Okay, so for Chapter 4 we'll cover information security.

MIS Business Concerns

So, information ethics. Business issues related to information ethics: you have intellectual property, copyright, pirated, and counterfeit software. The book defines intellectual property as intangible creative work that is embodied in physical form, which includes copyrights, trademarks and patents. Copyrights are basically anything that you are provided legal protections for, usually the expression of an idea: a song, book, or video game.

Okay, so pirating software is the unauthorized use, duplication, distribution or sale of copyrighted software. Counterfeit software is manufactured to look like the real thing. So counterfeit is basically like a copy or a copycat. Pirated is where they make copies without permission, and they usually make a profit off of it.
Now, within information ethics you also have privacy and confidentiality. Ethics is the principles and standards that guide our behavior towards other people. Ethics, they're not always "cut and dry." Sometimes something that's ethical is not necessarily legal, and something that is legal is not necessarily ethical. So with a lot of ethical issues there is a lot more that goes into what is right or wrong than just whether the law says it's right or wrong. I've given information on that here (notes). Knowing the law is important, but that knowledge will not always help.

Some of the ethical issues present are privacy issues. Privacy is the right to be left alone; you shouldn't have to deal with people watching over your shoulder, knowing every website you visited, every person you talked to online, and what you tell them. You have a degree of privacy you expect when you use technology and the internet. You know, when you email someone, you don't expect to have people monitoring what you sent to them and using that to, you know, market you with ads, or spying on you.

Confidentiality: information is only available to those authorized to view it. So you don't perceive that Google is viewing and reading your emails. You perceive more that they are just sending your emails. Now there's an ethical issue there, where Google may argue that they are storing those emails on their servers, thus they have the right to view them whenever they feel like, where you may say, "I did not agree to have my emails reviewed whenever you like."
So here are some examples of ethically questionable or unacceptable information technology use. So with a lot of this, you may perceive it as ethical. You may say (feel) that there is nothing wrong with that. You may look at it and say (feel) that's completely wrong, you shouldn't do that.

For instance, say your friend or your classmate that you kind of know works for Lamar and is looking at your personal information, such as your schedule. You might personally have no problem with that, but what if a person is using the schedule to spy on someone, to follow them around, harass them? You know, there's good and bad in that situation. You know, it might just be that they are able to access information and they're not, so maybe that doesn't bother you, but there is the potential for them to access information that you may not want them to have access to.

Employees destroy or steal proprietary organizational information. The creator of Bratz dolls, when he came up with the concept, worked for Barbie. So Barbie consequently sued Bratz dolls and won, because the thing is, it may have been his concept, but he was using their materials, their time, and if he was collaborating with people there, maybe not on that idea, but he was gaining ideas from them, so technically they had a right to a portion of that idea. You may not see that as ethical because it is your idea and you came up with it, but Barbie sees it as they gave a part to that idea in some way. And usually when you work for those companies you sign a contract saying that any ideas you come up with while you work for them belong to them, just like Facebook has a clause that any pictures you upload belong to them. That might be something you might consider.

Individuals copy, use, and distribute software. So you may see no problem with making a copy of a game and giving it to your friend, but does that make it right? Those were some examples; there's more in the book on page 135.
Information does not have ethics, people do. So the information is not going to make itself ethical. You know, as a society and on personal levels we decide what is ethical and what is not. Something being ethical doesn't necessarily depend on what you think is right or wrong, but on what is accepted in society as right or wrong. Sometimes that's the case. You may not consider something unethical, but the courts, or the people who decide the reputation for your company, consider it unethical; then it is probably unethical (in the eyes of society). So a lot of it can have to do with perception as well.
Tools to prevent misuse

Managing your information. Basically... defining... (searching) ...regulates the definition, use, and distribution, ensuring it has the types of data and information required to function and grow. So you're managing information, you're governing it, and you're complying, and then ediscovery. So basically you need to manage information, you need to govern it, and you need to comply with it. Employees need to know what's expected of them in terms of information, so if the company itself considers something unethical it needs to let the employees know in some way that it's considered unethical, usually through the employee manual or information security manual. Okay. They also need to know that if they agree to the terms, then they are agreeing to comply with that information management criteria.
Ediscovery is the ability of the company to identify, search, gather, seize, or export digital information. And basically, if you work for a company, any information they own, you know, any emails you send through their email accounts, any files you open, any websites you open, all of that they have the right to view and read, by law, because it's on their servers, it is on their internet, it is theirs. So you have to keep that in mind when you're at a job: what you're doing, what you are saying, what you are sending, because if it is perceived as a conflict of interest, if it's perceived as unethical, you'll be held accountable.

Digital information can be used in court. So emails can be used in court, files, data files. If you have ever watched CSI (Crime Scene Investigation), now they can recover data that's been deleted. Data is not gone until it's deleted from all the hard drives that it exists on. So just because you delete a file, if you've sent it over the internet, it can be on many different hard drives, so there's no way to get that back. So they had a problem once where some scientists got in trouble because they were emailing each other back and forth, talking about something. Basically what happened was they deleted their emails when they were done with them, but they were still stored on the server. So someone hacked the server, got the emails, sent it to a news group, and the scientists were apparently doing something unethical and they got into a lot of trouble for it. So just because you delete it doesn't mean it is gone.
So some information-based laws are on page 138, Figure 4.3. It is good to understand those laws and what they mean. Three important ones are: the Electronic Communications (Privacy) Act, which was 1986, the communications privacy act. Employees have no right to privacy when using their company's computers. By law you have no privacy rights.

Sarbanes-Oxley, you'll see that quite often if you take other business courses. It required companies to implement extensive and detailed policies to prevent illegal activity. They have to respond in a timely manner to investigate illegal activity. So they can't just see that their database was hacked and do nothing; they have to let you know in a timely manner that something's happened.

The Fair and Accurate Credit Transactions Act in 2003. Basically you get a free credit report each year. That doesn't mean credit score; credit report, they're two different things. They cannot put your full credit card (number) on the receipt, and lenders and creditors have to take action before a victim knows a crime has occurred. So if a system has been hacked, or maybe someone loses a flash drive, or maybe they see someone is using your card in China, they have to notify you. And you are legally allowed to have a 90 day... you have a 90 day, I can't remember what it is called, you can put it on your credit report where no one can open new credit on your credit account without asking you first. They have to call and check with you before they can actually open any new credit accounts. So it is like a credit protection. So read through those laws and understand what they mean.
Information Management Policies

Organizations strive to build a culture based on ethical principles. Epolicies are policies and procedures that address information management along with the ethical use of computers and the internet. So this has to do with policies involving information management and information use. Like I said before, you need to have policies in place that let employees know what's expected of them, what they can and cannot do, but they also need to know the consequences if they do something, and that is where these policies come in.

So you have your ethical computer use policy, which is general principles on using a computer (at work), if you can or cannot access Facebook. You know, that has more to do with social media. Computer use is where you can only use a computer to log on to company software. You can only use it to access company email, you can't access personal email, etc. Information privacy: you can't share company documents outside of the business, you can't take certain documents home. Acceptable use policy, that's where you can't access Facebook. For example, state (of Texas) employees, they are not allowed to access any personal website. They cannot access personal email, cannot access Facebook. They are not supposed to access anything but company software or company websites, and they usually monitor this, and if they catch you usually it's termination or a warning. And these are all stated in the acceptable use policy. Now the acceptable use policy is also something that you usually agree to before you can use the service, so you'll usually sign that when you join an organization. You'll also sign one when you use some WIFI hot spots. If you go to a hotel and you use the WIFI, you'll sign (or agree to) an acceptable use policy.

And then email privacy policies are the extent to which emails may be read by others. Social media policies govern employee communication online, which they can monitor. If you make your posts on Facebook public, then they can monitor your Facebook posts. Workplace monitoring, pretty much it happens; if you don't like it then you just don't work there. You know, like I said before, you are not given privacy when using work computers.
Protecting intellectual assets

Downtime can cost a lot of money. Downtime is not just natural disasters; you have things like power outages, you have network failures, static electricity, viruses, corrupted data. There are any number of things that can cause the system to go down. There's a full list on page 146. It (downtime) needs to be planned for both proactively, meaning to prevent it and to plan for it ahead of time, and it needs to be planned for afterward: what to do if it does happen. Information security is used to combat downtime. If you can secure the information, downtime can be kept to a minimum, as well if you can prevent hacking. Maybe you can back up the data so that if it does go down you could bring it back up. If there is a power outage maybe you have a surge protector or a backup battery, and that way you don't actually lose the system.

So how much could downtime cost your business? It can cost you financially, it can cost you in reputation, and it can cost you legally. I gave the example of the Playstation Network. In 2011 they went down from April through May. It cost them a reported $171 million. They lost from players who were not buying add-ons, not buying videos, not buying games, not using the virtual reality interfaces and buying content there, and then they had to put money out to fix the problem. They still had to pay their employees, and they had to pay to mediate afterward. They had to offer something to make their customers happy again. Some were even paying subscription fees, which they had to refund. So there's a lot that can go into downtime. So it's cheaper to prevent it. Okay.
Security threats caused by hackers

Hackers will often cause an elevation of privilege to lead the system into granting them unauthorized access. They'll pose as the wrong kind of user, or find a "back door" into the system. Hoaxes: maybe they'll transmit a virus hoax with a real virus attached. They may be pretending to be a virus scanner which is actually a virus. Malicious code includes viruses, worms, and Trojan horses. You have spoofs, which are basically emails that pretend to be authentic emails from an actual sender, but are not. Then you have spyware, which basically tracks what you're doing online. Often the "intent"... the idea behind spyware is that they can monitor that software to see how you are using it and improve it, but really they use it to monitor how you are misusing the software (if you are).

Common forms of viruses: you have backdoor programs, which find a back way into the network or open up a back way. You have denial of service attacks, which flood a website with a bunch of requests, causing it to crash. You also have (distributed) denial of service attacks that involve multiple computers that flood a website with so many requests that it closes or crashes. Trojan horses, they self replicate; basically that's where you might have a virus scanner that says it's scanning for viruses, but it's actually a virus. Worms, they tend to spread themselves. They don't have to be sent or attached; once they get on your computer they can replicate themselves. Either they might attack your email and send themselves out to your friends, or they might be on your network at work and attack all the computers on the network.

Some examples I gave are key loggers. Key loggers will log your key strokes and send them back to the host, so if you log into your website they could see now what your password and what your username is. Cookie grabbers, those are kind of a pain. You can go to a website and it will grab the "cookie" out of your browser without you knowing, so maybe you have your login saved for your bank; well, now they're on a computer that thinks that they are logged into that bank as you. Banks tend to have a protection against that now that automatically logs you out when you leave, but there are still problems cookie grabbers can cause. If you have a World of Warcraft account, you don't want it hacked, you know, something like that.
The first line of defense is the people. You know, most errors in a system are user related. The big problem with users is, firsthand you have insiders who may purposely give out their information, or they may accidentally (give out information). You may write your passwords on a piece of paper that you keep on your desk, and maybe you show your password to someone you trust, or you leave your account logged in, or you forget to lock your computer. So you didn't intend to allow that person to access the system, but you did. The big thing about leaving your computer logged in is, if you work for a place that has user logins, if your user account does the act, it's you. You left it logged in; that's still considered as you did it, because they have no proof that you didn't. So be very careful with your student accounts, especially leaving them logged in.

Social engineering: hackers are usually very... some of them can be very socially skilled, so they can kind of make you believe that they aren't going to do anything, they just... maybe they forgot their password, kind of like when you go to work and someone says, "Hey, I forgot my key card, can you buzz me in?" You know, do you trust that person? Dumpster diving is where they (individuals) go through your trash to get information. One of the things they've (police) seen is people on bikes going down the neighborhood and watching for trash, or watching for unlocked cars, and then they just grab something, stick it in their jacket, and then ride off. So you have to be real careful about what you put in your trash.

Information security policies identify the rules required to maintain information security. A security plan is how you will implement the security policies. So again, you need to inform people; they need to know what is expected of them. You know, make sure they know what type of information attacks there are, that they understand, that they know to log out of their accounts when they are done, that they know what a phishing website is, what a spoof email is. You know, you have to inform people so they don't become a problem in the system.
The second line of defense is technology. You can authenticate and authorize, prevent and resist, and then detect and respond. First is authentication and authorization. Identity theft is where someone's pretending to be (someone). It is one of the biggest attacks online in terms of theft and hacking. A lot of people's identities are stolen every year. In fact, there was an issue that was reported on the news where a couple went to file their taxes and someone had already claimed their baby as a dependent. (The baby) had just died recently. Apparently there was a database where all deceased children (and individuals) had been reported, and this person got their (the baby's) information and put the baby on their own taxes, and it was over a year before they got it fixed. So identity theft is a problem. If you have kids, check their credit reports each year. You may not think anyone would be able to, but there are people who steal kids' social security accounts... sorry, social security numbers (correction), and they are able to get bank accounts and able to get credit cards. So be sure to check credit reports.
Phishing is a technique where they use email to look like a legitimate email. Maybe Ebay emails you and says, "Hey, your account has been hacked, there's unauthorized activity, we've locked your account. Send us your personal information so we can open your account." That's a phishing email. They usually look really legit, but they are not. Usually there are little subtle problems in the email. Pharming is where they reroute a legitimate website to a non-legitimate website, so you have to pay attention when logging into any website, because they can hack and get in there and redirect.

Here's an example of a phishing website... phishing email, sorry (correction). Questionable sender address: see how it says @reply, it doesn't say @ebay.com, it has all this other stuff in there, it says ebaybid.com. They try to create a sense of urgency, you know, saying this is marked as fraudulent, you will pay a fee for financial transactions. So they are trying to make it urgent to where you won't take time to think about it and review before you go giving them information. A lot of times the dates will be kind of formatted weird, you may have bad spelling, bad formatting. There's two ways you can check links. You can either right click the link and go to properties, or you can put your mouse over it and it will show in the bottom (left) corner of your screen. You see these don't match (link and link address in bottom left). When you create a hyperlink in an email you can state what text you want to show, so you can put a fake web address as the text and you'll think it is just a hyperlink (normal link version), when actually it is not; it is a fake website. You don't want to click that (link in) the email because 1) you may not log in, but 2) they may have a virus that you'll get once you click it.

Here's an example of a pharming website. They've actually created a fake address bar that made it look like a legitimate address. But one thing you can watch for with a secure website like Paypal is there's no secure icon on the bottom right corner. There should be a secure icon, but if you can see, this (the link) is an HTTPS. It's hard to see, but it says HTTPS://. That's a secure web link; it should have a secure lock icon down here (bottom left corner). So you just have to watch for little subtle differences. When you go to log in, just try to see if you can see that switchover all of a sudden. Pharming can be real hard to spot.
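The phishing-email checks the lecture walks through (a sender address that is not on the real domain, urgency wording, a link whose visible text shows one address while the href goes somewhere else, and a login link that is not HTTPS) can be automated over an email body. The following is an added worked example, not part of the lecture or the textbook; the email it inspects is constructed for the demonstration, and the expected brand domain ebay.com is an assumed input to the checker.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Urgency words from the lecture's example ("locked", "fraudulent", ...) plus a few
# common ones; an assumed list, extend it for your own mail stream.
URGENCY_WORDS = ("locked", "fraudulent", "urgent", "immediately", "suspended", "unauthorized")

# Visible link text that itself looks like a web address, e.g. "https://www.ebay.com/signin".
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/|$)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no multi-part public suffixes like co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(from_header):
    """Domain after the '@' in a From: header such as 'eBay <service@reply.ebaybid.com>'."""
    match = re.search(r"@([\w.-]+)", from_header)
    return match.group(1).lower() if match else ""


def phishing_indicators(from_header, subject, html_body, expected_domain):
    """Return a list of human-readable indicators found in the message (empty = nothing suspicious)."""
    findings = []

    sender = sender_domain(from_header)
    if registrable_domain(sender) != expected_domain:
        findings.append(f"sender domain {sender!r} is not {expected_domain!r}")

    plain = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    hits = [w for w in URGENCY_WORDS if w in plain]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))

    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme != "https":
            findings.append(f"link {href!r} is not https")
        if LOOKS_LIKE_URL.match(text):
            shown = urlparse(text if "://" in text else "http://" + text)
            if shown.hostname != target.hostname:
                findings.append(f"link text shows {shown.hostname!r} but goes to {target.hostname!r}")
        if registrable_domain(target.hostname or "") != expected_domain:
            findings.append(f"link host {target.hostname!r} is not {expected_domain!r}")
    return findings


# Constructed sample modelled on the lecture's description: a sender on ebaybid.com,
# urgency wording, and a link whose text shows ebay.com but points elsewhere over plain http.
SAMPLE_FROM = "eBay Billing <service@reply.ebaybid.com>"
SAMPLE_SUBJECT = "Your account has been locked"
SAMPLE_BODY = """<p>We detected unauthorized activity and your account has been locked.
A fee will be charged for financial transactions unless you confirm now.</p>
<p>Sign in at <a href="http://signin.ebaybid.com/login">https://www.ebay.com/signin</a></p>"""


def check_sample():
    """Run the checker over the constructed sample; returns the list of findings."""
    return phishing_indicators(SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_BODY, "ebay.com")


if __name__ == "__main__":
    for finding in check_sample():
        print("-", finding)
```

The domain comparison deliberately reduces hostnames to their last two labels, so a lookalike such as ebaybid.com is flagged while a real subdomain such as www.ebay.com is not; a production mail filter would use a public-suffix list instead of that shortcut.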
Authentication and authorization

So a way to protect users is to authenticate their accounts. You know, banking websites have some of the most bothersome logins you can have. They need to have so many characters, you have to have a capital and a special symbol, you have to have so many numbers, and then some sites make you change it every month. I had a login once where I had to change it every month and you could not have your last 12 passwords be the same, so you had to have a different password for every month of the year. But while it may be a pain, it helps protect you from unauthorized access.

Users "know" their user ID and password. A user usually "has" a... maybe an ID card to get into a protected area, where they scan and it (the card) opens the door. The problem with those two is they can be stolen. Something that is "part" of the user is hard to steal, like fingerprints, eye scanning. It is hard to steal those, but they can change. You might burn your fingertips or you might sand your fingerprints off by accident. I mean, it happens. I knew someone who burned her fingertips on a flat iron and it burned her fingerprints off. She grabbed the hot part of the flat iron trying to pick it up, by accident. I actually burned my fingerprints, but they luckily grew back. I burned them severely when I picked up a pan where the protective handle had come off, and I didn't know. And so it can happen. So these are ways to protect users, but they're not infallible.
Data prevention and resistance: downtime can cost anywhere from $100 to $1 million per hour, depending on the organization. Available to help prevent and build resistance to attacks are content filtering, which is where you can filter contents to prevent accidental malicious transmission; maybe you have a firewall that is filtering content. Encryption: you can encrypt data to where it can't be read by just any user. The CIA uses a lot of encryption. A firewall will filter data as it goes in and out. Usually if you have a router attached to your modem... if you have cable internet or DSL you have a modem, that's where your internet connects, then you have a router where you can have a wireless signal or other devices connect to it. The router will have a firewall built in, and usually your modem will have one; it depends on the modem. And then you have antivirus software, which can scan and prevent attacks. A good one I mentioned before is Avast. It actually, when you open a malicious website, will block it. So that's a good one. It's A-V-A-S-T, and it is free.
Detection and response

Intrusion detection software can actually shut down the system to prevent a worm or a virus from destroying the system or working its way through the system. It can also block a user that has accessed (unauthorized) the system from accessing anywhere else, and can also store information about that user that accessed the system.

So again, that is ethics and information security. And be sure to review Assignment 4. I don't think I have posted it yet (I have). I will get that posted (it is posted). Assignment 4 I believe has to do with disaster recovery planning (no, that is Ch. 5. Chapter 4 is identity theft).