
Ethics in Information Technology, Second Edition

Chapter 3
Computer and Internet Crime

Slide 2: Objectives
  What key trade-offs and ethical issues are associated with the safeguarding of data and information systems?
  Why has there been a dramatic increase in the number of computer-related security incidents in recent years?
  What are the most common types of computer security attacks?

Slide 3: Objectives (continued)
  What are some characteristics of common computer criminals, including their objectives, available resources, willingness to accept risk, and frequency of attack?
  What are the key elements of a multilayer process for managing security vulnerabilities, based on the concept of reasonable assurance?
  What actions must be taken in response to a security incident?

Slide 4: IT Security Incidents: A Worsening Problem
  Security of information technology is of utmost importance
    Protect confidential data
    Safeguard private customer and employee data
    Protect against malicious acts of theft or disruption
  Must be balanced against other business needs and issues
  Number of IT-related security incidents is increasing around the world

Slide 5: IT Security Incidents: A Worsening Problem (continued)
  Computer Emergency Response Team Coordination Center (CERT/CC)
    Established in 1988 at the Software Engineering Institute (SEI)
    Charged with
      Coordinating communication among experts during computer security emergencies
      Helping to prevent future incidents

Slide 6: Increasing Complexity Increases Vulnerability
  Computing environment is enormously complex
  Continues to increase in complexity
  Number of possible entry points to a network expands continuously

Slide 7: Higher Computer User Expectations
  Computer help desks
    Under intense pressure to provide fast responses to users' questions
    Sometimes forget to
      Verify users' identities
      Check whether users are authorized to perform the requested action
  Computer users share login IDs and passwords

Slide 8: Expanding and Changing Systems Introduce New Risks
  Network era
    Personal computers connect to networks with millions of other computers
    All capable of sharing information
  Information technology
    Ubiquitous
    Necessary tool for organizations to achieve goals
  Increasingly difficult to keep up with the pace of technological change

Slide 9: Increased Reliance on Commercial Software with Known Vulnerabilities
  Exploit
    Attack on information system
    Takes advantage of a particular system vulnerability
    Due to poor system design or implementation
  Patch
    Fix to eliminate the problem
    Users are responsible for obtaining and installing patches
    Delays in installing patches expose users to security breaches

Slide 10: Increased Reliance on Commercial Software with Known Vulnerabilities (continued)
  Zero-day attack
    Takes place before a vulnerability is discovered or fixed
  U.S. companies rely on commercial software with known vulnerabilities

Slide 11: Number of Vulnerabilities Reported to CERT/CC
  (chart not reproduced)

Slide 12: Types of Attacks
  Most frequent attack is on a networked computer from an outside source
  Types of attacks
    Virus
    Worm
    Trojan horse
    Denial of service

Slide 13: Viruses
  Pieces of programming code
  Usually disguised as something else
  Cause unexpected and usually undesirable events
  Often attached to files
  Deliver a payload
  Macro viruses
    Most common and easily created viruses
    Created in an application macro language
    Infect documents and templates

Slide 14: Viruses (continued)
  Does not spread itself from computer to computer
  Must be passed on to other users through
    Infected e-mail document attachments
    Programs on diskettes
    Shared files

Slide 15: Worms
  Harmful programs
    Reside in active memory of a computer
    Duplicate themselves
    Can propagate without human intervention
  Negative impact of virus or worm attack
    Lost data and programs
    Lost productivity
    Effort for IT workers

Slide 16: Cost Impact of Worms
  (table not reproduced)

Slide 17: Trojan Horses
  Program that a hacker secretly installs
    Users are tricked into installing it
  Logic bomb
    Executes under specific conditions

Slide 18: Denial-of-Service (DoS) Attacks
  Malicious hacker takes over computers on the Internet and causes them to flood a target site with demands for data and other small tasks
    The computers that are taken over are called zombies
  Does not involve a break-in at the target computer
    Target machine is busy responding to a stream of automated requests
    Legitimate users cannot get in
  Spoofing generates a false return address on packets

Slide 19: Denial-of-Service (DoS) Attacks (continued)
  Ingress filtering - When Internet service providers (ISPs) prevent incoming packets with false IP addresses from being passed on
  Egress filtering - Ensuring spoofed packets don't leave a network

Slide 20: Perpetrators
  Motives are the same as other criminals
  Different objectives and access to varying resources
  Different levels of risk to accomplish an objective

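The two filters on slide 19 share one check: a packet's source address must be plausible for the link it is seen on. The following is an added example, not code from the slide deck. Ingress filtering is modelled from the ISP's side (is this source in the block assigned to the customer interface it arrived on?) and egress filtering from the customer's edge (is this source one of ours before it leaves?). The address blocks, the interface table and the packets are constructed for illustration.

```python
"""Ingress and egress source-address filtering, modelled in Python.

Added example; not code from the slide deck. The address blocks, the
interface table and the packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: address block assigned to the customer network.
CUSTOMER_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed: which customer prefix the ISP expects on each access interface.
INTERFACE_PREFIXES = {
    "cust-a": ipaddress.ip_network("203.0.113.0/24"),
    "cust-b": ipaddress.ip_network("198.51.100.0/25"),
}

# Source addresses that should never appear on the public Internet
# (private, loopback, link-local and "this network" ranges).
NEVER_ROUTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _bogon(addr):
    return any(addr in net for net in NEVER_ROUTED)


def egress_allowed(pkt, local_net=CUSTOMER_NET):
    """Egress filter at the customer's own edge: a packet may leave only if
    its source address belongs to the local block, so a spoofed return
    address never reaches the Internet."""
    src = ipaddress.ip_address(pkt.src)
    return src in local_net and not _bogon(src)


def ingress_allowed(pkt, in_iface, table=INTERFACE_PREFIXES):
    """Ingress filter at the ISP: a packet arriving on a customer interface is
    forwarded only if its source lies in the block assigned to that customer.
    Unknown interfaces fail closed."""
    expected = table.get(in_iface)
    if expected is None:
        return False
    src = ipaddress.ip_address(pkt.src)
    return src in expected and not _bogon(src)


def apply_filter(packets, check):
    """Split packets into (forwarded, dropped) according to `check`."""
    forwarded = [p for p in packets if check(p)]
    dropped = [p for p in packets if not check(p)]
    return forwarded, dropped


# Constructed traffic seen leaving the customer network.
SAMPLE_OUTBOUND = [
    Packet("203.0.113.10", "198.51.100.5"),   # legitimate local source
    Packet("192.0.2.77", "198.51.100.5"),     # spoofed: not in our block
    Packet("10.1.2.3", "198.51.100.5"),       # spoofed private source
    Packet("203.0.113.200", "198.51.100.9"),  # legitimate local source
]

if __name__ == "__main__":
    fwd, drop = apply_filter(SAMPLE_OUTBOUND, egress_allowed)
    print("egress forwarded:", [p.src for p in fwd])
    print("egress dropped:  ", [p.src for p in drop])
    for iface in ("cust-a", "cust-b"):
        ok = ingress_allowed(Packet("203.0.113.10", "198.51.100.5"), iface)
        print(f"ingress on {iface}:", "forward" if ok else "drop")
```

Both checks are the same test applied at different vantage points, which is why the deck lists them together: egress filtering stops a site's own zombies from emitting spoofed packets, and ingress filtering at the ISP catches the same packets if the customer's edge does not.
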
Slide 21: Classifying Perpetrators of Computer Crime
  (table not reproduced)

Slide 22: Hackers and Crackers
  Hackers
    Test limitations of systems out of intellectual curiosity
  Crackers
    Cracking is a form of hacking
    Clearly criminal activity

Slide 23: Malicious Insiders
  Top security concern for companies
  Estimated 85 percent of all fraud is committed by employees
    Usually due to weaknesses in internal control procedures
  Collusion is cooperation between an employee and an outsider
  Insiders are not necessarily employees
    Can also be consultants and contractors
  Extremely difficult to detect or stop
    Authorized to access the very systems they abuse

Slide 24: Industrial Spies
  Illegally obtain trade secrets from competitors
  Trade secrets are protected by the Economic Espionage Act of 1996
  Competitive intelligence
    Uses legal techniques
    Gathers information available to the public
  Industrial espionage
    Uses illegal means
    Obtains information not available to the public

Slide 25: Cybercriminals
  Hack into corporate computers and steal
  Engage in all forms of computer fraud
  Chargebacks are disputed transactions
  Loss of customer trust has more impact than fraud
  To reduce the potential for online credit card fraud, sites:
    Use encryption technology
    Verify the address submitted online against the issuing bank
    Request a card verification value (CVV)
    Use transaction-risk scoring software

Slide 26: Cybercriminals (continued)
  Smart cards
    Contain a memory chip
    Are updated with encrypted data every time the card is used
    Used widely in Europe
    Not widely used in the U.S.

Slide 27: Legal Overview: The Check Clearing for the 21st Century Act
  Requires that banks accept paper documents
    In lieu of original paper checks
  Speeds clearing of checks
  New opportunities for check fraud
    Bankers don't fully realize the extent of possible increased fraud

Slide 28: Cyberterrorists
  Intimidate or coerce governments to advance political or social objectives
  Launch computer-based attacks
  Seek to cause harm
    Rather than gather information
  Many experts believe terrorist groups pose only a limited threat to information systems

Slide 29: Reducing Vulnerabilities
  Security
    Combination of technology, policy, and people
    Requires a wide range of activities to be effective
  Assess threats to an organization's computers and network
  Identify actions that address the most serious vulnerabilities
  Educate users
  Monitor to detect a possible intrusion
  Create a clear reaction plan

Slide 30: Risk Assessment
  Organization's review of:
    Potential threats to computers and network
    Probability of threats occurring
  Identify investments that can best protect an organization from the most likely and serious threats
  Reasonable assurance
    Improve security in areas with:
      Highest estimated cost
      Poorest level of protection
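Slide 30's procedure, listing threats with a probability and a cost and then directing investment at the most likely and serious ones, carried through in code. This is an added example, not the textbook's hypothetical-company table: the threats, probabilities, costs, protection levels and control estimates are constructed, and the expected-loss formula (probability times cost, discounted by the protection already in place) is an assumption made here to express the slide's "highest estimated cost, poorest level of protection" rule.

```python
"""Risk assessment as a ranking of expected loss, then a budget-limited choice
of investments. Added example; the threats, probabilities, costs, protection
levels and control estimates are constructed, not the textbook's
hypothetical-company table, and the expected-loss formula is an assumption
made here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float   # estimated chance of at least one occurrence per year
    cost: float          # estimated loss per occurrence
    protection: float    # current level of protection, 0.0 (none) to 1.0 (complete)


@dataclass(frozen=True)
class Control:
    threat: str          # name of the threat it addresses
    cost: float          # purchase/implementation cost
    gain: float          # protection added, on the same 0..1 scale


def expected_loss(t):
    """Assumed formula: probability x cost, discounted by existing protection.
    High-cost, poorly protected threats rise to the top, matching the
    'reasonable assurance' guidance on the slide."""
    return t.probability * t.cost * (1.0 - t.protection)


def rank_threats(threats):
    """Most likely and serious threats first."""
    return sorted(threats, key=expected_loss, reverse=True)


def loss_reduction(control, threats):
    """Expected loss avoided per year by adding `control`, capped at full protection."""
    t = next(th for th in threats if th.name == control.threat)
    gain = min(control.gain, 1.0 - t.protection)
    return t.probability * t.cost * gain


def choose_investments(threats, controls, budget):
    """Greedy: take controls in order of loss reduction per currency unit
    until the budget is spent. Returns (chosen threat names, total reduction)."""
    ranked = sorted(controls, key=lambda c: loss_reduction(c, threats) / c.cost, reverse=True)
    chosen, total, remaining = [], 0.0, budget
    for c in ranked:
        if c.cost <= remaining:
            chosen.append(c.threat)
            total += loss_reduction(c, threats)
            remaining -= c.cost
    return chosen, total


# Constructed figures for a hypothetical company.
THREATS = [
    Threat("Worm outbreak", 0.6, 50_000, 0.5),
    Threat("Insider data theft", 0.1, 400_000, 0.2),
    Threat("DoS attack on web site", 0.3, 80_000, 0.0),
    Threat("Laptop theft", 0.8, 5_000, 0.3),
]
CONTROLS = [
    Control("Insider data theft", 20_000, 0.4),
    Control("DoS attack on web site", 15_000, 0.6),
    Control("Worm outbreak", 5_000, 0.3),
    Control("Laptop theft", 2_000, 0.5),
]

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:25s} expected loss {expected_loss(t):>10,.0f}")
    chosen, total = choose_investments(THREATS, CONTROLS, budget=25_000)
    print("invest in:", chosen, "avoids about", round(total))
```

Note that the ranking and the purchase order differ: the insider threat tops the expected-loss list, but with the constructed numbers its control is the most expensive per unit of risk removed, so a fixed budget is spent elsewhere first. That gap between "most serious" and "best return" is what the reasonable-assurance step is meant to surface.
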

Slide 31: Risk Assessment for a Hypothetical Company
  (table not reproduced)

Slide 32: Establishing a Security Policy
  A security policy defines
    Organization's security requirements
    Controls and sanctions needed to meet the requirements
  Delineates responsibilities and expected behavior
  Outlines what needs to be done
    Not how to do it
  Automated system policies should mirror written policies

Slide 33: Establishing a Security Policy (continued)
  Trade-off between
    Ease of use
    Increased security
  Areas of concern
    E-mail attachments
    Wireless devices
    VPN uses the Internet to relay communications but maintains privacy through security features
      Additional security includes encrypting originating and receiving network addresses

Slide 34: Educating Employees, Contractors, and Part-Time Workers
  Educate users about the importance of security
  Motivate them to understand and follow security policy
  Discuss recent security incidents that affected the organization
  Help protect information systems by:
    Guarding passwords
    Not allowing others to use passwords
    Applying strict access controls to protect data
    Reporting all unusual activity

Slide 35: Prevention
  Implement a layered security solution
    Make computer break-ins harder
  Firewall
    Limits network access
  Antivirus software
    Scans for a specific sequence of bytes
      Known as the virus signature
    Norton Antivirus
    Dr. Solomon's Antivirus from McAfee

Slide 36: Firewall Protection
  (figure not reproduced)

Slide 37: Prevention (continued)
  Antivirus software
    Continually updated with the latest virus detection information
      Called definitions
  Departing employees
    Promptly delete computer accounts, login IDs, and passwords
  Carefully define employee roles
    Create roles and user accounts

Slide 38: Popular Firewall Software for Personal Computers
  (table not reproduced)
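Slides 35 and 37 describe antivirus software as a scanner for a known sequence of bytes whose list of sequences (the definitions) is refreshed over time. The following is an added example of that idea, not code from the deck or from any vendor. The signatures are made-up byte sequences and the files are constructed, so nothing in it is real malware; real products match far more than a fixed byte string, but the scanner and the versioned definitions update are what the slides describe.

```python
"""Signature-based scanning with updatable definitions, modelled in Python.

Added example; not the deck's or any vendor's code. The signatures are
made-up byte sequences and the files are constructed, so nothing here is real
malware."""
from dataclasses import dataclass


@dataclass
class Definitions:
    version: int
    signatures: dict   # detection name -> byte sequence

    def update(self, new_version, new_signatures):
        """Apply a definitions update. Only a newer version is accepted, so a
        stale or replayed update cannot roll detections back."""
        if new_version <= self.version:
            return False
        self.signatures.update(new_signatures)
        self.version = new_version
        return True


def scan_bytes(data, defs, chunk=4096):
    """Return the sorted names of every signature found in `data`.

    The data is read in chunks, and each window re-includes the last
    (longest signature - 1) bytes of the previous chunk so a signature that
    straddles a chunk boundary is still seen in one piece."""
    if not defs.signatures:
        return []
    overlap = max(len(s) for s in defs.signatures.values()) - 1
    found = set()
    pos = 0
    while pos < len(data):
        window = data[max(0, pos - overlap):pos + chunk]
        for name, sig in defs.signatures.items():
            if sig in window:
                found.add(name)
        pos += chunk
    return sorted(found)


# Constructed definitions (made-up sequences, not real malware).
DEFS_V1 = Definitions(version=1, signatures={
    "SAMPLE.MacroDropper": b"\x4d\x41\x43\x52\x4f\x21\x01",
    "SAMPLE.Worm.A": b"\xde\xad\xbe\xef\x13\x37",
})

# Constructed files.
CLEAN_DOC = b"Quarterly report " * 300
INFECTED_DOC = b"Quarterly report " * 100 + b"\x4d\x41\x43\x52\x4f\x21\x01" + b" end"
NEW_VARIANT = b"\x00" * 20 + b"\xca\xfe\xba\xbe\x42\x42" + b"\x00" * 20

if __name__ == "__main__":
    print("clean:", scan_bytes(CLEAN_DOC, DEFS_V1))
    print("infected:", scan_bytes(INFECTED_DOC, DEFS_V1))
    print("new variant, v1 defs:", scan_bytes(NEW_VARIANT, DEFS_V1))
    DEFS_V1.update(2, {"SAMPLE.Worm.B": b"\xca\xfe\xba\xbe\x42\x42"})
    print("new variant, v2 defs:", scan_bytes(NEW_VARIANT, DEFS_V1))
```

The "new variant" file is the point of slide 37: with version 1 definitions it scans clean, and only after the update adds its sequence is it detected, which is why delays in applying definitions (like delays in applying patches on slide 9) leave a gap.
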

Slide 39: Prevention (continued)
  Keep track of well-known vulnerabilities
    SANS (System Administration, Networking, and Security) Institute
    CERT/CC
  Back up critical applications and data regularly
  Perform a security audit

Slide 40: Detection
  Detection systems
    Catch intruders in the act
  Intrusion detection system
    Monitors system and network resources and activities
    Notifies the proper authority when it identifies
      Possible intrusions from outside the organization
      Misuse from within the organization
    Knowledge-based approach
    Behavior-based approach

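Slide 40 names two approaches to intrusion detection without saying how they differ in practice. The following is an added example, not code from the deck: a knowledge-based detector that matches request paths against a small set of known-bad signatures, and a behavior-based detector that learns the highest per-client request count from normal traffic and flags any client far above it, which is how a flood of the kind on slide 18 is noticed without a signature. The log format, the rule set, the baseline method and all log lines are constructed assumptions.

```python
"""Knowledge-based and behavior-based intrusion detection over constructed
web-server log lines. Added example; the log format, the rule set and the
baseline method are assumptions made for illustration, not the textbook's."""
import re
from collections import Counter

# Constructed log format: "<hh:mm:ss> <client-ip> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed "normal day" traffic used to learn the baseline.
BASELINE_LOG = """\
09:00:01 192.0.2.10 GET /index.html 200
09:00:02 192.0.2.11 GET /about.html 200
09:00:03 192.0.2.10 GET /login 200
09:00:04 192.0.2.10 POST /login 200
09:00:05 192.0.2.12 GET /index.html 200
09:00:06 192.0.2.11 GET /contact.html 200
"""

# Constructed monitoring window: one traversal probe, one null-byte probe,
# and one client issuing far more requests than anyone did at baseline.
MONITOR_LOG = "\n".join(
    [
        "10:00:01 192.0.2.10 GET /index.html 200",
        "10:00:02 192.0.2.12 GET /../../config/secrets.txt 404",
        "10:00:03 192.0.2.11 GET /about.html 200",
    ]
    + [f"10:00:{4 + i:02d} 198.51.100.9 GET /index.html 200" for i in range(10)]
    + ["10:00:14 192.0.2.12 GET /files?name=report.pdf%00.txt 404"]
)

# Knowledge-based approach: signatures of known misuse (constructed rules).
SIGNATURES = {
    "path-traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "null-byte": re.compile(r"%00"),
}


def parse_log(text):
    """Parse lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def knowledge_based(events):
    """Alert on any request path matching a known-bad signature."""
    return [
        (ev["ip"], name, ev["path"])
        for ev in events
        for name, rx in SIGNATURES.items()
        if rx.search(ev["path"])
    ]


def build_baseline(events):
    """Behavior baseline: the highest per-client request count seen in normal traffic."""
    counts = Counter(ev["ip"] for ev in events)
    return max(counts.values(), default=0)


def behavior_based(events, baseline_max, factor=3):
    """Alert on clients whose request count exceeds `factor` times the baseline
    maximum; no signature is needed, which is how a new flood gets noticed."""
    counts = Counter(ev["ip"] for ev in events)
    return [(ip, "request-flood", n) for ip, n in counts.items() if n > factor * baseline_max]


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    window = parse_log(MONITOR_LOG)
    for alert in knowledge_based(window) + behavior_based(window, baseline):
        print(alert)
```

The two detectors miss different things: the signature rules say nothing about the flooding client, and the rate check says nothing about the two probes, each of which is a single request. Running both is the usual reason an IDS offers both approaches.
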
Slide 41: Detection (continued)
  Intrusion prevention systems (IPSs)
    Prevent attacks by blocking
      Viruses
      Malformed packets
      Other threats
    Sits directly behind the firewall

Slide 42: Detection (continued)
  Honeypot
    Provides would-be hackers with fake information about the network
    Decoy server
      Well-isolated from the rest of the network
      Can extensively log activities of intruders

Slide 43: Response
  Response plan
    Develop well in advance of any incident
    Approved by
      Legal department
      Senior management
  Primary goals
    Regain control
    Limit damage

Slide 44: Response (continued)
  Incident notification defines
    Who to notify
    Who not to notify
  Security experts recommend against releasing specific information about a security compromise in public forums
  Document all details of a security incident
    All system events
    Specific actions taken
    All external conversations

Slide 45: Response (continued)
  Act quickly to contain an attack
  Eradication effort
    Collect and log all possible criminal evidence from the system
    Verify necessary backups are current and complete
    Create new backups
  Follow-up
    Determine how security was compromised
    Prevent it from happening again

Slide 46: Response (continued)
  Review
    Determine exactly what happened
    Evaluate how the organization responded
  Capture the perpetrator
    Consider the potential for negative publicity
  Legal precedent
    Hold organizations accountable for their own IT security weaknesses

Slide 47: Summary
  Ethical decisions regarding IT security include determining which information systems and data most need protection
  65-fold increase in the number of reported IT security incidents from 1997 to 2003
  Most incidents involve a:
    Virus
    Worm
    Trojan horse
    Denial-of-service

Slide 48: Summary (continued)
  Perpetrators include:
    Hackers
    Crackers
    Industrial spies
    Cybercriminals
    Cyberterrorists

Slide 49: Summary (continued)
  Key elements of a multilayer process for managing security vulnerabilities include:
    Assessment
    User education
    Response plan
