BUSI 1401 - Ch 3,4

Ethics

Principles of right and wrong that individuals use to make choices that guide their behaviour

Utilitarian approach

An ethical action is the one that provides the most good or does the least harm

Rights approach

Maintains that an ethical action is the one that best protects and respects the moral rights of the affected parties

Fairness approach

Ethical actions treat all human beings equally, or if unequally, then fairly, based on some defensible standard

Common good approach

Highlights the interlocking relationships that underlie all societies

Deontology approach

Morality of an action is based on whether that action itself is right or wrong under a series of rules, rather than based on the action’s consequences

Code of ethics

Collection of principles intended to guide decision making by members of the organization

Fundamentals of ethics

Responsibility, accountability, liability

Responsibility

Accept consequences of your decisions and actions

Accountability

Determining who is responsible for actions that were taken

Liability

Legal concept that gives individuals the right to recover damages done to them

Privacy issues

Collecting, storing, and disseminating information about individuals

Accuracy issues

Authenticity, fidelity, and correctness of information that is collected and processed

Property issues

Ownership and value of information

Accessibility issues

Revolve around who should have access to information and whether they should pay a fee for this access

Information privacy

Right to determine when, and to what extent, information about you can be gathered or communicated to others

Digital dossier

Electronic profile of someone and their habits

Profiling

Process of forming a digital dossier

Data aggregators

Collect public data and integrate it to form digital dossiers on adults, selling them to law enforcement agencies and companies

Customer intimacy

Companies want to know their customers better

Electronic surveillance

Rapidly increasing, particularly with the emergence of new technologies

Privacy policies/privacy codes

Org’s guidelines for protecting the privacy of its customers, clients, and employees

Opt-out model

Permits company to collect personal information until the customer specifically requests that the data not be collected

Opt-in model

Prohibits an organization from collecting any personal information unless the customer specifically authorizes it

P3P

Automatically communicates privacy policies between an electronic commerce website and visitors to that site

Personal Information Protecting and Electronic Documents Act

Canada’s privacy legislation - organizations are required to establish a privacy policy and procedures

General Data Protection Regulation

World’s strongest data protection laws

Personal data

Info that can be used to identify a person

Sensitive personal data

Genetic data, racial information, religious and political views, sexual orientation, etc.

Data controllers

Orgs that have relationships with data subjects

Data processors

Orgs that work for data controllers and process natural data on the controllers’ behalf

Security

Degree of protection against criminal activity, danger, damage, or loss

Information security

Processes and policies designed to protect an organization’s information and IS

Threat

Any danger to which a system may be exposed

Exposure

Harm, loss, or damage that can result if a threat compromises that resource

Vulnerability

Possibility that a threat will harm an information resource

Scripts

Information and computer programs that users with limited skills can download and use to attack any information system that is connected to the Internet

Cybercrime

Illegal activities conducted over computer networks - typically nonviolent, but lucrative

Social engineering

Attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information

Tailgating

Technique designed to allow perpetrator to enter restricted areas that are controlled with locks or card entry

Shoulder surfing

Perpetrator watches employee’s computer screen over their shoulder

Espionage/trespass

Unauthorized individual attempts to gain illegal access to organizational information

Competitive intelligence

Legal info-gathering techniques (ex: studying a company’s website and press releases)

Industrial espionage

Crosses legal boundary (ex: theft)

Information extortion

Attacker threatens to steal or actually steals info from a company and demands payment in return

Sabotage/vandalism

Deliberate acts that involve defacing an organization

Identity theft

Deliberate assumption of another person’s identity, usually to gain access to their financial information or to frame them for a crime

Intellectual property

Property created by individuals or corporations that is protected under trade secret, patent, and copyright laws

Trade secret

Intellectual work that is a company secret and is not based on public information

Patent

Official document that grants holder exclusive rights on an invention or a process for 20 years

