Security and Ethical Challenges Chapter 13 McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved.

13-2 Learning Objectives Identify several ethical issues regarding how the use of information technologies in business affects employment, individuality, working conditions, privacy, crime, health, and solutions to societal problems. Identify several types of security management strategies and defenses and explain how they can be used to ensure the security of business applications of information technology.

13-3 Learning Objectives Propose several ways that business managers and professionals can help lessen the harmful effects and increase the beneficial effects of the use of information technology.

13-4 RWC 1: Ethics, IT and Compliance IT Challenges –Technical functionality –Business requirements –Ethical standards –Correct behaviors 2 views of Corporate Ethics –Set of legal and minimum standards –Set of values integral to doing business Most companies have ethics and compliance programs Few can truly execute an ethical agenda

13-5 IT Security, Ethics, and Society

13-6 Categories of Ethical Business Issues

13-7 Corporate Social Responsibility Theories Stockholder Theory –Managers are agents of the stockholders –Only responsible to increase profits without violating the law or fraud Social Contract Theory –Responsible to all of society Stakeholder Theory –Responsible to anyone affected by company

13-8 Principles of Technology Ethics Proportionality –Good must outweigh the harm or risk Informed Consent –Those affected should understand and accept risks Justice –Benefits and burdens distributed fairly Minimized Risk –Avoid all unnecessary risk

13-9 AITP Standards of Professional Conduct

13-10 Security from Cyber Crime

13-11 Hacking Obsessive use of computers Unauthorized access and use of networked computer systems Electronic Breaking and Entering –Accessing without stealing nor damaging Cracker (black hat or darkside hacker) –Maintains knowledge of vulnerabilities for private advantage Common Hacking Tactics –Figure 13.7

13-12 Cyber Theft Most involve theft of money “Inside jobs” Unauthorized activity Attacks through the Internet Most companies don’t report

13-13 Cyberterrorism Use IT to attack electronic infrastructure, exchange information or make threats Terror related –More political motivation than criminal Examples –Attempt to disrupt life support at Antarctic research station –Release of untreated sewage in Australia –Shutdown of government network and banks in Estonia –Non-deliberate shutdown of systems at nuclear reactor

13-14 Unauthorized Use at Work Time and resource theft –Doing private consulting –Doing personal finances –Playing video games –Unauthorized use of the Internet or networks –Recreational surfing –Racist or offensive –Pornographic sites Sniffers –Monitor network traffic or capacity –Find evidence of improper use

13-15 Internet Abuses in the Workplace General abuses Unauthorized usage and access Copyright infringement/plagiarism Newsgroup postings Transmission of confidential data Pornography Hacking Non-work-related download/upload Leisure use of the Internet Use of external ISPs Moonlighting

13-16 Software Piracy Unauthorized copying of computer programs Licensing –Purchase – payment for fair use –Site license – allows a certain number of copies –Shareware – allows copies –Public Domain – not copyrighted Software industry losses –⅓ to ½ of revenues –Millions of copies in educational market –90% pirated software in China Sales negligible

13-17 Theft of Intellectual Property Intellectual Property –Copyrighted material –Music, videos, images, articles, books, software Copyright Infringement is Illegal –Easy to trade pirated intellectual property Publishers Offer Inexpensive Online Music –Illegal downloading is declining

13-18 Viruses and Worms Viruses must be inserted into another program Worms can run unaided Spread annoying or destructive routines Commonly transmitted through –Internet and online services – and file attachments –Disks from contaminated computers –Shareware Top 5 Virus Families of all time –Figure 13.9 Cost of Top 5 Virus Families –Figure 13.9

13-19 Adware and Spyware Adware –Useful software allows ads without consent Spyware –Type of Adware –Can steal private information –Add advertising links to Web pages –Redirect affiliate payments –Change a user's home page and search settings –Make modem call premium-rate numbers –Leave security holes that let Trojans in –Degrade system performance Removal often not completely successful

13-20 Privacy Issues IT capability can create negative effect on privacy –Personal information is collected –Confidential information stolen or misused Opt-In –Explicitly consent to allow data to be compiled –Default in Europe Opt-Out –Must request data is not collected –Default in the U.S.

