Ethical & Social Implications


Dec 4, 2013 (4 years and 4 months ago)


Ethical & Social Implications

Information Security


The security environment in which the
information systems will operate
includes assets, threats, and security

There are four basic categories of
corporate assets: physical, intellectual
(software), personnel, transactions and

What is Security?


Is someone who he or she says he or she

Is some object (such as a program) what it
says it is?

Does a message come from where it says
it comes from?

Can someone deny something he or she
did (nonrepudiation)?

What is Security?


What is a specific person or group of
people allowed to do?

What is a specific program allowed to do?

What is Security?


Who is allowed to see what information?

What is Security?

System Protection

Virus protection

Firewalls and proxies


Minimize accidental failures

Industry with most threats

Database software developers in the
banking and finance industries reported
more security breaches than database
developers in any other industry polled
in a recent survey.

Most vulnerable industries:

27 percent of the developers surveyed in the
banking and financial services industries said
they had experienced a security breach in
the past year.

18 percent in the medical and health care
industry and telecommunications database
developers said they had experienced a
security breach.

12% in electronic commerce and other
internet companies experienced breaches.

9% in the government and military sector.

Top Vulnerabilities That Affect
All Systems

Default installs of operating systems and

Accounts with No Passwords or Weak

existent or Incomplete Backups

Large number of open ports

Not filtering packets for correct incoming and
outgoing addresses

existent or incomplete logging

Types of security breaches

Security breaches are classified under
three general definitions: a computer
virus, a human error, or an
unauthorized break

Types of Security Breaches

Theft of assets

Improper use of assets

Use of assets for other than business

Unauthorized disclosure of information

Intentional corruption of intellectual

Computer viruses

Computer viruses caused companies an
average of $61,729 last year, according
to the Computer Security Institute.
Denial of service attacks cost companies
an average of $108,717. The total
annual loss last year for all forms of
computer crime? More than $265

Types of Threats





Most people believe that the origin of
security events and loss comes from evil
hackers, but by far the largest number and
impact of security
related events originate
within the organization.

Human threats are caused by:

careless people who leave the password to peer or use
crack passwords, insert incorrect data to a
database or programs

dishonest people who insert false, incorrect information
to the information system and computer programs, take
advantage of flaws in manual or computerized
procedures, take advantage of access to privileged
information, infect the information infrastructure with

disgruntled employees who destroy computer programs,
pass user password to strangers, corrupt system

hackers who read sensitive information through remote
access to information, replicate and disseminate
sensitive information, intercept sensitive information
and infect information with viruses.

Example: Theft and distribution
to unauthorized persons

According to court document, Turner and Williams each admitted that while
employed by Chase Financial Corporation they knowingly and with the intent
to further a scheme to defraud Chase Manhattan Bank and Chase Financial
Corporation, accessed one or more computer systems without authorization
or in excess of their authorized access on said computer systems, thereby
obtaining credit card account numbers and other customer account
information pertaining to approximately 68 accounts, which they were not
authorized to access in connection with their duties at Chase Financial
Corporation. They admitted that the aggregate credit limits for the targeted
accounts totaled approximately $580,700.00.

They further admitted that after fraudulently obtaining said information,
they distributed and transmitted it to one or more individuals via facsimile
transmission, who, in turn, used the credit card accounts and other financial
information to fraudulently obtain goods and services valued at
approximately $99,636.08, without the knowledge or consent of the account
holders, Chase Manhattan Bank or Chase Financial Corporation.

Example: Intentional

On February 1, 2002, EITELBERG stopped working at MP. On April 11,
2002, an MP employee accessed the MP database containing customer
orders, and found that the records of all of MP's orders had disappeared.
The computer records at MP allegedly indicated that an individual accessed
the MP computer system using a password from at or about 9:21 P.M. until
at or about 9:46 P.M. on April 10, 2002, and that orders in the database
were deleted during this computer session.

