McGraw-Hill/Irwin McGraw-Hill/Irwin

Copyright 2008 by The McGraw-Hill Companies, Inc. All rights reserved. Copyright ©© 2008, The McGraw-Hill Companies, Inc. All rights reserved.

Chapter

13
Security and Ethical Challenges

McGraw-Hill/Irwin

Copyright © 2008, The McGraw-Hill Companies, Inc. All rights reserved.

Learning Objectives
• Identify several ethical issues in how the use of information technologies in business affects
• • • • • • • Employment Individuality Working conditions Privacy Crime Health Solutions to societal problems

13-3

Learning Objectives
• Identify several types of security management strategies and defenses, and explain how they can be used to ensure the security of business applications of information technology

• Propose several ways that business managers and professionals can help to lessen the harmful effects and increase the beneficial effects of the use of information technology

13-4

Case 1: Cyberscams and Cybercriminals
• Cyberscams are today’s fastest-growing criminal niche
• 87 percent of companies surveyed reported a security incident • The U.S. Federal Trade Commission says identity theft is its top complaint • eBay has 60 people combating fraud; Microsoft has 65 • Stolen credit card account numbers are regularly sold online
13-5

Case Study Questions
• What are several reasons why “cyberscams are today’s fastest-growing criminal niche”?
• Explain why the reasons you give contribute to the growth of cyberscams

• What are several security measures that could be implemented to combat the spread of cyberscams?
• Explain why your suggestions would be effective in limiting the spread of cyberscams

13-6

Case Study Questions
• Which one or two of the four top cybercriminals described in this case poses the greatest threat to businesses? To consumers?
• Explain the reasons for your choices, and how businesses and consumers can protect themselves from these cyberscammers

13-7

IT Security, Ethics, and Society

13-8

IT Security, Ethics, and Society
• Information technology has both beneficial and detrimental effects on society and people
• Manage work activities to minimize the detrimental effects of information technology • Optimize the beneficial effects

13-9

Business Ethics
• Ethics questions that managers confront as part of their daily business decision making include
• • • • Equity Rights Honesty Exercise of corporate power

13-10

Categories of Ethical Business Issues

13-11

Corporate Social Responsibility Theories
• Stockholder Theory
• Managers are agents of the stockholders • Their only ethical responsibility is to increase the profits of the business without violating the law or engaging in fraudulent practices

• Social Contract Theory
• Companies have ethical responsibilities to all members of society, who allow corporations to exist

13-12

Corporate Social Responsibility Theories
• Stakeholder Theory
• Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders • Stakeholders are all individuals and groups that have a stake in, or claim on, a company

13-13

Principles of Technology Ethics
• Proportionality
• The good achieved by the technology must outweigh the harm or risk; there must be no alternative that achieves the same or comparable benefits with less harm or risk

• Informed Consent
• Those affected by the technology should understand and accept the risks

13-14

Principles of Technology Ethics
• Justice
• The benefits and burdens of the technology should be distributed fairly. • Those who benefit should bear their fair share of the risks, and those who do not benefit should not suffer a significant increase in risk

• Minimized Risk
• Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk
13-15

AITP Standards of Professional Conduct

13-16

Responsible Professional Guidelines
• A responsible professional
• • • • • Acts with integrity Increases personal competence Sets high standards of personal performance Accepts responsibility for his/her work Advances the health, privacy, and general welfare of the public

13-17

Computer Crime
• Computer crime includes
• Unauthorized use, access, modification, or destruction of hardware, software, data, or network resources • The unauthorized release of information • The unauthorized copying of software • Denying an end user access to his/her own hardware, software, data, or network resources • Using or conspiring to use computer or network resources illegally to obtain information or tangible property
13-18

Cybercrime Protection Measures

13-19

Hacking
• Hacking is
• The obsessive use of computers • The unauthorized access and use of networked computer systems

• Electronic Breaking and Entering
• Hacking into a computer system and reading files, but neither stealing nor damaging anything

• Cracker
• A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage
13-20

Common Hacking Tactics
• Denial of Service
• Hammering a website’s equipment with too many requests for information • Clogging the system, slowing performance, or crashing the site

• Scans
• Widespread probes of the Internet to determine types of computers, services, and connections • Looking for weaknesses

13-21

Common Hacking Tactics
• Sniffer
• Programs that search individual packets of data as they pass through the Internet • Capturing passwords or entire contents

• Spoofing
• Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers

13-22

Common Hacking Tactics
• Trojan House
• A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software

• Back Doors
• A hidden point of entry to be used in case the original entry point is detected or blocked

• Malicious Applets
• Tiny Java programs that misuse your computer’s resources, modify files on the hard disk, send fake email, or steal passwords
13-23

Common Hacking Tactics
• War Dialing
• Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection

• Logic Bombs
• An instruction in a computer program that triggers a malicious act

