IT Security and Ethics

Digital Security Risks

• A digital security risk is any event or action

that could cause a loss of or damage to a
computer or mobile device hardware,
software, data, information, or processing
capability.

• Any illegal act involving the use of a computer or

related devices generally is referred to as a
computer crime

• A cybercrime is an online or Internet-based

illegal act
Digital Security Risks
 Internet and Network Attacks

Information transmitted over networks has a higher

degree of security risk than information kept on an
organization’s premises

Malware, short for malicious software, consists of

programs that act without a user’s knowledge and
deliberately alter the operations of computers and
mobile devices
 Internet and Network Attacks

BotNet
It is a group of compromised computers or mobile
devices connected to a network.
–A compromised computer or device is known as
a zombie

DoS
A denial of service attack (DoS attack) disrupts
computer access to an Internet service
–Distributed DoS attack (DDoS attack)
 Internet and Network Attacks

Backdoor
It is a program or set of instructions in a program that
allow users to bypass security controls

Spoofing
It is a technique intruders use to make their network or
Internet transmission appear legitimate.

6
Internet and Network Attacks
 VIRUS
1. Vital Information Resource Under Siege
2. A program which can replicate itself
without infecting any host program.
3. A program that duplicates itself by infecting
other programs.

8
 Worms – similar to a rogue software except that it
replicates as a separate program rather than infecting and
hiding in other programs. A worm is common in network
installations where it can attach to several computers
connected to the network.
 Viruses – are created by very good programmers and this
may make you wonder why people with such talent create
a destructive program like a virus. Two main reasons: For
revenge and for fame.

9
 Randomly-triggered – viruses are designed to attack at
random. E.g. Ambulance Car Virus.
 Date-activated – viruses wait for a pre-defined date before
it strikes. E.g. Michael Angelo – March 6
 Boot-count – viruses will count the number of times the
computer is booted. E.g. Telecom Virus
 Time-since – viruses attacks after the computer is left
open for a specified period of time. E.g. Jerusalem.
 Keystroke-triggered – viruses will activate itself after a
predefined number of keystrokes. E.g. Finger Virus.

10
 System Slowdown
 Unexpected display of messages
 Unexpected graphics on screen
 Unexpected file date or time change
 Unexpected music
 Corruption of system and data files.

11
12
Organizations take several measures to help prevent
unauthorized access and use
–Acceptable use policy
–Disable file and printer sharing

13
Access controls define who can access a computer,
device, or network; when they can access it; and
what actions they can take while accessing it.

The computer, device, or network should maintain

an audit trail that records in a file both successful
and unsuccessful access attempts
–User name
–Password

14
A passphrase is a private combination of words,
often containing mixed capitalization and
punctuation, associated with a user name that allows
access to certain computer resources.

A PIN (personal identification number),

sometimes called a passcode, is a numeric
password, either assigned by a company or selected
by a user.

15
A possessed object is any item that you must
possess, or carry with you, in order to gain access to
a computer or computer facility.

A biometric device authenticates a person’s identity

by translating a personal characteristic into a digital
code that is compared with a digital code in a
computer or mobile device verifying a physical or
behavioral characteristic.

16
17
Two-step verification uses two separate methods, one
after the next, to verify the identity of a use

18
Digital forensics is the discovery, collection, and analysis of
evidence found on computers and networks

Many areas use digital forensics

19
Software theft occurs when someone:

20
Many manufacturers incorporate an activation
process into their programs to ensure the software
is not installed on more computers than legally
licensed

During the product activation, which is conducted

either online or by phone, users provide the
software product’s identification number to
associate the software with the computer or mobile
device on which the software is installed

21
A license agreement is the right to use software

22
Information theft occurs when someone steals
personal or confidential information

Encryption is a process of converting data that is

readable by humans into encoded characters to
prevent unauthorized access

23
24
A digital signature is an encrypted code that a
person, website, or organization attaches to an
electronic message to verify the identity of the
message sender

It is often used to ensure that an impostor is not

participating in an Internet transaction.

25
A digital certificate is a notice that guarantees a
user or a website is legitimate

A website that uses encryption techniques to

secure its data is known as a secure site

26
27
28
29
A backup is a duplicate of a file, program, or media that
can be used if the original is lost, damaged, or destroyed

To back up a file means to make a copy of it.

Off-site backups are stored in a location separate from

the computer or mobile device site

30
Wireless access poses
additional security risks.

Some perpetrators connect

to other’s wireless networks
to gain free Internet access
or confidential data

Others connect to a
network through an
unsecured wireless access
point (WAP) or combination
router/WAP
31
Wireless access poses
additional security risks.

Some perpetrators connect

to other’s wireless networks
to gain free Internet access
or confidential data

Others connect to a
network through an
unsecured wireless access
point (WAP) or combination
router/WAP
32
Wireless access poses
additional security risks.

