Meeting 23 & 24: Security and Ethical Challenges
Course: J0454 / Management Information Systems
Year: 2006
Version: 1 / 1
Learning Outcomes
At the end of this meeting, students are expected to be able to select strategies for implementing and developing information technology security management (C4).
Material Outline
Security, Ethical and Societal Challenges of IT
Computer Crime
Privacy Issues
Security Management of IT
Tools of Security Management
Internetworked Security Defenses
Security and Ethics: Business/IT Security, Ethics, and Society
Issues in the graphic: Privacy, Employment, Health, Crime, Individuality, Working Conditions
PATIENTLY ALLOW TIME FOR ANIMATIONS TO WORK. Use the animated graphic to identify the universe of issues surrounding business/IT security, ethics and society.
Security and Ethics: Ethical Responsibility
Business Ethics: Stockholder Theory, Social Contract Theory, Stakeholder Theory
Begin the discussion of business ethics. Compare and contrast the three alternative theories of ethical obligations to the various constituencies in the business world.
Security and Ethics: Ethical Responsibility
Use the text graphic to explain some of the ethical issues in the corporate world.
Security and Ethics: Technology Ethics
Use the text graphic to describe the variables in the principles of technology ethics.
Security and Ethics: Ethical Guidelines
Use the text graphic to describe and explain the AITP standards of professional conduct.
Security Management
Security is 6 to 8% of the IT Budget in Developing Countries
63% Have or Plan to Have the Position of Chief Privacy or Information Officer in the Next Two Years
40% Have a Chief Privacy Officer and Another 6% Intend to Appoint One in the Next Two Years
39% Acknowledge that their Systems Have Been Compromised in the Past Year
24% Have Cyber Risk Insurance and 5% Intend to Acquire Such Coverage
The detailed points of this slide examine some of the statistics presented in the text regarding how firms deal with security management issues. Some of the statistics are quite dramatic. This discussion continues on the next slide…
Security Management: Security Technology Used
Antivirus 96%
Virtual Private Networks 86%
Intrusion-Detection Systems 85%
Content Filtering/Monitoring 77%
Public-Key Infrastructure 45%
Smart Cards 43%
Biometrics 19%
PATIENTLY ALLOW TIME FOR ANIMATIONS TO WORK. Use the animated graphic to explain and contrast the security technologies in use today.
Security Management: PayPal, Inc. Cybercrime on the Internet
Online Payment Processing Company
Observed Questionable Accounts Being Opened
Froze Accounts Used to Buy Expensive Goods for Purchasers in Russia
Used Sniffer Software and Located Users Capturing PayPal IDs and Passwords
More than $100,000 in Fraudulent Charges
Crooks Arrested by FBI
The PayPal Incorporated mini-case cites an example of cybercrime on the Internet. This online payment processing company used software to observe the opening of questionable accounts. These accounts were used to buy expensive goods being sent to Russia. The accounts were frozen and PayPal used sniffer software to identify the criminals. The individuals believed themselves to be safe since they were in Russia; however, the FBI used a ruse to draw them out and arrested them on more than $100,000 in fraudulent charges.
Security Management: Computer Crime
Hacking
Cyber Theft
Unauthorized Use at Work
Piracy of Intellectual Property
Computer Viruses and Worms
Other forms of computer crime are addressed, including hacking, unauthorized use of systems and copyright violation, as well as computer viruses and worms.
Security Management: Examples of Common Hacking
Use the text graphic to explain the common forms of system hacking.
Security Management: Recourse Technologies: Insider Computer Crime
Link Between Company Financial Difficulty and Insider Computer Crimes
Use of "Honey Pots" Filled with Phony Data to Attract Hackers
Software Catches Criminal Activity in Seconds
Crime Exposed and Stopped
The Recourse Technologies mini-case addresses a discovered link between financial difficulty or hard times in a company and the level of insider crime. They filled their computers with "honey pots" containing phony data designed to attract hackers. Once a hacker reaches the data, the software reports the criminal activity in seconds. On many occasions the source of the criminal activity was an insider.
Security Management: Internet Abuses in the Workplace
Use the text graphic to define and discuss the nature of Internet abuses in the workplace.
Security Management: Network Monitoring Software
Most firms now use network monitoring software to exert some control over their system use. The screenshot is an example of such network monitoring software.
Security Management: Copying Music CDs: Intellectual Property Controversy
RIAA Crack Down on Music Piracy
Web Sites Fighting Back
140 Million Writable Drives In Use
Billions of Blank CDs Sold While Music CD Sales Are Going Down
Pirates Reluctant to Go Away
The issue of this slide is the copying of music CDs in violation of intellectual property rights. The recording industry association's crackdown on music piracy is discussed. Many websites are fighting back, altering their techniques to try to avoid being caught. The case states that there are 140 million writable drives in use, with billions of blank CDs sold while music CD sales are decreasing.
Security Management: Facts About Recent Computer Viruses and Worms
Use the text graphic to explain the nature and consequences of the presence of worms and viruses. This discussion continues in a case on the next slide.
Security Management: University of Chicago: The Nimda Worm
Nimda Worm Launch Sept. 18, 2001
Mass Mailing of Malicious Code Attacking MS-Windows
Took Advantage of Back Doors Previously Left Behind
In Four Hours the University of Chicago's Web Servers were Scanned by 7,000 Unique IP Addresses Looking for Weaknesses
Many Servers Had to Be Disconnected
The University of Chicago mini-case describes their experience with the Nimda worm launch of Sept. 18, 2001. Within hours many servers were seriously impacted and had to be disconnected.
Privacy Issues
Right to Privacy
Computer Profiling
Computer Matching
Privacy Laws
Computer Libel and Censorship
Spamming
Flaming
Right to privacy issues should be discussed in view of system usage for profiling, matching and other legitimate uses, as well as for negative applications that create enormous nuisance problems.
Privacy Issues: Other Challenges
Employment Challenges
Working Conditions
Individuality Issues
Health Issues
Other challenges to privacy are discussed in the areas of employment, individuality, and health issues.
Privacy Issues: Ergonomics
Use the text graphic to explain ergonomic issues as they impact the user/operator. Cite examples of each where possible. This discussion continues on the next slide...
Privacy Issues: Ergonomics
Job Stress
Cumulative Trauma Disorders (CTDs)
Carpal Tunnel Syndrome
Human Factors Engineering
Societal Solutions
Continue the discussion of ergonomic issues, describing each of the physical ailments presented in the text and how society is attempting to address solutions to the problem.
Security Management of Information Technology: Tools of Security Management
Use the text graphic to outline the tools of security management that make up the balance of this chapter.
Security Management of Information Technology: Providence Health and Cervalis: Security Management Issues
Need for Security Management Caused by Increased Use of Links Between Business Units
Greater Openness Means Greater Vulnerabilities
Better Use of Identifying, Authenticating Users and Controlling Access to Data
Theft Should Be Made as Difficult as Possible
The Providence Health and Cervalis mini-case addresses security management issues. The case emphasizes that the demand for increased links between business units creates more vulnerabilities and security risk. The conclusion was that data theft should be made as difficult as possible.
Security Management of Information Technology: Internetworked Security Defenses
Encryption
Public Key
Private Key
Graphically…
Begin the discussion of data encryption using public key/private key techniques. Define the terms. Continue the discussion using the graphic on the next slide…
Security Management of Information Technology: Encryption
Use the text graphic to conclude the discussion of public key/private key encryption for data security management purposes.
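To make the public key/private key relationship concrete for students, here is textbook RSA with toy-sized numbers. This is an added example, not material from the textbook or its slides; the two primes, the public exponent and the message are constructed for the demonstration, and the modulus is far too small for real use. The point it shows is the one the slide makes: anyone holding the public key can encrypt, and only the holder of the matching private key can decrypt.

```python
"""Textbook RSA with toy-sized primes, added here to illustrate the
public-key / private-key relationship on the slide. Not from the textbook;
the primes, exponent and message are constructed for this demonstration and
the key size is only large enough to carry a four-character message."""
from math import gcd

# Constructed toy primes (assumption: any two distinct primes behave the same way).
P, Q = 104729, 104723


def make_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Derive the pair: public key (n, e) is published, private key (n, d) is kept secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, message: int) -> int:
    """Anyone with the public key can do this: c = m^e mod n."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(message, e, n)


def decrypt(private_key, ciphertext: int) -> int:
    """Only the private exponent recovers the message: m = c^d mod n."""
    n, d = private_key
    return pow(ciphertext, d, n)


def text_to_int(text: str) -> int:
    return int.from_bytes(text.encode("utf-8"), "big")


def int_to_text(value: int) -> str:
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode("utf-8")


def round_trip(text: str) -> str:
    """Encrypt a short string with the public key, decrypt it with the private key."""
    public_key, private_key = make_keypair()
    ciphertext = encrypt(public_key, text_to_int(text))
    return int_to_text(decrypt(private_key, ciphertext))


if __name__ == "__main__":
    pub, priv = make_keypair()
    c = encrypt(pub, text_to_int("PAY!"))
    print("ciphertext:", c)
    print("decrypted :", int_to_text(decrypt(priv, c)))
```

Students can see that the ciphertext bears no visible relation to the message, and that changing a single digit of the private exponent breaks decryption; both facts follow directly from the modular arithmetic above.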
Security Management of Information Technology: Firewalls
1. External Firewall Blocks Outsiders
2. Internal Firewall Blocks Restricted Materials
3. Use of Passwords and Browser Security
4. Firewall Performs Authentication and Encryption
5. Careful Network Interface Design
Elements in the graphic: Internet, Router, Firewall, Intranet Server, Host System.
PATIENTLY ALLOW TIME FOR ANIMATIONS TO WORK. Use the animated graphic to show how appropriately placed and configured firewalls can protect a system from Internet-based intrusion.
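The two-tier layout on the slide (an external firewall that blocks outsiders, an internal firewall that keeps the intranet server for internal users) can be modelled as two ordered, first-match rule sets. The following is an added example written for this lecture, not code from the textbook; the network ranges, the public web server and intranet server addresses, and the sample packets are all constructed.

```python
"""Two-tier firewall policy as on the slide: the external firewall admits
outsiders only to the public web server, the internal firewall admits only
internal addresses to the intranet server. Added example, not from the
textbook; every address, port and packet below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")          # constructed: the intranet
DMZ_NET = ip_network("203.0.113.0/24")           # constructed: public-facing segment
DMZ_WEB = "203.0.113.10"                         # constructed: public web server
INTRANET_SERVER = "10.1.2.3"                     # constructed: internal server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # any source
    dst: str = "0.0.0.0/0"       # any destination
    ports: tuple = ()            # empty = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (not self.ports or pkt.port in self.ports))


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; anything no rule matches is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# 1. External firewall: outsiders reach only the public web server, on web ports.
EXTERNAL = [
    Rule("allow", dst=DMZ_WEB, ports=(80, 443)),
    Rule("deny"),
]

# 2. Internal firewall: the intranet server is for internal addresses only,
#    so even a compromised host on the public segment cannot reach it.
INTERNAL = [
    Rule("allow", src=str(INTERNAL_NET), dst=INTRANET_SERVER),
    Rule("deny", dst=INTRANET_SERVER),
    Rule("allow"),
]


def is_outsider(addr: str) -> bool:
    ip = ip_address(addr)
    return ip not in INTERNAL_NET and ip not in DMZ_NET


def verdict(pkt: Packet) -> str:
    """Traffic from the Internet crosses the external firewall; traffic bound
    for the intranet crosses the internal one. A packet must pass every
    firewall on its path."""
    if is_outsider(pkt.src) and evaluate(EXTERNAL, pkt) == "deny":
        return "blocked by external firewall"
    if ip_address(pkt.dst) in INTERNAL_NET and evaluate(INTERNAL, pkt) == "deny":
        return "blocked by internal firewall"
    return "allowed"


if __name__ == "__main__":
    for p in (Packet("198.51.100.7", DMZ_WEB, 443),        # visitor to web site
              Packet("198.51.100.7", INTRANET_SERVER, 80),  # outsider probing intranet
              Packet(DMZ_WEB, INTRANET_SERVER, 445),        # web server reaching inward
              Packet("10.0.0.5", INTRANET_SERVER, 80)):     # staff member
        print(p, "->", verdict(p))
```

The third sample packet is the reason the internal firewall exists: the public web server is allowed to be reached from the Internet, so if it is ever compromised the internal firewall is what still stands between it and the intranet server.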
Security Management of Information Technology: MTV Networks: Denial of Service Defenses
MTV.com Website Targeted for Distributed Denial of Service (DDOS) Attacks During Fall Peak Periods
Some People Try to Crash MTV Sites
Parent Viacom Installed Software to Filter out DDOS Attacks
Website Downtime Reduced
The MTV Networks mini-case describes their solution to denial of service attacks made on their systems, particularly during peak fall periods. MTV parent Viacom installed software to filter out such attacks and website downtime was significantly reduced.
Security Management of Information Technology: Defending Against Denial of Service Attacks
Use the text graphic to discuss alternatives for defending against Denial of Service attacks.
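One of the simplest filters of the kind the MTV case mentions is a per-source request budget: a source that sends more than a set number of requests inside a sliding time window has its excess requests dropped, while normal visitors are unaffected. The following is an added example for this lecture, not code from the textbook or from Viacom; the access-log excerpt, addresses, window and limit are constructed.

```python
"""Per-source sliding-window request filter, a basic denial-of-service
defence. Added example, not from the textbook; the log excerpt below is
constructed: 198.51.100.7 floods the site 100 ms apart while 203.0.113.9
browses normally."""
from collections import defaultdict, deque

# Constructed access-log excerpt: "<unix_ms> <source_ip> <request>"
SAMPLE_LOG = """\
1000000 198.51.100.7 GET /index.html
1000050 203.0.113.9 GET /index.html
1000100 198.51.100.7 GET /index.html
1000200 198.51.100.7 GET /index.html
1000300 198.51.100.7 GET /index.html
1000400 198.51.100.7 GET /index.html
1000500 198.51.100.7 GET /index.html
1000600 198.51.100.7 GET /index.html
1000700 198.51.100.7 GET /index.html
1000800 198.51.100.7 GET /index.html
1000900 198.51.100.7 GET /index.html
1000900 203.0.113.9 GET /news.html
1001000 198.51.100.7 GET /index.html
1001100 198.51.100.7 GET /index.html
1001700 203.0.113.9 GET /video.html
"""


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_ms: int):
        self.limit, self.window_ms = limit, window_ms
        self._served = defaultdict(deque)   # source -> timestamps of served requests

    def allow(self, source: str, now_ms: int) -> bool:
        served = self._served[source]
        while served and served[0] <= now_ms - self.window_ms:
            served.popleft()                 # forget requests that left the window
        if len(served) >= self.limit:
            return False                     # over budget: drop, and do not count it
        served.append(now_ms)
        return True


def filter_log(log_text: str, limit: int = 5, window_ms: int = 1000) -> dict:
    """Replay a log through the limiter; returns {source: (served, dropped)}."""
    limiter = SlidingWindowLimiter(limit, window_ms)
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _request = line.split(maxsplit=2)
        counts[src][0 if limiter.allow(src, int(ts)) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


def flagged_sources(summary: dict) -> list:
    """Sources that had at least one request dropped, for follow-up."""
    return sorted(src for src, (_served, dropped) in summary.items() if dropped)


if __name__ == "__main__":
    for src, (served, dropped) in filter_log(SAMPLE_LOG).items():
        print(f"{src}: served {served}, dropped {dropped}")
```

With a budget of 5 requests per second the flooding source has its sixth to tenth requests dropped and is served again only as its earliest requests age out of the window; the ordinary visitor never notices the filter. A real deployment would pair this with the upstream and provider-level filtering the text discusses, since a filter on the web server alone cannot help once the link in front of it is saturated.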
Security Management of Information Technology: Sonalysts, Inc.: Corporate e-Mail Monitoring
e-Sniff Monitoring Device Searches e-Mail by Key Word or Records of Web Sites Visited
82% of Businesses Monitor Web Use
Close to 100% of Workers Register Some Improper Use
The Sonalysts, Inc. mini-case gives an example of corporate e-mail monitoring. Their e-Sniff monitoring device examined e-mail by key word and also recorded websites visited. The case states that 82% of businesses monitor Web use and reports that close to 100% of workers registered some improper use. It also presented a situation in which a use that appeared improper turned out to be quite legitimate. The summary was: don't jump to conclusions.
Security Management of Information Technology: TrueSecure and 724 Inc.: Limitations of Antivirus Software
Much Software Was Unable to Stop Nimda Worm
Software Alone is Often Not Enough to Clean System
Until Better Software is Developed, A Complete System Disconnect and Purge May Be the Only Solution
The TrueSecure and 724 Inc. mini-case discusses limitations of antivirus software. It states that much software was unable to stop the Nimda worm and that software alone is not enough to clean the system. In many cases a complete system disconnect and purge may be the only solution.
Security Management of Information Technology: Example Security Suite Interface
The screenshot is an example of a security suite interface (McAfee.com). The functions of the suite can be identified from the screenshot.
Security Management of Information Technology: Other Security Measures
Security Codes
Multilevel Password System
Smart Cards
Backup Files
Child, Parent, Grandparent Files
System Security Monitors
Biometric Security
Other security measures are described, including the use of security codes, passwords, smart cards, and biometric applications. Multiple backup redundancy is encouraged. The use of system security monitors provides another form of feedback in case of a violation; an example is on the next slide.
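The "child, parent, grandparent" bullet refers to three-generation backup rotation: the newest copy is the child, the previous one the parent, the one before that the grandparent, and each new backup retires the oldest. The following is an added example written for this lecture, not code from the textbook; it keeps the copies in memory rather than on tape or disk, stores a SHA-256 checksum with each copy so that a restore can detect a damaged one, and uses constructed file contents.

```python
"""Child/parent/grandparent backup rotation with per-copy checksums.
Added example, not from the textbook; the backup contents are constructed
and the copies live in memory instead of on separate media."""
import hashlib
from collections import deque


class GenerationBackups:
    GENERATIONS = ("child", "parent", "grandparent")

    def __init__(self):
        # newest copy on the left; a fourth copy pushes the grandparent out
        self._copies = deque(maxlen=len(self.GENERATIONS))

    def take_backup(self, label: str, data: bytes) -> str:
        """Store a new child copy and return its checksum."""
        digest = hashlib.sha256(data).hexdigest()
        self._copies.appendleft({"label": label, "data": bytearray(data), "sha256": digest})
        return digest

    def generations(self) -> dict:
        """Which backup currently occupies each generation slot."""
        return {gen: copy["label"] for gen, copy in zip(self.GENERATIONS, self._copies)}

    def restore(self, generation: str) -> bytes:
        """Return a generation's contents, refusing a copy whose checksum no longer matches."""
        index = self.GENERATIONS.index(generation)
        if index >= len(self._copies):
            raise LookupError(f"no {generation} copy exists yet")
        copy = self._copies[index]
        if hashlib.sha256(copy["data"]).hexdigest() != copy["sha256"]:
            raise ValueError(f"{generation} copy '{copy['label']}' failed its checksum")
        return bytes(copy["data"])

    def simulate_damage(self, generation: str) -> None:
        """Flip one byte of a stored copy, standing in for a damaged tape or disk."""
        copy = self._copies[self.GENERATIONS.index(generation)]
        copy["data"][0] ^= 0xFF


if __name__ == "__main__":
    backups = GenerationBackups()
    for day, content in (("mon", b"ledger v1"), ("tue", b"ledger v2"),
                         ("wed", b"ledger v3"), ("thu", b"ledger v4")):
        backups.take_backup(day, content)
        print(day, "->", backups.generations())
    print("grandparent restores:", backups.restore("grandparent"))
```

After the fourth backup the Monday copy has been retired and a restore from the grandparent slot yields Tuesday's data; if the parent copy is damaged, the checksum refuses it and the child or grandparent can still be used, which is the redundancy the slide encourages.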
Security Management of Information Technology: Example Security Monitor
The screenshot is an example of a security monitor system used to monitor system usage.
Security Management of Information Technology: Evaluation of Biometric Security
Use the text graphic to lead a discussion evaluating the effectiveness of biometric techniques.
Security Management of Information Technology: Computer Failure Controls
Fault Tolerant Systems
Fail-Over
Fail-Safe
Fail-Soft
Disaster Recovery
Discuss and define the alternative types of computer failure controls presented in the text. Stress the importance of a disaster recovery plan in case of crisis.
Security Management of Information Technology: Methods of Fault Tolerance
Use the text graphic to describe the methods of fault tolerance. Emphasize the threats to each specific layer and the method used to protect the environment.
Security Management of Information Technology: Visa International: Fault Tolerant Systems
Only 100% Uptime is Acceptable
Only 98 Minutes of Downtime in 12 Years
1 Billion Transactions Worth $2 Trillion in Transactions a Year
4 Global Processing Centers
Multiple Layers of Redundancy and Backup
Software Testing an Art Form
The Visa International mini-case describes their fault tolerant systems, where downtime is totally unacceptable. Visa has experienced only 98 minutes of downtime in 12 years. They process billions of transactions representing trillions of dollars worldwide and have implemented massive backup and redundant systems because their data is so vital. They have developed software testing into an art form.
Systems Controls and Audits
Information System Controls
Garbage-In, Garbage-Out (GIGO)
Auditing IT Security
Audit Trails
Control Logs
Introduce the concept of systems controls and audits. Emphasis should be placed on auditing IT security, development of audit trails, and maintenance of control logs for longitudinal consistency.
Systems Controls and Audits
Input Controls: Security Codes, Encryption, Data Entry Screens, Error Signals, Control Totals
Processing Controls: Software Controls, Hardware Controls, Firewalls, Checkpoints
Output Controls: Security Codes, Encryption, Control Totals, Control Listings, End User Feedback
Storage Controls: Security Codes, Encryption, Backup Files, Library Procedures, Database Administration
PATIENTLY ALLOW TIME FOR ANIMATIONS TO WORK. Use the animated graphics to demonstrate where control systems exist and how they relate to each other.
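Control totals, which appear under both input and output controls in the figure, and the audit trail from the previous slide work together: a batch arrives with a header stating how many records it holds, the sum of their amounts and a hash total (here the sum of the account numbers), the processing step recomputes the same figures, and the outcome is written to the audit trail whether or not the batch is accepted. The following is an added example for this lecture, not code from the textbook; the records, the batch header and the trail entry format are constructed.

```python
"""Batch control totals with an audit trail entry per processing run.
Added example, not from the textbook; the records, header and trail entry
format are constructed for the demonstration."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Record:
    account: str
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    batch_id: str
    record_count: int
    amount_total: Decimal
    hash_total: int      # sum of account numbers: meaningless as a figure, useful as a check


def control_totals(records) -> tuple:
    """(record count, amount total, hash total) recomputed from the records themselves."""
    return (len(records),
            sum((r.amount for r in records), Decimal("0")),
            sum(int(r.account) for r in records))


def process_batch(header: BatchHeader, records, audit_trail: list) -> bool:
    """Accept the batch only if the recomputed totals match the header; log either way."""
    actual = control_totals(records)
    expected = (header.record_count, header.amount_total, header.hash_total)
    accepted = actual == expected
    audit_trail.append({
        "batch_id": header.batch_id,
        "event": "batch accepted" if accepted else "batch rejected: control totals differ",
        "expected": expected,
        "actual": actual,
    })
    return accepted


# Constructed sample batch: three payment records and the header that came with them.
SAMPLE_BATCH = [
    Record("10001", Decimal("150.00")),
    Record("10002", Decimal("75.50")),
    Record("10003", Decimal("20.25")),
]
SAMPLE_HEADER = BatchHeader("B-001", record_count=3,
                            amount_total=Decimal("245.75"), hash_total=30006)


if __name__ == "__main__":
    trail = []
    print("complete batch accepted:", process_batch(SAMPLE_HEADER, SAMPLE_BATCH, trail))
    # A record lost between input and processing shows up in all three totals.
    print("short batch accepted:   ", process_batch(SAMPLE_HEADER, SAMPLE_BATCH[:2], trail))
    for entry in trail:
        print(entry)
```

Dropping a single record changes all three totals, so the rejection is caught before any output is produced, and the audit trail entry records both what was expected and what was seen so an auditor can trace the discrepancy later.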
Summary
Ethical and Societal Dimensions
Ethical Responsibility in Business
Security Management
Source of PPT material: O'Brien, James A. (2005). Introduction to Information Systems (12th Edition). McGraw-Hill. Chapter 11. Official PPT.