Ethics 6e PPT Ch03

Ethics in Information
Technology
Chapter 3
Cyberattacks and Cybersecurity
George W. Reynolds
© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or
service or otherwise on a password-protected website for classroom use. 1
Learning Objectives
• Why are computer incidents so
prevalent, and what are their effects?
• What can be done to implement a
strong security program to prevent
cyberattacks?
• What actions must be taken in the event
of a successful security intrusion?
© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or
otherwise on a password-protected website for classroom use.
The Threat Landscape
• Making decisions regarding IT security involves weighing
complex trade-offs:
• How much effort and money should be spent to safeguard
against computer crime?
• What should be done if recommended IT security
safeguards make conducting business more difficult,
resulting in lost sales and increased costs?
• If a firm is a victim of a cybercrime, should it pursue
prosecution of the criminals, maintain a low profile to avoid
negative publicity, inform affected customers, or take some
other action?
© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- 3
protected website for classroom use.
Why Computer Incidents Are So Prevalent, Part
1
• Increasing complexity increases vulnerability
• As more devices are added, the number of network entry
points grows, increasing security risks
• Expanding and changing systems introduce new risks: IT
organizations must:
• Keep up with technological change
• Perform ongoing security assessments
• Implement approaches for dealing with new risks
• Increasing prevalence of BYOD policies
• Bring your own device (BYOD): Business policy that
permits employees to use their own mobile devices to
access company computing resources
© 2019 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or 4
Why Computer Incidents Are So Prevalent, Part
2
• Growing reliance on commercial software with known

vulnerabilities
• Exploit: An attack on an information system that takes
advantage of a particular system vulnerability
• Zero-day attack: Takes place before the security
community or software developer becomes aware of
and repairs a vulnerability
• Increasing sophistication of those who would do harm
Classifying Perpetrators of Computer
Crime
Type of Perpetrator Description
Black hat hacker Someone who violates computer or Internet security
maliciously or for illegal personal gain
Cracker An individual who causes problems, steals data, and
corrupts systems
Malicious insider An employee or contractor who attempts to gain financially
and/or disrupt a company’s information systems
Industrial spy An individual who captures trade secrets to gain an unfair
competitive advantage
Cybercriminal Someone who attacks a computer system for financial gain
Hacktivist An individual whose goal is to promote a political ideology
Cyberterrorist Someone who attempts to destroy government
infrastructure, financial institutions, and other
corporations, utilities, and emergency response units
Types of Exploits, Part 1
• Ransomware: Malware that stops you from using your
computer or accessing your data until you meet certain
demands, such as paying a ransom
• Virus: A piece of programming code, disguised as
something else, that causes a computer to behave in an
unexpected and usually undesirable manner
• Worm: A harmful program that resides in the active
memory of the computer and duplicates itself
• Trojan horse: A program in which malicious code is
hidden inside a seemingly harmless program
• Logic bomb: Executes when triggered by a specific event
• Blended threat: An attack that combines the features of a
virus, worm, Trojan horse, and other malicious code into a
single payload
• Spam: The use of email systems to send unsolicited email to
large numbers of people
• Controlling the Assault of Non-Solicited Pornography and
Marketing (CAN-SPAM) Act: Makes spam legal with certain
restrictions—the email must include: a real return address, a
label specifying that it is an ad or solicitation, and a way for
recipients to opt out of future emails
• CAPTCHA (Completely Automated Public Turing Test to Tell
Computers and Humans Apart): Software that generates and
grades tests that humans can pass but computer programs
cannot
• Distributed denial-of-service (DDoS) attack: An attack that
takes over computers via the Internet, causing them to flood
a target site with demands for data and other small tasks
• Rootkit: A set of programs that enables its user to gain
administrator-level access to a computer without the end
user’s consent or knowledge
• Advanced persistent threat (APT): An attack in which an
intruder gains access to a network and stays there—
undetected—with the intention of stealing data over a
period of weeks or months
• Phishing: The act of fraudulently using email to try to get
the recipient to reveal personal data
• Spear phishing: A variation of phishing in which the
phisher sends fraudulent emails to an organization’s
employees
• Smishing: A variation of phishing in which the victims
receive a legitimate-looking text message telling them to
call a specific phone number or log on to a website
• Vishing: A variation of phishing in which the victims
receive a voice-mail message telling them to call a phone
number or access a website
• Cyberespionage: The deployment of malware that steals data
from government agencies, military contractors, political
organizations, or manufacturing firms
• Cyberterrorism: The intimidation of a government or a civilian
population by using IT to disable critical national
infrastructure
• Department of Homeland Security (DHS): A federal agency whose
goal is to provide for a safer, more secure America, resilient against
terrorism and other potential threats
• U.S. Computer Emergency Readiness Team (US-CERT): A DHS
and public/private sector partnership; serves as a
clearinghouse for information on new security threats
Federal Laws for Prosecuting Computer Attacks, Part
1
• Computer Fraud and Abuse Act

