IT Law and Ethics - Cybercrime Textbook PDF

Summary

This document is a textbook from Belgium Campus covering the subject of IT law and ethics. It discusses cybercrime prevalence, various types of cyber attacks, and legal considerations.

Full Transcript

BELGIUM CAMPUS IT LAW and Ethics ILE261 © BELGIUM CAMPUS 2023

Cybercrime prevalence

Which countries do you think have the highest/lowest rate of malware infection?

Surfshark’s cybercrime report for 2021 showed that South Africa had 52 cybercrime victims per one million internet users, with other countries showing even more alarming numbers. The top-ranking country was the UK, with a whopping 4,783 victims per one million users – followed by the US (1,494/1m), Canada (174/1m), Australia (102/1m) and Greece (72/1m).

Countries with the highest rate of infected computers:
  Sudan        70%
  Bangladesh   64%
  Iraq         62%
  Rwanda       57%
  Nepal        56%

Countries with the lowest rate of infected computers:
  Japan        6%
  Germany      9%
  Switzerland  10%
  Luxembourg   10%
  Denmark      11%

The FBI’s major cybercrime cases

Cybercrimes

In the Information Security Handbook by Death (2023), cybercrime is defined as “any criminal activity involving a computer, either as the target or as a tool to carry out the crime”. This is expected to worsen as the world becomes more digitally inclined, with the World Economic Forum Global Risk Report 2022 noting that cybersecurity failures have increased by 12.4% since the start of the Covid-19 pandemic. As a result, the report ranked cybercrime among the top 10 global risks for the future, listing it above infectious diseases, stagflation, and human environmental damage – estimating that cybercrime will cost the world $10.5 trillion (R192 trillion) annually by 2025.

A firm is a victim of an internet crime. What should it do?

Internet crime can appear in various forms. It invariably has a negative impact on the company itself but often also has a negative impact on the customers or clients.

A. Pursue prosecution of the criminals at all costs.
B. Maintain a low profile to avoid negative publicity.
C. Inform its affected customers and stakeholders.
D. Take some other action.

Internet crime is a complex issue. Look at these questions:

1. How much effort and money should be spent to protect against computer crime? How safe is safe enough?
2. If a company realizes it has produced software with defects that open the user up to attacks, what should it do?
3. What should be done if recommended security safeguards make business more difficult for customers and employees, resulting in a loss of profit/sales?

What was the WannaCry attack?

“A vulnerability refers to a weakness in a piece of technology, such as a workstation, server, router, software, cloud, or process, that undermines the system’s ability to provide adequate security.” – Death (2023)

Zero-day attacks

How many days has the vendor been aware of the vulnerability? Zero. A zero-day attack is aimed at a vulnerability the developer is not aware of. If another party like the government or a criminal detects the vulnerability, it is still a zero-day vulnerability until the developer is aware of it.

What if Google detects a vulnerability in a foreign power? Should they let the US government know? Research the coordinated US/Israeli governments’ attack on Iran’s nuclear program.

In ethics there is an equivalence principle. It states that actively doing harm is just as bad as not acting to prevent harm. This means that not reporting these vulnerabilities is just as bad as exploiting them yourself.

Typical attacks

There are many types of computer exploits or attacks. New varieties are being invented all the time. Here we will look at some of the more common attacks.

01 Zero-day attacks: These take place before the developer has been able to patch the vulnerability. Mobile phones have increasingly become a target.
02 Worms, viruses, trojans etc.: These are well-known attacks that have been around for quite some time. Typically, these are what anti-virus software protects against.
03 Ransomware: An attack that locks up a computer and requires users to pay an amount/fine to receive an unlock key. It is often downloaded automatically when a user visits an infected website.
04 DDoS attacks: Distributed denial-of-service attacks flood a server with demands for data and other small tasks. It is not a direct attack but causes the server to crash.
05 Rootkits: A rootkit is a set of programs that enables its user to gain administrator-level access to a computer without the end user’s consent or knowledge. They are difficult to discover since the OS currently running cannot be trusted.
06 Phishing: The act of fraudulently using email to try and get the recipient to reveal personal data. Legitimate-looking emails are sent urging the recipient to, typically, avoid some negative consequence or receive a reward.

Deception

Read the brief introduction to Chapter 2 from the textbook, Cybercrime by Wade. Social engineering is “the active weaponization of human vulnerabilities, behaviours, and errors in order to gain unauthorized access to resources and assets for criminal gain and/or malicious intentions”.

Social engineering: 6 types of persuasion

Wade (2022) lists 6 types of persuasion used by cybercriminals, summarised below. Come up with some guidelines people can use to protect themselves against social engineering.

1. Reciprocity: Cybercriminals do small favours to trigger a sense of obligation in victims to return the favour.
2. Scarcity: They create a sense of urgency, claiming items are limited or rare to make them more desirable.
3. Authority: Cybercriminals pose as credible experts or authorities, such as government officials, to gain trust.
4. Consistency: They encourage victims to make commitments, which increases the likelihood of follow-through.
5. Liking: Cybercriminals use flattery and similarities to build rapport, making it easier to influence victims.
6. Consensus: They exploit group mentality, using the idea that "everyone is doing it" to reduce suspicion and increase compliance.

Should spam be seen as a cybercrime?

Spam is legal but has certain conditions. It needs to comply with privacy laws.

Types of perpetrators

There are many types of computer exploits or attacks. New varieties are being invented all the time. The people committing these acts do so for a variety of reasons.

