Info systems quiz #2
Vulnerability
(of an information resource): is the possibility that the system will be harmed by a threat.
Threat
(to an information resource): any danger to which a system may be exposed.
Two main rules of privacy
1. The right of privacy is not absolute. Privacy must be balanced against the needs of society.
2. The public's right to know supersedes the individual's right of privacy.
Carelessness with one's office
Leaving desks and filing cabinets unlocked when employees go home at night; not logging off the company network when leaving the office for any extended period of time.
Carelessness with laptops
Losing or misplacing laptops, leaving them in taxis, and so on.
Carelessness with computing devices
Losing or misplacing these devices, or using them carelessly so that malware is introduced into an organization's network.
Electronic Surveillance
Tracking people's activities with the aid of computers. It is conducted by employers, governments, and other institutions.
• Examples: surveillance cameras in airports, subways, banks, and other public venues.
Compromises to Intellectual Property
Trade secret, patent, copyright
Back Door
Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures (also called a trap door).
Carelessness using unmanaged devices
Unmanaged devices are those outside the control of an organization's IT department and company security procedures. These devices include computers belonging to customers and business partners, computers in the business centers of hotels, and so on.
Data Aggregators
companies that collect public data such as real estate records and published telephone numbers, in addition to nonpublic information such as Social Security numbers; financial data; and police, criminal, and motor vehicle records.
Digital Dossier
Data integrated from data gathered about you in a typical day (surveillance cameras located on toll roads, on other roadways, in busy intersections, in public places, and at work; credit card transactions; telephone calls (landline and cellular); banking transactions; queries to search engines; and government records (including police records)).
Sabotage and Vandalism
deliberate acts that involve defacing an organization's Web site, potentially damaging the organization's image and causing its customers to lose faith.
Hacktivism
A form of online vandalism; the use of computer hacking to express political or sociological beliefs.
Hacktivists
group of individuals who plan to affect political change and damage their opponents.
Common Good Approach
Highlights the interlocking relationships that underlie all societies. This approach argues that respect and compassion for all others is the basis for ethical actions.
Privacy issues
involve collecting, storing, and disseminating information about individuals.
Accuracy issues
involve the authenticity, fidelity, and correctness of information that is collected and processed.
Property issues
involve the ownership and value of information.
Liability
is a legal concept that gives individuals the right to recover the damages done to them by other individuals, organizations, or systems.
Exposure
is the harm, loss, or damage that can result if a threat compromises an information resource.
Rights Approach
Maintains that an ethical action is the one that best protects and respects the moral rights of the affected parties. Although these rights are not ones you are necessarily entitled to, they are morally just.
Responsibility
means that you accept the consequences of your decisions and actions.
DDoS
The most common form of attack, denial-of-service. This form of attack is launched to take down a website by flooding it with fake traffic.
• Examples: data theft to expose sensitive information; exposing targets (individuals, corporations, and governments).
what is unethical is...
not necessarily illegal. For example, a bank's decision to foreclose on a home can be technically legal, but it can raise many ethical questions.
Information Extortion
occurs when an attacker either threatens to steal, or actually steals, information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.
Espionage or Trespass
occurs when an unauthorized individual attempts to gain illegal access to organizational information.
Ransomware
Or digital extortion; blocks access to a computer system or encrypts an organization's data until the organization pays a sum of money. There are numerous types of ransomware. Victims are told to pay the ransom in bitcoin, through MoneyGram, or with untraceable gift cards.
Spamware
pestware that uses your computer as a launch pad for spammers.
Fairness Approach
posits that ethical actions treat all human beings equally, or, if unequally, then fairly, based on some defensible standard. For example, most people might believe it is fair to pay people higher salaries if they work harder or if they contribute a greater amount to the firm.
Cyberterrorism and Cyberwarfare
refer to malicious acts in which attackers use a target's computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda.
Supervisory Control and Data Acquisition Attacks (SCADA)
refers to a large-scale, distributed measurement and control system. SCADA systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants.
Accountability
refers to determining who is responsible for actions that were taken.
Cyber crime
refers to illegal activities conducted over computer networks, particularly the Internet.
Accessibility issues
revolve around who should have access to information and whether they should pay a fee for this access.
Dumpster Diving
rummaging through commercial or residential trash to find discarded information.
Alien Software
secret software that is installed on your computer through duplicitous methods.
Cookies
small amounts of information that Web sites store on your computer, temporarily or more or less permanently
Spyware
Software that collects personal information about users without their consent. Two common types of spyware are keystroke loggers and screen scrapers.
Adware
software that causes pop-up advertisements to appear on your screen.
Utilitarian Approach
states that an ethical action is the one that provides the most good or does the least harm.
