Date post: | 26-Dec-2015 |
Category: |
Documents |
Upload: | joshua-shepherd |
View: | 215 times |
Download: | 0 times |
Topic 5: Ethics and Security
Professor J. Alberto Espinosa
B u s in e s s W o r ldT r a n s a c t io n s
T r a n s a c t io n P r o c e s s in g
C l ie n tA p p l
D B
S e r v e rA p p l
D BD a ta b a s e
In fo r m a t io nD e c is io n S u p p o r tD is t r ib u te d C o l la b o r a t io nE n te r p r is e C o l la b o r a t io nF in a n c ia l M a n a g e m e n t
e t c .
E R P , S u p p ly C h a in M g t , e t c .
( I n te r / I n t r a ) N e t w o r k
The Edge of IT ITEC-200 Fall 2006
Security & ECommerce p.2
Agenda
• Introduction to Ethics in the use and management of IT and information
• Introduction to key Information Security issues
Follow up course:ITEC-350
Management Information Systems
Security & ECommerce p.3
Roadmap
IT &Business
ITIn
fra
stru
ctu
re
Database
DB DB
IT Infrastrucure: - HW & SW - Database - Telecom
Transaction ProcessingB
usi
nes
sA
ppl
ica
tion
s InformationDecision SupportDistributed CollaborationEnterprise CollaborationFinancial Management
etc.Client Appl
ServerAppl
Business Applications
IT, Business & Ethics
Security & ECommerce p.4
Ethics and IT
What are the ethical Issues affecting the design and use of of Information Technologies?
Security & ECommerce p.5
Ethic Issues in Information Systems
Greek: “ethos” = character, customEthicsEthics = principles or standards of human
conduct (right and wrong)
Key Concepts
1. Responsibility: accept the consequences of your actions
2. Accountability: to have mechanisms to see who is responsible for something
3. Liability: an obligation, usually with legal implications4. Due process: the administration of justice according to
established rules and principles
Security & ECommerce p.6
• One set of interests is pitted against another• One set of values competing with another• Examples (view them from various perspectives):
–
Ethical Dilemmas
– Do you copy software, music, gif files?– Is it OK for web sites to force popup screens on you?– Should companies have access to your SSN and every
piece of information connected to it (e.g., crime records, credit records, etc.)
– Should companies be able to collect and sell information about you and your purchase behavior?
Security & ECommerce p.7
How to Conduct an Ethical Analysis
1. Identify and describe the Facts (what does the IT do? How is it being
used?)
2. Define the conflict or dilemma and identify the higher order values
(privacy, intellectual property, etc.)
3. Identify the stakeholders (who are affected?)
4. Identify options you can take (find optimal balance, not an ideal for all)
5. Identify and weigh potential consequences of each option
Security & ECommerce p.8
INDIVIDUAL
SOCIETY
POLITY
ETHICAL ISSUES
SOCIAL ISSUES
POLITICAL ISSUES
QUALITY OF LIFEQUALITY OF LIFE
INFORMATION INFORMATION RIGHTS & RIGHTS & OBLIGATIONSOBLIGATIONS
PROPERTY PROPERTY RIGHTS & RIGHTS & OBLIGATIONSOBLIGATIONS
ACCOUNTABILITY ACCOUNTABILITY & CONTROL& CONTROL
SYSTEM SYSTEM QUALITYQUALITY
Ethical, Social & Political Issues
INFORMATION INFORMATION & &
TECHNOLOGYTECHNOLOGY
Security & ECommerce p.9
Information RightsPRIVACY: Right to be free from unwanted intrusion• IS makes invasion of privacy cheap, profitable and effective
FAIR INFORMATION PRACTICES (FIP):• A set of principles set forth in 1973• No secret personal records• Individuals can access, amend information about themselves• Use info only with prior consent• Managers accountable for damage done by systems• Governments can intervene
FIP is inadequate in the information age!!– FIP extended by FTC more applicable to on-line activities– Disclose data collection practices– And how your info will be used
Security & ECommerce p.10
Information Rights
INFORMED CONSENT: Consent given to others to use/share your information with knowledge of all facts needed to make a rational decision.
