Security and Ethical Challenges Chapter 13 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved.

Security and Ethical Challenges

Chapter 13

13-2

Learning Objectives

• Identify several ethical issues regarding how the use of information technologies in business affects employment, individuality, working conditions, privacy, crime, health, and solutions to societal problems.

• Identify several types of security management strategies and defenses and explain how they can be used to ensure the security of business applications of information technology.

13-3

Learning Objectives

• Propose several ways that business managers and professionals can help lessen the harmful effects and increase the beneficial effects of the use of information technology.

13-4

RWC 1: Ethics, IT and Compliance

• IT Challenges

– Technical functionality

– Business requirements

– Ethical standards

– Correct behaviors

• 2 views of Corporate Ethics

– Set of legal and minimum standards

– Set of values integral to doing business

• Most companies have ethics and compliance programs

• Few can truly execute an ethical agenda

13-5

IT Security, Ethics, and Society

13-6

Categories of Ethical Business Issues

13-7

Corporate Social Responsibility Theories

• Stockholder Theory

– Managers are agents of the stockholders

– Only responsible for increasing profits without violating the law or committing fraud

• Social Contract Theory

– Responsible to all of society

• Stakeholder Theory

– Responsible to anyone affected by company

13-8

Principles of Technology Ethics

• Proportionality

– Good must outweigh the harm or risk

• Informed Consent

– Those affected should understand and accept risks

• Justice

– Benefits and burdens distributed fairly

• Minimized Risk

– Avoid all unnecessary risk

13-9

AITP Standards of Professional Conduct

13-10

Security from Cyber Crime

13-11

Hacking

• Obsessive use of computers

• Unauthorized access and use of networked computer systems

• Electronic Breaking and Entering

– Accessing without stealing or damaging

• Cracker (black hat or darkside hacker)

– Maintains knowledge of vulnerabilities for private advantage

• Common Hacking Tactics

– Figure 13.7

13-12

Cyber Theft

• Most involve theft of money

• “Inside jobs”

• Unauthorized activity

• Attacks through the Internet

• Most companies don’t report

13-13

Cyberterrorism

• Use IT to attack electronic infrastructure, exchange information or make threats

• Terror related – More political motivation than criminal

• Examples

– Attempt to disrupt life support at Antarctic research station

– Release of untreated sewage in Australia

– Shut down of government network and banks in Estonia

– Non-deliberate shut down of systems at nuclear reactor

13-14

Unauthorized Use at Work

• Time and resource theft

– Doing private consulting

– Doing personal finances

– Playing video games

– Unauthorized use of the Internet or networks

  • Recreational surfing

  • Racist or offensive e-mail

  • Pornographic sites

• Sniffers

– Monitor network traffic or capacity

– Find evidence of improper use

13-15

Internet Abuses in the Workplace

• General email abuses

• Unauthorized usage and access

• Copyright infringement/plagiarism

• Newsgroup postings

• Transmission of confidential data

• Pornography

• Hacking

• Non-work-related download/upload

• Leisure use of the Internet

• Use of external ISPs

• Moonlighting

13-16

Software Piracy

• Unauthorized copying of computer programs

• Licensing

– Purchase – payment for fair use

– Site license – allows a certain number of copies

– Shareware – allows copies

– Public Domain – not copyrighted

• Software industry losses – ⅓ to ½ of revenues

– Millions of copies in educational market

– 90% pirated software in China

• Sales negligible

13-17

Theft of Intellectual Property

• Intellectual Property

– Copyrighted material

– Music, videos, images, articles, books, software

• Copyright Infringement is Illegal

– Easy to trade pirated intellectual property

• Publishers Offer Inexpensive Online Music

– Illegal downloading is declining

13-18

Viruses and Worms

• Viruses must be inserted into another program

• Worms can run unaided

• Spread annoying or destructive routines

• Commonly transmitted through

– Internet and online services

– Email and file attachments

– Disks from contaminated computers

– Shareware

• Top 5 Virus Families of all time– Figure 13.9

• Cost of Top 5 Virus Families– Figure 13.9

13-19

Adware and Spyware

• Adware

– Useful software that also lets advertisers display ads without the user's consent

• Spyware

– Type of Adware

– Can steal private information

– Add advertising links to Web pages

– Redirect affiliate payments

– Change a user's home page and search settings

– Make modem call premium-rate numbers

– Leave security holes that let Trojans in

– Degrade system performance

• Removal often not completely successful

13-20

Privacy Issues

• IT capability can have a negative effect on privacy

– Personal information is collected

– Confidential information stolen or misused

• Opt-In

– Explicitly consent to allow data to be compiled

– Default in Europe

• Opt-Out

– Must request that data not be collected

– Default in the U.S.

13-21

Privacy Issues

• Violation of Privacy

– Accessing conversations and records

– Collecting and sharing visits to websites

• Computer Monitoring

– Mobile and paging services can track people

• Computer Matching

– Market additional business services

• Unauthorized Access of Personal Files

– Build profiles of contact and credit information

13-22

Protecting Your Privacy on the Internet

• Encrypt email

• Send anonymous postings

• Ask your ISP not to sell your information

• Don’t reveal personal data and interests

13-23

Privacy Laws

• Electronic Communications Privacy Act and Computer Fraud and Abuse Act

– Prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems

• U.S. Computer Matching and Privacy Act

– Regulates the matching of data held in federal agency files to verify eligibility for federal programs

13-24

Privacy Laws

• Sarbanes-Oxley

– Positive – strengthens accounting controls

– Negative – overly complex and regulatory

• Health Insurance Portability and Accountability Act (HIPAA)

– Safeguards for health-related information

• Gramm-Leach-Bliley

• USA Patriot Act

• California Security Breach Law

• Securities and Exchange Commission Rule 17a-4

13-25

Computer Libel and Censorship

• The opposite side of the privacy debate…

– Freedom of information, speech, and press

• Biggest battlegrounds

– Bulletin boards

– Email boxes

– Online files of Internet and public networks

• Weapons used in this battle

– Spamming

– Flame mail

– Libel laws

– Censorship

13-26

Cyberlaw

• Regulates activities in electronic communications

– Wide variety of legal and political issues

– Intellectual property, privacy, freedom of expression, and jurisdiction

• Body of law emerged in 1996

• Controversy

– Some feel the Internet should not be regulated

• Encryption and cryptography make regulation difficult

– Websites work around censorship

– Applicability of legal principles

• Better laws to come

13-27

Other Challenges

• Employment

– Job opportunities changing

• Computer Monitoring

– Effective but controversial

• Working Conditions

– Eliminated monotonous or obnoxious tasks

– Eliminated some skilled jobs

• Individuality

– Dehumanizes and depersonalizes

13-28

Health Issues

• Cumulative Trauma Disorders (CTDs)

– Disorders caused by fast-paced repetitive keystroke jobs

• Carpal Tunnel Syndrome

– Painful, crippling ailment of the hand and wrist

– Typically requires surgery to cure

• Ergonomics

– Designing healthy work environments

13-29

Ergonomics Factors

13-30

Societal Solutions

• Use IT to solve human and social problems

– Medical diagnosis

– Computer-assisted instruction (CAI)

– Computer based training (CBT)

– Governmental program planning

– Environmental quality control

– Law enforcement

– Job placement

• Detrimental effects

– Actions without ethical responsibility

13-31

Security Management of IT

• Security is the number 1 problem with the Internet

– Internet was developed for inter-operability, not impenetrability

– Users responsible for security, quality, and performance

– Resources must be protected

• Goal of security management

– Accuracy, integrity, and safety of all information system processes and resources

13-32

RWC 2: End-Point Security

• Security is a complex, moving target

• Delicate balance between access and security

• Two approaches

– Secure devices

– Secure data wherever it lives

  • Encryption

  • HIPAA regulations

  • Classify data, set policies

• Smartphones ongoing challenges

– Balance personal and business use

  • BlackBerries have management infrastructure

  • Phones not secured yet

13-33

Public/Private Key Encryption

13-34

Internet and Intranet Firewalls

13-35

Denial of Service Attacks

• Depend on three layers of networked computer systems

– The victim’s website

– The victim’s Internet service provider

– Zombie or slave computers commandeered by cybercriminals

• Defense

– At Zombie Machines

  • Set and enforce security policies

  • Scan for vulnerabilities

– At the ISP

  • Monitor and block traffic spikes

– At the Victim’s Website

  • Create backup servers and network connections
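The ISP-layer defense on this slide, monitoring and blocking traffic spikes, as an added Python example that is not part of the textbook slides: it replays constructed (timestamp, source) packet records through a sliding-window counter, blocks any single source that exceeds a per-window limit, and flags an aggregate spike against an assumed baseline. The window length, limits, baseline and sample addresses are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10     # sliding window length (assumed value)
PER_SOURCE_LIMIT = 50   # packets per window from one source before blocking (assumed)
SPIKE_FACTOR = 2.0      # total traffic above this multiple of baseline = spike (assumed)


class SpikeMonitor:
    """Sliding-window packet counter per source plus an aggregate spike check."""

    def __init__(self, baseline_per_window):
        self.baseline = baseline_per_window   # normal packets per window
        self.windows = defaultdict(deque)     # source -> packet timestamps
        self.total = deque()                  # all packet timestamps
        self.blocked = set()

    @staticmethod
    def _expire(q, now):
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def observe(self, ts, src):
        """Record one packet; return the source if it was newly blocked."""
        q = self.windows[src]
        q.append(ts)
        self._expire(q, ts)
        self.total.append(ts)
        self._expire(self.total, ts)
        if len(q) > PER_SOURCE_LIMIT and src not in self.blocked:
            self.blocked.add(src)
            return src
        return None

    def aggregate_spike(self):
        """True when the whole link is carrying far more than its baseline."""
        return len(self.total) > SPIKE_FACTOR * self.baseline


def detect_spikes(records, baseline_per_window):
    """Replay (timestamp, source) records; return (blocked sources, spike flag)."""
    mon = SpikeMonitor(baseline_per_window)
    blocked = [s for s in (mon.observe(ts, src) for ts, src in records) if s]
    return blocked, mon.aggregate_spike()


# Constructed sample traffic: three hosts at 2 packets/s for 10 s (60 per window,
# the baseline) plus one commandeered host sending 20 packets/s from t=3 to t=8.
NORMAL = [(t, f"10.0.0.{h}") for t in range(10) for h in (1, 2, 3) for _ in range(2)]
FLOOD = [(3 + i / 20, "203.0.113.9") for i in range(100)]
SAMPLE = sorted(NORMAL + FLOOD)
```

Calling `detect_spikes(SAMPLE, 60)` blocks only the flooding host and raises the aggregate spike flag, while the normal traffic alone triggers neither.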

13-36

Internetworked Security Defenses

• Email Monitoring

• Virus Defenses

• Security Codes

• Backup Files

• Security Monitors

• Biometrics

• Computer Failure Controls

• Disaster recovery plan

13-37

Information System Controls

• Methods and devices to ensure accuracy, validity, and propriety

• IT Security Audits

– Performed by internal or external auditors

– Review and evaluation of security measures and management policies

– Goal: Ensure proper and adequate measures and policies are in place

13-38

Protecting Yourself from Cybercrime

13-39

RWC 3: Challenges of Working in IT

• IT presents ethical challenges and dilemmas.

• To hold workers accountable

– Must set ethical policies and guidelines

– Make sure that employees know and understand them

13-40

RWC 4: Worry About What Goes Out

• Leakage of sensitive customer data or proprietary information is a new priority

• Focus on keeping sensitive information

• Deploy outbound content management tools

– E-mail messages

– Alternative communication mechanisms

  • Including instant messaging

  • Blogs

  • FTP transfers

  • Web mail

  • Message boards