
21. Security, Ethics and Other IS Issues

Rev: Feb, 2013

Euiho (David) Suh, Ph.D.

POSTECH Strategic Management of Information and Technology Laboratory (POSMIT: http://posmit.postech.ac.kr)

Dept. of Industrial & Management Engineering, POSTECH

Contents

1 Information System Ethical

2 Information System Security

3 Electronic Commerce Security

4 Other IS Issues

5 Case Study

Introduction

■ IT Security, Ethics, and Society

Information Technology
– Beneficial effects: striving to optimize the beneficial effects
– Detrimental effects: managing work activities to minimize the detrimental effects

1. Information System Ethical

Business Ethics

■ Categories of Ethical Business Issues
– Information technology has caused ethical controversy in the areas below.

– Equity
• Executive salaries
• Comparable worth
• Product pricing
• Intellectual property rights
• Noncompetitive agreements

– Rights
• Corporate due process
• Employee health screening
• Customer privacy
• Employee privacy
• Sexual harassment
• Affirmative action
• Equal employment opportunity
• Shareholder interests
• Employment at will
• Whistle-blowing

– Honesty
• Employee conflicts of interest
• Security of company information
• Inappropriate gifts
• Advertising content
• Government contract issues
• Financial and cash management procedures
• Questionable business practices in foreign countries

– Exercise of Corporate Power
• Product safety
• Environmental issues
• Disinvestment
• Corporate contributions
• Social issues raised by religious organizations
• Plant/facility closures and downsizing
• Political action committees
• Workplace safety

■ Ethical responsibilities of business professionals
– Promote ethical uses of information technology
– Accept the ethical responsibilities of your job
– Properly perform your role as a human resource
– Consider the ethical dimensions of activities and decisions

Corporate Social Responsibility Theories

■ Social Contract Theory
– Companies have an ethical responsibility to all members of society

■ Stakeholder Theory
– Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders

■ Stockholder Theory
– Managers are agents of stockholders. Their ethical responsibility is to increase profits without violating laws or engaging in fraud

Principles of Technology Ethics

■ Proportionality
– The good achieved by the technology must outweigh the harm or risk. Moreover, there must be no alternative that achieves the same or comparable benefits with less harm or risk

■ Informed Consent
– Those affected by the technology should understand and accept the risks

■ Justice
– The benefits and burdens of the technology should be distributed fairly. Those who benefit should bear their fair share of the risks, and those who do not benefit should not suffer a significant increase in risk

■ Minimized Risk
– Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk

2. Information System Security

Computer Crime

■ Defined by the Association of Information Technology Professionals (AITP) as including
– The unauthorized use, access, modification, or destruction of hardware, software, data, or network resources
– The unauthorized release of information
– The unauthorized copying of software
– Denying an end user access to his/her own hardware, software, data, or network resources
– Using or conspiring to use computer or network resources illegally to obtain information or tangible property

Type of Computer Crime (1/3)

■ Hacking and Cracker
– Hacking
• The obsessive use of computers
• Unauthorized access/use of networked computers
– Breaking and Entering
• Hacking into a computer system and reading files, but neither stealing nor damaging anything
– Cracker
• A malicious or criminal hacker who maintains knowledge of vulnerabilities found for private advantage

Type of Computer Crime (2/3)

■ Cyber Theft
– Many computer crimes involve theft of money
– Most are “inside jobs” that involve unauthorized network entry and alteration of databases to cover the tracks of the employees involved
– Many attacks occur through the Internet
– Most companies don’t reveal that they have been targets or victims of cyber crime

Type of Computer Crime (3/3)

■ Cyberterrorism
– The leveraging of an organization’s or government’s computers and information
• Particularly through the Internet
• To cause physical, real-world harm or severe disruption of infrastructure
– Can have serious, large-scale influence
• Can weaken a country’s economy
• Can affect Internet-based businesses

Examples of Cyberterrorism
– No successful attacks reported yet in the U.S.
– Life-support at Antarctic research station turned off
– Release of untreated sewage into waterways
– Nonessential systems shut down in nuclear power plants
– Estonian government ministry and banks knocked offline

Security Management (1/5)

■ The goal of security management is the accuracy, integrity, and safety of all information system processes and resources

■ Internetworked Security Defenses
– Encryption
• Data is transmitted in scrambled form
• It is unscrambled by computer systems for authorized users only
• The most widely used method uses a pair of public and private keys unique to each individual

Security Management (2/5)

■ Public/Private Key Encryption

Security Management (3/5)

■ Internetworked Security Defenses
– Firewalls
• Gatekeeper system that protects a company’s intranets and other computer networks from intrusion
• Provides a filter and safe transfer point for access to/from the Internet and other networks
• Important for individuals who connect to the Internet with DSL or cable modems
• Can deter hacking, but can’t prevent it

Security Management (4/5)

■ Internet and Intranet Firewalls

Security Management (5/5)

■ Security Management for Internet Users
– “Use antivirus and firewall software, and update it often to keep destructive programs off your computer.”
– “Don’t allow online merchants to store your credit card information for future purchases.”
– “Use a hard-to-guess password that contains a mix of numbers and letters, and change it frequently.”
– “Use different passwords for different websites and applications to keep hackers guessing.”
– “Install all operating system patches and upgrades.”
– “Use the most up-to-date version of your Web browser, e-mail software, and other programs.”
– “Send credit card numbers only to secure sites; look for a padlock or key icon at the bottom of the browser.”
– “Use a security program that gives you control over ‘cookies’ that send information back to websites.”
– “Install firewall software to screen traffic if you use DSL or a cable modem to connect to the Net.”
– “Don’t open e-mail attachments unless you know the source of the incoming message.”

What is Electronic Commerce (EC) Security?

■ Special case of network security

■ Special case of client server security

■ Evolving area of computer science
– Digital cash
– Internet banking
– Store fronts versus Store reality
– International market place …

■ Still an area of immense temptation for the criminal element

3. Electronic Commerce Security

Possible threats of EC (1/2)

■ The traditional threats apply
– Confidentiality, Integrity, Availability, Accountability
– Malicious code
– Network vulnerabilities
– Others

■ Additional privacy concerns surface (ethics concerns)
– Cookies
– Buying habits and profiling
– Shared databases
– Short term and long term storage of sensitive data
– Others

Possible threats of EC (2/2)

■ Authentication takes on a new role
– Who is the buyer?
– Who is the seller?
– Is the seller real?
– Where is the seller?
– Non-repudiation is important
– Accountability for seller and buyer actions

■ Availability
– loss of access equals loss of revenue
– recovery procedures are very important
– The greatest threat to E-Commerce today (arguable perhaps…)

A Simple View

■ E-Commerce protection must include data in transit, data in processing, and data in storage
– over an open network
– in a client server environment

[Figure: Client and Server]

Security Requirements & Client Side Security

■ Security Requirements
– Transaction integrity
– Confidentiality of the transaction
– Mutual authentication of all parties (customer, store, bank)
– Non-repudiation
– Timely service
– Record keeping
– Protection of the systems against intrusion

■ Client Side Security
– Essentially “web browser” security
– Two main risks have emerged
• Vulnerabilities in the Web Browser software
• Risk of Active Content
– Active Content (mobile code)
• Java and Java Applets
• ActiveX controls
• Push technology
• MS Macros
• Plug-ins

Secure Transport & Web Server Side

■ Secure Transport
– Secure Channels
• Secure Sockets Layer (SSL)
• Secure HTTP (S-HTTP)
– Smart Cards carrying a private key for encryption
– E-Cash protocols

■ Web Server Side
– Typically a front end web server, backend database, and interface software (e.g., CGI scripts)
– Firewalls are most useful here - but varying degrees of strength and responsiveness
– Operating system security an issue (for both the network OS and the server OS)

Solution Sets

■ Encryption plays a very big role
– SSL, S-HTTP
– Digital Signatures
– Certificates (X.509-PKI)
– PGP

■ Firewalls
■ Trusted OS and products
■ Disaster recovery plans
■ Education and awareness
■ Law

Public Key Infrastructure

■ Enables the Use of Public Key Technology

■ Parts
– Certificate Maintenance
• Issuance, Reissuance, Revocation
– Certificate Availability
– Interoperations

■ Answer: Public Key Infrastructure
– Getting public-key materials
• Where they are needed
• When they are needed

[Figure labels: Jane Doe, Acme; public key; private key]

Doing Business With Keys

[Figure labels: Internet; amazon.com; public key; private key; order “PKIforDummies”; card number 4417 5712 1238 51961; ciphertext “Xyl?wk$”; “Sold”]

But where did the key come from?

Certificate: ID? Or ATM Card?

■ Identity Card
– Something you have
– Something you are

■ ATM Card
– Something you have
– Something you know

■ A Certificate is Three Things
• An ID Card
• A Notarized Signature
• A Scrambling Device

[Figure labels: certificate for Jane Doe, Acme, with public key; plaintext scrambled to “X&8uj*l.”; Mississippi ID card for Jane Doe, 105 Lee Street, Anywhere, MS 39759]

Doing Business With Certificates

[Figure labels: Internet; amazon.com; certificate for Jane Doe, Acme, with public key; private key; order “PKIforDummies”; card number 4417 5712 1238 51961; ciphertext “Xyl?wk$”; “Sold!”]

But where did the certificate come from?

Certifying Authorities

■ Public Key technology is powerful - but you can’t keep everyone’s public key on your hard drive
– Hundreds of thousands of users globally
– Expiration and maintenance issues

■ More practical to rely on trusted “third parties” - Certifying authorities

■ Commercial enterprise that vouches for the identities of individuals and organizations.

■ Browsers have public keys of well known CAs built in.

■ Certificates are (for most practical purposes) viewed as “untamperable” and “unforgeable”

■ VeriSign, AT&T, BBN, CeriSign, and others (check your browser)
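
The trust chain these slides build up to, as an added example that is not part of the original lecture: a certifying authority signs the binding between a name and a public key, and the client checks that signature with the CA key it already holds before encrypting a card number. Textbook RSA over fixed Mersenne primes stands in for real certificate software; `shop.example`, the function names and the card number are constructed for illustration.

```python
import hashlib

# Textbook RSA over fixed Mersenne primes: illustration only, not secure.
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def cert_body(subject, public):
    # What the CA vouches for: this name belongs with this public key.
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_certificate(ca_private, subject, public):
    n, d = ca_private
    sig = pow(digest(cert_body(subject, public), n), d, n)
    return {"subject": subject, "public": public, "sig": sig}

def check_certificate(ca_public, cert, expected_subject):
    n, e = ca_public
    body = cert_body(cert["subject"], cert["public"])
    return (cert["subject"] == expected_subject
            and pow(cert["sig"], e, n) == digest(body, n))

def send_card(ca_public, cert, expected_subject, card_number):
    """Encrypt the card number only to a key the trusted CA vouches for."""
    if not check_certificate(ca_public, cert, expected_subject):
        return None  # key of unknown origin: send nothing
    n, e = cert["public"]
    return pow(card_number, e, n)

def receive_card(private, ciphertext):
    n, d = private
    return pow(ciphertext, d, n)

# Constructed keys and data; all names here are hypothetical.
CA_PUB, CA_PRIV = make_key(2**89 - 1, 2**107 - 1)      # CA key built into the browser
SHOP_PUB, SHOP_PRIV = make_key(2**61 - 1, 2**127 - 1)  # the real merchant
FAKE_PUB, FAKE_PRIV = make_key(2**19 - 1, 2**31 - 1)   # someone posing as the merchant
CARD = 4000000000000002                                # constructed card number

GOOD = issue_certificate(CA_PRIV, "shop.example", SHOP_PUB)
SELF_SIGNED = issue_certificate(FAKE_PRIV, "shop.example", FAKE_PUB)
SWAPPED = dict(GOOD, public=FAKE_PUB)  # valid signature, substituted key

if __name__ == "__main__":
    print("genuine accepted:", check_certificate(CA_PUB, GOOD, "shop.example"))
    print("self-signed accepted:", check_certificate(CA_PUB, SELF_SIGNED, "shop.example"))
    print("swapped key accepted:", check_certificate(CA_PUB, SWAPPED, "shop.example"))
```

The client needs only the CA's public key in advance; a certificate signed by anyone else, or one whose key was replaced after signing, fails the check and no card number is sent.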

A Process for Secure EC & Assessing Risk

■ A Process for Secure EC
– Assess your risks
– Secure the Infrastructure
– Secure your Internet Connections
– Secure Electronic Commerce
– Disaster Recovery

■ Assessing Risk
– Conduct a Threat and Vulnerability Analysis
• What are the threats to your information assets
• How vulnerable are you to each of those threats
• What would be the business impact if each of the threats were to occur
• What controls are available/needed to mitigate the threats
– Identify and Prioritize (...and build a plan)
• Address the threats and vulnerabilities
• Ensure plan is consistent with business objectives and cost
• Plan fits with organizational culture?

Secure the Infrastructure & Internet Connection

■ Secure the Infrastructure
– Concerned with OS security, external connectivity, & network security ...
– Develop an Information Security Architecture
• “…a structure for implementing security across an enterprise”
• Defines the organization of the information security program
• The foundation of a solid information security program

■ Secure Internet Connection
– Based on Firewall protection primarily
– Recall - firewalls vary in trust and capability
– Defense in depth is suggested
– Tradeoff between security and ease of access is a business and risk decision
– There is no cookbook solution

Disaster Recovery

■ Disaster Recovery
– Continuity of operation plans
• Written down, practiced, realistic and implementable
– Backups
– Hot/Cold sites
– Usually overlooked
– Finding out what happened.

Other Security Issues

■ Software Piracy
– Unauthorized copying of computer programs

■ Licensing
– Purchasing software is really a payment for a license for fair use
– Site license allows a certain number of copies
– Public domain software is not copyrighted

■ Intellectual Property
– Copyrighted material
– Includes music, videos, images, articles, books, and software

■ Copyright Infringement is Illegal
– Peer-to-peer networking techniques have made it easy to trade pirated intellectual property

■ Publishers Offer Inexpensive Online Music
– Illegal downloading of music and video is down and continues to drop

A third of the software industry’s revenues are lost to piracy

4. Other IS Issues

Viruses and Worms

■ Viruses
– Program that cannot work without being inserted into another program

■ Worm
– Distinct program that can run unaided

■ These programs copy annoying or destructive routines into networked computers
– Copy routines spread the virus

■ Commonly transmitted through
– The Internet and online services
– Email and file attachments
– Disks from contaminated computers
– Shareware

Adware and Spyware

■ Spyware Problems
– Steal private information
– Add advertising links to Web pages
– Redirect affiliate payments
– Change a user’s home page and search settings
– Degrade system performance

■ Spyware often can’t be eliminated

Adware

1. Software that purports to serve a useful purpose, and often does

2. Allows advertisers to display pop-up and banner ads without the consent of the computer user

Spyware

1. Adware that uses an Internet connection in the background, without the user’s permission or knowledge

2. Captures information about the user and sends it over the Internet
