De Montfort University Kazakhstan CSEC1001K: Cyber Ethics Lecture 1 PDF

Summary

This De Montfort University Kazakhstan lecture covers cybersecurity ethics, including ethical hacking, social engineering, and cyber threats. The lecture also outlines ethical frameworks and best practices for cybersecurity professionals.

Full Transcript

CSEC1001K : Foundation of
Computing and Cyber
Security

Week 7 – Cyber Ethics
Lecture 1
Module Aims

 Examine the ethical and social aspects/issues
of cybersecurity;

 Explore the available ethical frameworks in
cybersecurity;

 Identify and evaluate the ethical
role/responsibilities of the cybersecurity
professionals
Module Outcomes
To be able to recognise social and ethical issues of
practices in cybersecurity and to identify solutions for
them
1. Demonstrate understanding of current
ethical concerns in cybersecurity
2.Recognise, contextualise and apply ethical
arguments to cases relevant to cybersecurity
3.To be able to identify applicable solutions to
the ethical issues in cybersecurity practices
Key Topics in Cybersecurity (Reminder)
CIA Triangle:(Confidentiality, Integrity, Availability) + Privacy+ Authenticity+ non-reputation
Vulnerability:a weakness in a particular product or organization or system
Threat: Exposing a system mis-using its vulnerabilities in order to achieve financial gains, obtain
secrets, influence politics, take revenge, hobbyists, etc
Risk & Risk Management: Process of identifying, controlling and minimizing or eliminating security
risks that may affect information systems
Security Strategy: a high-level plan for how an organization will secure its assets
Security Control: Security controls are countermeasures or safeguards used to reduce the chances
that a threat
Defence: Taking proactive or reactive approaches to secure a system against attacks:
– Preventive controls: firewalls, etc
– Deterrence: two-factor authentication, etc
– Deflection: honeypots, etc
– Detection controls: IDS, etc
– Mitigation controls: network segmentation, etc
– Recovery controls: off-site backups, etc
Ethical Hacking
Incident Response
Penetration Testing
Cyber Threats &
Ethical Issues
Denial of Service, Distributed DOS

an adversary tries to occupy a massive amount of the victim’s
resources
The goal is to deny these resources to legitimate users
Due care , Availability, Integrity
DDOS: compromising thousand of other hosts for DOS
Port Scanning

It is used to enumerate all publicly available reachable hosts and
services
Strict firewall rules can avoid it

Confidentiality?
It can be used to proceed to other types of explosion
Ransomware

Cryptors and Blockers
Cryptors encrypt data on the victim’s device. Usually, the black
hat will demand money and in receipt of same will restore the
encrypted data
Blockers, otherwise known as lockers, do not interfere with the
data stored on the device, instead they prevent the victim from
accessing it
Confidentiality, availability
Main Ethical Values
in Cybersecurity
Value Clusters
Security: Individual security, National security, Cybersecurity
(CIA)
Privacy: autonomy, human dignity, identity, personhood, liberty,
anonymity and confidentiality
Fairness: justice, fairness, equality, accessibility, freedom from
bias, non-discrimination, democracy and the protection of civil
liberties.
Accountability: transparency, openness, explainability,
responsibility
Conflicts between Security/Privacy & other
Ethical Principles
Privacy VS Security
Privacy VS Fairness
Privacy VS Accountability
Security VS Accountability
Security VS Fairness
Most rated Ethical Issues in
Cybersecurity

The Ethics of Cybersecurity-MarkusChristen-2021
 Cyber Security
Practices & Ethical
Issues
 Ethical
Hacking
Word cloud around “Hacker”, The Ethics of Cybersecurity,
Markus Christen

