Transcript Chapter08x
CHAPTER FOUR ETHICS AND INFORMATION SECURITY Organization I organize this lecture into 2 parts Ethnics in information systems (and life) Some technical security fundamentals (how it all works) Ethics and Morals Morals are about personal character Ethics are about social systems that apply (enforce) personal character http://www.mit.edu/people/nygren/cou rses/6.868/project/ Moral restraint So some questions are? How do your morals influence ethics? How do social systems influence your morals? Ethical Issues Related to Information Systems Ethics are social principals that guide right and wrong We can categorize these into moral dimensions of the information age Information rights and obligations Property rights Accountability and control System quality Quality of life Philosophical (and other)Ethical Principles The Golden Rule Kant’s categorical imperative The law of autonomous will Any action is OK given the right circumstances John Stuart Mill’s Utilitarian Principle If it’s good for the masses, it’s good We maximize utility (quantitative) The Risk Aversion Principle http://plato.stanford.edu/entries/risk/#E th The no free lunch theory The Legal / Political Dilemma The Constitution grants rights to individuals and defines basic ethical values for society The legal system has codified many ethical values too The problem is that the legal system and Congress cannot keep up with the rapid rate of change The framers of the Constitution did not envision the Internet Ethics in an Information Society We are responsible for what we do We become accountable when a responsibility is violated When accountable and responsible, we are liable within legal systems These common rules apply to privacy / accuracy / confidentiality of information Real-world Problems The digital divide Net neutrality Universal information availability Digital Divide 1.0 The haves and have not's The magical number for internet connectivity is about $10.00 / month or $120.00 / year 40% of the worlds population lives on less than $2.00 / day 20% lives on less than $1.00 / day The Appalachians defined by the Denver post http://blogs.denverpost.com/captured/2012/04/24/photos-life-appalachia/5680/ Digital Divide 2.0 We solve this by wasting time http://www.nytimes.com/2012/05/30/ us/new-digital-divide-seen-in-wastingtime-online.html?pagewanted=all Interesting to see this around school So is it about access or culture? Net Neutrality The principle says that everyone on the internet should be treated the same Net Neutrality YouTube and Netflix combined account for 45% of peak network traffic Amazon and Hulu consume about 3% So should I pay more than you? https://www.whitehouse.gov/netneutrality Universal Information Availability China completely blocks Facebook and Twitter Google is on restriction Why… Tiananmen Square (June 3-4) Yet… http://www.businessinsider.com/whatthe-chinese-tech-industry-is-like-20141 Universal Information Availibility And “the internet is written in ink?” But now we can delete an e-mail? http://www.reuters.com/article/2014/07/02/usgoogle-goldman-leak-idUSKBN0F729I20140702 Professional Rules of Conduct Professionals establish ethical guidelines and are ‘somewhat’ selfregulating Examples ABA AMA ACM Real-World Ethical Dilemmas Electronic profiling Employee monitoring Via telephone Web usage Phishing and spam Moral Dimensions of Information systems 1st amendment right to free speech 4th amendment right to privacy Is pornography obscene or a first amendment right? Does electronic profiling violate 4th amendment rights? Intellectual property rights How do we respect Web content creators The music industry anyone? Fair Information Practices (Introduction) The balance between an individual's right to privacy and a record keeper's rights to transaction information What do companies do with the information that they collect? Privacy Legislation (1) Freedom of Information Act (1968) Applies only to Federal agencies Does not apply to state or local governments Does not apply to the courts or to Congress Does not apply to information deemed classified Information must be requested in writing Privacy Legislation (2) Privacy act of 1974 Goals Attempts to regulate the collection, maintenance, use, and dissemination of personal information by Federal executive branch agencies Restrictions on Social Security number usage Privacy act of 2001 additional restrictions Sales of health information Privacy Legislation (3) Electronic Communications Privacy Act of 1986 Provides privacy for wireless communications Restricts rights to intercept e-mail Provides a modicum of workplace privacy It does not address well data stored in the cloud The Act was revised in 2000 http://en.wikipedia.org/wiki/Electronic_ Communications_Privacy_Act Privacy Legislation (4) Data Privacy Act of 1997 Defines voluntary guidelines that: Limit the collection and use of personal information through interactive computer services Prohibits the marketing use of personal health information obtained through interactive computer services http://epic.org/privacy/internet/hr_98. html Privacy Legislation (5) The DON’T CALL LIST Privacy Legislation (6) The CAN-SPAM Act of 2003 Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 Unsolicited e-mail messages to be labeled as such No standard methodology was specified Prohibits the use of deceptive subject lines Prohibits the use of false headers Opt-out instructions must be included There is no “do not e-mail” list http://en.wikipedia.org/wiki/CANSPAM_Act_of_2003 Unenacted Privacy Legislation Anti-Phishing Act of 2005 Computer Owners’ Bill of Rights which would have established a donot-email registry Criminal Spam Act of 2003 Wireless Telephone Spam Protection Act Understanding Intellectual Property (1) Trade secrets Protection varies from state to state Any intellectual work not in the public domain Copyrights Protects intellectual property for 28 years Copyrights have been extended