CNS3113 - Ethics for IT Workers
56 Questions

Questions and Answers

What term describes the act of making illegal copies of software?

  • Software licensing
  • Software piracy (correct)
  • Software modification
  • Software engineering

What is a critical ethical issue that arises when a company recommends its own products to clients?

  • Software piracy
  • Whistle-blowing
  • Negligence
  • Conflict of interest (correct)

Which organization aims to combat unauthorized software copying?

  • Business Ethics Alliance
  • International Software Federation
  • Global IT Standards Association
  • Business Software Alliance (correct)

    What is a trade secret?

    Confidential business information

    What type of act is whistle-blowing associated with?

    Attracting attention to unethical actions

    In a client-IT worker relationship, what does the client typically provide?

    Compensation and access to resources

    What can misrepresentation during a project lead to?

    Charges of fraud or breach of contract

    Which of the following describes the relationship between IT workers and their clients?

    The relationship is usually documented contractually.

    What is a primary duty of IT workers in relation to users?

    To understand users' needs and capabilities

    Which of the following elements is typically included in professional codes of ethics?

    Aspirations of the organization

    How can following a professional code of ethics benefit society?

    By providing significant benefits and avoiding harm

    What must IT workers establish to support ethical behavior?

    An environment discouraging software piracy

    What expectation does society have of professional IT workers?

    To provide significant benefits without causing harm

    Which of the following is considered a form of cybercrime under UAE law?

    Hacking to IT systems

    What percentage of electronic harassment cases in the Middle East involves teenagers being cautious about their social networks?

    24%

    Which of the following actions does NOT correlate with UAE Cybercrime Law?

    Regulating social media platforms

    Which of these acts does the UAE Cyber Law classify as a serious offense?

    Defamation

    What is one of the primary aims of the My Safe Society App in the UAE?

    To report cybercrime incidents

    Which cybercrime is categorized by wrongful impersonation according to UAE laws?

    Identity theft

    What does Federal Law no.(4) of 2002 specifically address within the UAE laws?

    Criminalizing Money Laundering

    Which form of cybercrime is described by publishing illegal content?

    Sharing false information

    What must the IT team do if a company is a victim of a cybercrime?

    Cooperate with police to gather evidence.

    Why might Public Prosecution not pursue cases involving automatic money transfers outside the UAE?

    They lack sufficient evidence and interest.

    What is essential for investigating offenders outside the UAE?

    Judicial cooperation agreements for extradition.

    What is a significant challenge when identifying an offender in a cybercrime case?

    Not knowing the offender complicates identification.

    What must be adapted when gathering evidence for cybercrime cases?

    Thresholds of evidence must be less stringent.

    In cases of cybercrimes involving multiple victims, what aspect may complicate legal proceedings?

    Complications arise from jurisdictional issues.

    What legal action is necessary for the extradition of offenders outside the UAE?

    International agreements regulating extradition.

    Which element of a cybercrime must be proven to assist in the investigation?

    Validity of the evidence presented.

    What is the key purpose of implementing a SETA program in an organization?

    To enhance security and build in-depth knowledge for users

    Which of the following represents a significant component of professional malpractice in IT?

    Failure to exercise duty of care

    What is the primary benefit of security awareness programs?

    Improving organizational attitudes towards security

    Which of the following is NOT a typical job title associated with information security programs?

    Human Resources Manager

    What does the term 'duty of care' refer to in the context of IT malpractice?

    The responsibility to protect users against unreasonable risk

    Which of the following is a measure to promote ethical use of IT resources?

    Defining appropriate use policies for IT

    What aspect should NOT be included in training methodologies according to best practices?

    Use highly technical jargon for clarity

    Which of these practices is essential for creating an effective security awareness program?

    Regularly updating awareness techniques

    What challenge is faced when conducting security training for employees?

    Modifying employee behavior that risks security

    Which statement best describes the role of management in security training and awareness?

    Management's good example can reinforce training initiatives

    What is one common ethical issue among IT users?

    Inappropriate sharing of confidential information

    How does the 'reasonable person standard' relate to negligence in IT?

    It sets a bar for determining what a typical layperson should do

    What is an effective method for customizing security training?

    Tailoring training based on functional background and skill level

    What is the primary purpose of malicious acts in computer crimes?

    To steal important business information

    Which factor contributes to the increasing vulnerability of information technology security?

    Increasing complexity of computing environments

    What is a common characteristic of spam emails?

    Unsolicited and numerous

    Which type of attack often involves a hacker controlling numerous computers to overwhelm a target site?

    Distributed denial of service attack

    What is the primary goal of hacktivism?

    Achieving a political or social goal

    Why are computer crimes often difficult to prosecute?

    Prosecutors lack understanding of digital crimes

    What distinguishes crackers from hackers?

    Crackers engage in criminal activities intentionally

    What is one major risk associated with cloud computing?

    Increased complexity and vulnerabilities

    How can phishing attacks be categorized?

    Via emails, texts, and voice messages

    What aspect makes rootkits particularly challenging to detect?

    The operating system cannot be trusted

    What do zero-day attacks exploit?

    Vulnerabilities before they are known or patched

    Which type of attacker is primarily motivated by financial gain?

    Cyber criminals

    What issue arises from users sharing login IDs and passwords?

    Increased susceptibility to unauthorized access

    What is a known vulnerability associated with commercial software?

    Poor system design and implementation

    Study Notes

    Course Information

    • Course title: CNS3113 - CLO4: Ethics for IT workers, SETA programs, Computer Crimes
    • Instructor: Dr. Dimitrios Xanthidis, DBA
    • Institution: Higher Colleges of Technology

    Learning Outcomes (Ethics for IT Workers)

    • Identify and explain relationships IT workers manage, and associated ethical issues
    • Describe actions to encourage IT worker professionalism
    • Identify and explain ethical issues faced by IT users
    • Suggest ways to encourage ethical behaviors by IT users

    IT Professionals

    • Profession requires specialized knowledge and extensive academic preparation
    • Professionals require advanced training and experience
    • Must exercise discretion and judgment in their work
    • Work cannot be standardized
    • Contribute to society, participate in continuous training, and assist other professionals
    • Carry special rights and responsibilities
    • Partial list of IT specialists includes programmers, systems analysts, software engineers, database administrators, LAN administrators, and CIOs
    • IT workers are not legally defined as professionals, are not licensed by state or federal government, and are not liable for malpractice

    Professional Relationships

    • Relationships are managed between employers, clients, suppliers, other professionals, and IT users
    • Relationships are often agreed upon (e.g., dress code, work hours, performance expectations)
    • Other aspects are defined by company policy and procedures
    • Some relationship aspects develop over time
    • IT workers set examples and enforce policies regarding ethical use of IT

    Areas of IT Worker Law/Policy Violations

    • Software piracy: illegally copying software or enabling others to access software they are not entitled to use
    • The Business Software Alliance (BSA) is a trade group focused on stopping unauthorized software copying
    • Thousands of cases are prosecuted annually
    • Trade secrets, company information
    • Company actions to keep confidential information confidential
    • Some degree of uniqueness or novelty in information

    Relationships Between IT Workers and Clients

    • Worker provides hardware, software, or services at a specific cost and time frame
    • Client provides compensation, access to key contacts, and work space
    • Relationship usually documented contractually; clients rely on the worker's information and recommendations and trust the worker to act in the client's best interests
    • Conflict of interest: Workers potentially recommending own products/services
    • Problems may arise due to inability of workers to provide comprehensive project status reports

    Problems Between IT Workers and Clients

    • Problems arise when workers cannot provide full and accurate project status reports
    • May lead to finger pointing and heated discussions
    • Fraud: obtaining goods, services, or property through deception or trickery
    • Misrepresentation, incomplete statement of material fact – leads to contract cancellation or reimbursement
    • Breach of contract: failure to meet contract terms, leading to party cancellation/compensation or discharge of performance
    • IT projects are collaborations, so it may be difficult to assign blame when difficulties arise

