Slide 1:SECURITY, PRIVACY, AND ETHICAL ISSUES IN INFORMATION SYSTEM
GROUP-3
ROLL NO. 41 TO 60
Slide 2:Information security
Information security is intended to achieve confidentiality, availability, and integrity in the firm's information resources.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Information security describes efforts to protect computer and non-computer equipment, facilities, data, and information from misuse by unauthorized parties.
The management of information security consists of:
The day-to-day protection, called information security management (ISM)
Preparing for operating after a disaster, called business continuity management (BCM)
Slide 3:Information Security Components, or qualities, i.e., Confidentiality, Integrity and Availability (CIA).
Slide 4:For over twenty years information security has held that confidentiality, integrity and availability (known as the CIA Triad) are the core principles of information security.
Information security is intended to achieve three main objectives:
Confidentiality: protecting a firm’s data and information from disclosure to unauthorized persons.
Availability: making sure that the firm's data and information is only available to those authorized to use it.
Integrity: information systems should provide an accurate representation of the physical systems that they represent.
In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility.
Slide 5:INFORMATION SECURITY IN HUMOUR
Slide 6:INFORMATION SECURITY MANAGEMENT (ISM)
ISM consists of four steps:
Identifying the threats that can attack the firm's information resources.
Defining the risks that the threats can impose.
Establishing an information security policy.
Implementing controls that address the risk.
Benchmarks are also used to ensure the integrity of the risk management system.
Slide 8:A threat is anything (man made or act of nature) that has the potential to cause harm.
An information security threat is a person, organization, mechanism, or event that can potentially inflict harm on the firm's information resources
Threats can be internal or external, accidental or intentional
Figure below shows the information security objectives and how they are subjected to the four types of risks:
Internal and External Threats
Accidental and Deliberate threat
Slide 10:Threats: Illicit Activities
‘Phishing’: sending out ‘scam’ e-mails with the criminal intent of deceit and extortion
Phishing is a technique used by strangers to "fish" for information about you, information that you would not normally disclose to a stranger, such as your bank account number, PIN, and other personal identifiers such as your National Insurance number. These messages often contain company/bank logos that look legitimate and use flowery or legalistic language about improving security by confirming your identity details.
Slide 11:Phishing example
Threats: MALWARE
Malware is Malicious Software - deliberately created and specifically designed to damage, disrupt or destroy network services, computer data and software.
There are several types...
Malware Types
Viruses:
Conceal themselves
Infect computer systems
Replicate themselves
Deliver a ‘payload’
Slide 14:Malware Types
Worms:
Programs that are capable of independently propagating throughout a computer network.
They replicate fast and consume large amounts of the host computer's memory.
Slide 15:Malware Types
Trojan Horses:
Programs that contain hidden functionality that can harm the host computer and the data it contains.
Trojan horses are not automatic replicators - computer users inadvertently set them off.
Slide 16:Malware Types
Software Bombs:
Time Bombs - triggered by a specific time/date
Logic Bombs - triggered by a specific event
Both are introduced some time before and will damage the host system
Slide 17:The most notorious threat - "virus"
A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. The term "virus" is also commonly used, albeit erroneously, to refer to many different types of malware and adware programs.
A virus is a computer program that can replicate itself without the user’s knowledge.
A worm can’t replicate itself within a system but can transmit copies of itself by e-mail.
A Trojan horse can neither replicate nor distribute itself. Distribution is accomplished by users who distribute it as a utility that, when used, produces unwanted changes in the system's functionality.
Slide 18:Cyber Warfare
Sides have been taken:
By June 2006, 180,292 unique computer viruses had been identified. **
There are approximately 150-250 new viruses identified every month. *
* Source: Cybercrime by Steven Furnell (2002) p 154
** Source: (2006) www.sophos.com
Slide 19:Nonresident viruses
Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.
Resident viruses
Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can be called each time the operating system executes a file.
Slide 20:Vectors and hosts
Viruses have targeted various types of transmission media or hosts. This list is not exhaustive:
Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux)
Volume Boot Records of floppy disks and hard disk partitions
The master boot record (MBR) of a hard disk
General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms).
Application-specific script files (such as Telix-scripts)
Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)
Cross-site scripting vulnerabilities in web applications
Arbitrary computer files.
Slide 21:computer gets cold
2008 latest viruses:-
May 6 : Rustock.C, a hitherto-rumoured spambot-type malware with advanced rootkit capabilities, was announced to have been analysed and detected, having been in the wild and undetected since October 2007 at the very least. [2]
Jun 29 : An XSS worm known as JTV.worm was initiated by a security group known as n0ths affecting Justin.tv, infecting 2,525 profiles within 24 hours.
Slide 22:Anti-virus software and other preventive measures
Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable.
There are two common methods that an anti-virus software application uses to detect viruses.
The first, and by far the most common method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer's memory (its RAM, and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus "signatures".
The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update.
The second method is to use a heuristic algorithm to find viruses based on common behaviors. This method has the ability to detect viruses that anti-virus security firms have yet to create a signature for.
Users must update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to prevent the latest threats.
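The two detection methods above, side by side, as an added example that is not part of the original slides. The byte strings, signature names, behaviour names, weights and threshold are all constructed for illustration; the point is that the new variant slips past the signature database but is still flagged by the behaviour-based heuristic.

```python
import hashlib

# Constructed, harmless byte strings standing in for files (not real malware).
KNOWN_SAMPLE = b"HEADER" + b"DEMO-MARKER-A" + b"body-v1"
NEW_VARIANT = b"HEADER" + b"DEMO-MARKER-B" + b"body-v2"  # no signature exists yet
CLEAN_FILE = b"HEADER" + b"quarterly report text"

# Method 1: database of known "signatures" (byte patterns and whole-file hashes).
PATTERN_DB = {"Demo.A/pattern": b"DEMO-MARKER-A"}
HASH_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.A/hash"}


def signature_scan(data):
    """Return the names of every known signature found in the data."""
    hits = [name for name, pattern in PATTERN_DB.items() if pattern in data]
    name = HASH_DB.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    return hits


# Method 2: heuristic score over observed behaviours (constructed event names,
# of the kind a sandbox or endpoint monitor might report).
BEHAVIOUR_WEIGHTS = {
    "writes_into_other_executables": 5,
    "modifies_master_boot_record": 5,
    "disables_system_restore": 3,
    "disables_task_manager": 3,
}
ALERT_THRESHOLD = 6


def heuristic_scan(events):
    """Return (flagged, score); each distinct behaviour counts once."""
    score = sum(BEHAVIOUR_WEIGHTS.get(event, 0) for event in set(events))
    return score >= ALERT_THRESHOLD, score


def verdict(data, events):
    """Signature match first, then fall back to the behaviour heuristic."""
    hits = signature_scan(data)
    if hits:
        return "known: " + ", ".join(hits)
    flagged, score = heuristic_scan(events)
    return f"suspicious (score {score})" if flagged else "clean"


if __name__ == "__main__":
    variant_events = ["opens_file", "writes_into_other_executables",
                      "disables_system_restore"]
    print(verdict(KNOWN_SAMPLE, []))
    print(verdict(NEW_VARIANT, variant_events))
    print(verdict(CLEAN_FILE, ["opens_file"]))
```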
Slide 23:Other preventive measures:-
One may also minimise the damage done by viruses by making regular backups of data (and the Operating Systems) on different media, that are either kept unconnected to the system (most of the time), read-only or not accessible for other reasons, such as using different file systems.
Recovery methods
Once a computer has been compromised by a virus, it is usually unsafe to continue using the same computer without completely reinstalling the operating system. However, there are a number of recovery options that exist after a computer has a virus. These actions depend on severity of the type of virus.
Slide 24:Virus removal
One possibility on Windows Me, Windows XP and Windows Vista is a tool known as System Restore, which restores the registry and critical system files to a previous checkpoint. Often a virus will cause a system to hang, and a subsequent hard reboot will render a system restore point from the same day corrupt. Restore points from previous days should work provided the virus is not designed to corrupt the restore files or also exists in previous restore points [15]. Some viruses, however, disable system restore and other important tools such as Task Manager and Command Prompt. An example of a virus that does this is CiaDoor.
Slide 25:Common anti-viruses:
Norton
McAfee
Kaspersky
AVG
Slide 26:Risk
Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset).
Unauthorized acts that present risks can be categorized into four types:
Unauthorized Disclosure and Theft
Unauthorized Use
Unauthorized Destruction and Denial of Service
Unauthorized Modification
Slide 27:Security awareness poster. U.S. Department of Commerce/Office of Security.
Slide 28:Risk assessment
The ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a risk assessment:
security policy,
organization of information security,
asset management,
human resources security,
physical and environmental security,
communications and operations management,
access control,
information systems acquisition, development and maintenance,
information security incident management,
business continuity management, and
regulatory compliance.
Slide 29:Risk management
In broad terms the risk management process consists of:
Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
Conduct a threat assessment. Include: Acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
The four sub-steps to defining information risks are:
Identify business assets to be protected from risks
Recognize the risks
Determine the level of impact on the firm should the risks materialize
Analyze the vulnerabilities of the firm
Slide 30:Information security policy
An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal and so not all information requires the same degree of protection. This requires information to be assigned a security classification.
The first step in information classification is to identify a member of senior management as the owner of the particular information to be classified.
Next, develop a classification policy.
Slide 31:Common information security classification labels used by the business sector are:
public, sensitive, private, confidential.
Common information security classification labels used by government are:
Unclassified, Sensitive But Unclassified, Restricted, Confidential, Secret, Top Secret and their non-English equivalents
Slide 32:Implementing controls
A control is a mechanism implemented to protect the firm from risks or minimize the impact of those risks on the firm should they occur:
Technical controls are those built into systems by system developers during the system development life cycle
Access control is the basis for security against threats by unauthorized persons
Intrusion detection systems try to recognize an attempt to breach security before it has the opportunity to inflict damage
Slide 34:Identification
Identification is an assertion of who someone is or what something is. If a person makes the statement "Hello, my name is John Doe." they are making a claim of who they are. However, their claim may or may not be true. Before John Doe can be granted access to protected information it will be necessary to verify that the person claiming to be John Doe really is John Doe.
Slide 35:Authentication
Authentication is the act of verifying a claim of identity. When John Doe goes into a bank to make a withdrawal, he tells the bank teller he is John Doe (a claim of identity). The bank teller asks to see a photo ID, so he hands the teller his driver's license. The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe. If the photo and name match the person, then the teller has authenticated that John Doe is who he claimed to be.
Slide 36:There are three different types of information that can be used for authentication: something you know, something you have, or something you are.
Examples of something you know include such things as a PIN, a password, or your mother's maiden name.
Examples of something you have include a driver's license or a magnetic swipe card.
Something you are refers to biometrics. Examples of biometrics include palm prints, finger prints, voice prints and retina (eye) scans.
On computer systems in use today, the Username is the most common form of identification and the Password is the most common form of authentication.
Slide 37:AUTHORIZATION
After a person, program or computer has successfully been identified and authenticated then it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change). This is called authorization.
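Identification, authentication and authorization from the preceding slides as three separate checks, in an added example that is not part of the original slides. The username, password, resource name and PBKDF2 iteration count are constructed assumptions; the password is "something you know" and is stored only as a salted hash.

```python
import hashlib
import hmac
import os

USERS = {}        # username -> (salt, password hash): the identities we recognise
PERMISSIONS = {}  # username -> {resource: set of allowed actions}
_DUMMY = (b"\x00" * 16, b"\x00" * 32)  # lets unknown users cost the same work


def _hash(password, salt):
    # Store a salted, deliberately slow hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enrol(username, password, permissions):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))
    PERMISSIONS[username] = permissions


def authenticate(username, password):
    """Verify the claim of identity (the username) with something the user knows."""
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    return matches and username in USERS


def authorize(username, resource, action):
    """Decide which actions (run, view, create, delete, change) are permitted."""
    return action in PERMISSIONS.get(username, {}).get(resource, set())


def request(username, password, resource, action):
    # Authentication always comes before authorization.
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, action):
        return "denied: not authorized"
    return "granted"


# Constructed sample account: John Doe may only view his statement.
enrol("jdoe", "correct-horse-battery", {"account-statement": {"view"}})

if __name__ == "__main__":
    print(request("jdoe", "correct-horse-battery", "account-statement", "view"))
    print(request("jdoe", "wrong-guess", "account-statement", "view"))
    print(request("jdoe", "correct-horse-battery", "account-statement", "delete"))
```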
Slide 39:A digital signature scheme typically consists of three algorithms:
A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.
A signing algorithm which, given a message and a private key, produces a signature.
A signature verifying algorithm which given a message, public key and a signature, either accepts or rejects.
Two main properties are required. First, a signature generated from a fixed message and fixed private key should verify on that message and the corresponding public key. Secondly, it should be computationally infeasible to generate a valid signature for a party who does not possess the private key
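The three algorithms and the two required properties, shown in an added example that is not part of the original slides. It uses a Lamport one-time signature, chosen here only because it needs nothing beyond a hash function; each private key may sign a single message, and production systems use schemes such as RSA, ECDSA or Ed25519 from a vetted library.

```python
import hashlib
import secrets

N = 256  # one key pair element per bit of a SHA-256 digest


def _h(data):
    return hashlib.sha256(data).digest()


def _bits(message):
    """The 256 bits of the message digest, most significant bit first."""
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def keygen():
    """Pick the private key uniformly at random; derive the public key from it."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    public = [(_h(zero), _h(one)) for zero, one in private]
    return private, public


def sign(message, private):
    """Reveal, for each digest bit, the private value that matches that bit."""
    return [private[i][bit] for i, bit in enumerate(_bits(message))]


def verify(message, public, signature):
    """Accept only if every revealed value hashes to the expected public value."""
    if len(signature) != N:
        return False
    return all(_h(signature[i]) == public[i][bit]
               for i, bit in enumerate(_bits(message)))


if __name__ == "__main__":
    private_key, public_key = keygen()
    message = b"Pay 100 to John Doe"  # constructed sample message
    signature = sign(message, private_key)
    print(verify(message, public_key, signature))                 # property 1
    print(verify(b"Pay 900 to John Doe", public_key, signature))  # altered message
```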
Slide 43:HANDWRITING RECOGNITION
Slide 44:Cryptography
Cryptography is the use of coding by means of mathematical processes.
The data and information can be encrypted as it resides in storage and/or is transmitted over networks.
If an unauthorized person gains access, the encryption makes the data and information unreadable and prevents its unauthorized use.
Special protocols such as SET (Secure Electronic Transactions) have been developed for use in e-commerce.
Slide 45:BUSINESS SECURITY MANAGEMENT (BSM)
The key element in BCM is a contingency plan, formally detailing the actions to be taken in the event that there is a disruption, or threat of disruption, in any part of the firm’s computing operation.
Rather than using a single, large contingency plan, a firm’s best approach is to develop several sub-plans that address specific contingencies, such as:
An emergency plan
A backup plan
A vital records plan
Slide 46:Information privacy
Data privacy is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal issues surrounding them.
Privacy concerns exist wherever personally identifiable information is collected and stored - in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues. Data privacy issues can arise in response to information from a wide range of sources, such as:
Healthcare records
Criminal justice investigations and proceedings
Financial institutions and transactions
Biological traits, such as genetic material
Residence and geographic records
Ethnicity
Slide 47:Information types
Various types of personal information often come under privacy concerns.
1. Lifestyle
For various reasons, individuals may not wish personal information such as their religion, sexual orientation, political affiliations, or personal activities to be revealed
2. Financial
Information about a person's financial transactions, including the amount of assets, positions held in stocks or funds, outstanding debts, and purchases can be sensitive
3. Internet
The ability to control what information one reveals about oneself over the Internet, and who can access that information, has become a growing concern.
Slide 48:Information types (cont’d)
4. Medical
A person may not wish for their medical records to be revealed to others. This may be because they have concern that it might affect their insurance coverages or employment.
5. Political
Political privacy has been a concern since voting systems emerged in ancient times. The secret ballot is the simplest and most widespread measure to ensure that political views are not known to anyone other than the voter
6. Legality
The legal protection of the right to privacy in general - and of data privacy in particular - varies greatly around the world.
Slide 49:Information ethics
Ethics: A Definition
Ethics are the principles and standards that guide our behavior towards other people.
Information ethics is the field that investigates the ethical issues arising from the development and application of information technologies.
How does it apply to us?
Faced every day with decisions
-right or wrong
-good or bad
Internet usage
-plagiarism
-downloading music
Slide 50:The Importance of Information Ethics
In our increasingly complex and technologically dependent society, many critical issues relevant to information access and usage are misunderstood, overlooked, or simply ignored.
Some of these issues involve an individual’s privacy vs. the public’s “right to know.”
Other issues include the extent to which an employer may have access to its employees’ medical records, e-mail, personnel files, and other confidential information.
Still other issues concern the increased need for security of information content and systems to protect against terrorist attacks.
Slide 51:Dr. Ramon C. Barquin developed the TEN COMMANDMENTS OF COMPUTER ETHICS, which have been defined by the Computer Ethics Institute:-
Thou shall not use a computer to harm other people.
Thou shall not interfere with other people's computer work.
Thou shall not snoop around other people’s files.
Thou shall not use a computer to bear false witness.
Thou shall not use or copy software for which you have not paid.
Thou shall not use other people’s computer resources without authorization.
Thou shall not appropriate other people’s intellectual outputs.
Thou shall think about the social consequences of the program you write.
Thou shall use a computer in ways that show consideration and respect.
Slide 52:Ethical issues related to technology:-
intellectual property
copyright
fair use doctrine
counterfeit software
pirated software
What Is Copyright?
Copyright is simply that: the right to copy. The holder of a copyright is the person who legally owns that right. Most of the time the copyright holder is the creator of the work (the author, composer, painter or photographer) although that is not always the case.
Slide 53:A final word:
Treat your password like you treat your toothbrush. Never give it to anyone else to use, and change it every few months.
THANK YOU