Deontology Approach
States that the morality of an action is based on whether that action itself is right or wrong under a series of rules, rather than based on the consequences of that action. An example of deontology is the belief that killing someone is wrong, even if it was in self-defense.
Security
the degree of protection against criminal activity, danger, damage, and/or loss.
Intellectual Property
the property created by individuals or corporations that is protected under trade secret, patent, and copyright laws.
Spam
unsolicited e-mail, usually advertising for products and services
Five Factors Contributing to Vulnerability
• Today's interconnected, interdependent, wirelessly networked business environment
• Smaller, faster, cheaper computers and storage devices
• Decreasing skills necessary to be a computer hacker
• International organized crime taking over cybercrime
• Lack of management support
Remote Attacks Needing No User Action
- Denial-of-Service Attack
- Distributed Denial-of-Service Attack
Attacks by a Programmer Developing a System
- Trojan horse
- Back door
- Logic bomb
Remote Attacks Requiring User Action
- Virus
- Worm
- Phishing attack
- Spear phishing
Five Steps in Ethical Decision Making Framework
1. Recognize an ethical issue: does this decision hurt someone, are there good or bad alternatives, etc.
2. Get the facts: gather sufficient information to make a decision, determine who has a stake in the outcome, etc.
3. Evaluate alternative actions: which produces the most good and least harm, respects stakeholders, etc.
4. Make a decision and test it.
5. Act and reflect on the outcome of the decision: how did the decision turn out?
Code of ethics
A collection of principles intended to guide decision making by members of an organization.
Logic bomb
A segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action at a certain time or date.
Careless Internet surfing
Accessing questionable Web sites; can result in malware and/or alien software being introduced into the organization's network.
Ethics in the Corporate Environment
According to a 2018 CareerBuilder survey, 70 percent of employers use social media to screen candidates during the hiring process, and about 43 percent of employers use social media to check on current employees.
Distributed Denial-of-Service Attack
An attacker first takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots—which form a botnet—to deliver a coordinated stream of information requests to a target computer, causing it to crash.
Denial-of-Service Attack
An attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (ceases to function).
2. Place yourself as a victim in the Equifax breaches. What should you do when you are notified (when you think) that your personal data has been compromised?
Anyone concerned that they were affected by the hack should check their credit accounts immediately for any suspicious activity, set up a fraud alert, and watch their credit card and bank accounts. You could also freeze your credit account to prevent anyone from fraudulently applying for your credit. It's also a good idea to set up two-factor authentication on important financial accounts to deflect hackers with stolen information.
Common human errors
Carelessness with: laptops, tablets, smartphones, computing devices, Internet surfing, the office, discarded equipment, monitoring environmental hazards, poor password selection, and opening questionable e-mails.
Poor password selection and use
Choosing and using weak passwords (see strong passwords in the "Authentication" section later in this chapter).
Theft of Equipment or Information
Computing devices and storage devices are becoming smaller yet more powerful, with vastly increased storage; as a result, these devices are becoming easier to steal and easier for attackers to use to steal information.
Carelessness with discarded equipment
Discarding old computer hardware and devices without completely wiping the memory; includes computers, smartphones, and digital copiers and printers.
Describe the role that information technology plays as Google moves forward in its efforts to integrate online search data with offline purchase data.
Google, being the large company that it is, has to keep up with all of the online trends and ads that are posted. Google uses information technology in phones through the Google Maps technology. With this it gets information on where the customers are. After that it can analyze what they buy with the credit card information that is shared with Google, and it can see if the customers are buying what they had looked at previously online.
Human errors
Higher-level employees + greater access privileges = greater threat
• Two areas pose significant threats: Human Resources and Information Systems
• Other areas of threats: contract labor, consultants, janitors, and guards
Identity Theft
Is the deliberate assumption of another person's identity, usually to gain access to his or her financial information or to frame him or her for a crime.
Opening questionable e-mails
Opening e-mails from someone unknown, or clicking on links embedded in e-mails.
Four general categories of ethical issues related to IT
Privacy issues, accuracy issues, property issues, and accessibility issues.
The fundamental tenets of ethics include responsibility, accountability, and liability. Discuss each of these tenets as it applies to Google's actions in integrating online search data and offline purchase data.
Responsibility would apply because Google has to accept the consequences of deciding to look into people's information so deeply, and possibly making people angry if there is a data breach. Accountability is shown because Google as a company is responsible for anything that happens with the data, because they are the ones using it to their advantage. Liability would come into play whenever Google does something wrong, such as a data breach where people's sensitive information is now out in the world. People could then sue Google for leaking the information.
Virus
Segment of computer code that performs malicious actions by attaching to another computer program
Trojan Horse
Software programs that hide in other computer programs and reveal their designed behavior only when they are activated.
