Topic 5: Ethics and Security Professor J. Alberto Espinosa The Edge of IT ITEC-200 Fall 2006.

Date post: 26-Dec-2015
Upload: joshua-shepherd
Transcript
Page 1: Topic 5: Ethics and Security Professor J. Alberto Espinosa The Edge of IT ITEC-200 Fall 2006.

Topic 5: Ethics and Security

Professor J. Alberto Espinosa

[Figure: course framework diagram. Labels: Business World, Transactions, Transaction Processing, Client Appl, Server Appl, DB, Database, Information, Decision Support, Distributed Collaboration, Enterprise Collaboration, Financial Management, etc., ERP, Supply Chain Mgt, etc., (Inter/Intra) Network]

The Edge of IT ITEC-200 Fall 2006

Security & ECommerce p.2

Agenda

• Introduction to Ethics in the use and management of IT and information

• Introduction to key Information Security issues

Follow-up course: ITEC-350 Management Information Systems

Roadmap

[Figure: roadmap diagram. Labels: IT & Business; IT Infrastructure (HW & SW, Database, Telecom); Business Applications (Transaction Processing, Information, Decision Support, Distributed Collaboration, Enterprise Collaboration, Financial Management, etc.); Client Appl, Server Appl, DB; IT, Business & Ethics]

Ethics and IT

What are the ethical issues affecting the design and use of Information Technologies?

Ethical Issues in Information Systems

Greek: “ethos” = character, custom

Ethics = principles or standards of human conduct (right and wrong)

Key Concepts

1. Responsibility: accept the consequences of your actions

2. Accountability: to have mechanisms to see who is responsible for something

3. Liability: an obligation, usually with legal implications

4. Due process: the administration of justice according to established rules and principles

Ethical Dilemmas

• One set of interests is pitted against another
• One set of values competing with another
• Examples (view them from various perspectives):

– Do you copy software, music, gif files?
– Is it OK for web sites to force popup screens on you?
– Should companies have access to your SSN and every piece of information connected to it (e.g., crime records, credit records, etc.)?
– Should companies be able to collect and sell information about you and your purchase behavior?

How to Conduct an Ethical Analysis

1. Identify and describe the facts (what does the IT do? How is it being used?)

2. Define the conflict or dilemma and identify the higher order values (privacy, intellectual property, etc.)

3. Identify the stakeholders (who are affected?)

4. Identify options you can take (find optimal balance, not an ideal for all)

5. Identify and weigh potential consequences of each option

Ethical, Social & Political Issues

[Figure labels: Information & Technology; Information Rights & Obligations; Property Rights & Obligations; Accountability & Control; System Quality; Quality of Life; Ethical Issues, Social Issues, Political Issues; Individual, Society, Polity]

Information Rights

PRIVACY: Right to be free from unwanted intrusion
• IS makes invasion of privacy cheap, profitable and effective

FAIR INFORMATION PRACTICES (FIP):
• A set of principles set forth in 1973
• No secret personal records
• Individuals can access, amend information about themselves
• Use info only with prior consent
• Managers accountable for damage done by systems
• Governments can intervene

FIP is inadequate in the information age!!
– FIP extended by FTC more applicable to on-line activities
– Disclose data collection practices
– And how your info will be used

Information Rights

INFORMED CONSENT: Consent given to others to use/share your information with knowledge of all facts needed to make a rational decision.

Two methods used by companies to inform you:

OPTING OUT: Collect data by default until the user requests not to do so

OPTING IN: Don’t collect data unless specifically approved by the consumer

Internet Challenges to Privacy

• Information passes through many systems capable of monitoring and storing communications
• Including: e-mail messages, newsgroups, files accessed, web pages visited, items purchased, etc.
• If you reveal your identity, you can be monitored
• Cookies, Data Miners & Spyware: small files placed on your computer with information (interactive vs. privacy).
• Web Bugs or Invisible GIFs: when the invisible GIF loads it sends information back to the server (IP address of your computer, the URL of the page that you are viewing, the time you viewed it, cookie information, etc.)
• Under what conditions can someone invade the privacy of others?

Technical Solutions to Privacy Issues

• Cookies, data miners and spyware: block or limit cookies
  AdAware (Lavasoft): http://www.lavasoftusa.com/software/adaware/
  P3P: http://www.w3.org/P3P/

• Ads that pop up: control based on user profiles
  Ex. AdSubtract: http://www.adsubtract.com/

• Encrypting e-mail or data
  PGP: http://www.pgp.com/index.php
  SafeMessage.com: http://www.safemessage.com/

• Anonymizers: browse the web without being identified
  Anonymizer.com: http://www.anonymizer.com/

Property Rights: Intellectual Property

• Intellectual Property
– Intangible property created by individuals or corporations that is subject to protections under trade secret, copyright, and patent law
– Trade secrets: unique or novel elements, procedures, etc.
– Copyright: copying a product; how it can be used
– Patent: grant owner exclusive monopoly on an invention for 20 years
– Again, do you copy software? music? images?

Professional Codes Of Conduct

Recognition of professional status by the public depends not only on skill and dedication but also on adherence to a recognized code of professional conduct (like AU’s Academic Integrity Code)

Promulgated by associations, e.g.:

Assoc of Information Technology (AITP): http://www.aitp.org/

Assoc of Computer Machinery (ACM): http://www.acm.org/

Information Security

Are your system and information safe? How can you protect them?

The cost of cyber attacks

Security Issues

Sources of Vulnerability:

• Intruders (confidentiality)
• Hackers (system integrity)
• Eavesdroppers (privacy)
• Impostors (fraud)

Security Threats

Passive Attacks:
• Eavesdropping, intrusion
• Monitoring transmissions
• No harm to system or data
• Vulnerable points: wiring closets, exposed network cables, physical connection links, etc.

Active Attacks:
• Modification of the system or data
• Unauthorized access to the system or data
• A new trend: “Tools of Attack”

Solutions to Security Threats

• Encryption: modify data to prevent eavesdropping, intrusion, etc.

• Secure access to site: firewalls, passwords, authentication

• Secure access to applications: passwords, secure connections

• Secure transmissions: VPNs, encryption (SSL, SHTTP)

• Verify identities: authentication, digital certificates, digital signatures

Questions:
• Are you concerned about using your credit card to purchase books over the Internet from Amazon?
• Are you concerned about giving your credit card to a suspicious-looking waiter at an unknown restaurant?

Data Encryption

• Plaintext: a readable message (what we type/read)

• Cyphertext: a scrambled message after encryption (what is sent)

• Encryption algorithm: a program that alters plaintext into unreadable form [cyphertext]

• Decryption algorithm: a program that recovers the original plaintext from the cyphertext

• Encryption key: a specific pattern to be used to alter some bits in the plaintext via substitution and/or permutation. The exact alteration depends on the specific key and algorithm used

2 Types of Attacks on Encryption

• Brute Force: use of fast computers to try millions of bit pattern alterations on cyphertext until plaintext is recovered

• Cryptanalysis: analysis of cyphertext based on some knowledge of the encryption algorithm used.

Encryption Methods

1. “Conventional”, “Symmetric” or “Private Key” Encryption
• Both parties use the same key
• Key previously exchanged through a secure channel

2. “Asymmetric” or “Public Key” Encryption
• 2 separate, but mathematically related keys
• Either of the 2 keys can be used to encrypt
• But decryption can only be done with the other key
• One key is called the “Public Key”, which anyone can acquire to encrypt messages for the “key owner”
• The other key is called the “Private Key”, which the “key owner” uses to decrypt the message

Conventional, Private Key or Symmetric Encryption

[Figure: User A's plaintext goes through encryption to cyphertext, which goes through decryption back to plaintext at User B. Both users hold the same private key, “previously” exchanged via a secure channel.]

Advantages and Disadvantages

Advantages
• Fast
• Good for on-line encrypted communications
• Safe if private key not compromised

Disadvantages
• Difficult to distribute keys securely
• Need one private key for every 2 people
• Inconvenient when key is compromised

Asymmetric or Public Key Encryption

[Figure: User A's plaintext is encrypted with B’s public key into cyphertext, which User B decrypts back to plaintext with B’s private key. Wide distribution of B’s public key; it can only be used to encrypt messages for User B.]

Advantages and Disadvantages

Advantages
• Easy distribution of public key
• 1 public key can be used to communicate with many
• Useful for high volume electronic transactions
• Easy to generate and distribute new keys when a private key is compromised

Disadvantages
• Very slow

Creative Uses of Public Key Encryption (1)

Problem: How to get the benefits of Public Key encryption while getting around the problem of slow speed?

• Establish contact with the other party
• Generate a temporary private key for the “session”
• Send session key encrypted using public key
• Other party decrypts session key
• Encrypt/decrypt what follows using the session key
• Destroy session key when session ends
• The software takes care of all this

Creative Uses of Public Key Encryption (2)

Problem: How do I know a message (e.g., credit card number) from User A is really from User A and not from an impostor?

Solution: “Digital Signatures”

• Remember: you can use “either” key to encrypt
• User A encrypts some sort of user ID using his/her private key (only A has this private key)
• A sends this ID with the message to B
• B decrypts User A’s ID using A’s public key
• B now is assured that the message was sent by A
• Because only A has access to A’s private key
• All this is done by software
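
The session-key procedure and the digital-signature procedure from the two slides above, combined in one added Python example (not part of the original slides). It assumes textbook RSA with fixed toy primes and no padding, a SHA-256 keystream standing in for a real symmetric cipher, and hypothetical function names; it signs a digest of the message rather than a user ID, so a modified message also fails the check.

```python
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    """Toy RSA keys from two fixed primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa(key, value):
    """Textbook RSA, no padding: either key of a pair undoes the other."""
    exponent, n = key
    return pow(value, exponent, n)

def stream_xor(session_key, data):
    """Toy symmetric cipher (stand-in for AES): XOR with a SHA-256 keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(session_key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def digest_int(message):
    # 128-bit digest, so the value is smaller than the toy modulus
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")

def send(message, sender_private, recipient_public):
    session_key = secrets.token_bytes(16)   # temporary key for this session only
    wrapped = rsa(recipient_public, int.from_bytes(session_key, "big"))
    signature = rsa(sender_private, digest_int(message))
    return wrapped, stream_xor(session_key, message), signature

def receive(packet, recipient_private, sender_public):
    wrapped, ciphertext, signature = packet
    session_key = rsa(recipient_private, wrapped).to_bytes(16, "big")
    message = stream_xor(session_key, ciphertext)
    if rsa(sender_public, signature) != digest_int(message):
        raise ValueError("signature does not match sender's public key")
    return message

# Constructed sample keys (Mersenne primes; far too small and structured for real use)
A_PUBLIC, A_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)
B_PUBLIC, B_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)

if __name__ == "__main__":
    # Constructed sample message using a well-known test card number
    packet = send(b"card 4111-1111-1111-1111", A_PRIVATE, B_PUBLIC)
    print(receive(packet, B_PRIVATE, A_PUBLIC))
```

Only the 16-byte session key goes through the slow public-key operation; the message itself is handled by the fast symmetric step, which is the speed trade-off the first slide describes.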

Digital Signatures

[Figure labels: User A; Plaintext; Encryption with A’s Private Key; Cyphertext (Signature); Plaintext Message; Encryption; Cyphertext; To User B; A’s Encrypted Signature; A’s Public Key]

Digital Certificates

Problem: How do I know User A is a legitimate user/client?

Solution: “Digital Certificates”
• Provides further assurance that a user is legitimate
• Good for large volume electronic commerce transactions
• Need a 3rd party certification authority or agent (e.g., person, organization, computer such as a certificate server, etc.)
• Agent holds “official copies” of all public keys
• Agent certifies authenticity of all keys before session
• Agent transmits public keys to parties before they communicate

Web Security Products: Secure Socket Layer (SSL)

• Developed by Netscape
• Internet applications connect to TCP layer
• Connecting points are called “sockets”
• Encrypts transmissions between TCP layers
• For entire TCP transmission
• For any application that supports TCP (e.g., FTP, HTTP, Telnet, SMTP, etc.)

Web Security Products: Secure HTTP (SHTTP)

• Security enhancements for HTTP protocol

• i.e., web documents only

• Provides encryption, digital signatures, authentication, etc.

• Encrypts each web document separately

• SSL and SHTTP can be used jointly for added security

Using SHTTP and SSL on the Internet

[Figure: two protocol stacks connected through the Internet, each showing Physical Layer, Network Access Layer, IP, TCP, and an Internet Application (Ex: EMail, Web, etc.) using HTTP or SHTTP. Labels: SSL, Encrypted Communications; No SSL, Non-Encrypted Communications; Encrypted Web Pages; Non-Encrypted Web Pages]

Authentication: can be Biometric - Eye

Eye (Iris) scanning device at passport control in Netherlands

Authentication: can be Biometric - fingerprint

• Thriftway Supermarkets in Seattle, 2002: installed fingerprint device which authenticates use of card

Authentication: can be Biometric - hand geometry

