Wednesday, September 16, 2009

Chapter Three: Ethics, Privacy and Information Security

Question One: Provide an IT example that relates to the ethical issues for the ideas of privacy, accuracy, property, and accessibility.

Privacy Issues: Using information about individuals for a purpose other than the one it was originally collected for

Accuracy Issues: Incorrect information stored in a database that affects the authenticity, fidelity and accuracy of the results

Property Issues: Software piracy

Accessibility Issues: Security clearances for sensitive information


Question Two: What are the 4 general types of IT threats? Provide an example for each one.

The four general types of IT threats are:

  • Human Error (examples include: tailgating, shoulder surfing, poor password selection and use)
  • Natural Disasters (examples include: floods, earthquakes, terrorist attacks)
  • Technical Failures (examples include: software bugs, hardware crashes)
  • Deliberate Acts (examples include: sabotage and white collar crimes)

Below is a diagram of IT threats:


Question Three: Describe/discuss three types of software attack and a problem that may result from them.

Three types of software attacks and their resulting problems include:

  • Distributed Denial-of-Service Attack: An attacker first takes over many computers typically by using malicious software. These computers are known as zombies or bots. The attacker uses these bots, which form a botnet, to deliver a coordinated stream of information requests to a target computer causing it to crash.
  • Phishing Attack: Phishing attacks use deception to acquire sensitive personal information by masquerading as official-looking emails or instant messages. Here sensitive personal information is gained by the attacker.
  • Back Door: Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures (also called a trap door). Here sensitive information is gained by the attacker.

Question Four: Describe the four major types of security controls in relation to protecting information systems.

  1. Physical Controls: prevent unauthorized individuals from gaining access to company's facilities. Examples of physical controls include: walls, doors, fencing, gates, locks, guards and alarm systems. More advanced physical controls include pressure sensors, temperature sensors and motion detectors.
  2. Access Controls: restrict unauthorized individuals from using information resources. These controls have two major functions: authorization and authentication. Examples include: passwords, voice recognition, biometrics and smart ID cards.
  3. Communication Controls: secure the movement of data across networks. Examples of communication controls include firewalls, anti-malware systems, intrusion detection systems, encryption and virtual private networking.
  4. Application Controls: security counter-measures that protect specific applications. There are three major categories of these controls: input, processing, and output controls. Input controls are programmed routines that are performed to edit input data for errors before they are processed. Processing controls balance the total number of transactions processed with the total number of transactions input or output. An example of output controls is the documentation specifying that authorized recipients have received their reports, paychecks, or other critical documents.
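As an added illustration of the three application-control categories above (not code from the original post), here is a small batch-processing routine over a constructed payroll batch: an input control edits each record for errors, a processing control balances the count and total of transactions processed against what was accepted, and an output control records that an authorized recipient received the report. All record values and recipient names are made up for the example.

```python
import hashlib

# Constructed sample batch of payroll transactions (not from the original post).
# Amounts are in cents. Two records are deliberately malformed.
SAMPLE_BATCH = [
    {"employee_id": "E001", "amount": 250000},
    {"employee_id": "E002", "amount": -15},       # negative amount: should be rejected
    {"employee_id": "", "amount": 180000},        # missing id: should be rejected
    {"employee_id": "E004", "amount": 300000},
]


def input_control(record):
    """Input control: edit a record for errors before it is processed.
    Returns a list of error strings; an empty list means the record passes."""
    errors = []
    if not record.get("employee_id"):
        errors.append("missing employee_id")
    amount = record.get("amount")
    if not isinstance(amount, int) or amount <= 0:
        errors.append("amount must be a positive integer number of cents")
    return errors


def process_batch(batch):
    """Run input controls, process the accepted records, then apply a processing
    control: the count and total processed must balance against the count and
    total that passed input editing."""
    accepted, rejected = [], []
    for rec in batch:
        errs = input_control(rec)
        (rejected if errs else accepted).append((rec, errs))
    control_count = len(accepted)
    control_total = sum(rec["amount"] for rec, _ in accepted)

    processed = [{"employee_id": rec["employee_id"], "amount": rec["amount"]}
                 for rec, _ in accepted]

    # Processing control: transactions in must equal transactions out.
    if len(processed) != control_count or sum(p["amount"] for p in processed) != control_total:
        raise RuntimeError("processing control failed: batch does not balance")
    return {"processed": processed, "rejected": [r for r, _ in rejected],
            "control_count": control_count, "control_total": control_total}


def output_control_receipt(report_bytes, recipient):
    """Output control: record that an authorized recipient received a report,
    keyed by a hash of the report contents so the log can be checked later."""
    return {"recipient": recipient, "sha256": hashlib.sha256(report_bytes).hexdigest()}
```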

Question Five: Name one recent software threat and briefly discuss its effects and resolutions.

A phishing attack on the social networking site Twitter has become one of the latest phishing attacks that use social networking sites to gain access to users' accounts. It has been said that 70 per cent of these attacks are successful.

The phishing attack has been done through its direct messages saying "rofl this you on here?" followed by a link that appears to be a video on a Twitter page. Twitter acknowledged the scam through a tweet on Wednesday, 23rd September 2009 saying: "A bit o'phishing going on--if you get a weird direct message, don't click on it and certainly don't give your login cred".

Twitter also advises those that have given their login password to immediately change their passwords.



Question Six: What is the difference between authentication and authorization, and why are they important to e-Commerce? Give an example of their relevance to e-Commerce.

Authentication determines the identity of the person requiring access. Authorization determines which actions, rights, or privileges the person has, based on verified identity.

Authentication and authorization are important in e-commerce because without these security controls, sensitive business information, for example a business plan or customer information, could be easily hacked into or sabotaged. If a business is not careful with this information, it could lose its competitive advantage to competitors.
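To make the distinction concrete, here is an added example (not from the original post) of a small e-commerce request handler: authentication verifies who is asking by checking a salted password hash, and authorization then decides whether that verified identity may perform the requested action, so a customer can place an order but cannot read the business plan. The user names, passwords, salts, roles and action names are all constructed for the example.

```python
import hashlib
import hmac


def _hash_password(password, salt):
    """Salted PBKDF2 hash; the store never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store (hypothetical, not from the original post).
_SALT_ALICE = b"constructed-salt-1"
_SALT_BOB = b"constructed-salt-2"
USERS = {
    "alice": {"hash": _hash_password("correct horse", _SALT_ALICE), "salt": _SALT_ALICE, "role": "customer"},
    "bob":   {"hash": _hash_password("staple battery", _SALT_BOB), "salt": _SALT_BOB, "role": "manager"},
}

# Authorization policy: which actions each role may perform in the shop.
PERMISSIONS = {
    "customer": {"place_order", "view_own_orders"},
    "manager": {"place_order", "view_own_orders", "view_customer_list", "view_business_plan"},
}


def authenticate(username, password):
    """Authentication: establish WHO is asking. Returns the verified username or None."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = _hash_password(password, user["salt"])
    if hmac.compare_digest(candidate, user["hash"]):  # constant-time comparison
        return username
    return None


def authorize(verified_user, action):
    """Authorization: decide WHAT a verified identity may do, based on its role."""
    if verified_user is None:
        return False
    role = USERS[verified_user]["role"]
    return action in PERMISSIONS.get(role, set())


def handle_request(username, password, action):
    """Authenticate first, then authorize. Both checks must pass."""
    who = authenticate(username, password)
    if who is None:
        return "denied: authentication failed"
    if not authorize(who, action):
        return f"denied: {who} is not authorized to {action}"
    return f"ok: {who} may {action}"
```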
