Chapter 3 Ethics, privacy and information security
Ethical Issues:
- ethics refers to the principles of right and wrong that individuals use to make choices to guide their behaviors
- code of ethics: collection of principles intended to guide decision making by members of the organization
- tenets of ethics include responsibility, accountability and liability
- Responsibility: you accept the consequence of your decision and actions
- Accountability: provides for a determination of who is responsible for actions that were taken
- Liability: legal concept implying that individuals have the right to recover the damages done to them by other
individuals, organizations or systems
- improvements in information technologies are causing an increasing number of ethical problems
- problems such as appropriate use of customer information, personal privacy and the protection of intellectual property
- diversity and ever expanding use of IT applications have created a variety of ethical issues. These fall into four
categories: privacy, accuracy, property and accessibility
1. Privacy issues: involve the collection, storage and dissemination of information about individuals
- What information about oneself should an individual be required to reveal to others?
2. Accuracy issues: involve the authenticity, integrity, and accuracy of information that is collected and processed
- Who is responsible for the authenticity, integrity, and accuracy of the information collected?
3. Property Issues: involve the ownership and value of information
- who owns the information?
4. Accessibility issues: revolve around who should have access to information and whether they should have to pay for
this access
- who is allowed to access information?
Protecting Privacy
- privacy: is the right to be left alone and to be free of unreasonable personal intrusion
- information privacy: is the right to determine when, and to what extent, information about yourself can be gathered or
communicated to others
- privacy rights apply to individuals, groups and institutions
- definition of privacy can be interpreted quite broadly. However court decisions in many countries have followed two
rules fairly closely:
1. the right of privacy is not absolute. Privacy must be balanced against the needs of society.
2. the public's right to know supersedes the individual's right of privacy
- rapid advances in information technologies have made it much easier to collect, store and integrate data on individuals
in large data bases
- data is generated in many ways on any given day: surveillance cameras in public places and at work, credit card
transactions, telephone calls, banking transactions etc
- this data can be integrated to produce a digital dossier, which is an electronic description of a person’s habits
- the process of forming a digital dossier is called Profiling
- this information also helps companies know their customers better, to achieve customer intimacy
Electronic Surveillance
- is rapidly increasing, particularly with the emergence of new technologies; monitoring is done by employers, the
government and other institutions
- employees have very limited protection against surveillance by employers
- the law supports the right of employers to read their employees’ email and other electronic documents and monitor their
internet use
- organizations also use software to block connections to inappropriate websites, a practice called URL filtering
- they also install monitoring and filtering software to enhance security by stopping malicious software and to improve
employee productivity by discouraging employees from wasting time
- surveillance is also a concern for private individuals, regardless of whether it is conducted by corporations, government
bodies, or criminals
Personal Information In Databases
- credit reporting agencies, banks and financial institutions, cable TV, telephone and utilities companies, employers,
mortgage companies, hospitals, schools, universities, retail establishments, government agencies etc.
- several questions about the information you provide due to the security
Information On Internet Bulletin Boards, Newsgroups, And Social Networking Sites
- every day we see more and more electronic bulletin boards, newsgroups, electronic discussion sites such as chat rooms,
and social networking sites
- these sites appear on the internet, within corporate intranets, and on blogs
- Blog: short for weblog, an informal personal journal that is frequently updated and intended for general public reading
- no better illustration of the conflict between free speech and privacy than the internet
Privacy Codes and Policies
- are an organization's guidelines with respect to protecting the privacy of customers, clients and employees
- Opt-out model of informed consent: permits the company to collect personal information until the customer specifically
requests that the data not be collected
- privacy advocates prefer the Opt-in model of informed consent, where a business is prohibited from collecting any
personal information unless the customer specifically authorizes it
- The Platform for Privacy Preferences (P3P) was developed by the World Wide Web Consortium, a group that creates
standards for the web
- P3P automatically communicates privacy policies between an electronic commerce website and visitors to that site
- P3P enables visitors to determine the types of personal data that can be extracted by the websites they visit
- it also allows visitors to compare a website's privacy policy to the visitor's preferences or to other standards such as the
Canadian Standards Association (CSA) Model Code for the Protection of Personal Information or the European Union
Directive on Data Protection
- Canada’s Privacy legislation is called the Personal Information Protection and Electronic Documents Act (PIPEDA)
- based upon principles in the Canadian Standards Association Model Code
- as part of the legislation, organizations are required to establish a privacy policy, as well as procedures to ensure that
the policy is adhered to
Privacy Policy Guidelines: A Sampler
Data Collection:
- data should be collected on individuals only for the purpose of accomplishing a legitimate business objective
- data should be adequate, relevant, and not excessive in relation to the business objective
- individuals must give their consent before data pertaining to them can be gathered. Such consent may be implied from
the individual's actions (for instance, in applications for credit, insurance, or employment)
Data Accuracy:
- sensitive data gathered on individuals should be verified before it is entered into the databases
- data should, where and when necessary, be kept current
- the file should be made available so the individual can ensure that the data is correct
- if there is disagreement about the accuracy of the data, the individual's version should be noted and included with any
disclosure of the file
Data Confidentiality:
- computer security procedures should be implemented to ensure against unauthorized disclosure of data. These
procedures should include physical, technical and administrative security measures
- third parties should not be given access to data without the individual's knowledge or permission, except as required by
law
- disclosures of data, other than the most routine, should be noted and maintained for as long as the data is maintained
- data should not be disclosed for reasons incompatible with the business objective for which it is collected
International Aspects of Privacy
- absence of consistent or uniform standards for privacy and security obstructs the flow of information among countries
- the European Community Commission (ECC) issued guidelines to all its member countries regarding the rights of
individuals to access information about themselves
- the transfer of data in and out of a nation without the knowledge of either the authorities or the individuals involved
raises a number of privacy issues
- governments must make an effort to develop laws and standards to cope with rapidly changing information
technologies in order to solve some of these privacy issues
Threats to Information Security
- a number of factors are contributing to the increasing vulnerability of organizational information assets
- today's interconnected, interdependent, wirelessly networked business environment
- government legislation
- smaller, faster, cheaper computers and storage devices
- decreasing skills necessary to be a computer hacker
- international organized crime taking over cybercrime
- downstream liability
- increased employee use of unmanaged devices
- lack of management support
- internet now enables millions of computers and computer networks to freely and seamlessly communicate with one
another
- organizations and individuals are exposed to a world of untrusted networks and potential attackers
- A trusted network: is any network within your organization that is adequately protected
- An untrusted network: is any network external to your organization
- wireless technologies enable employees to compute, communicate, and access the internet anywhere and any time
- making matters worse, wireless is an inherently nonsecure broadcast communications medium
- second factor, governmental legislation dictates that many types of information must be protected by law
- in Canada, PIPEDA applies to customer information that is collected by businesses or non-profit organizations
- each province also has a health privacy act, normally called a Personal Health Information Protection Act (PHIPA), that
protects medical records and other individually identifiable health information
- third factor results from the fact that modern computers and storage devices (such as thumb drives or flash drives) are
becoming smaller, faster, cheaper and more portable with greater storage capacity
- these characteristics make it easier to steal or lose a computer or storage device that contains huge amounts of sensitive
information
- also more people can afford powerful computers and connect inexpensively to the internet thus raising the potential of
an attack on information assets
- fourth factor is that the computing skills necessary to be a hacker are decreasing; the reason is that the internet contains
information and computer programs called scripts that even relatively unskilled users can download and use to attack
any information system connected to the Internet
- fifth factor, international organized crime taking over cybercrime, which refers to illegal activity taking place over
computer networks, particularly the internet. Cyberextortion occurs when individuals attack an organization's website, and
then demand money from the website owners to call off the attack.
- sixth factor is downstream liability: if company A’s information systems were compromised by a perpetrator and used
to attack company B’s systems, then company A could be liable for damages to company B. Note company B is
‘downstream’ from company A in this attack scenario
- a downstream liability lawsuit would put company A’s security policies and operations on trial
- contractual security obligations, particularly service level agreements (SLAs) which spell out very specific
requirements might also help establish a security standard
- company being sued for downstream liability will have to convince a judge or jury that its security measures were
reasonable
- that is, the company must demonstrate that it had practiced due diligence in information security; due diligence can be
defined in part by what your competitors are doing, which defines best practices
- seventh factor is the increased employee use of unmanaged devices, devices that are outside the control of an
organization's IT department
- include customer computers, business partners' mobile devices, computers in business centers of hotels etc
- eighth factor is management support, for the entire organization to take security policies and procedures seriously,
senior managers must set the tone
- Threat: to an information resource is any danger to which a system may be exposed
- Exposure: of an information resource is the harm, loss or damage, that can result if a threat compromises that resource
- Systems Vulnerability: possibility that the system will suffer harm by a threat
- Risk: likelihood that a threat will occur
- Information systems Controls: are the procedures, devices or software aimed at preventing a compromise to the system
Threats To Information Systems
- look at diagram on page 73 – good to describe threats
Threats from Outside: internet, natural disasters and man made disasters (accidents)
Threats from Inside: Employees, other insiders, systems software, hardware threats
- Michael Whitman and Herbert Mattord classified threats into 5 general categories to enable us to better understand the
complexity of the threat problem
1. unintentional acts: those acts with no malicious intent. Three types: human errors, deviations in the quality of service
from service providers, and environmental hazards. Human errors are by far the most serious threats to information security.
