CNS3113 CLO4 Ethics for IT Workers & SETA - Week 10-13 PDF
Higher Colleges of Technology
Dr. Dimitrios Xanthidis, DBA
Summary
These lecture notes from weeks 10-13 of CNS3113 outline the key concepts of ethics for IT workers and users. They discuss topics like relationships with employers, clients, and suppliers, as well as various ethical issues in IT and information security.
Full Transcript
CNS3113 – CLO4: Ethics for IT workers, SETA programs, Computer Crimes
Dr. Dimitrios Xanthidis, DBA

Ethics for IT Workers: Learning Outcomes
By the end of this Chapter, the learner should be able to:
1. Identify and explain the relationships that an IT worker must manage and the ethical issues that can arise in each.
2. Describe what can be done to encourage the professionalism of IT workers.
3. Identify and explain ethical issues IT users face.
4. Suggest ways that ethical behaviours by IT users can be encouraged.

IT Professionals
- Profession: requires specialized knowledge and long and intensive academic preparation.
- Professionals:
  - Require advanced training and experience
  - Must exercise discretion and judgment in their work
  - Their work cannot be standardized
  - Contribute to society, participate in lifelong training, and assist other professionals
  - Carry special rights and responsibilities
- Partial list of IT specialists: programmers, systems analysts, software engineers, database administrators, local area network (LAN) administrators, chief information officers (CIOs).
- Legal perspective: IT workers do not meet the legal definition of professionals; they are not licensed by state or federal government and are not liable for malpractice.

Professional Relationships that must be managed
- IT workers are involved in relationships with: employers, clients, suppliers, other professionals, IT users, and society at large.
- Relationship between IT workers and employers:
  - IT workers agree on many aspects of the work relationship before accepting a job offer, e.g. dress code, work hours, performance expectations.
  - Other aspects of the work relationship are defined in the company’s policy and procedure manual or code of conduct.
  - Some aspects develop over time.
  - IT workers set an example and enforce policies regarding the ethical use of IT.

Areas in which IT workers may violate laws/policies
- Software piracy: the act of illegally making copies of software, or enabling access to software to which they are not entitled.
  - The Business Software Alliance (BSA) is a trade group representing the world’s largest software and hardware manufacturers; its mission is to stop the unauthorized copying of software.
  - Thousands of cases are prosecuted each year.
- Trade secrets: business information that is generally unknown to the public; the company takes actions to keep it confidential; it required cost or effort to develop; it has some degree of uniqueness or novelty.
- Whistle-blowing: an employee attracting attention to a negligent, illegal, unethical, abusive, or dangerous act that threatens the public interest.

Relationships between IT Workers and Clients
- The IT worker provides hardware, software, or services at a certain cost within a time frame.
- The client provides compensation, access to key contacts, and work space.
- The relationship is usually documented in contractual terms.
- The client makes decisions about a project based on information, alternatives, and recommendations provided by the IT worker.
- The client trusts the IT worker to act in the client’s best interests.
- The IT worker trusts that the client will provide relevant information, listen to and understand what the IT worker says, ask questions to understand the impact of key decisions, and use the information to make wise choices.
- Conflict of interest: ethical problems arise if a company recommends its own products and services to remedy problems it has itself detected.
- Problems arise during a project if IT workers are unable to provide full and accurate reporting of a project’s status: this may generate finger pointing and heated discussions, and can lead to charges of fraud, misrepresentation, and breach of contract.

Problems between IT workers and clients
- Problems arise during a project if IT workers are unable to provide full and accurate reporting of a project’s status: this may generate finger pointing and heated discussions.
- Fraud: the crime of obtaining goods, services, or property through deception or trickery.
- Misrepresentation: a misstatement or incomplete statement of a material fact; it can lead to cancellation of the contract or a claim for reimbursement of damages.
- Breach of contract: one party fails to meet the terms of a contract. The non-breaching party may cancel the contract, seek to recover compensation paid to the breaching party, and be discharged from any further performance under the contract.
- IT projects are joint efforts in which vendors and customers work together. When there are problems, it is difficult to assign who is at fault.