Two methods used by companies to inform you:
OPTING OUTOPTING OUTCollect data by default until the user requests not to do so
OPTING INOPTING INDon’t collect data unless specifically approved by the consumer
Security & ECommerce p.11
Internet Challenges to Privacy• Information passes through many systems capable of monitoring
and storing communications• Including: e-mail messages, newsgroups files accessed, web pages
visited, items purchased, etc.• If you reveal your identity, you can be monitored
• Cookies, Data Miners & Spyware: Cookies, Data Miners & Spyware: small files placed on your computer with information (interactive vs. privacy).
• Web BugsWeb Bugs or Invisible GIFs—when the invisible GIF loads it sends information back to the server: (IP address of your computer, the URL of the page that you are viewing, the time you viewed it, cookie information, etc.)
• Under what conditions can someone invade the privacy of others?
Security & ECommerce p.12
Technical Solutions to Privacy Issues
•Cookies, data miners and spyware: block or limit cookies AdAware (Lavasoft):
http://www.lavasoftusa.com/software/adaware/ P3P: http://www.w3.org/P3P/
•Ads that pop up: control based on user profiles Ex. AdSubtract: http://www.adsubtract.com/
•Encrypting e-mail or dataPGP: http://www.pgp.com/index.phpSafeMessage.com: http://www.safemessage.com/
•Anonymizers: browse the web without being identifiedAnonymizer.com: http://www.anonymizer.com/
Security & ECommerce p.13
Property Rights: Intellectual Property
• Intellectual PropertyIntellectual Property– Intangible property created by individuals or
corporations that is subject to protections under trade secret, copyright, and patent law
– Trade secrets: unique or novel elements, procedures, etc.
– Copyright: copying a product; how it can be used– Patent: grant owner exclusive monopoly on an
invention for 20 years– Again, do you copy software? music? images?
Security & ECommerce p.14
Professional Codes Of ConductRecognition of professional status by the public
depends not only on skill and dedication but also on adherence to a recognized code of professional conduct (like AU’s Academic Integrity Code)
Promulgated by associations, e.g.:
Assoc of Information Technology (AITP):http://www.aitp.org/
Assoc of Computer Machinery (ACM):
http://www.acm.org/
Security & ECommerce p.15
Information Security
Is your system and information safe? How can you protect them?
Security & ECommerce p.16
The cost of cyber attacks
Security & ECommerce p.17
Sources of Vulnerability:
• Intruders (confidentiality)• Hackers (system integrity)• Eavesdroppers (privacy)• Impostors (fraud)
Security Issues
Security & ECommerce p.18
Security Threats
Passive Attacks:• Eavesdropping, intrusion• Monitoring transmissions• No harm to system or data• Vulnerable points: wiring closets, exposed
network cables, physical connection links, etc.
Active Attacks:• Modification of the system or data• Unauthorized access to the system or data• A new trend: “Tools of Attack”
Security & ECommerce p.19
Solutions to Security Threats
• Encryption: modify data to prevent eavesdropping, intrusion, etc.
• Secure access to site: firewalls, passwords, authentication
• Secure access to applications: passwords, secure connections
• Secure transmissions: VPNs, encryption (SSL, SHTTP)
• Verify identities: authentication, digital certificates, digital signatures
Questions:• Are you concerned about using your credit card to purchase
books over the Internet from Amazon?• Are you concerned about giving your credit card to a suspicious-
looking waiter at a unknown restaurant?
Security & ECommerce p.20
Data Encryption
• Plaintext: a readable message (what we type/read)
• Cyphertext: a scrambled message after encryption (what is sent)
• Encryption algorithm: a program that alters plaintext into unreadable form [cyphertext]
• Decryption algorithm: a program that recovers the original plaintext from the cyphertext
• Encryption key: a specific pattern to be used to alter some bits in the plaintext via substitution and/or permutation. The exact alteration depends on the specific key and algorithm used
Security & ECommerce p.21
2 Types of Attacks on Encryption
• Brute Force: use of fast computers to try millions of bit pattern alterations on cyphertext until plaintext is recovered
• Cryptanalysis: analysis of cyphertext based on some knowledge of the encryption algorithm used.
