CNS3113 CLO4 Ethics for IT Workers & SETA - Week 10-13 PDF

Summary

These lecture notes from weeks 10-13 of CNS3113 outline the key concepts of ethics for IT workers and users. They discuss topics like relationships with employers, clients, and suppliers, as well as various ethical issues in IT and information security.

Full Transcript

CNS3113 – CLO4:
Ethics for IT workers, SETA programs, Computer
Crimes

Dr. Dimitrios Xanthidis, DBA
Ethics for IT Workers: Learning 2

Outcomes
By the end of this Chapter, the learner should be able to:
1. Identify and explain the relationships that an IT worker
must manage and the ethical issues that can arise in
each.
2. Describe what can be done to encourage the
professionalism of IT workers
3. Identify and explain ethical issues IT users face
4. Suggest ways that ethical behaviours by IT users can be
encouraged

2
IT Professionals 3

Profession: requires specialized knowledge and long and intensive academic preparation
Professionals
Require advanced training and experience
Must exercise discretion and judgment in their work
Their work cannot be standardized
Contribute to society, participate in lifelong training, and assist other professionals
Carry special rights and responsibilities
Partial list of IT specialists
Programmers
Systems analysts
Software engineers
Database administrators
Local area network (LAN) administrators
Chief information officers (CIOs)
Legal perspective
IT workers do not meet legal definition of professionals
Not licensed by state or federal government, Not liable for malpractice

3
Professional Relationships that must be 4
managed
IT workers involved in relationships with:
Employers
Clients
Suppliers
Other professionals
IT users
Society at large
Relationship between IT Workers and employers:
IT workers agree on many aspects of work relationship before workers
accept job offer e.g. dress code, work hours, performance expectations
Other aspects of work relationship defined in company’s policy and
procedure manual or code of conduct
Some aspects develop over time
IT workers set example and enforce policies regarding the ethical use of IT
4
Areas in which IT workers may violate 5

laws/policies
Software piracy: Act of illegally making copies of software or
enabling access to software to which they are not entitled
The Business Software Alliance (BSA) is a trade group
representing the world’s largest software and hardware
manufacturers; mission is to stop the unauthorized copying of
software
Thousands of cases prosecuted each year
Trade secrets
Business information generally unknown to public
Company takes actions to keep confidential
Require cost or effort to develop
Have some degree of uniqueness or novelty
Whistle-blowing
Employee attracting attention to a negligent, illegal, unethical,
abusive, or dangerous act that threatens the public interest 5
Relationships between IT Workers and 6

Clients
IT worker provides hardware, software, or services at a certain cost within a time frame
Client provides compensation, access to key contacts, work space
Relationship is usually documented in contractual terms
Client makes decisions about a project based on information, alternatives, and
recommendations provided by the IT worker
Client trusts IT worker to act in client’s best interests
IT worker trusts that client will provide relevant information, listen to and understand
what the IT worker says, ask questions to understand impact of key decisions, and use
the information to make wise choices
Conflict of interest: Ethical problems that arise if a company recommends
its own products and services to remedy problems they have detected
Problems arise during a project if IT workers are unable to provide full and
accurate reporting of a project’s status
May generate finger pointing and heated discussions
Can lead to charges of fraud, misrepresentation, and breach of contract.
6
Problems between IT workers and 7

clients
Problems arise during a project if IT workers are unable to provide full
and accurate reporting of a project’s status:
May generate finger pointing and heated discussions
Fraud: Crime of obtaining goods, services, or property through deception or
trickery
Misrepresentation: Misstatement or incomplete statement of material fact,
can lead to cancellation of contract or seek reimbursement for damages
Breach of contract: One party fails to meet the terms of a contract. The
non-breaching party may cancel the contract, seek compensation paid to the
breaching party, and be discharged from any further performance under the
contract
IT projects are joint efforts in which vendors and customers work together.
When there are problems, it is difficult to assign who is at fault

7
Relationships between IT Workers and 8

Suppliers
Develop good working relationships with suppliers to encourage flow of useful information and
ideas to develop innovative and cost-effective ways of using the supplier:
By dealing fairly with them
By not making unreasonable demands
Beware of unethical behaviours from suppliers such as bribery
Bribery
Providing money, property, or favors to obtain a business advantage
Perceptions of donor and recipient can differ
At what point does a gift become a bribe?

