
Security & Ethical Challenges

Business/ IT security, ethics and society

Ethical Responsibility

Business Ethics

Basic categories of ethical issues:
- Employee privacy
- Security of company records
- Workplace safety

Ethical Responsibility (continued)

Technology Ethics

Four Principles

Proportionality:
- The good must outweigh any harm or risk
- There must be no alternative that achieves the same or comparable benefits with less harm or risk

Ethical Responsibility (continued)

Technology Ethics (continued)

Informed consent: those affected should understand and accept the risks

Justice: benefits and burdens should be distributed fairly

Minimized risk: even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk

Ethical Guidelines

Responsible end users:
- Act with integrity
- Increase their professional competence
- Set high standards of personal performance
- Accept responsibility for their work
- Advance the health, privacy, and general welfare of the public

Computer Crime

Association of Information Technology Professionals (AITP) definition includes:
- The unauthorized use, access, modification, and destruction of hardware, software, data, or network resources
- Unauthorized release of information
- Unauthorized copying of software
- Denying an end user access to his or her own hardware, software, data, or network resources
- Using or conspiring to use computer or network resources to illegally obtain information

Who commits computer crime?

Computer Crime

Hacking: the obsessive use of computers, or the unauthorized access and use of networked computer systems

Cyber Theft: involves unauthorized network entry and the fraudulent alteration of computer databases


Computer Crime (continued)

Unauthorized use at work:
- Also called time and resource theft
- May range from doing private consulting or personal finances, to playing video games, to unauthorized use of the Internet on company networks

Computer Crime (continued)

Piracy of intellectual property

Software Piracy:
- Unauthorized copying of software
- Software is intellectual property protected by copyright law and user licensing agreements

Other forms of intellectual property covered by copyright laws:
- Music
- Videos
- Images
- Articles
- Books
- Other written works

Computer Crime (continued)

Computer viruses and worms

Virus: a program that cannot work without being inserted into another program

Worm: a distinct program that can run unaided

Privacy Issues

IT makes it technically and economically feasible to collect, store, integrate, interchange, and retrieve data and information quickly and easily.
- Benefit: increases efficiency and effectiveness
- But it may also have a negative effect on individuals' right to privacy

Privacy Issues (continued)

Privacy on the Internet:
- Users of the Internet are highly visible and open to violations of privacy
- Unsecured, with no real rules
- Cookies capture information about you every time you visit a site
- That information may be sold to third parties

Privacy Issues (continued)

Privacy on the Internet (continued)

Protect your privacy by:
- Encrypting your messages
- Posting to newsgroups through anonymous remailers
- Asking your ISP not to sell your information to mailing list providers and other marketers
- Declining to reveal personal data and interests online

Privacy Issues (continued)

Computer Matching:
- Computer profiling and matching personal data to that profile
- Mistakes can be a major problem

Privacy Issues (continued)

Privacy laws:
- Attempt to enforce the privacy of computer-based files and communications
- Electronic Communications Privacy Act
- Computer Fraud and Abuse Act

Privacy Issues (continued)

Computer Libel and Censorship

The opposite side of the privacy debate:
- Right to know (freedom of information)
- Right to express opinions (freedom of speech)
- Right to publish those opinions (freedom of the press)
- Spamming
- Flaming

Other Challenges


Employment


New jobs have been created and productivity has increased, yet there has been a significant reduction in some types of jobs as a result of IT.


Other Challenges (continued)

Computer Monitoring

Concerns workplace privacy:
- Monitors individuals, not just work
- Is done continually
- May be seen as violating workers' privacy and personal freedom
- Workers may not know that they are being monitored or how the information is being used
- May increase workers' stress level
- May rob workers of the dignity of their work

Other Challenges (continued)

Working Conditions: IT has eliminated many monotonous, obnoxious tasks, but has created others

Individuality:
- Computer-based systems criticized as impersonal systems that dehumanize and depersonalize activities
- Regimentation

Health Issues:
- Job stress
- Muscle damage
- Eye strain
- Radiation exposure
- Accidents

Some solutions: Ergonomics (human factors engineering)
- Goal is to design healthy work environments

Societal Solutions

Beneficial effects on society: solve human and social problems
- Medical diagnosis
- Computer-assisted instruction
- Governmental program planning
- Environmental quality control
- Law enforcement
- Crime control
- Job placement