• Buffer Overflow
• Crashing or gaining control of a computer by sending too much data to buffer memory
13-24

Common Hacking Tactics
• Password Crackers
• Software that can guess passwords

• Social Engineering
• Gaining access to computer systems by talking unsuspecting company employees out of valuable information, such as passwords

• Dumpster Diving
• Sifting through a company’s garbage to find information to help break into their computers

13-25

Cyber Theft
• Many computer crimes involve the theft of money • The majority are “inside jobs” that involve unauthorized network entry and alternation of computer databases to cover the tracks of the employees involved • Many attacks occur through the Internet • Most companies don’t reveal that they have been targets or victims of cybercrime
13-26

Unauthorized Use at Work
• Unauthorized use of computer systems and networks is time and resource theft
• • • • Doing private consulting Doing personal finances Playing video games Unauthorized use of the Internet or company networks

• Sniffers
• Used to monitor network traffic or capacity • Find evidence of improper use
13-27

Internet Abuses in the Workplace
• • • • • • • • • • • General email abuses Unauthorized usage and access Copyright infringement/plagiarism Newsgroup postings Transmission of confidential data Pornography Hacking Non-work-related download/upload Leisure use of the Internet Use of external ISPs Moonlighting
13-28

Software Piracy
• Software Piracy
• Unauthorized copying of computer programs

• Licensing
• Purchasing software is really a payment for a license for fair use • Site license allows a certain number of copies
A third of the software industry’s revenues are lost to piracy

13-29

Theft of Intellectual Property
• Intellectual Property
• Copyrighted material • Includes such things as music, videos, images, articles, books, and software

• Copyright Infringement is Illegal
• Peer-to-peer networking techniques have made it easy to trade pirated intellectual property

• Publishers Offer Inexpensive Online Music
• Illegal downloading of music and video is down and continues to drop
13-30

Viruses and Worms
• A virus is a program that cannot work without being inserted into another program
• A worm can run unaided

• These programs copy annoying or destructive routines into networked computers
• Copy routines spread the virus

• Commonly transmitted through
• • • • The Internet and online services Email and file attachments Disks from contaminated computers Shareware
13-31

Top Five Virus Families of all Time
• My Doom, 2004
• Spread via email and over Kazaa file-sharing network • Installs a back door on infected computers • Infected email poses as returned message or one that can’t be opened correctly, urging recipient to click on attachment • Opens up TCP ports that stay open even after termination of the worm • Upon execution, a copy of Notepad is opened, filled with nonsense characters
13-32

Top Five Virus Families of all Time
• Netsky, 2004
• Mass-mailing worm that spreads by emailing itself to all email addresses found on infected computers • Tries to spread via peer-to-peer file sharing by copying itself into the shared folder • It renames itself to pose as one of 26 other common files along the way

13-33

Top Five Virus Families of all Time
• SoBig, 2004
• Mass-mailing email worm that arrives as an attachment
• Examples: Movie_0074.mpg.pif, Document003.pif

• Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking for email addresses to which it can send itself • Also attempts to download updates for itself

13-34

Top Five Virus Families of all Time
• Klez, 2002
• A mass-mailing email worm that arrives with a randomly named attachment • Exploits a known vulnerability in MS Outlook to auto-execute on unpatched clients • Tries to disable virus scanners and then copy itself to all local and networked drives with a random file name • Deletes all files on the infected machine and any mapped network drives on the 13th of all even-numbered months
13-35

Top Five Virus Families of all Time
• Sasser, 2004
• Exploits a Microsoft vulnerability to spread from computer to computer with no user intervention • Spawns multiple threads that scan local subnets for vulnerabilities

13-36

The Cost of Viruses, Trojans, Worms
• Cost of the top five virus families
• Nearly 115 million computers in 200 countries were infected in 2004 • Up to 11 million computers are believed to be permanently infected • In 2004, total economic damage from virus proliferation was $166 to $202 billion • Average damage per computer is between $277 and $366

13-37

Adware and Spyware
• Adware
• Software that purports to serve a useful purpose, and often does • Allows advertisers to display pop-up and banner ads without the consent of the computer users

• Spyware
• Adware that uses an Internet connection in the background, without the user’s permission or knowledge • Captures information about the user and sends it over the Internet
13-38

Spyware Problems
• Spyware can steal private information and also
• • • • Add advertising links to Web pages Redirect affiliate payments Change a users home page and search settings Make a modem randomly call premium-rate phone numbers • Leave security holes that let Trojans in • Degrade system performance

• Removal programs are often not completely successful in eliminating spyware
13-39

Privacy Issues
• The power of information technology to store and retrieve information can have a negative effect on every individual’s right to privacy
• Personal information is collected with every visit to a Web site • Confidential information stored by credit bureaus, credit card companies, and the government has been stolen or misused

13-40

Opt-in Versus Opt-out
• Opt-In
• You explicitly consent to allow data to be compiled about you • This is the default in Europe

• Opt-Out
• Data can be compiled about you unless you specifically request it not be • This is the default in the U.S.

