Page 1: Security and ethical challenges in mis

Welcome to Our Presentation

Angry Birds


Page 2: Security and ethical challenges in mis


Page 3: Security and ethical challenges in mis
Page 4: Security and ethical challenges in mis

▪ IT Security, Ethics, and Society
▪ Business Ethics
▪ Categories of Ethical Business Issues
▪ Computer Crime
▪ Hacking
▪ Common Hacking Tactics
▪ Cyber Theft
▪ Unauthorized Use at Work
▪ Internet Abuses in the Workplace
▪ Software Piracy
▪ Theft of Intellectual Property
▪ Viruses and Worms
▪ Top Five Virus Families of all Time
▪ The Cost of Viruses, Trojans, Worms
▪ Adware and Spyware
▪ Spyware Problems
▪ Privacy Issues
▪ Opt-in Versus Opt-out
▪ Protecting Your Privacy on the Internet
▪ Health Issues
▪ Security Management of IT
▪ Security Management
▪ Internetworked Security Defenses
▪ Public/Private Key Encryption
▪ Internetworked Security Defenses
▪ Internet and Intranet Firewalls
▪ Internetworked Security Defenses
▪ Information System Controls

Page 5: Security and ethical challenges in mis

IT has both beneficial and detrimental effects on society and people
▪ Manage work activities to minimize the detrimental effects of IT
▪ Optimize the beneficial effects

Page 6: Security and ethical challenges in mis

Ethics questions that managers confront as part of their daily business decision making include:
▪ Equity
▪ Rights
▪ Honesty
▪ Exercise of corporate power

Page 7: Security and ethical challenges in mis


Page 8: Security and ethical challenges in mis

Computer crime includes
▪ Unauthorized use, access, modification, or destruction of hardware, software, data, or network resources
▪ The unauthorized release of information
▪ The unauthorized copying of software
▪ Denying an end user access to his/her own hardware, software, data, or network resources
▪ Using or conspiring to use computer or network resources illegally to obtain information or tangible property

Page 9: Security and ethical challenges in mis

Hacking is
▪ The obsessive use of computers
▪ The unauthorized access and use of networked computer systems

Electronic Breaking and Entering
▪ Hacking into a computer system and reading files, but neither stealing nor damaging anything

Cracker
▪ A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage

Page 10: Security and ethical challenges in mis

Denial of Service
▪ Hammering a website’s equipment with too many requests for information
▪ Clogging the system, slowing performance, or crashing the site

Scans
▪ Widespread probes of the Internet to determine types of computers, services, and connections
▪ Looking for weaknesses

Sniffer
▪ Programs that search individual packets of data as they pass through the Internet
▪ Capturing passwords or entire contents

Spoofing
▪ Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers

Page 11: Security and ethical challenges in mis

Trojan Horse
▪ A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software

Back Doors
▪ A hidden point of entry to be used in case the original entry point is detected or blocked

Malicious Applets
▪ Tiny Java programs that misuse your computer’s resources, modify files on the hard disk, send fake email, or steal passwords

War Dialing
▪ Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection

Logic Bombs
▪ An instruction in a computer program that triggers a malicious act

Page 12: Security and ethical challenges in mis

Buffer Overflow
▪ Crashing or gaining control of a computer by sending too much data to buffer memory

Password Crackers
▪ Software that can guess passwords

Social Engineering
▪ Gaining access to computer systems by talking unsuspecting company employees out of valuable information, such as passwords

Dumpster Diving
▪ Sifting through a company’s garbage to find information to help break into their computers

Page 13: Security and ethical challenges in mis

▪ Many computer crimes involve the theft of money
▪ The majority are “inside jobs” that involve unauthorized network entry and alteration of computer databases to cover the tracks of the employees involved
▪ Many attacks occur through the Internet
▪ Most companies don’t reveal that they have been targets or victims of cybercrime

Page 14: Security and ethical challenges in mis

Unauthorized use of computer systems and networks is time and resource theft
▪ Doing private consulting
▪ Doing personal finances
▪ Playing video games
▪ Unauthorized use of the Internet or company networks

Sniffers
▪ Used to monitor network traffic or capacity
▪ Find evidence of improper use

Page 15: Security and ethical challenges in mis

▪ General email abuses
▪ Unauthorized usage and access
▪ Transmission of confidential data
▪ Pornography
▪ Hacking
▪ Non-work-related download/upload
▪ Leisure use of the Internet
▪ Use of external ISPs

Page 16: Security and ethical challenges in mis

Software Piracy
▪ Unauthorized copying of computer programs

Licensing
▪ Purchasing software is really a payment for a license for fair use
▪ Site license allows a certain number of copies

A third of the software industry’s revenues are lost to piracy

Page 17: Security and ethical challenges in mis

Intellectual Property
▪ Copyrighted material
▪ Includes such things as music, videos, images, articles, books, and software

Copyright Infringement is Illegal
▪ Peer-to-peer networking techniques have made it easy to trade pirated intellectual property

Publishers Offer Inexpensive Online Music
▪ Illegal downloading of music and video is down and continues to drop

Page 18: Security and ethical challenges in mis

A virus is a program that cannot work without being inserted into another program
▪ A worm can run unaided

These programs copy annoying or destructive routines into networked computers
▪ Copy routines spread the virus

Commonly transmitted through
▪ The Internet and online services
▪ Email and file attachments
▪ Disks from contaminated computers
▪ Shareware

Page 19: Security and ethical challenges in mis

My Doom, 2004
▪ Spread via email and over Kazaa file-sharing network
▪ Installs a back door on infected computers
▪ Infected email poses as returned message or one that can’t be opened correctly, urging recipient to click on attachment
▪ Opens up TCP ports that stay open even after termination of the worm
▪ Upon execution, a copy of Notepad is opened, filled with nonsense characters

Netsky, 2004
▪ Mass-mailing worm that spreads by emailing itself to all email addresses found on infected computers
▪ Tries to spread via peer-to-peer file sharing by copying itself into the shared folder
▪ It renames itself to pose as one of 26 other common files along the way

Page 20: Security and ethical challenges in mis

SoBig, 2004
▪ Mass-mailing email worm that arrives as an attachment
  ▪ Examples: Movie_0074.mpg.pif, Document003.pif
▪ Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking for email addresses to which it can send itself
▪ Also attempts to download updates for itself

Klez, 2002
▪ A mass-mailing email worm that arrives with a randomly named attachment
▪ Exploits a known vulnerability in MS Outlook to auto-execute on unpatched clients
▪ Tries to disable virus scanners and then copy itself to all local and networked drives with a random file name
▪ Deletes all files on the infected machine and any mapped network drives on the 13th of all even-numbered months
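The SoBig attachment names on this slide (Movie_0074.mpg.pif, Document003.pif) show a pattern a mail gateway can screen for: an executable extension, sometimes hidden behind a harmless-looking one. The following is an added example, not part of the original presentation; the two extension lists and every sample name other than the two from the slide are assumptions.

```python
# Added illustration: screening attachment names at a mail gateway.
# Both extension sets are assumed policy lists, not taken from the slides.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
DECOY_EXTS = {".mpg", ".jpg", ".gif", ".txt", ".doc", ".pdf", ".htm", ".html", ".mp3"}


def extensions(filename):
    """Return the dot-separated extensions of a file name, lowercased."""
    # Drop any directory part, then trailing dots/spaces (Windows ignores them).
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()
    # Strip padding inside the name, e.g. "photo.jpg      .exe".
    return ["." + part.strip() for part in name.split(".")[1:] if part.strip()]


def classify_attachment(filename):
    """Return 'block-double-extension', 'block-executable' or 'allow'."""
    exts = extensions(filename)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "allow"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "block-double-extension"
    return "block-executable"


def screen(filenames):
    """Classify a batch of attachment names; returns {name: verdict}."""
    return {name: classify_attachment(name) for name in filenames}


# Constructed sample: the first two names are the slide's SoBig examples,
# the rest are made up to exercise the edge cases.
SAMPLE = [
    "Movie_0074.mpg.pif",
    "Document003.pif",
    "minutes.2004.pdf",
    "photo.jpg      .exe",
    "invoice.doc.scr. ",
]

if __name__ == "__main__":
    for name, verdict in screen(SAMPLE).items():
        print(f"{verdict:24} {name!r}")
```

The check looks only at the name; a gateway would pair it with content inspection, since a renamed file keeps its real type.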

Page 21: Security and ethical challenges in mis

Sasser, 2004
▪ Exploits a Microsoft vulnerability to spread from computer to computer with no user intervention
▪ Spawns multiple threads that scan local subnets for vulnerabilities

Page 22: Security and ethical challenges in mis

Cost of the top five virus families
▪ Nearly 115 million computers in 200 countries were infected in 2004
▪ Up to 11 million computers are believed to be permanently infected
▪ In 2004, total economic damage from virus proliferation was $166 to $202 billion
▪ Average damage per computer is between $277 and $366

Page 23: Security and ethical challenges in mis

Adware
▪ Software that purports to serve a useful purpose, and often does
▪ Allows advertisers to display pop-up and banner ads without the consent of the computer users

Spyware
▪ Adware that uses an Internet connection in the background, without the user’s permission or knowledge
▪ Captures information about the user and sends it over the Internet

Page 24: Security and ethical challenges in mis

Spyware can steal private information and also
▪ Add advertising links to Web pages
▪ Redirect affiliate payments
▪ Change a user’s home page and search settings
▪ Make a modem randomly call premium-rate phone numbers
▪ Leave security holes that let Trojans in
▪ Degrade system performance

Removal programs are often not completely successful in eliminating spyware

Page 25: Security and ethical challenges in mis

The power of information technology to store and retrieve information can have a negative effect on every individual’s right to privacy
▪ Personal information is collected with every visit to a Web site
▪ Confidential information stored by credit bureaus, credit card companies, and the government has been stolen or misused

Page 26: Security and ethical challenges in mis

Opt-In
▪ You explicitly consent to allow data to be compiled about you
▪ This is the default in Europe

Opt-Out
▪ Data can be compiled about you unless you specifically request it not be
▪ This is the default in the U.S.

Page 27: Security and ethical challenges in mis

There are multiple ways to protect your privacy
▪ Encrypt email
▪ Send newsgroup postings through anonymous remailers
▪ Ask your ISP not to sell your name and information to mailing list providers and other marketers
▪ Don’t reveal personal data and interests on online service and website user profiles

Page 28: Security and ethical challenges in mis

Cumulative Trauma Disorders (CTDs)
▪ Disorders suffered by people who sit at a PC or terminal and do fast-paced repetitive keystroke jobs

Carpal Tunnel Syndrome
▪ Painful, crippling ailment of the hand and wrist
▪ Typically requires surgery to cure

Page 29: Security and ethical challenges in mis

The Internet was developed for inter-operability, not impenetrability
▪ Business managers and professionals alike are responsible for the security, quality, and performance of business information systems
▪ Hardware, software, networks, and data resources must be protected by a variety of security measures

Page 30: Security and ethical challenges in mis

The goal of security management is the accuracy, integrity, and safety of all information system processes and resources

Page 31: Security and ethical challenges in mis

Encryption
▪ Data is transmitted in scrambled form
▪ It is unscrambled by computer systems for authorized users only
▪ The most widely used method uses a pair of public and private keys unique to each individual
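The public/private key idea on this slide, worked through with textbook RSA as one instance of such a scheme (an added example, not part of the original presentation). The names Alice and Bob, the primes and the message are constructed; keys this small and RSA without padding are for illustration only.

```python
from math import gcd


def make_keypair(p, q, e=17):
    """Build a textbook RSA key pair from two primes (no padding)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)*(q-1)")
    d = pow(e, -1, phi)        # private exponent: e*d = 1 (mod phi)
    return (e, n), (d, n)      # (public key, private key)


def scramble(message, public_key):
    """Encrypt each byte with the recipient's PUBLIC key."""
    e, n = public_key
    return [pow(byte, e, n) for byte in message]


def unscramble(ciphertext, private_key):
    """Decrypt each value with a PRIVATE key; returns a list of integers."""
    d, n = private_key
    return [pow(c % n, d, n) for c in ciphertext]


def demo():
    # Each individual has their own pair (constructed toy primes).
    alice_pub, alice_priv = make_keypair(61, 53)
    bob_pub, bob_priv = make_keypair(89, 97)

    message = b"wire $500 to acct 42"            # constructed sample
    ciphertext = scramble(message, alice_pub)     # anyone may use Alice's public key

    by_alice = unscramble(ciphertext, alice_priv)  # the authorized user
    by_bob = unscramble(ciphertext, bob_priv)      # a different private key
    return message, ciphertext, by_alice, by_bob


if __name__ == "__main__":
    message, ciphertext, by_alice, by_bob = demo()
    print("transmitted :", ciphertext[:5], "...")
    print("Alice reads :", bytes(by_alice))
    print("Bob recovers the message:", by_bob == list(message))
```

Encrypting byte by byte makes equal plaintext bytes produce equal ciphertext values, which is one reason real systems add randomized padding and use the key pair to protect a symmetric session key instead.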

Page 32: Security and ethical challenges in mis


Page 33: Security and ethical challenges in mis

Firewalls
▪ A gatekeeper system that protects a company’s intranets and other computer networks from intrusion
▪ Provides a filter and safe transfer point for access to/from the Internet and other networks
▪ Important for individuals who connect to the Internet with DSL or cable modems
▪ Can deter hacking, but cannot prevent it

Page 34: Security and ethical challenges in mis


Page 35: Security and ethical challenges in mis

Email Monitoring
▪ Use of content monitoring software that scans for troublesome words that might compromise corporate security

Virus Defenses
▪ Centralize the updating and distribution of antivirus software
▪ Use a security suite that integrates virus protection with firewalls, Web security, and content blocking features

Page 36: Security and ethical challenges in mis

Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities


Page 37: Security and ethical challenges in mis
