Post on 21-Dec-2015

Information Technology Foundations-BIT 112

CHAPTER 3

Ethics, Privacy and Information Security

Chapter Outline

• 3.1 Ethical Issues

• 3.2 Threats to Information Security

• 3.3 Protecting Information Resources

Learning Objectives

• Describe the major ethical issues related to information technology and identify situations in which they occur.

• Describe the many threats to information security.

• Understand the various defense mechanisms used to protect information systems.

• Explain IT auditing and planning for disaster recovery.

TJX: The Worst Data Breach Ever?

• 2007

• 46 Million customer accounts compromised.

Ethics Defined

• Ethics – A branch of philosophy that deals with what is considered to be right and wrong.

• A Code of Ethics – A code of ethics is a collection of principles intended as a guide for members of a company or organization.

Fundamental Tenets of Ethics

• Responsibility – means that you accept the consequences of your decisions and actions.

• Accountability – means a determination of who is responsible for actions that were taken.

• Liability – a legal concept meaning that individuals have the right to recover the damages done to them by other individuals, organizations, or systems.

Ethical Issue Frameworks

• The diversity and ever expanding use of IT applications have created a variety of ethical issues.

• These issues fall into four general categories:
  – 1. Privacy issues involve collecting, storing, and disseminating information about individuals.
  – 2. Accuracy issues involve the authenticity, fidelity, and accuracy of information that is collected and processed.
  – 3. Property issues involve the ownership and value of information.
  – 4. Accessibility issues revolve around who should have access to information and whether they should have to pay for this access.

Unethical vs. Illegal

• What is unethical is not necessarily illegal.

• Ethics scenarios

ethical? legal? File Sharing case

• You have recently bought some graphic design software that is a far superior product, you believe, to its competitors on the market. The price is rather high, but the purchase was authorised by your boss for work related purposes. The software is delivered on a single CD ROM. You believe that many of your friends who work for other companies would benefit if they were able to use this software – and that the software developer would benefit as well through additional sales. From an ethical perspective, you believe that it would be unethical to keep this information to yourself, given its likely value for your friends, so you decide to share it with them. You make 10 copies on CD ROM and send it to them as a gift.

• Is this action legal? Is it ethical?

• What would you do?

Freedom of Speech; Censorship; National Interest

• Your country is currently at war with a powerful neighbor. The government is urging all citizens to support the government and the armed forces, since a lack of consensus can only act to weaken the country and reduce the likelihood of victory.

• As an investigative journalist, you stumble upon a startling, classified government report: 30% of the senior officials in the government have vested interests in the war via their connections with private companies, some of which have been secretly arming the enemy for the last few years. This material is clearly in the public interest, yet publication is likely to bring about the fall of the government, and possible defeat in the war.

• What should you do?

ethical? legal? Cybersquatting

• Cybersquatting is the practice of buying domain names on the Internet and then holding them for your own purposes. You might keep the site empty – no content – and wait for someone to offer you a good price. Alternatively, you might choose to put your own content on the site. This has the potential to misrepresent other individuals and organizations when your domain name is very similar to the name of a real organization.

• Do you think that cybersquatting should be illegal – or that it is no more than an extension to the right to own property? Can anyone “own” the word “ten”? Or “whitehouse”?

The Four Categories of Ethical Issues

• The diversity and ever expanding use of IT applications have created a variety of ethical issues.

• These issues fall into one or more of the following four general categories:
  – 1. Privacy issues involve collecting, storing, and disseminating information about individuals.
  – 2. Accuracy issues involve the authenticity, fidelity, and accuracy of information that is collected and processed.
  – 3. Property issues involve the ownership and value of information.
  – 4. Accessibility issues revolve around who should have access to information and whether they should have to pay for this access.

Privacy Issues

How much privacy do we have left?

Privacy Defined

• Privacy. The right to be left alone and to be free of unreasonable personal intrusions.

• Court decisions have followed two rules:
  – (1) The right of privacy is not absolute. Your privacy must be balanced against the needs of society.
  – (2) The public’s right to know is superior to the individual’s right of privacy.

Threats to Privacy

• Data aggregators, digital dossiers, and profiling.

• Electronic Surveillance.

• Personal Information in Databases.

• Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites.

Threats to Privacy: Data Aggregators, Digital Dossiers, and Profiling

• Data aggregators – companies that collect public data (e.g., real estate records, telephone numbers) and nonpublic data (e.g., social security numbers, financial data, police records, motor vehicle records) and integrate them to produce digital dossiers.

• Digital dossier – is an electronic description of you and your habits.

• Profiling – is the process of creating a digital dossier.

Threats to Privacy: Electronic Surveillance

• The tracking of people’s activities, online or offline, with the aid of computers.

• The image demonstrates that many people are blissfully unaware that they can be under electronic surveillance while they are using their computers.

Electronic Surveillance

• See "The State of Surveillance" article in BusinessWeek

Electronic Surveillance

• See the surveillance slideshow

• See additional surveillance slides

• And you think you have privacy? (video)

• Sense-through-the-Wall

Threats to Privacy: Personal Information in Databases

• Banks

• Utility companies

• Government agencies

• Credit reporting agencies

Threats to Privacy: Personal Information on Social Networking Sites

Social Networking Sites Can Cause You Problems

Anyone can post derogatory information about you anonymously.

(See this Washington Post article.)

You can also hurt yourself, as this article shows.

What Can You Do?

• First, be careful what information you post on social networking sites.

• Second, a company, ReputationDefender, says it can remove derogatory information from the Web.

Protecting Privacy

• Privacy Codes and Policies
  – An organization’s guidelines with respect to protecting the privacy of customers, clients, and employees.

• Two Models
  – Opt-out Model of Informed Consent
    • Permits the company to collect personal information until the customer specifically requests that the data not be collected.
  – Opt-in Model of Informed Consent
    • Means that organizations are prohibited from collecting any personal information unless the customer specifically authorizes it. (Preferred by privacy advocates.)

Key Information Security Terms

• Threat – Is any danger to which a system/information resource may be exposed.

• Exposure – Is the harm, loss or damage that can result if a threat compromises an information resource.

• Vulnerability – Is the possibility that the system/information resource will suffer harm by a threat.

• Risk – Is the likelihood that a threat will occur.

• Information system controls – Are the procedures, devices, or software aimed at preventing a compromise to a system.

Factors Increasing the Threats to Information Security

• Today’s interconnected, interdependent, wirelessly-networked business environment

• Government legislation

• Smaller, faster, cheaper computers and storage devices

• Decreasing skills necessary to be a computer hacker.

• International organized crime turning to cybercrime

• Downstream liability

• Increased employee use of unmanaged devices

• Lack of management support

A Look at Unmanaged Devices

Wi-Fi at McDonalds

Wi-Fi at Starbucks

Hotel Business Center

Security Threats (Figure 3.1)

Categories of Threats to Information Systems

• Unintentional acts

• Natural disasters

• Technical failures

• Management failures

• Deliberate acts (from Whitman and Mattord, 2003)

• Example of a threat (video)

Categories of Threats: Unintentional Acts

• Human errors

• Deviations in quality of service by service providers (e.g., utilities)

• Environmental hazards (e.g., dirt, dust, humidity)

Human Errors

• Tailgating

• Shoulder surfing

• Carelessness with laptops and portable computing devices

• Opening questionable e-mails

• Careless Internet surfing

• Poor password selection and use

• And more

Anti-Tailgating Door

• To deter tailgating, many companies have anti-tailgating doors protecting the entrance into high-security areas.

• Note that only one person at a time can go through this door.

Shoulder Surfing

• Occurs when the attacker watches another person’s computer screen over that person’s shoulder. Particularly dangerous in public areas such as airports, commuter trains, and on airplanes.

Most Dangerous Employees

• The biggest threat to the security of an organization’s information assets is the company’s employees.

• In fact, the most dangerous employees are those in human resources and IT.
  – HR employees have access to sensitive personal data on all employees.
  – IT employees not only have access to sensitive personal data, but control the means to create, store, transmit, and modify these data.

Remember, employees hold ALL the information

Social Engineering

• An attack where the attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords.

• Social engineering is a typically unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker.

• 60 Minutes Interview with Kevin Mitnick, the “King of Social Engineering”

• Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him.
  – See his company here

Categories of Threats: Natural Disasters

Categories of Threats: Deliberate Acts

• Espionage or trespass
  – Competitive intelligence consists of legal information-gathering techniques. Espionage crosses the legal boundary.

• Information extortion

• Sabotage or vandalism

• Theft of equipment or information
  – For example, dumpster diving

Deliberate Acts (continued)

• Compromises to intellectual property
  – Intellectual property. Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.
    • Trade secret. Intellectual work, such as a business plan, that is a company secret and is not based on public information.
    • Patent. Document that grants the holder exclusive rights on an invention or process for 20 years.
    • Copyright. Statutory grant that provides creators of intellectual property with ownership of the property for life of the creator plus 70 years.
  – Piracy. Copying a software program without making payment to the owner.

Deliberate Acts (continued)

• Software attacks
  – Virus
    • a segment of computer code that performs malicious actions by attaching to another computer program.
  – Worm
    • 1988: first widespread worm, created by Robert T. Morris, Jr.
    • (see the rapid spread of the Slammer worm)
    • a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program.
  – Trojan horse
    • a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send it to the creator of the Trojan horse.
  – Logic Bomb
    • a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time and date.

Deliberate Acts (continued)

• Software attacks (continued)
  – Phishing attacks
    • use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.
  – Distributed denial-of-service attacks
    • attacker first takes over many computers. These computers are called zombies or bots. Together, these bots form a botnet.
    • See botnet demonstration

How to Detect a Phish E-mail

Deliberate Acts (continued)

• Alien Software
  – Spyware (see video)
    • Collects personal information about users without their consent. Two types of spyware are keystroke loggers (keyloggers) and screen scrapers. Keystroke loggers record your keystrokes and your Web browsing history. Screen scrapers record a continuous “movie” of what you do on a screen.
  – Spamware
    • is alien software that is designed to use your computer as a launchpad for spammers. Spam is unsolicited e-mail.
  – Cookies
    • are small amounts of information that Web sites store on your computer. The cookie demo will show you how much information your computer sends when you connect to a Web site.

Deliberate Acts (continued)

• Supervisory control and data acquisition (SCADA) attacks.
  – A large-scale, distributed, measurement and control system.
  – SCADA systems are the link between the electronic world and the physical world.

Wireless sensor

Video of an experimental SCADA attack that was successful.

What if a SCADA attack were successful?

Northeastern U.S. power outage in 2003

3.3 Protecting Information Resources

Risk!

There is always risk!

And then there is real risk!

Risk Management

• Risk. – The probability that a threat will impact an information resource.

• Risk management. – To identify, control and minimize the impact of threats.

• Risk analysis. – To assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.

• Risk mitigation – When an organization takes concrete actions against risk. It has two functions:
  – (1) implement controls to prevent identified threats from occurring, and
  – (2) develop a means of recovery should the threat become a reality.

Risk Mitigation Strategies

• Risk Acceptance. – Accept the potential risk, continue operating with no controls, and absorb any damages that occur.

• Risk Limitation. – Limit the risk by implementing controls that minimize the impact of threat.

• Risk Transference. – Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.

Risk Optimization

Risk Limitation: Controls

• To protect their information assets, organizations implement controls, or defense mechanisms (also called countermeasures).

• Controls are intended to prevent accidental hazards, deter intentional acts, detect problems as early as possible, enhance damage recovery, and correct problems.

• Security controls are designed to protect all of the components of an information system, including data, software, hardware, and networks.

• Because there are so many diverse threats, organizations utilize layers of controls.

Risk Limitation: Control Layers

• Physical controls. – Physical protection of computer facilities and resources.

• Access controls. – Restrict unauthorized individuals from using information resources. These controls involve two major functions: authentication and authorization.

• Communications (network) controls. – Secure the movement of data across networks. Consist of firewalls, anti-malware systems, intrusion detection systems, encryption, virtual private networking (VPN), and vulnerability management systems.

• Application controls – Are security countermeasures that protect specific applications. The three major categories of these controls are input, processing, and output controls.

Where Defense Mechanisms (Controls) Are Located

Access Controls

• Authentication – Major objective is proof of identity.
  – Something the user is. Also known as biometrics, these access controls examine a user's innate physical characteristics.
    • The latest biometric: gait recognition
    • The Raytheon Personal Identification Device
  – Something the user has. These access controls include regular ID cards, smart cards, and tokens.
  – Something the user does. These access controls include voice and signature recognition.
  – Something the user knows.
    • passwords
    • passphrases

Access Controls (continued)

• Authorization – Permission issued to individuals and groups to do certain activities with information resources, based on verified identity.

• Privilege – A collection of related computer system operations that can be performed by users of the system.

• Least privilege – A principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.

Communication or Network Controls

• Firewalls – System that enforces access-control policy between two networks.

• Anti-malware systems (also called antivirus software) – Software packages that attempt to identify and eliminate viruses, worms, and other malicious software. The logos show three anti-malware companies. Clicking on the link will take you to each company’s homepage.

• Whitelisting – A process in which a company identifies the software that it will allow to run and does not try to recognize malware.

• Blacklisting – A process in which a company allows all software to run unless it is on the blacklist.

• Intrusion Detection Systems – Designed to detect all types of malicious network traffic and computer usage that cannot be detected by a firewall.

• Encryption. – Process of converting an original message into a form that cannot be read by anyone except the intended receiver.
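
The difference between whitelisting and blacklisting defined on this slide, as an added example that is not part of the original slides. It assumes each program is identified by the SHA-256 hash of its contents; the program names and contents are constructed for the illustration.

```python
import hashlib

# Constructed sample "programs" (name -> file bytes); none of this is real software.
SAMPLES = {
    "payroll.exe": b"constructed payroll build 1.0",
    "browser.exe": b"constructed browser build 7.2",
    "payroll_tampered.exe": b"constructed payroll build 1.0 + injected code",
    "known_worm.exe": b"constructed sample that is already on the blacklist",
    "new_trojan.exe": b"constructed sample that no list has seen yet",
    "new_tool.exe": b"constructed harmless utility nobody has approved yet",
}


def fingerprint(data: bytes) -> str:
    """Identify a program by the SHA-256 of its contents (assumption of this example)."""
    return hashlib.sha256(data).hexdigest()


# Whitelist: fingerprints of the software the company has decided may run.
WHITELIST = {fingerprint(SAMPLES[n]) for n in ("payroll.exe", "browser.exe")}
# Blacklist: fingerprints of software already known to be malicious.
BLACKLIST = {fingerprint(SAMPLES["known_worm.exe"])}


def whitelist_allows(data: bytes) -> bool:
    """Default deny: run only what is on the approved list."""
    return fingerprint(data) in WHITELIST


def blacklist_allows(data: bytes) -> bool:
    """Default allow: run everything except what is on the blacklist."""
    return fingerprint(data) not in BLACKLIST


def compare(samples: dict) -> dict:
    """Return {name: (allowed under whitelist, allowed under blacklist)}."""
    return {name: (whitelist_allows(data), blacklist_allows(data))
            for name, data in samples.items()}


def disagreements(samples: dict) -> list:
    """Programs on which the two policies reach different decisions."""
    return sorted(name for name, (wl, bl) in compare(samples).items() if wl != bl)


if __name__ == "__main__":
    for name, (wl, bl) in compare(SAMPLES).items():
        print(f"{name:22} whitelist={'run' if wl else 'block':5} "
              f"blacklist={'run' if bl else 'block'}")
    print("policies disagree on:", ", ".join(disagreements(SAMPLES)))
```

The two policies differ only on software that neither list has seen: the blacklist lets the unseen trojan and the tampered payroll build run, while the whitelist blocks both at the cost of also blocking the harmless tool until someone approves it.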

Basic Home Firewall (top) and Corporate Firewall (bottom)

Basic Home Firewall and Corporate Firewall

• A basic home firewall can be implemented as software on the home computer.

• A corporate firewall has the following components:
  – (1) external firewall facing the Internet
  – (2) a demilitarized zone (DMZ) located between the two firewalls; the DMZ contains company servers that typically handle Web page requests and e-mail.
  – (3) an internal firewall that faces the company network

How Public Key Encryption Works

How Digital Certificates Work

• A digital certificate is an electronic document attached to a file certifying that the file is from the organization that it claims to be from and has not been modified from its original format.

• Certificate authorities, which are trusted intermediaries between two organizations, issue digital certificates.

Communication or Network Controls (continued)

• A Virtual Private Network is a private network that uses a public network (usually the Internet) to connect users.

• Secure Socket Layer (SSL), now called Transport Layer Security (TLS), is an encryption standard used for secure transactions such as credit card purchases and online banking.

• Vulnerability Management Systems (also called Security On Demand) extend the security perimeter that exists for the organization’s managed devices, to unmanaged, remote devices.

• Employee Monitoring Systems monitor employees’ computers, e-mail activities, and Internet surfing activities.

Virtual Private Network and Tunneling

• Tunneling encrypts each data packet that is sent and places each encrypted packet inside another packet.

Popular Vulnerability Management Systems

Employee Monitoring System

• This image provides a demonstration of how an employee monitoring system looks to the network administrator. He or she sees the screens that everyone is on, and can “zoom in” on any one person’s screen.

Popular Employee Monitoring Systems

Finally…

Business Continuity Planning, Backup, and Recovery

• A Business Continuity Plan is also known as a Disaster Recovery Plan.

• Purpose is to keep the business operating after a disaster occurs. Three levels/types of continuity facilities:
  – A Hot Site is a fully configured computer facility, with all services, communications links, and physical plant operations.
  – A Warm Site provides many of the same services and options of the hot site, but it typically does not include the actual applications the company runs.
  – A Cold Site provides only rudimentary services and facilities and so does not supply computer hardware or user workstations.

Information Systems Auditing

• Companies implement security controls to ensure that systems are working properly. Independent or unbiased observers are tasked to “audit” (examine) the information systems, their inputs, outputs and processing.

• Types of Auditors and Audits
  – Internal. Performed by corporate internal auditors.
  – External. Reviews internal audit as well as the inputs, processing and outputs of information systems.

Auditing Procedure

• Auditing around the computer – Means verifying processing by checking for known outputs using specific inputs.

• Auditing through the computer – Means inputs, outputs and processing are checked. Auditors review program logic and test data.

• Auditing with the computer – Means using a combination of client data, auditor software, and client and auditor hardware. Allows the auditor to perform tasks such as simulating payroll program logic using live data.

Chapter Closing Case