week 13 - information system and society

8/4/2019 Week 13 - Information System and Society

1/78

Security and Ethical Challenges

Chapter

7.1 (week 13 )

McGraw-Hill/Irwin Copyright 2009 by The McGraw-Hill Companies, Inc. All rights reserved.


2/78

Identify several ethical issues in how the useof information technologies in business affects

Employment

Individuality

Working conditions

Privacy

Crime

Health

Solutions to societal problems

Learning Objectives

13-2


3/78

Learning Objectives

Identify several types of securitymanagement strategies and defenses,and explain how they can be used toensure the security of businessapplications of information technology

Propose several ways that businessmanagers and professionals can help to

lessen the harmful effects and increasethe beneficial effects of the use ofinformation technology

13-3


4/78

Case 1: Ethics, Moral Dilemmas, andTough Decisions

The pervasive use of IT in organizations andsociety present individuals with new ethicalchallenges and dilemmas.

If companies dont set ethical policies andguidelines, or dont make sure that

employees know what they are andunderstand them, companies cannot hold

workers accountable for their unethicalbehavior.

13-4


5/78

Case Study Questions

1. Companies are developing ethical policies and guidelinesfor legal reasons, but also to clarify what is acceptableand what is not. Do you think any of the issues raised inthe case required clarification? Would you take exceptionto any of them being classified as inappropriate behavior?

Why do you think these things happen anyway?2. In the first example (Bryans), it is apparent that he did not

believe justice had been ultimately served by the decisionhis company made. Should he have taken the issue to theauthorities? Or, was it enough that he reported theproblem through the proper channels and let theorganization handle it, as was the recommendation ofLinn Hynds? Provide a rationale for the position you arewilling to take on this matter.

13-5


6/78


3. In the case, Gary chose not to stop his bossfrom installing unlicensed software, althoughhe refused to do it himself. If installingunlicensed software is wrong, is there any

difference between refusing to do it versus notstopping somebody else? Do you buy hisargument that it was not really going to hurtanybody? Why or why not?

13-6


7/78

IT Security, Ethics, and Society

13-7


8/78

IT Security, Ethics, and Society

Information technology has bothbeneficialand detrimental effects on society

and people

Manage work activities to minimize thedetrimental effects of information

technology

Optimize the beneficial effects

13-8


9/78

Business Ethics

Ethics questions that managersconfront as part of their dailybusiness decision making include

Equity

Rights

Honesty Exercise of corporate power

13-9


10/78

Categories of Ethical Business Issues

13-10


11/78

Corporate Social Responsibility Theories

Stockholder Theory

Managers are agents of the stockholders

Their only ethical responsibility is to increase

the profits of the business without violatingthe law or engaging in fraudulent practices

Social Contract Theory

Companies have ethical responsibilities to allmembers of society, who allow corporationsto exist

13-11


12/78

Corporate Social Responsibility Theories

Stakeholder Theory

Managers have an ethicalresponsibility to manage a firm for thebenefit of all its stakeholders

Stakeholders are all individuals andgroups

that have a stake in, or claim on, acompany

13-12


13/78

Principles of Technology Ethics

Proportionality

The good achieved by the technology mustoutweigh the harm or risk; there must be no

alternative that achieves the same orcomparable benefits with less harm or risk

Informed Consent

Those affected by the technology shouldunderstand and accept the risks

13-13


14/78

Principles of Technology Ethics

Justice

The benefits and burdens of the technologyshould be distributed fairly.