Relationships between IT Workers and Suppliers
- Develop good working relationships with suppliers to encourage the flow of useful information and ideas, and to develop innovative and cost-effective ways of using the supplier: by dealing fairly with them, and by not making unreasonable demands.
- Beware of unethical behaviours from suppliers, such as bribery.
- Bribery: providing money, property, or favors to obtain a business advantage. Perceptions of donor and recipient can differ: at what point does a gift become a bribe?

Relationships between IT Workers and Other professionals
- Professionals feel a degree of loyalty to other members of their profession.
- Professionals owe each other obedience to their profession’s code of conduct.
- Ethical problems among the IT profession:
  - Résumé inflation on 30% of U.S. job applications.
  - Inappropriate sharing of corporate information: information might be sold intentionally or shared informally with those who have no need to know.

Relationships between IT Workers and Users or Society
- IT user: a person using a hardware or software product.
- IT workers’ duties: understand users’ needs and capabilities, and deliver products and services to meet those needs.
- Establish an environment that supports ethical behaviour: to discourage software piracy, to minimize inappropriate use of corporate computing resources, and to avoid inappropriate sharing of information.
- Society expects members of a profession to provide significant benefits and not to cause harm through their actions.
- The actions of an IT worker can affect society.
- Professional organizations provide codes of ethics to guide IT workers’ actions.

Professional Codes of Ethics
- State the principles and core values that are essential to the work of an occupational group.
- Most codes of ethics include: what the organization aspires to become, and the rules and principles by which members of the organization are expected to abide.
- Many codes also include a commitment to continuing education for those who practice the profession.
- Following a professional code of ethics can produce benefits for the individual, the profession, and society as a whole. These include: ethical decision making; high standards of practice and ethical behavior; trust and respect from the general public; an evaluation benchmark for self-assessment.

IT Professional Malpractice
- Negligence: not doing something that a reasonable person would do, or doing something that a reasonable person would not do.
- Duty of care: the obligation to protect people against any unreasonable harm or risk, measured by the reasonable person standard and the reasonable professional standard.
- Professional malpractice: professionals who breach the duty of care are liable for the damages that their negligence causes.
- Employees’ ethical use of IT is an area of growing concern because of increased access to personal computers, corporate information systems and data, and the Internet.

Supporting the Ethical Practices of IT
- Policies that protect against abuses: set forth the general rights and responsibilities of users; create boundaries of acceptable behaviour; enable management to punish violators.
- Policy components include: establishing guidelines for the use of company software; defining appropriate use of IT resources; structuring information systems to protect data and information; installing and maintaining a corporate firewall.

Common Ethical Issues for IT Users
- Software piracy.
- Inappropriate use of computing resources: low productivity and wasted time; could lead to lawsuits.
- Inappropriate sharing of information: every organization stores vast amounts of private or confidential data, including private data (employees and customers) and confidential information (company and operations).

CNS3113 – SETA: Learning Outcomes
By the end of this Chapter, the learner should be able to:
- Explain the organizational approaches to information security.
- Identify and describe the functional components of the information security program.
- Determine how to plan and staff an organization’s information security program based on its size.
- Evaluate the internal and external factors that influence the activities and organization of an information security program.
- List and describe the typical job titles and functions performed in the information security program.
- Describe the components of a security education, training, and awareness program and understand how organizations create and manage these programs.

Components of SETA
- The information security needs of any organization are unique to the culture, size, and budget of that organization.
- Determining what level the information security program operates on depends on the organization’s strategic plan, in particular its vision and mission statements.
- The CIO and CISO should use these two documents to formulate the mission statement for the information security program.
- SETA program: designed to reduce accidental security breaches.
- Awareness, training, and education programs offer two major benefits: they improve employee behavior, and they enable the organization to hold employees accountable for their actions.
- A SETA program consists of three elements: security education, security training, and security awareness.

