Security Ethical Issues
• Ethics refers to the principles of right and wrong that individuals use to make choices that guide their behavior.
• A code of ethics is a collection of principles intended to guide decision making by members of an organization.
• The fundamental tenets of ethics are responsibility, accountability and liability.
• Responsibility means accepting the consequences of your decisions and actions.
• Accountability means determining who is responsible for the actions that were taken.
• Liability is a legal concept meaning that individuals have the right to recover damages done to them by other individuals, organizations or systems.

IT-related ethical issues
• Privacy issues involve collecting, storing and disseminating information about individuals.
• Accuracy issues involve the authenticity, fidelity and accuracy of information that is collected and processed.
• Property issues involve the ownership and value of information.
• Accessibility issues revolve around who should have access to information and whether they should have to pay for this access.

Framework of ethical issues
• Privacy issues:
  • What information about oneself should an individual be required to reveal to others?
  • What kind of surveillance can an employer use on its employees?
  • What types of personal information can people keep to themselves and not be forced to reveal to others?
  • What information about individuals should be kept in databases, and how secure is the data stored there?

Framework of ethical issues
• Accuracy issues:
  • Who is responsible for the authenticity, fidelity and accuracy of the information collected?
  • How can we ensure that information will be processed properly and presented accurately to users?
  • How can we ensure that errors in databases, data transmissions and data processing are accidental and not intentional?
  • Who is to be held accountable for errors in information, and how should the injured parties be compensated?
Framework of ethical issues
• Property issues:
  • Who owns the information?
  • What are the just and fair prices for its exchange?
  • How should one handle software piracy?
  • Under what circumstances can one use a proprietary database?
  • Can corporate computers be used for private purposes?
  • How should access to channels be allocated?

Framework of ethical issues
• Accessibility issues:
  • Who is allowed to access the information?
  • How much should companies charge for permitting access to information?
  • How can access to computers be provided for employees with disabilities?
  • Who will be provided with the equipment needed for accessing information?
  • What information does a person or an organization have a right or a privilege to obtain, under what conditions and with what safeguards?

Privacy codes and policies
• Privacy policies or privacy codes are an organization's guidelines for protecting the privacy of customers, clients and employees.
• The opt-out model of informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected.
• Privacy advocates prefer the opt-in model of informed consent, under which a business is prohibited from collecting any personal information unless the customer specifically authorizes it.

Threats to Information Systems
• Today's interconnected, interdependent, wirelessly networked business environment
• Government legislation
• Smaller, faster, cheaper computers and storage devices
• Decreasing skills necessary to be a computer hacker
• International organized crime taking over cybercrime
• Downstream liability
• Increased employee use of unmanaged devices
• Lack of management support

Threats to Information Systems
• Unintentional acts
• Natural disasters
• Technical failures
• Management failures
• Deliberate acts

Unintentional acts
• Human errors
  • These are committed by regular employees working at all levels of the organization.
  • The higher the level of the employee, the greater the threat that employee poses to information security, because higher-level employees typically have greater access to corporate data and enjoy greater privileges on organizational information systems.
  • Moreover, employees in two areas of the firm pose the highest threats: human resources and information systems.
  • Human resources employees generally have access to sensitive personal information about all employees.
  • Information systems employees have access not only to sensitive organizational information, but they often also control the means to create, store, transmit and modify the data.
  • Social engineering is an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information such as passwords.
  • Reverse social engineering is an attack in which the employees approach the attacker.
• Technical failures:
  • These include problems with hardware and software.
  • The most common hardware problem is a crash of a hard disk drive.
  • A notable hardware problem occurred when Intel released a Pentium chip with a defect that caused the chip to perform some mathematical calculations incorrectly.
• Natural disasters:
  • Natural disasters include floods, earthquakes, hurricanes, tornados, lightning and, in some cases, fires.
  • In many cases, acts of God can cause catastrophic loss of systems and data.
  • To avoid such loss, companies must engage in proper planning for backup and recovery of information systems and data.
• Management failures:
  • These involve a lack of funding for information security efforts and a lack of interest in those efforts.
  • Such a lack of leadership will cause the information security of the organization to suffer.
• Deliberate acts:
  • Espionage or trespass
  • Information extortion
  • Sabotage or vandalism
  • Theft of equipment or information
  • Identity theft
  • Compromises to intellectual property
  • Software attacks

Types of software attacks
• Virus: a segment of computer code that performs malicious actions by attaching to another computer program.
• Worm: a segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program).
• Trojan horse: a software program that hides in other computer programs and reveals its designed behavior only when it is activated.

Types of software attacks
• Back door: typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures (also called a trap door).
• Logic bomb: a segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action at a certain time or date.
• Alien software: clandestine software that is installed on your computer through duplicitous methods. It is not as malicious as viruses, worms or Trojan horses, but it does consume valuable system resources.
  • Adware is software designed to make pop-up advertisements appear on your screen.
  • Spyware is software that collects personal information about users without their consent.
  • Cookies are small amounts of information that web sites store on your computer, temporarily or more or less permanently.
• Cyberterrorism and cyberwarfare: attackers use a target's computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, usually with a political agenda.

What are companies doing?
• The online commerce industry was not willing to install safeguards that would make it harder to complete transactions. An example of a measure that has since been adopted is requiring a one-time password (OTP) for every financial transaction.
• Companies are developing software and services that can deliver early warnings of trouble on the Internet. Unlike traditional antivirus software, which is reactive, early-warning systems are proactive, scanning the web for new viruses and alerting companies to the danger.
• The new systems are emerging in response to ever more effective virus writers. As virus writers become more expert, the gap between the time they learn of a vulnerability and the time they exploit it is closing quickly. Hackers are now producing new viruses and worms in a matter of hours.

Communication controls
• Communication controls secure the movement of data across networks.
• Anti-malware systems:
  • Also known as antivirus software, these are software packages that attempt to identify and eliminate viruses, worms and other malicious software.
• Whitelisting and blacklisting:
  • Whitelisting is a process in which a company identifies the software that it allows to run and does not try to recognize malware.
  • Blacklisting is a process in which a company identifies certain types of software that are not allowed to run in its environment.
• Firewall:
  • A system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks.
• Virtual private networking:
  • A VPN is a private network that uses a public network to connect users.
  • As such, VPNs integrate the global connectivity of the Internet with the security of a private network and thereby extend the reach of the firm's networks.
  • They are labelled "virtual" because the connections (among organizations, between remote sites of an organization, or between an organization and its off-site employees) are created when a transmission needs to be made and terminated when the transmission has been sent.
  • There are several advantages:
    • First, they allow remote users to access the company network.
    • They allow flexibility: without being constrained by the need for dedicated connections, mobile users can access the organization's network from properly configured remote devices.
    • Organizations can impose security policies through VPNs.
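The whitelisting versus blacklisting point in the communication controls section above, as an added example that is not part of the original slides: a small Python policy check over constructed sample files (the file names, contents and the two lists are all made up for the demonstration). It shows that a blacklist lets a newly written worm run because no signature exists yet, while a whitelist blocks it, at the cost of also blocking a legitimate tool that IT has not yet approved.

```python
import hashlib

# Constructed sample "executables" (name -> file contents standing in for real binaries).
SAMPLE_FILES = {
    "payroll.exe": b"payroll application, approved by IT",
    "browser.exe": b"web browser, approved by IT",
    "known_worm.exe": b"worm already in the anti-malware signature database",
    "new_worm.exe": b"worm written hours ago, in no database yet",
    "new_tool.exe": b"legitimate utility that IT has not reviewed yet",
}


def sha256_hex(data: bytes) -> str:
    """Fingerprint a file by its contents; hashes, not file names, identify software."""
    return hashlib.sha256(data).hexdigest()


# Whitelist: fingerprints of the software the company has approved to run.
ALLOWLIST = {sha256_hex(SAMPLE_FILES[n]) for n in ("payroll.exe", "browser.exe")}
# Blacklist: fingerprints of malware the company (or its vendor) has already seen.
DENYLIST = {sha256_hex(SAMPLE_FILES["known_worm.exe"])}


def allowlist_decision(data: bytes) -> str:
    """Whitelisting: default deny. Anything not explicitly approved is blocked."""
    return "allow" if sha256_hex(data) in ALLOWLIST else "block"


def denylist_decision(data: bytes) -> str:
    """Blacklisting: default allow. Only software already recognised as bad is blocked."""
    return "block" if sha256_hex(data) in DENYLIST else "allow"


def compare_policies(files: dict = SAMPLE_FILES) -> dict:
    """Return each file's verdict under both policies, e.g. {'allowlist': 'block', 'denylist': 'allow'}."""
    return {
        name: {"allowlist": allowlist_decision(data), "denylist": denylist_decision(data)}
        for name, data in files.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_policies().items():
        print(f"{name:15} whitelist={verdict['allowlist']:5}  blacklist={verdict['denylist']}")
```

The new_tool.exe row is the operational trade-off: whitelisting only works if there is a process to review and add legitimate software promptly.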