Chapter 13 Security and Ethical Challenges
McGraw-Hill/Irwin Copyright © 2011 by The McGraw-Hill Companies, Inc. All rights reserved.

Learning Objectives
• Identify several ethical issues regarding how the use of information technologies in business affects employment, individuality, working conditions, privacy, crime, health, and solutions to societal problems.
• Identify several types of security management strategies and defenses and explain how they can be used to ensure the security of business applications of information technology.

Learning Objectives (continued)
• Propose several ways that business managers and professionals can help lessen the harmful effects and increase the beneficial effects of the use of information technology.

RWC 1: Ethics, IT and Compliance
• IT Challenges
  – Technical functionality
  – Business requirements
  – Ethical standards
  – Correct behaviors
• Two views of corporate ethics
  – A set of legal and minimum standards
  – A set of values integral to doing business
• Most companies have ethics and compliance programs
• Few can truly execute an ethical agenda

IT Security, Ethics, and Society

Categories of Ethical Business Issues

Corporate Social Responsibility Theories
• Stockholder Theory
  – Managers are agents of the stockholders
  – Only responsible for increasing profits without violating the law or committing fraud
• Social Contract Theory
  – Responsible to all of society
• Stakeholder Theory
  – Responsible to anyone affected by the company

Principles of Technology Ethics
• Proportionality
  – The good must outweigh the harm or risk
• Informed Consent
  – Those affected should understand and accept the risks
• Justice
  – Benefits and burdens distributed fairly
• Minimized Risk
  – Avoid all unnecessary risk

AITP Standards of Professional Conduct

Security from Cyber Crime

Hacking
• Obsessive use of computers
• Unauthorized access and use of networked computer systems
• Electronic Breaking and Entering
  – Accessing without stealing or damaging
• Cracker (black hat or darkside hacker)
  – Maintains knowledge of vulnerabilities for private advantage
• Common Hacking Tactics – Figure 13.7

Cyber Theft
• Most involve theft of money
• "Inside jobs"
• Unauthorized activity
• Attacks through the Internet
• Most companies don't report

Cyberterrorism
• Use of IT to attack electronic infrastructure, exchange information, or make threats
• Terror related
  – More political motivation than criminal
• Examples
  – Attempt to disrupt life support at an Antarctic research station
  – Release of untreated sewage in Australia
  – Shutdown of government networks and banks in Estonia
  – Non-deliberate shutdown of systems at a nuclear reactor

Unauthorized Use at Work
• Time and resource theft
  – Doing private consulting
  – Doing personal finances
  – Playing video games
  – Unauthorized use of the Internet or networks
  – Recreational surfing
  – Racist or offensive e-mail
  – Pornographic sites
• Sniffers
  – Monitor network traffic or capacity
  – Find evidence of improper use

Internet Abuses in the Workplace
• General email abuses
• Unauthorized usage and access
• Copyright infringement/plagiarism
• Newsgroup postings
• Transmission of confidential data
• Pornography
• Hacking
• Non-work-related download/upload
• Leisure use of the Internet
• Use of external ISPs
• Moonlighting

Software Piracy
• Unauthorized copying of computer programs
• Licensing
  – Purchase – payment for fair use
  – Site license – allows a certain number of copies
  – Shareware – allows copies
  – Public Domain – not copyrighted
• Software industry losses
  – ⅓ to ½ of revenues
  – Millions of copies in the educational market
  – 90% pirated software in China
    • Sales negligible

Theft of Intellectual Property
• Intellectual Property
  – Copyrighted material
  – Music, videos, images, articles, books, software
• Copyright Infringement is Illegal
  – Easy to trade pirated intellectual property
• Publishers Offer Inexpensive Online Music
  – Illegal downloading is declining

Viruses and Worms
• Viruses must be inserted into another program
• Worms can run unaided
• Spread annoying or destructive routines
• Commonly transmitted through
  – Internet and online services
  – Email and file attachments
  – Disks from contaminated computers
  – Shareware
• Top 5 Virus Families of all time – Figure 13.9
• Cost of Top 5 Virus Families – Figure 13.9

Adware and Spyware
• Adware
  – Useful software that allows ads without consent
• Spyware
  – Type of Adware
  – Can steal private information
  – Add advertising links to Web pages
  – Redirect affiliate payments
  – Change a user's home page and search settings
  – Make the modem call premium-rate numbers
  – Leave security holes that let Trojans in
  – Degrade system performance
• Removal often not completely successful

Privacy Issues
• IT capability can have a negative effect on privacy
  – Personal information is collected
  – Confidential information stolen or misused
• Opt-In
  – Explicitly consent to allow data to be compiled
  – Default in Europe
• Opt-Out
  – Must request that data not be collected
  – Default in the U.S.

Privacy Issues (continued)
• Violation of Privacy
  – Accessing conversations and records
  – Collecting and sharing visits to websites
• Computer Monitoring
  – Mobile and paging services can track people
• Computer Matching
  – Market additional business services
• Unauthorized Access of Personal Files
  – Build profiles of contact and credit information

Protecting Your Privacy on the Internet
• Encrypt email
• Send anonymous postings
• Ask your ISP not to sell your information
• Don't reveal personal data and interests

Privacy Laws
• Electronic Communications Privacy Act and Computer Fraud and Abuse Act
  – Prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems
• U.S. Computer Matching and Privacy Act
  – Regulates the matching of data held in federal agency files to verify eligibility for federal programs

Privacy Laws (continued)
• Sarbanes-Oxley
  – Positive – strengthens accounting controls
  – Negative – overly complex and regulatory
• Health Insurance Portability and Accountability Act (HIPAA)
  – Safeguards for health-related information
• Gramm-Leach-Bliley
• USA Patriot Act
• California Security Breach Law
• Securities and Exchange Commission Rule 17a-4

Computer Libel and Censorship
• The opposite side of the privacy debate…
  – Freedom of information, speech, and press
• Biggest battlegrounds
  – Bulletin boards
  – Email boxes
  – Online files of Internet and public networks
• Weapons used in this battle
  – Spamming
  – Flame mail
  – Libel laws
  – Censorship

Cyberlaw
• Regulates activities in electronic communications
  – Wide variety of legal and political issues
  – Intellectual property, privacy, freedom of expression, and jurisdiction
• Body of law emerged in 1996
• Controversy
  – Some feel the Internet should not be regulated
• Encryption and cryptography make regulation difficult
  – Websites work around censorship
  – Applicability of legal principles
• Better laws to come

Other Challenges
• Employment
  – Job opportunities changing
• Computer Monitoring
  – Effective but controversial
• Working Conditions
  – Eliminated monotonous or obnoxious tasks
  – Eliminated some skilled jobs
• Individuality
  – Dehumanizes and depersonalizes

Health Issues
• Cumulative Trauma Disorders (CTDs)
  – Disorders caused by fast-paced repetitive keystroke jobs
• Carpal Tunnel Syndrome
  – Painful, crippling ailment of the hand and wrist
  – Typically requires surgery to cure
• Ergonomics
  – Designing healthy work environments

Ergonomics Factors

Societal Solutions
• Use IT to solve human and social problems
  – Medical diagnosis
  – Computer-assisted instruction (CAI)
  – Computer-based training (CBT)
  – Governmental program planning
  – Environmental quality control
  – Law enforcement
  – Job placement
• Detrimental effects
  – Actions without ethical responsibility

Security Management of IT
• Security is the number 1 problem with the Internet
  – The Internet was developed for inter-operability, not impenetrability
  – Users are responsible for security, quality, and performance
  – Resources must be protected
• Goal of security management
  – Accuracy, integrity, and safety of all information system processes and resources

RWC 2: End-Point Security
• Security is a complex, moving target
• Delicate balance between access and security
• Two approaches
  – Secure devices
  – Secure data wherever it lives
• Encryption
• HIPAA regulations
• Classify data, set policies
• Smartphones: ongoing challenges
  – Balance personal and business use
• BlackBerries have management infrastructure
• Phones not secured yet

Public/Private Key Encryption

Internet and Intranet Firewalls

Denial of Service Attacks
• Depend on three layers of networked computer systems
  – The victim's website
  – The victim's Internet service provider
  – Zombie or slave computers commandeered by cybercriminals
• Defense
  – At Zombie Machines
    • Set and enforce security policies
    • Scan for vulnerabilities
  – At the ISP
    • Monitor and block traffic spikes
  – At the Victim's Website
    • Create backup servers and network connections

Internetworked Security Defenses
• Email Monitoring
• Virus Defenses
• Security Codes
• Backup Files
• Security Monitors
• Biometrics
• Computer Failure Controls
• Disaster recovery plan

Information System Controls
• Methods and devices to ensure accuracy, validity, and propriety
• IT Security Audits
  – Performed by internal or external auditors
  – Review and evaluation of security measures and management policies
  – Goal: Ensure proper and adequate measures and policies are in place

Protecting Yourself from Cybercrime

RWC 3: Challenges of Working in IT
• IT presents ethical challenges and dilemmas.
• To hold workers accountable
  – Must set ethical policies and guidelines
  – Make sure that employees know and understand them

RWC 4: Worry About What Goes Out
• Leakage of sensitive customer data or proprietary information is a new priority
• Focus on keeping sensitive information in
• Deploy outbound content management tools
  – E-mail messages
  – Alternative communication mechanisms
  – Including instant messaging
  – Blogs
  – FTP transfers
  – Web mail
  – Message boards
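As an added example that is not part of the slides or the textbook, here is the core of an outbound content management check in the spirit of the RWC 4 slide: one policy applied to messages from several channels (e-mail, instant messaging, FTP, web mail), holding a message only when it carries a confidentiality marker or a Luhn-valid card number. The message sample, the marker list and the function names are assumptions made for this example.

```python
import re

# Constructed sample of outbound messages from several channels (not real data).
OUTBOUND = [
    {"channel": "email", "to": "partner@example.com",
     "body": "Q3 numbers attached. CONFIDENTIAL - internal only."},
    {"channel": "im", "to": "colleague", "body": "lunch at 12?"},
    {"channel": "ftp", "to": "ftp.example.net",
     "body": "cust_export: 4111 1111 1111 1111, 5555-5555-5555-4444"},
    {"channel": "webmail", "to": "me@example.org",
     "body": "order ref 1234567812345678"},
]

# Assumed policy: these markers mean the content was classified as internal.
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "DO NOT DISTRIBUTE")
# 13-19 digits, optionally separated by spaces or dashes (the shape of a card number).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_message(msg: dict) -> list:
    """Return policy findings for one message; an empty list means it may go out."""
    text = msg["body"]
    findings = [f"marker:{m}" for m in CONFIDENTIAL_MARKERS if m in text.upper()]
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # Record only the last four digits so the finding itself does not leak the number.
            findings.append(f"card:****{digits[-4:]}")
    return findings


def scan_outbound(messages: list) -> list:
    """Apply the same policy to every channel; returns (channel, to, findings) to hold."""
    held = []
    for msg in messages:
        findings = scan_message(msg)
        if findings:
            held.append((msg["channel"], msg["to"], findings))
    return held


HELD = scan_outbound(OUTBOUND)  # the e-mail and the FTP transfer are held for review
```

The fourth message shows why the checksum matters: a 16-digit order reference fails Luhn and is let through, while the two test card numbers in the FTP transfer are caught.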