Security and Ethical Challenges
Chapter13
McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved.
13-2
Learning Objectives
• Identify several ethical issues regarding how the use of information technologies in business affects employment, individuality, working conditions, privacy, crime, health, and solutions to societal problems.
• Identify several types of security management strategies and defenses and explain how they can be used to ensure the security of business applications of information technology.
13-3
Learning Objectives
• Propose several ways that business managers and professionals can help lessen the harmful effects and increase the beneficial effects of the use of information technology.
13-4
RWC 1: Ethics, IT and Compliance
• IT Challenges
– Technical functionality
– Business requirements
– Ethical standards
– Correct behaviors
• 2 views of Corporate Ethics
– Set of legal and minimum standards
– Set of values integral to doing business
• Most companies have ethics and compliance programs
• Few can truly execute an ethical agenda
13-7
Corporate Social Responsibility Theories
• Stockholder Theory
– Managers are agents of the stockholders
– Only responsible for increasing profits without violating the law or committing fraud
• Social Contract Theory
– Responsible to all of society
• Stakeholder Theory
– Responsible to anyone affected by company
13-8
Principles of Technology Ethics
• Proportionality
– Good must outweigh the harm or risk
• Informed Consent
– Those affected should understand and accept risks
• Justice
– Benefits and burdens distributed fairly
• Minimized Risk
– Avoid all unnecessary risk
13-11
Hacking
• Obsessive use of computers
• Unauthorized access and use of networked computer systems
• Electronic Breaking and Entering
– Accessing without stealing or damaging
• Cracker (black hat or darkside hacker)
– Maintains knowledge of vulnerabilities for private advantage
• Common Hacking Tactics
– Figure 13.7
13-12
Cyber Theft
• Most involve theft of money
• “Inside jobs”
• Unauthorized activity
• Attacks through the Internet
• Most companies don’t report
13-13
Cyberterrorism
• Use IT to attack electronic infrastructure, exchange information or make threats
• Terror related – More political motivation than criminal
• Examples
– Attempt to disrupt life support at Antarctic research station
– Release of untreated sewage in Australia
– Shut down of government network and banks in Estonia
– Non-deliberate shut down of systems at nuclear reactor
13-14
Unauthorized Use at Work
• Time and resource theft
– Doing private consulting
– Doing personal finances
– Playing video games
– Unauthorized use of the Internet or networks
– Recreational surfing
– Racist or offensive e-mail
– Pornographic sites
• Sniffers
– Monitor network traffic or capacity
– Find evidence of improper use
13-15
Internet Abuses in the Workplace
• General email abuses
• Unauthorized usage and access
• Copyright infringement/plagiarism
• Newsgroup postings
• Transmission of confidential data
• Pornography
• Hacking
• Non-work-related download/upload
• Leisure use of the Internet
• Use of external ISPs
• Moonlighting
13-16
Software Piracy
• Unauthorized copying of computer programs
• Licensing
– Purchase – payment for fair use
– Site license – allows a certain number of copies
– Shareware – allows copies
– Public Domain – not copyrighted
• Software industry losses – ⅓ to ½ of revenues
– Millions of copies in educational market
– 90% pirated software in China
• Sales negligible
13-17
Theft of Intellectual Property
• Intellectual Property
– Copyrighted material
– Music, videos, images, articles, books, software
• Copyright Infringement is Illegal
– Easy to trade pirated intellectual property
• Publishers Offer Inexpensive Online Music
– Illegal downloading is declining
13-18
Viruses and Worms
• Viruses must be inserted into another program
• Worms can run unaided
• Spread annoying or destructive routines
• Commonly transmitted through
– Internet and online services
– Email and file attachments
– Disks from contaminated computers
– Shareware
• Top 5 Virus Families of all time
– Figure 13.9
• Cost of Top 5 Virus Families
– Figure 13.9
13-19
Adware and Spyware
• Adware
– Useful software allows ads without consent
• Spyware
– Type of Adware
– Can steal private information
– Add advertising links to Web pages
– Redirect affiliate payments
– Change a users home page and search settings
– Make modem call premium-rate numbers
– Leave security holes that let Trojans in
– Degrade system performance
• Removal often not completely successful
13-20
Privacy Issues
• IT capability can have a negative effect on privacy
– Personal information is collected
– Confidential information stolen or misused
• Opt-In
– Explicitly consent to allow data to be compiled
– Default in Europe
• Opt-Out
– Must request that data not be collected
– Default in the U.S.
13-21
Privacy Issues
• Violation of Privacy
– Accessing conversations and records
– Collecting and sharing visits to websites
• Computer Monitoring
– Mobile and paging services can track people
• Computer Matching
– Market additional business services
• Unauthorized Access of Personal Files
– Build profiles of contact and credit information
13-22
Protecting Your Privacy on the Internet
• Encrypt email
• Send anonymous postings
• Ask your ISP not to sell your information
• Don’t reveal personal data and interests
13-23
Privacy Laws
• Electronic Communications Privacy Act and Computer Fraud and Abuse Act
– Prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems
• U.S. Computer Matching and Privacy Act
– Regulates the matching of data held in federal agency files to verify eligibility for federal programs
13-24
Privacy Laws
• Sarbanes-Oxley
– Positive – strengthens accounting controls
– Negative – overly complex and regulatory
• Health Insurance Portability and Accountability Act (HIPAA)
– Safeguards for health-related information
• Gramm-Leach-Bliley
• USA Patriot Act
• California Security Breach Law
• Securities and Exchange Commission Rule 17a-4
13-25
Computer Libel and Censorship
• The opposite side of the privacy debate…
– Freedom of information, speech, and press
• Biggest battlegrounds
– Bulletin boards
– Email boxes
– Online files of Internet and public networks
• Weapons used in this battle
– Spamming
– Flame mail
– Libel laws
– Censorship
13-26
Cyberlaw
• Regulates activities in electronic communications
– Wide variety of legal and political issues
– Intellectual property, privacy, freedom of expression, and jurisdiction
• Body of law emerged 1996
• Controversy
– Some feel the Internet should not be regulated
• Encryption and cryptography make regulation difficult
– Websites work around censorship
– Applicability of legal principles
• Better laws to come
13-27
Other Challenges
• Employment
– Job opportunities changing
• Computer Monitoring
– Effective but controversial
• Working Conditions
– Eliminated monotonous or obnoxious tasks
– Eliminated some skilled jobs
• Individuality
– Dehumanizes and depersonalizes
13-28
Health Issues
• Cumulative Trauma Disorders (CTDs)
– Disorders caused by fast-paced repetitive keystroke jobs
• Carpal Tunnel Syndrome
– Painful, crippling ailment of the hand and wrist
– Typically requires surgery to cure
• Ergonomics
– Designing healthy work environments
13-30
Societal Solutions
• Use IT to solve human and social problems
– Medical diagnosis
– Computer-assisted instruction (CAI)
– Computer based training (CBT)
– Governmental program planning
– Environmental quality control
– Law enforcement
– Job placement
• Detrimental effects
– Actions without ethical responsibility
13-31
Security Management of IT
• Security is number 1 problem with the Internet
– Internet was developed for inter-operability, not impenetrability
– Users responsible for security, quality, and performance
– Resources must be protected
• Goal of security management
– Accuracy, integrity, and safety of all information system processes and resources
13-32
RWC 2: End-Point Security
• Security a complex, moving target
• Delicate balance between access and security
• Two approaches
– Secure devices
– Secure data wherever it lives
• Encryption
• HIPAA regulations
• Classify data, set policies
• Smartphones ongoing challenges
– Balance personal and business use
• BlackBerries have management infrastructure
• Phones not secured yet
13-35
Denial of Service Attacks
• Depend on three layers of networked computer systems
– The victim’s website
– The victim’s Internet service provider
– Zombie or slave computers commandeered by cybercriminals
• Defense
– At Zombie Machines
• Set and enforce security policies
• Scan for vulnerabilities
– At the ISP
• Monitor and block traffic spikes
– At the Victim’s Website
• Create backup servers and network connections
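The ISP-layer defense above, "monitor and block traffic spikes", is shown here as a small sliding-window detector. This is an added example and not code from the McGraw-Hill slides: it counts requests per fixed window, flags a window whose count exceeds a multiple of the preceding baseline, and then breaks the spike down by source address so the hosts driving it (the zombie machines of the first layer) can be rate-limited or blocked while low-volume legitimate clients are left alone. All flow records, addresses (RFC 5737 documentation ranges), thresholds and function names are constructed for illustration.

```python
"""Sliding-window traffic-spike detection for DoS defense at the ISP or victim.

Added example, not from the original slides.  Flow records, addresses and
thresholds are constructed sample data.
"""
from collections import Counter, defaultdict


def build_sample_flows():
    """Constructed flow log as (second, source_ip) tuples.

    Seconds 0-29: normal load, 5 requests per 10-second window from five
    legitimate clients.  Seconds 30-39: 200 requests from 20 zombie hosts,
    plus two legitimate requests so the block list can be checked against
    false positives.
    """
    flows = []
    legit = [f"198.51.100.{i}" for i in range(1, 6)]      # TEST-NET-2 (constructed)
    for window_start in (0, 10, 20):
        for i, ip in enumerate(legit):
            flows.append((window_start + 2 * i, ip))
    zombies = [f"203.0.113.{i}" for i in range(1, 21)]     # TEST-NET-3 (constructed)
    for i in range(200):
        flows.append((30 + i % 10, zombies[i % 20]))
    flows.append((31, legit[0]))
    flows.append((35, legit[1]))
    return flows


def requests_per_window(flows, window=10):
    """Count requests in each fixed window; returns {window_start: count}."""
    counts = defaultdict(int)
    for second, _ in flows:
        counts[(second // window) * window] += 1
    return dict(sorted(counts.items()))


def detect_spikes(flows, window=10, baseline_windows=3, factor=5.0, min_requests=20):
    """Flag windows whose count exceeds `factor` times the mean of the
    preceding `baseline_windows` windows.  `min_requests` stops a handful of
    requests from tripping the detector when the baseline is near zero.
    Returns a list of (window_start, count) tuples.
    """
    counts = requests_per_window(flows, window)
    starts = list(counts)
    spikes = []
    for idx in range(baseline_windows, len(starts)):
        baseline = [counts[s] for s in starts[idx - baseline_windows:idx]]
        mean = sum(baseline) / len(baseline)
        current = counts[starts[idx]]
        if current >= min_requests and current > factor * mean:
            spikes.append((starts[idx], current))
    return spikes


def top_sources(flows, window_start, window=10, limit=5):
    """Sources with the most requests in one window: the candidate zombie
    addresses an ISP or the victim would rate-limit or block."""
    in_window = Counter(ip for sec, ip in flows
                        if window_start <= sec < window_start + window)
    return in_window.most_common(limit)


def block_list(flows, window=10, share=0.02):
    """Derive a block list: any source responsible for more than `share` of
    the requests in a flagged spike window.  Legitimate clients sending a
    request or two during the flood stay well below that share."""
    blocked = set()
    for start, count in detect_spikes(flows, window):
        for ip, n in top_sources(flows, start, window, limit=None):
            if n / count > share:
                blocked.add(ip)
    return sorted(blocked)


if __name__ == "__main__":
    sample = build_sample_flows()
    for start, count in detect_spikes(sample):
        print(f"spike in window starting at t={start}s: {count} requests")
        for ip, n in top_sources(sample, start):
            print(f"  {ip}: {n} requests")
    print("block list:", block_list(sample))
```

The baseline-ratio test is deliberately simple; a production monitor would also compare against the same window on previous days and look at bytes and connection states, not only request counts, but the layering is the same: detect at the ISP, attribute to sources, block as close to the zombies as possible.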
13-36
Internetworked Security Defenses
• Email Monitoring
• Virus Defenses
• Security Codes
• Backup Files
• Security Monitors
• Biometrics
• Computer Failure Controls
• Disaster recovery plan
13-37
Information System Controls
• Methods and devices to ensure accuracy, validity, and propriety
• IT Security Audits
– Performed by internal or external auditors
– Review and evaluation of security measures and management policies
– Goal: Ensure proper and adequate measures and policies are in place
13-39
RWC 3: Challenges of Working in IT
• IT presents ethical challenges and dilemmas.
• To hold workers accountable
– Must set ethical policies and guidelines
– Make sure that employees know and understand them
13-40
RWC 4: Worry About What Goes Out
• Leakage of sensitive customer data or proprietary information is a new priority
• Focus on keeping sensitive information
• Deploy outbound content management tools
– E-mail messages
– Alternative communication mechanisms, including:
• Instant messaging
• Blogs
• FTP transfers
• Web mail
• Message boards
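An outbound content management tool of the kind the slide describes inspects every message leaving the organization, whatever the channel, and blocks those carrying sensitive customer data or proprietary information. The following is an added example, not code from the slides or from any named product: it scans constructed outbound messages for a hypothetical proprietary classification marker and for payment card numbers, using a Luhn checksum so that order numbers and other digit runs are not mistaken for card data. The marker string, message samples and function names are all constructed for illustration.

```python
"""Outbound content scanning for sensitive data leakage.

Added example, not from the original slides.  Policy, marker string and
sample messages are constructed.
"""
import re

# Hypothetical classification label that proprietary documents carry.
PROPRIETARY_MARKER = "ACME-CONFIDENTIAL"
# Candidate payment card number: 13-19 digits, optional space or dash separators.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out digit runs
    (order references, phone numbers) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return the Luhn-valid card numbers found in text, separators removed."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_message(channel: str, sender: str, body: str) -> dict:
    """Apply the outbound policy to one message from any channel."""
    findings = []
    if PROPRIETARY_MARKER in body:
        findings.append("proprietary-marker")
    cards = find_card_numbers(body)
    if cards:
        findings.append(f"card-numbers:{len(cards)}")
    return {
        "channel": channel,
        "sender": sender,
        "findings": findings,
        "action": "block" if findings else "allow",
    }


# Constructed outbound traffic across the channels the slide lists.
SAMPLE_OUTBOUND = [
    ("email", "alice@example.com", "Meeting moved to 3pm, room 204."),
    ("im", "bob@example.com", "Customer card on file: 4111 1111 1111 1111, ship today"),
    ("webmail", "carol@example.com", "ACME-CONFIDENTIAL roadmap attached, please review"),
    ("ftp", "dave@example.com", "Order reference 1234 5678 9012 3456"),
]


def scan_all(messages=SAMPLE_OUTBOUND):
    """Scan a batch of (channel, sender, body) tuples; returns one verdict each."""
    return [scan_message(*m) for m in messages]


if __name__ == "__main__":
    for verdict in scan_all():
        print(f"{verdict['action']:5} {verdict['channel']:7} {verdict['sender']:18} {verdict['findings']}")
```

The fourth sample message is the false-positive case: it contains a sixteen-digit run that fails the Luhn check and is therefore allowed, which is the difference between a usable outbound filter and one users route around.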