Human Errors: the higher the level of employee, the greater the threat the employee poses to information security since
they have greater access to corporate data and enjoy greater privileges on organizational information systems
- HR employees have access to sensitive personal information about all employees
- information systems employees not only have access to sensitive organizational data, but they often control the means
to create, store, transmit and modify that data
- Contractual labor and consultants often have access to the company's network, information systems and information assets
- Janitors and Guards: frequently ignored but are threats, since they are usually there when most if not all other
employees have gone home, they typically have keys to every office and nobody questions their presence in even the
most sensitive parts of the building
Human Mistake - Description and Example
Tailgating - technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, asks them to ‘hold the door’
Shoulder surfing - perpetrator watches an employee’s computer screen over the person’s shoulder
Carelessness with laptops - losing laptops, misplacing them, leaving them in taxis
Carelessness with portable devices - losing or misplacing these devices or using them carelessly so that malware is introduced into an organization’s network
Opening questionable emails - opening emails from someone unknown, or clicking on links embedded in emails
Careless internet surfing - accessing questionable websites
Poor password selection and use - choosing and using weak passwords
Carelessness with one’s office - unlocked desks and filing cabinets when employees go home at night, not logging off the company network when away from the office for an extended period of time
Carelessness using unmanaged devices - unmanaged devices are those outside the control of an organization’s IT department and company security procedures. These devices include computers belonging to customers and business partners, computers in the business center of hotels, retail establishments
Carelessness with discarded equipment - discarding old computer hardware and devices without completely wiping the memory. This includes computers, cell phones, BlackBerrys and digital copiers and printers.
2. natural disasters
3. technical failures
4. management failures
5. deliberate acts
Social Engineering and Reverse Social Engineering
- Social Engineering: is an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee
into providing confidential company information such as passwords
- Reverse Social Engineering: employees approach the attacker. For example, the attacker gains employment at a company and,
in informal conversations with his co-workers, lets it be known that he is ‘good with computers’. While helping them, he loads
Trojan horses on their computers, which email him their passwords and information about their machines
Deviations in the Quality of Service From Service Providers
- this category consists of situations in which a product or service is not delivered to the organization as expected
- for example, heavy equipment at a construction site severs a fibre optic line to your building, or your internet service
provider has availability problems
- organizations may also experience service disruptions from various providers, such as communications, electricity,
telephone, water, wastewater, garbage pickup, cable and natural gas
Environmental Hazards: include dirt, dust, humidity and static electricity. These hazards are harmful to the safe operation
of computing equipment
Natural Disasters: include floods, earthquakes, hurricanes, tornadoes, lightning and in some cases fires
- such disasters can cause loss of systems and data
- to avoid such losses, companies must engage in proper planning for backup and recovery of information systems and
data
Technical Failures: problems with hardware and software. The most common hardware problem is a crash of a hard disk drive.
- the most common software problem is errors (bugs) in computer programs
Management Failures: involve a lack of funding for information security efforts and a lack of interest in those efforts
Deliberate Acts:
- deliberate acts by employees (i.e., insiders) account for a large number of information security breaches
- espionage or trespass: occurs when an unauthorized person attempts to gain illegal access to organizational
information
Competitive Intelligence: consists of legal information-gathering techniques such as studying a company’s websites
and media releases, attending trade shows and so on.
Industrial Espionage: crosses the legal boundary and involves theft or illegal duplication of information assets
- information extortion: occurs when an attacker either threatens to steal, or actually steals information from a
company. The perpetrator demands payment for not stealing the information, or for returning it or for agreeing not to
disclose it.
- sabotage or vandalism: deliberate acts that involve defacing an organization's website, possibly tarnishing the
organization's image and causing it to experience a loss of confidence by its customers.
- theft of equipment or information: uncontrolled proliferation of portable devices in companies has led to a type of
attack called pod slurping, where perpetrators plug an iPod or other portable devices into a USB port on a computer and
download huge amounts of information very quickly and easily
- another form of theft known as dumpster diving, involves the practice of rummaging through commercial or residential
garbage to find information that has been discarded
- identity theft: deliberate assumption of another person’s or an organization's identity, usually to gain access to financial
information and assets or to frame someone for a crime. Techniques include: stealing mail or dumpster diving, stealing
personal information in computer databases, infiltrating organizations that store large amounts of personal information,
impersonating a trusted organization in an electronic communication (phishing)
- compromises to intellectual property: Intellectual Property: is the property created by individuals or corporations that
is protected under trade secret, patent and copyright laws. Trade secret: an intellectual work, such as a business plan or
private product formulation that is a company secret and is not based on public information.
- Patent: is a document that grants the holder exclusive rights on an invention or process for 20 years.
- Copyright: statutory grant that provides the creators of intellectual property with ownership of the property for the life
of the creator plus 50 years.
- in Canada, the Canadian Copyright Act protects a variety of intellectual property, including written work, a computer
program is considered to be a written work
- The Canadian Alliance Against Software Theft (CAAST): is an organization representing the commercial software
industry that promotes legal software