8
 9

Relationships between IT Workers
and Other professionals
Professionals feel a degree of loyalty to other members of their
profession
Professionals owe each other obedience to their profession’s code of
conduct
Ethical problems among the IT profession
Résumé inflation on 30% of U.S. job applications
Inappropriate sharing of corporate information
Information might be sold intentionally or shared informally with those who have no need to know

9
Relationships between IT Workers 10

and User or the Society
IT user: person using a hardware or software product
IT workers’ duties:
Understand users’ needs and capabilities; deliver products and services to meet
those
Establish environment that supports ethical behaviour:
To discourages software piracy
To minimize inappropriate use of corporate computing resources
To avoid inappropriate sharing of information
Society expects members of a profession to
Provide significant benefits
Not cause harm through their actions
Actions of an IT worker can affect society
Professional organizations provide codes of ethics to guide IT workers’ actions

10
Professional Codes of Ethics 11

State the principles and core values that are essential to the work of an
occupational group
Most codes of ethics include:
What the organization aspires to become
Rules and principles which members of the organization are expected to
abide
Many codes also include commitment to continuing education for those who
practice the profession
Following a professional code of ethics can produce benefits for the individual,
the profession, and society as a whole. This includes:
Ethical decision making
High standards of practice and ethical behavior
Trust and respect from general public
Evaluation benchmark for self-assessment
11
IT Professional Malpractice 12

Negligence: not doing something that a reasonable person would do, or
doing something that a reasonable person would not do
Duty of care: obligation to protect people against any unreasonable harm or
risk
Reasonable person standard
Reasonable professional standard
Professional malpractice: professionals who breach the duty of care are liable
for damages that their negligence causes
Employees’ ethical use of IT is an area of growing concern because of
increased access to:
Personal computers
Corporate information systems and data
The Internet

12
Supporting the Ethical Practices of 13

IT
Policies that protect against abuses:
Set forth general rights and responsibilities of users
Create boundaries of acceptable behaviour
Enable management to punish violators
Policy components include:
Establishing guidelines for use of company software
Defining appropriate use of IT resources
Structuring information systems to protect data and information
Installing and maintaining a corporate firewall

13
Common Ethical Issues for IT Users 14

Software piracy
Inappropriate use of computing resources
Low productivity and wastes time
Could lead to lawsuits
Inappropriate sharing of information, including:
Every organization stores vast amounts of private or confidential data
Private data (employees and customers)
Confidential information (company and operations)

14
CNS3113 – SETA: Learning 15

Outcomes
By the end of this Chapter, the learner should be able to:
Explain the organizational approaches to information security
Identify and describe the functional components of the information
security program
Determine how to plan and staff an organization’s information
security program based on its size
Evaluate the internal and external factors that influence the activities
and organization of an information security program
List and describe the typical job titles and functions performed in the
information security program
Describe the components of a security education, training, and
awareness program and understand how organizations create and
manage these programs

15
Components of SETA 16

Information security needs of any organization are unique to the culture, size,
and budget of that organization
Determining what level the information security program operates on depends
on the organization’s strategic plan, in particular its vision and mission
statements
The CIO and CISO should use these two documents to formulate the mission
statement for the information security program
SETA program: designed to reduce accidental security breaches
Awareness, training, and education programs offer two major benefits:
Improve employee behavior
Enable organization to hold employees accountable for their actions
SETA program consists of three elements: security education, security training,
and security awareness

16
Purpose and Framework of SETA 17

The purpose of SETA is to
enhance security:
By building in-depth
knowledge, as needed, to
design, implement, or
operate security programs for
organizations and systems
By developing skills and
knowledge so that computer
users can perform their jobs
while using IT systems more
securely
By improving awareness of
the need to protect system
resources
17
Security Training 18

