Security & Ethical Challenges, Chapter 13
1. Chapter 13 Security and Ethical Challenges. James A. O'Brien and George Marakas, Management Information Systems with MISource 2007, 8th ed. Boston, MA: McGraw-Hill, Inc., 2007. ISBN-13: 9780073323091
2. Learning Objectives
   - Identify several ethical issues in how the use of information technologies in business affects employment, individuality, working conditions, privacy, crime, health, and solutions to societal problems
   - Identify several types of security management strategies and defenses, and explain how they can be used to ensure the security of business applications of information technology
   - Propose several ways that business managers and professionals can help to lessen the harmful effects and increase the beneficial effects of the use of IT
3. Case 1: Cyberscams and Cybercriminals
   - Cyberscams are today’s fastest-growing criminal niche
     - 87 percent of companies surveyed reported a security incident
     - The U.S. Federal Trade Commission says identity theft is its top complaint
     - eBay has 60 people combating fraud; Microsoft has 65
     - Stolen credit card account numbers are regularly sold online
4. Case Study Questions
   - What are several reasons why “cyberscams are today’s fastest-growing criminal niche”?
     - Explain why the reasons you give contribute to the growth of cyberscams
   - What are several security measures that could be implemented to combat the spread of cyberscams?
     - Explain why your suggestions would be effective in limiting the spread of cyberscams
   - Which one or two of the four top cybercriminals described in this case poses the greatest threat to businesses? To consumers?
     - Explain the reasons for your choices, and how businesses and consumers can protect themselves from these cyberscammers
5. IT Security, Ethics, and Society
   - IT has both beneficial and detrimental effects on society and people
     - Manage work activities to minimize the detrimental effects of IT
     - Optimize the beneficial effects
6. Business Ethics
   - Ethics questions that managers confront as part of their daily business decision making include:
     - Equity
     - Rights
     - Honesty
     - Exercise of corporate power
7. Categories of Ethical Business Issues (figure)
8. Corporate Social Responsibility Theories
   - Stockholder Theory
     - Managers are agents of the stockholders
     - Their only ethical responsibility is to increase the profits of the business without violating the law or engaging in fraudulent practices
   - Social Contract Theory
     - Companies have ethical responsibilities to all members of society, who allow corporations to exist
   - Stakeholder Theory
     - Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders
     - Stakeholders are all individuals and groups that have a stake in, or claim on, a company
9. Principles of Technology Ethics
   - Proportionality: the good achieved by the technology must outweigh the harm or risk; there must be no alternative that achieves the same or comparable benefits with less harm or risk
   - Informed Consent: those affected by the technology should understand and accept the risks
   - Justice
     - The benefits and burdens of the technology should be distributed fairly
     - Those who benefit should bear their fair share of the risks, and those who do not benefit should not suffer a significant increase in risk
   - Minimized Risk: even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk
10. AITP Standards of Professional Conduct (figure)
11. Responsible Professional Guidelines
   - A responsible professional
     - Acts with integrity
     - Increases personal competence
     - Sets high standards of personal performance
     - Accepts responsibility for his/her work
     - Advances the health, privacy, and general welfare of the public
12. Computer Crime
   - Computer crime includes
     - Unauthorized use, access, modification, or destruction of hardware, software, data, or network resources
     - The unauthorized release of information
     - The unauthorized copying of software
     - Denying an end user access to his/her own hardware, software, data, or network resources
     - Using or conspiring to use computer or network resources illegally to obtain information or tangible property
13. Cybercrime Protection Measures (figure)
14. Hacking
   - Hacking is
     - The obsessive use of computers
     - The unauthorized access and use of networked computer systems
   - Electronic Breaking and Entering
     - Hacking into a computer system and reading files, but neither stealing nor damaging anything
   - Cracker
     - A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage
15. Common Hacking Tactics
   - Denial of Service
     - Hammering a website’s equipment with too many requests for information
     - Clogging the system, slowing performance, or crashing the site
   - Scans
     - Widespread probes of the Internet to determine types of computers, services, and connections
     - Looking for weaknesses
   - Sniffer
     - Programs that search individual packets of data as they pass through the Internet
     - Capturing passwords or entire contents
   - Spoofing
     - Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers
16. Common Hacking Tactics
   - Trojan Horse
     - A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software
   - Back Doors
     - A hidden point of entry to be used in case the original entry point is detected or blocked
   - Malicious Applets
     - Tiny Java programs that misuse your computer’s resources, modify files on the hard disk, send fake email, or steal passwords
   - War Dialing
     - Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection
   - Logic Bombs
     - An instruction in a computer program that triggers a malicious act
17. Common Hacking Tactics
   - Buffer Overflow
     - Crashing or gaining control of a computer by sending too much data to buffer memory
   - Password Crackers
     - Software that can guess passwords
   - Social Engineering
     - Gaining access to computer systems by talking unsuspecting company employees out of valuable information, such as passwords
   - Dumpster Diving
     - Sifting through a company’s garbage to find information to help break into their computers
18. Cyber Theft
   - Many computer crimes involve the theft of money
   - The majority are “inside jobs” that involve unauthorized network entry and alteration of computer databases to cover the tracks of the employees involved
   - Many attacks occur through the Internet
   - Most companies don’t reveal that they have been targets or victims of cybercrime
19. Unauthorized Use at Work
   - Unauthorized use of computer systems and networks is time and resource theft
     - Doing private consulting
     - Doing personal finances
     - Playing video games
     - Unauthorized use of the Internet or company networks
   - Sniffers
     - Used to monitor network traffic or capacity
     - Find evidence of improper use
20. Internet Abuses in the Workplace
   - General email abuses
   - Unauthorized usage and access
   - Copyright infringement/plagiarism
   - Newsgroup postings
   - Transmission of confidential data
   - Pornography
   - Hacking
   - Non-work-related download/upload
   - Leisure use of the Internet
   - Use of external ISPs
   - Moonlighting
21. Software Piracy
   - Software Piracy
     - Unauthorized copying of computer programs
   - Licensing
     - Purchasing software is really a payment for a license for fair use
     - Site license allows a certain number of copies
   - A third of the software industry’s revenues are lost to piracy
22. Theft of Intellectual Property
   - Intellectual Property
     - Copyrighted material
     - Includes such things as music, videos, images, articles, books, and software
   - Copyright Infringement is Illegal
     - Peer-to-peer networking techniques have made it easy to trade pirated intellectual property
   - Publishers Offer Inexpensive Online Music
     - Illegal downloading of music and video is down and continues to drop
23. Viruses and Worms
   - A virus is a program that cannot work without being inserted into another program
     - A worm can run unaided
   - These programs copy annoying or destructive routines into networked computers
     - Copy routines spread the virus
   - Commonly transmitted through
     - The Internet and online services
     - Email and file attachments
     - Disks from contaminated computers
     - Shareware
24. Top Five Virus Families of All Time
   - My Doom, 2004
     - Spread via email and over the Kazaa file-sharing network
     - Installs a back door on infected computers
     - Infected email poses as a returned message or one that can’t be opened correctly, urging the recipient to click on the attachment
     - Opens up TCP ports that stay open even after termination of the worm
     - Upon execution, a copy of Notepad is opened, filled with nonsense characters
   - Netsky, 2004
     - Mass-mailing worm that spreads by emailing itself to all email addresses found on infected computers
     - Tries to spread via peer-to-peer file sharing by copying itself into the shared folder
     - It renames itself to pose as one of 26 other common files along the way
25. Top Five Virus Families of All Time
   - SoBig, 2004
     - Mass-mailing email worm that arrives as an attachment
       - Examples: Movie_0074.mpg.pif, Document003.pif
     - Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking for email addresses to which it can send itself
     - Also attempts to download updates for itself
   - Klez, 2002
     - A mass-mailing email worm that arrives with a randomly named attachment
     - Exploits a known vulnerability in MS Outlook to auto-execute on unpatched clients
     - Tries to disable virus scanners and then copy itself to all local and networked drives with a random file name
     - Deletes all files on the infected machine and any mapped network drives on the 13th of all even-numbered months
26. Top Five Virus Families of All Time
   - Sasser, 2004
     - Exploits a Microsoft vulnerability to spread from computer to computer with no user intervention
     - Spawns multiple threads that scan local subnets for vulnerabilities
27. The Cost of Viruses, Trojans, Worms
   - Cost of the top five virus families
     - Nearly 115 million computers in 200 countries were infected in 2004
     - Up to 11 million computers are believed to be permanently infected
     - In 2004, total economic damage from virus proliferation was $166 to $202 billion
     - Average damage per computer is between $277 and $366
28. Adware and Spyware
   - Adware
     - Software that purports to serve a useful purpose, and often does
     - Allows advertisers to display pop-up and banner ads without the consent of the computer users
   - Spyware
     - Adware that uses an Internet connection in the background, without the user’s permission or knowledge
     - Captures information about the user and sends it over the Internet
29. Spyware Problems
   - Spyware can steal private information and also
     - Add advertising links to Web pages
     - Redirect affiliate payments
     - Change a user’s home page and search settings
     - Make a modem randomly call premium-rate phone numbers
     - Leave security holes that let Trojans in
     - Degrade system performance
   - Removal programs are often not completely successful in eliminating spyware
30. Privacy Issues
   - The power of information technology to store and retrieve information can have a negative effect on every individual’s right to privacy
     - Personal information is collected with every visit to a Web site
     - Confidential information stored by credit bureaus, credit card companies, and the government has been stolen or misused
31. Opt-in Versus Opt-out
   - Opt-In
     - You explicitly consent to allow data to be compiled about you
     - This is the default in Europe
   - Opt-Out
     - Data can be compiled about you unless you specifically request that it not be
     - This is the default in the U.S.
32. Privacy Issues
   - Violation of Privacy
     - Accessing individuals’ private email conversations and computer records
     - Collecting and sharing information about individuals gained from their visits to Internet websites
   - Computer Monitoring
     - Always knowing where a person is
     - Mobile and paging services are becoming more closely associated with people than with places
   - Computer Matching
     - Using customer information gained from many sources to market additional business services
   - Unauthorized Access of Personal Files
     - Collecting telephone numbers, email addresses, credit card numbers, and other information to build customer profiles
33. Protecting Your Privacy on the Internet
   - There are multiple ways to protect your privacy
     - Encrypt email
     - Send newsgroup postings through anonymous remailers
     - Ask your ISP not to sell your name and information to mailing list providers and other marketers
     - Don’t reveal personal data and interests on online service and website user profiles
34. Privacy Laws
   - Electronic Communications Privacy Act and Computer Fraud and Abuse Act
     - Prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems
   - U.S. Computer Matching and Privacy Act
     - Regulates the matching of data held in federal agency files to verify eligibility for federal programs
   - Other laws impacting privacy and how much a company spends on compliance
     - Sarbanes-Oxley
     - Health Insurance Portability and Accountability Act (HIPAA)
     - Gramm-Leach-Bliley
     - USA Patriot Act
     - California Security Breach Law
     - Securities and Exchange Commission rule 17a-4
35. Computer Libel and Censorship
   - The opposite side of the privacy debate…
     - Freedom of information, speech, and press
   - Biggest battlegrounds: bulletin boards, email boxes, and online files of Internet and public networks
   - Weapons used in this battle: spamming, flame mail, libel laws, and censorship
   - Spamming: indiscriminate sending of unsolicited email messages to many Internet users
   - Flaming
     - Sending extremely critical, derogatory, and often vulgar email messages or newsgroup postings to other users on the Internet or online services
     - Especially prevalent on special-interest newsgroups
36. Cyberlaw
   - Laws intended to regulate activities over the Internet or via electronic communication devices
     - Encompasses a wide variety of legal and political issues
     - Includes intellectual property, privacy, freedom of expression, and jurisdiction
   - The intersection of technology and the law is controversial
     - Some feel the Internet should not be regulated
     - Encryption and cryptography make traditional forms of regulation difficult
     - The Internet treats censorship as damage and simply routes around it
   - Cyberlaw only began to emerge in 1996
     - Debate continues regarding the applicability of legal principles derived from issues that had nothing to do with cyberspace
37. Other Challenges
   - Employment
     - IT creates new jobs and increases productivity
     - It can also cause significant reductions in job opportunities, as well as requiring new job skills
   - Computer Monitoring
     - Using computers to monitor the productivity and behavior of employees as they work
     - Criticized as unethical because it monitors individuals, not just work, and is done constantly
     - Criticized as invasion of privacy because many employees do not know they are being monitored
   - Working Conditions
     - IT has eliminated monotonous or obnoxious tasks
     - However, some skilled craftsperson jobs have been replaced by jobs requiring routine, repetitive tasks or standby roles
   - Individuality
     - Dehumanizes and depersonalizes activities because computers eliminate human relationships
     - Inflexible systems
38. Health Issues
   - Cumulative Trauma Disorders (CTDs)
     - Disorders suffered by people who sit at a PC or terminal and do fast-paced repetitive keystroke jobs
   - Carpal Tunnel Syndrome
     - Painful, crippling ailment of the hand and wrist
     - Typically requires surgery to cure
39. Ergonomics
   - Designing healthy work environments
     - Safe, comfortable, and pleasant for people to work in
     - Increases employee morale and productivity
     - Also called human factors engineering
   (Figure: Ergonomics Factors)
40. Societal Solutions
   - Using information technologies to solve human and social problems
     - Medical diagnosis
     - Computer-assisted instruction
     - Governmental program planning
     - Environmental quality control
     - Law enforcement
     - Job placement
   - The detrimental effects of IT
     - Often caused by individuals or organizations not accepting ethical responsibility for their actions
41. Security Management of IT
   - The Internet was developed for inter-operability, not impenetrability
     - Business managers and professionals alike are responsible for the security, quality, and performance of business information systems
     - Hardware, software, networks, and data resources must be protected by a variety of security measures
42. Case 2: Data Security Failures
   - Security Breach Headlines
     - Identity thieves stole information on 145,000 people from ChoicePoint
     - Bank of America lost backup tapes that held data on over 1 million credit card holders
     - DSW had its stores’ credit card data breached; over 1 million had been accessed
   - Corporate America is finally owning up to a long-held secret
     - It can’t safeguard its most valuable data
43. Case Study Questions
   - Why have there been so many recent incidents of data security breaches and loss of customer data by reputable companies?
   - What security safeguards must companies have to deter electronic break-ins into their computer networks, business applications, and data resources like the incident at Lowe’s?
   - What security safeguards would have deterred the loss of customer data at
     - TCI
     - Bank of America
     - ChoicePoint?
44. Security Management
   - The goal of security management is the accuracy, integrity, and safety of all information system processes and resources
45. Internetworked Security Defenses
   - Encryption
     - Data is transmitted in scrambled form
     - It is unscrambled by computer systems for authorized users only
     - The most widely used method uses a pair of public and private keys unique to each individual
46. Public/Private Key Encryption (figure)
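Added example, not from the O'Brien and Marakas slides: a toy version of the public/private key scheme the two slides above describe, using textbook RSA with tiny primes so the arithmetic can be followed by hand. The primes, message and function names are constructed for illustration; it shows why only the matching private key can unscramble what the public key scrambled, and is not a usable cipher.

```python
# Added example, not part of the slides: textbook RSA with tiny primes to show
# how a public/private key pair works. Toy only: real keys are 2048+ bits and
# messages are padded (OAEP) so equal plaintexts do not give equal ciphertexts.
from math import gcd
from typing import List, Tuple

Key = Tuple[int, int]


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Derive (public, private) from two primes p and q.

    public  = (e, n): published openly; anyone can use it to scramble data.
    private = (d, n): kept secret; the only key that unscrambles the result.
    """
    n = p * q
    phi = (p - 1) * (q - 1)            # number of integers below n coprime to n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                # modular inverse, so e*d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(public: Key, message: bytes) -> List[int]:
    """Scramble each byte with the recipient's PUBLIC key: c = m^e mod n."""
    e, n = public
    if n <= 255:
        raise ValueError("modulus too small to encode a whole byte")
    return [pow(m, e, n) for m in message]


def decrypt(private: Key, ciphertext: List[int]) -> bytes:
    """Unscramble with the matching PRIVATE key: m = c^d mod n."""
    d, n = private
    plain = [pow(c, d, n) for c in ciphertext]
    if any(m > 255 for m in plain):
        # A private key that does not belong to the public key used for
        # encryption yields numbers that are not even valid bytes.
        raise ValueError("decryption produced non-byte values: wrong key?")
    return bytes(plain)


def round_trip(message: bytes) -> bytes:
    """Sender scrambles with Bob's public key; only Bob's private key restores it."""
    bob_public, bob_private = make_keypair(61, 53)    # constructed tiny primes
    return decrypt(bob_private, encrypt(bob_public, message))


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)
    print("public:", pub, "private:", priv)            # (17, 3233) (2753, 3233)
    print("ciphertext:", encrypt(pub, b"Hi"))
    print("recovered:", round_trip(b"Hi"))
```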
47. Internetworked Security Defenses
   - Firewalls
     - A gatekeeper system that protects a company’s intranets and other computer networks from intrusion
     - Provides a filter and safe transfer point for access to/from the Internet and other networks
     - Important for individuals who connect to the Internet with DSL or cable modems
     - Can deter hacking, but cannot prevent it
48. Internet and Intranet Firewalls (figure)
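Added example, not from the slides: a minimal stateless packet filter of the kind the firewall slides call a gatekeeper between the Internet and an intranet. The policy, addresses and rule format are constructed for illustration; it shows first-match evaluation and default deny, and why a filter that only sees addresses and ports can deter but not prevent an attack.

```python
# Added example, not part of the slides: a minimal stateless packet filter, the
# "gatekeeper" the slide describes. Rules are checked top to bottom, the first
# match decides, and a packet that matches nothing is denied (default deny).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # destination port (0 when the protocol has none)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR block, or "any"
    dst: str               # CIDR block, or "any"
    proto: str             # protocol name, or "any"
    dport: Optional[int]   # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return (_in_net(pkt.src, self.src)
                and _in_net(pkt.dst, self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def _in_net(addr: str, net: str) -> bool:
    if net == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """Return (decision, rule that decided); ("deny", None) is the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return "deny", None


# Constructed policy: the intranet is the private 10.0.0.0/8 range and the
# public web server sits at 203.0.113.10 (an RFC 5737 documentation address).
INTRANET = "10.0.0.0/8"
WEB_SERVER = "203.0.113.10/32"
POLICY = [
    Rule("allow", "any", WEB_SERVER, "tcp", 443),   # the public may reach HTTPS
    Rule("deny", "any", WEB_SERVER, "any", None),   # but nothing else on that host
    Rule("allow", INTRANET, "any", "tcp", 443),     # staff may browse HTTPS sites
    Rule("allow", INTRANET, "any", "udp", 53),      # and resolve names
    # No rule admits traffic from outside into the intranet, so it is denied.
    # The slide's caveat applies: the filter sees addresses and ports only, so
    # an attack carried inside an allowed HTTPS request still passes through.
]


if __name__ == "__main__":
    for pkt in [Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "10.1.2.3", "tcp", 445)]:
        print(pkt, "->", filter_packet(POLICY, pkt)[0])
```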
49. Denial of Service Attacks
   - Denial of service attacks depend on three layers of networked computer systems
     - The victim’s website
     - The victim’s Internet service provider
     - Zombie or slave computers that have been commandeered by the cybercriminals
50. Defending Against Denial of Service
   - At Zombie Machines
     - Set and enforce security policies
     - Scan for vulnerabilities
   - At the ISP
     - Monitor and block traffic spikes
   - At the Victim’s Website
     - Create backup servers and network connections
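Added example, not from the slides: the monitoring half of "monitor and block traffic spikes" from the slide above, which also covers the scans bullet on slide 15. It runs detection logic over constructed connection-log lines, keeping a sliding window per source address and flagging a flood (too many connections per window) or a scan (too many distinct ports per window). The log format, addresses and thresholds are assumptions made for the sample.

```python
# Added example, not part of the slides: detection logic for two tactics the
# chapter describes, traffic spikes (denial of service) and port scans, run over
# constructed connection-log lines. Thresholds and log format are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

WINDOW_SECONDS = 10   # sliding window over which a source is judged
RATE_LIMIT = 20       # more connections than this per window looks like a flood
SCAN_PORTS = 10       # this many distinct ports per window looks like a scan


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Parse 'TIMESTAMP src=IP dst=IP dport=N'; return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Return {source: {"spike" | "scan"}} for sources worth blocking or alerting on.

    Lines must be in time order. Each source keeps only the events inside the
    current window, so memory stays bounded even under a sustained flood.
    """
    recent: Dict[str, deque] = defaultdict(deque)   # src -> (ts, dport) events
    findings: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                 # skip junk, do not crash
        ts, src, _dst, dport = rec
        events = recent[src]
        events.append((ts, dport))
        while (ts - events[0][0]).total_seconds() > WINDOW_SECONDS:
            events.popleft()                         # expire events outside window
        if len(events) > RATE_LIMIT:
            findings[src].add("spike")
        if len({port for _, port in events}) >= SCAN_PORTS:
            findings[src].add("scan")
    return dict(findings)


def sample_log() -> List[str]:
    """Constructed sample: one normal client, one port scanner, one flooder."""
    base = datetime(2007, 3, 1, 10, 0, 0)
    events: List[Tuple[datetime, str, int]] = []
    for i in range(5):                               # normal browsing, 12 s apart
        events.append((base + timedelta(seconds=12 * i), "10.1.2.3", 443))
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        events.append((base + timedelta(seconds=20 + 0.25 * i), "198.51.100.7", port))
    for i in range(30):                              # 30 hits on port 80 in 4.5 s
        events.append((base + timedelta(seconds=40 + 0.15 * i), "192.0.2.99", 80))
    events.sort()
    return [f"{ts.isoformat()} src={src} dst=203.0.113.10 dport={port}"
            for ts, src, port in events]


if __name__ == "__main__":
    for src, tags in detect(sample_log()).items():
        print(src, sorted(tags))
```

Blocking is the ISP's follow-up action; this block only produces the list of sources and reasons that such a block would be based on.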
51. Internetworked Security Defenses
   - Email Monitoring
     - Use of content monitoring software that scans for troublesome words that might compromise corporate security
   - Virus Defenses
     - Centralize the updating and distribution of antivirus software
     - Use a security suite that integrates virus protection with firewalls, Web security, and content blocking features
52. Other Security Measures
   - Security Codes
     - Multilevel password system
     - Encrypted passwords
     - Smart cards with microprocessors
   - Backup Files
     - Duplicate files of data or programs
   - Security Monitors
     - Monitor the use of computers and networks
     - Protect them from unauthorized use, fraud, and destruction
   - Biometrics
     - Computer devices measure physical traits that make each individual unique
       - Voice recognition, fingerprints, retina scan
   - Computer Failure Controls
     - Prevent computer failures or minimize their effects
     - Preventive maintenance
     - Arrange backups with a disaster recovery organization
53. Other Security Measures
   - In the event of a system failure, fault-tolerant systems have redundant processors, peripherals, and software that provide
     - Fail-over capability: shifts to backup components
     - Fail-safe capability: the system continues to operate at the same level
     - Fail-soft capability: the system continues to operate at a reduced but acceptable level
   - A disaster recovery plan contains formalized procedures to follow in the event of a disaster
     - Which employees will participate
     - What their duties will be
     - What hardware, software, and facilities will be used
     - Priority of applications that will be processed
     - Use of alternative facilities
     - Offsite storage of databases
54. Information System Controls
   - Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities
55. Auditing IT Security
   - IT Security Audits
     - Performed by internal or external auditors
     - Review and evaluation of security measures and management policies
     - Goal is to ensure that proper and adequate measures and policies are in place
56. Protecting Yourself from Cybercrime (figure)
57. Case 3: Managing Information Security
   - OCTAVE Security Process Methodology
     - Risk Evaluation
       - Self-direction by people in the organization
       - Adaptable measures that can change with technology
       - A defined process and standard evaluation procedures
       - A foundation for a continual process that improves security over time
     - Risk Management
       - A forward-looking view
       - A focus on a “critical few” security issues
       - Integrated management of security policies and strategies
58. Case 3: Managing Information Security
     - Organizational and Cultural
       - Open communication of risk information and activities built around collaboration
       - A global perspective on risk in the context of the organization’s mission and business objectives
       - Teamwork
59. Case Study Questions
   - What are security managers doing to improve information security?
   - How does the OCTAVE methodology work to improve security in organizations?
   - What does Lloyd Hession mean when he says information security is “not addressed simply by the firewalls and antivirus tools that are already in place”?
60. Case 4: Maintaining Software Security
   - Security professionals have 7 to 21 days before hackers’ tools used to exploit the most recent vulnerabilities become available on the Internet
     - Microsoft’s monthly patch-release date is known as “Patch Tuesday”
     - Security software companies go to work immediately to update their products
     - Updates must be thoroughly tested before being deployed
61. Case Study Questions
   - What types of security problems are typically addressed by a patch-management strategy?
     - Why do such problems arise in the first place?
   - What challenges does the process of applying software patches and updates pose for many businesses?
     - What are the limitations of the patching process?
   - Does the business value of a comprehensive patch-management strategy outweigh its costs, its limitations, and the demands it places on the IT function?