Security, Privacy, and Ethical Issues in Information Systems and the Internet (Chapter 9)
Dec 26, 2015
Social Issues in Information Systems
- Computer waste and mistakes
- Computer crime
- Privacy
- Health concerns
- Ethical issues
- Patent and copyright violations
Computer Waste
- Discarding technology that still has value
- Unused systems
- Personal use of corporate time and technology
- Spam
- Time spent configuring / “optimizing” computers
Companies should establish policies to prevent waste and mistakes.
Computer Crime
Number of Incidents Reported to CERT
(chart; data not reproduced in the text)
Computer Crime and Security Survey
Source: http://www.gocsi.com/press/20020407.jhtml?_requestid=449980
(chart; the one data point visible in the text is 1996: 16%)
Identity Theft
- Fastest growing crime in the US
- Use someone else’s identity to obtain credit, conduct crimes, etc.
- Necessary info: SSN, name, (date of birth)
- How often do you get a credit card application with your name on it?
- Consumer complaints about fraud and identity theft: http://www.consumer.gov/sentinel/pubs/Top10Fraud_2002.pdf
- Largest identity theft case in US history: http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,76252,00.html
- Identity theft survival guide: http://money.cnn.com/2002/11/26/pf/saving/q_identity/
Recent Cybercrime Headlines
- 12/4/03: Trojans on the Rise
- 11/24/03: U.S. House Passes Controversial Antispam Bill
- 11/19/03: Wi-Fi Starts Leaping Security Barriers
- 11/12/03: Microsoft Plugs Five New Security Holes
Source: Daily cybercrime report (http://www.newsfactor.com/perl/section/cybercrime/)
The Computer as a Tool to Commit Crime
- Social engineering: posing as someone else to gain the trust of a user so that they give out a password
- Dumpster diving: searching garbage for clues on how to gain access to a system
- Shoulder surfing: standing next to someone in a public place to get vital information
- Installing a keyboard logger: records every keystroke and sends it back to the criminal
- Cyberterrorism, e.g. a Distributed Denial-of-Service (DDoS) attack
Computers as Objects of Crime
- Illegal access and use
  - Hackers: ‘hacking’ away at programming and using a computer to its fullest capabilities
  - Crackers (criminal hackers)
- Information and equipment theft
- Software and Internet piracy
- Computer-related scams
  - Nigerian 419
  - Scamming the scammers: http://www.ebolamonkeyman.com/
- International computer crime
Data Alteration and Destruction
- Virus
- Worm
- Logic bomb
- Trojan horse
(cartoon © Hal Mayforth 2003)
Virus Characteristics
Similar to biological viruses:
- Replicates on its own
- May mutate
- Can be benign or malicious
- Attaches to a ‘host’ program
- Constructed by a programmer
Top 10 last month: http://www.sophos.com/virusinfo/topten/
Virus Elements
- Distribution vector: how does it move from one computer to the next?
  - Virus: attaches to another program; the user must take action for it to spread
  - Worm: self-propagates
- Payload: what does it do when it gets there? Types of damage:
  - Destruction of data, programs or hardware
  - Loss of productivity
  - Annoyance
- Ability to mutate: makes it harder to detect, like the AIDS virus
Virus Distribution
- Email
  - Executable attachment that masquerades as an image file (”Click to see picture of Anna Kournikova!”)
  - HTML code that executes automatically in the email program (esp. Outlook and Outlook Express)
- Worm
  - Spreads directly from computer to computer
  - Often exploits ‘open ports’ or other vulnerabilities
- Trojan horse / logic bomb: virus disguised inside another program
- Greeting cards (or other web sites): clicking a link may cause nasty things to happen
- Hoax: email about a ‘false’ threat; may ask the user to delete an important system file and forward the email to other users
Virus Example: SoBig Email Virus
- Distribution vector: email
  - Arrives in an email message and installs its own SMTP engine (allows sending email without using the installed email program)
  - Sends itself to all email addresses in address books
  - Forges the Sender address, so the person the email appears to come from may not be infected (“email spoofing”)
  - User must execute the attachment to be infected
  - Tried to copy itself to Windows shares (unsuccessful, due to bugs)
- Payload: none (except for extra traffic)
  - Might download malicious software from a web site
- Expired September 10, 2003
Source: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
Symantec’s Virus Guidelines
- Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
- If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
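The attachment-blocking guideline above, as an added example that is not from the slides or from Symantec: a small Python filter that parses a mail message and flags attachments carrying any of the listed extensions. It checks every extension segment, not just the last, so the double-extension disguise from the Virus Distribution slide (an “image” that is really a script) is caught too. The sample message, its addresses and the attachment bytes are constructed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension list quoted from the Symantec guideline on this slide.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def risky_extensions(filename: str) -> set:
    """Return every blocked extension that appears anywhere in the filename.

    Every dotted segment after the base name is checked, not only the last,
    so a double extension such as "kournikova.jpg.vbs" is caught as well.
    """
    segments = filename.lower().split(".")[1:]
    return {"." + s for s in segments if "." + s in BLOCKED_EXTENSIONS}


def flag_message(raw: str) -> list:
    """Parse a raw RFC 5322 message; list attachment names the policy blocks."""
    msg = email.message_from_string(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():          # skips the text body part
        name = part.get_filename() or ""
        if risky_extensions(name):
            flagged.append(name)
    return flagged


def build_sample() -> str:
    """Constructed test message (placeholder addresses, harmless byte blobs)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Click to see picture!"
    msg.set_content("See the attached files.")
    # "image" that is really a script: the double-extension trick
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="kournikova.jpg.vbs")
    # genuine image attachment that should pass
    msg.add_attachment(b"placeholder", maintype="image", subtype="png",
                       filename="photo.png")
    # plain executable, blocked by the last-segment check alone
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg.as_string()


if __name__ == "__main__":
    print(flag_message(build_sample()))   # ['kournikova.jpg.vbs', 'setup.exe']
```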
The Six Computer Incidents with the Greatest Worldwide Economic Impact
(table not reproduced in the text)
ILOVEYOU was started by a student in the Philippines who had a project rejected by a teacher!
Measures of Protection
General controls:
- Physical: a guard in front of a locked door can prevent many problems...
- Biometric controls: fingerprint, hand print, retina scan, voice, ...
- Data security control: confidentiality, access control, data integrity
Measures of Protection
Network protection and firewalls:
- Access control
- Encryption
- Firewalls: the most cost-effective defense, but not 100% effective (example: ZoneAlarm)
Protection can be assured by conducting an audit, perhaps even by hiring a hacker…
Common Computer Crime Methods
(table not reproduced in the text)
What Can You Do Personally?
- Install security patches (for Windows: www.windowsupdate.com)
- Use a virus scanner
- Take backups
- Protect your password (beware of social engineering)
- Install a firewall
- Encrypt sensitive data
- Don’t use IM chat software for sensitive communication (see http://news.com.com/2100-1023-976068.html)
  - Changing: vendors are coming out with ‘corporate’ versions
- Visit www.grc.com to make sure your Shields are Up
Privacy
Privacy Dilemma
- People’s right to privacy – not to be monitored
- Employers need to monitor activity on their premises
  - Discourage time-wasting behavior
  - Prevent criminal activity on the network
- Law enforcement needs to solve crimes
- Anonymity makes some people more criminal/amoral
The Right to Know and the Ability to Decide
Email Privacy
- Work email is not private
- Employers have the right to read employee email
- Can be used as evidence in court
- Companies need to have a policy for storing email
- Can also cause problems for elected officials
  - Recently the Oshkosh School Board was ‘discovered’ to delete messages
  - Violates open meeting laws
The Work Environment
Health Concerns
- Repetitive Motion Disorder (Repetitive Stress Injury; RSI): an injury that can be caused by working with computer keyboards and other equipment
- Carpal Tunnel Syndrome (CTS): the aggravation of the pathway for nerves that travel through the wrist (the carpal tunnel)
- Current research says computers do not cause permanent damage; a few months without a computer will help
- Research is still being conducted
- Technology can also remove dangerous work situations
Ergonomics
- The study of designing and positioning computer equipment for employee health and safety
  - How high should your monitor be?
  - Where should the keyboard and mouse be?
  - Good ways of working to minimize risks
- Web sites on ergonomics:
  - http://www.ics.uci.edu/~abaker/ergo/
  - http://ergo.human.cornell.edu/ergoguide.html
  - http://www.pao.gov.ab.ca/health/ergonomics/computer/
That’s It
- Exam available Friday – Saturday (all minutes inclusive)
- 2 hours to complete once started
- Exam scores on Blackboard
- Final grades will be available by Wednesday