Those who benefit should bear their fairshareof the risks, and those who do not benefitshould not suffer a significant increase in risk

Minimized Risk

Even if judged acceptable by the other threeguidelines, the technology must beimplemented so as to avoid all unnecessaryrisk

13-14


15/78

AITP Standards of Professional Conduct

13-15


16/78

Responsible Professional Guidelines

A responsible professional

Acts with integrity

Increases personal competence Sets high standards of personal

performance

Accepts responsibility for his/her work Advances the health, privacy, and

generalwelfare of the public

13-16


17/78

Computer Crime

Computer crime includes

Unauthorized use, access, modification, ordestruction of hardware, software, data, ornetwork resources

The unauthorized release of information The unauthorized copying of software

Denying an end user access to his/her ownhardware, software, data, or network

resources Using or conspiring to use computer ornetwork resources illegally to obtaininformation or tangible property

13-17


18/78

Hacking

Hacking is The obsessive use of computers The unauthorized access and use of

networked computer systems

Electronic Breaking and Entering Hacking into a computer system and reading

files, but neither stealing nor damaginganything

Cracker A malicious or criminal hacker who maintains

knowledge of the vulnerabilities found forprivate advantage

13-18


19/78

Common Hacking Tactics

Denial of Service

Hammering a websites equipment with toomany requests for information

Clogging the system, slowing performance,or crashing the site

Scans

Widespread probes of the Internet to

determine types of computers, services, andconnections

Looking for weaknesses

13-19


20/78


Sniffer

Programs that search individual packets ofdata as they pass through the Internet

Capturing passwords or entire contents

Spoofing

Faking an e-mail address or Web page to

trick users into passing along criticalinformationlike passwords or credit card numbers

13-20


21/78


Trojan House A program that, unknown to the user,

contains instructions that exploit a knownvulnerabilityin some software

Back Doors A hidden point of entry to be used in case

the original entry point is detected or blocked

Malicious Applets Tiny Java programs that misuse your

computers resources, modify files on thehard disk, send fake email, or stealpasswords

13-21


22/78


War Dialing

Programs that automatically dial thousandsof telephone numbers in search of a way inthrough a modem connection

Logic Bombs

An instruction in a computer program thattriggers a malicious act

Buffer Overflow

Crashing or gaining control of a computer bysending too much data to buffer memory

13-22


23/78


Password Crackers Software that can guess passwords

Social Engineering

Gaining access to computer systems bytalking unsuspecting company employeesout ofvaluable information, such as passwords

Dumpster Diving

Sifting through a companys garbage to findinformation to help break into theircomputers

13-23


24/78

Cyber Theft

Many computer crimes involve the theft ofmoney

The majority are inside jobs that involveunauthorized network entry and alternation

of computer databases to cover the tracksof the employees involved

Many attacks occur through the Internet

Most companies dont reveal that they have

been targets or victims of cybercrime

13-24


25/78

Unauthorized Use at Work

Unauthorized use of computer systemsand networks is time and resource theft

Doing private consulting

Doing personal finances Playing video games

Unauthorized use of the Internet or companynetworks

Sniffers Used to monitor network traffic or capacity

Find evidence of improper use

13-25


26/78

Internet Abuses in the Workplace

General email abuses

Unauthorized usage and access

Copyright infringement/plagiarism

Newsgroup postings

Transmission of confidential data

Pornography

Hacking

Non-work-related download/upload

Leisure use of the Internet

Use of external ISPs

Moonlighting

13-26


27/78

Software Piracy

Software Piracy

Unauthorized copying of computerprograms

Licensing

Purchasing software is really a paymentfor a license for fair use

Site license allows a certain number ofcopies

A third of the software industrys revenues are lost to

piracy 13-27


28/78

Theft of Intellectual Property

Intellectual Property

Copyrighted material

Includes such things as music, videos, images,articles, books, and software

Copyright Infringement is Illegal Peer-to-peer networking techniques have made

it easy to trade pirated intellectual property

Publishers Offer Inexpensive Online Music

Illegal downloading of music and video isdown and continues to drop

13-28


29/78

Viruses and Worms

A virus is a program that cannot work withoutbeing inserted into another program A worm can run unaided

