Ethics in Information

Technology, Second Edition

Chapter 3
Computer and Internet Crime
 Objectives
• What key trade-offs and ethical issues are
associated with the safeguarding of data and
information systems?

• Why has there been a dramatic increase in the

number of computer-related security incidents in
recent years?

• What are the most common types of computer

security attacks?
Ethics in Information Technology, Second Edition 2
 Objectives (continued)
• What are some characteristics of common computer
criminals, including their objectives, available
resources, willingness to accept risk, and frequency
of attack?

• What are the key elements of a multilayer process

for managing security vulnerabilities, based on the
concept of reasonable assurance?

• What actions must be taken in response to a security

incident?
Ethics in Information Technology, Second Edition 3
 IT Security Incidents: A Worsening
Problem
• Security of information technology is of utmost
importance
– Protect confidential data
• Safeguard private customer and employee data
– Protect against malicious acts of theft or disruption
– Must be balanced against other business needs and
issues
• Number of IT-related security incidents is
increasing around the world

Ethics in Information Technology, Second Edition 4

 IT Security Incidents: A Worsening
Problem (continued)
• Computer Emergency Response Team
Coordination Center (CERT/CC)
– Established in 1988 at the Software Engineering
Institute (SEI)
– Charged with
• Coordinating communication among experts
during computer security emergencies
• Helping to prevent future incidents

Ethics in Information Technology, Second Edition 5

 Increasing Complexity Increases
Vulnerability
• Computing environment is enormously complex
- Continues to increase in complexity every day.
- Number of possible entry points to a network
expands continuously as more devices are added,
increasing the possibility of security breaches.

Ethics in Information Technology, Second Edition 6

 Higher Computer User Expectations
• Computer help desks
– Under intense pressure to provide fast responses to
users’ questions
– Sometimes forget to
• Verify users’ identities
• Check whether users are authorized to perform
the requested action
• Computer users share login IDs and passwords

Ethics in Information Technology, Second Edition 7

 Expanding and Changing Systems
Introduce New Risks
• Network era
– Personal computers connect to networks with
millions of other computers
– All capable of sharing information
• Information technology has become
– Ubiquitous (universal) and
– Necessary tool for organizations to achieve goals
– Increasingly difficult to keep up with the pace of
technological change

Ethics in Information Technology, Second Edition 8

 Increased Reliance on Commercial
Software with Known Vulnerabilities
• Exploit
– Attack on information system
– Takes advantage of a particular system vulnerability
– Due to poor system design or implementation
• Patch
– “Fix” to eliminate the problem
– Users are responsible for obtaining and installing
patches
– Delays in installing patches expose users to security
breaches

Ethics in Information Technology, Second Edition 9

 Increased Reliance on Commercial Software
with Known Vulnerabilities (continued)

• Zero-day attack
– Takes place before a vulnerability is discovered or
fixed
U.S. companies rely on commercial software with
known vulnerabilities, where many corporate IT
organizations prefer to use already installed software

Ethics in Information Technology, Second Edition 10

 Number of Vulnerabilities Reported to
CERT/CC

Ethics in Information Technology, Second Edition 11

 Types of Attacks
• Most frequent attack is on a networked computer
from an outside source
• Types of attacks
– Virus
– Worm
– Trojan horse
– Denial of service

Ethics in Information Technology, Second Edition 12

 Viruses
• Pieces of programming code
• Usually disguised as something else
• Cause unexpected and usually undesirable events
• Often attached to files

Deliver a “payload” or malicious software that
causes the computer to perform in an unexpected
way. For example, the virus may be programmed to
display a certain message on the computer’s
screen, delete or modify a certain document, or
reformat the hard drive.