Security training involves providing detailed information and hands-on
instruction to give skills to users to perform their duties securely
Two methods for customizing training
Functional background: General user, Managerial user, Technical user
Skill level: Beginner, Intermediate, Advanced
Employee training:
Local training program
Continuing education department
External training agency
Professional trainer, consultant, or someone from accredited institution to
conduct on-site training
In-house training using organization’s own employees

18
Security Awareness 19

Security awareness program: one of least frequently implemented, but most effective security
methods
Security awareness programs:
Set the stage for training by changing organizational attitudes to realize the importance of
security and the adverse consequences of its failure
Remind users of the procedures to be followed
SETA Best Practices: When developing an awareness program:
Focus on people
Avoid using technical jargon
Use every available venue
Define learning objectives, state them clearly, and provide sufficient detail and coverage
Keep things light
Don’t overload the users
Help users understand their roles in InfoSec
Take advantage of in-house communications media
Make the awareness program formal; plan and document all actions
Provide good information early, rather than perfect information late
19
Commandments of InfoSec Awareness 20

Training
Information security is a people, rather than a technical, issue
If you want them to understand, speak their language
If they cannot see it, they will not learn it
Make your point so that you can identify it and so can they
Never lose your sense of humor
Make your point, support it, and conclude it
Always let the recipients know how the behavior that you request will affect them
Formalize your training methodology
Always be timely, even if it means slipping schedules to include urgent
information

20
Employee Behavior, Awareness, and 21

Accountability

Security awareness and security training are designed to modify any employee
behavior that endangers the security of the organization’s information
Security training and awareness activities can be undermined, however, if
management does not set a good example
Effective training and awareness programs make employees accountable for
their actions
Dissemination and enforcement of policy become easier when training and
awareness programs are in place
Demonstrating due care and due carefulness can insure the institution against
lawsuits

21
Awareness Techniques 22

Awareness can take on different forms for particular audiences
A security awareness program can use many methods to deliver its message
Effective security awareness programs need to be designed with the recognition
that people tend to practice a tuning out process
Awareness techniques should be creative and frequently changed

22
Developing Security Awareness 23

Components
Many security awareness components are available at little or no cost - others
can be very expensive if purchased.
Security awareness components include the following:
Videos
Posters and banners
Lectures and conferences
Computer-based training
Newsletters
Brochures and flyers
Trinkets (coffee cups, pens, pencils, T-shirts)
Bulletin boards

23
Security Posters 24

Security poster series can be a
simple and inexpensive way to
keep security on people’s minds
Professional posters can be quite
expensive, so in-house
development may be best solution
Keys to a good poster series:
Varying the content and keeping
posters updated
Keeping them simple, but visually
interesting
Making the message clear
Providing information on reporting
violations
24
Security Trinkets 25

Trinkets may not cost much on a
per-unit basis, but they can be
expensive to distribute throughout
an organization
Several types of trinkets are
commonly used:
Pens and pencils
Mouse pads
Coffee mugs
Plastic cups
Hats
T-shirts

25
CNS3113 – Computer Crimes & Laws in 26

U.A.E: Learning Outcomes
By the end of this Chapter, the learner should be able to:
Understand what key trade-offs and ethical issues are associated
with the safeguarding of data and information systems?
Understand what are the most common types of computer security
attacks?
Understand who are the primary perpetrators of computer crime,
and what are their objectives?
Understand what actions must be taken in response to a security
incident?
Discuss the current regulatory, compliance and liability issues in UAE cyber
law.

