Transcript Slide 1
McGraw-Hill/Irwin McGraw-Hill/Irwin Copyright©©2008 2008, reserved. Copyright by The TheMcGraw-Hill McGraw-HillCompanies, Companies,Inc. Inc.All Allrights rights reserved. Chapter 13 Security and Ethical Challenges McGraw-Hill/Irwin Copyright © 2008, The McGraw-Hill Companies, Inc. All rights reserved. Learning Objectives • Identify several ethical issues in how the use of information technologies in business affects • • • • • • • Employment Individuality Working conditions Privacy Crime Health Solutions to societal problems 13-3 Learning Objectives • Identify several types of security management strategies and defenses, and explain how they can be used to ensure the security of business applications of information technology • Propose several ways that business managers and professionals can help to lessen the harmful effects and increase the beneficial effects of the use of information technology 13-4 Case 1: Cyberscams and Cybercriminals • Cyberscams are today’s fastest-growing criminal niche • 87 percent of companies surveyed reported a security incident • The U.S. Federal Trade Commission says identity theft is its top complaint • eBay has 60 people combating fraud; Microsoft has 65 • Stolen credit card account numbers are regularly sold online 13-5 Case Study Questions • What are several reasons why “cyberscams are today’s fastest-growing criminal niche”? • Explain why the reasons you give contribute to the growth of cyberscams • What are several security measures that could be implemented to combat the spread of cyberscams? • Explain why your suggestions would be effective in limiting the spread of cyberscams 13-6 Case Study Questions • Which one or two of the four top cybercriminals described in this case poses the greatest threat to businesses? To consumers? • Explain the reasons for your choices, and how businesses and consumers can protect themselves from these cyberscammers 13-7 IT Security, Ethics, and Society 13-8 IT Security, Ethics, and Society • Information technology has both beneficial and detrimental effects on society and people • Manage work activities to minimize the detrimental effects of information technology • Optimize the beneficial effects 13-9 Business Ethics • Ethics questions that managers confront as part of their daily business decision making include • • • • Equity Rights Honesty Exercise of corporate power 13-10 Categories of Ethical Business Issues 13-11 Corporate Social Responsibility Theories • Stockholder Theory • Managers are agents of the stockholders • Their only ethical responsibility is to increase the profits of the business without violating the law or engaging in fraudulent practices • Social Contract Theory • Companies have ethical responsibilities to all members of society, who allow corporations to exist 13-12 Corporate Social Responsibility Theories • Stakeholder Theory • Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders • Stakeholders are all individuals and groups that have a stake in, or claim on, a company 13-13 Principles of Technology Ethics • Proportionality • The good achieved by the technology must outweigh the harm or risk; there must be no alternative that achieves the same or comparable benefits with less harm or risk • Informed Consent • Those affected by the technology should understand and accept the risks 13-14 Principles of Technology Ethics • Justice • The benefits and burdens of the technology should be distributed fairly. • Those who benefit should bear their fair share of the risks, and those who do not benefit should not suffer a significant increase in risk • Minimized Risk • Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk 13-15 AITP Standards of Professional Conduct 13-16 Responsible Professional Guidelines • A responsible professional • • • • • Acts with integrity Increases personal competence Sets high standards of personal performance Accepts responsibility for his/her work Advances the health, privacy, and general welfare of the public 13-17 Computer Crime • Computer crime includes • Unauthorized use, access, modification, or destruction of hardware, software, data, or network resources • The unauthorized release of information • The unauthorized copying of software • Denying an end user access to his/her own hardware, software, data, or network resources • Using or conspiring to use computer or network resources illegally to obtain information or tangible property 13-18 Cybercrime Protection Measures 13-19 Hacking • Hacking is • The obsessive use of computers • The unauthorized access and use of networked computer systems • Electronic Breaking and Entering • Hacking into a computer system and reading files, but neither stealing nor damaging anything • Cracker • A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage 13-20 Common Hacking Tactics • Denial of Service • Hammering a website’s equipment with too many requests for information • Clogging the system, slowing performance, or crashing the site • Scans • Widespread probes of the Internet to determine types of computers, services, and connections • Looking for weaknesses 13-21 Common Hacking Tactics • Sniffer • Programs that search individual packets of data as they pass through the Internet • Capturing passwords or entire contents • Spoofing • Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers 13-22 Common Hacking Tactics • Trojan House • A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software • Back Doors • A hidden point of entry to be used in case the original entry point is detected or blocked • Malicious Applets • Tiny Java programs that misuse your computer’s resources, modify files on the hard disk, send fake email, or steal passwords 13-23 Common Hacking Tactics • War Dialing • Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection • Logic Bombs • An instruction in a computer program that triggers a malicious act • Buffer Overflow • Crashing or gaining control of a computer by sending too much data to buffer memory 13-24 Common Hacking Tactics • Password Crackers • Software that can guess passwords • Social Engineering • Gaining access to computer systems by talking unsuspecting company employees out of valuable information, such as passwords • Dumpster Diving • Sifting through a company’s garbage to find information to help break into their computers 13-25 Cyber Theft • Many computer crimes involve the theft of money • The majority are “inside jobs” that involve unauthorized network entry and alternation of computer databases to cover the tracks of the employees involved • Many attacks occur through the Internet • Most companies don’t reveal that they have been targets or victims of cybercrime 13-26 Unauthorized Use at Work • Unauthorized use of computer systems and networks is time and resource theft • • • • Doing private consulting Doing personal finances Playing video games Unauthorized use of the Internet or company networks • Sniffers • Used to monitor network traffic or capacity • Find evidence of improper use 13-27 Internet Abuses in the Workplace • • • • • • • • • • • General email abuses Unauthorized usage and access Copyright infringement/plagiarism Newsgroup postings Transmission of confidential data Pornography Hacking Non-work-related download/upload Leisure use of the Internet Use of external ISPs Moonlighting 13-28 Software Piracy • Software Piracy • Unauthorized copying of computer programs • Licensing • Purchasing software is really a payment for a license for fair use • Site license allows a certain number of copies A third of the software industry’s revenues are lost to piracy 13-29 Theft of Intellectual Property • Intellectual Property • Copyrighted material • Includes such things as music, videos, images, articles, books, and software • Copyright Infringement is Illegal • Peer-to-peer networking techniques have made it easy to trade pirated intellectual property • Publishers Offer Inexpensive Online Music • Illegal downloading of music and video is down and continues to drop 13-30 Viruses and Worms • A virus is a program that cannot work without being inserted into another program • A worm can run unaided • These programs copy annoying or destructive routines into networked computers • Copy routines spread the virus • Commonly transmitted through • • • • The Internet and online services Email and file attachments Disks from contaminated computers Shareware 13-31 Top Five Virus Families of all Time • My Doom, 2004 • Spread via email and over Kazaa file-sharing network • Installs a back door on infected computers • Infected email poses as returned message or one that can’t be opened correctly, urging recipient to click on attachment • Opens up TCP ports that stay open even after termination of the worm • Upon execution, a copy of Notepad is opened, filled with nonsense characters 13-32 Top Five Virus Families of all Time • Netsky, 2004 • Mass-mailing worm that spreads by emailing itself to all email addresses found on infected computers • Tries to spread via peer-to-peer file sharing by copying itself into the shared folder • It renames itself to pose as one of 26 other common files along the way 13-33 Top Five Virus Families of all Time • SoBig, 2004 • Mass-mailing email worm that arrives as an attachment • Examples: Movie_0074.mpg.pif, Document003.pif • Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking for email addresses to which it can send itself • Also attempts to download updates for itself 13-34 Top Five Virus Families of all Time • Klez, 2002 • A mass-mailing email worm that arrives with a randomly named attachment • Exploits a known vulnerability in MS Outlook to auto-execute on unpatched clients • Tries to disable virus scanners and then copy itself to all local and networked drives with a random file name • Deletes all files on the infected machine and any mapped network drives on the 13th of all even-numbered months 13-35 Top Five Virus Families of all Time • Sasser, 2004 • Exploits a Microsoft vulnerability to spread from computer to computer with no user intervention • Spawns multiple threads that scan local subnets for vulnerabilities 13-36 The Cost of Viruses, Trojans, Worms • Cost of the top five virus families • Nearly 115 million computers in 200 countries were infected in 2004 • Up to 11 million computers are believed to be permanently infected • In 2004, total economic damage from virus proliferation was $166 to $202 billion • Average damage per computer is between $277 and $366 13-37 Adware and Spyware • Adware • Software that purports to serve a useful purpose, and often does • Allows advertisers to display pop-up and banner ads without the consent of the computer users • Spyware • Adware that uses an Internet connection in the background, without the user’s permission or knowledge • Captures information about the user and sends it over the Internet 13-38 Spyware Problems • Spyware can steal private information and also • • • • Add advertising links to Web pages Redirect affiliate payments Change a users home page and search settings Make a modem randomly call premium-rate phone numbers • Leave security holes that let Trojans in • Degrade system performance • Removal programs are often not completely successful in eliminating spyware 13-39 Privacy Issues • The power of information technology to store and retrieve information can have a negative effect on every individual’s right to privacy • Personal information is collected with every visit to a Web site • Confidential information stored by credit bureaus, credit card companies, and the government has been