Computer Ethics & Social Issues

hakan


  1. Computer Ethics & Social Issues Computer & Internet Crime

  2. Anarchy in Cyberspace
     • “The Internet is the first thing that humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we have ever had.”
     • Eric Schmidt, former Google CEO
     • How is this true??

  3. Can You Define Internet Ethics?

  4. Hackers, Hacktivists, Cybercriminals
     • Hackers
       • Discover vulnerabilities and exploit them in computer systems and software; may be criminal in action but not necessarily in motive
     • Hacktivists
       • Hackers who perform their activities in pursuit of a political or social goal
     • Cybercriminals
       • Hackers or other perpetrators of illegal activity with the goal of personal gain

  5. Further classifications…
     • Malicious Insider
       • Employees, contractors, or consultants who have inside access to a system and do damage for personal gain
     • Industrial Spy
       • Captures trade secrets for competitive advantage
     • Cyberterrorist
       • Destroys critical infrastructure components of financial systems, utilities, and emergency response
     • All provide increasing levels of threat to EVERY business and government entity

  6. Movies portray as…

  7. The Reality is… http://www.wired.com/threatlevel/2014/01/teen-reported-security-hole/

  8. All IT Security Incidents are a Concern
     • Malware infection
     • Denial-of-Service (DoS) attack
     • Password sniffing
     • Web site defacement
     • Physical theft of computing devices
       • Laptops
       • Mobile devices
       • Phones

  9. Phases of an Attack
     • Planning
       • Why attack? For what purpose?
     • Scoping
       • How do you measure victory or failure?
     • Reconnaissance
       • Who, what, when, where, why, how?
     • Scanning
       • Find vulnerabilities in software, system, and/or organization
     • Exploitation
       • Deliver the attack, receive the result

  10. Planning, Scoping, Recon
     • Not always performed!!
     • Is this a targeted attack?
       • Deliberate attempts against a specific target almost always involve these three steps
       • UNLESS performed by less educated, ethically or morally motivated hacktivists or script kiddies
     • Is this a random drive-by?
       • Generally more automated and wide-reaching
         • Spam
         • Phishing
         • Botnet

  11. Planning, Scoping, Recon
     • Threat landscape
       • Does the target have ties to political, social, or financial institutions?
         • Has a higher threat value
     • Threat impact
       • Would the disruption of service have political, social, or financial repercussions?
         • Has a higher threat value
     • Threat resilience
       • Does the target actively protect itself from information gathering, or does it offer organizational data willingly?
         • Facebook, LinkedIn, Twitter, social engineering
         • Websites displaying employee contact information or information security policies, etc.

  12. Scanning
     • Enumerate vulnerabilities
       • Software
         • Out-of-date or unpatched OS or applications
         • Applications with known vulnerabilities
           • Flash, Java, Adobe Reader, etc.
       • System
         • Network access vulnerabilities
           • Unsecured wireless, easy access to network ports
         • Computer access vulnerabilities
           • Boots to USB, DVD, or via network

  13. Exploitation
     • Take advantage of discovered vulnerabilities through the use of one or more of the following:
       • Malware
       • DoS
       • Rootkits
       • Spam
       • Phishing
     • Other methods beyond the scope of this course:
       • SQL injection, Cross-Site Scripting, Man-in-the-Middle, Cryptographic attacks, etc., etc., etc.

  14. Malware

  15. Types of Malware
     • Virus
       • Stand-alone program, payload, or macro which causes a computer to behave in an unexpected and usually undesirable manner
     • Worm
       • Self-replicating stand-alone program which propagates itself via email
     • Trojan Horse
       • Malicious program which hides itself within another program that appears benign
     • Logic Bomb
       • A type of Trojan which only executes its malicious code as a result of a specific event

  16. DoS Attack
     • Denial-of-Service
       • Communication flood sent from an attacker machine to a victim machine
     • Ping of Death
       • “Are we there yet?”
     • Abuse of the TCP/IP handshake
       • SYN/ACK flood

  17. Botnet
     • Large collection of computers housing small software clients which are actively in communication with one or more remote controllers
     • Botnet “infected” machines are called zombies
     • Capable of large-scale Distributed DoS (DDoS)
     • Example: the Low-Orbit Ion Cannon & Operation Payback

  18. Rootkits
     • Set of programs which enable their user to gain admin rights to a target computer without the end-user’s consent or knowledge
     • RAT – remote administration tool
       • Some are legitimate – GoToMyPC
       • Some are not – Poison Ivy
     • Jailbreaking or rooting phones

  19. Spam
     • Abuse of email systems to send unsolicited email to large numbers of people
     • Low-cost commercial advertising
       • “Tired of the college bookstore prices? Get a better deal at…”
       • Not necessarily malicious
     • Porn, get-rich-quick schemes, stock info
       • Entices the recipient to navigate to a malicious website or open a malicious attached file

  20. Phishing
     • The act of fraudulently using email to try to get the recipient to disclose personal data
     • Con artist scam
       • The Nigerian Prince
         • “I can transfer $1,000,000 to your account…”
       • The Account Update
         • “Your information is out of date. Just click here…”
       • The New Email System
         • “Click here to access your new email. Just provide your old login and password…”
     • Spear-phishing: target UNG’s new email system
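The three scams on this slide share a handful of cues that user awareness training teaches people to spot. The following scorer is an added example for this lecture, not material from the slides: it rates a message on sender domain, requests for credentials, urgency, money lures, and links whose displayed address differs from their real destination. The trusted domain (ung.example.edu stands in for the university's real domain), the word lists, the thresholds and all four sample messages are constructed for the example.

```python
"""Heuristic phishing triage for the scams the slide lists.

Added example, not from the slides. Scores an email on the cues a user
awareness program teaches people to notice: sender outside the organization,
a request for credentials or account data, urgency pressure, a money lure,
and a link whose displayed address differs from where it really points.
The trusted domain, word lists and every sample message are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"ung.example.edu"}  # assumed organization domain (constructed)

URGENCY = ("urgent", "immediately", "out of date", "suspended", "within 24 hours", "verify now")
CREDENTIAL = ("password", "login", "account number", "social security")
MONEY = ("transfer", "$", "million", "inheritance")


@dataclass
class Message:
    from_addr: str
    subject: str
    body: str
    links: List[Tuple[str, str]] = field(default_factory=list)  # (displayed URL, real href)


def email_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def score_message(msg):
    """Return (score, reasons); each reason is (explanation, points)."""
    reasons = []
    text = f"{msg.subject} {msg.body}".lower()
    if email_domain(msg.from_addr) not in TRUSTED_DOMAINS:
        reasons.append(("sender is outside the trusted domains", 2))
    if any(w in text for w in CREDENTIAL):
        reasons.append(("asks for credentials or account data", 2))
    if any(w in text for w in URGENCY):
        reasons.append(("applies urgency pressure", 1))
    if any(w in text for w in MONEY):
        reasons.append(("dangles a money lure", 1))
    for shown, href in msg.links:
        if host_of(shown) != host_of(href):
            reasons.append((f"link shown as {host_of(shown)} really goes to {host_of(href)}", 2))
            break  # one mismatched link is enough to score
    return sum(points for _, points in reasons), reasons


def classify(msg, threshold=4):
    score, reasons = score_message(msg)
    return ("phishing" if score >= threshold else "ok"), score, reasons


# Constructed samples modelled on the slide's three scams, plus one ordinary notice.
NIGERIAN_PRINCE = Message(
    "prince@example.net", "Urgent business proposal",
    "I can transfer $1,000,000 to your account. Send your account number and bank login.")
ACCOUNT_UPDATE = Message(
    "it-support@example-mail.net", "Account update required",
    "Your information is out of date. Just click here to confirm your password.",
    [("https://ung.example.edu/account", "http://ung-account.example-mail.net/login")])
NEW_EMAIL_SYSTEM = Message(
    "mail-admin@ung.example.edu", "Your new email system",  # sender forged to look internal
    "Click here to access your new email. Just provide your old login and password.",
    [("https://mail.ung.example.edu", "https://mail-ung.example.net")])
LIBRARY_NOTICE = Message(
    "helpdesk@ung.example.edu", "Library hours",
    "The library closes at 5pm on Friday. See the calendar for details.",
    [("https://ung.example.edu/calendar", "https://ung.example.edu/calendar")])

if __name__ == "__main__":
    for m in (NIGERIAN_PRINCE, ACCOUNT_UPDATE, NEW_EMAIL_SYSTEM, LIBRARY_NOTICE):
        verdict, score, reasons = classify(m)
        print(f"{m.subject!r}: {verdict} (score {score})")
        for why, pts in reasons:
            print(f"    +{pts} {why}")
```

The "new email system" sample is the spear-phishing case: its sender address is forged to look internal, so the sender check scores nothing, and it is the credential request plus the mismatched link that still push it over the threshold. That is the point worth making in employee education: no single cue is reliable, and a forged sender is the easiest one to fake.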

  21. Punishing Cybercrime

  22. Federal Laws
     • USA PATRIOT Act
       • Defines cyberterrorism and its penalties
     • Identity Theft and Assumption Deterrence Act
       • Makes identity theft a federal crime with penalties up to 15 years imprisonment and a maximum fine of $250,000

  23. Federal Laws
     • Fraud and Related Activity in Connection with Access Devices Statute
       • Criminalizes the possession, trafficking, and/or use of counterfeit communications devices
     • Stored Wire and Electronic Communications and Transactional Records Access Statutes
       • Criminalizes unlawful access to stored communications to obtain, alter, or prevent authorized access to a wire or electronic communication while it is in electronic storage

  24. Federal Laws
     • Computer Fraud and Abuse Act
       • Criminalizes fraud and related activities in association with computers:
         • Accessing a computer without authorization or exceeding authorized access
         • Transmitting a program, code, or command that causes harm to a computer
         • Trafficking in computer passwords
         • Threatening to cause damage to a protected computer

  25. Laws outside of the U.S.A.
     • Germany
       • Section 303b, Computer Sabotage
         • 5 years imprisonment or fines are imposed for interfering with data processing essential to another business, another's enterprise, or an administrative authority
     • Malaysia
       • Computer Crimes Act
         • Unauthorized modification of the contents of any computer results in 10 years imprisonment for each offense

  26. Cybercrime is Bad
     • Deterrents exist via legal systems
     • So why is there still so much crime?
       • ID Theft
       • DoS
       • Espionage
       • Child Pornography
       • Extortion
       • Fraud
     • It is easy to perform and get away with, relative to other crimes, due to virtualization

  27. Preventing Cyber Attacks

  28. Risk Assessments
     • Process of assessing security-related risks to an organization’s computers and networks from both internal and external threats
       • Schedule regular internal audits
       • Hire outside consultants to perform fresh assessments every few years
     • Reasonable Assurance
       • The cost of the control does not exceed the system’s benefits or the risks involved

  29. Security Policy
     • Defines an organization’s security requirements as well as the controls and sanctions needed to meet those requirements
       • Ethics Policy
       • Information Sensitivity Policy
       • Risk Assessment Policy
       • Personal Communications Devices Policy

  30. Employee Education
     • User awareness
       • Is the Ethics Policy well understood, or is it just another item in the handbook, unread?
         • Have you ever read an Employee (or Student) Handbook?
       • Being constantly reminded about password policies can be annoying, but effective
     • Adherence to policy
       • If Big Brother is watching, are you more cautious?

  31. Prevention of Cyberattack
     • Firewalls
       • Actively block communication via identified ports and protocols
     • Intrusion Prevention System (IPS)
       • Actively blocks malware, malformed packets, and other threats via signature database comparison
     • Antivirus Software
     • Identity Management
     • Keep current on current vulnerabilities
       • US-CERT
     • Security Audits
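A firewall, as the slide says, blocks by port and protocol; what decides whether it actually protects a host is the policy applied when no rule matches. The following rule evaluator is an added example written for this lecture, not the slides' own material and not any real firewall's syntax: it walks a rule list first-match-first, then falls back to a default, and an audit function shows which probes a default-allow policy lets through that default-deny would have blocked. The rule set, the assumed internal range 10.0.0.0/8, and the probe packets are all constructed.

```python
"""First-match firewall rule evaluation with default-deny versus default-allow.

Added example, not from the slides and not any vendor's rule syntax. A
firewall permits or blocks traffic by port and protocol, and the decision
that matters most is what happens when no rule matches. Rules, address
ranges and probe packets are constructed; 10.0.0.0/8 is assumed internal.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    src_net: str             # CIDR; "0.0.0.0/0" matches any source

    def matches(self, src_ip, proto, dst_port):
        return (
            self.proto in ("any", proto)
            and (self.dst_port is None or self.dst_port == dst_port)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_net)
        )


def evaluate(rules, src_ip, proto, dst_port, default="deny"):
    """Walk the rules in order; the first match decides, otherwise the default policy."""
    for rule in rules:
        if rule.matches(src_ip, proto, dst_port):
            return rule.action
    return default


# Constructed rule set for a public web server that is administered from inside.
SERVER_RULES = [
    Rule("allow", "tcp", 443, "0.0.0.0/0"),  # HTTPS from anywhere
    Rule("allow", "tcp", 22, "10.0.0.0/8"),  # SSH only from the (assumed) internal range
    Rule("deny", "tcp", 22, "0.0.0.0/0"),    # explicit deny for SSH from everywhere else
]

# Constructed probe packets: (source IP, protocol, destination port)
PROBES = [
    ("203.0.113.5", "tcp", 443),   # public HTTPS client
    ("203.0.113.5", "tcp", 22),    # SSH from the Internet
    ("10.1.2.3", "tcp", 22),       # SSH from inside
    ("203.0.113.5", "tcp", 3389),  # RDP, no rule written for it
    ("203.0.113.5", "udp", 161),   # SNMP, no rule written for it
]


def audit(rules, default="deny"):
    """Decision for every probe under the given default policy."""
    return {probe: evaluate(rules, *probe, default=default) for probe in PROBES}


def unlisted_ports_open(rules):
    """Probes a default-allow policy lets through that default-deny would block."""
    strict, loose = audit(rules, "deny"), audit(rules, "allow")
    return [p for p in PROBES if strict[p] == "deny" and loose[p] == "allow"]


if __name__ == "__main__":
    for probe, decision in audit(SERVER_RULES).items():
        print(probe, "->", decision)
    print("exposed only by default-allow:", unlisted_ports_open(SERVER_RULES))
```

Rule order matters as much as the default: the explicit SSH deny is listed after the internal allow, so inside hosts still reach port 22 while everyone else is refused regardless of default policy. The two services nobody wrote a rule for (RDP and SNMP in the constructed probes) are exactly the ones a default-allow policy exposes.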

  32. Detection and Response
     • Intrusion Detection System (IDS)
       • Software/hardware which monitors computer and network behavior for malicious activity
       • Passive
         • Requires after-action audit to identify & respond
     • Incident Response
       • Contain malicious activity or damage done
       • Remove the offensive activity or repair damage in a timely fashion
       • Follow up with a detailed after-action review for future defense or quicker detection/response
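Slide 16 names the SYN flood as an abuse of the TCP/IP handshake and this slide describes the IDS as a passive monitor of network behavior; the following detector ties the two together. It is an added example for this lecture, not code from the slides: a SYN flood leaves the victim holding handshakes that were started (SYN) but never completed (ACK), so the detector counts those half-open connections per source and victim-wide. The log format, the thresholds and every address in the sample log are constructed.

```python
"""Half-open (SYN) flood detection over constructed connection-log lines.

Added example, not from the slides. A SYN flood abuses the TCP three-way
handshake by sending SYNs and never finishing with the ACK, so the victim
holds many half-open connections. The detector counts, per source, SYNs
the victim saw minus the ACKs that completed them, and also totals
half-open connections across all sources, because a spoofed flood spreads
its SYNs over many addresses and never trips a per-source threshold.
Log format, thresholds and all addresses are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed log format, one line per segment seen by the victim:
#   <time> <source_ip> <destination_port> <tcp_flags>
LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<port>\d+)\s+(?P<flags>[A-Z-]+)$")


def parse_line(line):
    """Return (src_ip, dst_port, flags), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), int(m.group("port")), m.group("flags")


def half_open_by_source(log_text):
    """Map each source IP to its count of handshakes started but never completed."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash the detector
        src, _port, flags = rec
        if flags == "SYN":
            syns[src] += 1
        elif flags == "ACK":
            acks[src] += 1
    # An ACK without a preceding SYN is not a completed handshake, so clamp at zero.
    return {src: max(0, syns[src] - acks[src]) for src in syns}


def detect_syn_flood(log_text, per_source_threshold=5, global_threshold=20):
    """Flag loud single sources and, separately, a distributed or spoofed flood."""
    half_open = half_open_by_source(log_text)
    offenders = sorted(src for src, n in half_open.items() if n >= per_source_threshold)
    total = sum(half_open.values())
    return {
        "offenders": offenders,    # sources over the per-source threshold
        "total_half_open": total,  # victim-wide half-open connections
        "flood": bool(offenders) or total >= global_threshold,
    }


# Constructed sample: two normal clients that complete their handshakes, one
# loud source that sends six SYNs and no ACK, and 25 spoofed sources with one
# unanswered SYN each (what a spoofed flood looks like in the log).
SAMPLE_LOG = "\n".join(
    [
        "10:00:01 192.0.2.10 80 SYN",
        "10:00:01 192.0.2.10 80 ACK",
        "10:00:03 192.0.2.10 80 FIN",
        "10:00:02 192.0.2.11 443 SYN",
        "10:00:02 192.0.2.11 443 ACK",
    ]
    + ["10:00:05 203.0.113.7 80 SYN"] * 6
    + [f"10:00:06 198.51.100.{i} 80 SYN" for i in range(1, 26)]
)

if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE_LOG))
```

Because this runs over a log after the fact, it is the passive IDS of the slide: it tells the responder which sources to contain and how bad the backlog was, but it blocks nothing. The two thresholds are the design choice worth noticing: a per-source count catches one noisy machine, while the victim-wide total is what catches a flood whose source addresses are spoofed and therefore never repeat.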

  33. Computer Forensics • Discipline which combines elements of law and computer science to identify, collect, examine, and preserve data from computer systems, networks, and storage devices in a manner that preserves the integrity of the data gathered so that it is admissible as evidence in a court of law.

  34. Applicable Constitutional Amendments and Statutes
     • Fourth Amendment
       • Protects against unreasonable search and seizure
     • Fifth Amendment
       • Protects against self-incrimination
     • Wiretap Act
     • Pen Registers and Trap and Trace Devices Statute
     • Stored Wire and Electronic Communications Act

  35. Questions
     • When are certain communications illegal?
       • Think DoS vs. email
     • When is an electronic communication malicious and when is it not? Who decides?
     • Whose responsibility is it to secure a computing system?
       • Are the IT guys responsible for locking your computer while you are away from your desk?
       • Is there a policy stating that they must?
