3. Ethics, Privacy and Information Security Sec 2

Date post: 13-Dec-2015
Upload: martin-andres-salgado-valdes
Description: Ethics
Ethics, Privacy and Information Security Professors: Fernando Vásquez & Claudio Díaz
Transcript
Page 1

Page 2

Ethical Issues

• Ethics

• Code of Ethics

Page 3

Ethics

• A set of moral principles, especially ones relating to or affirming a specified group, field, or form of conduct

Page 4

Page 5

Ethics Code

• A system or collection of rules or regulations on any subject, in this case ethical ones

Page 6

Page 7

Fundamental Tenets of Ethics

• Responsibility
  • Accept the consequences of your decisions and actions

• Accountability
  • Determining who is responsible for actions that were taken

• Liability
  • Legal concept that gives individuals the right to recover the damages done to them by other individuals, organizations, or systems

Page 8

Unethical vs. Illegal

What is unethical is not necessarily illegal.

Page 9

Ethical Issues Categories

• Privacy
  • Collecting, storing and disseminating information about people

• Veracity
  • Authenticity, accuracy and truthfulness of the information collected and processed

• Property
  • Ownership of information and its value

• Accessibility
  • Who should have access to information, and whether they should pay for it

Page 10

Privacy

• The sphere of private life that one has the right to protect from any interference (RAE)

• Courts around the world have followed two rules:

1. The right to privacy is not absolute; it must be balanced against the needs of society

2. The public's right to know is superior to the individual's right to privacy

Page 11

Video

Page 12

Page 13

Threats to Privacy

• Data aggregators (lexisnexis.com), digital dossiers, and profiling

• Electronic surveillance

• Personal information in databases

• Information on Internet bulletin boards, newsgroups, and social networking sites

Page 14

Personal Information in Databases

• Banks

• Utility companies

• Government agencies

• Credit reporting agencies

Page 15

Social Networking Sites Can Cause You Problems

Anyone can post derogatory information about you anonymously.

You can also hurt yourself.

Page 16

Example

• Name: Luciano Caramori Gonzalez
• On Facebook, Twitter (@LucianoCaramori), LinkedIn
• Origin: Santiago, Chile
• Lives: Santiago de Chile
• Studies: Colegio Alcántara de Los Altos de Peñalolén, Los Andes Country Day College and UAI
• Travels: Uruguay (2013)
• Family: Bruno Caramori (brother)
• Girlfriend: Dani Riquelme Herrera, in a relationship since 24 February 2015
• Likes: Motorcycles (like his brother), Colo-Colo, soccer, reggae, rap & hip hop, friends, house

Page 17

Ethics?

Page 18

What Can You Do?

First, be careful what information you post on social networking sites.

Second, a company, ReputationDefender, says it can remove derogatory information from the Web.

Page 19

Protecting Privacy

• Privacy codes and policies

• Opt-out model

• Opt-in model

Page 20

Factors Increasing the Threats to Information Security

• Today's interconnected, interdependent, wirelessly networked business environment

• Government legislation

• Smaller, faster, cheaper computers and storage devices

• Decreasing skills necessary to be a computer hacker

Page 21

Factors Increasing the Threats to Information Security (continued)

• Downstream liability

• International organized crime taking over cyber-crime

• Unmanaged devices

• Lack of management support

Page 22

Key Information Security Terms

• Threat
  • A danger to which an information resource may be exposed

• Exposure
  • The harm, loss, or damage that results if a threat materializes

• Vulnerability
  • The possibility that a threat will cause harm

• Risk
  • The likelihood that a threat will occur

• Information system controls
  • Measures that prevent compromise

Page 23

Categories of Threats to Information Systems

• Unintentional acts

• Natural disasters

• Technical failures

• Management failures

• Deliberate acts

Page 24

Unintentional Acts

• Human errors

• Deviations in quality of service by service providers (e.g., utilities)

• Environmental hazards (e.g., dirt, dust, humidity)

Page 25

2010 Earthquake

• NetGlobalis and S&A: No problems; NetGlobalis's three operators ran on the datacenter's electric generator after the earthquake and had no outage at all.

• Adexus (Miraflores 383, 2nd floor): Operating without problems or interruptions since day "D" and afterwards.

• NOC Telefónica Chile (San Martín 50): No problems.