2. The fundamental tenets of ethics include responsibility, accountability, and liability. Discuss each of these tenets as it applies to the Red Sox stealing signs.
The Boston Red Sox accepted their fine and have since stopped using their Apple Watches to steal signs from other teams. Having said this, they did accept the consequences of their actions, which happened to be borderline cheating to some. It isn't clear whether a manager, or anyone in particular, took responsibility for the actions, or if the team as a whole made a consensus decision. At the end of it all the team quit using the Apple Watches, but taking responsibility would mean owning up to what was done and making it right. The Red Sox could have attempted to make things right by giving the game to the teams they used this tactic against, if the scores would have been different had they not. The Red Sox were held accountable for their actions because the team was fined for the whole ordeal. They are also being criticized in the public eye because of what they did, so everyone is aware of who is responsible. In a sense they were made liable because the team was fined, but they were also the reason other teams in the league lost, and those teams can't get those wins back. The league recovered its damage, but the teams who were "cheated" against can't recover their losses.
1. Discuss the ethicality and legality of the Red Sox's actions in stealing signs.
The Boston Red Sox used Apple Watches to basically speed up communication within the team, so they were able to let the batter know what the next pitch was going to be, and from that he could adjust his swing. As far as the legalities of stealing signs from other teams, it wouldn't technically be considered an illegal act because they weren't using binoculars or any means to see further, so the Red Sox ended up just being fined. When it comes to discussing the ethics of stealing signs, it's not exactly black and white, because to some extent the MLB allows players to watch signs and notify the batter so long as it's only with their eyes. The Red Sox were still only using their eyes to see what was happening, so they didn't technically break a rule, but they did find a way around that rule. Whether this is ethical or not ultimately depends on who you're asking. I don't think it's ethical to give a player a heads-up so they can have a better chance of hitting the ball, but to some extent the league allows that, so it's completely understandable if other individuals disagree and think it is ethical.
Ethics
The principles of right and wrong that individuals use to make choices that guide their behavior.
Profiling
The process of forming a digital dossier.
Privacy
The right to be left alone and to be free of unreasonable personal intrusions. Applies to individuals, groups, and institutions.
Information Privacy
The right to determine when, and to what extent, information about you can be gathered and/or communicated to others.
4. What are the implications for the continued use of Social Security numbers as universal, unique identifiers? What measures might take the place of Social Security numbers as unique identifiers?
The solution to the Social Security number problem may lie in utilizing additional layers of security. For example, we might start to see security questions and one-time security codes sent via e-mail or text message to our smartphones. The problem with added security is that it is more difficult to conduct transactions over the Web—specifically, electronic commerce. As long as we keep using SSN as unique qualifiers, companies put people at greater risk for identity fraud as well as greater risk to be targeted by hackers looking for information.
alien software
clandestine software that is installed on your computer through duplicitous methods.
3. Can the three credit-reporting agencies (Equifax, Experian, and TransUnion) survive in the face of this breach?
Yes and no. Any data breach harms a company's reputation. This problem is particularly critical for Equifax because its entire business model involves providing a complete financial profile of consumers that lenders and other businesses can trust. Not only has Equifax's credibility been severely damaged, but the breach also undermines the integrity of the data collected by the other two major credit bureaus: Experian (www.experian.com) and TransUnion (www.transunion.com). Since Equifax's credit breach, the credit bureau's shares declined 31 percent in value from September 7 to 13, 2017. However, by July 2019, Equifax shares traded at $131 per share, down 8 percent from $141 per share just prior to the breach. Equifax reported 2018 total revenue of $3.4 billion and net income of $300 million. Interestingly, net income decreased by almost 50 percent from 2017. However, people still need a credit bureau, which puts them between a rock and a hard place.
Copyright
A statutory grant that provides the creators or owners of intellectual property with ownership of the property, also for a designated period.
1. What actions should Equifax have taken to prevent the breaches?
a) Active monitoring of the incidents should have been done.
b) A fraud alert should have been sent within the company ASAP to work on the fraud.
c) Customers should have been notified to make their accounts safe before the fraud occurred.
d) Encryption had to be performed; the question is why the information was leaked in plain text and no encryption was performed.
e) Freezing and locking out the customer information so that hackers cannot access any data.
Unintentional Threats
Acts performed without malicious intent that nevertheless represent a serious threat to information security.
• Human Errors
• Social Engineering
Information Security
all of the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.
Social Engineering
An attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords.
• Example: Kevin Mitnick, world-famous hacker and formerly on the FBI's most wanted list.
Trade Secret
an intellectual work, such as a business plan, that is a company secret and is not based on public information.
Patent
an official document that grants the holder exclusive rights on an invention or a process for a specified period of time.