McGraw-Hill © 2008 The McGraw-Hill Companies, Inc. All rights reserved. Chapter 8 Threats and Safeguards Chapter 8 PROTECTING PEOPLE AND INFORMATION Threats and Safeguards

8-2 STUDENT LEARNING OUTCOMES 1. Define ethics and describe the two factors that affect how you make a decision concerning an ethical issue. 2. Define and describe intellectual property, copyright, Fair Use Doctrine, and pirated software. 3. Describe privacy and describe ways in which it can be threatened. 4. Describe the ways in which information on your computer or network is vulnerable and list measures you can take to protect it.

8-3 THEY KNOW ABOUT 96% OF AMERICAN HOUSEHOLDS Customers: 9 of the 10 largest credit-card issuers Acxiom has 20 billion records on 110 million people 96% of households Makes and sells lists to customers Merges and protects databases

8-4 Case Study Questions 1. Do you feel comfortable about so many people collecting information about you and distributing it freely? 2. Is it an invasion of your privacy or just good business? 3. Should there be any laws regulating the collection and use of data by data brokers like Acxiom?

8-5 INTRODUCTION Handling information responsibly means understanding the following issues Ethics Personal privacy Threats to information Protection of information

8-6 CHAPTER ORGANIZATION 1. Ethics Learning Outcomes #1 & #2 2. Privacy Learning Outcome #3 3. Security Learning Outcome #4

8-7 ETHICS Ethics – the principles and standards that guide our behavior toward other people. Ethics are rooted in history, culture, and religion.

8-8 Two Factors that Determine How You Decide Ethical Issues How you collect, store, access, and use information depends to a large extent on your ethics- what you see as right or wrong. Actions in ethical dilemmas determined by two factors: 1. Your basic ethical structure 2. The circumstances of the situation

8-9 1 st Factor: Basic Ethical Structure Your basic ethical structure is developed while you grew up and it determines what you consider to be 1. Minor ethical violations E.g. sending a personal while at work. 1. Serious ethical violations E.g. reading someone else’s Very serious ethical violations E.g. embezzling funds or selling company records to a competitor.

st Factor: Basic Ethical Structure

nd Factor: Circumstances of the Situation Any assessment of what’s right or wrong can rarely be divorced from a variety of considerations: 1. Consequences of the action or inaction 2. Society’s opinion of the action or inaction 3. Likelihood of effect of action or inaction 4. Time to consequences of action or inaction 5. Relatedness of people who will be affected by action or inaction 6. Reach of result of action or inaction

8-12 Intellectual Property Intellectual property – intangible creative work that is embodied in physical form Copyright – legal protection afforded an expression of an idea Having a copyright means that no one can use your Intellectual property without your permission. Fair Use Doctrine – may use copyrighted material in certain situations

8-13 Intellectual Property Using copyrighted software without permission violates copyright law Pirated software – the unauthorized use, duplication, distribution, or sale of copyrighted software

8-14 PRIVACY Privacy – the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent Dimensions of privacy Psychological: to have a sense of control Legal: to be able to protect yourself

8-15 Privacy and Other Individuals Key logger (key trapper) software – a program that, when installed on a computer, records every keystroke and mouse click Screen capture programs – record what’s on the screen (straight from the video card) is stored on many computers as it travels from sender to recipient and that’s why is completely insecure. Hardware key logger – hardware device that captures keystrokes moving between keyboard and motherboard. Event Data Recorders (EDR) – located in the airbag control module and collects data from your car as you are driving.

8-16 An is Stored on Many Computers

8-17 Privacy: Identity Theft Identity theft – the forging of someone’s identity for the purpose of fraud The fraud is often for financial gain like using the stolen identity to use a credit card or to apply for a loan in the victim’s name.

8-18 Privacy: Identity Theft Phishing (carding, brand spoofing) – a technique to gain personal information for the purpose of identity theft, usually by a fraudulent . NEVER Reply without question to an asking for personal information Click directly on a Web site provided in such an

8-19 Privacy: Identity Theft

8-20 Privacy: Pharming Pharming - rerouting your request for a legitimate Web site. You may type in the correct address for your bank and then be directed to a fake website. or by redirecting you after you are already on the legitimate site Pharming is accomplished by gaining access to the giant databases that Internet providers use to route Web traffic. It often works because it’s hard to spot the tiny difference in the Web site address.

8-21 Privacy and Employees Companies need information about their employees to run their business effectively. After you are hired, your employer can monitor where you go, what you do, what you say, and what you write in s.

8-22 Privacy and Employees As of March 2005, 60% of employers monitored employee s 70% of Web traffic occurs during work hours 78% of employers reported abuse 60% employees admitted abuse Cyberslacking – misuse of company resources Visiting inappropriate sites Gaming, chatting, stock trading, social networking, etc.

8-23 Privacy and Employees: Reasons for Monitoring 1. Hire the best people possible 2. Ensure appropriate behavior on the job and ensure that the company resources are not wasted or misused. 3. Avoid litigation for employee misconduct

8-24 Privacy and Consumers Consumers want businesses to Know who they are, but not to know too much Provide what they want, but not gather information on them Let them know about products, but not pester them with advertising

8-25 Privacy and Consumers: Cookies Cookie – a small file that contains information about you and your Web activities, which a Web site places on your computer Examples on using cookies: keep the ID and password information so you don’t have to enter them every time storing the contents of electronic shopping carts Handle cookies by using Web browser cookie management option Buy a program that manages cookies

8-26 Privacy and Consumers: Spam Spam – unsolicited (electronic junk mail) from businesses advertising goods and services. You can get spam filters to block out spam. However spammers are clever in getting past spam filters by: Inserting extra characters to fool those filters Inserting HTML tags that do nothing Replying usually increases, rather than decreases, amount of spam.