Copyright

Statutory grant that provides the creators or owners of intellectual property with ownership of the property for the life of the creator + 50 years

Piracy

Copying a software program without making payment to the owner

Malware

Malicious software that infects computers

Virus

Segment of computer code that performs malicious actions by attaching to another computer program

Worm

Segment of computer code that performs malicious actions and will replicate or spread by itself

Phishing attack

Uses deception to acquire sensitive personal information by pretending to seem official

Spear phishing

Perpetrators find out as much info as they can about an individual, usually done through email

Denial-of-service attack

An attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes

Distributed denial-of-service attack

Attacker takes over many computers (bots) and uses these bots (form a botnet) to send info requests to a computer, making it crash

Trojan horse

Software programs that hide in another computer programs and reveal their behaviour only when they are activated

Back door

A password only known to the attacker that allows them to access a computer system at will

Logic bomb

Segment of computer code that is embedded within an organization’s computer programs and is designed to activate and perform a destructive action under specific conditions

Ransomware

Digital extortion that blocks access to a computer system or encrypts an org’s data until the org pays a sum of money

The most common method for ransomware attacks is…

Spear phishing

Ransomware-as-a-service

Type of ransomware where original creators publish the software on the Dark Web, allowing other criminals to use it in return for some of the ransom profits

Doxxing

Threatening to release encrypted data to the public

Alien software

Clandestine software that is installed on your computer through deceitful methods

The vast majority of pestware is…

Adware

Adware

Software that causes pop-up advertisements to appear on your screen

Spyware

Software that collects personal info about users without their consent

Keystroke loggers

Record both your individual keystrokes and your Internet web browsing history

Screen scraper/grabber

Software that records a continuous movie of a screen’s contents rather than simply recording keystrokes

Spamware

Pestware that uses your computer as a launchpad for spammers

Spam

Unsolicited email

Cookies

Small amounts of information that websites store on your computer, temporarily or permanently - can be useful and innocuous

SCADA

Large-scale distributed measurement and control system - link physical world and electronic world

Cyberterrrorism/cyberwarfare

Malicious acts in which attackers use a target’s computer systems to cause physical, real-world harm or severe disruption, often to carry out a political agenda

Risk

Probability that a threat will impact an information resource

Risk management

Identify, control, and minimize the impact of threats

3 processes of risk management

Risk analysis, risk mitigation, and controls evaluation

Risk analysis steps

Assessing the value of each asset being protected, estimating the probability that each asset will be compromised, and comparing the probability costs of the asset’s being compromised with the costs of protecting that asset

Risk mitigation

Organization takes concrete actions against risks - implements controls to prevent threats from occurring, and developing a means of recovery if the threat happens

Risk acceptance

Accept the potential risk, continue operating with no controls, and absorb any damages that occur

Risk limitation

Limit the risk by implementing controls that minimize the impact of the threat

Risk transference

Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance

Controls evaluation

Organization identifies security deficiencies and calculates the costs of implementing adequate control measures to compare against the value of those control measures

Controls/countermeasures/defence mechanisms

Safeguards assets, optimizes use of org’s resources, and prevents errors or fraud

Defence-in-depth

Orgs use layers of control to protect info systems against diverse threats

Most valuable control

User education and training

Control environment

Management attitudes towards controls, and stated policies and procedures

General Controls

Apply to more than one functional area

Application controls

Controls specific to one application

Security controls

Protect all components of an IS - includes data, software, hardware, and networks

Physical controls

Prevent unauthorized individuals from gaining access to a company’s facilities

Access controls

Restrict unauthorized individuals from using information resources - can be physical or logical

Logical controls

Implemented by software

Authentication

Confirms the identity of the person requiring access

Authorization

Determines which actions, rights, or privileges the person has, based on their verified identity

Biometrics

Authentication method that examines a person’s innate physical characteristics - active and passive categories

Passphrase

Series of characters that is longer than a password but still easy to memorize