
Securing Information Systems and Ethical Challenges


IT Security, Ethics, and Society

13-2
IT Security, Ethics, and Society

• Information technology has both beneficial
and detrimental effects on society and people
– Manage work activities to minimize the
detrimental effects of information technology
– Optimize the beneficial effects

13-3
Business Ethics

• Ethics questions that managers confront
as part of their daily business decision
making include
– Equity
– Rights
– Honesty
– Exercise of corporate power

13-4
Categories of Ethical Business Issues

13-5
Corporate Social Responsibility Theories

• Stockholder Theory
– Managers are agents of the stockholders
– Their only ethical responsibility is to increase
the profits of the business without violating
the law or engaging in fraudulent practices
• Social Contract Theory
– Companies have ethical responsibilities to all
members of society, who allow corporations
to exist

13-6
Corporate Social Responsibility Theories

• Stakeholder Theory
– Managers have an ethical responsibility to
manage a firm for the benefit of all its
stakeholders
– Stakeholders are all individuals and groups
that have a stake in, or claim on, a company

13-7
Principles of Technology Ethics

• Proportionality
– The good achieved by the technology must
outweigh the harm or risk; there must be no
alternative that achieves the same or
comparable benefits with less harm or risk
• Informed Consent
– Those affected by the technology should
understand and accept the risks

13-8
Principles of Technology Ethics

• Justice
– The benefits and burdens of the technology
should be distributed fairly.
– Those who benefit should bear their fair share
of the risks, and those who do not benefit
should not suffer a significant increase in risk
• Minimized Risk
– Even if judged acceptable by the other three
guidelines, the technology must be
implemented so as to avoid all unnecessary
risk

13-9
AITP Standards of Professional Conduct

13-10
Responsible Professional Guidelines

• A responsible professional
– Acts with integrity
– Increases personal competence
– Sets high standards of personal
performance
– Accepts responsibility for his/her work
– Advances the health, privacy, and general
welfare of the public
13-11
Computer Crime

• Computer crime includes
– Unauthorized use, access, modification, or
destruction of hardware, software, data, or
network resources
– The unauthorized release of information
– The unauthorized copying of software
– Denying an end user access to his/her own
hardware, software, data, or network
resources
– Using or conspiring to use computer or
network resources illegally to obtain
information or tangible property

13-12
Hacking

• Hacking is
– The obsessive use of computers
– The unauthorized access and use of
networked computer systems
• Electronic Breaking and Entering
– Hacking into a computer system and reading
files, but neither stealing nor damaging
anything
• Cracker
– A malicious or criminal hacker who maintains
knowledge of the vulnerabilities found for
private advantage

13-13
Common Hacking Tactics

• Denial of Service
– Hammering a website’s equipment with too
many requests for information
– Clogging the system, slowing performance,
or crashing the site
• Scans
– Widespread probes of the Internet to
determine types of computers, services, and
connections
– Looking for weaknesses

13-14
Common Hacking Tactics

• Sniffer
– Programs that capture and inspect individual
packets of data as they pass over a network
– Can recover passwords or the entire contents
of unencrypted traffic
• Spoofing
– Faking an e-mail address or Web page to
trick users into passing along critical
information like passwords or credit card numbers

13-15
Common Hacking Tactics

• Trojan Horse
– A program that, unknown to the user,
contains instructions that exploit a known
vulnerability in some software
• Back Doors
– A hidden point of entry to be used in case
the original entry point is detected or blocked
• Malicious Applets
– Tiny Java programs that misuse your
computer’s resources, modify files on the
hard disk, send fake email, or steal
passwords
13-16
Common Hacking Tactics

• War Dialing
– Programs that automatically dial thousands
of telephone numbers in search of a way in
through a modem connection
• Logic Bombs
– An instruction in a computer program that
triggers a malicious act
• Buffer Overflow
– Crashing or gaining control of a computer by
sending a program more data than its buffer
can hold, so the excess overwrites adjacent memory

13-17
Common Hacking Tactics

• Password Crackers
– Software that can guess passwords
• Social Engineering
– Gaining access to computer systems by talking
unsuspecting company employees out of
valuable information, such as passwords
• Dumpster Diving
– Sifting through a company’s garbage to find
information to help break into their
computers

13-18
Cyber Theft

• Many computer crimes involve the theft of money
• The majority are “inside jobs” that involve
unauthorized network entry and alteration of
computer databases to cover the tracks of the
employees involved
• Many attacks occur through the Internet
• Most companies don’t reveal that they have
been targets or victims of cybercrime

13-19
Unauthorized Use at Work

• Unauthorized use of computer systems and
networks is time and resource theft
– Doing private consulting
– Doing personal finances
– Playing video games
– Unauthorized use of the Internet or company
networks
• Sniffers
– Used to monitor network traffic or capacity
– Find evidence of improper use
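The sniffer tactic on slide 13-14 and the monitoring use above rely on the same mechanism: a program on the network path reads each frame, walks the Ethernet, IP and TCP headers and looks at the payload. The following Python example is added here and is not from the original slides. It builds a few constructed frames (made-up addresses, ports and an FTP login) and shows both uses, recovering the cleartext password and tallying which host talks to which service.

```python
import re
import struct
from collections import Counter
from typing import Optional


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet/IPv4/TCP frame for the constructed capture.
    Checksums are left at zero, which a real stack would reject; the parser below
    does not check them, as most sniffers do not."""
    eth = struct.pack("!6s6sH", b"\xaa" * 6, b"\xbb" * 6, 0x0800)   # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,                   # IHL 5, TTL 64, protocol 6 = TCP
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # 20-byte header, PSH|ACK
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Optional[dict]:
    """Walk the headers and return addressing plus the TCP payload, or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": tcp[data_offset:],
    }


FTP_CREDENTIAL = re.compile(rb"^(USER|PASS) +(\S+)", re.MULTILINE)


def extract_ftp_credentials(frames) -> dict:
    """Collect USER/PASS commands sent in the clear to port 21, keyed by (client, server).
    This is the attacker's use of a sniffer: the protocol itself hands over the password."""
    found = {}
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt["dport"] != 21:
            continue
        entry = found.setdefault((pkt["src"], pkt["dst"]), {})
        for command, value in FTP_CREDENTIAL.findall(pkt["payload"]):
            entry[command.decode().lower()] = value.decode(errors="replace")
    return found


def service_usage(frames) -> Counter:
    """Count (client, server port) pairs: the same parser serves the monitoring use on the
    slide, showing which hosts talk to which services without reading any payload."""
    usage = Counter()
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is not None:
            usage[(pkt["src"], pkt["dport"])] += 1
    return usage


# Constructed capture: a cleartext FTP login, one TLS record to port 443, and one ARP frame.
SAMPLE_CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"USER alice\r\n"),
    build_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"PASS hunter2\r\n"),
    build_frame("10.0.0.5", "10.0.0.30", 40002, 443, b"\x16\x03\x01\x00\x05hello"),
    struct.pack("!6s6sH", b"\xff" * 6, b"\xaa" * 6, 0x0806) + b"\x00" * 28,
]

if __name__ == "__main__":
    print(extract_ftp_credentials(SAMPLE_CAPTURE))   # the FTP password is recovered verbatim
    print(service_usage(SAMPLE_CAPTURE))             # the TLS session appears only as a port count
```

The TLS session to port 443 yields nothing but a port count because its payload is opaque, which is the practical defence against sniffing. The parser ignores checksums and anything past the IHL field, as many capture tools do.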

13-20
Internet Abuses in the Workplace

– General email abuses
– Unauthorized usage and access
– Copyright infringement/plagiarism
– Newsgroup postings
– Transmission of confidential data
– Pornography
– Hacking
– Non-work-related download/upload
– Leisure use of the Internet
– Use of external ISPs
– Moonlighting

13-21
Software Piracy

• Software Piracy
– Unauthorized copying of computer programs
• Licensing
– Purchasing software is really a payment for
a license for fair use
– Site license allows a certain number of copies
• A third of the software industry’s revenues
are lost to piracy

13-22
Theft of Intellectual Property

• Intellectual Property
– Copyrighted material
– Includes such things as music, videos, images,
articles, books, and software
• Copyright Infringement is Illegal
– Peer-to-peer networking techniques have made
it easy to trade pirated intellectual property
• Publishers Offer Inexpensive Online Music
– Illegal downloading of music and video is
down and continues to drop

13-23
Viruses and Worms

• A virus is a program that cannot work without
being inserted into another program
– A worm can run unaided
• These programs copy annoying or destructive
routines into networked computers
– Copy routines spread the virus
• Commonly transmitted through
– The Internet and online services
– Email and file attachments
– Disks from contaminated computers
– Shareware

13-24
Top Five Virus Families of all Time

• My Doom, 2004
– Spread via email and over Kazaa file-sharing
network
– Installs a back door on infected computers
– Infected email poses as returned message or
one that can’t be opened correctly, urging
recipient
to click on attachment
– Opens up TCP ports that stay open even
after termination of the worm
– Upon execution, a copy of Notepad is
opened, filled with nonsense characters

13-25
Top Five Virus Families of all Time

• Netsky, 2004
– Mass-mailing worm that spreads by
emailing itself to all email addresses
found on infected computers
– Tries to spread via peer-to-peer file sharing
by copying itself into the shared folder
– It renames itself to pose as one of 26
other common files along the way
13-26
Top Five Virus Families of all Time

• SoBig, 2003
– Mass-mailing email worm that arrives as
an attachment
• Examples: Movie_0074.mpg.pif, Document003.pif
– Scans all .WAB, .WBX, .HTML, .EML, and
.TXT files looking for email addresses to
which it can send itself
– Also attempts to download updates for itself

13-27
Top Five Virus Families of all Time

• Klez, 2002
– A mass-mailing email worm that arrives
with a randomly named attachment
– Exploits a known vulnerability in MS
Outlook to auto-execute on unpatched
clients
– Tries to disable virus scanners and then
copy itself to all local and networked drives
with a random file name
– Deletes all files on the infected machine and
any mapped network drives on the 13th of all
even-numbered months

13-28
Top Five Virus Families of all Time

• Sasser, 2004
– Exploits a Microsoft vulnerability to spread
from computer to computer with no user intervention
– Spawns multiple threads that scan
local subnets for vulnerabilities

13-29
The Cost of Viruses, Trojans, Worms

• Cost of the top five virus families
– Nearly 115 million computers in 200
countries were infected in 2004
– Up to 11 million computers are believed to
be permanently infected
– In 2004, total economic damage from virus
proliferation was $166 to $202 billion
– Average damage per computer is between
$277 and $366

13-30
Adware and Spyware

• Adware
– Software that purports to serve a useful purpose, and
often does
– Allows advertisers to display pop-up and banner ads
without the consent of the computer users
• Spyware
– Adware that uses an Internet connection in the
background, without the user’s permission
or knowledge
– Captures information about the user and sends
it over the Internet

13-31
Spyware Problems

• Spyware can steal private information and also
– Add advertising links to Web pages
– Redirect affiliate payments
– Change a user’s home page and search settings
– Make a modem randomly call premium-rate phone
numbers
– Leave security holes that let Trojans in
– Degrade system performance
• Removal programs are often not completely
successful in eliminating spyware

13-32
Privacy Issues

• The power of information technology to store
and retrieve information can have a negative
effect on every individual’s right to privacy
– Personal information is collected with every
visit to a Web site
– Confidential information stored by credit
bureaus, credit card companies, and the
government has been stolen or misused

13-33
Opt-in Versus Opt-out

• Opt-In
– You explicitly consent to allow data to be
compiled about you
– This is the default in Europe
• Opt-Out
– Data can be compiled about you unless you
specifically request it not be
– This is the default in the U.S.

13-34
Privacy Issues

• Violation of Privacy
– Accessing individuals’ private email
conversations and computer records
– Collecting and sharing information about
individuals gained from their visits to
Internet websites
• Computer Monitoring
– Always knowing where a person is
– Mobile and paging services are becoming
more closely associated with people than
with places

13-35
Privacy Issues

• Computer Matching
– Using customer information gained from
many sources to market additional business
services
• Unauthorized Access of Personal Files
– Collecting telephone numbers, email
addresses, credit card numbers, and other
information to build customer profiles

13-36
Protecting Your Privacy on the Internet

• There are multiple ways to protect your privacy
– Encrypt email
– Send newsgroup postings through
anonymous remailers
– Ask your ISP not to sell your name and
information to mailing list providers and
other marketers
– Don’t reveal personal data and interests on
online service and website user profiles

13-37
Privacy Laws

• Electronic Communications Privacy Act
and Computer Fraud and Abuse Act
– Prohibit intercepting data communications
messages, stealing or destroying data, or
trespassing in federal-related computer systems
• U.S. Computer Matching and Privacy Act
– Regulates the matching of data held in
federal agency files to verify eligibility
for federal programs

13-38
Privacy Laws

• Other laws impacting privacy and how much
a company spends on compliance
– Sarbanes-Oxley
– Health Insurance Portability and
Accountability Act (HIPAA)
– Gramm-Leach-Bliley
– USA Patriot Act
– California Security Breach Law
– Securities and Exchange Commission rule
17a-4

13-39
Computer Libel and Censorship

• The opposite side of the privacy debate…
– Freedom of information, speech, and press
• Biggest battlegrounds
– Bulletin boards
– Email boxes
– Online files of Internet and public networks
• Weapons used in this battle
– Spamming
– Flame mail
– Libel laws
– Censorship

13-40
Computer Libel and Censorship

• Spamming
– Indiscriminate sending of unsolicited email
messages to many Internet users
• Flaming
– Sending extremely critical, derogatory, and
often vulgar email messages or newsgroup
posting to other users on the Internet or
online services
– Especially prevalent on special-interest
newsgroups
13-41
Cyberlaw

• Laws intended to regulate activities over the
Internet or via electronic communication devices
– Encompasses a wide variety of legal and
political issues
– Includes intellectual property, privacy,
freedom of expression, and jurisdiction

13-42
Cyberlaw

• The intersection of technology and the law
is controversial
– Some feel the Internet should not be regulated
– Encryption and cryptography make traditional forms of
regulation difficult
– The Internet treats censorship as damage and simply
routes around it
• Cyberlaw only began to emerge in 1996
– Debate continues regarding the applicability
of legal principles derived from issues that
had nothing to do with cyberspace

13-43
Other Challenges

• Employment
– IT creates new jobs and increases productivity
– It can also cause significant reductions in job
opportunities, as well as requiring new job skills
• Computer Monitoring
– Using computers to monitor the productivity
and behavior of employees as they work
– Criticized as unethical because it monitors individuals,
not just work, and is done constantly
– Criticized as invasion of privacy because many
employees do not know they are being monitored

13-44
Other Challenges

• Working Conditions
– IT has eliminated monotonous or obnoxious tasks
– However, some skilled craftsperson jobs have been
replaced by jobs requiring routine,
repetitive tasks or standby roles
• Individuality
– Dehumanizes and depersonalizes activities
because computers eliminate human relationships
– Inflexible systems

13-45
Health Issues

• Cumulative Trauma Disorders (CTDs)
– Disorders suffered by people who sit at a
PC or terminal and do fast-paced repetitive
keystroke jobs
• Carpal Tunnel Syndrome
– Painful, crippling ailment of the hand
and wrist
– Typically requires surgery to cure

13-46
Ergonomics

• Designing healthy work environments
– Safe, comfortable, and pleasant for people
to work in
– Increases employee morale and
productivity
– Also called human factors engineering

13-47
Ergonomics Factors

13-48
Societal Solutions

• Using information technologies to solve
human and social problems
– Medical diagnosis
– Computer-assisted instruction
– Governmental program planning
– Environmental quality control
– Law enforcement
– Job placement

13-49
Societal Solutions

• The detrimental effects of information technology
– Often caused by individuals or organizations
not accepting ethical responsibility for
their actions

13-50
Security Management of IT

• The Internet was developed for interoperability,
not impenetrability
– Business managers and professionals alike
are responsible for the security, quality, and
performance of business information
systems
– Hardware, software, networks, and data
resources must be protected by a variety
of security measures

13-51
Security Management

• The goal of security management is the
accuracy, integrity, and safety of all
information system processes and resources

13-52
Internetworked Security Defenses

• Encryption
– Data is transmitted in scrambled form
– It is unscrambled by computer systems for
authorized users only
– The most widely used method, public key
encryption, gives each individual a pair of
keys: a public key others use to encrypt
messages to them, and a private key that
only they hold and that alone can decrypt

13-53
Public/Private Key Encryption
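The figure on this slide is not reproduced here. The following Python example is added as a stand-in and is not from the original slides: each party generates a textbook RSA key pair, a message is encrypted with the recipient's public key and recovered only with the matching private key, and the reverse direction gives a signature anyone can verify. The prime sizes, names and messages are chosen for the illustration, and raw RSA without padding is used only to make the key relationship visible; it is not how production systems encrypt.

```python
import hashlib
import random
from typing import NamedTuple, Optional, Tuple


class PublicKey(NamedTuple):
    n: int
    e: int


class PrivateKey(NamedTuple):
    n: int
    d: int


def is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin test: trial division by small primes, then `rounds` random witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits: int = 512, rng: Optional[random.Random] = None) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA: n = p*q, public exponent e = 65537, private exponent d = e^-1 mod (p-1)(q-1).
    Each person runs this once and publishes only (n, e); d never leaves their machine."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this is gcd(e, phi) == 1
            break
    return PublicKey(p * q, e), PrivateKey(p * q, pow(e, -1, phi))


def encrypt(pub: PublicKey, message: bytes) -> int:
    """Anyone with the recipient's public key can encrypt. Raw RSA without padding:
    the integer must be smaller than n, and leading zero bytes are not preserved."""
    m = int.from_bytes(message, "big")
    if m >= pub.n:
        raise ValueError("message too long for this key")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, ciphertext: int) -> bytes:
    m = pow(ciphertext, priv.d, priv.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(priv: PrivateKey, message: bytes) -> int:
    """The reverse direction: only the private key can produce a value that the public
    key maps back to the message digest, so anyone can check who signed."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % priv.n
    return pow(h, priv.d, priv.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % pub.n
    return pow(signature, pub.e, pub.n) == h


def demo_exchange(seed: Optional[int] = None) -> dict:
    """Alice and Bob (constructed parties) each generate a pair; Alice encrypts to Bob and signs."""
    rng = random.Random(seed) if seed is not None else None
    alice_pub, alice_priv = generate_keypair(512, rng)
    bob_pub, bob_priv = generate_keypair(512, rng)
    msg = b"wire 500 to account 42"
    ct = encrypt(bob_pub, msg)
    sig = sign(alice_priv, msg)
    return {
        "bob_decrypts": decrypt(bob_priv, ct) == msg,        # the matching private key works
        "alice_cannot": decrypt(alice_priv, ct) != msg,      # any other private key does not
        "sig_valid": verify(alice_pub, msg, sig),
        "sig_tampered": verify(alice_pub, b"wire 900 to account 42", sig),
        "sig_wrong_key": verify(bob_pub, msg, sig),
        "modulus_bits": bob_pub.n.bit_length(),
    }


if __name__ == "__main__":
    print(demo_exchange())
```

In practice the public-key operation protects only a random session key, the bulk data is encrypted with a symmetric cipher under that key, and padding schemes such as OAEP and PSS wrap the integers above; those pieces are omitted so the pair-of-keys relationship on the slide stands out.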

13-54
Internetworked Security Defenses

• Firewalls
– A gatekeeper system that protects a
company’s intranets and other computer
networks from intrusion
– Provides a filter and safe transfer point for
access to/from the Internet and other
networks
– Important for individuals who connect to the
Internet with DSL or cable modems
– Can deter hacking, but cannot prevent it
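As an added example (not from the original slides), the Python below models the gatekeeper role described above: an ordered rule list evaluated first-match-wins with an implicit default deny, plus an audit check for rules that can never fire. The addresses and both policies are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # CIDR, or "any"
    dst: str                # CIDR, or "any"
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port, None = any
    comment: str = ""


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    proto: str
    dport: int


def _in_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def matches(rule: Rule, conn: Connection) -> bool:
    return (_in_net(rule.src, conn.src) and _in_net(rule.dst, conn.dst)
            and rule.proto in ("any", conn.proto)
            and rule.dport in (None, conn.dport))


def decide(rules: List[Rule], conn: Connection, default: str = "deny") -> Tuple[str, Optional[int], str]:
    """First matching rule wins; anything unmatched falls to the default action.
    Default deny is the safe setting: a new service is unreachable until someone opens it."""
    for index, rule in enumerate(rules):
        if matches(rule, conn):
            return rule.action, index, rule.comment
    return default, None, "implicit default"


def _covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already matches
    everything they would. A deny shadowed by a broad allow is a common policy mistake."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                shadowed.append(j)
                break
    return shadowed


# Constructed policy: Internet on one side, intranet 10.0.0.0/8 with one public web server.
INTRANET = "10.0.0.0/8"
DMZ_WEB = "10.1.1.10/32"
POLICY = [
    Rule("allow", "any", DMZ_WEB, "tcp", 80, "public web server"),
    Rule("allow", "any", DMZ_WEB, "tcp", 443, "public web server (TLS)"),
    Rule("allow", INTRANET, "any", "tcp", None, "outbound from inside"),
    Rule("deny", "any", INTRANET, "any", None, "nothing else reaches the intranet"),
]

# The same intent written badly: the leading catch-all allow makes the telnet block dead.
BAD_POLICY = [
    Rule("allow", "any", "any", "any", None, "temporary, to make things work"),
    Rule("deny", "any", INTRANET, "tcp", 23, "block telnet"),
]

if __name__ == "__main__":
    print(decide(POLICY, Connection("203.0.113.9", "10.1.1.10", "tcp", 80)))   # allow, rule 0
    print(decide(POLICY, Connection("203.0.113.9", "10.1.1.10", "tcp", 22)))   # deny, rule 3
    print(shadowed_rules(BAD_POLICY))                                           # [1]
```

decide() never looks at payload: a request allowed to port 80 passes whatever it carries, which is the sense in which a firewall deters intrusion but cannot prevent it. shadowed_rules() is the kind of audit a reviewer runs before a policy goes live.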

13-55
Internet and Intranet Firewalls

13-56
Denial of Service Attacks

• Denial of service attacks depend on three
layers of networked computer systems
– The victim’s website
– The victim’s Internet service provider
– Zombie or slave computers that have been
commandeered by the cybercriminals

13-57
Defending Against Denial of Service

• At Zombie Machines
– Set and enforce security policies
– Scan for vulnerabilities
• At the ISP
– Monitor and block traffic spikes
• At the Victim’s Website
– Create backup servers and network
connections
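The "monitor and block traffic spikes" step at the ISP, worked through as an added Python example (not from the original slides) over a constructed access log. Two detections run side by side: a per-source sliding-window limit that catches one noisy client, and an aggregate check against a trailing baseline that catches a flood from many zombies that each stay under the per-source limit. A third function lists the sources that appeared only during the spike, the candidate block list. Addresses, thresholds and the log format are assumptions made for the illustration.

```python
from collections import Counter, defaultdict, deque
from typing import Dict, Iterator, List, Set, Tuple


def make_sample_log() -> List[str]:
    """Constructed access log, one line per request: '<epoch_seconds> <client_ip> <request>'.
    Ten seconds of normal traffic, then a flood from 50 zombie addresses that each stay
    modest, then one single client hammering the site on its own."""
    lines = []
    for t in range(1000, 1010):
        for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
            lines.append(f"{t} {ip} GET /index.html")
    for i in range(50):
        for _ in range(4):
            lines.append(f"1010 203.0.113.{i + 1} GET /search?q=x")
    for _ in range(120):
        lines.append("1011 192.0.2.77 GET /")
    return lines


def parse(lines) -> Iterator[Tuple[int, str]]:
    for line in lines:
        ts, ip, _request = line.split(" ", 2)
        yield int(ts), ip


def per_source_offenders(lines, window: int = 10, limit: int = 60) -> Set[str]:
    """Sliding-window per-client limit: flag any source with more than `limit`
    requests inside any `window` seconds. Catches a single noisy attacker."""
    recent: Dict[str, deque] = defaultdict(deque)
    offenders = set()
    for ts, ip in parse(lines):
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) > limit:
            offenders.add(ip)
    return offenders


def aggregate_spikes(lines, baseline_seconds: int = 5, factor: float = 5.0) -> List[int]:
    """Seconds whose total request count exceeds `factor` times the trailing average.
    Catches a distributed flood whose zombies individually stay under the per-source limit."""
    per_second = Counter(ts for ts, _ in parse(lines))
    spikes = []
    for ts in sorted(per_second):
        history = [per_second.get(t, 0) for t in range(ts - baseline_seconds, ts)]
        baseline = sum(history) / baseline_seconds
        if baseline > 0 and per_second[ts] > factor * baseline:
            spikes.append(ts)
    return spikes


def new_sources_in_spike(lines, spike_ts: int, baseline_seconds: int = 5) -> Set[str]:
    """Clients seen in the spike second but not in the preceding baseline window:
    the candidate zombie list an ISP would hand to a blocking filter."""
    before, during = set(), set()
    for ts, ip in parse(lines):
        if spike_ts - baseline_seconds <= ts < spike_ts:
            before.add(ip)
        elif ts == spike_ts:
            during.add(ip)
    return during - before


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    spikes = aggregate_spikes(SAMPLE_LOG)
    print("aggregate spikes:", spikes)
    print("per-source offenders:", per_source_offenders(SAMPLE_LOG))
    for s in spikes:
        print(f"new sources at {s}:", len(new_sources_in_spike(SAMPLE_LOG, s)))
```

On the constructed log the two detections catch different things: the single client at second 1011 trips the per-source limit but not the aggregate check, because the preceding flood has inflated the baseline, while the 50 zombies at second 1010 trip the aggregate check and none of the per-source limits. That is why a spike monitor needs both views, and why the baseline window should exclude seconds already flagged in a real deployment.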
13-58
Internetworked Security Defenses

• Email Monitoring
– Use of content monitoring software that scans
for troublesome words that might compromise
corporate security
• Virus Defenses
– Centralize the updating and distribution of
antivirus software
– Use a security suite that integrates virus
protection with firewalls, Web security,
and content blocking features
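The content monitoring described above, as an added Python example (not from the original slides). It goes slightly beyond the slide's "troublesome words": besides word-boundary matching against a constructed watch list, it flags payment card numbers only when they pass the Luhn check, which keeps the scanner from flagging every long digit string. The watch terms and sample mail are constructed for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed watch list; a real deployment would load this from policy, not hard-code it.
WATCH_TERMS = ["confidential", "merger", "source code"]

# Candidate card numbers: 13 to 19 digits with optional single space or hyphen separators.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit, which every payment card number satisfies. Filtering candidates
    through it removes most order numbers and phone numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(subject: str, body: str) -> Dict[str, List[str]]:
    """Return watch-list terms matched on word boundaries and Luhn-valid card numbers
    (masked to first six and last four, so the scanner's own log is not a second leak)."""
    text = f"{subject}\n{body}"
    findings = {"terms": [], "card_numbers": []}
    for term in WATCH_TERMS:
        if re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE):
            findings["terms"].append(term)
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            findings["card_numbers"].append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return findings


def scan_mailbox(messages: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Run scan_message over (sender, subject, body) tuples, keeping only messages with findings."""
    flagged = {}
    for sender, subject, body in messages:
        findings = scan_message(subject, body)
        if findings["terms"] or findings["card_numbers"]:
            flagged[sender] = findings
    return flagged


# Constructed sample mail. The first is a benign message that plain substring matching would
# flag, the second is a real policy hit, the third carries a 16-digit reference that fails Luhn.
SAMPLE_MESSAGES = [
    ("alice@example.com", "Lunch", "Confidentially, I think the cafeteria has gone downhill."),
    ("bob@example.com", "Re: merger", "Draft merger terms attached. Deposit card: 4111 1111 1111 1111."),
    ("carol@example.com", "Order", "Shipping reference 1234 5678 9012 3456, arrives Tuesday."),
]

if __name__ == "__main__":
    for sender, findings in scan_mailbox(SAMPLE_MESSAGES).items():
        print(sender, findings)
```

The word-boundary regex is what keeps "Confidentially" from matching "confidential"; the Luhn filter is what keeps the shipping reference out of the report. Both are cheap, and both are the difference between a monitor staff trust and one they learn to ignore.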

13-59
Other Security Measures

• Security Codes
– Multilevel password system
– Encrypted passwords
– Smart cards with microprocessors
• Backup Files
– Duplicate files of data or programs
• Security Monitors
– Monitor the use of computers and networks
– Protect them from unauthorized use, fraud,
and destruction
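The "Password Crackers" tactic on slide 13-17 and the "Encrypted passwords" control above meet in this added Python example (not from the original slides). It runs the same dictionary attack against two storage schemes: an unsalted fast hash, where one table of guesses cracks every account at once, and a salted, deliberately slow key derivation, where every guess must be recomputed per user. The wordlist and accounts are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist and user database; real crackers use lists of hundreds of millions.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "123456", "dragon"]
SAMPLE_USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3"}


# --- Weak storage: one unsalted SHA-256 per password ----------------------------------

def weak_store(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def crack_weak(stored: Dict[str, str], wordlist) -> Dict[str, str]:
    """Hash each guess once and look every account up in the result: the same table
    cracks all users, and two users with the same password are visibly identical."""
    table = {weak_store(word): word for word in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


# --- Stronger storage: per-user random salt and a deliberately slow key derivation -----

ITERATIONS = 20_000   # low for the demo; production settings are tuned to the hardware


def strong_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def crack_strong(stored: Dict[str, Tuple[bytes, bytes]], wordlist) -> Tuple[Dict[str, str], int]:
    """The salt defeats the shared table: every guess is recomputed per user, and each
    computation costs ITERATIONS hashes. Returns (cracked accounts, KDF calls spent)."""
    cracked, work = {}, 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            work += 1
            if strong_verify(word, salt, digest):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    weak_db = {u: weak_store(p) for u, p in SAMPLE_USERS.items()}
    print("weak:", crack_weak(weak_db, WORDLIST), "after", len(WORDLIST), "hashes in total")
    strong_db = {u: strong_store(p) for u, p in SAMPLE_USERS.items()}
    cracked, work = crack_strong(strong_db, WORDLIST)
    print("strong:", cracked, "after", work, "KDF calls of", ITERATIONS, "iterations each")
```

Both schemes give up a password that is in the wordlist; hashing does not rescue a guessable password. What the salt and iteration count buy is cost per account and the loss of the shared table: crack_strong spends twelve key derivations on three accounts where crack_weak needed six hashes for all of them, and alice and bob no longer share a digest. The constant-time comparison keeps the verifier itself from leaking digest bytes through timing.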

13-60
Other Security Measures

• Biometrics
– Computer devices measure physical traits
that make each individual unique
• Voice recognition, fingerprints, retina scan

• Computer Failure Controls
– Prevent computer failures or minimize
their effects
– Preventive maintenance
– Arrange backups with a disaster recovery
organization

13-61
Other Security Measures

• In the event of a system failure, fault-tolerant
systems have redundant processors, peripherals,
and software that provide
– Fail-over capability: shifts to backup components
– Fail-safe capability: the system continues
to operate at the same level
– Fail-soft capability: the system continues
to operate at a reduced but acceptable level

13-62
Other Security Measures

• A disaster recovery plan contains formalized
procedures to follow in the event of a disaster
– Which employees will participate
– What their duties will be
– What hardware, software, and facilities
will be used
– Priority of applications that will be processed
– Use of alternative facilities
– Offsite storage of databases

13-63
Information System Controls

• Methods and devices that attempt to ensure
the accuracy, validity, and propriety of
information system activities

13-64
Auditing IT Security

• IT Security Audits
– Performed by internal or external auditors
– Review and evaluation of security measures
and management policies
– Goal is to ensure that proper and adequate
measures and policies are in place
13-65
Protecting Yourself from Cybercrime

13-66