Some perpetrators connect

to other’s wireless networks
to gain free Internet access
or confidential data

Others connect to a
network through an
unsecured wireless access
point (WAP) or combination
router/WAP
33
Spyware blockers
Pop-up blockers
Secure e-mail
Anonymous remailers
Anonymous surfing
Cookie managers
Disk/file erasing programs
Policy generators
Public key encryption
34
35
 Operating system security enhancements
 Upgrades, patches

 Anti-virus software
 Easiest and least expensive way to prevent threats to system
integrity
 Requires daily updates

36
 Know the computer that you are using.
 Keep your password secured.
 Avoid just letting anyone use your computer.
 Check storage devices such as diskettes, flash drives,
memory cards before using them.
 Use an anti-virus
 Update your computer
 Routinely scan your system and connected devices

37
Ethics
 Define ETHICS

Ethics – is derived from the Greek term “ethos”

meaning character or custom
 Study of morality of human actions
 Focuses on the care for the soul
 Deals with man’s pursuit of “good life”
 Study and philosophy of human conduct with
emphasis on the determination of right and
wrong
 Basic principles of right action
 Ethics
Computer Ethics simply refers
to the guiding precepts and
norms that are adopted and
applied to regulate and control
the use of computers and its
applications.

Technology ethics are the

moral guidelines that govern
the use of computers, mobile
devices, information systems,
and related technologies
 Understanding Ethical, Social, and Political Issues

Internet, like other technologies, can:

Enable new crimes
Affect environment
Threaten social values
 Analyzing Ethical Dilemmas
Process for analyzing ethical dilemmas:
1. Identify and clearly describe the facts
2. Define the conflict or dilemma and identify the
higher-order values involved
3. Identify the stakeholders
4. Identify the options that you can reasonably
take
5. Identify the potential consequences of your
options
 Privacy Issues

Privacy
“the right to be left alone when you want
to be”

Information privacy
“right to be forgotten”

Information privacy refers to the right of individuals and

companies to deny or restrict the collection, use, and
dissemination of information about them
 Information Privacy

Information privacy refers to the right of individuals and

companies to deny or restrict the collection, use, and
dissemination of information about them.

Huge databases store data online

Websites often collect data about you, so that they can

customize advertisements and send you personalized email
messages

Some employers monitor your computer usage and email

messages
 Information Privacy
Claims
oCertain information should not be collected at all
oIndividuals should control the use of whatever
information is collected about them
oBehavioral tracking on the Internet, social sites, and mobile
devices

Threats to privacy
oPersonal information collected by commercial Web sites
oPersonal information collected by government authorities
oImpact of mobile devices
oTracking people's locations and movements
oTracking personal behavior
 Information Privacy
A cookie is a small text file that a web server stores on your
computer

Websites use cookies for a variety of reasons:

 Privacy Issues
Data collected includes
Personally identifiable information (PII)
Anonymous information

Types of data collected

Name, address, phone, e-mail, social security
Bank and credit accounts, gender, age, occupation,
education
Preference data, transaction data, clickstream data,
browser type
 Information Privacy
Phishing is a scam in which a perpetrator sends an
official looking email message that attempts to
obtain your personal and/or financial information

With clickjacking, an object that can be tapped or

clicked on a website contains a malicious program `
 Information Privacy
Spyware is a program placed on a computer or mobile device
without the user’s knowledge that secretly collects information
about the user and then communicates the information it
collects to some outside source while the user is online

Adware is a program that displays an online advertisement in

a banner or pop-up window on webpages, email messages,
or other Internet services
 Information Privacy

Social engineering is defined as gaining unauthorized

access to or obtaining confidential information by taking
advantage of the trusting human nature of some victims and
the naivety of others
 Information Privacy
Employee monitoring involves the use of computers, mobile
devices, or cameras to observe, record, and review an
employee’s use of a technology, including communications
such as email messages, keyboard activity (used to measure
productivity), and websites visited

Many programs exist that easily allow employers to monitor

employees. Further, it is legal for employers to use these
programs
 Information Privacy

Content filtering is the process of restricting access to

certain material
–Many businesses use content filtering

Web filtering software restricts access to specified websites

 Mobile and Location-Based Privacy Issues

Smartphone apps

Funnel personal information to mobile advertisers

for targeting ads
Track and store user locations
Track users’ use of other apps
 Profiling and Behavioral Targeting

Profiling
Creation of digital images that characterize online
individual and group behavior
Anonymous profiles
Personal profiles

Advertising networks
Track consumer and browsing behavior on Web
Dynamically adjust what user sees on screen
Build and refresh profiles of consumers
 Profiling and Behavioral Targeting

Business perspective:
Increases effectiveness of advertising, subsidizing free
content
Enables sensing of demand for new products and services

Critics' perspective:
Undermines expectation of anonymity and privacy
 Legal Protections

In the Bill of Rights or Article III of the 1987 Philippine

Constitution. Under Section 3 of the Philippine Charter,
communication privacy is inviolable except upon lawful order
of the court, or when public safety or order, by law, requires
otherwise. Evidence obtained outside of these procedures is
inadmissible for any purpose.
 Legal Protections
Data Privacy Act 2012 (Republic Act 10173)
“to protect the fundamental human right of privacy, of
communication while ensuring free flow of information to promote
innovation and growth.”

