Ethical & Social Implications
The security environment in which the information systems will operate includes assets, threats, and security
There are four basic categories of corporate assets: physical, intellectual (software), personnel, transactions and
What is Security?
Is someone who he or she says he or she is? (authentication)
Is some object (such as a program) what it says it is? (integrity)
Does a message come from where it says it comes from? (origin authentication)
Can someone deny something he or she did? (non-repudiation)
What is a specific person or group of people allowed to do? (authorization)
What is a specific program allowed to do? (least privilege)
Who is allowed to see what information? (confidentiality)
Firewalls and proxies
Minimize accidental failures
Industry with most threats
Database software developers in the banking and finance industries reported more security breaches than database developers in any other industry polled in a recent survey.
Most vulnerable industries:
27 percent of the developers surveyed in the banking and financial services industries said they had experienced a security breach in the past year.
18 percent of database developers in the medical and health care industry and in telecommunications said they had experienced a security breach.
12 percent of developers in electronic commerce and other Internet companies experienced breaches.
9 percent in the government and military sector.
Top Vulnerabilities That Affect
Default installs of operating systems and applications
Accounts with no passwords or weak passwords
Non-existent or incomplete backups
Large number of open ports
Not filtering packets for correct incoming and outgoing addresses
Non-existent or incomplete logging
Types of Security Breaches
Security breaches are classified under three general definitions: a computer virus, a human error, or an
Theft of assets
Improper use of assets
Use of assets for other than business purposes
Unauthorized disclosure of information
Intentional corruption of intellectual property
Computer viruses cost companies an average of $61,729 last year, according to the Computer Security Institute.
Denial of service attacks cost companies an average of $108,717.
The total annual loss last year for all forms of computer crime? More than $265
Types of Threats
Most people believe that the origin of security events and loss is evil hackers, but by far the largest number and impact of security-related events originate within the organization.
Human threats are caused by:
careless people who leave their password exposed to peers or use easily cracked passwords, and who insert incorrect data into a database or program
dishonest people who insert false or incorrect information into the information system and computer programs, take advantage of flaws in manual or computerized procedures, take advantage of access to privileged information, and infect the information infrastructure with viruses
disgruntled employees who destroy computer programs, pass user passwords to strangers, and corrupt system
hackers who read sensitive information through remote access, replicate and disseminate sensitive information, intercept sensitive information, and infect information with viruses
Example: Theft and distribution to unauthorized persons
According to court documents, Turner and Williams each admitted that while
employed by Chase Financial Corporation they knowingly and with the intent
to further a scheme to defraud Chase Manhattan Bank and Chase Financial
Corporation, accessed one or more computer systems without authorization
or in excess of their authorized access on said computer systems, thereby
obtaining credit card account numbers and other customer account
information pertaining to approximately 68 accounts, which they were not
authorized to access in connection with their duties at Chase Financial
Corporation. They admitted that the aggregate credit limits for the targeted
accounts totaled approximately $580,700.00.
They further admitted that after fraudulently obtaining said information,
they distributed and transmitted it to one or more individuals via facsimile
transmission, who, in turn, used the credit card accounts and other financial
information to fraudulently obtain goods and services valued at
approximately $99,636.08, without the knowledge or consent of the account
holders, Chase Manhattan Bank or Chase Financial Corporation.
On February 1, 2002, EITELBERG stopped working at MP. On April 11,
2002, an MP employee accessed the MP database containing customer
orders, and found that the records of all of MP's orders had disappeared.
The computer records at MP allegedly indicated that an individual accessed
the MP computer system using a password from at or about 9:21 P.M. until
at or about 9:46 P.M. on April 10, 2002, and that orders in the database
were deleted during this computer session.
Phone records indicated that between February 27, 2002, more than three
weeks after EITELBERG stopped work at MP, and April 10, 2002, the phone
line registered to the wife of EITELBERG, and located at the EITELBERG
residence was used to call MP's modem connection approximately 13 times,
including the call made at or about 9:24 P.M. on April 10, 2002.
As CTO, BLUM had access to all computer system passwords and information
necessary to operate Askit's computer networks. Shortly after BLUM's
departure from the company, Askit began to experience computer and
telephone voicemail problems.
In addition, the President received an e-greeting card containing an image of a box which displayed a voodoo doll with skeleton-like features. The doll had pins stuck through the doll's body and was wearing a name tag which identified the doll as being the President.
In April 2002, messages were posted on the portion of Askit's web site devoted to answering customer questions containing statements such as "You are doomed!" and "die." The message "die" was posted from an e-mail address associated with the defendant. On April 29, 2002, Askit's President received an e-mail message from a person not known to him telling the President to "say goodbye to anyone who pretends to care about you" and this message was traced to a computer at BLUM's present place of
Example: “Melissa” creator
David L. Smith, 34, was ordered to serve three years of supervised release after completion of his prison sentence and was fined $5,000. U.S. District Judge Greenaway further ordered that, upon release, Smith not be involved with computer networks, the Internet or Internet bulletin boards unless authorized by the Court, and that he serve 100 hours of community service that would put Smith's technology experience to beneficial use.
Example: Program corruption
A former computer network administrator was sentenced to 41 months in prison for unleashing a $10 million "time bomb" that deleted all the production programs of a New Jersey and control instruments manufacturer.
At the time of conviction, the case was believed to be one of the most expensive computer sabotage cases in U.S. Secret Service history.
Software issues: Buffer overflow
The security holes exploited by Code Red and Nimda, worms that experts said had the potential to knock the entire Internet offline, were long-standing vulnerabilities in the Microsoft IIS Web Server caused by an error made through poor code writing: the buffer overflow.
A buffer overflow occurs when a program writes more data into a fixed-size region of memory (a buffer) than that region can hold. The excess spills into whatever is stored next to the buffer, such as other variables, the saved return address, or heap bookkeeping, with unpredictable results. If the attacker controls the data, the "unpredictable" result can be chosen by the attacker: a changed decision variable, a crash, or execution of attacker-supplied code. The root cause is copying input without checking its length against the buffer's capacity.
Database security is critical, but strong application security is equally important.
Application security flaws are usually introduced early in the design cycle, where they are cheapest to fix and most expensive to discover later.
Top 10 application security
Log storage/retrieval issues
Solutions for application security
Stop depending solely on firewalls
Education of application developers
Get outside help, outsourcing
Solutions for security:
Security Infrastructure investment
Protect against internal threats
Control physical access to your server room
A vulnerability assessment seeks to identify potential threats by discovering weak areas in the existing system.
Once identified, the controls can be tightened and the potential threat reduced.
Tracking innocent mistakes can give you an early warning that more user training is required or that the new software applications themselves need to be reviewed and possibly revised.
Acceptable Use Policy
Database Credentials Coding Policy
Dial-in Access Policy
Password Protection Policy
Risk Assessment Policy
Passive network sniffer
Attack your network from the outside
Hire an outside consulting firm to perform a vulnerability assessment on your network
Protect against internal threats
Valuation of protected information
Temporary accounts
Eliminate opportunities for inside hackers
Control physical access to your server room
Physical access to the server room should be monitored and controlled.
Keyless lock or electronic code entrances
Access control cards
Data and people are two of an organization's most important assets.
YOU ARE TRUSTED with these assets.