Selected Issues in Information Technology. LECTURE TEN. Lecture Objectives. Computer security Computer Fraud or Crime Need for Controls Ergonomics Ethical responsibilities Privacy Issues and social challenges of Information Technology IS management, and professionals and career paths.
Selected Issues in Information Technology • LECTURE TEN
Lecture Objectives • Computer security • Computer Fraud or Crime • Need for Controls • Ergonomics • Ethical responsibilities • Privacy Issues and social challenges of Information Technology • IS management, and professionals and career paths
What is Computer Security? • Provision of Protection from Vandalism (Physical Security) • Preserving data and protecting its validity as well as keeping the secrets secret • Protection against data thieves and network attackers • Considerations for business continuity • Security is the policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
Three Security Goals (CIA triad) • Protect the confidentiality of data • Confidentiality models are primarily intended to assure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible
Three Security Goals cont. • Preserve the integrity of data • Integrity models keep data pure and trustworthy by protecting system data from intentional and accidental changes • Promote the availability of data for authorized use • Availability models keep data and resources available for authorized use
Three Security Goals: Related terms • Identification • Who do you say you are? • Authentication • How do I know it is really you? • Authorization • Now that you are here, what are you allowed to do? • Accountability • Who did what, and, perhaps, who pays the bill?
Threats to Computer Security • Threat – a possible danger to the system, or an event that can cause harm or destruction to an asset. The harm is caused through the impacts of destruction, modification, disclosure and/or denial of service. • Threats can be either human-based, intentional or unintentional (internal or external). • Threats can be natural events, such as floods or lightning. • Threats to computers and communications systems security include the following: • Errors and Accidents • Natural and other hazards • Crime against computers and communications • Worms and viruses
Errors and Accidents • In general, errors and accidents in computer systems may be classified as human errors, procedural errors, software errors, electromechanical problems, and "dirty data" problems. • Human errors – unexpected things human beings do – unintended effects of technology. • Procedural errors – failures occurring because the procedure is not followed. • Software errors – failures due to software glitches or software bugs: errors in a program that make it not work properly. • Electromechanical problems – errors in systems such as printers and circuit boards. They may be faultily constructed, get dirty or overheated, wear out, or become damaged – power surges can burn out equipment. • Dirty data problems – entry of incomplete, outdated, or otherwise inaccurate data
Natural and other hazards • Some disasters can wreck the entire system. Included are natural hazards, and civil strife and terrorism. • Natural hazards: Include fires, floods, earthquakes, tornadoes, hurricanes, blizzards etc. They inflict damage over a wide area. • Civil strife and terrorism: Included are wars, riots and terrorism damage that destroy systems.
Computer Fraud or Crime • A computer crime has been defined by the United States Department of Justice as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation or prosecution. • Cyber Crime – Cybercrime is criminal activity done using computers and the Internet. • Netcrime refers to criminal exploitation of the Internet. • Fraud occurs when an organization suffers intentional financial loss as a result of illegitimate actions within the organization.
Computer Fraud or Crime • Typically, fraud is the theft of resources, usually financial, aided or concealed by manipulation of the financial records. Most companies have now adopted computerized accounting systems and any manipulation of the financial records is likely to involve computer-processed data. • The following are some well-known classifications of computer-related crimes: • Salami technique – this involves software manipulation for rounding off fractions such as on interest and payroll calculations and transferring the results to the perpetrator's account. • Hacking – this is probably the most publicized computer crime. It involves obtaining illegal access to computer systems by cracking access codes. • Data diddling – this technique does not involve the computer itself but manipulations of input or output data.
Computer Fraud or Crime • Money theft – ranging from complex organizational fraud to simple falsification of records that allows money to be misappropriated. • Service theft – use of computer services for one's personal benefit (for example, using computer time or storage files). • Data alteration – including illegally altering credit information, motor vehicle records, and even student grades. • Data destruction – deliberate destruction of files or databases of organizations or individuals. • Program and data theft – misappropriating programs and/or data for personal benefit (often involves trade secrets).
Computer Fraud or Crime • Software theft – Computer programs are valuable property and thus are the subject of theft from computer systems. However, unauthorized copying of software, or software piracy, is also a major form of software theft. • Sabotage and Vandalism – are intentional damage to computer facilities. The crime is normally committed by people who are aggrieved and are seeking revenge. Such acts include pouring liquid onto the keyboard or printer or destroying a part of the system without which it cannot function properly, or planting a logic bomb/virus on computer software. • Virus – program that attaches itself to users' installed programs and propagates copies of itself to other programs • Trojan horse – program that contains unexpected additional functions, e.g. where a program is hidden within another program, often set up to erase all evidence of illegal access.
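The salami technique listed above moves fractions of a cent, so a batch-total check can still balance. The following audit is an added example, not part of the original lecture: it recomputes each account's interest independently and compares it with what was posted. The account numbers, rate, balances, postings and the round-half-even policy are all constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")
RATE = Decimal("0.000137")          # constructed daily interest rate

# Constructed balances of the accounts included in the interest run.
BALANCES = {
    "A-1001": Decimal("1520.37"),
    "A-1002": Decimal("88412.05"),
    "A-1003": Decimal("402.90"),
    "A-1004": Decimal("15999.99"),
}

# Constructed ledger postings produced by the (tampered) interest run.
POSTINGS = [
    ("A-1001", Decimal("0.20")),
    ("A-1002", Decimal("12.11")),
    ("A-1003", Decimal("0.05")),
    ("A-1004", Decimal("2.19")),
    ("A-9042", Decimal("0.02")),    # account that was never part of the run
]


def expected_credits(balances, rate):
    """Recompute each account's interest exactly, then round per policy."""
    return {
        acct: (bal * rate).quantize(CENT, rounding=ROUND_HALF_EVEN)
        for acct, bal in balances.items()
    }


def batch_total_matches(balances, postings, rate):
    """The coarse control: does the total paid out equal the total owed?"""
    owed = sum(expected_credits(balances, rate).values())
    paid = sum(amount for _, amount in postings)
    return paid == owed


def audit_interest_run(balances, postings, rate):
    """The fine-grained control: compare every account with its recomputation.

    Returns (account, reason, amount) tuples sorted by account.
    """
    expected = expected_credits(balances, rate)
    posted = defaultdict(Decimal)   # Decimal() is zero
    for acct, amount in postings:
        posted[acct] += amount

    findings = []
    for acct in sorted(set(expected) | set(posted)):
        if acct not in expected:
            findings.append((acct, "credit to account outside the run", posted[acct]))
        elif posted[acct] != expected[acct]:
            findings.append((acct, "posted differs from recomputed interest",
                             posted[acct] - expected[acct]))
    return findings


if __name__ == "__main__":
    print("batch total balances:", batch_total_matches(BALANCES, POSTINGS, RATE))
    for acct, reason, amount in audit_interest_run(BALANCES, POSTINGS, RATE):
        print(f"{acct}: {reason} ({amount})")
```

On the constructed data the batch total balances, while the per-account audit reports two short-paid accounts and one credit to an account outside the run.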
Malware • Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do. • Virus – program that attaches itself to users' installed programs and propagates copies of itself to other programs • Worm – program that propagates copies of itself to other computers • Trojan horse – program that contains unexpected additional functions, e.g. where a program is hidden within another program, often set up to erase all evidence of illegal access. • Logic bomb – triggers action when a condition occurs • Backdoor – program modification that allows unauthorized access to functionality • Exploits – code specific to a single vulnerability or a set of vulnerabilities
Need for Controls • Controls are all methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of accounting records, and operational adherence to management standards. • The control systems should: • Prevent all possible erroneous and fraudulent data processing. • Detect the occurrence of such errors and fraud. • Minimize the extent of loss to the organization that arises. • Facilitate recovery from such losses, errors and frauds. • Provide a framework for investigating the cause of errors, how they can be effectively prevented from occurring, detected when they occur, and strategies for addressing them effectively. • Controls needed include: procedure controls; physical facility controls; and information systems controls.
Need for Controls • Procedure controls – are methods that specify how an organization's computer and network resources should be operated for maximum security. Included are: the use of standard procedures and documentation; review of requests for systems development and program changes; disaster recovery procedures (plans); and controls for end-user computing. • Physical facility controls – are methods that protect organizational computing and network facilities and their content from loss or destruction. Included are network security; encryption; firewalls; biometrics; and computer failure controls. • Information systems controls – are methods and devices that attempt to ensure accuracy and validity of information system activities. Included are proper data entry; processing techniques; storage methods; and information output.
Need for Controls: Security Strategies • Defense in depth as a strategy • Security implemented in overlapping layers that provide the three elements needed to secure assets: • prevention, • detection, and • response • The weaknesses of one security layer are offset by the strengths of two or more layers
Security Strategies • Prevention • Means that an attack will fail • E.g. if one tries to access a computer via the Internet but the computer is not connected, then the attack has been prevented. • Prevention mechanisms can be so cumbersome that they result in denial of service • Some accepted preventive mechanisms are the use of passwords. These prevent unauthorised users from accessing the system
Security Strategies • Detection • It is useful where an attack cannot be prevented • Detection mechanisms accept that an attack will occur and aim to monitor and report it • Intrusion response requires careful thought and planning, e.g. a database/system administrator can be notified when a user enters a wrong password 3 times • Intrusion detection is a form of auditing • Anomaly detection looks for unexpected events • Misuse detection looks for what is known to be bad
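The two detection styles on this slide, run side by side over the same authentication log. This is an added example, not part of the original lecture; the log format, the sample events and the thresholds (other than the slide's three wrong passwords) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one per line: "timestamp user result".
SAMPLE_LOG = """\
2024-03-04T09:01:10 alice OK
2024-03-04T09:03:42 bob FAIL
2024-03-04T09:03:50 bob OK
2024-03-05T09:10:05 alice OK
2024-03-05T10:15:00 carol FAIL
2024-03-05T10:15:08 carol FAIL
2024-03-05T10:15:15 carol FAIL
2024-03-06T08:55:31 alice OK
2024-03-07T03:12:44 alice OK
"""

FAIL_THRESHOLD = 3   # the slide's "wrong password 3 times"


def parse(log_text):
    """Turn the log text into time-ordered (timestamp, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            events.append((datetime.fromisoformat(ts), user, result))
    return sorted(events)


def misuse_alerts(events, threshold=FAIL_THRESHOLD):
    """Misuse detection: match a pattern already known to be bad.

    Alerts once when a user reaches `threshold` consecutive failures;
    a successful login resets that user's streak.
    """
    streak = defaultdict(int)
    alerts = []
    for ts, user, result in events:
        if result == "FAIL":
            streak[user] += 1
            if streak[user] == threshold:
                alerts.append((ts, user, f"{threshold} consecutive failed logins"))
        else:
            streak[user] = 0
    return alerts


def anomaly_alerts(events, min_history=3, tolerance_hours=2):
    """Anomaly detection: flag events that differ from a learned baseline.

    The baseline is each user's own earlier successful-login hours; a login
    more than `tolerance_hours` from every one of them is unexpected.
    """
    seen_hours = defaultdict(list)
    alerts = []
    for ts, user, result in events:
        if result != "OK":
            continue
        history = seen_hours[user]
        if len(history) >= min_history:
            # Distance on a 24-hour clock to the nearest earlier login hour.
            nearest = min(min(abs(ts.hour - h), 24 - abs(ts.hour - h))
                          for h in history)
            if nearest > tolerance_hours:
                alerts.append((ts, user, f"login {nearest}h away from usual hours"))
        history.append(ts.hour)
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for ts, user, reason in misuse_alerts(events) + anomaly_alerts(events):
        print(f"notify administrator: {ts.isoformat()} {user}: {reason}")
```

The misuse rule catches the three failed logins but says nothing about the successful 03:12 login, which only the baseline comparison flags.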
Security Strategies • Recovery • It has two forms: • Stop an attack • Repair any damage caused by an attack • E.g. if an attacker deletes a file, it can be restored from backups • Recovery is complex because the nature of attacks differs • Recovery involves identifying and fixing the vulnerabilities used by the attacker to enter the system • It can involve counter-attack or taking legal action
Ergonomics • Ergonomics: This involves whether the computer system is "human factor engineered", i.e. created with the user in mind: whether it is user-friendly and designed to be safe, comfortable, and easy to use. • IT creates environmental and mental-health problems among other problems. • Environmental problems • Manufacturing by-products: toxins from semiconductor industries causing harmful health effects • Disposal of by-products: What to do with the hundreds of millions of obsolete or broken PCs, monitors, printers, cellphones, TVs, etc. • Electricity demand: The digital economy is putting a severe strain on electric utilities. • Environmental blight: The visual pollution represented by the forest of wireless towers, roof antennas, satellite dishes, electric poles, etc. • Health problems and ergonomics • Health matters include eyestrain and headaches, back and neck pains, repetitive strain injury to neck, wrist, hand etc. and noise from printers. • Good ergonomic design considers tools, tasks, the workstation, and environment.
Ergonomics Tools include computer hardware and software. The tools design should lead to reduced mechanical stress effects on human tissues. Tasks are jobs. Jobs should be designed to accommodate job rotation, shifts and work breaks. The objective is to reduce employee contact time with computers. Workstation and environment should be conducive to employee job performance. Working environment consideration should involve air-conditioning, heating, and ventilation. Lighting should also be adequate to avoid problems affecting the eyes. Workstation should be equipped with furniture well designed with capability of adjustments when user needs so as to work safely, comfortably and with ease. Work surfaces on which the devices that are used are placed should also be designed for end-user safety, comfort and ease of use.
Ethics Ethics refers to the principles of right and wrong that individuals, acting as free moral agents, use to make choices to guide their behavior. What is unethical may not necessarily be illegal, and what is legal may not necessarily be ethical. Ethics are based on cultural mores: relatively fixed moral attitudes or customs of a societal group Laws are rules adopted and enforced by governments to codify expected behavior in modern society Key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not In law a man is guilty when he violates the rights of others. In ethics he is guilty if he only thinks of doing so. —Immanuel Kant
Ethical and Societal Challenges of IT • Information technology also raises ethical challenges that anyone using computer systems needs to be aware of. Whether we are in an ethical crisis or not is a subject of debate. But what is not debatable is that we are in the midst of an information revolution, in which information technology has dramatically magnified our ability to acquire information. • As a future managerial end user, it will be your responsibility to make decisions about business activities and the use of IT, which may have an ethical dimension that must be considered. • For example, should you electronically monitor your employees' work activities and electronic mail? Should you let employees use their work computers for private business or take home copies of software for their personal use? Should you electronically access your employees' personnel records or workstation files? Should you sell customer information extracted from transaction processing systems to other companies?
Ethical and Societal Dimensions of IT • The use of information technology in business has major impacts on society, and thus raises serious ethical considerations in areas such as privacy, crime, health, working conditions, individuality, employment, and the search for societal solutions through IT. • For example, computerizing a production process may have the adverse effect of eliminating jobs, and the beneficial effect of improving the working conditions and job satisfaction of employees that remain, while producing products of higher quality at less cost. • Another way to understand the ethical dimensions of IT is to consider the basic ethical issues that arise from its use to gather, process, store, and distribute information.
Ethical and Societal Dimensions of IT • Richard Mason has posed four basic ethical issues that deal with the vulnerability of people to this aspect of information technology. It is based on the concept of information from the intellectual capital of individual beings. However, information systems can rob people of their intellectual capital. For example, people's information can be used without compensation and without their permission. People can also be denied access to information or be exposed to erroneous information. • The widespread use of the Internet by businesses and consumers has brought many of these issues to the forefront. • Mason summarizes these four ethical issues with the acronym PAPA: privacy, accuracy, property, and accessibility. • a) Privacy – what information about one's self or one's association must a person reveal to others, under what conditions and with what safeguards? What things can people keep to themselves and not be forced to reveal to others?
Ethical and Societal Dimensions of IT b) Accuracy. Who is responsible for the authenticity, fidelity and accuracy of information? Similarly, who is to be held accountable for errors in information and how is the injured party to be made whole? c) Property. Who owns information? What are the just and fair prices for its exchange? Who owns the channels, especially the airways, through which information is transmitted? How should access to these scarce resources be allocated? d) Accessibility. What information does a person or an organization have a right or a privilege to obtain, under what conditions, and with what safeguards?
Ethical and Societal Dimensions of IT • A frequent criticism of information technology concerns its negative effect on the individuality of people. Computer-based systems are criticized as impersonal systems that dehumanize and depersonalize activities that have been computerized. However, the widespread use of personal computers and the Internet has dramatically improved the development of people-oriented end user and workgroup information systems. Even everyday products and services have been improved through microprocessor-powered "smart" products. • The power of information technology to store and retrieve information can have a negative effect on the right to privacy of every individual. For example, confidential e-mail messages by employees are monitored by many companies. Personal information is being collected about individuals every time they visit a site on the World Wide Web. Confidential information on individuals contained in centralized computer databases by credit bureaus, government agencies and private business firms has been stolen or misused, resulting in the invasion of privacy, fraud and other injustices. The unauthorized use of such information has seriously damaged the privacy of individuals. Errors in such databases could seriously hurt the credit standing or reputation of an individual.
Privacy • Privacy is the power to control what other people know about you: • Information about you that has been revealed to the public (poorly protected). • Information about you that has been kept private (quite well protected). • Privacy rights are not explicitly secured in the Constitution or the Bill of Rights. • They are usually derived from the right against unreasonable searches and seizures.
Privacy • Societal and technological advances have changed the nature of privacy in three ways: • Scale of information gathered. • Kind of information gathered. • Scale of exchange of information gathered. “We can collect, store, manipulate, exchange, and retain practically infinite quantities of data.” – ‘Computer Ethics’, Deborah G. Johnson, 2001
Privacy – The Growing Threat? • Is our society turning into ‘Big Brother’? • Huge quantities of personal information are stored in multiple government and corporate databases. • Abuses of private data are not unheard of. • Many examples of unauthorized intrusions (hacking) into government and private databases containing names, addresses, credit card numbers, SSNs, medical information, etc. • Many examples of hacking into PCs. • Trojans, keystroke loggers, spyware etc. “As automation increasingly invades modern life, the potential for Orwellian mischief grows.” – Supreme Court Justice Ginsburg.
Privacy – The Growing Threat? • What information is out there about you? • Financial data: bank transactions, credit history, mortgage, salary etc. • Interaction with government(s): SSN (PIN), driver’s license, taxes, visa applications, criminal record. • Medical information: medical history, doctor’s visits, medication, operations, health issues. • Communications data: landline and cell phone usage (including location!), e-mail messages, websites visited, online shopping. • Financial transactions: credit card transactions, purchases (often with details), deposits and withdrawals etc. • Travel details: places visited, means of transportation, routes etc. • Miscellaneous: All sorts of other info, including reading habits, hobbies etc.
Privacy – The Growing Threat? • What could all this information reveal? • Your whereabouts over different periods of time (hours, days, months, years). • Your financial situation. • Your personal life. • Your daily habits and routine. • Your preferences, likes and dislikes. • If all the data were centrally collected it would be SCARY!!!
Securing Privacy • Much has been done to protect privacy – legislation, advocacy and practical measures. • Privacy legislation: • Fair Credit Reporting Act of 1970 • Privacy Act of 1974 • Privacy Protection Act of 1980 • Electronic Communications Privacy Act of 1986 • Right to Financial Privacy Act • Federal Records Act • Health Information Portability and Accountability Act (HIPAA) of 1996 • Gramm-Leach-Bliley Act of 1999 • Myriad state privacy laws (California’s SB 1386 Privacy Law)
Securing Privacy • Key Privacy Issues (reflected in most privacy laws): • Databases or data collection should not exist in secret. • Individuals must be able to find out what information is being stored about them and how it is being used. • Individuals should be able to prevent information stored for one purpose being used for another. • Individuals should be able to correct inaccurate information stored about them. • Organizations collecting information must make efforts to check the reliability of their information and prevent its misuse.
Privacy vs. Security • There has always been a delicate balance between privacy and security. • The balance has to be re-negotiated whenever political, societal or technological factors change. • Government measures to improve security include: • Legislation • Increased Surveillance of communications and public places • Collection of personal information from multiple government and private databases in search of terrorist patterns. • Terrorist Watch Lists • Are these measures eroding civil liberties and freedom? Congressional and public opposition.
The Case for Security • Terrorists have the upper hand on the Internet – anonymity (re-mailer, encryption, steganography). • Terrorists use the Internet (and other communications systems) to recruit, spread propaganda, plan and coordinate attacks, and, perhaps soon, to launch attacks. • Criminals (and organized crime groups) use the same security holes to commit fraud, identity theft, and other online offenses. • Collecting data has other benefits, such as improving government efficiency and services, or private sector services, and fighting crime.
Why Worry About Privacy? • Who cares whether this data is stored about me if I haven’t done anything wrong? • Out of principle people have a right to privacy in a free society. • The information could be accessed by unauthorized people/organizations. • The information could be altered. • Many important decisions are made every year based on this information (loans, credit cards, mortgages, employment, housing, health care, law enforcement, national security). • Personal privacy fosters trusting relationships.
Finding the Privacy Balance • So much data is already collected – can we build in safeguards that let us use it AND protect our freedoms? • Legislation – would harmonizing state laws (and international privacy laws) offer additional safeguards? • Technology – cryptography can help protect some sensitive online transactions and data, anonymizers can protect one’s online identity, and security tools can block access to databases. • Responsible government – in times of crisis, people look to government for leadership. Government must act responsibly and not abuse power. Oversight to ensure they don’t!
Policy versus Law • Key difference between policy and law is that ignorance of policy is an acceptable defense; therefore policies must be: • Distributed to all individuals who are expected to comply with them • Readily available for employee reference • Easily understood, with multilingual translations and translations for visually impaired or low-literacy employees • Acknowledged by the employee, usually by means of a signed consent form
Ethical Concepts In Information Security • Information security student is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework • However, those employed in the area of information security may be expected to be more articulate about the topic than others in the organization • Often must withstand a higher degree of scrutiny
The Ten Commandments of Computer Ethics (from The Computer Ethics Institute) • Thou shalt not use a computer to harm other people • Thou shalt not interfere with other people's computer work • Thou shalt not snoop around in other people's computer files • Thou shalt not use a computer to steal • Thou shalt not use a computer to bear false witness • Thou shalt not copy or use proprietary software for which you have not paid • Thou shalt not use other people's computer resources without authorization or proper compensation • Thou shalt not appropriate other people's intellectual output • Thou shalt think about the social consequences of the program you are writing or the system you are designing • Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans • NB: Read on IT Code of Ethics (BY SANS).
Differences In Ethical Concepts • Studies reveal that individuals of different nationalities have different perspectives on the ethics of computer use • Difficulties arise when one nationality’s ethical behavior does not correspond to that of another national group • Differences in computer use ethics are not exclusively cultural • Found among individuals within the same country, same social class, same company • Key studies reveal that overriding factor in leveling ethical perceptions within a small population is education
Deterring Unethical and Illegal Behavior: Ethics And Education • Employees must be trained and kept up to date on information security topics, including the expected behaviors of an ethical employee • Responsibility of information security personnel to do everything in their power to deter unethical and illegal acts, using policy, education, training, and technology as controls or safeguards to protect the information and systems • Many security professionals understand technological means of protection but underestimate the value of policy
Deterring Unethical and Illegal Behavior (Continued) • Three general categories of unethical behavior that organizations and society should seek to eliminate: • Ignorance • Accident • Intent • Deterrence is the best method for preventing an illegal or unethical activity • Example: laws, policies, and technical controls
Deterring Unethical and Illegal Behavior (Continued) • Generally agreed that laws, policies and their associated penalties only deter if three conditions are present: • Fear of penalty • Probability of being caught • Probability of penalty being administered
The Legal Environment • Information security professionals and managers must possess a rudimentary grasp of the legal framework within which their organizations operate • This legal environment can influence the organization to a greater or lesser extent depending on the nature of the organization and the scale on which it operates
Types Of Law • Civil law: pertains to relationships between and among individuals and organizations • Tort law: subset of civil law which allows individuals to seek recourse against others in the event of personal, physical, or financial injury • Criminal law: addresses violations harmful to society and actively enforced/prosecuted by the state • Private law: regulates relationships among individuals and among individuals and organizations • Encompasses family law, commercial law, and labor law • Public law: regulates structure and administration of government agencies and their relationships with citizens, employees, and other governments • Includes criminal, administrative, and constitutional law
Computer Fraud and Abuse Act of 1986 • Computer Fraud and Abuse Act of 1986 (CFA Act) is the cornerstone of many computer-related federal laws and enforcement efforts • Amended October 1996 by National Information Infrastructure Protection Act of 1996 to increase penalties for selected crimes • CFA Act was further modified by the USA Patriot Act of providing law enforcement with broader latitude to combat terrorism-related activities