    Relationships Between IT Workers and Suppliers

    • Develop good relationships to encourage flow of useful information and ideas effectively
    • Deal fairly with suppliers, and avoid unreasonable demands
    • Be wary of ethical abuses like bribery
    • A distinction between acceptable gifts and bribes can be based on the method of offering, secrecy, morality, and whether a favor is expected

    Relationships Between IT Workers and Other Professionals

    • Professionals feel loyalty to other members of their profession
    • Professionals owe each other an obligation to follow their profession's code of conduct
    • Ethical problems frequently occur, e.g., résumé inflation

    Relationships Between IT Workers and Users/Society

    • IT user is any person using hardware or software
    • IT workers' duties are to understand users' needs and capabilities; provide products and services accordingly
    • Establish environment that supports ethical behaviour, discourage software piracy, minimize inappropriate use of company resources, and avoid inappropriate sharing of information
    • Society expects benefits from members of professions; they should not cause harm through their actions
    • Professional organizations provide codes of ethics for action guidelines

    Professional Codes of Ethics

    • State principles and core values essential to the work of an occupational group
    • Codes usually outline aspirational goals, expectations for members, and requirements for continuing education
    • Ethical practices often engender professional and societal benefits

    IT Professional Malpractice

    • Negligence: failure to act as a reasonable person would; or acting in a way a reasonable person would not
    • Duty of care, obligation to protect people from unreasonable harm
    • Reasonable person standard, reasonable professional standard
    • Professionals liable for damages caused by their negligence
    • Ethical use of IT increasingly important due to increased access to personal computers, corporate systems, and the internet

    Supporting Ethical Practices of IT

    • Policies protect against abuses by setting forth general rights, acceptable behaviors, and enabling management to punish violations
    • Policy components include guidelines for use of company software, defining appropriate use of IT resources, structuring info systems, and installing/maintaining a corporate firewall

    Common Ethical Issues for IT Users

    • Software piracy
    • Inappropriate use of computing resources
    • Low productivity and wasted time
    • Possible lawsuits
    • Inappropriate sharing of information, including:
      • Private data (employees and customers)
      • Confidential information (company and operations)

    CNS3113 - SETA: Learning Outcomes

    • Explain organizational approaches to information security
    • Identify and describe functional components of the information security program
    • Determine how to plan and staff organizational information security programs (size-based)
    • Evaluate internal and external factors affecting information security programs
    • List and describe typical IT security job titles and functions
    • Describe components of security education, training, and awareness programs
    • Explain how organizations create and manage security programs

    Components of SETA

    • The details of information security needs vary based on organization/business culture, size, and budget
    • Determining the level at which the information security program operates requires knowledge of the organization's strategic plans/vision statements. CIOs/CISOs use these statements to develop program mission statements designed to reduce accidental security breaches
    • Employee behavior and accountability improvement are two benefits of awareness, training, and education programs

    Purpose and Framework of SETA

    • Building in-depth, needed knowledge to design, implement, or operate security programs for organizations and systems
    • Developing skills to better use IT systems while more securely performing job duties
    • Improve awareness of need to protect system resources

    Security Training

    • Detailed information and hands-on instruction providing skills to users for secure performance of duties
    • Methods for customizing training (e.g., general, managerial, technical users; beginner, intermediate, advanced skill levels)
    • Employee training utilizing local training programs, continuing education departments, external training agencies, professional trainers, and in-house training

    Security Awareness

    • Security awareness programs are one of the least frequently implemented, yet most effective methods.
    • Programs utilize methods to adjust organizational attitudes and realize the importance of security practices
    • SETA (Security Education, Training, and Awareness) best practices: focus on people, avoid technical jargon, utilize available venues, define objectives clearly, keep it easy to understand, and be timely

    Commandments of InfoSec Awareness Training

    • Information security is a user/people issue, not a technical one; use language users understand
    • Make points identifiable; avoid jargon
    • Maintain humor and conclude points clearly
    • Let recipients know how actions will affect them
    • Formalize methodology
    • Be timely, even if it means adjusting schedules

