Reynolds PPT Ch03

The document discusses computer and internet crime including common security threats, types of perpetrators and their motives, and strategies to address issues like credit card fraud. It covers topics like phishing, botnets, malware, and approaches for managing security risks across complex IT systems.

Ethics in Information Technology, 5e

Chapter 3: Computer and Internet Crime
George W. Reynolds
©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Learning Objectives
• What key trade-offs and ethical issues are associated with the safeguarding of data and information systems?
• Why has there been a dramatic increase in the number of computer-related security incidents in recent years?
• What are the most common types of computer security attacks?
• Who are the primary perpetrators of computer crime, and what are their objectives?
Learning Objectives
• What are the key elements of a multilayer process for managing security vulnerabilities based on the concept of reasonable assurance?
• What actions must be taken in response to a security incident?
• What is computer forensics, and what role does it play in responding to a computer incident?
Ethical Decisions Regarding IT Security
• When computer crime occurs, the firm must choose between competing responses:
  • Pursue prosecution of the criminals at all costs
  • Maintain a low profile to avoid negative publicity
  • Inform affected customers, or take some other action
• The firm must also decide:
  • How many resources to spend on safeguards against computer crime
  • What actions to take when its software is found to be susceptible to attack
  • What to do if recommended security safeguards increase operating costs
Why Computer Incidents Are So Prevalent
• Increasing complexity increases vulnerability
  • The number of entry points to a network expands continually, increasing the possibility of security breaches
  • Cloud computing: software and data storage are provided as services over the Internet, so part of the attack surface sits outside the organization's direct control
  • Virtualization software: a software layer (hypervisor) that enables multiple virtual machines to run on a single physical computer; in the hosted form described here it runs on top of the operating system, so a flaw in the host OS or hypervisor exposes every guest
Why Computer Incidents Are So Prevalent
• Higher computer user expectations
  • Under pressure to respond quickly, help desk staff may skip verifying users' identities or authorization before acting on a request
  • Sharing of login IDs and passwords by users
• Expanding and changing systems require one to:
  • Keep up with the pace of technological change
  • Perform an ongoing assessment of new security risks
  • Implement approaches for dealing with them
Why Computer Incidents Are So Prevalent
• Bring your own device (BYOD): business policy that permits employees to use their own mobile devices to access company computing resources and applications
• Increased reliance on commercial software with known vulnerabilities
  • Exploit: attack on an information system that takes advantage of a particular system vulnerability
  • Zero-day attack: takes place before the security community or software developer knows about the vulnerability or has been able to repair it, so no patch exists when the attack occurs
Types of Exploits
Virus
• Piece of programming code, usually disguised as something else, that causes a computer to behave in an unexpected and undesirable manner; a virus attaches itself to a host program or file and spreads when that host is run or shared
Worm
• Harmful program that resides in the active memory of the computer and duplicates itself; unlike a virus, it spreads across a network on its own without needing a host program or user action
Trojan Horse
• Program in which malicious code is hidden inside a seemingly harmless program
• Logic bomb: malicious code that executes only when triggered by a specific event, such as a date, a user action, or a condition like an employee record being removed
Types of Exploits
Spam
• Abuse of email systems to send unsolicited email to large numbers of people
• CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart): generates and grades tests that humans can pass but computer programs cannot; used to keep automated spam tools from registering accounts, not to filter spam once sent
Distributed Denial-of-Service (DDoS) Attack
• Causes a large number of computers (typically a botnet) to flood a target site with requests for data and other small tasks, so that legitimate users cannot reach it
Rootkit
• Set of programs that gives an attacker administrator-level access to a computer without the end user's consent or knowledge and hides its own presence from the operating system's normal tools
Phishing
• Fraudulently using email to try to get the recipient to reveal personal data such as passwords or account numbers
Figure 3.2 - Distributed Denial-of-Service Attack (figure not reproduced; Source Line: Course Technology/Cengage Learning)
CAN-SPAM Act
• Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act
• It is legal to spam, provided the messages meet a few basic requirements: header information and subject lines must not be false or misleading, the message must identify itself as an advertisement and include the sender's physical postal address, and recipients must be given a working opt-out mechanism whose requests are honored promptly
• Spammers cannot disguise their identity
Botnet
• Group of computers controlled from one or more remote locations by hackers, without the knowledge or consent of their owners
• Zombies: the computers that have been taken over; used to distribute spam and malicious code and to mount DDoS attacks
Types of Phishing
• Spear-phishing: phisher sends fraudulent emails to a specific organization's employees, often personalized with publicly available details about the target
  • Emails are designed to look like they came from high-level executives within the organization
• Smishing: legitimate-looking text message (SMS) sent to people, telling them to call a specific phone number or to log on to a Web site
• Vishing: victims receive a voice mail (voice phishing) telling them to call a phone number or access a Web site
Types of Perpetrators
• Thrill seekers wanting a challenge
• Common criminals looking for financial gain
• Industrial spies trying to gain a competitive advantage
• Terrorists seeking to cause destruction to further their cause
Table 3.5 - Classifying Perpetrators of Computer Crime (table not reproduced)
Types of Perpetrators
• Hackers: test the limitations of information systems out of intellectual curiosity
  • Lamers or script kiddies: technically inept hackers who run tools and exploits written by others
• Malicious insiders
  • Employees, consultants, or contractors who misuse their legitimate access
  • May act alone or through collusion
  • Collusion: cooperation between an employee and an outsider
• Negligent insiders: poorly trained and inadequately managed employees who cause damage accidentally
Types of Perpetrators
• Industrial spies
  • Competitive intelligence: legally obtained data gathered using sources available to the public
  • Industrial espionage: using illegal means to obtain information that is not available to the public
• Cybercriminals
  • Hack into computers to steal data and engage in computer fraud
  • Data breach: unintended release of sensitive data, or access to sensitive data by unauthorized individuals
Types of Perpetrators
• Hacktivists: hack to achieve a political or social goal
• Cyberterrorists: launch computer-based attacks to intimidate or coerce an organization in order to advance certain political or social objectives
  • Use techniques that destroy or disrupt services
  • Consider themselves to be at war
  • Have a very high acceptance of risk
  • Seek maximum impact
Strategies to Reduce Online Credit Card Fraud
• Use encryption technology (TLS for the checkout session, so card data is not exposed in transit)
• Verify the address submitted online against the address on file with the issuing bank (address verification service, AVS)
• Request the card verification value (CVV), which is printed on the card and checked at authorization; the merchant must not store it afterward
• Use transaction-risk scoring software, which combines signals such as the AVS and CVV results, amount, geography, and card-use velocity into a score that drives approve, review, or decline decisions
• Use smart cards
  • Smart cards: the chip on the card is updated with encrypted data every time the card is used, producing a transaction-specific cryptogram that cannot be replayed from a copied magnetic stripe
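The slide names transaction-risk scoring without showing what such software does. The following is an added example, not code from the deck or its author: a small additive scorer over constructed transactions, combining the AVS and CVV results, a BIN-country versus IP-country mismatch, amount, and card reuse within the batch. The signal weights, thresholds, and field names are assumptions chosen for illustration; a real system calibrates them against fraud outcomes and measures velocity over time windows rather than per batch.

```python
"""Additive transaction-risk scoring built from the signals the slide lists."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    card_token: str       # tokenized PAN; the merchant keeps neither the PAN nor the CVV
    amount: float
    avs_match: bool       # address verification result from the issuing bank
    cvv_match: bool       # CVV checked at authorization, then discarded
    bin_country: str      # issuing bank's country, derived from the card BIN
    ip_country: str       # country geolocated from the customer's IP address


# Constructed transactions for illustration; not real data.
SAMPLE_TXNS = [
    Txn("t1", "tok-aaa", 42.00, True, True, "US", "US"),
    Txn("t2", "tok-bbb", 980.00, False, False, "US", "RO"),
    Txn("t3", "tok-ccc", 15.00, True, True, "DE", "DE"),
    Txn("t4", "tok-ccc", 15.00, True, True, "DE", "DE"),
    Txn("t5", "tok-ccc", 15.00, False, True, "DE", "DE"),
]


def score_transaction(t, uses_of_card):
    """Score 0-100 from weighted signals; the weights are example values, not calibrated ones."""
    score = 0
    if not t.avs_match:
        score += 30
    if not t.cvv_match:
        score += 30
    if t.bin_country != t.ip_country:
        score += 20                 # card issued in one country, buyer apparently in another
    if t.amount >= 500:
        score += 10
    if uses_of_card >= 3:
        score += 25                 # velocity: the same card used repeatedly in this batch
    return min(score, 100)


def decide(score):
    """Map a score onto the three outcomes a merchant's checkout acts on."""
    if score >= 70:
        return "decline"
    if score >= 40:
        return "review"
    return "approve"


def score_batch(txns):
    """Return {txn_id: (score, decision)} for a batch, counting card reuse within it."""
    uses = Counter(t.card_token for t in txns)
    results = {}
    for t in txns:
        s = score_transaction(t, uses[t.card_token])
        results[t.txn_id] = (s, decide(s))
    return results


if __name__ == "__main__":
    for txn_id, (score, decision) in score_batch(SAMPLE_TXNS).items():
        print(f"{txn_id}: score={score:3d} -> {decision}")
```

In the sample, t2 fails both AVS and CVV from a country that does not match the card's issuer and is declined outright, while t5 is clean on its own but is the third use of one card in the batch with an AVS mismatch, which is enough to route it to manual review rather than block it.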
Table 3.6 - Federal Laws that Address Computer Crime (table not reproduced)
Trustworthy Computing (figure not reproduced; the slides that follow cover its elements: risk assessment, security policy, education, prevention, detection, and response)
Risk Assessment
• Process of assessing the security-related risks to an organization's computers and networks from internal and external threats
• Goal: identify the investments that will protect the organization from its most likely and most serious threats, rather than spending evenly against every threat
• Asset: hardware, software, information system, network, or database used by an organization to achieve its business objectives
• Loss event: any occurrence that has a negative impact on an asset
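The slide says the goal of risk assessment is to pick the investments that address the most likely and most serious threats, but does not show how the comparison is made. The following is an added example, not code from the deck or its author, using the standard annualized-loss approach that the deck does not spell out: each loss event gets an estimated cost per occurrence and an estimated annual frequency, the product is the expected annual loss, and a control is worth buying only if the loss it removes exceeds its own annual cost. Every figure in it is constructed for illustration.

```python
"""Expected annual loss per loss event, and a cost/benefit check on each proposed control."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossEvent:
    asset: str
    threat: str
    single_loss: float        # estimated cost of one occurrence
    annual_rate: float        # estimated occurrences per year with no new control
    control: str
    control_cost: float       # annual cost of the proposed control
    residual_rate: float      # estimated occurrences per year once the control is in place


def annual_loss(event, rate):
    """Annualized loss expectancy: cost of one occurrence times occurrences per year."""
    return event.single_loss * rate


def evaluate(event):
    """Net annual benefit of the control: loss avoided minus what the control costs."""
    before = annual_loss(event, event.annual_rate)
    after = annual_loss(event, event.residual_rate)
    net = before - after - event.control_cost
    return {
        "threat": event.threat,
        "control": event.control,
        "ale_before": before,
        "ale_after": after,
        "net_benefit": net,
        "recommend": net > 0,
    }


def prioritize(events):
    """Rank controls by net benefit so the budget goes to the ones that pay for themselves first."""
    return sorted((evaluate(e) for e in events), key=lambda r: r["net_benefit"], reverse=True)


# Constructed figures for illustration only; real estimates come from incident history and vendors.
SAMPLE_EVENTS = [
    LossEvent("customer DB", "SQL injection leading to breach", 400_000, 0.25,
              "WAF plus code review", 60_000, 0.05),
    LossEvent("web storefront", "DDoS outage", 20_000, 2.0,
              "DDoS scrubbing service", 50_000, 0.2),
    LossEvent("laptops", "lost unencrypted laptop", 15_000, 3.0,
              "full-disk encryption", 8_000, 0.0),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_EVENTS):
        verdict = "fund" if r["recommend"] else "skip"
        print(f"{verdict:4s} {r['control']:24s} ALE {r['ale_before']:>9,.0f} -> "
              f"{r['ale_after']:>8,.0f} net {r['net_benefit']:>+10,.0f}")
```

The ranking is the point: the DDoS scrubbing service removes more loss than the WAF does, but at its assumed price it costs more than it saves, so under these numbers the cheap laptop encryption control comes first and the scrubbing service is not funded until its price or the outage frequency changes.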
Figure 3.5 - General Security Risk Assessment (figure not reproduced)

Source Line: General Security Risk Assessment Guidelines, ASIS International (2003). See the Standards and Guidelines page of the ASIS International website (www.asisonline.org) for revisions and/or updates. Reprinted by permission.
Security Policy
• Defines an organization's security requirements and the controls and sanctions needed to meet those requirements
• Delineates responsibilities and expected behavior
• Outlines what needs to be done, not how it should be done; the how belongs in the standards and procedures written under the policy
Establishing a Security Policy
• Areas of concern
  • Use of email attachments
  • Use of wireless devices
• Virtual private network (VPN): uses the Internet to relay communications between a remote user or site and the organization's network through an encrypted tunnel
  • Encrypts data at the sending end and decrypts it at the receiving end, so it protects data in transit; it does not make a compromised endpoint trustworthy
Educating Employees and Contract Workers
• Education motivates them to understand and follow the security policies
• Users must help protect an organization's information systems and data by:
  • Guarding their passwords
  • Prohibiting others from using their passwords
  • Applying strict access controls to the data they own
  • Reporting all unusual activity to the organization's IT security group
  • Ensuring that portable computing and data storage devices are protected
Prevention
Install a corporate firewall
• Limits network access based on the organization's access policy
Intrusion detection system (IDS)
• Monitors system and network resources and activities
• Notifies network security personnel when network traffic or host activity appears to circumvent the security measures; an IDS alerts, whereas an intrusion prevention system also blocks
Antivirus software
• Scans files and memory for a specific sequence of bytes, known as a virus signature
• Virus signature: indicates the presence of a specific virus; a signature match fails once the malware's bytes are altered (packed or encrypted) until a new signature is issued, which is why vendors add heuristic and behavioral detection on top
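The slide describes antivirus scanning as a search for a known sequence of bytes. The following is an added example, not code from the deck or any antivirus product: a minimal signature scanner over constructed byte strings, followed by the evasion it is blind to, a single-byte XOR of the same payload. The signature names and patterns are invented for illustration; real signature databases hold far richer patterns than plain substrings.

```python
"""Signature-based scanning over raw bytes, and the trivial encoding it misses."""
from dataclasses import dataclass

# Constructed signatures for illustration only; not from any real AV database.
SIGNATURES = {
    "Demo.Dropper.A": b"\x4d\x5a\x90\x00DEMO-DROPPER-STUB",
    "Demo.Macro.B": b"Sub AutoOpen()\r\n  Shell(",
}


@dataclass(frozen=True)
class Detection:
    name: str
    offset: int


def scan_bytes(data, signatures=SIGNATURES):
    """Return every signature found in `data`, with the offset of its first byte."""
    hits = []
    for name, pattern in signatures.items():
        offset = data.find(pattern)
        while offset != -1:
            hits.append(Detection(name, offset))
            offset = data.find(pattern, offset + 1)
    return sorted(hits, key=lambda d: d.offset)


def xor_encode(data, key):
    """Single-byte XOR, the simplest packer trick; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


# Constructed samples: a benign PE-like header, and the same header with the
# dropper stub embedded 20 bytes in.
SAMPLE_CLEAN = b"\x4d\x5a\x90\x00" + b"\x00" * 64 + b"hello world"
SAMPLE_INFECTED = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"\x4d\x5a\x90\x00DEMO-DROPPER-STUB" + b"\x00" * 8
)


if __name__ == "__main__":
    print("clean:   ", scan_bytes(SAMPLE_CLEAN))
    print("infected:", scan_bytes(SAMPLE_INFECTED))
    # The XOR-encoded copy carries the same payload but no longer contains the signature bytes.
    print("encoded: ", scan_bytes(xor_encode(SAMPLE_INFECTED, 0x5A)))
```

The third scan is the one to notice: the payload is unchanged in effect, since the stub decodes itself at run time, yet no signature matches because the bytes on disk are different. That gap is what heuristic and behavioral detection, and scanning in memory after unpacking, exist to close.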
Prevention
Implement safeguards against attacks by malicious insiders
• Promptly delete the computer accounts, login IDs, and passwords of departing employees and contractors
Defend against cyberterrorism
• Department of Homeland Security (DHS): aims to secure critical infrastructure and information systems
Address critical Internet security threats
• High-impact vulnerabilities should be fixed on a priority basis
Conduct periodic IT security audits
• Security audit: evaluates whether an organization has a well-considered security policy in place and whether it is being followed
United States Computer Emergency Readiness Team (US-CERT)
• Partnership between the Department of Homeland Security and the public and private sectors (its functions are now carried out by DHS's Cybersecurity and Infrastructure Security Agency, CISA)
• Works to protect the nation's Internet infrastructure against cyberattacks
• Serves as a clearinghouse for information on new viruses, worms, and other computer security topics
Figure 3.6 - Intrusion Detection System (photo not reproduced; Credit: Monkey Business Images/Shutterstock.com)
Detection Systems
• Catch intruders in the act
• Minimize the impact of intruders
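The Prevention slide defines an IDS as something that monitors activity and notifies security staff, and the slide above gives its two aims: catch the intruder in the act and limit the damage. The following is an added example, not code from the deck or any IDS product: one detection rule, an SSH password brute-force attempt, run over constructed syslog-style lines. It raises a first alert when one source passes a failure threshold inside a sliding window, and a higher-severity alert if that same source then logs in successfully. The log layout, threshold, and window are assumptions.

```python
"""Rule-based detection over authentication log lines: SSH brute force, then success."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a syslog-like layout; not real captured traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51012
2024-03-01T10:00:02 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51013
2024-03-01T10:00:03 sshd[811]: Failed password for root from 203.0.113.7 port 51014
2024-03-01T10:00:04 sshd[811]: Failed password for root from 203.0.113.7 port 51015
2024-03-01T10:00:05 sshd[811]: Failed password for root from 203.0.113.7 port 51016
2024-03-01T10:00:06 sshd[811]: Accepted password for root from 203.0.113.7 port 51017
2024-03-01T10:05:00 sshd[812]: Failed password for alice from 198.51.100.20 port 40001
2024-03-01T10:20:00 sshd[813]: Accepted publickey for alice from 198.51.100.20 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, source_ip, user, timestamp) tuples.

    kind is "bruteforce" when a source reaches `threshold` failures within `window`,
    and "compromise" when a source already flagged then authenticates successfully.
    """
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # not an auth event this rule models
        ts = datetime.fromisoformat(m["ts"])
        ip, user, result = m["ip"], m["user"], m["result"]
        if result == "Failed":
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()    # slide the window forward
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user, ts))
        elif ip in flagged:
            # A success right after a burst of failures means a password was guessed.
            alerts.append(("compromise", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:10s} src={ip} user={user}")
```

The single failed login from 198.51.100.20 followed by a key-based success never reaches the threshold and stays quiet, which is the behavior you want from a rule like this; the "compromise" alert for 203.0.113.7 is the one that should page someone, because at that point the intruder is past detection and into the containment part of the response plan.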
Response Plan
• Incident notification
  • Define who to notify and who not to notify
  • Refrain from giving out specific information about a compromise in public forums
• Protection of evidence and activity logs
  • Document all details of a security incident to help with future prosecution and incident eradication
• Incident containment
  • Determine whether an attack is dangerous enough to warrant shutting down or disconnecting the affected systems
Response
• Eradication
  • Collect and log all criminal evidence from the system before it is cleaned or rebuilt
  • Verify that all backups are current, complete, and free of any malware before restoring from them
• Incident follow-up
  • Determine how the security was compromised
  • Conduct a review to evaluate how the organization responded
  • Create a detailed chronology of all events
  • Estimate the monetary damage
Computer Forensics
• Combines elements of law and computer science to:
  • Identify, collect, examine, and preserve data from computer systems
  • Collect data in a manner that preserves the integrity of the data gathered, so that it is admissible as evidence in a court of law
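The slide says evidence must be collected so that its integrity is preserved, and the Response Plan slides call for protecting evidence and logs. The following is an added example, not code from the deck or its author, of the mechanism that makes that claim checkable later: hash the evidence image at acquisition, record the hash and every hand-off in a chain-of-custody record, and re-verify the hash at each transfer so that tampering or corruption is detected rather than discovered in court. The disk image is a constructed byte string; the evidence IDs, analyst names, and record layout are assumptions.

```python
"""Preserve evidence integrity: hash at acquisition, verify at every hand-off."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data):
    """Hex SHA-256 digest, the fingerprint recorded for the evidence."""
    return hashlib.sha256(data).hexdigest()


def acquire(evidence_id, image, collector, when):
    """Record the acquisition hash; this entry opens the chain of custody."""
    return {
        "evidence_id": evidence_id,
        "sha256": sha256_hex(image),
        "size": len(image),
        "custody": [{"action": "acquired", "by": collector, "at": when.isoformat()}],
    }


def verify(record, image):
    """True only if the image is byte-for-byte what was acquired."""
    return len(image) == record["size"] and sha256_hex(image) == record["sha256"]


def transfer(record, image, recipient, when):
    """Log a hand-off, recording whether the image still matches the acquisition hash."""
    record["custody"].append({
        "action": "transferred",
        "to": recipient,
        "at": when.isoformat(),
        "verified": verify(record, image),
    })
    return record


# Constructed stand-in for a disk image. A real acquisition hashes the whole
# image file produced through a write blocker; the bookkeeping is the same.
ORIGINAL_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 1024
TAMPERED_IMAGE = ORIGINAL_IMAGE[:600] + b"X" + ORIGINAL_IMAGE[601:]   # one byte changed


def demo_clean():
    """Acquire, then hand off an unchanged image: the transfer verifies."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    rec = acquire("EV-001", ORIGINAL_IMAGE, "analyst-a", t0)
    return transfer(rec, ORIGINAL_IMAGE, "analyst-b", t0.replace(hour=11))


def demo_tampered():
    """Acquire, then hand off an image altered in transit: the transfer fails verification."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    rec = acquire("EV-002", ORIGINAL_IMAGE, "analyst-a", t0)
    return transfer(rec, TAMPERED_IMAGE, "analyst-b", t0.replace(hour=11))


if __name__ == "__main__":
    print(json.dumps(demo_clean(), indent=2))
    print(json.dumps(demo_tampered(), indent=2))
```

A one-byte change in a 1.5 KB image flips the verification result, which is the property a court cares about: the record shows not just who held the evidence and when, but that what they held is what was seized. In practice the hash is also written to a signed or separately stored log so that the record itself cannot be quietly edited along with the image.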
Table 3.10 - Partial List of Constitutional Amendments and Statutes Governing the Collection of Evidence (table not reproduced)
Summary
• Ethical decisions arise in determining which information systems and data most need protection
• Most common computer exploits
  • Viruses and worms
  • Trojan horses
  • Distributed denial-of-service attacks
  • Rootkits and spam
  • Phishing and spear-phishing
  • Smishing and vishing
Summary
• Perpetrators include:
  • Hackers
  • Crackers
  • Malicious insiders
  • Industrial spies
  • Cybercriminals
  • Hacktivists
  • Cyberterrorists
Summary
• Organizations must implement a multilayer process for managing security vulnerabilities, including:
  • Assessment of threats
  • Identifying actions to address vulnerabilities
  • User education
• IT must lead the effort to implement:
  • Security policies and procedures
  • Hardware and software to prevent security breaches
• Computer forensics is key to fighting computer crime in a court of law