stolen or misused 13-40 Opt-in Versus Opt-out • Opt-In • You explicitly consent to allow data to be compiled about you • This is the default in Europe • Opt-Out • Data can be compiled about you unless you specifically request it not be • This is the default in the U.S. 13-41 Privacy Issues • Violation of Privacy • Accessing individuals’ private email conversations and computer records • Collecting and sharing information about individuals gained from their visits to Internet websites • Computer Monitoring • Always knowing where a person is • Mobile and paging services are becoming more closely associated with people than with places 13-42 Privacy Issues • Computer Matching • Using customer information gained from many sources to market additional business services • Unauthorized Access of Personal Files • Collecting telephone numbers, email addresses, credit card numbers, and other information to build customer profiles 13-43 Protecting Your Privacy on the Internet • There are multiple ways to protect your privacy • Encrypt email • Send newsgroup postings through anonymous remailers • Ask your ISP not to sell your name and information to mailing list providers and other marketers • Don’t reveal personal data and interests on online service and website user profiles 13-44 Privacy Laws • Electronic Communications Privacy Act and Computer Fraud and Abuse Act • Prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems • U.S. Computer Matching and Privacy Act • Regulates the matching of data held in federal agency files to verify eligibility for federal programs 13-45 Privacy Laws • Other laws impacting privacy and how much a company spends on compliance • Sarbanes-Oxley • Health Insurance Portability and Accountability Act (HIPAA) • Gramm-Leach-Bliley • USA Patriot Act • California Security Breach Law • Securities and Exchange Commission rule 17a-4 13-46 Computer Libel and Censorship • The opposite side of the privacy debate… • Freedom of information, speech, and press • Biggest battlegrounds • Bulletin boards • Email boxes • Online files of Internet and public networks • Weapons used in this battle • • • • Spamming Flame mail Libel laws Censorship 13-47 Computer Libel and Censorship • Spamming • Indiscriminate sending of unsolicited email messages to many Internet users • Flaming • Sending extremely critical, derogatory, and often vulgar email messages or newsgroup posting to other users on the Internet or online services • Especially prevalent on special-interest newsgroups 13-48 Cyberlaw • Laws intended to regulate activities over the Internet or via electronic communication devices • Encompasses a wide variety of legal and political issues • Includes intellectual property, privacy, freedom of expression, and jurisdiction 13-49 Cyberlaw • The intersection of technology and the law is controversial • Some feel the Internet should not be regulated • Encryption and cryptography make traditional form of regulation difficult • The Internet treats censorship as damage and simply routes around it • Cyberlaw only began to emerge in 1996 • Debate continues regarding the applicability of legal principles derived from issues that had nothing to do with cyberspace 13-50 Other Challenges • Employment • IT creates new jobs and increases productivity • It can also cause significant reductions in job opportunities, as well as requiring new job skills • Computer Monitoring • Using computers to monitor the productivity and behavior of employees as they work • Criticized as unethical because it monitors individuals, not just work, and is done constantly • Criticized as invasion of privacy because many employees do not know they are being monitored 13-51 Other Challenges • Working Conditions • IT has eliminated monotonous or obnoxious tasks • However, some skilled craftsperson jobs have been replaced by jobs requiring routine, repetitive tasks or standby roles • Individuality • Dehumanizes and depersonalizes activities because computers eliminate human relationships • Inflexible systems 13-52 Health Issues • Cumulative Trauma Disorders (CTDs) • Disorders suffered by people who sit at a PC or terminal and do fast-paced repetitive keystroke jobs • Carpal Tunnel Syndrome • Painful, crippling ailment of the hand and wrist • Typically requires surgery to cure 13-53 Ergonomics • Designing healthy work environments • Safe, comfortable, and pleasant for people to work in • Increases employee morale and productivity • Also called human factors engineering 13-54 Ergonomics Factors 13-55 Societal Solutions • Using information technologies to solve human and social problems • • • • • • Medical diagnosis Computer-assisted instruction Governmental program planning Environmental quality control Law enforcement Job placement 13-56 Societal Solutions • The detrimental effects of information technology • Often caused by individuals or organizations not accepting ethical responsibility for their actions 13-57 Security Management of IT • The Internet was developed for inter-operability, not impenetrability • Business managers and professionals alike are responsible for the security, quality, and performance of business information systems • Hardware, software, networks, and data resources must be protected by a variety of security measures 13-58 Case 2: Data Security Failures • Security Breach Headlines • Identity thieves stole information on 145,000 people from ChoicePoint • Bank of America lost backup tapes that held data on over 1 million credit card holders • DSW had its stores’ credit card data breached; over 1 million had been accessed • Corporate America is finally owning up to a long-held secret • It can’t safeguard its most valuable data 13-59 Case Study Questions • Why have there been so many recent incidents of data security breaches and loss of customer data by reputable companies? • What security safeguards must companies have to deter electronic break-ins into their computer networks, business applications, and data resources like the incident at Lowe’s? 13-60 Case Study Questions • What security safeguards would have deterred the loss of customer data at • TCI • Bank of America • ChoicePoint? 