13-3 Learning Objectives
• Identify several ethical issues in how the use of information technologies in business affects
  • Employment
  • Individuality
  • Working conditions
  • Privacy
  • Crime
  • Health
  • Solutions to societal problems
13-4 Learning Objectives
• Identify several types of security management strategies and defenses, and explain how they can be used to ensure the security of business applications of information technology
• Propose several ways that business managers and professionals can help to lessen the harmful effects and increase the beneficial effects of the use of information technology
13-5 Case 1: Cyberscams and Cybercriminals
• Cyberscams are today’s fastest-growing criminal niche
• 87 percent of companies surveyed reported a security incident
• The U.S. Federal Trade Commission says identity theft is its top complaint
• eBay has 60 people combating fraud; Microsoft has 65
• Stolen credit card account numbers are regularly sold online
13-6 Case Study Questions
• What are several reasons why “cyberscams are today’s fastest-growing criminal niche”?
• Explain why the reasons you give contribute to the growth of cyberscams
• What are several security measures that could be implemented to combat the spread of cyberscams?
• Explain why your suggestions would be effective in limiting the spread of cyberscams
13-7 Case Study Questions
• Which one or two of the four top cybercriminals described in this case poses the greatest threat to businesses? To consumers?
• Explain the reasons for your choices, and how businesses and consumers can protect themselves from these cyberscammers
13-9 IT Security, Ethics, and Society
• Information technology has both beneficial and detrimental effects on society and people
• Manage work activities to minimize the detrimental effects of information technology
• Optimize the beneficial effects
13-10 Business Ethics
• Ethics questions that managers confront as part of their daily business decision making include
  • Equity
  • Rights
  • Honesty
  • Exercise of corporate power
13-12 Corporate Social Responsibility Theories
• Stockholder Theory
  • Managers are agents of the stockholders
  • Their only ethical responsibility is to increase the profits of the business without violating the law or engaging in fraudulent practices
• Social Contract Theory
  • Companies have ethical responsibilities to all members of society, who allow corporations to exist
13-13 Corporate Social Responsibility Theories
• Stakeholder Theory
  • Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders
  • Stakeholders are all individuals and groups that have a stake in, or claim on, a company
13-14 Principles of Technology Ethics
• Proportionality
  • The good achieved by the technology must outweigh the harm or risk; there must be no alternative that achieves the same or comparable benefits with less harm or risk
• Informed Consent
  • Those affected by the technology should understand and accept the risks
13-15 Principles of Technology Ethics
• Justice
  • The benefits and burdens of the technology should be distributed fairly
  • Those who benefit should bear their fair share of the risks, and those who do not benefit should not suffer a significant increase in risk
• Minimized Risk
  • Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk
13-17 Responsible Professional Guidelines
• A responsible professional
  • Acts with integrity
  • Increases personal competence
  • Sets high standards of personal performance
  • Accepts responsibility for his/her work
  • Advances the health, privacy, and general welfare of the public
13-18 Computer Crime
• Computer crime includes
  • Unauthorized use, access, modification, or destruction of hardware, software, data, or network resources
  • The unauthorized release of information
  • The unauthorized copying of software
  • Denying an end user access to his/her own hardware, software, data, or network resources
  • Using or conspiring to use computer or network resources illegally to obtain information or tangible property
13-20 Hacking
• Hacking is
  • The obsessive use of computers
  • The unauthorized access and use of networked computer systems
• Electronic Breaking and Entering
  • Hacking into a computer system and reading files, but neither stealing nor damaging anything
• Cracker
  • A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage
13-21 Common Hacking Tactics
• Denial of Service
  • Hammering a website’s equipment with too many requests for information
  • Clogging the system, slowing performance, or crashing the site
• Scans
  • Widespread probes of the Internet to determine types of computers, services, and connections
  • Looking for weaknesses
13-22 Common Hacking Tactics
• Sniffer
  • Programs that search individual packets of data as they pass through the Internet
  • Capturing passwords or entire contents
• Spoofing
  • Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers
13-23 Common Hacking Tactics
• Trojan Horse
  • A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software
• Back Doors
  • A hidden point of entry to be used in case the original entry point is detected or blocked
• Malicious Applets
  • Tiny Java programs that misuse your computer’s resources, modify files on the hard disk, send fake email, or steal passwords
13-24 Common Hacking Tactics
• War Dialing
  • Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection
• Logic Bombs
  • An instruction in a computer program that triggers a malicious act
• Buffer Overflow
  • Crashing or gaining control of a computer by sending too much data to buffer memory
13-25 Common Hacking Tactics
• Password Crackers
  • Software that can guess passwords
• Social Engineering
  • Gaining access to computer systems by talking unsuspecting company employees out of valuable information, such as passwords
• Dumpster Diving
  • Sifting through a company’s garbage to find information to help break into their computers
13-26 Cyber Theft
• Many computer crimes involve the theft of money
• The majority are “inside jobs” that involve unauthorized network entry and alteration of computer databases to cover the tracks of the employees involved
• Many attacks occur through the Internet
• Most companies don’t reveal that they have been targets or victims of cybercrime
13-27 Unauthorized Use at Work
• Unauthorized use of computer systems and networks is time and resource theft
  • Doing private consulting
  • Doing personal finances
  • Playing video games
  • Unauthorized use of the Internet or company networks
• Sniffers
  • Used to monitor network traffic or capacity
  • Find evidence of improper use
13-28 Internet Abuses in the Workplace
• General email abuses
• Unauthorized usage and access
• Copyright infringement/plagiarism
• Newsgroup postings
• Transmission of confidential data
• Pornography
• Hacking
• Non-work-related download/upload
• Leisure use of the Internet
• Use of external ISPs
• Moonlighting
13-29 Software Piracy
• Software Piracy
  • Unauthorized copying of computer programs
• Licensing
  • Purchasing software is really a payment for a license for fair use
  • Site license allows a certain number of copies
• A third of the software industry’s revenues are lost to piracy
13-30 Theft of Intellectual Property
• Intellectual Property
  • Copyrighted material
  • Includes such things as music, videos, images, articles, books, and software
• Copyright Infringement is Illegal
  • Peer-to-peer networking techniques have made it easy to trade pirated intellectual property
• Publishers Offer Inexpensive Online Music
  • Illegal downloading of music and video is down and continues to drop
13-31 Viruses and Worms
• A virus is a program that cannot work without being inserted into another program
• A worm can run unaided
• These programs copy annoying or destructive routines into networked computers
  • Copy routines spread the virus
• Commonly transmitted through
  • The Internet and online services
  • Email and file attachments
  • Disks from contaminated computers
  • Shareware
13-32 Top Five Virus Families of All Time
• My Doom, 2004
  • Spread via email and over the Kazaa file-sharing network
  • Installs a back door on infected computers
  • Infected email poses as a returned message or one that can’t be opened correctly, urging the recipient to click on the attachment
  • Opens up TCP ports that stay open even after termination of the worm
  • Upon execution, a copy of Notepad is opened, filled with nonsense characters
13-33 Top Five Virus Families of All Time
• Netsky, 2004
  • Mass-mailing worm that spreads by emailing itself to all email addresses found on infected computers
  • Tries to spread via peer-to-peer file sharing by copying itself into the shared folder
  • It renames itself to pose as one of 26 other common files along the way
13-34 Top Five Virus Families of All Time
• SoBig, 2004
  • Mass-mailing email worm that arrives as an attachment
  • Examples: Movie_0074.mpg.pif, Document003.pif
  • Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking for email addresses to which it can send itself
  • Also attempts to download updates for itself
13-35 Top Five Virus Families of All Time
• Klez, 2002
  • A mass-mailing email worm that arrives with a randomly named attachment
  • Exploits a known vulnerability in MS Outlook to auto-execute on unpatched clients
  • Tries to disable virus scanners and then copy itself to all local and networked drives with a random file name
  • Deletes all files on the infected machine and any mapped network drives on the 13th of all even-numbered months
13-36 Top Five Virus Families of All Time
• Sasser, 2004
  • Exploits a Microsoft vulnerability to spread from computer to computer with no user intervention
  • Spawns multiple threads that scan local subnets for vulnerabilities
13-37 The Cost of Viruses, Trojans, Worms
• Cost of the top five virus families
  • Nearly 115 million computers in 200 countries were infected in 2004
  • Up to 11 million computers are believed to be permanently infected
  • In 2004, total economic damage from virus proliferation was $166 to $202 billion
  • Average damage per computer is between $277 and $366
13-38 Adware and Spyware
• Adware
  • Software that purports to serve a useful purpose, and often does
  • Allows advertisers to display pop-up and banner ads without the consent of the computer users
• Spyware
  • Adware that uses an Internet connection in the background, without the user’s permission or knowledge
  • Captures information about the user and sends it over the Internet
13-39 Spyware Problems
• Spyware can steal private information and also
  • Add advertising links to Web pages
  • Redirect affiliate payments
  • Change a user’s home page and search settings
  • Make a modem randomly call premium-rate phone numbers
  • Leave security holes that let Trojans in
  • Degrade system performance
• Removal programs are often not completely successful in eliminating spyware
13-40 Privacy Issues
• The power of information technology to store and retrieve information can have a negative effect on every individual’s right to privacy
• Personal information is collected with every visit to a Web site
• Confidential information stored by credit bureaus, credit card companies, and the government has been stolen or misused
13-41 Opt-in Versus Opt-out
• Opt-In
  • You explicitly consent to allow data to be compiled about you
  • This is the default in Europe
• Opt-Out
  • Data can be compiled about you unless you specifically request it not be
  • This is the default in the U.S.
13-42 Privacy Issues
• Violation of Privacy
  • Accessing individuals’ private email conversations and computer records
  • Collecting and sharing information about individuals gained from their visits to Internet websites
• Computer Monitoring
  • Always knowing where a person is
  • Mobile and paging services are becoming more closely associated with people than with places
13-43 Privacy Issues
• Computer Matching
  • Using customer information gained from many sources to market additional business services
• Unauthorized Access of Personal Files
  • Collecting telephone numbers, email addresses, credit card numbers, and other information to build customer profiles
13-44 Protecting Your Privacy on the Internet
• There are multiple ways to protect your privacy
  • Encrypt email
  • Send newsgroup postings through anonymous remailers
  • Ask your ISP not to sell your name and information to mailing list providers and other marketers
  • Don’t reveal personal data and interests on online service and website user profiles
13-45 Privacy Laws
• Electronic Communications Privacy Act and Computer Fraud and Abuse Act
  • Prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems
• U.S. Computer Matching and Privacy Act
  • Regulates the matching of data held in federal agency files to verify eligibility for federal programs
13-46 Privacy Laws
• Other laws impacting privacy and how much a company spends on compliance
  • Sarbanes-Oxley
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley
  • USA Patriot Act
  • California Security Breach Law
  • Securities and Exchange Commission rule 17a-4
13-47 Computer Libel and Censorship
• The opposite side of the privacy debate…
  • Freedom of information, speech, and press
• Biggest battlegrounds
  • Bulletin boards
  • Email boxes
  • Online files of Internet and public networks
• Weapons used in this battle
  • Spamming
  • Flame mail
  • Libel laws
  • Censorship
13-48 Computer Libel and Censorship
• Spamming
  • Indiscriminate sending of unsolicited email messages to many Internet users
• Flaming
  • Sending extremely critical, derogatory, and often vulgar email messages or newsgroup postings to other users on the Internet or online services
  • Especially prevalent on special-interest newsgroups
13-49 Cyberlaw
• Laws intended to regulate activities over the Internet or via electronic communication devices
• Encompasses a wide variety of legal and political issues
  • Includes intellectual property, privacy, freedom of expression, and jurisdiction
13-50 Cyberlaw
• The intersection of technology and the law is controversial
• Some feel the Internet should not be regulated
  • Encryption and cryptography make traditional forms of regulation difficult
  • The Internet treats censorship as damage and simply routes around it
• Cyberlaw only began to emerge in 1996
• Debate continues regarding the applicability of legal principles derived from issues that had nothing to do with cyberspace
13-51 Other Challenges
• Employment
  • IT creates new jobs and increases productivity
  • It can also cause significant reductions in job opportunities, as well as requiring new job skills
• Computer Monitoring
  • Using computers to monitor the productivity and behavior of employees as they work
  • Criticized as unethical because it monitors individuals, not just work, and is done constantly
  • Criticized as an invasion of privacy because many employees do not know they are being monitored
13-52 Other Challenges
• Working Conditions
  • IT has eliminated monotonous or obnoxious tasks
  • However, some skilled craftsperson jobs have been replaced by jobs requiring routine, repetitive tasks or standby roles
• Individuality
  • Dehumanizes and depersonalizes activities because computers eliminate human relationships
  • Inflexible systems
13-53 Health Issues
• Cumulative Trauma Disorders (CTDs)
  • Disorders suffered by people who sit at a PC or terminal and do fast-paced repetitive keystroke jobs
• Carpal Tunnel Syndrome
  • Painful, crippling ailment of the hand and wrist
  • Typically requires surgery to cure
13-54 Ergonomics
• Designing healthy work environments
  • Safe, comfortable, and pleasant for people to work in
  • Increases employee morale and productivity
• Also called human factors engineering
13-56 Societal Solutions
• Using information technologies to solve human and social problems
  • Medical diagnosis
  • Computer-assisted instruction
  • Governmental program planning
  • Environmental quality control
  • Law enforcement
  • Job placement
13-57 Societal Solutions
• The detrimental effects of information technology
  • Often caused by individuals or organizations not accepting ethical responsibility for their actions
13-58 Security Management of IT
• The Internet was developed for interoperability, not impenetrability
• Business managers and professionals alike are responsible for the security, quality, and performance of business information systems
• Hardware, software, networks, and data resources must be protected by a variety of security measures
13-59 Case 2: Data Security Failures
• Security Breach Headlines
  • Identity thieves stole information on 145,000 people from ChoicePoint
  • Bank of America lost backup tapes that held data on over 1 million credit card holders
  • DSW had its stores’ credit card data breached; over 1 million had been accessed
• Corporate America is finally owning up to a long-held secret
  • It can’t safeguard its most valuable data
13-60 Case Study Questions
• Why have there been so many recent incidents of data security breaches and loss of customer data by reputable companies?
• What security safeguards must companies have to deter electronic break-ins into their computer networks, business applications, and data resources like the incident at Lowe’s?
13-61 Case Study Questions
• What security safeguards would have deterred the loss of customer data at
  • TCI
  • Bank of America
  • ChoicePoint?
13-63 Internetworked Security Defenses
• Encryption
  • Data is transmitted in scrambled form
  • It is unscrambled by computer systems for authorized users only
  • The most widely used method uses a pair of public and private keys unique to each individual
13-65 Internetworked Security Defenses
• Firewalls
  • A gatekeeper system that protects a company’s intranets and other computer networks from intrusion
  • Provides a filter and safe transfer point for access to/from the Internet and other networks
  • Important for individuals who connect to the Internet with DSL or cable modems
  • Can deter hacking, but cannot prevent it
13-67 Denial of Service Attacks
• Denial of service attacks depend on three layers of networked computer systems
  • The victim’s website
  • The victim’s Internet service provider
  • Zombie or slave computers that have been commandeered by the cybercriminals
13-68 Defending Against Denial of Service
• At Zombie Machines
  • Set and enforce security policies
  • Scan for vulnerabilities
• At the ISP
  • Monitor and block traffic spikes
• At the Victim’s Website
  • Create backup servers and network connections
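As an added illustration of the ISP-level defense above (monitor and block traffic spikes), and not code from the original slides: a small Python detector that buckets request records per second, flags any second whose volume far exceeds a baseline learned from earlier seconds, and proposes a block list of the sources that top repeated spike seconds. The request records and IP addresses are constructed sample data; the thresholds are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from statistics import mean


def per_second_counts(requests):
    """Group (second, src_ip) request records by second -> {second: Counter(src_ip)}."""
    buckets = defaultdict(Counter)
    for second, src in requests:
        buckets[second][src] += 1
    return buckets


def detect_spikes(requests, warmup=5, factor=4.0, top_n=3):
    """Flag each second whose request total exceeds `factor` times the running
    mean of earlier non-spike seconds, once `warmup` seconds of baseline exist.
    Spike seconds are kept out of the baseline so a sustained flood cannot
    raise the bar and hide itself."""
    buckets = per_second_counts(requests)
    history, alerts = [], []
    for second in sorted(buckets):
        total = sum(buckets[second].values())
        if len(history) >= warmup:
            baseline = mean(history)
            if total > factor * baseline:
                alerts.append({
                    "second": second,
                    "total": total,
                    "baseline": round(baseline, 1),
                    "top_sources": [ip for ip, _ in buckets[second].most_common(top_n)],
                })
                continue  # do not feed the flood into the baseline
        history.append(total)
    return alerts


def block_list(alerts, min_hits=2):
    """Sources that lead at least `min_hits` spike seconds: candidates for a
    temporary rate limit or block at the ISP edge, pending analyst review."""
    hits = Counter(ip for alert in alerts for ip in alert["top_sources"])
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


def constructed_traffic():
    """Constructed sample (not real data): five legitimate clients at 2 req/s
    for 14 seconds, joined from second 10 by 20 'zombie' hosts at 15 req/s each."""
    legit = [f"198.51.100.{i}" for i in range(1, 6)]
    zombies = [f"203.0.113.{i}" for i in range(1, 21)]
    requests = []
    for second in range(14):
        for ip in legit:
            requests.extend([(second, ip)] * 2)
        if second >= 10:
            for ip in zombies:
                requests.extend([(second, ip)] * 15)
    return requests


if __name__ == "__main__":
    found = detect_spikes(constructed_traffic())
    for alert in found:
        print(f"second {alert['second']}: {alert['total']} req/s "
              f"(baseline {alert['baseline']}), top {alert['top_sources']}")
    print("block candidates:", block_list(found))
```

On the constructed traffic the first ten seconds run at 10 req/s, so the first flood second (310 req/s) trips the 4x threshold immediately, and the same zombie sources top every spike second afterwards.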
13-69 Internetworked Security Defenses
• Email Monitoring
  • Use of content monitoring software that scans for troublesome words that might compromise corporate security
• Virus Defenses
  • Centralize the updating and distribution of antivirus software
  • Use a security suite that integrates virus protection with firewalls, Web security, and content blocking features
13-70 Other Security Measures
• Security Codes
  • Multilevel password system
  • Encrypted passwords
  • Smart cards with microprocessors
• Backup Files
  • Duplicate files of data or programs
• Security Monitors
  • Monitor the use of computers and networks
  • Protect them from unauthorized use, fraud, and destruction
13-71 Other Security Measures
• Biometrics
  • Computer devices measure physical traits that make each individual unique
  • Voice recognition, fingerprints, retina scan
• Computer Failure Controls
  • Prevent computer failures or minimize their effects
  • Preventive maintenance
  • Arrange backups with a disaster recovery organization
13-72 Other Security Measures
• In the event of a system failure, fault-tolerant systems have redundant processors, peripherals, and software that provide
  • Fail-over capability: shifts to backup components
  • Fail-safe capability: the system continues to operate at the same level
  • Fail-soft capability: the system continues to operate at a reduced but acceptable level
13-73 Other Security Measures
• A disaster recovery plan contains formalized procedures to follow in the event of a disaster
  • Which employees will participate
  • What their duties will be
  • What hardware, software, and facilities will be used
  • Priority of applications that will be processed
  • Use of alternative facilities
  • Offsite storage of databases
13-74 Information System Controls
• Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities
13-75 Auditing IT Security
• IT Security Audits
  • Performed by internal or external auditors
  • Review and evaluation of security measures and management policies
  • Goal is to ensure that proper and adequate measures and policies are in place
13-77 Case 3: Managing Information Security
• OCTAVE Security Process Methodology
  • Risk Evaluation
    • Self-direction by people in the organization
    • Adaptable measures that can change with technology
    • A defined process and standard evaluation procedures
    • A foundation for a continual process that improves security over time
  • Risk Management
    • A forward-looking view
    • A focus on a “critical few” security issues
    • Integrated management of security policies and strategies
13-78 Case 3: Managing Information Security
• Organizational and Cultural
  • Open communication of risk information and activities built around collaboration
  • A global perspective on risk in the context of the organization’s mission and business objectives
  • Teamwork
13-79 Case Study Questions
• What are security managers doing to improve information security?
• How does the OCTAVE methodology work to improve security in organizations?
• What does Lloyd Hession mean when he says information security is “not addressed simply by the firewalls and antivirus tools that are already in place”?
13-80 Case 4: Maintaining Software Security
• Security professionals have 7 to 21 days before hackers’ tools used to exploit the most recent vulnerabilities become available on the Internet
• Microsoft’s monthly patch-release date is known as “Patch Tuesday”
  • Security software companies go to work immediately to update their products
  • Updates must be thoroughly tested before being deployed
13-81 Case Study Questions
• What types of security problems are typically addressed by a patch-management strategy?
• Why do such problems arise in the first place?
• What challenges does the process of applying software patches and updates pose for many businesses?
• What are the limitations of the patching process?
13-82 Case Study Questions
• Does the business value of a comprehensive patch-management strategy outweigh its costs, its limitations, and the demands it places on the IT function?