Professional Ethics in Information Technology
Chapter 3
Computer Threats and Risks
Terminology
Threat---a potential cause of an incident that may result in
harm to a system or organization
Vulnerability---a weakness of an asset (resource) or a group
of assets that can be exploited by one or more threats
Risk---potential for loss, damage, or destruction of an asset
as a result of a threat exploiting a vulnerability
Example: In a system that allows weak passwords,
Vulnerability---the password is susceptible to dictionary or exhaustive key-search attacks
Threat---an intruder can exploit the password weakness to break into the system
Risk---the resources within the system are exposed to unauthorized access, modification, or damage by the intruder.
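The weak-password example above, worked as an added illustration (not code from the slides): a small checker that ties the three terms together by treating a dictionary hit or a small search space as the vulnerability, an intruder guessing at an assumed rate as the threat, and the expected time to exhaustion as the risk. The dictionary and the guess rate are constructed assumptions.

```python
import string

# Constructed mini-dictionary of common passwords. Assumption: a real check
# would load a large breached-password list instead of this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

def charset_size(pw: str) -> int:
    """Size of the alphabet an exhaustive key search must cover for pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size

def exhaustive_guesses(pw: str) -> int:
    """Upper bound on guesses for an exhaustive key search: alphabet ** length."""
    return charset_size(pw) ** len(pw)

def assess(pw: str, guesses_per_second: float = 1e9) -> dict:
    """Tie the slide's three terms to one password.

    vulnerability: pw is in the dictionary or has a small search space
    threat: an intruder guessing offline at guesses_per_second (assumed rate)
    risk: expected seconds until the password falls; under a day is 'high'
    """
    in_dict = pw.lower() in COMMON_PASSWORDS
    if in_dict:
        seconds = len(COMMON_PASSWORDS) / guesses_per_second  # dictionary hit
    else:
        seconds = exhaustive_guesses(pw) / guesses_per_second
    if seconds < 86_400:
        risk = "high"
    elif seconds < 365 * 86_400:
        risk = "medium"
    else:
        risk = "low"
    return {"dictionary_hit": in_dict, "seconds_to_exhaust": seconds, "risk": risk}
```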
Threat agent---entities that would knowingly seek to
manifest a threat
Who is the enemy? Why do they do it?
Offenders
Crackers---mostly teenagers doing it as an
intellectual challenge
Information-system criminals---espionage
and/or fraud/abuse---for a nation/company to
gain a competitive advantage over its rivals
Vandals---authorized users and strangers
(cracker or a criminal)---motivated by anger
directed at an individual/organization/life in
general
Types of Perpetrators
Perpetrators include:
Thrill seekers wanting a challenge
Common criminals looking for financial gain
Industrial spies trying to gain an advantage
Terrorists seeking to cause destruction
Different objectives and access to varying
resources
Willing to take different levels of risk to
accomplish an objective
Ethics in Information Technology, Fourth Edition
Malicious Insiders
Major security concern for companies
Fraud within an organization is usually due to
weaknesses in internal control procedures
Collusion
Cooperation between an employee and an
outsider
Insiders are not necessarily employees
Can also be consultants and contractors
Extremely difficult to detect or stop
Authorized to access the very systems they abuse
Negligent insiders have potential to cause
damage
Industrial Spies
Use illegal means to obtain trade secrets from
competitors
Trade secrets are protected by the Economic
Espionage Act of 1996
Competitive intelligence
Uses legal techniques
Gathers information available to the public
Industrial espionage
Uses illegal means
Obtains information not available to the public
Cybercriminals
Hack into corporate computers to steal
Engage in all forms of computer fraud
Chargebacks are disputed transactions
Loss of customer trust has more impact than fraud
To reduce potential for online credit card fraud:
Use encryption technology
Verify the address submitted online against the
issuing bank
Request a card verification value (CVV)
Use transaction-risk scoring software
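The last countermeasure above, transaction-risk scoring, as an added example that is not from the slides or any real payment processor: an additive rule-based score combining the address-verification (AVS) and CVV results the slide also lists with geolocation and chargeback history. The weights, thresholds and the Transaction fields are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass
class Transaction:
    amount: float           # purchase amount in the merchant's currency
    avs_result: str         # issuing bank's address check: "match", "partial", "no_match"
    cvv_result: str         # card verification value check: "match" or "no_match"
    card_country: str       # country of the issuing bank (assumed looked up from the BIN)
    ip_country: str         # country geolocated from the customer's IP address
    prior_chargebacks: int  # disputed transactions previously filed on this account

def risk_score(tx: Transaction) -> int:
    """Additive rule-based score; higher means riskier. Weights are illustrative."""
    score = 0
    score += {"match": 0, "partial": 15, "no_match": 35}[tx.avs_result]
    score += {"match": 0, "no_match": 40}[tx.cvv_result]
    if tx.card_country != tx.ip_country:
        score += 20        # card issued in one country, order placed from another
    if tx.amount > 500:
        score += 10
    if tx.amount > 2000:
        score += 15
    score += min(tx.prior_chargebacks, 3) * 15   # cap so one field cannot dominate
    return score

def decide(tx: Transaction) -> str:
    """Map the score to the three outcomes a fraud-screening step usually has."""
    s = risk_score(tx)
    if s >= 70:
        return "decline"
    if s >= 35:
        return "manual_review"
    return "approve"

# Constructed sample orders (not real transactions).
CLEAN = Transaction(50.0, "match", "match", "US", "US", 0)
SUSPECT = Transaction(2500.0, "no_match", "no_match", "US", "RO", 1)
BORDERLINE = Transaction(120.0, "partial", "match", "CA", "US", 0)
```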
Hacktivists and Cyberterrorists
Hacktivism
Hacking to achieve a political or social goal
Cyberterrorist
Attacks computers or networks in an attempt to
intimidate or coerce a government in order to
advance certain political or social objectives
Seeks to cause harm rather than gather
information
Uses techniques that destroy or disrupt services
Motives of Cyber Criminal
Power assurance---to restore the criminal’s self-confidence
or self-worth through low-aggression
means, e.g. cyber stalking
Power assertive---to restore the criminal’s self-confidence
or self-worth through moderate- to
high-aggression means---not to harm the victim
but to gain control of the victim
Anger (retaliatory)---rage towards a person, group,
institution, or a symbol---the offender may believe
that they are correcting some injustice
Sadistic---derive gratification from the
pain/suffering of others
Profit-oriented---material or personal gain
Types of Perpetrators (cont’d.)
Risk = Threats x Vulnerabilities
Ref: [Link]
Types of Damage
Interruption---destroyed/unavailable
services/resources
Interception---unauthorized party
snooping or getting access to a resource
Modification---unauthorized party
modifying a resource
Fabrication---unauthorized party inserts a
fake asset/resource
Components of a Threat
Components
Threat agents---criminals, terrorists, subversive or secret groups, state
sponsored, disgruntled employees, hackers, pressure groups,
commercial groups
Capability---software, technology, facilities, education and training,
methods, books and manuals
Threat inhibitors---fear of capture, fear of failure, level of technical
difficulty, cost of participation, sensitivity to public perception, law
enforcement activity, target vulnerability, target profile, public
perception, peer perception
Threat amplifiers---peer pressure, fame, access to information,
changing high technology, deskilling through scripting, skills and
education levels, law enforcement activity, target vulnerability,
target profile, public perception, peer perception
Threat catalysts---events, technology changes, personal
circumstances
Threat agent motivators---political, secular, personal gain, religion,
power, terrorism, curiosity
Threat Agents
Types
Natural---fire, floods, power failure,
earthquakes, etc.
Unintentional---insider, outsider---primarily
non-hostile
Intentional---insider, outsider---hostile or
non-hostile (curious)
Foreign agents, industrial espionage, terrorists,
organized crime, hackers and crackers, insiders,
political dissidents, vendors and suppliers
Vulnerabilities
“Some weakness of a system that could allow
security to be violated.”
Types of vulnerabilities
Physical vulnerabilities
Natural vulnerabilities
Hardware/software vulnerabilities
Media vulnerabilities (e.g., stolen/damaged
disk/tapes)
Emanation vulnerabilities---due to radiation
Communication vulnerabilities
Human vulnerabilities
Why Computer Incidents Are So Prevalent
Increasing complexity increases vulnerability
Computing environment is enormously complex
Continues to increase in complexity
Number of entry points expands continuously
Cloud computing and virtualization software
Higher computer user expectations
Computer help desks under intense pressure
Forget to verify users’ IDs or check authorizations
Computer users share login IDs and passwords
Why Computer Incidents Are So Prevalent (cont’d.)
Expanding/changing systems introduce new risks
Network era
Personal computers connect to networks with
millions of other computers
All capable of sharing information
Information technology
Ubiquitous
Necessary tool for organizations to achieve
goals
Increasingly difficult to match pace of
technological change
Why Computer Incidents Are So Prevalent (cont’d.)
Increased reliance on commercial software
with known vulnerabilities
Exploit
Attack on information system
Takes advantage of system vulnerability
Due to poor system design or implementation
Patch
“Fix” to eliminate the problem
Users are responsible for obtaining and installing
Delays expose users to security breaches
Types of Exploits/Threats
Computers as well as smartphones can be
targets
Types of attacks
Virus
Worm
Trojan horse
Distributed denial of service
Rootkit
Spam
Phishing (spear-phishing, smishing, and vishing)
Botnets
Botnets
What they are:
A collection of software robots, or ‘bots’, that
creates an army of infected computers (known
as ‘zombies’) that are remotely controlled by
the originator. Yours may be one of them and
you may not even know it.
What they can do:
Send spam emails with viruses attached.
Spread all types of malware.
Can use your computer as part of a denial of
service attack against other systems.
Distributed denial-of-service (DDoS) attack
What it is:
A distributed denial-of-service (DDoS) attack is when a malicious
user gets a network of zombie computers to sabotage a specific
website or server. The attack happens when the malicious user tells
all the zombie computers to contact a specific website or server over
and over again. That increase in the volume of traffic overloads the
website or server, causing it to be slow for legitimate users,
sometimes to the point that the website or server shuts down
completely.
It could be possible for malicious users to use your computer in one
of these attacks. By taking advantage of security vulnerabilities or
weaknesses, an attacker could take control of your computer. He
or she could then force your computer to send huge amounts of
data to a website or send spam to particular email addresses. The
attacks are "distributed" because the attacker is using multiple
computers, including yours, to launch the denial-of-service attacks.
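The flood described above, seen from the server's side as an added detection example (not code from the slides): a per-source sliding-window counter over web-server access-log lines that flags any client exceeding a request threshold within a short window. The log excerpt is constructed inline from documentation-range addresses; the window and threshold are assumed values a defender would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line: str):
    """Extract (client IP, timestamp) from a common-log-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _request, _status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT)

def flood_sources(lines, window_seconds: int = 10, threshold: int = 50) -> dict:
    """Per-source sliding window: return {ip: peak requests inside any
    window_seconds span} for every source that ever exceeds threshold."""
    recent = defaultdict(deque)
    peaks = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # expire requests older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def build_sample_log() -> list:
    """Constructed log: three legitimate clients at 1 request/s and one
    zombie (203.0.113.7, a documentation address) hammering at 20 requests/s."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(30):
        stamp = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            lines.append(f'{ip} - - [{stamp}] "GET /index.html HTTP/1.1" 200 1024')
        for _ in range(20):
            lines.append(f'203.0.113.7 - - [{stamp}] "GET / HTTP/1.1" 503 0')
    return lines

if __name__ == "__main__":
    print(flood_sources(build_sample_log()))  # {'203.0.113.7': 220}
```

A single source at 220 requests per window stands out, but a real DDoS spreads the load over many zombies, so the same window logic is usually also run on aggregate request rate and on per-network prefixes.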
Hacking
What it is:
The process by which cyber criminals gain
access to your computer.
Hacking is a term used to describe actions
taken by someone to gain unauthorized
access to a computer. The availability of
information online on the tools, techniques,
and malware makes it easier for even
non-technical people to undertake malicious
activities.
Malware
Malware is one of the more common ways to infiltrate or damage your
computer.
What it is:
Malicious software that infects your computer, such as computer viruses,
worms, Trojan horses, spyware, and adware.
What it can do:
Intimidate you with scareware, which is usually a pop-up message
that tells you your computer has a security problem or other false
information.
Reformat the hard drive of your computer causing you to lose all your
information.
Alter or delete files.
Steal sensitive information.
Send emails on your behalf.
Take control of your computer and all the software running on it.
Pharming
Pharming is a common type of online fraud.
What it is:
A means to point you to a malicious and illegitimate
website by redirecting the legitimate URL. Even if the
URL is entered correctly, it can still be redirected to a
fake website.
What it can do:
Convince you that the site is real and legitimate by
spoofing or looking almost identical to the actual site
down to the smallest details. You may enter your
personal information and unknowingly give it to
someone with malicious intent.
Phishing
Phishing is used most often by cyber criminals because it's easy to
execute and can produce the results they're looking for with very little
effort.
What it is:
Fake emails, text messages and websites created to look like they're
from authentic companies. They're sent by criminals to steal personal
and financial information from you. This is also known as “spoofing”.
What it does:
Trick you into giving them information by asking you to update,
validate or confirm your account. It is often presented in a manner
that seems official and intimidating, to encourage you to take
action.
Provides cyber criminals with your username and passwords so that
they can access your accounts (your online bank account,
shopping accounts, etc.) and steal your credit card numbers.
Ransomware
What it is:
Ransomware is a type of malware that restricts access to your computer or your
files and displays a message that demands payment in order for the restriction to
be removed. The two most common means of infection appear to be phishing
emails that contain malicious attachments and website pop-up advertisements.
What it can do:
Lockscreen ransomware: displays an image that prevents you from accessing
your computer
Encryption ransomware: encrypts files on your system's hard drive and
sometimes on shared network drives, USB drives, external hard drives, and
even some cloud storage drives, preventing you from opening them
Ransomware will display a notification stating that your computer or data have
been locked and demanding a payment be made for you to regain
access. Sometimes the notification states that authorities have detected illegal
activity on your computer, and that the payment is a fine to avoid prosecution.
Spam
Spam is one of the more common methods of both sending
information out and collecting it from unsuspecting people
What it is:
The mass distribution of unsolicited messages, advertising or
pornography to addresses which can be easily found on the
Internet through things like social networking sites, company
websites and personal blogs.
What it can do:
Annoy you with unwanted junk mail.
Create a burden for communications service providers and
businesses to filter electronic messages.
Phish for your information by tricking you into following links
or entering details with too-good-to-be-true offers and
promotions.
Provide a vehicle for malware, scams, fraud and threats to
your privacy.
Spoofing
This technique is often used in conjunction with phishing
in an attempt to steal your information
What it is:
A website or email address that is created to look like it
comes from a legitimate source. An email address may
even include your own name, or the name of someone
you know, making it difficult to discern whether or not
the sender is real.
What it does:
Sends spam using your email address, or a variation
of your email address, to your contact list.
Recreates websites that closely resemble the
authentic site. This could be a financial institution or
other site that requires login or other personal
information.
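The phishing and spoofing sections above describe the same message shape: a sender that imitates a legitimate source, a link that does not go where it says, and wording that pushes the reader to act. The added example below (not code from the slides) checks a constructed message for those indicators; the sample message and the expected_domain allowlist value are assumptions, and all domains use the reserved .example TLD.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed message, not a real phish: the display name claims a bank,
# the sender domain is a look-alike, and the link text does not match the
# real link target. All domains use the reserved .example TLD.
SAMPLE_MSG = """\
From: "Bank Security Team" <alerts@bank-secure.example>
Return-Path: <bounce@bulkmailer.example>
To: customer@mail.example
Subject: Urgent: validate your account within 24 hours
Content-Type: text/html

<p>Please <a href="http://198.51.100.23/login">https://www.bank.example/login</a>
to confirm your account or it will be suspended.</p>
"""

LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY = ("urgent", "validate", "confirm your account", "suspended")

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def spoof_indicators(raw: str, expected_domain: str) -> list:
    """Return the reasons a message looks spoofed. expected_domain is the
    domain the sender claims to represent (assumed known, e.g. from an allowlist)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_dom = domain_of(msg["From"].addresses[0].addr_spec)
    if from_dom != expected_domain:
        reasons.append(f"From domain {from_dom} is not {expected_domain}")
    return_path = msg["Return-Path"]
    if return_path and domain_of(return_path.strip("<> ")) != from_dom:
        reasons.append("Return-Path domain differs from From domain")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in LINK_RE.findall(body):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname   # only set when the text is itself a URL
        if shown and shown != target:
            reasons.append(f"link text shows {shown} but points to {target}")
    haystack = (msg["Subject"] or "").lower() + " " + body.lower()
    if any(word in haystack for word in URGENCY):
        reasons.append("urgency or intimidation wording")
    return reasons
```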
Spyware & Adware
Spyware and adware are often used by third
parties to infiltrate your computer
What it is:
Software that collects personal information about you without you
knowing. They often come in the form of a ‘free’ download and are
installed automatically with or without your consent. These are difficult
to remove and can infect your computer with viruses.
What it can do:
Collect information about you without you knowing about it and
give it to third parties.
Send your usernames, passwords, surfing habits, list of applications
you've downloaded, settings, and even the version of your
operating system to third parties.
Change the way your computer runs without your knowledge.
Take you to unwanted sites or inundate you with uncontrollable
pop-up ads.
Trojan Horses
What it is:
A malicious program that is disguised as, or embedded
within, legitimate software. It is an executable file that
will install itself and run automatically once it's
downloaded.
What it can do:
Delete your files.
Use your computer to hack other computers.
Watch you through your web cam.
Log your keystrokes (such as a credit card number
you entered in an online purchase).
Record usernames, passwords and other personal
information.
Viruses
What they are:
Malicious computer programs that are often sent as an email
attachment or a download with the intent of infecting your computer,
as well as the computers of everyone in your contact list. Just visiting a
site can start an automatic download of a virus.
What they can do:
Send spam.
Provide criminals with access to your computer and contact lists.
Scan and find personal information like passwords on your
computer.
Hijack your web browser.
Disable your security settings.
Display unwanted ads.
Wi-Fi Eavesdropping
WiFi eavesdropping is another method used by
cyber criminals to capture personal information
What it is:
Virtual “listening in” on information that's shared over
an unsecure (not encrypted) WiFi network.
What it can do:
Potentially access your computer with the right
equipment.
Steal your personal information including logins
and passwords.
Worms
Harmful programs
Reside in active memory of a computer
Duplicate themselves
Can propagate without human
intervention
Negative impact of worm attack
Lost data and programs
Lost productivity
Additional effort for IT workers
Rootkits
Set of programs that enables its user to gain
administrator-level access to a computer
without the end user’s consent or knowledge
Attacker can gain full control of the system
and even obscure the presence of the rootkit
Fundamental problem in detecting a rootkit is
that the operating system currently running
cannot be trusted to provide valid test results
Summary
Ethical decisions in determining which
information systems and data most need
protection