13-61 Security Management • The goal of security management is the accuracy, integrity, and safety of all information system processes and resources 13-62 Internetworked Security Defenses • Encryption • Data is transmitted in scrambled form • It is unscrambled by computer systems for authorized users only • The most widely used method uses a pair of public and private keys unique to each individual 13-63 Public/Private Key Encryption 13-64 Internetworked Security Defenses • Firewalls • A gatekeeper system that protects a company’s intranets and other computer networks from intrusion • Provides a filter and safe transfer point for access to/from the Internet and other networks • Important for individuals who connect to the Internet with DSL or cable modems • Can deter hacking, but cannot prevent it 13-65 Internet and Intranet Firewalls 13-66 Denial of Service Attacks • Denial of service attacks depend on three layers of networked computer systems • The victim’s website • The victim’s Internet service provider • Zombie or slave computers that have been commandeered by the cybercriminals 13-67 Defending Against Denial of Service • At Zombie Machines • Set and enforce security policies • Scan for vulnerabilities • At the ISP • Monitor and block traffic spikes • At the Victim’s Website • Create backup servers and network connections 13-68 Internetworked Security Defenses • Email Monitoring • Use of content monitoring software that scans for troublesome words that might compromise corporate security • Virus Defenses • Centralize the updating and distribution of antivirus software • Use a security suite that integrates virus protection with firewalls, Web security, and content blocking features 13-69 Other Security Measures • Security Codes • Multilevel password system • Encrypted passwords • Smart cards with microprocessors • Backup Files • Duplicate files of data or programs • Security Monitors • Monitor the use of computers and networks • Protects them from unauthorized use, fraud, and destruction 13-70 Other Security Measures • Biometrics • Computer devices measure physical traits that make each individual unique • Voice recognition, fingerprints, retina scan • Computer Failure Controls • Prevents computer failures or minimizes its effects • Preventive maintenance • Arrange backups with a disaster recovery organization 13-71 Other Security Measures • In the event of a system failure, fault-tolerant systems have redundant processors, peripherals, and software that provide • Fail-over capability: shifts to back up components • Fail-save capability: the system continues to operate at the same level • Fail-soft capability: the system continues to operate at a reduced but acceptable level 13-72 Other Security Measures • A disaster recovery plan contains formalized procedures to follow in the event of a disaster • Which employees will participate • What their duties will be • What hardware, software, and facilities will be used • Priority of applications that will be processed • Use of alternative facilities • Offsite storage of databases 13-73 Information System Controls • Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities 13-74 Auditing IT Security • IT Security Audits • Performed by internal or external auditors • Review and evaluation of security measures and management policies • Goal is to ensure that that proper and adequate measures and policies are in place 13-75 Protecting Yourself from Cybercrime 13-76 Case 3: Managing Information Security • OCTAVE Security Process Methodology • Risk Evaluation • • • • Self-direction by people in the organization Adaptable measures that can change with technology A defined process and standard evaluation procedures A foundation for a continual process that improves security over time • Risk Management • A forward-looking view • A focus on a “critical few” security issues • Integrated management of security policies and strategies 13-77 Case 3: Managing Information Security • Organizational and Cultural • Open communication of risk information and activities build around collaboration • A global perspective on risk in the context of the organization’s mission and business objectives • Teamwork 13-78 Case Study Questions • What are security managers doing to improve information security? • How does the OCTAVE methodology work to improve security in organizations? • What does Lloyd Hession mean when he says information security is “not addressed simply by the firewalls and antivirus tools that are already in place”? 13-79 Case 4: Maintaining Software Security • Security professionals have 7 to 21 days before hacker’s tools used to exploit the most recent vulnerabilities become available on the Internet • Microsoft’s monthly patch-release date is known as “Patch Tuesday” • Security software companies go to work immediately to update their products • Update must be thoroughly tested before being deployed 13-80 Case Study Questions • What types of security problems are typically addressed by a patch-management strategy? • Why do such problems arise in the first place? • What challenges does the process of applying software patches and updates pose for many businesses? • What are the limitations of the patching process? 13-81 Case Study Questions • Does the business value of a comprehensive patch-management strategy outweigh its costs, its limitations, and the demands it placed on the IT function? 13-82