Chapter 3 - Outline


Presentation Transcript


  1. Chapter 3 - Outline
     - Lessons from TJX
     - Ethics & Privacy issues in use of IT
     - Information Security
     - Vulnerability
     - Software attacks
     - Risk management
     - Protecting information assets
  2. Ethics & Information Technology
     - IT use and ethical issues
     - Data collection and storage: how much, how long, where
     - Networked systems: distributed data & responsibilities
     - IT use for all business activities
  3. Ethical Issues
     - Ethics: a branch of philosophy that deals with what is considered to be right and wrong
     - Code of Ethics: a collection of principles that are intended to guide decision making by members of an organization
     - What is unethical is not necessarily illegal
  4. Fundamental Tenets of Ethics
     - Responsibility: accept the consequences of your decisions and actions
     - Accountability: a determination of who is responsible for actions that were taken
     - Liability: a legal concept meaning that individuals have the right to recover the damages done to them by other individuals, organizations, or systems
  5. The Four Categories of Ethical Issues
     - Privacy issues: collecting, storing and disseminating information about individuals
     - Accuracy issues: the authenticity, fidelity and accuracy of information that is collected and processed
     - Property issues: the ownership and value of information
     - Accessibility issues: who should have access to information and whether they should have to pay for this access
  6. Privacy
     - Privacy: the right to be left alone and to be free of unreasonable personal intrusions
     - Court decisions have followed two rules:
       - The right of privacy is not absolute; your privacy must be balanced against the needs of society
       - The public's right to know is superior to the individual's right of privacy
     - Some threats to information privacy:
       - Data aggregators, digital dossiers, and profiling
       - Personal information in databases
       - Information on Internet bulletin boards, newsgroups, and social networking sites
  7. Threats to Privacy
     - Data aggregators: companies that collect public data (e.g., real estate records, telephone numbers) and nonpublic data (e.g., social security numbers, financial data, police records, motor vehicle records) and integrate them to produce digital dossiers
     - Digital dossier: an electronic description of you and your habits
     - Profiling: the process of creating a digital dossier
  8. Personal Information in Databases
     - Banks
     - Utility companies
     - Government agencies
     - Credit reporting agencies
  9. Social Networking Sites & Postings
     - Problems caused by postings:
       - Anyone can post derogatory information about you anonymously
       - You can also hurt your professional opportunities by your postings
     - What you can do:
       - Be careful what information you post on social networking sites
       - Some companies (e.g., ReputationDefender) say they can remove derogatory information from the Web
  10. Protecting Privacy – Organizational Responsibility?
     - Privacy codes and policies
     - Opt-out model: informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected
     - Opt-in model: informed consent means that organizations are prohibited from collecting any personal information unless the customer specifically authorizes it; preferred by privacy advocates
  11. Factors Increasing the Threats to Information Security
     - Today's interconnected, interdependent, wirelessly-networked business environment
     - Government legislation
     - Smaller, faster, cheaper computers and storage devices
     - Decreasing skills necessary to be a computer hacker
  12. Factors Increasing the Threats to Information Security (continued)
     - International organized crime turning to cybercrime
     - Downstream liability: occurs when Company A's systems are attacked and taken over by the perpetrator, and Company A's systems are then used to attack Company B. Company A could be sued successfully by Company B if Company A cannot prove that it exercised due diligence in securing its systems
     - Increased employee use of unmanaged devices
     - Lack of management support
     - Insufficient funding, technological obsolescence, and lack of attention
  13. Key Information Security Terms
     - Threat: any danger to which a system or an information resource may be exposed
     - Exposure: the harm, loss or damage that can result if a threat compromises that resource
     - Vulnerability: a weakness in the system that makes it possible for a threat to cause that harm
     - Risk: the likelihood that a threat will occur and cause the exposure; in practice it is weighed as likelihood together with the size of the potential loss (compare the definition on slide 22)
     - Information system controls: the procedures, devices, or software aimed at preventing a compromise to the system
  14. Security Threats (Figure 3.1)
  15. Categories of Threats to Information Systems
     - Unintentional acts
     - Natural disasters
     - Technical failures
     - Management failures
     - Deliberate acts
     (from Whitman and Mattord, 2003)
  16. Unintentional Acts
     - Human errors:
       - Tailgating
       - Shoulder surfing
       - Carelessness with laptops and portable computing devices
       - Opening questionable e-mails
       - Careless Internet surfing
       - Poor password selection and use
     - Deviations in quality of service by service providers (e.g., utilities)
     - Environmental hazards (e.g., dirt, dust, humidity)
  17. Social Engineering
     - Social engineering is an attack in which the attacker uses social skills to trick a legitimate employee into providing confidential company information such as passwords
     - The employee's lapse is an unintentional human error, but it is induced by a deliberate action on the part of the attacker
     - Kevin Mitnick served several years in a federal prison; upon his release he opened his own consulting firm, advising companies on how to deter people like him
  18. Deliberate Acts
     - Espionage or trespass: competitive intelligence consists of legal information-gathering techniques; industrial espionage crosses the legal boundary
     - Information extortion
     - Sabotage or vandalism
     - Theft of equipment or information (for example, dumpster diving)
  19. Software Attacks
     - Virus: a segment of computer code that performs malicious actions by attaching itself to another computer program
     - Worm: a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program
     - Trojan horse: a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers) and send it to the creator of the Trojan horse
     - Logic bomb: a segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action at a certain time and date
  20. Software Attacks (continued)
     - Phishing attacks: use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages
     - Distributed denial-of-service (DDoS) attacks: the attacker first takes over many computers, called zombies or bots. Together these bots form a botnet, which is used to send massive numbers of requests to web servers to overwhelm them. The flood is sometimes only a prelude to, or cover for, a more serious crime such as stealing data
  21. Alien Software
     - Spyware: collects personal information about users without their consent
       - Keystroke loggers record your keystrokes (many also record your Web browsing history)
       - Screen scrapers record a continuous "movie" of what you do on a screen
     - Spamware: alien software designed to use your computer as a launchpad for spammers
     - Cookies: small amounts of information that Web sites store on your computer. Cookies are data rather than executable software, but they are grouped here because they can be used to track users across visits
  22. Risk Management
     - Risk: the probability that a threat will impact an information resource
     - Risk management: to identify, control and minimize the impact of threats
     - Risk analysis: to assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable cost of its being compromised with the cost of protecting it
     - Risk mitigation: when the organization takes concrete actions against risk:
       - Implement controls to prevent identified threats from occurring
       - Develop means of recovery should the threat become a reality
  23. Risk Optimization (figure from Spies Among Us by Ira Winkler, page 37, Figure 2.3): spending on controls is justified only up to the point where the total of control cost and remaining expected loss is lowest; beyond it, each further control costs more than the loss it prevents
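The risk analysis on slide 22 and the optimization idea on slide 23 can be carried through numerically. The following Python is an added example, not part of the slides or the textbook: it computes the single and annual loss expectancy for one asset and one threat, the residual loss with each candidate control in place, and picks the option with the lowest total cost (control spend plus residual expected loss), which is the low point of the optimization curve. The asset value, incident rate and control figures are constructed for illustration, and "accepting the risk" is kept as an explicit option so that a control can lose to doing nothing.

```python
# Added example (not from the slides): quantitative risk analysis as slide 22 describes it,
# asset value x fraction lost per incident x expected incidents per year, compared with the
# annual cost of each candidate control. All asset, threat and control figures are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                 # value of the information resource, in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float       # fraction of the asset's value lost in one incident (0..1)
    annual_rate: float           # expected incidents per year (annualized rate of occurrence)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float               # what it costs to run the control for a year
    rate_reduction: float = 0.0      # fraction by which it lowers the incident rate (prevention)
    exposure_reduction: float = 0.0  # fraction by which it lowers the loss per incident (recovery)


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Cost of one compromise of the asset by this threat."""
    return asset.value * threat.exposure_factor


def annual_loss_expectancy(asset: Asset, threat: Threat, control: Optional[Control] = None) -> float:
    """Expected yearly loss, with or without a control in place."""
    rate, ef = threat.annual_rate, threat.exposure_factor
    if control is not None:
        rate *= 1.0 - control.rate_reduction
        ef *= 1.0 - control.exposure_reduction
    return asset.value * ef * rate


def total_cost(asset: Asset, threat: Threat, control: Optional[Control]) -> float:
    """The quantity the risk-optimization curve plots: residual expected loss plus control cost."""
    if control is None:
        return annual_loss_expectancy(asset, threat)      # accept the risk, spend nothing
    return annual_loss_expectancy(asset, threat, control) + control.annual_cost


def choose_control(asset: Asset, threat: Threat, controls: list) -> Optional[Control]:
    """Lowest total cost wins; None means accepting the risk is the cheapest option."""
    options = [None] + list(controls)
    return min(options, key=lambda c: total_cost(asset, threat, c))


# Constructed figures for illustration only.
CUSTOMER_DB = Asset("customer database", value=2_000_000)
BREACH = Threat("external data breach", exposure_factor=0.25, annual_rate=0.2)
CONTROLS = [
    Control("encrypt data at rest", annual_cost=40_000, exposure_reduction=0.8),
    Control("enterprise DLP suite", annual_cost=150_000, rate_reduction=0.9),
    Control("staff awareness training", annual_cost=5_000, rate_reduction=0.1),
]

if __name__ == "__main__":
    print(f"SLE = {single_loss_expectancy(CUSTOMER_DB, BREACH):,.0f}")
    print(f"ALE with no control = {annual_loss_expectancy(CUSTOMER_DB, BREACH):,.0f}")
    for c in CONTROLS:
        print(f"{c.name:28s} total cost = {total_cost(CUSTOMER_DB, BREACH, c):,.0f}")
    best = choose_control(CUSTOMER_DB, BREACH, CONTROLS)
    print("best option:", best.name if best else "accept the risk")
```

With these numbers the expected loss without controls is 100,000 a year. Encryption brings total cost to 60,000 and wins; the DLP suite prevents the most incidents but its 150,000 price makes it worse than doing nothing, and the cheap training barely moves the curve. That is the comparison slide 22 asks for, done per control rather than as a yes/no question.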
  24. Controls
     - Physical controls
     - Access controls: restriction of unauthorized user access to computer resources; biometrics and password controls for user identification
     - Communications (network) controls
     - Application controls
  25. Where Defense Mechanisms (Controls) Are Located
  26. Access Controls
     - Something the user is: also known as biometrics, these access controls examine a user's innate physical characteristics
     - Something the user has: regular ID cards, smart cards, and tokens
     - Something the user does: voice and signature recognition
     - Something the user knows: passwords and passphrases
     - Strong (multifactor) authentication requires proof from at least two of these categories, so that a stolen password alone is not enough
  27. Communication or Network Controls
     - Firewalls: a system that enforces an access-control policy between two networks
     - Anti-malware systems
     - Whitelisting (allow only what is explicitly listed) & blacklisting (block only what is explicitly listed)
     - Intrusion detection systems: designed to detect malicious network traffic and computer usage that a firewall's access-control policy does not block
     - Encryption
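The firewall definition and the whitelisting/blacklisting bullet on slide 27 are easiest to see side by side. The following Python is an added example, not from the slides: a first-match rule evaluator with an explicit default action, loaded once with a whitelist policy (allow only listed services, default deny) and once with a blacklist policy (block only listed sources and ports, default allow), then run over the same constructed traffic. Addresses come from the RFC 5737 documentation ranges; the network layout and flows are assumptions made for the example.

```python
# Added example (not from the slides): a firewall as "a system that enforces an access-control
# policy between two networks", evaluated first-match with an explicit default. WHITELIST and
# BLACKLIST contrast the two approaches named on the slide. Addresses are RFC 5737 documentation
# ranges; the layout and the traffic are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))


@dataclass(frozen=True)
class Policy:
    name: str
    rules: List[Rule]
    default: str                 # applied when no rule matches

    def decide(self, flow: Flow) -> str:
        """First matching rule wins, so rule order is part of the policy."""
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action
        return self.default


# Assumed layout: internal network 192.0.2.0/24 with a public web server at .10;
# administrators connect from 203.0.113.0/28; 198.51.100.0/24 is a known-bad network.
WHITELIST = Policy("whitelist", default="deny", rules=[
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),                      # public HTTPS
    Rule("allow", src="203.0.113.0/28", dst="192.0.2.0/24", proto="tcp", dport=22),  # admin SSH
])

BLACKLIST = Policy("blacklist", default="allow", rules=[
    Rule("deny", src="198.51.100.0/24"),       # block the known-bad network
    Rule("deny", proto="tcp", dport=23),       # no telnet anywhere
])

# Constructed traffic: a customer on HTTPS, an admin SSH session, a probe from the bad network
# against the web server, and an unexpected connection to a database port on an internal host.
FLOWS = [
    Flow("203.0.113.77", "192.0.2.10", "tcp", 443),
    Flow("203.0.113.5", "192.0.2.20", "tcp", 22),
    Flow("198.51.100.9", "192.0.2.10", "tcp", 443),
    Flow("203.0.113.77", "192.0.2.30", "tcp", 3306),
]


def compare(policies: List[Policy], flows: List[Flow]) -> List[dict]:
    """Decision of every policy for every flow, for side-by-side review."""
    return [{"flow": f, **{p.name: p.decide(f) for p in policies}} for f in flows]


if __name__ == "__main__":
    for row in compare([WHITELIST, BLACKLIST], FLOWS):
        f = row["flow"]
        print(f"{f.src:>14} -> {f.dst}:{f.dport:<5} "
              f"whitelist={row['whitelist']:5} blacklist={row['blacklist']}")
```

The last flow is the point: the whitelist denies the database connection because nobody listed it, while the blacklist lets it through because nobody thought to forbid it. Conversely the blacklist stops the probe from the known-bad network, which the whitelist allows because it is legitimate-looking HTTPS to the web server; that residue is the traffic slide 27 leaves to the intrusion detection system.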
  28. Public Key Encryption
  29. Digital Certificates
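Slides 28 and 29 are figure-only in the transcript. The following Python is an added example, not from the slides or the textbook, that works both figures through in code with textbook RSA: a certificate authority signs a server's public key into a certificate, a client that trusts only the CA's public key verifies the certificate (name, issuer and signature), and then encrypts a session key to the certified server key so that only the real server can recover it. The keys are built from small, well-known Mersenne primes so the block runs instantly; real deployments use random primes of about 1024 bits or more together with padded schemes (RSA-OAEP, RSA-PSS), and X.509 certificates carry far more than the fields used here. All names and the attacker's key are constructed.

```python
# Added example (not from the slides): public-key encryption and digital certificates in
# textbook RSA. Keys use small Mersenne primes for speed; this is not a secure parameter
# choice and there is no padding. CA name, hostnames and the attacker's key are constructed.
import hashlib
import secrets

E = 65537   # common public exponent; the primes below are chosen so gcd(E, phi(n)) == 1


def make_keypair(p: int, q: int):
    """Return (public, private) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)                  # private exponent: e*d == 1 (mod phi)
    return (n, E), (n, d)


def encrypt(pub, m: int) -> int:
    """Anyone holding the public key can encrypt; only the private key can undo it."""
    n, e = pub
    if not 0 < m < n:
        raise ValueError("message must be an integer in (0, n)")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    """Signing is the private-key operation applied to the hash of the data."""
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def cert_tbs(subject: str, pub, issuer: str) -> bytes:
    """Canonical 'to-be-signed' bytes: the name-to-key binding the CA vouches for."""
    return f"subject={subject};n={pub[0]};e={pub[1]};issuer={issuer}".encode()


def issue_cert(ca_name: str, ca_priv, subject: str, subject_pub) -> dict:
    return {"subject": subject, "pub": subject_pub, "issuer": ca_name,
            "sig": sign(ca_priv, cert_tbs(subject, subject_pub, ca_name))}


def verify_cert(cert: dict, expected_subject: str, ca_name: str, ca_pub) -> bool:
    """Client check: the right name, issued by a CA we trust, signature valid over the fields."""
    if cert["subject"] != expected_subject or cert["issuer"] != ca_name:
        return False
    return verify(ca_pub, cert_tbs(cert["subject"], cert["pub"], cert["issuer"]), cert["sig"])


def handshake(cert: dict, expected_subject: str, ca_name: str, ca_pub, server_priv):
    """Client verifies the certificate, then encrypts a fresh session key to the certified key.
    Returns (client_key, key_recovered_by_server), or None if the certificate is rejected."""
    if not verify_cert(cert, expected_subject, ca_name, ca_pub):
        return None
    session_key = 1 + secrets.randbelow(2**128 - 1)       # 128-bit key, never zero
    ciphertext = encrypt(cert["pub"], session_key)         # only the real server can open this
    return session_key, decrypt(server_priv, ciphertext)


CA_PUB, CA_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
SRV_PUB, SRV_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
ROGUE_PUB, ROGUE_PRIV = make_keypair(2**31 - 1, 2**61 - 1)   # attacker's key, not trusted

SERVER_CERT = issue_cert("Example Root CA", CA_PRIV, "shop.example.com", SRV_PUB)
# Same claimed issuer and subject, but binding the attacker's key and signed with the attacker's key.
FORGED_CERT = issue_cert("Example Root CA", ROGUE_PRIV, "shop.example.com", ROGUE_PUB)

if __name__ == "__main__":
    print("genuine cert verifies:", verify_cert(SERVER_CERT, "shop.example.com", "Example Root CA", CA_PUB))
    print("forged cert verifies: ", verify_cert(FORGED_CERT, "shop.example.com", "Example Root CA", CA_PUB))
    keys = handshake(SERVER_CERT, "shop.example.com", "Example Root CA", CA_PUB, SRV_PRIV)
    print("session key agreed:   ", keys is not None and keys[0] == keys[1])
```

The certificate solves the problem public-key encryption alone leaves open: the client has no way to know that a public key it receives really belongs to shop.example.com. Because the forged certificate was not signed by the trusted CA's private key, the client rejects it before encrypting anything, which is exactly the check that defeats an attacker who substitutes his own key.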
  30. Business Continuity Planning, Backup, and Recovery
     - Hot site: a fully configured computer facility, with all services, communications links, and physical plant operations
     - Warm site: provides many of the same services and options of the hot site, but typically does not include the actual applications the company runs
     - Cold site: provides only rudimentary services and facilities, and so does not supply computer hardware or user workstations
  31. Information Systems Auditing
     - Information systems auditing: examination of information systems, their inputs, outputs and processing to ensure that information systems work properly
     - Types of auditors and audits: internal & external
     - Auditing process:
       - Auditing around the computer means verifying processing by checking for known outputs from specific inputs
       - Auditing through the computer means inputs, outputs and processing are checked
       - Auditing with the computer means using a combination of client data, auditor software, and client and auditor hardware