Ethics in Information Technology, Second Edition 13

 Viruses (continued)
• Does not spread itself from computer to computer
– Must be passed on to other users through
• Infected e-mail document attachments
• Programs on diskettes
• Shared files
• Macro viruses
– Most common and easily created viruses
– Created in an application macro language
– Infect documents and templates

Ethics in Information Technology, Second Edition 14

 Worms
• Harmful programs
– Reside in active memory of a computer
• Duplicate themselves
– Can propagate without human intervention
• Negative impact of virus or worm attack
– Lost data and programs
– Lost productivity
– Effort for IT workers

Ethics in Information Technology, Second Edition 15

 Cost Impact of Worms

Ethics in Information Technology, Second Edition 16

 Trojan Horses
• Program that a hacker secretly installs on a computer
to steal password, personal information or spy on users
• Users are tricked into installing it
• Logic bomb
is a Trojan horse that executes under specific conditions
triggered by change in particular file or by a specific time or
date
Botnet
a large group of computers controlled from one or more
remote locations by hackers, without the knowledge or
consent of their owners. Frequently used to distribute spam
and malicious code.
Ethics in Information Technology, Second Edition 17
 Denial-of-Service (DoS) Attacks
• Is one in which malicious hacker takes over computers
on the Internet and causes them to flood a target site
with demands for data and other small tasks
– The computers that are taken over are called zombies

• Does not involve a break-in at the target computer

– Target machine is busy responding to a stream of
automated requests.
– Legitimate users cannot get in

• Spoofing generates a false return address on packets

Ethics in Information Technology, Second Edition 18

 Denial-of-Service (DoS) Attacks
(continued)
• Ingress filtering - When Internet service providers
(ISPs) prevent incoming packets with false IP
addresses from being passed on
• Egress filtering - Ensuring spoofed packets don’t
leave a network

Ethics in Information Technology, Second Edition 19

 Perpetrators
• Motives are the same as other criminals
• Different objectives and access to varying
resources
• Different levels of risk to accomplish an objective

Ethics in Information Technology, Second Edition 20

 Classifying Perpetrators of Computer
Crime

Ethics in Information Technology, Second Edition 21

 Hackers and Crackers
• Hackers
Test limitations of systems out of intellectual curiosity to see
whether they can gain access and how far they can go.
• Crackers
– Cracking is a form of hacking
– Clearly criminal activity
- break into other people’s networks and systems to
cause harm by defacing Web pages
Rootkit
- set of programs that enables its user to gain administrator
level access to a computer without the end user’s consent
or knowledge.

Ethics in Information Technology, Second Edition 22

 Malicious Insiders
• Top security concern for companies
• Estimated 85 percent of all fraud is committed by
employees
• Usually due to weaknesses in internal control
procedures
• Collusion is cooperation between an employee and
an outsider
• Insiders are not necessarily employees
– Can also be consultants and contractors
• Extremely difficult to detect or stop
– Authorized to access the very systems they abuse

Ethics in Information Technology, Second Edition 23

 Industrial Spies
• Illegally obtain trade secrets from competitors
• Trade secrets are protected by the Economic
Espionage Act of 1996
• Competitive intelligence
– Uses legal techniques
– Gathers information available to the public
• Industrial espionage
– Uses illegal means
– Obtains information not available to the public

Ethics in Information Technology, Second Edition 24

 Cybercriminals
• Hack into corporate computers and steal or
• Engage in all forms of computer fraud
• Chargebacks are disputed transactions
• Loss of customer trust has more impact than fraud
• To reduce the potential for online credit card fraud
sites:
– Use encryption technology
– Verify the address submitted online against the
issuing bank
– Request a card verification value (CVV)
– Use transaction-risk scoring software

Ethics in Information Technology, Second Edition 25

 Cybercriminals (continued)
• Smart cards
– Contain a memory chip
– Are updated with encrypted data every time the card
is used
– Used widely in Europe
– Not widely used in the U.S.

