7. Security, Ethical, Privacy and Other Challenges
7.1 Ethical Issues in Data Handling
Moral, Legal vs. Ethical
Morals: Personal beliefs about right and wrong behavior. Moral acts conform to what an individual believes to be the right thing to do.
Law: A system of rules that defines what we can do and cannot do. Laws are enforced by a set of institutions (the police, courts, law-making bodies). Legal acts are acts that conform to the law.
Ethics: Standards or codes of behavior expected of an individual by a group to which an individual belongs. Ethical behavior conforms to generally accepted social norms—many of which are almost universally accepted.
Legal vs. Ethical
• Laws do not provide a complete guide to ethical behavior. Just because an activity is defined as legal does not mean that it is ethical.
Code of Ethics
Code of Ethics: A code of ethics states the principles and core values that are essential to a group's work and, therefore, govern its members' behavior. The code can become a reference point for weighing what is legal and what is ethical.
Business Ethics
• Business ethics is concerned with the numerous ethical questions that managers must confront as part of their daily business decision making.
Notice: The issues of intellectual property rights, customer and employee privacy, security of company records, and workplace safety are highlighted because they have been major areas of ethical controversy in information technology.
Ethical Use of Technology
• An important ethical dimension deals specifically with the ethics of the use of any form of technology.
• An example of technology ethics involves some of the health risks of using computer workstations for extended periods in high-volume data entry job positions.
• Many organizations display ethical behavior by scheduling work breaks and limiting the time that data entry workers stare at a computer monitor to minimize their risk of developing a variety of work-related health disorders, such as eyesight problems or back pain.
Four Principles of Technology Ethics
• These principles can serve as basic ethical requirements that companies should meet to help ensure the ethical implementation of information technologies and information systems in business.
Ethical Guidelines
• Business and IS professionals can live up to their ethical responsibilities by following ethical guidelines that outline the considerations inherent in the major responsibilities of an IS professional.
• For example, you can be a responsible professional by:
(1) acting with integrity
(2) increasing your professional competence
(3) setting high standards of personal performance
(4) accepting responsibility for your work
(5) advancing the health, privacy, and general welfare of the public
An example of a code of professional conduct:
• The code of professional conduct of the Association of Information Technology Professionals (AITP) outlines the ethical considerations inherent in the major responsibilities of an IS professional.
7.2 Privacy Issues
Information technology makes it technically and economically feasible to collect, store, integrate, interchange, and retrieve data and information. However, it can have a negative effect on the right to privacy of every individual.
• Violation of privacy - Accessing private e-mail and computer records, and collecting and sharing information about individuals gained from their visits to Internet Web sites and newsgroups
• Computer monitoring - Always knowing where a person is, especially as mobile and paging services become more closely associated with people rather than places.
• Computer matching - Using customer information gained from many sources to market additional business services
• Unauthorized personal filing/ Identity Theft - Collecting telephone numbers, e-mail addresses, credit card numbers, and other personal information to build individual customer profiles
Privacy and Fairness in Information Use
The opposite of privacy is:
• freedom of information
• freedom of speech
• freedom of the press
Privacy Laws
• The U.S. Electronic Communications Privacy Act and the Computer Fraud and Abuse Act prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems.
• The Children’s Online Privacy Protection Act (COPPA) requires websites that collect information about children under the age of 13 to post a privacy policy and adhere to certain information-sharing restrictions.
• The U.S. Health Insurance Portability and Accountability Act (HIPAA) is intended to create safeguards against the unauthorized use, disclosure, or distribution of an individual’s health-related information without their specific consent or authorization.
Individual Efforts to Protect Privacy
• Find out what is stored about you in existing databases.
• Be careful when you share information about yourself.
• Be proactive in protecting your privacy.
• Take extra care when purchasing anything from a Web site.
7.3.1 Security Threats and Attacks
Why Computer Incidents Are So Prevalent:
• Increasing complexity increases vulnerability
• Higher computer user expectations
• Expanding and changing systems introduce new risks
• Increased prevalence of bring your own device (BYOD) policies
• Growing reliance on commercial software with known vulnerabilities
• Increasing sophistication of those who would do harm
Computer Crime
• Computer crime is defined by the Association of Information Technology Professionals (AITP) as including:
(1) The unauthorized use, access, modification, and destruction of hardware, software, data, or network resources
(2) The unauthorized release of information
(3) The unauthorized copying of software
(4) Denying an end user access to his or her own hardware, software, data, or network resources
(5) Using or conspiring to use computer or network resources to obtain information or tangible property illegally
This definition was promoted by the AITP in a Model Computer Crime Act and is reflected in many computer crime laws.
Perpetrators of Computer Crime
Common Hacking Tactics & Security Exploits
• Denial of Service
• Vulnerability Scan
• Packet Sniffer
• Spoofing (Phishing)
• Trojan Horse
• Back Doors
• Malicious Applets
• War Dialing
• Logic Bombs
• Buffer Overflow
• Password Crackers
• Social Engineering
• Dumpster Diving
Types of Exploits
• Ransomware: Malware that stops you from using your computer or accessing your data until you meet certain demands such as paying a ransom or sending photos to the attacker.
• Virus: A piece of programming code, usually disguised as something else, that causes a computer to behave in an unexpected and usually undesirable manner.
• Worm: A harmful program that resides in the active memory of the computer and duplicates itself.
• Trojan Horse: A seemingly harmless program in which malicious code is hidden.
• Logic Bomb: A form of Trojan horse malware that executes when it is triggered by a specific event.
• Rootkit: A set of programs that enables its user to gain administrator level access to a computer without the end user’s consent or knowledge.
• Advanced Persistent Threat (APT): A network attack in which an intruder gains access to a network and stays there—undetected—with the intention of stealing data over a long period of time.
• Phishing: The act of fraudulently using email to try to get the recipient to reveal personal data.
• Identity Theft: The theft of personal information, which is then used without the owner’s permission, often to commit fraud or other crimes.
• Data Breach: The unintended release of sensitive data or the access of sensitive data by unauthorized individuals.
Federal Laws for Prosecuting Computer Attacks
7.3.2 Information System Security Planning and Management
• The goal of security management is the accuracy, integrity, and safety of all information system processes and resources.
• Effective security management can minimize errors, fraud, and losses in the information systems.
Implementing Secure, & Reliable Computing
A strong security system begins by assessing threats to the organization's computers and networks, identifying actions that address the most serious vulnerabilities, and educating end users about the risks involved and the actions they must take to prevent a security incident. If an intrusion occurs, there must be a clear reaction plan that covers the incident through to recovery.
• Risk Assessment
• Detection, Response & Prevention
• Establish Security Policy
• Educating Employees and Contract Workers
Risk Assessment
• The process of assessing security-related risks to an organization’s computers and networks from both internal and external threats.
• Step 1: Identify the set of IS assets about which the organization is most concerned. Priority is typically given to those assets that support the organization’s mission and the meeting of its primary business goals.
• Step 2: Identify the loss events or the risks or threats that could occur, such as a distributed denial-of-service attack or insider fraud.
• Step 3: Assess the frequency of events or the likelihood of each potential threat; some threats, such as insider fraud, are more likely to occur than others.
• Step 4: Determine the impact of each threat occurring. Would the threat have a minor impact on the organization, or could it keep the organization from carrying out its mission for a lengthy period of time?
• Step 5: Determine how each threat can be mitigated so that it becomes much less likely to occur or, if it does occur, has less of an impact on the organization.
• Step 6: Assess the feasibility of implementing the mitigation options.
• Step 7: Perform a cost-benefit analysis to ensure that your efforts will be cost effective.
• Step 8: Make the decision on whether or not to implement a particular countermeasure. If you decide against implementing a particular countermeasure, you need to reassess if the threat is truly serious and, if so, identify a less costly countermeasure.
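The eight steps above carried through as a quantitative worksheet, added here as an illustration and not part of the original notes. It assumes risk is scored as annualized loss expectancy (frequency × impact), a common convention the notes do not prescribe; every asset, figure and countermeasure name below is constructed.

```python
from dataclasses import dataclass

@dataclass
class Threat:                       # Steps 1-4
    asset: str                      # Step 1: asset the organization cares about
    event: str                      # Step 2: loss event
    annual_frequency: float         # Step 3: expected occurrences per year
    impact: float                   # Step 4: estimated loss per occurrence
    @property
    def ale(self) -> float:         # assumed scoring: annualized loss expectancy
        return self.annual_frequency * self.impact

@dataclass
class Countermeasure:               # Steps 5-6
    name: str
    event: str                      # loss event it mitigates
    annual_cost: float
    frequency_factor: float = 1.0   # multiplier on frequency once deployed
    impact_factor: float = 1.0      # multiplier on impact once deployed
    feasible: bool = True           # Step 6: outcome of the feasibility check

def assess(threats, countermeasures):
    """Rank threats by ALE and pick the feasible option with the best net benefit."""
    rows = []
    for t in sorted(threats, key=lambda t: t.ale, reverse=True):
        best = None
        for c in countermeasures:
            if c.event != t.event or not c.feasible:
                continue
            residual = t.ale * c.frequency_factor * c.impact_factor
            net = (t.ale - residual) - c.annual_cost          # Step 7: cost-benefit
            if net > 0 and (best is None or net > best[1]):
                best = (c.name, net)
        rows.append({"event": t.event, "ale": t.ale,          # Step 8: decision
                     "implement": best[0] if best else None,
                     "net_benefit": best[1] if best else 0.0})
    return rows
# Constructed sample data (not from the notes)
THREATS = [
    Threat("Order-processing site", "DDoS attack", 0.5, 200_000),
    Threat("Accounts-payable system", "Insider fraud", 2.0, 80_000),
    Threat("Marketing web server", "Defacement", 1.0, 5_000),
]
COUNTERMEASURES = [
    Countermeasure("DDoS scrubbing service", "DDoS attack", 60_000, impact_factor=0.25),
    Countermeasure("On-site appliance", "DDoS attack", 40_000, impact_factor=0.25, feasible=False),
    Countermeasure("Separation of duties", "Insider fraud", 30_000, frequency_factor=0.25),
    Countermeasure("Managed WAF", "Defacement", 12_000, frequency_factor=0.25),
]
```

A row whose `implement` value is `None` is the Step 8 case where the countermeasure is rejected and the threat has to be reassessed or matched with a cheaper control.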
Detection
Intrusion Detection System (IDS):
Software and/or hardware that monitors system and network resources and activities and notifies network security personnel when it detects network traffic that attempts to circumvent the security measures of a networked computer environment.
Response
• Incident Notification
• Protection of Evidence and Activity Logs
• Incident Containment
• Eradication
• Incident Follow-Up
Prevention
• Implementing a Corporate Firewall
• Utilizing a Security Dashboard
• Installing Antivirus Software on Personal Computers
• Implementing Safeguards against Attacks by Malicious Insiders
• Addressing the Most Critical Internet Security Threats
• Conducting Periodic IT Security Audits
Establish a Security Policy
Security policy: A statement that defines an organization’s security requirements, as well as the controls and sanctions needed to meet those requirements.
• Security policy delineates responsibilities and the behavior expected from employees of the organization.
Tools of Security Management
Inter-networked Security Defenses
Encryption
• Encryption of data has become an important way to protect data and other computer network resources, especially on the Internet, intranets, and extranets.
• Encryption involves using special mathematical algorithms, or keys, to transform digital data into an encoding before they are transmitted, and then to decode the data when they are received.
Inter-networked Security Defenses
Firewall
• A firewall serves as a gatekeeper system that protects a company’s intranets and other computer networks from intrusion by providing a filter and safe transfer point for access to and from the Internet and other networks.
Other Security Measures
• Anti-virus Software
• Security Codes
• Backup Files
• Security Monitors
• Biometric Security
• Computer Failure Controls
• Fault-Tolerant Systems
• Disaster Recovery
7.4 Ergonomics
• Ergonomics (human factors engineering) is a solution to some health problems. It is the science of designing machines, products, and systems to maximize the safety, comfort, and efficiency of the people who use them. The goal of ergonomics is to design a healthy working environment, thus increasing employee morale and productivity.
Health Concerns
Avoiding Health and Environmental Problems
Example: Proper seating at a correctly positioned keyboard:
• Your elbows are near your body in an open angle to allow circulation to the lower arms and hands.
• Your arms are nearly perpendicular to the floor.
• Your wrists are nearly straight.
• The height of the surface holding your keyboard and mouse is 1 or 2 inches above your thighs.
• The keyboard is centered in front of your body.
• The monitor is about one arm’s length (20 to 26 inches) away.
• The top of your monitor is at eye level.
• Your chair has a backrest that supports the curve of your lower (lumbar) back.
Ergonomics Factors