Chapter 13

Security and Ethical Challenges

Learning Objectives

• Identify several ethical issues in how the use of information technologies in business affects
  • Employment
  • Individuality
  • Working conditions
  • Privacy
  • Crime
  • Health
  • Solutions to societal problems

13-2

Learning Objectives

• Identify several types of security management strategies and defenses, and explain how they can be used to ensure the security of business applications of information technology
• Propose several ways that business managers and professionals can help to lessen the harmful effects and increase the beneficial effects of the use of information technology

13-3

IT Security, Ethics, and Society

13-4

IT Security, Ethics, and Society

• Information technology has both beneficial and detrimental effects on society and people
• Manage work activities to minimize the detrimental effects of information technology
• Optimize the beneficial effects

13-5

Business Ethics

• Ethics questions that managers confront as part of their daily business decision making include
  • Equity
  • Rights
  • Honesty
  • Exercise of corporate power

13-6

Categories of Ethical Business Issues

13-7

Corporate Social Responsibility Theories

• Stockholder Theory
  • Managers are agents of the stockholders
  • Their only ethical responsibility is to increase the profits of the business without violating the law or engaging in fraudulent practices
• Social Contract Theory
  • Companies have ethical responsibilities to all members of society, who allow corporations to exist

13-8

Corporate Social Responsibility Theories

• Stakeholder Theory
  • Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders
  • Stakeholders are all individuals and groups that have a stake in, or claim on, a company

13-9

Principles of Technology Ethics

• Proportionality
  • The good achieved by the technology must outweigh the harm or risk; there must be no alternative that achieves the same or comparable benefits with less harm or risk
• Informed Consent
  • Those affected by the technology should understand and accept the risks

13-10

Principles of Technology Ethics

• Justice
  • The benefits and burdens of the technology should be distributed fairly
  • Those who benefit should bear their fair share of the risks, and those who do not benefit should not suffer a significant increase in risk
• Minimized Risk
  • Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk

13-11

AITP Standards of Professional Conduct

13-12

Responsible Professional Guidelines

• A responsible professional
  • Acts with integrity
  • Increases personal competence
  • Sets high standards of personal performance
  • Accepts responsibility for his/her work
  • Advances the health, privacy, and general welfare of the public

13-13

Computer Crime

• Computer crime includes
  • Unauthorized use, access, modification, or destruction of hardware, software, data, or network resources
  • The unauthorized release of information
  • The unauthorized copying of software
  • Denying an end user access to his/her own hardware, software, data, or network resources
  • Using or conspiring to use computer or network resources illegally to obtain information or tangible property

13-14

Cybercrime Protection Measures

13-15

Hacking

• Hacking is
  • The obsessive use of computers
  • The unauthorized access and use of networked computer systems
• Electronic Breaking and Entering
  • Hacking into a computer system and reading files, but neither stealing nor damaging anything
• Cracker
  • A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage

13-16

Common Hacking Tactics

• Denial of Service
  • Hammering a website’s equipment with too many requests for information
  • Clogging the system, slowing performance, or crashing the site
• Scans
  • Widespread probes of the Internet to determine types of computers, services, and connections
  • Looking for weaknesses

13-17

Common Hacking Tactics

• Sniffer
  • Programs that search individual packets of data as they pass through the Internet
  • Capturing passwords or entire contents
• Spoofing
  • Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers

13-18

Common Hacking Tactics

• Trojan Horse
  • A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software
• Back Doors
  • A hidden point of entry to be used in case the original entry point is detected or blocked
• Malicious Applets
  • Tiny Java programs that misuse your computer’s resources, modify files on the hard disk, send fake email, or steal passwords

13-19

Common Hacking Tactics

• War Dialing
  • Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection
• Logic Bombs
  • An instruction in a computer program that triggers a malicious act
• Buffer Overflow
  • Crashing or gaining control of a computer by sending too much data to buffer memory

13-20

Common Hacking Tactics

• Password Crackers
  • Software that can guess passwords
• Social Engineering
  • Gaining access to computer systems by talking unsuspecting company employees out of valuable information, such as passwords
• Dumpster Diving
  • Sifting through a company’s garbage to find information to help break into their computers

13-21

Cyber Theft

• Many computer crimes involve the theft of money
• The majority are “inside jobs” that involve unauthorized network entry and alteration of computer databases to cover the tracks of the employees involved
• Many attacks occur through the Internet
• Most companies don’t reveal that they have been targets or victims of cybercrime

13-22

Unauthorized Use at Work

• Unauthorized use of computer systems and networks is time and resource theft
  • Doing private consulting
  • Doing personal finances
  • Playing video games
  • Unauthorized use of the Internet or company networks
• Sniffers
  • Used to monitor network traffic or capacity
  • Find evidence of improper use

13-23

Internet Abuses in the Workplace

• General email abuses
• Unauthorized usage and access
• Copyright infringement/plagiarism
• Newsgroup postings
• Transmission of confidential data
• Pornography
• Hacking
• Non-work-related download/upload
• Leisure use of the Internet
• Use of external ISPs
• Moonlighting

13-24

Software Piracy

• Software Piracy
  • Unauthorized copying of computer programs
• Licensing
  • Purchasing software is really a payment for a license for fair use
  • Site license allows a certain number of copies
• A third of the software industry’s revenues are lost to piracy

13-25

Theft of Intellectual Property

• Intellectual Property
  • Copyrighted material
  • Includes such things as music, videos, images, articles, books, and software
• Copyright Infringement is Illegal
  • Peer-to-peer networking techniques have made it easy to trade pirated intellectual property
• Publishers Offer Inexpensive Online Music
  • Illegal downloading of music and video is down and continues to drop

13-26

Viruses and Worms

• A virus is a program that cannot work without being inserted into another program
• A worm can run unaided
• These programs copy annoying or destructive routines into networked computers
  • Copy routines spread the virus
• Commonly transmitted through
  • The Internet and online services
  • Email and file attachments
  • Disks from contaminated computers
  • Shareware

13-27

Top Five Virus Families of all Time

• MyDoom, 2004
  • Spread via email and over the Kazaa file-sharing network
  • Installs a back door on infected computers
  • Infected email poses as a returned message or one that can’t be opened correctly, urging the recipient to click on the attachment
  • Opens up TCP ports that stay open even after termination of the worm
  • Upon execution, a copy of Notepad is opened, filled with nonsense characters

13-28

Top Five Virus Families of all Time

• Netsky, 2004
  • Mass-mailing worm that spreads by emailing itself to all email addresses found on infected computers
  • Tries to spread via peer-to-peer file sharing by copying itself into the shared folder
  • It renames itself to pose as one of 26 other common files along the way

13-29

Top Five Virus Families of all Time

• SoBig, 2004
  • Mass-mailing email worm that arrives as an attachment
  • Examples: Movie_0074.mpg.pif, Document003.pif
  • Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking for email addresses to which it can send itself
  • Also attempts to download updates for itself

13-30

Top Five Virus Families of all Time

• Klez, 2002
  • A mass-mailing email worm that arrives with a randomly named attachment
  • Exploits a known vulnerability in MS Outlook to auto-execute on unpatched clients
  • Tries to disable virus scanners and then copy itself to all local and networked drives with a random file name
  • Deletes all files on the infected machine and any mapped network drives on the 13th of all even-numbered months

13-31

Top Five Virus Families of all Time

• Sasser, 2004
  • Exploits a Microsoft vulnerability to spread from computer to computer with no user intervention
  • Spawns multiple threads that scan local subnets for vulnerabilities

13-32

The Cost of Viruses, Trojans, Worms

• Cost of the top five virus families
  • Nearly 115 million computers in 200 countries were infected in 2004
  • Up to 11 million computers are believed to be permanently infected
  • In 2004, total economic damage from virus proliferation was $166 to $202 billion
  • Average damage per computer is between $277 and $366

13-33

Adware and Spyware

• Adware
  • Software that purports to serve a useful purpose, and often does
  • Allows advertisers to display pop-up and banner ads without the consent of the computer users
• Spyware
  • Adware that uses an Internet connection in the background, without the user’s permission or knowledge
  • Captures information about the user and sends it over the Internet

13-34

Spyware Problems

• Spyware can steal private information and also
  • Add advertising links to Web pages
  • Redirect affiliate payments
  • Change a user’s home page and search settings
  • Make a modem randomly call premium-rate phone numbers
  • Leave security holes that let Trojans in
  • Degrade system performance
• Removal programs are often not completely successful in eliminating spyware

13-35

Privacy Issues

• The power of information technology to store and retrieve information can have a negative effect on every individual’s right to privacy
• Personal information is collected with every visit to a Web site
• Confidential information stored by credit bureaus, credit card companies, and the government has been stolen or misused

13-36

Opt-in Versus Opt-out

• Opt-In
  • You explicitly consent to allow data to be compiled about you
  • This is the default in Europe
• Opt-Out
  • Data can be compiled about you unless you specifically request it not be
  • This is the default in the U.S.

13-37

Privacy Issues

• Violation of Privacy
  • Accessing individuals’ private email conversations and computer records
  • Collecting and sharing information about individuals gained from their visits to Internet websites
• Computer Monitoring
  • Always knowing where a person is
  • Mobile and paging services are becoming more closely associated with people than with places

13-38

Privacy Issues

• Computer Matching
  • Using customer information gained from many sources to market additional business services
• Unauthorized Access of Personal Files
  • Collecting telephone numbers, email addresses, credit card numbers, and other information to build customer profiles

13-39

Protecting Your Privacy on the Internet

• There are multiple ways to protect your privacy
  • Encrypt email
  • Send newsgroup postings through anonymous remailers
  • Ask your ISP not to sell your name and information to mailing list providers and other marketers
  • Don’t reveal personal data and interests on online service and website user profiles

13-40

Privacy Laws

• Electronic Communications Privacy Act and Computer Fraud and Abuse Act
  • Prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems
• U.S. Computer Matching and Privacy Act
  • Regulates the matching of data held in federal agency files to verify eligibility for federal programs

13-41

Privacy Laws

• Other laws impacting privacy and how much a company spends on compliance
  • Sarbanes-Oxley
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley
  • USA Patriot Act
  • California Security Breach Law
  • Securities and Exchange Commission rule 17a-4

13-42

Computer Libel and Censorship

• The opposite side of the privacy debate…
  • Freedom of information, speech, and press
• Biggest battlegrounds
  • Bulletin boards
  • Email boxes
  • Online files of Internet and public networks
• Weapons used in this battle
  • Spamming
  • Flame mail
  • Libel laws
  • Censorship

13-43

Computer Libel and Censorship

• Spamming
  • Indiscriminate sending of unsolicited email messages to many Internet users
• Flaming
  • Sending extremely critical, derogatory, and often vulgar email messages or newsgroup postings to other users on the Internet or online services
  • Especially prevalent on special-interest newsgroups

13-44

Cyberlaw

• Laws intended to regulate activities over the Internet or via electronic communication devices
• Encompasses a wide variety of legal and political issues
• Includes intellectual property, privacy, freedom of expression, and jurisdiction

13-45

Cyberlaw

• The intersection of technology and the law is controversial
  • Some feel the Internet should not be regulated
  • Encryption and cryptography make traditional forms of regulation difficult
  • The Internet treats censorship as damage and simply routes around it
• Cyberlaw only began to emerge in 1996
• Debate continues regarding the applicability of legal principles derived from issues that had nothing to do with cyberspace

13-46

Other Challenges

• Employment
  • IT creates new jobs and increases productivity
  • It can also cause significant reductions in job opportunities, as well as requiring new job skills
• Computer Monitoring
  • Using computers to monitor the productivity and behavior of employees as they work
  • Criticized as unethical because it monitors individuals, not just work, and is done constantly
  • Criticized as invasion of privacy because many employees do not know they are being monitored

13-47

Other Challenges

• Working Conditions
  • IT has eliminated monotonous or obnoxious tasks
  • However, some skilled craftsperson jobs have been replaced by jobs requiring routine, repetitive tasks or standby roles
• Individuality
  • Dehumanizes and depersonalizes activities because computers eliminate human relationships
  • Inflexible systems

13-48

Health Issues

• Cumulative Trauma Disorders (CTDs)
  • Disorders suffered by people who sit at a PC or terminal and do fast-paced repetitive keystroke jobs
• Carpal Tunnel Syndrome
  • Painful, crippling ailment of the hand and wrist
  • Typically requires surgery to cure

13-49

Ergonomics

• Designing healthy work environments
  • Safe, comfortable, and pleasant for people to work in
  • Increases employee morale and productivity
• Also called human factors engineering

13-50

Ergonomics Factors

13-51

Societal Solutions

• Using information technologies to solve human and social problems
  • Medical diagnosis
  • Computer-assisted instruction
  • Governmental program planning
  • Environmental quality control
  • Law enforcement
  • Job placement

13-52

Societal Solutions

• The detrimental effects of information technology
  • Often caused by individuals or organizations not accepting ethical responsibility for their actions

13-53

Security Management of IT

• The Internet was developed for inter-operability, not impenetrability
• Business managers and professionals alike are responsible for the security, quality, and performance of business information systems
• Hardware, software, networks, and data resources must be protected by a variety of security measures

13-54

Security Management

• The goal of security management is the accuracy, integrity, and safety of all information system processes and resources

13-55

Internetworked Security Defenses

• Encryption
  • Data is transmitted in scrambled form
  • It is unscrambled by computer systems for authorized users only
  • The most widely used method uses a pair of public and private keys unique to each individual
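The public/private key idea on this slide, as an added worked example that is not part of the original deck: a textbook-sized RSA key pair, where the primes are deliberately tiny so the arithmetic is visible. The key values, the message and the byte-at-a-time block scheme are this example's own choices; real systems use primes of hundreds of digits, a padding scheme, and a symmetric cipher for the bulk data.

```python
# Added illustration, not from the slides: a textbook-sized RSA key pair to
# show how a public key scrambles data that only the matching private key
# can unscramble. The primes are tiny so the arithmetic is visible.
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return ((e, n), (d, n)): the public key and the matching private key."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse, so e*d == 1 (mod phi); needs Python 3.8+
    return (e, n), (d, n)


def encrypt(public_key, message: int) -> int:
    """Scramble one integer block with the public key."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("block must be an integer smaller than the modulus n")
    return pow(message, e, n)


def decrypt(private_key, ciphertext: int) -> int:
    """Unscramble one block; only the holder of the private exponent d can."""
    d, n = private_key
    return pow(ciphertext, d, n)


def encrypt_bytes(public_key, data: bytes) -> list:
    # One block per byte keeps the demo readable. Without randomized padding,
    # equal bytes give equal blocks, which is one reason raw RSA is never
    # used on real data.
    return [encrypt(public_key, b) for b in data]


def decrypt_bytes(private_key, blocks) -> bytes:
    return bytes(decrypt(private_key, c) for c in blocks)


if __name__ == "__main__":
    public, private = make_keypair(61, 53)  # n = 3233, d = 2753
    print("public key:", public, "private key:", private)
    blocks = encrypt_bytes(public, b"pay $100")
    print("ciphertext blocks:", blocks)
    print("recovered:", decrypt_bytes(private, blocks))
```

The public half is what a correspondent needs to scramble data for you; the private half never leaves your machine, which is what lets the receiving system unscramble only for the authorized user.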

13-56

Public/Private Key Encryption

13-57

Internetworked Security Defenses

• Firewalls
  • A gatekeeper system that protects a company’s intranets and other computer networks from intrusion
  • Provides a filter and safe transfer point for access to/from the Internet and other networks
  • Important for individuals who connect to the Internet with DSL or cable modems
  • Can deter hacking, but cannot prevent it
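The gatekeeper logic behind the firewall slide, as an added example that is not from the deck: first-match packet filtering with a default deny. The addresses, ports and the rule table are constructed for the illustration, as are the `Packet` and `Rule` names.

```python
# Added illustration, not from the slides: packet filtering as a first-match
# rule table with a default deny. Addresses, ports and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    proto: str     # "tcp" or "udp"
    dst_port: int  # destination port on the protected host


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"
    dst_port: Optional[int] = None  # None matches every port
    src_net: str = "0.0.0.0/0"      # who may send; default is anyone

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and ip_address(pkt.src) in ip_network(self.src_net))


# Order matters: the first matching rule decides, and the final catch-all
# deny is what turns the list into a safe transfer point.
RULES = [
    Rule("allow", proto="tcp", dst_port=443),                       # public web site
    Rule("allow", proto="tcp", dst_port=22, src_net="10.0.0.0/8"),  # admin SSH, intranet only
    Rule("deny"),                                                   # everything else
]


def filter_packet(pkt: Packet, rules=RULES):
    """Return (action, index of the rule that fired); -1 means no rule matched."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", -1  # implicit default deny even with an empty table


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.9", "tcp", 443),
                Packet("203.0.113.9", "tcp", 22),
                Packet("10.1.2.3", "tcp", 22)):
        print(pkt, "->", filter_packet(pkt))
```

Returning the rule index gives an auditor a way to see which rule let a packet through. Note what the filter does not do: traffic to the allowed web port still reaches the server, so an attack carried inside permitted traffic passes the gatekeeper, which is the sense in which a firewall deters but cannot prevent hacking.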

13-58

Internet and Intranet Firewalls

13-59

Denial of Service Attacks

• Denial of service attacks depend on three layers of networked computer systems
  • The victim’s website
  • The victim’s Internet service provider
  • Zombie or slave computers that have been commandeered by the cybercriminals

13-60

Defending Against Denial of Service

• At Zombie Machines
  • Set and enforce security policies
  • Scan for vulnerabilities
• At the ISP
  • Monitor and block traffic spikes
• At the Victim’s Website
  • Create backup servers and network connections
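The "monitor traffic spikes" step at the ISP, as an added example that is not part of the deck: a sliding-window request counter run over constructed log lines. The log format ("epoch_seconds source_ip path", in time order) is an assumption for this example, not any real server's format, and the IP addresses are documentation ranges. It goes one step beyond the slide by checking both a single noisy source and the aggregate rate, since zombies in a distributed attack may each stay under a per-source limit.

```python
# Added illustration, not from the slides: a request-rate monitor of the kind
# an ISP or site operator runs to notice the traffic spike of a denial of
# service attack. Log lines are constructed; format is "ts source_ip path".
from collections import defaultdict, deque

# A legitimate visitor, then one source hammering the login page.
BASE_LOG = """\
1000 198.51.100.7 /index.html
1001 203.0.113.5 /login
1001 203.0.113.5 /login
1002 203.0.113.5 /login
1002 203.0.113.5 /login
1003 203.0.113.5 /login
1003 203.0.113.5 /login
1004 198.51.100.7 /about
1020 198.51.100.7 /index.html
"""

# Ten commandeered "zombie" machines, each sending only two requests, so no
# single source looks unusual but the site sees twenty hits in two seconds.
ZOMBIES = [f"192.0.2.{i}" for i in range(10, 20)]
DISTRIBUTED_LOG = [f"{ts} {ip} /index.html" for ts in (1030, 1031) for ip in ZOMBIES]
SAMPLE_LOG = BASE_LOG.splitlines() + DISTRIBUTED_LOG


def parse(line: str):
    ts, ip, path = line.split()
    return int(ts), ip, path


def find_spikes(lines, window_seconds=10, max_per_source=5, max_total=15):
    """Sliding-window counts over time-ordered log lines.

    Returns {"per_source": {ip: time first flagged}, "total_spike_at": time or None}.
    The per-source check catches one noisy machine; the aggregate check is
    what catches a distributed attack whose zombies each stay under the limit.
    """
    per_source = defaultdict(deque)
    overall = deque()
    flagged = {}
    total_spike_at = None
    for ts, ip, _path in (parse(line) for line in lines if line.strip()):
        for window in (per_source[ip], overall):
            window.append(ts)
            while window[0] <= ts - window_seconds:  # drop events outside the window
                window.popleft()
        if len(per_source[ip]) > max_per_source and ip not in flagged:
            flagged[ip] = ts
        if len(overall) > max_total and total_spike_at is None:
            total_spike_at = ts
    return {"per_source": dict(flagged), "total_spike_at": total_spike_at}


if __name__ == "__main__":
    print(find_spikes(SAMPLE_LOG))
```

Once a source or the aggregate crosses its threshold the operator has the timestamp and addresses needed to rate-limit or block upstream, which is what the "block traffic spikes" bullet refers to; the thresholds here are illustrative and would be set from a site's normal baseline.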

13-61

Internetworked Security Defenses

• Email Monitoring
  • Use of content monitoring software that scans for troublesome words that might compromise corporate security
• Virus Defenses
  • Centralize the updating and distribution of antivirus software
  • Use a security suite that integrates virus protection with firewalls, Web security, and content blocking features

13-62

Other Security Measures

• Security Codes
  • Multilevel password system
  • Encrypted passwords
  • Smart cards with microprocessors
• Backup Files
  • Duplicate files of data or programs
• Security Monitors
  • Monitor the use of computers and networks
  • Protect them from unauthorized use, fraud, and destruction
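What "encrypted passwords" should mean in practice, as an added example that is not from the deck: the weak form (one unsalted hash per password) beside the hardened form (per-user random salt, a slow key-derivation function, constant-time comparison). The record layout and function names are this example's own; the iteration count is a parameter so it can be tuned to the hardware.

```python
# Added illustration, not from the slides: storing passwords for a password
# system. weak_hash shows the common mistake; hash_password/verify_password
# show the hardened form. Record layout and names are this example's own.
import hashlib
import hmac
import os


def weak_hash(password: str) -> str:
    # Unsalted: two users with the same password get the same hash, and one
    # precomputed table breaks every account at once.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest takes the same time whether the first or last byte differs,
    # so a timing measurement does not leak how much of the hash matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("winter2004")
    print("stored record:", record)
    print("correct password accepted:", verify_password("winter2004", record))
    print("wrong password rejected:", not verify_password("Winter2004", record))
```

Because the salt and iteration count travel with the record, the iteration count can be raised later for new records without invalidating old ones, and a stolen table cannot be attacked with one precomputed dictionary for all users.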

13-63

Other Security Measures

• Biometrics
  • Computer devices measure physical traits that make each individual unique
  • Voice recognition, fingerprints, retina scan
• Computer Failure Controls
  • Prevent computer failures or minimize their effects
  • Preventive maintenance
  • Arrange backups with a disaster recovery organization

13-64

Other Security Measures

• In the event of a system failure, fault-tolerant systems have redundant processors, peripherals, and software that provide
  • Fail-over capability: shifts to backup components
  • Fail-safe capability: the system continues to operate at the same level
  • Fail-soft capability: the system continues to operate at a reduced but acceptable level
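The three capabilities on the fault-tolerance slide, as an added example that is not from the deck: a small lookup service with a redundant replica. Failing over to a standby that answers fully keeps the service at the same level (fail-safe); when every replica is down it answers from a local cache at a reduced level (fail-soft). Replica failures are simulated, and the class names, data and keys are this example's own.

```python
# Added illustration, not from the slides: a tiny fault-tolerant lookup
# service showing fail-over (shift to the backup), fail-safe (the backup
# answers at the same level) and fail-soft (a stale cached answer when every
# replica is down). Replicas and failures are simulated; names are assumed.


class BackendDown(Exception):
    """Raised by a replica that is out of service."""


class Replica:
    def __init__(self, name, data, healthy=True):
        self.name = name
        self.data = dict(data)
        self.healthy = healthy

    def lookup(self, key):
        if not self.healthy:
            raise BackendDown(self.name)
        return self.data[key]


class FaultTolerantLookup:
    def __init__(self, replicas):
        self.replicas = list(replicas)  # primary first, then standbys
        self.cache = {}                 # last good answers, for fail-soft
        self.events = []                # audit trail of what failed over when

    def query(self, key):
        """Return (value, mode) with mode "normal", "fail-safe" or "fail-soft"."""
        for index, replica in enumerate(self.replicas):
            try:
                value = replica.lookup(key)
            except BackendDown as err:
                self.events.append(f"{err} down, failing over")  # fail-over
                continue
            self.cache[key] = value
            # A standby that answers fully keeps the service at the same level.
            return value, ("normal" if index == 0 else "fail-safe")
        if key in self.cache:
            # Reduced level: the cached answer may be stale, but the service stays up.
            self.events.append("all replicas down, serving from cache")
            return self.cache[key], "fail-soft"
        raise BackendDown("all replicas")


if __name__ == "__main__":
    primary = Replica("primary", {"balance:42": 100})
    standby = Replica("standby", {"balance:42": 100})
    service = FaultTolerantLookup([primary, standby])
    print(service.query("balance:42"))
    primary.healthy = False
    print(service.query("balance:42"))
    standby.healthy = False
    print(service.query("balance:42"))
    print(service.events)
```

The `events` list is the part an operator cares about: a fail-over that nobody notices is a redundancy budget silently spent, so the shift to backup components should raise an alert even though users see no change.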

13-65

Other Security Measures

• A disaster recovery plan contains formalized procedures to follow in the event of a disaster
  • Which employees will participate
  • What their duties will be
  • What hardware, software, and facilities will be used
  • Priority of applications that will be processed
  • Use of alternative facilities
  • Offsite storage of databases

13-66

Information System Controls

• Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities

13-67

Auditing IT Security

• IT Security Audits
  • Performed by internal or external auditors
  • Review and evaluation of security measures and management policies
  • Goal is to ensure that proper and adequate measures and policies are in place

13-68

Protecting Yourself from Cybercrime

13-69