• Addresses fraud and related activities in association with
computers, including:
- Accessing a computer without authorization
- Transmitting code that causes harm to a computer
- Trafficking of computer passwords
- Threatening to cause damage to a protected computer
• Fraud and Related Activity in Connection with Access
Devices Statute
• Covers false claims regarding unauthorized use of credit cards
Federal Laws for Prosecuting Computer Attacks, Part
2
• Stored Wire and Electronic Communications and
Transactional Records Access Statutes
• Focuses on unlawful access to stored communications to obtain,
alter, or prevent authorized access to a wire or electronic
communication while it is in electronic storage
• USA Patriot Act
• Defines cyberterrorism and associated penalties
CIA Security Triad
• CIA security triad: The confidentiality, integrity, and
availability of systems and data
• IT security practices focus on the CIA security triad:
• Confidentiality ensures only those individuals with proper
authority can access sensitive data
• Integrity ensures data can only be changed by authorized users
• Availability ensures data can be accessed when and where
needed
• CIA security must be implemented at the organization,
network, application, and end-user levels
Implementing CIA security
Implementing CIA at the Organization
Level
• Implementing CIA requires a risk-based security strategy
with an active governance process and a well-defined
disaster-recovery plan.
• Risk assessment: The process of assessing security-
related risks to an organization’s computers and
networks from both internal and external threats
• A completed risk assessment identifies the biggest threats
to a company and helps focus security efforts on the areas
of highest payoff
General Risk Assessment Process
Step Description
1 Identify the set of IT assets of most concern.
2 Identify the loss events or the risks/threats that could occur.
3 Assess the frequency of events or the likelihood of each
potential threat.
4 Determine the impact of each threat occurring.
5 Determine how each threat can be mitigated.
6 Assess the feasibility of implementing the mitigation
options.
7 Perform a cost-benefit analysis to ensure that your efforts
will be cost effective.
8 Decide whether or not to implement a countermeasure.
Disaster Recovery
• Disaster recovery plan: A documented process for

recovering an organization’s business information
system assets—including hardware, software, data,
networks, and facilities—in the event of a disaster
• Mission-critical processes: Business processes that
are more pivotal to continued operations and goal
attainment than others
Security Policies and Security Audits
• Security policy: A policy that defines an organization’s