Phone records indicated that between February 27, 2002, more than three
weeks after EITELBERG stopped work at MP, and April 10, 2002, the phone
line registered to the wife of EITELBERG, and located at the EITELBERG
residence was used to call MP's modem connection approximately 13 times,
including the call made at or about 9:24 P.M. on April 10, 2002.

Example: Disgruntled

As CTO, BLUM had access to all computer system passwords and information
necessary to operate Askit's computer networks. Shortly after BLUM's
departure from the company, Askit began to experience computer and
telephone voicemail problems.

In addition, the President received an e
greeting card containing an image of
a box which displayed a voodoo doll with skeleton
like features. The doll had
pins stuck through the doll's body and was wearing a name tag which
identified the doll as being the President.

In April 2002, messages were posted on the portion of Askit's web site
devoted to answering customer questions containing statements such as "You
are doomed!" and "die." The message "die" was posted from an e
address associated with the defendant. On April 29, 2002, Askit's President
received an e
mail message from a person not known to him telling the
President to "say goodbye to anyone who pretends to care about you” and
this message was traced to a computer at BLUM's present place of

Example: “Melissa” creator

David L. Smith, 34,was ordered to serve three years of supervised release
after completion of his prison sentence and was fined $5,000. U.S. District
Judge Greenaway further ordered that, upon release, Smith not be involved
with computer networks, the Internet or Internet bulletin boards unless
authorized by the Court and he must serve 100 hours of community service
that would somehow put Smith's technology experience to beneficial use.

Example: Program corruption


A former computer network administrator was sentenced to 41
months in prison for unleashing a $10 million "time bomb" that deleted all
the production programs of a New Jersey
based high
tech measurement
and control instruments manufacturer.

At the time of conviction, the case was believed to be one of the most
expensive computer sabotage cases in U.S. Secret Service history.

Software issues: Buffer

The security holes exploited by Code Red and
Nimda, worms that experts said had the
potential to knock the entire Internet offline,
attacked long
standing vulnerabilities in
Microsoft IIS Web Server caused by an error
made through poor code writing: the buffer

Buffer overflow occurs when the amount of
memory assigned to a specific application or
task is flooded, often with unpredictable

Application Security

Database security is critical, but strong
application security is equally important.

Application security flaws are usually
introduced early in the design cycle.

Top 10 application security

Session replay/hijacking

Password Controls

Buffer overflows

File/application enumeration

Weak encryption

Password sniffing

Cookie manipulation

Administrative Channels

Log storage/retrieval issues

Error Codes

Solutions for application

Stop depending solely on firewalls

Education of application developers.

Engage management.

Get outside help, outsourcing.

Solutions for security:

Vulnerability testing

Track changes

Security Policy

Security Infrastructure investment

Protect against internal threats

Government resources

Control physical access to your server room

Vulnerability testing

Seeks to identify potential threats by
discovering weak areas in the existing

Once identified, the controls can be
tightened and the potential threat

Track changes

Tracking innocent mistakes can give
you an early warning that more user
training is required or that the new
software applications themselves need
to be reviewed and possibly revised.

Audit Trail

Event Log

Security Policy

Acceptable Use Policy

Virus Process

Audit Policy

Database Credentials Coding Policy

in Access Policy

Extranet Policy

Password Protection Policy

Risk Assessment Policy

Security Infrastructure

Risk assessment

Passive network sniffer

Attack your network from the outside

Regular briefings

Hire an outside consulting firm to
perform a vulnerability assessment on
key areas

Protect against internal threats

Valuation of protected information

Background checks

Security education

Separate servers

PGP encryption

A temporary accounts

Eliminate opportunities for inside hackers

Control physical access to your
server room

Physical access to the server room
should be monitored and controlled.

Keyless lock or electronic code entrances

Access control cards

Government resources

Closing Remarks

Data and people are two of an
organization’s most important assets

YOU ARE TRUSTED with these assets