Lecture 2: Ethics, Privacy, and Information Security


SWE 477
Dr. Sarah Almoaiqel

From: Introduction to Information Systems: Supporting and Transforming Business
By R. Kelly Rainer, Efraim Turban
CHAPTER OUTLINE
1. Ethical Issues
2. Threats to Information Security
3. Protecting Information Resources
LEARNING OBJECTIVES
■ Describe the major ethical issues related to information technology and identify situations in which they occur.
■ Describe the many threats to information security.
■ Understand the various defense mechanisms used to protect information systems.
■ Explain IT auditing and planning for disaster recovery.
NASA Loses Secret Information for Years
Ethical Issues

■ Ethics
■ Code of Ethics
Fundamental Tenets of Ethics

■ Responsibility
■ Accountability
■ Liability
Unethical vs. Illegal

What is unethical is not necessarily illegal.

Ethics scenarios
The Four Categories of Ethical Issues

■ Privacy Issues
■ Accuracy Issues
■ Property Issues
■ Accessibility Issues
Privacy Issues

How much privacy do we have left?
You Be the Judge

Terry Childs: Guilty or not Guilty?
Privacy

Court decisions have followed two rules:
(1) The right of privacy is not absolute. Your privacy must be balanced against the needs of society.
(2) The public’s right to know is superior to the individual’s right of privacy.
Threats to Privacy
■ Data aggregators, digital dossiers, and profiling
■ Electronic Surveillance
■ Personal Information in Databases
■ Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites
Data Aggregators, Digital Dossiers, and Profiling
Electronic Surveillance
■ See "The State of Surveillance" article in
BusinessWeek
■ See the surveillance slideshow
■ See additional surveillance slides
■ And you think you have privacy?
(video)
■ Sense-through-the-Wall
Personal Information in Databases
■ Banks
■ Utility companies
■ Government agencies
■ Credit reporting agencies
Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites
Social Networking Sites Can Cause You Problems
Anyone can post derogatory information about you anonymously. (See this Washington Post article.)

You can also hurt yourself, as this article shows.
What Can You Do?
First, be careful what information you post on social networking sites.

Second, a company, ReputationDefender, says it can remove derogatory information from the Web.
Protecting Privacy

■ Privacy Codes and Policies
■ Opt-out Model (personal data may be collected and used unless the individual explicitly objects)
■ Opt-in Model (personal data may not be collected or used until the individual gives explicit consent)
3.2 Threats to Information Security
Factors Increasing the Threats to Information Security

■ Today’s interconnected, interdependent, wirelessly-networked business environment
■ Government legislation
■ Smaller, faster, cheaper computers and storage devices
■ Decreasing skills necessary to be a computer hacker
Decreasing Skill Necessary to be a Hacker

[Figure: attack sophistication (low to high) plotted against the knowledge required by the intruder, 1980 to 2005. Annotations: "New & Easier Attack Tools" and "Increasing Sophistication of Attacks"; WiGLE.net is shown as an example of such a tool. New and easier tools make it very easy to attack the network.]
Factors Increasing the Threats to Information Security (continued)

■ International organized crime turning to cybercrime
■ Downstream liability
■ Increased employee use of unmanaged devices
■ Lack of management support
A Look at Unmanaged Devices

■ Wi-Fi at McDonalds
■ Hotel Business Center
■ Wi-Fi at Starbucks
Key Information Security Terms
■ Threat
■ Exposure
■ Vulnerability
■ Risk
■ Information system controls
Security Threats (Figure 3.1)
Categories of Threats to Information Systems

■ Unintentional acts
■ Natural disasters
■ Technical failures
■ Management failures
■ Deliberate acts
(from Whitman and Mattord, 2003)

Example of a threat (video)


Unintentional Acts

■ Human errors
■ Deviations in quality of service by service providers (e.g., utilities)
■ Environmental hazards (e.g., dirt, dust, humidity)
Human Errors
■ Tailgating
■ Shoulder surfing
■ Carelessness with laptops and portable computing devices
■ Opening questionable e-mails
■ Careless Internet surfing
■ Poor password selection and use
■ And more
Anti-Tailgating Door
Shoulder Surfing
Most Dangerous Employees
Human resources and MIS

Remember, these employees hold ALL the information.
Social Engineering

■ 60 Minutes interview with Kevin Mitnick, the “King of Social Engineering”
■ Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him.
■ See his company here
Natural Disasters
Deliberate Acts
■ Espionage or trespass
■ Information extortion
■ Sabotage or vandalism
■ Theft of equipment or information
  ■ For example, dumpster diving
Deliberate Acts (continued)

Identity theft video

Compromises to intellectual property
Deliberate Acts (continued)
■ Software attacks
  ■ Virus
  ■ Worm
    ■ 1988: first widespread worm, created by Robert T. Morris, Jr.
    ■ (see the rapid spread of the Slammer worm)
  ■ Trojan horse
  ■ Logic Bomb
Deliberate Acts (continued)

■ Software attacks (continued)
  ■ Phishing attacks
    ■ Phishing slideshow
    ■ Phishing quiz
    ■ Phishing example
    ■ Phishing example
  ■ Distributed denial-of-service attacks
    ■ See botnet demonstration
Deliberate Acts (continued)

■ Software attacks (continued)

Can you be Phished?


How to Detect a Phish E-mail
Is the email really from eBay, or PayPal, or a bank?

As spammers get better, their emails look more genuine. How do you tell if it’s a scam and phishing for personal information? Here’s how ...
Is the email really from eBay, or PayPal, or a bank?
As an example, here is what the email said (the addresses are masked in this copy):
■ Return-path: <[email protected]>
■ From: "PayPal" <[email protected]>
■ Subject: You have 1 new Security Message Alert !

Note that they even give advice in the right column about security.
Example Continued – bottom of the email
How to see what is happening: View Source
■ In Outlook, right click on email, click ‘view source’
■ In GroupWise, open email and click on the Message Source tab
■ In Mozilla Thunderbird, click on View, and Source.
■ Below is the part of the text that makes the email look official – the images came from the PayPal website.
View Source – The Real Link

■ In the body it said, “If you are traveling, Travelling Confirmation Here”
■ Here is where you are really being sent:
■ href=3Dftp:llfutangiu:[email protected]dex.htm
■ (The body is quoted-printable encoded, so “=3D” is the encoded “=” sign; the password and host portion of the link are masked in this copy.)
■ Notice that the link is not only not PayPal, it is an IP address: two giveaways of a fraudulent link. The user:password@ form of the URL is a third.
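The checks on these slides (look at the message source, find the real href behind the link text, spot an IP address or embedded credentials in the link, and compare the Return-path with the From header) as an added Python example. This is not code from the slides or the textbook. It decodes a quoted-printable HTML message with the standard library, pulls out every link, and reports the giveaways. The message, its sender addresses, the user name and password, and the 203.0.113.9 address (from the TEST-NET-3 documentation range) are all constructed for the example and are not the real message from the slides; the brand domain to compare against (paypal.com) is an assumption passed in by the caller.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not the one on the slides): quoted-printable HTML
# whose link text says "PayPal" while the href goes somewhere else entirely.
SAMPLE_RAW = b"""Return-Path: <alerts@mail.example.net>
From: "PayPal" <service@paypal.com>
Subject: You have 1 new Security Message Alert !
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body>
<img src=3D"https://www.paypal.com/images/logo.gif">
<p>If you are traveling,
<a href=3Dftp://futangiu:letmein@203.0.113.9/paypal/index.htm>Travelling Confirmation Here</a></p>
<p>Or visit <a href=3D"https://www.paypal.com/help">www.paypal.com/help</a></p>
</body></html>
"""

HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def domain_of(header_value) -> str:
    """Domain part of the address in a From/Return-Path header ('' if none)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def same_org(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def header_findings(msg):
    findings = []
    from_domain, bounce_domain = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if from_domain and bounce_domain and not (
        same_org(bounce_domain, from_domain) or same_org(from_domain, bounce_domain)
    ):
        findings.append(("Return-Path", f"bounce address domain {bounce_domain} "
                                        f"does not match From domain {from_domain}"))
    return findings


def link_findings(html: str, claimed_domain: str):
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https"):
            findings.append((href, f"unexpected URL scheme {parts.scheme!r}"))
        if parts.username is not None:
            findings.append((href, "user name and password embedded in the URL"))
        if is_ip_literal(host):
            findings.append((href, "link target is a bare IP address"))
        elif host and not same_org(host, claimed_domain):
            findings.append((href, f"link host {host} is not under {claimed_domain}"))
        shown = HOST_IN_TEXT.search(text.lower())
        if shown and host and not (same_org(shown.group(1), host) or same_org(host, shown.group(1))):
            findings.append((href, f"visible text names {shown.group(1)} but the link goes to {host}"))
    return findings


def analyze(raw: bytes, claimed_domain: str):
    """Return a list of (where, reason) findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = ""
    if body is not None:
        charset = body.get_content_charset() or "utf-8"
        html = body.get_payload(decode=True).decode(charset, "replace")  # undoes the =3D encoding
    return header_findings(msg) + link_findings(html, claimed_domain)


if __name__ == "__main__":
    for where, reason in analyze(SAMPLE_RAW, "paypal.com"):
        print(f"{where}: {reason}")
```

Run against the constructed message it reports the Return-Path mismatch and three problems with the ftp: link (scheme, embedded credentials, bare IP address) and nothing for the genuine PayPal help link. The visible-text check is what catches the common trick of showing one domain while linking to another; the `same_org` helper deliberately accepts subdomains but rejects look-alikes such as paypal.com.evil.net.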
Another Example – Amazon

View Source
Deliberate Acts (continued)
■ Alien Software
  ■ Spyware (see video)
  ■ Spamware
  ■ Cookies
  ■ Cookie demo
Keystroke Logger

A hardware keystroke logger plugs in between the keyboard and the computer, so it records every keystroke before the operating system ever sees it.
Example of CAPTCHA
Deliberate Acts (continued)
■ Supervisory control and data acquisition (SCADA) attacks

Wireless sensor
What if a SCADA attack were successful?

Northeastern U.S. power outage in 2003 (investigators attributed that blackout to software and operational failures, not to an attack; it is shown here to illustrate the scale of impact a successful SCADA attack could have)
Results of the power outage in NYC
More results of power outage in NYC
(Experimental) SCADA Attack
Video of an experimental SCADA attack that was successful
Example of Cyber Warfare

See video of cyber warfare directed at Estonia
3.3 Protecting Information Resources
Risk!

There is always risk! And then there is real risk!
Risk Management

■ Risk
■ Risk management
■ Risk analysis
■ Risk mitigation
Risk Mitigation Strategies

■ Risk Acceptance
■ Risk limitation
■ Risk transference
Risk Optimization
Controls

■ Physical controls
■ Access controls
■ Communications (network) controls
■ Application controls
Where Defense Mechanisms (Controls) Are Located
Access Controls
■ Authentication
  ■ Something the user is (biometrics powerpoints)
    ■ Video on biometrics
    ■ The latest biometric: gait recognition
    ■ The Raytheon Personal Identification Device
  ■ Something the user has
  ■ Something the user does
  ■ Something the user knows
    ■ passwords
    ■ passphrases
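The something-the-user-knows and something-the-user-has factors above, combined in one login check, as an added Python example (not from the slides or the textbook, and not any product's code): a salted PBKDF2 password check plus an RFC 6238 time-based one-time code, with constant-time comparisons and a replay check so that a one-time code is accepted at most once. The user name, the password, the PBKDF2 round count and the clock values are assumptions; the secret 12345678901234567890 used in the usage call is the published RFC 4226 / RFC 6238 test secret.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 200_000   # assumption: tune to your hardware
SALT_LEN = 16
TOTP_STEP = 30            # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // TOTP_STEP)


def match_totp(secret: bytes, code: str, at_time: float, window: int = 1):
    """Return the counter that produced `code` (allowing +/- `window` steps of clock drift), else None."""
    counter = int(at_time) // TOTP_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return counter + delta
    return None


def enroll(username: str, password: str, totp_secret: bytes = b"") -> dict:
    """Create the server-side record for a user (constructed in-memory store)."""
    return {
        "user": username,
        "password": hash_password(password),
        "totp_secret": totp_secret or os.urandom(20),
        "last_counter": -1,   # highest TOTP counter already accepted for this user
    }


def authenticate(record: dict, password: str, code: str, at_time=None) -> bool:
    """Both factors must pass; a given TOTP counter is accepted only once (no replay)."""
    at_time = time.time() if at_time is None else at_time
    password_ok = check_password(password, record["password"])   # always evaluated, even if the code is bad
    used = match_totp(record["totp_secret"], code, at_time)
    if not password_ok or used is None or used <= record["last_counter"]:
        return False
    record["last_counter"] = used
    return True


if __name__ == "__main__":
    # Usage with the RFC test secret; at t=59 s the code is 287082 (RFC 6238 vector).
    rec = enroll("alice", "correct horse battery staple", b"12345678901234567890")
    print(authenticate(rec, "correct horse battery staple", totp(rec["totp_secret"], 59), at_time=59))
    print(authenticate(rec, "correct horse battery staple", "287082", at_time=59))  # replay: rejected
```

The replay check matters because a one-time code stays valid for the whole 30-second step plus the drift window; without remembering the last accepted counter, a code captured over someone's shoulder can be reused immediately.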
Access Controls (continued)

■ Authorization
■ Privilege
■ Least privilege
Communication or Network Controls
■ Firewalls
■ Anti-malware systems
■ Whitelisting and Blacklisting
■ Intrusion detection systems
■ Encryption
Basic Home Firewall (top) and Corporate Firewall (bottom)
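The difference between a blacklist (default allow, deny what is known to be bad) and a whitelist (default deny, allow only what is needed), shown on a small first-match packet filter of the kind a firewall implements, as an added Python example. It is not the slides' material and not any real firewall's rule syntax. The rule grammar, the networks (10.1.0.0/16 as the internal network, 10.9.0.0/24 as the admin subnet, 10.1.2.3 as the public web server) and the sample packets are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def parse_rule(line: str) -> Rule:
    """Parse 'allow tcp 10.0.0.0/8 -> 10.1.2.3/32 443' ('any' is a wildcard for nets/ports)."""
    action, proto, src, arrow, dst, dport = line.split()
    if arrow != "->" or action not in ("allow", "deny"):
        raise ValueError(f"bad rule: {line!r}")

    def net(spec: str) -> ipaddress.IPv4Network:
        return ANY_NET if spec == "any" else ipaddress.ip_network(spec)

    return Rule(action, proto, net(src), net(dst), None if dport == "any" else int(dport))


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.proto in ("any", pkt.proto)
        and ipaddress.ip_address(pkt.src) in rule.src
        and ipaddress.ip_address(pkt.dst) in rule.dst
        and rule.dport in (None, pkt.dport)
    )


def decide(rules, pkt: Packet, default: str) -> str:
    """First matching rule wins; if nothing matches, the default policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Blacklist: everything is allowed except what someone remembered to deny.
BLACKLIST = [parse_rule(r) for r in (
    "deny tcp any -> 10.1.0.0/16 23",      # telnet
    "deny tcp any -> 10.1.0.0/16 445",     # SMB
)]

# Whitelist: nothing reaches the internal network unless a rule says so.
WHITELIST = [parse_rule(r) for r in (
    "allow tcp any -> 10.1.2.3/32 443",          # public web server, HTTPS only
    "allow tcp 10.9.0.0/24 -> 10.1.0.0/16 22",   # SSH only from the admin subnet
)]


def compare(pkt: Packet) -> dict:
    """Run the same packet through both policies."""
    return {"blacklist": decide(BLACKLIST, pkt, "allow"),
            "whitelist": decide(WHITELIST, pkt, "deny")}


if __name__ == "__main__":
    # An RDP connection from the Internet that nobody thought to deny (198.51.100.0/24 is TEST-NET-2).
    print(compare(Packet("tcp", "198.51.100.7", "10.1.2.3", 3389)))   # blacklist lets it through
```

The RDP packet is the point: the blacklist only stops the two services its author thought of, so the unexpected service sails through, while the whitelist stops it without anyone having anticipated it. That is why the least-privilege "default deny" posture is the one to build on.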
How Public Key Encryption Works
How Digital Certificates Work
Communication or Network Controls (continued)
■ Virtual private networking
■ Secure Sockets Layer (SSL, now Transport Layer Security, TLS)
■ Vulnerability management systems
■ Employee monitoring systems
Virtual Private Network and Tunneling
Popular Vulnerability Management Systems
Popular Employee Monitoring Systems
Employee Monitoring System
Business Continuity Planning, Backup, and Recovery

■ Hot Site
■ Warm Site
■ Cold Site
Information Systems Auditing

■ Types of Auditors and Audits
  ■ Internal
  ■ External
IS Auditing Procedure

■ Auditing around the computer
■ Auditing through the computer
■ Auditing with the computer
Chapter Closing Case
References
Rainer, R. K., & Turban, E. (2008). Introduction to information systems: Supporting and transforming business. Hoboken, NJ: Wiley.
