Ethics, Privacy and Information Security
Ethics: deals with what is considered to be right and wrong
Code of Ethics: a collection of principles that are intended to guide decision making by members of an organization.
Fundamental Tenets of Ethics
Responsibility: means that you accept the consequences of your decisions and actions.
Accountability: a determination of who is responsible for actions that were taken
Liability: a legal concept meaning that individuals have the right to recover the damages done to them by other individuals, organizations, or systems
Consider the following decisions:
Should organizations monitor employees’ Web surfing?
Should organizations sell customers’ information to other companies?
Should organizations audit employees’ computers for unauthorized software or illegally downloaded music or video files?
The Four Categories of Ethical Issues
1. Privacy Issues
involve collecting, storing and disseminating information about individuals
Privacy is the right to be left alone and to be free of unreasonable personal intrusions.
Information Privacy: the right to determine when, and to what extent, information about yourself can be gathered and/or communicated
The right of privacy is not absolute.
• Your privacy must be balanced against the needs of society.
• The public’s right to know is superior to the individual’s right of privacy.
2. Accuracy Issues
involve the authenticity, fidelity and accuracy of information that is collected and processed
3. Property Issues
involve the ownership and value of information.
4. Accessibility Issues
revolve around who should have access to information and whether they should have to pay for this access.
Threats to Privacy
Data aggregators: companies that collect public data (e.g., real estate records, telephone numbers) and nonpublic data (e.g., social security numbers, financial data, police records, motor vehicle records) and integrate them to produce digital dossiers
Digital dossiers: an electronic description of you and your habits
Profiling: use of computers to combine data from multiple sources and create digital dossiers of detailed information on individuals
Electronic Surveillance: the tracking of people’s activities, online or offline, with the aid of computers.
• Cookies
• URL filtering
Privacy Codes and Policies: an organization’s guidelines with respect to protecting the privacy of customers, clients, and employees.
Opt-out Model: informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected.
Opt-in Model: informed consent means that organizations are prohibited from collecting any personal information unless the customer specifically authorizes it.
P3P (Platform for Privacy Preferences Project)
• Industry standard designed to give users more control over personal information
3.2 Threats to Information Security
Security: the degree of protection against criminal activity, danger, damage and loss.
Information Security: all the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification or destruction.
Today’s interconnected, interdependent, wirelessly-networked business environment
untrusted network: any network external to your organization
Smaller, faster, cheaper computers and storage devices (flash drives)
Decreasing skills necessary to be a computer hacker
International organized crime turning to cybercrime
iDefense
Downstream liability
occurs when Company A’s systems are attacked and taken over by the perpetrator. Company A’s systems are then used to attack Company B. Company A could be sued successfully by Company B, if Company A cannot prove that it exercised due diligence in securing its systems
Due diligence means that a company takes all necessary security precautions, as judged by commonly accepted best practices.
Key Information Security Terms
Threat: any danger to which a system may be exposed
Exposure: the harm, loss or damage that can result if a threat compromises that resource
Vulnerability: the possibility that the system will suffer harm by a threat
Risk: the likelihood that a threat will occur
Information system controls: the procedures, devices, or software aimed at preventing a compromise to the system.
Categories of Threats to Information Systems
Unintentional acts
Human errors
Tailgating: it occurs when an unauthorized person slips in through a door before it closes
Shoulder surfing: it occurs when the attacker watches another person’s computer screen over that person’s shoulder
Carelessness with laptops and portable computing devices
Opening questionable e-mails
Careless Internet surfing
Poor password selection
Social Engineering: an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential information such as passwords
Reverse Social Engineering: the employees approach the attacker
Social Data Mining / Buddy Mining: the attacker seeks to learn who knows whom in an organization and how.
Natural disasters
Floods, earthquakes
Lightning, tornadoes
Technical failures
Crash of a hard disk drive
Software bugs
Management failures
Lack of funding
Lack of leadership
Deliberate acts
Espionage or trespass: occurs when an unauthorized individual attempts to gain illegal access to organizational information
Information extortion: occurs when an attacker either threatens to steal or actually steals information from a company
Sabotage or vandalism: defacing an organization's website
Theft of equipment or information
Pod slurping: perpetrator plugs portable device into a USB port in a computer and downloads sensitive information
Dumpster diving: rummaging through commercial or residential trash to find information that has been discarded
Identity theft: assumption of another person’s identity, usually to gain access to their financial information or to frame them for a crime
Compromises to Intellectual Property (IP)
Trade secret: an intellectual work, such as a business plan, that is a company secret and not based on public information
Patent: a document that grants the holder exclusive rights on an invention or process for 20 years.
Copyright: a statutory grant that provides the creator of IP with ownership of the property for the life of the creator plus 70 years
Piracy: the illegal copying of software
Software attacks
Virus: a segment of computer code that performs malicious actions by attaching to another computer program.
Worm: a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program
Trojan horse: a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send it to the creator of the Trojan horse.
Logic Bomb: a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time and date.
Alien Software
• Keystroke loggers: record your keystrokes and your Web browsing history
• Screen scrapers: record a continuous “movie” of what you do on a screen
Spamware: alien software that is designed to use your computer as a launchpad for spammers. Spam is unsolicited (unwanted) e-mail
Cookies
3.3 Protecting Information Resources
Risk: the probability that a threat will impact an information resource
Risk management: to identify, control and minimize the impact of threats.
Risk analysis: to assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.
Risk mitigation: is when the organization takes concrete actions against risk. It has two functions:
(1) implement controls to prevent identified threats from occurring
(2) develop a means of recovery should the threat become a reality
Risk Acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Risk limitation: Limit the risk by implementing controls that minimize the impact of threat.
Risk transference: Transfer the risk by using other means to compensate for the loss, such as purchasing insurance and having off-site backups
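A worked risk analysis following the steps above, added here as an illustration and not part of the original notes. All asset values, probabilities, control costs and the 90% insurance cover are constructed figures, and the yearly-total comparison is one common way to weigh the three strategies.

```python
# Constructed figures for illustration only; none come from the notes.
# Each option: (strategy, yearly cost of the option,
#               yearly probability of compromise with the option in place,
#               fraction of the asset's value still lost if compromised)
ASSETS = {
    "customer database": {
        "value": 200_000,
        "options": [
            ("acceptance",   0,     0.10, 1.0),  # no controls, absorb damages
            ("limitation",   5_000, 0.02, 1.0),  # control lowers the likelihood
            ("transference", 8_000, 0.10, 0.1),  # insurance covers 90% of loss
        ],
    },
    "lobby kiosk": {
        "value": 10_000,
        "options": [
            ("acceptance",   0,     0.05, 1.0),
            ("limitation",   2_000, 0.01, 1.0),
            ("transference", 1_200, 0.05, 0.1),
        ],
    },
}

def total_cost(value, option):
    """Cost of protecting plus the probable cost of being compromised."""
    _, yearly_cost, probability, loss_fraction = option
    return yearly_cost + value * probability * loss_fraction

def analyse(asset):
    """Return [(yearly total, strategy), ...] sorted from cheapest to dearest."""
    return sorted((total_cost(asset["value"], o), o[0]) for o in asset["options"])

def recommend(assets):
    """Pick the cheapest strategy per asset; a control is cost effective
    only if it beats simply accepting the risk."""
    return {name: analyse(asset)[0][1] for name, asset in assets.items()}

if __name__ == "__main__":
    for name, asset in ASSETS.items():
        print(name)
        for total, strategy in analyse(asset):
            print(f"  {strategy:<13}{total:>10,.0f} per year")
    print(recommend(ASSETS))
```

For the low-value kiosk every control costs more than the expected loss it removes, so acceptance wins; for the database the same comparison favours limitation.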
Controls
Controls evaluation
Is the control cost effective?
Physical controls: physical protection of computer facilities and resources (Guards, doors, alarm systems)
Access controls: restriction of unauthorized user access to computer resources
Communications (network) controls: protect the movement of data across networks and include border security controls, authentication and authorization.
Application controls: protect specific applications
Communication / Network Controls
Whitelisting: a process in which a company identifies the software that it will allow to run and does not try to recognize malware
Blacklisting: a process in which a company allows all software to run unless it is on the blacklist
Intrusion detection systems: designed to detect all types of malicious network traffic and computer usage that cannot be detected by a firewall
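The whitelisting and blacklisting definitions above differ in what happens to software that is on neither list. The following added example (not part of the original notes) shows both decisions side by side; identifying programs by SHA-256 hash is an assumption, and the program names and contents are constructed.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for program files: name -> file contents.
APPROVED = {
    "payroll.exe": b"payroll build 4.2",
    "browser.exe": b"browser build 118",
}
KNOWN_MALWARE = {"old_worm.exe": b"worm sample already catalogued"}

# Assumption: programs are identified by the SHA-256 hash of their contents.
WHITELIST = {sha256(d) for d in APPROVED.values()}
BLACKLIST = {sha256(d) for d in KNOWN_MALWARE.values()}

def blacklisting_allows(data: bytes) -> bool:
    """Default allow: run everything except what is on the blacklist."""
    return sha256(data) not in BLACKLIST

def whitelisting_allows(data: bytes) -> bool:
    """Default deny: run only what the company has identified as allowed."""
    return sha256(data) in WHITELIST

def compare(programs: dict) -> dict:
    """Return {name: (blacklisting decision, whitelisting decision)}."""
    return {name: (blacklisting_allows(d), whitelisting_allows(d))
            for name, d in programs.items()}

# Constructed test set: an approved program, catalogued malware, malware that
# no list has seen yet, and an approved program whose bytes were modified.
PROGRAMS = {
    "payroll.exe": APPROVED["payroll.exe"],
    "old_worm.exe": KNOWN_MALWARE["old_worm.exe"],
    "new_variant.exe": b"worm sample nobody has catalogued",
    "payroll.exe (modified)": APPROVED["payroll.exe"] + b"\x90",
}

if __name__ == "__main__":
    print(f"{'program':<24}{'blacklisting':<14}whitelisting")
    for name, (bl, wl) in compare(PROGRAMS).items():
        print(f"{name:<24}{'run' if bl else 'block':<14}{'run' if wl else 'block'}")
```

Only the whitelist stops the uncatalogued variant and the modified copy of an approved program, which is why whitelisting does not need to recognize malware.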
How Digital Certificates Work
Digital Certificate: an electronic document attached to a file certifying that the file is from the organization that it claims to be from and has not been modified from its original format
Certificate authorities: trusted intermediaries between two organizations, issue digital certificates
Virtual private networking (VPN): a private network that uses a public network (usually the Internet) to connect users
Secure Socket Layer (SSL), now called Transport Layer Security (TLS): an encryption standard used for secure transactions such as credit card purchases and online banking.
Vulnerability management systems: (also called security on demand) extend the security perimeter that exists for the organization’s managed devices, to unmanaged, remote devices.
Information Systems Auditing
Information systems auditing: independent or unbiased observers are tasked with ensuring that information systems work properly.
Audit: Examination of information systems, their inputs, outputs and processing.
Types of Auditors and Audits:
• Internal: Performed by corporate internal auditors.
• External: Reviews internal audit as well as the inputs, processing and outputs of information systems.