8-27 Privacy and Consumers: Adware and Spyware Adware – software to generate ads that installs itself when you download another program Adware is a type of Trojan horse software (explained next). There’s usually a disclaimer saying that the software includes this adware. People hit the “I Agree” without reading it!

8-28 Privacy and Consumers: Adware and Spyware Spyware (sneakware, stealthware) – software that comes hidden in downloaded software and collects information about you and your computer and reports it to someone without your permission. E.g. the first release of RealNetworks’ RealJukebox sent information back to the company about what CD’s people were playing on their computers. If you download free software that has a banner ad most likely it has spyware as well. Spywares can stay on your computer even if you uninstall the original software.

8-29 Adware in Free Version of Eudora

8-30 Privacy and Consumers: Trojan Horse Software Trojan horse software – software you don’t want inside software you do want Some ways to detect Trojan horse software AdAware at The Cleaner at Trojan First Aid Kit (TFAK) at Check it out before you download at

8-31 Privacy and Consumers: Web Logs Web log – one line of information for every visitor to a Web site stored on a Web server. It can provide a website company with your clickstream. Clickstream – records information about you during a Web surfing session such as what websites you visited, how long you were there, what ads you looked at, and what you bought. Anonymous Web browsing (AWB) – hides your identity from the Web sites you visit The Anonymizer at SuftSecret at

8-32 Privacy and Government Agencies About 2,000 government agencies have databases with information on people Government agencies need information to operate effectively Whenever you are in contact with government agency, you leave behind information about yourself

8-33 Government Agencies Storing Personal Information Law enforcement NCIC (National Crime Information Center) FBI Electronic Surveillance Carnivore or DCS-1000 Magic Lantern (software key logger) NSA (National Security Agency) Echelon collect electronic information by satellite

8-34 Government Agencies Storing Personal Information IRS Census Bureau Student loan services FICA Social Security Administration Social service agencies Department of Motor Vehicles

8-35 Laws on Privacy Health Insurance Portability and Accountability Act (HIPAA) protects personal health information Financial Services Modernization Act requires that financial institutions protect personal customer information Other laws in Figure 8.6 on page 356

8-36 SECURITY Attacks on information and computer resources come from inside and outside the company Computer sabotage costs about $10 billion per year Companies are increasing their spending on Internet security software. Symantec is the largest developer for computer security software.

8-37 SECURITY AND EMPLOYEES In general, employee misconduct is more costly than assaults from outside Manager theft is about four times that of other employees. Examples: Sending payment to a non-existent vendor Writing payroll checks to non-existent employees Newer crimes: Stealing security codes, credit card numbers, etc. Stealing intellectual property

8-38 SECURITY AND EMPLOYEES

8-39 Security and Outside Threats In 2006, companies spent, on average, $5 million to recover corporate data that was lost or stolen. Hackers – knowledgeable computer users who use their knowledge to invade other people's computers Hackers may have varying motives; could be for fun! Hacktivists- have a philosophical or political message they want to share. Crackers- illegally break in to steal information for a fee (could be $1 million for one job!). White-hat hackers – “good guys” who test the vulnerability of systems in order to take protective measurements.

8-40 Security and Outside Threats: Cyber Crime There are different types of cyber crime:  Computer virus (virus) – software that is written with malicious intent to cause annoyance or damage  Worm – type of virus that spreads itself from computer to computer usually via or other Internet traffic.  A worm can send itself to all the address that you have in your address book.  Denial-of-Service (DoS) attack – floods a Web site with so many requests for service that it slows down or crashes.

8-41 Security and Outside Threats: Cyber Crime Computer Viruses Can’t Hurt your hardware Ex: Monitors, printers, processors, etc. Hurt any files they weren’t designed to attack Ex: A worm designed to attack Outlook won’t attack other programs Infect files on write-protected media

8-42 Security Precautions 1. Anti-virus software – detects and removes or quarantines computer viruses you should update your antivirus regularly and make sure it’s running all the time 2. Anti-spyware and anti-adware software 3. Spam protection software – identifies and marks and/or deletes Spam 4. Anti-phishing software – lets you know when phishing attempts are being made to protect you from identity theft 5. Firewall – hardware and/or software that protects a computer or network from intruders

8-43 Security Precautions: Access Authentication While firewalls keep outsiders out they don’t necessarily keep insiders out, like employees who try to access computers or files. There are three ways for proving your access rights: 1. What you know- like a password 2. What you have- like an ATM card 3. What you look like- like your fingerprint Number one and two can be easily stolen or lost! Biometrics – the use of physiological characteristics for identification purposes. E.g. fingerprint, voice, blood vessels in the eye Fingerprints are the most popular ones.

8-44 Security Precautions: Encryption Encryption – scrambles the contents of a file so that you can’t read it without having the decryption key. Public Key Encryption (PKE) – an encryption system with two keys: a public for everyone and a private one for the recipient