Security and Ethical Challenges

IT Security, Ethics, and Society
 IT has both beneficial and detrimental effects on society and people
 Manage work activities to minimize the detrimental effects of IT
 Optimize the beneficial effects

Business Ethics
 Ethics questions that managers confront as part of
their daily business decision making include:
 Equity
 Rights
 Honesty
 Exercise of corporate power

Categories of Ethical Business Issues

Corporate Social Responsibility Theories
 Stockholder Theory
 Managers are agents of the stockholders
 Their only ethical responsibility is to increase the profits of the
business without violating the law or engaging in fraudulent
practices
 Social Contract Theory
 Companies have ethical responsibilities to all members of society,
who allow corporations to exist
 Stakeholder Theory
 Managers have an ethical responsibility to manage a firm for the
benefit of all its stakeholders
 Stakeholders are all individuals and groups that have a stake in, or
claim on, a company
Principles of Technology Ethics
 Proportionality - The goods achieved by the technology must
outweigh the harm or risk; there must be no alternative that achieves
the same or comparable benefits with less harm or risk
 Informed Consent - Those affected by the technology should
understand and accept the risks
 Justice
 The benefits and burdens of the technology should be distributed
fairly
 Those who benefit should bear their fair share of the risks, and
those who do not benefit should not suffer a significant increase
in risk
 Minimized Risk - Even if judged acceptable by the other three
guidelines, the technology must be implemented so as to avoid all
unnecessary risk

AITP Standards of Professional Conduct
www.aitp.org

Responsible Professional Guidelines
 A responsible professional
 Acts with integrity
 Increases personal competence
 Sets high standards of personal performance
 Accepts responsibility for his/her work
 Advances the health, privacy, and general
welfare of the public

Computer Crime
 Computer crime includes
 Unauthorized use, access, modification, or
destruction of hardware, software, data, or network
resources
 The unauthorized release of information
 The unauthorized copying of software
 Denying an end user access to his/her own
hardware, software, data, or network resources
 Using or conspiring to use computer or network
resources illegally to obtain information or tangible
property
Cybercrime Protection Measures

Hacking
 Hacking is
 The obsessive use of computers
 The unauthorized access and use of networked
computer systems
 Electronic Breaking and Entering
 Hacking into a computer system and reading files,
but neither stealing nor damaging anything
 Cracker
 A malicious or criminal hacker who maintains
knowledge of the vulnerabilities found for
private advantage
Common Hacking Tactics
 Denial of Service
 Hammering a website’s equipment with too many requests for
information
 Clogging the system, slowing performance, or crashing the site
 Scans
 Widespread probes of the Internet to determine types of computers,
services, and connections
 Looking for weaknesses
 Sniffer
 Programs that capture and inspect individual packets of data as they pass
over a network
 Capturing passwords or the entire contents of unencrypted traffic
 Spoofing
 Faking an e-mail address or Web page to trick users into passing along
critical information like passwords or credit card numbers (the basis of
phishing)

Common Hacking Tactics
 Trojan Horse
 A program that appears useful or harmless but, unknown to the user, contains
hidden instructions that perform malicious actions or exploit a known
vulnerability in some software
 Back Doors
 A hidden point of entry to be used in case the original entry point is
detected or blocked
 Malicious Applets
 Tiny Java programs that misuse your computer’s resources, modify
files on the hard disk, send fake email, or steal passwords
 War Dialing
 Programs that automatically dial thousands of telephone numbers in
search of a way in through a modem connection
 Logic Bombs
 An instruction hidden in a computer program that triggers a malicious act
when a specified condition is met, such as a particular date

Common Hacking Tactics
 Buffer Overflow
 Crashing or gaining control of a computer by sending more data to a
fixed-size memory buffer than it can hold, so the excess overwrites adjacent
memory (including control data such as return addresses)
 Password Crackers
 Software that can guess passwords
 Social Engineering
 Gaining access to computer systems by talking unsuspecting company
employees out of valuable information, such as passwords
 Dumpster Diving
 Sifting through a company’s garbage to find information to help break
into their computers

Cyber Theft
 Many computer crimes involve the theft of money
 The majority are “inside jobs” that involve
unauthorized network entry and alteration of
computer databases to cover the tracks of the
employees involved
 Many attacks occur through the Internet
 Most companies don’t reveal that they have been
targets or victims of cybercrime

Unauthorized Use at Work
 Unauthorized use of computer systems and networks
is time and resource theft
 Doing private consulting
 Doing personal finances
 Playing video games
 Unauthorized use of the Internet or company
networks
 Sniffers
 Used to monitor network traffic or capacity
 Find evidence of improper use

Internet Abuses in the Workplace
 General email abuses
 Unauthorized usage and access
 Copyright infringement/plagiarism
 Newsgroup postings
 Transmission of confidential data
 Pornography
 Hacking
 Non-work-related download/upload
 Leisure use of the Internet
 Use of external ISPs
 Moonlighting
Software Piracy
 Software Piracy
 Unauthorized copying of computer programs
 Licensing
 Purchasing software is really a payment
for a license for fair use
 Site license allows a certain number of copies

 A third of the software industry’s revenues are lost to piracy

Theft of Intellectual Property
 Intellectual Property
 Copyrighted material
 Includes such things as music, videos, images,
articles, books, and software
 Copyright Infringement is Illegal
 Peer-to-peer networking techniques have made it
easy to trade pirated intellectual property
 Publishers Offer Inexpensive Online Music
 Illegal downloading of music and video is
down and continues to drop

Viruses and Worms
 A virus is a program that cannot work without being
inserted into another program
 A worm can run unaided
 These programs copy annoying or destructive routines
into networked computers
 Copy routines spread the virus
 Commonly transmitted through
 The Internet and online services
 Email and file attachments
 Disks from contaminated computers
 Shareware

Top Five Virus Families of all Time
 My Doom, 2004
 Spread via email and over Kazaa file-sharing network
 Installs a back door on infected computers
 Infected email poses as returned message or one that can’t be opened
correctly, urging recipient to click on attachment
 Opens up TCP ports that stay open even after termination of the worm
 Upon execution, a copy of Notepad is opened, filled with nonsense
characters
 Netsky, 2004
 Mass-mailing worm that spreads by emailing itself to all email
addresses found on infected computers
 Tries to spread via peer-to-peer file sharing by copying itself into the
shared folder
 It renames itself to pose as one of 26 other common files along the
way

Top Five Virus Families of all Time
 SoBig, 2003
 Mass-mailing email worm that arrives as
an attachment
 Examples: Movie_0074.mpg.pif, Document003.pif
 Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking for
email addresses to which it can send itself
 Also attempts to download updates for itself
 Klez, 2002
 A mass-mailing email worm that arrives with a randomly named
attachment
 Exploits a known vulnerability in MS Outlook to auto-execute on
unpatched clients
 Tries to disable virus scanners and then copy itself to all local and
networked drives with a random file name
 Deletes all files on the infected machine and any mapped network
drives on the 13th of all even-numbered months
Top Five Virus Families of all Time
 Sasser, 2004
 Exploits a Microsoft vulnerability to spread from computer to
computer with no user intervention
 Spawns multiple threads that scan local subnets for vulnerabilities

The Cost of Viruses, Trojans, and Worms
 Cost of the top five virus families
 Nearly 115 million computers in 200 countries
were infected in 2004
 Up to 11 million computers are believed to
be permanently infected
 In 2004, total economic damage from virus
proliferation was $166 to $202 billion
 Average damage per computer is between
$277 and $366

Adware and Spyware
 Adware
 Software that purports to serve a useful purpose,
and often does
 Allows advertisers to display pop-up and banner
ads without the consent of the computer users
 Spyware
 Adware that uses an Internet connection in the
background, without the user’s permission
or knowledge
 Captures information about the user and sends it
over the Internet

Spyware Problems
 Spyware can steal private information and also
 Add advertising links to Web pages
 Redirect affiliate payments
 Change a user’s home page and search settings
 Make a modem randomly call premium-rate phone
numbers
 Leave security holes that let Trojans in
 Degrade system performance
 Removal programs are often not completely successful
in eliminating spyware

Privacy Issues
 The power of information technology to store and
retrieve information can have a negative effect on
every individual’s right to privacy
 Personal information is collected with every
visit to a Web site
 Confidential information stored by credit
bureaus, credit card companies, and the
government has been stolen or misused

Opt-in Versus Opt-out
 Opt-In
 You explicitly consent to allow data to be
compiled about you
 This is the default in Europe
 Opt-Out
 Data can be compiled about you unless you
specifically request it not be
 This is the default in the U.S.

Privacy Issues
 Violation of Privacy
 Accessing individuals’ private email conversations and computer
records
 Collecting and sharing information about individuals gained from
their visits to Internet websites
 Computer Monitoring
 Always knowing where a person is
 Mobile and paging services are becoming more closely associated
with people than with places
 Computer Matching
 Using customer information gained from many sources to market
additional business services
 Unauthorized Access of Personal Files
 Collecting telephone numbers, email addresses, credit card
numbers, and other information to build customer profiles
Protecting Your Privacy on the Internet
 There are multiple ways to protect your privacy
 Encrypt email
 Send newsgroup postings through anonymous
remailers
 Ask your ISP not to sell your name and
information to mailing list providers and
other marketers
 Don’t reveal personal data and interests on
online service and website user profiles

Privacy Laws
 Electronic Communications Privacy Act
and Computer Fraud and Abuse Act
 Prohibit intercepting data communications messages, stealing or
destroying data, or trespassing in federal-related computer systems
 U.S. Computer Matching and Privacy Protection Act
 Regulates the matching of data held in federal agency files to verify
eligibility for federal programs
 Other laws impacting privacy and how much a company spends on
compliance
 Sarbanes-Oxley
 Health Insurance Portability and Accountability Act (HIPAA)
 Gramm-Leach-Bliley
 USA Patriot Act
 California Security Breach Law
 Securities and Exchange Commission rule 17a-4

Computer Libel and Censorship
 The opposite side of the privacy debate…
 Freedom of information, speech, and press
 Biggest battlegrounds - bulletin boards, email boxes, and online files
of Internet and public networks
 Weapons used in this battle – spamming, flame mail, libel* laws, and
censorship
 Spamming - Indiscriminate sending of unsolicited email messages to
many Internet users
 Flaming
 Sending extremely critical, derogatory, and often vulgar email
messages or newsgroup posting to other users on the Internet or
online services
 Especially prevalent on special-interest newsgroups
*a published false statement that is damaging to a person's reputation; a written defamation

Cyberlaw
 Laws intended to regulate activities over the Internet or via
electronic communication devices
 Encompasses a wide variety of legal and political issues
 Includes intellectual property, privacy, freedom of expression,
and jurisdiction
 The intersection of technology and the law is controversial
 Some feel the Internet should not be regulated
 Encryption and cryptography make traditional forms of regulation
difficult
 The Internet treats censorship as damage and simply routes
around it
 Cyberlaw only began to emerge in 1996
 Debate continues regarding the applicability of legal principles
derived from issues that had nothing to do with cyberspace

Other Challenges
 Employment
 IT creates new jobs and increases productivity
 It can also cause significant reductions in job opportunities, as well as requiring
new job skills
 Computer Monitoring
 Using computers to monitor the productivity and behavior of employees as they
work
 Criticized as unethical because it monitors individuals, not just work, and is done
constantly
 Criticized as invasion of privacy because many employees do not know they are
being monitored
 Working Conditions
 IT has eliminated monotonous or obnoxious tasks
 However, some skilled craftsperson jobs have been replaced by jobs requiring
routine, repetitive tasks or standby roles
 Individuality
 Dehumanizes and depersonalizes activities because computers eliminate human
relationships
 Inflexible systems
Health Issues
 Cumulative Trauma Disorders (CTDs)
 Disorders suffered by people who sit at a
PC or terminal and do fast-paced repetitive
keystroke jobs
 Carpal Tunnel Syndrome
 Painful, crippling ailment of the hand
and wrist
 Typically requires surgery to cure

Ergonomics
 Designing healthy work environments
 Safe, comfortable, and pleasant for people to work in
 Increases employee morale and productivity
 Also called human factors engineering
Ergonomics Factors

Societal Solutions
 Using information technologies to solve human and
social problems
 Medical diagnosis
 Computer-assisted instruction
 Governmental program planning
 Environmental quality control
 Law enforcement
 Job placement
 The detrimental effects of IT
 Often caused by individuals or organizations not
accepting ethical responsibility for their actions

Security Management of IT
 The Internet was developed for inter-operability, not
impenetrability
 Business managers and professionals alike
are responsible for the security, quality, and
performance of business information systems
 Hardware, software, networks, and data
resources must be protected by a variety
of security measures

Security Management
 The goal of security management is the accuracy, integrity, and safety of
all information system processes and resources

Internetworked Security Defenses
 Encryption
 Data is transmitted in scrambled form
 It is unscrambled by computer systems for
authorized users only
 The most widely used method uses a pair of public and private keys unique
to each individual (public-key cryptography): anyone holding the public key
can encrypt, but only the holder of the matching private key can decrypt; in
practice the public key protects a symmetric session key and a symmetric
cipher encrypts the bulk of the data

Public/Private Key Encryption

Internetworked Security Defenses
 Firewalls
 A gatekeeper system that protects a company’s
intranets and other computer networks from
intrusion
 Provides a filter and safe transfer point for
access to/from the Internet and other networks
 Important for individuals who connect to the
Internet with DSL or cable modems
 Can deter hacking, but cannot prevent it

Internet and Intranet Firewalls

Denial of Service Attacks
 Denial of service attacks depend on three
layers of networked computer systems
 The victim’s website
 The victim’s Internet service provider
 Zombie or slave computers that have been
commandeered / hijacked by the cybercriminals

Defending Against Denial of Service
 At Zombie Machines
 Set and enforce security policies
 Scan for vulnerabilities
 At the ISP
 Monitor and block traffic spikes
 At the Victim’s Website
 Create backup servers and network connections
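The "monitor and block traffic spikes" step above, as an added example that is not part of the original slides: a sliding-window request-rate check run over web-server access log lines, flagging any source that exceeds a per-window threshold and producing the firewall rule a responder would apply. The log lines are constructed for the demo, and the ten-second window, the five-request limit and the `iptables` rule shape are assumptions to be tuned to a site's normal traffic.

```python
# Added example (not from the original slides): spotting a request flood in
# web-server access logs. The log lines are constructed for the demo; window
# and threshold are assumptions to tune for the site's normal traffic.
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample: one normal client and one source sending 9 requests in 3 s.
SAMPLE_LOG = (
    ['198.51.100.9 - - [10/Oct/2023:13:55:30 +0000] "GET /index.html HTTP/1.1" 200 1043']
    + [
        f'203.0.113.7 - - [10/Oct/2023:13:55:{31 + i // 3:02d} +0000] '
        '"GET /search?q=x HTTP/1.1" 200 88'
        for i in range(9)
    ]
    + [
        '198.51.100.9 - - [10/Oct/2023:13:55:45 +0000] "GET /about.html HTTP/1.1" 200 770',
        "this line is not in Common Log Format and is skipped",
    ]
)


def parse_line(line: str):
    """Return (client_ip, timestamp) for a Common Log Format line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def find_spikes(lines, window_seconds: int = 10, max_requests: int = 5) -> dict:
    """Sliding-window rate check per source IP.

    Returns {ip: timestamp of the request that first exceeded max_requests
    within the trailing window}. Lines are assumed to be in time order, as a
    tailed log is. Each IP keeps only the timestamps inside its own window,
    so memory per source is bounded by the requests seen in one window.
    """
    recent: dict = defaultdict(deque)
    flagged: dict = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # malformed lines must not crash the monitor
        ip, ts = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()              # drop timestamps that fell out of the window
        if len(window) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_rule(ip: str) -> str:
    """Firewall rule a responder would apply to a flagged source
    (returned as a string here rather than executed)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_spikes(SAMPLE_LOG).items():
        print(f"{when.isoformat()} spike from {ip}: {block_rule(ip)}")
```

Per-source counting catches a single noisy client; a distributed attack from many zombies each staying under the limit needs the same check aggregated by destination, which is why the slide places this monitoring at the ISP, where traffic from many sources is visible together.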

Internetworked Security Defenses
 Email Monitoring
 Use of content monitoring software that scans
for troublesome words that might compromise
corporate security
 Virus Defenses
 Centralize the updating and distribution of
antivirus software
 Use a security suite that integrates virus protection
with firewalls, Web security, and content blocking
features

Other Security Measures
 Security Codes
 Multilevel password system
 Encrypted passwords (in practice, salted and slow-hashed rather than
reversibly encrypted or stored in plaintext)
 Smart cards with microprocessors
 Backup Files
 Duplicate files of data or programs
 Security Monitors
 Monitor the use of computers and networks
 Protects them from unauthorized use, fraud, and destruction
 Biometrics
 Computer devices measure physical traits that make each individual
unique
 Voice recognition, fingerprints, retina scan
 Computer Failure Controls
 Prevents computer failures or minimizes its effects
 Preventive maintenance
 Arrange backups with a disaster recovery organization
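An added example (not part of the original slides) that ties together two points on these slides: the "password crackers" tactic listed under Common Hacking Tactics, and the "encrypted passwords" security code above. It runs a dictionary attack against an unsalted fast hash, then against the recommended form of storage (a per-user random salt plus a slow key derivation, PBKDF2-HMAC-SHA256 here) with a constant-time comparison on verification. The wordlist and passwords are constructed for the demo and the iteration count is an assumption to tune; the point is that salting defeats precomputed tables and the slow hash makes each guess expensive, not that a weak password becomes safe.

```python
# Added example (not from the original slides), covering two points above:
# the "password cracker" tactic and why stored passwords should be salted and
# hashed rather than merely "encrypted". Wordlist and passwords are
# constructed for the demo; the iteration count is an assumption to tune.
import hashlib
import hmac
import os
from typing import Optional

WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2024!"]   # constructed
ITERATIONS = 100_000   # assumption; raise it as attacker hardware gets faster


# --- What a password cracker exploits: an unsalted, fast hash ---------------
def md5_hex(password: str) -> str:
    """Legacy storage: one cheap hash, identical for every user with that password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(target_hex: str, wordlist) -> Optional[str]:
    """Dictionary attack: one MD5 per guess, and a precomputed table of
    wordlist hashes would break every user at once because nothing is salted."""
    for guess in wordlist:
        if md5_hex(guess) == target_hex:
            return guess
    return None


# --- Recommended storage: per-user random salt + slow key derivation --------
def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def crack_salted(stored: str, wordlist) -> Optional[str]:
    """The same dictionary attack still finds a weak password, but now every
    guess costs `iterations` HMAC rounds and the work must be redone per user."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    print(crack_unsalted(md5_hex("letmein"), WORDLIST))            # letmein
    record = hash_password("letmein")
    print(record)
    print(crack_salted(record, WORDLIST))                           # letmein, but slowly
    print(crack_salted(hash_password("correct horse battery staple"), WORDLIST))   # None
```

Storing the algorithm and iteration count inside each record lets the work factor be raised later without invalidating existing accounts: old records keep verifying with their own parameters and can be rehashed on the user's next successful login.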
Other Security Measures
 In the event of a system failure, fault-tolerant systems have redundant
processors, peripherals, and software that provide
 Fail-over capability: shifts to backup components
 Fail-safe capability: the system continues to operate at the same level
 Fail-soft capability: the system continues to operate at a reduced but
acceptable level
 A disaster recovery plan contains formalized procedures to follow in the
event of a disaster
 Which employees will participate
 What their duties will be
 What hardware, software, and facilities will be used
 Priority of applications that will be processed
 Use of alternative facilities
 Offsite storage of databases

Information System Controls
 Methods and devices that attempt to ensure the accuracy, validity, and
propriety of information system activities

Auditing IT Security
 IT Security Audits
 Performed by internal or external auditors
 Review and evaluation of security measures
and management policies
 Goal is to ensure that proper and adequate
measures and policies are in place

Protecting Yourself from Cybercrime
