Monday, September 21, 2009

Week 5: Chapter 3 questions - Ethics, Privacy, and Information Security

1. Provide an IT example that relates to the ethical issues for the ideas of privacy, accuracy, property, and accessibility.

The major ethical issues related to IT are privacy, accuracy, property (including intellectual property), and accessibility to information. Privacy may be violated when data are held in a database or transmitted over networks. Privacy policies that address issues of data collection, data accuracy, and data confidentiality can help organizations avoid legal problems. Intellectual property is the intangible property created by individuals or corporations that is protected under trade secret, patent, and copyright laws. The most common intellectual property related to IT deals with software. Copying software without paying the owner is a copyright violation, and it is a major problem for software vendors.

· Privacy: involves collecting, storing, and disseminating information about individuals.
· Accuracy: involves the authenticity, fidelity, and accuracy of information that is collected and processed.
· Property: involves the ownership and value of information.
· Accessibility: revolves around who should have access to information and whether they should have to pay for this access.


2. What are the 4 general types of IT threats? Provide an example for each one

The 4 main types of IT threats are natural disasters, human error, management behaviour and technical failure.

The first type of IT threat, and the one with the least impact, is human error. It occurs when employees are not proficient in their duties: for instance, an employee deletes important customer records, sensitive company data is lost because of inadequate training in procedures, a public computer is left logged on, or applications are poorly written. Human error is thus caused by an individual without malicious intent. Examples of human error include tailgating (“hold the door”), shoulder surfing, carelessness with laptops, opening questionable emails and poor password selection.

In addition, the second IT hazard is natural disaster, which covers events that lead to the destruction of data systems, for example fires, floods, earthquakes and tsunamis. As a result, blackouts, brownouts and system failures occur. Though of the examples given, terrorism is the worst major threat; for instance, the 9/11 incident destroyed entire companies' personnel and computer systems.

Additionally, technical failure is another IT threat with greater risk, as it includes problems with hardware and software. The most common hardware problem is a crash of a hard disk. A notable hardware problem occurred when Intel released a Pentium chip with a defect that caused the chip to perform some mathematical calculations incorrectly. The most common software problems are errors called bugs in computer programs.

Finally, management behaviour is the highest-risk IT menace, as it involves a lack of funding for information security efforts and a lack of interest in those efforts. Such a lack of leadership will cause the information security of the organisation to suffer.

Virus Portal -www.virusportal.com/com/training/train_dat3.shtml

3. Describe/discuss three types of software attack and a problem that may result from them

There are many types of software attacks, for instance worms, Trojan horses, back doors, logic bombs, and password attacks, just to mention a few, though the main software attacks are viruses, Denial-of-Service attacks and phishing attacks.

A virus is a segment of computer code that performs malicious actions by attaching itself to another computer program. Viruses are therefore malevolent code that spreads by making copies of itself. The results can be simply annoying messages, or they can steal data or damage your computer system. The use of a firewall and up-to-date anti-virus software will assist in protecting the computer from these software attacks.

Secondly, a Denial-of-Service attack is when attackers send so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (i.e. ceases to function). It prevents a user from accessing a computer or website. For example, the front of a company network is overloaded with fake hits, which results in real business traffic being denied access to the website.
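The paragraph above describes the effect of a flood of requests. One common countermeasure is a per-client request budget, so that a single flooding source exhausts its own budget while other clients are still served. The following is an added example (not code from the original post): a sliding-window rate limiter run over constructed sample traffic. The client addresses, the one-second window and the limit of 20 requests per window are assumptions chosen for the demonstration.

```python
"""Per-client rate limiting as a simple DoS mitigation (added example).

Assumptions (not from the original post): requests are identified by a
client address, and the server serves at most MAX_PER_WINDOW requests per
client within a WINDOW_SECONDS sliding window. Requests over that budget
are rejected cheaply instead of being processed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0
MAX_PER_WINDOW = 20


class SlidingWindowLimiter:
    """Tracks recent request timestamps per client and enforces a budget."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._hits = defaultdict(deque)

    def allow(self, client, now):
        """Return True if the client's request at time `now` fits in its budget."""
        q = self._hits[client]
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(requests, limiter=None):
    """Run a list of (timestamp, client) requests through the limiter.

    Returns a dict: client -> {"served": n, "rejected": m}.
    """
    limiter = limiter or SlidingWindowLimiter()
    stats = defaultdict(lambda: {"served": 0, "rejected": 0})
    for ts, client in sorted(requests):
        key = "served" if limiter.allow(client, ts) else "rejected"
        stats[client][key] += 1
    return dict(stats)


def constructed_traffic():
    """Constructed sample traffic: one flooding source plus two normal clients."""
    reqs = []
    # Flooder (constructed address): 500 requests spread over one second.
    reqs += [(i / 500.0, "203.0.113.9") for i in range(500)]
    # Normal clients (constructed addresses): 5 requests each in the same second.
    reqs += [(i / 5.0, "198.51.100.2") for i in range(5)]
    reqs += [(0.1 + i / 5.0, "198.51.100.3") for i in range(5)]
    return reqs


if __name__ == "__main__":
    for client, s in simulate(constructed_traffic()).items():
        print(f"{client:15} served={s['served']:4} rejected={s['rejected']:4}")
```

In the simulation the flooding source gets only its 20-request budget and the remaining 480 requests are rejected, while both normal clients have all 5 of their requests served. A real deployment would place this check as early as possible (at a load balancer or edge proxy) so rejected requests cost almost nothing.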


Thirdly, phishing attacks use deception to acquire sensitive personal information through official-looking e-mails or instant messages. It is the use of bogus websites and emails to trick you into supplying confidential information. The most common are fake bank websites that appear to be the real thing and steal your credit card details. Spear phishing is a more targeted attempt aimed at a specific employee of a company.

4. Describe the four major types of security controls in relation to protecting information systems.

In order to protect the information system, organizations implement four different types of controls (countermeasures), which are designed to protect all of the components of an information system, including data, software, hardware and networks.

The four main categories include: physical, access, communications and application controls.

· Physical controls: prevent unauthorized individuals from gaining access to a company’s facilities. The main controls include walls, doors, fencing, gates, locks, and alarm systems. More sophisticated techniques include motion detectors and temperature sensors.
· Access controls: restrict unauthorized individuals from using information resources. This involves two major functions: authentication (establishing the identity of the person requiring access) and authorization (determining the actions, rights, or privileges the person has).
· Communication controls: secure the movement of data across networks. Communications controls consist of firewalls, anti-malware systems, intrusion detection systems, encryption, virtual private networking (VPN), and vulnerability management systems.
· Application controls: are security countermeasures that protect specific applications. The three major categories are input (e.g. Social Security), processing (e.g. matching time and employment cards) and output (documentation specifying) controls.

5. Name one recent software threat and briefly discuss its effects and resolutions?

A recent attack on Windows Live Messenger, a social networking site, was one of the most recent phishing software attacks. It demonstrated the attempt to obtain sensitive information, for instance passwords, usernames and personal information of the user. Recent research has stated that 75% of these phishing attacks are successful.

On the 15th September 2009, this attack was evidently seen: the scams sent instant messages asking the user to enter their password in order to see who has ‘blocked’ them, or in other cases messages appeared stating that your friend is ‘inviting you to see pictures of yourself’. Nevertheless, this has not been the only case: on June 5th 2008, offline friends sent links to inexplicable sites demanding their username and password. Examples of these phishing attacks can be seen at the following link: http://blog.trendmicro.com/see-who-blocked-you-on-msn-phishing-attacks/

6. What is the difference between authentication and authorization, and why are they important to e-Commerce? Give an example of their relevance to e-Commerce:

Authentication is the process that determines the identity of the person requiring access, whereas authorization is the process that determines which actions, rights, or privileges the person has, based on their verified identity.

Thus the importance of authentication and authorization to e-commerce is that companies need to know that their systems are safe and therefore their rights cannot be stolen.
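The distinction drawn in question 4 (access controls) and again here is easiest to see in code: authentication verifies a credential and yields an identity; authorization takes that identity and checks it against a policy. The following is an added example, not code from the original post. It assumes an e-commerce site with two constructed user accounts, a password store using salted PBKDF2 hashes, and a role-based permission table; the usernames, passwords, roles and action names are all invented for the demonstration.

```python
"""Authentication vs. authorization for a web shop (added example).

Authentication answers "who are you?" by verifying a credential.
Authorization answers "what may you do?" by checking the verified identity
against a permission policy. All user records, roles and permissions below
are constructed sample data, not from the original post.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def make_password_record(password):
    """Return (salt, hash) for storage; the plaintext password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store: username -> {salt, hash, role}
_USERS = {}
for _name, _pw, _role in [("alice", "correct horse battery", "admin"),
                          ("bob", "bob-s-password", "customer")]:
    _salt, _hash = make_password_record(_pw)
    _USERS[_name] = {"salt": _salt, "hash": _hash, "role": _role}

# Constructed policy: role -> set of permitted actions in the shop.
_PERMISSIONS = {
    "customer": {"view_catalog", "place_order", "view_own_orders"},
    "admin": {"view_catalog", "place_order", "view_own_orders",
              "view_all_orders", "issue_refund"},
}


def authenticate(username, password):
    """Verify identity. Returns the username on success, None otherwise."""
    record = _USERS.get(username)
    if record is None:
        # Hash anyway so unknown usernames take as long as wrong passwords.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], PBKDF2_ROUNDS)
    # Constant-time comparison of the two digests.
    if hmac.compare_digest(candidate, record["hash"]):
        return username
    return None


def authorize(username, action):
    """Check whether an already-authenticated user may perform `action`."""
    if username is None:
        return False
    role = _USERS[username]["role"]
    return action in _PERMISSIONS.get(role, set())


def attempt(username, password, action):
    """Run both steps; returns 'denied-authn', 'denied-authz' or 'ok'."""
    who = authenticate(username, password)
    if who is None:
        return "denied-authn"
    if not authorize(who, action):
        return "denied-authz"
    return "ok"


if __name__ == "__main__":
    print(attempt("alice", "correct horse battery", "issue_refund"))  # ok
    print(attempt("bob", "bob-s-password", "issue_refund"))         # denied-authz
    print(attempt("bob", "wrong password", "place_order"))          # denied-authn
```

The two failure modes are deliberately reported separately: a customer who logs in correctly but tries to issue a refund fails authorization, not authentication, and an unknown user or wrong password never reaches the policy check at all. Keeping the two steps as separate functions is what lets the shop change its permission policy without touching credential handling.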
