chapter 3 ethics, privacy and information security
Post on 19-Dec-2015
230 views
TRANSCRIPT
CHAPTER 3
Ethics, Privacy and Information Security
CHAPTER OUTLINE
3.1 Ethical Issues
3.2 Threats to Information Security
3.3 Protecting Information Resources
LEARNING OBJECTIVES
Describe the major ethical issues related to information technology and identify situations in which they occur.
Describe the many threats to information security.
Understand the various defense mechanisms used to protect information systems.
Explain IT auditing and planning for disaster recovery.
Ethical Issues
Ethics Code of Ethics
Fundamental Tenets of Ethics
Responsibility means that you accept the consequences of your decisions and actions
Accountability means a determination of who is responsible for actions that were taken
Liability is a legal concept meaning that individuals have the right to recover the damages done to them by other individuals, organizations, or systems
Unethical vs. Illegal
What is unethical is not necessarily illegal.
Ethics scenarios
The Four Categories of Ethical Issues
Privacy Issues involve collecting, storing and disseminating information about individuals
Accuracy Issues involve the authenticity, fidelity and accuracy of information that is collected and processed.
Property Issues involve the ownership and value of information
Accessibility Issues revolve around who should have access to information and whether they should have to pay for this access.
Privacy
Privacy: The right to be left alone and to be free of unreasonable personal intrusions.
Court decisions have followed two rules:
(1) The right of privacy is not absolute. Your privacy must be balanced against the needs of society.
(2) The public’s right to know is superior to the individual’s right of privacy.
Threats to Privacy
Data aggregators, digital dossiers, and profiling
Data aggregators are companies that collect public data (e.g., real estate records, telephone numbers) and nonpublic data (e.g., social security numbers, financial data, police records, motor vehicle records) and integrate them to produce digital dossiers.
Digital dossier is an electronic description of you and your habits.
Profiling is the process of creating a digital dossier.
Threats to Privacy contd..
Electronic Surveillance You can be watched without you knowing
about it Personal Information in Databases
Personal Data (Name, address, phone) were sold by individuals in the outsourced companies in India
Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites You put an ad (bulletin board or newspaper) Facebook
Data Aggregators, Digital Dossiers, and Profiling
Electronic Surveillance(The tracking of people‘s activities, online or offline, with the aid of computers.)
Electronic Surveillance. The tracking of people‘s activities, online or offline, with the aid of computers.The image demonstrates that many people are blissfully unaware that they can be under electronic surveillance while they are using their computers.
Personal Information in Databases
Banks Utility companies Government agencies Credit reporting agencies
Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites
Social Networking Sites Can Cause You Problems
Anyone can post derogatory information about you anonymously.
(See this Washington Post article.)
You can also hurt yourself, as this article shows.
What Can You Do?
First, be careful what information you post on social networking sites.
Second, a company, ReputationDefender, says it can remove derogatory information from the Web.
3.2 Threats to Information Security
Factors Increasing the Threats to Information Security Today’s interconnected, interdependent,
wirelessly-networked business environment Government legislation Smaller, faster, cheaper computers and
storage devices Decreasing skills necessary to be a computer
hacker
A Look at Unmanaged Devices
Wi-Fi at McDonalds
Wi-Fi at Starbucks
Hotel Business Center
Key Information Security Terms Threat to an information resource is any
danger to which a system may be exposed. Exposure of an information resources is the
harm, loss or damage that can result if a threat compromises that resource.
Vulnerability is the possibility that the system will suffer harm by a threat.
Risk is the likelihood that a threat will occur Information system controls are the
procedures, devices, or software aimed at preventing a compromise to the system.
Categories of Threats to Information Systems
Unintentional acts Natural disasters Technical failures Management failures Deliberate acts
(from Whitman and Mattord, 2003)
Example of a threat (video)
Unintentional Acts
Human errors Deviations in quality of service by service
providers (e.g., utilities) Environmental hazards (e.g., dirt, dust,
humidity)
Human Errors
Tailgating Shoulder surfing Carelessness with laptops and portable
computing devices Opening questionable e-mails Careless Internet surfing Poor password selection and use And more
Shoulder Surfing
Most Dangerous Employees
Human resources and MIS
Remember, these employees hold ALL the information and they pose the biggest threat to the organizational information security
Social Engineering
Social engineering is an attack where the attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords
Social engineering is a typically unintentional human error on the part of an employee, but it is the result of a deliberate action on the part of an attacker
Natural Disasters
Deliberate Acts (continued)
Software attacks Virus: A virus is a segment of computer code that performs
malicious actions by attaching to another computer program. Worm : A worm is a segment of computer code that spreads by
itself and performs malicious actions without requiring another computer program
Trojan horse: A Trojan horse is a software program that hides in other computer programs and reveal its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send them to the creator of the Trojan horse.
Logic Bomb: A logic bomb is a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time and date.
Phishing attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.
The phishing slideshow presents a nice demonstration of how phishing works.
The phishing quiz presents a variety of e-mails. You must decide which are legitimate and which are phishing attempts.
The phishing examples show actual phishing attempts.
Deliberate Acts (continued)
3.3 Protecting Information Resources
Risk!
There is always risk!
And then there is real risk!
Risk Management
Risk. The probability that a threat will impact an information resource.
Risk management. To identify, control and minimize the impact of threats.
Risk analysis. To assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.
Risk mitigation is when the organization takes concrete actions against risk. It has two functions: (1) implement controls to prevent identified threats from
occurring, and (2) developing a means of recovery should the threat
become a reality.
Risk Mitigation Strategies
Risk Acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Risk limitation. Limit the risk by implementing controls that minimize the impact of threat.
Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance
Controls
Physical controls. Physical protection of computer facilities and resources.
Access controls. Restriction of unauthorized user access to computer resources; use biometrics and passwords controls for user identification.
Communications (network) controls. To protect the movement of data across networks and include
border security controls, authentication and authorization.
Application controls protect specific applications.
Information Systems Auditing
Types of Auditors and Audits Internal External
IS Auditing Procedure
Auditing around the computer means verifying processing by checking for known outputs or specific inputs.
Auditing through the computer means inputs, outputs and processing are checked.
Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware