Ethical & Social Implications

guideflannelServers

Dec 4, 2013


Information Security

Overview


The security environment in which the
information systems will operate
includes assets, threats, and security
measures.



There are four basic categories of
corporate assets: physical assets, intellectual
assets (such as software), personnel, and
transactions and services.

What is Security?


Authentication


Is someone who he or she says he or she
is?


Is some object (such as a program) what it
says it is?


Does a message come from where it says
it comes from?


Can someone be prevented from later denying
something he or she did (nonrepudiation)?

What is Security?


Authorization


What is a specific person or group of
people allowed to do?


What is a specific program allowed to do?


What is Security?


Encryption (confidentiality)


Who is allowed to see what information, and
how is it kept from everyone else?


What is Security?


System Protection



Virus protection


Firewalls and proxies


Denial-of-service (DoS) protection


Minimize accidental failures


Industry with most threats


Database software developers in the
banking and finance industries reported
more security breaches than database
developers in any other industry polled
in a recent survey.

Most vulnerable industries:


27 percent of the developers surveyed in the
banking and financial services industries said
they had experienced a security breach in
the past year.


18 percent in the medical and health care
industry and telecommunications database
developers said they had experienced a
security breach.


12 percent in electronic commerce and other
Internet companies experienced breaches.


9 percent in the government and military sector.


Top Vulnerabilities That Affect
All Systems



Default installs of operating systems and
applications


Accounts with No Passwords or Weak
Passwords


Non-existent or Incomplete Backups


Large number of open ports


Not filtering packets for correct incoming and
outgoing addresses


Non-existent or incomplete logging
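The item "not filtering packets for correct incoming and outgoing addresses" refers to ingress and egress address filtering on the border router. The following is an added example (not part of the original slides) that implements both rules in Python: a packet arriving from the Internet must not claim one of the organisation's own source addresses, and a packet leaving must carry one of them. The internal prefixes, the bogon list and the sample packets are constructed for the example.

```python
"""Ingress/egress address filtering (anti-spoofing) on a border router.

Two rules: a packet arriving from the outside must not claim an internal
source address, and a packet leaving must carry one of our own source
addresses. The prefixes and packets below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Assumed address plan for the organisation (constructed values).
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Sources that are never valid on an external link: "this network",
# loopback, link-local and multicast.
BOGON_SOURCES = [ipaddress.ip_network("0.0.0.0/8"),
                 ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("169.254.0.0/16"),
                 ipaddress.ip_network("224.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in": arriving from the Internet; "out": leaving to it


def _in_any(addr, prefixes):
    a = ipaddress.ip_address(addr)
    return any(a in p for p in prefixes)


def filter_packet(pkt):
    """Return ("accept" | "drop", reason) for one packet seen at the border."""
    if _in_any(pkt.src, BOGON_SOURCES):
        return "drop", "bogon source address"
    if pkt.direction == "in":
        if _in_any(pkt.src, INTERNAL_PREFIXES):
            return "drop", "outside packet claims an internal source (spoofed)"
        if not _in_any(pkt.dst, INTERNAL_PREFIXES):
            return "drop", "inbound packet not addressed to us"
        return "accept", "ingress filter passed"
    if pkt.direction == "out":
        if not _in_any(pkt.src, INTERNAL_PREFIXES):
            return "drop", "outbound packet with a source address that is not ours"
        if _in_any(pkt.dst, INTERNAL_PREFIXES):
            return "drop", "internal destination must not leave via the external link"
        return "accept", "egress filter passed"
    return "drop", "unknown direction"


# Constructed sample traffic; the outside addresses are documentation ranges.
SAMPLE_PACKETS = [
    Packet("203.0.113.9", "10.0.0.25", "in"),      # normal inbound
    Packet("10.0.0.7", "10.0.0.25", "in"),         # spoofed: internal src from outside
    Packet("127.0.0.1", "10.0.0.25", "in"),        # bogon source
    Packet("10.0.0.25", "203.0.113.9", "out"),     # normal outbound
    Packet("198.51.100.4", "203.0.113.9", "out"),  # compromised host spoofing a source
]


def run(packets=SAMPLE_PACKETS):
    """Apply the filter to each packet; returns (packet, verdict, reason) triples."""
    return [(p,) + filter_packet(p) for p in packets]


if __name__ == "__main__":
    for p, verdict, reason in run():
        print(f"{verdict:6} {p.direction:3} {p.src:>15} -> {p.dst:<15} {reason}")
```

The egress rule is the one most often missing: it does not protect the organisation directly, but it stops a compromised internal host from taking part in spoofed-source attacks against others, and it makes the organisation's own outbound logs trustworthy.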

Types of security breaches


Security breaches are classified under
three general definitions: a computer
virus, a human error, or an
unauthorized break-in.

Types of Security Breaches


Theft of assets


Improper use of assets


Use of assets for other than business
purposes


Unauthorized disclosure of information


Intentional corruption of intellectual
assets

Computer viruses


Computer viruses caused companies an
average of $61,729 last year, according
to the Computer Security Institute.
Denial of service attacks cost companies
an average of $108,717. The total
annual loss last year for all forms of
computer crime? More than $265
million.

Types of Threats


Internal


Intentional


Unintentional


External


Most people believe that security events and
losses originate with outside hackers, but by far
the largest number and impact of security-related
events originate within the organization.


Human threats are caused by:


careless people who share their password with a peer,
use easy-to-crack passwords, or enter incorrect data
into a database or program


dishonest people who insert false or incorrect information
into the information system and its programs, take
advantage of flaws in manual or computerized
procedures, take advantage of access to privileged
information, or infect the information infrastructure with
viruses.


disgruntled employees who destroy computer programs,
pass user passwords to strangers, or corrupt system
information.


hackers who read sensitive information through remote
access, replicate and disseminate it, intercept it in
transit, and infect information with viruses.

Example: Theft and distribution
to unauthorized persons

According to court documents, Turner and Williams each admitted that while
employed by Chase Financial Corporation they knowingly and with the intent
to further a scheme to defraud Chase Manhattan Bank and Chase Financial
Corporation, accessed one or more computer systems without authorization
or in excess of their authorized access on said computer systems, thereby
obtaining credit card account numbers and other customer account
information pertaining to approximately 68 accounts, which they were not
authorized to access in connection with their duties at Chase Financial
Corporation. They admitted that the aggregate credit limits for the targeted
accounts totaled approximately $580,700.00.


They further admitted that after fraudulently obtaining said information,
they distributed and transmitted it to one or more individuals via facsimile
transmission, who, in turn, used the credit card accounts and other financial
information to fraudulently obtain goods and services valued at
approximately $99,636.08, without the knowledge or consent of the account
holders, Chase Manhattan Bank or Chase Financial Corporation.

Example: Intentional
corruption

On February 1, 2002, EITELBERG stopped working at MP. On April 11,
2002, an MP employee accessed the MP database containing customer
orders, and found that the records of all of MP's orders had disappeared.
The computer records at MP allegedly indicated that an individual accessed
the MP computer system using a password from at or about 9:21 P.M. until
at or about 9:46 P.M. on April 10, 2002, and that orders in the database
were deleted during this computer session.


Phone records indicated that between February 27, 2002, more than three
weeks after EITELBERG stopped work at MP, and April 10, 2002, the phone
line registered to the wife of EITELBERG, and located at the EITELBERG
residence was used to call MP's modem connection approximately 13 times,
including the call made at or about 9:24 P.M. on April 10, 2002.

Example: Disgruntled
Employee

As CTO, BLUM had access to all computer system passwords and information
necessary to operate Askit's computer networks. Shortly after BLUM's
departure from the company, Askit began to experience computer and
telephone voicemail problems.

In addition, the President received an e-greeting card containing an image of
a box which displayed a voodoo doll with skeleton-like features. The doll had
pins stuck through the doll's body and was wearing a name tag which
identified the doll as being the President.

In April 2002, messages were posted on the portion of Askit's web site
devoted to answering customer questions containing statements such as "You
are doomed!" and "die." The message "die" was posted from an e-mail
address associated with the defendant. On April 29, 2002, Askit's President
received an e-mail message from a person not known to him telling the
President to "say goodbye to anyone who pretends to care about you" and
this message was traced to a computer at BLUM's present place of
employment.

Example: “Melissa” creator

David L. Smith, 34, was ordered to serve three years of supervised release
after completion of his prison sentence and was fined $5,000. U.S. District
Judge Greenaway further ordered that, upon release, Smith not be involved
with computer networks, the Internet or Internet bulletin boards unless
authorized by the Court and he must serve 100 hours of community service
that would somehow put Smith's technology experience to beneficial use.

Example: Program corruption

NEWARK - A former computer network administrator was sentenced to 41
months in prison for unleashing a $10 million "time bomb" that deleted all
the production programs of a New Jersey-based high-tech measurement
and control instruments manufacturer.

At the time of conviction, the case was believed to be one of the most
expensive computer sabotage cases in U.S. Secret Service history.

Software issues: Buffer
overflow


The security holes exploited by Code Red and
Nimda, worms that experts said had the
potential to knock the entire Internet offline,
were long-standing vulnerabilities in
Microsoft IIS Web Server. Code Red's entry
point was an error made through poor code
writing: a buffer overflow. (Nimda combined
several IIS flaws, including the backdoors
left behind by Code Red II.)


A buffer overflow occurs when a program writes
more data into a fixed-size buffer than the
buffer can hold, so the excess spills into
adjacent memory (other variables, saved
pointers, the return address), often with
unpredictable results and, when the excess
is attacker-controlled, with the attacker
choosing what the program does next.
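To make the "spills into adjacent memory" point concrete, here is an added example (a Python model written for this page, not code from the original slides or from IIS). It lays a bytearray out like a small 32-bit stack frame, an 8-byte buffer followed by a saved frame pointer and a return address, and copies an over-long input into it first without a length check and then with one. The addresses and the payload are constructed values.

```python
"""Model of a stack buffer overflow.

The "frame" is a bytearray laid out like a 32-bit stack frame:
    [ buffer (8 bytes) | saved frame pointer (4) | return address (4) ]
unsafe_strcpy behaves like C's strcpy into char buf[8]; safe_strlcpy
refuses anything that does not fit. All addresses are constructed values.
"""
import struct

BUF_SIZE = 8
FRAME_SIZE = BUF_SIZE + 4 + 4          # buffer | saved fp | return address
RET_OFFSET = BUF_SIZE + 4

# Constructed example values standing in for a real return address / frame pointer.
ORIGINAL_RET = 0x08048ABC
ORIGINAL_FP = 0xBFFFF000


def new_frame():
    frame = bytearray(FRAME_SIZE)
    struct.pack_into("<II", frame, BUF_SIZE, ORIGINAL_FP, ORIGINAL_RET)
    return frame


def return_address(frame):
    return struct.unpack_from("<I", frame, RET_OFFSET)[0]


def unsafe_strcpy(frame, data):
    """No length check: every input byte is written, past the buffer if needed."""
    for i, b in enumerate(data):
        if i >= len(frame):
            raise MemoryError("wrote past the end of the modelled stack")
        frame[i] = b
    return frame


def safe_strlcpy(frame, data):
    """Bounded copy: reject input that does not fit, leaving room for the NUL."""
    if len(data) > BUF_SIZE - 1:
        raise ValueError(f"input of {len(data)} bytes exceeds the {BUF_SIZE - 1}-byte buffer")
    frame[:len(data)] = data
    frame[len(data)] = 0
    return frame


def build_payload(new_ret):
    """Filler to reach the return-address slot, then the attacker's address."""
    return b"A" * RET_OFFSET + struct.pack("<I", new_ret)


def demo():
    payload = build_payload(0xDEADBEEF)
    overflowed = unsafe_strcpy(new_frame(), payload)
    try:
        safe_strlcpy(new_frame(), payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "original_ret": return_address(new_frame()),
        "overflowed_ret": return_address(overflowed),
        "bounded_copy_rejected": rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:#x}" if isinstance(v, int) else f"{k}: {v}")
```

In real memory the overwritten return address is used when the function returns, which is how a worm turns an oversized request into code execution; the model stops at showing which slot the extra bytes land in and that a bounds check prevents it.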

Application Security


Database security is critical, but strong
application security is equally important.


Application security flaws are usually
introduced early in the design cycle.

Top 10 application security
defects:


Session replay/hijacking


Password Controls


Buffer overflows


File/application enumeration


Weak encryption


Password sniffing


Cookie manipulation


Administrative Channels


Log storage/retrieval issues


Error Codes
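Two items in the list above, cookie manipulation and session replay/hijacking, share one standard mitigation: the server signs the session cookie and attaches an expiry, so a client cannot edit the cookie's contents and a stolen cookie stops working after a short time. The following is an added example (not from the original slides) in Python using HMAC-SHA256 from the standard library; the key and the sample session are constructed for the example.

```python
"""Tamper-evident session cookie with expiry.

Format: base64url(payload JSON) "." base64url(HMAC-SHA256(key, payload)).
The server trusts nothing in the cookie until the MAC verifies.
The key and sample payloads are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"example-key-do-not-use-in-production"  # assumed: loaded from secure config


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(payload, key=SECRET_KEY, ttl=900, now=None):
    """Sign the payload plus an expiry; ttl in seconds (short TTL limits replay)."""
    now = int(time.time()) if now is None else now
    body = dict(payload, exp=now + ttl)
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, raw, hashlib.sha256).digest()
    return _b64(raw) + "." + _b64(mac)


def verify_cookie(cookie, key=SECRET_KEY, now=None):
    """Return the payload dict if the MAC verifies and it has not expired, else None."""
    now = int(time.time()) if now is None else now
    try:
        raw_b64, mac_b64 = cookie.split(".")
        raw, mac = _unb64(raw_b64), _unb64(mac_b64)
    except ValueError:  # wrong part count or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    try:
        body = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(body, dict) or body.get("exp", 0) <= now:
        return None
    return body


def tamper(cookie, **changes):
    """What an attacker does: edit the payload (e.g. role=admin) and keep the old MAC."""
    raw_b64, mac_b64 = cookie.split(".")
    body = json.loads(_unb64(raw_b64))
    body.update(changes)
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return _b64(raw) + "." + mac_b64


def demo(now=1_386_115_200):  # constructed fixed clock: 2013-12-04T00:00:00Z
    cookie = make_cookie({"user": "alice", "role": "user"}, ttl=900, now=now)
    return {
        "valid": verify_cookie(cookie, now=now + 60),
        "tampered": verify_cookie(tamper(cookie, role="admin"), now=now + 60),
        "wrong_key": verify_cookie(cookie, key=b"other-key", now=now + 60),
        "expired": verify_cookie(cookie, now=now + 901),
        "garbage": verify_cookie("not.a.cookie", now=now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10} -> {result}")
```

The signature defeats forgery and manipulation, not theft: a cookie copied off the wire or out of a browser replays until `exp`. That is why it is paired with a short TTL, the Secure and HttpOnly cookie flags, TLS on every request (the "password sniffing" item), and a fresh cookie whenever privileges change.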

Solutions for application
security


Stop depending solely on firewalls


Education of application developers.


Engage management.


Get outside help, outsourcing.

Solutions for security:



Vulnerability testing


Track changes


Security Policy


Security Infrastructure investment


Protect against internal threats


Government resources


Control physical access to your server room

Vulnerability testing



Seeks to identify potential threats by
discovering weak areas in the existing
controls.


Once identified, the controls can be
tightened and the potential threat
averted.

Track changes



Tracking innocent mistakes can give
you an early warning that more user
training is required or that the new
software applications themselves need
to be reviewed and possibly revised.


Audit Trail


Event Log
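An audit trail only gives the early warning the slide describes if someone actually reads it. The following is an added example (not from the original slides) of detection logic over an application event log in Python: it counts validation errors per user (a training signal), per application (a signal that the application or its forms need review), and flags a burst of record deletions outside business hours, the pattern in the order-database example earlier in the deck. The log format and the log lines are constructed for the example.

```python
"""Audit-trail analysis over a constructed application event log.

Each line: ISO timestamp followed by key=value fields (format assumed for
the example). Three checks: users with repeated validation errors, apps
with a high error rate, and after-hours bulk deletions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data).
LOG_LINES = """
2013-12-04T09:12:01 user=jdoe app=orders event=VALIDATION_ERROR field=qty
2013-12-04T09:13:40 user=jdoe app=orders event=RECORD_UPDATE id=1001
2013-12-04T09:15:22 user=jdoe app=orders event=VALIDATION_ERROR field=qty
2013-12-04T10:02:05 user=asmith app=orders event=RECORD_CREATE id=1002
2013-12-04T10:05:17 user=asmith app=orders event=RECORD_CREATE id=1003
2013-12-04T10:41:09 user=jdoe app=orders event=VALIDATION_ERROR field=ship_date
2013-12-04T11:20:33 user=asmith app=orders event=RECORD_UPDATE id=1002
2013-12-04T14:03:50 user=mlee app=orders event=RECORD_CREATE id=1004
2013-12-04T14:10:12 user=asmith app=hr event=VALIDATION_ERROR field=ssn
2013-12-04T14:12:48 user=asmith app=hr event=RECORD_UPDATE id=77
2013-12-04T21:21:00 user=mlee app=orders event=LOGIN_OK src=modem
2013-12-04T21:24:10 user=mlee app=orders event=RECORD_DELETE id=1001
2013-12-04T21:25:02 user=mlee app=orders event=RECORD_DELETE id=1002
2013-12-04T21:26:41 user=mlee app=orders event=RECORD_DELETE id=1003
2013-12-04T21:27:15 user=mlee app=orders event=RECORD_DELETE id=1004
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse(line):
    """Return (timestamp, fields) for one log line."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.fromisoformat(m.group("ts"))
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return ts, fields


def analyze(lines=LOG_LINES, error_threshold=3, app_error_rate=0.25,
            business_hours=(8, 18), delete_threshold=3):
    per_user_errors = Counter()
    per_app_total = Counter()
    per_app_errors = Counter()
    after_hours_deletes = defaultdict(int)
    start, end = business_hours

    for line in lines:
        ts, f = parse(line)
        user, app, event = f["user"], f["app"], f["event"]
        per_app_total[app] += 1
        if event == "VALIDATION_ERROR":
            per_user_errors[user] += 1      # innocent mistakes: training signal
            per_app_errors[app] += 1        # many users failing: review the app
        if event == "RECORD_DELETE" and not (start <= ts.hour < end):
            after_hours_deletes[user] += 1  # sabotage pattern: deletes at night

    return {
        "users_needing_training": sorted(
            u for u, c in per_user_errors.items() if c >= error_threshold),
        "apps_to_review": sorted(
            a for a in per_app_total
            if per_app_errors[a] / per_app_total[a] >= app_error_rate),
        "after_hours_bulk_delete": sorted(
            u for u, c in after_hours_deletes.items() if c >= delete_threshold),
    }


if __name__ == "__main__":
    for finding, names in analyze().items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Thresholds are deliberately parameters: the right values depend on how many transactions an application handles per day, and the after-hours rule only works if the log records who was logged in and when, which is exactly what "non-existent or incomplete logging" takes away.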

Security Policy



Acceptable Use Policy


Anti-Virus Process


Audit Policy


Database Credentials Coding Policy


Dial-in Access Policy


Extranet Policy


Password Protection Policy


Risk Assessment Policy

Security Infrastructure
investment


Risk assessment


Passive network sniffer


Attack your network from the outside


Regular briefings


Hire an outside consulting firm to
perform a vulnerability assessment on
key areas

Protect against internal threats



Valuation of protected information


Background checks


Security education


Separate servers


PGP encryption


Temporary accounts (set to expire)


Eliminate opportunities for inside hackers

Control physical access to your
server room


Physical access to the server room
should be monitored and controlled.


Keyless lock or electronic code entrances


Access control cards

Government resources



Cybercrime.gov

Closing Remarks


Data and people are two of an
organization’s most important assets


YOU ARE TRUSTED with these assets