
CHAPTER 3

Ethics and Privacy


Week 3
CHAPTER OUTLINE

3.1 Ethical Issues


3.2 Privacy
LEARNING OBJECTIVES
1. Define ethics, list and describe the three fundamental tenets of ethics, and describe the four categories of ethical issues related to information technology.

2. Identify three places that store personal data, and for each one discuss at least one potential threat to the privacy of the data stored there.
3.1 Ethical Issues

Ethical Frameworks

Utilitarian approach
Rights approach
Fairness approach
Common good approach
General Framework for Ethics

1. Recognize an ethical issue
2. Get the facts
3. Evaluate alternative actions
4. Make a decision and test it
5. Act and reflect on the outcome of your decision
Ethics in the Corporate Environment

Code of ethics

Fundamental tenets of ethics


Responsibility
Accountability
Liability
Unethical vs. Illegal

What is unethical is not necessarily illegal.

Ethics scenarios
Ethics and Information Technology

Four categories of ethical issues involving IT applications:
Privacy Issues

Accuracy Issues

Property Issues

Accessibility Issues
3.2 Privacy
Court decisions have followed two rules:

(1) The right of privacy is not absolute. Your privacy must be balanced against the needs of society.

(2) The public’s right to know is superior to the individual’s right of privacy.
Threats to Privacy
• Data aggregators, digital dossiers, and profiling
• Electronic Surveillance
• Personal Information in Databases
• Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites
Data Aggregators, Digital Dossiers,
and Profiling

Electronic Surveillance

See "The State of Surveillance" article in BusinessWeek
See the surveillance slideshow
See additional surveillance slides
And you think you have privacy? (video)
Personal Information in Databases
Banks
Utility companies
Government agencies
Credit reporting agencies

Information on Internet Bulletin Boards,
Newsgroups, and Social Networking Sites

Social Networking Sites Can
Cause You Problems

Anyone can post derogatory information about you anonymously.
(See this Washington Post article.)

You can also hurt yourself, as this article shows.
What Can You Do?
First, be careful what information you post on
social networking sites.

Second, a company, ReputationDefender, says it can remove derogatory information from the Web.
Protecting Privacy

Privacy Codes and Policies

Opt-out Model
Opt-in Model

Chapter Closing Case

• The Problem

• The Solution

• The Results
CHAPTER 4

Information Security
CHAPTER OUTLINE

4.1 Introduction to Information Security


4.2 Unintentional Threats to Information Security
4.3 Deliberate Threats to Information Security
4.4 What Organizations Are Doing to Protect
Information Resources
4.5 Information Security Controls
LEARNING OBJECTIVES
1. Identify the five factors that contribute to the
increasing vulnerability of information
resources, and provide a specific example of
each one.
2. Compare and contrast human mistakes and
social engineering, and provide a specific
example of each one.
3. Discuss the nine types of deliberate attacks.
LEARNING OBJECTIVES (continued)
4. Define the three risk mitigation strategies,
and provide an example of each one in the
context of you owning a home.
5. Identify the three major types of controls that
organizations can use to protect their
information resources, and provide an example
of each one.
7.1 Introduction to Information Security

Key Information Security Terms

Information Security

Threat
Exposure
Vulnerability

Example of a threat (video)


Five Factors Increasing the Vulnerability
of Information Resources

Today’s interconnected, interdependent, wirelessly-networked business environment
Smaller, faster, cheaper computers and storage devices
Decreasing skills necessary to be a hacker
Organized crime taking over cybercrime
Lack of management support
Networked Business Environment
Smaller, Faster Devices

Decreasing Skills Needed to be a Hacker

New and easier tools make it very easy to attack the network.
Attacks are becoming increasingly sophisticated.

Organized Crime Taking Over Cybercrime

Lack of Management Support

7.2 Unintentional Threats to
Information Systems

Security Threats
Most Dangerous Employees
Human resources and MIS

These employees hold ALL the information.