13-41

Privacy Issues
• Violation of Privacy
• Accessing individuals’ private email conversations and computer records • Collecting and sharing information about individuals gained from their visits to Internet websites

• Computer Monitoring
• Always knowing where a person is • Mobile and paging services are becoming more closely associated with people than with places
13-42

Privacy Issues
• Computer Matching
• Using customer information gained from many sources to market additional business services

• Unauthorized Access of Personal Files
• Collecting telephone numbers, email addresses, credit card numbers, and other information to build customer profiles

13-43

Protecting Your Privacy on the Internet
• There are multiple ways to protect your privacy
• Encrypt email • Send newsgroup postings through anonymous remailers • Ask your ISP not to sell your name and information to mailing list providers and other marketers • Don’t reveal personal data and interests on online service and website user profiles

13-44

Privacy Laws
• Electronic Communications Privacy Act and Computer Fraud and Abuse Act
• Prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems

• U.S. Computer Matching and Privacy Act
• Regulates the matching of data held in federal agency files to verify eligibility for federal programs

13-45

Privacy Laws
• Other laws impacting privacy and how much a company spends on compliance
• Sarbanes-Oxley • Health Insurance Portability and Accountability Act (HIPAA) • Gramm-Leach-Bliley • USA Patriot Act • California Security Breach Law • Securities and Exchange Commission rule 17a-4

13-46

Computer Libel and Censorship
• The opposite side of the privacy debate…
• Freedom of information, speech, and press

• Biggest battlegrounds
• Bulletin boards • Email boxes • Online files of Internet and public networks

• Weapons used in this battle
• • • • Spamming Flame mail Libel laws Censorship
13-47

Computer Libel and Censorship
• Spamming
• Indiscriminate sending of unsolicited email messages to many Internet users

• Flaming
• Sending extremely critical, derogatory, and often vulgar email messages or newsgroup posting to other users on the Internet or online services • Especially prevalent on special-interest newsgroups

13-48

Cyberlaw
• Laws intended to regulate activities over the Internet or via electronic communication devices
• Encompasses a wide variety of legal and political issues • Includes intellectual property, privacy, freedom of expression, and jurisdiction

13-49

Cyberlaw
• The intersection of technology and the law is controversial
• Some feel the Internet should not be regulated • Encryption and cryptography make traditional form of regulation difficult • The Internet treats censorship as damage and simply routes around it

• Cyberlaw only began to emerge in 1996
• Debate continues regarding the applicability of legal principles derived from issues that had nothing to do with cyberspace
13-50

Other Challenges
• Employment
• IT creates new jobs and increases productivity • It can also cause significant reductions in job opportunities, as well as requiring new job skills

• Computer Monitoring
• Using computers to monitor the productivity and behavior of employees as they work • Criticized as unethical because it monitors individuals, not just work, and is done constantly • Criticized as invasion of privacy because many employees do not know they are being monitored
13-51

Other Challenges
• Working Conditions
• IT has eliminated monotonous or obnoxious tasks • However, some skilled craftsperson jobs have been replaced by jobs requiring routine, repetitive tasks or standby roles

• Individuality
• Dehumanizes and depersonalizes activities because computers eliminate human relationships • Inflexible systems

13-52

Health Issues
• Cumulative Trauma Disorders (CTDs)
• Disorders suffered by people who sit at a PC or terminal and do fast-paced repetitive keystroke jobs

• Carpal Tunnel Syndrome
• Painful, crippling ailment of the hand and wrist • Typically requires surgery to cure

13-53

Ergonomics
• Designing healthy work environments
• Safe, comfortable, and pleasant for people to work in • Increases employee morale and productivity • Also called human factors engineering

13-54

Ergonomics Factors

13-55

Societal Solutions
• Using information technologies to solve human and social problems
• • • • • • Medical diagnosis Computer-assisted instruction Governmental program planning Environmental quality control Law enforcement Job placement

13-56

Societal Solutions
• The detrimental effects of information technology
• Often caused by individuals or organizations not accepting ethical responsibility for their actions

13-57

Security Management of IT
• The Internet was developed for inter-operability, not impenetrability
• Business managers and professionals alike are responsible for the security, quality, and performance of business information systems • Hardware, software, networks, and data resources must be protected by a variety of security measures

13-58

Case 2: Data Security Failures
• Security Breach Headlines
• Identity thieves stole information on 145,000 people from ChoicePoint • Bank of America lost backup tapes that held data on over 1 million credit card holders • DSW had its stores’ credit card data breached; over 1 million had been accessed

• Corporate America is finally owning up to a long-held secret
• It can’t safeguard its most valuable data
13-59

Case Study Questions
• Why have there been so many recent incidents of data security breaches and loss of customer data by reputable companies? • What security safeguards must companies have to deter electronic break-ins into their computer networks, business applications, and data resources like the incident at Lowe’s?