security requirements, as well as the controls and
sanctions needed to meet those requirements
• A good security policy delineates responsibilities and the
behavior expected of members of the organization.
• Security audit: An audit that evaluates whether an
organization has a well-considered security policy in
place and if it is being followed
Regulatory Standards Compliance
• An organization may be required to comply with
external standards; examples include:
• Bank Secrecy Law of 1970
- Requires financial institutions in the United States to assist
U.S. government agencies in detecting and preventing money
laundering
• Federal Information Security Management Act
- Requires every federal agency to provide information security
for the data and information systems that support the
agency’s operations and assets
• Health Insurance Portability and Accountability Act
- Regulates the use and disclosure of an individual’s health
information
Security Dashboards
• Security dashboard software
• Provides a comprehensive display of all key performance
indicators related to an organization’s security defenses,
including:
- Threats
- Exposures
- Policy compliance
- Incident alerts
• Reduces the effort required to monitor, identify and
respond to threats
Implementing CIA at the Network
Level
• Authentication methods
• An organization must authenticate users attempting to
access its network
- Username and password
- Smart card and a PIN
- Fingerprint
- Voice pattern sample
- Retina scan
• Multifactor authentication schemes include:
- Biometrics
- One-time passwords
- Hardware tokens that plug into a USB port and generate a
password
Firewalls & Routers
• Firewall: A system of software and/or hardware that
stands guard between an organization’s internal network
and the Internet
• Next-generation firewall (NGFW): A hardware- or software-
based network security system that blocks attacks by filtering
network traffic based on packet contents
• Router: A networking device that connects multiple
networks and transmits data packets between networks
• Allows you to:
- Create a secure network by assigning it a passphrase
- Specify a unique media access control (MAC) address for each
legitimate device connected to the network and prevent access
by any other device
Encryption
• Encryption: The process of scrambling messages or data in
such a way that only authorized parties can read it
• Encryption key: A value that is applied to unencrypted text
to produce encrypted text that is unreadable by those
without the encryption key
• Two types of encryption algorithms:
- Symmetric and asymmetric
• Transport Layer Security (TLS): A communications protocol
that ensures privacy between communicating applications
and their users on the Internet
• TLS enables a client (e.g., a web browser) to initiate a
temporary private conversation with a server
Proxy Servers and Virtual Private
Networks
• Proxy server: Acts as an intermediary between a web
browser and another server on the Internet
• You enter the URL for a website into your browser.
• The request is forwarded to the proxy server, which relays
the request to the server where the website is hosted.
• The web page is returned to the proxy server, which then
passes it on to you.
• Result: The website sees the proxy server as the actual
visitor and not you.
• Virtual private network (VPN): Enables remote users to
securely access an organization’s computing resources
and share data by transmitting and receiving encrypted
data over public networks, such as the Internet
Intrusion Detection System
• Intrusion detection system (IDS): Software and/or
hardware that monitors system resources and activities
and issues an alert when it detects network traffic
attempting to circumvent security measures
• Two approaches to intrusion detection:
- Knowledge-based: Contains information about specific attacks
and system vulnerabilities and watches for attempts to exploit
these vulnerabilities (e.g., repeated failed login attempts).
- Behavior-based: Models normal behavior of a system and its
users based on reference information; compares current
activity to this model, looking for deviations (e.g., unusual
traffic at odd hours)
Implementing CIA at the Application Level
• Single-factor: Requires only one credential
(e.g., a password)
• Two-factor: Requires two types of credentials
(e.g., a bank card and a PIN)
• User roles and accounts
• Used to give users authority to perform their
responsibilities within an application and nothing more
• Data encryption
• Protects data being used within an application from
unauthorized access
Implementing CIA at the End-User-
Level
• Security education
• Educate end users about the importance of security so they
are motivated to understand and follow security policies.
• Require end users to implement a security passcode that
must be entered before their device accepts further input.
• Antivirus software
• Virus signature: A specific sequence of bytes that indicates
the presence of a previously identified virus
• Data encryption
• Full-disk encryption protects storage devices and/or hard
drives so they cannot be removed from a computer and
plugged into another computing device
Response to Cyberattack
• An organization should be prepared for the worst—a

successful attack that defeats all or some of a system’s
defenses and damages data and information systems.
• In a security incident, the primary goal must be to regain
control and limit damage, not to attempt to monitor or
catch an intruder.
• A well-developed response plan helps keep an incident
under technical and emotional control.
Incident Notification
• A key element of any response plan is to define who to
notify and who not to notify in the event of a computer
security incident.
• Questions to cover include:
-Within the company, who needs to be notified, and what
information does each person need to have?
-Under what conditions should the company contact major
customers and suppliers?
-How does the company inform them of a disruption in
business without unnecessarily alarming them?
-When should local authorities or the FBI be contacted?
Protection of Evidence and Activity Logs
• An organization should document all details of a security

incident as it works to resolve a security incident.
• Capture all system events, the specific actions taken
(what, when, and who), and all external conversations
(what, when, and who) in a logbook.
Eradication and Incident Follow-Up
• Eradication
• Before the IT security group begins eradication efforts, it
must collect and log all possible criminal evidence and then
verify all backups are current, complete, and free of
malware.
• Incident Follow-Up
• An essential part of follow-up is to determine how the
organization’s security was compromised so that it does not
happen again.
• A formal incident report includes a detailed chronology of
events and the impact of the incident.
Using an MSSP
• Managed security service provider (MSSP): A company

that monitors, manages, and maintains computer and
network security for other organizations.
• Many small and midsized organizations use an MSSP
because the level of in-house network security expertise
needed to protect their business operations is too costly
to acquire and maintain.
Computer Forensics
• Computer forensics: Combines elements of law and