Section II

Security Management

Tools of Security Management

Goal


Minimize errors, fraud, and losses in the e-business systems that interconnect businesses with their customers, suppliers, and other stakeholders


Internetworked Security Defenses

Encryption:
- Passwords, messages, files, and other data are transmitted in scrambled form and unscrambled for authorized users
- Involves using special mathematical algorithms to transform digital data into scrambled code
- The most widely used method uses a pair of public and private keys unique to each individual

Internetworked Security Defenses (continued)

Firewalls:
- Serve as a gatekeeper system that protects a company's intranets and other computer networks from intrusion
- Provide a filter and safe transfer point
- Screen all network traffic for proper passwords or other security codes

Internetworked Security Defenses (continued)

Denial of Service Defenses

These assaults depend on three layers of networked computer systems:
- Victim's website
- Victim's ISP
- Sites of zombie or slave computers

Defensive measures and security precautions must be taken at all three levels

Internetworked Security Defenses (continued)

E-mail Monitoring

Spot checks just aren't good enough anymore. The tide is turning toward systematic monitoring of corporate e-mail traffic using content-monitoring software that scans for troublesome words that might compromise corporate security.

Internetworked Security Defenses (continued)

Virus Defenses

Protection may be accomplished through:
- Centralized distribution and updating of antivirus software
- Outsourcing the virus protection responsibility to ISPs or to telecommunications or security management companies

Other Security Measures

Security codes

Multilevel password system:
- Log onto the computer system
- Gain access into the system
- Access individual files

Other Security Measures (continued)

Backup Files:
- Duplicate files of data or programs
- File retention measures
- Sometimes several generations of files are kept for control purposes

Other Security Measures (continued)




Security Monitors


Programs that monitor the use of computer systems and networks and protect them from unauthorized use, fraud, and destruction


Other Security Measures (continued)

Biometric Security

Measure physical traits that make each individual unique:
- Voice
- Fingerprints
- Hand geometry
- Signature dynamics
- Keystroke analysis
- Retina scanning
- Face recognition
- Genetic pattern analysis

Other Security Measures (continued)

Computer Failure Controls:
- Preventive maintenance of hardware and management of software updates
- Backup computer system
- Carefully scheduled hardware or software changes
- Highly trained data center personnel

Other Security Measures (continued)

Fault Tolerant Systems

Computer systems that have redundant processors, peripherals, and software:
- Fail-over
- Fail-safe
- Fail-soft

Other Security Measures (continued)

Disaster Recovery

Disaster recovery plan specifies:
- Which employees will participate and their duties
- What hardware, software, and facilities will be used
- Priority of applications that will be processed

System Controls and Audits

Information System Controls:
- Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities
- Designed to monitor and maintain the quality and security of input, processing, and storage activities

System Controls and Audits (continued)

Auditing Business Systems:
- Review and evaluate whether proper and adequate security measures and management policies have been developed and implemented
- Testing the integrity of an application's audit trail

CYBERTERRORISM

Cyber Threats

Out-of-the-box Linux PC hooked to the Internet, not announced:
- [30 seconds] First service probes/scans detected
- [1 hour] First compromise attempts detected
- [12 hours] PC fully compromised:
  - Administrative access obtained
  - Event logging selectively disabled
  - System software modified to suit intruder
  - Attack software installed
  - PC actively probing for new hosts to intrude

Clear the disk and try again!

[Figure: Attack Sophistication vs. Intruder Technical Knowledge. The chart plots attack sophistication (low to high) against the technical knowledge intruders need, along a timeline from 1980 to 2000: tool sophistication rises while required intruder knowledge falls. Techniques plotted along the timeline include password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, network management diagnostics, distributed attack tools, stealth/advanced scanning techniques, staged attacks, cross site scripting, and auto coordinated tools.]

Vulnerability Exploit Cycle (a repeating cycle):
1. Advanced intruders discover new vulnerability
2. Crude exploit tools distributed
3. Novice intruders use crude exploit tools
4. Automated scanning/exploit tools developed
5. Widespread use of automated scanning/exploit tools
6. Intruders begin using new types of exploits

Definitions

Cyberterror: the deliberate destruction, disruption or distortion of digital data or information flows with widespread effect for political, religious or ideological reasons.

