Chapter 3 - 1 MIS - Ethical Issues and Privacy

The document discusses ethical issues and privacy in information security. It identifies five key factors contributing to the increased vulnerability of organizational information resources, such as interconnected networks and the decreasing skill needed to hack computers. There are two categories of threats: unintentional, like human errors, and deliberate, like espionage, sabotage, and cyberterrorism. Organizations perform risk management, including risk analysis, mitigation, and controls evaluation, to protect information. Common information security controls are physical, access, and communications controls, used to prevent, detect, and correct security issues.

Uploaded by AKSHAY Kumar

Chapter 3

ETHICAL ISSUES AND PRIVACY
Introduction to Information Security

 Security can be defined as the degree of protection against criminal activity, danger, damage, and/or loss.
 Information security refers to all of the processes and policies designed to protect an organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.
 A threat to an information resource is any danger to which a system may be exposed.
 An information resource’s vulnerability is a weakness that a threat can exploit, i.e., the possibility that the system will be harmed by that threat.
Five key factors contributing to the increasing vulnerability of organizational information resources

 Today’s interconnected, interdependent, wirelessly networked business environment;
 Smaller, faster, cheaper computers and storage devices;
 Decreasing skills necessary to be a computer hacker;
 International organized crime taking over cybercrime;
 Lack of management support.

Together, these five factors make organizational information resources increasingly vulnerable and much more difficult to secure.
Threats to Information system

 The two major categories of threats are unintentional threats and deliberate threats.
 Unintentional threats are acts performed without malicious intent that
nevertheless represent a serious threat to information security.
 A major category of unintentional threats is human error.
 Human errors or mistakes by employees pose a large problem as the result
of laziness, carelessness, or a lack of awareness concerning information
security.
 This lack of awareness comes from poor education and training efforts by
the organization.
Human errors/mistakes
Unintentional Threats to Information Systems
Deliberate Threats to Information Systems

 Espionage or trespass
 Information extortion
 Sabotage or vandalism
 Theft of equipment or information
 Identity theft
 Compromises to intellectual property
 Software attacks
 Alien software
 Supervisory control and data acquisition (SCADA) attacks
 Cyberterrorism and cyberwarfare
Deliberate Threats to Information Systems contd..

 Espionage or trespass occurs when an unauthorized individual attempts to gain illegal access to organizational information.
 Information extortion occurs when an attacker either threatens to steal, or actually steals, information from a company and then demands payment for not stealing it, for returning it, or for not disclosing it.
 Sabotage and vandalism are deliberate acts that involve defacing an organization’s Web site, possibly damaging the organization’s image and causing its customers to lose faith.
 Identity theft is the deliberate assumption of another person’s identity, usually to gain access to his or her financial information or to frame him or her for a crime.
 Intellectual property is the property created by individuals or corporations that is protected under trade secret, patent, and copyright laws.
Deliberate Threats to Information Systems contd..

 Alien software is clandestine software that is installed on your computer through duplicitous methods. It can report on your Web surfing habits and other personal behavior.
 SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants.
 SCADA systems consist of multiple sensors, a master computer, and communications infrastructure.
 If attackers gain access to the network, they can cause serious damage, such as disrupting the power grid over a large area or upsetting the operations of a large chemical or nuclear plant.
 Cyberterrorism and cyberwarfare refer to malicious acts in which attackers use a target’s computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption.
Software Attacks
What Organizations Are Doing to Protect Information Resources

 Organizations spend a great deal of time and money protecting their information
resources.
 Before doing so, they perform risk management.
 A risk is the probability that a threat will impact an information resource.
 The goal of risk management is to identify, control, and minimize the impact of
threats.
 Risk management consists of three processes: risk analysis, risk mitigation, and
controls evaluation.
1. Risk analysis

Organizations perform risk analyses to ensure that their IS security programs are cost effective.

Risk analysis involves three steps:
(1) assessing the value of each asset being protected,
(2) estimating the probability that each asset will be compromised,
(3) comparing the probable costs of the asset’s being compromised with the costs of protecting that asset.

The organization then considers how to mitigate the risk.


2. Risk mitigation
In risk mitigation, the organization takes concrete actions against risks.
 Risk mitigation has two functions:
(1) implementing controls to prevent identified threats from occurring,
(2) developing a means of recovery if the threat becomes a reality.
 There are several risk mitigation strategies that organizations can adopt.
 The three most common are risk acceptance, risk limitation, and risk transference.
 Risk acceptance: Accept the potential risk, continue operating with no controls,
and absorb any damages that occur.
 Risk limitation: Limit the risk by implementing controls that minimize the impact of
the threat.
 Risk transference: Transfer the risk by using other means to compensate for the
loss, such as by purchasing insurance.
3. Controls evaluation

 Finally, in controls evaluation, the organization examines the costs of implementing adequate control measures against the value of those control measures.
 If the costs of implementing a control are greater than the value of the asset being protected, the control is not cost effective.
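The three processes above can be worked through numerically. The following is an added example, not material from the slides: it uses the standard annualized loss expectancy (ALE) method, which the slides do not name, to carry out the three risk-analysis steps, pick one of the three mitigation strategies, and perform the controls evaluation. Every asset value, probability, control cost and insurance premium in it is a constructed figure.

```python
"""Quantitative risk analysis, mitigation choice and controls evaluation.

Standard ALE method (an assumption; the slides do not name it):
    SLE = asset value * exposure factor   loss from one incident (step 1)
    ALE = SLE * ARO                       expected loss per year; ARO = incidents/year (step 2)
A control is cost-effective when the yearly loss it avoids exceeds its yearly cost (step 3).
All figures below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # value of the asset being protected
    exposure_factor: float  # fraction of the value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float    # fraction of incidents the control prevents (0..1)


def single_loss_expectancy(asset: Asset) -> float:
    return asset.value * asset.exposure_factor


def annual_loss_expectancy(asset: Asset, aro: Optional[float] = None) -> float:
    """Expected yearly loss, optionally at a different (residual) incident rate."""
    return single_loss_expectancy(asset) * (asset.aro if aro is None else aro)


def control_benefit(asset: Asset, control: Control) -> float:
    """Controls evaluation: yearly loss avoided by the control minus its yearly cost.
    Negative means the control costs more than the protection it provides."""
    residual_aro = asset.aro * (1.0 - control.aro_reduction)
    avoided = annual_loss_expectancy(asset) - annual_loss_expectancy(asset, residual_aro)
    return avoided - control.annual_cost


def choose_strategy(asset: Asset, control: Control,
                    insurance_premium: float, accept_threshold: float) -> str:
    """Risk mitigation: pick one of the three strategies named on the slides.

    accept   - expected yearly loss is within what the organization tolerates
    limit    - the control pays for itself, so implement it
    transfer - the control does not pay, but insurance is cheaper than the expected loss
    Falls back to acceptance when neither limiting nor transferring is worthwhile.
    """
    ale = annual_loss_expectancy(asset)
    if ale <= accept_threshold:
        return "accept"
    if control_benefit(asset, control) > 0:
        return "limit"
    if insurance_premium < ale:
        return "transfer"
    return "accept"


# Constructed inventory for the example
CUSTOMER_DB = Asset("customer database", value=500_000, exposure_factor=0.4, aro=0.25)
LOBBY_KIOSK = Asset("lobby kiosk PC", value=1_500, exposure_factor=1.0, aro=0.5)
BACKUPS = Control("offsite backups and DLP", annual_cost=15_000, aro_reduction=0.8)
OUTSOURCED_SOC = Control("24x7 outsourced SOC", annual_cost=60_000, aro_reduction=0.8)

if __name__ == "__main__":
    for asset in (CUSTOMER_DB, LOBBY_KIOSK):
        print(f"{asset.name}: SLE={single_loss_expectancy(asset):,.0f} "
              f"ALE={annual_loss_expectancy(asset):,.0f}")
    for control in (BACKUPS, OUTSOURCED_SOC):
        verdict = choose_strategy(CUSTOMER_DB, control, insurance_premium=30_000, accept_threshold=5_000)
        print(f"{control.name} on {CUSTOMER_DB.name}: net benefit "
              f"{control_benefit(CUSTOMER_DB, control):,.0f} -> {verdict}")
```

Note that the controls evaluation compares a control's cost with the loss it actually avoids, not with the raw asset value: a control that removes 80% of a 50,000-per-year expected loss is worth implementing at 15,000 a year and not at 60,000, even though both figures are far below the 500,000 asset value.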
Information Security Controls
 To protect their information assets, organizations implement controls, or
defense mechanisms (also called countermeasures).
 These controls are designed to protect all of the components of an information
system, including data, software, hardware, and networks.
 Controls are intended to prevent accidental hazards, deter intentional acts,
detect problems as early as possible, enhance damage recovery, and correct
problems
 Three major types of controls:
1. Physical controls
2. Access controls
3. Communications controls/ Network controls
Information Security Controls
Physical controls
 Physical controls prevent unauthorized individuals from gaining access to
a company’s facilities.
 Common physical controls include walls, doors, fencing, gates, locks,
badges, guards, and alarm systems.
 More sophisticated physical controls include pressure sensors, temperature
sensors, and motion detectors.
 Organizations also implement physical security measures that limit
computer users to acceptable login times and locations.
Access controls

 Access controls restrict unauthorized individuals from using information resources.
 These controls involve two major functions: authentication and authorization.
 Authentication confirms the identity of the person requiring access.
After the person is authenticated (identified), the next step is
authorization.
 Authorization determines which actions, rights, or privileges the person
has, based on his or her verified identity.
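How the two functions fit together in code, as an added example (not from the slides): the login first authenticates against salted PBKDF2 password hashes from the Python standard library, compared in constant time, and only then authorizes the verified identity from a server-side role table. Users, passwords, roles and the permission table are all constructed for the example.

```python
"""Authentication, then authorization (added example, constructed data).

Authentication answers "who is this?"; authorization answers "what may this
verified identity do?". The role is looked up from the verified identity on
the server, never taken from the client.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

PBKDF2_ITERATIONS = 600_000   # slow on purpose: raises the cost of offline guessing
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256 digest. A fresh random salt per user
    means identical passwords do not produce identical records."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Constructed user store: username -> (password record, role). Clear-text
# passwords appear here only so the example can run; a real system never keeps them.
USERS: Dict[str, Tuple[bytes, str]] = {
    "alice": (hash_password("correct horse battery staple"), "accountant"),
    "bob": (hash_password("hunter2"), "clerk"),
}
DUMMY_RECORD = hash_password("not-a-real-user")

# Constructed authorization table: role -> permitted (action, resource) pairs
PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "accountant": {("read", "ledger"), ("write", "ledger"), ("read", "payroll")},
    "clerk": {("read", "ledger")},
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Confirm identity. Returns the username on success, None otherwise.
    An unknown name still costs one hash so response time does not reveal
    which usernames exist."""
    record = USERS.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return None
    return username if verify_password(password, record[0]) else None


def authorize(identity: str, action: str, resource: str) -> bool:
    """Decide what the verified identity may do, from its server-side role."""
    role = USERS[identity][1]
    return (action, resource) in PERMISSIONS.get(role, set())


def access(username: str, password: str, action: str, resource: str) -> str:
    identity = authenticate(username, password)
    if identity is None:
        return "denied: authentication failed"
    if not authorize(identity, action, resource):
        return "denied: not authorized"
    return f"ok: {identity} may {action} {resource}"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "write", "ledger"))
    print(access("bob", "hunter2", "write", "ledger"))
    print(access("bob", "wrong password", "read", "ledger"))
    print(access("mallory", "anything", "read", "ledger"))
```

Two details matter in practice: the failure messages for a bad password and an unknown user are identical, and the dummy hash keeps their timing identical too, so the login cannot be used to enumerate valid usernames; and authorization never trusts a role supplied by the caller.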
Communications controls
 Communications controls (also called network controls) secure the
movement of data across networks.
 Communications controls consist of firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks (VPNs), Secure Sockets Layer (SSL, now Transport Layer Security, TLS), and employee monitoring systems.
Communications controls contd..
 A firewall is a system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company’s network.
 Servers located in the DMZ (demilitarized zone), the segment between the external firewall and the internal firewall, typically handle Web page requests and e-mail.
 Any messages designated for the company’s internal network (e.g., its intranet) must pass through the internal firewall, again with its own defined security rules, to gain access to the company’s private network.
 Anti-malware systems, also called antivirus, or AV, software, are software packages that attempt to identify and eliminate viruses, worms, and other malicious software.
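An added example, not part of the slides, of the firewall/DMZ arrangement described above as a first-match packet filter with two rule sets. Networks, hosts, rules and packets are constructed; the point is that a request from the Internet can reach the DMZ web server, but only the web server, and only on the database port, can continue through the internal firewall.

```python
"""Two-firewall DMZ as a first-match packet filter (added example; rules,
addresses and packets are constructed, not taken from the slides).

    Internet --[external firewall]-- DMZ (web, mail) --[internal firewall]-- intranet

Each firewall is a rule list evaluated top to bottom; the first match decides,
and traffic matching nothing is dropped (default deny).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


ANY, DMZ, INTRANET = "0.0.0.0/0", "203.0.113.0/24", "10.0.0.0/8"   # constructed ranges
WEB, MAIL, DB = "203.0.113.10/32", "203.0.113.25/32", "10.1.1.5/32"

EXTERNAL_FW = [                                     # between the Internet and the DMZ
    Rule("allow", ANY, WEB, "tcp", 443),            # HTTPS to the DMZ web server
    Rule("allow", ANY, MAIL, "tcp", 25),            # SMTP to the DMZ mail relay
    Rule("allow", INTRANET, ANY, "tcp", 443),       # staff browsing out
    Rule("deny", ANY, INTRANET),                    # nothing from outside goes straight inside
    Rule("deny", ANY, ANY),
]
INTERNAL_FW = [                                     # between the DMZ and the intranet
    Rule("allow", WEB, DB, "tcp", 5432),            # only the web server, only to the DB port
    Rule("allow", INTRANET, ANY),                   # intranet hosts may initiate outwards
    Rule("deny", ANY, ANY),
]


def zone(ip: str) -> str:
    addr = ip_address(ip)
    if addr in ip_network(INTRANET):
        return "intranet"
    if addr in ip_network(DMZ):
        return "dmz"
    return "internet"


def decide(p: Packet) -> str:
    """Run the packet through every firewall that sits between its two zones.
    Traffic bound for the intranet from the Internet must pass BOTH firewalls."""
    src_zone, dst_zone = zone(p.src), zone(p.dst)
    verdicts = []
    if "internet" in (src_zone, dst_zone):
        verdicts.append(evaluate(EXTERNAL_FW, p))
    if (src_zone == "intranet") != (dst_zone == "intranet"):
        verdicts.append(evaluate(INTERNAL_FW, p))
    # Traffic that stays inside one zone crosses no firewall and is left alone.
    return "allow" if all(v == "allow" for v in verdicts) else "deny"


if __name__ == "__main__":
    for desc, pkt in [("Internet -> web 443", Packet("198.51.100.7", "203.0.113.10", "tcp", 443)),
                      ("Internet -> DB 5432", Packet("198.51.100.7", "10.1.1.5", "tcp", 5432)),
                      ("web -> DB 5432", Packet("203.0.113.10", "10.1.1.5", "tcp", 5432)),
                      ("mail -> DB 5432", Packet("203.0.113.25", "10.1.1.5", "tcp", 5432))]:
        print(f"{desc:22} {decide(pkt)}")
```

The mail relay case is why the DMZ exists: if that server is compromised, the internal firewall's rules still keep it away from the database, because only the web server's address is allowed through, and only on one port.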
Communications controls contd..

 Whitelisting (now more often called allowlisting) is a process in which a company identifies the software that it will allow to run on its computers.
 Whitelisting permits acceptable software to run, and it either prevents any other software from running or it lets new software run in a quarantined environment until the company can verify its validity.
 Blacklisting (blocklisting) allows everything to run unless it is on the blacklist. A blacklist, then, includes certain types of software that are not allowed to run in the company environment.
 For example, a company might blacklist peer-to-peer file sharing on its
systems.
 In addition to software, people, devices, and Web sites can also be whitelisted
and blacklisted.
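The difference between the two approaches, as an added example (not the slides' own material) using constructed sample programs: an allowlist keyed on content hashes denies by default and quarantines anything unknown, while a blocklist keyed on names and hashes allows by default and is defeated by renaming or minimally altering the banned program.

```python
"""Allowlisting (whitelisting) versus blocklisting (blacklisting) of executables.
Added example; the "programs" are constructed byte strings, not real software.

Allowlist : default deny. Only content whose SHA-256 hash is approved runs;
            anything unknown goes to quarantine until someone verifies it.
Blocklist : default allow. Only listed names or hashes are stopped, so a
            renamed or trivially modified copy is not caught.
"""
import hashlib
from typing import Dict, Set

# Constructed sample programs
APPROVED_EDITOR = b"#!/bin/sh\necho 'corporate editor 1.0'\n"
P2P_CLIENT = b"#!/bin/sh\necho 'peer-to-peer file sharing'\n"
P2P_CLIENT_REPACKED = P2P_CLIENT + b"# one extra byte changes the hash\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


ALLOWLIST: Set[str] = {sha256(APPROVED_EDITOR)}          # hashes of approved software
BLOCKLIST_HASHES: Set[str] = {sha256(P2P_CLIENT)}        # hashes of banned software
BLOCKLIST_NAMES: Set[str] = {"p2pclient"}                # banned file names


def allowlist_decision(content: bytes) -> str:
    """Default deny: only approved content runs; unknown content is quarantined."""
    return "run" if sha256(content) in ALLOWLIST else "quarantine"


def blocklist_decision(name: str, content: bytes) -> str:
    """Default allow: stop only what is explicitly listed."""
    if name in BLOCKLIST_NAMES or sha256(content) in BLOCKLIST_HASHES:
        return "block"
    return "run"


def approve(content: bytes) -> None:
    """Release software from quarantine once it has been verified."""
    ALLOWLIST.add(sha256(content))


def compare(name: str, content: bytes) -> Dict[str, str]:
    return {"allowlist": allowlist_decision(content),
            "blocklist": blocklist_decision(name, content)}


if __name__ == "__main__":
    for name, content in [("editor", APPROVED_EDITOR),
                          ("p2pclient", P2P_CLIENT),
                          ("notes", P2P_CLIENT_REPACKED)]:   # renamed and repacked copy
        print(f"{name:10} {compare(name, content)}")
```

The third case is the one to remember: the repacked peer-to-peer client has a new name and a new hash, so the blocklist lets it run, while the allowlist still quarantines it because it was never approved.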
Communications controls contd..
 Encryption is the process of converting an original message into a form that cannot be read
by anyone except the intended receiver.
 Most encryption systems combine public-key encryption, which is used to exchange keys and verify identities, with faster symmetric encryption for the data itself.
 A trusted third party, called a certificate authority (CA), acts as an intermediary between the companies: it issues digital certificates that bind a public key to an identity and vouches for their integrity.
 A virtual private network is a private network that uses a public network (usually the Internet) to connect users.
 They are created by using log-ins, encryption, and other techniques to enhance the user’s privacy.
 Secure Sockets Layer (SSL), superseded by Transport Layer Security (TLS), is the encryption protocol used for secure transactions such as credit card purchases and online banking. The SSL versions themselves are deprecated and should be disabled; only TLS should be enabled today.
 TLS encrypts and decrypts data between a Web server and a browser end to end.
 Employee monitoring systems, monitor their employees’ computers, e-mail activities, and
Internet surfing activities.
Maintain cyber security

 Keeping software up to date at all times.
 Businesses often ship important security patches and upgrades in software updates, so running outdated software naturally increases the risk of a breach.

 Create good passwords.
 It’s important not to simply use one’s birthday and initials on every account. Instead, create strong, diverse passwords in order to keep information safe. Password managers help users organize and keep track of passwords so that they’re less likely to be forgotten or confused.

 Be on guard for scams.
 Never click on a link or download if it isn’t clear what source it’s coming from. In addition, never give personal information over the phone or via text when it’s an unknown number. Finally, never give personal information when receiving an automated phone call. If it seems important, call back and speak to a human representative after researching the number.
 Examples of cyberbullying include sending hurtful texts or instant messages, posting embarrassing
photos or video on social media, and spreading mean rumors online or with cell phones.
THREATS TO INFORMATION SECURITY

• A threat is an object, person, or other entity that represents a constant danger to an asset.
• Management should ensure that information is given sufficient protection through policies, proper training, and proper equipment.
• Consistent reviews, together with recognizing and ranking the threats to the information, provide better information security.
• Checks and surveys also help in keeping information safe.
TYPES OF THREATS TO INFORMATION

1. Inadvertent Acts
2. Deliberate Acts
3. Natural Disaster (Natural Forces)
4. Technical Failures
5. Management Failure
INADVERTENT ACTS

• These are acts that happen by mistake. They are not deliberate.
• The person responsible has no ill will or malicious intent, and the act does not amount to theft.
• Acts of human error and failure, deviations from service quality, and communication errors are examples of inadvertent acts.
DELIBERATE ACTS

• These acts are done by people or organizations to harm the information.
• The attackers have malicious intent and wish to steal or destroy the data.
• Acts of espionage, hacking, and cracking come under deliberate acts.
NATURAL DISASTERS

• Forces of nature are dangerous because they are unexpected and come with very little warning.
• They disrupt the lives of individuals, but they also damage information stored within computers.
• These threats cannot be prevented, but their impact can be limited if management has taken the necessary precautions in advance.
TECHNICAL FAILURES
• Technical failures are classified into two types :
• Technical Hardware Failure
• Technical Software Failure
• Technical Hardware Failure: It occurs when a manufacturer distributes equipment with flaws that may be known or unknown to the manufacturer.
• Technical Software Failure: These can cause the system
to perform in an undesirable or unexpected way. Some
of these are unrecoverable while some occur
periodically
MANAGEMENT FAILURE

• Management must always be kept up to date about recent developments and technology.
• Proper planning must be done by the management for good protection of the information.
• IT professionals must help the management in protecting the information, by helping the management upgrade to the latest technology.
MALWARE

• It is any malicious software designed to harm a computer without the user’s consent.
• Eg. virus, worm, Trojan, spyware.
VIRUS
• The expansion “Vital Information Resource Under Siege” sometimes given for the word is a backronym; the term comes from the analogy with biological viruses.
• It is a computer program designed to copy itself and attach itself to other files stored on a computer.
• It moves from computer to computer by attaching itself to files or to the boot records of disks.
• It can be sent through a network or on a removable storage device.
WORM
• A worm is a self-replicating computer program that uses a network to send copies of itself to other computers on the network.
• It replicates and eats up computer storage.
• An example is the Voyager worm.
TROJAN HORSE
• They appear to be harmless or useful programs but carry a hidden payload, for example secretly gathering information about the user.
• They install hidden malicious programs on the computer without the user’s knowledge.
• Unlike a computer virus, a Trojan does not attempt to inject itself into other files.
SPYWARE
• It secretly monitors Internet surfing habits without the user’s knowledge.
• It performs actions such as displaying unwanted advertisements and changing computer configurations. These actions are very troublesome.
• Spyware usually does not replicate itself.
PROTECTION AGAINST MALWARE

• Make sure that you have an updated operating system and antivirus software. Eg. McAfee
• Do not use pirated software, or download files from unreliable sources.
• Perform regular hard drive scans.
• Use licensed software.
HACKING

• Hacking means finding out weaknesses in a computer or a network and exploiting them.
• Hackers are usually motivated by profit, protest, or challenge.
HACKER

 He/she is a person who enjoys the challenge of breaking into computers without the knowledge of the user.
 Their main aim might be to learn the details of a programmable system and how it works.
 Hackers are experts who see new ways to use computers.
CRACKER

• These people crack or remove the protection mechanism of a computer system.
• Their main aim is to steal or destroy information without the user’s consent.
• They are much more dangerous than hackers.
ANTIVIRUS

• It is software used to prevent, detect, and remove malware.
• It runs in the background at all times.
• It should be kept updated.
• It runs computer disk scans periodically.
• Eg. McAfee, Norton, Kaspersky.
SECURITY & CONTROL OF INFORMATION SYSTEM
 Information system:
The term information system describes the organized collection, processing, transmission, and spreading of information in accordance with defined procedures, whether automated or manual.
 Security:
Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
 Controls:
Methods, policies, and organizational procedures that ensure the safety of the organization’s assets; the accuracy and reliability of its accounting records; and operational adherence to management standards.

A . Confidentiality

• This principle is applied to information by enforcing rules about who is allowed to know it. Preserving personal privacy is one of the major objectives of confidentiality.
• It prevents the unauthorized disclosure of information and restricts data access to only those who are authorized.
• But today the world is moving towards less authoritative structures, more informality, and fewer rules. Such developments are creating an issue of concern for the principle of confidentiality.
B. Integrity
In any business organization that has an IS, the correctness of the data stored and manipulated, down to maintaining the correct signs and symbols on each value, is an important issue of concern. This issue is referred to as integrity within an organization, which is the prevention of unauthorized modification.
C. Availability
Availability is the accessibility of information, in usable form, when and where it is required. Sometimes it is also explained as the prevention of unauthorized withholding of data or resources. Within any organization today the availability of resources and data is an important issue of concern, since a system failure denies users both.
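One way to enforce the integrity principle on stored records, as an added example (not from the slides): each record carries an HMAC-SHA256 tag under an application key, so any unauthorized change, even flipping the sign on an amount, is detected on read. The key and the invoice record are constructed for the example.

```python
"""Integrity check for stored records (added example, constructed data).

Each record is stored with an HMAC-SHA256 tag computed under a key only the
application holds. A reader recomputes the tag and rejects any record whose
data, down to a single sign, has changed. A plain hash would not do: an
attacker who can rewrite the record can rewrite an unkeyed hash as well.
"""
import hashlib
import hmac
import json
from typing import Any, Dict

INTEGRITY_KEY = b"constructed-demo-key-replace-in-production"   # assumption: kept secret
TAG_FIELD = "_tag"


def canonical(record: Dict[str, Any]) -> bytes:
    """Deterministic serialisation, so equal data always yields equal tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: Dict[str, Any], key: bytes = INTEGRITY_KEY) -> Dict[str, Any]:
    """Attach the integrity tag before the record is written."""
    if TAG_FIELD in record:
        raise ValueError("record already sealed")
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, TAG_FIELD: tag}


def verify(sealed: Dict[str, Any], key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the data still matches the tag under this key."""
    tag = sealed.get(TAG_FIELD)
    if not isinstance(tag, str):
        return False
    body = {k: v for k, v in sealed.items() if k != TAG_FIELD}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def load_checked(sealed: Dict[str, Any], key: bytes = INTEGRITY_KEY) -> Dict[str, Any]:
    """Return the record body, refusing anything that fails the check."""
    if not verify(sealed, key):
        raise ValueError("integrity check failed: record modified or tag forged")
    return {k: v for k, v in sealed.items() if k != TAG_FIELD}


# Constructed ledger entry
INVOICE = {"invoice": 1042, "customer": "ACME", "amount": 1250.00, "sign": "+"}

if __name__ == "__main__":
    stored = seal(INVOICE)
    print("stored record verifies:", verify(stored))
    flipped = {**stored, "sign": "-"}          # a credit turned into a debit
    print("after sign flip:", verify(flipped))
```

The tag protects integrity only; it does not hide the data (confidentiality) and it does not stop someone from deleting the record outright (availability), which is why the three principles are controlled separately.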
Why systems are vulnerable
• Accessibility of networks
• Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
• Software problems (programming errors, installation errors, unauthorized changes)
• Disasters
• Use of networks/computers outside of firm’s control
• Loss and theft of portable devices
• Internet vulnerabilities
  • Network open to anyone
  • Size of Internet means abuses can have wide impact
  • Use of fixed Internet addresses with cable or DSL modems creates fixed targets for hackers
  • Unencrypted VOIP
  • E-mail, P2P, IM
    • Interception
    • Attachments with malicious software
    • Transmitting trade secrets
CREATING A CONTROL ENVIRONMENT

General Controls and Application Controls

General controls

• Establish framework for controlling design, security, and use of computer programs
• Include software, hardware, computer operations, data security, implementation, and administrative controls
• Software controls
  • Authorised access to systems
• Hardware controls
  • Physically secure hardware
  • Monitor for and fix malfunction
  • Environmental systems and protection
  • Backup of disk-based data

• Computer operations controls
  • Day-to-day operations of Information Systems
  • Procedures
  • System set-up
  • Job processing
  • Backup and recovery procedures
• Data security controls
  • Prevent unauthorised access, change or destruction
  • When data is in use or being stored
  • Physical access to terminals
  • Password protection
  • Data level access controls
• Administrative controls
  • Ensure organisational policies, procedures and standards are enforced
  • Segregation of functions to reduce errors and fraud
  • Supervision of personnel to ensure policies and procedures are being adhered to

CREATING A CONTROL ENVIRONMENT

General Controls and Application Controls

Application controls

• Unique to each computerized application
• Include input, processing, and output controls

• Input controls
  • Data is accurate and consistent on entry
  • Direct keying of data, double entry or automated input
  • Data conversion, editing and error handling
  • Field validation on entry
  • Input authorisation and auditing
  • Checks on totals to catch errors
• Processing controls
  • Data is accurate and complete on processing
  • Checks on totals to catch errors
  • Compare to master records to catch errors
  • Field validation on update
• Output controls
  • Data is accurate, complete and properly distributed on output
  • Checks on totals to catch errors
  • Review processing logs
  • Track recipients of data
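The input, processing and output controls above applied to one batch of account postings, as an added example rather than the slides' own material. The master file, the batch, the control-slip totals and the error cases are constructed; the hash total is the classic control that catches a mistyped account number even when every field individually looks valid.

```python
"""Input, processing and output controls over a constructed payment batch
(added example; batch, control slip and master file are made up).

Input controls     : field validation per record; record count, hash total and
                     financial total compared with the control slip prepared
                     independently when the batch was keyed.
Processing controls: every account matched to a master record before any update.
Output controls    : closing balances reconciled to opening balances plus the
                     batch total, and the run logged.
"""
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

Batch = List[Tuple[str, str]]                     # (account number, amount as keyed)

# Constructed master file: account number -> balance
MASTER: Dict[str, Decimal] = {
    "10001": Decimal("500.00"), "10002": Decimal("75.50"), "10003": Decimal("0.00"),
}
# Constructed batch and the control-slip totals keyed separately by a second person
BATCH: Batch = [("10001", "100.00"), ("10002", "-25.50"), ("10003", "40.00")]
CONTROL_SLIP = {"record_count": 3, "hash_total": 30006, "financial_total": Decimal("114.50")}


def validate_record(account: str, amount: str) -> List[str]:
    """Field validation on entry."""
    errors = []
    if not (account.isdigit() and len(account) == 5):
        errors.append(f"account {account!r}: must be exactly 5 digits")
    try:
        value = Decimal(amount)
        if value != value.quantize(Decimal("0.01")):
            errors.append(f"amount {amount!r}: more than two decimals")
    except InvalidOperation:
        errors.append(f"amount {amount!r}: not a number")
    return errors


def batch_totals(batch: Batch) -> Dict[str, object]:
    return {
        "record_count": len(batch),
        # hash total: a meaningless sum of account numbers that still catches
        # a transposed or mistyped account
        "hash_total": sum(int(a) for a, _ in batch),
        "financial_total": sum((Decimal(v) for _, v in batch), Decimal("0")),
    }


def input_controls(batch: Batch, slip: Dict[str, object]) -> List[str]:
    errors = [e for account, amount in batch for e in validate_record(account, amount)]
    if errors:
        return errors
    totals = batch_totals(batch)
    return [f"{name}: batch {totals[name]} != control slip {expected}"
            for name, expected in slip.items() if totals[name] != expected]


def processing_controls(batch: Batch, master: Dict[str, Decimal]) -> Tuple[Dict[str, Decimal], List[str]]:
    """Compare to master records; update only when every account exists."""
    errors = [f"account {a}: no master record" for a, _ in batch if a not in master]
    if errors:
        return master, errors
    updated = dict(master)
    for account, amount in batch:
        updated[account] += Decimal(amount)
    return updated, []


def output_controls(before: Dict[str, Decimal], after: Dict[str, Decimal], batch: Batch) -> List[str]:
    """Closing total must equal opening total plus the batch financial total."""
    delta = sum(after.values(), Decimal("0")) - sum(before.values(), Decimal("0"))
    expected = batch_totals(batch)["financial_total"]
    return [] if delta == expected else [f"output delta {delta} != input total {expected}"]


def run_batch(batch: Batch, slip: Dict[str, object], master: Dict[str, Decimal]):
    """Returns (master file after the run, run log). A failure at any stage
    leaves the master file untouched."""
    errors = input_controls(batch, slip)
    if errors:
        return master, {"stage": "input", "errors": errors}
    updated, errors = processing_controls(batch, master)
    if errors:
        return master, {"stage": "processing", "errors": errors}
    errors = output_controls(master, updated, batch)
    if errors:
        return master, {"stage": "output", "errors": errors}
    return updated, {"stage": "complete", "errors": []}


if __name__ == "__main__":
    print(run_batch(BATCH, CONTROL_SLIP, MASTER)[1])
    print(run_batch([("10010", "100.00")] + BATCH[1:], CONTROL_SLIP, MASTER)[1])   # mistyped account
```

Amounts are handled as Decimal, not float, so the financial total reconciles exactly; and the control slip is keyed by a second person, which is the segregation of functions listed under administrative controls applied to data entry.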
