Chapter Four
Ethics and Information Security – MIS
Business Concerns
Copyright © McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
CHAPTER FOUR OVERVIEW
SECTION 4.1 – Ethics
• Information Ethics
• Developing Information Management Policies
SECTION 4.2 – Information Security
• Protecting Intellectual Assets
• The First Line of Defense - People
• The Second Line of Defense - Technology
SECTION 4.1
ETHICS
SECTION 4.1 LEARNING OUTCOMES
1. Explain the ethical issues that arise in the information age
2. Identify the six epolicies an organization should implement to protect itself
INFORMATION ETHICS (1)
Ethics – The principles and standards that guide our behavior toward other people
Information ethics – Govern the ethical and moral issues arising from the development and use of information technologies, as well as the creation, collection, duplication, distribution, and processing of information itself
INFORMATION ETHICS (2)
Business issues related to information ethics
• Intellectual property
• Copyright
• Pirated software
• Counterfeit software
• Digital rights management
Intellectual property – Intangible creative work that is embodied in physical form
https://ethicsunwrapped.utexas.edu/case-study/digitaldownloads
Copyright – The legal protection afforded an expression of an idea, such as a song, video game, and some types of proprietary documents
Fair use doctrine – In certain situations, it is legal to use copyrighted material
Pirated software – The unauthorized use, duplication, distribution, or sale of copyrighted software
Counterfeit software – Software that is manufactured to look like the real thing and sold as such
Digital rights management – A technological solution that allows publishers to control their digital media to discourage, limit, or
NAPSTER CASE: Digital Downloads
Copyright laws exist to protect authors’ and publishers’ rights, but also to balance that protection with access and innovation. In 1999, two teenagers created the file-sharing program Napster. Within its first year, the service surpassed 20 million users. Many Napster users shared music files with each other, but without any compensation to the artists and producers who made the music, sparking a series of legal battles over copyright and distribution. In 2001, an appellate panel upheld a previous ruling that Napster violated copyright laws, stating that, “Repeated and exploitative unauthorized copies of copyrighted works were made to save the expense of purchasing authorized copies.”
NAPSTER CASE:
Artists were divided on the benefits and harms of Napster. Over 70 artists formed “Artists Against Piracy” in coalition with major record companies to combat the piracy occurring on Napster and other peer-to-peer internet services. In contrast, some established artists such as Neil Young saw piracy as the “new radio” and applauded the potential to reach larger audiences and drive additional sales through increased popularity. Seeing both the benefits and detriments of piracy, singer Norah Jones stated, “If people hear it I’m happy…it’s great that young people who don’t have a lot of money can listen to music and be exposed to new things… But I also understand it’s not ideal for the record industry, and a lot of young artists who won’t make any [money] off their album sales, but at least they can tour.”
Although court rulings forced Napster to terminate its file-sharing business, Napster’s innovations stimulated payment-based services, such as iTunes, Pandora, and many others. But the availability of such services has not put an end to the debate surrounding artist compensation with digital music, as seen with Taylor Swift’s open letter to Apple in 2015. Swift’s albums, along with the music of many other artists, were going to be streamed at no cost to new Apple Music customers over the first three months of service without any compensation to the artists. In her open letter, Swift stated, “I’m not sure you know that Apple Music will not be paying writers, producers, or artists for those three months. I find it to be shocking, disappointing, and completely unlike this historically progressive and generous company.” Within a few hours, Apple responded by changing the terms of its agreement in order to compensate artists at a reduced rate.
1. Artists generally agree that piracy causes financial harm, but some artists recognize that piracy creates exposure for the artist and access for the listener. Do you think the benefits of piracy outweigh the harms done? Why or why not?
2. Along with other file-sharing services, Napster helped to stimulate payment-based services such as iTunes, Pandora, and many others. Do you think this positive outcome justifies Napster’s illegal activities? Why or why not?
3. If Apple had not agreed to compensate artists in response to Swift’s open letter, do you think it would be ethically questionable to subscribe to their service? Are you, as a consumer, more likely to subscribe as a result of Apple’s response? Why or why not?
INFORMATION ETHICS (3)
Privacy is a major ethical issue
• Privacy – The right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent
• Confidentiality – The assurance that messages and information are available only to those who are authorized to view them
INFORMATION ETHICS (4)
Individuals form the only ethical component of MIS
• Individuals copy, use, and distribute software
• Individuals search organizational databases for sensitive and personal information
• Individuals create and spread viruses
• Individuals hack into computer systems to steal information
• Employees destroy and steal information
What is Technology Ethics?
Technology ethics is the application of ethical thinking to the practical concerns of technology. The reason technology ethics is growing in prominence is that new technologies give us more power to act, which means that we have to make choices we didn't have to make before.
Student Tracking Software
Universities are increasingly using predictive analytics to—essentially—stalk a candidate. Some college websites use software that reveals the name, age, ethnicity, address and contact information of a candidate, as well as which specific college sub-pages he/she visited and how long was spent on each web page. The college then uses these factors to determine an “affinity score” that decides how likely a candidate is to accept an offer from the college. But, Baron says, when colleges assign scores to students based on income and interest, it strips applications of much of their context and it also discriminates against low-income students or those without dedicated Internet access. The analytics have the potential to harm a prospective student’s college admission based on an algorithm that assumes ideal candidates.
ClassDojo and Classroom Surveillance
ClassDojo is a popular online tool that, through recording in the classroom, scores children on their behavior, and then shares that with the class, as well as parents. The system’s company says it is meant to foster positive behavior in the classroom, but pundits raise more than a few concerns, including: 1) can the information be hacked; 2) how is good behavior quantified/defined?; and 3) does it promote anxiety/shame among students?
INFORMATION ETHICS (5)
Acting ethically and legally are not always the same
INFORMATION DOES NOT HAVE ETHICS, PEOPLE DO
Information does not care how it is used; it will not stop itself from sending spam, viruses, or highly sensitive information
Tools to prevent information misuse
• Information management
• Information governance
• Information compliance
• Information secrecy
• Information property
DEVELOPING INFORMATION MANAGEMENT POLICIES
Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement
ETHICAL COMPUTER USE POLICY
Ethical computer use policy – Contains general principles to guide computer user behavior
The ethical computer use policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules
INFORMATION PRIVACY POLICY
The unethical use of information typically occurs “unintentionally” when it is used for new purposes
Information privacy policy – Contains general principles regarding information privacy
ACCEPTABLE USE POLICY
Acceptable use policy (AUP) – Requires a user to agree to follow it to be provided access to corporate email, information systems, and the Internet
Nonrepudiation – A contractual stipulation to ensure that ebusiness participants do not deny their online actions
Internet use policy – Contains general principles to guide the proper use of the Internet
EMAIL PRIVACY POLICY (1)
Organizations can mitigate the risks of email and instant messaging communication tools by implementing and adhering to an email privacy policy
Email privacy policy – Details the extent to which email messages may be read by others
EMAIL PRIVACY POLICY (2)
EMAIL PRIVACY POLICY (3)
Spam – Unsolicited email
Anti-spam policy – Simply states that email users will not send unsolicited emails (or spam)
SOCIAL MEDIA POLICY
Social media policy – Outlines the corporate guidelines or principles governing employee online communications
WORKPLACE MONITORING POLICY (1)
Workplace monitoring is a concern for many employees
Organizations can be held financially responsible for their employees’ actions
The dilemma surrounding employee monitoring in the workplace is that an organization places itself at risk if it fails to monitor its employees; however, some people feel that monitoring employees is unethical
WORKPLACE MONITORING POLICY (2)
Information technology monitoring – Tracks people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed
Employee monitoring policy – Explicitly states how, when, and where the company monitors its employees
Monitoring Employee Email: Efficient Workplaces vs. Employee Privacy
Does a company have the right to monitor employee email?
Does a company have the right to monitor personal email used on a corporate device or corporate network?
WORKPLACE MONITORING POLICY (3)
Common monitoring technologies include:
• Key logger or key trapper software
• Hardware key logger
• Cookie
• Adware
• Spyware
• Web log
• Clickstream
Key logger, or key trapper software – A program that, when installed on a computer, records every keystroke and mouse click
Hardware key logger – A hardware device that captures keystrokes on their journey from the keyboard to the motherboard
Cookie – A small file deposited on a hard drive by a website containing information about customers and their Web activities. Cookies allow websites to record the comings and goings of customers, usually without their knowledge or consent
Adware – Software that generates ads and installs itself on a computer when a person downloads some other program from the Internet
Spyware (sneakware or stealthware) – Software that comes hidden in free downloadable software and tracks online movements, mines the information stored on a computer, or uses a computer’s CPU and storage for some task the user knows nothing about
Web log – Consists of one line of information for every visitor to a website and is usually stored on a Web server
Clickstream – Records information about a customer during a Web surfing session such as what websites were visited, how long the visit was, what ads were viewed, and what was purchased
SECTION 4.2
INFORMATION SECURITY
SECTION 4.2 LEARNING OUTCOMES
3. Describe the relationships and differences between hackers and viruses
4. Describe the relationship between information security policies and an information security plan
5. Provide an example of each of the three primary security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response
https://www.youtube.com/watch?v=_GzE99AmAQU&t=172s
PROTECTING INTELLECTUAL ASSETS (1)
Organizational information is intellectual capital – it must be protected
https://www.aclu.org/ordering-pizza
Information security – The protection of information from accidental or intentional misuse by persons inside or outside an organization
Downtime – Refers to a period of time when a system is unavailable
Do you agree that information requires protection?
What happens if all sales information for a business falls into the hands of its customers?
What happens if all employee pay rates and bonus information are distributed to all employees?
What happens if customer credit card numbers are posted to a website for anyone to view?
These are a few of the reasons why it is critical that information be highly protected
PROTECTING INTELLECTUAL ASSETS (2)
Sources of Unplanned Downtime
PROTECTING INTELLECTUAL ASSETS (3)
How Much Will Downtime Cost Your Business?
SECURITY THREATS CAUSED BY HACKERS AND VIRUSES (1)
Hacker – An expert in technology who uses their knowledge to break into computers and computer networks, either for profit or just motivated by the challenge
• Black-hat hacker
• Cracker
• Cyberterrorist
• Hacktivist
• Script kiddies or script bunnies
• White-hat hacker
White-hat hackers—work at the request of the system owners to find system vulnerabilities and plug the holes
Black-hat hackers—break into other people’s computer systems and may just look around or may steal and destroy information
Hacktivists—have philosophical and political reasons for breaking into systems and will often deface the website as a protest
Script kiddies or script bunnies—find hacking code on the Internet and point-and-click their way into systems to cause damage or spread viruses
Cracker—a hacker with criminal intent
Cyberterrorists—seek to cause harm to people or to destroy critical systems or information and use the Internet as a weapon of mass destruction
SECURITY THREATS CAUSED BY HACKERS AND VIRUSES (2)
Virus – Software written with malicious intent to cause annoyance or damage
• Worm
• Malware
• Adware
• Spyware
• Ransomware
• Scareware
Worm—a type of virus that spreads itself, not only from file to file, but also from computer to computer.
The primary difference between a virus and a worm is that a virus must attach to something, such as an executable file, in order to spread. Worms do not need to attach to anything to spread and can tunnel themselves into computers.
Malware—software that is intended to damage or disable computers and computer systems
Adware—software that, although purporting to serve some useful function and often fulfilling that function, also allows Internet advertisers to display advertisements without the consent of the computer user.
Spyware—a special class of adware that collects data about the user and transmits it over the Internet without the user’s knowledge or permission.
Ransomware—a form of malicious software that infects your computer and asks for money.
Scareware—a type of malware designed to trick victims into giving up personal information to purchase or download useless and potentially dangerous software.
SECURITY THREATS CAUSED BY HACKERS AND VIRUSES (3)
Virus – Software written with malicious intent to cause annoyance or damage
• Backdoor program
• Denial-of-service attack (DoS)
• Distributed denial-of-service attack (DDoS)
• Polymorphic virus
• Trojan-horse virus
• Worm
Denial-of-service attack (DoS)—floods a website with so many requests for service that it slows down or crashes the site
Distributed denial-of-service attack (DDoS)—attacks from multiple computers that flood a website with so many requests for service that it slows down or crashes. A common type is the Ping of Death, in which thousands of computers try to access a website at the same time, overloading it and shutting it down.
Trojan-horse virus—hides inside other software, usually as an attachment or a downloadable file
Backdoor programs—viruses that open a way into the network for future attacks
Polymorphic viruses and worms—change their form as they propagate
SECURITY THREATS CAUSED BY HACKERS AND VIRUSES (4)
How Computer Viruses Spread
SECURITY THREATS CAUSED BY HACKERS AND VIRUSES (5)
Security threats to ebusiness include
• Elevation of privilege
• Hoaxes
• Malicious code
• Packet tampering
• Sniffer
• Spoofing
• Splogs
• Spyware
Elevation of privilege is a process by which a user misleads a system into granting unauthorized rights, usually for the purpose of compromising or destroying the system. For example, an attacker might log on to a network by using a guest account, and then exploit a weakness in the software that lets the attacker change the guest privileges to administrative privileges.
Hoaxes attack computer systems by transmitting a virus hoax, with a real virus attached. By masking the attack in a seemingly legitimate message, unsuspecting users more readily distribute the message and send the attack on to their co-workers and friends, infecting many users along the way.
Malicious code includes a variety of threats such as viruses, worms, and Trojan horses
Spoofing is the forging of the return address on an email so that the email message appears to come from someone other than the actual sender. This is not a virus but rather a way by which
Spyware is software that comes hidden in free downloadable software and tracks online movements, mines the information stored on a computer, or uses a computer’s CPU and storage for some task the user knows nothing about. According to the National Cyber Security Alliance, 91 percent of those studied had spyware on their computers that can cause extremely slow performance, excessive pop-up ads, or hijacked home pages.
A sniffer is a program or device that can monitor data traveling over a network. Sniffers can show all the data being transmitted over a network, including passwords and sensitive information. Sniffers tend to be a favorite weapon in the hacker’s arsenal.
Packet tampering consists of altering the contents of packets as they travel over the Internet or altering data on computer disks after penetrating a network. For example, an attacker might place a tap on a network line to intercept packets as they leave the computer. The attacker could eavesdrop on or alter the information as it leaves the network.
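Spoofing, as defined above, forges the visible sender so a message appears to come from someone other than the actual sender. The following Python check is an added example and not part of the textbook material: it compares the visible From: domain with the envelope sender (Return-Path) and flags display names that impersonate an address from another domain. The messages and domains (corp.example.com, mailer.example.net, evil.example) are constructed placeholders.

```python
import email
from email.utils import parseaddr

# Constructed sample messages for this example (not real mail traffic).
# In SPOOFED_MSG the visible From: claims the corporate payroll address,
# while the envelope sender (where bounces go) belongs to another domain.
SPOOFED_MSG = b"""Return-Path: <bounce@mailer.example.net>
From: "Payroll Department" <payroll@corp.example.com>
To: employee@corp.example.com
Subject: Updated direct deposit form

Please open the attached form.
"""

CLEAN_MSG = b"""Return-Path: <payroll@corp.example.com>
From: "Payroll Department" <payroll@corp.example.com>
To: employee@corp.example.com
Subject: Updated direct deposit form

Please open the attached form.
"""


def _domain(header_value: str) -> str:
    """Lower-cased domain of the address in a header value ('' if none)."""
    _name, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def header_mismatch(raw: bytes) -> dict:
    """Compare the visible From: header with the envelope sender (Return-Path).

    A mismatch is a heuristic signal, not proof of forgery: mailing lists and
    bulk senders legitimately bounce to another address, so use it to trigger
    SPF/DKIM/DMARC evaluation or a closer look rather than as a verdict.
    """
    msg = email.message_from_bytes(raw)
    from_domain = _domain(msg.get("From", ""))
    return_path_domain = _domain(msg.get("Return-Path", ""))
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "mismatch": bool(from_domain) and from_domain != return_path_domain,
    }


def display_name_spoof(from_header: str) -> bool:
    """Flag a display name that itself looks like an address from another
    domain, e.g. "ceo@corp.example.com" <x@evil.example>; many mail clients
    show only the quoted name, so the reader never sees the real address."""
    name, address = parseaddr(from_header)
    if "@" not in name:
        return False
    shown_domain = name.rpartition("@")[2].strip(' "<>').lower()
    return shown_domain != address.rpartition("@")[2].lower()


def triage(raw: bytes) -> list:
    """Return the list of spoofing indicators found in one message."""
    msg = email.message_from_bytes(raw)
    findings = []
    if header_mismatch(raw)["mismatch"]:
        findings.append("from/return-path domain mismatch")
    if display_name_spoof(msg.get("From", "")):
        findings.append("display name impersonates another address")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_MSG), ("clean", CLEAN_MSG)):
        print(label, triage(sample))
```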
Can you research the Internet to find the latest version of the CSI/FBI Computer Crime and Security Survey to find the newest information on computer crime and security breaches?
Review LIU school’s information security plan and policies. Have them answer the following questions:
• What did the plan address that your students found surprising?
• What is the plan missing or failing to address?
• What policies were missing or not addressed appropriately?
• What policies should be added to the plan?
• How frequently should the plan be updated?
• Who should be responsible for updating the plan?
• Who should be asked for sign-off on the plan?
• How should the plan be communicated with all students and staff?
THE FIRST LINE OF DEFENSE – PEOPLE
Organizations must enable employees, customers, and partners to access information electronically
The biggest issue surrounding information security is not a technical issue, but a people issue
• Insiders
• Social engineering
• Dumpster diving
• Pretexting
THE SECOND LINE OF DEFENSE – TECHNOLOGY
There are three primary information technology security areas
AUTHENTICATION AND AUTHORIZATION (1)
Identity theft – The forging of someone’s identity for the purpose of fraud
• Phishing
• Pharming
• Sock puppet marketing
• Astroturfing
Phishing – A technique to gain personal information for the purpose of identity theft, usually by means of fraudulent email
Pharming – Reroutes requests for legitimate websites to false websites
Sock puppet marketing – The use of a false identity to artificially stimulate demand for a product, brand, or service. A false identity on the Internet is known colloquially as a sock puppet or catfish, depending upon the level of detail attached to the false identity. Typically, a sock puppet has very little (if any) detail attached to it and may simply be a fictional name attached to a new Google or Yahoo email account.
Astroturfing – The practice of artificially stimulating online conversation and positive reviews about a product, service, or brand. Sock puppets can be created quickly and are frequently used on social media websites that rely on customer reviews
AUTHENTICATION AND AUTHORIZATION (2)
Authentication – A method for confirming users’ identities
Authorization – The process of giving someone permission to do or have something
The most secure type of authentication involves
1. Something the user knows
2. Something the user has
3. Something that is part of the user
SOMETHING THE USER KNOWS, SUCH AS A USER ID AND PASSWORD (1)
This is the most common way to identify individual users and typically contains a user ID and a password
This is also the most ineffective form of authentication
Over 50 percent of help-desk calls are password related
SOMETHING THE USER KNOWS SUCH AS A USER ID AND PASSWORD (2)
Smart cards and tokens are more effective than a user ID and a password
• Tokens – Small electronic devices that change user passwords automatically
• Smart card – A device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
SOMETHING THAT IS PART OF THE USER SUCH AS A FINGERPRINT OR VOICE SIGNATURE
This is by far the best and most effective way to manage authentication
Biometrics – The identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting
Unfortunately, this method can be costly and intrusive
PREVENTION AND RESISTANCE (1)
Prevention and resistance technologies stop intruders from accessing and reading data
Privilege escalation – A network intrusion attack that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications
• Vertical privilege escalation
• Horizontal privilege escalation
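An added example, not from the slides, of what the two kinds of privilege escalation look like in application code and the server-side checks that close them: an unchecked read lets one user fetch another user's record (horizontal), and an unchecked admin action lets an ordinary user perform it (vertical). The invoices, users and roles are constructed, and the function names are this example's own.

```python
# Constructed data (not from the slides): two ordinary users and one admin
INVOICES = {101: {"owner": "alice", "total": 40.0},
            102: {"owner": "bob", "total": 99.0}}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""

def get_invoice_unchecked(caller: str, invoice_id: int) -> dict:
    # Defect: only the id is checked, so alice can read bob's invoice.
    # This is the horizontal case: same privilege level, another user's data.
    return INVOICES[invoice_id]

def void_invoice_unchecked(caller: str, invoice_id: int) -> dict:
    # Defect: no role check, so any logged-in user can run an admin-only action.
    # This is the vertical case: a higher privilege level than the caller holds.
    return {**INVOICES[invoice_id], "total": 0.0}

def get_invoice(caller: str, invoice_id: int) -> dict:
    inv = INVOICES.get(invoice_id)
    # Object-level check: the record must belong to the caller (admins may read all)
    if inv is None or (inv["owner"] != caller and ROLES.get(caller) != "admin"):
        raise Forbidden(f"{caller} may not read invoice {invoice_id}")
    return inv

def void_invoice(caller: str, invoice_id: int) -> dict:
    # Function-level check against the server-side role, never a client-supplied flag
    if ROLES.get(caller) != "admin":
        raise Forbidden(f"{caller} may not void invoices")
    return {**get_invoice(caller, invoice_id), "total": 0.0}

def is_allowed(action, caller: str, invoice_id: int) -> bool:
    """True if action(caller, invoice_id) succeeds, False if it is refused."""
    try:
        action(caller, invoice_id)
        return True
    except Forbidden:
        return False
```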
PREVENTION AND RESISTANCE (2)
Downtime can cost an organization anywhere from $100 to $1 million per hour
Technologies available to help prevent and build resistance to attacks include
1. Content filtering
2. Encryption
3. Firewalls
PREVENTION AND RESISTANCE (3)
Spam – A form of unsolicited email
Content filtering – Prevents emails containing sensitive information from transmitting and stops spam and viruses from spreading
PREVENTION AND RESISTANCE (4)
Personally identifiable information (PII) – Any data that could potentially identify a specific individual
• Sensitive PII
• Nonsensitive PII
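An added example, not from the textbook, of the outbound side of content filtering described on the previous slides: it scans an email for sensitive PII (a Social Security number pattern and card numbers that pass the Luhn check, so that order numbers are not mistaken for cards) and blocks the message unless it is encrypted. The sample message and the function names are constructed for this example.

```python
import re

# Sensitive PII patterns: US Social Security number, and 13-16 digit runs that may be card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_sensitive_pii(text: str) -> list:
    """Return labelled hits; card numbers are masked so the filter log does not leak them."""
    hits = [f"ssn:{m.group()}" for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(f"card:{digits[:6]}...{digits[-4:]}")
    return hits

def filter_outbound(message: dict):
    """Content-filter decision for one outbound email: ('allow' or 'block', hits)."""
    hits = find_sensitive_pii(message["subject"] + "\n" + message["body"])
    if hits and not message.get("encrypted", False):
        return "block", hits
    return "allow", hits

# Constructed message (not a real customer record); the card number is a test number
SAMPLE_MESSAGE = {
    "subject": "Order 1234567890123 follow-up",
    "body": "Customer SSN 123-45-6789, card 4111 1111 1111 1111 on file.",
    "encrypted": False,
}
```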
PREVENTION AND RESISTANCE (7)
One of the most common defenses for preventing a security breach is a firewall
• Firewall – Hardware and/or software that guards a private network by analyzing the information leaving and entering the network
PREVENTION AND RESISTANCE (8)
Figure: Sample firewall architecture connecting systems located in Chicago, New York, and Boston
DETECTION AND RESPONSE
If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage
Intrusion detection software – Features full-time monitoring tools that search for patterns in network traffic to identify intruders
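An added example, not from the slides, of the kind of pattern search an intrusion detection tool performs: over a constructed set of connection records it flags a source that probes many distinct ports on one host within a short window, the classic port-scan pattern. The record format, threshold and function names are this example's own assumptions.

```python
from collections import defaultdict

# Constructed connection records: "epoch src dst dport flags" (not real traffic)
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.168.1.10 22 S
1700000001 10.0.0.5 192.168.1.10 23 S
1700000001 10.0.0.5 192.168.1.10 25 S
1700000002 10.0.0.5 192.168.1.10 80 S
1700000002 10.0.0.5 192.168.1.10 443 S
1700000003 10.0.0.5 192.168.1.10 3389 S
1700000010 10.0.0.7 192.168.1.10 443 S
1700000011 10.0.0.7 192.168.1.10 443 S
"""

def parse(log: str):
    """Yield (timestamp, src, dst, dport, flags) for each record line."""
    for line in log.splitlines():
        ts, src, dst, dport, flags = line.split()
        yield int(ts), src, dst, int(dport), flags

def detect_port_scans(log: str, window: int = 10, threshold: int = 5) -> list:
    """Alert on any source touching >= threshold distinct ports on one host within window seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in parse(log):
        by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        # Slide a window from each event; one alert per (src, dst) pair is enough
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports)})
                break
    return alerts
```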
LEARNING OUTCOME REVIEW
• Now that you have finished the chapter please review the learning outcomes in your text
Question 1
Class Exercise for Information Security
2/24/2022
There are various security threats listed in the textbook chapter 4 and on the PowerPoint slides. Please read the PowerPoint slides from 39-49 (chapter 4) to generate ideas about the cyber threats.
TASK 1:
To learn about information security and protection, students search the internet for “Cyber Crime Examples in the year 2020-2021”, read those examples and discussions, and list at least 5 cyber crimes that took place in the year 2020-21.
Question 2
Read slides 56-59 in Chapter 4. Can you demonstrate an example that ensures user authentication and authorization?
Question 3
Read slides 62-65 (ch. 4) and demonstrate two examples (any software name) of prevention and resistance.