Reynolds_PPT_ch03.ppt

Full Transcript

5e

Ethics in Information Technology
Chapter 3
Computer and Internet Crime
George W. Reynolds
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Learning Objectives
 What key trade-offs and ethical issues are
associated with the safeguarding of data and
information systems?
 Why has there been a dramatic increase in
the number of computer-related security
incidents in recent years?
 What are the most common types of
computer security attacks?
 Who are the primary perpetrators of
computer crime, and what are their
objectives?
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 2
Learning Objectives
 What are the key elements of a multilayer
process for managing security
vulnerabilities based on the concept of
reasonable assurance?
 What actions must be taken in response to a
security incident?
 What is computer forensics, and what role
does it play in responding to a computer
incident?

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 3
Ethical Decisions Regarding IT
Security
 To deal with computer crime, the firm should:
 Pursue prosecution of the criminals at all costs
 Maintain a low profile to avoid the negative publicity
 Inform affected customers or take some other action
 Following decisions should be taken by the firm
 How much resources should be spent to safeguard
against computer crime
 What actions should be taken when a software is
found susceptible to hacking
 What should be done if recommended computer
security safeguards increase operating costs
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 4
Why Computer Incidents are So
Prevalent
 Increasing complexity increases
vulnerability
 Number of entry points to a network expands
continually, increasing the possibility of security
breaches
 Cloud computing: Environment where software
and data storage are provided via the Internet
 Virtualization software: Operates in a software
layer that runs on top of the operating system
 Enables multiple virtual machines to run on a
single computer

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 5
Why Computer Incidents are So
Prevalent
 Higher computer user expectations
 Not verifying users’
 Sharing of login IDs and passwords by users
 Expanding and changing systems require
one to:
 Keep up with the pace of technological change
 Perform an ongoing assessment of new security
risks
 Implementing approaches for dealing with them

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 6
Why Computer Incidents are So
Prevalent
 Bring your own device (BYOD): Business
policy that permits employees to use their
own mobile devices to access company
computing resources and applications
 Increased reliance on commercial software
with known vulnerabilities
 Exploit: Attack on an information system that
takes advantage of a particular system vulnerability
 Zero-day attack: Takes place before the security
community or software developer knows about the
vulnerability or has been able to repair it
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 7
Types of Exploits
Virus

Piece of programming code, disguised as something else,
that causes a computer to behave in an unexpected and
undesirable manner

Worm

Harmful program that resides in the active memory of
the computer and duplicates itself

Trojan Horse

Program in which malicious code is hidden inside a
seemingly harmless program
Logic bomb: Executes when it is triggered by a specific
event
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 8
Types of Exploits
Spam
Abuse of email systems to send unsolicited email to large numbers
of people
CAPTCHA (Completely Automated Public Turing Test to Tell
Computers and Humans Apart)
Generates and grades tests that humans can pass but computer
programs cannot
Distributed Denial-of-Service (DDoS) Attack
Causes computers to flood a target site with demands for data and
other small tasks
Rootkit
Enables user to gain administrator-level access to a computer
without the end user’s consent
Phishing
Fraudulently using email to try to get the recipient to reveal
personal data

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 9
Figure 3.2 - Distributed Denial-
of-Service Attack

Source Line: Course Technology/Cengage Learning.

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 10
CAN-SPAM Act
 Controlling the Assault of Non-Solicited
Pornography and Marketing (CAN-
SPAM) Act
 It is legal to spam, provided the messages meet a
few basic requirements
 Spammers cannot disguise their identity

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 11
Botnet
 Group of computers which are controlled
from one or more remote locations by
hackers, without the knowledge or consent
of their owners
 Zombies: Computers that are taken over
 used to distribute spam and malicious code

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 12
Types of Phishing
 Spear-phishing: Phisher sends fraudulent
emails to a certain organization’s employees
 Emails are designed to look like they came from
high-level executives within the organization
 Smishing: Legitimate-looking text message
sent to people, telling them to call a specific
phone number or to log on to a Web site
 Vishing: Victims receive a voice mail telling
them to call a phone number or access a Web
site

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 13
Types of Perpetrators

Thrill seekers wanting a challenge

Common criminals looking for financial gain

Industrial spies trying to gain a competitive
advantage

Terrorists seeking to cause destruction to further
their cause

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 14
Table 3.5 - Classifying
Perpetrators of Computer
Crime

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 15
Types of Perpetrators
 Hackers: Test the limitations of information
systems out of intellectual curiosity
 Lamers or script kiddies: Terms used to refer to
technically inept hackers
 Malicious insiders
 Employees, consultants, or contractors
 Have some form of collusion
 Collusion: Cooperation between an employee and an
outsider
 Negligent insiders: Poorly trained and inadequately
managed employees who cause damage accidently

