SJSU BUS4 188 - Chapter 4- Ethics

This preview shows page 1 out of 4 pages.


Chapter 4: Ethics

1. Definition:
   a. Answer.com: set of principles of right conduct, the quality of being in accord with standards of right or good conduct.
   b. Wiki: Ethics is a major branch of philosophy, encompassing right conduct and good life. It is significantly broader than the common conception of analyzing right and wrong. A central aspect of ethics is "the good life", the life worth living or life that is satisfying, which is held by many philosophers to be more important than moral conduct.
2. Ethical vs. Illegal. Unethical does not mean illegal and vice versa (or does it?). http://www.encyclopedia.com/doc/1G1-154817732.html (Excellent article)
3. Recent cases
   a. Enron / Arthur Andersen / WorldCom
   b. Google – China / Yahoo – Blogger
4. Ethics and Information (information does not have ethics, akin to saying guns do not kill people):
   a. Characteristics of information
      i. Can be copied easily; owner won't even know
      ii. Can be copied without trace, from one continent to another.
      iii. Can be copied for free, i.e. no cost to replicate
      iv. Can be worth billions
   b. Types of issues (Mason, Richard, "Four Ethical Issues of the Information Age", Management Information Systems Quarterly, 10:1, March, 1986)
      i. Privacy / Confidentiality
      ii. Piracy / Copyright / Counterfeit / Pirated
      iii. Accuracy
      iv. Accessibility
   c. Questionable IT use
5. Established laws related to IT
   a. CAN-SPAM Act 2003: Penalties on businesses sending unsolicited emails.
   b. Freedom of Information Act: Any person can examine govt. records.
   c. Computer Fraud and Abuse Act: Prohibits unauthorized access to computers of US govt., financial institutions, etc.
   d. Electronic Communications Privacy Act: Employers can read employees' emails.
   e. Homeland Security Act: Data mining on corporate information e.g. Google, Eliot Spitzer
6. Ethical information management policies: To ensure compliance
   a. Ethical computer use policy: Guides the user behavior. Includes restrictions on users and specifies acceptable use. http://www.sjsu.edu/senate/S02-8.htm or http://www.sjlibrary.org/legal/policies.htm?pID=310
   b. Information privacy policy: Contains guidelines on how information about users can or cannot be used. http://www.amazon.com/gp/help/customer/display.html?nodeId=468496 or https://epay.sjsu.edu/C21344_ustores/web/privacy_policy.htm
   c. Acceptable use policy: Policy that a user must agree to follow in order to gain access to a network, e.g. college, work, ISP, websites (especially the ones with age or regional restrictions)
   d. Email privacy policy: Details the extent to which email messages may be read by others.
   e. Internet use policy: General principles to guide the proper use of the internet
   f. Anti-spam policy: Specifies that email users will not send spam.
7. Enforcement by monitoring. Tracking people's activities – good or bad
   a. Key logger / Hardware key logger / Cookie / Adware / Spyware / Weblog / Clickstream

Security

1. Characteristics of information that make protection important
   a. Can be copied easily; owner won't even know
   b. Can be copied without trace, from one continent to another.
   c. Can be copied for free, i.e. no cost to replicate
   d. Can be worth billions
2. Information security definition: Broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization.
3. Some ways security can be breached
   a. Social engineering (using one's soft skills to obtain information)
   b. Dumpster diving
   c. Just asking
   d. Key loggers etc.
4. Solutions:
   a. Information security plan – Using people
      i. Develop information security policies, e.g. change password every few days/months
      ii. Communicate the information security policies: train employees
      iii. Identify critical info assets and risk: require user ID, password, antivirus, firewall, etc.
      iv. Test and reevaluate risks: perform security reviews, audits.
      v. Obtain stakeholder support: obtain approval of higher-ups.
   b. Information security plan – Technology
      i. Authentication and authorization: Authentication confirms users' identities to decide access privileges. Authorization is the process of giving someone permission to perform an activity.
         1. User ID or password: how are they phished?
         2. Smart card or token (PayPal)
         3. Biometrics like fingerprint, iris scan, face, handwriting, or voice signature
      ii. Prevention and resistance: technologies to prevent intrusion.
         1. Content filtering to prevent transmission of unauthorized information.
         2. Encryption scrambles information into an alternate form and requires a key to decrypt. Emails/websites use public key encryption (PKE).
         3. Firewalls: Guard a private network by analyzing the information leaving and entering the network.
      iii. Detection and response: In case ii above fails
5. Some key concepts
   a. People: White hat hackers / Black hat hackers / Hacktivists / Script kiddies / Cyber terrorists
   b. Technology: Virus (needs a carrier) / Worm / DoS / DDoS / Trojan / Backdoor / Polymorphic viruses
   c. Threats: Elevation of privileges / Hoaxes / Malicious code / Spoofing / Spyware / Sniffer / Packet