to software Understanding Intellectual Property (2) Patents 17 (usually) year monopoly behind the ideas on an invention Information Management Policies Companies typically have policies for use of information Ethical computer use Information privacy E-mail privacy Appropriate Internet use in the workplace Security policies Employee education is the key Ethical Computer Use Restrictions on personal e-mail at the workspace Restrictions on workplace e-mail content Appropriate use of the Web Restrictions vary based on the type of company Information Privacy Policies Know what information is being collected and what is done with that information Secure information that is collected Ensure that information is not maliciously or inadvertently altered Establish clear guidelines for information sharing E-mail Privacy E-mail is not secure Most anyone can read it if they want Several copies of an e-mail exists as it moves through the network Establish policies for reading e-mail destined for other users Establish policies for e-mail as a communication vehicle E-mail retention policies Workplace Ethics Countless work hours are lost to employees conducting personal business at work Employee monitoring is on the rise Employee monitoring policies should be well-understood by employees The cultural impact of employee monitoring can be severe! Part 2 Information Security The Cost of Failure Partial and complete system failures cost money Failures arise from Natural disasters Plant failures (electrical / water / cooling) Technical failures (hardware / software / network) The problems are severe with mission critical systems Protecting Intellectual Property Information is intellectual capital Information security is often required by law HIPAA People - a coherent security policy, and procedures are the first line of defense Social engineering is a big problem Information Security Issues Employee training and awareness Physical security Network security Firewalls Network monitoring software Risks of outsourcing and application service providers Disaster recovery Technological Solutions to Security Dimensions of security Authentication and authorization Prevention and resistance Detection and response Authentication and Authorization Authentication confirms identity User ID and password (Something you know) Smart cards (Something you have) Enforce the use of strong passwords Electronic cards whose password changes every few minutes Biometrics (Something part of you) Fingerprints / voice / retina / etc… Prevention and Resistance (1) Network monitoring for different types of attacks Denial of service Phishing attacks Content filtering Anti-virus software Firewalls Encryption of sensitive data Public key crypto Denial of Service Attacks (1) Make the system unavailable (crash it or make it run very slowly) by sending one message or a stream of messages Single Message DOS Attack (Crashes the Victim) Server Server Message Stream DOS Attack (Overloads the Victim) Attacker Attacker Denial of Service Attacks (2) Distributed DOS (DDoS) Attack: Messages come from many sources Attack DoS Attack Packets Computer with Command Zombie Server Attack Attacker Command DoS Attack Packets Computer with Zombie Firewalls Firewalls are of two types Packet level firewalls restrict access to known sources (hosts) Application level firewalls use a proxy server on a per service basis Packet Filter Firewall Corporate Network The Internet Permit Packet Filter Firewall Deny IP-H TCP-H Application Message IP-H UDP-H Application Message IP-H ICMP Message Arriving Packets Examines Packets in Isolation Fast but Misses Some Attacks Application (Proxy) Firewall 5. Inspect Response Message Browser 6. Examined HTTP Response HTTP Proxy 4. HTTP Response There must be a proxy for each application FTP Proxy Client PC SMTP (E-Mail) Proxy Webserver Application Firewall Detection and Response Security Probes – vulnerability scanners Test, report, suggest SATAN (Security Analyzer Tool for Analyzing Networks) Unix, TCP/IP Intrusion Detection Identify traffic patterns Cisco Secure, Snort Anti-virus software Workplace Security Solutions (1) Passwords One-time passwords Use of strong passwords Require regular password changes E-mail Unencrypted e-mail can be read as it moves through the network Source of viruses from attachments and scripts Employ e-mail virus scanning software Workplace Security Solutions (2) Untrusted software Physical Restrict download of untrusted or unknown software Require standard computer configurations Restrict access to computer room and trusted terminals Restrict access to physical site Social Engineering Train personnel against social engineering attacks Home Security Solutions (1) Operating system Install updates and patches Configure chat programs Firewalls Microsoft Office and e-mail Do not run untrusted Office macros Encrypt sensitive e-mail Use care when opening e-mail attachments Beware of e-mail spoofing Home Security Solutions (2) General security measures Install and use anti-virus programs Backup important files and folders Use strong passwords Don’t enable file sharing Beware of wireless networks Social Engineering (Introduction) Using human relationships to attain a goal Intruders use social engineering to illegally compromise corporate assets Social Engineering (Tactics) Social engineers try to establish trust Pretend to provide help to victim (reverse social engineering) Attempt to gain physical access Social Engineering (Defenses) Establish password policies Classify data based on risk and sensitivity Define acceptable use policies Perform background checks Define rigorous termination policies Define physical security policies Perform ongoing security awareness training Security Organizations (CERIAS) Mission is to enhance public awareness of information protection (CERT) Analyze and report on the state of Internet security www.cerias.org www.cert.org (SANS) Operates an early warning system www.sans.org