Security, Privacy, and Ethics
Thammasat University (uploaded by PoeticChrysoprase5030)
Summary
This document covers various aspects of security, privacy, and ethics in information systems. It discusses different types of exploits, including ransomware, viruses, and worms. The document also highlights privacy issues and explores ethical issues in the context of information systems.
Full Transcript
Security, Privacy, and Ethics
© 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

Why Computer Incidents Are So Prevalent
Increasing Complexity Increases Vulnerability
- Cloud computing, networks, computers, mobile devices, virtualization, OS applications, Web sites, switches, routers, and gateways are interconnected and driven by millions of lines of code
Higher Computer User Expectations
- Computer help desks are under intense pressure to respond very quickly to users' questions
Expanding and Changing Systems Introduce New Risks
- It is difficult for IT organizations to keep up with the pace of technological change, successfully perform an ongoing assessment of new security risks, and implement approaches for dealing with them
Why Computer Incidents Are So Prevalent
Increased Prevalence of Bring Your Own Device Policies
- Bring your own device (BYOD): a business policy that permits (encourages) employees to use their own mobile devices to access company computing resources and applications
- BYOD makes it difficult for IT organizations to adequately safeguard additional portable devices with various OSs and applications
Growing Reliance on Commercial Software with Known Vulnerabilities
- An exploit is an attack on an information system that takes advantage of a particular system vulnerability
  - Often this attack is due to poor system design or implementation
- Users should download and install patches for known fixes to software vulnerabilities
  - Any delay in doing so exposes the user to a potential security breach

Why Computer Incidents Are So Prevalent
Increasing Sophistication of Those Who Would Do Harm
- Today's computer menace is organized and may be part of an organized group that has an agenda and targets specific organizations and Web sites
Types of Exploits
Ransomware
- Malware that stops you from using your computer or accessing your data until you meet certain demands such as paying a ransom or sending photos to the attacker
Viruses
- A piece of programming code (usually disguised as something else) that causes a computer to behave in an unexpected and undesirable manner
- Spread to other machines when a computer user shares an infected file or sends an email with a virus-infected attachment
Worms
- A harmful program that resides in the active memory of the computer and duplicates itself
- Can propagate without human intervention

https://www.thairath.co.th/content/943655

Types of Exploits
Trojan Horses
- A seemingly harmless program in which malicious code is hidden
- A victim on the receiving end is usually tricked into opening it because it appears to be useful software from a legitimate source
  - The program's harmful payload might be designed to enable the attacker to destroy hard drives, corrupt files, control the computer remotely, launch attacks against other computers, steal passwords, or spy on users
- Often creates a "backdoor" on a computer that enables an attacker to gain future access
- Logic bomb
  - A type of Trojan horse that executes when it is triggered by a specific event
Types of Exploits
Blended Threat
- A sophisticated threat that combines the features of a virus, worm, Trojan horse, and other malicious code into a single payload
- Might use server and Internet vulnerabilities to initiate and then transmit and spread an attack using EXE files, HTML files, and registry keys
Spam
- The use of email systems to send unsolicited email to large numbers of people
- Also an inexpensive method of marketing used by many legitimate organizations
- The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act states that it is legal to spam, provided the messages meet a few basic requirements
  - Spammers cannot disguise their identity by using a false return address
  - The email must include a label specifying that it is an ad or a solicitation
  - The email must include a way for recipients to opt out of future mass mailings

Types of Exploits
Spam (cont'd)
- CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) software generates and grades tests that humans can pass and all but the most sophisticated computer programs cannot
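The three CAN-SPAM requirements listed above can be turned into a simple mail-filter check. The following is an added example, not code from the Cengage slides: it parses a message with Python's standard `email` package and reports one flag per requirement. The concrete signals it uses are this example's own assumptions, not the wording of the Act: the Return-Path domain must match the visible From domain (a disguised sender fails this), the subject or body must carry an "ADV:" or "advertisement" label, and the body must mention an opt-out or unsubscribe route. The two sample messages are constructed for the demonstration.

```python
# Added example (not from the Cengage slides): heuristic check of one email
# message against the three CAN-SPAM requirements the slide lists. The chosen
# signals (Return-Path domain == From domain, an "ADV:"/"advertisement" label,
# an opt-out phrase in the body) are assumptions of this example.
from email import message_from_string
from email.utils import parseaddr

AD_LABELS = ("adv:", "advertisement")
OPT_OUT_PHRASES = ("unsubscribe", "opt out", "opt-out")


def _domain(header_value) -> str:
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _body_text(msg) -> str:
    """Collect the text/plain content of a message, multipart or not."""
    if msg.is_multipart():
        parts = [p.get_payload() for p in msg.walk()
                 if p.get_content_type() == "text/plain"
                 and isinstance(p.get_payload(), str)]
        return "\n".join(parts)
    return msg.get_payload() or ""


def check_can_spam(raw_message: str) -> dict:
    """Evaluate one RFC 822 style message; returns one flag per requirement."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").lower()
    body = _body_text(msg).lower()

    from_domain = _domain(msg.get("From"))
    return_domain = _domain(msg.get("Return-Path"))
    # Requirement 1: no disguised identity. Heuristic: the bounce address
    # (Return-Path) must be present and share the domain of the From header.
    sender_identified = bool(from_domain) and from_domain == return_domain
    # Requirement 2: the message is labelled as an ad or solicitation.
    labeled_as_ad = any(tag in subject or tag in body for tag in AD_LABELS)
    # Requirement 3: the message offers a way to opt out of future mailings.
    has_opt_out = any(phrase in body for phrase in OPT_OUT_PHRASES)

    return {
        "sender_identified": sender_identified,
        "labeled_as_ad": labeled_as_ad,
        "has_opt_out": has_opt_out,
        "compliant": sender_identified and labeled_as_ad and has_opt_out,
    }


# Constructed sample messages (not real mail) used for the demonstration.
COMPLIANT_MESSAGE = "\n".join([
    "From: Promotions <promo@example-shop.test>",
    "Return-Path: <bounce@example-shop.test>",
    "Subject: ADV: Spring sale on running shoes",
    "Content-Type: text/plain",
    "",
    "Save 20% this week on all running shoes.",
    "To opt out of future mailings, visit https://example-shop.test/unsubscribe",
])

NONCOMPLIANT_MESSAGE = "\n".join([
    "From: Account Team <support@example-bank.test>",
    "Return-Path: <x9@mailer.example.test>",
    "Subject: Your account needs attention",
    "Content-Type: text/plain",
    "",
    "Click now to keep your account active.",
])

if __name__ == "__main__":
    for name, raw in (("compliant", COMPLIANT_MESSAGE),
                      ("noncompliant", NONCOMPLIANT_MESSAGE)):
        print(name, check_can_spam(raw))
```

The second sample fails all three checks: its bounce domain differs from the displayed sender, it carries no advertising label, and it offers no opt-out, which is the pattern the slide describes for disguised unsolicited mail. In a real filter these flags would feed a score rather than a hard verdict, since legitimate senders often route bounces through a separate mailing domain.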
Types of Exploits
Distributed Denial-of-Service Attacks
- An attack in which a malicious hacker takes over computers via the Internet and causes them to flood a target site with demands for data and other small tasks
- Keeps the target so busy responding to requests that legitimate users cannot get in
- Botnet
  - A large group of computers, controlled from one or more remote locations by hackers, without the consent of their owners
  - Sometimes called zombies
  - Frequently used to distribute spam and malicious code

Types of Exploits
Rootkit
- A set of programs that enables its user to gain administrator-level access to a computer without the end user's consent or knowledge
- Attackers can use the rootkit to execute files, access logs, monitor user activity, and change the computer's configuration
- Symptoms of rootkit infections:
  - Computer locks up or fails to respond to input from the keyboard
  - Screen saver changes without any action on the part of the user
  - Taskbar disappears
  - Network activities function extremely slowly
Types of Exploits
Phishing
- The act of fraudulently using email to try to get the recipient to reveal personal data
- Con artists send legitimate-looking emails urging recipients to take action to avoid a negative consequence or to receive a reward
- Spear-phishing is a variation of phishing where fraudulent emails are sent to a certain organization's employees
  - Much more precise and narrow
  - Designed to look like they came from high-level executives within the organization

Types of Exploits
Smishing and Vishing
- Smishing is a variation of phishing that involves the use of texting
- Vishing is similar to smishing except the victims receive a voice mail message telling them to call a phone number or access a Web site
Identity Theft
- The theft of personal information, which is then used without the owner's permission
- Data breach is the unintended release of sensitive data or the access of sensitive data by unauthorized individuals
  - Often results in identity theft
- Most e-commerce Web sites use some form of encryption technology to protect information as it comes from the consumer
Types of Exploits
Cyberespionage
- Involves the development of malware that secretly steals data in the computer systems of organizations, such as government agencies, military contractors, political organizations, and manufacturing firms
- Mostly targeted toward high-value data such as the following:
  - Sales, marketing, and new product development plans, schedules, and budgets
  - Details about product designs and innovative processes
  - Employee personal information
  - Customer and client data
  - Sensitive information about partners and partner agreements

Types of Exploits
Cyberterrorism
- The intimidation of a government or civilian population by using information technology to disable critical national infrastructure to achieve political, religious, or ideological goals
- Cyberterrorists try daily to gain unauthorized access to a number of important and sensitive sites

Federal Laws for Prosecuting Computer Attacks
- The Computer-Related Crime Act (No. 2) B.E. 2560 (2017) (พระราชบัญญัติว่าด้วยการกระทำความผิดเกี่ยวกับคอมพิวเตอร์ (ฉบับที่ ๒) พ.ศ. ๒๕๖๐) covers offences against computer data or computer systems, and the sale or distribution of instruction sets created specifically for use as tools to commit offences
- "Section 16: Whoever enters into a computer system that the general public may access computer data that appears as an image of another person, where that image was created, edited, added to, or altered by electronic or any other means, in a manner likely to cause that person to lose reputation, be insulted, be hated, or be shamed, shall be punished with imprisonment not exceeding three years and a fine not exceeding two hundred thousand baht"
- "Section 14: Whoever commits any of the offences specified below shall be punished with imprisonment not exceeding five years or a fine not exceeding one hundred thousand baht, or both:
  (1) Dishonestly or by deception, entering into a computer system computer data that is distorted or forged, in whole or in part, or computer data that is false, in a manner likely to cause damage to the public, where this does not constitute the offence of defamation under the Criminal Code
  (2) Entering into a computer system false computer data in a manner likely to cause damage to the maintenance of national security, public safety, national economic security, or infrastructure serving the public interest of the country, or to cause public panic
  (3) Entering into a computer system any computer data that constitutes an offence relating to the security of the Kingdom or an offence relating to terrorism under the Criminal Code
  (4) Entering into a computer system any computer data of an obscene nature, where that computer data is accessible to the general public
  (5) Disseminating or forwarding computer data knowing that it is computer data under (1), (2), (3), or (4)"
Prevention
- Organizations should implement a layered security solution to make computer break-ins so difficult that an attacker gives up
- If an attacker breaks through one layer, another layer must then be overcome
- Layers of protective measures:
  - Corporate firewall
  - Security dashboard
  - Antivirus software
  - Authorization and authentication
  - IT security audits

Utilizing a Security Dashboard
- Security dashboard software provides a comprehensive display of all vital data related to an organization's security defenses

Privacy Issues
- The issue of privacy deals with the right to be left alone or to be withdrawn from public view
- Data is constantly being collected and stored on each of us
- The data is often distributed over easily accessed networks without our knowledge or consent
- Who owns this information and knowledge?
Privacy at Work
- Employers use technology and corporate policies to manage worker productivity and protect the use of IS resources
- Employers are concerned about inappropriate Web surfing
- Organizations monitor employees' email
  - More than half retain and review messages
- Most employers have a policy that explicitly eliminates any expectation of privacy when an employee uses any company-owned computer, server, or e-mail system
- The courts have ruled that, without a reasonable expectation of privacy, there is no Fourth Amendment protection for the employee

Privacy and Email
- Federal law permits employers to monitor email sent and received by employees
- Email messages that have been erased from hard disks can be retrieved and used in lawsuits

Privacy and Internet Libel Concerns
- Libel: publishing an intentionally false written statement that is damaging to a person's or organization's reputation
- Individuals:
  - Can post information to the Internet using anonymous e-mail accounts or screen names
  - Must be careful what they post on the Internet to avoid libel charges
Privacy and Fairness in Information Use
- Selling information to other companies can be very lucrative; many companies store and sell the data they collect on customers, employees, and others
- When is this information storage and use fair and reasonable to the people whose data is stored and sold?
- Do people have a right to know about and to decide what data is stored and used?

Individual Efforts to Protect Privacy
- To protect personal privacy:
  - Find out what is stored about you in existing databases and why
  - How long your personal data will be stored
  - Who will be the data controller
  - Be careful when you share information about yourself
  - Be proactive to protect your privacy
  - Take extra care when purchasing anything from a Web site

Personal Data Protection Act B.E. 2562 (2019) (พระราชบัญญัติคุ้มครองข้อมูลส่วนบุคคล พ.ศ. 2562)
- Any processing of data (whether collection, use, disclosure, or storage) must rest on a valid lawful basis
- The bases for processing general personal data (data that is not sensitive data) are:
  - Consent
  - Performance of a contract
  - Vital interests (protection of health and life)
  - Public task
  - Legal obligation
  - Legitimate interests
  - Research, statistics, and archiving
- Before it begins collecting data, the "data controller" must clearly specify what the purpose of the processing is, what the data will be processed for, and which basis will be used; each basis carries different conditions, so the data controller has different duties and the data subject has different rights depending on the basis

Ethical Issues in Information Systems
- Ethical issues deal with what is generally considered right or wrong
- IS professionals are often faced with their own unique set of ethical challenges
- Some IS professional organizations have developed codes of ethics to guide people working in IS professions

What Is Ethics?
- A set of standards for behavior that helps us decide how we ought to act in a range of situations
- Ethical behavior conforms to generally accepted social norms
Code of Ethics
- A code of ethics:
  - States the principles and core values essential to a set of people and, therefore, governs their behavior
  - Can become a reference point for weighing what is legal and what is ethical
- Mishandling of the social issues discussed in this chapter—including waste and mistakes, crime, privacy, health, and ethics—can devastate an organization
- Prevention of these problems and recovery from them are important aspects of managing information and information systems as critical corporate assets

Ethical Decision-Making Process
- Recognize/define an ethical issue
- Consider the parties involved
- Gather all of the relevant information
- Formulate actions and consider alternatives
- Make a decision and consider it (How do I feel about my choice?)
- Act
- Reflect on the outcome

Ethical issues
- Privacy violation
- Formation and promotion of gossip and fake news
- Anti-religious propaganda (in cyberspace)
- Addiction to social networks
- Verbal attacks
- Violation of ethical principles using a mobile phone camera
- Online theft
- Hacking
- Copyright violation
- Forging digital documents
- Violent computer games
- Online gambling

- Is Roger's decision acceptable?
- If you were Roger, what is the probability that you would have loaded the software onto all computers that require it?
- Was the issue behind the teacher's decision an important issue and was it an issue of concern?
(Thomas and Ahyick, 2010)

- Is Juliet's decision acceptable?
- If you were Juliet, what is the probability that you would have loaded the software onto all computers that require it?
- Was the issue behind the teacher's decision an important issue and was it an issue of concern?