26
 27

IT Security Incidents: A major concern
of their spread
Security of information technology is of highest importance
Safeguard:
Confidential business data
Private customer and employee data
Protect against malicious acts of theft or disruption
Balance against other business needs and issues

27
IT Security Incidents: Reasons for their 28

spreading
Increasing complexity increases vulnerability:
Computing environment is enormously complex
Continues to increase in complexity
Number of entry points expands continuously
Cloud computing and virtualization software
Higher computer user expectations: Computer help desks under
intense pressure, forget to verify users’ IDs or check authorizations
Computer users share login IDs and passwords
Expanding/changing systems equal new risks:
Network era: Personal computers connect to networks with millions
of other computers all capable of sharing information
Information technology is global and a necessary tool for
organizations to achieve goals
Increasingly difficult to match pace of technological change
28
IT Security Incidents: Reasons for their 29

spreading (2)
Increased reliance on commercial software with known
vulnerabilities:
The problem is that poor systems are produced from
poor system design and/or implementation
Leads to exploitation of these vulnerabilities by attacking
the information systems
The Patch (solution) is:
“Fix” and eliminate the problem
Users are responsible for obtaining and installing
Delays expose users to security breaches
Zero-day attack
Before a vulnerability is discovered or fixed
29
Types of Computer Crimes 30

Business attacks: attacking the IS of a company with the purpose of stealing
important business information or relevant
Financial attacks: attacking financial institutions with the usual purpose of
stealing money(bank)
Terrorist attacks: making online security attacks with the purpose of causing
havoc in the society for various reasons
Objection attacks: a way of attacking an organization to protest against the
measures, policies, laws the organization or company is taking
Fun attacks: making an attack just for the fun of it (usually by young people)
Most common Computer Crimes:
Fraud /Computer forgery: using computers to deceive or steal
others
Damage to or modifications of computer data or programs
Unauthorized access to computer systems and service
30
Computer Crimes are hard to 31

prosecute
Lack of understanding: it is often very difficult for prosecutors/judges
to understand the essence of a computer crime since it is normally
out of the ordinary crimes
Lack of physical evidence: computer crimes usually involve intangible
things
Lack of recognition of assets: it is not easy to recognize the real value
of digital assets being stolen
Lack of political impact: computer crimes don’t have the same
political effects, positive or negative, with the physical crimes
Complexity of case: usually computer crimes are quite complex to
describe in ordinary terms
Youngsters: it is quite often that computer crimes involve very young
individuals most

31
Types of attacks on computers & 32

smartphones
Viruses:
(small) pieces of (strong) programming code,
Usually disguised as something else,
Often attached to files,
Deliver a “payload”,
Spread by actions of the ”infected” computer user in the form of
infected email document attachments when an infected program is
downloaded or an infected Web site is visited
Worms:
Harmful programs that reside in active memory of a computer and
duplicate themselves
Can propagate without human intervention
Cause data and programs loss, lost productivity, additional effort
for IT workers
32
Types of attacks on computers & 33

smartphones (2)
Trojan horse:
Malicious code hidden inside seemingly harmless programs
Users are tricked into installing them
Delivered via email attachment, downloaded from a Web site, or
contracted via a removable media device
Logic bomb: Executes when triggered by certain event
Distributed denial of service:
Malicious hacker takes over computers on the Internet and causes
them to flood a target site with demands for data and other small
tasks
The computers that are taken over are called zombies
Botnet is a very large group of such computers
Does not involve a break-in at the target computer
Target machine is busy responding to a stream of automated
requests 33
 Types of attacks on computers & 34

smartphones
Rootkit:
(3)
Set of programs that enables its user to gain administrator-level
access to a computer without the end user’s consent or knowledge
Attacker can gain full control of the system and hide the presence of
the rootkit
Fundamental problem in detecting a rootkit is that the operating
system currently running cannot be trusted to provide valid test
results
Spam:
Abuse of email systems to send unsolicited email to large numbers
of people
Low-cost commercial advertising for questionable products
Method of marketing also used by many legitimate organizations
Controlling the Assault of Non-Solicited Pornography and Marketing
(CAN-SPAM) Act: Legal to spam if basic requirements are met
Completely Automated Public Turing Test to Tell Computers and 34
Types of attacks on computers and 35

smartphones (4)
Phishing (spear-phishing,
smishing, and vishing):
Act of using email
fraudulently to try to get the
recipient to reveal personal
data
Legitimate-looking emails
lead users to counterfeit Web
sites
Spear-phishing: Fraudulent
emails to an organization’s
employees
Smishing: Phishing via text
messages
Vishing: Phishing via voice
mail messages 35
Types of Perpetrators based on their 36

motive
Perpetrators include:
Thrill seekers wanting a challenge
Common criminals looking for financial gain
Industrial spies trying to gain an advantage
Terrorists seeking to cause destruction

