BUS 311: Fall 2003. Security, Privacy, and Ethical Issues in Information Systems and the Internet. Chapter 9.



Social Issues in Information Systems
- Computer Waste & Mistakes
- Computer Crime
- Privacy
- Health Concerns
- Ethical Issues
- Patent and copyright violations

Computer Waste
- Discarding technology that still has value
- Unused systems
- Personal use of corporate time and technology
- Spam
- Time spent configuring / “optimizing” computers

Preventing Computer Waste and Mistakes
- Policies and procedures should be
  - Established
  - Implemented
  - Monitored
  - Reviewed

Types of Computer-Related Mistakes
- Data entry or capture errors
- Errors in computer programs
- Errors in file handling – copying old file over new one, deleting a file by mistake
- Mishandling of computer output
- Inadequate planning for and control of equipment malfunction
- Inadequate planning for and control of environmental difficulties (electrical, humidity, etc.)
- Installing inadequate computer capacity

Useful Policies to Eliminate Waste and Mistakes
- Tightly control changes to corporate web site – ensure information is timely
- Have user manuals available
- Every report should clearly specify its general content and time period covered
- Implement proper procedures to ensure correct input data (to avoid “garbage in, garbage out”)

Computer Crime

Number of Incidents Reported to CERT

Computer Crime and Security Survey
Source: (1996: 16%)

Fastest Growing Crime in the US?
- Identity theft
  - Use someone else’s identity to obtain credit, conduct crimes, etc.
  - Necessary info: SSN, Name, (Date of Birth)
  - How often do you get a credit card application with your name on it?
- Largest identity theft case in US history
  - crime/story/0,10801,76252,00.html
- Identity theft survival guide

Recent Cybercrime Headlines
- 11/6/03: FTC Blocks Pop-Up Spammers
- 11/5/03: Microsoft Puts a Price on Hackers' Heads
- 11/3/03: Under Attack Again as Mimail Virus Spreads
- 10/24/03: Microsoft Patches Its Patches
- Source: Daily cybercrime report

The Computer as a Tool to Commit Crime
- Social engineering
  - Posing as someone else to gain trust of user to give out password
- Dumpster diving
  - Search garbage for clues on how to gain access to a system
- Shoulder surfing
  - Stand next to someone in a public place to get vital information
- Install keyboard logger
  - Record every keystroke and send back to criminal
- Cyberterrorism
  - E.g. Distributed Denial-of-Service (DDoS) attack

Computers as Objects of Crime
- Illegal access and use
  - Hackers
    - ‘Hacking’ away at programming and using a computer to its fullest capabilities
  - Crackers (criminal hackers)
- Information and equipment theft
- Software and Internet piracy
- Computer-related scams
  - Nigerian 419
- International computer crime

Data Alteration and Destruction
- Virus
- Worm
- Logic bomb
- Trojan horse
© Hal Mayforth 2003

Virus elements
- Distribution vector
  - How does it move from one computer to the next?
  - Virus: Attaches to other program, user must take action to spread
  - Worm: Self-propagates
- Payload
  - What does it do when it gets there?
- Ability to mutate
  - Makes it harder to detect, like the AIDS virus

Virus Characteristics
- Similar to biological viruses
  - Replicates on its own
  - May mutate
  - Can be benign or malicious
  - Attaches to a ’host’ program
- Constructed by a programmer
- Types of damage (payload)
  - Destruction of data, programs or hardware
  - Loss of productivity
  - Annoyance
- Top 10 last month: com/virusinfo/topten /

Virus Distribution
- Executable attachment that masquerades as image file (”Click to see picture of Anna Kournikova!”)
- HTML code that executes automatically in e-mail program (esp. Outlook and Outlook Express)
- Worm
  - Spreads directly from computer to computer
  - Often exploiting ’open ports’ or other vulnerabilities
- Trojan Horse / Logic Bomb
  - Virus disguised inside other program
- Greeting Cards (or other web sites)
  - Clicking link may cause nasty things to happen
- Hoax
  - E-mail about a ‘false’ threat. May ask user to delete important system file and forward to other users

Virus Example: SoBig virus
- Distribution vector:
  - Arrives in e-mail message, installs own SMTP engine (allows for sending e-mail without using installed e-mail program)
  - Sends itself to all addresses in address books
  - Forges sender address, so the person that the e-mail appears to come from may not be infected (“e-mail spoofing”)
  - User must execute attachment to be infected
  - Tried to copy itself to Windows shares (unsuccessful, due to bugs)
- Payload: None (except for extra traffic)
  - Might download malicious software from web site
- Expired September 10, 2003
- Source: tml

Symantec’s Virus guidelines
- Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
- If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Configure your e-mail server to block or remove e-mail that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
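The attachment-blocking guideline above, sketched as a mail-gateway check. This is an added example, not code from the slides or from Symantec. It also flags the "masquerades as image file" case from the Virus Distribution slide, where a harmless-looking extension sits in front of the real one. The function names, the decoy-extension list and the sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the guideline above.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}
# Harmless-looking extensions placed in front of the real one (constructed list).
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}


def split_extension(filename):
    """Return (stem, extension) the way Windows resolves the name."""
    # Drop any path component a sender may have put in the filename.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "setup.EXE." runs as .exe.
    name = name.rstrip(". ").lower()
    dot = name.rfind(".")
    if dot == -1:
        return name, ""
    return name[:dot], name[dot:]


def scan_message(raw):
    """List every attachment whose effective extension is on the block list."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also reaches nested multipart parts
        filename = part.get_filename()
        if not filename:
            continue
        stem, ext = split_extension(filename)
        if ext in BLOCKED_EXTENSIONS:
            _, inner = split_extension(stem)
            findings.append({
                "filename": filename,
                "extension": ext,
                # e.g. picture.jpg.vbs: only the last extension decides what runs
                "masquerade": inner in DECOY_EXTENSIONS,
            })
    return findings


def gateway_decision(raw):
    """Return ("block" | "deliver", findings) for one raw message."""
    findings = scan_message(raw)
    return ("block" if findings else "deliver"), findings


def build_sample(filenames):
    """Build a constructed test message carrying the given attachment names."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    for name in filenames:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for names in (["AnnaKournikova.jpg.vbs"], ["report.pdf", "notes.txt"], ["setup.EXE."]):
        print(names, gateway_decision(build_sample(names)))
```

Extension filtering only covers the file types on the list; it complements the virus scanning and user training in the other guidelines and does not replace them.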

The Six Computer Incidents with the Greatest Worldwide Economic Impact
ILOVEYOU was started by a student in the Philippines who had a project rejected by a teacher!

Measures of Protection
- General controls
  - Physical
    - A guard in front of a locked door can prevent many problems...
  - Biometric controls
    - fingerprint, hand print, retina scan, voice,...
  - Data security control
    - confidentiality, access control, data integrity

Measures of Protection
- Network Protection and Firewalls
  - Access control
  - Encryption
  - Firewalls: Most cost-effective defense, but not 100% effective
    - ZoneAlarm (personal software firewall)
    - Hardware firewall protects all computers on LAN
- Intrusion Detection Software
  - How can you protect yourself if you don’t know you were attacked?
- Protection can be assured by conducting an audit
  - Perhaps even hiring a hacker…
- Managed Security Service Providers (MSSPs)
  - Outsource the whole thing!

Common Computer Crime Methods

What can You Do Personally?
- Install security patches
  - For Windows:
- Use a virus scanner
- Take backup
- Protect your password (beware of social engineering)
- Install a firewall
- Encrypt sensitive data
- Don’t use IM chat software for sensitive communication
  - Changing: Vendors coming out with ‘corporate’ versions
- Visit www.grc.com to make sure your Shields are Up

Privacy

Privacy Issues
- Privacy and the Government
- Privacy at work
- E-mail privacy
- Privacy and the Internet

Privacy Dilemma
- People’s right to privacy – not be monitored
- Employers need to monitor activity on their premises
  - Discourage time-wasting behavior
  - Prevent criminal activity on network
- Law enforcement needs to solve crimes
- Anonymity makes some people more criminal/amoral

The Right to Know and the Ability to Decide

E-mail Privacy
- Work e-mail is not private
  - Employers have right to read employee e-mail
  - Can be used as evidence in court
  - Companies need to have a policy for storing e-mail
- Can also cause problems for elected officials
  - Recently Oshkosh School Board was ‘discovered’ to delete messages
  - Violates open meeting laws

The Work Environment

Health Concerns
- Repetitive Motion Disorder (Repetitive Stress Injury; RSI)
  - An injury that can be caused by working with computer keyboards and other equipment
- Carpal Tunnel Syndrome (CTS)
  - The aggravation of the pathway for nerves that travel through the wrist (the carpal tunnel)
- Current research says computers do not cause permanent damage
  - A few months without computer will help
  - Research is still being conducted
- Technology can also remove dangerous work situations

Ergonomics
- The study of designing and positioning computer equipment for employee health and safety
  - How high should your monitor be?
  - Where should keyboard, mouse be?
  - Good ways of working to minimize risks
- Web sites on ergonomics:
  - er/

That’s it
- Thursday
  - Rest of lecture
  - Time to work on DB Project implementation. Suggested design solution will be available
- Tuesday
  - Web design/development lecture/demonstration
  - Learn to create your own web page
- Thursday
  - Lab to work on web page (IT Problem 4)