Transcript Slide 1
Chapter
13
Security and Ethical Challenges
Learning Objectives
• Identify several ethical issues in how the use of information technologies in business affects • Employment • Individuality • Working conditions • Privacy • Crime • Health • Solutions to societal problems
13-2
Learning Objectives
• Identify several types of security management strategies and defenses, and explain how they can be used to ensure the security of business applications of information technology • Propose several ways that business managers and professionals can help to lessen the harmful effects and increase the beneficial effects of the use of information technology
13-3
IT Security, Ethics, and Society
13-4
IT Security, Ethics, and Society
• Information technology has both beneficial and detrimental effects on society and people • Manage work activities to minimize the detrimental effects of information technology • Optimize the beneficial effects
13-5
Business Ethics
• Ethics questions that managers confront as part of their daily business decision making include • Equity • Rights • Honesty • Exercise of corporate power
13-6
Categories of Ethical Business Issues
13-7
Corporate Social Responsibility Theories
• Stockholder Theory • Managers are agents of the stockholders • Their only ethical responsibility is to increase the profits of the business without violating the law or engaging in fraudulent practices • Social Contract Theory • Companies have ethical responsibilities to all members of society, who allow corporations to exist
13-8
Corporate Social Responsibility Theories
• Stakeholder Theory • Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders • Stakeholders are all individuals and groups that have a stake in, or claim on, a company
13-9
Principles of Technology Ethics
• Proportionality • The good achieved by the technology must outweigh the harm or risk; there must be no alternative that achieves the same or comparable benefits with less harm or risk • Informed Consent • Those affected by the technology should understand and accept the risks
13-10
Principles of Technology Ethics
• Justice • The benefits and burdens of the technology should be distributed fairly. • Those who benefit should bear their fair share of the risks, and those who do not benefit should not suffer a significant increase in risk • Minimized Risk • Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk
13-11
AITP Standards of Professional Conduct
13-12
Responsible Professional Guidelines
• A responsible professional • Acts with integrity • Increases personal competence • Sets high standards of personal performance • Accepts responsibility for his/her work • Advances the health, privacy, and general welfare of the public
13-13
Computer Crime
• Computer crime includes • Unauthorized use, access, modification, or destruction of hardware, software, data, or network resources • The unauthorized release of information • The unauthorized copying of software • Denying an end user access to his/her own hardware, software, data, or network resources • Using or conspiring to use computer or network resources illegally to obtain information or tangible property
13-14
Cybercrime Protection Measures
13-15
Hacking
• Hacking is • The obsessive use of computers • The unauthorized access and use of networked computer systems • Electronic Breaking and Entering • Hacking into a computer system and reading files, but neither stealing nor damaging anything • Cracker • A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage
13-16
Common Hacking Tactics
• Denial of Service • Hammering a website’s equipment with too many requests for information • Clogging the system, slowing performance, or crashing the site • Scans • Widespread probes of the Internet to determine types of computers, services, and connections • Looking for weaknesses
13-17
Common Hacking Tactics
• Sniffer • Programs that search individual packets of data as they pass through the Internet • Capturing passwords or entire contents • Spoofing • Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers
13-18
Common Hacking Tactics
• • Trojan House • A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software • Back Doors • A hidden point of entry to be used in case the original entry point is detected or blocked Malicious Applets • Tiny Java programs that misuse your computer’s resources, modify files on the hard disk, send fake email, or steal passwords
13-19
Common Hacking Tactics
• War Dialing • Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection • Logic Bombs • An instruction in a computer program that triggers a malicious act • Buffer Overflow • Crashing or gaining control of a computer by sending too much data to buffer memory
13-20
Common Hacking Tactics
• Password Crackers • Software that can guess passwords • Social Engineering • Gaining access to computer systems by talking unsuspecting company employees out of valuable information, such as passwords • Dumpster Diving • Sifting through a company’s garbage to find information to help break into their computers
13-21
Cyber Theft
• Many computer crimes involve the theft of money • The majority are “inside jobs” that involve unauthorized network entry and alternation of computer databases to cover the tracks of the employees involved • Many attacks occur through the Internet • Most companies don’t reveal that they have been targets or victims of cybercrime
13-22
Unauthorized Use at Work
• • Unauthorized use of computer systems and networks is
time and resource theft
• Doing private consulting • Doing personal finances • Playing video games • Unauthorized use of the Internet or company networks Sniffers • Used to monitor network traffic or capacity • Find evidence of improper use
13-23
Internet Abuses in the Workplace
• General email abuses • Unauthorized usage and access • Copyright infringement/plagiarism • Newsgroup postings • Transmission of confidential data • Pornography • Hacking • Non-work-related download/upload • Leisure use of the Internet • Use of external ISPs • Moonlighting
13-24
Software Piracy
• Software Piracy • Unauthorized copying of computer programs • Licensing • Purchasing software is really a payment for a license for fair use • Site license allows a certain number of copies A third of the software industry’s revenues are lost to piracy
13-25