Purpose and Framework of SETA
The purpose of SETA is to enhance security:
- By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems.
- By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely.
- By improving awareness of the need to protect system resources.

Security Training
- Security training involves providing detailed information and hands-on instruction to give users the skills to perform their duties securely.
- Two methods for customizing training: by functional background (general user, managerial user, technical user) and by skill level (beginner, intermediate, advanced).
- Employee training options: a local training program; a continuing education department; an external training agency; a professional trainer, consultant, or someone from an accredited institution conducting on-site training; in-house training using the organization’s own employees.

Security Awareness
- Security awareness program: one of the least frequently implemented, but most effective, security methods.
- Security awareness programs set the stage for training by changing organizational attitudes, so that people realize the importance of security and the adverse consequences of its failure, and they remind users of the procedures to be followed.
- SETA best practices when developing an awareness program:
  - Focus on people
  - Avoid using technical jargon
  - Use every available venue
  - Define learning objectives, state them clearly, and provide sufficient detail and coverage
  - Keep things light
  - Don’t overload the users
  - Help users understand their roles in InfoSec
  - Take advantage of in-house communications media
  - Make the awareness program formal; plan and document all actions
  - Provide good information early, rather than perfect information late

Commandments of InfoSec Awareness Training
- Information security is a people, rather than a technical, issue.
- If you want them to understand, speak their language.
- If they cannot see it, they will not learn it.
- Make your point so that you can identify it, and so can they.
- Never lose your sense of humor.
- Make your point, support it, and conclude it.
- Always let the recipients know how the behavior that you request will affect them.
- Formalize your training methodology.
- Always be timely, even if it means slipping schedules to include urgent information.

Employee Behavior, Awareness, and Accountability
- Security awareness and security training are designed to modify any employee behavior that endangers the security of the organization’s information.
- Security training and awareness activities can be undermined, however, if management does not set a good example.
- Effective training and awareness programs make employees accountable for their actions.
- Dissemination and enforcement of policy become easier when training and awareness programs are in place.
- Demonstrating due care and due carefulness can insure the institution against lawsuits.

Awareness Techniques
- Awareness can take on different forms for particular audiences.
- A security awareness program can use many methods to deliver its message.
- Effective security awareness programs need to be designed with the recognition that people tend to practice a tuning-out process.
- Awareness techniques should be creative and frequently changed.

Developing Security Awareness Components
- Many security awareness components are available at little or no cost; others can be very expensive if purchased.
- Security awareness components include: videos; posters and banners; lectures and conferences; computer-based training; newsletters; brochures and flyers; trinkets (coffee cups, pens, pencils, T-shirts); bulletin boards.

Security Posters
- A security poster series can be a simple and inexpensive way to keep security on people’s minds.
- Professional posters can be quite expensive, so in-house development may be the best solution.
- Keys to a good poster series: varying the content and keeping posters updated; keeping them simple, but visually interesting; making the message clear; providing information on reporting violations.

Security Trinkets
- Trinkets may not cost much on a per-unit basis, but they can be expensive to distribute throughout an organization.
- Several types of trinkets are commonly used: pens and pencils, mouse pads, coffee mugs, plastic cups, hats, T-shirts.

CNS3113 – Computer Crimes & Laws in U.A.E.: Learning Outcomes
By the end of this Chapter, the learner should be able to:
- Understand what key trade-offs and ethical issues are associated with the safeguarding of data and information systems.
- Understand what the most common types of computer security attacks are.
- Understand who the primary perpetrators of computer crime are, and what their objectives are.
- Understand what actions must be taken in response to a security incident.
- Discuss the current regulatory, compliance and liability issues in UAE cyber law.

IT Security Incidents: A major concern
- Security of information technology is of the highest importance.
- Safeguard confidential business data and private customer and employee data.
- Protect against malicious acts of theft or disruption.
- Balance security against other business needs and issues.