Hackers and crackers: Hackers test the limitations of a system out of curiosity, while crackers cause problems or steal data.
Malicious insiders: Fraud or security risks from inside the company. This often involves collusion between an employee and an outsider.
Industrial spies: Using illegal means to obtain trade secrets from competitors.
Cybercriminals: Committing various forms of computer fraud – stealing and selling credit card numbers, personal identities, etc. Motivated by the potential for monetary gain.
Hacktivists and cyberterrorists: Hacking that is done to achieve a political or social goal. A cyberterrorist launches computer-based attacks against other computers or networks in an attempt to intimidate or coerce them.

Why are computer incidents so prevalent?

Increased complexity: Networks, computers, operating systems, applications, web sites, switches, routers – the more components, the more entry points there are.
User expectations: Users share login details since they believe the internet to be more secure than it is. In professional situations, authentication can happen too fast.
BYOD: Employees bringing their own laptops or phones onto the company network can be risky.
Software reliance: Certain applications are so widely used that, even with vulnerabilities, they will still be used.
Expanding and changing: Technology is developing so fast that, in the rush to stay up to date, security checks can be done too quickly.
Generation gaps: The huge boost in IT occurred over the past 30 years. This leads to large numbers of people being either computer illiterate or very proficient.

Discussion questions:

1. Which app or website would you still use, even if it were not 100% secure?
2. How does today’s technology compare with technology from 2008?
3. How proficient are your parents/grandparents at using technology, their phones, or the internet?

The law

Why is it so difficult to stop sites like PirateBay?

Interpol’s African Cyberthreat Assessment Report

You can find the report on BC Connect. Scan through it and identify the main points.

What should be included in a law to combat cybercrime? South Africa has a new cybercrime law. What is the extent of cybercrimes in South Africa?

The South African Cybercrime law

The South African Cybercrime Act was signed into effect in December 2021. Below are some of the areas this law addresses.

1. Unlawful access
2. Unlawful interception of data
3. Unlawful acts in respect of software or hardware tools
4. Unlawful interference with data or computer program
5. Unlawful interference with a computer data storage medium or computer system
6. Unlawful acquisition, possession, provision, receipt or use of password, access code or similar data or device
7. Theft of incorporeal property
8. Cyber fraud: using data/software to misrepresent yourself
9. Cyber forgery: using false data/software (usually with the intention to commit fraud)
10. Cyber extortion: using illegal data/software to gain an advantage or to force someone else to do something

Cyber extortion

Wade (2022) states that “Extortion is the threat of force, violence or intimidation to gain something from an individual or an entity (for example business, government). It can include harming a victim’s reputation.” The textbook mentions the lawyer Michael Avenatti who threatened Nike with a news conference where he would ruin their reputation unless they paid him $25 million.

Risk assessment steps

01 Prioritise: Identify the assets related to the company’s primary business goals. Which IT assets are you most concerned about?
02 Identify: Identify the risks or threats that could occur, such as insider fraud or DDoS attacks.
03 Assess: What is the likelihood of each threat? Which potential threat would be more likely to occur?
04 Impact: How would an attack affect the continuity of the organisation?
05 Mitigate: What counter-measures or preventative steps can be taken to lessen the impact of an IT attack?
06 Implement: If financially and practically feasible, decide to implement the measures.

BCDR plan

An important part of risk assessment is ensuring the company has a Business Continuity and Disaster Recovery plan. A Business Continuity (BC) plan and a Disaster Recovery (DR) plan are created separately, with their integration handled afterwards.

Risk assessment steps and BCDR

Look at the steps for a risk assessment and apply them to FNB, Steam, WhatsApp, and IOCO. What would their BCDR be?

References

Confessore, N. (2018). Cambridge Analytica and Facebook: the scandal and the fallout so far. The New York Times. https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html
Frederiksen, C. S., & Nielsen, M. E. J. (2013). Ethical Theories. In: Idowu, S. O., Capaldi, N., Zu, L., & Gupta, A. D. (eds), Encyclopedia of Corporate Social Responsibility. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28036-8_613
Gundugurti, P. R., Bhattacharyya, R., Kondepi, S., Chakraborty, K., & Mukherjee, A. (2022). Ethics and Law. Indian Journal of Psychiatry. doi:10.4103/indianjpsychiatry.indianjpsychiatry_726_21. Epub 2022 Mar 22. PMID: 35599656; PMCID: PMC9122144.
Hotten, BR. (2015). Volkswagen: The scandal explained. BBC News. https://www.bbc.com/news/business-34324772
Hortensius, R., & de Gelder, B. (2018). From Empathy to Apathy: The Bystander Effect Revisited. Current Directions in Psychological Science, 27(4), 249–256. doi:10.1177/0963721417749653. PMID: 30166777; PMCID: PMC6099971.
Krasny, J. (2020). Every parent should know the scandalous history of infant formula. Business Insider. https://www.businessinsider.com/nestles-infant-formula-scandal-2012-6
Reynolds, G. (2015). Ethics in Information Technology (5th ed.). Cengage Learning.
Smeulers (2019). Why Serious International Crimes Might Not Seem ‘Manifestly Unlawful’ to Low-level Perpetrators: A Social–Psychological Approach to Superior Orders. Journal of International Criminal Justice, 17(1), 105–123. https://doi.org/10.1093/jicj/mqz001
South Africa. Consumer Protection Act, 2008 (Act No. 68 of 2008). Government Gazette of the Republic of South Africa, April 29, 2009, Vol. 522, No. 32186, pp. 2–93.
Thiroux, J. P., & Krasemann, K. W. (2014). Ethics: Theory and Practice (11th ed.). Pearson.
Wade, T. (2022). Cybercrime: Protecting Your Business, Your Family and Yourself. BCS, The Chartered Institute for IT.