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 16
Types of Perpetrators
 Industrial spies
 Competitive intelligence: Legally obtained data
gathered using sources available to the public
 Industrial espionage: Using illegal means to
obtain information that is not available to the
public
 Cybercriminals
 Hack into computers to steal and engage in
computer fraud
 Data breach: Unintended release of sensitive data
or the access of sensitive data by unauthorized
individuals
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 17
Types of Perpetrators
 Hacktivists: Hack to achieve a political or
social goal
 Cyberterrorists: Launch computer-based
attacks to intimidate or coerce an
organization in order to advance certain
political or social objectives
 Use techniques that destroy or disrupt services
 Consider themselves to be at war
 Have a very high acceptance of risk
 Seek maximum impact
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 18
Strategies to Reduce Online
Credit Card Fraud
 Use encryption technology
 Verify the address submitted online against
the issuing bank
 Request a card verification value (CVV)
 Use transaction-risk scoring software
 Use smart cards
 Smart cards: Memory chips are updated
with encrypted data every time the card is
used

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 19
Table 3.6 - Federal Laws that
Address Computer Crime

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 20
Trustworthy Computing

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 21
Risk Assessment
 Assessing security-related risks to an
organization’s computers and networks from
internal and external threats
 Identify investments that will protect the
organization from most likely and serious
threats
 Asset - Hardware, software, information
system, network, or database used by an
organization to achieve its business objectives
 Loss event - Any occurrence that has a
negative impact on an asset
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 22
 Figure 3.5 - General Security
Risk Assessment

Source Line: General Security Risk Assessment Guidelines, ASIS International (2003). See the Standards and Guidelines page of the ASIS International website
(www.asisonline.org) for revisions and/or updates. Reprinted by permission.

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 23
Security Policy
 Defines an organization’s security
requirements and the controls and
sanctions needed to meet those
requirements
 Delineates responsibilities and expected
behavior
 Outlines what needs to be done and not
how it should be done

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 24
Establishing a Security Policy
 Areas of concern
 Use of email attachments
 Use of wireless devices
 Virtual private network (VPN): Works by
using the Internet to relay communications
 Encrypts data at the sending end and decrypts it
at the receiving end

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 25
Educating Employees and
Contract Workers
 Motivates them to understand and follow the
security policies
 Users must help protect an organization’s
information systems and data by:
 Guarding their passwords
 Prohibiting others from using their passwords
 Applying strict access controls
 Reporting all unusual activity to the organization’s
IT security group
 Ensuring that portable computing and data storage
devices are protected
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 26
Prevention
Install a corporate firewall
Limits network access based on the organization’s
access policy
Intrusion detection system (IDS)
Monitors system and network resources and
activities
Notifies network security personnel when network
traffic attempts to circumvent the security measures
Antivirus software
Scans for a specific sequence of bytes, known as a
virus signature
Virus signature: Indicates the presence of a
specific virus
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 27
Prevention
Implement safeguards against attacks by malicious
insiders
Promptly delete the computer accounts, login IDs, and
passwords of departing employees and contractors
Defend against cyberterrorism
Department of Homeland Security (DHS):Aims to secure
critical infrastructure and information systems
Address critical internet security threats
High-impact vulnerabilities should be fixed on priority basis

Conducting periodic it security audits
Security audit: Evaluates whether an organization has a well-
considered security policy in place and if it is being followed

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 28
United States Computer
Emergency Readiness Team
(US-CERT)
 Partnership between the Department of
Homeland Security and the public and
private sectors
 Protect the nation’s Internet infrastructure
against cyberattacks
 Serves as a clearinghouse for information
on new viruses, worms, and other computer
security topics

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 29
Figure 3.6 - Intrusion Detection
System

Credit: Monkey Business Images/Shutterstock.com.

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 30
Detection Systems

Catch Minimize the
Intruders in Impact of
the Act Intruders

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 31
Response Plan
 Incident notification
 Define who to notify and who not to notify
 Refrain from giving out specific information
about a compromise in public forums
 Protection of evidence and activity logs
 Document all details of a security incident to help
with future prosecution and incident eradication
 Incident containment
 Determine if an attack is dangerous enough to
warrant shutting down the systems

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 32
Response
 Eradication
 Collect and log all criminal evidence from the
system
 Verify that all backups are current, complete, and
free of any virus
 Incident follow-up
 Determine how the security was compromised
 Conduct a review to evaluate how the organization
responded
 Create a detailed chronology of all events
 Estimate the monetary damage
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 33
Computer Forensics
 Combines elements of law and computer
science to:
 Identify, collect, examine, and preserve data
from computer systems
 Collect data in a manner that preserves the
integrity of the data gathered so that it is
admissible as evidence in a court of law

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 34
Table 3.10 - Partial List of Constitutional
Amendments and Statutes Governing the
Collection of Evidence

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 35
Summary
 Ethical decisions in determining which
information systems and data most need
protection
 Most common computer exploits
 Viruses and worms
 Trojan horses
 Distributed denial-of-service attacks
 Rootkits and spam
 Phishing and spear-fishing
 Smishing and vishing
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 36
Summary
 Perpetrators include:
 Hackers
 Crackers
 Malicious insider
 Industrial spies
 Cybercriminals
 Hacktivist
 Cyberterrorists

©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 37
Summary
 Must implement multilayer process for
managing security vulnerabilities, including:
 Assessment of threats
 Identifying actions to address vulnerabilities
 User education
 IT must lead the effort to implement:
 Security policies and procedures
 Hardware and software to prevent security
breaches
 Computer forensics is key to fighting computer
crime in a court of law
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 38