
Chapter 3: Ethical Issues and Privacy

ILO BE – Management Information System


Leena Ladge
Assistant Professor
Dept. of Information Technology,
SIES Graduate School of Technology

1
Leena Ladge
Chapter 3: Ethical Issues and Privacy

1. Kelly Rainer, Brad Prince, "Management Information Systems", Wiley.
2. Rainer & Cegielski, "Introduction to Information Systems: Supporting & Transforming Business", 3rd edition, Wiley.

Lecture No 20:

Ethics & Information Technology


Learning Objectives:

• Describe ethics, its three fundamental tenets, and the four categories of ethical issues related to information technology.

• Describe the major ethical issues related to information technology and identify situations in which they occur.

Introduction
• In 1998, hackers took control of the U.S.-German ROSAT X-ray satellite.
• They did so by hacking into computers at the Goddard Space Flight Center in Maryland.
• They instructed the satellite to aim its solar panels directly at the sun.
• This effectively fried its batteries and rendered the satellite useless.
Introduction
• In 2002, attackers penetrated the computer network at the Marshall
Space Flight Center and stole secret data on rocket engine designs.
• In 2004, attackers compromised computers at NASA’s Ames
Research Center in Silicon Valley. The attackers had apparently
cracked an employee’s password at the Goddard Center in Maryland
and used it to hack into the Ames Research Center.
• In April 2005, an intruder installed a malignant software program
inside the digital network of NASA’s Kennedy Space Center and
gathered data from computers in the Vehicle Assembly Building
where the Space Shuttle is maintained.
Introduction
The lessons learned

• The security breaches at NASA address the three major issues: Ethics, Privacy, and Security.
• Each of these issues is closely related to IT and raises significant questions.

Introduction
The lessons learned

✓ Information technologies, properly used, can have enormous benefits for individuals, organizations, and entire societies.
✓ Information technologies can also be misused, often with
devastating consequences. Consider the following:
• Individuals can have their identities stolen.
• Organizations can have customer information stolen, leading
to financial losses, erosion of customer confidence, and legal
action.
• Countries face the threat of cyber-terrorism and cyber-
warfare.

Ethical Issues
Ethical Frameworks

There are many sources for ethical standards. The four major standards are as below.
1. The utilitarian approach - An ethical action provides the most good or does the least harm to customers, employees, shareholders, the community, and the physical environment.
2. The rights approach - An ethical action best protects and respects the moral rights of customers, employees, shareholders, business partners, and even competitors. (Moral rights are the rights to make one's own choices about what kind of life to lead, to be told the truth, not to be injured, and to enjoy a degree of privacy.)

Ethical Issues
Ethical Frameworks

3. The fairness approach - Ethical actions treat all human beings equally, or, if unequally, then fairly, based on some defensible standard. For example, most people might believe it is fair to pay people.
4. The common good approach - Holds that respect and compassion for all others is the basis for ethical actions. It emphasizes the common conditions, such as a system of laws, effective police and fire departments, healthcare, a public educational system, and even public recreation areas, which are important to the welfare of everyone.

Ethical Issues
Ethical Frameworks

Combining these four standards, a general framework for ethics (or ethical decision making) is developed. This framework consists of five steps:
1. Recognize an ethical issue:
Could this decision or situation damage someone or some group? Does this decision involve a choice between a good and a bad alternative? Does this issue involve more than simply legal considerations? If so, then in what way?

Ethical Issues
Ethical Frameworks

2. Get the facts:
What are the relevant facts of the situation? Do I have sufficient information to make a decision? Which individuals and/or groups have an important stake in the outcome? Have I consulted all relevant persons and groups?
3. Evaluate alternative actions:
Which option will produce the most good and do the least harm? Which
option best respects the rights of all stakeholders? Which option treats
people equally or proportionately? Which option best serves the
community as a whole, and not just some members?

Ethical Issues
Ethical Frameworks

4. Make a decision and test it:
Considering all the approaches, which option best addresses the situation?
5. Act and reflect on the outcome of your decision:
How can I implement my decision with the greatest care and
attention to the concerns of all stakeholders? How did my decision
turn out, and what did I learn from this specific situation?

Ethical Issues
Ethics in the Corporate Environment

• Ethics refers to the principles of right and wrong that individuals use to make choices to guide their behaviors.
• Many companies and professional organizations develop their own
codes of ethics.
• A code of ethics is a collection of principles that is intended to
guide decision making by members of the organization.

Ethical Issues
Ethics

Fundamental principles of ethics include:
• Responsibility means that you accept the consequences of your decisions and actions.
• Accountability refers to determining who is responsible for actions
that were taken.
• Liability is a legal concept that gives individuals the right to recover
the damages done to them by other individuals, organizations, or
systems.
• What is unethical is not necessarily illegal.
• Ethical decisions may have serious consequences for individuals,
organizations, or society at large.
Ethical Issues
Ethics

• Computing processing power doubles about every 15-18 months, so organizations are more dependent than ever before on their information systems.
• Increasing amounts of data can be stored at decreasing cost -
organizations can store more data on individuals for longer amounts of
time.
• Computer networks- enable organizations to collect, integrate, and
distribute enormous amounts of information on individuals, groups, and
institutions.
• Ethical problems are arising about the appropriate use of customer
information, personal privacy, and the protection of intellectual property.
Ethical Issues
Ethics and Information Technology

All employees have a responsibility to encourage ethical uses of information and Information Technology.
Many business decisions may have an ethical dimension.
• Should organizations monitor employees’ Web surfing and e-mail?
• Should organizations sell customer information to other companies?
• Should organizations audit employees’ computers for unauthorized
software or illegally downloaded music or video files?

Ethical Issues
Ethics and Information Technology

Ethical Issues
A variety of ethical issues exists due to the diversity and ever-expanding use of
IT applications.
Four general categories: privacy, accuracy, property, and accessibility.
1. Privacy issues involve collecting, storing, and disseminating information
about individuals.
2. Accuracy issues involve the authenticity, fidelity, and accuracy of
information that is collected and processed.
3. Property issues involve the ownership and value of information.
4. Accessibility issues revolve around who should have access to information
and whether they should have to pay for this access.
Ethical Issues
Ethics and Information Technology

A Framework for Ethical Issues

[Figure: A Framework for Ethical Issues, shown across four slides; the figure itself is not captured in this text.]
Lecture No 21:

Privacy & Electronic Surveillance


Learning Objectives:

• Describe Privacy & Information Privacy.

• Discuss Electronic Surveillance.

Privacy
• Privacy is the right to be left alone and to be free of unreasonable personal intrusions.
• Information Privacy is the right to determine when, and to what
extent, information about you can be gathered and/or communicated
to others.
• Privacy rights apply to individuals, groups, and institutions.
• Court decisions in many countries have followed two rules:
1. The right of privacy is not absolute. Privacy must be
balanced against the needs of society.
2. The public’s right to know supersedes the individual’s right
of privacy.

Privacy
• On an average day, one generates data about oneself in many ways:
surveillance cameras on toll roads, in public places, and at work;
credit card transactions; telephone calls; banking transactions;
queries to search engines; and government records.
• These data can be integrated to produce a Digital Dossier, which is
an electronic description of a person and his/her habits.
• The process of forming a digital dossier is called Profiling.
• Data aggregators, such as LexisNexis, ChoicePoint and Acxiom are
good examples of profiling.
• These companies sell these dossiers to law enforcement agencies
and companies conducting background checks on potential
employees and also to companies that want to know their customers
better.
Privacy
Electronic Surveillance

- According to the American Civil Liberties Union (ACLU), tracking people's activities with the aid of IT has become a major privacy-related problem.
- Electronic surveillance is rapidly increasing with the emergence of new technologies, and it is conducted by employers, the government, and other institutions.

Privacy
Electronic Surveillance (illustrations)

[Four image-only slides: Electronic Surveillance; Electronic Surveillance - Geotagging; Electronic Surveillance - Facial Recognition Technology; Electronic Surveillance - Photo Tagging (Why important?). The images are not captured in this text.]
Privacy
Electronic Surveillance - URL Filtering

Why is it needed?

To stop the users of an organization from accessing, during working hours, those websites that:

• Drain their productivity.

• Let them view objectionable content from their workplace.

• Are bandwidth intensive and hence create a strain on resources.

• Increase risk from hosted malware.
Lecture No 22:

Case study discussion on how Big Data was used to reduce Ebola Virus


Learning Objectives:

• Discuss how combining Big Data with open data was useful in reducing the impact of Ebola Virus in West African nations.

• Identify Open data and Big Data described in the given examples.

Lecture No 23:

Personal Information in Databases, Privacy Codes & Policies & Information Security


Learning Objectives:

• Discuss major concerns about the personal information stored in databases.

• Study fundamentals of Privacy Codes & Policies.

• Identify the five factors that contribute to the increasing vulnerability of information resources and specific examples of each factor.

Personal Information in Databases
Institutions storing personal information include banks and financial firms; cable TV, telephone, and utilities companies; employers; mortgage companies; hospitals; schools and universities; retail establishments; government agencies; and many others.
Some of the major concerns about the information you provide are as follows:
• Do you know where the records are?
• Are the records accurate?
• Can you change inaccurate data?
• How long will it take to make a change?
• Under what circumstances will the personal data be released?
• How are the data used?
• To whom are the data given or sold?
• How secure are the data against access by unauthorized people?
Information on Internet Bulletin Boards,
Newsgroups, and Social Networking Sites
• We find electronic bulletin boards, newsgroups, electronic
discussions such as chat rooms, and social networking sites.
• A blog, short for “Weblog,” is an informal, personal journal that is
frequently updated and is intended for general public reading.
• Blogs may involve disseminating information that may be offensive
to readers or simply untrue.
• This is a difficult problem involving the conflict between freedom of
speech and privacy.
• Many Web sites contain anonymous, derogatory information on
individuals, who typically have little recourse in the matter.

Information on Internet Bulletin Boards,
Newsgroups, and Social Networking Sites
• The vast majority of U.S. firms use the Internet in examining job applications, including searching on Google and on social networking sites.
• Consequently, derogatory information contained on the Internet can
harm a person’s chances of being hired.

Privacy Codes and Policies
• Privacy policies or privacy codes are an organization's guidelines for protecting the privacy of its customers, clients, and employees.
• Senior management has started to understand that it must protect personal information.
• Many organizations provide customers with opt-out choices (one form of informed consent), which permit the company to collect personal information until the customer specifically requests that it stop.
• Privacy advocates prefer the opt-in model of informed consent, which prohibits an organization from collecting any personal information unless the customer specifically authorizes it.

Privacy Codes and Policies
• One privacy tool available to consumers is the Platform for Privacy
Preferences (P3P), a protocol that automatically communicates
privacy policies between an electronic commerce Web site and
visitors to that site.
• P3P enables visitors to determine the types of personal data that can
be extracted by the sites they visit. It also allows visitors to compare
a site’s privacy policy to the visitors’ preferences or to other
standards, such as the Federal Trade Commission’s (FTC) Fair
Information Practices Standard or the European Directive on Data
Protection.
• Despite privacy codes & policies, and opt-out and opt-in models,
guarding whatever is left of one’s privacy is becoming increasingly
difficult.
Privacy Codes and Policies
Privacy Policy Guidelines

Data Collection
- Data should be collected on individuals only for the purpose of
accomplishing a legitimate business objective.
- Data should be adequate, relevant, and not excessive in relation to
the business objective.
- Individuals must give their consent before data pertaining to them
can be gathered.
- Such consent may be implied from the individual’s actions (e.g.,
applications for credit, insurance, or employment).

Privacy Codes and Policies
Privacy Policy Guidelines

Data Accuracy
- Sensitive data gathered on individuals should be verified before they
are entered into the database.
- Data should be kept current, where and when necessary.
- The file should be made available so that the individual can ensure
that the data are correct.
- In any disagreement about the accuracy of the data, the individual's version should be noted and included with any disclosure of the file.

Privacy Codes and Policies
Privacy Policy Guidelines

Data Confidentiality
- Computer security procedures should be implemented to ensure
against unauthorized disclosure of data. These procedures should
include physical, technical, and administrative security measures.
- Third parties should not be given access to data without the
individual’s knowledge or permission, except as required by law.
- Disclosures of data, other than the most routine, should be noted and
maintained for as long as the data are maintained.
- Data should not be disclosed for reasons incompatible with the
business objective for which they are collected.
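To make the Data Collection, Data Accuracy and Data Confidentiality guidelines above concrete, together with the opt-in and opt-out consent models from the earlier slide, here is an added example written for this page; it is not code from the course or from the cited textbooks. The PrivacyStore class, the field names and the customer records are all hypothetical.

```python
"""Constructed example for this page (not code from the course or its textbooks):
a record store that enforces the slide guidelines. All names and records are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class PrivacyViolation(Exception):
    """Raised when an operation would breach one of the guidelines."""


@dataclass
class PersonalRecord:
    subject_id: str
    purpose: str                                     # the legitimate business objective
    fields: dict = field(default_factory=dict)
    disputes: dict = field(default_factory=dict)     # field name -> individual's own version
    disclosures: list = field(default_factory=list)  # (recipient, purpose, when); kept with the record


class PrivacyStore:
    """Hypothetical store: consent before collection, relevance, disputes, logged disclosures."""

    def __init__(self, consent_model, allowed_fields):
        # "opt-in": collect nothing unless the individual authorises it.
        # "opt-out": collect until the individual asks you to stop.
        if consent_model not in ("opt-in", "opt-out"):
            raise ValueError(consent_model)
        self.consent_model = consent_model
        self.allowed_fields = set(allowed_fields)  # "adequate, relevant, and not excessive"
        self.consent = {}                          # explicit choices recorded so far
        self.records = {}

    def set_consent(self, subject_id, granted):
        self.consent[subject_id] = bool(granted)

    def may_collect(self, subject_id):
        default = self.consent_model == "opt-out"  # opt-out presumes consent, opt-in does not
        return self.consent.get(subject_id, default)

    def collect(self, subject_id, purpose, data):
        """Data Collection: consent first, then only fields relevant to the objective."""
        if not self.may_collect(subject_id):
            raise PrivacyViolation(f"no consent to collect data on {subject_id}")
        excessive = set(data) - self.allowed_fields
        if excessive:
            raise PrivacyViolation(f"excessive fields for {purpose!r}: {sorted(excessive)}")
        rec = PersonalRecord(subject_id, purpose, dict(data))
        self.records[subject_id] = rec
        return rec

    def dispute(self, subject_id, field_name, individuals_version):
        """Data Accuracy: note the individual's version of a contested value."""
        rec = self.records[subject_id]
        if field_name not in rec.fields:
            raise KeyError(field_name)
        rec.disputes[field_name] = individuals_version

    def disclose(self, subject_id, recipient, purpose, permitted, required_by_law=False):
        """Data Confidentiality: compatible purpose, permission (or law), logged, disputes attached."""
        rec = self.records[subject_id]
        if purpose != rec.purpose:
            raise PrivacyViolation("purpose incompatible with the collection objective")
        if not (permitted or required_by_law):
            raise PrivacyViolation("third-party disclosure without the individual's permission")
        rec.disclosures.append((recipient, purpose, datetime.now(timezone.utc)))
        payload = dict(rec.fields)
        if rec.disputes:
            payload["_disputed_by_individual"] = dict(rec.disputes)
        return payload


def demo():
    """Walks the guidelines through one hypothetical credit-application record."""
    out = {}
    store = PrivacyStore("opt-in", {"name", "address", "credit_limit"})
    try:  # nothing may be collected before opt-in consent
        store.collect("cust-1", "credit application", {"name": "A. Example"})
        out["collected_without_consent"] = True
    except PrivacyViolation:
        out["collected_without_consent"] = False
    store.set_consent("cust-1", True)
    try:  # "religion" is not relevant to a credit application
        store.collect("cust-1", "credit application", {"name": "A. Example", "religion": "x"})
        out["excessive_rejected"] = False
    except PrivacyViolation:
        out["excessive_rejected"] = True
    rec = store.collect("cust-1", "credit application", {"name": "A. Example", "credit_limit": 5000})
    store.dispute("cust-1", "credit_limit", 7500)  # the individual says the limit is wrong
    try:  # marketing is not the objective the data were collected for
        store.disclose("cust-1", "marketing-partner", "marketing", permitted=True)
        out["incompatible_purpose_rejected"] = False
    except PrivacyViolation:
        out["incompatible_purpose_rejected"] = True
    payload = store.disclose("cust-1", "credit-bureau", "credit application", permitted=True)
    out["disputed_included"] = payload.get("_disputed_by_individual") == {"credit_limit": 7500}
    out["disclosures_logged"] = len(rec.disclosures)
    opt_out = PrivacyStore("opt-out", {"name"})  # opt-out: allowed until the individual objects
    out["opt_out_default"] = opt_out.may_collect("cust-2")
    opt_out.set_consent("cust-2", False)
    out["opt_out_after_objection"] = opt_out.may_collect("cust-2")
    return out
```

Calling demo() returns a dictionary showing each rule firing: collection without opt-in consent and collection of an irrelevant field are refused, a disclosure for an incompatible purpose is refused, and the permitted disclosure carries the individual's disputed value and is logged on the record.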

International Aspects of Privacy
• As the number of online users has increased globally, governments
throughout the world have enacted a large number of inconsistent
privacy and security laws.
• Approximately 80-100 countries have some form of data protection
laws, but these laws conflict with those of other countries, or they
require specific security measures. Other countries have no privacy
laws at all.
• The absence of consistent or uniform standards for privacy and
security obstructs the flow of information among countries
(transborder data flows).

International Aspects of Privacy
• In 1998 the European Community Commission (ECC) issued
guidelines to all of its member countries regarding the rights of
individuals to access information about themselves. The EU data
protection laws are stricter than the U.S. laws and therefore could
create problems for the U.S.-based multinational corporations,
which could face lawsuits for privacy violations.
• To bridge the different privacy approaches, the U.S. Department of
Commerce, in consultation with the European Union, developed a
“safe harbor” framework to regulate the way that the U.S.
companies export and handle the personal data (e.g., names and
addresses) of European citizens.

Lecture No 25:

Information Security and Types of Threats


Learning Objectives:

• Identify the five factors that contribute to the increasing vulnerability of information resources and specific examples of each factor.

• Discuss the two major types of threats to Information Security.

• Discuss Unintentional threats in detail.

Information Security
• It is difficult, if not impossible, for organizations to provide perfect
security for their data.
• There is a growing danger that countries are engaging in economic
cyberwarfare among themselves.
• It appears that it is impossible to secure the Internet (our personally identifiable, private data are not secure).
• Large organizations have greater resources to resolve and survive the problem, but small businesses have fewer resources and therefore can be destroyed by a data breach.

Information Security
• For large companies, the average cost of a data breach was almost
$4 million in 2015.
• The annual global cost of cybercrime is estimated to be
approximately $400 billion.
• Employee negligence causes many of the data breaches.

Introduction to Information Security
• Security can be defined as the degree of protection against criminal
activity, danger, damage, and/or loss.
• Information Security refers to all of the processes and policies
designed to protect an organization’s information and information
systems (IS) from unauthorized access, use, disclosure, disruption,
modification, or destruction.
• Threat to an information resource is any danger to which a system
may be exposed.
• Exposure of an information resource is the harm, loss, or damage
that can result if a threat compromises that resource.
• An information resource’s vulnerability is the possibility that the
system will be harmed by a threat.

Introduction to Information Security
Key factors contributing to the increasing vulnerability of
organizational information resources
1. Today's interconnected, interdependent, wirelessly networked business environment.
2. Smaller, faster, cheaper computers and storage devices.
3. Decreasing skills necessary to be a computer hacker.
4. International organized crime taking over cybercrime.
5. Lack of management support.

Categories of Threats
1. Unintentional Threats - acts performed without malicious intent that nevertheless represent a serious threat to information security.

2. Deliberate Threats - acts performed with malicious intent that cause a serious threat to information security.

Unintentional Threats to Information Systems

[Figure: unintentional threats to information systems; image not captured in this text.]
Types of Unintentional Threats
1. Human Errors

- Employees span from clerks to the CEO across all departments.
- The higher the level of the employee, the greater the threat, as they have greater access to corporate data and greater privileges on organizational information systems.
- Two departments pose more threats than others: Human Resources (HR) and Information Systems (IS). HR employees have access to sensitive personal information about all employees. IS employees have access to sensitive organizational data, and they can also control it.

Types of Unintentional Threats
1. Human Errors

- Human Resources (HR) data security threats (source: https://www.hrmsworld.com/hr-data-security-threats.html):

1. Bring Your Own Device (BYOD)
2. Mobile applications
3. Compliance
4. Risk of litigation exposure
5. Lack of Awareness

Types of Unintentional Threats
1. Human Errors

- Other employees, such as contract labor and consultants, are frequently overlooked.
- Janitors and guards are frequently ignored.
- Human errors are typically the result of laziness, carelessness, or a lack of awareness concerning information security.
- This lack of awareness arises from poor education and training efforts by the organization.

Types of Unintentional Threats
1. Human Errors

[Figure: examples of human errors; image not captured in this text.]
Types of Unintentional Threats
2. Social Engineering

- It is an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords.
- The attacker claims he forgot his password and asks the legitimate employee to give him a password to use.
- Other common tricks include posing as an exterminator, an air-conditioning technician, or a fire marshal.

Types of Unintentional Threats
2. Social Engineering

Tailgating is a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry.

Types of Unintentional Threats
2. Social Engineering

Shoulder surfing occurs when a perpetrator watches an employee's computer screen over the employee's shoulder.

Lecture No 26:

Deliberate Threats


Learning Objectives:

• Discuss Deliberate threats in detail.

Deliberate Threats to Information Systems
Top 10 Deliberate Threats are as below.

1. Espionage or trespass
2. Information extortion
3. Sabotage or vandalism
4. Theft of equipment or information
5. Identity theft
6. Compromises to intellectual property
7. Software attacks
8. Alien software
9. Supervisory Control And Data Acquisition (SCADA) attacks
10. Cyberterrorism and cyberwarfare
Types of Deliberate Threats
1. Espionage or trespass

- Occurs when an unauthorized individual attempts to gain illegal access to organizational information.
- Competitive Intelligence consists of legal information-gathering techniques, such as studying a company's Web site and press releases, attending trade shows, and similar actions.
- In contrast, Industrial Espionage crosses the legal boundary.

Types of Deliberate Threats
2. Information Extortion

- Occurs when an attacker either threatens to steal, or actually steals, information from a company.
- The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.

Types of Deliberate Threats
3. Sabotage or Vandalism

- Deliberate acts that involve defacing an organization's Web site, potentially damaging the organization's image and causing its customers to lose faith.
- Often a hacktivist or cyberactivist operation.

Types of Deliberate Threats
4. Theft of Equipment or Information

- Computing and storage devices are becoming smaller (laptops, personal digital assistants, smartphones, digital cameras, thumb drives, iPods). As a result, these devices are becoming easier to steal and easier for attackers to use to steal information.
- Dumpster diving - rummaging through commercial or residential trash to find discarded information.

Types of Deliberate Threats
5. Identity Theft

- Deliberate assumption of another person's identity, to gain access to his or her financial information or to frame him or her for a crime.
- Techniques for illegally obtaining personal information include the following:
• Stealing mail or dumpster diving
• Stealing personal information in computer databases
• Infiltrating organizations that store large amounts of personal information (e.g., Acxiom)
• Impersonating a trusted organization in an electronic communication (phishing)

Types of Deliberate Threats
5. Identity Theft

- Recovering from identity theft is costly, time consuming, and burdensome.
- Victims have problems in obtaining credit and obtaining or holding a job, as well as adverse effects on insurance or credit rates.
- A person's identity can be uncovered just by examining his or her queries to a search engine.

Types of Deliberate Threats
6. Compromises to Intellectual Property

- Intellectual property is the property created by individuals or corporations that is protected under trade secret, patent, and copyright laws.
- A trade secret is an intellectual work, such as a business plan, that is
a company secret and is not based on public information.
- A patent is an official document that grants the holder exclusive
rights on an invention or a process for a specified period of time.
- Copyright is a statutory grant that provides the creators or owners of
intellectual property with ownership of the property, for a designated
period.

Types of Deliberate Threats
7. Software Attacks

- Software attacks have evolved from the early days, when attackers used malicious software (called malware) to infect as many computers worldwide as possible, to the profit-driven, Web-based attacks of today.
- Modern cybercriminals use sophisticated, blended malware attacks, typically via the Web, to make money.

Types of Deliberate Threats
7. Software Attacks

[Two figure slides on software attacks; images not captured in this text.]
Types of Deliberate Threats
8. Alien Software (Pestware)

• Secret software that is installed on your computer through tricky methods.
• It typically is not as malicious as viruses, worms, or Trojan horses, but it does use up valuable system resources.
• It can enable other parties to track your Web surfing habits and other personal behaviors.
• Many of them are adware, software that causes pop-up advertisements to appear on your screen (3%-5%).

Types of Deliberate Threats
8. Alien Software (Pestware)

• Spyware is software that collects personal information about users without their consent.
• Two common types of spyware:
a. Keystroke loggers, also called keyloggers, record both your individual keystrokes and your Internet Web browsing history. (captcha)
b. Screen scrapers or screen grabbers: this software records a continuous "movie" of a screen's contents rather than simply recording keystrokes.

Types of Deliberate Threats
8. Alien Software (Pestware)

• Spamware uses your computer as a launch pad for spammers.
• Spam is unsolicited e-mail, usually advertising for products and services.
• When your computer is infected with spamware, e-mails from spammers are sent to everyone in your e-mail address book, but they appear to come from you.

Types of Deliberate Threats
8. Alien Software (Pestware)

• Cookies are small amounts of information that Web sites store on your computer, temporarily or more or less permanently.
• In many cases, cookies are useful and innocuous (e.g., passwords and user IDs for online shopping).
• Tracking cookies

Types of Deliberate Threats
9. Supervisory Control and Data Acquisition (SCADA) Attacks

• SCADA refers to a large-scale, distributed measurement and control system.
• SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants.
• They provide a link between the physical world and the electronic world.
• They consist of multiple sensors, a master computer, and communications infrastructure.
• Attackers can cause serious damage, such as disrupting the power grid over a large area or upsetting the operations of a large chemical or nuclear plant, resulting in catastrophic effects.
Types of Deliberate Threats
10. Cyberterrorism and Cyberwarfare

• These refer to malicious acts in which attackers use a target's computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda.
• In 2016, the U.S. government considered the Sony hack to be an example of cyberwarfare committed by North Korea.
• These actions range from gathering data to attacking critical infrastructure (e.g., via SCADA systems).
• Cyberterrorism typically is carried out by individuals or groups.
• Cyberwarfare is carried out by nation states or non-state actors such as terrorists.

What Organizations Are Doing to Protect
Information Resources
• Difficulties in Protecting Information Resources

http://docshare01.docshare.tips/files/31709/317098453.pdf
Lecture No 27:

Risk Management, Information Security Controls

ILO – BE – Management Information System(MIS)

Learning Objectives:

• Describe the risk mitigation strategies and give examples of each one
in the context of owning a home.
• Identify the major types of controls that organizations can use to
protect their information resources.

What Organizations Are Doing to Protect
Information Resources
• Another reason is that the online commerce industry is not
particularly willing to install safeguards that would make
completing transactions more difficult or complicated.
• It is extremely difficult to catch perpetrators.
• Organizing an appropriate defense system is one of the major
responsibilities of any sensible CIO, as well as of the functional
managers who control information resources.
• Organizations spend much time and money protecting their
information resources, and they decide where that effort goes by
first performing risk management.

What Organizations Are Doing to Protect
Information Resources
About Risk

• Risk concerns future happenings: changing our actions today creates
an opportunity for a different and better situation tomorrow.
• It involves change: changes of mind, opinion, actions, or places.
• It involves choice and uncertainty: the event might or might not happen.
• In information security, a risk is the probability that a threat will
impact an information resource.
• Characteristics of risk: uncertainty and loss.
What Organizations Are Doing to Protect
Information Resources
Risk Management

• Who does it? Everyone involved in the process.
• Importance: being prepared to avoid or manage risks is a key part of
good project management.
• Strategies: reactive and proactive.

What Organizations Are Doing to Protect
Information Resources
Risk Management

• The goal is to identify, control, and minimize the impact of threats.
• It seeks to reduce risk to acceptable levels.
• It consists of three processes: risk analysis, risk mitigation, and
controls evaluation.

What Organizations Are Doing to Protect
Information Resources
Risk Management

• Risk analysis ensures that IS security programs are cost effective.
• Risk analysis involves three steps:
1. assessing the value of each asset being protected
2. estimating the probability that each asset will be compromised
3. comparing the probable costs of the asset's being compromised
with the costs of protecting that asset. The organization then
considers how to mitigate the risk.

What Organizations Are Doing to Protect
Information Resources
Risk Management
• In risk mitigation, the organization takes concrete actions against
risks. It has the following two functions:
1. implementing controls to prevent identified threats from occurring
2. developing a means of recovery if the threat becomes a reality.
• There are several risk mitigation strategies that organizations can
adopt:
a. Risk acceptance: accept the potential risk, continue operating with no
controls, and absorb any damages that occur.
b. Risk limitation: limit the risk by implementing controls that minimize the
impact of the threat.
c. Risk transference: transfer the risk by using other means to compensate
for the loss, such as by purchasing insurance.
What Organizations Are Doing to Protect
Information Resources
Risk Management

• In controls evaluation, the organization compares the cost of
implementing adequate control measures against the value of those
control measures, that is, the loss they prevent.
• If the cost of implementing a control is greater than the value of
the asset being protected, the control is not cost effective.
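The three processes above (risk analysis, risk mitigation, controls evaluation) reduced to arithmetic, as an added example that is not part of the course slides or the Rainer textbook. It assumes the common annualized-loss-expectancy model (single loss expectancy = asset value x exposure factor; annual loss expectancy = SLE x expected incidents per year) and an assumed decision rule: pick the best cost-effective control (limit); otherwise buy insurance if the premium is below the expected loss (transfer); otherwise accept. All asset values, incident rates, control costs and premiums are constructed.

```python
"""Risk analysis, risk mitigation and controls evaluation in numbers.

Added example, not code from the course slides or the Rainer textbook.
Asset values, incident rates, control costs and insurance premiums are
constructed figures; the decision rule in recommend() is an assumption
that follows the three mitigation strategies listed on the slides.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # step 1: value of the asset being protected
    exposure_factor: float  # fraction of the value lost in one incident (0..1)
    annual_rate: float      # step 2: expected number of incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # cost of implementing and operating the control
    residual_rate: float    # incidents per year expected once the control is in place


def single_loss_expectancy(asset: Asset) -> float:
    """Loss from one incident (SLE)."""
    return round(asset.value * asset.exposure_factor, 2)


def annual_loss_expectancy(asset: Asset, rate: Optional[float] = None) -> float:
    """Probable annual cost of the asset being compromised (ALE = SLE x rate)."""
    rate = asset.annual_rate if rate is None else rate
    return round(single_loss_expectancy(asset) * rate, 2)


def control_value(asset: Asset, control: Control) -> float:
    """Controls evaluation: loss avoided per year minus what the control costs.

    Negative means the control costs more than the loss it prevents.
    """
    avoided = annual_loss_expectancy(asset) - annual_loss_expectancy(asset, control.residual_rate)
    return round(avoided - control.annual_cost, 2)


def cost_effective(asset: Asset, control: Control) -> bool:
    # Slide rule first: a control that costs more than the asset is never cost
    # effective. Then: it must save more than it costs.
    return control.annual_cost <= asset.value and control_value(asset, control) > 0


def recommend(asset: Asset, controls: List[Control],
              insurance_premium: Optional[float] = None) -> Tuple[str, Optional[Control]]:
    """Choose a mitigation strategy (assumed decision rule):
    ('limit', best control) if any control is cost effective,
    ('transfer', None) if insurance is cheaper than the expected loss,
    ('accept', None) otherwise.
    """
    candidates = [c for c in controls if cost_effective(asset, c)]
    if candidates:
        return "limit", max(candidates, key=lambda c: control_value(asset, c))
    if insurance_premium is not None and insurance_premium < annual_loss_expectancy(asset):
        return "transfer", None
    return "accept", None


# Constructed scenario: a high-value database and a low-value archive.
CUSTOMER_DB = Asset("customer database", value=500_000, exposure_factor=0.4, annual_rate=0.5)
DB_CONTROLS = [
    Control("encryption at rest + access logging", annual_cost=30_000, residual_rate=0.1),
    Control("air-gapped replica site", annual_cost=600_000, residual_rate=0.0),  # exceeds asset value
]
PHOTO_ARCHIVE = Asset("whiteboard photo archive", value=2_000, exposure_factor=1.0, annual_rate=0.2)
PHOTO_CONTROLS = [Control("dedicated encrypted share", annual_cost=1_000, residual_rate=0.0)]

if __name__ == "__main__":
    for asset, controls, premium in ((CUSTOMER_DB, DB_CONTROLS, 40_000),
                                     (PHOTO_ARCHIVE, PHOTO_CONTROLS, 500)):
        strategy, control = recommend(asset, controls, premium)
        print(f"{asset.name}: ALE = {annual_loss_expectancy(asset):,.2f} -> {strategy}"
              + (f" using '{control.name}'" if control else ""))
```

Running it recommends limiting the database risk with the encryption control (it removes 80,000 of expected annual loss for a cost of 30,000, while the air-gapped site is rejected outright because it costs more than the asset) and accepting the archive risk, because its only control costs more than the 400 it would save and the 500 premium exceeds the expected loss.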

Information Security Controls

• Organizations implement controls, or defense mechanisms (also
called countermeasures), to protect all of the components of an
information system, including data, software, hardware, and
networks.
• Organizations utilize layers of controls, or defense-in-depth.
• Controls are intended to prevent accidental hazards, deter intentional
acts, detect problems as early as possible, enhance damage recovery,
and correct problems.
• The single most valuable control is user education and training.

Information Security Controls

http://docshare01.docshare.tips/files/31709/317098453.pdf
Information Security Controls

1. Physical Controls
• Prevent unauthorized individuals from gaining access to a
company's facilities.
• Common physical controls include walls, doors, fencing, gates,
locks, badges, guards, and alarm systems.
• More sophisticated physical controls include pressure sensors,
temperature sensors, and motion detectors.
• Guards have very difficult jobs: the work is boring, repetitive, and not
well paid, and some employees harass them.
• Organizations also limit computer users to acceptable login times and
locations, limit the number of unsuccessful login attempts, and require
all employees to log off their computers when they leave for the day.

Information Security Controls

2. Access Controls

• Access controls restrict unauthorized access to information resources.
• They carry out two major functions: authentication and authorization.
• Authentication confirms the identity of the person requiring access.
• Authorization determines which actions, rights, or privileges the
person has, based on his or her verified identity.

Information Security Controls

2. Access Controls

Authentication
• Something the user is, also known as biometrics, examines a
person's distinctive physical characteristics.
• Common biometric applications are fingerprint scans, palm scans,
retina scans, iris recognition, and facial recognition.
• India's Unique Identification project, known as Aadhaar (which means
"the foundation"), is a large-scale example: the Indian government
enrols residents using their fingerprints and iris scans.

Information Security Controls

2. Access Controls

Authentication
• Something the user has is an authentication mechanism that includes
regular identification (ID) cards, smart ID cards, and tokens.
• Something the user does is an authentication mechanism that includes
voice and signature recognition.
1. A voice recognition system matches the live voice sample against the
voice signal recorded when the user enrolled.
2. Signature recognition systems match the speed and pressure of the
signature as well as its content and style.

Information Security Controls

2. Access Controls

Authentication
• Something the user knows is an authentication mechanism that
includes passwords and passphrases. Passwords present a huge
information security problem in all organizations: users choose weak
ones, reuse them across systems, and can be tricked into revealing them.
• In reality, passwords by themselves can no longer protect us,
regardless of how unique or complex we make them.

Information Security Controls

2. Access Controls

Authentication
• To identify authorized users more efficiently and effectively,
organizations are implementing a strategy known as multifactor
authentication, which combines factors of different types (something
the user knows, has, is, or does).
• This approach is particularly important when users log in from remote
locations.
• Single-factor authentication: simply a password.
• Two-factor authentication: a password plus a second factor of a
different type, such as a one-time code from a token or a biometric.
• Three-factor authentication: a combination of three different types of
authentication methods.
Information Security Controls

2. Access Controls

Authentication
Fast Identity Online (FIDO) Alliance
• With FIDO authentication, biometric identifiers such as a person's
fingerprint or iris scan are not sent over the Internet.
• Instead, they are checked locally on the user's device, and the only
data transferred over the Internet is cryptographic key material.

Information Security Controls

2. Access Controls

Authentication
The basic guidelines for creating strong passwords are:
• They should be difficult to guess.
• They should be long rather than short.
• They should have uppercase letters, lowercase letters, numbers, and special
characters.
• They should not be recognizable words.
• They should not be the name of anything or anyone familiar, such as family
names or names of pets.
• They should not be a recognizable string of numbers, such as a Social
Security number or a birthday.

Information Security Controls

2. Access Controls

Authentication
• A passphrase is a series of characters that is longer than a password
but is still easy to memorize.
• Examples of passphrases are "maytheforcebewithyoualways" and
"goaheadmakemyday."
• A passphrase can also help you create a strong password. Take the first
letter of each word of "go ahead make my day": you have "gammd."
• Then capitalize some of the letters: "GaMmD."
• Finally, add numbers and special characters: "9GaMmD//*."
• You now have a strong password that you can remember.
Lecture No 28:

Information Security Controls

ILO – BE – Management Information System(MIS)

Learning Objectives:

• Discuss the communications controls used to protect information
resources.
• Discuss business continuity planning.
• Learn the concepts of information systems auditing.

Information Security Controls

2. Access Controls

Authorization
• The process by which an authenticated person is given rights and
privileges on an organization's systems.
• A privilege is a collection of related computer system operations
that a user is authorized to perform.
• Users are granted the privilege for an activity only if there is a
justifiable need for them to perform that activity (the principle of
least privilege).

Information Security Controls

3. Communications Controls (Network Controls)

• They secure the movement of data across networks.
• They consist of firewalls, anti-malware systems, whitelisting and
blacklisting, encryption, virtual private networks (VPNs), transport
layer security (TLS), and employee monitoring systems.

Firewalls
• A firewall is a system that prevents a specific type of information from
moving between untrusted networks, such as the Internet, and private
networks.
• All messages entering or leaving the company's network pass
through the firewall. The firewall examines each message and blocks
those that do not meet specified security rules.
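The rule matching a firewall performs, as an added example rather than code from the slides: each packet is checked against an ordered list of rules, the first matching rule decides, and anything no rule mentions is dropped (default deny). It goes slightly beyond the slide by also flagging rules that an earlier, broader rule makes unreachable, which is how a badly ordered allow silently disables a later deny. The network addresses (RFC 5737 documentation ranges and 10.0.0.0/8) and the rule set are constructed.

```python
"""A packet-filtering firewall in miniature: an ordered rule list, first match
wins, and an implicit deny for anything no rule mentions.

Added example, not code from the course slides. The addresses (RFC 5737
documentation ranges and 10.0.0.0/8) and the rule set are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (to the Internet)
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "*"
    src: str = ANY               # CIDR network
    dst: str = ANY
    proto: str = "*"
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction in ("*", pkt.direction)
            and self.proto in ("*", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
        )

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already matched by self."""
        return (
            self.direction in ("*", other.direction)
            and self.proto in ("*", other.proto)
            and (self.dport is None or self.dport == other.dport)
            and ipaddress.ip_network(self.src).supernet_of(ipaddress.ip_network(other.src))
            and ipaddress.ip_network(self.dst).supernet_of(ipaddress.ip_network(other.dst))
        )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """First matching rule decides; no match means deny (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them.
    A common misconfiguration: a broad allow placed above a specific deny."""
    return [i for i, r in enumerate(rules) if any(earlier.covers(r) for earlier in rules[:i])]


# Constructed rule set for a small network: one public web server, internal clients.
WEB_SERVER = "203.0.113.10/32"
BLOCKED_RANGE = "198.51.100.0/24"
INTERNAL = "10.0.0.0/8"

RULES = [
    Rule("deny", "in", src=BLOCKED_RANGE),                        # known-hostile range, before any allow
    Rule("allow", "in", dst=WEB_SERVER, proto="tcp", dport=443),  # HTTPS to the web server only
    Rule("deny", "in", proto="tcp", dport=3389),                  # explicit: no RDP from the Internet
    Rule("allow", "out", src=INTERNAL, proto="tcp", dport=443),   # clients may browse HTTPS
    Rule("allow", "out", src=INTERNAL, proto="udp", dport=53),    # and resolve names
]

if __name__ == "__main__":
    for pkt in (
        Packet("in", "192.0.2.7", "203.0.113.10", "tcp", 443),
        Packet("in", "198.51.100.9", "203.0.113.10", "tcp", 443),
        Packet("in", "192.0.2.7", "203.0.113.10", "tcp", 22),
        Packet("out", "10.1.2.3", "192.0.2.50", "tcp", 23),
    ):
        print(pkt, "->", evaluate(RULES, pkt)[0])
    print("shadowed rules:", shadowed_rules(RULES))
```

Note that the explicit RDP deny in rule 2 is redundant with the default deny; it is there so the block is visible in logs and survives someone later appending a broad inbound allow below it. The `shadowed_rules` check is the kind of thing to run whenever a rule set is edited.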
Information Security Controls

3. Communications Controls (Network Controls)


Firewalls

http://docshare01.docshare.tips/files/31709/317098453.pdf
Information Security Controls

3. Communications Controls (Network Controls)

Anti-malware Systems (Antivirus)
• Software packages that attempt to identify and eliminate viruses,
worms, and other malicious software, implemented at the
organizational level. They are generally reactive.
• Vendors create definitions, or signatures, of various types of
malware and push them to their products as updates.
• Suspicious computer code is examined to determine whether it
matches a known signature.
• Some products are proactive: they evaluate the behavior of code
rather than relying entirely on signature matching.
• Examples: Norton AntiVirus, McAfee VirusScan, and Quick Heal.
Information Security Controls

3. Communications Controls (Network Controls)

Whitelisting and Blacklisting
• Despite anti-malware systems, many companies have suffered malware
attacks. One solution to this problem is whitelisting.
• Whitelisting is a process in which a company identifies the software
that it will allow to run on its computers.
• Whitelisting permits new software to run only in a quarantined
environment until the company can verify its validity.
• Blacklisting is the opposite: everything is allowed to run unless it is
on the blacklist, which lists the software that is not allowed to run in
the company environment.
• Not only software but also people, devices, and Web sites can be
whitelisted or blacklisted.
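Signature scanning, behaviour-based detection and whitelisting side by side, as an added example (not code from the slides or from any of the products named above). Three constructed byte strings stand in for executables: an approved tool, a known piece of malware, and a repacked variant whose signature bytes have changed. The sample files, the signature database, the approved-hash list and the injection-API heuristic are all constructed; no real malware is involved.

```python
"""Why whitelisting catches what signature scanning misses.

Added example, not code from the course slides. The three 'executables', the
signature database, the approved-hash list and the behaviour heuristic are all
constructed for illustration; no real malware is involved.
"""
import hashlib
from typing import Optional

# Constructed sample files (stand-ins for executables on an endpoint).
APPROVED_TOOL = b"MZ demo-backup-tool v2.1 copies /data to /backup"
KNOWN_MALWARE = b"MZ DEMO-DROPPER-A VirtualAllocEx WriteProcessMemory CreateRemoteThread"
NOVEL_MALWARE = b"MZ DEMO-DR0PPER-B VirtualAllocEx WriteProcessMemory CreateRemoteThread"  # repacked variant

# Reactive, blacklist-style knowledge: byte patterns of malware seen before.
SIGNATURES = {"DemoDropper.A": b"DEMO-DROPPER-A"}

# Whitelist: SHA-256 of every binary the company has approved to run.
APPROVED_HASHES = {hashlib.sha256(APPROVED_TOOL).hexdigest()}

# Proactive, behaviour-based heuristic: API names typical of process injection.
INJECTION_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")


def signature_scan(blob: bytes) -> Optional[str]:
    """Return the signature name if a known pattern is present, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in blob:
            return name
    return None


def behaviour_score(blob: bytes) -> int:
    """Count injection-related APIs; all three in one binary is suspicious."""
    return sum(1 for api in INJECTION_APIS if api in blob)


def is_whitelisted(blob: bytes) -> bool:
    return hashlib.sha256(blob).hexdigest() in APPROVED_HASHES


def decide(blob: bytes, mode: str, heuristic_threshold: int = 3) -> str:
    """'run', 'block' or 'quarantine' under a blacklist or a whitelist policy."""
    if mode == "blacklist":
        # Everything runs unless it is known bad (or looks bad, if heuristics are on).
        if signature_scan(blob) is not None:
            return "block"
        if behaviour_score(blob) >= heuristic_threshold:
            return "block"
        return "run"
    if mode == "whitelist":
        # Only approved binaries run; anything unknown is held until verified.
        return "run" if is_whitelisted(blob) else "quarantine"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    samples = (("approved tool", APPROVED_TOOL), ("known malware", KNOWN_MALWARE),
               ("novel malware", NOVEL_MALWARE))
    for name, blob in samples:
        print(f"{name:14} signature={signature_scan(blob)!s:14} "
              f"behaviour={behaviour_score(blob)} "
              f"blacklist(sig only)={decide(blob, 'blacklist', heuristic_threshold=99)} "
              f"blacklist(+heuristic)={decide(blob, 'blacklist')} "
              f"whitelist={decide(blob, 'whitelist')}")
```

The repacked variant shows the trade-off: a signature-only blacklist lets it run, a behaviour heuristic catches it at the cost of possible false positives on legitimate tools that use the same APIs, and the whitelist quarantines it without knowing anything about it, at the cost of having to approve every legitimate binary (and every update) in advance.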
Information Security Controls

3. Communications Controls (Network Controls)

Encryption
• Encryption systems use a key, which is the code that scrambles and
then decodes the messages.
• Most encryption systems used on the Internet rely on public-key
encryption. Public-key encryption, also known as asymmetric
encryption, uses two different keys: a public key and a private key.
• The public key (the locking key) and the private key (the unlocking
key) are created simultaneously using the same mathematical
formula or algorithm. A message locked with the public key can be
unlocked only with the matching private key.

Information Security Controls

3. Communications Controls (Network Controls)


Encryption

http://docshare01.docshare.tips/files/31709/317098453.pdf
Information Security Controls

3. Communications Controls (Network Controls)

Encryption
• Organizations that conduct e-business require a more complex
system.
• They depend on a certificate authority, which issues digital
certificates and verifies the integrity of the certificates.
• A digital certificate is an electronic document attached to a file that
certifies that the file is from the organization it claims to be from
and has not been modified from its original format.
• For examples of certificate authorities, visit www.entrust.com,
www.verisign.com, www.cybertrust.com, www.secude.com, and
www.thawte.com.
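The locking-key/unlocking-key mechanics and a certificate authority's signature, as an added example that is not code from the slides. It is textbook RSA with 16-bit primes so the arithmetic stays visible; it is not secure (no padding, keys far too small) and exists only to show that data locked with the public key opens only with the private key, that a signature is the private key applied to a file's hash, and that a certificate is just a name and a public key signed by the CA. The primes, the "Demo CA" and the subject name are constructed.

```python
"""Public-key encryption, digital signatures and a digital certificate, in miniature.

Added example, not code from the course slides. This is textbook RSA with
16-bit primes so the numbers are readable; it is NOT secure (no padding, keys
far too small) and must not be used for real data. The primes, the 'Demo CA'
and the subject name are constructed.
"""
import hashlib
import json
from math import gcd
from typing import Tuple

PublicKey = Tuple[int, int]    # (e, n): the locking key, shared freely
PrivateKey = Tuple[int, int]   # (d, n): the unlocking key, kept secret


def keygen(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Both keys come out of the same computation on the same two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: d * e == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(pub: PublicKey, m: int) -> int:
    """Lock a number (in practice a symmetric session key) with the public key."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv: PrivateKey, c: int) -> int:
    """Only the holder of the private key can unlock it."""
    d, n = priv
    return pow(c, d, n)


def _digest(data: bytes, n: int) -> int:
    # Hash the file, then reduce into the key's range (real RSA pads instead of reducing).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: PrivateKey, data: bytes) -> int:
    """Signing = applying the private key to the file's hash."""
    d, n = priv
    return pow(_digest(data, n), d, n)


def verify(pub: PublicKey, data: bytes, signature: int) -> bool:
    """Anyone holding the public key can check it; a modified file fails."""
    e, n = pub
    return pow(signature, e, n) == _digest(data, n)


def issue_certificate(ca_priv: PrivateKey, issuer: str, subject: str, subject_pub: PublicKey) -> dict:
    """A certificate binds a name to a public key under the CA's signature."""
    body = {"issuer": issuer, "subject": subject, "public_key": list(subject_pub)}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {**body, "signature": sign(ca_priv, encoded)}


def verify_certificate(ca_pub: PublicKey, cert: dict) -> bool:
    """Recompute the signed bytes and check the CA's signature over them."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    encoded = json.dumps(body, sort_keys=True).encode()
    return verify(ca_pub, encoded, cert["signature"])


# Constructed 16-bit primes: one pair for the web site's key, a different pair for the CA.
SITE_PUB, SITE_PRIV = keygen(65521, 65497)
CA_PUB, CA_PRIV = keygen(65519, 65479)
SITE_CERT = issue_certificate(CA_PRIV, "Demo CA", "www.example.com", SITE_PUB)

if __name__ == "__main__":
    session_key = 1234                      # small number standing in for a symmetric key
    c = encrypt(SITE_PUB, session_key)      # locked with the public key...
    print("ciphertext:", c, "recovered:", decrypt(SITE_PRIV, c))   # ...unlocked by the private key
    order = b"transfer 100 to account 42"
    sig = sign(SITE_PRIV, order)
    print("signature valid:", verify(SITE_PUB, order, sig))
    print("certificate valid:", verify_certificate(CA_PUB, SITE_CERT))
```

The browser's side of this is the last function: it holds the CA's public key, receives the site's certificate, and checks the CA's signature before trusting the public key inside it. Changing any field, including the subject name, invalidates the signature, which is what stops an attacker from presenting someone else's key under the site's name.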
Information Security Controls

3. Communications Controls (Network Controls)


Encryption

http://docshare01.docshare.tips/files/31709/317098453.pdf
Information Security Controls

3. Communications Controls (Network Controls)

Virtual Private Networking (VPN)
• A VPN is a private network that uses a public network to connect users.
• It integrates the global connectivity of the Internet with the security
of a private network.
• VPNs have no separate physical existence.
• They are created by using logins, encryption, and other techniques
to enhance the user's privacy.

Information Security Controls

3. Communications Controls (Network Controls)


Virtual Private Networking(VPN)

http://docshare01.docshare.tips/files/31709/317098453.pdf
Information Security Controls

3. Communications Controls (Network Controls)

Virtual Private Networking (VPN)
Advantages
1. Allow remote users to access the company network.
2. Provide flexibility.
3. Organizations can impose their security policies through VPNs.

• To provide secure transmissions, VPNs use a process called
tunneling.
• Tunneling encrypts each data packet to be sent and places each
encrypted packet inside another packet so that it can travel across
the Internet with confidentiality, authentication, and integrity.
Information Security Controls

3. Communications Controls (Network Controls)

Transport Layer Security (TLS)
• TLS is an encryption standard used for secure transactions such as
credit card purchases and online banking.
• TLS encrypts and decrypts data in transit between a Web server and a
browser, so that it cannot be read or altered on the way.
• A TLS connection is indicated by a URL that begins with "https"; the
browser also displays a small padlock icon (in the address or status
bar) as visual confirmation of a secure connection.

Information Security Controls

3. Communications Controls (Network Controls)

Employee Monitoring Systems
• A proactive approach to protecting the company's networks against
what organizations view as one of their major security threats, namely,
employee mistakes.
•These systems scrutinize employees' computers, e-mail activities, and
Internet surfing activities.
• They are useful for identifying employees who spend too much time
surfing the Internet for personal reasons, who visit questionable Web
sites, or who download music illegally.
• Examples: SpectorSoft and Websense.

Information Security Controls

4. Business Continuity Planning (Disaster Recovery Plan)

• A critical element in any security system.
• It is the chain of events linking planning to protection and to
recovery, providing guidance to the people who keep the business
operating after a disaster occurs.
• Employees use this plan to prepare for, react to, and recover from
events that affect the security of information assets, restoring the
business to normal operations as quickly as possible following an
attack.

Information Security Controls

4. Business Continuity Planning (Disaster Recovery Plan)

Many strategies are used for business continuity.
1. A hot site is a fully configured computer facility with all of the
company's services, communications links, and physical plant operations.
It duplicates computing resources, peripherals, telephone systems,
applications, and workstations. (Most expensive)
2. A warm site provides many of the same services and options as the hot
site. A warm site includes computing equipment such as servers, but it
often does not include user workstations.
3. A cold site provides only rudimentary services and facilities, such as a
building or a room with heating, air conditioning, and humidity control.
This type of site provides no computer hardware or user
workstations. (Least expensive)
Information Security Controls

5. Information Systems Auditing

• In an IS environment, an audit is an examination of information
systems, their inputs, outputs, and processing, performed by
independent and unbiased observers.
• Types of Auditors and Audits
1. Internal auditing is frequently performed by corporate internal auditors.
2. External auditing: an external auditor reviews the findings of the internal
audit as well as the inputs, processing, and outputs of information systems.
• The external audit of information systems is frequently a part of the
overall external auditing performed by a certified public accounting
(CPA) firm.
• Guidelines are available from the Information Systems Audit and Control
Association (ISACA).
Information Security Controls

5. Information Systems Auditing

How Is Auditing Executed?
• Auditing around the computer means verifying processing by checking for
known outputs using specific inputs. This approach is most effective for
systems with limited outputs.
• In auditing through the computer, auditors check inputs, outputs, and
processing. They review program logic, and they test the data contained
within the system.
• Auditing with the computer means using a combination of client data,
auditor software, and client and auditor hardware. This approach enables
the auditor to perform tasks such as simulating payroll program logic
using live data.
Thank You!
Email : [email protected]
