20332 security Legal and ethical issues when a business is providing internet access for individuals © EIT, Author Gay Robertson, 2016

Implications to consider .. Security of information Personal use Virus protection Physical Security Personal safety

Implications for business Security of information …

Security of information … Security of an organization or home business network is become more and more important as people spend more and more time connected to the Internet The increased use of electronic media has increased the possibility of security breaches Compromising network security is often easier than breaking into your building Protection of information / data is the process of securing against use, modification, tampering or disclosure of data by some means of UNAUTHORISED access (internal or external)

Every business needs … Integrity of data Availability of data Data is not tampered with or modified without the modification being detected Availability of data Data is available when required by users who are given the rights to the data Disclosure Only data necessary for the user to perform his task is made available or ‘disclosed’

Security needs to follow data as it moves across the network or WiFi network on different devices

EIT policies dealing with the impact of security of information … Password policies User passwords, file passwords, drive folder passwords and server passwords Passwords should be changed frequently Passwords must not be shared or revealed to others Access policies - all users must Only access, alter or delete information on the system they are authorised to use Use the System for the purposes for which access is granted Regardless of circumstances, username and passwords must never be shared or revealed to anyone else besides the authorised user

Records management policies – User must ensure that data on a laptop or USB device is also located on the server for back up purposes IT Services will not be responsible for recovery of data lost from local computer hard drives or USB devices or any other mobile device Use of EIT Resources, Facilities and Equipment policy Students must use EIT resources, facilities and equipment in a careful and responsible manner and only use them for the legitimate EIT purposes for which they are provided. Students who use Social Networking on EIT resources must be aware of the amount of personal use EIT block sites which are objectionable or illegal for your personal safety

Biometrics are being used for access to equipment eg laptops, servers Authentication based on unique characteristics of that person’s body Fingerprints Iris or Retina Face Security policy availability Students can request access to this at any time Recovering from theft Backup of server kept off site at a secure location

Improper Use of IT Systems policy includes Using computer programmes to decrypt, capture passwords or control information Attempting to circumvent or subvert system security measures Engaging in any activity that may be harmful to systems or to any information stored thereon, such as creating or intentionally propagating viruses, disrupting services, or damaging files Installation or downloading of any software applications (including computer games) that are not approved for use by IT Services on the EIT computer systems Unauthorised use of software applications can pose a serious security risk and IT Services staff will remove any unauthorised software as deemed necessary

Implications for a business Internet for personal use …

Personal use of business email… Business email systems and Internet access is primarily for the business purposes Most businesses allow access to Stuff, Facebook, TradeMe, YouTube, Wikipedia and many other web sites Email Etiquette requires: Personal use should be kept to a minimal amount of time Good personal judgement about the sites you visit is expected of all staff Never send junk mail, random mail or ‘who are you’ messages Limit your use of lists as much as possible and know how to unsubscribe

Monitoring software … Businesses use monitoring software to keep track of personal use Where a user is believed to be in breach of policy or law based on system monitoring the information collected in system monitoring will be passed to the appropriate manager or enforcement agency ‘What is accessed’ and ‘time spent’ is reported to management Frequency of access to sites is also reported to management Businesses can impose ‘time bans’ eg user can only look at Stuff between 12 – 1 pm when network use is low

Implications for business Virus & virus protection …

Virus protection … What are the threats? Email Phishing Websites Removable media Direct connectivity to an end-user service

Emails can contain … Malware Viruses Trojan horse Spyware Worms Tricks computer user into downloading software which is malicious Viruses Computer Viruses replicate (repeat) their structures or effects by infecting other files or structures Trojan horse Malicious software that pretends to be harmless Spyware Programs that monitor your activity on your computer without you knowing Information is reported to others Worms Programs that can replicate (copy or repeat) themselves throughout a network

Phishing … Attempts to steal bank account and credit card numbers, PINs and site passwords by asking you to click a link in an email Email looks genuine with official looking logos and content Any details you provide may be used to access your bank or credit card account or site network

Websites … Malicious code can be delivered via websites Legitimate websites can be hacked into and malicious code attached to popular content eg photos, movies, cooking recipes The hacker waits for users to link to the website or website content If your anti-virus software is out of date you will not be protected If your system is not well protected you could be infected or your policies could be violated

Removable media … These include USB devices, DVDs and CDs Delivered ‘free or really cheaply’ are an effective means to deliver malware eg arrives in the post, or you buy a device from ‘TradeMe’ Malware could be included in Documents Free software Multi media Always run Anti-virus software on devices BEFORE using the device especially in EIT systems

Direct connectivity to end-user service … “Always On” Internet Access that is permanently available eg intentionally open to users inside or outside the network Network based applications have specific network protocols (rules) Applications could include Websites eg Facebook , Twitter Remote access File sharing Email Virtual private networking

What could a business do to provide virus protection? Implement Intrusion Detection System (IDS) This monitors the EIT network/system for malicious activities or policy violations When detected, the IDS will try to stop or prevent the illegal activity by performing system activities that will lead to stopping the attacks aimed at the EIT system/network And the IDS will discover problems in EIT security BEFORE the attackers do

Implement Firewalls impose restrictions on incoming and outgoing packets to and from EIT networks All the traffic, whether incoming or outgoing, must pass through the firewall Firewalls create checkpoints between an internal private network (EIT) and the public Internet Firewalls can limit EIT network exposure by hiding the internal network system and information from the public Internet

Antivirus programs detect and eliminate viruses Implement Antivirus programs and Internet security programs - these are useful in Protecting a computer from malware and other malicious software Antivirus programs detect and eliminate viruses This is the antivirus program used at EIT

Implications for business Physical security …

Lose your data – lose your business What could an intruder do? Write malicious code to servers Steal or damage hard drives Copy hard drives Alter security settings Add equipment to your network

EIT security Security policies to secure premises EIT has security systems, security staff, alarms, locks, swipe cards Detect theft EIT use surveillance cameras inside and outside buildings to track intruders or dishonest insiders

Implications for Digital Citizen Personal safety …

Personal safety when using a business system For your personal safety, businesses block access to sites which are objectionable, offensive, slanderous, illegal, obscene or likely to be offensive Businesses uses monitoring software to keep track of personal safety and ensure compliance with policy and legislation

Personal safety for the Digital Citizen … While you are online, security, privacy and personal safety are always an issue. This is particularly true of broadband connections that are "always on", that is, the connection to the Internet is always open Excellent Sites for information on all aspects of computer security http://www.bbc.co.uk/webwise/0/27606410 http://www.bbc.co.uk/webwise/0/22717881 http://www.gcflearnfree.org/internetsafety/your-browsers-security-features/1/ and especially for if you have kids http://www.gcflearnfree.org/internetsafetyforkids/

Important points for you to think about to enhance your personal safety

Back to the workbook now!!