Selected Issues in Information Technology LECTURE TEN

Page 1: Selected Issues in Information Technology  LECTURE TEN

Selected Issues in Information Technology

LECTURE TEN

Page 2: Selected Issues in Information Technology  LECTURE TEN

Computer security
Computer Fraud or Crime
Need for Controls
Ergonomics
Ethical responsibilities
◦ Privacy Issues and social challenges of Information Technology
IS management, and professionals and career paths

Page 3: Selected Issues in Information Technology  LECTURE TEN

What is Computer Security?
◦ Provision of Protection from Vandalism (Physical Security)
◦ Preserving data and protecting its validity as well as keeping the secrets secret
◦ Protection against data thieves and network attackers
◦ Considerations for business continuity
◦ Security is policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.

Page 4: Selected Issues in Information Technology  LECTURE TEN

Protect the confidentiality of data
◦ Confidentiality models are primarily intended to assure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible

Page 5: Selected Issues in Information Technology  LECTURE TEN

Preserve the integrity of data
◦ Integrity models keep data pure and trustworthy by protecting system data from intentional and accidental changes

Promote the availability of data for authorized use
◦ Availability models keep data and resources available for authorized use

Page 6: Selected Issues in Information Technology  LECTURE TEN

Three Security Goals: Related terms

Identification
◦ Who do you say you are?

Authentication
◦ How do I know it is really you?

Authorization
◦ Now that you are here, what are you allowed to do?

Accountability
◦ Who did what, and, perhaps, who pays the bill?

Page 7: Selected Issues in Information Technology  LECTURE TEN

Threat - a possible danger to the system, or an event that can cause harm or destruction to an asset. The harm is caused through the impacts of destruction, modification, disclosure and/or denial of service.
◦ Threats can be human-based, intentional or unintentional (internal or external).
◦ Threats can be natural events, such as floods or lightning.

Threats to computers and communications systems security include the following:
◦ Errors and Accidents
◦ Natural and other hazards
◦ Crime against computers and communications
◦ Worms and viruses

Page 8: Selected Issues in Information Technology  LECTURE TEN

In general, errors and accidents in computer systems may be classified as human errors, procedural errors, software errors, electromechanical problems, and "dirty data" problems.
◦ Human errors – unexpected things human beings do – unintended effects of technology.
◦ Procedural errors – failures occurring because the procedure is not followed.
◦ Software errors – failures due to software glitches or software bugs: errors in a program that make it not work properly.
◦ Electromechanical problems – errors in systems such as printers and circuit boards. They may be faultily constructed, get dirty or overheated, wear out, or become damaged – power surges can burn out equipment.
◦ Dirty data problems – entry of incomplete, outdated, or otherwise inaccurate data.

Page 9: Selected Issues in Information Technology  LECTURE TEN

Some disasters can wreck the entire system. Included are natural hazards, and civil strife and terrorism.
◦ Natural hazards: Include fires, floods, earthquakes, tornadoes, hurricanes, blizzards etc. They inflict damage over a wide area.
◦ Civil strife and terrorism: Included are wars, riots and terrorism damage that destroy systems.

Page 10: Selected Issues in Information Technology  LECTURE TEN

A computer crime has been defined by the United States Department of Justice as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation or prosecution.

Cyber Crime – Cybercrime is criminal activity done using computers and the Internet.

Netcrime refers to criminal exploitation of the Internet

Fraud occurs when an organization suffers intentional financial loss as a result of illegitimate actions within the organization.

Page 11: Selected Issues in Information Technology  LECTURE TEN

Typically, fraud is the theft of resources, usually financial, aided or concealed by manipulation of the financial records. Most companies have now adopted computerized accounting systems, and any manipulation of the financial records is likely to involve computer-processed data. In this note, the following are some of the well-known classifications of computer-related crimes:

Salami technique – this involves software manipulation for rounding off fractions such as on interest and payroll calculations and transferring the results to the perpetrator’s account.

Hacking – this is probably the most publicized computer crime. It involves obtaining illegal access to computer systems by cracking access codes.

Data diddling – this technique does not involve the computer itself but manipulations of input or output data.

Page 12: Selected Issues in Information Technology  LECTURE TEN

Money theft – ranging from complex organizational fraud to simple falsification of records that allow money to be misappropriated.

Service theft – use of computer services for one's personal benefit (for example, using computer time or storage files).

Data alteration – including illegally altering credit information, motor vehicle records, and even student grades.

Data destruction – deliberate destruction of files or databases of organizations or individuals.

Program and data theft – misappropriating programs and/or data for personal benefit (often involves trade secrets).

Page 13: Selected Issues in Information Technology  LECTURE TEN

Software theft - Computer programs are valuable property and thus are the subject of theft from computer systems. However, unauthorized copying of software, or software piracy, is also a major form of software theft.

Sabotage and Vandalism - are intentional damage to computer facilities. The crime is normally committed by people who are aggrieved and are seeking revenge. Such acts include pouring liquid onto the keyboard or printer, destroying a part of the system without which it cannot function properly, or planting a logic bomb/virus on computer software.

Virus – program that attaches itself to users' installed programs and propagates copies of itself to other programs.

Trojan horse – Program that contains unexpected additional functions, e.g. where a program is hidden within another program, often set up to erase all evidence of illegal access.

Page 14: Selected Issues in Information Technology  LECTURE TEN

Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do.
◦ Virus – program that attaches itself to users' installed programs and propagates copies of itself to other programs
◦ Worm – program that propagates copies of itself to other computers
◦ Trojan horse – program that contains unexpected additional functions, e.g. where a program is hidden within another program, often set up to erase all evidence of illegal access
◦ Logic bomb – triggers an action when a condition occurs
◦ Backdoor – program modification that allows unauthorized access to functionality
◦ Exploits – code specific to a single vulnerability or a set of vulnerabilities

Page 15: Selected Issues in Information Technology  LECTURE TEN

Controls are all methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of accounting records, and operational adherence to management standards.

The control systems should:
a. Prevent all possible erroneous and fraudulent data processing.
b. Detect the occurrence of such errors and fraud.
c. Minimize the extent of loss to the organization that arises.
d. Facilitate recovery from such losses, errors and frauds.
e. Provide a framework for investigating the cause of errors, how they can be effectively prevented from occurring, detected when they occur, and strategies for addressing them effectively.

Controls needed include: Procedure controls; physical facility controls; and information systems controls.

Page 16: Selected Issues in Information Technology  LECTURE TEN

Procedure controls - are methods that specify how an organization's computer and network resources should be operated for maximum security.
◦ Included are: the use of standard procedures and documentation; review of requests for systems development and program changes; disaster recovery procedures (plans); and controls for end-user computing.

Physical facility controls - are methods that protect organizational computing and network facilities and their content from loss or destruction. Included are network security; encryption; firewalls; biometrics; and computer failure controls.

Information systems controls - are methods and devices that attempt to ensure the accuracy and validity of information system activities. Included are proper data entry; processing techniques; storage methods; and information output.

Page 17: Selected Issues in Information Technology  LECTURE TEN

Need for Controls: Security Strategies

Defense in depth as a strategy
◦ Security implemented in overlapping layers that provide the three elements needed to secure assets: i. prevention, ii. detection, and iii. response
◦ The weaknesses of one security layer are offset by the strengths of two or more layers

Page 18: Selected Issues in Information Technology  LECTURE TEN

Prevention
◦ Means that an attack will fail
◦ E.g. If one tries to access a computer via the Internet but the computer is not connected, then the attack has been prevented.
◦ Prevention mechanisms can be so cumbersome that they result in denial of service
◦ One accepted preventive mechanism is the use of passwords. These prevent unauthorised users from accessing the system

Page 19: Selected Issues in Information Technology  LECTURE TEN

Detection
◦ It is useful where an attack cannot be prevented
◦ Detection mechanisms accept that an attack will occur and aim to monitor and report it
◦ Intrusion response requires careful thought and planning, e.g. a database/system administrator can be notified when a user enters a wrong password 3 times
◦ Intrusion detection is a form of auditing
  Anomaly detection looks for unexpected events
  Misuse detection looks for what is known to be bad
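The two detection styles named on this slide, as an added example that is not part of the lecture: a small Python auditor over constructed authentication log lines, where misuse detection flags the slide's three-wrong-passwords case and anomaly detection flags a successful login that departs from a constructed per-user baseline. The log format, the baseline, and the function names are all assumptions made for this example.

```python
"""Intrusion detection as auditing: misuse detection (known-bad signature) and
anomaly detection (deviation from a baseline) over authentication log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the lecture).
# Format per line: ISO timestamp, user, source host, outcome (OK or FAIL).
SAMPLE_LOG = """\
2024-03-01T09:02:11 alice ws-alice OK
2024-03-01T09:05:40 bob ws-bob OK
2024-03-01T09:07:02 bob ws-bob FAIL
2024-03-01T09:07:15 bob ws-bob FAIL
2024-03-01T09:07:31 bob ws-bob FAIL
2024-03-01T09:07:50 bob ws-bob OK
2024-03-01T14:20:05 carol ws-carol FAIL
2024-03-01T14:21:00 carol ws-carol OK
2024-03-02T03:14:09 alice ws-unknown OK
"""

# Constructed per-user baseline of what "expected" looks like: the hosts each
# account normally logs in from and the hours (start inclusive, end exclusive)
# during which it is normally active. A real system would learn this from history.
BASELINE = {
    "alice": {"hosts": {"ws-alice"}, "hours": (8, 18)},
    "bob":   {"hosts": {"ws-bob"},   "hours": (8, 18)},
    "carol": {"hosts": {"ws-carol"}, "hours": (8, 18)},
}


def parse_log(text):
    """Turn raw log lines into event dicts; malformed or empty lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, host, outcome = parts
        events.append({"time": datetime.fromisoformat(ts),
                       "user": user, "host": host, "outcome": outcome})
    return events


def misuse_detection(events, threshold=3):
    """Look for what is known to be bad: `threshold` consecutive failed
    passwords on one account, the case the slide uses to notify the admin."""
    consecutive_failures = defaultdict(int)
    alerts = []
    for e in events:
        if e["outcome"] == "FAIL":
            consecutive_failures[e["user"]] += 1
            if consecutive_failures[e["user"]] == threshold:
                alerts.append({"type": "misuse", "user": e["user"],
                               "time": e["time"].isoformat(),
                               "detail": f"{threshold} consecutive failed passwords"})
        else:
            consecutive_failures[e["user"]] = 0  # a success resets the counter
    return alerts


def anomaly_detection(events, baseline):
    """Look for the unexpected: a successful login from a host the account has
    never used, or outside the account's usual hours."""
    alerts = []
    for e in events:
        profile = baseline.get(e["user"])
        if e["outcome"] != "OK" or profile is None:
            continue
        reasons = []
        if e["host"] not in profile["hosts"]:
            reasons.append(f"unknown host {e['host']}")
        start, end = profile["hours"]
        if not start <= e["time"].hour < end:
            reasons.append(f"login at {e['time'].hour:02d}:00 outside {start:02d}-{end:02d}")
        if reasons:
            alerts.append({"type": "anomaly", "user": e["user"],
                           "time": e["time"].isoformat(), "detail": "; ".join(reasons)})
    return alerts


def audit(text, baseline=BASELINE):
    """Run both detectors over a log and return all alerts in time order."""
    events = parse_log(text)
    alerts = misuse_detection(events) + anomaly_detection(events, baseline)
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(f"[{alert['type']}] {alert['time']} {alert['user']}: {alert['detail']}")
```

Carol's single failure never reaches the threshold, so only Bob's third failure and Alice's 03:14 login from an unfamiliar host are reported.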

Page 20: Selected Issues in Information Technology  LECTURE TEN

Recovery
◦ It has two forms:
i. Stop an attack
ii. Repair any damage caused by an attack
◦ E.g. If an attacker deletes a file, it can be restored from backups
◦ Recovery is complex because the nature of attacks differs
◦ Recovery involves identifying and fixing the vulnerabilities used by the attacker to enter the system
◦ It can involve counter-attack or taking legal action

Page 21: Selected Issues in Information Technology  LECTURE TEN

Ergonomics: This involves whether the computer system “is human factor engineered”, i.e. created with the user in mind; if it is, it is user-friendly, designed to be safe, comfortable, and easy to use.

IT creates environmental and mental-health problems among other problems.

Environmental problems
◦ Manufacturing by-products: toxins from semiconductor industries causing harmful health effects
◦ Disposal of by-products: What to do with the hundreds of millions of obsolete or broken PCs, monitors, printers, cellphones, TVs, etc
◦ Electricity demand: The digital economy is putting a severe strain on electric utilities.
◦ Environmental blight: The visual pollution represented by the forest of wireless towers, roof antennas, satellite dishes, and electric poles etc.

Health problems and ergonomics
◦ Health matters include eyestrain and headaches, back and neck pains, repetitive strain injury to neck, wrist, hand etc and noise from printers.

Good ergonomic design considers tools, tasks, the work station, and environment.

Page 22: Selected Issues in Information Technology  LECTURE TEN

Tools include computer hardware and software. The tools' design should lead to reduced mechanical stress effects on human tissues.

Tasks are jobs. Jobs should be designed to accommodate job rotation, shifts and work breaks. The objective is to reduce employee contact time with computers.

Workstation and environment should be conducive to employee job performance.
◦ Working environment consideration should involve air-conditioning, heating, and ventilation.
◦ Lighting should also be adequate to avoid problems affecting the eyes.
◦ Workstation should be equipped with well-designed furniture with capability of adjustment when the user needs it, so as to work safely, comfortably and with ease.
◦ Work surfaces on which the devices that are used are placed should also be designed for end-user safety, comfort and ease of use.

Page 23: Selected Issues in Information Technology  LECTURE TEN


Ethics refers to the principles of right and wrong that individuals, acting as free moral agents, use to make choices to guide their behavior. What is unethical may not necessarily be illegal, and what is legal may not necessarily be ethical.

Ethics are based on cultural mores: relatively fixed moral attitudes or customs of a societal group

Laws are rules adopted and enforced by governments to codify expected behavior in modern society

Key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not

In law a man is guilty when he violates the rights of others. In ethics he is guilty if he only thinks of doing so.

—Immanuel Kant


Page 25: Selected Issues in Information Technology  LECTURE TEN

Information technology also raises ethical challenges that anyone using computer systems needs to be aware of.

Whether we are in an ethical crisis or not is a subject of debate. But what is not debatable is that we are in the midst of an information revolution, in which information technology has dramatically magnified our ability to acquire information.

As a future managerial end user, it will be your responsibility to make decisions about business activities and the use of IT, which may have an ethical dimension that must be considered.
◦ For example, should you electronically monitor your employees' work activities and electronic mail?
◦ Should you let employees use their work computers for private business or take home copies of software for their personal use?
◦ Should you electronically access your employees' personnel records or workstation files?
◦ Should you sell customer information extracted from transaction processing systems to other companies?

Page 26: Selected Issues in Information Technology  LECTURE TEN

The use of information technology in business has major impacts on society, and thus raises serious ethical considerations in areas such as privacy, crime, health, working conditions, individuality, employment, and the search for societal solutions through IT.

For example, computerizing a production process may have the adverse effect of eliminating jobs, and the beneficial effect of improving the working conditions and job satisfaction of the employees that remain, while producing products of higher quality at less cost.

Another way to understand the ethical dimensions of IT is to consider the basic ethical issues that arise from its use to gather, process, store, and distribute information.

Page 27: Selected Issues in Information Technology  LECTURE TEN

Richard Mason has posed four basic ethical issues that deal with the vulnerability of people to this aspect of information technology. It is based on the concept of information as the intellectual capital of individual human beings.

However, information systems can rob people of their intellectual capital. For example, people's information can be used without compensation and without their permission. People can also be denied access to information or be exposed to erroneous information.

The widespread use of the Internet by businesses and consumers has brought many of these issues to the forefront. Mason summarizes these four ethical issues with the acronym PAPA: privacy, accuracy, property, and accessibility.

a) Privacy – what information about one's self or one's associations must a person reveal to others, under what conditions and with what safeguards? What things can people keep to themselves and not be forced to reveal to others?

Page 28: Selected Issues in Information Technology  LECTURE TEN


b) Accuracy. Who is responsible for the authenticity, fidelity and accuracy of information? Similarly, who is to be held accountable for errors in information and how is the injured party to be made whole?

c) Property. Who owns information? What are the just and fair prices for its exchange? Who owns the channels, especially the airways, through which information is transmitted? How should access to these scarce resources be allocated?

d) Accessibility. What information does a person or an organization have a right or a privilege to obtain, under what conditions, and with what safeguards?

Page 29: Selected Issues in Information Technology  LECTURE TEN

A frequent criticism of information technology concerns its negative effect on the individuality of people. Computer-based systems are criticized as impersonal systems that dehumanize and depersonalize activities that have been computerized.

However, the widespread use of personal computers and the Internet has dramatically improved the development of people-oriented end user and workgroup information systems. Even everyday products and services have been improved through microprocessor-powered “smart” products.

The power of information technology to store and retrieve information can have a negative effect on the right to privacy of every individual; for example, confidential e-mail messages by employees are monitored by many companies. Personal information is being collected about individuals every time they visit a site on the World Wide Web.

Confidential information on individuals contained in centralized computer databases by credit bureaus, government agencies and private business firms has been stolen or misused, resulting in the invasion of privacy, fraud and other injustices. The unauthorized use of such information has seriously damaged the privacy of individuals. Errors in such databases could seriously hurt the credit standing or reputation of an individual.

Page 30: Selected Issues in Information Technology  LECTURE TEN

Privacy is the power to control what other people know about you:
◦ Information about you that has been revealed to the public (poorly protected).
◦ Information about you that has been kept private (quite well protected).

Privacy rights are not explicitly secured in the Constitution or the Bill of Rights. They are usually derived from the right against unreasonable searches and seizures.

Page 31: Selected Issues in Information Technology  LECTURE TEN

Societal and technological advances have changed the nature of privacy in three ways:
◦ Scale of information gathered.
◦ Kind of information gathered.
◦ Scale of exchange of information gathered.

“We can collect, store, manipulate, exchange, and retain practically infinite quantities of data.”

– ‘Computer Ethics’, Deborah G. Johnson, 2001

Page 32: Selected Issues in Information Technology  LECTURE TEN

Is our society turning into ‘Big Brother’?
◦ Huge quantities of personal information are stored in multiple government and corporate databases.
◦ Abuses of private data are not unheard of.
◦ Many examples of unauthorized intrusions (hacking) into government and private databases containing names, addresses, credit card numbers, SSNs, medical information, etc.
◦ Many examples of hacking into PCs.
◦ Trojans, keystroke loggers, spyware etc.

“As automation increasingly invades modern life, the potential for Orwellian mischief grows.” – Supreme Court Justice Ginsberg.

Page 33: Selected Issues in Information Technology  LECTURE TEN

What information is out there about you?
◦ Financial data: bank transactions, credit history, mortgage, salary etc.
◦ Interaction with government(s): SSN (PIN), driver’s license, taxes, visa applications, criminal record.
◦ Medical information: medical history, doctor’s visits, medication, operations, health issues.
◦ Communications data: landline and cell phone usage (including location!), e-mail messages, websites visited, online shopping.
◦ Financial transactions: credit card transactions, purchases (often with details), deposits and withdrawals etc.
◦ Travel details: places visited, means of transportation, routes etc.
◦ Miscellaneous: All sorts of other info, including reading habits, hobbies etc.

Page 34: Selected Issues in Information Technology  LECTURE TEN

What could all this information reveal?
◦ Your whereabouts over different periods of time (hours, days, months, years).
◦ Your financial situation.
◦ Your personal life.
◦ Your daily habits and routine.
◦ Your preferences, likes and dislikes.

If all the data were centrally collected it would be SCARY!!!

Page 35: Selected Issues in Information Technology  LECTURE TEN

Much has been done to protect privacy – legislation, advocacy and practical measures.

Privacy legislation:
◦ Fair Credit Reporting Act of 1970
◦ Privacy Act of 1974
◦ Privacy Protection Act of 1980
◦ Electronic Communications Privacy Act of 1986
◦ Right to Financial Privacy Act
◦ Federal Records Act
◦ Health Information Portability and Accountability Act (HIPAA) of 1996
◦ Gramm-Leach-Bliley Act of 1999
◦ Myriad state privacy laws (California’s SB 1386 Privacy Law)

Page 36: Selected Issues in Information Technology  LECTURE TEN

Key Privacy Issues (reflected in most privacy laws):
◦ Databases or data collection should not exist in secret.
◦ Individuals must be able to find out what information is being stored about them and how it is being used.
◦ Individuals should be able to prevent information stored for one purpose being used for another.
◦ Individuals should be able to correct inaccurate information stored about them.
◦ Organizations collecting information must make efforts to check the reliability of their information and prevent its misuse.

Page 37: Selected Issues in Information Technology  LECTURE TEN

There has always been a delicate balance between privacy and security.

The balance has to be re-negotiated whenever political, societal or technological factors change.

Government measures to improve security include:
◦ Legislation
◦ Increased surveillance of communications and public places
◦ Collection of personal information from multiple government and private databases in search of terrorist patterns.
◦ Terrorist Watch Lists

Are these measures eroding civil liberties and freedom? Congressional and public opposition.

Page 38: Selected Issues in Information Technology  LECTURE TEN

Terrorists have the upper hand on the Internet – anonymity (re-mailer, encryption, steganography).

Terrorists use the Internet (and other communications systems) to recruit, spread propaganda, plan and coordinate attacks, and, perhaps soon, to launch attacks.

Criminals (and organized crime groups) use the same security holes to commit fraud, identity theft, and other online offenses.

Collecting data has other benefits, such as improving government efficiency and services, or private sector services, and fighting crime.

Page 39: Selected Issues in Information Technology  LECTURE TEN

Who cares whether this data is stored about me if I haven’t done anything wrong?
◦ Out of principle, people have a right to privacy in a free society.
◦ The information could be accessed by unauthorized people/organizations.
◦ The information could be altered.
◦ Many important decisions are made every year based on this information (loans, credit cards, mortgages, employment, housing, health care, law enforcement, national security).
◦ Personal privacy fosters trusting relationships.

Page 40: Selected Issues in Information Technology  LECTURE TEN

So much data is already collected – can we build in safeguards that let us use it AND protect our freedoms?
◦ Legislation – would harmonizing state laws (and international privacy laws) offer additional safeguards?
◦ Technology – cryptography can help protect some sensitive online transactions and data, anonymizers can protect one’s online identity, and security tools can block access to databases.
◦ Responsible government – in times of crisis, people look to government for leadership. Government must act responsibly and not abuse power. Oversight to ensure they don’t!

Page 41: Selected Issues in Information Technology  LECTURE TEN


Key difference between policy and law is that ignorance of policy is an acceptable defense; therefore policies must be:

◦Distributed to all individuals who are expected to comply with them

◦Readily available for employee reference

◦Easily understood, with multilingual translations and translations for visually impaired or low-literacy employees

◦Acknowledged by the employee, usually by means of a signed consent form

Page 42: Selected Issues in Information Technology  LECTURE TEN

The information security student is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework

However, those employed in the area of information security may be expected to be more articulate about the topic than others in the organization

◦Often must withstand a higher degree of scrutiny

Page 43: Selected Issues in Information Technology  LECTURE TEN

◦ Thou shalt not use a computer to harm other people
◦ Thou shalt not interfere with other people's computer work
◦ Thou shalt not snoop around in other people's computer files
◦ Thou shalt not use a computer to steal
◦ Thou shalt not use a computer to bear false witness
◦ Thou shalt not copy or use proprietary software for which you have not paid
◦ Thou shalt not use other people's computer resources without authorization or proper compensation
◦ Thou shalt not appropriate other people's intellectual output
◦ Thou shalt think about the social consequences of the program you are writing or the system you are designing
◦ Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
◦ NB: Read on IT Code of Ethics (BY SANS).

Page 44: Selected Issues in Information Technology  LECTURE TEN

Studies reveal that individuals of different nationalities have different perspectives on the ethics of computer use

Difficulties arise when one nationality’s ethical behavior does not correspond to that of another national group

Differences in computer use ethics are not exclusively cultural
◦ Found among individuals within the same country, same social class, same company

Key studies reveal that the overriding factor in leveling ethical perceptions within a small population is education

Page 45: Selected Issues in Information Technology  LECTURE TEN

Employees must be trained and kept up to date on information security topics, including the expected behaviors of an ethical employee

Responsibility of information security personnel to do everything in their power to deter unethical and illegal acts, using policy, education, training, and technology as controls or safeguards to protect the information and systems

Many security professionals understand technological means of protection but underestimate the value of policy

Page 46: Selected Issues in Information Technology  LECTURE TEN

Three general categories of unethical behavior that organizations and society should seek to eliminate:
◦ Ignorance
◦ Accident
◦ Intent

Deterrence is the best method for preventing an illegal or unethical activity
◦ Example: laws, policies, and technical controls

Page 47: Selected Issues in Information Technology  LECTURE TEN


Generally agreed that laws, policies and their associated penalties only deter if three conditions are present:

◦Fear of penalty

◦Probability of being caught

◦Probability of penalty being administered

Page 48: Selected Issues in Information Technology  LECTURE TEN


Information security professionals and managers must possess a rudimentary grasp of the legal framework within which their organizations operate

This legal environment can influence the organization to a greater or lesser extent depending on the nature of the organization and the scale on which it operates

Page 49: Selected Issues in Information Technology  LECTURE TEN

Civil law: pertains to relationships between and among individuals and organizations
◦ Tort law: subset of civil law which allows individuals to seek recourse against others in the event of personal, physical, or financial injury

Criminal law: addresses violations harmful to society and actively enforced/prosecuted by the state

Private law: regulates relationships among individuals and among individuals and organizations
◦ Encompasses family law, commercial law, and labor law

Public law: regulates structure and administration of government agencies and their relationships with citizens, employees, and other governments
◦ Includes criminal, administrative, and constitutional law

Page 50: Selected Issues in Information Technology  LECTURE TEN

Computer Fraud and Abuse Act of 1986 (CFA Act) is the cornerstone of many computer-related federal laws and enforcement efforts

Amended October 1996 by the National Information Infrastructure Protection Act of 1996 to increase penalties for selected crimes

CFA Act was further modified by the USA Patriot Act, providing law enforcement with broader latitude to combat terrorism-related activities

Page 51: Selected Issues in Information Technology  LECTURE TEN

Communication Act of 1934 was revised by the Telecommunications Deregulation and Competition Act of 1996, which attempts to modernize the archaic terminology of the older act
◦ Provides penalties for misuse of telecommunications devices, specifically telephones

In Kenya, there is The Kenya Information And Communications Act of 2009.
◦ It has several laws regarding the Telecommunications sector, ranging from Radio, Broadcasting, Postal and Electronic Laws.

Page 52: Selected Issues in Information Technology  LECTURE TEN

◦ Get the right certification, e.g. for IS Security: Certified Information Systems Security Professional (CISSP) by the International Information Systems Security Certification Consortium (ISC); Global Information Assurance Certification (GIAC): www.giac.org
◦ Consider earning a graduate degree in INFOSEC
◦ Increase your disaster recovery and risk management skills
◦ Build a home laboratory
◦ Give something back to the INFOSEC community
◦ Get on a project working with strategic partners
◦ Consider an internship in IS
◦ Take a second look at government jobs

Page 53: Selected Issues in Information Technology  LECTURE TEN

Higher demand for expertly trained individuals
◦ U.S. Bureau of Labor Statistics: The security of computer networks will continue to increase in importance as more business is conducted over the Internet. Source: www.collegegrad.com/careers/manag30.shtml
◦ Careers in computer networking and network security abound. The U.S. Bureau of Labor Statistics (BLS) projects that the number of jobs in computer networking and administration will likely grow by 30 percent by 2018. Source: http://www.ehow.com/list_6787998_careers-computer-networks-security.html
◦ Computerworld expects security pay to continue to outperform the market. Source: www.computerworld.com/careertopics/careers/story/0,10801,73893,00.html

Page 54: Selected Issues in Information Technology  LECTURE TEN

Hundreds of community colleges, four-year universities, and post-graduate programs are offering degrees and certificates in emergency preparedness, counterterrorism, and security
◦ The National Security Agency Centers of Academic Excellence: www.nsa.gov/ia/academia/caeiae.cfm

Multidisciplinary Approach: Exposure to nontechnical areas gives INFOSEC professionals a greater ability to address and resolve complex problems
◦ Including probability and statistics, psychology, English, foreign languages, philosophy, ethics, history and so on

A wide range of educational experiences is a good foundation for an INFOSEC career

Information security draws upon the best practices and experiences from multiple domains

Page 55: Selected Issues in Information Technology  LECTURE TEN

An organization’s security posture defines its tolerance for risk and outlines how it plans to protect information and resources within its charge.

This posture is documented in standards, guidelines, and procedures that must exist long before a single program is written or a computer is installed.

Page 56: Selected Issues in Information Technology  LECTURE TEN

A view of a typical structure and context showing where INFOSEC fits within a typical large corporation

Page 57: Selected Issues in Information Technology  LECTURE TEN

To support business operations a number of common positions and career opportunities are needed
◦ Security administrators
◦ Access coordinators
◦ Security architects and network engineers
◦ Security consultants
◦ Security testers
◦ Policymakers and standards developers
◦ Compliance officers
◦ Incident response team members
◦ Governance and vendor managers

Page 58: Selected Issues in Information Technology  LECTURE TEN

Networked systems remain vulnerable to attacks from within and without an organization

The explosive growth of e-commerce and the pervasive personal and business uses of the Internet have created a growing demand for IS specialists

The principles, approaches, and concepts in INFOSEC should work together to provide the harmonious mix of risk management and reward that modern business demands