• Entel: The datacenter and main operations center of the former state company are located under the 127-meter tower that coordinates communication between the various points of the country, and both responded without problems. After the 1960 earthquake the necessary structural precautions were taken, and these were applied in the construction of the emblematic structure.

• However, the newest data center of the time, Ciudad de Los Valles, suffered several outages because its generator sets did not start.

• Synapsis: They had no problems at all and stated that they had 100% uptime. The machines did not fail over, nor were the available contingency or backup links used.

• Source: El Mostrador, 2010

Page 26

Human Errors

• Tailgating
• Shoulder surfing
• Carelessness with laptops and portable computing devices
• Opening questionable e-mails
• Careless Internet surfing
• Poor password selection and use
• And more

Page 27

Shoulder Surfing

Shoulder surfing occurs when…

Page 28

Most Dangerous Employees: Human Resources and MIS

Remember, these employees hold ALL the information.

Page 29

Page 30

Threats

Page 31

Social Engineering

• Social engineering

• Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him

Page 32

Kevin Mitnick

Page 33

Deliberate Acts

• Espionage or trespass

• Information extortion

• Sabotage or vandalism

• Theft of equipment or information
  • For example, dumpster diving

Page 34

Deliberate Acts (continued)

• Software attacks
  • Virus
  • Worm
  • Logic bomb

Page 35

• Software attacks (continued)
  • Phishing attacks
  • Distributed denial-of-service attacks

Page 36

Page 37

Page 38

Page 39

Deliberate Acts (continued)

• Alien software
  • Spyware (e.g., keyloggers)
  • Spamware
  • Zombie
  • Cookies

Page 40

Deliberate Acts (continued)

• Supervisory control and data acquisition (SCADA) attacks

Page 41

Deliberate Acts (continued)

• Supervisory control and data acquisition (SCADA) attacks

Page 42

Sabotage and Vandalism

• Cyberterrorism
  • Premeditated, politically motivated attacks against information systems, programs, and data

• Cyberwar
  • A type of war in which a country's information systems could be paralyzed by a massive attack with destructive software

• Theft
  • Illegally taking property belonging to another person or organization

Page 43

Example: Norse

• We can see some attacks using honeypots

Page 44

Page 45

27 January 2015

http://www.armada.mil.bo/

Page 46

Risk Management

• Risk

• Risk management

• Risk analysis

• Risk mitigation

Page 47

Risk Mitigation Strategies

• Risk acceptance

• Risk limitation

• Risk transference

Page 48

Defense Mechanisms

Page 49

Controls

• Physical controls

• Access controls

• Communications (network) controls

• Application controls

Page 50

Access Controls

• Authentication
  • Something the user is
  • Something the user has
  • Something the user does
  • Something the user knows

• Passwords

• Passphrases

Page 51

Access Controls (continued)

• Authorization

• Privilege

• Least privilege

Page 52

Communication or Network Controls

• Firewalls

• Anti-malware systems

• Whitelisting and blacklisting

• Intrusion detection systems

• Encryption

Page 53

Firewalls

Page 54

Private and Public Keys

Page 55

How Digital Certificates Work

• Digital certificate

• Certificate authorities

Page 56

Digital Certificates

Page 57

Communication or Network Controls (continued)

• Virtual private networking

• Secure Sockets Layer (now Transport Layer Security)

• Vulnerability management systems

• Employee monitoring systems

Page 58

Virtual Private Network

Page 59

Business Continuity Planning, Backup, and Recovery

• Hot site

• Warm site

• Cold site

• Off-site

Page 60

Page 61

Information Systems Auditing

• Information systems auditing

• Audit

• Types of auditors and audits
  • Internal
  • External

Page 62

IS Audit Procedure

• Auditing around the computer
  • Verify control processing by checking known outputs against specific inputs

• Auditing through the computer
  • Inputs, outputs and processing are all verified

• Auditing with the computer
  • Consists of using a combination of client data, the auditor's software, and the client's and the auditor's hardware

Page 63

Activity

• Imagine you are the CIO of and you are in charge of personal and private data from clients

1. Answer the 2nd question of: 1. Privacy 2. Accuracy 3. Property 4. Accessibility (Chapter 3, Table 3.1, Page 77)

2. What mechanisms would you use to defend the personal information of customers?

Page 64