These programs copy annoying or destructive

routines into networked computers Copy routines spread the virus

Commonly transmitted through The Internet and online services

Email and file attachments

Disks from contaminated computers

Shareware

13-29


30/78


31/78

Top Five Virus Families of all Time

Netsky, 2004

Mass-mailing worm that spreads byemailing itself to all email addresses

found on infected computers

Tries to spread via peer-to-peer filesharing

by copying itself into the shared folder It renames itself to pose as one of 26

other common files along the way

13-31


32/78


SoBig, 2004

Mass-mailing email worm that arrives asan attachment

Examples: Movie_0074.mpg.pif, Document003.pif

Scans all .WAB, .WBX, .HTML, .EML, and.TXT files looking for email addresses towhich it can send itself

Also attempts to download updates for itself

13-32


33/78


Klez, 2002 A mass-mailing email worm that arrives

with a randomly named attachment

Exploits a known vulnerability in MS

Outlook to auto-execute on unpatchedclients

Tries to disable virus scanners and thencopy itself to all local and networked driveswith a random file name

Deletes all files on the infected machine andany mapped network drives on the 13th of alleven-numbered months

13-33


34/78


Sasser, 2004

Exploits a Microsoft vulnerability tospread

from computer to computer with nouser intervention

Spawns multiple threads that scan

local subnets for vulnerabilities

13-34


35/78

The Cost of Viruses, Trojans, Worms

Cost of the top five virus families

Nearly 115 million computers in 200countries were infected in 2004

Up to 11 million computers are believed tobe permanently infected

In 2004, total economic damage from virusproliferation was $166 to $202 billion

Average damage per computer is between$277 and $366

13-35


36/78

Adware and Spyware

Adware Software that purports to serve a useful purpose, and

often does

Allows advertisers to display pop-up and banner adswithout the consent of the computer users

Spyware Adware that uses an Internet connection in the

background, without the users permissionor knowledge

Captures information about the user and sendsit over the Internet

13-36


37/78

Spyware Problems

Spyware can steal private information and also Add advertising links to Web pages

Redirect affiliate payments

Change a users home page and search settings

Make a modem randomly call premium-rate phonenumbers

Leave security holes that let Trojans in

Degrade system performance

Removal programs are often not completelysuccessful in eliminating spyware

13-37


38/78

Privacy Issues

The power of information technology tostore and retrieve information can have anegative effect on every individuals right

to privacy Personal information is collected with every

visit to a Web site

Confidential information stored by credit

bureaus, credit card companies, and thegovernment has been stolen or misused

13-38


39/78


40/78

Privacy Issues

Violation of PrivacyAccessing individuals private email

conversations and computer records

Collecting and sharing information about

individuals gained from their visits toInternet websites

Computer Monitoring

Always knowing where a person is

Mobile and paging services are becomingmore closely associated with people thanwith places

13-40


41/78

Privacy Issues

Computer Matching

Using customer information gained frommany sources to market additional business

services Unauthorized Access of Personal Files

Collecting telephone numbers, emailaddresses, credit card numbers, and other

information to build customer profiles

13-41


42/78

Protecting Your Privacy on the Internet

There are multiple ways to protect yourprivacy

Encrypt email

Send newsgroup postings throughanonymous remailers

Ask your ISP not to sell your name andinformation to mailing list providers and

other marketers

Dont reveal personal data and interests on

online service and website user profiles

13-42


43/78

Privacy Laws

Electronic Communications Privacy Actand Computer Fraud and Abuse Act

Prohibit intercepting data communications

messages, stealing or destroying data, ortrespassing in federal-related computersystems

U.S. Computer Matching and Privacy Act

Regulates the matching of data held infederal agency files to verify eligibilityfor federal programs

13-43


44/78

Privacy Laws

Other laws impacting privacy and howmuch a company spends on compliance

Sarbanes-Oxley

Health Insurance Portability andAccountability Act (HIPAA)

Gramm-Leach-Bliley

USA Patriot Act

California Security Breach Law

Securities and Exchange Commission rule17a-4

13-44


45/78

Computer Libel and Censorship

The opposite side of the privacy debate Freedom of information, speech, and press

