Chapter 9 Security, Privacy, and Ethical Issues in Information Systems and the Internet

Slides: 31
Provided by: jadeC6
Transcript and Presenter's Notes

1
Chapter 9: Security, Privacy, and Ethical Issues
in Information Systems and the Internet
Updated 03/22/05
2
Objectives
  • Computer waste and mistakes
  • Computer crime
  • Privacy
  • The work environment

3
What is Computer Waste?
  • Discarded technology (software and hardware)
  • Unused systems (complex systems not/under
    utilized)
  • Personal (games, Internet, emails)
  • Spam (junk email/faxes)
  • Primary reason - poor management of system

4
What are Computer Related Mistakes?
  • Computers rarely make mistakes!!!!!
  • Hardware inadequate/poorly configured
  • Software - inadequate or incorrect, errors in
    application
  • Users - not trained, data entry errors, deleting
    files, copying files over existing files
  • System administrator - formatting a disk by
    mistake, poor planning, backup and recovery
    plans, security plan

5
Preventing Computer Related Waste and Mistakes
  • Policies and Procedures

Establish
Review
Implement
Monitor
6
Useful Policies to Eliminate Waste and Mistakes
  • Someone in charge of system
  • Policies and procedures in-place and enforced
  • System security measures
  • System monitoring tools
  • Users trained
  • Periodic reviews and updates
  • Hardware
  • Software
  • Users

7
Computer Crime
8
What is Computer Crime?
  • Any unauthorized invasion of a computer system
    for the intent of causing damage. (Carpenter,
    2004)
  • Purpose: steal money, steal data, cause
    confusion, just for fun.
  • Result: go to jail!

9
Who Monitors Computer Crime?
  • Computer Emergency Team Coordination Center
    (CERT/CC) http://www.cert.org/
  • Located at Software Engineering Institute (SEI)
  • Carnegie Mellon Research Center, Pittsburgh, PA
  • Funded by federal government
  • Purpose: coordinate communication during
    computer security emergencies.
  • Additionally - study Internet security
    vulnerabilities, offer training, and provide
    recommendations.
  • Site to look at:
  • http://www.cert.org/present/cert-overview-trends/module-4.pdf

10
Number of Incidents Reported to CERT
11
Summary of Key Data from 2002 Computer Crime and
Security Survey
Source: Data from Richard Power, 2002 CSI/FBI
Computer Crime and Survey, Computer Security
Issues and Trends, vol 8, no. 1, spring 2002, p.
4.
12
The Computer as a Tool to Commit Crime
  • Social engineering: giving up your password
  • Dumpster diving: going through the garbage in an
    attempt to find relevant information
  • Identity theft: individual obtains and uses
    personal information
  • Cyberterrorism: intimidation or coercion for
    some personal or group gain

13
Computers as Objects of Crime
  • Illegal access and use
  • Hackers
  • Crackers
  • Information and equipment theft
  • Software and Internet piracy
  • Computer-related scams
  • International computer crime

14
How to Respond to a Security Incident
  • Follow policies and procedures for computer
    security incident
  • Contact responsible people ASAP
  • Inform others following Chain of Command
  • Don't talk about incident
  • Make backups of damaged/altered files
  • Designate one person to secure potential evidence
  • Make copies of intruder files (code, log file,
    etc) and store off-line
  • Secure backups and printouts: one person has
    access
  • Involve CERT if necessary or desired
  • Unsure? Seek help, ask questions

15
Data Alteration and Destruction
16
The Six Computer Incidents with the Greatest
Worldwide Economic Impact
17
Top Viruses July 2002
18
Preventing Computer-Related Crime
  • Crime prevention by state and federal agencies
  • Crime prevention by corporations
  • Public Key Infrastructure (PKI)
  • Biometrics
  • Anti-virus programs

19
Preventing Computer-Related Crime
  • Intrusion Detection Software: monitors and
    alerts network security when an intrusion is sensed.
  • Managed Security Service Providers (MSSPs):
    company that manages hardware/software for other
    companies.
  • Internet Laws for Libel and Protection of Decency

20
Preventing Crime on the Internet
  • Develop effective Internet and security policies
  • Use a stand-alone firewall with network
    monitoring capabilities
  • Monitor managers and employees
  • Use Internet security specialists to perform
    audits

21
Common Methods Used to Commit Computer Crimes
22
How to Protect Data from Hackers
  • System protection
  • Install antivirus/firewall software on all
    computers.
  • Frequently check and install latest security
    patches, which are often available at vendor's
    Internet site.
  • Logon capabilities
  • Install strong user authentication and encryption
    capabilities on your firewall.
  • Disable guest accounts and null user accounts
    that let intruders access the network without a
    password
  • Do not provide overfriendly log-in procedures for
    remote users (e.g., an organization that used the
    word "welcome" on their initial log-on screen found
    they had difficulty prosecuting a hacker).
  • System Configuration
  • Give an application (email, file transfer
    protocol, and domain name server) its own
    dedicated server.
  • Restrict physical access to the server and
    configure it so that breaking into one server
    won't compromise the whole network.
  • Turn on audit trails.
  • Conduct regular IS security audits
  • Verify and exercise frequent data backups for
    critical data.

23
Privacy
24
Privacy Issues
  • Privacy and the Federal Government
  • Privacy at work
  • E-mail privacy
  • Privacy and the Internet

25
The Right to Know and the Ability to Decide
26
Federal Privacy Laws and Provisions
27
The Work Environment
28
Health Concerns
  • Potential problems
  • Repetitive motion disorder/Repetitive stress
    injury (RSI)
  • Carpal tunnel syndrome (CTS)
  • Ergonomics
  • What to do
  • Maintain good posture and positioning.
  • Do not ignore pain or discomfort.
  • Use stretching and strengthening exercises.
  • Find a good physician who is familiar with RSI
    and how to treat it.
  • After treatment, start back slowly and pace
    yourself.

29
Medical Topics on the Internet
30
Summary
  • Computer waste - the inappropriate use of
    computer technology and resources in both the
    public and private sectors
  • Identity theft - a crime in which an imposter
    obtains key pieces of personal identification
    information in order to impersonate someone else
  • Software and Internet piracy - represent the most
    common computer crime