13-60

Case Study Questions
• What security safeguards would have deterred the loss of customer data at
• TCI • Bank of America • ChoicePoint?

13-61

Security Management
• The goal of security management is the accuracy, integrity, and safety of all information system processes and resources

13-62

Internetworked Security Defenses
• Encryption
• Data is transmitted in scrambled form • It is unscrambled by computer systems for authorized users only • The most widely used method uses a pair of public and private keys unique to each individual

13-63

Public/Private Key Encryption

13-64

Internetworked Security Defenses
• Firewalls
• A gatekeeper system that protects a company’s intranets and other computer networks from intrusion • Provides a filter and safe transfer point for access to/from the Internet and other networks • Important for individuals who connect to the Internet with DSL or cable modems • Can deter hacking, but cannot prevent it

13-65

Internet and Intranet Firewalls

13-66

Denial of Service Attacks
• Denial of service attacks depend on three layers of networked computer systems
• The victim’s website • The victim’s Internet service provider • Zombie or slave computers that have been commandeered by the cybercriminals

13-67

Defending Against Denial of Service
• At Zombie Machines
• Set and enforce security policies • Scan for vulnerabilities

• At the ISP
• Monitor and block traffic spikes

• At the Victim’s Website
• Create backup servers and network connections

13-68

Internetworked Security Defenses
• Email Monitoring
• Use of content monitoring software that scans for troublesome words that might compromise corporate security

• Virus Defenses
• Centralize the updating and distribution of antivirus software • Use a security suite that integrates virus protection with firewalls, Web security, and content blocking features
13-69

Other Security Measures
• Security Codes
• Multilevel password system • Encrypted passwords • Smart cards with microprocessors

• Backup Files
• Duplicate files of data or programs

• Security Monitors
• Monitor the use of computers and networks • Protects them from unauthorized use, fraud, and destruction
13-70

Other Security Measures
• Biometrics
• Computer devices measure physical traits that make each individual unique
• Voice recognition, fingerprints, retina scan

• Computer Failure Controls
• Prevents computer failures or minimizes its effects • Preventive maintenance • Arrange backups with a disaster recovery organization
13-71

Other Security Measures
• In the event of a system failure, fault-tolerant systems have redundant processors, peripherals, and software that provide
• Fail-over capability: shifts to back up components • Fail-save capability: the system continues to operate at the same level • Fail-soft capability: the system continues to operate at a reduced but acceptable level

13-72

Other Security Measures
• A disaster recovery plan contains formalized procedures to follow in the event of a disaster
• Which employees will participate • What their duties will be • What hardware, software, and facilities will be used • Priority of applications that will be processed • Use of alternative facilities • Offsite storage of databases

13-73

Information System Controls
• Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities

13-74

Auditing IT Security
• IT Security Audits
• Performed by internal or external auditors • Review and evaluation of security measures and management policies • Goal is to ensure that that proper and adequate measures and policies are in place

13-75

Protecting Yourself from Cybercrime

13-76

Case 3: Managing Information Security
• OCTAVE Security Process Methodology
• Risk Evaluation
• • • • Self-direction by people in the organization Adaptable measures that can change with technology A defined process and standard evaluation procedures A foundation for a continual process that improves security over time

• Risk Management
• A forward-looking view • A focus on a “critical few” security issues • Integrated management of security policies and strategies
13-77

Case 3: Managing Information Security
• Organizational and Cultural
• Open communication of risk information and activities build around collaboration • A global perspective on risk in the context of the organization’s mission and business objectives • Teamwork

13-78

Case Study Questions
• What are security managers doing to improve information security? • How does the OCTAVE methodology work to improve security in organizations? • What does Lloyd Hession mean when he says information security is “not addressed simply by the firewalls and antivirus tools that are already in place”?

13-79

Case 4: Maintaining Software Security
• Security professionals have 7 to 21 days before hacker’s tools used to exploit the most recent vulnerabilities become available on the Internet
• Microsoft’s monthly patch-release date is known as “Patch Tuesday” • Security software companies go to work immediately to update their products • Update must be thoroughly tested before being deployed

13-80

Case Study Questions
• What types of security problems are typically addressed by a patch-management strategy?
• Why do such problems arise in the first place?

• What challenges does the process of applying software patches and updates pose for many businesses?
• What are the limitations of the patching process?

13-81

Case Study Questions
• Does the business value of a comprehensive patch-management strategy outweigh its costs, its limitations, and the demands it placed on the IT function?

13-82