Biggest battlegrounds Bulletin boards

Email boxes Online files of Internet and public networks

Weapons used in this battle Spamming

Flame mail

Libel laws Censorship

13-45


46/78

Computer Libel and Censorship

Spamming

Indiscriminate sending of unsolicited emailmessages to many Internet users

Flaming

Sending extremely critical, derogatory, andoften vulgar email messages or newsgroupposting to other users on the Internet or

online services

Especially prevalent on special-interestnewsgroups

13-46


47/78

Cyberlaw

Laws intended to regulate activitiesoverthe Internet or via electronic

communication devices Encompasses a wide variety of legal

andpolitical issues

Includes intellectual property, privacy,freedom of expression, and jurisdiction

13-47


48/78

Cyberlaw

The intersection of technology and the lawis controversial Some feel the Internet should not be regulated

Encryption and cryptography make traditional form ofregulation difficult

The Internet treats censorship as damage and simplyroutes around it

Cyberlaw only began to emerge in 1996 Debate continues regarding the applicability

of legal principles derived from issues thathad nothing to do with cyberspace

13-48


49/78

Other Challenges

Employment IT creates new jobs and increases productivity

It can also cause significant reductions in jobopportunities, as well as requiring new job skills

Computer Monitoring Using computers to monitor the productivityand behavior of employees as they work

Criticized as unethical because it monitors individuals,not just work, and is done constantly

Criticized as invasion of privacy because manyemployees do not know they are being monitored

13-49


50/78

Other Challenges

Working Conditions

IT has eliminated monotonous or obnoxious tasks

However, some skilled craftsperson jobs have beenreplaced by jobs requiring routine,

repetitive tasks or standby roles Individuality

Dehumanizes and depersonalizes activitiesbecause computers eliminate human

relationships Inflexible systems

13-50


51/78

Health Issues

Cumulative Trauma Disorders (CTDs)

Disorders suffered by people who sit at aPC or terminal and do fast-paced repetitive

keystroke jobs Carpal Tunnel Syndrome

Painful, crippling ailment of the handand wrist

Typically requires surgery to cure

13-51


52/78

Ergonomics

Designing healthy workenvironments

Safe, comfortable, and pleasant forpeopleto work in

Increases employee morale and

productivity Also called human factors engineering

13-52


53/78

Ergonomics Factors

13-53


54/78

Societal Solutions

Using information technologies to solvehuman and social problems

Medical diagnosis

Computer-assisted instruction

Governmental program planning

Environmental quality control

Law enforcement Job placement

13-54


55/78

Societal Solutions

The detrimental effects ofinformation technology

Often caused by individualsor organizations notaccepting ethicalresponsibility for

their actions

13-55


56/78

Security Management of IT

The Internet was developed for inter-operability, not impenetrability

Business managers and professionals alike

are responsible for the security, quality, andperformance of business informationsystems

Hardware, software, networks, and data

resources must be protected by a varietyof security measures

13-56


57/78

Case 2: Raymond James Financial, BCDTravel, Houston Texans, and Others

For companies like Raymond James, leakage ofsensitive customer data or proprietary information isa new priority.

Companies are starting to focus on keepingsensitive information within their boundaries.

Companies are deploying Outbound contentmanagement tools to monitor outgoing information.

Companies not only have to monitor e-mailmessages, but also the explosion of alternativecommunication mechanisms that employees areusing, including instant messaging, blogs, FTPtransfers, Web mail, and message boards.

13-57


58/78


1. Barring illegal activities, why do you think that employees in

the organizations featured in the case do not realizethemselves the dangers of loosely managing proprietary andsensitive information? Would you have thought of theseissues?

2. How should organizations strike the right balance between

monitoring and invading their employees privacy, even if itwould be legal for them to do so? Why is it important thatcompanies achieve this balance? What would be theconsequences of being too biased to one side?

3. The IT executives in the case all note that outbound

monitoring and management technologies are only part of anoverall strategy, and not their primary defense. What shouldbe the other components of this strategy? Which weightwould you give to human and technological factors? Why?