Security & ECommerce p.22
Encryption Methods
1. “Conventional”, “Symmetric” or “Private Key” Encryption• Both parties use the same key• Key previously exchanged thru secure channel
2. “Asymmetric” or “Public Key” Encryption• 2 separate, but mathematically related keys• Either of the 2 keys can be used to encrypt• But decryption can only be done with the other key• One key is called “Public Key” anyone can acquire to encrypt
messages for the “key owner”• The other key is called “Private Key” which the “key owner”
uses to decrypt the message
Security & ECommerce p.23
Conventional, Private Key or Symmetric Encryption
Plaintext PlaintextEncryption Cyphertext
%#†µ& !=÷#%%#†#%=÷†µ&
Decryption
User A User B
Private key “previously” exchanged via secure channel
Private Key Private Keysame key
Security & ECommerce p.24
Advantages and Disadvantages
Advantages• Fast• Good for on-line encrypted communications• Safe if private key not compromised
Disadvantages• Difficult to distribute keys securely• Need one private key for every 2 people• Inconvenient when key is compromised
Security & ECommerce p.25
Asymmetric or Public Key Encryption
Plaintext PlaintextEncryption Cyphertext
%#†µ& !=÷#%%#†#%=÷†µ&
Decryption
User A User B
B’s Private Key
B’s Public Key
Wide Distribution ofB’s Public Key
Can only be used to encrypt messages for User B
B’s Public Key
B’s Public Key
Security & ECommerce p.26
Advantages and Disadvantages
Advantages• Easy distribution of public key• 1 public key can be used to communicate with many• Useful for high volume electronic transactions• Easy to generate and distribute new keys when a
private key is compromised
Disadvantages• Very slow
Security & ECommerce p.27
Problem: How to get the benefits of Public Key encryption while getting around the problem of slow speed?
• Establish contact with the other party• Generate a temporary private key for the “session”• Send session key encrypted using public key• Other party decrypts session key• Encrypt/decrypt what follows using the session key• Destroy session key when session ends• The software takes care of all this
Creative Uses of Public Key Encryption (1)
Security & ECommerce p.28
Creative Uses of Public Key Encryption (2)Problem: How do I know a message (e.g., credit card number) from
User A is really from User A and not from an impostor?
Solution: “Digital Signatures”
• Remember: you can use “either” key to encrypt• User A encrypts some sort of user ID using his/her private key
(only A has this private key)• A sends this ID with the message to B• B decrypts User A’s ID using A’s public key• B now is assured that the message was sent by A• Because only A has access to A’s private key• All this is done by software
Security & ECommerce p.29
Digital Signatures
Plaintext Encryption •Cyphertext(Signature)•PlaintextMessage
User A
ToUser B
A’s Private Key
%#†µ& !=÷#%%#†#%=÷†µ&
%#†µ& !=÷#%%
A’s Public Key
A’s EncryptedSignature
Encryption Cyphertext
Security & ECommerce p.30
Problem: How do know User A is a legitimate user/client?
Solution: “Digital Certificates”• Provides further assurance that a user is legitimate• Good for large volume electronic commerce transactions• Need a 3rd party certification authority or agent
(e.g., person, organization, computer—a certificate server, etc.)• Agent holds “official copies” of all public keys• Agent certifies authenticity of all keys before session• Agent transmits public keys to parties before they communicate
Digital Certificates
Security & ECommerce p.31
Web Security Products:Secure Socket Layer (SSL)
• Developed by Netscape• Internet applications connect to TCP layer• Connecting points are called “sockets”• Encrypts transmissions between TCP layers• For entire TCP transmission• For any application that supports TCP
(e.g., FTP, HTTP, Telnet, SMTP, etc.)
Security & ECommerce p.32
Web Security Products:Secure HTTP (SHTTP)
• Security enhancements for HTTP protocol
• i.e., web documents only
• Provides encryption, digital signatures, authentication, etc.
• Encrypts each web document separately
• SSL and SHTTP can be used jointly for added security
Security & ECommerce p.33
Using SHTTP and SSLon the Internet
The Internet
Physical Layer
Network Access Layer
IP
HTTP, SHTTP
TCP
Physical Layer
Network Access Layer
IP
TCP
Internet Application
Ex: EMail, Web, etc.
HTTP, SHTTPSSL
No SSL
Encrypted Communications
Non-Encrypted Communications
EncryptedWeb Pages
Non-EncryptedWeb Pages
Security & ECommerce p.34
Authentication: can be Biometric - Eye
Eye (Iris) scanning device at passport control in Netherlands
Security & ECommerce p.35
Authentication: can be Biometric - fingerprint
• Thriftway Supermarkets in Seattle, 2002Installed fingerprint device which
authenticates use of card
Security & ECommerce p.36
Authentication: can be Biometric -
hand geometry