Consultants, Janitors and Security Guards

Human Errors

Carelessness with laptops and portable computing devices
Opening questionable e-mails
Careless Internet surfing
Poor password selection and use
And more
Social Engineering

Two examples

Tailgating
Shoulder surfing

The “King” of Social Engineering

60 Minutes Interview with Kevin Mitnick

Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him.
See his company here
7.3 Deliberate Threats to
Information Systems
There are many types of deliberate
attacks including:
• Espionage or Trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Software attacks
• Alien software
• Supervisory control and data acquisition (SCADA) attacks
• Cyberterrorism and cyberwarfare
Deliberate Threats
Espionage or trespass
Information extortion
Sabotage or vandalism
Theft of equipment or information
• For example, dumpster diving

Deliberate Threats (continued)

Identity theft

Identity theft video

Compromises to intellectual property

Deliberate Threats (continued)
Software attacks
Virus
Worm
1988: first widespread worm, created by Robert T. Morris, Jr.
(see the rapid spread of the Slammer worm)
Trojan horse
Logic Bomb
Deliberate Threats (continued)
Software attacks (continued)
Phishing attacks
• Phishing slideshow
• Phishing quiz
• Phishing example
• Phishing example
Distributed denial-of-service attacks
• See botnet demonstration
How to Detect a Phish E-mail
Is the email really from eBay, or PayPal, or a bank?

As spammers get better, their emails look more genuine. How do you tell if it’s a scam and phishing for personal information? Here’s how ...

As an example, here is what the email said:
• Return-path: <service@paypal.com>
• From: "PayPal"<service@paypal.com>
• Subject: You have 1 new Security Message Alert !

Note that they even give advice in the right column about security.
Example Continued – bottom of the email
How to see what is happening
View Source
• In Outlook, right click on email, click ‘view source’
• In GroupWise, open email and click on the Message Source tab
• In Mozilla Thunderbird, click on View, and Source.
• Below is the part of the text that makes the email look official – the images came from the PayPal website.
View Source – The Real Link

• In the body it said, “If you are traveling, ‘Travelling Confirmation Here’”
• Here is where you are really being sent:
  href=3Dftp://futangiu:futangiu@209.202.224.140/index.htm
• Notice that the link is not only not PayPal, it is an IP address: 2 giveaways of a fraudulent link.
Another Example – Amazon

View Source
Deliberate Threats (continued)
Alien Software
Spyware (see video)
Spamware
Cookies
Cookie demo

Example of CAPTCHA
Deliberate Threats (continued)
Supervisory control and data acquisition
(SCADA) attacks

What if a SCADA attack were successful?

Northeastern U.S. power outage in 2003

Results in NYC

Many tourists simply slept on the street or in hotel lobbies, as elevators were not working.

Hundreds of thousands of people walked home from Manhattan during the blackout.
Example of SCADA attack
(and cyberwarfare)

The Stuxnet Worm (IT’s About Business 7.2)

Cyberwarfare and Cyberterrorism

See video of cyber warfare directed at Estonia
7.4 What Organizations Are Doing
to Protect Themselves
Risk Management

Risk
Risk management
Risk analysis
Risk mitigation

Risk Mitigation Strategies

Risk Acceptance
Risk limitation
Risk transference
7.5 Information Security Controls

Physical controls
Access controls
Communications (network) controls
Where Defense Mechanisms
(Controls) Are Located
Access Controls
Authentication
Something the user is (biometrics powerpoints)
• Video on biometrics
• The latest biometric: gait recognition
Something the user has
Something the user does
Something the user knows
• passwords
• passphrases
Access Controls (continued)

Authorization

Privilege
Least privilege
Communications Controls

• Firewalls
• Anti-malware systems
• Whitelisting and Blacklisting
• Encryption
Communication or Network Controls
(continued)

Virtual private networking
Secure Sockets Layer (now Transport Layer Security)
Employee monitoring systems
Basic Home Firewall (top) and
Corporate Firewall (bottom)
How Public Key Encryption
Works
How Digital Certificates Work
Virtual Private Network and Tunneling
Employee Monitoring System

Popular Employee Monitoring Systems include:

• SpectorSoft

• Websense

Business Continuity Planning, Backup,
and Recovery

Hot Site
Warm Site
Cold Site
Information Systems Auditing

Types of Auditors and Audits

Internal
External
IS Auditing Procedure

Auditing around the computer
Auditing through the computer
Auditing with the computer
Chapter Closing Case

• The Business Problem

• The IT Solutions

• The Results
