Security, Ethics and Other IS Issues

Nov 20, 2013

Rev: Feb, 2012




Euiho (David) Suh, Ph.D.


POSTECH Strategic Management of Information and Technology Laboratory

(POSMIT: http://posmit.postech.ac.kr)

Dept. of Industrial & Management Engineering

POSTECH

Contents

Discussion Questions
1. Information System Ethics
2. Information System Security
3. Electronic Commerce Security
4. Other IS Issues
5. Case Study

Discussion Questions

- Find a potential security problem that arises from using the Internet, an intranet or an extranet in business. How can we prevent it?
- Pick one ethical crisis in business today. How can IT or IS help companies overcome unethical practices?
- What are the pros and cons of using Social Network Services?

Introduction

IT Security, Ethics, and Society

(Diagram: Information technology has both beneficial and detrimental effects on society. Management's task is to strive to optimize the beneficial effects while managing work activities to minimize the detrimental effects.)

1. Information System Ethics

Business Ethics

Categories of Ethical Business Issues

Information technology has caused ethical controversy in each of these areas of business ethics:

Equity: executive salaries; comparable worth; product pricing; intellectual property rights; noncompetitive agreements.

Rights: corporate due process; employee health screening; customer privacy; employee privacy; sexual harassment; affirmative action; equal employment opportunity; shareholder interests; employment at will; whistle-blowing.

Honesty: employee conflicts of interest; security of company information; inappropriate gifts; advertising content; government contract issues; financial and cash management procedures; questionable business practices in foreign countries.

Exercise of Corporate Power: product safety; environmental issues; disinvestment; corporate contributions; social issues raised by religious organizations; plant/facility closures and downsizing; political action committees; workplace safety.

Ethical responsibilities of business professionals

- Promote ethical uses of information technology
- Accept the ethical responsibilities of your job
- Properly perform your role as a human resource
- Consider the ethical dimensions of activities and decisions

Corporate Social Responsibility Theories

- Social Contract Theory: Companies have an ethical responsibility to all members of society.
- Stakeholder Theory: Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders.
- Stockholder Theory: Managers are agents of the stockholders. Their ethical responsibility is to increase profits without violating laws or engaging in fraud.

Principles of Technology Ethics

- Proportionality: The good achieved by the technology must outweigh the harm or risk. Moreover, there must be no alternative that achieves the same or comparable benefits with less harm or risk.
- Informed Consent: Those affected by the technology should understand and accept the risks.
- Justice: The benefits and burdens of the technology should be distributed fairly. Those who benefit should bear their fair share of the risks, and those who do not benefit should not suffer a significant increase in risk.
- Minimized Risk: Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk.

2. Information System Security

Computer Crime

Defined by the Association of Information Technology Professionals (AITP) as including:

- The unauthorized use, access, modification, or destruction of hardware, software, data, or network resources
- The unauthorized release of information
- The unauthorized copying of software
- Denying an end user access to his/her own hardware, software, data, or network resources
- Using or conspiring to use computer or network resources illegally to obtain information or tangible property

Types of Computer Crime (1/3)

Hackers and Crackers

- Hacking: the obsessive use of computers, or the unauthorized access to and use of networked computers
- Breaking and Entering: hacking into a computer system and reading files, but neither stealing nor damaging anything (still unauthorized access, and so still a computer crime under the AITP definition above)
- Cracker: a malicious or criminal hacker who keeps the knowledge of vulnerabilities found for private advantage

Types of Computer Crime (2/3)

Cyber Theft

- Many computer crimes involve theft of money
- Most are "inside jobs" that involve unauthorized network entry and alteration of databases to cover the tracks of the employees involved
- Many attacks occur through the Internet
- Most companies don't reveal that they have been targets or victims of cyber crime

Types of Computer Crime (3/3)

Cyberterrorism

- The leveraging of an organization's or government's computers and information, particularly through the Internet, to cause physical, real-world harm or severe disruption of infrastructure
- Can have serious, large-scale influence
- Can weaken a country's economy
- Can affect Internet-based businesses

Examples of Cyberterrorism

- No successful attacks reported yet in the U.S. (as of this revision of the slides)
- Life-support at an Antarctic research station turned off
- Release of untreated sewage into waterways
- Nonessential systems shut down in nuclear power plants
- Estonian government ministry and banks knocked offline

Security Management (1/5)

The goal of security management is the accuracy, integrity, and safety of all information system processes and resources.

Internetworked Security Defenses

Encryption

- Data is transmitted in scrambled form
- It is unscrambled by computer systems for authorized users only
- The most widely used method uses a pair of public and private keys unique to each individual. In practice the public-key operations are used only to exchange a short symmetric session key, and the bulk of the data is encrypted with a fast symmetric cipher (the hybrid scheme SSL/TLS uses).

Security Management (2/5)

Public/Private Key Encryption (figure)

Security Management (3/5)

Internetworked Security Defenses

Firewalls

- Gatekeeper system that protects a company's intranets and other computer networks from intrusion
- Provides a filter and safe transfer point for access to/from the Internet and other networks
- Important for individuals who connect to the Internet with DSL or cable modems
- Can deter hacking, but can't prevent it: traffic the policy allows (for example HTTPS to a public web server) passes through, and an attack carried inside that allowed traffic is invisible to a packet filter

Security Management (4/5)

Internet and Intranet Firewalls (figure)
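The two-firewall layout of the "Internet and Intranet Firewalls" figure, as an added example that is not part of the original slides: a default-deny packet filter in Python with an outer firewall between the Internet and a DMZ web server and an inner firewall between the DMZ and the intranet. The addresses (TEST-NET and RFC 1918 ranges), the ports and the policy are assumptions chosen for illustration, and the sample traffic is constructed, not captured. It also shows the slide's caveat: the HTTPS request the policy must allow is accepted whether it carries a purchase or an attack.

```python
"""Added example (not the slides' code): a default-deny packet filter that
models the layout on the "Internet and Intranet Firewalls" slide.

Internet -> [outer firewall] -> DMZ web server -> [inner firewall] -> intranet

All addresses, ports and the policy itself are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DMZ = ip_network("203.0.113.0/24")        # assumed DMZ (TEST-NET-3 range)
INTRANET = ip_network("10.0.0.0/8")       # assumed internal network
WEB_SERVER, DB_SERVER = "203.0.113.10", "10.0.0.5"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    dport: Optional[int] = None  # None matches any destination port
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and self.proto == pkt.proto)


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet no rule matches is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Outer firewall: the Internet may reach the DMZ web server on 80/443, nothing else.
OUTER_RULES = [
    Rule("allow", "0.0.0.0/0", f"{WEB_SERVER}/32", 443),
    Rule("allow", "0.0.0.0/0", f"{WEB_SERVER}/32", 80),
    Rule("deny", "0.0.0.0/0", str(INTRANET)),   # Internet never talks to the intranet directly
]

# Inner firewall: only the web server, and only to the database port.
INNER_RULES = [
    Rule("allow", f"{WEB_SERVER}/32", f"{DB_SERVER}/32", 5432),
    Rule("deny", str(DMZ), str(INTRANET)),      # a compromised DMZ host gets no further
]


def decide(pkt: Packet) -> str:
    """Run the packet through every firewall on its path; all must allow it.

    Traffic that crosses no firewall in this model (intranet to intranet)
    is not filtered. Outbound connections and return traffic are not modelled:
    a real firewall tracks connection state for those."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    from_internet = src not in DMZ and src not in INTRANET
    firewalls = []
    if from_internet:
        firewalls.append(OUTER_RULES)        # crossing the perimeter
    if dst in INTRANET and src not in INTRANET:
        firewalls.append(INNER_RULES)        # crossing into the intranet
    verdicts = [filter_packet(rules, pkt) for rules in firewalls]
    return "allow" if all(v == "allow" for v in verdicts) else "deny"


# Constructed sample traffic (not captured from any real network).
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", WEB_SERVER, 443),    # customer browsing the store: allow
    Packet("198.51.100.7", WEB_SERVER, 22),     # SSH from the Internet: no rule, deny
    Packet("198.51.100.7", DB_SERVER, 5432),    # Internet straight to the database: deny
    Packet(WEB_SERVER, DB_SERVER, 5432),        # web server querying the database: allow
    Packet(WEB_SERVER, "10.0.0.20", 22),        # compromised web server pivoting: deny
]


def run_samples():
    return [(pkt.src, pkt.dst, pkt.dport, decide(pkt)) for pkt in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for row in run_samples():
        print("%-14s -> %-14s :%-5d %s" % row)
```

The inner firewall is what turns a web-server compromise from a breach of the intranet into a breach of one DMZ host: the pivot attempt to 10.0.0.20:22 is refused even though the same host is allowed to reach the database port.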

Security Management (5/5)

Security Management for Internet Users

- "Use antivirus and firewall software, and update it often to keep destructive programs off your computer."
- "Don't allow online merchants to store your credit card information for future purchases."
- "Use a hard-to-guess password that contains a mix of numbers and letters, and change it frequently."
- "Use different passwords for different websites and applications to keep hackers guessing."
- "Install all operating system patches and upgrades."
- "Use the most up-to-date version of your Web browser, e-mail software, and other programs."
- "Send credit card numbers only to secure sites; look for a padlock or key icon at the bottom of the browser."
- "Use a security program that gives you control over 'cookies' that send information back to websites."
- "Install firewall software to screen traffic if you use DSL or a cable modem to connect to the Net."
- "Don't open e-mail attachments unless you know the source of the incoming message."

3. Electronic Commerce Security

What is Electronic Commerce (EC) Security?

- A special case of network security
- A special case of client-server security
- An evolving area of computer science:
  - Digital cash
  - Internet banking
  - Store fronts versus store reality
  - International marketplace
- Still an area of immense temptation for the criminal element

Possible Threats of EC (1/2)

The traditional threats apply

- Confidentiality, Integrity, Availability, Accountability
- Malicious code
- Network vulnerabilities
- Others

Additional privacy concerns surface (ethics concerns)

- Cookies
- Buying habits and profiling
- Shared databases
- Short-term and long-term storage of sensitive data
- Others

Possible Threats of EC (2/2)

Authentication takes on a new role

- Who is the buyer?
- Who is the seller?
- Is the seller real?
- Where is the seller?

Non-repudiation is important

- Accountability for seller and buyer actions

Availability

- Loss of access equals loss of revenue
- Recovery procedures are very important
- The greatest threat to E-Commerce today (arguably)

A Simple View

E-Commerce protection must include data in transit, data in processing, and data in storage

- over an open network
- in a client-server environment

(Diagram: Client and Server connected over an open network.)

Security Requirements & Client Side Security

Security Requirements

- Transaction integrity
- Confidentiality of the transaction
- Mutual authentication of all parties (customer, store, bank)
- Non-repudiation
- Timely service
- Record keeping
- Protection of the systems against intrusion

Client Side Security

- Essentially "web browser" security
- Two main risks have emerged:
  - Vulnerabilities in the Web browser software
  - Risk of active content
- Active content (mobile code):
  - Java and Java applets
  - ActiveX controls
  - Push technology
  - MS macros
  - Plug-ins

Secure Transport & Web Server Side

Secure Transport

- Secure channels:
  - Secure Sockets Layer (SSL); since superseded by TLS, which is what "SSL" connections actually negotiate today
  - Secure HTTP (S-HTTP); a message-level alternative that saw little adoption
- Smart cards carrying a private key for encryption
- E-Cash protocols

Web Server Side

- Typically a front-end web server, a back-end database, and interface software (e.g., CGI scripts)
- Firewalls are most useful here, but they come in varying degrees of strength and responsiveness
- Operating system security is an issue (for both the network OS and the server OS)

Solution Sets

Encryption plays a very big role

- SSL, S-HTTP
- Digital signatures
- Certificates (X.509 PKI)
- PGP

Also:

- Firewalls
- Trusted OS and products
- Disaster recovery plans
- Education and awareness
- Law

Public Key Infrastructure

Enables the use of public key technology

Parts

- Certificate maintenance: issuance, reissuance, revocation
- Certificate availability
- Interoperation

Answer: a Public Key Infrastructure gets public-key materials where they are needed, when they are needed.

(Diagram: a certificate binding "Jane Doe, Acme" to her public key; the matching private key stays with Jane.)

Doing Business With Keys

(Diagram: A customer orders "PKI for Dummies" from amazon.com over the Internet. Her card number, 4417 5712 1238 51961, is encrypted with the merchant's public key into ciphertext ("Xyl?wk$"), decrypted by the merchant with its private key, and the item is sold. But where did the key come from?)

Certificate: ID? Or ATM Card?

Identity Card

- Something you have
- Something you are

ATM Card

- Something you have
- Something you know

A Certificate is Three Things

- An ID card (e.g., "Jane Doe, Acme" plus her public key; compare a paper ID: Jane Doe, 105 Lee Street, Anywhere, MS 39759)
- A notarized signature
- A scrambling device (plaintext "Mississippi" becomes ciphertext "X&8uj*l.")

Doing Business With Certificates

(Diagram: The same purchase of "PKI for Dummies" from amazon.com, but now the customer takes the merchant's public key from a certificate rather than from an unknown source. The card number 4417 5712 1238 51961 is encrypted to "Xyl?wk$", decrypted with the merchant's private key, and the item is sold. But where did the certificate come from?)

Certifying Authorities

- Public key technology is powerful, but you can't keep everyone's public key on your hard drive:
  - Hundreds of thousands of users globally
  - Expiration and maintenance issues
- More practical to rely on trusted "third parties": Certifying Authorities (CAs)
  - Commercial enterprises that vouch for the identities of individuals and organizations
  - Browsers have the public keys of well-known CAs built in
  - Certificates are (for most practical purposes) viewed as "untamperable" and unforgeable: any change to the signed fields breaks the CA's signature, and forging one requires the CA's private key. This is also why a compromised CA key, and the revocation of bad certificates, matter so much.
  - VeriSign, AT&T, BBN, CeriSign, and others (check your browser)

A Process for Secure EC & Assessing Risk

A Process for Secure EC

1. Assess your risks
2. Secure the infrastructure
3. Secure your Internet connections
4. Secure electronic commerce
5. Disaster recovery

Assessing Risk

- Conduct a threat and vulnerability analysis:
  - What are the threats to your information assets?
  - How vulnerable are you to each of those threats?
  - What would be the business impact if each of the threats were to occur?
  - What controls are available/needed to mitigate the threats?
- Identify and prioritize (... and build a plan):
  - Address the threats and vulnerabilities
  - Ensure the plan is consistent with business objectives and cost
  - Does the plan fit with the organizational culture?

Secure the Infrastructure & Internet Connection

Secure the Infrastructure

- Concerned with OS security, external connectivity, and network security ...
- Develop an Information Security Architecture:
  - "... a structure for implementing security across an enterprise"
  - Defines the organization of the information security program
  - The foundation of a solid information security program

Secure Internet Connection

- Based primarily on firewall protection
- Recall: firewalls vary in trust and capability
- Defense in depth is suggested
- The trade-off between security and ease of access is a business and risk decision
- There is no cookbook solution

Disaster Recovery

- Continuity of operation plans: written down, practiced, realistic and implementable
- Backups
- Hot/cold sites
- Usually overlooked: finding out what happened (investigate the incident before restoring from backup, or the cause comes back with the data)

4. Other IS Issues

Other Security Issues

Software Piracy

- Unauthorized copying of computer programs

Licensing

- Purchasing software is really a payment for a license for fair use
- A site license allows a certain number of copies
- Public domain software is not copyrighted

Intellectual Property

- Copyrighted material includes music, videos, images, articles, books, and software

Copyright Infringement Is Illegal

- Peer-to-peer networking techniques have made it easy to trade pirated intellectual property

Publishers Offer Inexpensive Online Music

- Illegal downloading of music and video is down and continues to drop
- A third of the software industry's revenues are lost to piracy

Viruses and Worms

- Virus: a program that cannot work without being inserted into another program
- Worm: a distinct program that can run unaided
- These programs copy annoying or destructive routines into networked computers; the copy routines are what spread the virus
- Commonly transmitted through:
  - The Internet and online services
  - E-mail and file attachments
  - Disks from contaminated computers
  - Shareware

Adware and Spyware

Adware

1. Software that purports to serve a useful purpose, and often does
2. Allows advertisers to display pop-up and banner ads without the consent of the computer user

Spyware

1. Adware that uses an Internet connection in the background, without the user's permission or knowledge
2. Captures information about the user and sends it over the Internet

Spyware Problems

- Steals private information
- Adds advertising links to Web pages
- Redirects affiliate payments
- Changes a user's home page and search settings
- Degrades system performance
- Spyware often can't be eliminated

5. Case Study

References

- O'Brien & Marakas, "Introduction to Information Systems", Fifteenth Edition, McGraw-Hill, Chapter 11, pp. 453-502
- David Dampier, "Electronic Commerce Security (PPT Slides)", Department of Computer Science & Engineering