3. Ethics, Privacy and Information Security Sec 2
Ethics, Privacy and Information Security
Professors: Fernando Vásquez & Claudio Díaz
Ethical Issues
• Ethics
• Code of Ethics
Ethics
• A set of moral principles, especially ones relating to or affirming a specified group, field, or form of conduct
Ethics Code
• A system or collection of rules or regulations on any subject, in this case, ethical conduct
Fundamental Tenets of Ethics
• Responsibility
  • Accept the consequences of your decisions and actions
• Accountability
  • Determining who is responsible for actions that were taken
• Liability
  • Legal concept that gives individuals the right to recover the damages done to them by other individuals, organizations, or systems
Unethical vs. Illegal
What is unethical is not necessarily illegal.
Ethical Issues Categories
• Privacy
  • Collecting, storing and disseminating information about people
• Veracity
  • Authenticity, accuracy and truthfulness of the information collected and processed
• Property
  • Ownership of information and its value
• Accessibility
  • Who should have access to information and whether they should pay for this
Privacy
• The sphere of private life that one has the right to protect from any interference (RAE)
• Courts around the world have followed two rules:
1. The right to privacy is not absolute; it must be balanced with the needs of society
2. The public's right to know is superior to the individual's right to privacy
Video
Threats to Privacy
• Data aggregators (lexisnexis.com), digital dossiers, and profiling
• Electronic surveillance
• Personal information in databases
• Information on Internet bulletin boards, newsgroups, and social networking sites
Personal Information in Databases
• Banks
• Utility companies
• Government agencies
• Credit reporting agencies
Social Networking Sites Can Cause You Problems
Anyone can post derogatory information about you anonymously.
You can also hurt yourself.
Example
• Name: Luciano Caramori Gonzalez
• On Facebook, Twitter (@LucianoCaramori), LinkedIn
• Origin: Santiago, Chile
• Lives: Santiago de Chile
• Studies: Colegio Alcántara de Los Altos de Peñalolén, Los Andes Country Day College and UAI
• Travels: Uruguay (2013)
• Family: Bruno Caramori (brother)
• Girlfriend: Dani Riquelme Herrera, in a relationship since 24 February 2015
• Likes: Motorcycles (like his brother), Colo-Colo, soccer, reggae, rap & hip hop, Friends, House
Ethics?
What Can You Do?
First, be careful what information you post on social networking sites.
Second, a company, ReputationDefender, says it can remove derogatory information from the Web.
Protecting Privacy
• Privacy codes and policies
• Opt-out model
• Opt-in model
Factors Increasing the Threats to Information Security
• Today's interconnected, interdependent, wirelessly-networked business environment
• Government legislation
• Smaller, faster, cheaper computers and storage devices
• Decreasing skills necessary to be a computer hacker
Factors Increasing the Threats to Information Security (continued)
• Downstream liability
• International organized crime taking over cyber-crime
• Unmanaged devices
• Lack of management support
Key Information Security Terms
• Threat
  • Any danger to which a system may be exposed
• Exposure
  • The harm, loss, or damage that can result if a threat materializes
• Vulnerability
  • The possibility that a threat will harm the system
• Risk
  • The likelihood that a threat will occur
• Information system controls
  • Defenses that prevent compromise
Categories of Threats to Information Systems
• Unintentional acts
• Natural disasters
• Technical failures
• Management failures
• Deliberate acts
Unintentional Acts
• Human errors
• Deviations in quality of service by service providers (e.g., utilities)
• Environmental hazards (e.g., dirt, dust, humidity)
2010 Earthquake
• NetGlobalis and S&A: no problems; NetGlobalis's three operators ran on the datacenter's electric generator after the earthquake and suffered no outage at all.
• Adexus (Miraflores 383, 2nd floor): operating without problems or interruptions since day "D" and afterwards.
• NOC Telefónica Chile (San Martin 50): no problems.
• Entel: the datacenter and main operations center of the former state-owned company are located under the 127-metre tower that coordinates communication between the various points of the country, and both responded without problems. After the 1960 earthquake the necessary structural precautions were taken, and they were applied in the construction of the emblematic structure.
• However, the newest data center of the time, Ciudad de Los Valles, suffered several outages because its generator sets did not start.
• Synapsis: had no problems at all, and claimed 100% uptime. The machines did not fail over, nor were the available contingency or backup links used.
• Source: El Mostrador, 2010
Human Errors
• Tailgating
• Shoulder surfing
• Carelessness with laptops and portable computing devices
• Opening questionable e-mails
• Careless Internet surfing
• Poor password selection and use
• And more
Shoulder Surfing
Shoulder surfing occurs when…
Most Dangerous Employees
Human resources and MIS
Remember, these employees hold ALL the information
Threats
Social Engineering
• Social engineering
• Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him
Kevin Mitnick
Deliberate Acts
• Espionage or trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
  • For example, dumpster diving
Deliberate Acts (continued)
• Software attacks
  • Virus
  • Worm
  • Logic bomb
• Software attacks (continued)
  • Phishing attacks
  • Distributed denial-of-service attacks
Deliberate Acts (continued)
• Alien software
  • Spyware (e.g., keyloggers)
  • Spamware
  • Zombie
  • Cookies
Deliberate Acts (continued)
• Supervisory control and data acquisition (SCADA) attacks
Sabotage and Vandalism
• Cyberterrorism
  • Premeditated, politically motivated attacks against information systems, programs, and data
• Cyberwar
  • A type of war in which the information systems of a country could be paralyzed by a massive attack carried out with destructive software
• Theft
  • Illegally taking property belonging to another person or organization
Example: Norse
• We can see some attacks using honeypots
27 January 2015
http://www.armada.mil.bo/
Risk Management
• Risk
• Risk management
• Risk analysis
• Risk mitigation
Risk Mitigation Strategies
• Risk acceptance
• Risk limitation
• Risk transference
Defense Mechanisms
Controls
• Physical controls
• Access controls
• Communications (network) controls
• Application controls
Access Controls
• Authentication
  • Something the user is
  • Something the user has
  • Something the user does
  • Something the user knows
• Passwords
• Passphrases
Access Controls (continued)
• Authorization
• Privilege
• Least privilege
Communication or Network Controls
• Firewalls
• Anti-malware systems
• Whitelisting and blacklisting
• Intrusion detection systems
• Encryption
Firewalls
Private and Public Keys
How Digital Certificates Work
• Digital certificate
• Certificate authorities
Digital Certificates
Communication or Network Controls (continued)
• Virtual private networking
• Secure Sockets Layer (now Transport Layer Security)
• Vulnerability management systems
• Employee monitoring systems
Virtual Private Network
Business Continuity Planning, Backup, and Recovery
• Hot site
• Warm site
• Cold site
• Off-site
Information Systems Auditing
• Information systems auditing
• Audit
• Types of auditors and audits
  • Internal
  • External
Audit Procedure for an Information System
• Auditing around the computer
  • Verify processing controls by checking known outputs against specific inputs
• Auditing through the computer
  • Inputs, outputs and processing are all verified
• Auditing with the computer
  • Consists of using a combination of client data, the auditor's software, and the client's and the auditor's hardware
Activity
• Imagine you are the CIO of and you are in charge of personal and private data from clients
1. Answer the 2nd question of: 1. Privacy 2. Accuracy 3. Property 4. Accessibility (Chapter 3, Table 3.1, Page 77)
2. What mechanisms would you use to defend the personal information of customers?