Information and Ethics, Information Security and Malicious Programs
BSAD 141
Dave Novak
Topics Covered

Information and ethics
Information security: incidental, intentional or accidental loss of data, data integrity or data confidentiality
Intellectual property
Discussion of viruses
How does encryption work?
What is a digital signature?

Ethics and Information

Ethics – The principles and standards that
guide our behavior toward other people

Information ethics – Govern the ethical and
moral issues arising from the development
and use of information technologies, as well
as the creation, collection, duplication,
distribution, and processing of information
Ethics and Information

Business issues related to information ethics

Intellectual property

Copyright

Pirated software

Counterfeit software

Are ethical standards the same across cultures?
Ethics and Information

Privacy is a major ethical issue in the US

Privacy – The right to be left alone when
you want to be, to have control over your
own personal possessions, and not to be
observed without your consent

Confidentiality – the assurance that
messages and information are available
only to those who are authorized to view
them
Ethics and Information

Individuals form the only ethical component of MIS

Software and hardware do not engage in ethical or unethical behavior

Information does not care how it is used

• Will not stop itself from sending spam, viruses, or highly-sensitive information

Information-based ethical policies therefore focus on the behavior and choices of individuals using various technologies
Ethics and Information

Ethical Issues

Copying, using, and distributing software

Searching organizational databases for sensitive and personal information

Creating and/or spreading viruses or other malicious programs

Viewing and/or stealing information

Destroying information
Legal versus Ethical

Legal = Laws
Ethical = Values

[Figure: 2x2 matrix with axes Legal / Not Legal and Ethical / Not Ethical]
Organizational Information Management Policies

Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement

1) Computer use policy
2) Information privacy policy
3) Acceptable use policy
4) Email privacy policy
5) Social media policy
6) Workplace monitoring policy

1) Computer Use Policy

General principles to guide computer user behavior

The ethical computer user policy ensures:

all users are informed of the rules, and

by agreeing to use the system on that basis, consent to abide by the rules
2) Information Privacy Policy

General principles regarding information privacy

The unethical use of information typically occurs “unintentionally” when it is used for new purposes

Who decides how an organization uses information and exactly what information they use?
3) Acceptable Use Policy

Set of rules that restricts how a particular technological resource may be used

Requires a user to agree to follow the policy in order to access the resource (corporate email, information systems, and the Internet)

Nonrepudiation – A contractual stipulation to ensure that ebusiness participants do not deny their online actions
4) Email Privacy Policy

Details the extent to which email messages
may be read by others

Organizations can mitigate the risks of email
and instant messaging communication tools
by implementing and adhering to an email
privacy policy

Extends well beyond spam…
4) Email Privacy Policy

Can the government read your private emails?

http://people.howstuffworks.com/storedemail.htm
5) Social Media Policy

Guidelines or principles governing employee online communications – extends beyond email

There is no such thing as a private or truly restricted social media site

http://socialmediagovernance.com/policies.php
http://www.robertbeadle.com/2011/02/25/6-reasons-why-yourcompany-needs-a-social-mediapolicy/
6) Workplace Monitoring Policy

Addresses organization’s policies
regarding monitoring employee behavior
both in and out of work

The dilemma surrounding employee
monitoring in the workplace is that an
organization is placing itself at risk if it
fails to monitor its employees; however,
some people feel that monitoring
employees is unethical or goes “too far”
6) Workplace Monitoring Policy

“A 2007 survey by the American Management Association and the
ePolicy Institute found that two-thirds of employers monitor their
employees' web site visits in order to prevent inappropriate surfing.
And 65% use software to block connections to web sites deemed off
limits for employees. This is a 27% increase since 2001 when the
survey was first conducted. Employers are concerned about
employees visiting adult sites with sexual content, as well as games,
social networking, entertainment, shopping and auctions, sports, and
external blogs. Of the 43% of companies that monitor e-mail, nearly
three-fourths use technology to automatically monitor e-mail. And 28%
of employers have fired workers for e-mail misuse.
Close to half of employers track content, keystrokes, and time spent at
the keyboard. And 12% monitor blogs to see what is being written
about the company. Another 10% monitor social networking sites.”
Source: quoted directly from https://www.privacyrights.org/fs/fs7-work.htm#2a
6) Workplace Monitoring Policy

Employee monitoring policy – Explicitly
state how, when, and where the company
monitors its employees

Key logger or key trapper software

Cookie

Adware

Spyware

Web log

Clickstream
6) Workplace Monitoring Policy

What can my employer monitor?

https://www.privacyrights.org/fs/fs7work.htm#2a
Protecting Intellectual Assets

Organizational information is intellectual
capital - it must be protected

Information security – protection of
information from accidental loss of access,
intentional misuse of or lost confidence in the
integrity of data and information systems

Downtime – Refers to a period of time when
a system is unavailable
Threats Caused by Hackers and Viruses

Virus – Software / code written to replicate and may have malicious intent

Backdoor program
Polymorphic virus
Trojan-horse virus
Worm

Denial-of-service attack (DoS) – floods a computer or site with requests

Primary Difference Between Viruses and Worms?

How Viruses Spread
Threats Caused by Hackers and Viruses

Terms to be familiar with:
Elevation of privilege
Packet tampering
Sniffer
Spoofing
Spyware
Anti-Virus and Anti-Spyware Software

An easy and effective way to protect yourself (to some degree) is to install anti-virus and anti-spyware software

There is no reason not to do this…

Use common sense
People: 1st Line of Defense

To function, organizations must enable
employees, customers, and partners to access
information electronically

The biggest issue surrounding information
security is not a technical issue, but a people
issue

Insiders

Social engineering

Dumpster diving
Technology: 2nd Line of Defense

There are three primary information
technology security areas

1) Authentication and authorization

2) Prevention and resistance

3) Detection and response
1) Authentication and Authorization

Authentication – Confirming users’ identities

Authorization – The process of giving someone permission to do or have something

The most secure type of authentication involves:

Something the user knows

Something the user has

Something that is part of the user
Something the User Knows:

Username and password is the most
common way to identify individual users

Also the most ineffective form of
authentication

Over 50 percent of help-desk calls are
password related

http://www.youtube.com/watch?v=hOxxTaBP3xs
Something the User Has:

Smart cards and tokens are more
effective than a user ID and a
password

Tokens – Small electronic devices that
change user passwords automatically

Smart card – A device that is around the
same size as a credit card, containing
embedded technologies that can store
information and small amounts of
software to perform some limited
processing
Something That is Part of the User:

Biometrics – using physical characteristics
such as a fingerprint, iris, face, voice, or
handwriting to obtain access

Unfortunately, this method can be costly
and intrusive

If your fingerprint is compromised, how do
you change it?
Securing Data Communications

Encryption involves the conversion of
plain text into code

Both sender and receiver would have to
translate the code to read the message

Encryption

Public key encryption (PKE)

Certificate authority

Digital certificate
Securing Data Communications

Encryption – two basic forms

Symmetric or Private key encryption

Asymmetric or Public key encryption (PKE)

http://www.youtube.com/watch?v=ERp8420ucGs
http://www.wimp.com/howencryption/
http://www.youtube.com/watch?v=4GyP4vkOQM0
Public Key Encryption

An unpredictable (typically large and random) number is used to begin generation of an acceptable pair of keys suitable for use by an asymmetric key algorithm

Source: Public-key cryptography [online], downloaded on 11/29/2010, http://en.wikipedia.org/wiki/Asymmetric_encryption

Public key encryption

In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt. Security depends on the secrecy of that private key.

Source: Public-key cryptography [online], downloaded on 11/29/2010, http://en.wikipedia.org/wiki/Asymmetric_encryption

Public key encryption

In some related signature schemes, the private key is used to sign a message (using a digital signature); but anyone can check the signature using the public key. Validity depends on private key security.

Source: Public-key cryptography [online], downloaded on 11/29/2010, http://en.wikipedia.org/wiki/Asymmetric_encryption
Digital Signature

Used to ensure that an electronic document is authentic (i.e. an email is actually from the person you think it is from)

A verifiable “stamp” of authenticity

Digital Signature

Requires the ability to obtain a public key from a reputable and known 3rd party

You need to be certain that the public key used for decryption actually belongs to the entity you think it belongs to

Certificate Authority
Digital Signature

1) Hashing – transform message into shorter, fixed length value that represents the original message

Highly unlikely that hashing other messages produces the same value

2) Message Digest – the output from hashing a message

3) Encrypting message digest with private key yields a digital signature
Digital Signature

Figure recreated from Kroenke (2008), Experiencing MIS, Figure CE23-2, page 587

1. Hash plaintext, creating a message digest – this is not the digital signature
2. Encrypt message digest with sender’s private key → creates digital signature
3. Combine plaintext and digital signature to create signed message and transmit both (Digital Signature + Plaintext)

VERIFY DIGITAL SIGNATURE (Digital Signature + Plaintext received)

5. Hash received plaintext message with the same hashing algorithm the sender used → gives message digest
6. Decrypt digital signature with sender’s public key → gives message digest
7. Compare the two message digests (Message Digest =? Message Digest)
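As an added example (not from the course slides or from Kroenke), the public-key encryption slides and the seven-step signature figure above carried through in Python with textbook RSA. The helper names (`make_keypair`, `encrypt`, `decrypt`, `sign`, `verify`) are assumed, the two fixed primes are a constructed toy key far too small for real use, and the digest is reduced mod n in place of the padding a real signature scheme applies.

```python
"""Toy textbook-RSA walk-through of the slides' public-key encryption and
digital-signature steps.  Added example, not course material: fixed small
primes and no padding, so it illustrates the flow only."""
import hashlib

# Constructed key material: two Mersenne primes (2^61-1, 2^89-1).  Real keys
# start from two random primes of about 1024 bits each.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537

def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as (e, n), (d, n); d is e's inverse mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def encrypt(message: int, public) -> int:
    """Anyone holding the public key can encrypt (message must be < n)."""
    e, n = public
    return pow(message, e, n)

def decrypt(ciphertext: int, private) -> int:
    """Only the holder of the paired private key recovers the message."""
    d, n = private
    return pow(ciphertext, d, n)

def message_digest(plaintext: bytes, n: int) -> int:
    """Steps 1 and 5: hash the plaintext into a fixed-length digest.  It is
    reduced mod n so the toy modulus can carry it (real schemes pad)."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % n

def sign(plaintext: bytes, private) -> int:
    """Step 2: 'encrypt' the digest with the sender's private key."""
    d, n = private
    return pow(message_digest(plaintext, n), d, n)

def verify(plaintext: bytes, signature: int, public) -> bool:
    """Steps 5-7: re-hash the received plaintext, 'decrypt' the signature
    with the sender's public key, and compare the two digests."""
    e, n = public
    return pow(signature, e, n) == message_digest(plaintext, n)

if __name__ == "__main__":
    pub, priv = make_keypair()
    sig = sign(b"Pay 100 to account 42", priv)     # constructed message
    print(verify(b"Pay 100 to account 42", sig, pub))   # True
    print(verify(b"Pay 900 to account 42", sig, pub))   # False: altered plaintext
```

A one-bit change to the plaintext changes the digest, so step 7's comparison fails; a signature made with a different private key fails the same way.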
Certificate Authority
As the trusted provider of Internet infrastructure services for
the networked world, VeriSign, Inc. provides authentication
and verification of businesses worldwide. Billions of times
each day, VeriSign helps companies and consumers all
over the world to engage in trusted communications and
commerce.
Detection and Response

Intrusion detection software – Network monitoring tools that search for patterns and anomalies in network traffic to identify possible security problems

Numerous incorrect login attempts on a computer

Unexplained shutdowns and reboots

Incoming traffic from an unidentified source

Attempted access to specific ports
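As an added example (not from the course), the first indicator in the list above turned into a small detection rule: count failed logins per source over a sliding time window and flag any source that crosses a threshold. The sshd-style log lines are constructed, `find_bruteforce` is an assumed helper name, and the threshold and window are assumed policy values.

```python
"""Minimal intrusion-detection check for one slide indicator: a burst of
failed logins from a single source.  Added example, not course material;
the sshd-style sample lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style failed-login line: timestamp, host, pid, user, source address.
LOG_RE = re.compile(r"^(\S+\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+)")

SAMPLE_LOG = """\
Mar  3 10:00:01 host1 sshd[811]: Failed password for root from 203.0.113.9 port 4011 ssh2
Mar  3 10:00:02 host1 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 4012 ssh2
Mar  3 10:00:03 host1 sshd[813]: Accepted password for dave from 192.0.2.7 port 5100 ssh2
Mar  3 10:00:04 host1 sshd[814]: Failed password for root from 203.0.113.9 port 4013 ssh2
Mar  3 10:00:05 host1 sshd[815]: Failed password for root from 203.0.113.9 port 4014 ssh2
Mar  3 10:00:06 host1 sshd[816]: Failed password for root from 203.0.113.9 port 4015 ssh2
Mar  3 10:20:00 host1 sshd[817]: Failed password for dave from 192.0.2.7 port 5101 ssh2
Mar  3 10:25:00 host1 sshd[818]: Failed password for dave from 192.0.2.7 port 5102 ssh2
"""

def find_bruteforce(log_text, threshold=5, window_s=60):
    """Return {source: time_first_flagged} for every source that produced
    `threshold` or more failed logins inside any `window_s`-second window."""
    recent = defaultdict(deque)        # source -> failure times still in window
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                   # successful or unrelated line: ignore
        # Syslog lines carry no year; an assumed one keeps strptime happy.
        ts = datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S")
        src = m.group(3)
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                # drop failures that fell out of the window
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts.strftime("%H:%M:%S")
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))   # {'203.0.113.9': '10:00:06'}
```

The two slow failures from 192.0.2.7 stay under the default threshold; loosening it to 2 failures in 10 minutes flags that source as well, which is the tuning trade-off between missed attacks and false alarms.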
Summary

What are ethical issues with respect to information technology and systems?
6 types of Information policies that are used?
Viruses
Details of 1st and 2nd Lines of Defense
People
Technology
Focus on public key encryption and digital signature