Chapter 3: Ethics, Privacy and Information Security
1. Privacy issues - involve collecting, storing, and distributing information about individuals.
Accuracy issues - involve the authenticity, fidelity, and accuracy of the data that is collected and processed.
Property issues - involve the ownership and value of information.
Accessibility issues - concern who should have access to information and whether they should have to pay for that access.
2. Four types of I.T. threats -
- Unintentional acts are actions that have no malicious intent. There are three main types:
1. Human errors - include data entry errors, lack of training and IT skills, and careless handling of confidential material or equipment.
2. Variations in the quality of service by service providers - situations where a service or product is not delivered to the organisation as expected.
3. Environmental hazards - include dust, humidity, pollution and static electricity, all of which are detrimental to the safe and secure operation of computing equipment.
- Natural disasters - acts of God such as floods, earthquakes, hurricanes, lightning and fire. They can lead to severe loss of data and systems, so a company should have a backup and recovery plan for its data and information systems in place before a disaster happens.
- Technical failures - problems with hardware and software. A common technical failure is a hard disk drive crash.
- Management failures - a lack of effort and interest in information security on the part of management.
Most information security breaches, however, are explained by deliberate acts, often by the organisation's own employees. Deliberate acts are intentional and malicious; they include software attacks, theft of equipment or information, information extortion and cyber terrorism.
3. Three types of software attacks -
- Virus - the most common. A computer virus is a program that copies itself, attaches itself to another program and infects a computer without the permission or knowledge of the user. A virus can compromise the security of an information system and corrupt data.
- Trojan horse - a program that conceals itself inside another, apparently legitimate program and only reveals its designed behaviour when activated. Malicious Trojan horse programs are used to evade protection systems, leaving the machine vulnerable and allowing unauthorised access to the user's computer.
- Worm - a self-replicating program that performs malicious activities and spreads without the aid of another program (unlike a virus, it needs no host program to attach itself to). Worms almost always cause harm to the network.
4. The four major types of security controls for protecting information systems -
- Physical controls prevent unauthorised individuals from entering a company's facilities. Walls, doors and locks are examples of physical controls.
- Access controls restrict unauthorised individuals from using information resources. Passwords, ID cards and biometrics are forms of access control.
- Communication controls govern and secure the movement of data between networks. Firewalls and anti-malware systems are communication controls.
- Application controls are security measures built into specific applications to protect them.
5. Recent software threat: BOTNET
A botnet (also known as a zombie army) is a collection of Internet-connected computers that, without their owners' knowledge, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. A bot is often planted through a port that has been left open, through which a small Trojan horse program can be dropped and left for later activation.
Resolutions: to prevent botnets in the first place, deploy effective firewalls and other safeguards such as:
- anti-spyware software, for example CounterSpy
There is also BotSniffer, a prototype system designed to detect and disable botnets. Using traffic analysis, BotSniffer tries to identify botnet members by looking for their command and control channels: several hosts on a network all talking to the same server, at similar times and receiving similar responses, is the signature of bots taking orders from one controller. The BotSniffer detector has been built as an independent plug-in for a popular open source intrusion detection system.
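To make the "look for command and control channels" idea concrete, here is a small traffic-analysis script. It is an added example written for these notes, not BotSniffer's own code; the flow records, IP addresses (RFC 5737 documentation ranges) and thresholds are all constructed. It groups flows by destination, scores each internal host on how regularly it contacts that destination and how uniform the replies are, and flags a destination as a likely C&C server when several hosts show that correlated, beacon-like pattern at once.

```python
"""Toy botnet C&C detection by traffic analysis (added example, not BotSniffer's code).

Bots in one botnet talk to the same command-and-control server, and they do so in a
correlated way: regular polling, near-identical replies. One host beaconing is
suspicious; several internal hosts beaconing to the same endpoint in lockstep is the
pattern this script looks for.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes_in).
# Three internal hosts poll 203.0.113.7:6667 about every 60 s and get ~512-byte replies;
# one host browses normally. Addresses are RFC 5737 documentation ranges, not real hosts.
FLOWS = [
    (0,   "10.0.0.11", "203.0.113.7", 6667, 512),
    (60,  "10.0.0.11", "203.0.113.7", 6667, 514),
    (121, "10.0.0.11", "203.0.113.7", 6667, 510),
    (180, "10.0.0.11", "203.0.113.7", 6667, 512),
    (2,   "10.0.0.12", "203.0.113.7", 6667, 512),
    (61,  "10.0.0.12", "203.0.113.7", 6667, 513),
    (122, "10.0.0.12", "203.0.113.7", 6667, 512),
    (181, "10.0.0.12", "203.0.113.7", 6667, 511),
    (1,   "10.0.0.13", "203.0.113.7", 6667, 512),
    (62,  "10.0.0.13", "203.0.113.7", 6667, 512),
    (120, "10.0.0.13", "203.0.113.7", 6667, 514),
    (182, "10.0.0.13", "203.0.113.7", 6667, 512),
    # Normal browsing: irregular timing, widely varying sizes, more than one server.
    (5,   "10.0.0.20", "198.51.100.4", 443, 18000),
    (17,  "10.0.0.20", "198.51.100.4", 443, 2300),
    (140, "10.0.0.20", "198.51.100.4", 443, 91000),
    (33,  "10.0.0.20", "198.51.100.9", 443, 700),
]


def beacon_score(timestamps):
    """Regularity of the gaps between contacts: 1.0 is perfectly periodic, lower is
    jittery. Needs at least three flows (two gaps) before it will say anything."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(gaps) / mean(gaps))


def size_similarity(sizes):
    """1.0 when every reply has the same size, lower as the sizes spread out."""
    if len(sizes) < 2 or mean(sizes) == 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(sizes) / mean(sizes))


def find_cnc_candidates(flows, min_hosts=2, min_beacon=0.8, min_size_sim=0.9):
    """Group flows by (dst_ip, dst_port) and flag endpoints that several internal hosts
    contact with periodic timing and near-identical reply sizes.

    Returns {(dst_ip, dst_port): sorted list of suspected bot source IPs}.
    The thresholds are constructed for this sample, not tuned values."""
    per_endpoint = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, port, nbytes in flows:
        per_endpoint[(dst, port)][src].append((ts, nbytes))

    suspects = {}
    for endpoint, by_src in per_endpoint.items():
        bots = []
        for src, recs in by_src.items():
            times = [t for t, _ in recs]
            sizes = [b for _, b in recs]
            # Temporal correlation: this host polls regularly and gets the same reply.
            if beacon_score(times) >= min_beacon and size_similarity(sizes) >= min_size_sim:
                bots.append(src)
        # Spatial correlation: more than one host shows that behaviour toward one endpoint.
        if len(bots) >= min_hosts:
            suspects[endpoint] = sorted(bots)
    return suspects


if __name__ == "__main__":
    for (ip, port), bots in find_cnc_candidates(FLOWS).items():
        print(f"possible C&C {ip}:{port} <- {', '.join(bots)}")
```

On the constructed flows the script reports 203.0.113.7:6667 with the three polling hosts and ignores the browsing host, whose gaps and reply sizes vary too much to score as a beacon. Real detectors add whitelisting of known update servers and NTP-style legitimate polling, which look periodic too; the per-host score alone is not evidence, the cross-host correlation is.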
6. Authentication verifies the identity of a person requesting access to information systems and data (are you who you claim to be?).
Authorisation, on the other hand, decides which actions, rights and privileges that person has on the basis of the verified identity (what may you do?).
Both authentication and authorisation are vital to e-commerce, as together they determine the security of information systems and data. Internet banking is the standard example: to see their account details, customers must first present a client number and password (authentication), and the bank then shows them only the accounts they own (authorisation).
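The internet-banking example, carried through in code as an added illustration (not code from the original notes or from any bank). The client numbers, passwords and account numbers are constructed; the point it makes is that the two checks are separate, so a customer who authenticates correctly is still refused another customer's account.

```python
"""Authentication versus authorisation for an online-banking 'view balance' request.
Added example; users, accounts and credentials below are constructed, not real."""
import hashlib
import hmac
import os


def _hash_password(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256: slow, salted hashing so stolen hashes are hard to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Constructed user store: client number -> salted password hash.
USERS = {
    "12345678": make_user("correct horse battery staple"),
    "87654321": make_user("hunter2"),
}

# Constructed ownership table: account number -> client number that owns it.
ACCOUNTS = {
    "ACC-100": "12345678",
    "ACC-101": "12345678",
    "ACC-200": "87654321",
}


def authenticate(client_number, password):
    """Step 1: prove WHO you are. Returns the verified client number, or None.

    An unknown client number is hashed against a dummy salt so that a wrong number
    and a wrong password take the same time; compare_digest avoids a timing side
    channel on the hash comparison."""
    user = USERS.get(client_number)
    salt = user["salt"] if user else bytes(16)
    candidate = _hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, user["hash"]):
        return None
    return client_number


def authorise(verified_client, account_number):
    """Step 2: decide WHAT the verified identity may do. The single rule here is
    'you may view accounts you own'. Returns True or False."""
    if verified_client is None:
        return False
    return ACCOUNTS.get(account_number) == verified_client


def view_balance(client_number, password, account_number):
    """The path a 'view balance' request follows: authenticate, then authorise.
    Returns 'denied: not authenticated', 'denied: not authorised', or 'ok'."""
    who = authenticate(client_number, password)
    if who is None:
        return "denied: not authenticated"
    if not authorise(who, account_number):
        return "denied: not authorised"
    return "ok"


if __name__ == "__main__":
    print(view_balance("12345678", "correct horse battery staple", "ACC-100"))
    print(view_balance("12345678", "wrong password", "ACC-100"))
    # Correct credentials, but someone else's account: authentication is not enough.
    print(view_balance("12345678", "correct horse battery staple", "ACC-200"))
```

The third call is the one that matters in practice: skipping the `authorise` step and trusting the account number in the request is how a logged-in customer ends up reading other customers' balances.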