13-2
IT Security, Ethics, and Society
13-3
Business Ethics
13-4
Categories of Ethical Business Issues
13-5
Corporate Social Responsibility Theories
• Stockholder Theory
– Managers are agents of the stockholders
– Their only ethical responsibility is to increase the profits of the business without violating the law or engaging in fraudulent practices
• Social Contract Theory
– Companies have ethical responsibilities to all members of society, who allow corporations to exist
13-6
Corporate Social Responsibility Theories
• Stakeholder Theory
– Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders
– Stakeholders are all individuals and groups that have a stake in, or claim on, a company
13-7
Principles of Technology Ethics
• Proportionality
– The good achieved by the technology must outweigh the harm or risk; there must be no alternative that achieves the same or comparable benefits with less harm or risk
• Informed Consent
– Those affected by the technology should understand and accept the risks
13-8
Principles of Technology Ethics
• Justice
– The benefits and burdens of the technology should be distributed fairly
– Those who benefit should bear their fair share of the risks, and those who do not benefit should not suffer a significant increase in risk
• Minimized Risk
– Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk
13-9
AITP Standards of Professional Conduct
13-10
Responsible Professional Guidelines
• A responsible professional
– Acts with integrity
– Increases personal competence
– Sets high standards of personal performance
– Accepts responsibility for his/her work
– Advances the health, privacy, and general welfare of the public
13-11
Computer Crime
13-12
Hacking
• Hacking is
– The obsessive use of computers
– The unauthorized access and use of networked computer systems
• Electronic Breaking and Entering
– Hacking into a computer system and reading files, but neither stealing nor damaging anything
• Cracker
– A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage
13-13
Common Hacking Tactics
• Denial of Service
– Hammering a website’s equipment with too many requests for information
– Clogging the system, slowing performance, or crashing the site
• Scans
– Widespread probes of the Internet to determine types of computers, services, and connections
– Looking for weaknesses
13-14
Common Hacking Tactics
• Sniffer
– Programs that search individual packets of data as they pass through the Internet
– Capturing passwords or entire contents
• Spoofing
– Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers
13-15
Common Hacking Tactics
• Trojan Horse
– A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software
• Back Doors
– A hidden point of entry to be used in case the original entry point is detected or blocked
• Malicious Applets
– Tiny Java programs that misuse your computer’s resources, modify files on the hard disk, send fake email, or steal passwords
13-16
Common Hacking Tactics
• War Dialing
– Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection
• Logic Bombs
– An instruction in a computer program that triggers a malicious act
• Buffer Overflow
– Crashing or gaining control of a computer by sending too much data to buffer memory
13-17
Common Hacking Tactics
• Password Crackers
– Software that can guess passwords
• Social Engineering
– Gaining access to computer systems by talking unsuspecting company employees out of valuable information, such as passwords
• Dumpster Diving
– Sifting through a company’s garbage to find information to help break into their computers
13-18
Cyber Theft
13-19
Unauthorized Use at Work
13-20
Internet Abuses in the Workplace
13-21
Software Piracy
• Software Piracy
– Unauthorized copying of computer programs
• Licensing
– Purchasing software is really a payment for a license for fair use
– Site license allows a certain number of copies
• Intellectual Property
– Copyrighted material
– Includes such things as music, videos, images, articles, books, and software
• Copyright Infringement is Illegal
– Peer-to-peer networking techniques have made it easy to trade pirated intellectual property
• Publishers Offer Inexpensive Online Music
– Illegal downloading of music and video is down and continues to drop
13-23
Viruses and Worms
13-24
Top Five Virus Families of all Time
• MyDoom, 2004
– Spread via email and over the Kazaa file-sharing network
– Installs a back door on infected computers
– Infected email poses as a returned message or one that can’t be opened correctly, urging the recipient to click on the attachment
– Opens up TCP ports that stay open even after termination of the worm
– Upon execution, a copy of Notepad is opened, filled with nonsense characters
13-25
Top Five Virus Families of all Time
• Netsky, 2004
– Mass-mailing worm that spreads by emailing itself to all email addresses found on infected computers
– Tries to spread via peer-to-peer file sharing by copying itself into the shared folder
– It renames itself to pose as one of 26 other common files along the way
13-26
Top Five Virus Families of all Time
• SoBig, 2004
– Mass-mailing email worm that arrives as an attachment
• Examples: Movie_0074.mpg.pif, Document003.pif
– Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking for email addresses to which it can send itself
– Also attempts to download updates for itself
13-27
Top Five Virus Families of all Time
• Klez, 2002
– A mass-mailing email worm that arrives with a randomly named attachment
– Exploits a known vulnerability in MS Outlook to auto-execute on unpatched clients
– Tries to disable virus scanners and then copy itself to all local and networked drives with a random file name
– Deletes all files on the infected machine and any mapped network drives on the 13th of all even-numbered months
13-28
Top Five Virus Families of all Time
• Sasser, 2004
– Exploits a Microsoft vulnerability to spread from computer to computer with no user intervention
– Spawns multiple threads that scan local subnets for vulnerabilities
13-29
The Cost of Viruses, Trojans, Worms
13-30
Adware and Spyware
• Adware
– Software that purports to serve a useful purpose, and often does
– Allows advertisers to display pop-up and banner ads without the consent of the computer users
• Spyware
– Adware that uses an Internet connection in the background, without the user’s permission or knowledge
– Captures information about the user and sends it over the Internet
13-31
Spyware Problems
13-32
Privacy Issues
13-33
Opt-in Versus Opt-out
• Opt-In
– You explicitly consent to allow data to be compiled about you
– This is the default in Europe
• Opt-Out
– Data can be compiled about you unless you specifically request it not be
– This is the default in the U.S.
13-34
Privacy Issues
• Violation of Privacy
– Accessing individuals’ private email conversations and computer records
– Collecting and sharing information about individuals gained from their visits to Internet websites
• Computer Monitoring
– Always knowing where a person is
– Mobile and paging services are becoming more closely associated with people than with places
13-35
Privacy Issues
• Computer Matching
– Using customer information gained from many sources to market additional business services
• Unauthorized Access of Personal Files
– Collecting telephone numbers, email addresses, credit card numbers, and other information to build customer profiles
13-36
Protecting Your Privacy on the Internet
13-37
Privacy Laws
13-38
Privacy Laws
13-39
Computer Libel and Censorship
13-40
Computer Libel and Censorship
• Spamming
– Indiscriminate sending of unsolicited email messages to many Internet users
• Flaming
– Sending extremely critical, derogatory, and often vulgar email messages or newsgroup postings to other users on the Internet or online services
– Especially prevalent on special-interest newsgroups
13-41
Cyberlaw
13-42
Cyberlaw
13-43
Other Challenges
• Employment
– IT creates new jobs and increases productivity
– It can also cause significant reductions in job opportunities, as well as requiring new job skills
• Computer Monitoring
– Using computers to monitor the productivity and behavior of employees as they work
– Criticized as unethical because it monitors individuals, not just work, and is done constantly
– Criticized as an invasion of privacy because many employees do not know they are being monitored
13-44
Other Challenges
• Working Conditions
– IT has eliminated monotonous or obnoxious tasks
– However, some skilled craftsperson jobs have been replaced by jobs requiring routine, repetitive tasks or standby roles
• Individuality
– Dehumanizes and depersonalizes activities because computers eliminate human relationships
– Inflexible systems
13-45
Health Issues
13-46
Ergonomics
13-47
Ergonomics Factors
13-48
Societal Solutions
13-49
Societal Solutions
13-50
Security Management of IT
13-51
Security Management
13-52
Internetworked Security Defenses
• Encryption
– Data is transmitted in scrambled form
– It is unscrambled by computer systems for authorized users only
– The most widely used method uses a pair of public and private keys unique to each individual
13-53
Public/Private Key Encryption
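The public/private key idea from the previous slide, shown as an added example rather than anything from the slides or the textbook: a textbook RSA key pair with small constructed primes (1000003, 1000033 for the receiver and 1000037, 1000039 for an unrelated party), a public exponent of 65537 and a four-byte constructed message. Data scrambled with the receiver's public key is recovered only by the matching private key; a different private key yields garbage. Real systems use moduli of 2048 bits or more, randomized padding and a vetted library; the arithmetic here is only to make the key relationship visible.

```python
"""Public/private key encryption in miniature: textbook RSA with tiny primes.

Added illustration (not from the slides). The primes, key and message are
constructed so the arithmetic is readable; production systems use moduli of
2048 bits or more, randomized padding and a vetted library.
"""
from math import gcd

# Constructed key material: two small primes for the receiver, and two
# different primes for an unrelated party, to show that only the matching
# private key unscrambles the data.
RECEIVER_PRIMES = (1000003, 1000033)
OTHER_PRIMES = (1000037, 1000039)
PUBLIC_EXPONENT = 65537


def make_keypair(p, q, e=PUBLIC_EXPONENT):
    """Return ((n, e), (n, d)): the public key may be published, the
    private key stays with its owner. d is the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Scramble `message` (bytes) with the recipient's PUBLIC key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    """Unscramble with a PRIVATE key; only the matching one recovers the text."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")


def roundtrip(message=b"pin1"):
    """Encrypt for the receiver, then decrypt with the right and a wrong key.
    Returns (recovered_with_right_key, recovered_with_wrong_key)."""
    public, private = make_keypair(*RECEIVER_PRIMES)
    _, wrong_private = make_keypair(*OTHER_PRIMES)
    ciphertext = encrypt(public, message)
    return decrypt(private, ciphertext), decrypt(wrong_private, ciphertext)


if __name__ == "__main__":
    good, bad = roundtrip()
    print("right key ->", good)
    print("wrong key ->", bad)
```

The point for the slide's "unscrambled for authorized users only": the sender never needs the receiver's secret, only the published key, and possession of the private key is what makes a user "authorized" to read the data.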
13-54
Internetworked Security Defenses
• Firewalls
– A gatekeeper system that protects a company’s intranets and other computer networks from intrusion
– Provides a filter and safe transfer point for access to/from the Internet and other networks
– Important for individuals who connect to the Internet with DSL or cable modems
– Can deter hacking, but cannot prevent it
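The "filter" on this slide, as an added example that is not from the slides or the textbook: a deny-by-default rule set evaluated top-down, with constructed address ranges (10.0.0.0/8 as the intranet, 10.1.1.80 as a public web server) and constructed sample connections. Outsiders reach the web server on 443 only; inside hosts may initiate outbound connections; everything else is dropped because no rule matches.

```python
"""A default-deny packet filter: the smallest useful model of a firewall.

Added illustration (not from the slides). The address ranges, rules and
sample connections are constructed; a real firewall also tracks connection
state and inspects more than the addresses and port shown here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network     # matching source addresses
    dst: ipaddress.IPv4Network     # matching destination addresses
    dport: Optional[int]           # destination TCP port; None matches any


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int


ANY = ipaddress.ip_network("0.0.0.0/0")
INTRANET = ipaddress.ip_network("10.0.0.0/8")       # constructed internal range
PUBLIC_WEB = ipaddress.ip_network("10.1.1.80/32")   # constructed web server

RULES: List[Rule] = [
    Rule("allow", ANY, PUBLIC_WEB, 443),   # outsiders may reach the web server over HTTPS
    Rule("allow", INTRANET, ANY, None),    # inside hosts may initiate anything outbound
    # no catch-all rule: anything unmatched falls to the implicit deny in decide()
]


def decide(rules: List[Rule], conn: Connection) -> str:
    """First matching rule wins; no match means deny (deny-by-default)."""
    src = ipaddress.ip_address(conn.src)
    dst = ipaddress.ip_address(conn.dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.dport in (None, conn.dport):
            return rule.action
    return "deny"


def evaluate_samples():
    """Run constructed connections through RULES; returns {label: decision}."""
    samples = {
        "internet->web:443": Connection("203.0.113.7", "10.1.1.80", 443),
        "internet->web:22": Connection("203.0.113.7", "10.1.1.80", 22),
        "internet->fileserver:445": Connection("203.0.113.7", "10.2.5.9", 445),
        "intranet->internet:443": Connection("10.2.5.9", "198.51.100.4", 443),
    }
    return {label: decide(RULES, c) for label, c in samples.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{label:28} {verdict}")
```

This also makes the slide's last bullet concrete: the filter deters by refusing everything it was not told to pass, but traffic that matches an allow rule (here, anything to port 443 on the web server) goes through unexamined, so the application behind that port still needs its own defenses.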
13-55
Internet and Intranet Firewalls
13-56
Denial of Service Attacks
13-57
Defending Against Denial of Service
• At Zombie Machines
– Set and enforce security policies
– Scan for vulnerabilities
• At the ISP
– Monitor and block traffic spikes
• At the Victim’s Website
– Create backup servers and network connections
13-58
Internetworked Security Defenses
• Email Monitoring
– Use of content monitoring software that scans for troublesome words that might compromise corporate security
• Virus Defenses
– Centralize the updating and distribution of antivirus software
– Use a security suite that integrates virus protection with firewalls, Web security, and content blocking features
13-59
Other Security Measures
• Security Codes
– Multilevel password system
– Encrypted passwords
– Smart cards with microprocessors
• Backup Files
– Duplicate files of data or programs
• Security Monitors
– Monitor the use of computers and networks
– Protect them from unauthorized use, fraud, and destruction
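"Encrypted passwords" from this slide, and why they blunt the password crackers listed under Common Hacking Tactics, as an added example that is not from the slides or the textbook. Each password is stored as a salted, deliberately slow PBKDF2 hash (standard library only) and checked with a constant-time comparison; an unsalted fast hash is included purely as the contrast. The iteration count is an assumption and the sample passwords are constructed.

```python
"""Storing passwords "encrypted": salted, deliberately slow hashing with the
standard library only.

Added illustration (not from the slides). The iteration count is an
assumption; the sample passwords are constructed.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: tuned so one check takes a fraction of a second. That cost is
# paid once per login but once per GUESS by a cracker working on a stolen file.
ITERATIONS = 200_000


def naive_hash(password: str) -> str:
    """Unsalted, fast hash: identical passwords give identical output, and a
    cracker can test huge numbers of guesses per second. Shown only as the contrast."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt means two users with the same password store different
    records, so one cracked hash tells the attacker nothing about the other."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iterations))
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    record = hash_password("Summer2024")   # constructed sample password
    print(record)
    print("correct  ->", verify_password(record, "Summer2024"))
    print("wrong    ->", verify_password(record, "summer2024"))
    print("naive duplicates:", naive_hash("Summer2024") == naive_hash("Summer2024"))
```

The record carries its own parameters, so the iteration count can be raised later and old records re-hashed at next login without a format change.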
13-60
Other Security Measures
• Biometrics
– Computer devices measure physical traits that make each individual unique
• Voice recognition, fingerprints, retina scan
13-61
Other Security Measures
13-62
Other Security Measures
13-63
Information System Controls
13-64
Auditing IT Security
• IT Security Audits
– Performed by internal or external auditors
– Review and evaluation of security measures and management policies
– Goal is to ensure that proper and adequate measures and policies are in place
13-65
Protecting Yourself from Cybercrime
13-66