Ethics in Information Technology, Second Edition 26

 Legal Overview:
The Check Clearing for the 21st Century Act

• Requires that banks accept paper documents

– In lieu of original paper checks
– Speeds clearing of checks
• New opportunities for check fraud
– Bankers don’t fully realize the extent of possible
increased fraud

Ethics in Information Technology, Second Edition 27

 Cyberterrorists
• Intimidate or coerce governments to advance
political or social objectives
• Launch computer-based attacks
• Seek to cause harm
– Rather than gather information
• Many experts believe terrorist groups pose only a
limited threat to information systems

Ethics in Information Technology, Second Edition 28

 Reducing Vulnerabilities
• Security
– System and network security is a combination of
technology, policy, and people
– Requires a wide range of activities to be effective
Strong security program begins by:
• Assessing threats to an organization’s computers
and network
• Identify actions that address the most serious
vulnerabilities
• Educate users
• Monitor to detect a possible intrusion
• Create a clear reaction plan
Ethics in Information Technology, Second Edition 29
 Risk Assessment
• An organization’s review of:
– Potential threats to its computers and network and the
– Probability of threats occurring
• Identify investments that can best protect an organization
from the most likely and serious threats
• Reasonable assurance is a concept that recognizes that
managers must use their judgment to ensure that the
cost of control does not exceed the system’s benefits or
the risks involved:
Improve security in areas with:
– Highest estimated cost
– Poorest level of protection

Ethics in Information Technology, Second Edition 30

 Risk Assessment for a Hypothetical
Company

Ethics in Information Technology, Second Edition 31

 Establishing a Security Policy
• A security policy defines
– Organization’s security requirements
– Controls and sanctions needed to meet the
requirements
• Delineates responsibilities and expected behavior
• Outlines what needs to be done
– Not how to do it
• Automated system policies should mirror written
policies

Ethics in Information Technology, Second Edition 32

Educating Employees, Contractors, and
Part-Time Workers
• Educate users about the importance of security
– Motivate them to understand and follow security
policy
• Discuss recent security incidents that affected the
organization
• Help protect information systems by:
– Guarding passwords
– Not allowing others to use passwords
– Applying strict access controls to protect data
– Reporting all unusual activity

Ethics in Information Technology, Second Edition 33

 Prevention
• Implement a layered security solution
– Make computer break-ins harder
• Firewall
– Limits network access based on organization’s access
policy.
– firewalls cannot protect against denial-of-service
attacks, or worms disguised in e-mail attachments.
• Antivirus software
– Scans for a specific sequence of bytes
• Known as the virus signature
– Norton Antivirus
– Dr. Solomon’s Antivirus from McAfee
Ethics in Information Technology, Second Edition 34
 Firewall Protection

Ethics in Information Technology, Second Edition 35

 Popular Firewall Software for Personal
Computers

Ethics in Information Technology, Second Edition 36

 Prevention (continued)

• Antivirus software
– Continually updated with the latest virus detection
information
• Called definitions
• Departing employees
– Promptly delete computer accounts, login IDs, and
passwords
• Carefully define employee roles
• Create roles and user accounts

Ethics in Information Technology, Second Edition 37

 Prevention (continued)
• Keep track of well-known vulnerabilities
– SANS (System Administration, Networking, and
Security) Institute
– CERT/CC (Computer Emergency Response
Team/Coordination Center)
• Back up critical applications and data regularly
• Perform a security audit

Ethics in Information Technology, Second Edition 38

 Detection

• Detection systems
– Catch intruders in the act
• Intrusion detection system
– Monitors system, network resources and activities
– Notifies the proper authority when it identifies
• Possible intrusions from outside the organization
• Misuse from within the organization

Ethics in Information Technology, Second Edition 39

 Detection (continued)
– Knowledge-based approach: contain information
about specific attacks and system vulnerability
and watch for attempt to exploit the
vulnerabilities, such as repeated failed login
attempt or recurring attempt to download
program to a server.

