnet. Theft is still a major cause of data breaches, and mobile devices, especially laptops, are the main culprits. Tens of thousands of laptops are stolen each year, and these often hold sensitive data whose loss requires public disclosure as a data breach.

6. Social networking

Social networking sites such as Facebook, MySpace, Twitter and others have changed the way people communicate with each other, but these sites can pose serious threats to organizations. One main problem is that there is a trust component to these sites which makes them fertile ground for identity thieves. There is also a personal safety issue: social networking sites are a stalker's dream come true. Social networking sites are breeding grounds for spam, scams, scareware and a host of other attacks, and these threats will continue to rise.

7. Social engineering

Social engineering is always a popular tool used by cyber criminals, and phishing is still a popular method for doing just that. In fact, these new venues make social engineering even more effective. This year will have an added measure of complexity when it comes to social engineering attacks. Beginning sometime in mid-2010, domain names will be expanded to include Japanese, Arabic, Hindi and even Greek characters; with all of these characters available for domain names, looking at a domain will no longer help one determine whether it is legitimate.

8. Zero-day exploits

Zero-day exploits are attacks in which an attacker compromises a system through a known vulnerability for which no patch or fix yet exists, and they have become a very serious threat to information security. Zero-day vulnerabilities are being discovered in traditionally very secure protocols such as SSL and TLS. The zero-day vulnerability could also be in providers.

9. Cloud computing security threats

Using cloud based (i.e. Internet based) applications may not be as secure as once thought with many stories in 2009 regarding cloud based security issues. Many are calling for forced encryption to access "in the cloud" services. As cloud computing grows in popularity over the next few years, cloud security will become a very big issue.

10. Cyber espionage

Cyber espionage is a threat that is being heard about more and more all the time, and there has been a flood of stories in 2009 on this subject. Most of these incidents surround government bodies and agencies and therefore have not been a huge threat to most individual organizations. However, since cyber espionage has major implications for the government, it is a rising threat that must be closely monitored.

Prevention of data loss should be a key part of any business's IT strategy. The consequences of data falling into the wrong hands can include breaches of confidentiality, non-compliance penalties, industrial espionage, financial losses (to your business, employees and customers) and compromised reputation.

The Risks
Theft or inadvertent loss of data on portable devices (such as USB-connected devices, laptops, phones and tablets).
Data being inappropriately emailed.
Data being uploaded to a website, ftp site or cloud-based storage.
Data being inappropriately printed.
Data being removed from the company on a CD or DVD.
Examples of data loss include illicit removal by departing salespeople taking customer databases with them, and corrupt employees selling data to criminals, competitors or saboteurs. There are also countless cases of data having been inadvertently lost by employees leaving portable devices in public places.

Protect Your Data
There are a number of methods that you can use to protect your data:
Conduct a risk analysis by reviewing the information stored on the company network, who has access to it and the consequences of its loss.
Establish document classification in order to identify categories of confidentiality.
Control who has access to what data by setting access levels.
Establish and enforce clear policies about what employees can do with confidential or business-critical data.
Educate the workforce.
Ban or restrict the use of portable devices.
Disable USB ports by either electronic or physical means.
Encrypt corporate data.
Consider purchasing a commercial Data Loss Prevention solution.

3 Implications & Consequences of Data Loss, Corruption, Theft


Legal implications (e.g. describe what might happen to a company if an employee lost, corrupted or stole user data).
Impact on customers (e.g. describe two ways customers might be affected by data loss or theft).
Impact on employees (e.g. describe what might happen to employees if they lost data).
Impact on the organisation (e.g. describe at least two ways in which the organisation might lose out as a result of data loss or theft).

Computer crime

Computer crime, or cyber crime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers to criminal exploitation of the Internet. Dr. Debarati Halder and Dr. K. Jaishankar (2011) define cybercrimes as: "Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)". Such crimes may threaten a nation's security and financial health. Issues surrounding these types of crimes have become high-profile, particularly those surrounding cracking, copyright infringement, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise.

Computer virus

A computer virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected". Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user's screen, spamming their contacts, or logging their keystrokes. However, not all viruses carry a destructive payload or attempt to hide themselves; the defining characteristic of viruses is that they are self-replicating computer programs which install themselves without the user's consent. Virus writers use social engineering and exploit detailed knowledge of security vulnerabilities to gain access to their hosts' computing resources. The vast majority of viruses (over 99%) target systems running Microsoft Windows, employing a variety of mechanisms to infect new hosts, and often using complex anti-detection/stealth strategies to evade antivirus software. Motives for creating viruses can include seeking profit, the desire to send a political message, personal amusement, demonstrating that a vulnerability exists in software, sabotage and denial of service, or simply a wish to explore artificial life and evolutionary algorithms. Computer viruses currently cause billions of dollars' worth of economic damage each year by causing system failures, wasting computer resources, corrupting data, increasing maintenance costs, etc. In response, free, open-source anti-virus tools have been developed, and a multi-billion dollar industry of anti-virus software vendors has cropped up, selling virus protection to Windows users. Unfortunately, no currently existing anti-virus software is able to catch all computer viruses (especially new ones); computer security researchers are actively searching for new ways to enable antivirus solutions to detect emerging viruses more effectively, before they become widely distributed.

Hacking
Hacking may refer to:

Computer hacking, including the following types of activity:
  Hacker (programmer subculture), activity within the computer programmer subculture
  Hacker (computer security), to access computer networks, legally or otherwise
  Computer crime
  Phone hacking, the practice of intercepting telephone calls or voicemail messages without the consent of the phone's owner
Illegal taxicab operation
Pleasure riding, horseback riding for purely recreational purposes
Shin-kicking, an English martial art
The act of stealing jokes
Hacking, an area within Hietzing, a municipal district of Vienna, Austria
Roof and tunnel hacking

In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge. The subculture that has evolved around hackers is often referred to as the computer underground and is now a known community. While other uses of the word hacker exist that are not related to computer security, such as referring to someone with an advanced understanding of computers and computer networks, they are rarely used in mainstream context. They are subject to the long-standing hacker definition controversy about the true meaning of the term hacker. In this controversy, the term hacker is reclaimed by computer programmers who argue that someone breaking into computers is better called a cracker, not making a difference between computer criminals (black hats) and computer security experts (white hats). Some white hat hackers claim that they also deserve the title hacker, and that only black hats should be called crackers.

Classification:

Several subgroups of the computer underground with different attitudes use different terms to demarcate themselves from each other, or try to exclude some specific group with which they do not agree.
Eric S. Raymond (author of The New Hacker's Dictionary) advocates that members of the computer underground should be called crackers. Yet, those people see themselves as hackers and even try to include the views of Raymond in what they see as one wider hacker culture, a view harshly rejected by Raymond himself. Instead of a hacker/cracker dichotomy, they give more emphasis to a spectrum of different categories, such as white hat, grey hat, black hat and script kiddie. In contrast to Raymond, they usually reserve the term cracker for more malicious activity.

According to Ralph D. Clifford, a cracker or cracking is to "gain unauthorized access to a computer in order to commit another crime such as destroying information contained in that system". These subgroups may also be defined by the legal status of their activities. White hat A white hat hacker breaks security for non-malicious reasons, perhaps to test their own security system or while working for a security company which makes security software. The term "white hat" in Internet slang refers to an ethical hacker. This classification also includes individuals who perform penetration tests and vulnerability assessments within a contractual agreement. The ECCouncil, also known as the International Council of Electronic Commerce Consultants, is one of those organizations that have developed certifications, course-ware, classes, and online training covering the diverse arena of Ethical Hacking. Black hat A "black hat" hacker is a hacker who "violates computer security for little reason beyond maliciousness or for personal gain" (Moore, 2005). Black hat hackers form the stereotypical, illegal hacking groups often portrayed in popular culture, and are "the epitome of all that the public fears in a computer criminal". Black hat hackers break into secure networks to destroy data or make the network unusable for those who are authorized to use the network. Black hat hackers also are referred to as the "crackers" within the security industry and by modern programmers. Crackers keep the awareness of the vulnerabilities to themselves and do not notify the general public or manufacturer for patches to be applied. Individual freedom and accessibility is promoted over privacy and security. Once they have gained control over a system, they may apply patches or fixes to the system only to keep their reigning control. 
Richard Stallman coined the term to distinguish the malicious criminal hacker from the white hat hacker, who hacks in order to identify weaknesses that need repair.

Grey hat

A grey hat hacker is a combination of a black hat and a white hat hacker. A grey hat hacker may, for example, surf the Internet and hack into a computer system for the sole purpose of notifying the administrator that their system has a security defect. They may then offer to correct the defect for a fee.

Elite hacker

Elite is a social status among hackers, used to describe the most skilled. Newly discovered exploits circulate among these hackers. Elite groups such as Masters of Deception conferred a kind of credibility on their members.

Script kiddie
A script kiddie (also known as a skid or skiddie) is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding of the underlying concept, hence the term script (i.e. a prearranged plan or set of activities) kiddie (i.e. kid, child: an individual lacking knowledge and experience, immature).

Neophyte

A neophyte, "n00b", or "newbie" is someone who is new to hacking or phreaking and has almost no knowledge or experience of the workings of technology and hacking.

Blue hat

A blue hat hacker is someone outside computer security consulting firms who is used to bug-test a system prior to its launch, looking for exploits so they can be closed. Microsoft also uses the term BlueHat to represent a series of security briefing events.

Hacktivist

A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or political message. In general, most hacktivism involves website defacement or denial-of-service attacks.

Nation state

Intelligence agencies and cyber warfare operatives of nation states.

Organized criminal gangs

Groups of hackers that carry out organized criminal activities for profit.

Phishing

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of the social engineering techniques used to deceive users, and it exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures. A phishing technique was described in detail in 1987, and (according to its creator) the first recorded use of the term "phishing" was made in 1995 by Jason Shannon of AST Computers. The term is a variant of fishing, probably influenced by phreaking, and alludes to the "baits" used in the hope that the potential victim will "bite" by clicking a malicious link or opening a malicious attachment, in which case their financial information and passwords may then be stolen.
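The passage above notes that phishing is usually carried out by email spoofing. As an added example (not part of the original project), the Python below applies a few defensive header checks that a mail gateway or an analyst can run on a received message: whether Reply-To and Return-Path point at a different domain than the visible From address, whether the display name impersonates an address on another domain, and whether the receiving server's Authentication-Results header recorded SPF, DKIM or DMARC failures. The two messages and every domain in them are constructed samples; the header names are the standard ones, while the selection and wording of the checks are this example's own.

```python
"""Heuristic checks for spoofed e-mail headers, as seen in phishing mail.

Added example: the two messages are constructed samples, not real mail.
The header names are standard (RFC 5322 From/Reply-To/Return-Path and the
RFC 8601 Authentication-Results header a receiving mail server adds); the
choice of checks and their wording is this example's own.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def address_domain(header_value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def header_findings(raw_message):
    """Return a list of human-readable reasons the headers look spoofed.

    An empty list means none of the heuristics fired; it is not proof the
    mail is genuine, only that these particular tricks are absent.
    """
    msg = message_from_string(raw_message)
    findings = []
    from_domain = address_domain(msg.get("From"))

    # 1. Replies are steered to a domain other than the visible sender.
    reply_domain = address_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} != From domain {from_domain}")

    # 2. The envelope sender (bounce address) is on a different domain.
    bounce_domain = address_domain(msg.get("Return-Path"))
    if bounce_domain and bounce_domain != from_domain:
        findings.append(f"Return-Path domain {bounce_domain} != From domain {from_domain}")

    # 3. The display name itself looks like an address on another domain,
    #    a classic trick because many mail clients show only the name.
    display_name, _addr = parseaddr(msg.get("From", ""))
    embedded = re.search(r"@([A-Za-z0-9.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append(f"display name impersonates {embedded.group(1).lower()}")

    # 4. The receiving server recorded SPF/DKIM/DMARC failures.
    auth_results = msg.get("Authentication-Results", "")
    for mechanism in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mechanism}=([a-z]+)", auth_results, re.IGNORECASE)
        if m and m.group(1).lower() not in ("pass", "none"):
            findings.append(f"{mechanism}={m.group(1).lower()}")

    return findings


# Constructed sample: a phishing message spoofing a bank (all domains invented).
PHISHING_SAMPLE = """\
From: "support@yourbank.example" <alerts@yourbank-secure.example>
Reply-To: verify@mail-verify.example
Return-Path: <bounce@mail-verify.example>
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=mail-verify.example; dkim=none; dmarc=fail header.from=yourbank-secure.example
Subject: Urgent: confirm your account details

Your account has been limited. Click the link below to restore access.
"""

# Constructed sample: a legitimate notification whose headers line up.
LEGITIMATE_SAMPLE = """\
From: "YourBank Alerts" <alerts@yourbank.example>
Return-Path: <bounce@yourbank.example>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=yourbank.example; dkim=pass header.d=yourbank.example; dmarc=pass header.from=yourbank.example
Subject: Your monthly statement is ready

Log in through the app or by typing the bank's address yourself.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(f"{label}: {header_findings(sample) or 'no findings'}")
```

Running the script reports five findings for the phishing sample and none for the legitimate one. The checks deliberately stop short of a verdict: a mismatched Reply-To also occurs in legitimate mail sent through third-party bulk senders, so in practice these findings feed a score or a quarantine queue rather than a hard reject.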

List of phishing techniques

Phishing

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Spear phishing

Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success.

Clone phishing

A type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.

Whaling

Several recent phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for these kinds of attacks.

Link manipulation

Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the "yourbank" (i.e. phishing) section of the example website.
Another common trick is to make the displayed text for a link (the text between the <A> tags) suggest a reliable destination, when the link actually goes to the phishers' site. The following example link, //en.wikipedia.org/wiki/Genuine, appears to direct the user to an article entitled "Genuine"; clicking on it will in fact take the user to the article entitled "Deception". In the lower left-hand corner of most browsers users can preview and verify where the link is going to take them. Hovering your cursor over the link for a couple of seconds may do a similar thing, but the text shown there can still be set by the phisher through the HTML title attribute, which controls the tooltip.

A further problem with URLs has been found in the handling of Internationalized Domain Names (IDN) in web browsers, which might allow visually identical web addresses to lead to different, possibly malicious, websites. Despite the publicity surrounding the flaw, known as IDN spoofing or a homograph attack, phishers have taken advantage of a similar risk, using open URL redirectors on the websites of trusted organizations to disguise malicious URLs with a trusted domain. Even digital certificates do not solve this problem, because it is quite possible for a phisher to purchase a valid certificate and subsequently change content to spoof a genuine website.

Filter evasion

Phishers have even started using images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing emails. However, this has led to the evolution of more sophisticated anti-phishing filters that are able to recover hidden text in images. These filters use OCR (optical character recognition) to optically scan the image and filter it. Some anti-phishing filters have even used IWR (intelligent word recognition), which is not meant to completely replace OCR, but which can detect cursive, hand-written, rotated (including upside-down) or distorted (wavy, stretched vertically or laterally, or in different directions) text, as well as text on colored backgrounds.

Website forgery

Once a victim visits the phishing website, the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original bar and opening up a new one with the legitimate URL. An attacker can even use flaws in a trusted website's own scripts against the victim.
These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal. A Universal Man-in-the-middle (MITM) Phishing Kit, discovered in 2007, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site. To avoid anti-phishing techniques that scan websites for phishing-related text, phishers have begun to use Flash-based websites (a technique known as phlashing). These look much like the real website, but hide the text in a multimedia object.
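The link-manipulation passage above (the www.yourbank.example.com subdomain trick, and link text that names one site while the href leads to another) and the later paragraph on IDN homographs and open redirectors describe deceptions that a mail filter can look for mechanically. The Python below is an added example, not code from the original project: it pulls every link out of a constructed HTML mail body and reports which of those four tricks each one matches. The trusted-domain allow-list and all domains in the sample are assumptions; registrable_domain() deliberately simplifies to the last two labels where real code would consult the Public Suffix List, and the script check only flags hosts that mix scripts (a lookalike written entirely in one non-Latin script needs a confusables table, which this example does not include).

```python
"""Inspect the links in an HTML e-mail body for the tricks described above.

Added example, not code from the original project: the HTML body and every
domain in it are constructed, the trusted-domain list is an assumed allow-list,
and registrable_domain() simplifies to the last two labels (real code would
consult the Public Suffix List).
"""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


def host_of(url):
    """Lower-cased host of a URL; scheme-relative links like //host/path work too."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    """'www.yourbank.example.com' -> 'example.com' (simplified: last two labels)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def decode_idn(host):
    """Turn punycode labels (xn--...) back into the Unicode the user would see."""
    try:
        return host.encode("ascii").decode("idna") if "xn--" in host else host
    except (UnicodeError, ValueError):
        return host


def scripts_in(host):
    """Unicode scripts used by the letters of a host, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in host if ch.isalpha()}


def host_in_text(text):
    """Host named by the visible link text, if that text looks like a URL."""
    t = text.strip()
    if t.lower().startswith("www.") and " " not in t:
        t = "//" + t
    return host_of(t) if "//" in t else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html, trusted_domains):
    """Return (href, reason) pairs for links that match a known deception."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown_host = decode_idn(host_of(href))
        target = registrable_domain(shown_host)
        # Subdomain trick: a trusted brand appears as a label of another domain.
        for trusted in trusted_domains:
            brand = trusted.split(".")[0]
            if brand in shown_host and target != trusted:
                findings.append((href, f"contains '{brand}' but registrable domain is {target}"))
        # Anchor-text trick: the visible text names one site, the href another.
        text_host = host_in_text(text)
        if text_host and registrable_domain(text_host) != target:
            findings.append((href, f"text shows {text_host} but link goes to {target}"))
        # Homograph trick: the decoded host mixes scripts (Latin plus Cyrillic, ...).
        scripts = scripts_in(shown_host)
        if len(scripts) > 1:
            findings.append((href, f"host mixes scripts {sorted(scripts)}"))
        # Open-redirector trick: a trusted host whose query carries an outside URL.
        if target in trusted_domains:
            for values in parse_qs(urlsplit(href).query).values():
                for value in values:
                    inner = host_of(value)
                    if inner and registrable_domain(inner) not in trusted_domains:
                        findings.append((href, f"trusted site redirects to {inner}"))
    return findings


TRUSTED = {"yourbank.com", "paypal.com"}  # assumed allow-list for the example

# Constructed HTML body; the fourth link uses U+0430 (Cyrillic a) inside "paypal".
SAMPLE_HTML = """
<p>Dear customer,</p>
<a href="http://www.yourbank.example.com/login">Log in to YourBank</a>
<a href="https://phisher.example/steal">https://www.yourbank.com/secure</a>
<a href="https://yourbank.com/redirect?url=https://phisher.example/x">Verify now</a>
<a href="https://p\u0430ypal.com/">PayPal</a>
<a href="https://www.yourbank.com/statements">View statement</a>
"""

if __name__ == "__main__":
    for href, reason in link_findings(SAMPLE_HTML, TRUSTED):
        print(f"{href}\n    {reason}")
```

Run as a script, it flags the first four links (one reason each) and passes the fifth. This automates what the passage tells a user to do by hand in the browser's status bar: compare where the link says it goes with where the href actually points, after undoing the punycode encoding so a Cyrillic lookalike is judged by the characters the user would see.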

Phone phishing

Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) was dialled, prompts told users to enter their account numbers and PIN. Vishing (voice phishing) sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

Other techniques

Another attack used successfully is to forward the client to a bank's legitimate website, then to place a popup window requesting credentials on top of the page in a way that makes many users think the bank is requesting this sensitive information. One of the latest phishing techniques is tabnabbing. It takes advantage of tabbed browsing, where users keep multiple tabs open, and silently redirects one of those open tabs to the fraudulent site. This technique operates in reverse to most phishing techniques, in that it doesn't directly take you to the fraudulent site; instead the phisher loads the fake page into one of your already open tabs. Evil twin is a phishing technique that is hard to detect. A phisher creates a fake wireless network that looks similar to a legitimate public network of the kind found in public places such as airports, hotels or coffee shops. Whenever someone logs on to the bogus network, fraudsters try to capture their passwords and/or credit card information.

Damage caused by phishing

The damage caused by phishing ranges from denial of access to email to substantial financial loss. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. United States businesses lose an estimated US$2 billion per year as their clients become victims. In 2007, phishing attacks escalated: 3.6 million adults lost US$3.2 billion in the 12 months ending in August 2007. Microsoft claims these estimates are grossly exaggerated and puts the annual phishing loss in the US at US$60 million. In the United Kingdom losses from web banking fraud, mostly from phishing, almost doubled to GB£23.2m in 2005, from GB£12.2m in 2004, while 1 in 20 computer users claimed to have lost out to phishing in 2005. According to the 3rd Microsoft Computing Safer Index Report released in February 2014, the annual worldwide impact of phishing could be as high as $5 billion. The stance adopted by the UK banking body APACS is that "customers must also take sensible precautions ... so that they are not vulnerable to the criminal." Similarly, when the first spate of phishing attacks hit the Irish Republic's banking sector in September 2006, the Bank of Ireland initially refused to cover losses suffered by its customers (and it still insists that its policy is not to do so), although losses to the tune of €11,300 were made good.