Theft of Intellectual Property
• Intellectual Property • Copyrighted material • Includes such things as music, videos, images, articles, books, and software • Copyright Infringement is Illegal • Peer-to-peer networking techniques have made it easy to trade pirated intellectual property • Publishers Offer Inexpensive Online Music • Illegal downloading of music and video is down and continues to drop
13-26
Viruses and Worms
• • • A virus is a program that cannot work without being inserted into another program • A worm can run unaided These programs copy annoying or destructive routines into networked computers • Copy routines spread the virus Commonly transmitted through • The Internet and online services • Email and file attachments • Disks from contaminated computers • Shareware
13-27
Top Five Virus Families of all Time
• My Doom, 2004 • Spread via email and over Kazaa file-sharing network • Installs a back door on infected computers • Infected email poses as returned message or one that can’t be opened correctly, urging recipient to click on attachment • Opens up TCP ports that stay open even after termination of the worm • Upon execution, a copy of Notepad is opened, filled with nonsense characters
13-28
Top Five Virus Families of all Time
• Netsky, 2004 • Mass-mailing worm that spreads by emailing itself to all email addresses found on infected computers • Tries to spread via peer-to-peer file sharing by copying itself into the shared folder • It renames itself to pose as one of 26 other common files along the way
13-29
Top Five Virus Families of all Time
• SoBig, 2004 • Mass-mailing email worm that arrives as an attachment • Examples: Movie_0074.mpg.pif, Document003.pif
• Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking for email addresses to which it can send itself • Also attempts to download updates for itself
13-30
Top Five Virus Families of all Time
• Klez, 2002 • A mass-mailing email worm that arrives with a randomly named attachment • Exploits a known vulnerability in MS Outlook to auto-execute on unpatched clients • Tries to disable virus scanners and then copy itself to all local and networked drives with a random file name • Deletes all files on the infected machine and any mapped network drives on the 13th of all even-numbered months
13-31
Top Five Virus Families of all Time
• Sasser, 2004 • Exploits a Microsoft vulnerability to spread from computer to computer with no user intervention • Spawns multiple threads that scan local subnets for vulnerabilities
13-32
The Cost of Viruses, Trojans, Worms
• Cost of the top five virus families • Nearly 115 million computers in 200 countries were infected in 2004 • Up to 11 million computers are believed to be permanently infected • In 2004, total economic damage from virus proliferation was $166 to $202 billion • Average damage per computer is between $277 and $366
13-33
Adware and Spyware
• Adware • Software that purports to serve a useful purpose, and often does • Allows advertisers to display pop-up and banner ads without the consent of the computer users • Spyware • Adware that uses an Internet connection in the background, without the user’s permission or knowledge • Captures information about the user and sends it over the Internet
13-34
Spyware Problems
• Spyware can steal private information and also • Add advertising links to Web pages • Redirect affiliate payments • Change a users home page and search settings • Make a modem randomly call premium-rate phone numbers • Leave security holes that let Trojans in • Degrade system performance • Removal programs are often not completely successful in eliminating spyware
13-35
Privacy Issues
• The power of information technology to store and retrieve information can have a negative effect on every individual’s right to privacy • Personal information is collected with every visit to a Web site • Confidential information stored by credit bureaus, credit card companies, and the government has been stolen or misused
13-36
Opt-in Versus Opt-out
• Opt-In • You explicitly consent to allow data to be compiled about you • This is the default in Europe • Opt-Out • Data can be compiled about you unless you specifically request it not be • This is the default in the U.S.
13-37
Privacy Issues
• Violation of Privacy • Accessing individuals’ private email conversations and computer records • Collecting and sharing information about individuals gained from their visits to Internet websites • Computer Monitoring • Always knowing where a person is • Mobile and paging services are becoming more closely associated with people than with places
13-38
Privacy Issues
• Computer Matching • Using customer information gained from many sources to market additional business services • Unauthorized Access of Personal Files • Collecting telephone numbers, email addresses, credit card numbers, and other information to build customer profiles
13-39
Protecting Your Privacy on the Internet
• There are multiple ways to protect your privacy • Encrypt email • Send newsgroup postings through anonymous remailers • Ask your ISP not to sell your name and information to mailing list providers and other marketers • Don’t reveal personal data and interests on online service and website user profiles
13-40
Privacy Laws
• Electronic Communications Privacy Act and Computer Fraud and Abuse Act • Prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems • U.S. Computer Matching and Privacy Act • Regulates the matching of data held in federal agency files to verify eligibility for federal programs
13-41
Privacy Laws
• Other laws impacting privacy and how much a company spends on compliance • Sarbanes-Oxley • Health Insurance Portability and Accountability Act (HIPAA) • Gramm-Leach-Bliley • USA Patriot Act • California Security Breach Law • Securities and Exchange Commission rule 17a-4
13-42
Computer Libel and Censorship
• • • The opposite side of the privacy debate… • Freedom of information, speech, and press Biggest battlegrounds • Bulletin boards • Email boxes • Online files of Internet and public networks Weapons used in this battle • Spamming • Flame mail • Libel laws • Censorship
13-43
Computer Libel and Censorship
• Spamming • Indiscriminate sending of unsolicited email messages to many Internet users • Flaming • Sending extremely critical, derogatory, and often vulgar email messages or newsgroup posting to other users on the Internet or online services • Especially prevalent on special-interest newsgroups
