Module 2: Cyber-crimes and Cyber Laws
Summary
This document provides an overview of cyber-crimes and cyber laws, IT professional malpractice, and the ethical considerations for IT workers and users. It also explores the role and responsibilities of IT professionals, relationships with employers, clients, and suppliers, as well as codes of ethics and various compliance issues, such as software piracy.
Objectives - Ethics for IT Workers and IT Users

- What key characteristics distinguish a professional from other kinds of workers, and is an IT worker considered a professional?
- What factors are transforming the professional services industry?
- What relationships must an IT worker manage, and what key ethical issues can arise in each?
- How do codes of ethics, professional organizations, certification, and licensing affect the ethical behavior of IT professionals?
- What is meant by compliance, and how does it help promote the right behaviors and discourage undesirable ones?

Module 2 outline: Ethics for IT Workers and IT Users; IT professionals; IT professional malpractice; cyber laws: the Information Technology Act, 2000 ("IT Act"); digital signatures; Confidentiality, Integrity and Availability (CIA).

IT Professionals

A profession is a calling that requires specialized knowledge and long and intensive academic preparation. Professionals:
- require advanced training and experience;
- must exercise discretion and judgment in their work, which cannot be standardized;
- contribute to society, participate in lifelong training, and assist other professionals;
- carry special rights and responsibilities.

Are IT Workers Professionals?

Partial list of IT specialists: programmers, systems analysts, software engineers, database administrators, local area network (LAN) administrators, and chief information officers (CIOs).

Legal perspective: IT workers do not meet the legal definition of a professional. They are not licensed by state or federal government, and they are not liable for malpractice.

Professional Relationships That Must Be Managed

In each relationship, an ethical IT worker acts honestly and appropriately.
Professional relationships IT workers must manage: employers, clients, suppliers, other professionals, IT users, and society.

Relationships Between IT Workers and Employers

- IT workers agree on many aspects of the work relationship before accepting a job offer (for example, the programming language to be used, the type and amount of documentation to be produced, and the extent of testing to be conducted).
- Some aspects develop over time (for example, whether the employee can leave early one day if the time is made up another day).
- Some aspects are addressed by law; for example, an employee cannot be required to do anything illegal, such as falsify the results of a quality assurance test.
- As stewards of the organization's IT resources, IT workers must set an example and enforce policies regarding the ethical use of IT.

Software piracy is the act of illegally making copies of software or enabling access to software to which one is not entitled. It is an area in which IT workers can be tempted to violate laws and policies.

The Business Software Alliance (BSA) is a trade group that represents the world's largest software and hardware manufacturers. Its mission is to stop the unauthorized copying of software produced by its members.

Trade secrecy is another area that can present challenges for IT workers and their employers. A trade secret is information, generally unknown to the public, that a company has taken strong measures to keep confidential. It represents something of economic value that has required effort or cost to develop and that has some degree of uniqueness or novelty. Trade secrets can include the design of new software code, hardware designs, business plans, the design of a user interface to a computer program, and manufacturing processes. Examples include the Colonel's secret recipe of 11 herbs and spices used to make the original KFC chicken and the formula for Coke.
Intel's manufacturing process for the i7 quad-core processor is another example. Employers worry that employees may reveal these secrets to competitors, especially if they leave the company. As a result, companies often require employees to sign confidentiality agreements and promise not to reveal the company's trade secrets.

Another issue that can create friction between employers and IT workers is whistle-blowing. Whistle-blowing is an effort by an employee to attract attention to a negligent, illegal, unethical, abusive, or dangerous act by a company that threatens the public interest. Whistle-blowers often have special information based on their expertise or position within the offending organization. For example, an employee of a chip manufacturing company may know that the chemical process used to make the chips is dangerous to employees and the general public. A whistle-blower is a person, usually an employee, who exposes information or activity within a private, public, or government organization that is deemed illegal, illicit, unsafe, fraudulent, or an abuse of taxpayer funds.

Relationships Between IT Workers and Clients

- The client trusts the IT worker to act in the client's best interests.
- The client will provide relevant information, listen to and understand what the IT worker says, ask questions to understand the impact of key decisions, and use the information to make wise choices.
- The client makes decisions about a project based on the information, alternatives, and recommendations provided by the IT worker.
- Ethical problems arise if a company recommends its own products and services to remedy problems it has detected; this creates a conflict of interest.
- Problems also arise during a project if IT workers are unable to provide full and accurate reporting of the project's status; finger pointing and heated discussions can ensue.

Fraud is the crime of obtaining goods, services, or property through deception or trickery.
Fraudulent misrepresentation occurs when a person consciously decides to induce another person to rely and act on a misrepresentation. To prove fraud in a court of law, prosecutors must demonstrate the following elements:
- The wrongdoer made a false representation of material fact.
- The wrongdoer intended to deceive the innocent party.
- The innocent party justifiably relied on the misrepresentation.
- The innocent party was injured.

A misrepresentation is a false or incomplete statement of material fact. If the misrepresentation causes a party to enter into a contract, that party may have the right to cancel the contract or seek reimbursement for damages.

Breach of contract occurs when one party fails to meet the terms of a contract. When there is a material breach of contract, the non-breaching party may revoke (cancel) the contract, seek restitution of any compensation paid to the breaching party, and be discharged from any further performance under the contract. IT projects are joint efforts in which vendors and customers work together, so when there are problems it is difficult to assign who is at fault.

Relationships Between IT Workers and Suppliers

Develop good working relationships with suppliers by dealing fairly with them and by not making unreasonable demands. This encourages the flow of useful information and ideas, which can lead to innovative and cost-effective ways of using the supplier that the IT worker may not have considered.

Bribery is the act of providing money, property, or favors to someone in business or government in order to obtain a business advantage. Under the U.S. Foreign Corrupt Practices Act (FCPA), it is a crime to bribe a foreign official, a foreign political party official, or a candidate for foreign political office. At what point does a gift become a bribe?
Bribes and gifts: no gift should be hidden, and the perceptions of donor and recipient can differ. The United Nations Convention Against Corruption is a global treaty to fight bribery and corruption.

Relationships Between IT Workers and Other Professionals

Professionals feel a degree of loyalty to other members of their profession and owe each other adherence to their profession's code of conduct. One ethical problem within the IT profession is the inappropriate sharing of corporate information: information might be sold intentionally or shared informally with those who have no need to know.

Relationships Between IT Workers and Society

Society expects members of a profession to provide significant benefits and not to cause harm through their actions. The actions of an IT worker can affect society, and professional organizations provide codes of ethics to guide IT workers' actions.

Relationships Between IT Workers and IT Users

An IT user is a person using a hardware or software product. IT workers' duties are to understand users' needs and capabilities, deliver products and services that meet those needs, and establish an environment that supports ethical behavior: one that discourages software piracy, minimizes inappropriate use of corporate computing resources, and avoids inappropriate sharing of information.

Establishing guidelines for the use of company software: company IT managers must provide clear rules that govern the use of home computers and associated software.

Professional Codes of Ethics

A professional code of ethics states the principles and core values that are essential to the work of a particular occupational group.
Most codes of ethics include what the organization aspires to become and the rules and principles by which members of the organization are expected to abide. Many codes also include a commitment to continuing education for those who practice the profession.

Following a professional code of ethics can produce benefits for the individual, the profession, and society as a whole:
- Ethical decision making: practitioners use a common set of core values and beliefs as a guideline for ethical decision making.
- High standards of practice and ethical behavior: adherence to a code of ethics reminds professionals of the responsibilities and duties that they may be tempted to compromise to meet the pressures of day-to-day business. The code also defines acceptable and unacceptable behaviors to guide professionals in their interactions with others. Strong codes of ethics have procedures for censuring professionals for serious violations, with penalties that can include the loss of the right to practice.
- Trust and respect from the general public: adherence to a code of ethics enhances trust and respect for professionals and their profession.
- Evaluation benchmark for self-assessment: a professional can use the code as a means of self-assessment, and peers can also use it for recognition or censure.

Professional Organizations

Four of the most prominent organizations are the Association for Computing Machinery (ACM), the Institute of Electrical and Electronics Engineers Computer Society (IEEE-CS), the Association of IT Professionals (AITP), and the SysAdmin, Audit, Network, Security (SANS) Institute.

Certification indicates that a professional possesses a particular set of skills, knowledge, or abilities in the opinion of the certifying organization.
Certification can also apply to products. It is generally voluntary, may or may not require adherence to a code of ethics, and is viewed by employers as a benchmark of knowledge, although opinions are divided on its value.

Vendor certifications:
- Some require passing a written exam or, in some cases, a hands-on lab to demonstrate skills and knowledge.
- Relevant for narrowly defined roles or certain aspects of broader roles.
- It can take years to obtain the necessary experience, and training can be expensive.
- Can substantially improve IT workers' salaries and career prospects.

Industry association certifications:
- Require a higher level of experience and a broader perspective than vendor certifications.
- Candidates must sit for and pass a written exam.
- Are moving from purely technical content to a broader mix of technical, business, and behavioral competencies.
- Lag in developing tests that cover new technologies.

Industry association certifications (certification | subject matter):
Microsoft Certified Technology Specialist | Designing and optimizing solutions based on Microsoft products and technologies
Cisco Certified Internetwork Expert | Managing and troubleshooting large networks
Cisco Certified Network Professional Security | Configuring and designing firewalls and the security settings on routers and switches
CompTIA A+ | Performing computer and network maintenance, troubleshooting, and installation, including addressing security issues
Project Management Institute's Project Management Professional (PMP) | Leading and directing projects

Government Licensing

A license is a government-issued permission to engage in an activity or operate a business. Licensing is generally administered at the state level in the United States and often requires that the recipient pass a test.
Some professionals must be licensed: doctors, lawyers, CPAs, medical and day care providers, engineers. One goal of licensing is to protect public safety. Without licensing, there are no requirements for heightened care and no concept of professional malpractice.

Licensed activities include fishing; hunting; marrying; driving a motor vehicle; providing health care services; practicing law; manufacturing; engaging in retail and wholesale commerce; and operating a private business, trade, or technical school.

Issues associated with government licensing of IT workers: there are few licensing programs for IT professionals because
- there is no universally accepted core body of knowledge;
- it is unclear who should manage the content and administration of licensing exams;
- there is no administrative body to accredit professional education programs; and
- there is no administrative body to assess and ensure the competence of individual workers.

IT Professional Malpractice

Negligence is not doing something that a reasonable person would do, or doing something that a reasonable person would not do. Duty of care refers to the obligation to protect people against any unreasonable harm or risk. The reasonable person standard evaluates how an objective, careful, and conscientious person would have acted in the same circumstances; defendants who have particular expertise or competence are measured against the reasonable professional standard instead.

A breach of the duty of care is the failure to act as a reasonable person would act. A breach of duty might consist of an action, such as throwing a lit cigarette into a fireworks factory and causing an explosion, or a failure to act when there is a duty to do so, for example a police officer not protecting a citizen from an attacker. Professionals who breach the duty of care are liable for injuries that their negligence causes. This liability is commonly referred to as professional malpractice.
For example, a CPA who fails to use reasonable care, knowledge, skill, and judgment when auditing a client's books is liable for accounting malpractice. Professionals who breach this duty are liable to their patients or clients, and possibly to some third parties.

Types of Exploits

Types of attacks (computers as well as smartphones can be targets): virus, worm, Trojan horse, distributed denial of service, rootkit, spam, and phishing (including spear-phishing, smishing, and vishing).

(Source for this section: Ethics in Information Technology, Fourth Edition.)

Worms

A worm is a harmful program that resides in the active memory of the computer and duplicates itself. Worms differ from viruses in that they can propagate without human intervention, often sending copies of themselves to other computers by email. A worm makes copies of itself and can cause major damage to files, software, and data. Methods of replication include email and file sharing.

Example: W32/Bugbear-A is a network worm that spreads by emailing attachments of itself. It creates a thread that attempts to terminate anti-virus and security programs, logs keystrokes and sends this information when the user is connected online, and opens a backdoor port on the infected computer.

Trojan Horses

A Trojan horse is a program in which malicious code is hidden inside a seemingly harmless program; it takes effect when the user downloads and installs the file onto their system. The program's harmful payload might be designed to enable the hacker to destroy hard drives, corrupt files, control the computer remotely, launch attacks against other computers, steal passwords or Social Security numbers, or spy on users by recording keystrokes and transmitting them to a server operated by a third party. The payload may open a port without the knowledge of the user; the open port gives the remote attacker access to the computer.
Trojan horses are delivered via email attachment, downloaded from a Web site, or contracted via a removable media device.

A logic bomb is another type of Trojan horse. It executes when triggered by a certain event; for example, logic bombs can be triggered by a change in a particular file, by typing a specific series of keystrokes, or by a specific time or date.

Distributed Denial-of-Service (DDoS) Attacks

A distributed denial-of-service (DDoS) attack is one in which a malicious hacker takes over computers via the Internet and causes them to flood a target site with demands for data and other small tasks. A DDoS attack does not involve infiltration of, or a break-in at, the targeted system: the target machine is simply kept busy responding to a stream of automated requests, so legitimate users cannot access it. The computers that are taken over are called zombies, and a very large group of such computers is a botnet. Botnet software is installed by a virus or worm and gives the attacker remote, unrestricted access to each infected system.

Rootkits

A rootkit is a set of programs that enables its user to gain administrator-level access to a computer without the end user's consent or knowledge. Once installed, the attacker can gain full control of the system and even obscure the presence of the rootkit from legitimate system administrators. Attackers can use the rootkit to execute files, access logs, monitor user activity, and change the computer's configuration. Rootkits are one part of a blended threat consisting of the dropper, the loader, and the rootkit. The dropper code gets the rootkit installation started and can be activated by clicking on a link to a malicious Web site in an email or opening an infected PDF file. The dropper launches the loader program and then deletes itself. The loader loads the rootkit into memory; at that point, the computer has been compromised.
Rootkits are designed so cleverly that it is difficult even to discover whether they are installed on a computer. Symptoms of rootkit infection include: the computer locks up or fails to respond to input from the keyboard or mouse; the screen saver changes without any action on the part of the user; the taskbar disappears; network activities function extremely slowly.

Spam

Spam is the abuse of email systems to send unsolicited email to large numbers of people. It is a low-cost form of commercial advertising, often for questionable products, but the method is also used by many legitimate organizations. The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act makes it legal to send commercial email if basic requirements are met. A Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) is software that generates tests that humans can pass but computer programs cannot.

Phishing

Phishing is the act of fraudulently using email to try to get the recipient to reveal personal data. In a phishing scam, con artists send legitimate-looking emails urging the recipient to take action to avoid a negative consequence or to receive a reward. The requested action may involve clicking on a link to a Web site or opening an email attachment. Spear-phishing is a variation of phishing in which the phisher sends fraudulent emails to a certain organization's employees. It is known as spear-phishing because the attack is much more precise and narrow, like the tip of a spear.

Smishing and Vishing

Smishing is another variation of phishing that involves the use of Short Message Service (SMS) texting. In a smishing scam, people receive a legitimate-looking text message on their phone telling them to call a specific phone number or to log on to a Web site. This is often done under the guise that there is a problem with their bank account or credit card that requires immediate attention.
Vishing is similar to smishing except that the victims receive a voice mail telling them to call a phone number or access a Web site.

The CIA Security Triad

Confidentiality ensures that only those individuals with the proper authority can access sensitive data such as employee personal data, customer and product sales data, and new product and advertising plans. Integrity ensures that data can only be changed by authorized individuals, so that the accuracy, consistency, and trustworthiness of data are guaranteed. Availability ensures that the data can be accessed when and where needed, including during times of both normal and disaster recovery operations. Confidentiality, integrity, and availability are referred to as the CIA security triad.

Information Technology Act, 2000

The Information Technology Act, 2000 (also known as ITA-2000, or the IT Act) is an Act of the Indian Parliament (No. 21 of 2000) notified on 17 October 2000. It is the primary law in India dealing with cybercrime and electronic commerce. It is based on the United Nations Model Law on Electronic Commerce 1996 (the UNCITRAL Model Law), recommended by the General Assembly of the United Nations by a resolution dated 30 January 1997. The Act applies to the whole of India. Persons of other nationalities can also be indicted under the law if the crime involves a computer or network located in India.
Definitions (Section 2)

"computer" means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software or communication facilities which are connected or related to the computer in a computer system or computer network;

"computer network" means the inter-connection of one or more computers through (i) the use of satellite, microwave, terrestrial line or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained;

"computer system" means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;

"data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
"electronic record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche;

"secure system" means computer hardware, software, and procedure that (a) are reasonably secure from unauthorised access and misuse; (b) provide a reasonable level of reliability and correct operation; (c) are reasonably suited to performing the intended functions; and (d) adhere to generally accepted security procedures;

"security procedure" means the security procedure prescribed by the Central Government under the IT Act, 2000;

"secure electronic record": where any security procedure has been applied to an electronic record at a specific point of time, such record shall be deemed to be a secure electronic record from that point of time to the time of verification.

Commission of Cyber Crime

Cyber crimes fall into three basic groups according to the target: the individual, the organisation, and society at large.

Against the individual: harassment via emails, cyber stalking, dissemination of obscene material, defamation, hacking/cracking, indecent exposure.
Against individual property: computer vandalism, transmitting viruses, network trespassing, unauthorised control over a computer system, hacking/cracking.
Against the organisation: hacking and cracking, possession of unauthorised information, cyber-terrorism against government organisations, distribution of pirated software, etc.
Against society at large: pornography, polluting the youth through indecent exposure, trafficking.

Electronic World

An electronic document is a document produced by a computer.
It is stored in digital form and cannot be perceived without using a computer. It can be deleted, modified and rewritten without leaving a mark, and a copy is indistinguishable from the original, so the integrity of an electronic document is "genetically" impossible to verify by inspection alone. It cannot be sealed in the traditional way, where the author affixes a handwritten signature. The functions of identification, declaration and proof for electronic documents are therefore carried out using a digital signature based on cryptography.

A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. It is the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent security. A digital signature is intended to solve the problem of tampering and impersonation in digital communications, and it can provide evidence of the origin, identity and status of electronic documents, transactions or digital messages. Digital signatures are created and verified using public key cryptography, which is based on asymmetric keys: an algorithm generates two different but mathematically related keys, a public key (PU) and a private key (PR). The private key is used to digitally sign; the public key is used to verify.
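The sign-then-verify flow described above, and the "asymmetric crypto system and hash function" construction that Section 3 of the Act refers to, as an added example in plain Python (this is not code from the slides, the textbook or the Act). The record is hashed with SHA-256, the digest is transformed with the private key, and the verifier undoes that transformation with the public key and compares the result against a fresh hash of the record it received. Textbook RSA without padding is used only to keep the mechanics visible; the key sizes, the sample record and the use of Miller-Rabin for prime generation are assumptions of this example, and a real deployment uses RSA-PSS or ECDSA from a vetted library.

```python
import hashlib
import math
import random
import secrets

# Toy RSA digital signature for illustration. Assumption (not from the page):
# textbook RSA with no padding; production code must use RSA-PSS or ECDSA
# from a vetted cryptographic library, never this.


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test (random witnesses are fine for testing primality)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits, drawn from the OS CSPRNG."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 2048):
    """Return (public_key, private_key) as ((n, e), (n, d)): the two related keys."""
    e = 65537
    while True:
        p = generate_prime(bits // 2)
        q = generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest_as_int(message: bytes) -> int:
    """Hash function step: SHA-256 of the electronic record, as an integer < n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Signer: apply the private exponent to the hash of the record."""
    n, d = private_key
    return pow(digest_as_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verifier: recover the hash with the public exponent and compare it with a
    fresh hash. Any change to the record, or a key other than the signer's, fails."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest_as_int(message)


if __name__ == "__main__":
    public_key, private_key = generate_keypair(1024)
    record = b"Electronic record: invoice 1042, amount 50000, payee ACME"  # constructed sample
    sig = sign(record, private_key)
    print("original verifies:", verify(record, sig, public_key))        # True
    tampered = record.replace(b"50000", b"90000")
    print("tampered verifies:", verify(tampered, sig, public_key))      # False
```

Changing a single byte of the record, or verifying with a different party's public key, makes verify() return False; that is the tampering and impersonation detection the slide describes, and it is why the public key can be published while the private key must stay with the subscriber.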
Role of the Government

The government has to define the structure of the PKI: the number of levels of authority and their juridical form (public or private certification); which authorities are allowed to issue key pairs; the extent to which the use of cryptography should be authorised for confidentiality purposes; whether the Central Authority should have access to encrypted information, and when and how; and the key length, its security standard and its period of validity.

Section 3: Digital Signatures

Section 3 of the IT Act provides that authentication of an electronic record is to be effected by the use of an asymmetric crypto system and hash function. The private key and the public key are unique to the subscriber and constitute a functioning key pair, so the electronic record can be verified by anyone holding the subscriber's public key.

Implementing CIA at the Organization Level: security strategy, risk assessment, disaster recovery, security policies, security audits, regulatory standards compliance, security dashboard.

Implementing CIA at the Network Level: authentication methods, firewalls (including the next-generation firewall, NGFW), routers, encryption, proxy servers and virtual private networks, intrusion detection systems.

A firewall is a system of software, hardware, or a combination of both that stands guard between an organization's internal network and the Internet and limits network access based on the organization's access policy.
A next-generation firewall (NGFW) is a hardware- or software-based network security system that is able to detect and block sophisticated attacks by filtering network traffic based on the packet contents, not only on addresses and ports. A router is a networking device that connects multiple networks together and forwards data packets from one network to another. A proxy server serves as an intermediary between a web browser and other servers on the Internet, making requests to websites, servers, and services on the user's behalf. A VPN enables remote users to securely access an organization's collection of computing and storage devices and share data remotely.

An intrusion detection system (IDS) is software and/or hardware that monitors system and network resources and activities and notifies network security personnel when it detects network traffic that attempts to circumvent the security measures of a networked computer environment.
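The kind of detection logic an IDS applies to connection logs, as an added example (not code from the slides or the textbook): one rule flags a single source probing many destination ports in a short time, the reconnaissance that precedes an attack on whatever services the firewall leaves open; a second flags a destination receiving a flood of connection attempts in one second from many sources, the "stream of automated requests" of the DDoS slide above. The log format, the addresses, the thresholds and every sample line are constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample connection log (not from the page), one event per line:
# "<ISO-8601 UTC timestamp> <source IP> -> <destination IP>:<port> <TCP flag>"
SCANNER = "198.51.100.7"
TARGET = "192.0.2.10"
SAMPLE_LOG = (
    [
        "2024-05-01T10:00:00Z 203.0.113.5 -> 192.0.2.10:443 SYN",  # normal client
        "2024-05-01T10:00:01Z 203.0.113.5 -> 192.0.2.10:443 ACK",
        "2024-05-01T10:00:05Z 203.0.113.9 -> 192.0.2.10:22 SYN",
    ]
    # one host probing twelve different ports within seconds: a port scan
    + [f"2024-05-01T10:00:{10 + i:02d}Z {SCANNER} -> {TARGET}:{port} SYN"
       for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    # 120 SYNs from 100 zombies to one service in the same second: a DDoS-style flood
    + [f"2024-05-01T10:05:00Z 203.0.113.{100 + i % 100} -> {TARGET}:80 SYN"
       for i in range(120)]
    + ["this line is malformed and must be skipped rather than crash the sensor"]
)

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


class Event(NamedTuple):
    ts: int      # seconds since the epoch, UTC
    src: str
    dst: str
    port: int
    flag: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for anything that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, src, dst, port, flag = m.groups()
    try:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return Event(int(when.timestamp()), src, dst, int(port), flag)


def parse_log(lines) -> List[Event]:
    """Parse a whole log, silently dropping malformed lines."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def detect_port_scan(events, threshold: int = 10, window_s: int = 60) -> List[Tuple[str, int]]:
    """Alert when one source touches >= threshold distinct destination ports inside a
    window_s-second bucket. Returns (source, distinct_ports) per alert."""
    ports = defaultdict(set)
    for e in events:
        ports[(e.src, e.ts // window_s)].add(e.port)
    return sorted((src, len(seen)) for (src, _), seen in ports.items() if len(seen) >= threshold)


def detect_syn_flood(events, threshold: int = 100, window_s: int = 1) -> List[Tuple[str, int, int]]:
    """Alert when one destination service receives >= threshold SYNs in a window_s-second
    bucket, however many sources send them. Returns (destination, port, syn_count)."""
    counts = defaultdict(int)
    for e in events:
        if e.flag == "SYN":
            counts[(e.dst, e.port, e.ts // window_s)] += 1
    return sorted((dst, port, n) for (dst, port, _), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(f"parsed {len(evts)} events")
    for src, n in detect_port_scan(evts):
        print(f"ALERT port scan: {src} probed {n} ports within a minute")
    for dst, port, n in detect_syn_flood(evts):
        print(f"ALERT SYN flood: {dst}:{port} received {n} SYNs in one second")
```

The fixed time buckets keep the example short; a production sensor uses sliding windows so that activity straddling a bucket boundary is not missed, and the thresholds are tuning knobs set from a baseline of the network's normal traffic rather than the constants used here.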
Implementing CIA at the Application Level

Authentication methods: two-factor authentication requires the user to provide two different types of credential before being able to access an account. The credentials are drawn from these categories:
- something the user knows, such as a PIN or password;
- something the user has, such as a security card or token;
- something the user is, such as a biometric (for example, a fingerprint or retina scan).

Other application-level controls: user roles and accounts; data encryption; and securing the business applications themselves, such as enterprise resource planning (ERP), customer relationship management (CRM), and product lifecycle management (PLM) systems.

Implementing CIA at the End-User Level: security education, authentication methods, antivirus software, data encryption.

Security education covers:
- guarding passwords to protect against unauthorized access to accounts, and prohibiting others from using them;
- applying strict access controls (file and directory permissions) to protect data from disclosure or destruction;
- reporting all unusual activity to the organization's IT security group;
- taking care to ensure that portable computing and data storage devices are protected (hundreds of thousands of laptops are lost or stolen per year).