IT Security Incidents: Reasons for their spreading
- Increasing complexity increases vulnerability: the computing environment is enormously complex and continues to increase in complexity; the number of entry points expands continuously; cloud computing and virtualization software add to it.
- Higher computer user expectations: computer help desks under intense pressure forget to verify users’ IDs or check authorizations; computer users share login IDs and passwords.
- Expanding/changing systems equal new risks: in the network era, personal computers connect to networks with millions of other computers, all capable of sharing information; information technology is global and a necessary tool for organizations to achieve their goals; it is increasingly difficult to match the pace of technological change.

IT Security Incidents: Reasons for their spreading (2)
- Increased reliance on commercial software with known vulnerabilities: poor systems are produced from poor system design and/or implementation, which leads to exploitation of these vulnerabilities through attacks on the information systems.
- The patch (solution) is a “fix” that eliminates the problem; users are responsible for obtaining and installing it, and delays expose users to security breaches.
- Zero-day attack: an attack carried out before a vulnerability is discovered or fixed.

Types of Computer Crimes
- Business attacks: attacking the IS of a company with the purpose of stealing important business information or relevant
- Financial attacks: attacking financial institutions with the usual purpose of stealing money (bank).
- Terrorist attacks: making online security attacks with the purpose of causing havoc in society for various reasons.
- Objection attacks: a way of attacking an organization to protest against the measures, policies, or laws the organization or company is taking.
- Fun attacks: making an attack just for the fun of it (usually by young people).
- Most common computer crimes: fraud/computer forgery (using computers to deceive or steal from others); damage to or modification of computer data or programs; unauthorized access to computer systems and services.

Computer Crimes are hard to prosecute
- Lack of understanding: it is often very difficult for prosecutors/judges to understand the essence of a computer crime, since it is normally outside the ordinary run of crimes.
- Lack of physical evidence: computer crimes usually involve intangible things.
- Lack of recognition of assets: it is not easy to recognize the real value of the digital assets being stolen.
- Lack of political impact: computer crimes don’t have the same political effects, positive or negative, as physical crimes.
- Complexity of case: usually computer crimes are quite complex to describe in ordinary terms.
- Youngsters: it is quite often the case that computer crimes involve very young individuals.

Types of attacks on computers & smartphones
- Viruses: (small) pieces of (strong) programming code, usually disguised as something else, often attached to files; they deliver a “payload” and are spread by the actions of the “infected” computer user, in the form of infected email document attachments, when an infected program is downloaded, or when an infected Web site is visited.
- Worms: harmful programs that reside in the active memory of a computer and duplicate themselves; they can propagate without human intervention and cause loss of data and programs, lost productivity, and additional effort for IT workers.

Types of attacks on computers & smartphones (2)
- Trojan horse: malicious code hidden inside seemingly harmless programs; users are tricked into installing them; delivered via email attachment, downloaded from a Web site, or contracted via a removable media device.
- Logic bomb: executes when triggered by a certain event.
- Distributed denial of service: a malicious hacker takes over computers on the Internet and causes them to flood a target site with demands for data and other small tasks; the computers that are taken over are called zombies, and a botnet is a very large group of such computers; it does not involve a break-in at the target computer; the target machine is busy responding to a stream of automated requests.

Types of attacks on computers & smartphones (3)
- Rootkit: a set of programs that enables its user to gain administrator-level access to a computer without the end user’s consent or knowledge; the attacker can gain full control of the system and hide the presence of the rootkit; the fundamental problem in detecting a rootkit is that the operating system currently running cannot be trusted to provide valid test results.
- Spam: abuse of email systems to send unsolicited email to large numbers of people; low-cost commercial advertising for questionable products; a method of marketing also used by many legitimate organizations.
- Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act: it is legal to spam if basic requirements are met.
- Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA).

Types of attacks on computers and smartphones (4)
- Phishing (spear-phishing, smishing, and vishing): the act of using email fraudulently to try to get the recipient to reveal personal data; legitimate-looking emails lead users to counterfeit Web sites.
- Spear-phishing: fraudulent emails sent to an organization’s employees.
- Smishing: phishing via text messages.
- Vishing: phishing via voice mail messages.

