Ethics and information security 2

SIK Assignment 1

Published in: Business, Technology
  • Share any examples of unethical behavior you have recently observed?
    Share any security issues you have recently encountered?
    Many students have already experienced identity theft, stolen items, and phishing scams. Asking students to share their stories gets the class excited and involved with ethics and security
  • CLASSROOM OPENER
    NOT-SO-GREAT BUSINESS DECISIONS – Scrushy Faces 30 Years in Prison
    Richard Scrushy, former chief executive of HealthSouth, was convicted of bribing Don Siegelman, former governor of Alabama, for a seat on the state's hospital regulatory board, which oversaw some of his company's facilities.
    The verdict came a year and a day after Mr. Scrushy was found not guilty of involvement in a $2.7 billion accounting fraud at HealthSouth, which he built from scratch into America's largest provider of rehabilitative healthcare. Mr. Siegelman, a Democrat who was governor from 1999 to 2003, was also convicted of bribery and mail fraud, following a seven-week trial and 11 days of jury deliberations. Prosecutors accused Mr. Siegelman of operating a "pay to play" scheme in which companies and contractors gave political donations in return for contracts and favors. The pair could each face up to 30 years in jail for the crimes.
    UBS, the Swiss investment bank, was embroiled in the case through its role as former banker to HealthSouth. A former UBS banker testified that the bank had helped engineer Mr. Scrushy's payment to the lottery campaign by forgiving $250,000 in fees it was owed by a healthcare company through which the donation was funneled.
    Mike Martin, HealthSouth's former chief financial officer, told the jury he had put pressure on UBS, at Mr. Scrushy's behest, to help finance the donation. Mr. Scrushy denied the donation was a bribe, arguing he wanted to foster good relations with the governor and support his push to improve public education through a lottery.
    HealthSouth was among the raft of US companies where large scale frauds were discovered in the wake of the accounting scandals at Enron and WorldCom.
  • Break your students into groups and ask them to find a real-world example of each type of ethical issue displayed in Figure 4.1
    Ask your students to find additional ethical issues stemming from technology advances not mentioned in Figure 4.1
    Intellectual property - Intangible creative work that is embodied in physical form
    Copyright - The legal protection afforded an expression of an idea, such as a song, video game, and some types of proprietary documents
    Fair use doctrine - In certain situations, it is legal to use copyrighted material
    Pirated software - The unauthorized use, duplication, distribution, or sale of copyrighted software
    Counterfeit software - Software that is manufactured to look like the real thing and sold as such
  • Privacy is an ethical issue
    There are numerous examples of ethical issues surrounding IT
    List a few ethical IT examples that are currently in the news
    Discuss the infamous case of Napster and present your students with the ethical issues surrounding music sharing and copyright laws
    Do you think tracking customer information from a Web site visit is ethical?
    What if the company sells the information?
    Can you explain the difference between privacy and confidentiality?
  • Privacy during Web interactions is a major concern for many individuals
    Violating someone’s privacy is a sure way to ruin a relationship
    E-business is built on the practice of exchanging large amounts of information between many parties
    Without privacy, there will not be any trust
    Have you ever had your privacy violated on the Internet?
    One of the most common examples is someone forwarding or bcc'ing (blind carbon copy) an e-mail without the person’s knowledge or consent
    For e-business to work, companies, customers, partners, and suppliers must trust each other
  • Have you encountered any ethical dilemmas due to technology?
    CLASSROOM EXERCISE
    WHAT RIGHT DO I HAVE?
    Bring a USB drive into class
    At the beginning of class state that you found the USB drive and does it belong to anyone?
    How can you determine whose USB drive it is?
    Should you plug it into your computer and read the information?
    Is that ethical?
    What if the drive has all of the salaries of everyone at college or all of the grades for every student?
    What if the drive contains a virus that wipes out your computer?
    What should you do?
  • Explain to your students that most organizations want to make decisions somewhere in quadrant I, both legal and ethical
    Obviously this does not always happen, or we would not have examples such as Enron and Martha Stewart
    Can you name a company that operates in each quadrant?
    I – Amazon
    II – Microsoft – the government ruled that Microsoft was breaking antitrust laws and operating a monopoly, although Microsoft felt it was operating ethically and legally
    III – Some lawyers
    IV – Drug Dealer
  • For these reasons it falls on the shoulders of those who control the information to develop ethical guidelines on how to manage it
    Review the figure discussing the current established information-related laws
  • Organizations should develop written policies establishing employee guidelines, personnel procedures, and organizational rules
    These policies set employee expectations about the organization's practices and standards and protect the organization from misuse of computer systems and IT resources
    Are any of these policies used at your college?
  • For example: an ethical computer use policy might state that users should refrain from playing computer games during working hours
    CLASSROOM EXERCISE
    Analyzing An Ethical Computer Use Policy
    Break your students into groups and ask them to develop and define several ethical computer use policies that would be appropriate for your school or for a business of your choice. Have your students present their policies to the entire class.
    Examples: Users will not send spam
    Users will not send harmful viruses
    Users will not use offensive language or send offensive material
    Extra exercise: Have your students research the Internet for current law suits based on offensive e-mail
  • Review the six principles for ethical information management and rank them in order of greatest importance to least importance for an organization
    Makes for an excellent classroom debate
  • Would you mind if your Visa company shared all of your purchasing information?
    Who owns the information on your Visa?
    Why would people want to purchase Visa information?
    To find marketing and sales opportunities
  • Adoption and implementation of a privacy policy – an organization engaged in online activities or e-business has a responsibility to adopt and implement a policy for protecting the privacy of personal information
    Notice and disclosure – an organization’s privacy policy must be easy to find, read, and understand
    Choice and consent – individuals must be given the opportunity to exercise choice regarding how personal information collected from them online may be used when such use is unrelated to the purpose for which the information was collected
    Information security – organizations creating, maintaining, using, or disseminating personal information should take appropriate measures to assure its reliability and protect it from loss, misuse, or alteration
    Information quality and access – organizations should establish appropriate processes or mechanisms so that inaccuracies in material personal information may be corrected.
  • Do you have any incidents when someone online repudiated their actions?
    Remind your students that they should keep all of their e-mail since this is one way to hold someone accountable (nonrepudiation)
  • Most of your students probably signed an AUP when signing up with their ISP
    ISPs typically require each customer to sign an AUP
    Ask your students to rank the acceptable use policy stipulations in order of greatest importance to least importance for an ISP
  • Explain to your students that e-mail is not safe
    E-mail can easily be read by:
    Anyone who works for the Internet service provider
    Anyone who works for the recipient's Internet service provider
    Anyone who operates any of the perhaps dozens of Internet routers that the data packets will pass through
    Anyone with physical access to the telephone switching equipment in the phone company's office
    Do your students know that if they speak on the telephone with anyone in the United States, the telephone switching equipment at the phone company offices has wiretaps built into it for easy access by authorities - or actually anyone with the password, such as maintenance personnel. These wiretaps started appearing after the U.S. Congress passed the Digital Telephony Act, because of complaints by law enforcement that modern digital telephone systems were becoming harder to tap.
  • 80 percent of professional workers identified e-mail as their preferred means of corporate communications
    Trends also show a dramatic increase in the adoption rate of instant messaging (IM) in the workplace
    Ask your students to rank the e-mail privacy policy stipulations in order of greatest importance to least importance for an ISP
  • There are many reasons why an organization should implement an Internet use policy including:
    Large amounts of computing resources that Internet users can expend
    Numerous materials that some might feel are offensive
    Ask your students to rank the Internet use policy stipulations in order of greatest importance to least importance for an ISP
  • A few methods that an organization can follow to prevent spam include
    Disguise e-mail addresses posted in a public electronic place – instead of actually posting all of your employee e-mails on the corporate Web site, just post the name without the @xyz.com. That way spam collecting devices will not recognize the e-mail addresses and will not be able to send e-mail
    Opt-out of member directories that may place an e-mail address online – choose not to participate in any activities that place e-mail addresses online
    Use a filter – Use a spam filter to help prevent spam
  • The organization needs to protect itself by knowing what its employees are doing, however does it have to monitor everything throughout the workplace?
    It is difficult to determine when employee monitoring crosses the ethical lines
    What can an organization do to protect itself from such things as sexual harassment, discrimination, and other forms of unethical behavior where it can be held liable?
    A recent survey of workplace monitoring and surveillance practices by the American Management Association (AMA) and the ePolicy Institute showed the degree to which companies are turning to monitoring:
    82 percent (of the 1,627 companies surveyed) acknowledged conducting some form of electronic monitoring or physical surveillance
    63 percent stated that they monitor Internet connections
    47 percent acknowledged storing and reviewing employee e-mail messages
  • Discuss the different types of monitoring technologies outlined in the figure
    Monitoring Employee E-Mail: Efficient Workplaces Vs. Employee Privacy
    Try this as a debate with your students
    http://searchtechtarget.techtarget.com/originalContent/0,289142,sid19_gci1202445,00.html
  • Key logger, or key trapper software A program that, when installed on a computer, records every keystroke and mouse click
    Hardware key logger A hardware device that captures keystrokes on their journey from the keyboard to the motherboard.
    Cookie A small file deposited on a hard drive by a Web site containing information about customers and their Web activities. Cookies allow Web sites to record the comings and goings of customers, usually without their knowledge or consent
    Adware Software generates ads that install themselves on a computer when a person downloads some other program from the Internet.
    Spyware (sneakware or stealthware) Software that comes hidden in free downloadable software and tracks online movements, mines the information stored on a computer, or uses a computer’s CPU and storage for some task the user knows nothing about
    Web log Consists of one line of information for every visitor to a Web site and is usually stored on a Web server
    Clickstream Records information about a customer during a Web surfing session such as what Web sites were visited, how long the visit was, what ads were viewed, and what was purchased
  • Ask your students to rank the employee monitoring policy stipulations in order of greatest importance to least importance for an organization
  • This section takes a look at information security’s two primary lines of defense
    People
    Technology
    CLASSROOM OPENER
    GREAT BUSINESS DECISIONS – The American Express Charge Card
    The product that led to the question “cash or charge?” was the American Express card, or, as Forbes called it: “the late-twentieth-century piece of magic that replaced checks, money, and charge accounts.” The American Express card, and every other charge card, evolved from the company’s greatest invention, the traveler’s check, which was introduced in 1891. With an American Express traveler’s check in hand, a visitor otherwise unknown, could obtain hard cash in a matter of moments. It was a whole new concept, selling people the honor of being trusted, and it caught on. The security of carrying a traveler’s check instead of cash was one of its biggest benefits. The security of carrying a credit card instead of cash was an even bigger benefit. American Express celebrated its 100th birthday in 1950, and its staying power can be ascribed to its understanding that “A credit card, in short, is not a mere commodity, {but} it says something about the person who uses it.” The company understood that the card could be considered much more than financial security, it could be a status symbol.
  • Do you agree that information requires protection?
    What happens if all sales information for a business falls into the hands of its customers?
    What happens if all employee pay rates and bonus information are distributed to all employees?
    What happens if customer credit card numbers are posted to a Web site for anyone to view?
    These are a few of the reasons why it is critical that information must be highly-protected
    With business strategies such as CRM organizations can determine such things as their most valuable customers
    Why would an organization want to protect this type of information?
    Why does e-business automatically create security risks?
    How much critical information is freely flowing over the Internet to customers, partners, and suppliers?
    How has HIPAA helped protect the privacy and security of personal health records?
    HIPAA requires health care organizations to develop, implement, and maintain appropriate security measures when sending electronic health information
  • Knowing how important information security is for an organization, do the above spending amounts seem correct? Why or why not?
    CLASSROOM EXERCISE
    Pizza Video
    You can use this video in a number of classes – it relates well to both information security and ethics
    http://www.adcritic.com/interactive/view.php?id=5927
  • The figure displays the spending per employee on computer security
    The highest average computer security spending per employee was in the transportation industry and federal government - not surprising after 9/11
    Why is the transportation industry spending so high?
    Why is the medical and retail industry spending so low?
    Why is there such a large gap between federal government spending and local government spending?
  • Most information security breaches result from people misusing an organization's information either advertently or inadvertently.
    For example, many people freely give up their passwords or write them on sticky notes next to their computers, leaving the door wide open to intruders
    CLASSROOM EXERCISE
    Ask your students to research the Internet to find the latest version of the CSI/FBI Computer Crime and Security Survey to find the newest information on computer crime and security breaches
  • Have your students review the sample information security plan in Figure 4.18
    CLASSROOM EXERCISE:
    Break your students into groups and ask them to research and review your school’s information security plan
    What did the plan address that your students found surprising?
    What is the plan missing or failing to address?
    If your students were responsible for updating the plan, what would they add?
  • Ask your students to share any experiences they have had with social engineering through stolen passwords or identity theft
    If they had to try to social engineer a password from another student what would they do?
  • Have your students review the five steps for creating an information security plan detailed in Figure 4.19
    Develop the information security policies
    Simple yet effective types of information security policies include:
    Requiring users to log off of their systems before leaving for lunches or meetings
    Never sharing passwords, and changing personal passwords every 60 days.
    Ask your students what other types of information security policies they have encountered
    Communicate the information security policies
    Train all employees and establish clear expectations for following the policies.
    For example – a formal reprimand can be expected if a computer is left unsecured.
    Identify critical information assets and risks
    Require the use of user IDs, passwords, and antivirus software on all systems.
    Ensure that systems that contain links to external networks have firewalls and IDS software.
    Test and reevaluate risks
    Continually perform security reviews, audits, background checks, and security assessment
    Obtain stakeholder support
    Gain the approval and support of the information security policies by the Board of Directors and all stakeholders
  • CLASSROOM EXERCISE
    Defending People
    Break your students into groups and ask them to rank the questions in order of importance
    Ask your students to identify any additional questions not covered in the text
    Have your students present their ranking and additional questions to the rest of the class
    This makes for an excellent debate
  • International Data Corp. estimated worldwide spending on IT security software, hardware, and services would top $35 billion in 2004. Organizations can deploy numerous technologies to prevent information security breaches. When determining which types of technologies to invest in, it helps to understand the three primary information security areas:
    Authentication and authorization
    Prevention and resistance
    Detection and response
  • What types of authentication are you using today?
    What type is used at your bank?
    What type is used for your online banking?
    Is it secure? Why or why not?
    What type would you like for your online banking?
  • Have any of you ever had your authentication method hacked? What was the outcome?
    How many of you have had to call a help-desk due to a password related issue?
  • Discuss the identity theft examples covered in Figure 4.21
    An 82-year-old woman in Fort Worth, Texas, discovered that her identity had been stolen when the woman using her name was involved in a four-car collision. For 18 months, she kept getting notices of lawsuits and overdue medical bills that were really meant for someone else. It took seven years for her to get her financial good name restored after the identity thief charged over $100,000 on her 12 fraudulently acquired credit cards.
    A 42-year-old retired Army captain in Rocky Hill, Connecticut, found that an identity thief had spent $260,000 buying goods and services that included two trucks, a Harley-Davidson motorcycle, and a time-share vacation home in South Carolina. The victim discovered his problem only when his retirement pay was garnished to pay the outstanding bills.
    In New York, members of a pickpocket ring forged the driver’s licenses of their victims within hours of snatching the women’s purses. Stealing a purse typically results in around $200, if not less. But stealing the person’s identity can net on average between $4,000 and $10,000. A crime gang took out $8 million worth of second mortgages on victims’ homes. It turned out the source of all the instances of identity theft came from a car dealership.
    The largest identity-theft scam to date in U.S. history was broken up by police in 2002 when they discovered that three men had downloaded credit reports using stolen passwords and sold them to criminals on the street for $60 each. Many millions of dollars were stolen from people in all 50 states.
  • The above figure displays identity theft losses by 2005 (billions of dollars)
    Have any of you ever been the victim of identity theft? How did the theft occur? What was stolen? How difficult was it to recover?
    What could you have done to prevent the theft?
    A new business is growing for identity theft insurance, which costs between $15 and $50 per month. Would you purchase this insurance? Why or why not?
  • Smart cards can act as identification instruments, a form of digital cash, or a data storage device with the ability to store an entire medical record
    Identify a business opportunity that could take advantage of smart card technology?
    Europe is deploying smart cards for season ticket holders of soccer games. Could the U.S. use the same for NFL games?
    Yes, we could offer smart cards for NFL games, however, many NFL season tickets are owned by a group of people who share the tickets – how would they share a smart card?
  • How many of your students would like to have an iris scan performed each time they entered your classroom or took an exam?
  • How much would it cost eBay or Amazon.com if their systems were down for one day?
    One 22-hour outage in June 2000 caused eBay’s market cap to plunge $5.7 billion
  • How many spam messages do you receive each day?
    What types of preventative measures have they taken to stop spam?
    How many use antivirus software to prevent spam? More importantly, how many have current, up-to-date antivirus software, and how frequently do they actually run it and scan their computers for viruses?
    Research the Internet and find several different spam filters and antivirus software that protect computer users
  • How long would it take a hacker to break an encryption code on a Word document?
    Many hundreds of years, although on television it only takes 10 minutes
    Research the Web to find information about encryption technologies that you can use to protect sensitive information
  • An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.
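The asymmetry described above, carried through with a toy RSA key pair. This is an added illustration, not code from the slide deck; the primes 61 and 53 are the standard textbook toy values and give no real security, which is exactly what the factoring step at the end shows.

```python
# Toy RSA walk-through of the public-key property described in the slide:
# the public key encrypts, only the matching private key decrypts, and the
# private key is (for real key sizes) infeasible to derive from the public one.
# Added illustration, not code from the slide deck; the primes 61 and 53 are
# textbook toy values and this is NOT a secure implementation.
from math import gcd, isqrt


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Multiplicative inverse of a modulo m; raises if a and m share a factor."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse exists")
    return x % m


def keygen(p, q, e=17):
    """Derive a key pair from primes p, q.

    Public key  (n, e): n = p*q, e coprime to phi(n).
    Private key (n, d): d = e^-1 mod phi(n), which needs phi(n) = (p-1)(q-1),
    i.e. knowledge of the factors of n.  The public key reveals only n and e.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, modinv(e, phi))


def encrypt(public_key, m):
    """Anyone holding the public key can do this step: c = m^e mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private exponent d undoes encryption: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """Attempt to deduce d from the public key alone by factoring n.

    Trial division succeeds instantly for a 12-bit toy modulus; the slide's
    'virtually impossible' claim holds only for moduli of thousands of bits,
    so the defender's control is key length, not secrecy of n.
    """
    n, e = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return keygen(p, n // p, e)[1]
    raise ValueError("n is prime or too large to factor this way")


def walkthrough(p=61, q=53, message=65):
    """Run the whole exchange and return the intermediate values."""
    public_key, private_key = keygen(p, q)
    ciphertext = encrypt(public_key, message)
    with_private = decrypt(private_key, ciphertext)
    # Applying the public exponent again is all an eavesdropper without d
    # can do with the public key; it does not yield the plaintext.
    with_public_only = pow(ciphertext, public_key[1], public_key[0])
    return {
        "public_key": public_key,
        "private_key": private_key,
        "ciphertext": ciphertext,
        "decrypted_with_private": with_private,
        "decrypted_with_public_only": with_public_only,
        "private_key_recovered_by_factoring": recover_private_key(public_key),
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name:36} {value}")
```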
  • A firewall examines each message that wants entrance to the network, and unless the message has the correct marking, the firewall prevents it from entering the network
    What would happen to an organization that did not have firewalls at the entrance of its networks?
    This organization’s servers would not be operating for long because they would be continually hacked
  • A firewall examines each message that wants entrance to the network, and unless the message has the correct marking, the firewall prevents it from entering the network
    Point out to your students the placement of the firewalls between the servers and the Internet
  • A single worm can cause massive damage
    In August 2003, the “Blaster worm” infected over 50,000 computers worldwide and was one of the worst outbreaks of the year
    Jeffrey Lee Parson, 18, was arrested by U.S. cyber investigators for unleashing the damaging worm on the Internet
    The worm replicated itself repeatedly, eating up computer capacity, but did not damage information or programs
    The worm generated so much traffic that it brought entire networks down
  • White-hat hackers—work at the request of the system owners to find system vulnerabilities and plug the holes
    Black-hat hackers—break into other people’s computer systems and may just look around or may steal and destroy information
    Hactivists—have philosophical and political reasons for breaking into systems and will often deface the Web site as a protest
    Script kiddies or script bunnies—find hacking code on the Internet and click-and-point their way into systems to cause damage or spread viruses
    Cracker—a hacker with criminal intent
    Cyberterrorists—seek to cause harm to people or to destroy critical systems or information and use the Internet as a weapon of mass destruction
  • Worm—a type of virus that spreads itself, not only from file to file, but also from computer to computer. The primary difference between a virus and a worm is that a virus must attach to something, such as an executable file, in order to spread. Worms do not need to attach to anything to spread and can tunnel themselves into computers.
    Denial-of-service attack (DoS)—floods a Web site with so many requests for service that it slows down or crashes the site
    Distributed denial-of-service attack (DDoS)—attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes. A common type is the Ping of Death, in which thousands of computers try to access a Web site at the same time, overloading it and shutting it down.
    Trojan-horse virus—hides inside other software, usually as an attachment or a downloadable file
    Backdoor programs—viruses that open a way into the network for future attacks
    Polymorphic viruses and worms—change their form as they propagate
  • Elevation of privilege is a process by which a user misleads a system into granting unauthorized rights, usually for the purpose of compromising or destroying the system. For example, an attacker might log on to a network by using a guest account, and then exploit a weakness in the software that lets the attacker change the guest privileges to administrative privileges.
    Hoaxes attack computer systems by transmitting a virus hoax, with a real virus attached. By masking the attack in a seemingly legitimate message, unsuspecting users more readily distribute the message and send the attack on to their co-workers and friends, infecting many users along the way.
    Malicious code includes a variety of threats such as viruses, worms, and Trojan horses
    Spoofing is the forging of the return address on an e-mail so that the e-mail message appears to come from someone other than the actual sender. This is not a virus but rather a way by which virus authors conceal their identities as they send out viruses.
    Spyware is software that comes hidden in free downloadable software and tracks online movements, mines the information stored on a computer, or uses a computer’s CPU and storage for some task the user knows nothing about. According to the National Cyber Security Alliance, 91 percent of study participants had spyware on their computers, which can cause extremely slow performance, excessive pop-up ads, or hijacked home pages.
    A sniffer is a program or device that can monitor data traveling over a network. Sniffers can show all the data being transmitted over a network, including passwords and sensitive information. Sniffers tend to be a favorite weapon in the hacker’s arsenal.
    Packet tampering consists of altering the contents of packets as they travel over the Internet or altering data on computer disks after penetrating a network. For example, an attacker might place a tap on a network line to intercept packets as they leave the computer. The attacker could eavesdrop or alter the information as it leaves the network.
  • Ethics and information security 2

    1. 1. 4-1 Chapter Four Overview • SECTION 4.1 - ETHICS – – – – Ethics Information Ethics Developing Information Management Policies Ethics in the Workplace • SECTION 4.2 - INFORMATION SECURITY – Protecting Intellectual Assets – The First Line of Defense - People – The Second Line of Defense - Technology
    2. 2. 4-2 Organizational Fundamentals – Ethics and Security • Ethics and security are two fundamental building blocks that organizations must base their businesses on to be successful • In recent years, such events as the Enron and Martha Stewart, along with 9/11 have shed new light on the meaning of ethics and security
    3. 3. SECTION 4.1 ETHICS McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved
    4. 4. 4-4 ETHICS • Ethics – the principles and standards that guide our behavior toward other people • Issues affected by technology advances – Intellectual property – Copyright – Fair use doctrine – Pirated software – Counterfeit software
    5. 5. 4-5 ETHICS • Privacy is a major ethical issue – Privacy – the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent – Confidentiality – the assurance that messages and information are available only to those who are authorized to view them
    6. 6. 4-6 ETHICS • One of the main ingredients in trust is privacy • Primary reasons privacy issues lost trust for ebusiness
    7. 7. 4-7 INFORMATION ETHICS • Individuals form the only ethical component of IT
    8. 8. 4-8 Information Has No Ethics • Acting ethically and legally are not always the same
    9. 9. 4-9 Information Has No Ethics • Information does not care how it is used • Information will not stop itself from sending spam, viruses, or highly-sensitive information • Information cannot delete or preserve itself
4-10 DEVELOPING INFORMATION MANAGEMENT POLICIES
• Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement
• ePolicies typically include:
  – Ethical computer use policy
  – Information privacy policy
  – Acceptable use policy
  – E-mail privacy policy
  – Internet use policy
  – Anti-spam policy

4-11 Ethical Computer Use Policy
• Ethical computer use policy – contains general principles to guide computer user behavior
• The ethical computer use policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules

4-12 Ethical Computer Use Policy

4-13 Information Privacy Policy
• The unethical use of information typically occurs “unintentionally” when it is used for new purposes
  – For example, social security numbers started as a way to identify government retirement benefits and are now used as a sort of universal personal ID
• Information privacy policy – contains general principles regarding information privacy

4-14 Information Privacy Policy
• Information privacy policy guidelines
  1. Adoption and implementation of a privacy policy
  2. Notice and disclosure
  3. Choice and consent
  4. Information security
  5. Information quality and access

4-15 Acceptable Use Policy
• Acceptable use policy (AUP) – a policy that a user must agree to follow in order to be provided access to a network or to the Internet
• An AUP usually contains a nonrepudiation clause
  – Nonrepudiation – a contractual stipulation to ensure that e-business participants do not deny (repudiate) their online actions

4-16 Acceptable Use Policy

4-17 E-Mail Privacy Policy
• Organizations can mitigate the risks of e-mail and instant messaging communication tools by implementing and adhering to an e-mail privacy policy
• E-mail privacy policy – details the extent to which e-mail messages may be read by others

4-18 E-Mail Privacy Policy

4-19 E-Mail Privacy Policy

4-20 Internet Use Policy
• Internet use policy – contains general principles to guide the proper use of the Internet

4-21 Anti-Spam Policy
• Spam – unsolicited e-mail
• Spam accounts for 40% to 60% of most organizations’ e-mail and cost U.S. businesses over $14 billion in 2005
• Anti-spam policy – simply states that e-mail users will not send unsolicited e-mails (or spam)
4-22 ETHICS IN THE WORKPLACE
• Workplace monitoring is a concern for many employees
• Organizations can be held financially responsible for their employees’ actions
• The dilemma surrounding employee monitoring in the workplace is that an organization places itself at risk if it fails to monitor its employees; however, some people feel that monitoring employees is unethical

4-23 Monitoring Technologies

4-24 Monitoring Technologies
• Monitoring – tracking people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed
• Common monitoring technologies include:
  – Key logger or key trapper software
  – Hardware key logger
  – Cookie
  – Adware
  – Spyware
  – Web log
  – Clickstream

4-25 Employee Monitoring Policies
• Employee monitoring policies – explicitly state how, when, and where the company monitors its employees
SECTION 4.2 INFORMATION SECURITY

4-27 PROTECTING INTELLECTUAL ASSETS
• Organizational information is intellectual capital – it must be protected
• Information security – the protection of information from accidental or intentional misuse by persons inside or outside an organization
• E-business automatically creates tremendous information security risks for organizations

4-28 PROTECTING INTELLECTUAL ASSETS

4-29 PROTECTING INTELLECTUAL ASSETS

4-30 THE FIRST LINE OF DEFENSE - PEOPLE
• Organizations must enable employees, customers, and partners to access information electronically
• The biggest issue surrounding information security is not a technical issue, but a people issue
• 33% of security incidents originate within the organization
  – Insiders – legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident

4-31 THE FIRST LINE OF DEFENSE - PEOPLE
• The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan
  – Information security policies – identify the rules required to maintain information security
  – Information security plan – details how an organization will implement the information security policies

4-32 THE FIRST LINE OF DEFENSE - PEOPLE
• Hackers frequently use “social engineering” to obtain passwords
  – Social engineering – using one’s social skills to trick people into revealing access credentials or other information valuable to the attacker
4-33 THE FIRST LINE OF DEFENSE - PEOPLE
• Five steps to creating an information security plan:
  1. Develop the information security policies
  2. Communicate the information security policies
  3. Identify critical information assets and risks
  4. Test and reevaluate risks
  5. Obtain stakeholder support

4-34 THE FIRST LINE OF DEFENSE - PEOPLE

4-35 THE SECOND LINE OF DEFENSE - TECHNOLOGY
• There are three primary information technology security areas
  1. Authentication and authorization
  2. Prevention and resistance
  3. Detection and response

4-36 Authentication and Authorization
• Authentication – a method for confirming users’ identities
• Authorization – the process of giving someone permission to do or have something
• The most secure type of authentication involves:
  1. Something the user knows such as a user ID and password
  2. Something the user has such as a smart card or token
  3. Something that is part of the user such as a fingerprint or voice signature
4-37 Something the User Knows Such As a User ID and Password
• This is the most common way to identify individual users and typically contains a user ID and a password
• This is also the most ineffective form of authentication
• Over 50 percent of help-desk calls are password related

4-38 Something the User Knows Such As a User ID and Password
• Identity theft – the forging of someone’s identity for the purpose of fraud
• Phishing – a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail

4-39 Something the User Knows Such As a User ID and Password

4-40 Something the User Knows Such As a User ID and Password
• Smart cards and tokens are more effective than a user ID and a password
  – Tokens – small electronic devices that change user passwords automatically
  – Smart card – a device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing

4-41 Something That Is Part Of The User Such As a Fingerprint or Voice Signature
• This is by far the best and most effective way to manage authentication
  – Biometrics – the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting
• Unfortunately, this method can be costly and intrusive
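The first two factors on these slides combined in one login check, as an added example that is not from the textbook or the slide deck: a salted password hash for the factor the user knows, and a time-based one-time code (TOTP, RFC 6238) standing in for the token the user has that "changes the password automatically". The user record, shared secret and password are constructed for the example; a login succeeds only when both factors verify, so a phished password alone is not enough.

```python
"""Two-factor login check: a password the user knows plus a one-time code
from a token the user has. Added example; not code from the slides."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# --- Factor 1: something the user knows --------------------------------
# Passwords are never stored in clear; keep a salted PBKDF2 hash instead.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest) for storage in the user database."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# --- Factor 2: something the user has ----------------------------------
# The token and the server share a secret; both derive a short code from it
# and the current 30-second time step (TOTP, RFC 6238, HMAC-SHA1).
def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: float, window: int = 1) -> bool:
    # Accept the current step and one step either side to absorb clock drift.
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + delta * 30), code):
            return True
    return False


# --- Both factors together ---------------------------------------------
def login(users: dict, user_id: str, password: str, code: str, now: Optional[float] = None) -> bool:
    record = users.get(user_id)
    if record is None:
        return False
    now = time.time() if now is None else now
    ok_password = verify_password(password, record["salt"], record["hash"])
    ok_token = verify_totp(record["totp_secret"], code, now)
    return ok_password and ok_token  # both factors must pass


def build_demo_users() -> dict:
    """Constructed user database with one account (example data only)."""
    salt, digest = hash_password("correct horse battery staple")
    return {"alice": {"salt": salt, "hash": digest,
                      "totp_secret": b"constructed-demo-secret"}}


if __name__ == "__main__":
    users = build_demo_users()
    now = time.time()
    code = totp(users["alice"]["totp_secret"], now)   # what the token would display
    print("login with both factors:", login(users, "alice", "correct horse battery staple", code, now))
    print("login with password only:", login(users, "alice", "correct horse battery staple", "000000", now))
```

The `totp` routine follows the RFC 6238 test vectors (the shared secret `12345678901234567890` at time 59 yields `94287082` with eight digits), so a real authenticator app configured with the same secret would agree with the server.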
4-42 Prevention and Resistance
• Downtime can cost an organization anywhere from $100 to $1 million per hour
• Technologies available to help prevent and build resistance to attacks include:
  1. Content filtering
  2. Encryption
  3. Firewalls

4-43 Content Filtering
• Organizations can use content filtering technologies to filter e-mail, preventing e-mails containing sensitive information from being transmitted and stopping spam and viruses from spreading
  – Content filtering – occurs when organizations use software that filters content to prevent the transmission of unauthorized information
  – Spam – a form of unsolicited e-mail
  – Corporate losses caused by spam
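An outbound e-mail content filter of the kind the slide describes, as an added example that is not from the textbook or the slide deck. The patterns for sensitive data (social security numbers, card numbers checked with the Luhn digit, classification markings), the spam terms and the internal domain `example.com` are all constructed assumptions; a real deployment tunes them to the organization's own data types. A message carrying sensitive data to an external recipient is blocked, a message scoring high on spam indicators is quarantined, and everything else is delivered.

```python
"""Outbound e-mail content filter: blocks messages that carry sensitive data
to outside recipients and quarantines likely spam. Added example; the
patterns and sample messages are constructed, not from the slides."""
import re
from dataclasses import dataclass, field

# Data that must not leave the organization in clear text (constructed set).
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "classification": re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.I),
}
# Simple spam indicators; each occurrence adds one to the score.
SPAM_TERMS = ("act now", "free money", "winner", "limited time", "click here")
SPAM_THRESHOLD = 2


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                      # "deliver", "block" or "quarantine"
    reasons: list = field(default_factory=list)


def luhn_ok(number: str) -> bool:
    """Luhn check digit; filters out random 16-digit strings that are not card numbers."""
    digits = [int(d) for d in re.sub(r"\D", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    hits = []
    for name, pattern in SENSITIVE_PATTERNS.items():
        for match in pattern.finditer(text):
            if name == "card" and not luhn_ok(match.group()):
                continue                     # reduce false positives
            hits.append(name)
    return hits


def spam_score(text: str) -> int:
    lower = text.lower()
    return sum(lower.count(term) for term in SPAM_TERMS)


def filter_message(msg: Message, internal_domain: str = "example.com") -> Verdict:
    text = msg.subject + "\n" + msg.body
    verdict = Verdict("deliver")
    external = [r for r in msg.recipients
                if not r.lower().endswith("@" + internal_domain)]
    hits = find_sensitive(text)
    if hits and external:
        verdict.action = "block"
        verdict.reasons.append(
            "sensitive data (%s) addressed to external recipient" % ", ".join(sorted(set(hits))))
    score = spam_score(text)
    if score >= SPAM_THRESHOLD and verdict.action == "deliver":
        verdict.action = "quarantine"
        verdict.reasons.append("spam score %d" % score)
    return verdict


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        Message("alice@example.com", ["bob@partner.test"], "Q3 numbers",
                "Employee SSN 123-45-6789 is attached."),
        Message("alice@example.com", ["hr@example.com"], "Q3 numbers",
                "Employee SSN 123-45-6789 is attached."),
        Message("promo@spam.test", ["alice@example.com"], "You are a WINNER",
                "Act now and click here for free money"),
    ]
    for m in samples:
        v = filter_message(m)
        print(m.recipients, v.action, v.reasons)
```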
4-44 Encryption
• If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
  – Encryption – scrambles information into an alternative form that requires a key or password to decrypt the information
  – Public key encryption (PKE) – an encryption system that uses two keys: a public key for everyone and a private key for the recipient

4-45 Encryption
4-46 Firewalls
• One of the most common defenses for preventing a security breach is a firewall
  – Firewall – hardware and/or software that guards a private network by analyzing the information leaving and entering the network

4-47 Firewalls
• Sample firewall architecture connecting systems located in Chicago, New York, and Boston
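What "analyzing the information leaving and entering the network" amounts to in a packet-filtering firewall, as an added example that is not from the textbook or the slide deck: an ordered rule list evaluated first-match-wins, with a default-deny fallback for anything no rule mentions. The private network `10.0.0.0/8`, the web server `10.0.1.10`, the resolver `10.0.0.53` and the rule set are constructed assumptions; the first rule shows the anti-spoofing check that drops inbound traffic claiming an internal source address.

```python
"""Stateless packet filter with an ordered rule list and default deny.
Added example; the network, rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (Internet -> private network) or "out"
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IP address
    dst: str            # destination IP address
    dport: int = 0      # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    direction: str      # "in", "out" or "any"
    proto: str          # protocol name or "any"
    src: str            # source network in CIDR notation
    dst: str            # destination network in CIDR notation
    dports: tuple = ()  # allowed destination ports; empty means any
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


# Constructed policy for a private network 10.0.0.0/8 with one public web server.
RULES = [
    Rule("deny", "in", "any", "10.0.0.0/8", "0.0.0.0/0",
         comment="anti-spoofing: internal source address arriving from outside"),
    Rule("allow", "in", "tcp", "0.0.0.0/0", "10.0.1.10/32", (80, 443), "public web server"),
    Rule("allow", "out", "tcp", "10.0.0.0/8", "0.0.0.0/0", (80, 443), "employee web browsing"),
    Rule("allow", "out", "udp", "10.0.0.0/8", "10.0.0.53/32", (53,), "internal DNS resolver"),
    Rule("deny", "out", "any", "10.0.0.0/8", "0.0.0.0/0",
         comment="everything else leaving the network is dropped and logged"),
]


def evaluate(rules, pkt: Packet):
    """First matching rule wins; with no match the packet falls to default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny"


if __name__ == "__main__":
    # Constructed sample traffic.
    for pkt in (Packet("in", "tcp", "203.0.113.5", "10.0.1.10", 443),
                Packet("in", "tcp", "203.0.113.5", "10.0.1.10", 22),
                Packet("in", "tcp", "10.0.5.5", "10.0.1.10", 80),
                Packet("out", "udp", "10.0.2.7", "10.0.0.53", 53),
                Packet("out", "tcp", "10.0.2.7", "198.51.100.1", 25)):
        print(pkt, "->", evaluate(RULES, pkt))
```

Rule order matters: moving the anti-spoofing rule below the web-server rule would let a forged packet with an internal source reach port 80, which is exactly the kind of ordering mistake a change review on firewall policy should catch.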
4-48 Detection and Response
• If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
• Antivirus software is the most common type of detection and response technology

4-49 Detection and Response
• Hacker – people very knowledgeable about computers who use their knowledge to invade other people’s computers
  – White-hat hacker
  – Black-hat hacker
  – Hacktivist
  – Script kiddies or script bunnies
  – Cracker
  – Cyberterrorist

4-50 Detection and Response
• Virus – software written with malicious intent to cause annoyance or damage
  – Worm
  – Denial-of-service attack (DoS)
  – Distributed denial-of-service attack (DDoS)
  – Trojan-horse virus
  – Backdoor program
  – Polymorphic virus and worm

4-51 Detection and Response
• Security threats to e-business include:
  – Elevation of privilege
  – Hoaxes
  – Malicious code
  – Spoofing
  – Spyware
  – Sniffer
  – Packet tampering
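The detection-and-response pattern of the antivirus software named on slide 4-48, in miniature, as an added example that is not from the textbook or the slide deck: a scanner that detects files by an exact SHA-256 match against known samples or by a byte pattern that survives small edits, then responds by moving each detection into a quarantine directory with execute permission removed. The signatures, file names and file contents are all constructed for the example and carry no real malware; the pattern-based signature is also what defeats the simplest polymorphic trick of appending or prepending junk to a known file.

```python
"""Signature-based file scanner with a quarantine response.
Added example; signatures and sample files are constructed, not real malware."""
import hashlib
import os
import shutil
from pathlib import Path

# Two kinds of signature: the SHA-256 of a known-bad file, and a byte pattern.
HASH_SIGNATURES = {}                      # hex digest -> name, filled by register_known_bad()
PATTERN_SIGNATURES = {                    # constructed markers standing in for real patterns
    "Demo.Dropper.A": b"CONSTRUCTED-MALWARE-MARKER-1",
    "Demo.Worm.B": b"CONSTRUCTED-WORM-MARKER-2",
}


def sha256_file(path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def register_known_bad(name: str, content: bytes) -> None:
    HASH_SIGNATURES[hashlib.sha256(content).hexdigest()] = name


def scan_file(path):
    """Return the name of the signature that fired, or None if the file is clean."""
    if sha256_file(path) in HASH_SIGNATURES:
        return HASH_SIGNATURES[sha256_file(path)]
    data = Path(path).read_bytes()
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_and_quarantine(root, quarantine_dir) -> dict:
    """Scan every file under root; move detections into quarantine_dir.
    Returns {original_path: signature_name} for the incident record."""
    root, quarantine_dir = Path(root), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    findings = {}
    for path in list(root.rglob("*")):           # snapshot first; we move files below
        if not path.is_file() or quarantine_dir in path.parents:
            continue
        hit = scan_file(path)
        if hit:
            findings[str(path)] = hit
            target = quarantine_dir / (path.name + ".quarantined")
            shutil.move(str(path), str(target))
            os.chmod(target, 0o400)               # response: read-only, not executable
    return findings


def build_demo_tree(base) -> Path:
    """Constructed sample files: one clean, one hash match, one pattern match."""
    base = Path(base)
    base.mkdir(parents=True, exist_ok=True)
    known_bad = b"bytes of a sample that was previously analysed (constructed)"
    register_known_bad("Demo.Known.C", known_bad)
    (base / "report.txt").write_bytes(b"quarterly numbers, nothing of interest")
    (base / "sample.bin").write_bytes(known_bad)
    # Same marker with junk around it: the hash changes, the pattern still matches.
    (base / "patched.bin").write_bytes(b"junk-header" + PATTERN_SIGNATURES["Demo.Worm.B"] + b"junk-tail")
    return base


def run_demo():
    """Build the constructed tree in a temporary directory and scan it."""
    import tempfile
    base = build_demo_tree(tempfile.mkdtemp(prefix="av-demo-"))
    findings = scan_and_quarantine(base, base / "quarantine")
    return base, findings


if __name__ == "__main__":
    base, findings = run_demo()
    for original, name in findings.items():
        print("quarantined", original, "as", name)
    print("remaining files:", sorted(p.name for p in base.iterdir() if p.is_file()))
```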
