Ethics, Privacy and Information Security - PowerPoint PPT Presentation

Slides: 45
Provided by: cbe8

Transcript and Presenter's Notes

1
CHAPTER 3
  • Ethics, Privacy and Information Security

2
CHAPTER OUTLINE
  • 3.1 Ethical Issues
  • 3.2 Threats to Information Security
  • 3.3 Protecting Information Resources

3
Ethical Issues
  • Ethics
  • Code of Ethics

4
Fundamental Tenets of Ethics
  • Responsibility
  • Accept consequences of actions
  • Accountability
  • Who is responsible for actions
  • Liability
  • Right to recover damages

5
The Four Categories of Ethical Issues
  • Privacy Issues
  • Accuracy Issues
  • Property Issues
  • Accessibility Issues
  • See Table 3.1

6
Privacy Issues
How much privacy do we have left?
7
Privacy
  • Privacy: the right to be left alone and to be
    free of unreasonable personal intrusions.
  • Court decisions have followed two rules:
  • (1) The right of privacy is not absolute.
    Your privacy must be balanced against the needs
    of society.
  • (2) The public's right to know is superior
    to the individual's right of privacy.

8
Threats to Privacy
  • Data aggregators, digital dossiers, and profiling
  • Electronic Surveillance
  • Personal Information in Databases
  • Information on Internet Bulletin Boards,
    Newsgroups, and Social Networking Sites

9
Electronic Surveillance
  • See "The State of Surveillance" article in
    BusinessWeek
  • See the surveillance slideshow
  • See additional surveillance slides
  • And you think you have privacy? (video)

10
Personal Information in Databases
  • Banks
  • Utility companies
  • Government agencies
  • Credit reporting agencies

11
Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites
12
Social Networking Sites Can Cause You Problems
  • Anyone can post derogatory information about you
    anonymously.
  • (See this Washington Post article.)
  • You can also hurt yourself: as this article
    shows, 35% of employers do Google searches and
    23% search on social networks.

13
What Can You Do?
  • First, be careful what information you post on
    social networking sites.
  • Second, a company, ReputationDefender, says it
    can remove derogatory information from the Web.

14
Protecting Privacy
  • Privacy Codes and Policies
  • Opt-out model: collect info until you request
    otherwise
  • Opt-in model: collect info only after you
    authorize it

15
3.2 Threats to Information Security
16
Factors Increasing the Threats to Information Security
  • Today's interconnected, interdependent,
    wirelessly networked business environment
  • Government legislation (HIPAA)
  • Smaller, faster, cheaper computers and storage
    devices
  • Decreasing skills necessary to be a computer
    hacker

17
Factors Increasing the Threats to Information Security (continued)
  • International organized crime turning to
    cybercrime
  • Downstream liability
  • Increased employee use of unmanaged devices and
    Wi-Fi networks
  • Lack of management support

18
Key Information Security Terms
  • Threat: a danger to which a system is exposed
  • Exposure: the harm, loss, or damage that results if a
    threat materializes
  • Vulnerability: the possibility that the system will
    suffer harm from a threat
  • Risk: the likelihood that a threat will occur
  • Information system controls: preventive measures

19
Security Threats (Figure 3.1)
20
Human Errors
  • Tailgating
  • Shoulder surfing
  • Carelessness with laptops and portable computing
    devices
  • Opening questionable e-mails
  • Careless Internet surfing
  • Poor password selection and use
  • And more

21
Anti-Tailgating Door
22
Shoulder Surfing
23
Most Dangerous Employees
  • Human resources and MIS

Remember, these employees hold ALL the information.
24
Social Engineering
  • 60 Minutes interview with Kevin Mitnick, the
    "King of Social Engineering"
  • Kevin Mitnick served several years in a federal
    prison. Upon his release, he opened his own
    consulting firm, advising companies on how to
    deter people like him.
  • See his company here

25
Deliberate Acts (continued)
  • Software attacks (see Table 3.4, p. 77)
  • Virus
  • Worm
  • 1988 first widespread worm, created by Robert T.
    Morris, Jr.
  • (see the rapid spread of the Slammer worm)

26
Deliberate Acts (continued)
  • Software attacks (continued)
  • Phishing attacks
  • Phishing example
  • Distributed denial-of-service attacks
  • See botnet demonstration

27
Deliberate Acts (continued)
  • Software attacks (continued)
  • Can you be Phished?

28
Deliberate Acts (continued)
  • Alien Software
  • Spyware (see video)
  • Spamware
  • Cookies
  • Cookie demo

29
Deliberate Acts (continued)
  • Supervisory control and data acquisition (SCADA)
    attacks

Wireless sensor
30
A Successful (Experimental) SCADA Attack
  • Video of an experimental SCADA attack that was
    successful

31
3.3 Protecting Information Resources
32
Risk!
There is always risk!
33
And then there is real risk!
34
Risk Mitigation Strategies
  • Risk acceptance: pay no attention
  • Risk limitation: minimize impact
  • Risk transference: buy insurance

35
Risk Optimization
36
Controls
  • Physical controls
  • Access controls
  • Communications (network) controls
  • Application controls

37
Where Defense Mechanisms (Controls) Are Located
38
Access Controls
  • Authentication
  • Something the user is (biometrics)
  • The Raytheon Personal Identification Device
  • Something the user has
  • Something the user does
  • Something the user knows
  • passwords
  • passphrases

39
Basic Home Firewall (top) and Corporate Firewall (bottom)
40
How Digital Certificates Work
41
Virtual Private Network and Tunneling
42
Business Continuity Planning, Backup, and Recovery
  • Hot Site
  • Warm Site
  • Cold Site

43
Information Systems Auditing
  • Types of Auditors and Audits
  • Internal
  • External

44
IS Auditing Procedure
  • Auditing around the computer
  • Auditing through the computer
  • Auditing with the computer