Ethical hackers are white hats mandated by clients (companies)
who want their own IT-security to be assessed and they are
abiding to a code of ethics privileging business-friendly values.
However, there is no guarantee that respecting such values is
always compatible with the all-things considered morally best
act. It is recognised, however, that in terms of assessment, it may
be quite difficult to determine who is an ethical hacker in the ‘all
things considered’ sense.
Penetration Testing
Usually done by special firms
It simulates a real attack scenario
Also to check if previous trainings such as for social engineering
was useful
Metasploit toolkit
Network Traffic Analysis: Wireshark
Ethical issue: sharing of exploit code/vulnerability to mailing lists
for awareness, aggressive tests/Social engineering and
employees challenges/disclosing report
Security, trust, consent, transparency, honestly, due care
Source Code Analysis
Attacks such as Buffer overflow, SQL injection, etc (software bugs) need
performing a code audit to discover the vulnerabilities
Code audit requires access to the software/application source code
Source codes are not available to external auditors (except open source
apps)
Analysing software codes need instructions from the software vendor
External auditors have to do reverse engineering to understand source
codes
IP rights of the vendor
Security, integrity, trust, consent, transparency, honestly, due care
Fuzzing is to test applications unintended behaviour by feeding the
application by millions of different random inputs
Disclosing Vulnerability Test Results
Hired testers: NDA (Non-disclosure agreement) should be signed in situations where ethical hackers
are hired
Cybersecurity researchers shall follow responsible disclosure procedures: Full disclosure and
responsible disclosure, keep it secret
Keep secret: planned criminal action, secret service espionage, accessing a suspect’s device by law
-> Zero day vulnerability
Vender can not fix the vulnerability-> Security, Privacy issues
Consideration for others /Professional Competence
Vendors should have adequate approaches to handle vulnerabilities:
– provide contact of Info security on their website
– Provide public key on website to encrypt reporting emails
– Acknowledge receipt of the report and confirm the problem
– Suggest and inform a schedule to fix the problem and release
the outcome
– No legal threat, it may cause Streisand effects
– Offer a bug bounty program or engagement payment
– Be transparent to system users
Green and red report
Reconnaissance
Whois service: a database of releases IP addresses to domain
owners
Attackers can use these information to gain other useful
information of their targets such admin employees for social
engineering attacks
Cybersecurity officers can also use these information to contact
each other in case of problem arising.
Transparency or Privacy or Security?
DNS lookup
Port scan reports: Shodan.io, censys.io
Cybersecurity Professionals Faulty
Tasks
Wrong configuration
No updating
Security bugs
Security, privacy, Due Care, Negligence
Using AI in Cybersecurity
IDS/TLS: It intercept all encrypted traffics
Network admin can eavesdrop through encrypted
communication
Respect, Confidentiality, Privacy
It also decrease the actual security of encrypted communication
IDS makes huge rate of false positive/false alarms
Security
Surveillance in Cybersecurity/Profiling
Governmental surveillance
Organisational surveillance
Profiling “may be used by the police or security agencies to find
criminals or terrorists; by airports to decide who to check more
carefully” (Yaghmaei et al. 2017: 29–30)
In profiling “people are approached, judged or treated in a
certain way because these have characteristics that fit a certain
profile
Accountability, Privacy, Discrimination, Democracy
Digital Forensic Investigators
Disturbing evidence data
Accessing to personal data
Providing wrong evidences
Privacy, Negligence, integrity
Ethic Frameworks in Cybersecurity
Human Rights (The European Convention on Human Rights
(ECHR))
GDPR (General Data Protection Regulation)
Ethical code of practices for cybersecurity professionals
Ethical Best Practices for cybersecurity professionals
Ethical Code of conduct for
Cybersecurity
UK Cybersecurity Council: Code of Ethic for Member
Organisations

– Credibility
– Integrity
– Professionalism
– Responsibility & Respect
https://www.ukcybersecuritycouncil.org.uk/
Best Ethical Practices for
Cybersecurity Professionals
Customer data handling; personal data, GDPR
Information about breaches;
Threat intelligence;
Vulnerability-related information;
Data involved when collaborating with peers;
Special consideration to run penetration testing;
Cybersecurity research groups;
etc
Questions