13-44
Cyberlaw
• Laws intended to regulate activities over the Internet or via electronic communication devices • Encompasses a wide variety of legal and political issues • Includes intellectual property, privacy, freedom of expression, and jurisdiction
13-45
Cyberlaw
• The intersection of technology and the law is controversial • Some feel the Internet should not be regulated • Encryption and cryptography make traditional form of regulation difficult • The Internet treats censorship as damage and simply routes around it • Cyberlaw only began to emerge in 1996 • Debate continues regarding the applicability of legal principles derived from issues that had nothing to do with cyberspace
13-46
Other Challenges
• • Employment • IT creates new jobs and increases productivity • It can also cause significant reductions in job opportunities, as well as requiring new job skills Computer Monitoring • Using computers to monitor the productivity and behavior of employees as they work • Criticized as unethical because it monitors individuals, not just work, and is done constantly • Criticized as invasion of privacy because many employees do not know they are being monitored
13-47
Other Challenges
• Working Conditions • IT has eliminated monotonous or obnoxious tasks • However, some skilled craftsperson jobs have been replaced by jobs requiring routine, repetitive tasks or standby roles • Individuality • Dehumanizes and depersonalizes activities because computers eliminate human relationships • Inflexible systems
13-48
Health Issues
• Cumulative Trauma Disorders (CTDs) • Disorders suffered by people who sit at a PC or terminal and do fast-paced repetitive keystroke jobs • Carpal Tunnel Syndrome • Painful, crippling ailment of the hand and wrist • Typically requires surgery to cure
13-49
Ergonomics
• Designing healthy work environments • Safe, comfortable, and pleasant for people to work in • Increases employee morale and productivity • Also called
human factors engineering
13-50
Ergonomics Factors
13-51
Societal Solutions
• Using information technologies to solve human and social problems • Medical diagnosis • Computer-assisted instruction • Governmental program planning • Environmental quality control • Law enforcement • Job placement
13-52
Societal Solutions
• The detrimental effects of information technology • Often caused by individuals or organizations not accepting ethical responsibility for their actions
13-53
Security Management of IT
• The Internet was developed for inter-operability, not impenetrability • Business managers and professionals alike are responsible for the security, quality, and performance of business information systems • Hardware, software, networks, and data resources must be protected by a variety of security measures
13-54
Security Management
• The goal of security management is the accuracy, integrity, and safety of all information system processes and resources
13-55
Internetworked Security Defenses
• Encryption • Data is transmitted in scrambled form • It is unscrambled by computer systems for authorized users only • The most widely used method uses a pair of public and private keys unique to each individual
13-56
Public/Private Key Encryption
13-57
Internetworked Security Defenses
• Firewalls • A gatekeeper system that protects a company’s intranets and other computer networks from intrusion • Provides a filter and safe transfer point for access to/from the Internet and other networks • Important for individuals who connect to the Internet with DSL or cable modems • Can deter hacking, but cannot prevent it
13-58
Internet and Intranet Firewalls
13-59
Denial of Service Attacks
• Denial of service attacks depend on three layers of networked computer systems • The victim’s website • The victim’s Internet service provider • Zombie or slave computers that have been commandeered by the cybercriminals
13-60
Defending Against Denial of Service
• At Zombie Machines • Set and enforce security policies • Scan for vulnerabilities • At the ISP • Monitor and block traffic spikes • At the Victim’s Website • Create backup servers and network connections
13-61
Internetworked Security Defenses
• Email Monitoring • Use of content monitoring software that scans for troublesome words that might compromise corporate security • Virus Defenses • Centralize the updating and distribution of antivirus software • Use a security suite that integrates virus protection with firewalls, Web security, and content blocking features
13-62
Other Security Measures
• Security Codes • Multilevel password system • Encrypted passwords • Smart cards with microprocessors • • Backup Files • Duplicate files of data or programs Security Monitors • Monitor the use of computers and networks • Protects them from unauthorized use, fraud, and destruction
13-63
Other Security Measures
• Biometrics • Computer devices measure physical traits that make each individual unique • Voice recognition, fingerprints, retina scan • Computer Failure Controls • Prevents computer failures or minimizes its effects • Preventive maintenance • Arrange backups with a disaster recovery organization
13-64
Other Security Measures
• In the event of a system failure,
fault-tolerant systems
have redundant processors, peripherals, and software that provide •
Fail-over capability:
shifts to back up components •
Fail-save capability:
the system continues to operate at the same level •
Fail-soft capability:
the system continues to operate at a reduced but acceptable level
13-65
Other Security Measures
• A
disaster recovery plan
contains formalized procedures to follow in the event of a disaster • Which employees will participate • What their duties will be • What hardware, software, and facilities will be used • Priority of applications that will be processed • Use of alternative facilities • Offsite storage of databases
13-66
Information System Controls
• Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities
13-67
Auditing IT Security
• IT Security Audits • Performed by internal or external auditors • Review and evaluation of security measures and management policies • Goal is to ensure that that proper and adequate measures and policies are in place
13-68
Protecting Yourself from Cybercrime
13-69