13-58


59/78

Security Management

The goal of securitymanagement is theaccuracy, integrity,

and safety of allinformation systemprocesses and resources

13-59


60/78

Internetworked Security Defenses

Encryption

Data is transmitted in scrambled form

It is unscrambled by computersystems for authorized users only

The most widely used method uses apair of public and private keys unique

to each individual

13-60


61/78

Public/Private Key Encryption

13-61


62/78


Firewalls

A gatekeeper system that protects acompanys intranets and other computer

networks from intrusion

Provides a filter and safe transfer point foraccess to/from the Internet and othernetworks

Important for individuals who connect to theInternet with DSL or cable modems

Can deter hacking, but cannot prevent it

13-62


63/78

Internet and Intranet Firewalls

13-63


64/78

Denial of Service Attacks

Denial of service attacks depend onthreelayers of networked computer

systems The victims website

The victims Internet service provider

Zombie or slave computers that havebeen commandeered by thecybercriminals

13-64


65/78

Defending Against Denial of Service

At Zombie Machines

Set and enforce security policies

Scan for vulnerabilities

At the ISP

Monitor and block traffic spikes

At the Victims Website Create backup servers and network

connections

13-65


66/78


Email Monitoring

Use of content monitoring software thatscansfor troublesome words that might

compromise corporate security

Virus Defenses

Centralize the updating and distribution ofantivirus software

Use a security suite that integrates virusprotection with firewalls, Web security,and content blocking features

13-66


67/78

Other Security Measures

Security Codes Multilevel password system

Encrypted passwords

Smart cards with microprocessors Backup Files

Duplicate files of data or programs

Security Monitors

Monitor the use of computers and networks

Protects them from unauthorized use, fraud,and destruction

13-67


68/78


Biometrics

Computer devices measure physical traitsthat make each individual unique Voice recognition, fingerprints, retina scan

Computer Failure Controls

Prevents computer failures or minimizesits effects

Preventive maintenance

Arrange backups with a disaster recoveryorganization

13-68


69/78


In the event of a system failure, fault-tolerant systems have redundantprocessors, peripherals, and software

that provide Fail-over capability: shifts to back up

components

Fail-save capability: the system continues

to operate at the same level

Fail-soft capability: the system continuesto operate at a reduced but acceptable level

13-69


70/78


71/78

Information System Controls

Methods and devices that attempt toensure the accuracy, validity, andpropriety of information system activities

13-71


72/78

Auditing IT Security

IT Security Audits

Performed by internal or externalauditors

Review and evaluation of securitymeasuresand management policies

Goal is to ensure that that proper andadequate measures and policies arein place

13-72


73/78

Protecting Yourself from Cybercrime

13-73


74/78

Case 3: Cyberscams and Cybercriminals

Cyberscams are todays fastest-growingcriminal niche

87 percent of companies surveyed reported

a security incident The U.S. Federal Trade Commission says

identity theft is its top complaint

eBay has 60 people combating fraud;

Microsoft has 65

Stolen credit card account numbers areregularly sold online

13-74


75/78


76/78

Case 4: Lowes, TCI, Bank of America,ChoicePoint, and Others

Security Breach Headlines Identity thieves stole information on 145,000

people from ChoicePoint

Bank of America lost backup tapes that held

data on over 1 million credit card holders DSW had its stores credit card data

breached; over 1 million had been accessed

Corporate America is finally owning up toa long-held secret It cant safeguard its most valuable data

13-76


77/78


1. Why have there been so many recentincidents of data security breaches andloss of customer data by reputablecompanies?

2. What security safeguards mustcompanies have to deter electronicbreak-ins into their computer networks,

business applications, and dataresources like the incident at Lowes?

13-77


78/78


3. What security safeguards wouldhave deterred the loss of customerdata at TCI, Bank of America, and

ChoicePoint? Defend yourproposed security measures toavoid the incidents that occurred at

each company.

week 13 - information system and society

Documents