Electronic Commerce Act of 2000 (Republic Act 8792)

An act providing for the recognition and use of electronic
commercial and non-commercial transactions and documents, penalties
for unlawful use thereof and for other purposes .
 Legal Protections
Cybercrime Prevention Act of 2012 (Republic Act 10175)
It aims to address legal issues concerning online interactions and
the Internet in the Philippines. Among the cybercrime offenses
included in the bill are cybersquatting, cybersex, child pornography,
identity theft, illegal access to data and libel.

Anti Wire-Tapping Law (Republic Act 4200)

An act to prohibit and penalize wire tapping and other related
violations of the privacy of communication, and for other purposes
 Intellectual Property Protection
Three main types of protection:
Copyright
Patent
Trademark law

Goal of intellectual property law:

Balance two competing interests—public and private

Intellectual property refers to unique and original works

such as ideas, inventions, art, writings, processes, company
and product names, and logos.

Intellectual property rights are the rights to which creators

are entitled to their work
 Copyright
A copyright protects any tangible form of expression
(but not ideas) from being copied by others for a
period of time.

In the Philippines, copyright protection for artistic,

literary and derivative works lasts during the lifetime
of the author plus 50 years after the author's death.
 Copyright
Fair use doctrine
A fair use, in its most general sense, is the act of copying of
copyrighted materials done for purposes such as
commenting, criticizing, or parodying a copyrighted work
without the permission from the copyright owner. It is used as
a defense under copyright infringement.
 Copyright
Digital rights management (DRM) is a systematic
approach to copyright protection for digital media.
The purpose of DRM is to prevent unauthorized
redistribution of digital media and restrict the ways
consumers can copy content they've purchased.

DRM.jpg
 Business Models
Spotify operates under a freemium business
model (basic services are free, while additional
features are offered via paid subscriptions).

Spotify gets its content

from major record labels
as well as independent
artists, and pays
copyright holders
royalties for streamed
music.
 Business Models
Netflix is a streaming content provider that allows subscribers
to watch TV shows, movies, documentaries and more on a
wide range of Internet-connected devices.
This video streaming on
demand company operates
on a subscription-based
model. The users pay for a
monthly subscription plan and
are given access to stream
shows, movies,
documentaries and other
content available on Netflix in
the quality (SD, HD, Ultra HD)
they pay for.
 Patents
Grant owner 20-year monopoly on ideas behind an
invention
Machines
Man-made products
Compositions of matter
Processing methods

Invention must be new, non-obvious, novel

Encourages inventors
Promotes dissemination of new techniques through
licensing
Stifles competition by raising barriers to entry
 Trademarks
Identify, distinguish goods, and indicate their source.

Purpose
Ensure consumer gets what is paid for/expected to receive
Protect owner against piracy and misappropriation

Infringement
Market confusion
Bad faith

Dilution
Behavior that weakens connection between trademark and product
 Copyright – The legal right granted to an author,
composer, playwright, publisher, or distributor to
exclusive publication, production, sale, or distribution of
a literary, musical, dramatic, or artistic work.

 Site License – an agreement through which the buyer of

the software has the right to use the program on a given
number of computers.

67
 Software Licenses

 Shrink-Wrap
 Shareware
 Freeware
 Public-Domain Software
 Open-Source

68
This license usually includes terms that (1)prohibit making
unauthorized copies, (2) prohibit any modification, (3)
prohibit resale, (4) limit use to one or a
specified number of computers, (5) limit publisher's liability.
The legal implications of a shrink wrap license are still
controversial and far from being standardized.

69
The term shareware (also known as trialware or demoware) refers
to proprietary software that is provided to users without payment
on a trial basis and is often limited by any combination
of functionality, availability, or convenience.

70
It is a computer software that is available for use at no cost or for
an optional fee, but usually with one or more restricted usage
rights.

71
 Public domain software is software that has been placed in
the public domain, in other words there is absolutely no
ownership (such as copyright) of the intellectual property that
the software represents.

72
 Open-source software (OSS) is computer software that is
available in source code form: the source code and certain
other rights normally reserved for copyright holders are
provided under a software license that permits users to study,
change, improve and at times also to distribute the software.
 E.g. Open Source Software like Ubuntu, Linux, etc.

73
Ten Commandments for Computer Ethics

 Thou shalt not use a computer to harm other

people
 Thou shalt not interfere with other people’s
computer work
 Thou shalt not snoop around in other people’s
files
 Thou shalt not use a computer to steal
 Thou shalt not use a computer to bear false
witness
Ten Commandments for Computer Ethics

 Thou shalt not use or copy a software for which

you have not paid
 Thou shalt not use other people’s computer
resources without authorization
 Thou shalt not appropriate other people’s
intellectual output
 Thou shalt think about the social consequences of
the program you write
 Thou shalt use a computer in ways that show
consideration and respect
 Code of Conduct

A code of conduct is a written guideline that helps

determine whether a specification is ethical/unethical
or allowed/not allowed
 Green Computing
Green computing involves reducing the electricity and
environmental waste while using computers, mobile
devices, and related technologies

77