    Employee Behavior, Awareness, and Accountability

    • Security awareness and training modify employee behavior that endangers organizational information
    • Effective programs make employees accountable for their actions.
    • Dissemination and enforcement of policy is supported by training, and demonstrating due care prevents lawsuits

    Awareness Techniques

    • Awareness can use various methods to deliver information based on the specific audience in a creative and frequently evaluated way
    • Effective security awareness programs recognize that some people tend to tune out

    Developing Security Awareness Components

    • Many program components are available at low cost (videos, posters, lectures, conferences, computer-based training, newsletters, brochures, trinkets, bulletin boards)

    Security Posters

    • Series can be a practical and inexpensive method for increasing awareness of security issues
    • Posters keep security concerns prominent in users' minds and can have a positive impact on user behavior
    • Professional posters are generally expensive; in-house development may be a more budget-friendly choice

    Security Trinkets

    • Low unit cost, expensive to implement en masse
    • Examples (pens, mouse pads, coffee mugs, plastic cups, hats, t-shirts)

    CNS3113 Computer Crimes & Laws in UAE: Learning Outcomes

    • Understand key trade-offs and ethical issues related to data/information system safeguards
    • Understand common types of computer security attacks
    • Understand primary perpetrators and their objectives
    • Understand required actions in response to security incidents
    • Discuss UAE cyber law's regulatory, compliance, and liability issues

    IT Security Incidents

    • Security of information technology is crucial, especially for confidential business/customer data protection, and preventing theft/disruption
    • Importance of balancing against other business needs/issues

    IT Security Incidents: Reasons for Their Spreading

    • Increased computing environment complexity
    • Expanding number of entry points/increasing complexity due to computer help desk pressure
    • Higher computer user expectations, need for more verification methods
    • Network era/globalization requiring more interconnected computer systems
    • Pace of technological change, which organizations struggle to keep up with

    IT Security Incidents: Reasons for Their Spreading (2)

    • Increased dependence upon commercial software with known vulnerabilities
    • Poor design/implementation, leading to vulnerabilities
    • Attacks/exploitation of vulnerabilities
    • The "patch" (solution) relies on users installing the fix for a problem
    • Delays in fixing issues expose users

    Types of Computer Crimes

    • Business attacks: compromise company systems for information theft
    • Financial attacks: exploit financial institutions for monetary gain
    • Terrorist attacks: cause havoc in society, usually through attacks on IT systems
    • Objection attacks: targeted at organizations/companies via IT systems to voice opposition to policies/measures
    • Fun attacks: done for recreational/entertainment purposes
    • Most common offenses (fraud, data damage/modification, unauthorized access)

    Computer Crimes Are Hard to Prosecute

    • Lack of understanding by those tasked with prosecuting (judge, prosecutor)
    • Lack of easily-obtained physical evidence, with crimes often involving intangible items
    • Difficulty in recognizing the value of digital assets
    • Lack of political impact in such crimes
    • Complexity in describing cases
    • Young offenders involved in such cybercrimes

    Types of Attacks on Computers & Smartphones

    • Viruses (small programs often disguised, attached to files, spread through user actions)
    • Worms (harmful programs that reside in active memory and can duplicate without intervention; can cause damage)
    • Trojan Horses (malicious code within harmless programs)
    • Logic Bombs (execute when triggered by specific event)
    • Distributed Denial of Service (DDoS) (many machines flooding a target with requests)
    • Botnet (large networked group of compromised computers, used as tools in many types of attacks)
    • Rootkits (set of programs enabling administrator-level access without user consent/knowledge)
    • Spam (unsolicited email abuse from many senders)
    • Phishing (email) and spear-phishing (emails to organizations), smishing (text messages), and vishing (voice messages)

    Types of Perpetrators (Based on Motive)

    • Thrill seekers (seeking challenge)
    • Common criminals (financial gain)
    • Industrial spies (competitive advantage)
    • Terrorists (causing destruction)
    • Hacker (testing system limits, publicity)
    • Cracker, malicious insider, industrial spy, cybercriminal, hacktivist, cyberterrorist

