TJX: The Worst Data Breach Ever? - MIS315-05

Information Technology Foundations-BIT 112
CHAPTER 3
Ethics, Privacy and Information Security
Chapter Outline
• 3.1 Ethical Issues
• 3.2 Threats to Information Security
• 3.3 Protecting Information Resources
Learning Objectives
• Describe the major ethical issues related to
information technology and identify situations in
which they occur.
• Describe the many threats to information security.
• Understand the various defense mechanisms used to
protect information systems.
• Explain IT auditing and planning for disaster
recovery.
TJX: The Worst Data Breach Ever?
• 2007
• 46 Million customer accounts compromised.
Ethics Defined
• Ethics
– A branch of philosophy that deals with what is considered
to be right and wrong.
• A Code of Ethics
– A code of ethics is a collection of principles intended as a
guide for members of a company or organization.
Fundamental Tenets of Ethics
• Responsibility
– means that you accept the consequences of your decisions
and actions.
• Accountability
– means a determination of who is responsible for actions that
were taken.
• Liability
– a legal concept meaning that individuals have the right to
recover the damages done to them by other individuals,
organizations, or systems.
Ethical Issue Frameworks
• The diversity and ever expanding use of IT
applications have created a variety of ethical issues.
• These issues fall into four general categories:
– 1. Privacy issues involve collecting, storing, and
disseminating information about individuals.
– 2. Accuracy issues involve the authenticity, fidelity, and
accuracy of information that is collected and processed.
– 3. Property issues involve the ownership and value of
information.
– 4. Accessibility issues revolve around who should have
access to information and whether they should have to pay
for this access.
Unethical vs. Illegal
• What is unethical is not necessarily illegal.
Ethics scenarios
ethical? legal? File Sharing case
• You have recently bought some graphic design software
that is a far superior product, you believe, to its
competitors on the market. The price is rather high, but the
purchase was authorised by your boss for work related
purposes. The software is delivered on a single CD ROM.
You believe that many of your friends who work for other
companies would benefit if they were able to use this
software – and that the software developer would benefit
as well through additional sales. From an ethical
perspective, you believe that it would be unethical to keep
this information to yourself, given its likely value for your
friends, so you decide to share it with them. You make 10
copies on CD ROM and send it to them as a gift.
• Is this action legal? Is it ethical?
• What would you do?
Freedom of Speech; Censorship;
National Interest
• Your country is currently at war with a powerful neighbor. The government is urging all citizens to support the government and the armed forces, since a lack of consensus can only act to weaken the country and reduce the likelihood of victory.
• As an investigative journalist, you stumble upon a
startling, classified government report: 30% of the senior
officials in the government have vested interests in the
war via their connections with private companies, some of
which have been secretly arming the enemy for the last
few years. This material is clearly in the public interest,
yet publication is likely to bring about the fall of the
government, and possible defeat in the war.
• What should you do?
ethical? legal? Cybersquatting
• Cybersquatting is the practice of buying domain
names on the Internet and then holding them for your
own purposes. You might keep the site empty –no
content – and wait for someone to offer you a good
price. Alternatively, you might choose to put your
own content on the site. This has the potential to
misrepresent other individuals and organizations when
your domain name is very similar to the name of a
real organization.
• Do you think that cybersquatting should be illegal – or
that it is no more than an extension to the right to own
property? Can anyone “own” the word “ten”? Or
“whitehouse”?
The Four Categories of Ethical Issues
• The diversity and ever expanding use of IT
applications have created a variety of ethical issues.
• These issues fall into one or more of the following
four general categories:
– 1. Privacy issues involve collecting, storing, and
disseminating information about individuals.
– 2. Accuracy issues involve the authenticity, fidelity, and
accuracy of information that is collected and processed.
– 3. Property issues involve the ownership and value of
information.
– 4. Accessibility issues revolve around who should have
access to information and whether they should have to pay
for this access.
Privacy Issues
How much privacy do we have left?
Privacy Defined
• Privacy. The right to be left alone and to be free of
unreasonable personal intrusions.
• Court decisions have followed two rules:
– (1) The right of privacy is not absolute. Your privacy must
be balanced against the needs of society.
– (2) The public’s right to know is superior to the individual’s
right of privacy.
Threats to Privacy
• Data aggregators, digital dossiers, and profiling.
• Electronic Surveillance.
• Personal Information in Databases.
• Information on Internet Bulletin Boards, Newsgroups,
and Social Networking Sites.
Threats to Privacy: Data Aggregators,
Digital Dossiers, and Profiling
• Data aggregators
– companies that collect public data (e.g., real estate records,
telephone numbers) and nonpublic data (e.g., social security
numbers, financial data, police records, motor vehicle records)
and integrate them to produce digital dossiers.
• Digital dossier
– is an electronic description of you and your habits.
• Profiling
– is the process of creating a digital dossier.
Threats to Privacy: Electronic
Surveillance
• The tracking of people’s activities, online or offline, with the aid of computers.
• The image demonstrates that many people are blissfully unaware that they can be under electronic surveillance while they are using their computers.
Electronic Surveillance
• See "The State of Surveillance" article in BusinessWeek
Electronic Surveillance
• See the surveillance slideshow
• See additional surveillance slides
• And you think you have privacy? (video)
• Sense-through-the-Wall
Threats to Privacy: Personal Information
in Databases
• Banks
• Utility companies
• Government agencies
• Credit reporting agencies
Threats to Privacy: Personal Information
on Social Networking Sites
Social Networking Sites Can Cause
You Problems
Anyone can post derogatory information about you
anonymously.
(See this Washington Post article.)
You can also hurt yourself, as this article shows.
What Can You Do?
• First, be careful what information you post on social
networking sites.
• Second, a company, ReputationDefender, says it can
remove derogatory information from the Web.
Protecting Privacy
• Privacy Codes and Policies
– An organization’s guidelines with respect to protecting the
privacy of customers, clients, and employees.
• Two Models
– Opt-out Model of Informed Consent
• Permits the company to collect personal information
until the customer specifically requests that the data not
be collected.
– Opt-in Model of Informed Consent
• Means that organizations are prohibited from collecting
any personal information unless the customer
specifically authorizes it. (Preferred by privacy
advocates.)
Key Information Security Terms
• Threat
– Is any danger to which a system/information resource may be
exposed.
• Exposure
– Is the harm, loss or damage that can result if a threat
compromises an information resource.
• Vulnerability
– Is the possibility that the system/information resource will suffer
harm by a threat.
• Risk
– Is the likelihood that a threat will occur.
• Information system controls
– Are the procedures, devices, or software aimed at preventing a
compromise to a system.
Factors Increasing the Threats to
Information Security
• Today’s interconnected, interdependent, wirelessly networked business environment
• Government legislation
• Smaller, faster, cheaper computers and storage
devices
• Decreasing skills necessary to be a computer hacker.
• International organized crime turning to cybercrime
• Downstream liability
• Increased employee use of unmanaged devices
• Lack of management support
A Look at Unmanaged Devices
Wi-Fi at McDonalds
Hotel Business Center
Wi-Fi at Starbucks
Security Threats (Figure 3.1)
Categories of Threats to Information
Systems
• Unintentional acts
• Natural disasters
• Technical failures
• Management failures
• Deliberate acts
(from Whitman and Mattord, 2003)
• Example of a threat (video)
Categories of Threats: Unintentional Acts
• Human errors
• Deviations in quality of service by service providers
(e.g., utilities)
• Environmental hazards (e.g., dirt, dust, humidity)
Human Errors
• Tailgating
• Shoulder surfing
• Carelessness with laptops and portable computing
devices
• Opening questionable e-mails
• Careless Internet surfing
• Poor password selection and use
• And more
Anti-Tailgating Door
• To deter tailgating, many companies have anti-tailgating doors protecting the entrance into high-security areas.
• Note that only one person at a time can go through this door.
Shoulder Surfing
• Occurs when the attacker watches another person’s computer screen over that person’s shoulder. Particularly dangerous in public areas such as airports, commuter trains, and on airplanes.
Most Dangerous Employees
• The biggest threat to the security of an organization’s information assets is the company’s employees.
• In fact, the most dangerous employees are those in human resources and IT.
– HR employees have access to sensitive personal data on all employees.
– IT employees not only have access to sensitive personal data, but control the means to create, store, transmit, and modify these data.
Remember, employees hold ALL the information.
Social Engineering
• An attack where the attacker uses social skills to trick a
legitimate employee into providing confidential company
information such as passwords.
• Social engineering is a typically unintentional human error
on the part of an employee, but it is the result of a
deliberate action on the part of an attacker.
• 60 Minutes Interview with Kevin Mitnick, the “King of
Social Engineering”
• Kevin Mitnick served several years in a federal prison.
Upon his release, he opened his own consulting firm,
advising companies on how to deter people like him,
– See his company here
Categories of Threats: Natural Disasters
Categories of Threats: Deliberate Acts
• Espionage or trespass
– Competitive intelligence consists of legal information-gathering techniques. Espionage crosses the legal boundary.
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
– For example, dumpster diving
Deliberate Acts (continued)
• Compromises to intellectual property
– Intellectual property. Property created by individuals or
corporations which is protected under trade secret, patent,
and copyright laws.
• Trade secret. Intellectual work, such as a business plan,
that is a company secret and is not based on public
information.
• Patent. Document that grants the holder exclusive rights
on an invention or process for 20 years.
• Copyright. Statutory grant that provides creators of
intellectual property with ownership of the property for
life of the creator plus 70 years.
– Piracy. Copying a software program without making
payment to the owner.
Deliberate Acts (continued)
• Software attacks
– Virus
• a segment of computer code that performs malicious actions by
attaching to another computer program.
– Worm
• 1988: first widespread worm, created by Robert T. Morris, Jr.
• (see the rapid spread of the Slammer worm)
• a segment of computer code that spreads by itself and performs
malicious actions without requiring another computer program.
– Trojan horse
• a software program that hides in other computer programs and reveals its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send it to the creator of the Trojan horse.
– Logic Bomb
• a segment of computer code that is embedded within an
organization’s existing computer programs and is designed to
activate and perform a destructive action at a certain time and date.
Deliberate Acts (continued)
• Software attacks (continued)
– Phishing attacks
• use deception to acquire sensitive personal information
by masquerading as official-looking e-mails or instant
messages.
– Distributed denial-of-service attacks
• The attacker first takes over many computers. These computers are called zombies or bots. Together, these bots form a botnet.
• See botnet demonstration
How to Detect a Phish E-mail
Deliberate Acts (continued)
• Alien Software
– Spyware (see video)
• Collects personal information about users without their
consent. Two types of spyware are keystroke loggers
(keyloggers) and screen scrapers. Keystroke loggers record
your keystrokes and your Web browsing history. Screen
scrapers record a continuous “movie” of what you do on a
screen.
– Spamware
• is alien software that is designed to use your computer as a
launchpad for spammers. Spam is unsolicited e-mail.
– Cookies
• are small amounts of information that Web sites store on your
computer. The cookie demo will show you how much
information your computer sends when you connect to a Web
site.
Deliberate Acts (continued)
• Supervisory control and data acquisition (SCADA)
attacks.
– A large-scale, distributed, measurement and control system.
– SCADA systems are the link between the electronic world
and the physical world.
(Figure: wireless sensor)
• Video of an experimental SCADA attack that was successful.
What if a SCADA attack were successful?
Northeastern U.S. power outage in 2003
3.3 Protecting Information Resources
Risk!
There is always risk!
And then there is real risk!
Risk Management
• Risk.
– The probability that a threat will impact an information resource.
• Risk management.
– To identify, control and minimize the impact of threats.
• Risk analysis.
– To assess the value of each asset being protected, estimate the
probability it might be compromised, and compare the probable
costs of it being compromised with the cost of protecting it.
• Risk mitigation
– When an organization takes concrete actions against risk. It has two functions:
– (1) implementing controls to prevent identified threats from occurring, and
– (2) developing a means of recovery should the threat become a reality.
Risk Mitigation Strategies
• Risk Acceptance.
– Accept the potential risk, continue operating with no
controls, and absorb any damages that occur.
• Risk Limitation.
– Limit the risk by implementing controls that minimize the impact of a threat.
• Risk Transference.
– Transfer the risk by using other means to compensate for
the loss, such as purchasing insurance.
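The risk analysis recipe on the previous slide (value each asset, estimate the probability it is compromised, compare the probable cost of compromise with the cost of protecting it) and the three mitigation strategies above can be carried out in a few lines. The following is an added example for this course page, not material from the slides or the textbook; the assets, probabilities, control costs and insurance premiums in it are constructed figures, and the "cheapest annual cost wins" decision rule is an assumption that generalises the slides' cost comparison to all three strategies.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    """One protected asset with the figures the slide's risk analysis needs.
    Money values are per year; probabilities are annual."""
    name: str
    value: float                        # loss if the asset is fully compromised
    p_compromise: float                 # estimated probability of compromise with no controls
    control_cost: float                 # cost of the controls that would limit the threat
    residual_p: float                   # probability that remains once controls are in place
    insurance_premium: Optional[float]  # premium to transfer the risk, None if not insurable


def expected_loss(value: float, probability: float) -> float:
    """Probable cost of compromise: asset value times probability of compromise."""
    return value * probability


def strategy_costs(asset: Asset) -> Dict[str, float]:
    """Annual cost of each risk mitigation strategy named on the slides."""
    costs = {
        # accept: no controls, absorb whatever loss occurs
        "accept": expected_loss(asset.value, asset.p_compromise),
        # limit: pay for controls, and still bear the reduced expected loss
        "limit": asset.control_cost + expected_loss(asset.value, asset.residual_p),
    }
    if asset.insurance_premium is not None:
        # transfer: pay the premium; the insurer bears the loss
        costs["transfer"] = asset.insurance_premium
    return costs


def choose_strategy(asset: Asset) -> Tuple[str, float]:
    """Cheapest strategy for the asset and its annual cost (rounded to cents)."""
    costs = strategy_costs(asset)
    best = min(costs, key=costs.get)
    return best, round(costs[best], 2)


# Constructed sample assets; the figures are illustrative, not from the slides.
SAMPLE_ASSETS: List[Asset] = [
    Asset("customer card database", 5_000_000, 0.05, 120_000, 0.005, 300_000),
    Asset("cafeteria menu web page", 2_000, 0.30, 5_000, 0.02, None),
    Asset("payroll server", 800_000, 0.10, 15_000, 0.01, 150_000),
]


def risk_report(assets: List[Asset]) -> List[Tuple[str, str, float]]:
    """(asset name, chosen strategy, annual cost) for every asset."""
    return [(a.name,) + choose_strategy(a) for a in assets]


if __name__ == "__main__":
    for name, strategy, cost in risk_report(SAMPLE_ASSETS):
        print(f"{name:28s} -> {strategy:8s} (annual cost {cost:,.2f})")
```

Run as a script it prints one line per asset. With the constructed figures, the card database and the payroll server are worth protecting (limiting the risk costs less than the expected loss), while the low-value web page is cheaper to leave alone and accept the risk; insurance only wins when the premium undercuts both other options.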
Risk Optimization
Risk Limitation: Controls
• To protect their information assets, organizations implement controls, or defense mechanisms (also called countermeasures).
• Controls are intended to prevent accidental hazards,
deter intentional acts, detect problems as early as
possible, enhance damage recovery, and correct
problems.
• Security controls are designed to protect all of the
components of an information system, including data,
software, hardware, and networks.
• Because there are so many diverse threats,
organizations utilize layers of controls.
Risk Limitation: Control Layers
• Physical controls.
– Physical protection of computer facilities and resources.
• Access controls.
– Restrict unauthorized individuals from using information
resources. These controls involve two major functions:
authentication and authorization.
• Communications (network) controls.
– Secure the movement of data across networks. Consist of firewalls, anti-malware systems, intrusion detection systems, encryption, virtual private networking (VPN), and vulnerability management systems.
• Application controls
– Are security counter-measures that protect specific applications.
The three major categories of these controls are input, processing,
and output controls.
Where Defense Mechanisms (Controls)
Are Located
Access Controls
• Authentication. Major objective is proof of identity.
– Something the user is, also known as biometrics. These access controls examine a user's innate physical characteristics.
• The latest biometric: gait recognition
• The Raytheon Personal Identification Device
– Something the user has. These access controls include
regular ID cards, smart cards, and tokens.
– Something the user does. These access controls include
voice and signature recognition.
– Something the user knows.
• passwords
• passphrases
Access Controls (continued)
• Authorization
– Permission issued to individuals and groups to do certain
activities with information resources, based on verified
identity.
• Privilege
– A collection of related computer system operations that can
be performed by users of the system.
• Least privilege
– A principle that users be granted the privilege for some
activity only if there is a justifiable need to grant this
authorization.
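Authorization, privilege and least privilege fit together as a small piece of code: a privilege is a named set of operations, a user gets operations only through granted privileges and only after identity has been verified, and a least-privilege review asks which granted privileges a user has never actually needed. The block below is an added illustration written for this page, not code from the course; the users, privileges and usage log are constructed sample data, and the "granted but never used" rule is one simple way to look for grants without a justifiable need.

```python
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# A privilege: a collection of related system operations (slide definition).
PRIVILEGES: Dict[str, FrozenSet[str]] = {
    "payroll_view":    frozenset({"payroll.read"}),
    "payroll_admin":   frozenset({"payroll.read", "payroll.write", "payroll.approve"}),
    "hr_records":      frozenset({"hr.read", "hr.write"}),
    "backup_operator": frozenset({"backup.run", "backup.restore"}),
}

# Privileges granted to each user (constructed). Carol was given payroll_admin
# "just in case", which a least-privilege review should question.
GRANTS: Dict[str, Set[str]] = {
    "alice": {"payroll_view"},
    "bob":   {"payroll_admin", "backup_operator"},
    "carol": {"hr_records", "payroll_admin"},
}

# Identities verified by authentication in the current session (constructed).
AUTHENTICATED: Set[str] = {"alice", "bob"}


def authorize(user: str, operation: str) -> bool:
    """Default deny: permit the operation only for a verified identity that holds
    a privilege containing it."""
    if user not in AUTHENTICATED:
        return False
    return any(operation in PRIVILEGES[p] for p in GRANTS.get(user, ()))


# Constructed usage log: (user, operation) pairs observed over a review period.
USAGE_LOG: List[Tuple[str, str]] = [
    ("alice", "payroll.read"),
    ("bob", "payroll.read"),
    ("bob", "payroll.write"),
    ("bob", "backup.run"),
    ("carol", "hr.read"),
    ("carol", "hr.write"),
]


def excess_privileges(user: str, usage: Iterable[Tuple[str, str]]) -> Set[str]:
    """Least-privilege review: privileges granted to `user` none of whose
    operations appear in the usage log. Each is a candidate for removal."""
    used = {op for u, op in usage if u == user}
    return {p for p in GRANTS.get(user, set()) if not (PRIVILEGES[p] & used)}


def review_all(usage: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Excess privileges for every user who has any."""
    log = list(usage)
    report = {u: excess_privileges(u, log) for u in GRANTS}
    return {u: extra for u, extra in report.items() if extra}


if __name__ == "__main__":
    print("alice may read payroll:", authorize("alice", "payroll.read"))
    print("alice may write payroll:", authorize("alice", "payroll.write"))
    print("carol (not authenticated) may read HR:", authorize("carol", "hr.read"))
    print("grants to question:", review_all(USAGE_LOG))
```

The two halves mirror the two functions of access control on the slides: `authorize` is the runtime check (authentication first, then authorization against granted privileges, deny by default), and `review_all` is the periodic check that keeps grants aligned with a justifiable need.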
Communication or Network Controls
• Firewalls
– System that enforces access-control policy between two networks.
• Anti-malware systems (also called antivirus software)
– Software packages that attempt to identify and eliminate viruses, worms, and other
malicious software. The logos show three anti-malware companies. Clicking on the
link will take you to each company’s homepage.
• Whitelisting
– A process in which a company identifies the software that it will allow to run and
does not try to recognize malware.
• Blacklisting
– A process in which a company allows all software to run unless it is on the blacklist.
• Intrusion Detection Systems
– Designed to detect all types of malicious network traffic and computer usage that
cannot be detected by a firewall.
• Encryption.
– Process of converting an original message into a form that cannot be read by anyone
except the intended receiver.
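The whitelisting and blacklisting definitions above differ in what happens to software nobody has seen before. The block below makes that difference concrete by identifying programs by the SHA-256 of their contents; it is an added example for this page, not code from the course or from any anti-malware product, and the "programs" are constructed byte strings standing in for real executables.

```python
import hashlib
from typing import Dict, Set


def sha256_hex(content: bytes) -> str:
    """Identify a program by the hash of its exact contents."""
    return hashlib.sha256(content).hexdigest()


# Constructed catalogue of programs found on a workstation.
PROGRAMS: Dict[str, bytes] = {
    "wordproc.exe":    b"approved word processor build 12.3",
    "spreadsheet.exe": b"approved spreadsheet build 7.1",
    "oldvirus.exe":    b"malware sample already known to the vendor",
    "newthing.exe":    b"unknown tool downloaded yesterday",
}

# Whitelist: hashes of the software the company has decided may run.
WHITELIST: Set[str] = {
    sha256_hex(PROGRAMS["wordproc.exe"]),
    sha256_hex(PROGRAMS["spreadsheet.exe"]),
}

# Blacklist: hashes of software the company already knows to be malicious.
BLACKLIST: Set[str] = {sha256_hex(PROGRAMS["oldvirus.exe"])}

# An approved program with extra bytes appended, i.e. altered after approval.
TAMPERED: bytes = PROGRAMS["wordproc.exe"] + b" + injected code"


def whitelist_allows(content: bytes) -> bool:
    """Default deny: run only if this exact build was approved.
    No attempt is made to recognise malware."""
    return sha256_hex(content) in WHITELIST


def blacklist_allows(content: bytes) -> bool:
    """Default allow: run unless this exact build is on the blacklist."""
    return sha256_hex(content) not in BLACKLIST


def compare_policies(programs: Dict[str, bytes]) -> Dict[str, Dict[str, bool]]:
    """Decision of each policy for each program."""
    return {
        name: {"whitelist": whitelist_allows(c), "blacklist": blacklist_allows(c)}
        for name, c in programs.items()
    }


if __name__ == "__main__":
    for name, decision in compare_policies(PROGRAMS).items():
        print(f"{name:16s} whitelist={decision['whitelist']!s:5s} blacklist={decision['blacklist']}")
    print("tampered copy of wordproc.exe:",
          "whitelist", whitelist_allows(TAMPERED), "blacklist", blacklist_allows(TAMPERED))
```

Both policies agree on the approved programs and on the known sample. They disagree on `newthing.exe` and on the tampered copy: the blacklist lets both run because it has never seen them, the whitelist blocks both because they were never approved. That is why the slide says whitelisting "does not try to recognize malware"; it only has to recognise what is permitted.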
Basic Home Firewall (top) and Corporate
Firewall (bottom)
Basic Home Firewall and Corporate
Firewall
• A basic home firewall can be implemented as
software on the home computer.
• A corporate firewall has the following components:
– (1) external firewall facing the Internet
– (2) a demilitarized zone (DMZ) located between the two
firewalls; the DMZ contains company servers that typically
handle Web page requests and e-mail.
– (3) an internal firewall that faces the company network
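The three-part corporate layout above (external firewall, DMZ, internal firewall) can be modelled as two rule lists and a map of which firewalls a packet crosses between two zones. The following is an added example written for this page, not a real firewall's configuration and not code from the course; the zone names, rule sets and port choices are constructed, and the first-match-wins, default-deny evaluation is the usual packet-filter convention assumed here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "deny"


INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

# (1) External firewall, facing the Internet. Outsiders reach only the public
# services in the DMZ; constructed rules.
EXTERNAL_FW: List[Rule] = [
    Rule(INTERNET, DMZ, "tcp", 80, "allow"),         # Web page requests
    Rule(INTERNET, DMZ, "tcp", 443, "allow"),        # HTTPS
    Rule(INTERNET, DMZ, "tcp", 25, "allow"),         # inbound e-mail to the DMZ relay
    Rule(DMZ, INTERNET, "any", None, "allow"),       # DMZ servers may reply and relay out
    Rule(INTERNAL, INTERNET, "any", None, "allow"),  # staff traffic going out
    Rule(INTERNET, INTERNAL, "any", None, "deny"),   # never straight into the company network
]

# (3) Internal firewall, facing the company network. Only the DMZ mail relay may
# speak to the inside, and only on the mail port.
INTERNAL_FW: List[Rule] = [
    Rule(DMZ, INTERNAL, "tcp", 25, "allow"),         # relay hands mail to the internal mail store
    Rule(INTERNAL, DMZ, "any", None, "allow"),       # staff may use the DMZ servers
    Rule(INTERNAL, INTERNET, "any", None, "allow"),  # outbound; still has to pass the external firewall
]

# (2) The DMZ sits between the two firewalls, so which firewalls a packet
# crosses depends on the zones it travels between.
PATH: Dict[Tuple[str, str], List[List[Rule]]] = {
    (INTERNET, DMZ): [EXTERNAL_FW],
    (DMZ, INTERNET): [EXTERNAL_FW],
    (INTERNET, INTERNAL): [EXTERNAL_FW, INTERNAL_FW],
    (INTERNAL, INTERNET): [INTERNAL_FW, EXTERNAL_FW],
    (DMZ, INTERNAL): [INTERNAL_FW],
    (INTERNAL, DMZ): [INTERNAL_FW],
}


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule decides; no match means the implicit default deny."""
    for r in rules:
        if (r.src_zone == src and r.dst_zone == dst
                and r.proto in ("any", proto) and r.dst_port in (None, port)):
            return r.action
    return "deny"


def path_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """A packet is delivered only if every firewall on its path allows it."""
    return all(evaluate(fw, src, dst, proto, port) == "allow" for fw in PATH[(src, dst)])


if __name__ == "__main__":
    samples = [
        (INTERNET, DMZ, "tcp", 443),      # customer fetching a Web page
        (INTERNET, DMZ, "tcp", 22),       # outsider probing SSH on the Web server
        (INTERNET, INTERNAL, "tcp", 80),  # outsider aiming straight at the LAN
        (DMZ, INTERNAL, "tcp", 25),       # relay delivering mail inward
        (DMZ, INTERNAL, "tcp", 445),      # compromised DMZ host trying file sharing inward
    ]
    for src, dst, proto, port in samples:
        print(f"{src:>8s} -> {dst:<8s} {proto}/{port:<4d} {'allowed' if path_allowed(src, dst, proto, port) else 'blocked'}")
```

The point of the layered layout shows in the last two sample packets: a DMZ server that has been taken over can still only reach the inside on the one port the internal firewall permits, and an outsider can never reach the company network without passing both firewalls.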
How Public Key Encryption Works
How Digital Certificates Work
• A digital certificate is an electronic document attached to a file
certifying that the file is from the organization that it claims to
be from and has not been modified from its original format.
• Certificate authorities, which are trusted intermediaries
between two organizations, issue digital certificates.
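The two slides above (public key encryption, digital certificates) describe a chain of trust: a certificate authority signs the binding of an organisation's name to its public key, the organisation signs the file it sends, and the receiver checks both signatures. The block below walks through that chain end to end. It is an added teaching example for this page, not code from the course and not a real PKI: the keys are textbook RSA built from four small Mersenne primes so the arithmetic stays readable, the signature covers a truncated SHA-256 hash with no padding, and the "Toy CA" and "Example Corp" parties are constructed.

```python
import hashlib
import json
from typing import Dict, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA key pair from two primes. Teaching model only: real keys
    are thousands of bits and use padding; these are far too small for use."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest_int(data: bytes) -> int:
    """First 128 bits of SHA-256 as an integer, which is below every toy modulus here."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(private_key: PrivateKey, data: bytes) -> int:
    """Signature = hash of the data raised to the private exponent."""
    n, d = private_key
    return pow(digest_int(data), d, n)


def verify(public_key: PublicKey, data: bytes, signature: int) -> bool:
    """Anyone with the public key can check that the signature matches the data."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)


def canonical(body: Dict) -> bytes:
    """Stable byte encoding of a certificate body, so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(ca_private: PrivateKey, subject: str, subject_pub: PublicKey) -> Dict:
    """The CA, as trusted intermediary, signs the binding of a name to a public key."""
    body = {"issuer": "Toy CA", "subject": subject, "public_key": list(subject_pub)}
    return {"body": body, "signature": sign(ca_private, canonical(body))}


def verify_file(ca_pub: PublicKey, cert: Dict, claimed_sender: str,
                file_bytes: bytes, file_sig: int) -> bool:
    """Accept the file only if (1) the CA really issued this certificate,
    (2) it names the claimed sender, and (3) that sender's key signed these exact bytes."""
    if not verify(ca_pub, canonical(cert["body"]), cert["signature"]):
        return False
    if cert["body"]["subject"] != claimed_sender:
        return False
    subject_pub = tuple(cert["body"]["public_key"])
    return verify(subject_pub, file_bytes, file_sig)


# Constructed parties. The primes are 2^89-1, 2^61-1, 2^127-1 and 2^31-1.
CA_PUB, CA_PRIV = make_keypair((1 << 89) - 1, (1 << 61) - 1)
ORG_PUB, ORG_PRIV = make_keypair((1 << 127) - 1, (1 << 31) - 1)
CERT = issue_certificate(CA_PRIV, "Example Corp", ORG_PUB)
FILE = b"quarterly-report.pdf (constructed file contents)"
FILE_SIG = sign(ORG_PRIV, FILE)

# A certificate whose subject line was edited after the CA signed it.
FORGED_CERT = {"body": dict(CERT["body"], subject="Evil Corp"), "signature": CERT["signature"]}

if __name__ == "__main__":
    print("genuine file, genuine certificate:", verify_file(CA_PUB, CERT, "Example Corp", FILE, FILE_SIG))
    print("file modified in transit:         ", verify_file(CA_PUB, CERT, "Example Corp", FILE + b"!", FILE_SIG))
    print("certificate edited after signing: ", verify_file(CA_PUB, FORGED_CERT, "Evil Corp", FILE, FILE_SIG))
```

Each failing case maps to one of the slide's two promises: a changed file fails the sender's signature (the file "has not been modified"), and an edited or borrowed certificate fails the CA's signature or the name check (the file "is from the organization that it claims to be from"). The receiver never needs any private key, only the CA's public key, which is why the CA is the trusted intermediary.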
Communication or Network Controls
(continued)
• A Virtual Private Network is a private network that uses a
public network (usually the Internet) to connect users.
• Secure Socket Layer (SSL), now called Transport Layer
Security (TLS), is an encryption standard used for secure
transactions such as credit card purchases and online
banking.
• Vulnerability Management Systems (also called Security
On Demand) extend the security perimeter that exists for
the organization’s managed devices, to unmanaged,
remote devices.
• Employee Monitoring Systems monitor employees’
computers, e-mail activities, and Internet surfing
activities.
Virtual Private Network and Tunneling
• Tunneling encrypts each data packet that is sent and
places each encrypted packet inside another packet.
Popular Vulnerability Management
Systems
Employee Monitoring System
• This image provides a demonstration of how an employee
monitoring system looks to the network administrator. He
or she sees the screens that everyone is on, and can “zoom
in” on any one person’s screen.
Popular Employee Monitoring
Systems
Finally…
Business Continuity Planning, Backup,
and Recovery
• A Business Continuity Plan is also known as a
Disaster Recovery Plan.
• Purpose is to keep the business operating after a
disaster occurs. Three levels/types of continuity
facilities:
– A Hot Site is a fully configured computer facility, with all
services, communications links, and physical plant
operations.
– A Warm Site provides many of the same services and
options of the hot site, but it typically does not include the
actual applications the company runs.
– A Cold Site provides only rudimentary services and
facilities and so does not supply computer hardware or user
workstations.
Information Systems Auditing
• Companies implement security controls to ensure that systems are working properly. Independent or unbiased observers are tasked to audit (examine) the information systems, their inputs, outputs and processing.
• Types of Auditors and Audits
– Internal. Performed by corporate internal auditors.
– External. Reviews internal audit as well as the inputs,
processing and outputs of information systems.
Auditing Procedure
• Auditing around the computer
– Means verifying processing by checking for known outputs
using specific inputs.
• Auditing through the computer
– Means inputs, outputs and processing are checked.
Auditors review program logic and test data.
• Auditing with the computer
– Means using a combination of client data, auditor software,
and client and auditor hardware. Allows the auditor to
perform tasks such as simulating payroll program logic
using live data.
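Two of the three auditing procedures above can be shown side by side on a small payroll program: auditing around the computer feeds specific inputs and checks for the known outputs, while auditing with the computer re-runs the live data through the auditor's own software and reports every record where the two disagree (the slide's "simulating payroll program logic using live data"). Auditing through the computer is a review of the program's logic and is done by reading the code, so it has no function here. The block is an added example for this page, not code from the course; the payroll rule, the live records and the client program, including the defect planted in it for one employee, are all constructed.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Tuple

CENT = Decimal("0.01")
TAX_RATE = Decimal("0.20")
OVERTIME_MULTIPLIER = Decimal("1.5")
STANDARD_HOURS = Decimal("40")


def client_system_net_pay(employee_id: str, hours: Decimal, rate: Decimal) -> Decimal:
    """The client's payroll program, which the auditor treats as a black box.
    It carries a constructed defect: employee E004 is quietly paid 50.00 extra."""
    ot_hours = hours - STANDARD_HOURS if hours > STANDARD_HOURS else Decimal("0")
    gross = (hours - ot_hours) * rate + ot_hours * rate * OVERTIME_MULTIPLIER
    net = (gross - gross * TAX_RATE).quantize(CENT, rounding=ROUND_HALF_UP)
    if employee_id == "E004":
        net += Decimal("50.00")
    return net


def auditor_net_pay(hours: Decimal, rate: Decimal) -> Decimal:
    """Auditor software: an independent implementation of the agreed payroll rule."""
    regular = min(hours, STANDARD_HOURS)
    overtime = max(hours - STANDARD_HOURS, Decimal("0"))
    gross = regular * rate + overtime * rate * OVERTIME_MULTIPLIER
    return (gross * (1 - TAX_RATE)).quantize(CENT, rounding=ROUND_HALF_UP)


# Auditing around the computer: test inputs with known correct outputs (constructed).
KNOWN_CASES: List[Tuple[str, Decimal, Decimal, Decimal]] = [
    ("T001", Decimal("40"), Decimal("25.00"), Decimal("800.00")),
    ("T002", Decimal("45"), Decimal("30.00"), Decimal("1140.00")),
    ("T003", Decimal("38.5"), Decimal("22.40"), Decimal("689.92")),
]


def audit_around(cases: List[Tuple[str, Decimal, Decimal, Decimal]]) -> List[str]:
    """Ids of test cases whose system output differs from the known output."""
    return [emp for emp, h, r, expected in cases
            if client_system_net_pay(emp, h, r) != expected]


# Auditing with the computer: the client's live data (constructed records).
LIVE_DATA: Dict[str, Tuple[Decimal, Decimal]] = {
    "E001": (Decimal("40"), Decimal("25.00")),
    "E002": (Decimal("45"), Decimal("30.00")),
    "E003": (Decimal("38.5"), Decimal("22.40")),
    "E004": (Decimal("40"), Decimal("25.00")),
}


def audit_with(live: Dict[str, Tuple[Decimal, Decimal]]) -> Dict[str, Tuple[str, str]]:
    """Parallel simulation: {employee: (system amount, auditor amount)} where they differ."""
    findings = {}
    for emp, (h, r) in live.items():
        system_val = client_system_net_pay(emp, h, r)
        auditor_val = auditor_net_pay(h, r)
        if system_val != auditor_val:
            findings[emp] = (str(system_val), str(auditor_val))
    return findings


if __name__ == "__main__":
    print("around the computer, failing test cases:", audit_around(KNOWN_CASES))
    print("with the computer, live discrepancies:  ", audit_with(LIVE_DATA))
```

The contrast is the lesson: the known-input test passes, because the planted defect only triggers for one real employee id that no test case uses, whereas the parallel simulation over live data flags E004 immediately. That is the practical reason auditors go beyond auditing around the computer when they suspect logic that singles out particular records.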
Chapter Closing Case