Security and Ethical Challenges
IT Security, Ethics, and Society
IT has both beneficial and detrimental effects on society and people
Manage work activities to minimize the detrimental effects of IT
Optimize the beneficial effects
Business Ethics
Ethics questions that managers confront as part of their daily business decision making include:
Equity
Rights
Honesty
Exercise of corporate power
Categories of Ethical Business Issues
Corporate Social Responsibility Theories
Stockholder Theory
Managers are agents of the stockholders
Their only ethical responsibility is to increase the profits of the business without violating the law or engaging in fraudulent practices
Social Contract Theory
Companies have ethical responsibilities to all members of society, who allow corporations to exist
Stakeholder Theory
Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders
Stakeholders are all individuals and groups that have a stake in, or claim on, a company
Principles of Technology Ethics
Proportionality - The goods achieved by the technology must outweigh the harm or risk; there must be no alternative that achieves the same or comparable benefits with less harm or risk
Informed Consent - Those affected by the technology should understand and accept the risks
Justice - The benefits and burdens of the technology should be distributed fairly
Those who benefit should bear their fair share of the risks, and those who do not benefit should not suffer a significant increase in risk
Minimized Risk - Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk
AITP Standards of Professional Conduct
www.aitp.org
Responsible Professional Guidelines
A responsible professional
Acts with integrity
Increases personal competence
Sets high standards of personal performance
Accepts responsibility for his/her work
Advances the health, privacy, and general welfare of the public
Computer Crime
Computer crime includes
Unauthorized use, access, modification, or destruction of hardware, software, data, or network resources
The unauthorized release of information
The unauthorized copying of software
Denying an end user access to his/her own hardware, software, data, or network resources
Using or conspiring to use computer or network resources illegally to obtain information or tangible property
Cybercrime Protection Measures
Hacking
Hacking is
The obsessive use of computers
The unauthorized access and use of networked computer systems
Electronic Breaking and Entering
Hacking into a computer system and reading files, but neither stealing nor damaging anything
Cracker
A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage
Common Hacking Tactics
Denial of Service
Hammering a website’s equipment with too many requests for information
Clogging the system, slowing performance, or crashing the site
Scans
Widespread probes of the Internet to determine types of computers, services, and connections
Looking for weaknesses
Sniffer
Programs that search individual packets of data as they pass through the Internet
Capturing passwords or entire contents
Spoofing
Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers
Trojan Horse
A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software
Back Doors
A hidden point of entry to be used in case the original entry point is detected or blocked
Malicious Applets
Tiny Java programs that misuse your computer’s resources, modify files on the hard disk, send fake email, or steal passwords
War Dialing
Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection
Logic Bombs
An instruction in a computer program that triggers a malicious act
Buffer Overflow
Crashing or gaining control of a computer by sending too much data to buffer memory
Password Crackers
Software that can guess passwords
Social Engineering
Gaining access to computer systems by talking unsuspecting company employees out of valuable information, such as passwords
Dumpster Diving
Sifting through a company’s garbage to find information to help break into their computers
Cyber Theft
Many computer crimes involve the theft of money
The majority are “inside jobs” that involve unauthorized network entry and alteration of computer databases to cover the tracks of the employees involved
Many attacks occur through the Internet
Most companies don’t reveal that they have been targets or victims of cybercrime
Unauthorized Use at Work
Unauthorized use of computer systems and networks is time and resource theft
Doing private consulting
Doing personal finances
Playing video games
Unauthorized use of the Internet or company networks
Sniffers
Used to monitor network traffic or capacity
Find evidence of improper use
Internet Abuses in the Workplace
General email abuses
Unauthorized usage and access
Copyright infringement/plagiarism
Newsgroup postings
Transmission of confidential data
Pornography
Hacking
Non-work-related download/upload
Leisure use of the Internet
Use of external ISPs
Moonlighting
Software Piracy
Unauthorized copying of computer programs
Licensing
Purchasing software is really a payment for a license for fair use
Site license allows a certain number of copies
Theft of Intellectual Property
Intellectual Property
Copyrighted material
Includes such things as music, videos, images, articles, books, and software
Copyright Infringement is Illegal
Peer-to-peer networking techniques have made it easy to trade pirated intellectual property
Publishers Offer Inexpensive Online Music
Illegal downloading of music and video is down and continues to drop
Viruses and Worms
A virus is a program that cannot work without being inserted into another program
A worm can run unaided
These programs copy annoying or destructive routines into networked computers
Copy routines spread the virus
Commonly transmitted through
The Internet and online services
Email and file attachments
Disks from contaminated computers
Shareware
Top Five Virus Families of all Time
My Doom, 2004
Spread via email and over Kazaa file-sharing network
Installs a back door on infected computers
Infected email poses as returned message or one that can’t be opened correctly, urging recipient to click on attachment
Opens up TCP ports that stay open even after termination of the worm
Upon execution, a copy of Notepad is opened, filled with nonsense characters
Netsky, 2004
Mass-mailing worm that spreads by emailing itself to all email addresses found on infected computers
Tries to spread via peer-to-peer file sharing by copying itself into the shared folder
It renames itself to pose as one of 26 other common files along the way
SoBig, 2004
Mass-mailing email worm that arrives as an attachment
Examples: Movie_0074.mpg.pif, Document003.pif
Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking for email addresses to which it can send itself
Also attempts to download updates for itself
Klez, 2002
A mass-mailing email worm that arrives with a randomly named attachment
Exploits a known vulnerability in MS Outlook to auto-execute on unpatched clients
Tries to disable virus scanners and then copy itself to all local and networked drives with a random file name
Deletes all files on the infected machine and any mapped network drives on the 13th of all even-numbered months
Sasser, 2004
Exploits a Microsoft vulnerability to spread from computer to computer with no user intervention
Spawns multiple threads that scan local subnets for vulnerabilities
The Cost of Viruses, Trojans, Worms
Cost of the top five virus families
Nearly 115 million computers in 200 countries were infected in 2004
Up to 11 million computers are believed to be permanently infected
In 2004, total economic damage from virus proliferation was $166 to $202 billion
Average damage per computer is between $277 and $366
Adware and Spyware
Adware
Software that purports to serve a useful purpose, and often does
Allows advertisers to display pop-up and banner ads without the consent of the computer users
Spyware
Adware that uses an Internet connection in the background, without the user’s permission or knowledge
Captures information about the user and sends it over the Internet
Spyware Problems
Spyware can steal private information and also
Add advertising links to Web pages
Redirect affiliate payments
Change a user’s home page and search settings
Make a modem randomly call premium-rate phone numbers
Leave security holes that let Trojans in
Degrade system performance
Removal programs are often not completely successful in eliminating spyware
Privacy Issues
The power of information technology to store and retrieve information can have a negative effect on every individual’s right to privacy
Personal information is collected with every visit to a Web site
Confidential information stored by credit bureaus, credit card companies, and the government has been stolen or misused
Opt-in Versus Opt-out
Opt-In
You explicitly consent to allow data to be compiled about you
This is the default in Europe
Opt-Out
Data can be compiled about you unless you specifically request it not be
This is the default in the U.S.
Privacy Issues
Violation of Privacy
Accessing individuals’ private email conversations and computer records
Collecting and sharing information about individuals gained from their visits to Internet websites
Computer Monitoring
Always knowing where a person is
Mobile and paging services are becoming more closely associated with people than with places
Computer Matching
Using customer information gained from many sources to market additional business services
Unauthorized Access of Personal Files
Collecting telephone numbers, email addresses, credit card numbers, and other information to build customer profiles
Protecting Your Privacy on the Internet
There are multiple ways to protect your privacy
Encrypt email
Send newsgroup postings through anonymous remailers
Ask your ISP not to sell your name and information to mailing list providers and other marketers
Don’t reveal personal data and interests on online service and website user profiles
Privacy Laws
Electronic Communications Privacy Act and Computer Fraud and Abuse Act
Prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems
U.S. Computer Matching and Privacy Act
Regulates the matching of data held in federal agency files to verify eligibility for federal programs
Other laws impacting privacy and how much a company spends on compliance
Sarbanes-Oxley
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley
USA Patriot Act
California Security Breach Law
Securities and Exchange Commission rule 17a-4
Computer Libel and Censorship
The opposite side of the privacy debate…
Freedom of information, speech, and press
Biggest battlegrounds - bulletin boards, email boxes, and online files of Internet and public networks
Weapons used in this battle – spamming, flame mail, libel* laws, and censorship
Spamming - Indiscriminate sending of unsolicited email messages to many Internet users
Flaming
Sending extremely critical, derogatory, and often vulgar email messages or newsgroup postings to other users on the Internet or online services
Especially prevalent on special-interest newsgroups
*a published false statement that is damaging to a person's reputation; a written defamation
Cyberlaw
Laws intended to regulate activities over the Internet or via electronic communication devices
Encompasses a wide variety of legal and political issues
Includes intellectual property, privacy, freedom of expression, and jurisdiction
The intersection of technology and the law is controversial
Some feel the Internet should not be regulated
Encryption and cryptography make traditional forms of regulation difficult
The Internet treats censorship as damage and simply routes around it
Cyberlaw only began to emerge in 1996
Debate continues regarding the applicability of legal principles derived from issues that had nothing to do with cyberspace
Other Challenges
Employment
IT creates new jobs and increases productivity
It can also cause significant reductions in job opportunities, as well as requiring new job skills
Computer Monitoring
Using computers to monitor the productivity and behavior of employees as they work
Criticized as unethical because it monitors individuals, not just work, and is done constantly
Criticized as invasion of privacy because many employees do not know they are being monitored
Working Conditions
IT has eliminated monotonous or obnoxious tasks
However, some skilled craftsperson jobs have been replaced by jobs requiring routine, repetitive tasks or standby roles
Individuality
Dehumanizes and depersonalizes activities because computers eliminate human relationships
Inflexible systems
Health Issues
Cumulative Trauma Disorders (CTDs)
Disorders suffered by people who sit at a PC or terminal and do fast-paced repetitive keystroke jobs
Carpal Tunnel Syndrome
Painful, crippling ailment of the hand and wrist
Typically requires surgery to cure
Ergonomics
Designing healthy work environments
Safe, comfortable, and pleasant for people to work in
Increases employee morale and productivity
Also called human factors engineering
Ergonomics Factors (figure)
Societal Solutions
Using information technologies to solve human and social problems
Medical diagnosis
Computer-assisted instruction
Governmental program planning
Environmental quality control
Law enforcement
Job placement
The detrimental effects of IT
Often caused by individuals or organizations not accepting ethical responsibility for their actions
Security Management of IT
The Internet was developed for inter-operability, not impenetrability
Business managers and professionals alike are responsible for the security, quality, and performance of business information systems
Hardware, software, networks, and data resources must be protected by a variety of security measures
Security Management
The goal of security management is the accuracy, integrity, and safety of all information system processes and resources
Internetworked Security Defenses
Encryption
Data is transmitted in scrambled form
It is unscrambled by computer systems for authorized users only
The most widely used method uses a pair of public and private keys unique to each individual
Public/Private Key Encryption
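Added example, not from the slides and not any library's API: a toy public/private key round trip using textbook RSA with constructed, deliberately tiny primes. It only shows the mechanism the slide describes: data scrambled with one half of a key pair is unscrambled only by the holder of the matching other half. Real deployments use keys of 2048 bits or more with padding (for example RSA-OAEP) from a vetted library, never per-byte textbook RSA.

```python
from math import gcd
from typing import List, Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Build a (public, private) pair from two primes p and q.

    Toy sizes only: p and q here are constructed two-digit primes, so the
    modulus is trivially factorable. The public key is (e, n); the private
    key is (d, n) where d is the inverse of e modulo phi(n) = (p-1)(q-1).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: bytes, key: Key) -> List[int]:
    """Scramble each byte as its own block: c = m^exp mod n.

    One block per byte works only because n > 255 and is purely
    illustrative; real RSA pads the whole message into a single block.
    """
    exp, n = key
    return [pow(m, exp, n) for m in message]


def decrypt(blocks: List[int], key: Key) -> List[int]:
    """Unscramble each block with the other half of the pair: m = c^exp mod n.

    Returns raw integers so that a non-matching key yields visible garbage
    rather than raising while converting to bytes.
    """
    exp, n = key
    return [pow(c, exp, n) for c in blocks]


def demo() -> dict:
    """Round trip with the matching key, and what a non-matching key produces."""
    public, private = make_keypair(61, 53)           # constructed primes
    plaintext = b"Pay 100"
    ciphertext = encrypt(plaintext, public)
    recovered = bytes(decrypt(ciphertext, private))  # matching private key
    wrong_key = (private[0] + 1, private[1])         # any other exponent
    garbage = decrypt(ciphertext, wrong_key)
    return {
        "ciphertext": ciphertext,
        "recovered": recovered,
        "recovered_matches": recovered == plaintext,
        "wrong_key_matches": garbage == list(plaintext),
    }


if __name__ == "__main__":
    print(demo())
```

Because the two exponents are inverses of each other, the pair works in either direction: what the private key scrambles, the public key unscrambles, which is the basis of digital signatures as well as of confidential transmission.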
Internetworked Security Defenses
Firewalls
A gatekeeper system that protects a company’s intranets and other computer networks from intrusion
Provides a filter and safe transfer point for access to/from the Internet and other networks
Important for individuals who connect to the Internet with DSL or cable modems
Can deter hacking, but cannot prevent it
Internet and Intranet Firewalls
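Added example, not from the slides: a minimal first-match packet filter of the kind a perimeter firewall applies between an intranet and the Internet. The address plan (intranet 10.0.0.0/8, one web server at 10.0.1.10), the rule set and the packets are constructed samples; the point is the default-deny shape of the policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address plan: the company intranet is 10.0.0.0/8 and one host
# inside it serves a public website. Everything else is "the Internet".
INTRANET = "10.0.0.0/8"
WEB_SERVER = "10.0.1.10/32"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src_net: str                 # CIDR the source must fall in
    dst_net: str                 # CIDR the destination must fall in
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None means any port

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
            and self.proto in ("any", pkt.proto)
            and self.dport in (None, pkt.dport)
        )


# Rules are consulted top to bottom; the first match decides.
RULES: List[Rule] = [
    Rule("allow", ANY, WEB_SERVER, "tcp", 443),  # the public web service only
    Rule("allow", INTRANET, ANY),                # intranet hosts may go out
    Rule("deny", ANY, INTRANET),                 # everything else inbound
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return "allow" or "deny" for one packet; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # default deny: what is not explicitly permitted is blocked


def filter_many(pkts: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    """Apply the policy to a batch of packets, in order."""
    return [filter_packet(p, rules) for p in pkts]
```

The filter is exactly that: it decides by address, protocol and port, so a request that arrives on the permitted port 443 passes regardless of what it carries. That is why the slide says a firewall can deter but not prevent intrusion, and why the web server behind it still needs patching and monitoring of its own.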
Denial of Service Attacks
Denial of service attacks depend on three layers of networked computer systems
The victim’s website
The victim’s Internet service provider
Zombie or slave computers that have been commandeered / hijacked by the cybercriminals
Defending Against Denial of Service
At Zombie Machines
Set and enforce security policies
Scan for vulnerabilities
At the ISP
Monitor and block traffic spikes
At the Victim’s Website
Create backup servers and network connections
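Added example, not from the slides: the "monitor and block traffic spikes" step as a sliding-window rate check over a constructed access log. One ordinary visitor and two sources that behave like hijacked zombie machines are embedded in `SAMPLE_LOG`; the window and threshold values are illustrative assumptions, not figures from the page.

```python
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed access-log sample in "timestamp source-ip method path" form.
# 198.51.100.4 is an ordinary visitor; 203.0.113.9 and 203.0.113.10 behave
# like hijacked zombie machines hammering the site within a few seconds.
SAMPLE_LOG = """\
2004-01-26T10:00:00 198.51.100.4 GET /index.html
2004-01-26T10:00:20 198.51.100.4 GET /products.html
2004-01-26T10:00:30 203.0.113.9 GET /index.html
2004-01-26T10:00:31 203.0.113.9 GET /index.html
2004-01-26T10:00:31 203.0.113.10 GET /index.html
2004-01-26T10:00:32 203.0.113.9 GET /index.html
2004-01-26T10:00:32 203.0.113.10 GET /index.html
2004-01-26T10:00:33 203.0.113.9 GET /index.html
2004-01-26T10:00:33 203.0.113.10 GET /index.html
2004-01-26T10:00:34 203.0.113.9 GET /index.html
2004-01-26T10:00:34 203.0.113.10 GET /index.html
2004-01-26T10:00:35 203.0.113.9 GET /index.html
2004-01-26T10:00:35 203.0.113.10 GET /index.html
2004-01-26T10:00:36 203.0.113.9 GET /index.html
2004-01-26T10:00:36 203.0.113.10 GET /index.html
2004-01-26T10:00:37 203.0.113.9 GET /index.html
2004-01-26T10:00:45 198.51.100.4 GET /contact.html
"""


def parse_log(text: str) -> List[Tuple[datetime, str]]:
    """Turn each line into (timestamp, source_ip); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1]))
    events.sort(key=lambda ev: ev[0])  # stable sort keeps same-second order
    return events


def find_spikes(text: str, window_seconds: int = 10, threshold: int = 5) -> Dict[str, int]:
    """Sliding-window rate check per source.

    For every source IP, count the requests seen in the trailing window and
    report sources whose peak count reached the threshold, with that peak.
    """
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    peak = defaultdict(int)
    for ts, ip in parse_log(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop requests that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def block_list(text: str, **kwargs) -> List[str]:
    """Sources an ISP-side filter would rate-limit or drop, busiest first."""
    spikes = find_spikes(text, **kwargs)
    return sorted(spikes, key=lambda ip: spikes[ip], reverse=True)


if __name__ == "__main__":
    print(find_spikes(SAMPLE_LOG))
    print(block_list(SAMPLE_LOG))
```

A per-source threshold like this catches individual zombies; a distributed attack spreads its load across many sources that may each stay under the threshold, which is why the same check is usually run against aggregate request volume as well, and why the slide places it at the ISP, where the traffic can be seen before it reaches the victim's link.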
Internetworked Security Defenses
Email Monitoring
Use of content monitoring software that scans for troublesome words that might compromise corporate security
Virus Defenses
Centralize the updating and distribution of antivirus software
Use a security suite that integrates virus protection with firewalls, Web security, and content blocking features
Other Security Measures
Security Codes
Multilevel password system
Encrypted passwords
Smart cards with microprocessors
Backup Files
Duplicate files of data or programs
Security Monitors
Monitor the use of computers and networks
Protect them from unauthorized use, fraud, and destruction
Biometrics
Computer devices measure physical traits that make each individual unique
Voice recognition, fingerprints, retina scan
Computer Failure Controls
Prevent computer failures or minimize their effects
Preventive maintenance
Arrange backups with a disaster recovery organization
Other Security Measures
In the event of a system failure, fault-tolerant systems have redundant processors, peripherals, and software that provide
Fail-over capability: shifts to backup components
Fail-safe capability: the system continues to operate at the same level
Fail-soft capability: the system continues to operate at a reduced but acceptable level
A disaster recovery plan contains formalized procedures to follow in the event of a disaster
Which employees will participate
What their duties will be
What hardware, software, and facilities will be used
Priority of applications that will be processed
Use of alternative facilities
Offsite storage of databases
Information System Controls
Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities
Auditing IT Security
IT Security Audits
Performed by internal or external auditors
Review and evaluation of security measures and management policies
Goal is to ensure that proper and adequate measures and policies are in place
Protecting Yourself from Cybercrime