    Types of Perpetrators: Description

    • Hackers (intellectual curiosity)
    • Crackers (inept or with criminal intent)
    • Malicious insiders (weak internal controls, employee/outsider collusion)

    Types of Perpetrators: (Industrial Spies)

    • Use illegal means to gain trade secrets from rivals (Economic Espionage Act of 1996)
    • Legal approaches to gathering competitor data (competitive intelligence)
    • Illegal methods to gain non-public data (industrial espionage)
    • Cybercriminals (computer hacking)

    Types of Perpetrators: (Hacktivism)

    • Hacking for political/social goals
    • Cyberterrorist (goal is to intimidate/coerce, rather than gain information)
    • Techniques that destroy or cripple services

    Implementing Trustworthy Computing

    • Trustworthy computing focuses on secure, private and reliable computing
    • Sound business practices are essential
    • Systems and networks require a combination of technology, policy and people for successful use
    • Monitors (which detect possible intrusions) are essential for a thorough system
    • Thorough reaction plans are required to address issues such as notification, evidence protection, activity log maintenance, containment, eradication and recovery

    Cybercrimes in the U.A.E.

    • UAE Computer Emergency Response Team reported cybersecurity statistics in a June 2020 report.
    • Details on attacks stopped and identified

    Examples - Videos

    • Watch videos covering cybercrime law in UAE, My Safe Society app, and 10 most devastating cyberattacks

    The U.A.E. Cyber Law "Key Offenses"

    • Hacking to IT systems, websites, or networks
    • Deletion/destruction of data
    • Altering/Modifying website design/layout
    • Credit card fraud
    • Forging official documents
    • Wrongful impersonation
    • Inciting criminal and terrorist acts
    • Threatening state security
    • Disclosure of confidential info
    • Defamation (publishing illegal content)

    Correlated U.A.E. Laws

    • Cybersecurity Law correlates with several other UAE laws

    8 Common Cybercrimes in the U.A.E.

    • Hacking
    • Cyberbullying and verbal offenses/defamation
    • Email fraud
    • Fake Websites/job-seeking fraud
    • Credit Card forgery
    • Online blackmailing
    • Phishing

    Overview of Cyber Criminal Proceedings in U.A.E.

    • Police involvement/documentation procedures
    • Referrals to a Cybercrime unit/CID lab
    • Work with Cyber Departments
    • Reports to a prosecutor, possible arrest warrants, and court referrals

    Required Documents and Evidence

    • Screen shots of social media pages involved in hacking case
    • Complete email, letter, correspondence documenting fraudulent impersonation
    • Information about the bank/type of account used in the incident.
    • Presence of victim/complainant

    Technical Evidence/Bank Cooperation

    • Victims must assist police with all technical details
    • Detailed IT reports outlining how offenses occurred
    • Cooperation from companies/banks to gather evidence
    • Hard drives must not be replaced to preserve evidence
    • Bank cooperation crucial for investigating criminals

    Challenges in the U.A.E.

    • Automatic money transfer issues/jurisdiction outside UAE
    • Public prosecution may be reluctant to pursue cases outside UAE
    • Judicial cooperation agreements needed for cases outside UAE
    • Thresholds for evidence can be challenging/lack of strictness
    • Negligence of prosecuting officials/lack of evidence

    Example Jurisdictional Issues and Multiple Victims

    • Hacker accesses overseas victim's computers, impersonates a UAE victim, and defrauds consumers
    • Fraudulent bank account is located in UAE
    • Cases are more complex due to transnational involvement

    Note About the Document

    • Study notes are derived from provided images. Please note that these are in summary format, leaving out details such as individual names, addresses etc.

    Description

    This quiz explores ethical issues faced by IT workers and users, highlighting the importance of professionalism in the IT field. It covers relationships between IT professionals and ethical dilemmas they encounter, aiming to promote ethical behaviors and decision-making. Prepare to identify key concepts and suggest strategies to foster an ethical work environment.