36
Types of Perpetrators: Description 37

Hackers: test limitations of systems out of intellectual curiosity
Some smart and talented
Others inept; termed “lamers” or “script kiddies”
Crackers: Cracking is a form of hacking, Clearly criminal activity
Malicious Insiders:
Major security concern for companies
Fraud within an organization is usually due to weaknesses in
internal control procedures
Collusion: Cooperation between an employee and an outsider
Insiders are not necessarily employees, can also be consultants and
contractors
Extremely difficult to detect or stop
Authorized to access the very systems they abuse
Negligent insiders have potential to cause damage
37
 Types of Perpetrators: Description 38

(2)
Industrial Spies:
Use illegal means to obtain trade secrets from competitors
Trade secrets are protected by the Economic Espionage Act of 1996
Competitive intelligence: legal techniques to gather information available to the
public
Industrial espionage: illegal means to obtains information not available to the
public
Cyber Criminals:
Hack into corporate computers to steal or engage in all forms of computer fraud
Chargebacks are disputed transactions
Loss of customer trust has more impact than fraud
To reduce potential for online credit card fraud:
Use encryption technology
Verify the address submitted online against the issuing bank
Request a card verification value (CVV)
Use transaction-risk scoring software
Smart cards: contain memory chip, updated with encrypted data when card is
used 38
Types of Perpetrators: Description 39

(3)
Hacktivism:
Hacking to achieve a political or social goal
Cyberterrorist:
Attacks computers or networks in an attempt to intimidate or
coerce a government in order to advance certain political or social
objectives
Seeks to cause harm rather than gather information
Uses techniques that destroy or disrupt services

39
 Implementing Trustworthy 40

Computing
Trustworthy computing:
Delivers secure, private, and reliable
computing
Based on sound business practices
Security of any system or network:
Combination of technology, policy,
and people
Requires a wide range of activities to
be effective
Systems must be monitored to detect
possible intrusion
Clear reaction plan addresses:
Notification, evidence protection,
activity log maintenance,
containment, eradication, and
recovery
40
Cybercrimes in the U.A.E. 41

The Computer Emergency and Response Team in the UAE (aeCERT)
reported the following statistics about the Cybersecurity status of the
UAE national Government in its June 2020 report.
https://www.tra.gov.ae/userfiles/assets/DcV6zIEShJV.pdf

41
Examples - Videos 42

Watch the video Cybercrime Law in UAE: In-depth Definition
and answer the questions:
What is cybercrime?
Is having a VPN a cybercrime in the UAE?
Watch the video My Safe Society App and answer the
questions:
What does this solution aim for?
Can anyone use this solution?
Which entity created this solution?
Is it easy to use?
Watch the following video 10 Most Devastating Cyber
Attacks in History 42
The U.A.E. Cyber Law “Key 43

offenses”
Hacking to IT system, website, IT tool, or information
network
Deletion, destruction, amending, copying or disclosing data
Tampering with/Changing the design or layout of a site
Credit Card fraud,
Forging official documents
Wrongful impersonation
inciting criminal and terrorist acts
threatening state security
disclosure of confidential information
defamation
publishing "illegal content ”
43
Correlated U.A.E. Laws 44

The Cybercrime Law correlates with other UAE Laws, namely:
Federal Law no. (15) of 1980 on Publications,
Federal Law no. (3) of 1987 on the Issuance of the Penal Code and the
amending laws thereof,
Federal Law no. (7) of 2002 on the Copyright and related rights and the
amending laws thereof,
Federal Law no. (1) of 2006 on Electronic Transactions and Commerce
Federal Law no. (37) of 1992 on Trademarks and the amending laws
thereof,
Federal Law no. (4) of 2002 on Criminalizing Money Laundering
Federal Law no. (35) of 1993 on Criminal Procedures

