Chapter 3-Notes

Subject: Management Information system Semester: VII

COMPUTER ETHICS, PRIVACY AND SECURITY


Computer Ethics
• Computers are involved to some extent in almost every aspect of our lives
• They often perform life-critical tasks
• Computer science is not regulated to the extent of medicine, air travel, or construction zoning
• Therefore, we need to carefully consider the issues of ethics
Ethics
• Ethics are standards of moral conduct
• Standards of right and wrong behavior
• A gauge of personal integrity
• The basis of trust and cooperation in relationships with others
Ethical Principles
• Ethical principles are tools used to think through difficult situations.
• Three useful ethical principles:
• An act is ethical if all of society benefits from the act.
• An act is ethical if people are treated as an end and not as a means to an end.
• An act is ethical if it is fair to all parties involved.
Computer Ethics
• Computer ethics are morally acceptable use of computers
• i.e. using computers appropriately
• Standards or guidelines are important in this industry, because technology changes are
outstripping the legal system’s ability to keep up
Computer Ethics
• Four primary issues
• Privacy – responsibility to protect data about individuals
• Accuracy - responsibility of data collectors to authenticate information and ensure its accuracy
• Property - who owns information and software and how can they be sold and exchanged
• Access - responsibility of data collectors to control access and determine what information a person
has the right to obtain about others and how the information can be used
Problems with Large Databases
• Spreading information without consent
• Some large companies use medical records and credit records as a factor in important personnel decisions
• Spreading inaccurate information
• Mistakes in one computer file can easily migrate to others
• Inaccurate data may linger for years
Private Networks
• Employers may legally monitor electronic mail
• In 2001, 63% of US companies monitored employee Internet connections including about two
thirds of the 60 billion electronic messages sent by 40 million e-mail users.
• Most online services reserve the right to censor content
• These rights lead to contentious issues over property rights versus free speech and privacy

Prof. Rushikesh R. Nikam Department Computer Engineering

The Internet and the Web


• Most people don’t worry about email privacy on the Web due to illusion of anonymity
• Each e-mail you send results in at least 3 or 4 copies being stored on different computers.
• Web sites often load files on your computer called cookies to record times and pages visited and
other personal information
• Spyware - software that tracks your online movements, mines the information stored on your
computer, or uses your computer for some task you know nothing about.
E-Mail Netiquette
• Promptly respond to messages.
• Delete messages after you read them if you don’t need to save the information.
• Don’t send messages you wouldn’t want others to read.
• Keep the message short and to the point.
• Don’t type in all capital letters.
• Be careful with sarcasm and humor in your message.
Internet Content & Free Speech Issues
• Information on the Internet includes hate, violence, and material that is harmful to children
• How much of this should be regulated?
• Do filters solve problems or create more?
• Is web site information used for course work and research reliable?
Information Ownership Issues
• Illegal software copying (pirating)
• Infringement of copyrights by copying of pictures or text from web pages
• Plagiarism by copying text from other sources when original work is expected
Terms
• INTELLECTUAL PROPERTY:
• Creations protected by law
• TRADE SECRET:
• Work or products belonging to a business, not in public domain
• COPYRIGHT:
• Protecting intellectual property from copying by others for 28 years
• PATENT:
• Legal document granting owner exclusive monopoly on an invention for 17 years
Copyright Laws
Software developers (or the companies they work for) own their programs.
Software buyers only own the right to use the software according to the license agreement.
No copying, reselling, lending, renting, leasing, or distributing is legal without the software
owner’s permission.
Software Licenses
There are four types of software licenses:
Public Domain
Freeware
Shareware
All Rights Reserved
Public Domain License
Public domain software has no owner and is not protected by copyright law.
It was either created with public funds, or the ownership was forfeited by the creator.
Can be copied, sold, and/or modified
Often is of poor quality/unreliable
Freeware License
Freeware is copyrighted software that is licensed to be copied and distributed without charge.
Freeware is free, but it’s still under the owner’s control.
Shareware License
• A shareware software license allows you to use the software for a trial period, but you must pay a
registration fee to the owner for permanent use.
• Some shareware trials expire on a certain date
• Payment depends on the honor system
• Purchasing (the right to use) the software may also get you a version with more powerful features
and published documentation.
All Rights Reserved License
May be used by the purchaser according the exact details spelled out in the license agreement.
You can’t legally use it--or even possess it-- without the owner’s permission.
Open Source
• What is Open Source?
• Source code is free to look at.
• Compiled application is (typically) free to use.
• Licensed under one of many OSS licenses.
• Licenses are typically GPL compatible.
• GPL
• GNU General Public License v3
• Created by Richard Stallman
• Fundamental example of an open-source license.
• Highly restrictive.

if( use_gpl_code ) {
distribute_changes_as_gpl();
distribute_linked_apps_as_gpl_compatible();
}

Open Source
• LGPL
• GNU Lesser General Public License
• Can be linked to by non-GPL compatible software.
• Can be distributed with your software…

if( modify_lgpl_program ) {
distribute_changes_as_lgpl();
} else {
distribute_however_you_like();
}

Open Source
• MIT License
• Only 20 lines!
• Liberal terms.
• Use this code however you like...

if( modify_mit_program ) {
sublicense_however();
give_attribution();
} else {
distribute_with_mit_license();
}

Computer Crime
• Computer criminals - people who use a computer to commit an illegal act
• Who are computer criminals?
• Employees – disgruntled or dishonest --the largest category
• Outside users - customers or suppliers
• “Hackers” and “crackers” - hackers do it “for fun” but crackers have malicious intent
• Organized crime - tracking illegal enterprises, forgery, counterfeiting
Types of Computer Crime
• Damage to computers, programs or files
• Viruses - migrate through systems attached to files and programs
• Worms - continuously self-replicate
• Theft
• Of hardware, software, data, computer time
• Software piracy - unauthorized copies of copyrighted material
• View/Manipulation
• “Unauthorized entry” and “harmless message” still illegal

The ACM Code of Conduct


• According to the Association for Computing Machinery (ACM) code, a computing professional:
• Contributes to society and human well-being
• Avoids harm to others
• Is honest and trustworthy
• Is fair and takes action not to discriminate
• Honors property rights, including copyrights and patents
• Gives proper credit when using the intellectual property of others
• Respects other individuals’ rights to privacy
• Honors confidentiality

Personal Responsibility of Users


• Conserve
• Turn computers off at end of work day
• Use screen savers
• Recycle
• Most of the paper we use is eligible
• Dispose of old parts via recycling programs – most computer parts are dangerous in landfills
• Educate
• Know the facts about ecological issues
Ethical & Security Issues in Information System
Information systems have made many businesses successful today. Some companies such
as Google, Facebook, EBay, etc. would not exist without information technology. However,
improper use of information technology can create problems for the organization and employees.
Criminals gaining access to credit card information can lead to financial loss to the owners
of the cards or financial institute. Using organization information systems
i.e. posting inappropriate content on Facebook or Twitter using a company account can lead
to lawsuits and loss of business.
This section covers the challenges posed by information systems and what can be done to minimize or
eliminate the risks.

Cyber-crime
Cyber-crime refers to the use of information technology to commit crimes. Cyber- crimes can
range from simply annoying computer users to huge financial losses and even the loss of human life.
The growth of smartphones and other high-end Mobile devices that have access to the internet have
also contributed to the growth of cyber-crime.

Types of cyber-crime

Identity theft
Identity theft occurs when a cyber-criminal impersonates someone else’s identity to commit
malicious acts. This is usually done by accessing someone else’s personal details. The details used in
such crimes include social security numbers, dates of birth, credit and debit card numbers, passport
numbers, etc.

Once the information has been acquired by the cyber-criminal, it can be used to make
purchases online while impersonating the victim. One of the ways cyber-criminals obtain such
personal details is phishing. Phishing involves creating fake websites or emails that look like those
of legitimate businesses.
For example, an email that appears to come from YAHOO may ask the user to confirm their
personal details including contact numbers and email password. If the user falls for the trick and
updates the details and provides the password, the attacker will have access to personal details and
the email of the victim.
If the victim uses services such as PayPal, then the attacker can use the account to make
purchases online or transfer funds.
Other phishing techniques involve the use of fake Wi-Fi hotspots that look like legitimate
ones. This is common in public places such as restaurants and airports. If an unsuspecting user logs on
to the network, cyber-criminals may try to gain access to sensitive information such as
usernames, passwords, credit card numbers, etc.
According to the US Department of Justice, a former state department employee used email
phishing to gain access to email and social media accounts of hundreds of women and accessed
explicit photos. He was able to use the photos to extort the women and threatened to make the photos
public if they did not give in to his demands.
Copyright infringement
Piracy is one of the biggest problems with digital products. Websites such as the pirate bay
are used to distribute copyrighted materials such as audio, video, software, etc. Copyright
infringement refers to the unauthorized use of copyrighted materials.
Fast internet access and reducing costs of storage have also contributed to the growth of
copyright infringement crimes.
Click fraud
Advertising companies such as Google AdSense offer pay per click advertising services.
Click fraud occurs when a person clicks such a link with no interest in the advertisement, only
to generate click revenue. This can also be accomplished by using automated software that
makes the clicks.
Advance Fee Fraud
An email is sent to the target victim that promises them a lot of money in return for helping
the sender claim their inheritance.
In such cases, the criminal usually pretends to be a close relative of a very rich well- known
person who died. He/she claims to have inherited the wealth of the late rich person and needs help

to claim the inheritance. He/she will ask for financial assistance and promise to reward later. If the
victim sends the money to the scammer, the scammer vanishes and the victim loses the money.

Hacking
Hacking is used to bypass security controls to gain unauthorized access to a system. Once
the attacker has gained access to the system, they can do whatever they want. Some of the common
activities done when a system is hacked are:
• Install programs that allow the attackers to spy on the user or control their system
remotely
• Deface websites
• Steal sensitive information. This can be done using techniques such as SQL Injection,
exploiting vulnerabilities in the database software to gain access, social engineering techniques that
trick users into submitting ids and passwords, etc.

Computer virus
Viruses are unauthorized programs that can annoy users, steal sensitive data or be used to
take control of computer-controlled equipment.

Information system Security


MIS security refers to measures put in place to protect information system resources from
unauthorized access or being compromised. Security vulnerabilities are weaknesses in a computer
system, software, or hardware that can be exploited by the attacker to gain unauthorized access or
compromise a system.
People as part of the information system components can also be exploited using social
engineering techniques. The goal of social engineering is to gain the trust of the users of the system.
Let's now look at some of the threats that information systems face and what can be done to
eliminate or minimize the damage if a threat were to materialize.

Computer viruses – these are malicious programs as described in the above section. The
threats posed by viruses can be eliminated or the impact minimized by using Anti-Virus software
and following laid down security best practices of an organization.
Unauthorized access – the standard convention is to use a combination of a username and a
password. Hackers have learnt how to circumvent these controls if the user does not follow security
best practices. Most organizations have added the use of mobile devices such as phones to provide
an extra layer of security.
Let's take Gmail as an example: if Google is suspicious of a login on an account, it will
ask the person about to log in to confirm their identity using their Android-powered mobile device, or
send an SMS with a PIN, which supplements the username and password.
If a company does not have enough resources to implement extra security like Google, it
can use other techniques. These techniques can include asking users questions during signup such
as what town they grew up in, the name of their first pet, etc. If the person provides accurate answers
to these questions, access is granted to the system.
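The SMS PIN described above is a one-time code that supplements the password. The following Python example is added here and is not part of the original notes; it shows how a server can verify both factors: the password as a salted PBKDF2 hash, and the PIN as an HOTP value (RFC 4226: HMAC-SHA1 over a per-user counter, dynamically truncated to six digits), compared in constant time and accepted only once. The user record, salt, password and look-ahead window are constructed for the example; the HOTP secret is the RFC 4226 test-vector key so the generated codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# Constructed demo user record; a real deployment keeps one such record per user in a database.
# The HOTP secret is the RFC 4226 test-vector key, chosen so the codes are verifiable.
USERS = {
    "alice": {
        "password_salt": b"constructed-salt-for-demo",
        "password_hash": None,  # filled in below once hash_password is defined
        "hotp_secret": b"12345678901234567890",
        "hotp_counter": 0,  # next counter value the server expects
    }
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256: a leaked database does not reveal the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS["alice"]["password_hash"] = hash_password(
    "correct horse battery staple", USERS["alice"]["password_salt"]
)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_login(username: str, password: str, sms_pin: str, look_ahead: int = 3) -> bool:
    """Grant access only if the password hash matches AND the PIN is a fresh HOTP code.

    The PIN is accepted from the current counter up to `look_ahead` values ahead,
    because codes may have been generated (e.g. sent by SMS) but never used.
    """
    user = USERS.get(username)
    if user is None:
        return False
    expected = hash_password(password, user["password_salt"])
    # constant-time comparison avoids leaking how many bytes matched
    if not hmac.compare_digest(expected, user["password_hash"]):
        return False
    for c in range(user["hotp_counter"], user["hotp_counter"] + look_ahead):
        if hmac.compare_digest(hotp(user["hotp_secret"], c), sms_pin):
            user["hotp_counter"] = c + 1  # each code is single-use: move past it
            return True
    return False


if __name__ == "__main__":
    pin = hotp(USERS["alice"]["hotp_secret"], USERS["alice"]["hotp_counter"])
    print("first attempt:", verify_login("alice", "correct horse battery staple", pin))
    print("replayed PIN:", verify_login("alice", "correct horse battery staple", pin))
```

The same verification applies whether the code arrives by SMS or from an authenticator app; only the delivery channel differs. A replayed code fails because the server's counter has already moved past it, which is what makes the PIN a second factor rather than a second password.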
Data loss – if the data center catches fire or is flooded, the hardware holding the data can be
damaged and the data on it lost. As a standard security best practice, most organizations keep
backups of the data at remote locations. The backups are made periodically and are usually kept in more
than one remote location.
Biometric Identification – this is now becoming very common, especially with mobile devices
such as smartphones. The phone can record the user’s fingerprint and use it for authentication purposes.
This makes it harder for attackers to gain unauthorized access to the mobile device. Such technology
can also be used to stop unauthorized people from getting access to your devices.

Information system Ethics


Ethics refers to rules of right and wrong that people use to make choices to guide their
behaviors. Ethics in MIS seek to protect and safeguard individuals and society by using information
systems responsibly. Most professions usually have defined a code of ethics or code of conduct
guidelines that all professionals affiliated with the profession must adhere to.
In a nutshell, a code of ethics makes individuals acting on their free will responsible and
accountable for their actions. An example of a Code of Ethics for MIS professionals can be found on
the British Computer Society (BCS) website.

Information Communication Technology (ICT) policy


An ICT policy is a set of guidelines that defines how an organization should use information
technology and information systems responsibly. ICT policies usually include guidelines on:
• Purchase and usage of hardware equipment and how to safely dispose of it
• Use of licensed software only and ensuring that all software is up to date with latest
patches for security reasons
• Rules on how to create passwords (complexity enforcement), changing passwords,
etc.
• Acceptable use of information technology and information systems
• Training of all users involved in using ICT and MIS
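As an added example of the complexity-enforcement rule listed above (not part of the original notes), the Python function below checks a candidate password against a small written-down policy and reports every rule it violates, rather than a bare yes/no, so the user can be told exactly what to fix. The thresholds, the rule set and the list of common passwords are assumptions made for the example; a real deployment would check against a large breach corpus.

```python
import re

# Constructed list of widely used passwords; a real policy checks a far larger breach corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Policy thresholds assumed for this example.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3

CHARACTER_CLASSES = {
    "lowercase letter": r"[a-z]",
    "uppercase letter": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def check_password_policy(password: str, username: str = "") -> list:
    """Return the list of policy rules the candidate violates (an empty list means accepted)."""
    violations = []

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    present = [name for name, pattern in CHARACTER_CLASSES.items() if re.search(pattern, password)]
    if len(present) < MIN_CHARACTER_CLASSES:
        violations.append(
            f"uses fewer than {MIN_CHARACTER_CLASSES} of: " + ", ".join(CHARACTER_CLASSES)
        )

    lowered = password.lower()
    if username and len(username) >= 3 and username.lower() in lowered:
        violations.append("contains the username")

    # Strip trailing digits/symbols so that "Password2024!" is still caught as a common password.
    core = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        violations.append("is a commonly used password")

    if re.search(r"(.)\1{3,}", password):
        violations.append("contains a run of four or more identical characters")

    return violations


if __name__ == "__main__":
    for candidate in ["Password2024!", "alice1234", "Tr0ub4dor&Th3.Gr8"]:
        print(candidate, "->", check_password_policy(candidate, username="alice") or "accepted")
```

Reporting the full list of violations matters at signup and at password-change time: a user who is only told "rejected" tends to make the smallest possible change, whereas naming the rule (for instance, that the password is a common word with a year appended) steers them away from the patterns attackers guess first.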

Summary:
With great power comes great responsibility. Information systems bring new opportunities
and advantages to how we do business but they also introduce issues that can negatively affect society
(cybercrime). An organization needs to address these issues and come up with a framework (MIS
security, ICT policy, etc.) that addresses them.

Need Of Information Security


Assessing information security means considering the available countermeasures or controls, prompted
by the vulnerabilities uncovered, and identifying the areas where more work is needed. The purpose of
information security management is to ensure business continuity and reduce business damage by
preventing and minimizing the impact of security incidents. The basic principles of Information
Security are:
• Confidentiality
• Authentication
• Non-Repudiation
• Integrity

Description of new generation Threats:

Security Controls can be classified into three categories


Administrative Controls which include
• Developing and publishing of policies, standards, procedures, and guidelines.
• Screening of personnel.
• Conducting security-awareness training and implementing change control procedures.
Technical or Logical Controls which include
• Implementing and maintaining access control mechanisms.
• Password and resource management.
• Identification and authentication methods
• Security devices and
• Configuration of the infrastructure.

Physical Controls which include
• Controlling individual access into the facility and different departments
• Locking systems and removing unnecessary floppy or CD-ROM drives
• Protecting the perimeter of the facility
• Monitoring for intrusion and
• Environmental controls.

The Elements of Security


Vulnerability

• It is a software, hardware, or procedural weakness that may provide an attacker the open door
he is looking for to enter a computer or network and have unauthorized access to resources
within the environment.
• Vulnerability characterizes the absence or weakness of a safeguard that could be exploited.
• E.g.: a service running on a server, unpatched applications or operating system software,
unrestricted modem dial-in access, an open port on a firewall, lack of physical security etc.

Threat
• Any potential danger to information or systems.
• A threat is a possibility that someone (person, s/w) would identify and exploit the
vulnerability.
• The entity that takes advantage of vulnerability is referred to as a threat agent. E.g.: A threat
agent could be an intruder accessing the network through a port on the firewall

Risk
• Risk is the likelihood of a threat agent taking advantage of vulnerability and the
corresponding business impact.
• Reducing vulnerability and/or threat reduces the risk.
• E.g.: If a firewall has several ports open, there is a higher likelihood that an intruder will use
one to access the network in an unauthorized manner.

Exposure
• An exposure is an instance of being exposed to losses from a threat agent.
• Vulnerability exposes an organization to possible damages.
• E.g.: If password management is weak and password rules are not enforced, the company is
exposed to the possibility of having users' passwords captured and used in an unauthorized
manner.

Describe the categories of ethical issues related to information technology.


Information technology refers to the components used to store, retrieve and manipulate
information, at a minimum a server running an operating system. Information technology has a wide
range of applications in education, business, health, industry, the banking sector and scientific
research. With the rapid advancement of information technology, it is necessary to understand the
security issues, privacy issues and main negative impacts of IT. To deal with these issues in the IT
community, it is important to identify the ethical issues.
Some of the major ethical issues faced by Information Technology (IT) are:

1. Personal Privacy
2. Access Right
3. Harmful Actions
4. Patents
5. Copyright
6. Trade Secrets
7. Liability
8. Piracy
These are explained with their effects as follows:
1. Personal Privacy:
It is an important aspect of ethical issues in information technology. IT gives users their own
hardware, operating system and software tools to access servers that are connected to each other and
to the users by a network. Because the network is distributed on a large scale, large amounts of data
or information are transferred, which creates hidden chances of disclosing information and violating
the privacy of individuals or groups. It is a major challenge for the IT community and organizations
to maintain the privacy and integrity of data.
Accidental disclosure to inappropriate individuals and provisions to protect the accuracy of data are
also part of the privacy issue.
2. Access Right:
The second aspect of ethical issues in information technology is access right. Access right has become
a high-priority issue for IT and cyberspace with the great advancement in technology. The evolution
of e-commerce and electronic payment systems on the internet heightened this issue for various
corporate organizations and government agencies. A network on the internet cannot be made secure
from unauthorized access. Generally, an intrusion detection system is used to determine whether a
user is an intruder or a legitimate user.
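To make the intrusion detection idea above concrete, here is an added Python example (not from the original notes) that applies one common detection rule to authentication logs: a source address that produces many failed logins inside a short window is flagged, and the alert is escalated if a successful login from the same address follows the burst, since that pattern suggests a guessed password rather than a legitimate user who mistyped. The log lines, addresses, usernames, threshold and window are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the style of an SSH daemon auth log (not from a real system).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for invalid user admin from 203.0.113.7
2024-03-01T09:00:03 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:04 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:06 sshd: Failed password for oracle from 203.0.113.7
2024-03-01T09:00:07 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:09 sshd: Accepted password for root from 203.0.113.7
2024-03-01T09:05:00 sshd: Failed password for bob from 198.51.100.20
2024-03-01T09:30:00 sshd: Accepted password for bob from 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text: str) -> list:
    """Turn raw log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def detect_bruteforce(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> list:
    """Flag each source IP with at least `threshold` failures inside `window`.

    The alert records which usernames were tried and whether a successful login
    from the same IP followed the burst (the case an analyst should look at first).
    Events are assumed to be in chronological order, as they appear in the log.
    """
    alerts = []
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    for ip, ip_events in by_ip.items():
        failures = [e for e in ip_events if e["result"] == "Failed"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last_failure = burst[-1]["ts"]
                success_after = any(
                    e["result"] == "Accepted" and e["ts"] > last_failure for e in ip_events
                )
                alerts.append({
                    "ip": ip,
                    "failures": len(burst),
                    "users": sorted({f["user"] for f in burst}),
                    "success_after": success_after,
                })
                break  # one alert per source is enough; do not re-report the same burst
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

A single failed login from 198.51.100.20 followed by a success half an hour later is the normal "mistyped it once" pattern and produces no alert; five failures across three accounts in six seconds from 203.0.113.7, followed by a success, is the pattern that should page someone. In a real pipeline the threshold and window are tuned against the site's own baseline of legitimate failures.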

3. Harmful Actions:
Harmful actions in computer ethics refer to damage or negative consequences to IT such
as loss of important information, loss of property, loss of ownership, destruction of property and
other undesirable substantial impacts. This principle of ethical conduct restricts outsiders from using
information technology in a manner that leads to any loss to users, employees,
employers or the general public.
Typically, these actions comprise the intentional destruction or alteration of files and programs,
which causes a serious loss of resources. Recovering from such harmful actions requires extra time and
effort to remove the viruses from the computer systems.

4. Patents:
These types of ethical issues are more difficult to deal with. A patent can preserve the unique and
secret aspects of an idea. Obtaining a patent is very difficult compared with obtaining a copyright.
A thorough disclosure of the software is required: the patent holder has to reveal the full details
of a program, enough for a proficient programmer to build the program.

5. Copyright:
Information security specialists need to be familiar with the necessary concepts of copyright law.
Copyright law works as a very powerful legal tool in protecting computer software, both before a
security breach and certainly after a security breach. Such a breach could be the mishandling and
misuse of data, computer programs, documentation and similar material. In many countries,
copyright legislation is amended or revised to provide explicit laws to protect computer programs.

6. Trade Secrets:
Trade secrets are also a significant ethical issue in information technology. A trade secret secures
something of value and usefulness. This law protects the private aspects of ideas which are known
only to the discoverer or his confidants. Once disclosed, a trade secret is lost as such and is only protected
by the law for trade secrets. The application of trade secret law is very broad in the computer field,
where even a slight head start in the advancement of software or hardware can provide a significant
competitive advantage.

7. Liability:
One should be aware of the liability issue in making ethical decisions. A software developer makes
promises and assertions to the user about the nature and quality of the product that can be construed
as an express warranty. Programmers or retailers have the legal right to define the express
warranties. Thus, they have to be realistic when they make claims and predictions about the
capabilities, quality and nature of their software or hardware. Every word they say about their product
may be as legally binding as if it were stated in writing. All agreements should be in writing to protect
against liability. A disclaimer of express warranties can free a supplier from being held responsible
for informal, speculative statements or forecasts made during the agreement stages.

8. Piracy:
Piracy is the activity of making illegal copies of software. It is entirely up to
the owner of the software whether or not users can make backup copies of their software. As
laws made for copyright protection evolve, legislation that would stop unauthorized
duplication of software is also under consideration. The software industry is prepared to fight
software piracy. The courts are dealing with an increasing number of actions concerning the
protection of software.

Identify the five factors that contribute to the increasing vulnerability of information
resources, and provide a specific example of each one?
1. Today's interconnected, interdependent, wirelessly networked business environment. Example: The
Internet
2. Smaller, faster, cheaper computers and storage devices. Examples: Netbooks, thumb drives, iPads
3. Decreasing skills necessary to be a computer hacker.
Example: Information system hacking programs circulating on the Internet
4. International organized crime taking over cybercrime.
Example: Organized crime has formed transnational cybercrime cartels. Because it is difficult to
know exactly where cyberattacks originate, these cartels are extremely hard to bring to justice.
5. Lack of management support.
Example: Suppose that your company spent $10 million on information security countermeasures
last year, and they did not experience any successful attacks on their information resources. Short-sighted
management might conclude that the company could spend less during the next year and
obtain the same results. Bad idea.

Compare and contrast human mistakes and social engineering, and provide a specific example
of each one?
Human mistakes are unintentional errors. However, employees can also make unintentional mistakes
as a result of actions by an attacker, such as social engineering.
Example: Tailgating

Social engineering is an attack through which the perpetrator uses social skills to trick or manipulate
a legitimate employee into providing confidential company information.
Example: An attacker calls an employee on the phone and impersonates a superior in the company.

Discuss 10 types of deliberate attacks.


1. Espionage or trespass - an unauthorized individual attempts to gain illegal access to organizational
information.
2. Information extortion - an attacker either threatens to steal, or actually steals, information from a
company. The perpetrator demands payment for not stealing the information, for returning stolen
information, or for agreeing not to disclose the information.
3. Sabotage and vandalism - deliberate acts that involve defacing an organization's website, possibly
causing the organization to lose its image and experience a loss of confidence by its customers.
4. Theft of equipment and information - stealing computing devices and storage devices.
5. Identity theft - deliberate assumption of another person's identity, usually to gain access to his or
her financial information or to frame him or her for a crime.
6. Compromises to intellectual property
7. Software attacks - malicious software penetrates an organization's computer system. Today, these
attacks are typically profit-driven and web-based.
8. Alien software - clandestine software that is installed on your computer through duplicitous
methods. It is typically not as malicious as viruses, worms, or Trojan horses, but it does use up
valuable system resources.
9. Supervisory control and data acquisition - large-scale distributed measurement and control system.
SCADA attacks attempt to compromise a system to cause damage to the real-world processes that
the system controls.

10. Cyberterrorism and cyberwarfare - attackers use a target's computer systems, particularly
through the Internet, to cause physical, real-world harm or severe disruption, usually to carry
out a political agenda.