13-21 Privacy Issues Violation of Privacy –Accessing conversations and records –Collecting and sharing visits to websites Computer Monitoring –Mobile and paging services can track people Computer Matching –Market additional business services Unauthorized Access of Personal Files –Build profiles of contact and credit information

13-22 Protecting Your Privacy on the Internet Encrypt Send anonymous postings Ask your ISP not to sell your information Don’t reveal personal data and interests

13-23 Privacy Laws Electronic Communications Privacy Act and Computer Fraud and Abuse Act –Prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems U.S. Computer Matching and Privacy Act –Regulates the matching of data held in federal agency files to verify eligibility for federal programs

13-24 Privacy Laws Sarbanes-Oxley –Positive – strengthens accounting controls –Negative – overly complex and regulatory Health Insurance Portability and Accountability Act (HIPAA) –Safeguards for health-related information Gramm-Leach-Bliley USA Patriot Act California Security Breach Law Securities and Exchange Commission Rule 17a-4

13-25 Computer Libel and Censorship The opposite side of the privacy debate… –Freedom of information, speech, and press Biggest battlegrounds –Bulletin boards – boxes –Online files of Internet and public networks Weapons used in this battle –Spamming –Flame mail –Libel laws –Censorship

13-26 Cyberlaw Regulate activities electronic communications –Wide variety of legal and political issues –Intellectual property, privacy, freedom of expression, and jurisdiction Body of law emerged 1996 Controversy –Some feel the Internet should not be regulated Encryption and cryptography make regulation difficult –Websites work around censorship –Applicability of legal principles Better laws to come

13-27 Other Challenges Employment –Job opportunities changing Computer Monitoring –Effective but controversial Working Conditions –Eliminated monotonous or obnoxious tasks –Eliminated some skilled jobs Individuality –Dehumanizes and depersonalizes

13-28 Health Issues Cumulative Trauma Disorders (CTDs) –Disorders caused by fast-paced repetitive keystroke jobs Carpal Tunnel Syndrome –Painful, crippling ailment of the hand and wrist –Typically requires surgery to cure Ergonomics –Designing healthy work environments

13-29 Ergonomics Factors

13-30 Societal Solutions Use IT to solve human and social problems –Medical diagnosis –Computer-assisted instruction (CAI) –Computer based training (CBT) –Governmental program planning –Environmental quality control –Law enforcement –Job placement Detrimental effects –Actions without ethical responsibility

13-31 Security Management of IT Security is number 1 problem with the Internet –Internet was developed for inter-operability, not impenetrability –Users responsible for security, quality, and performance –Resources must be protected Goal of security management –Accuracy, integrity, and safety of all information system processes and resources

13-32 RWC 2: End-Point Security Security a complex, moving target Delicate balance between access and security Two approaches –Secure devices –Secure data wherever it lives Encryption HIPAA regulations Classify data, set policies Smartphones ongoing challenges –Balance personal and business use BlackBerries have management infrastructure Phones not secured yet

13-33 Public/Private Key Encryption

13-34 Internet and Intranet Firewalls

13-35 Denial of Service Attacks Depend on three layers of networked computer systems –The victim’s website –The victim’s Internet service provider –Zombie or slave computers commandeered by cybercriminals Defense –At Zombie Machines Set and enforce security policies Scan for vulnerabilities –At the ISP Monitor and block traffic spikes –At the Victim’s Website Create backup servers and network connections

13-36 Internetworked Security Defenses Monitoring Virus Defenses Security Codes Backup Files Security Monitors Biometrics Computer Failure Controls Disaster recovery plan

13-37 Information System Controls Methods and devices to ensure accuracy, validity, and propriety IT Security Audits –Performed by internal or external auditors –Review and evaluation of security measures and management policies –Goal: Ensure proper and adequate measures and policies are in place

13-38 Protecting Yourself from Cybercrime

13-39 RWC 3: Challenges of Working in IT IT presents ethical challenges and dilemmas. To hold workers accountable –Must set ethical policies and guidelines –Make sure that employees know and understand them

13-40 RWC 4: Worry About What Goes Out Leakage of sensitive customer data or proprietary information is a new priority Focus on keeping sensitive information Deploy outbound content management tools – messages, –Alternative communication mechanisms –Including instant messaging –Blogs –FTP transfers –Web mail –Message boards