Week 10: Security and Ethics Lecture Notes
Project Management Recap
Last week's focus was on project management, highlighting two key concepts:
- Waterfall vs. Agile Methodology:
- Agile: Adaptable, responsive to changes.
- Waterfall: Suited to fixed requirements and strict adherence to standards (e.g., health and safety, building a plane).
- Project Management Triangle (Three Constraints):
- Quality delivery requires balancing time, cost, and scope.
- Scope: Often misunderstood; understand how changes impact other constraints.
Practical Application: Answers must be practical in exams. For example, avoid simply stating "costs will go up." Instead, specify why costs will increase (e.g., hiring more personnel).
Security and Ethics
Ethics
While the theory of ethics is important, real understanding comes from facing ethical dilemmas firsthand. The example used was from law enforcement: the reality of facing a threat (such as a gun pointed at your head) changes everything. We will touch on ethics briefly, but there won't be an exam question focused on it.
Data Collection: A Double-Edged Sword
The ability to track and use data offers immense value but carries risks if misused.
- Wi-Fi Tracking Example:
- Universities use Wi-Fi to track people's locations, useful for decisions like bathroom cleaning frequency.
- However, the same data can be used to track individual devices. If someone names their phone with personally identifiable information (e.g., "Jane Smith's iPhone"), the location history of that device becomes a record of where that person was.
- Safeguards are Crucial:
- Systems must restrict access to the raw data to authorised staff only.
- Every lookup of a specific device must be logged and auditable, so that misuse can be detected and attributed to the person who did it.
Data Privacy in the Age of AI
The combination of data collection and AI poses significant privacy risks.
- Historical Context:
- Early social media (e.g., Facebook) lacked privacy controls, leading to data exposure.
- An example given was an employee who lied to his boss about a family emergency and was caught when the boss saw photos of him on vacation.
The Reach of Tech Organizations
Tech giants have extensive access to personal data.
- Google Example:
- Google's reach spans search, email, devices, and even internet infrastructure.
- Concerns exist about data tracking, advertising, and potential privacy breaches. The lecture noted that Google keeps a record of your online activity for 18 months (18 months is the default auto-delete period for activity history on a Google account).
- Microsoft Example:
- Microsoft faced backlash for an AI tool that monitored user activity.
ISPs (e.g., Spark) also track browsing history.
Addressing Security and Ethical Issues
- A Flow Chart for Security/Ethical Questions
- Recognize Security Implications
- Outline Facts
- List Alternative Solutions
- Make a Decision
CSR (Corporate Social Responsibility)
Businesses should consider stakeholders beyond shareholders, including people and the environment.
- Shifting Legal Landscape (New Zealand): Recent legislation emphasizes maximizing shareholder profits, potentially conflicting with CSR principles.
Security Threats
- Frequency of Attacks: Universities face frequent hacking attempts.
- Sophistication: Attacks range from high-level system breaches to compromising individual people.
- Physical Security: Weak points often lie in human interactions (e.g., employees granting unauthorized access).
Example given: someone wearing a high-vis vest walked into a building's server room without ever being asked for identification.
Natural Disasters
Security measures must also address natural disasters.
- Data Backup: Maintaining offsite backups is crucial (e.g., backing up university data in Europe).
- Christchurch Earthquake Example: Even businesses whose employees were safe could not operate, because their premises and infrastructure were damaged.
Social Engineering
Social engineering exploits human psychology to gain access to systems or information.
- Example: A hacker used a persona to trick a customer service representative into revealing personal information.
- Social engineering is considered very easy to perform: most of the holes come from employees giving away information, or doing things they shouldn't, without a second thought.
- Low-Value Targets: Hackers target low-value accounts (e.g., Domino's) to gather personal information for accessing high-value targets (e.g., banks). For example, if a hacker gets into someone's Domino's account, they can use what they find there (address details, a reused password) to target that person's ASB (bank) account.
- Email Addresses: Use a separate email address for banking/official purposes, so a breach of a low-value account does not expose the address tied to your bank.
Have I Been Pwned
Website (https://haveibeenpwned.com/) to check whether an email address has appeared in a known data breach. Some of the breaches listed include:
- Adobe.
- Canva.
- Club Penguin.
- Dailymotion.
A hit means the password used on that site, and anywhere it was reused, should be changed.
Security Camera Security
- Default Passwords: Change the default passwords on home security cameras and Wi-Fi routers; default credentials are printed in manuals and easy to find online.
- Wi-Fi Router Security: Securing your router (a unique admin password, WPA2/WPA3 with a strong passphrase, firmware updates) keeps outsiders off the network the cameras sit on.
Risk Management Responses
Responses to Risk
Four standard responses to a potential or existing risk (such as a breach):
- Mitigate: Implement internal controls that reduce the likelihood or impact.
- Accept: Do nothing (valid when the cost of controls exceeds the expected loss).
- Transfer: Move the risk to a third party, e.g., hire consultants or buy insurance (insurance pays out money but does not repair brand damage).
- Avoid: Don't do the risky thing (useful if the activity isn't core to the business).
Disney Example
Disney's wearable bands with RFID chips were vulnerable to hacking. Applying the four risk responses:
- Accept: Not appropriate due to the potential for widespread credit card theft.
- Transfer: Purchasing insurance wouldn't address brand damage.
- Avoid: Eliminating wristbands would remove the risk, but could impact competitive advantage.
- Mitigate: Implementing effective controls would be the best approach.
Controls
Some controls include:
- Physical Access Controls.
- System Access Controls.
- Encryption.
- Firewalls.
- Intrusion Detection Systems.
VPNs
A VPN tunnels your traffic to the provider's server, so websites see the VPN's IP address rather than yours, and your ISP or the local network sees only encrypted traffic. It does not make you anonymous: the VPN provider now sees everything your ISP would have seen, so trust is moved rather than removed. VPNs are also used to access geographically restricted content.
Passwords
PINs
The most common PIN is 1234. You don't have to be perfectly secure, just more secure than the person next to you: attackers go for the easiest target.
Composition rules (one symbol, one number and one capital letter) are considered close to useless, because people satisfy them predictably (capital first, digit or symbol last) and cracking tools try those patterns first. The one thing that reliably helps is making the password longer.
Password Cracking
- A 7-character password can be brute-forced in less than a second.
- A 12-character password can take centuries to brute-force.
These figures assume an offline attack (the attacker has the stolen password hashes and tries guesses on GPU hardware against a fast hash). The exact numbers depend on the character set used and the guess rate, but the gap between 7 and 12 characters holds because the keyspace grows exponentially with length.
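The arithmetic behind those figures, as an added worked example (not from the lecture): keyspace is charset size to the power of length, and cracking time is keyspace divided by guess rate. The guess rates are assumptions chosen for illustration, not measurements. The script also shows why composition rules matter less than length, with the caveat that a pure keyspace model is only an upper bound for passwords that appear in wordlists.

```python
"""Brute-force keyspace arithmetic behind the "7 characters vs 12 characters" figures.
Added example for these notes; all guess rates are assumed for illustration."""
import string

SECONDS_PER_YEAR = 31_557_600  # Julian year

# Assumed offline guess rates (guesses per second). Illustrative, not measured:
# a GPU rig against a fast unsalted hash reaches tens of billions per second,
# while a deliberately slow password hash such as bcrypt drops that by orders of magnitude.
GUESS_RATES = {
    "fast unsalted hash (e.g. NTLM/MD5) on a GPU rig": 100_000_000_000,  # ~100 GH/s, assumed
    "slow password hash (e.g. bcrypt)": 10_000,                          # ~10 kH/s, assumed
}

# Character classes and their sizes; together they are the 95 printable ASCII characters.
CHAR_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` characters over `charset_size` symbols."""
    return charset_size ** length


def crack_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at the given rate (on average half of this)."""
    return keyspace(charset_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Round a duration to the unit a lecture slide would use."""
    if seconds < 1:
        return "less than a second"
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86_400:
        return f"{seconds / 3600:.0f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86_400:.0f} days"
    if years < 100:
        return f"{years:.0f} years"
    return f"{years / 100:,.0f} centuries"


def password_charset_size(password: str) -> int:
    """Charset size a brute-force attacker must cover, given the classes the password uses."""
    if not password or any(not (c.isascii() and c.isprintable()) for c in password):
        raise ValueError("only non-empty printable-ASCII passwords are modelled here")
    return sum(size for chars, size in CHAR_CLASSES.values() if any(c in chars for c in password))


def report(password: str, guesses_per_second: float) -> dict:
    """Brute-force cost of one password under the pure-keyspace model (an upper bound)."""
    size = password_charset_size(password)
    seconds = crack_seconds(size, len(password), guesses_per_second)
    return {
        "length": len(password),
        "charset": size,
        "keyspace": keyspace(size, len(password)),
        "seconds": seconds,
        "duration": human_duration(seconds),
    }


if __name__ == "__main__":
    fast = GUESS_RATES["fast unsalted hash (e.g. NTLM/MD5) on a GPU rig"]
    # Length, not the "one symbol, one digit, one capital" rule, is what moves the cost.
    for length in (7, 8, 10, 12):
        for name, size in (("lowercase only", 26), ("all printable ASCII", 95)):
            print(f"{length:2d} chars, {name:20s}: {human_duration(crack_seconds(size, length, fast))}")
    # Caveat: the keyspace figure is an upper bound. "P@ssw0rd" satisfies every composition
    # rule but sits in every wordlist, so a dictionary/rules attack finds it far sooner.
    for pw in ("P@ssw0rd", "correcthorsebatterystaple"):  # constructed sample passwords
        r = report(pw, fast)
        print(f"{pw!r}: {r['length']} chars over {r['charset']} symbols -> {r['duration']} (brute-force bound)")
```

Run it and the 7-character lowercase case comes out at "less than a second" while the 12-character printable-ASCII case is thousands of centuries at the assumed 100 GH/s; swap in the bcrypt rate and even short passwords become expensive, which is why the hash algorithm a site uses matters as much as your password.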