BUS 311: Fall 2003

Chapter 9
Security, Privacy, and Ethical Issues in Information Systems and the Internet
Social Issues in Information Systems
- Computer Waste & Mistakes
- Computer Crime
- Privacy
- Health Concerns
- Ethical Issues
- Patent and copyright violations
Computer Waste
- Discarding technology that still has value
- Unused systems
- Personal use of corporate time and technology
- Spam
- Time spent configuring / “optimizing” computers
Preventing Computer Waste and Mistakes
- Policies and procedures should be
  - Established
  - Implemented
  - Monitored
  - Reviewed
Types of Computer-Related Mistakes
- Data entry or capture errors
- Errors in computer programs
- Errors in file handling – copying old file over new one, deleting a file by mistake
- Mishandling of computer output
- Inadequate planning for and control of equipment malfunction
- Inadequate planning for and control of environmental difficulties (electrical, humidity, etc.)
- Installing inadequate computer capacity
Useful Policies to Eliminate Waste and Mistakes
- Tightly control changes to corporate web site – ensure information is timely
- Have user manuals available
- Every report should clearly specify its general content and time period covered
- Implement proper procedures to ensure correct input data (to avoid “garbage in, garbage out”)
Number of Incidents Reported to CERT
Computer Crime and Security Survey
Source: http://www.gocsi.com/press/20020407.jhtml?_requestid=449980
(1996: 16%)
Fastest Growing Crime in the US?
- Identity theft
  - Use someone else’s identity to obtain credit, conduct crimes etc.
  - Necessary info: SSN, Name, (Date of Birth)
  - How often do you get a credit card application with your name on it?
- Largest identity theft case in US history
  http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,76252,00.html
- Identity theft survival guide
  http://money.cnn.com/2002/11/26/pf/saving/q_identity/
Recent Cybercrime Headlines
- 11/6/03: FTC Blocks Pop-Up Spammers
- 11/5/03: Microsoft Puts a Price on Hackers' Heads
- 11/3/03: E-Mail Under Attack Again as Mimail Virus Spreads
- 10/24/03: Microsoft Patches Its Patches
Source: Daily cybercrime report (http://www.newsfactor.com/perl/section/cybercrime/)
The Computer as a Tool to Commit Crime
- Social engineering
  - Posing as someone else to gain trust of user to give out password
- Dumpster diving
  - Search garbage for clues on how to gain access to a system
- Shoulder surfing
  - Stand next to someone in a public place to get vital information
- Install keyboard logger
  - Record every keystroke and send back to criminal
- Cyberterrorism
  - E.g. Distributed Denial-of-Service (DDoS) attack
Computers as Objects of Crime
- Illegal access and use
  - Hackers: ‘hacking’ away at programming and using a computer to its fullest capabilities
  - Crackers (criminal hackers)
- Information and equipment theft
- Software and Internet piracy
- Computer-related scams
  - Nigerian 419
- International computer crime
Data Alteration and Destruction
- Virus
- Worm
- Logic bomb
- Trojan horse
© Hal Mayforth 2003
Virus Elements
- Distribution vector: how does it move from one computer to the next?
  - Virus: attaches to other program, user must take action to spread
  - Worm: self-propagates
- Payload: what does it do when it gets there?
- Ability to mutate: makes it harder to detect, like the AIDS virus
Virus Characteristics
- Similar to biological viruses
  - Replicates on its own
  - May mutate
  - Can be benign or malicious
  - Attaches to a ’host’ program
- Constructed by a programmer
- Types of damage (payload)
  - Destruction of data, programs or hardware
  - Loss of productivity
  - Annoyance
- Top 10 last month: http://www.sophos.com/virusinfo/topten/
Virus Distribution
- Email
  - Executable attachment that masquerades as image file (”Click to see picture of Anna Kournikova!”)
  - HTML code that executes automatically in email program (esp. Outlook and Outlook Express)
- Worm
  - Spreads directly from computer to computer
  - Often exploiting ’open ports’ or other vulnerabilities
- Trojan Horse / Logic Bomb
  - Virus disguised inside other program
- Greeting cards (or other web sites)
  - Clicking link may cause nasty things to happen
- Hoax
  - Email about a ‘false’ threat. May ask user to delete important system file and forward email to other users
Virus Example: SoBig Email Virus
- Distribution vector: Email
  - Arrives in email message, installs own SMTP engine (allows for sending email without using installed email program)
  - Sends itself to all email addresses in address books
  - Forges sender address, so the person that the email appears to come from may not be infected (“email spoofing”)
  - User must execute attachment to be infected
  - Tried to copy itself to Windows shares (unsuccessful, due to bugs)
- Payload: None (except for extra traffic)
  - Might download malicious software from web site
- Expired September 10, 2003
Source: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
Symantec’s Virus Guidelines
- Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
- If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
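The attachment-blocking guideline above, together with the “executable that masquerades as an image file” lure from the Virus Distribution slide, as an added illustration that is not part of the lecture: a small mail-gateway policy check that parses a message and flags any attachment whose real (last) extension is one of the listed executable types. The function names, BLOCKED_EXTENSIONS and the sample message are my own constructed names and data, not from Symantec or the slides.

```python
import email
from email import policy

# Extensions Symantec's guidance lists as commonly used to spread viruses.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def attachment_verdict(filename: str) -> str:
    """'block' if the attachment name should be rejected, else 'allow'.

    Only the last extension counts ("picture.jpg.vbs" is a .vbs file), and
    whitespace padded in to push the real extension out of view is stripped.
    """
    name = filename.strip().lower()
    dot = name.rfind(".")
    if dot == -1:
        return "allow"  # no extension at all
    return "block" if name[dot:].strip() in BLOCKED_EXTENSIONS else "allow"


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message; return (filename, verdict) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname is not None:  # body text and containers carry no filename
            results.append((fname, attachment_verdict(fname)))
    return results


def should_quarantine(raw: bytes) -> bool:
    """True if any attachment is on the block list."""
    return any(v == "block" for _, v in scan_message(raw))


# Constructed sample (not a real capture): a SoBig-style lure carrying a
# .pif "details" file, plus a harmless text attachment.
SAMPLE_MESSAGE = b"""\
From: "A Friend" <friend@example.com>
Subject: Re: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See the attached file for details.
--XYZ
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"

ZmFrZSBjb250ZW50
--XYZ
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--XYZ--
"""
```

Calling should_quarantine(SAMPLE_MESSAGE) returns True because of the .pif attachment; the notes.txt part passes.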
The Six Computer Incidents with the Greatest Worldwide Economic Impact
ILOVEYOU was started by a student in the Philippines who had a project rejected by a teacher!
Measures of Protection
- General controls
  - Physical: a guard in front of a locked door can prevent many problems...
  - Biometric controls: fingerprint, hand print, retina scan, voice, ...
  - Data security control: confidentiality, access control, data integrity
Measures of Protection
- Network protection and firewalls
  - Access control
  - Encryption
  - Firewalls: most cost-effective defense, but not 100% effective
    - ZoneAlarm (personal software firewall)
    - Hardware firewall protects all computers on LAN
- Intrusion detection software
  - How can you protect yourself if you don’t know you were attacked?
- Protection can be assured by conducting an audit
  - Perhaps even hiring a hacker…
- Managed Security Service Providers (MSSPs)
  - Outsource the whole thing!
Common Computer Crime Methods
What Can You Do Personally?
- Install security patches
  - For Windows: www.windowsupdate.com
- Use a virus scanner
- Take backups
- Protect your password (beware of social engineering)
- Install a firewall
- Encrypt sensitive data
- Don’t use IM chat software for sensitive communication (see http://news.com.com/2100-1023-976068.html)
  - Changing: vendors coming out with ‘corporate’ versions
- Visit www.grc.com to make sure your Shields are Up
Privacy Issues
- Privacy and the government
- Privacy at work
- E-mail privacy
- Privacy and the Internet
Privacy Dilemma
- People’s right to privacy – not to be monitored
- Employers need to monitor activity on their premises
  - Discourage time-wasting behavior
  - Prevent criminal activity on network
- Law enforcement needs to solve crimes
- Anonymity makes some people more criminal/amoral
The Right to Know and the Ability to Decide
Email Privacy
- Work email is not private
  - Employers have right to read employee email
  - Can be used as evidence in court
  - Companies need to have a policy for storing email
- Can also cause problems for elected officials
  - Recently Oshkosh School Board was ‘discovered’ to delete messages
  - Violates open meeting laws
Health Concerns
- Repetitive Motion Disorder (Repetitive Stress Injury; RSI)
  - An injury that can be caused by working with computer keyboards and other equipment
- Carpal Tunnel Syndrome (CTS)
  - The aggravation of the pathway for nerves that travel through the wrist (the carpal tunnel)
- Current research says computers do not cause permanent damage
  - A few months without computer will help
  - Research is still being conducted
- Technology can also remove dangerous work situations
Ergonomics
- The study of designing and positioning computer equipment for employee health and safety
  - How high should your monitor be?
  - Where should keyboard, mouse be?
  - Good ways of working to minimize risks
- Web sites on ergonomics:
  - http://www.ics.uci.edu/~abaker/ergo/
  - http://ergo.human.cornell.edu/ergoguide.html
  - http://www.pao.gov.ab.ca/health/ergonomics/computer/
That’s It
- Thursday
  - Rest of lecture
  - Time to work on DB Project implementation. Suggested design solution will be available.
- Tuesday
  - Web design/development lecture/demonstration
  - Learn to create your own web page
- Thursday
  - Lab to work on web page (IT Problem 4)