44
8 Common Cybercrimes in the 45

U.A.E.
1. Hacking
2. Electronic harassment (Cyberbullying/Verbal
offense/Defamation): 50% in the Middle East and as high as many
of the world's developed countries, 24% teenagers incautious about
who they add to their social network.
3. Email fraud: 57% Internet users in UAE believe likely to suffer an
attack from cybercriminals.
4. Fake websites: ask Dh150-500 from the unsuspecting expatriate job-
seekers to register, many have fallen victims.
5. Credit card forgery: 5% of the world’s cyberattacks had been
targeting the UAE. Con artists are always in the hunt for new ways to
defraud consumers.
6. Online blackmail: 450 Cases of blackmailing recorded in the Gulf countries
daily, 1.5 Persons blackmailed in the UAE every day, on an average.
7. Phishing: $476 (Dh1,745) the average amount of money lost per
attack, 10% of the survey respondents said that they lost more than
45
Overview of Cyber Criminal Proceedings46
in U.A.E.
Criminal complaint is filed before the police station unit ( “Unit”);
filling out forms prescribed by Dubai Police including inserting IP
Address;
The Unit obtains statement and refers matter to investigations to the
Cyber Criminal Evidences Forensic within CID lab and Cybercrime
Departments ( “Cyber Departments ”);
The Cyber Departments hands out the investigation reports to the
Unit;
The Unit then prepares a report to the Public Prosecutor to continue
investigations and take it forward;
Public prosecutor may issue arrest warrants, transfer the matter to
the court depending on the evidence available.

* Source: Omar M. A Obeidat, Al Tamimi & Company, Jan 2016 46
Required Documents and 47

Evidences
Screen shots: If the hacker hacked into social media pages
of the victim, then immediate screen shots must be
submitted; but Lab must record screen shot in order to
include in report
Relevant documents: All emails, letters, correspondences
showing that the hacking has resulted in a wrongful
impersonation of the victim.
Information on bank: which the fraudulent account was
used to open.
Presence of the complaint or victim

* Source: Omar M. A Obeidat, Al Tamimi & Company, Jan
2016 47
Technical Evidences/Bank 48

Cooperation
The Victim must be prepared to assist the police with all
technical aspects namely:
Having readily available the relevant computer/lap top
subject matter of the crime;
IT report on how the crime occurred. Usually, if victim is a
company, the IT team must be ready to cooperate with
police to gather all necessary evidence;
Crucial that the hard disk is NOT removed to safeguard the
evidence;
Cooperation of the banks is crucial to assist in
investigating the criminal who opened the suspicious
account.
48
 Challenges in the U.A.E. 49

In cases of automatic transfers for money forwarded outside the UAE,
Public Prosecution may not be interested to pursue case
For offenders outside UAE, judicial cooperation agreements would allow
for PP to refer investigation to foreign judicial authority, but foreign
judicial authorities are not bound to act without a court judgment
Slowness in responding to nature of cybercrimes (e.g. blocking of bank
account) where part of crimes are outside UAE, PP are reluctant to
pursue case
Not knowing the offender makes identifying him a main challenge
For offender outside UAE, there should be cooperation with countries for
extradition to the UAE through international agreements to regulate
such issues
Thresholds of evidence must be adapted to less stringent measures. For
instance, screen shots of a Facebook page detailing the illegal incident
may not be sufficient for police investigation purposes
49
Example: Jurisdictional issues and multiple50
victims
The hacker hacked into the computer systems of Victim
No. 1 (a customer placed overseas) with the intention of
impersonating Victim 2 based in UAE to defraud its
customers who are Victim 1;
Victim No. 1 (based overseas) is the customer of Victim
No.2 (based in UAE);
The fraudulent bank account used to receive funds is in
the UAE.
While, technically in this case, the hacking most likely
occurred only overseas, Victim 2 is still based in UAE and
there are many elements of the crimes that happened in
the UAE (i.e., opening of fraudulent bank account,
impersonation, attempted fraud, etc.). 50
Thank You