Date posted: 13-Dec-2015 | Category: Documents | Uploaded by: martin-andres-salgado-valdes
Ethics, Privacy and Information Security
Professors: Fernando Vásquez & Claudio Díaz
Ethical Issues
• Ethics
• Code of Ethics
Ethics
• A set of moral principles, especially ones relating to or affirming a specified group, field, or form of conduct
Ethics Code
• A system or collection of rules or regulations on any subject, in this case, ethical
Fundamental Tenets of Ethics
• Responsibility: accepting the consequences of your decisions and actions
• Accountability: determining who is responsible for the actions that were taken
• Liability: a legal concept that gives individuals the right to recover the damages done to them by other individuals, organizations, or systems
Unethical vs. Illegal
What is unethical is not necessarily illegal.
Ethical Issues Categories
• Privacy: collecting, storing and disseminating information about people
• Veracity: authenticity, accuracy and truthfulness of the information collected and processed
• Property: the owners of information and its value
• Accessibility: who should have access to information and whether they should pay for it
Privacy
• The sphere of private life that one has the right to protect from any interference (RAE)
• Courts around the world have followed two rules:
1. The right to privacy is not absolute; it must be balanced against the needs of society
2. The public's right to know is superior to the individual's right to privacy
Video
Threats to Privacy
• Data aggregators (lexisnexis.com), digital dossiers, and profiling
• Electronic surveillance
• Personal information in databases
• Information on Internet bulletin boards, newsgroups, and social networking sites
Personal Information in Databases
• Banks
• Utility companies
• Government agencies
• Credit reporting agencies
Social Networking Sites Can Cause You Problems
Anyone can post derogatory information about you anonymously. You can also hurt yourself.
Example
• Name: Luciano Caramori Gonzalez
• On Facebook, Twitter (@LucianoCaramori), LinkedIn
• Origin: Santiago, Chile
• Lives: Santiago de Chile
• Studies: Colegio Alcántara de Los Altos de Peñalolén, Los Andes Country Day College and UAI
• Travels: Uruguay (2013)
• Family: Bruno Caramori (brother)
• Girlfriend: Dani Riquelme Herrera, in a relationship since 24 February 2015
• Likes: Motorcycles (like his brother), Colo-Colo, soccer, reggae, rap & hip-hop, friends, house
Ethics?
What Can You Do?
First, be careful what information you post on social networking sites.
Second, a company, ReputationDefender, says it can remove derogatory information from the Web.
Protecting Privacy
• Privacy codes and policies
• Opt-out model
• Opt-in model
Factors Increasing the Threats to Information Security
• Today’s interconnected, interdependent, wirelessly networked business environment
• Government legislation
• Smaller, faster, cheaper computers and storage devices
• Decreasing skills necessary to be a computer hacker
Factors Increasing the Threats to Information Security (continued)
• Downstream liability
• International organized crime taking over cyber-crime
• Unmanaged devices
• Lack of management support
Key Information Security Terms
• Threat: any danger to which an information system may be exposed
• Exposure: the harm, loss, or damage that results if a threat materializes
• Vulnerability: the possibility that a system will be harmed by a threat
• Risk: the likelihood that a threat will occur
• Information system controls: measures that prevent a system from being compromised
Categories of Threats to Information Systems
• Unintentional acts
• Natural disasters
• Technical failures
• Management failures
• Deliberate acts
Unintentional Acts
• Human errors
• Deviations in quality of service by service providers (e.g., utilities)
• Environmental hazards (e.g., dirt, dust, humidity)
2010 Earthquake
• NetGlobalis and S&A: No problems; NetGlobalis's three operators ran on the datacenter's electrical generator after the earthquake and had no outage at all.
• Adexus (Miraflores 383, 2nd floor): Operating without problems or interruptions since day "D" and afterwards.
• NOC Telefónica Chile (San Martín 50): No problems.
• Entel: The datacenter and main operations center of the former state-owned company are located under the 127-meter tower that coordinates communication between the various points of the country, and both responded without problems. After the 1960 earthquake the necessary construction precautions were taken, and they were applied in building the emblematic structure.
• However, the newest data center of the time, Ciudad de Los Valles, suffered several outages because the generator sets did not start.
• Synapsis: Showed no problems at all and claimed 100% uptime. The machines did not fail over, and the available contingency or backup links were not used.
• Source: El Mostrador, 2010
Human Errors
• Tailgating
• Shoulder surfing
• Carelessness with laptops and portable computing devices
• Opening questionable e-mails
• Careless Internet surfing
• Poor password selection and use
• And more
Shoulder Surfing
Shoulder surfing occurs when…
Most Dangerous Employees Human resources and MIS
Remember, these employees hold ALL the information
Threats
Social Engineering
• Social engineering
• Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him
Kevin Mitnick
Deliberate Acts
• Espionage or trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information (for example, dumpster diving)
Deliberate Acts (continued)
• Software attacks
• Virus
• Worm
• Logic bomb
• Software attacks (continued)
• Phishing attacks
• Distributed denial-of-service attacks
Deliberate Acts (continued)
• Alien software
• Spyware (e.g., keyloggers)
• Spamware
• Zombie
• Cookies
Deliberate Acts (continued)
• Supervisory control and data acquisition (SCADA) attacks
Sabotage and Vandalism
• Cyberterrorism: premeditated, politically motivated attacks against information systems, programs, and data
• Cyberwar: a type of war in which the information systems of a country could be paralyzed by a massive attack carried out with destructive software
• Theft: illegally taking property that belongs to another person or organization
Example: Norse
• We can see some attacks using honeypots
27 January 2015
http://www.armada.mil.bo/
Risk Management
• Risk
• Risk management
• Risk analysis
• Risk mitigation
Risk Mitigation Strategies
• Risk acceptance
• Risk limitation
• Risk transference
Defense Mechanisms
Controls
• Physical controls
• Access controls
• Communications (network) controls
• Application controls
Access Controls
• Authentication
• Something the user is
• Something the user has
• Something the user does
• Something the user knows
• Passwords
• Passphrases
Access Controls (continued)
• Authorization
• Privilege
• Least privilege
Communication or Network Controls
• Firewalls
• Anti-malware systems
• Whitelisting and blacklisting
• Intrusion detection systems
• Encryption
Firewalls
Private and Public Keys
How Digital Certificates Work
• Digital certificate
• Certificate authorities
Digital Certificates
Communication or Network Controls (continued)
• Virtual private networking
• Secure Sockets Layer (now Transport Layer Security)
• Vulnerability management systems
• Employee monitoring systems
Virtual Private Network
Business Continuity Planning, Backup, and Recovery
• Hot Site
• Warm Site
• Cold Site
• Off-site
Information Systems Auditing
• Information systems auditing
• Audit
• Types of auditors and audits
• Internal
• External
Procedure for Auditing an IS
• Auditing around the computer: verify control processing by checking known outputs against specific inputs
• Auditing through the computer: inputs, outputs and processing are all verified
• Auditing with the computer: consists of using a combination of client data, the auditor's software, and the client's and auditor's hardware
Activity
• Imagine you are the CIO of and you are in charge of personal and private data from clients
1. Answer the 2nd question of: 1. Privacy 2. Accuracy 3. Property 4. Accessibility (Chapter 3, Table 3.1, Page 77)
2. What mechanisms would you use to defend the personal information of customers?