Intro To Info Security

Information security involves managing risks and controls to ensure the safety of data and systems within an organization. It requires multiple layers of security, including physical, personal, and network security, while balancing protection with accessibility. Effective implementation of information security should follow structured methodologies like the Security Systems Development Life Cycle (SecSDLC).

Uploaded by erickkimotho0

Information Systems Security, Computer Crime, and Ethics
Components of an Information System
• Information System (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization
Computer Security
• Computer Security – precautions taken to
keep computers and the information they
contain safe from unauthorized access
• Information security: a “well-informed sense
of assurance that the information risks and
controls are in balance.” —Jim Anderson,
Inovant (2002)
What is Security?
• “The quality or state of being secure—to be
free from danger”
• A successful organization should have multiple
layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security
What is Information Security?
• The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training,
education, technology
• C.I.A. triangle was standard based on
confidentiality, integrity, and availability
• C.I.A. triangle now expanded into list of critical
characteristics of information
Critical Characteristics of Information
• The value of information comes from the characteristics it possesses:
– Availability
– Accuracy
– Authenticity
– Confidentiality
– Integrity
– Utility
– Possession
Computer Security
• Recommended Safeguards
– Implement a security plan to prevent break-ins
– Have a plan if break-ins do occur
– Make backups!
– Only allow access to key employees
– Change passwords frequently
– Keep stored information secure
– Use antivirus software
– Use biometrics for access to computing resources
– Hire trustworthy employees
Computer Security
• Virus prevention
– Install antivirus software
– Make backups
– Avoid unknown sources of shareware
– Delete e-mails from unknown sources
– If your computer gets a virus…
Computer Security
• How to maintain your privacy online
– Choose Web sites monitored by privacy advocates
– Avoid “cookies”
– Visit sites anonymously
– Use caution when requesting confirming e-mail
Computer Security
• Avoid getting conned in cyberspace
– Internet auctions
– Internet access
– International modem dialing
– Web cramming
– Multilevel marketing (pyramid schemes)
– Travel/vacations
– Business opportunities
– Investments
– Health-care products
Computer Security
• Encryption – the process of encoding
messages before they enter the network or
airwaves, then decoding them at the
receiving end of the transfer
Computer Security
• How encryption works
– Symmetric secret key system
• Both sender and recipient use the same key
• Key management can be a problem
– Public key technology
• A private key and a public key
– Certificate authority
• Implementing public-key encryption on a busy Web site requires a more sophisticated solution: a third party, called a certificate authority, is used.
• A trusted middleman verifies that a Web site is a trusted site (provides public keys to trusted partners)
• Secure Sockets Layer (SSL), developed by Netscape, is a popular public-key encryption method
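As an added example (not part of the original slides), the following Python uses only the standard library to illustrate the three ideas on this slide: why shared-secret key management scales poorly, how a public/private key pair separates encryption from decryption (shown with a textbook RSA toy), and how a certificate authority vouches for a site's public key by signing it. The primes (p=61, q=53 for the site; p=101, q=113 for the CA), the exponents, the site name shop.example and the hash-and-sign scheme are all constructed for the example and are far too small to be secure.

```python
"""Added example (not from the slides): the three ideas on this slide, using
only the Python standard library.

1. Symmetric systems need a separate shared secret per pair of parties, which
   is the key-management problem the slide mentions.
2. Public-key technology separates the encryption key from the decryption key;
   shown with a textbook RSA toy built from constructed primes.
3. A certificate authority (CA) signs the binding between a site name and the
   site's public key, so a client that trusts the CA can trust the key.

The primes, exponents, site name and hash-and-sign scheme are all constructed
for teaching. They are far too small to be secure; real systems use vetted
libraries and key sizes.
"""
import hashlib
from typing import Tuple

Key = Tuple[int, int]   # (exponent, modulus)


def symmetric_keys_needed(parties: int) -> int:
    """Every pair of parties needs its own shared secret: n(n-1)/2 keys."""
    return parties * (parties - 1) // 2


def public_keys_needed(parties: int) -> int:
    """Each party publishes one public key and keeps one private key."""
    return parties


def toy_rsa_keypair(p: int = 61, q: int = 53, e: int = 17) -> Tuple[Key, Key]:
    """Return (public_key, private_key). Constructed textbook values by default."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt_int(public_key: Key, m: int) -> int:
    """Anyone with the public key can encrypt an integer message m < n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt_int(private_key: Key, c: int) -> int:
    """Only the holder of the private key can recover m."""
    d, n = private_key
    return pow(c, d, n)


def _statement_digest(site: str, site_key: Key, modulus: int) -> int:
    """Hash the (site, public key) binding and reduce it into the CA's modulus."""
    statement = f"{site}|{site_key[0]}|{site_key[1]}".encode()
    return int.from_bytes(hashlib.sha256(statement).digest(), "big") % modulus


def ca_issue_certificate(ca_private_key: Key, site: str, site_key: Key) -> dict:
    """The trusted middleman signs the binding with its private key."""
    d, n = ca_private_key
    signature = pow(_statement_digest(site, site_key, n), d, n)
    return {"site": site, "public_key": site_key, "signature": signature}


def ca_verify_certificate(ca_public_key: Key, cert: dict) -> bool:
    """A client that trusts the CA's public key checks the signature."""
    e, n = ca_public_key
    expected = _statement_digest(cert["site"], cert["public_key"], n)
    return pow(cert["signature"], e, n) == expected


if __name__ == "__main__":
    print("keys for 10 parties: symmetric", symmetric_keys_needed(10),
          "vs public-key", public_keys_needed(10))                     # 45 vs 10
    site_pub, site_priv = toy_rsa_keypair()
    ciphertext = rsa_encrypt_int(site_pub, 65)
    print("m=65 ->", ciphertext, "->", rsa_decrypt_int(site_priv, ciphertext))  # 2790 -> 65
    ca_pub, ca_priv = toy_rsa_keypair(p=101, q=113, e=3)   # constructed CA key
    cert = ca_issue_certificate(ca_priv, "shop.example", site_pub)
    print("certificate valid:", ca_verify_certificate(ca_pub, cert))          # True
    forged = dict(cert, signature=(cert["signature"] + 1) % ca_pub[1])
    print("altered signature valid:", ca_verify_certificate(ca_pub, forged))  # False
```

The point of the CA functions is the trust relationship, not the arithmetic: the client never has to meet the site in advance, it only needs the CA's public key, and any change to the signed binding (site name, key, or signature) makes verification fail.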
Computer Security
• Internet Security
– Firewall – hardware and software designed to keep
unauthorized users out of network systems
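As an added example (not from the original slides), here is a minimal stateless packet filter in Python that captures what a firewall rulebase does: rules are consulted in order, the first match decides, and traffic that matches nothing is denied. The policy and the addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are constructed for the example.

```python
"""Added example (not from the slides): a minimal stateless packet filter.

It models the essentials of a firewall rulebase: ordered rules, first match
wins, and a default-deny decision when nothing matches. Addresses come from
the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and
the policy itself is constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source network in CIDR notation
    dst_port: Optional[int]      # None matches any port
    proto: str = "tcp"           # "tcp", "udp" or "any"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    proto: str = "tcp"


def evaluate(rules: List[Rule], packet: Packet) -> str:
    """Return the action of the first matching rule; deny if none matches."""
    src = ip_address(packet.src_ip)
    for rule in rules:
        if rule.proto != "any" and rule.proto != packet.proto:
            continue
        if rule.dst_port is not None and rule.dst_port != packet.dst_port:
            continue
        if src not in ip_network(rule.src):
            continue
        return rule.action
    return "deny"   # nothing matched: default deny keeps unauthorized users out


# Constructed perimeter policy: block a known-abusive host first, admit the
# public web service from anywhere, and allow SSH only from the admin network.
PERIMETER_RULES = [
    Rule("deny", "198.51.100.7/32", None, "any"),
    Rule("allow", "0.0.0.0/0", 443),
    Rule("allow", "203.0.113.0/24", 22),
]

# Constructed connection attempts to run through the policy.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", 443),          # public web traffic
    Packet("192.0.2.10", 22),           # SSH from the internet
    Packet("203.0.113.5", 22),          # SSH from the admin network
    Packet("198.51.100.7", 443),        # blocked host, even to the web port
    Packet("203.0.113.5", 53, "udp"),   # DNS query: no rule, default deny
]


def decisions(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Evaluate every packet against the rulebase, preserving order."""
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, decisions(PERIMETER_RULES, SAMPLE_PACKETS)):
        print(f"{pkt.src_ip:>14} {pkt.proto}/{pkt.dst_port:<4} -> {verdict}")
    # Rule order matters: with the rules reversed, the broad web allow is
    # consulted before the block, and the abusive host gets through.
    print("reversed policy admits blocked host:",
          evaluate(list(reversed(PERIMETER_RULES)), Packet("198.51.100.7", 443)))
```

Two habits this makes visible: the final `return "deny"` is the default-deny stance that should end every rulebase, and the reversed-policy call shows why specific blocks must precede broad allows.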
Computer Security
Figure 1-5 – Subject and Object of Attack
Balancing Information Security and Access
• Impossible to obtain perfect security—it is a process, not an absolute
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect against threats
Figure 1-6 – Balancing Security and Access
Approaches to Information Security
Implementation: Bottom-Up Approach
• Grassroots effort: systems administrators
attempt to improve security of their systems
• Key advantage: technical expertise of individual
administrators
• Seldom works, as it lacks a number of critical
features:
– Participant support
– Organizational staying power
Approaches to Information Security
Implementation: Top-Down Approach
• Initiated by upper management
– Issue policy, procedures and processes
– Dictate goals and expected outcomes of project
– Determine accountability for each required
action
• The most successful also involve formal
development strategy referred to as systems
development life cycle
The Systems Development Life Cycle
• Systems development life cycle (SDLC) is methodology
and design for implementation of information security
within an organization
• Methodology is formal approach to problem-solving
based on structured sequence of procedures
• Using a methodology
– ensures a rigorous process
– avoids missing steps
• Goal is creating a comprehensive security
posture/program
• Traditional SDLC consists of six general phases
The Security Systems Development Life Cycle
• The same phases used in the traditional SDLC may be adapted to support specialized implementation of an IS project
• Identification of specific threats and creating controls to counter them
• SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions
Security Professionals and the Organization
• Wide range of professionals required to support a diverse information security program
• Senior management is a key component; also, additional administrative support and technical expertise are required to implement details of the IS program
Senior Management
• Chief Information Officer (CIO)
– Senior technology officer
– Primarily responsible for advising senior
executives on strategic planning
• Chief Information Security Officer (CISO)
– Primarily responsible for assessment,
management, and implementation of IS in the
organization
– Usually reports directly to the CIO
Information Security Project Team
• A number of individuals who are experienced in
one or more facets of technical and non-
technical areas:
– Champion
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
Data Ownership
• Data Owner: responsible for the security and use of a particular set of information
• Data Custodian: responsible for storage, maintenance, and protection of information
• Data Users: end users who work with information to perform their daily jobs supporting the mission of the organization
Information Systems Ethics
• Computer Literacy
– Knowing how to use a computer
• Digital Divide
– The gap between those who have computer access and those who do not
• Computer Ethics
– Standards of conduct as they pertain to the use of
information systems
Information Systems Ethics
• Privacy
– Protecting one’s personal information
• Identity theft
– Stealing of another’s social security number, credit
card number, or other personal information
Information Systems Ethics
• Information accuracy
– Deals with authentication and fidelity of information
• Information property
– Deals with who owns information about individuals
and how information can be sold and exchanged
Information Systems Ethics
• Information accessibility
– Deals with what information a person has the right to
obtain about others and how the information can be used
• Issues in information accessibility
– Carnivore: a software application designed to be connected to Internet Service Providers’ computers and eavesdrop on all communications.
– Electronic Communications Privacy Act (ECPA): offered stronger protection for voice mail than for e-mail. No other laws at the federal or state level protect e-mail privacy.
– Monitoring e-mail
Information Systems Ethics
• The need for a code of ethical conduct
– Business ethics
– Plagiarism
– Cybersquatting: registering a domain name and then trying to sell the name for big bucks to a person or company. Domain names are a scarce resource – one of the few scarce resources in cyberspace
Computer Crime
• Definition: the act of using a computer to
commit an illegal act
– Authorized and unauthorized computer access
– Examples
• Stealing time on company computers
• Breaking into government Web sites
• Stealing credit card information
Crime
• Computers make crimes
– easier to commit
– more devastating
– harder to detect
– doable from long distances
The Extent of Cybercrime
• Not all cybercrime is committed for financial gain
– Criminal mischief
• creating/transmitting malicious forms of programming code
– Nonmalicious hacking, with the justifications commonly offered for it:
• No harm is done
• Service - exposes security weaknesses
• Help create need for tougher security
• Information wants to be free
• Some companies are ripping us off
• Fraud
• Holiday Fraud
• Identity Theft
• Dating Fraud
• Phishing Scams
• Bullying
• Viruses
• Pension Fraud
• Revenge Porn
• Hacking
• Online Hate Crime
• Online Extremism
• Grooming
• Stalking
• Child Sexual Exploitation

…and this is just the tip of the iceberg

High Technology and Criminal
Opportunity
• Routes to illegitimate access to
computerized information
– Direct access
– Computer trespass
• Cybercrime
– any violation of a federal or state
computer-crime statute

High Technology and Criminal
Opportunity
• Types of cybercrime
– Internal cybercrimes
– Internet/telecommunications crimes
– Support of criminal enterprises
– Computer-manipulation crimes
– Hardware, software, and information
theft
• Money today is information
The Extent of Cybercrime
• Phishing
– An Internet-based scam that uses
official-looking e-mail messages to steal
valuable information
– May threaten the viability of
e-commerce
• Software piracy
– The unauthorized and illegal copying of
software programs
• Software piracy rates by region:
– North America – 25%
– Western Europe – 34%
– Asia / Pacific – 51%
– Mid East / Africa – 55%
– Latin America – 58%
– Eastern Europe – 63%
Cybercrime and the Law
• Computer-related crime
– Any illegal act for which knowledge of
computer technology is involved for its
investigation, perpetration, or
prosecution
• Computer abuse
– Any incident associated with computer technology in which a victim suffered or could have suffered a loss and a perpetrator intentionally gained or could have gained
Computer Crime
• Laws
– Stealing or compromising data
– Gaining unauthorized computer access
– Violating data belonging to banks
– Intercepting communications
– Threatening to damage computer systems
– Disseminating viruses
Computer Crime
• Hacking and Cracking
– Hacker – one who gains unauthorized computer
access, but without doing damage
– Cracker – one who breaks into computer systems
for the purpose of doing damage
Hacking
• Hacktivism
– …is the use of hacking expertise to promote a political cause.
• This kind of hacking can range from mild to destructive activities.
• Some consider hacktivism a modern-age form of civil disobedience.
• Others believe hacktivism denies others their freedom of speech and violates property rights.

Q: Argue the case that hacktivism is ethical.

Hacking
• Catching Hackers
– … requires law enforcement to recognize and respond to myriad hacking attacks.
– Computer forensics tools may include:
• Undercover agents,
• Honey pots (sting operations in cyberspace),
• Archives of online message boards,
• Tools for recovering deleted or coded information.
– Computer forensics agencies and services include:
• Computer Emergency Response Team (CERT),
• National Infrastructure Protection Center (NIPC),
• Private companies specializing in recovering deleted files and e-mail, tracking hackers via Web site and telephone logs, etc.

Q: What computer forensics tools or agencies have been in the news lately?
Hacking
• Security can be improved by:
– Ongoing education and training to recognize the risks.
– Better system design.
– Use of security tools and systems.
– Challenging “others” to find flaws in systems.
– Writing and enforcing laws that don’t stymie research and advancement.

Q: Does weak security justify intrusion?


Computer viruses and destructive code
• Computer viruses and destructive code
– Virus – a destructive program that disrupts the normal
functioning of computer systems
– Types:
• Worm: usually does not destroy files; copies itself
• Trojan horses: Activates without being detected;
does not copy itself
• Logic or time bombs: A type of Trojan horse that
stays dormant for a period of time before activating
Fraud, Embezzlement, Sabotage, Identity Theft, and Forgery
• Some Causes of Fraud
– Credit-Card
• Stolen receipts, mailed notices, and cards.
• Interception of online transaction or weak e-commerce security.
• Careless handling by card-owner.
– ATM
• Stolen account numbers and PINs.
• Insider knowledge.
• A counterfeit ATM.
– Telecommunications
• Stolen long-distance PINs.
• Cloned phones.

Q: What is the legal definition of fraud? Embezzlement? Sabotage? Theft?


Fraud, Embezzlement, Sabotage, Identity Theft, and Forgery
• Embezzlement and Sabotage
– Some Causes
• Insider information.
• Poor security.
• Complex financial transactions.
• Anonymity of computer users.
– Some Defenses
• Rotate employee responsibility.
• Require use of employee ID and password.
• Implement audit trails.
• Careful screening and background checks of
employees.
Computer Crime
• Other Types of computer crime
– Data diddling: modifying data
– Salami slicing: skimming small amounts of money
– Phreaking: making free long distance calls
– Cloning: cellular phone fraud using scanners
– Carding: stealing credit card numbers online
– Piggybacking: stealing credit card numbers by spying
– Social engineering: tricking employees to gain access
– Dumpster diving: finding private info in garbage cans
– Spoofing: stealing passwords through a false login page
Computer Crime
• Who commits computer crime?
Defending Against Dishonest Employees
• Rotate responsibilities of employees with access
to sensitive systems
• Unique ID and password
• Limit access to system
• Audit trails
• Screening and background checks of employees
• Good security policies, whatever that is
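Two of the defenses listed here (and on the embezzlement slide above), audit trails and rotated responsibilities, can be made checkable. As an added example that is not part of the original slides, the Python below keeps a hash-chained, append-only audit trail so that a later edit or deletion of any record is detected, and runs a separation-of-duties check over it that flags transactions where one user both initiated and approved the action. The event records, user names and transaction ids are constructed for the example.

```python
"""Added example (not from the slides): two of the listed defenses in code.

* An append-only audit trail in which every entry commits to the hash of the
  previous one, so a later edit or deletion of a record is detectable.
* A separation-of-duties check that flags transactions where the same user
  both initiated and approved the action (the slides' "rotate employee
  responsibility" made checkable after the fact).

All event data below is constructed for the example.
"""
import hashlib
import json
from typing import Dict, List, Set, Tuple

GENESIS_HASH = "0" * 64

# Constructed sample events (user, action, transaction id, amount).
SAMPLE_EVENTS = [
    {"user": "alice", "action": "initiated", "txn": "T-1001", "amount": 1200},
    {"user": "bob",   "action": "approved",  "txn": "T-1001", "amount": 1200},
    {"user": "carol", "action": "initiated", "txn": "T-1002", "amount": 4800},
    {"user": "carol", "action": "approved",  "txn": "T-1002", "amount": 4800},
    {"user": "dave",  "action": "initiated", "txn": "T-1003", "amount": 300},
    {"user": "erin",  "action": "approved",  "txn": "T-1003", "amount": 300},
    {"user": "frank", "action": "paid",      "txn": "T-1003", "amount": 300},
]


def _entry_hash(prev_hash: str, record: dict) -> str:
    """Hash the previous entry's hash together with a canonical JSON record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(trail: List[dict], record: dict) -> dict:
    """Append a record, chaining it to the current last entry."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS_HASH
    entry = {"record": record, "prev": prev_hash,
             "hash": _entry_hash(prev_hash, record)}
    trail.append(entry)
    return entry


def verify_trail(trail: List[dict]) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of first break)."""
    prev_hash = GENESIS_HASH
    for index, entry in enumerate(trail):
        if entry["prev"] != prev_hash:
            return False, index                      # entry removed or reordered
        if entry["hash"] != _entry_hash(prev_hash, entry["record"]):
            return False, index                      # record edited in place
        prev_hash = entry["hash"]
    return True, -1


def find_sod_violations(trail: List[dict]) -> List[str]:
    """Transaction ids where one user both initiated and approved."""
    actors: Dict[str, Dict[str, Set[str]]] = {}
    for entry in trail:
        rec = entry["record"]
        actors.setdefault(rec["txn"], {}).setdefault(rec["action"], set()).add(rec["user"])
    return sorted(txn for txn, by_action in actors.items()
                  if by_action.get("initiated", set()) & by_action.get("approved", set()))


def build_sample_trail() -> List[dict]:
    """Build a fresh trail from the constructed events (copies, so they stay pristine)."""
    trail: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(trail, dict(event))
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail))                  # (True, -1)
    print("SoD violations:", find_sod_violations(trail))   # ['T-1002']
    trail[1]["record"]["amount"] = 12      # insider edits an approved amount after the fact
    print("after edit:", verify_trail(trail))              # (False, 1)
```

In practice the chain head (the last hash) is copied somewhere the people being audited cannot write, such as a separate log server or a periodic printout, because an insider who controls the whole file can recompute the chain; the separation-of-duties query is the kind of routine review that turns an audit trail from a record into a control.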
Communities Of Interest
• Group of individuals united by similar interests/values in an organization
– Information Security Management and Professionals
– Information Technology Management and Professionals
– Organizational Management and Professionals
Key Terms
• Access
• Asset
• Attack
• Control, Safeguard or Countermeasure
• Exploit
• Exposure
• Hacking
• Object
• Risk
• Security Blueprint
• Security Model
• Security Posture or Security Profile
• Subject
• Threats
• Threat Agent
• Vulnerability
Summary
• Information security is a “well-informed sense of
assurance that the information risks and controls are
in balance.”
• Successful organizations have multiple layers of
security in place: physical, personal, operations,
communications, network, and information. Security
should be considered a balance between protection
and availability
• Information security must be managed similar to any
major system implemented in an organization using
a methodology like SecSDLC