Ethics in Information

Technology, Fourth Edition

Chapter 3
Computer and Internet Crime
 Objective
s
• As you read this chapter, consider the following
questions:
- What key tradeoffs and ethical issues are
associated with the safeguarding of data and
information systems?
- Why has there been a dramatic increase in the
number of computer-related security incidents
in recent years?
- What are the most common types of computer
security attacks?

Ethics in Information Technology, Fourth Edition

 Objectives (cont'd.)
- Who are the primary culprits of computer crime, and
what are their objectives?
- What are the key elements of a multilayer process
for managing security vulnerabilities based on
the concept of reasonable assurance?
- What actions must be taken in response to a security
incident?
- What is computer forensics, and what role does it
play in responding to a computer incident?

Ethics in Information Technology, Fourth Edition

 CIA security triad
Confidentiality, integrity, and availability (CIA)

The IT security practices of organizations worldwide are

focused on ensuring confidentiality, maintaining integrity,
and guaranteeing the availability of systems and data.
• Confidentiality ensures that only those individuals
with the proper authority can access sensitive data
such as employee personal data, customer and
product sales data, and new product and advertising
plans.
• Integrity ensures that data can only be changed by
authorized individuals so that the accuracy,
consistency, and trustworthiness of data are
guaranteed.
Continued…
• Availability ensures that the data can be accessed
when and where needed, including during times of
both normal and disaster recovery operations.

No organization can ever be completely secured from an

attack. The key to prevention of a computer security
incident is to implement a layered security solution, if an
attacker breaks through one layer of security, another
layer must then be overcome.
Implementing CIA at the
Organization Level
Implementing CIA at the Organization
Level
• Security Strategy
• Risk Assessment
• Disaster Recovery
• Security Policies
• Regulatory Standards Compliance
• Security Dashboard
 Security Strategy

• To ensure business continuity in the event of a

cyberattack
• Recovery plan that ensures the availability of key
data and information technology assets
 Risk Assessment
• Process of assessing security-related risks:
- To an organization's computers and networks
- From both internal and external threats
• Identifies investments that best protect from most
likely and serious threats
• Focuses security efforts on areas of highest
payoff

Ethics in Information Technology, Fourth Edition

 Risk Assessment
(cont'd.)
• Eight-step risk assessment process
- #1 Identify assets of most concern
- #2 Identify loss events that could occur
- #3 Assess the frequency of events
- #4 Determine the impact of each threat
- #5 Determine how each threat could be mitigated
- #6 Assess feasibility of mitigation options
- #7 Perform cost-benefit analysis
- #8 Decide which countermeasures to
implement

Ethics in Information Technology, Fourth Edition

Risk Assessment (cont'd.)
 Disaster Recovery

• Data availability requires implementing products,

services, policies, and procedures that ensure that
data are accessible even during disaster recovery
operations.
• To accomplish this goal, organizations typically
implement a disaster recovery plan.
• Disasters can be natural (for example, earthquake,
fire, and flood) or manmade (for example, accident,
civil unrest, and terrorism)
• Cloud computing has added another dimension to
disaster recovery planning.
 Establishing a Security
Policy
• A security policy defines:
- Organization's security requirements
- Controls and sanctions needed to meet the
requirements
• Defines responsibilities and expected
behavior
• Outlines what needs to be done
- Not how to do it
• Automated system policies should mirror written
policies
Ethics in Information Technology, Fourth Edition
Establishing a Security Policy
(cont'd.)
• The SysAdmin, Audit, Network, Security (SANS)
offers a number of security-related policy templates
that can help an organization to quickly develop
effective security policies.
• Areas of concern
- Email attachments
- Wireless devices
• VPN (virtual private network) uses the Internet to
relay communications but maintains privacy
through security features
Ethics in Information Technology, Fourth Edition
 Security Audits

• A security audit that evaluates whether an

organization has a well-considered security policy in
place and if it is being followed.
• For example, if a policy says that all users must
change their passwords every 30 days, the audit
must check how well that policy is being
implemented.
 Regulatory Standards
Compliance
Your organization’s security program must include a
definition of what those standards are and how the
organization will fulfill.
 Security Dashboard
The purpose of a security dashboard is to reduce the
effort required to monitor and identify threats in time
to take action.
Implementing CIA at the Network
Level
Implementing CIA at the Network Level

• Authentication Methods
• Firewall
• Routers
• Encryption
• Proxy Servers and Virtual Private Networks
• Intrusion Detection System
Implementing CIA at the
Application Level
Implementing CIA at the
Application Level
• Authentication Methods
• Something you know, such as a PIN or password
• Something you have, such as some form of security card or token
• Something you are, such as a biometric (for example, a fingerprint or
retina scan)
• User Roles and Accounts
• Data Encryption
Implementing CIA at the End-
User Level
 Educating Employees,
Contractors, and Part-Time
• Educate Workers
and motivate users to understand and
follow policy
• Discuss recent security incidents
• Help protect information systems by:
- Guarding passwords
- Not allowing sharing of passwords
- Applying strict access controls to protect data
- Reporting all unusual activity
- Protecting portable computing and data storage
devices

Ethics in Information Technology, Fourth Edition