Types of Perpetrators based on their motive
Perpetrators include: thrill seekers wanting a challenge; common criminals looking for financial gain; industrial spies trying to gain an advantage; terrorists seeking to cause destruction.

Types of Perpetrators: Description
- Hackers: test the limitations of systems out of intellectual curiosity; some are smart and talented, others inept (termed “lamers” or “script kiddies”).
- Crackers: cracking is a form of hacking and is clearly criminal activity.
- Malicious insiders: a major security concern for companies; fraud within an organization is usually due to weaknesses in internal control procedures; collusion is cooperation between an employee and an outsider; insiders are not necessarily employees, but can also be consultants and contractors; they are extremely difficult to detect or stop because they are authorized to access the very systems they abuse; negligent insiders also have the potential to cause damage.

Types of Perpetrators: Description (2)
- Industrial spies: use illegal means to obtain trade secrets from competitors; trade secrets are protected by the Economic Espionage Act of 1996; competitive intelligence uses legal techniques to gather information available to the public, whereas industrial espionage uses illegal means to obtain information not available to the public.
- Cyber criminals: hack into corporate computers to steal, or engage in all forms of computer fraud; chargebacks are disputed transactions; loss of customer trust has more impact than the fraud itself.
- To reduce the potential for online credit card fraud: use encryption technology; verify the address submitted online against the issuing bank; request a card verification value (CVV); use transaction-risk scoring software.
- Smart cards: contain a memory chip, updated with encrypted data when the card is used.

Types of Perpetrators: Description (3)
- Hacktivism: hacking to achieve a political or social goal.
- Cyberterrorist: attacks computers or networks in an attempt to intimidate or coerce a government in order to advance certain political or social objectives; seeks to cause harm rather than gather information; uses techniques that destroy or disrupt services.

Implementing Trustworthy Computing
- Trustworthy computing: delivers secure, private, and reliable computing, based on sound business practices.
- Security of any system or network is a combination of technology, policy, and people, and requires a wide range of activities to be effective.
- Systems must be monitored to detect possible intrusion.
- A clear reaction plan addresses: notification, evidence protection, activity log maintenance, containment, eradication, and recovery.

Cybercrimes in the U.A.E.
The Computer Emergency and Response Team in the UAE (aeCERT) reported the following statistics about the cybersecurity status of the UAE national Government in its June 2020 report: https://www.tra.gov.ae/userfiles/assets/DcV6zIEShJV.pdf

Examples - Videos
- Watch the video “Cybercrime Law in UAE: In-depth Definition” and answer the questions: What is cybercrime? Is having a VPN a cybercrime in the UAE?
- Watch the video “My Safe Society App” and answer the questions: What does this solution aim for? Can anyone use this solution? Which entity created this solution? Is it easy to use?
- Watch the video “10 Most Devastating Cyber Attacks in History”.

The U.A.E. Cyber Law “Key offenses”
- Hacking into an IT system, website, IT tool, or information network
- Deletion, destruction, amending, copying or disclosing data
- Tampering with/changing the design or layout of a site
- Credit card fraud, forging official documents
- Wrongful impersonation
- Inciting criminal and terrorist acts
- Threatening state security
- Disclosure of confidential information
- Defamation
- Publishing “illegal content”

Correlated U.A.E. Laws
The Cybercrime Law correlates with other UAE laws, namely:
- Federal Law no. (15) of 1980 on Publications
- Federal Law no. (3) of 1987 on the Issuance of the Penal Code and the amending laws thereof
- Federal Law no. (7) of 2002 on Copyright and related rights and the amending laws thereof
- Federal Law no. (1) of 2006 on Electronic Transactions and Commerce
- Federal Law no. (37) of 1992 on Trademarks and the amending laws thereof
- Federal Law no. (4) of 2002 on Criminalizing Money Laundering
- Federal Law no. (35) of 1993 on Criminal Procedures