computer science to collect, examine, and preserve data
from computer devices and networks in a manner that
preserves the integrity of the data gathered so it is
admissible as evidence in court.
• Proper handling of a computer forensics investigation is
the key to fighting computer crime successfully in court.
Summary, Part 1
• Why are computer incidents so prevalent, and what are
their effects?
• Reasons include:
- Increasing computing complexity
- Expanding and changing systems
- An increase in the prevalence of BYOD policies
- A growing reliance on software with known vulnerabilities
- Increasing sophistication of those who would do harm
• Exploit: An attack on an information system that takes
advantage of a particular system vulnerability (often a
result of poor system design or implementation)
Summary, Part 2
their effects?
• Perpetrators of computer crime:
- Black hat hacker
- Cracker
- Malicious insider
- Industrial spy
- Cybercriminal
- Hacktivist
- Cyberterrorist
• White hat hacker: Hired by an organization to test the
security of its information systems allowing the
organization to improve its defenses
Summary, Part 3
their effects?
• Common computer exploits:
- Ransomware, viruses, and worms
- Trojan horses
- Logic bombs
- Blended threats
- Spam
- DDoS attacks and rootkits
- Advanced persistent threats
- Phishing, spear phishing, smishing, and vishing
- Cyberespionage and cyberterrorism
Summary, Part 4
their effects?
• Department of Homeland Security (DHS): Federal agency
with the responsibility to provide for a “safer, more secure
America, which is resilient against terrorism and other
potential threats.”
- Office of Cybersecurity and Communications is responsible for
enhancing the security, resilience, and reliability of U.S. cyber-
and communications infrastructure
• US-CERT: A partnership between DHS and the public and
private sectors established to protect the nation’s Internet
infrastructure against cyberattacks
Summary, Part 5
their effects?
• Laws enacted to combat computer-related crime:
- Computer Fraud and Abuse Act
- Fraud and Related Activity in Connection with Access
Devices Statute
- Stored Wire and Electronic Communications and
Transactional Records Access Statutes
- USA Patriot Act
Summary, Part 6
• What can be done to implement a strong security
program to prevent cyberattacks?
• CIA security triad: Confidentiality, integrity, and
availability of IT resources and data
• An organization’s security strategy must include security
measures at the organization, network, application, and
end-user levels
Summary, Part 7
• Key elements of a risk-based security strategy:
- A risk assessment to identify and prioritize threats
- A well-defined disaster recovery plan that ensures the
availability of key data and information technology assets
- Definition of security policies to guide employees to follow
recommended processes and practices
- Periodic security audits to ensure end users are following
established policies and to assess adequacy of security policies
- Compliance standards defined by external parties
- Use of a security dashboard to track key performance indicators
Summary, Part 8
• Reasonable assurance: Manager’s must use their judgment
to ensure that the cost of control does not exceed the
system’s benefits or the risks involved
• Network security layer—key elements: Authentication
methods, a firewall, routers, encryption, proxy servers,
VPN, and an IDS
• Application security layer—key elements: Authentication
methods, user roles and accounts, and data encryption
• End-user security layer—key elements: Security
education, authentication methods, antivirus software,
and data encryption
Summary, Part 9
• What actions must be taken in the event of a successful
security intrusion?
• A response plan must be developed well in advance of any
incident, and should address:
- Notification
- Protection of evidence and activity logs
- Containment
- Eradication
- Follow-up
• Organizations must implement fixes against well-known
vulnerabilities and conduct periodic IT security audits
Summary, Part 10
• What actions must be taken in the event of a successful
security intrusion?
• Many organizations use a managed security service
provider (MSSP) to monitor, manage, and maintain their
computer and network security
• Experts trained in computer forensics collect, examine,
and preserve data from computer devices and networks,
in a manner that preserves the integrity of the data so it is
admissible as evidence in a court of law.

Ethics 6e PPT Ch03

Uploaded by

Copyright:

Available Formats

Ethics 6e PPT Ch03

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ethics 6e PPT Ch03

Uploaded by

Copyright:

Available Formats

Ethics in Information

• Growing reliance on commercial software with known

• Computer Fraud and Abuse Act

• Disaster recovery plan: A documented process for

• Security policy: A policy that defines an organization’s

• An organization should be prepared for the worst—a

• An organization should document all details of a security

• Managed security service provider (MSSP): A company

• Computer forensics: Combines elements of law and

You might also like