Chapter 4.pdf

Transcript

Chapter 4 Section 4.1 Ethics Information Ethics Ethics: The principles and standards that guide our behavior toward other people. Information Ethics - govern the ethical and moral issues arising from the development and use of information technologies, as well as the creation, collection, duplication, distribution, and processing of information itself. Business issues related to information ethics ○ Intellectual property ○ Copyright ○ Pirated software ○ Counterfeit software ○ Digital rights management Privacy is a major ethical issue Privacy - The right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent. Confidentiality - the assurance that messages and information are available only to those who are authorized to view them. INFORMATION DOES NOT HAVE ETHICS, PEOPLE DO Tools to prevent information misuse ○ Information management ○ Information governance ○ Information compliance ○ Information Secrecy ○ Information Property OVERVIEW OF EPOLICIES Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement Ethical Computer Use Policy Contains general principles to guide computer user behavior. The ethical computer user policy ensures that all users are informed of the rules by agreeing to the use of the system on the basis of consent to abide by the rules. Information Privacy Policy Contains general principles regarding information privacy Acceptable Use Policy (AUP) Requires a user to agree to follow it to be provided access to corporate email, information systems, and the internet Nonrepudiation A contractual stipulation to ensure that ebusiness participants do not deny their online actions Internet Use Policy Contains general principles to guide the proper use of the internet Email Privacy Policy Details the extent to which email messages may be read by others Social Media Policy Outlines the corporate guidelines or principles governing employee online communications WORKING MONITORING POLICY The dilemma surrounding employee monitoring in the workplace is that an organization places itself at risk if it fails to monitor is employees. However, some people feel that monitoring employees is unethical. Information technology monitoring - Tracks people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed. Employee monitoring Policy - Explicitly state how, when, and where the company monitors its employees. PROTECTING INTELLECTUAL ASSETS Organizational information is intellectual capital - it must be protected. Information security - The protection of information from accidental or intentional misuse by persons inside or outside the organization Downtime - Refers to a period of time when a system is unavailable. The cost of downtime Financial Performance ○ Revenue recognition ○ Cash flow ○ Payment guarantees ○ Credit rating ○ Stock price Revenue ○ Direct loss ○ Compensatory payments ○ Lost future revenue ○ Billing losses ○ Investment losses ○ Lost productivity Damaged Reputation ○ Customers ○ Suppliers ○ Financial markets ○ Banks ○ Business partners Other expenses ○ Temporary employees ○ Equipment details ○ Overtime costs ○ Extra shipping charges ○ Travel expenses ○ Legal obligations Security Threats Caused by Hackers and Viruses Hacker - Experts in technology who use their knowledge to break into computers and computer networks, either for profit or just motivated by the challenge. ○ Black-hat hacker - steal, destroy or do nothing ○ Cracker - with criminal intent ○ Cyberterrorist - destroy crticial systems or information ○ White-hat hacker - work at the request of system owner to find system vulnerabilities and fix them. Virus - software written with malicious intent to cause annoyance or damage ○ Worm - a type of virus that spreads itself form file to file, but also from computer to computer. ○ Malware - software that is intended to damage or disable computers and computer systems ○ Adware - allows the internet advertisers to display advertisements without the consent of the computer users. ○ Spyware - a special class of adware that collects data about the user and transmits it over the internet without the user’s knowledge or permission. ○ Ransomware - a form of malicious software that infects your computer and ask for money ○ Scareware - a type of malware designed to trick victims into giving up personal information to purchase or download useless and potentially dangerous software. Security THREATS TO EBUSINESS INCLUDE Elevation of privilege - grants authorized rights. Hoaxes - transmits a virus hoax with a real virus attached. Sniffer - a program or device that can monitor data traveling over a network. Spoofing - forging of the return address on an email so that the email message appears to come from someone other than the actual sender. Spyware - comes hidden in free downloadable software and tracks online movements, mines the information stored on a computer. The First line of defense - People Organizations must enable employees, customers, and partners to access information electronically. The biggest issue surrounding information security is not a technical issue but a people issue. The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan. ○ Information security policies Identify the rules required to maintain information security ○ Information security plan Details how an organization will implement the information security policies. Three Areas of Information Security 1. People - Authentication and authorization 2. Data - Prevention and Resistance 3. Attacks - Detection and Response Authentication and Authorization Identity theft - The forging of someone’s identity for the purpose of fraud. ○ Phishing - technique to gain personal information for the purpose of identity theft. ○ Pharming - reroutes requests for legitimate websites to false websites ○ Sock puppet marketing - the use of a false identity to artificially stimulate demand for a product, brand, or service. ○ Astroturfing - the practice of artificially stimulating online conversation and positive reviews about a product, service, or brand. Authentication - A method for confirming users’ identities. Authorization - The process of giving someone permission to do or have something. The most secure type of authentication ○ Something the user knows ○ Something the user has ○ Something that is part of the user Three Categories of Authentication Techniques 1. Something the user knows, such as a user ID and password 2. Something the user has, such as a smart card or token Tokens - Small electronic devices that change user passwords automatically Smart card - A device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing. 3. Something that is part of the user, such as fingerprints or voice (biometrics). Prevention and Resistance Prevention and resistance technologies stop intruders from accessing and reading data. Privilege escalation - A network intrusion attack that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications. ○ Vertical privilege escalation - Attackers grant themselves a higher access level, such as administrator ○ Horizontal privilege escalation - attackers grant themselves the same levels that they already have but assume the identity of another user. Technology available to help prevent and build resistance to attacks include 1. Content filtering - use of software that filters content to prevent the transmission of unauthorized information. 2. Encryption - scrambles information into an alternative from that requires a key or password to decrypt. 3. Firewalls - a hardware and/or software that guard a private network by analyzing incoming and outgoing information for the correct markings. Detection and Response If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage. Intrusion detection software - Features full-time monitoring tools that search for patterns in network traffic to identify intruders. Spam management Tips from information week To avoid ending up on a spammer’s mailing list when you post to a web forum or a newsgroup, you can obscure your email address by inserting something obvious into it. So if your email address is [email protected], change it to xyz@yah[delete_this]oo.com. Or, try something like this: "xyz at yahoo dot com." Don't reply to spam messages, not even to reply to be "removed." Often the instructions are fake, or they're a way to collect more addresses. Replying confirms to the spammers that your email address is active, and you may receive even more junk mail. Remove your email address from your Website's pages and offer a Web-based mail form instead. That prevents spammers' robots from harvesting email addresses and putting them on their mailing lists. Contact-Us-Online.com can provide you with such a script free of charge.