– Behavior-based approach: model the normal

behavior of a system and its users. The intrusion
system compare the current activity to the model
and generate alarm if deviation is found.
Example unusual traffic at odd hour.
Ethics in Information Technology, Second Edition 40
 Detection (continued)
• Intrusion prevention systems (IPSs)
– Prevent attacks by blocking
• Viruses
• Malformed packets
• Other threats
– Sits directly behind the firewall
• Honeypot
– Provides would-be hackers with fake information about
the network by means of
– Decoy server
– Well-isolated from the rest of the network
– Can extensively log activities of intruders
Ethics in Information Technology, Second Edition 41
 Response
• A response plan should be
– Developed well in advance of any incident and
– Approved by
• Legal department
• Senior management
• The Primary goals after an attack is to:
– Regain control
– Limit damage
• Incident notification defines
– Who to notify
– Who not to notify

Ethics in Information Technology, Second Edition 42

 Response (continued)
• Security experts recommend against releasing specific
information about a security compromise in public
forums
• Document all details of a security incident
– All system events
– Specific actions taken
– All external conversations
• Act quickly to contain an attack
• Eradication effort
– Collect and log all possible criminal evidence from the
system
– Verify necessary backups are current and complete
– Create new backups
Ethics in Information Technology, Second Edition 43
 Response (continued)
• Follow-up
– Determine how security was compromised
• Prevent it from happening again
• Review
– Determine exactly what happened
– Evaluate how the organization responded
• Capture the perpetrator
• Consider the potential for negative publicity
• Legal precedent
– Hold organizations accountable for their own IT
security weaknesses

Ethics in Information Technology, Second Edition 44

 Summary
Ethical decisions regarding IT security include
determining which information systems and data
need protection most.
• 65-fold increase in the number of reported IT
security incidents from 1997 to 2003
• Most incidents involve a:
– Virus
– Worm
– Trojan horse
– Denial-of-service

Ethics in Information Technology, Second Edition 45

 Summary (continued)
• Perpetrators include:
– Hackers
– Crackers
– Industrial spies
– Cybercriminals
– Cyberterrorists

Ethics in Information Technology, Second Edition 46

 Summary (continued)
• Key elements of a multilayer process for managing
security vulnerabilities include:
– Assessment
– User education
– Response plan

Ethics in Information Technology, Second Edition 47

 Self-Assessment Questions
1. According to the “2008 CSI Computer Crime and Security
Survey,” which of the following was the most common security
incident?
a. instant messaging abuse
b. distributed denial-of-service attacks
c. laptop theft
d. virus attack
2. A virus does not spread itself from computer to computer but must
be spread through infected e-mail document attachments, infected
programs, or infected Web sites. True or False?
3. An attack on an information system that takes advantage of a
vulnerability is called a(n)_________________.

Ethics in Information Technology, Second Edition 48

 Self-Assessment Questions cont.
4. A group of computers controlled centrally from one or more remote
locations by hackers without the knowledge of their owners is called
a(n) _________________.
5. A set of programs that enables a hacker to gain administrative level
access to a computer without the end user’s consent or knowledge is called
a(n):
a. Trojan horse
b. logic bomb
c. rootkit
d. worm
6. _________________ forces unwanted and often objectionable
materials into e-mail boxes, detracts from the ability of Internet users
to communicate effectively, and costs Internet users and service
providers millions of dollars annually.
Ethics in Information Technology, Second Edition 49
 Self-Assessment Questions cont.
7. To date, there are no documented cases of cyberterrorism. True or
False?
8. A type of attacker that is extremely difficult to detect or stop
because he or she is often authorized to access the very systems being
abused is called a(n) _________________.
9. Concern over potential cyberterrorism began well before the attacks
of 9/11. True or False?
10. The process of assessing security-related risks from both internal
and external threats to an organization’s computers and networks is
called a(n) _________________.
11.The written statement that defines an organization’s security
requirements as well as the controls and sanctions used to meet those
requirements is known as a: (a) risk assessment, (b) security policy (c)
firewall (d). none of the above

Ethics in Information Technology, Second Edition 50

 Self-Assessment Questions cont.
12. Implementation of a strong firewall provides adequate security for
almost any network. True or False?
13. A device that works to prevent an attack by blocking viruses,
malformed packets, and other threats from getting into the company
network is called a(n):
a. firewall
b. honeypot
c. intrusion prevention system
d. intrusion detection system

Ethics in Information Technology, Second Edition 51