Chapter 4 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved. Ethics and Information Security

Chapter SECTION 4.1 ETHICS

Chapter 4 ETHICS What is ethics? Legal versus ethical 4-7

Chapter 4 TECHNOLOGY AND ETHICS Intellectual property Copyright Fair use doctrine Pirated software Counterfeit software 4-7

Chapter 4 PEOPLE AND ETHICS Individuals form the only ethical component of IT  Individuals copy, use, and distribute software  Search organizational databases for sensitive and personal information  Individuals create and spread viruses  Individuals hack into computer systems to steal information  Employees destroy and steal information 4-10

Chapter 4 PRIVACY, CONFIDENTIALITY, & TRUST Privacy Confidentiality 4-8

Chapter 4 INFORMATION MANAGEMENT POLICIES Ethical computer use policy Information privacy policy Acceptable use policy privacy policy Internet use policy Anti-spam policy 4-13

Chapter 4 INFORMATION PRIVACY POLICY 1. Notice and disclosure 2. Choice and consent 3. Information security 4. Information quality and access 4-17

Chapter 4 PRIVACY POLICY 4-21

Chapter 4 INTERNET USE POLICY Describes available Internet services Defines the purpose and restriction of Internet access Describes user responsibilities States the ramification for violations 4-23

Chapter 4 WORKPLACE MONITORING Workplace monitoring To monitor or not to monitor, that is the question 4-25

Chapter 4 MONITORING TECHNOLOGIES Key logger or key trapper software Hardware key logger Cookie Adware 4-26

Chapter 4 MONITORING TECHNOLOGIES Spyware Web log 4-26

Chapter SECTION 4.2 INFORMATION SECURITY

Chapter 4 PROTECTING INTELLECTUAL ASSETS Information security 4-32

Chapter 4 THREATS AND SOURCES People Technologies Techniques eBusiness Downtime

Chapter 4 INSIDERS Organizations must enable employees, customers, and partners to access information electronically 33% of security incidents originate within the organization 4-35

Chapter 4 HACKERS Hacker Cracker White-hat hacker Black-hat hacker Hactivist Script kiddies or script bunnies Cyberterrorist 4-52

Chapter 4 HUMAN FAILURES Social engineering Identity theft Phishing 4-42

Chapter 4 MALICIOUS SOFTWARE (MALWARE) Virus Worm Polymorphic virus and worm Trojan-horse virus 4-53

Chapter 4 MALICIOUS SOFTWARE (MALWARE) Backdoor program Spyware Sniffer 4-53

Chapter 4 DENIAL OF SERVICE Denial-of-service attack (DoS) Distributed denial-of-service attack (DDoS)

Chapter 4 EBUSINESS THREATS Elevation of privilege Hoaxes Spoofing Packet tampering 4-54

Chapter 4 DOWNTIME How Much Will Downtime Cost Your Business? 4-31

Chapter 4 TECHNOLOGY DEFENSES Authentication and authorization Prevention and resistance Detection and response 4-39

Chapter 4 AUTHENTICATION AND AUTHORIZATION Authentication Authorization 4-40

Chapter 4 AUTHENTICATION Something the user knows Something the user has  Tokens and Smart cards Something the user does Something the user is  Biometrics

Chapter 4 AUTHORIZATION Resource Type(s) of Access Person or Group Least Access Required

Chapter 4 PREVENTION AND RESISTANCE Content filtering Encryption Firewalls 4-45

Chapter 4 CONTENT FILTERING

Chapter 4 ENCRYPTION  Encryption  Public key encryption (PKE) 4-47

Chapter 4 PUBLIC KEY ENCRYPTION 4-48

Chapter 4 FIREWALLS 4-49

Chapter 4 DETECTION AND RESPONSE Anti-malware tools Backups 4-51

Chapter 4 ANTI-MALWARE TOOLS Antivirus software Anti-spyware software 4-51

Chapter 4 BACKUPS Data Customized software Type RAID Removable media Streaming Location Offline Offsite Secure 4-51

Chapter 4