8 Common Cybercrimes in the U.A.E.
1. Hacking
2. Electronic harassment (cyberbullying/verbal offense/defamation): 50% in the Middle East, as high as in many of the world’s developed countries; 24% of teenagers are incautious about who they add to their social network.
3. Email fraud: 57% of Internet users in the UAE believe they are likely to suffer an attack from cybercriminals.
4. Fake websites: ask Dh150-500 from unsuspecting expatriate job-seekers to register; many have fallen victim.
5. Credit card forgery: 5% of the world’s cyberattacks had been targeting the UAE. Con artists are always on the hunt for new ways to defraud consumers.
6. Online blackmail: 450 cases of blackmailing recorded in the Gulf countries daily; 1.5 persons blackmailed in the UAE every day, on average.
7. Phishing: $476 (Dh1,745) is the average amount of money lost per attack; 10% of the survey respondents said that they lost more than

Overview of Cyber Criminal Proceedings in U.A.E.
- A criminal complaint is filed before the police station unit (“Unit”), filling out the forms prescribed by Dubai Police, including inserting the IP address.
- The Unit obtains a statement and refers the matter for investigation to the Cyber Criminal Evidences Forensic within the CID lab and the Cybercrime Departments (“Cyber Departments”).
- The Cyber Departments hand the investigation reports to the Unit.
- The Unit then prepares a report to the Public Prosecutor to continue the investigation and take it forward.
- The Public Prosecutor may issue arrest warrants and transfer the matter to the court, depending on the evidence available.
* Source: Omar M. A Obeidat, Al Tamimi & Company, Jan 2016

Required Documents and Evidences
- Screen shots: if the hacker hacked into the victim’s social media pages, then immediate screen shots must be submitted; but the Lab must record the screen shot in order to include it in the report.
- Relevant documents: all emails, letters, and correspondence showing that the hacking has resulted in a wrongful impersonation of the victim.
- Information on the bank with which the fraudulent account was opened.
- Presence of the complainant or victim.
* Source: Omar M. A Obeidat, Al Tamimi & Company, Jan 2016

Technical Evidences/Bank Cooperation
The victim must be prepared to assist the police with all technical aspects, namely:
- Having readily available the relevant computer/laptop that is the subject matter of the crime.
- An IT report on how the crime occurred. Usually, if the victim is a company, the IT team must be ready to cooperate with the police to gather all necessary evidence.
- It is crucial that the hard disk is NOT removed, to safeguard the evidence.
- Cooperation of the banks is crucial to assist in investigating the criminal who opened the suspicious account.

Challenges in the U.A.E.
- In cases of automatic transfers of money forwarded outside the UAE, the Public Prosecution may not be interested in pursuing the case.
- For offenders outside the UAE, judicial cooperation agreements would allow the PP to refer the investigation to a foreign judicial authority, but foreign judicial authorities are not bound to act without a court judgment.
- Slowness in responding to the nature of cybercrimes (e.g. blocking of a bank account); where part of the crimes are outside the UAE, the PP are reluctant to pursue the case.
- Not knowing the offender makes identifying him a main challenge.
- For an offender outside the UAE, there should be cooperation with countries for extradition to the UAE through international agreements that regulate such issues.
- Thresholds of evidence must be adapted to less stringent measures. For instance, screen shots of a Facebook page detailing the illegal incident may not be sufficient for police investigation purposes.

Example: Jurisdictional issues and multiple victims
- The hacker hacked into the computer systems of Victim No. 1 (a customer placed overseas) with the intention of impersonating Victim No. 2, based in the UAE, to defraud its customers, who are Victim No. 1.
- Victim No. 1 (based overseas) is the customer of Victim No. 2 (based in the UAE).
- The fraudulent bank account used to receive funds is in the UAE.
- While, technically, in this case the hacking most likely occurred only overseas, Victim No. 2 is still based in the UAE and many elements of the crimes happened in the UAE (i.e., opening of the fraudulent bank account, impersonation, attempted fraud, etc.).

Thank You