2. Objectives
- Describe what ethics is and how it relates to network security.
- Explain the existing security standards for network systems.
prepared by HYGM
3. Ethics In Network Security
- The word "ethics" is derived from the Greek word
ethos (character), and from the Latin word mores
(customs).
- Together, they combine to define how individuals
choose to interact with one another.
- In philosophy, ethics defines what is good for the
individual and for society and establishes the nature
of duties that people owe themselves and one
another.
5. ETHICS (cont)
- Though law often embodies ethical principles, law
and ethics are far from co-extensive.
- Many acts that would be widely condemned as
unethical are not prohibited by law -- lying or
betraying the confidence of a friend, for example.
6. Ethics and Internet
• Communication knows no physical boundaries: an
interconnected globe humming with electronic
transmissions, "a chattering planet nestled in provident
silence of space", reaching "every person everywhere".
• The Internet has a number of striking features. It is
instantaneous, immediate, worldwide, decentralized,
interactive, endlessly expandable in content and
outreach, flexible and adaptable to a remarkable
degree.
• Anyone with the necessary equipment and modest
technical skill can be an active presence in cyberspace.
7. Security Concerns in Electronic Environment
Security is a concern not only while data is transferred over
public or private media, but also while it is stored.
The properties at stake: Confidentiality, Integrity, Availability.
8. Classes of Ethical Problems
• Personal Intrusion
• Privacy
• Morality
• Deception
• Security
• Access
• Intellectual Property
• Ownership and control
• Technology and social responsibility
9. Ethics In Network Security (cont)
- Network ethics covers the ethical issues faced by a computer
professional, as well as the relationship with and responsibilities toward
customers, clients, coworkers, employees, employers and other
users.
- Most professions have highly detailed and enforceable codes for their
respective memberships.
- In some cases these are spoken of as "professional ethics," or in the
case of law, "legal ethics".
- For example, the American Medical Association (http://www.ama-assn.org/)
has the Principles of Medical Ethics and the American Bar
Association (http://www.abanet.org/) has the Model Rules of
Professional Conduct
(http://www.law.cornell.edu/ethics/aba/index.htm).
10. Ethics In Network Security (cont)
- Other professions with codes include dentistry, social
work, education, government service, engineering,
journalism, real estate, advertising, architecture, banking,
insurance, and human resources management.
- Some of these codes have been incorporated into
public law. All are likely to have some effect on judgments
about professional conduct in litigation. Generally, failure
to comply with a code of professional ethics may result in
expulsion from the profession or some lesser sanction.
11. Terminology
- A set of rules outlining the responsibilities of, or proper practices
for, an individual or organization.
- Guidelines that help determine whether a specific action is
ethical or unethical.
- A formal set of statements that define how network resources
are to be allocated among the clients of the network.
13. Scenarios
• Preeti has walked away from a lab computer without logging off.
Arjun sits down and, still logged in as Preeti, sends inflammatory e-
mail messages out to a number of students and posts similar
messages on the class newsgroup
• A secretary on the campus of a tax-supported university has been
requested to give her staff password to her supervisor. The
supervisor would like to check the secretary's e-mail when she is
not at work to see if departmental-related mail is coming in. The
secretary is not comfortable giving her password to her supervisor,
but is afraid to say no.
14. Scenarios (cont)
• Tina's e-mail is being diverted and sent out to her entire class.
The messages are quite personal and Tina is very embarrassed
• Maria figures out that when she is logged into the server she
can look at others' directories, make copies of files, and deposit
new files. The operating system was designed to allow this
functionality so that people could share their work. Mr. Farham
objects when he observes Maria poking around in another
student's directory. But Maria responds by saying, "If the system
allows me to do it and there's no specific rule against it, what's
the problem?"
15. Scenarios (cont)
• Alice had a report to write on acid rain. She used several
sources -- books, magazines, newspaper articles, and an
electronic encyclopedia. She listed all these sources in her
bibliography at the end of the report. She found the
encyclopedia to be the most convenient source because she
could highlight portions of the text and paste them into her word
processing document
• Nurli really enjoys music but doesn't have much money to buy
new CDs. He notices that the public library has a lot of CDs and
decides to check them out. Once Nurli has the CDs at home he
realizes that he can burn the CDs and keep copies for himself.
16. Who Should Act?
• Government
• Regulatory Authority
• Organizations
• Educators
• Parents
• Individuals
17. Professional Bodies In Malaysia - Examples
Profession - Professional body
Doctor - Persatuan Perubatan Malaysia
Lawyer - Majlis Peguam Malaysia
Engineer - Lembaga Jurutera Malaysia
Architect - Pertubuhan Arkitek Malaysia
Accountant - Institut Perakaunan Malaysia
Counsellor - Persatuan Kaunseling Malaysia
18. Standardization and Auditing
• Need for standardization
E.g. HIPAA, ISO 17799, BS 7799 (ISO 17799 has since been
renumbered ISO/IEC 27002, and BS 7799-2 became ISO/IEC 27001)
• Auditing
• Policy of the organization
19. Association for Computing
Machinery (ACM)
This Code, consisting of 24 imperatives formulated as statements
of personal responsibility, identifies the elements of such a
commitment
GENERAL MORAL IMPERATIVES
• Contribute to society and human well-being
• Avoid harm to others.
• Be honest and trustworthy.
• Be fair and take action not to discriminate
• Honor property rights including copyrights and patents
• Give proper credit for intellectual property
• Respect the privacy of others
• Honor confidentiality
20. Users Responsibility
• That Which is Not Yours
• Sharing that Which is Yours
• Protecting that Which is Yours
23. Introduction
The law plays a critical part in IT security and organizations
need to manage legal risks proactively to avoid legal liability.
Some of the key legal issues relate to digital evidence
management, compliance with prevailing legislation and
the need to take into account privacy rules and personal
data protection.
Digital evidence management is a critical aspect of e-
security management and the success of criminal
prosecution is dependent on successful digital evidence
management.
IT and computer security professionals need to work
closely with law enforcement agencies.
24. Computer Crime Legislation
In most countries there are laws against accessing, altering or
preventing authorized access to electronically stored data
without proper authorization.
Such laws map onto the three pillars of protection (and of
attack): confidentiality, integrity and availability.
Examples of such laws are the US Digital Millennium Copyright Act
(the US Computer Fraud and Abuse Act is the main US statute on
unauthorized access to computers); in Malaysia there are the
Communications and Multimedia Act 1998, Malaysian Communications and
Multimedia Commission Act 1998, Digital Signature Act 1997,
Computer Crimes Act 1997 and Telemedicine Act 1997.
25. Digital Evidence
• Log files are a critical form of evidence to prove that a
criminal intrusion has taken place. Note, however, that logs
may be challenged as hearsay evidence and may not be
admissible in court.
• They assist the system administrator in determining who did
what, and when, on a system.
• Properly handled, they provide reliable and relevant evidence.
• This is an example of the convergence of law and IT security.
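As an added example (not part of the original slides), the following Python script shows the "who did what, and when" use of log files: it parses sshd lines in syslog format into structured events and summarises successful logins and failed attempts per user. The log lines, host name, user names and addresses are constructed for the example.

```python
"""Reconstruct 'who did what, and when' from sshd log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample lines in syslog format; host, users and addresses are invented.
SAMPLE_LOG = """\
Mar  3 08:15:02 lab01 sshd[2311]: Accepted password for preeti from 10.0.5.17 port 51122 ssh2
Mar  3 08:15:02 lab01 sshd[2311]: pam_unix(sshd:session): session opened for user preeti by (uid=0)
Mar  3 08:40:11 lab01 sshd[2402]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar  3 08:40:13 lab01 sshd[2402]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar  3 09:02:45 lab01 sshd[2311]: pam_unix(sshd:session): session closed for user preeti
Mar  3 09:05:00 lab01 sshd[2510]: Accepted publickey for arjun from 10.0.5.23 port 50102 ssh2
Mar  3 09:05:00 lab01 kernel: [12345.678] eth0: link up
"""

# syslog prefix: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
SESSION_RE = re.compile(r"session (?P<state>opened|closed) for user (?P<user>\S+)")


def parse_line(line):
    """Return an event dict for an sshd login/session line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m or m.group("prog") != "sshd":
        return None  # kernel and other non-sshd lines are not part of this timeline
    ev = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    msg = m.group("msg")
    a = AUTH_RE.match(msg)
    if a:
        ev.update(event="login_" + a.group("result").lower(), user=a.group("user"),
                  ip=a.group("ip"), method=a.group("method"))
        return ev
    s = SESSION_RE.search(msg)
    if s:
        ev.update(event="session_" + s.group("state"), user=s.group("user"))
        return ev
    return None  # an sshd line this script does not interpret (e.g. "Connection closed")


def build_timeline(text):
    """Ordered list of events, in the order the lines appear in the log."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Per-user view: successful logins with their source, failed attempts, sources seen."""
    summary = defaultdict(lambda: {"logins": [], "failures": 0, "sources": set()})
    for e in events:
        u = summary[e["user"]]
        if e["event"] == "login_accepted":
            u["logins"].append((e["ts"], e["ip"]))
            u["sources"].add(e["ip"])
        elif e["event"] == "login_failed":
            u["failures"] += 1
            u["sources"].add(e["ip"])
    return dict(summary)


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOG)
    for e in timeline:
        print(e["ts"], e["host"], e["event"], e["user"], e.get("ip", ""))
    for user, info in summarize(timeline).items():
        print(user, info)
```

Note the limitation visible in the sample: traditional syslog timestamps carry neither year nor time zone, so the year and the host's clock setting must be recorded at collection time for the "when" to hold up later.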
26. Legal Liability Avoidance
• IT security professionals, working with their legal counsel,
must ensure that the organization they work for is not exposed
to legal liabilities, which typically result in higher costs for
the company. Avoiding such liability is a primary concern for
every organization.
• Examples of legal liabilities: 'pirated' software, data
leakage, staff misuse of IT facilities for hacking or virus
spreading, etc.
27. Legal Liability Avoidance (cont)
• Login messages are an effective way to ensure that all users
of a system are aware of the company's security policy.
• An explicit warning should also strengthen the legal case
against intruders, because their continued use of the system
after viewing the warning implies that they acknowledge the
security policy and consent to being monitored.
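Added example (not from the original slides): a small Python check of the point above as it applies to OpenSSH, whose `Banner` directive is what displays a message before authentication. It shows a configuration without an active banner next to the corrected one. The banner wording, the `/etc/issue.net` path and the sample configuration are assumptions for the example.

```python
"""Check an sshd_config for a pre-authentication warning banner and fix it (added example)."""
import re

# Constructed sample: no active Banner line, so sshd shows nothing before the password prompt.
WEAK_CONFIG = """\
Port 22
PermitRootLogin no
# Banner none
PrintMotd yes
"""

BANNER_PATH = "/etc/issue.net"  # assumed location for the banner text

# Assumed wording; have legal counsel approve the text actually deployed.
BANNER_TEXT = """\
WARNING: This system is the property of Perunding NWS (M) Sdn Bhd and is
restricted to authorized users for authorized purposes. All activity may be
monitored and recorded. By continuing you acknowledge the company security
policy and consent to such monitoring.
"""

# An active (uncommented) Banner directive. 'Banner none' is sshd's default: no banner.
BANNER_RE = re.compile(r"^[ \t]*Banner[ \t]+(\S+)[ \t]*$", re.IGNORECASE | re.MULTILINE)


def active_banner_lines(config):
    """All uncommented Banner directives in the file, in order of appearance."""
    return BANNER_RE.findall(config)


def banner_path_in(config):
    """Effective banner path, or None if unset or 'none'.

    sshd uses the first value it reads for a keyword, so the first directive wins.
    """
    paths = active_banner_lines(config)
    if not paths or paths[0].lower() == "none":
        return None
    return paths[0]


def ensure_banner(config, path=BANNER_PATH):
    """Return the config text with exactly one active 'Banner <path>' directive.

    Existing Banner lines are removed rather than left in place, because a new
    line appended after 'Banner none' would be ignored (first value wins).
    """
    if active_banner_lines(config) == [path]:
        return config
    cleaned = BANNER_RE.sub("", config)
    cleaned = re.sub(r"\n{3,}", "\n\n", cleaned)  # tidy blank lines left by the removal
    if not cleaned.endswith("\n"):
        cleaned += "\n"
    return cleaned + f"Banner {path}\n"


if __name__ == "__main__":
    print("--- weak ---")
    print(WEAK_CONFIG)
    print("--- fixed ---")
    print(ensure_banner(WEAK_CONFIG))
    # PrintMotd / /etc/motd appears only AFTER a successful login, so it cannot
    # warn users before they access the system; the Banner does.
```

After writing the banner text to the configured path and editing `sshd_config`, run `sshd -t` to validate the file before reloading the daemon; a syntax error would otherwise lock out the next login rather than add a warning to it.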
28. Personal Data Protection & Privacy
• Another example of the role of law in IT security is the
area of personal data protection and the need to
ensure privacy.
• IT security professionals typically have full access to the
system and the capability to view the contents of users'
actions.
• The best way to carry out this kind of job is to limit what
the security professional needs to know to only those things
necessary to implement and enforce the security policy, debug
problems, etc.
29. Personal Data Protection & Privacy
(cont)
• The law in some countries may place a legal obligation on
administrators not to exceed the limits of what they may
monitor; failing that, it may raise legal liability issues for
the organization.
• Conversely, should IT security professionals become aware
of any form of illegal activity on the network or system,
they may have a legal obligation to ensure security and will
need to investigate and report it, or stop the activity
itself if it violates the security policy.
30. Incident Handling
• The collection of evidence during incident handling is a
constant task for IT security professionals, and they need to
understand the role of the law.
• Because computer data is volatile, easily modified and
sensitive to damage, it may be quite difficult to preserve the
integrity of evidence so that it can be successfully presented
in court.
31. Incident Handling (cont)
• The defence can easily cast doubt on the evidence by
questioning when it was collected, who was in charge of it,
where it was stored, and so on (the chain of custody).
• The quality of the evidence is therefore critical; this
includes factors such as the location of the program or data,
its timestamps and who had access to it.
32. Incident Handling (cont)
• A better strategy is to copy logs and any other relevant
files to read-only media such as a CD, and to record a
cryptographic hash of each file at the time of collection so
that the copies can later be shown to be unaltered.
• Data treated in this manner after a crime will carry much
greater weight in court than data from a system that was
compromised and then left in operation.
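The following Python script is an added example (not from the original slides) of the preservation step described above: it hashes each collected file, records who collected it and when, appends a chain-of-custody entry when the evidence changes hands, and later verifies that the copies still match. The case identifier, the names and the log content are constructed for the example; the hash is SHA-256.

```python
"""Preserve logs as evidence: hash at collection, keep a custody record, verify later (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(paths, collector, case_id):
    """Build a manifest: per-file hash, size and filesystem mtime, plus who collected it and when."""
    now = datetime.now(timezone.utc).isoformat()
    items = []
    for p in paths:
        st = os.stat(p)
        items.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "case_id": case_id,
        "items": items,
        # Chain of custody: every hand-over appends an entry; earlier entries are never rewritten.
        "custody": [{"at": now, "who": collector, "action": "collected"}],
    }


def record_transfer(manifest, from_who, to_who):
    """Append a custody entry when the evidence changes hands."""
    manifest["custody"].append({
        "at": datetime.now(timezone.utc).isoformat(),
        "who": to_who,
        "action": f"received from {from_who}",
    })
    return manifest


def manifest_fingerprint(manifest):
    """Hash of the manifest itself; write it on the read-only media and in the case notes."""
    return hashlib.sha256(json.dumps(manifest, sort_keys=True).encode()).hexdigest()


def verify_manifest(manifest):
    """Return the paths whose current content no longer matches the recorded hash."""
    tampered = []
    for item in manifest["items"]:
        if not os.path.exists(item["path"]) or sha256_file(item["path"]) != item["sha256"]:
            tampered.append(item["path"])
    return tampered


def demo():
    """Constructed end-to-end run: collect a fake auth.log, verify, modify it, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        log_path = os.path.join(workdir, "auth.log")
        with open(log_path, "w") as f:  # constructed content, not from a real system
            f.write("Mar  3 08:15:02 lab01 sshd[2311]: Accepted password for preeti from 10.0.5.17\n")
        manifest = collect_evidence([log_path], collector="sysadmin", case_id="CASE-0001")
        record_transfer(manifest, "sysadmin", "incident-lead")
        before = verify_manifest(manifest)  # nothing changed yet: []
        with open(log_path, "a") as f:      # someone appends a line after collection
            f.write("Mar  3 09:00:00 lab01 sshd[2402]: Accepted password for root from 203.0.113.9\n")
        after = verify_manifest(manifest)   # the modified file is reported
        return {
            "clean_before": before,
            "tampered_after": [os.path.basename(p) for p in after],
            "custody_entries": len(manifest["custody"]),
            "fingerprint_len": len(manifest_fingerprint(manifest)),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash proves that a copy is unchanged since the hash was taken, not when it was taken: the manifest fingerprint should be written on the same read-only media as the copies and recorded in the case notes (or signed) at the time of collection, which is what gives the custody entries their weight.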
33. Relationship with Law Enforcement
Agencies
• When an incident takes place, IT professionals should
carry out certain checks before calling law enforcement
officers, to ensure that no obstacles are created during the
investigation process.
• As a general practice, it is important to do one's own
initial investigation before contacting the law enforcement
agencies, taking care not to alter the evidence in the process.
34. Relationship with Law Enforcement
Agencies(cont)
• This is because the IT professionals will then have all the
relevant information needed for an initial interview with the
investigating agencies.
• They can save a lot of investigation time if they trace any
irregularities or inconsistencies by looking at the logs and
by asking the administrators of the machines to examine their
logs first. An attack on the organization's IT system is a
typical example.
35. Problem Statement 1
• As a newly employed System Administrator of
Perunding NWS (M) Sdn Bhd, you are responsible
for ensuring that all computers, servers, network
devices, and any other types of computing
devices that you support comply with all
published standards. This includes educating your
supported users about their role in securing their
computing devices and data. Conduct research
on security and standards in network systems
to simplify your task.
36. Problem Statement 1 (cont)
Security & Standards in Network Systems
Topics:
- Definition
- Categories/Types
- Importance/Benefits
- Examples of standards
- Ethical issues
- Etc.
Areas:
- Physical security
- Network device security
- Wireless network security
- Operating system security
- Database security