BUS 311: Fall 2003

Security, Privacy, and Ethical Issues in Information Systems and the Internet

Chapter 9

Social Issues in Information Systems

- Computer Waste & Mistakes
- Computer Crime
- Privacy
- Health Concerns
- Ethical Issues
- Patent and copyright violations

Computer Waste

- Discarding technology that still has value
- Unused systems
- Personal use of corporate time and technology
- Spam
- Time spent configuring / “optimizing” computers

Preventing Computer Waste and Mistakes

Policies and procedures should be:
- Established
- Implemented
- Monitored
- Reviewed

Types of Computer-Related Mistakes

- Data entry or capture errors
- Errors in computer programs
- Errors in file handling – copying old file over new one, deleting a file by mistake
- Mishandling of computer output
- Inadequate planning for and control of equipment malfunction
- Inadequate planning for and control of environmental difficulties (electrical, humidity, etc.)
- Installing inadequate computer capacity

Useful Policies to Eliminate Waste and Mistakes

- Tightly control changes to corporate web site – ensure information is timely
- Have user manuals available
- Every report should clearly specify its general content and time period covered
- Implement proper procedures to ensure correct input data (to avoid “garbage in, garbage out”)

Computer Crime

Number of Incidents Reported to CERT

Computer Crime and Security Survey

Source: http://www.gocsi.com/press/20020407.jhtml?_requestid=449980

(1996: 16%)

Fastest Growing Crime in the US?

- Identity theft
  - Use someone else’s identity to obtain credit, conduct crimes, etc.
  - Necessary info: SSN, Name, (Date of Birth)
  - How often do you get a credit card application with your name on it?
- Largest identity theft case in US history: http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,76252,00.html
- Identity theft survival guide: http://money.cnn.com/2002/11/26/pf/saving/q_identity/

Recent Cybercrime Headlines

- 11/6/03: FTC Blocks Pop-Up Spammers
- 11/5/03: Microsoft Puts a Price on Hackers' Heads
- 11/3/03: E-Mail Under Attack Again as Mimail Virus Spreads
- 10/24/03: Microsoft Patches Its Patches

Source: Daily cybercrime report (http://www.newsfactor.com/perl/section/cybercrime/)

The Computer as a Tool to Commit Crime

- Social engineering: posing as someone else to gain the trust of a user so that they give out a password
- Dumpster diving: searching garbage for clues on how to gain access to a system
- Shoulder surfing: standing next to someone in a public place to get vital information
- Installing a keyboard logger: records every keystroke and sends it back to the criminal
- Cyberterrorism, e.g. a Distributed Denial-of-Service (DDoS) attack

Computers as Objects of Crime

- Illegal access and use
  - Hackers: ‘hacking’ away at programming and using a computer to its fullest capabilities
  - Crackers (criminal hackers)
- Information and equipment theft
- Software and Internet piracy
- Computer-related scams
  - Nigerian 419
- International computer crime

Data Alteration and Destruction

- Virus
- Worm
- Logic bomb
- Trojan horse

(Cartoon: © Hal Mayforth 2003)

Virus elements

- Distribution vector: how does it move from one computer to the next?
  - Virus: attaches to another program; the user must take action to spread it
  - Worm: self-propagates
- Payload: what does it do when it gets there?
- Ability to mutate: makes it harder to detect, like the AIDS virus

Virus Characteristics

Similar to biological viruses:
- Replicates on its own
- May mutate
- Can be benign or malicious
- Attaches to a ’host’ program
- Constructed by a programmer

Types of damage (payload):
- Destruction of data, programs or hardware
- Loss of productivity
- Annoyance

Top 10 last month: http://www.sophos.com/virusinfo/topten/

Virus Distribution

- Email
  - Executable attachment that masquerades as an image file (”Click to see picture of Anna Kournikova!”)
  - HTML code that executes automatically in the email program (esp. Outlook and Outlook Express)
- Worm
  - Spreads directly from computer to computer
  - Often exploiting ’open ports’ or other vulnerabilities
- Trojan Horse / Logic Bomb
  - Virus disguised inside another program
- Greeting Cards (or other web sites)
  - Clicking a link may cause nasty things to happen
- Hoax
  - Email about a ‘false’ threat. May ask the user to delete an important system file and forward the email to other users

Virus Example: SoBig Email virus

- Distribution vector: Email
  - Arrives in an email message, installs its own SMTP engine (allows for sending email without using the installed email program)
  - Sends itself to all email addresses in address books
  - Forges the Sender address, so the person that the email appears to come from may not be infected (“email spoofing”)
  - User must execute the attachment to be infected
  - Tried to copy itself to Windows shares (unsuccessful, due to bugs)
- Payload: None (except for extra traffic)
  - Might download malicious software from a web site
  - Expired September 10, 2003

Source: http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html

Symantec’s Virus guidelines

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
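Added example (not part of the lecture or of Symantec's material): a small Python attachment filter of the kind the email-server guideline above describes, which also catches the image-masquerade trick from the Virus Distribution slide (a script named picture.jpg.vbs, or padded with spaces before the real extension). The five extensions are Symantec's; the extra ones in the block list, the sample message and its addresses are my own constructions.

```python
import email
from email import policy

# The five extensions Symantec's guideline names; .com, .cmd and .js are
# added here as an assumption, not part of the lecture's list.
BLOCKED_EXTENSIONS = {"vbs", "bat", "exe", "pif", "scr", "com", "cmd", "js"}

def suspicious_extensions(filename):
    """Return every blocked extension found anywhere in the filename."""
    # Checking every dotted segment, not only the last, catches the double
    # extension masquerade (picture.jpg.vbs) and space padding before the
    # real extension, which hides it in a narrow attachment column.
    segments = filename.strip().lower().split(".")[1:]  # drop the base name
    return [s.strip() for s in segments if s.strip() in BLOCKED_EXTENSIONS]

def scan_message(raw_bytes):
    """Parse one raw RFC 822 message; return (filename, hits) for each
    attachment that should be blocked, so a mail-server hook can
    quarantine the message or strip the part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:  # bodies and multipart containers carry no filename
            continue
        hits = suspicious_extensions(filename)
        if hits:
            findings.append((filename, hits))
    return findings

# Constructed sample message (addresses and content are made up): a script
# attachment disguised as a JPEG next to a harmless PDF.
SAMPLE_MESSAGE = b"""\
From: friend@example.com
To: you@example.com
Subject: Click to see picture!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: image/jpeg; name="picture.jpg.vbs"
Content-Disposition: attachment; filename="picture.jpg.vbs"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ--
"""

if __name__ == "__main__":
    for name, hits in scan_message(SAMPLE_MESSAGE):
        print(f"block {name!r}: extension(s) {hits}")
```

The declared Content-Type (image/jpeg) is deliberately ignored: the sender controls it, so only the filename and, in a fuller filter, the file's actual bytes should decide.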

The Six Computer Incidents with the Greatest Worldwide Economic Impact

ILOVEYOU was started by a student in the Philippines who had a project rejected by a teacher!

Measures of Protection

- General controls
  - Physical: a guard in front of a locked door can prevent many problems...
  - Biometric controls: fingerprint, hand print, retina scan, voice, ...
  - Data security control: confidentiality, access control, data integrity

Measures of Protection

- Network Protection and Firewalls
  - Access control
  - Encryption
  - Firewalls: most cost-effective defense, but not 100% effective
    - ZoneAlarm (personal software firewall)
    - Hardware firewall protects all computers on the LAN
- Intrusion Detection Software
  - How can you protect yourself if you don’t know you were attacked?
- Protection can be assured by conducting an audit
  - Perhaps even hiring a hacker…
- Managed Security Service Providers (MSSPs)
  - Outsource the whole thing!

Common Computer Crime Methods

What can You Do Personally?

- Install security patches (for Windows: www.windowsupdate.com)
- Use a virus scanner
- Take backups
- Protect your password (beware of social engineering)
- Install a firewall
- Encrypt sensitive data
- Don’t use IM chat software for sensitive communication (see http://news.com.com/2100-1023-976068.html)
  - Changing: vendors are coming out with ‘corporate’ versions
- Visit www.grc.com to make sure your Shields are Up

Privacy

Privacy Issues

- Privacy and the Government
- Privacy at work
- E-mail privacy
- Privacy and the Internet

Privacy Dilemma

- People’s right to privacy – not to be monitored
- Employers need to monitor activity on their premises
  - Discourage time-wasting behavior
  - Prevent criminal activity on the network
- Law enforcement needs to solve crimes
  - Anonymity makes some people more criminal/amoral

The Right to Know and the Ability to Decide

Email Privacy

- Work email is not private
  - Employers have the right to read employee email
  - Can be used as evidence in court
  - Companies need to have a policy for storing email
- Can also cause problems for elected officials
  - Recently the Oshkosh School Board was ‘discovered’ to delete messages
  - Violates open meeting laws

The Work Environment

Health Concerns

- Repetitive Motion Disorder (Repetitive Stress Injury; RSI): an injury that can be caused by working with computer keyboards and other equipment
- Carpal Tunnel Syndrome (CTS): the aggravation of the pathway for nerves that travel through the wrist (the carpal tunnel)
- Current research says computers do not cause permanent damage; a few months without a computer will help
  - Research is still being conducted
- Technology can also remove dangerous work situations

Ergonomics

The study of designing and positioning computer equipment for employee health and safety
- How high should your monitor be?
- Where should keyboard, mouse be?
- Good ways of working to minimize risks

Web sites on ergonomics:
- http://www.ics.uci.edu/~abaker/ergo/
- http://ergo.human.cornell.edu/ergoguide.html
- http://www.pao.gov.ab.ca/health/ergonomics/computer/

That’s it

- Thursday
  - Rest of lecture
  - Time to work on DB Project implementation. Suggested design solution will be available
- Tuesday
  - Web design/development lecture/demonstration
  - Learn to create your own web page
- Thursday
  - Lab to work on web page (IT Problem 4)