Information and Ethics, Information Security and Malicious Programs BSAD 141 Dave Novak.


Topics Covered
- Information and ethics
- Information security: incidental, intentional or accidental loss of data, data integrity or data confidentiality
- Intellectual property
- Discussion of viruses
- How does encryption work?
- What is a digital signature?

Ethics and Information
- Ethics – the principles and standards that guide our behavior toward other people
- Information ethics – govern the ethical and moral issues arising from the development and use of information technologies, as well as the creation, collection, duplication, distribution, and processing of information

Ethics and Information
Business issues related to information ethics:
- Intellectual property
- Copyright
- Pirated software
- Counterfeit software
- Are ethical standards the same across cultures?

Ethics and Information
Privacy is a major ethical issue in the US.
- Privacy – the right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
- Confidentiality – the assurance that messages and information are available only to those who are authorized to view them

Ethics and Information
- Individuals form the only ethical component of MIS
- Software and hardware do not engage in ethical or unethical behavior
- Information does not care how it is used; it will not stop itself from being used to send spam, viruses, or highly sensitive information
- Information-based ethical policies therefore focus on the behavior and choices of the individuals using the technology

Ethics and Information
Ethical issues:
- Copying, using, and distributing software
- Searching organizational databases for sensitive and personal information
- Creating and/or spreading viruses or other malicious programs
- Viewing and/or stealing information
- Destroying information

Legal versus Ethical (Legal = laws, Ethical = values)

                Ethical                 Not ethical
  Legal         legal and ethical       legal but unethical
  Not legal     ethical but illegal     neither legal nor ethical

Organizational Information Management Policies
Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement. Six policies support this:
1) Computer use policy
2) Information privacy policy
3) Acceptable use policy
4) Email privacy policy
5) Social media policy
6) Workplace monitoring policy

1) Computer Use Policy
- General principles to guide computer user behavior
- The ethical computer use policy ensures that all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by them

2) Information Privacy Policy
- General principles regarding information privacy
- The unethical use of information typically occurs "unintentionally", when information collected for one purpose is used for a new one
- Who decides how an organization uses information, and exactly what information it uses?

3) Acceptable Use Policy
- A set of rules that restricts how a particular technological resource may be used
- Requires a user to agree to follow the policy before being granted access to the resource (corporate email, information systems, and the Internet)
- Nonrepudiation – a contractual stipulation in the policy ensuring that ebusiness participants cannot later deny their online actions; technically this is what digital signatures (covered below) provide, since only the holder of the private key could have produced the signature

4) Email Privacy Policy
- Details the extent to which email messages may be read by others
- Organizations can mitigate the risks of email and instant messaging tools by implementing and adhering to an email privacy policy
- Extends well beyond spam

4) Email Privacy Policy
Discussion question: can the government read your private e-mails?

5) Social Media Policy
- Guidelines or principles governing employee online communications; extends beyond email
- There is no such thing as a private or truly restricted social media site

6) Workplace Monitoring Policy
- Addresses the organization's policies regarding monitoring employee behavior both in and out of work
- The dilemma surrounding employee monitoring is that an organization places itself at risk if it fails to monitor its employees; however, some people feel that monitoring employees is unethical or goes "too far"

6) Workplace Monitoring Policy
"A 2007 survey by the American Management Association and the ePolicy Institute found that two-thirds of employers monitor their employees' web site visits in order to prevent inappropriate surfing. And 65% use software to block connections to web sites deemed off limits for employees. This is a 27% increase since 2001 when the survey was first conducted. Employers are concerned about employees visiting adult sites with sexual content, as well as games, social networking, entertainment, shopping and auctions, sports, and external blogs. Of the 43% of companies that monitor e-mail, nearly three-fourths use technology to automatically monitor e-mail. And 28% of employers have fired workers for e-mail misuse. Close to half of employers track content, keystrokes, and time spent at the keyboard. And 12% monitor blogs to see what is being written about the company. Another 10% monitor social networking sites."
Source: quoted directly from the American Management Association and the ePolicy Institute.

6) Workplace Monitoring Policy
Employee monitoring policy – explicitly states how, when, and where the company monitors its employees. Monitoring technologies to know:
- Key logger (key trapper) software
- Cookie
- Adware
- Spyware
- Web log
- Clickstream

6) Workplace Monitoring Policy
Discussion question: what can my employer monitor?

Protecting Intellectual Assets
- Organizational information is intellectual capital; it must be protected
- Information security – protecting information and information systems against accidental loss of access, intentional misuse, and loss of confidence in the integrity of the data
- Downtime – a period of time during which a system is unavailable

Threats Caused by Hackers and Viruses
- Virus – software/code written to replicate itself by attaching to other programs or files; it may or may not carry a malicious payload
- Backdoor program – a hidden way of bypassing normal authentication to get into a system
- Polymorphic virus – a virus that rewrites its own code on each infection so that signature-based scanners do not recognize it
- Trojan horse – malware disguised as a legitimate program; unlike a virus it does not replicate itself, so strictly it is not a virus even though it is often called one
- Worm – self-contained malware that copies itself across a network without needing a host file or any user action
- Denial-of-service attack (DoS) – floods a computer or site with requests so that legitimate users cannot get service

Primary Difference Between Viruses and Worms?
A virus needs a host: it attaches to a file or program and spreads only when that host is run or copied. A worm is stand-alone: it spreads itself from machine to machine over the network, typically by exploiting a vulnerability, with no user action required.

How Viruses Spread

Threats Caused by Hackers and Viruses
Terms to be familiar with:
- Elevation of privilege – a user or process obtaining rights beyond those it was granted, e.g. an ordinary user gaining administrator access
- Packet tampering – altering the contents of packets while they are in transit
- Sniffer – software that captures network traffic; on an unencrypted link it can read passwords and data in the clear
- Spoofing – forging the apparent source of a message or packet (an email From: address, an IP address) so that it appears to come from someone else
- Spyware – software that collects information about a user without the user's informed consent

Anti-Virus and Anti-Spyware Software
- An easy and effective way to protect yourself (to some degree) is to install anti-virus and anti-spyware software and keep it updated; it recognizes known malware, so it is a baseline, not a complete defense
- There is no reason not to do this
- Use common sense

People: 1st Line of Defense
- To function, organizations must enable employees, customers, and partners to access information electronically
- The biggest issue surrounding information security is not a technical issue but a people issue:
  - Insiders
  - Social engineering
  - Dumpster diving

Technology: 2nd Line of Defense
There are three primary information technology security areas:
1) Authentication and authorization
2) Prevention and resistance
3) Detection and response

1) Authentication and Authorization
- Authentication – confirming a user's identity
- Authorization – the process of giving someone permission to do or have something (what an authenticated user is allowed to access)
- The most secure authentication combines two or more factors (multi-factor authentication):
  - Something the user knows
  - Something the user has
  - Something that is part of the user

Something the User Knows:
- Username and password is the most common way to identify individual users
- It is also the least effective form of authentication
- Over 50 percent of help-desk calls are password related

Something the User Has:
- Smart cards and tokens are more effective than a user ID and a password
- Tokens – small electronic devices that generate a new one-time passcode at fixed intervals or on demand, so the value the user types changes every time and a captured code cannot be replayed later
- Smart card – a device about the size of a credit card containing embedded technology that can store information and small amounts of software to perform limited processing

Something That is Part of the User:
- Biometrics – using physical characteristics such as a fingerprint, iris, face, voice, or handwriting to obtain access
- Unfortunately, this method can be costly and intrusive
- If your fingerprint is compromised, how do you change it?

Securing Data Communications
- Encryption converts plaintext into ciphertext (a code); the receiver must translate the ciphertext back, which requires the right key
- Terms: encryption, public key encryption (PKE), certificate authority, digital certificate

Securing Data Communications
Encryption has two basic forms:
- Symmetric (private key) encryption – sender and receiver share one secret key, used both to encrypt and to decrypt
- Asymmetric (public key) encryption (PKE) – each party has a key pair: a public key that can be handed to anyone and a private key that is never shared

Public Key Encryption
An unpredictable (typically large and random) number is used to begin generation of an acceptable pair of keys suitable for use by an asymmetric key algorithm.
Source: Public-key cryptography [online], downloaded 11/29/2010

Public Key Encryption
In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt. Security depends on the secrecy of that private key.
Source: Public-key cryptography [online], downloaded 11/29/2010

Public Key Encryption
In the related signature schemes, the private key is used to sign a message (producing a digital signature), but anyone can check the signature using the public key. Validity depends on the private key staying secret.
Source: Public-key cryptography [online], downloaded 11/29/2010

Digital Signature
- Used to ensure that an electronic document is authentic (i.e. an email is actually from the person you think it is from) and has not been altered since it was signed
- A verifiable "stamp" of authenticity

Digital Signature
- Requires the ability to obtain a public key from a reputable and known 3rd party
- You need to be certain that the public key used for verification actually belongs to the entity you think it belongs to
- This is the role of a Certificate Authority: it issues a digital certificate that binds a public key to its owner

Digital Signature
1) Hashing – transforms a message into a shorter, fixed-length value that represents the original message. It is computationally infeasible to find a different message that hashes to the same value, so the digest can stand in for the message.
2) Message digest – the output from hashing a message
3) Encrypting the message digest with the sender's private key yields the digital signature. ("Encrypting with the private key" is the textbook RSA picture; in general the private key is applied in a signing operation, and real implementations pad the digest before applying the key.)

Digital Signature: create and verify
CREATE DIGITAL SIGNATURE (sender)
1. Hash the plaintext, creating a message digest. The digest on its own is not the digital signature.
2. Encrypt the message digest with the sender's private key. This creates the digital signature.
3. Combine the plaintext and the digital signature into a signed message and transmit both.
VERIFY DIGITAL SIGNATURE (receiver)
5. Hash the received plaintext with the same hashing algorithm the sender used. This gives a message digest.
6. Decrypt the digital signature with the sender's public key. This gives the sender's message digest.
7. Compare the two message digests. If they are equal, the message came from the holder of the private key and was not altered in transit; if they differ, reject the message.
Figure recreated from Kroenke (2008), Experiencing MIS, Figure CE23-2, page 587.
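The public-key encryption slides above and the signature steps in this figure, carried through in working code. This is an added example, not code from the presentation or from Kroenke. It uses textbook RSA with a constructed key built from two fixed Mersenne primes (an assumption for the example, and insecure by design: real keys come from freshly generated random primes, the "unpredictable number" of the key-generation slide) and SHA-256 as the hash. Real signature libraries also pad the digest (RSA-PSS or PKCS#1 v1.5) before applying the private key; this toy leaves that out so the seven steps stay visible.

```python
"""Textbook RSA walk-through of the deck's public-key encryption and
digital-signature steps. Added example, not code from the original
presentation; Python standard library only."""
import hashlib
from dataclasses import dataclass

# Constructed toy key material: two Mersenne primes, 2^521-1 and 2^607-1.
# Fixed, public primes like these give no security at all; they are used
# here only so the example runs without a random-prime generator.
P = (1 << 521) - 1
Q = (1 << 607) - 1
E = 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def generate_keypair(p=P, q=Q, e=E):
    """Derive the (public, private) pair from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)      # private exponent: modular inverse of e (Python 3.8+)
    return PublicKey(n, e), PrivateKey(n, d)


# --- Public-key encryption: anyone can encrypt, only the private key decrypts ---

def encrypt(pub: PublicKey, message: bytes) -> int:
    m = int.from_bytes(message, "big")
    if not message or message[0] == 0 or m >= pub.n:
        # Textbook RSA carries one short block with no leading zero byte. Real
        # systems encrypt a random symmetric key this way and encrypt the bulk
        # data with that symmetric key.
        raise ValueError("message must be non-empty, start with a non-zero byte, and fit below n")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, ciphertext: int) -> bytes:
    m = pow(ciphertext, priv.d, priv.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# --- Digital signature: the steps from the figure ---

def message_digest(message: bytes) -> int:
    """Steps 1 and 5: hash the plaintext to a fixed-length digest (SHA-256)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(priv: PrivateKey, message: bytes) -> int:
    """Step 2: apply the private key to the digest ('encrypt the digest')."""
    return pow(message_digest(message), priv.d, priv.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Steps 5-7: re-hash the received plaintext, apply the public key to the
    signature to recover the sender's digest, and compare the two digests."""
    recovered = pow(signature, pub.e, pub.n)
    return recovered == message_digest(message)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    msg = b"Pay Alice 100"
    # Step 3: the signed message is the pair (plaintext, signature), sent together.
    signed = (msg, sign(priv, msg))
    print("signature verifies:", verify(pub, *signed))
    tampered = (b"Pay Alice 900", signed[1])        # digest changes, signature does not
    print("tampered copy verifies:", verify(pub, *tampered))
    print("encrypt/decrypt round trip:", decrypt(priv, encrypt(pub, msg)) == msg)
```

The verification step is where the nonrepudiation and authenticity claims come from: a signature only checks out if it was produced with the private key that pairs with the public key you hold, and changing even one character of the plaintext changes the digest so the comparison in step 7 fails. Whether that public key really belongs to the claimed sender is the certificate authority's job, not the algorithm's.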

Certificate Authority
Example, in VeriSign's own words: "As the trusted provider of Internet infrastructure services for the networked world, VeriSign, Inc. provides authentication and verification of businesses worldwide. Billions of times each day, VeriSign helps companies and consumers all over the world to engage in trusted communications and commerce."

Detection and Response
Intrusion detection software – network monitoring tools that search for patterns and anomalies in network traffic to identify possible security problems, for example:
- Numerous incorrect login attempts on a computer
- Unexplained shutdowns and reboots
- Incoming traffic from an unidentified source
- Attempted access to specific ports
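Added example (not part of the deck) of what the detection logic for two of those indicators looks like in practice: repeated failed logins from one source inside a short window, and connections to sensitive ports from addresses outside the networks we recognize. The log line format, the "known" corporate network, the port list and the sample lines are all constructed for this example; real tools read syslog, firewall or NetFlow records instead.

```python
"""Toy intrusion-detection pass over constructed log lines. Added example,
not code from the original presentation; Python standard library only."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The format is an assumption for this example:
#   <ISO time> auth FAIL user=<u> src=<ip>    one failed login attempt
#   <ISO time> conn src=<ip> dport=<port>     one inbound connection attempt
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth FAIL user=root src=203.0.113.7
2024-05-01T10:00:03Z auth FAIL user=admin src=203.0.113.7
2024-05-01T10:00:04Z auth FAIL user=oracle src=203.0.113.7
2024-05-01T10:00:06Z auth FAIL user=test src=203.0.113.7
2024-05-01T10:00:07Z auth FAIL user=guest src=203.0.113.7
2024-05-01T10:05:00Z auth FAIL user=dnovak src=10.1.2.3
2024-05-01T10:06:10Z conn src=10.1.2.3 dport=3389
2024-05-01T10:07:15Z conn src=198.51.100.9 dport=3389
2024-05-01T10:07:16Z conn src=198.51.100.9 dport=445
2024-05-01T10:08:00Z conn src=198.51.100.9 dport=80
"""

KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the corporate LAN
SENSITIVE_PORTS = {22, 445, 3389}                      # SSH, SMB, RDP

AUTH_RE = re.compile(r"^(?P<ts>\S+) auth FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) conn src=(?P<src>\S+) dport=(?P<port>\d+)$")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failed logins inside any sliding `window`.
    One typo from a real user does not trip it; a password-guessing run does."""
    attempts = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            attempts[m["src"]].append(parse_ts(m["ts"]))
    flagged = set()
    for src, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def detect_unknown_sources(lines, sensitive=SENSITIVE_PORTS):
    """(source, port) pairs where an address outside KNOWN_NETWORKS touched a
    sensitive port. Port 80 from the same host is not reported: the indicator is
    the combination of unidentified source and administrative service."""
    hits = set()
    for line in lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        src, port = ipaddress.ip_address(m["src"]), int(m["port"])
        if port in sensitive and not any(src in net for net in KNOWN_NETWORKS):
            hits.add((str(src), port))
    return hits


def analyse(log_text: str) -> dict:
    lines = log_text.splitlines()
    return {
        "brute_force": detect_brute_force(lines),
        "unknown_source_probe": detect_unknown_sources(lines),
    }


if __name__ == "__main__":
    for indicator, findings in analyse(SAMPLE_LOG).items():
        print(f"{indicator}: {sorted(findings)}")
```

Note what the thresholds buy you: the single failure from 10.1.2.3 and the internal RDP connection are left alone, so the alert list stays short enough that someone will actually read it. Tuning those values against your own traffic, rather than the defaults, is most of the work of running an IDS.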

Summary
- What are the ethical issues with respect to information technology and systems?
- What are the 6 types of information policies that are used?
- Viruses
- Details of the 1st and 2nd lines of defense: people and technology
- Focus on public key encryption and digital signatures