Cyber-utilization: the use of on-line networks or data by terrorist organizations for supportive purposes.

Cybercrime: the deliberate misuse of digital data or information flows.

Sophistication of Cybercrime (from simple to complex):
- Unstructured (simple): individuals or groups working with little structure, forethought or preparation
- Structured (advanced): groups working with some structure, but little forethought or preparation
- Coordinated (complex): groups working with advance preparation with specific targets and objectives

Example: Zapatista Cyberstrike
- Mid-1990s rebellion in Mexico
- Military situation strongly favored Mexican Army
- Agents of influence circulated rumors of Peso instability
- Peso crash forced government to negotiating table
- Compounded by intrusions into Mexican logistics

[Figure: Pakistani/Indian Defacements. Timeline from 10/99 through 1/00, 4/00, 7/00, 10/00 and 1/01 to 4/01; defacements are rated from "juvenile" to "well written" and classified as "no mention of terrorist organizations" or "mentions terrorist organizations"; the vertical axis is labelled "More".]

Cyber Trends

CERT/CC Year 2000: 21,756 incidents
- 16,129 probes/scans
- 2,912 information requests
- 261 hoaxes, false alarms, vulnerability reports, unknown
- 2,454 incidents with substantive impact on target

Profiled 851 incidents, all active during July-Oct 2000 (plus some preliminary June data; profiling work is ongoing). Many different dimensions for analysis and trend generation (analysis work is ongoing).

Summary
- Majority of on-line threat is cybercrime
- Cyber terror is still emerging
- Evolving threat:
  - Integrating critical missions with general Internet
  - Increasing damage/speed of attacks
  - Continued vulnerability of off-the-shelf software
- Much confusion of descriptions and definitions
- Widely viewed as critical weakness of Western nations

ERGONOMICS

The science of fitting the job to the worker

MULTIDISCIPLINARY NATURE OF ERGONOMICS:
- Anatomy and physiology
- Engineering psychology
- Engineering
- Medicine
- Anthropology
- Biomechanics

Benefits of Ergonomics
- Decreased injury risk
- Increased productivity
- Decreased mistakes/rework
- Increased efficiency
- Decreased lost work days
- Decreased turnover
- Improved morale

ERGONOMIC CONCEPTS
- Tool design
- Workstation design
- Material handling limits
- Visual and auditory task design

DESIGN AND DISEASE

Posture              Discomfort
Standing             Legs, feet, back
Sitting              Neck, back, shoulders
Reaching             Shoulders, upper arms
Head bent back       Cervical region
Trunk bent forward   Lumbar region

WORKSTATION GUIDELINES
- Reduce static component and allow worker to use optimal posture
- Optimal posture is usually at the midpoint of a limb's range of motion
- Avoid muscular insufficiency
- Avoid forward reaches in excess of 16
- Elbows down, close to the body, flexor angle around 90 degrees

WORKSTATION GUIDELINES (continued)
- Sit-stand preferred but rarely seen
- Use gravity; do not work against it
- Avoid the need for excessive head movement
- Avoid compression ischemia

WORKPLACE INDICATORS
- Performance deterioration (Engineering)
- Quality control problems
- Absenteeism and turnover (Human Resources)
- Musculoskeletal disorders (OSHA logs, WC reports)
- Complaints of fatigue and discomfort

Types of Injuries
- Muscle pain
- Joint pain
- Swelling
- Numbness
- Restricted motion
- Repetitive stress injury
- Repetitive motion injury
- Cumulative trauma disorder
- Musculoskeletal disorder

Ergonomic Risk Factors
- Repetition
- Awkward posture
- Forceful exertion
- Static posture
- Mechanical contact stress
- Temperature
- Vibration

Ergonomic Controls
- Engineering
- Administrative
- Work practices

CONTROL TECHNOLOGY
- Tool redesign
- Workstation redesign
- Job methods
- Early detection
- Job rotation
- Machine pacing
- Medical surveillance

ADMINISTRATIVE CONTROLS: HAZARD PREVENTION AND CONTROL
- Rest-pause
- Increase number of employees
- Job rotation
- Physical conditioning
- Relief personnel
- Medical management

Ergonomics Program Elements
- Management leadership and employee participation
- Hazard information and reporting
- Job hazard analysis and control
- Training
- MSD management
- Program evaluation

THANK YOU
