rainer_c03_060-103hr.qxd 7-02-2008 16:36 Page 60
This information systems world we live in is filled with many types of people and organizations. Unfortunately, not all of them are honest. Controls help honest people stay honest and detect potential problems. What type of information systems problems should we protect ourselves and our organizations against? What are the different types of controls and how can information systems auditors help in the control evaluation process? This chapter will first look at some ethical problems that can arise when using information systems, and then at the threats and compensating controls that can be implemented in
ETHICS, PRIVACY, AND INFORMATION SECURITY
CHAPTER OUTLINE AND LEARNING OBJECTIVES
3.1 ETHICAL ISSUES
Describe the major ethical issues related to information technology, and identify situations in which they occur.
to use a particular website.
BUSINESS RISKS: A marketing department could sell private information without
3.2 THREATS TO INFORMATION SECURITY
Identify the many threats to information security.
BUSINESS OPPORTUNITIES: New anti-spyware products and innovative fraud detection software can earn high revenues.
BUSINESS RISKS: Spyware could track your usage and capture your passwords for unauthorized access to your financial information.
3.3 PROTECTING INFORMATION RESOURCES
Understand the various defence mechanisms used to protect information systems.
BUSINESS OPPORTUNITIES: Well-protected data and systems will enable websites to serve customers without threat of interruption.
BUSINESS RISKS: Poorly designed or outdated firewalls will enable hackers to access
Explain IT auditing and planning for disaster recovery.
BUSINESS OPPORTUNITIES: Duplicated systems and alternative plans will enable organizations to continue to serve customers even in the face of hardware or software
BUSINESS RISKS: Poorly designed disaster recovery systems will result in excess downtime in the event of a hardware failure.
THE WORST RETAIL DATA
THE BUSINESS PROBLEM
The TJX Companies Inc. (www.tjx.com), a $16-billion retail conglomerate, operates some 2,500 stores around the world, including T.J. Maxx, Marshalls, HomeGoods, Bob’s Stores, and A.J. Wright stores in the United States, and Winners and HomeSense stores in Canada. On January 17, 2007 the company reported that an intrusion into its customer transaction management systems had compromised the personal data of a number of its customers. The security breach involved systems that handle customer credit card, debit card, cheque, and merchandise return transactions. At first, the company did not state how many customers were affected by the incident, but later revealed that credit card information on 46 million of its customers had been compromised.
The company said that the data involved was related to people who shopped at its stores during 2003 and 2004, as well as between May and December of 2006. TJX learned of the breach in mid-December 2006, but it did not release the information at that time at the request of law enforcement officials.
Investigators noted that TJX really had three problems. First, the company’s security was originally breached and its data compromised. In fact, the intruders had the company’s encryption key. (We discuss encryption later in this chapter.) Second, the company did not know about the breach for years. Finally, TJX was unable to ascertain what data was actually compromised,
Adding to TJX’s problems, Visa notified financial institutions that issue credit cards and manage Visa transactions that TJX had stored credit and debit card data in violation of the Payment Card Industry Data Security Standard (the PCI standard) created by Visa and MasterCard. The PCI standard applies to banks, clearinghouses, and merchants that issue or accept credit cards. Merchants such as TJX are not supposed to store cardholder data because a thief can use that information to create a counterfeit credit or debit card. Some TJX data went back to 2003, which indicated that the company had been out of compliance with the PCI standard for years.
Before the intrusion was even reported, a California credit union noticed an increase in counterfeit cards used to commit fraudulent transactions. In fact, the TJX breach resulted in financial losses to the credit union. The credit union had to issue new cards for any cardholder accounts that Visa said were affected by the TJX compromise. As an issuer of Visa cards, the credit union—not Visa or TJX—had to pay for any fraudulent transactions charged to members’ accounts.
In addition, Visa encountered an increase in fraud activity on certain TJX accounts beginning in mid-November 2006. After the breach was reported, many banks and credit unions around the world reported compromises of customer accounts as a result of the breach.
Also before the breach was announced, thieves used data stolen from TJX to steal $8 million in merchandise from Wal-Mart stores in Florida. The thieves created fake credit cards that they used to buy Wal-Mart gift cards, and then used them to buy
A VARIETY OF SOLUTIONS
TJX hired General Dynamics and IBM to help investigate the intrusion, assess the volume and types of data that may have been stolen, and strengthen the company’s defences. TJX also worked with all major credit and debit card companies to help investigate any related fraud, and co-operated with law enforcement officials, including the U.S. Department of Justice and the RCMP. The company also bought full-page newspaper ads and put a video message from its chairman on its website, assuring customers that rigorous steps had been taken to protect their information.
TJX identified a limited number of customers whose private information was stolen and notified them directly. TJX officials said that they did not know if they could identify the names of other customers who are at risk. The company offered additional customer support to people concerned that their data may have been compromised, and recommended that its customers carefully review their credit card and debit card statements and other account information for evidence of unauthorized use.
THE RESULTS
The company faced a stream of bad news. TJX had to record a fourth-quarter (2006) charge of about $5 million related to the intrusion, including the costs to investigate and contain the breach, enhance information security, communicate with customers, and legal fees. Many organizations have sued TJX over the compromise of its
Interestingly, TJX noted that the company relied on commercially available systems, software, tools, and monitoring to provide security for processing, transmission, and storage of confidential customer information. Further, the company noted that systems it used for transmission and approval of payment card transactions were determined and controlled by the payment-card industry, not by TJX.
What really worries information security experts are these questions: What if TJX did almost everything correctly? What if this massive data breach was less of a case of TJX being careless and more a case of the attackers being clever, resourceful, knowledgeable, and persistent? The implication here is that modern cyberthieves can execute a breach on any retailer, regardless of the security measures in place.
WHAT WE LEARNED FROM THIS CASE
The lessons we can learn from the massive, undiscovered security breach at TJX address the three major issues discussed in this chapter: ethics, privacy, and security. Each of these issues is closely related to IT and raises significant questions. For example, is it ethical (or even necessary) for TJX to gather and keep so much information on its customers? Is this practice an invasion of its customers’ privacy? By using commercially available software, did TJX show due diligence in protecting customer information? Should the blame for the breach be shared by TJX and its software suppliers? How should TJX protect its information more effectively? Does better protection involve technology, policy, or both?
The answers to these and other questions are not clear. As we discuss ethics, privacy, and security in the context of information technology, you will acquire a better understanding of these issues, their importance, their relationships, and their trade-offs.
Information technologies, properly used, can have enormous benefits for individuals, organizations, and entire societies. In the first two chapters we discussed the diverse ways in which IT has made businesses more productive, efficient, and responsive to consumers. We have also explored areas such as medicine in which IT has improved people’s health and well-being. Unfortunately, information technologies can also be misused, often with devastating consequences. Consider the following:
• Individuals can have their identities stolen.
• Organizations can have customer information stolen, leading to financial losses, erosion of customer confidence, and legal action.
• Countries face the threat of cyberwarfare (see
In fact, the misuse of information technologies has come to the forefront of any discussion of IT. Now that you are acquainted with the major capabilities of IT, we address the complex issues of ethics, privacy, and security.
Sources: Compiled from E. Schuman, “The Nightmare Scenario: What If TJX Did Everything Right,” eWeek, March 30, 2007; M. Hines, “TJX Intrusion Highlights Pursuit of Corporate Data,” eWeek, January 18, 2007; K. Evans-Correia, “Top IT Execs Could Take Heat for TJX Breach,” SearchCIO.com, January 18, 2007; L. Greenemeier, “Card Data, A Hack, and a Rush to Contain the Damage,” InformationWeek, January 22, 2007, p. 28; L. Greenemeier, “Maxxed Out,” InformationWeek, February 5, 2007, pp. 29-30; C. McCarthy, “T. J. Maxx Probe Finds Broader Hacking,” www.news.com, February 22, 2007; E. Schuman, “Massachusetts Leads National TJX Data Probe,” eWeek, February 7, 2007; E. Schuman, “TJX: Data Theft Began in 2005; Data Taken from 2003,” eWeek, February 21, 2007; E. Schuman, “Stolen TJX Data Used in $8M Scheme Before Breach Discovery,” eWeek, March 21, 2007; B. Brenner, “Mistakes to the Maxx,” Information Security, March 2007; L. Greenemeier, “TJX Breach Hits Wal-Mart,” InformationWeek, March 26, 2007; E. Schuman, “TJX Intruder Had Retailer’s Encryption Key,” eWeek, March 29, 2007; E. Sutherland, “Data Breach Lawsuits Pile up on TJX,” www.internetnews.com, February 2, 2007.
64 Chapter 3 – Ethics, Privacy, and Information Security
3.1 ETHICAL ISSUES
Ethics refers to the principles of right and wrong that individuals use to make choices to guide their behaviours. Deciding what is right or wrong is not always easy or clear-cut. For this reason, many companies and professional organizations develop their own codes of ethics. A code of ethics is a collection of principles intended to guide decision making by members of the organization. For example, the Association for Computing Machinery (www.acm.org), an organization of computing professionals, has a thoughtful code of ethics for its members (see www.acm.org/
Fundamental tenets of ethics include responsibility, accountability, and liability. Responsibility means that you accept the consequences of your decisions and actions. Accountability provides for a determination of who is responsible for actions that were taken. Liability is a legal concept implying that individuals have the right to recover the damages done to them by other individuals, organizations, or systems.
Before we go any further, it is very important to realize that what is unethical is not necessarily illegal. In most instances, an individual or organization faced with an ethical decision is not considering whether to break the law. This does not mean, however, that ethical decisions do not have serious consequences for individuals, organizations, or society at large.
Unfortunately, during the last few years we have seen a large number of extremely poor ethical decisions, not to mention outright criminal behaviour. Three of the most highly publicized fiascos in the U.S. occurred at Enron Corporation (now Enron Creditors Recovery Corporation), WorldCom (now MCI Inc.), and Tyco International. At each company, executives were convicted of various types of fraud using illegal accounting practices. These illegal acts resulted, at least in part, in the passage of the Sarbanes-Oxley Act in 2002 in the United States. This law requires that public companies implement financial controls and that, to ensure accountability, executives must personally certify financial reports. Similar problems occurred in Canada at companies like Nortel and Southam. In Canada, Bill 198, the Budget Measures Act, imposes similar requirements on management.
Improvements in information technologies are causing an increasing number of ethical problems. Computing processing power doubles about every 18 months, meaning that organizations are more dependent than ever before on their information systems. Increasing amounts of data can be stored at decreasing cost, meaning that organizations can store more data on individuals for longer amounts of time. Computer networks, particularly those using the Internet, enable organizations to collect, integrate, and distribute enormous amounts of information on individuals, groups, and institutions. As a result, ethical problems are arising about the appropriate use of customer information, personal privacy, and the protection of
All employees have a responsibility to encourage the ethical use of information and information technology. Most, if not all, of the business decisions you will face at work will have an ethical dimension. Consider these decisions you might have to make:
• Should your organization monitor employees’ web surfing and e-mail?
• Should your organization sell customer information to other companies?
• Should your organization audit employees’ computers for unauthorized software or illegally downloaded music or video files?
The diversity and ever-expanding use of IT applications have created a variety of ethical issues. These issues fall into four general categories: privacy, accuracy, property, and accessibility.
1. Privacy issues involve the collection, storage, and dissemination of information about
2. Accuracy issues involve the authenticity, integrity, and accuracy of information that is collected and processed.
3. Property issues involve the ownership and value of information.
4. Accessibility issues revolve around who should have access to information and whether they should have to pay for this access.
Table 3.1 lists representative questions and issues for each of these categories. In addition, Online Appendix W3.1 presents 14 ethics scenarios for you to consider. These scenarios will provide a context for you to consider situations that involve ethical or unethical behaviour. In the next section, we discuss privacy issues in more detail. We cover property issues later in this chapter.
TABLE 3.1 A FRAMEWORK FOR ETHICAL ISSUES
Privacy Issues
• What information about oneself should an individual be required to reveal to others?
• What kind of surveillance can an employer use on its employees?
• What types of personal information can people keep to themselves and not be forced to reveal to others?
• What information about individuals should be kept in databases, and how secure is the information there?
Accuracy Issues
• Who is responsible for the authenticity, integrity, and accuracy of the information collected?
• How can we ensure that the information will be processed properly and presented accurately to users?
• How can we ensure that errors in databases, data transmissions, and data processing are accidental and not
• Who is to be held accountable for errors in information, and how should the injured parties be compensated?
Property Issues
• Who owns the information?
• What are the just and fair prices for its exchange?
• How should one handle software piracy (copying copyrighted software)?
• Under what circumstances can one use proprietary databases?
• Can corporate computers be used for private purposes?
• How should experts who contribute their knowledge to create expert systems be compensated?
Accessibility Issues
• How should access to information channels be allocated?
• Who is allowed to access information?
• How much should companies charge for permitting accessibility to information?
• How can accessibility to computers be provided for employees with disabilities?
• Who will be provided with the equipment needed for accessing information?
• What information does a person or an organization have a right or a privilege to obtain, under what conditions, and with what safeguards?
In general, privacy is the right to be left alone and to be free of unreasonable personal intrusion. Information privacy is the right to determine when, and to what extent, information about yourself can be gathered or communicated to others. Privacy rights apply to individuals, groups,
The definition of privacy can be interpreted quite broadly. However, court decisions in many countries have followed two rules fairly closely:
1. The right of privacy is not absolute. Privacy must be balanced against the needs of society.
2. The public’s right to know supersedes the individual’s right of privacy.
These two rules show why it is difficult in some cases to determine and enforce privacy regulations. The right to privacy is recognized today in all Canadian provinces and by the federal government through privacy legislation.
Rapid advances in information technologies have made it much easier to collect, store, and integrate data on individuals in large databases. On any given day, data is generated in many ways: surveillance cameras in public places and at work; credit card transactions; telephone calls (landline and cellular); banking transactions; queries to search engines; and government records (including police records). This data can be integrated to produce a digital dossier, which is an electronic description of a person’s habits. The process of forming a digital dossier is called profiling. This information also helps companies know their customers better, to achieve customer intimacy.
Data aggregators in the U.S., such as LexisNexis (www.lexisnexis.com), ChoicePoint Inc. (www.choicepoint.com), and Acxiom Corporation (www.acxiom.com), are good examples of profilers. These companies collect public data such as real estate records and published telephone numbers, in addition to non-public information such as U.S. Social Security numbers (and Social Insurance numbers in Canada), financial data, and police, criminal, and motor vehicle records. Many Canadian organizations use large volumes of survey data to create and rent out targeted mailing lists such as Lifestyle Selector Canada (http://lists.nextmark.com), which has data on about a million Canadians. ICOM Information & Communications’ product Targetsource (www.i-com.com) has North American data, including information on about two million Canadians. Statistics Canada (www.statscan.ca), Canada’s national statistics agency, provides aggregated information about businesses and individuals.
Data aggregators integrate this data to form digital dossiers, or profiles, on adults in North America. They sell these dossiers to law enforcement agencies and companies conducting background checks on potential employees. They also sell the dossiers to companies that want to know their customers better, a process called customer intimacy.
Electronic surveillance is rapidly increasing, particularly with the emergence of new technologies. Monitoring is done by employers, the government, and other institutions.
In general, employees have very limited protection against surveillance by employers. The law supports the right of employers to read their employees’ e-mail and other electronic documents and to monitor their Internet use. Today, many organizations are monitoring employees’ Internet usage. Organizations also use software to block connections to inappropriate websites, a practice called URL filtering. Organizations are installing monitoring and filtering software to enhance security by stopping malicious software and to improve employee productivity by discouraging employees from wasting time.
In one organization, before deploying a URL filtering product, the chief information officer (CIO) monitored about 13,000 people for three months to determine the types of activities they engaged in on the network. He then passed the data to the chief executive officer (CEO) and the heads of the Human Resources and Legal departments. They were shocked at the questionable websites the employees were visiting, as well as the amount of time employees spent on those sites. The executives quickly made the decision to implement the filtering product.
Surveillance is also a concern for private individuals regardless of whether it is conducted by corporations, government bodies, or criminals. As a country we are still trying to determine the appropriate balance between personal privacy and electronic surveillance, especially where threats to national security are involved.
PERSONAL INFORMATION IN DATABASES
Information about individuals is being kept in many databases. Perhaps the most visible locations of such records are credit-reporting agencies. Other institutions that store personal information include: banks and financial institutions; cable TV, telephone, and utilities companies; employers; mortgage companies; hospitals; schools and universities; retail establishments; government agencies (Canada Revenue Agency, your province, your municipality); and many
There are several concerns about the information you provide to these record keepers. Some of the major concerns are:
• Do you know where the records are?
• Are the records accurate?
• Can you change inaccurate data?
• How long will it take to make a change?
• Under what circumstances will personal data be released?
• How is the data used?
• To whom is the data given or sold?
• How secure is the data against access by unauthorized people?
INFORMATION ON INTERNET BULLETIN BOARDS, NEWSGROUPS,
AND SOCIAL NETWORKING SITES
Every day we see more and more electronic bulletin boards, newsgroups, electronic discussion sites such as chat rooms, and social networking sites (discussed in Chapter 5). These sites appear on the Internet, within corporate intranets, and on blogs. A blog, short for weblog, is an informal, personal journal that is frequently updated and intended for general public reading. How does society keep the owners of bulletin boards from disseminating information that may be offensive to readers or simply untrue? This is a difficult problem because it involves the conflict between freedom of speech on the one hand and privacy on the other.
There is no better illustration of the conflict between free speech and privacy than the Internet. Some websites contain anonymous, derogatory information on individuals, who typically have little recourse in the matter.
PRIVACY CODES AND POLICIES
Privacy policies or privacy codes are an organization’s guidelines with respect to protecting the privacy of customers, clients, and employees. In many corporations, senior management has begun to understand that when they collect vast amounts of personal information, they must protect it. Many organizations provide opt-out choices for their customers. The opt-out model of informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected. Privacy advocates prefer the opt-in model of informed consent, where a business is prohibited from collecting any personal information unless the customer specifically authorizes it.
The Platform for Privacy Preferences (P3P) (see www.w3.org/TR/P3P/) was developed by the World Wide Web Consortium, a group that creates standards for the web. P3P automatically communicates privacy policies between an electronic commerce website and visitors to that site. P3P enables visitors to determine the types of personal data that can be extracted by the websites they visit. It
dards, such as the Canadian Standards’ Association (CSA) Model Code for the Protection of Personal Information (see www.csa.ca/standards/privacy/default.asp?load=code&language=english) or the European Union Directive on Data Protection.
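To make the P3P exchange concrete, here is an added example (not from the textbook or the W3C) of what a minimal P3P user agent does on the visitor's side: it parses a site's P3P 1.0 policy and compares each statement's data, purposes, recipients and retention against the visitor's preferences. The policy, the site name and the visitor rules are all constructed for this example; only the XML namespace and the element vocabulary come from the P3P 1.0 specification.

```python
"""Minimal P3P 1.0 user agent (added example; constructed policy and preferences)."""
import xml.etree.ElementTree as ET

# Namespace of P3P 1.0 policy documents (from the W3C P3P 1.0 Recommendation).
P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample policy, not any real site's. Statement 1 collects
# clickstream data only to run the site; statement 2 collects an e-mail
# address for telemarketing, shares it with unrelated parties and keeps it
# indefinitely, which is the kind of practice a visitor may want flagged.
SAMPLE_POLICY = """<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="example" discuri="http://example.invalid/privacy.html">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Shop</DATA></DATA-GROUP></ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><current/><telemarketing/></PURPOSE>
      <RECIPIENT><ours/><unrelated/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""


def _child_names(statement, parent_tag):
    """Local names of the vocabulary elements under PURPOSE/RECIPIENT/RETENTION."""
    parent = statement.find(P3P_NS + parent_tag)
    if parent is None:
        return set()
    return {child.tag.replace(P3P_NS, "") for child in parent}


def parse_statements(policy_xml):
    """Return one dict per STATEMENT: data refs, purposes, recipients, retention."""
    root = ET.fromstring(policy_xml)
    statements = []
    for stmt in root.iter(P3P_NS + "STATEMENT"):
        statements.append({
            "data": {d.get("ref") for d in stmt.iter(P3P_NS + "DATA")},
            "purposes": _child_names(stmt, "PURPOSE"),
            "recipients": _child_names(stmt, "RECIPIENT"),
            "retention": _child_names(stmt, "RETENTION"),
        })
    return statements


# Constructed visitor preferences. A statement violates a rule when it
# matches every condition the rule lists (set intersection / data prefix).
VISITOR_RULES = [
    {"name": "no-sharing-with-unrelated-parties",
     "recipients": {"unrelated", "public"}},
    {"name": "no-indefinite-retention-of-identified-data",
     "retention": {"indefinitely"}, "data_prefix": "#user."},
    {"name": "no-telemarketing", "purposes": {"telemarketing"}},
]


def _matches(stmt, rule):
    for key in ("recipients", "retention", "purposes"):
        if key in rule and not (stmt[key] & rule[key]):
            return False
    prefix = rule.get("data_prefix")
    if prefix and not any(ref.startswith(prefix) for ref in stmt["data"]):
        return False
    return True


def evaluate(policy_xml, rules=VISITOR_RULES):
    """Sorted names of the visitor rules the policy violates; [] means acceptable."""
    violations = {rule["name"]
                  for stmt in parse_statements(policy_xml)
                  for rule in rules if _matches(stmt, rule)}
    return sorted(violations)


if __name__ == "__main__":
    for name in evaluate(SAMPLE_POLICY):
        print("site policy conflicts with visitor preference:", name)
```

A real P3P user agent would fetch the policy reference file from the site first and then apply preferences like these to decide whether to accept cookies or warn the visitor.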
Canada’s privacy legislation is called the Personal Information Protection and Electronic Documents Act (PIPEDA). It became effective January 1, 2004. The legislation applies to businesses and other organizations, such as non-profit organizations. PIPEDA is based upon the principles in the Canadian Standards’ Association Model Code. As part of the legislation, organizations are
inals do not pay attention to privacy codes and policies, as IT’s About Business 3.1 shows.
• Data should be collected on individuals only for the purpose of accomplishing a legitimate business objective.
• Data should be adequate, relevant, and not excessive in relation to the business objective.
• Individuals must give their consent before data pertaining to them can be gathered. Such consent may be implied from the individual’s actions (for instance, in applications for credit, insurance, or employment).
• Sensitive data gathered on individuals should be verified before it is entered into the database.
• Data should, where and when necessary, be kept current.
• The file should be made available so the individual can ensure that the data is correct.
• If there is disagreement about the accuracy of the data, the individual’s version should be noted and included with any disclosure of the file.
• Computer security procedures should be implemented to ensure against unauthorized disclosure of data. These procedures should include physical, technical, and administrative security measures.
• Third parties should not be given access to data without the individual’s knowledge or permission, except as required
• Disclosures of data, other than the most routine, should be noted and maintained for as long as the data is
• Data should not be disclosed for reasons incompatible with the business objective for which it is collected.
IT’S ABOUT BUSINESS 3.1
SECURITY OUTSIDE THE PERIMETER: LEXISNEXIS
LexisNexis (www.lexisnexis.ca and www.lexisnexis.com), a $2 billion international data aggregator, collects and integrates information from public sources such as telephone books and real estate records and non-public sources such as criminal records and financial institutions. It has data on millions of people, even their Social Insurance numbers. This information is very valuable, both to black-market operators who promote identity theft, and to the company’s 4.5 million legitimate customers, including direct marketers and law enforcement agencies.
In 2005, the personal records of 310,000 individuals, including names, U.S. Social Security numbers, and driver’s licence numbers, were stolen from LexisNexis databases in 59 separate incidents. The theft unfolded in this manner.
A group of hackers sent out an e-mail promising an attached file of pornographic images. Among those who responded were an employee in a police department in Florida and one in a constable’s office in Texas. When they clicked on the attachment, they unknowingly downloaded keystroke logging software (also called keylogging software or keyloggers) onto their computers. The software tracked their every keystroke and click of the mouse. Like personnel in many police departments, the employees had accounts with LexisNexis to obtain background information on criminal suspects. When the employees signed in to their accounts, the hackers captured their passwords and user names.
The problem wasn’t discovered until weeks later. One of the police departments involved spotted a heavier than usual amount of activity on its LexisNexis account and notified the company. LexisNexis contacted U.S. federal government authorities and the media. LexisNexis notified the people whose personal data had been stolen and provided a consolidated credit report and credit monitoring services for each of them. The company provided credit counsellors and $20,000 worth of identity theft insurance to anyone who ultimately became a victim of fraud as a result of the theft.
The real lesson learned by LexisNexis was that hackers can use ingenious ways to get inside an internal network. Organizations need to protect not only their own data and networks, but those of customers and business partners. Therefore, LexisNexis had to address the vulnerabilities on the edges of its network by making its customers more secure. This effort represented a major challenge, however, because the company’s network included more than 4.5 million customers and business partners, many of whom came from government agencies.
As a result, the company implemented the LexisNexis Customer Security Program, which is designed to push more of the burden for the security of LexisNexis’ information to its customers. The program consists of several action items, which include more stringent login requirements, monthly user verification, and restricted access to full Social Security numbers and driver’s licence information.
Sources: Compiled from D. Briody, “Lexis-Nexis: Ground Zero for War vs. Data Thieves,” CIO Insight, September 5, 2005; E. Nee, “Making Legitimate Business from Data Theft,” CIO Insight, September 5, 2005; B. Krebs, “Five Arrested in Theft of LexisNexis Data,” Washington Post, July 1, 2006; J. Kirk, “LexisNexis Finds Disclosure Meant Less Pain in Data Theft,” Information Security News, April 25, 2006; “LexisNexis in the Security Hot Seat,” Baseline Magazine, June 1, 2006.
QUESTIONS
1. Should LexisNexis be held legally liable for security breaches outside its perimeter? Support your answer.
2. Do you think that the LexisNexis Customer Security Program is sufficiently powerful to reduce security breaches that occur through its customers? Why or why not?
INTERNATIONAL ASPECTS OF PRIVACY
As the number of online users has increased globally, governments have enacted a large number of inconsistent privacy and security laws. This highly complex global legal framework is causing regulatory problems for companies. Approximately 50 countries have some form of data protection law. Many of these laws conflict or require specific security measures. Other countries have no privacy laws at all.
The absence of consistent or uniform standards for privacy and security obstructs the flow of information among countries. The European Union (EU), for one, has taken steps to overcome this problem. In 1998 the European Community Commission (ECC) issued guidelines to all its member countries regarding the rights of individuals to access information about themselves. The EU data protection laws are similar to Canadian laws, but stricter than U.S. laws and therefore may create problems for U.S.-based multinational corporations, which may face lawsuits for privacy violation unless they follow the “Safe Harbor” framework that was jointly developed between the U.S. and the EU (see www.export.gov/safeharbor).
The transfer of data in and out of a nation without the knowledge of either the authorities or the individuals involved raises a number of privacy issues. Whose laws have jurisdiction when records are stored in a different country for reprocessing or retransmission purposes? For example, if data is transmitted by a Polish company through a Canadian satellite to a British corporation, which country’s privacy laws control the data, and when? Questions like these will become more complicated and frequent as time goes on. Governments must make an effort to develop laws and standards to cope with rapidly changing information technologies in order to solve some of these privacy issues.
BEFORE YOU GO ON...
1. Define ethics, and list its four categories as they apply to IT.
2. Describe the issue of privacy as it is affected by IT.
3. What does a code of ethics contain?
4. Describe the relationship between IT and privacy.
3.2 THREATS TO INFORMATION SECURITY
A number of factors are contributing to the increasing vulnerability of organizational information assets. Before we discuss these factors, we list them here:
• today’s interconnected, interdependent, wirelessly networked business environment;
• government legislation;
• smaller, faster, cheaper computers and storage devices;
• decreasing skills necessary to be a computer hacker;
• international organized crime taking over cybercrime;
• downstream liability;
• increased employee use of unmanaged devices; and
• lack of management support.
The first factor is the evolution of the information technology resource from mainframe-only to today’s highly complex, interconnected, interdependent, wirelessly networked business environment. The Internet now enables millions of computers and computer networks to freely and seamlessly communicate with one another. Organizations and individuals are exposed to a world of untrusted networks and potential attackers. A trusted network, in general, is any network within your organization that is adequately protected. An untrusted network, in general, is any network external to your organization. In addition, wireless technologies enable employees to compute, communicate, and access the Internet anywhere and any time. Making matters worse, wireless is an inherently non-secure broadcast communications medium.
The second factor, governmental legislation, dictates that many types of information must be protected by law. In Canada, PIPEDA applies to customer information that is collected by businesses or non-profit organizations. Each province also has a health privacy act, normally called a Personal Health Information Protection Act (PHIPA), that protects medical records and other individually identifiable health information.
The third factor results from the fact that modern computers and storage devices (such as thumb drives or flash drives) are becoming smaller, faster, cheaper, and more portable, with greater storage capacity. These characteristics make it much easier to steal or lose a computer or storage device that contains huge amounts of sensitive information. Also, far more people are able to afford powerful computers and connect inexpensively to the Internet, thus raising the potential of an attack on information assets.
The fourth factor is that the computing skills necessary to be a hacker are decreasing. The reason for this is that the Internet contains information and computer programs called scripts, which even relatively unskilled users can download and use to attack any information system connected to the Internet.
The fifth factor is that international organized crime is taking over cybercrime. Cybercrime refers to illegal activity taking place over computer networks, particularly the Internet. For example, cyberextortion occurs when individuals attack an organization’s website, and then demand money from the website owners to call off the attack.
iDefense Labs (http://labs.idefense.com) is an international company that specializes in providing security information to governments, financial services firms, and other large companies. The company states that groups of well-organized criminals have taken control of a global billion-dollar crime network. The network, powered by skillful hackers, targets known software security weaknesses. These crimes are typically non-violent, but quite lucrative. For example, the losses from armed robberies average hundreds of dollars and those from white collar crimes average tens of thousands of dollars. In contrast, losses from computer crimes average hundreds of thousands of dollars. Also, these crimes can be committed from anywhere in the world, at any time, effectively providing an international safe haven for cybercriminals. Computer-based crimes cause billions of dollars in damages to businesses each year, including the costs to repair information systems and the costs of lost business.
The sixth factor is downstream liability. Downstream liability occurs in this manner. If company A’s information systems were compromised by a perpetrator and used to attack company B’s systems, then company A could be liable for damages to company B. Note that company B is “downstream” from company A in this attack scenario. A downstream liability lawsuit would put company A’s security policies and operations on trial. Under tort law, the plaintiff (injured party or company B) would have to prove that the offending company (company A) had a duty to keep its computers secure and failed to do so, as measured against generally accepted standards and practices.
Legal experts think it is only a matter of time before victims of computer crime start suing the owners of systems and networks used as launchpads in cyberattacks. Information security’s first downstream liability lawsuit will likely come from a catastrophe. For example, an online retailer may be hit with a devastating attack that disrupts its business.
At some point, all companies will have some minimal set of standards they have to meet when operating information systems that connect to the Internet and when accessing or collecting customer information. The models already exist in the form of regulations and laws (such as PIPEDA in Canada). In the U.S. the Gramm-Leach-Bliley Act mandates the disclosure of security breaches. Such legislation does not exist in Canada.
Contractual security obligations, particularly service level agreements (SLAs), which spell out very specific requirements, might also help establish a security standard. Courts or legislatures could cite typical SLA terms, such as maintaining up-to-date antivirus software, implementing software patches on a timely basis, and the use of adequate firewalls in crafting minimum secu-
A company being sued for downstream liability will have to convince a judge or jury that its security measures were reasonable. That is, the company must demonstrate that it had practised due diligence in information security. Due diligence can be defined in part by what your competitors are doing that defines best practices.
Verizon, a carrier that provides long distance, data and Internet services, learned about due diligence in April 2003, when the Maine Public Utilities Commission in the U.S. rejected its request for relief from $62,000 in fees owed to local carriers after the SQL Slammer Worm shut down its networks. Verizon had applied for a steep break on the fees owed under its service agreement, arguing that the worm “was an event that was beyond its control” (like a lightning strike). The commission’s rejection rested, in part, on comments submitted by then-competitors WorldCom and AT&T. They handled Slammer with minimal interruption, they said, because they did a better job patching their systems than Verizon did. Why should Verizon, or potentially any company, be an exception?
The seventh factor is the increased employee use of unmanaged devices—devices that are outside the control of an organization’s IT department. These include customer computers, business partners’ mobile devices, computers in the business centres of hotels, and many others.
The eighth, and final, factor is management support. For the entire organization to take security policies and procedures seriously, senior managers must set the tone. Ultimately, however, lower-level managers may be even more important. These managers are in close contact with employees every day and thus are in a better position to determine whether employees are following security procedures.
Before we discuss the many threats to an organization’s information resources, let’s look at some key terms. Organizations have many information resources (for example, computers and the information on them, information systems and applications, databases, and so on). These resources are subject to a huge number of threats. A threat to an information resource is any danger to which a system may be exposed. The exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource. A system’s vulnerability is the possibility that the system will suffer harm by a threat. Risk is the likelihood that a threat will occur. Information systems controls are the procedures, devices, or software aimed at preventing a compromise to the system. We discuss these controls in Section 3.3.
Information systems are vulnerable to many potential hazards or threats. Figure 3.1 illustrates the major threats to the security of an information system. There are many threats, so the following outline should help you follow our discussion.
THREATS TO INFORMATION SYSTEMS
Michael Whitman and Herbert Mattord (2003) classified threats into five general categories to
enable us to better understand the complexity of the threat problem. Their categories are:
1. unintentional acts,
2. natural disasters,
3. technical failures,
4. management failures, and
5. deliberate acts.
We discuss the five threat categories in the next sections.
FIGURE 3.1 Security threats.
Unintentional acts are those with no malicious intent. There are three types of unintentional acts: human errors, deviations in the quality of service from service providers, and environmental hazards. Of these three types of acts, human errors are by far the most serious threats to infor-
HUMAN ERRORS. Before we discuss the various types of human errors, we consider the different categories of organizational employees. The first category comprises regular employees, spanning the breadth and depth of the organization, from mail clerks to the CEO, and in all functional areas. There are two important points to be made about regular employees. First, the higher the level of employee, the greater the threat the employee poses to information security. This situation exists because higher-level employees typically have greater access to corporate data and enjoy greater privileges on organizational information systems. Second, employees in two areas of the organization pose significant threats to information security: human resources and information systems. Human resources employees generally have access to sensitive personal information about all employees. Likewise, information systems employees not only have access to sensitive organizational data, but they often control the means to create, store, transmit, and modify that data.
The second category includes contract labour, consultants, and janitors and guards. Contract labour, such as temporary hires, may be overlooked in information security. However, these employees often have access to the company’s network, information systems, and information assets. Consultants, while technically not employees, do work for the company. Depending on the nature of their work, these people may also have access to the company’s network, information systems, and information assets.
Finally, janitors and guards are the most frequently ignored people in information security. Companies might outsource their security and janitorial services, meaning that, while these individuals technically are not employees, they nevertheless do work for the company. Moreover, they are usually present when most—if not all—other employees have gone home. They typically have keys to every office, and nobody questions their presence in even the most sensitive parts of the building.
Human errors or mistakes by employees pose a large problem as the result of laziness, carelessness, or a lack of information security awareness. This lack of awareness comes from poor education and training efforts by the organization. Human mistakes manifest themselves in many different ways, as we see in Table 3.3.
The human errors we have just discussed are unintentional on the part of the employee. However, employees can also make mistakes as a result of deliberate actions by an attacker. Such deliberate actions are called social engineering and reverse social engineering.
SOCIAL ENGINEERING AND REVERSE SOCIAL ENGINEERING
Social engineering is an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential company information such as passwords. The most common example of social engineering occurs when the attacker impersonates someone else on the telephone, such as a company manager or information systems employee. The attacker says he forgot his password and asks the legitimate employee to give him a password to use. Other common exploits include posing as an exterminator, air conditioning technician, or fire marshal. Examples of social engineering abound.
In one company, a perpetrator entered a company building wearing a company ID card that looked legitimate. He walked around and put up signs on bulletin boards saying, “The help desk telephone number has been changed. The new number is 555-1234.” He then exited the building and began receiving calls from legitimate employees thinking they were calling the company help desk. Naturally, the first thing the perpetrator asked for was user name and password. He now had the information necessary to access the company’s information systems.
In another company, an attacker loaded a Trojan horse program (discussed later in this chapter) on 20 thumb drives. The Trojan horse was designed to collect passwords and login information from an employee’s computer and then e-mail the information to the attacker. Early one morning, he scattered the thumb drives in the parking lots, designated smoking areas, and near walkways of the target company. Employees found 15 of the drives and plugged them into company computers without first scanning them with security software. The Trojan horse software transmitted their user names and passwords to the attacker and enabled him to compromise additional systems in the company.
TABLE 3.3
HUMAN MISTAKE: DESCRIPTION AND EXAMPLES
Tailgating: A technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, asks them to “hold the door.”
Shoulder surfing: The perpetrator watches the employee’s computer screen over that person’s shoulder. This technique is particularly successful in public areas such as airports, commuter trains, and on airplanes.
Carelessness with laptops: Losing laptops, misplacing laptops, leaving them in taxis, and so on.
Carelessness with portable devices: Losing or misplacing these devices, or using them carelessly so that malware is introduced into an organization’s network.
Opening questionable e-mails: Opening e-mails from someone unknown, or clicking on links embedded in e-mails (see phishing attacks, Table 3.4).
Careless Internet surfing: Accessing questionable websites; can result in malware and/or alien software being introduced into the organization’s network.
Poor password selection and use: Choosing and using weak passwords (see strong passwords, p. 87).
Carelessness with one’s office: Unlocked desks and filing cabinets when employees go home at night; not logging off the company network when away from the office for any extended period of time.
Carelessness using unmanaged devices: Unmanaged devices are those outside the control of an organization’s IT department and company security procedures. These devices include computers belonging to customers and business partners, computers in the business centres of hotels, and computers in retail
Carelessness with discarded equipment: Discarding old computer hardware and devices without completely wiping the memory. This includes computers, cell phones, BlackBerrys, and digital copiers and printers.
In social engineering, the attacker approaches legitimate employees. In reverse social engineering, the employees approach the attacker. For example, the attacker gains employment at a company and, in informal conversations with his co-workers, lets it be known that he is “good with computers.” As is often the case, they ask him for help with their computer problems. While he is helping them, he loads Trojan horses on their computers, which e-mail him with their passwords and information about their machines.
DEVIATIONS IN THE QUALITY OF SERVICE FROM SERVICE PROVIDERS
This category consists of situations in which a product or service is not delivered to the organization as expected. There are many examples of such deviations in quality of service. For example, heavy equipment at a construction site severs a fibre optic line to your building or your Internet service provider has availability problems. Organizations may also experience service disruptions from various providers, such as communications, electricity, telephone, water, wastewater, garbage pickup, cable, and natural gas.
Environmental hazards include dirt, dust, humidity, and static electricity. These hazards are
harmful to the safe operation of computing equipment.
Natural disasters include floods, earthquakes, hurricanes, tornadoes, lightning, and in some cases, fires. In many cases, such weather disturbances can cause catastrophic loss of systems and data. To avoid such losses, companies must engage in proper planning for backup and recovery of information systems and data, a topic we discuss later in this chapter.
Technical failures include problems with hardware and software. The most common hardware problem is the crash of a hard disk drive. Another notable hardware problem occurred when Intel released a Pentium chip with a defect that caused the chip to perform some mathematical calculations incorrectly.
The most common software problem is errors—bugs—in computer programs. Software bugs
are so common that application programs or websites are dedicated to documenting them. For
example, see www.bug-track.com and www.bugaware.com.
Management failures involve a lack of funding for information security efforts and a lack of interest in those efforts. Such lack of leadership will cause the information security of the organization to suffer.
Deliberate acts by employees (i.e., insiders) account for a large number of information security
breaches. There are so many types of deliberate acts that we provide a brief list here to guide
our discussion of these acts in this section.
• espionage or trespass
• information extortion
• sabotage or vandalism
• theft of equipment or information
• identity theft
• compromises to intellectual property
• software attacks
• supervisory control and data acquisition (SCADA) attacks
• cyberterrorism and cyberwarfare
ESPIONAGE OR TRESPASS
Espionage or trespass occurs when an unauthorized person attempts to gain illegal access to organizational information. When we discuss trespass, it is important that we distinguish between competitive intelligence and industrial espionage. Competitive intelligence consists of legal information-gathering techniques, such as studying a company’s website and media releases, attending trade shows, and so on. In contrast, industrial espionage crosses the legal boundary and involves theft or illegal duplication of information assets.
Information extortion occurs when an attacker either threatens to steal, or actually steals, information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.
SABOTAGE OR VANDALISM
Sabotage and vandalism are deliberate acts that involve defacing an organization’s website, possibly tarnishing the organization’s image and causing it to experience a loss of confidence by its customers. One form of online vandalism is a hacktivist or cyberactivist operation. These are cases of high-tech civil disobedience to protest the operations, policies, or actions of an organization or government agency.
The reasons for website defacement vary. One recent survey listed these reasons: just for fun;
to be the best defacer; political reasons; and patriotism. In 2006, a Danish newspaper published
a cartoon of Muhammad. This resulted in over 800 Danish websites being hacked into and defaced
with messages relating to Islamic war. (For further information, see www.itworldcanada.com.)
THEFT OF EQUIPMENT AND INFORMATION
Computing devices and storage devices are becoming smaller yet more powerful with vastly
increased storage (for example, laptops, BlackBerrys, personal digital assistants, smart phones,
digital cameras, thumb drives, and iPods). As a result, these devices are becoming easier to steal
and easier for attackers to use to steal information.
The uncontrolled proliferation of portable devices in companies has led to a type of attack
called pod slurping. In pod slurping, perpetrators plug an iPod or other portable device into a USB
port on a computer and download huge amounts of information very quickly and easily. An iPod,
for example, can contain 60 gigabytes of storage and can download most of a computer’s hard
drive in a matter of minutes.
Another form of theft, known as dumpster diving, involves the practice of rummaging through commercial or residential garbage to find information that has been discarded. Files, letters, memos, photographs, IDs, passwords, credit cards, and other forms of information can be found in dumpsters. Unfortunately, many people never consider that the sensitive items they throw in the garbage may be recovered. Such information, when recovered, can be used for fraudu-
Dumpster diving is possible theft, because the legality of this act varies. Because dumpsters are usually located on private premises, dumpster diving is illegal in some parts of the country, although the law is enforced with varying degrees of rigour.
Identity theft is the deliberate assumption of another person’s or an organization’s identity, usually to gain access to financial information and assets or to frame someone for a crime.
Techniques for obtaining information include:
• stealing mail or dumpster diving,
• stealing personal information in computer databases,
• infiltrating organizations that store large amounts of personal information (e.g., data aggregators such as Acxiom, www.acxiomcanada.ca), and
• impersonating a trusted organization in an electronic communication (phishing).
The Office of the Privacy Commissioner of Canada provides instructions for businesses and individuals to help reduce their risk of identity theft (see www.privcom.gc.ca/id/business_e.asp). Additional information and articles are also available at the Better Business Bureau website
Recovering from identity theft is costly, time-consuming, and difficult. A survey by the Identity Theft Resource Center (www.idtheftcenter.org) found that victims spent an average of 330 hours repairing the damage from identity theft. Victims reported difficulties in obtaining credit and obtaining or holding a job, as well as adverse effects on insurance or credit rates. In addition, victims stated that it was difficult to remove negative information from their records, such as their credit reports.
Your personal information can be compromised in other ways. For example, AOL released detailed keyword search data for approximately 658,000 anonymized users. AOL said that the release of the data, which amounted to about 20 million search queries, was an innocent attempt to help academic researchers interested in search queries. The data, which was mirrored on multiple websites, represented a random selection of searches conducted over a three-month period. It included user ID, the actual query, the time of the search, and the destination domain visited. In some cases, the data included personal names, addresses, and U.S. Social Security numbers. Although AOL apologized for the action and withdrew the site, the damage was done. The ability to analyze all searches by a single user can enable a criminal to identify who the user is and what he or she is doing. To show how easy this is, The New York Times tracked down a particular person based solely on her AOL searches.
Once criminals have stolen personal information, they can use it in a variety of nefarious
activities. One such activity, illustrated in IT’s About Business 3.2, is the “hack, pump, and dump”
COMPROMISES TO INTELLECTUAL PROPERTY
Protecting intellectual property is a vital issue for people who make their livelihood in knowledge fields. Intellectual property is the property created by individuals or corporations that is protected under trade secret, patent, and copyright laws.
A trade secret is an intellectual work, such as a business plan, or private product formulation, that is a company secret and is not based on public information. An example is a corporate strategic plan. A patent is a document that grants the holder exclusive rights on an invention or process for 20 years. Copyright is a statutory grant that provides the creators of intellectual property with ownership of the property for the life of the creator plus 50 years. Owners are entitled to collect fees from anyone who wants to copy the property.
The most common intellectual property related to IT deals with software. In Canada, the Canadian Copyright Act protects a variety of intellectual property, including written work. A computer program is considered to be a written work, as it is written instructions that are used to have the computer system perform specific functions. However, copyright law does not protect similar concepts, functions, and general features such as pull-down menus, colours, and icons.
Under copyright law, copying a software program—including giving a disk to a friend to install on his or her computer—without making payment to the owner is a copyright violation. Not surprisingly, this practice, called piracy, is a major problem for software vendors. The global trade in pirated software amounts to hundreds of billions of dollars.
IT’S ABOUT BUSINESS 3.2
THE “HACK, PUMP AND DUMP” SCHEME
Criminals have discovered yet another way to steal money. They are combining phishing attacks, Trojan horses, and keyloggers to steal identities for use in investment fraud. The scheme works like this: hackers first gain the personal information of legitimate investors, including names, account numbers, passwords, and PINs. These criminals then hack into the investment accounts of unsuspecting investors, selling off their holdings in various companies to purchase shares in penny stocks. (A penny stock is a low-priced, speculative stock of a small company.) As they buy the penny stocks, the share price increases. After a short time, the hackers sell the penny stocks for a profit and transfer the money to offshore accounts.
Aleksey Karmardin, for example, used this scheme 14 times to defraud investors of more than $80,000. He and his accomplices allegedly hacked into four legitimate online trading accounts, sold their holdings, and purchased shares in a penny stock. The stock’s price went from 26 cents to 80 cents in less than a day. The hackers promptly sold the shares and moved the profits to an offshore account.
The fraud affects not only investors, but also companies whose stocks are pumped and then dumped. One firm had its stock price go from 88 cents to $1.28 in one day. The following day, the stock fell to 13 cents, where it remained. Subsequently, TD Ameritrade, an online broker, restricted online trade on the company’s stock. The company’s owner had planned to make a large acquisition, but the declining stock price forced a cancellation of the purchase.
In March 2007 U.S. federal regulators temporarily stopped stock trading in 35 companies that had inflated prices due to a variation on this scheme using spam e-mail. Rather than hacking into investment accounts, spam is sent to many potential investors telling them about the value of the stock. They invest, increasing the prices, and then lose money when the stock price falls.
Sources: Compiled from M. Gordon, “35 Firms Suspended for E-mail ‘Spamming,’” Toronto Star, March 9, 2007, p. F8; E. Nakashima, “Hack, Pump, and Dump,” Washington Post, January 26, 2007; R. Naraine, “Pump and Dump Spam Surge Linked to Russian Bot Herders,” eWeek, November 16, 2006; J. Libbenga, “Pump and Dump Blues,” The Register, November 21, 2006; E. Sutherland, “Fraudsters Update Pump and Dump,” Internet News, January 31, 2007.
QUESTIONS
1. How can investors protect themselves from hack, pump, and dump schemes?
2. How can companies protect themselves from hack, pump, and dump schemes?
3. Should online brokers be held liable for hack, pump, and dump schemes? Why or why not?
The Canadian Alliance Against Software Theft (CAAST, see www.caast.org) is an organization
representing the commercial software industry that promotes legal software and conducts
research on software piracy in an attempt to eliminate it. CAAST is affiliated with the Business
Software Alliance (BSA, see www.bsa.org), which identifies Vietnam, China, Indonesia, Ukraine,
and Russia as the countries with the highest percentage of illegal software compared with legal
software. In those countries, more than 85 percent of the software used consists of illegal copies.
Software attacks have evolved from the outbreak era, where malicious software tried to infect
as many computers worldwide as possible, to the profit-driven, web-based attacks of today.
Malware attacks can be used to make money as they use sophisticated, blended attacks typi-
cally via the web. Table 3.4 shows a variety of software attacks.
ALIEN SOFTWARE. Many personal computers have alien software (also called pestware) run-
ning on them that the owners do not know about. Alien software is clandestine software that
is installed on your computer through duplicitous methods. Alien software is typically not as
malicious as a virus, worm, or Trojan horse, but it does use up valuable system resources. In
addition, it can report on your web surfing habits and other personal behaviour.
rainer_c03_060-103hr.qxd 7-02-2008 16:36 Page 80
80 Chapter 3 – Ethics, Privacy, and Information Security
TABLE 3.4 Types of Software Attacks
Type of attack: Description
Virus: Segment of computer code that performs malicious actions by attaching to another computer program.
Worm: Segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program).
Trojan Horse: Software programs that hide in other computer programs and reveal their designed behaviour only when they are activated.
Back Door: Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures (also called trap door).
Logic Bomb: Segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time or date.
Dictionary Attack: Attacks that try combinations of letters and numbers that are most likely to succeed, such as all words from a dictionary.
Brute Force Attack: Attacks that use massive computing resources to try every possible combination of password options to uncover a password.
Denial-of-Service Attack: Attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (ceases to
Distributed Denial-of-Service (DDoS) Attack: An attacker first takes over many computers, typically by using malicious software. These taken-over computers are called zombies, or bots. The attacker uses these bots to deliver a coordinated stream of information requests (called a botnet) to a target computer, causing it to crash.
Phishing Attack: Phishing attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.
Zero-Day Attack: A zero-day attack takes advantage of a newly discovered, previously unknown vulnerability in a software product. Perpetrators attack the vulnerability before the software vendor can prepare a patch for the vulnerability.
One clear indication that software is pestware is that it does not come with an uninstaller program. An uninstaller is an automated program that allows you to remove a particular software package systematically and entirely. The different types of alien software include adware, spyware, spamware, and cookies.
The vast majority of pestware is adware—software that is designed to help pop-up advertisements appear on your screen. The reason adware is so common is that it works. According to advertising agencies, for every 100 people who delete such an ad, three click on it. This “hit rate” is extremely high for Internet advertising.
Spyware is software that collects personal information about users without their consent. We discuss two types of spyware here: keystroke loggers and screen scrapers.
Keystroke loggers (also called key loggers) record your keystrokes and record your Internet web browsing history. The purposes range from criminal (for example, theft of passwords and sensitive personal information such as credit card numbers) to annoying (for example, recording your Internet search history for targeted advertising).
Section 3.2 – Threats to Information Security 81
Companies have attempted to counter key loggers by switching to other forms of input for
authentication. For example, rather than typing in a password, the user has to accurately select
each character in turn from a series of boxes, using a mouse. As a result, attackers have turned
to screen scrapers (or screen grabbers). This software records a continuous “movie” of a screen’s
contents rather than simply recording keystrokes.
Spamware is pestware that is designed to use your computer as a launch pad for spammers.
Spam is unsolicited e-mail, usually for the purpose of advertising products and services. When
your computer is used this way, e-mails from spammers appear to come from you. Even worse,
spam will be sent to everyone in your e-mail address book.
Not only is spam a nuisance, but it wastes time and money. Effective January 2005, over 83 percent of Internet traffic was estimated to be spam (www.messagelabs.com). These costs come from productivity losses, clogged e-mail systems, additional storage, user support, and anti-spam software. Spam can also carry viruses and worms, making it even more
Cookies are small amounts of information that websites store on your computer, temporarily or more-or-less permanently. In many cases, cookies are useful and innocuous. For example, some cookies are passwords and user IDs that you do not have to retype every time you load a new page at the website that issued the cookie. Cookies are also necessary if you want to shop online, because they are used for your shopping carts at various online merchants. Tracking cookies, however, can be used to track your path through a website, the time you spend there, what links you click on, and other details the company wants to record, usually for marketing purposes. Tracking cookies can also combine this information with your name, purchases, credit card information, and other personal data, to develop an intrusive profile of your
Most cookies can be read only by the party that created them. However, some companies that
manage online banner advertising are, in essence, cookie-sharing rings. These companies can
track information such as which pages you load and which ads you click on. They then share
this information with their client websites (which may number in the thousands).
SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) ATTACKS
SCADA refers to a large-scale, distributed, measurement and control system. SCADA systems are used to monitor or to control chemical, physical, or transport processes such as oil refineries, water and sewage treatment plants, electrical generators, and nuclear power
SCADA systems consist of multiple sensors, a master computer, and communications infrastructure. The sensors connect to physical equipment. They read status data such as the open/closed status of a switch or a valve, as well as measurements such as pressure, flow, voltage, and current. By sending signals to equipment, sensors control that equipment, such as opening or closing a switch or valve or setting the speed of a pump.
The sensors are connected in a network, and each sensor typically has an Internet (Internet Protocol, or IP) address. (We discuss IP addresses in Technology Guide 4.) If an attacker can gain access to the network, he or she can disrupt the power grid over a large area or disrupt the operations of a large chemical plant. Such actions could have catastrophic results.
Although experts see little chance of a SCADA system being attacked, at least one such event
has already occurred—in Australia in 2000. There, a disgruntled sewage-treatment plant job reject
hacked the sewage plant’s pump control systems. He repeatedly sent torrents of effluent into
nearby rivers and parks and at least one hotel.
CYBERTERRORISM AND CYBERWARFARE
With both cyberterrorism and cyberwarfare, attackers use a target’s computer systems, particularly via the Internet, to cause physical, real-world harm or severe disruption, usually with a political agenda. Cyberterrorism and cyberwarfare range from gathering data to attacking critical infrastructure (via SCADA systems). We discuss the two synonymously here, even though cyberterrorism typically involves individuals or groups, whereas cyberwarfare involves nations.
Terrorist groups around the world have expanded their activities on the Internet, increasing the sophistication and volume of their videos and messages, in an effort to recruit new members and raise money.
The Canadian Security Intelligence Service (CSIS, see www.csis.gc.ca) presents information on
its website about the potential use of the Internet by terrorists. CSIS speculates that as of 2006
there were more than 5,000 active terrorist websites. It is the Internet’s easy access and lack of
regulation that makes such sites possible.
CSIS believes that SCADA attacks are not a major cyberterrorism threat, but that distributed denial-of-service attacks are a far greater threat. Such attacks can bring a website to a temporary halt, or slow down the data communication systems of an organization or a government, significantly rendering them unable to effectively respond to an emergency. As IT’s About Business 3.3 shows, a distributed denial-of-service attack can be difficult and expensive to
WHAT COMPANIES ARE DOING
Why is it so difficult to stop cybercriminals? One reason is that the online commerce industry is not particularly willing to install safeguards that would make it harder to complete transactions. It would be possible, for example, to demand passwords or personal identification numbers for all credit card transactions. However, these requirements might discourage people from shopping online. Also, there may be little incentive for companies to share leads on criminal activity either with one another or with the FBI. For credit card companies, it is likely less expensive to block a stolen credit card and move on than to invest time and money on
Despite these difficulties, the information security industry is battling back. Companies are
developing software and services that deliver early warnings of trouble on the Internet. Unlike
traditional antivirus software, which is reactive, early-warning systems are proactive, scanning
the web for new viruses and alerting companies to the danger.
And new systems are emerging in response to ever-more-effective virus writers. As virus writers become more expert, the gap between the time when they learn of vulnerabilities and when they exploit them is closing quickly. Hackers are now producing new viruses and worms in a matter of hours (see zero-day attacks).
IT’S ABOUT BUSINESS 3.3
DON’T PAY THAT RANSOM—DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
All this foreign software! It almost seems unsafe to be connected to the Internet. E-mails can have viruses, junk mail clogs our networks, and spyware spreads nasty software. Where is it all going to go?
If the source can be located, that company could be held liable. A Montreal-based distributor called Integrated Search Technologies was investigated by the Canadian Competition Bureau in response to a complaint that the company planted software that performed functions not documented in its promotional material. Unfortunately, there is no law in Canada against spyware, so prosecution could occur only if damage arose or if there was a misrepresentation by the company with respect to how private information was handled.
Spyware can be planted on any computing device—not just a computer. The worst spyware is the kind that obtains information on how to run your computer, and then takes over your computer. It uses it to attack another system by sending it thousands of messages, which can overload the target system and take it down. The investigation of one such distributed denial-of-service (DDoS) attack found that at one location, four of these computer bots were actually Hewlett-Packard JetDirect printer controllers.
So what do you do when your company, which has been operating a successful website and business for many years, suddenly struggles under terabytes of e-mail messages flooding the system over a period of a few minutes, bringing the system down? In Canada, you would call the computer crime unit of your local police force. You could also call someone in from the computer crimes investigation unit of the RCMP. They would likely tell you that, unfortunately, these crimes are frequent, and difficult to stop if you do not know where they are coming from or who is initiating them.
Likely, if your business is brought down by a DDoS attack, you will receive an extortion e-mail, asking for a large sum of money, with regular monthly payments to “prevent” such attacks in the future. But if you pay, how do you know they will not attack you again and then ask for an even larger amount?
There is specific technology and expertise available that can combat DDoS attacks, but it is expensive. Cisco Systems, Inc. sells something called a Cisco Guard DDoS mitigation appliance. This solution is sold together with software that monitors Internet traffic, so potential attacks can be detected early, and the offending traffic can be blocked. There are also software specialists who deal with DDoS attacks, such as the SANS Technology Institute and Prolexic Technologies Inc. What Prolexic does is take all of the company’s incoming data, analyze it, and then send “sanitized” or “scrubbed” data forward to the company. If a DDoS attack does occur, then there could be hundreds of thousands of messages arriving within seconds of each other, bringing the volume of data up well beyond what a normal Internet server could handle. High capacity computing power is needed to handle the peaks of the DDoS attacks.
Sources: Compiled from G. Buckler, “Is Your Printer Spying on You?” The Globe and Mail, April 18, 2007, p. B12; N. Carniol, “Probe of Software Firm Sought,” The Toronto Star, November 4, 2005, p. F1; J. MacDonald, “Attack of the Killer Bots,” Canadian Business, June 4, 2007, pp. 51–52; www.cisco.com, accessed August 18, 2007.
QUESTIONS
1. Which websites would be most at risk for DDoS attacks? Why?
2. Describe the activities that a business could perform to reduce the likelihood of a DDoS attack.
3. Assume that it costs $25,000 to purchase a DDoS mitigation product and about $4,000 per month to run the DDoS mitigation service. If you are a small company with only $10,000 in sales a month from the Internet, and someone attacked your website, demanding $1,000 a month in “insurance” so you would not be attacked again, what would you do? Why?
Technicians at TruSecure Corporation (www.cybertrust.com) and Symantec Corporation (www.symantec.com) are working around the clock to monitor web traffic. Symantec’s team taps into 20,000 sensors placed at Internet hubs in 180 countries to spot e-mail and other data packets that seem to be carrying viruses. TruSecure sends technicians posing as hackers into online virus-writer chat rooms to find out what they are planning. TruSecure boasts that it even contributed to the arrests of the authors of the Melissa, Anna Kournikova, and Love
In addition, many companies hire information security experts to attack their own systems. These surprise attacks are called penetration tests or white hacking. A penetration test is a method of evaluating the security of an information system by simulating an attack by a malicious perpetrator. The idea is to proactively discover weaknesses before real attackers exploit them.
Despite the difficulties involved in defending against attacks, organizations spend a great deal of time and money protecting their information resources. We discuss these methods of protection in the next section.
BEFORE YOU GO ON...
1. Give an example of one type of unintentional threat to a computer system.
2. Describe the various types of software attacks.
3. Describe the issue of intellectual property protection.
3.3 PROTECTING INFORMATION RESOURCES
Before spending money to apply controls, organizations must perform risk management. As we discussed earlier in the chapter, a risk is the probability that a threat will impact an information resource. The goal of risk management is to identify, control, and minimize the impact of threats. In other words, risk management seeks to reduce risk to acceptable levels. There are three processes in risk management: risk analysis, risk mitigation, and controls evaluation. We consider each one below.
Risk analysis is the process by which an organization assesses the value of each asset being
protected, estimates the probability that each asset will be compromised, and compares the
probable costs of the asset’s being compromised with the costs of protecting that asset.
Organizations perform risk analysis to ensure that their information systems’ security programs
are cost effective. The risk analysis process prioritizes the assets to be protected based on each
asset’s value, its probability of being compromised, and the estimated cost of its protection. The
organization then considers how to mitigate the risk.
In risk mitigation, the organization takes concrete actions against risks. Risk mitigation has two functions: (1) implementing controls to prevent identified threats from occurring and (2) developing a means of recovery should the threat become a reality. There are several risk mitigation strategies that organizations may adopt. The three most common are risk acceptance, risk limitation, and risk transference.
• Risk acceptance: Accept the potential risk, continue operating with no controls, and absorb
any damages that occur.
• Risk limitation: Limit the risk by implementing controls that minimize the impact of the threat.
• Risk transference: Transfer the risk by using other means to compensate for the loss, such
as by purchasing insurance.
In controls evaluation, the organization identifies security deficiencies and calculates the costs of implementing adequate control measures. If the costs of implementing a control are greater than the value of the asset being protected, then the control is not cost effective.
For example, an organization’s mainframe computers are too valuable for risk acceptance. As a result, organizations limit the risk to mainframes through controls, such as access controls. Organizations also use risk transference for their mainframes by purchasing insurance and having off-site backups.
The purpose of controls is to safeguard assets, optimize the use of the organization’s resources, and prevent or detect errors or fraud. Organizations protect their systems using “layers” of control systems. First comes the control environment, and then general controls, followed by application controls. The control environment encompasses management attitudes toward controls, as evidenced by management actions, as well as by stated policies and procedures that
address ethical issues and the quality of supervision. Using the analogy of a house, the control environment provides the roof and walls of the house, the general controls provide the plumbing and electricity, while the application controls cover each room (functional area). General controls apply to more than one functional area. For example, passwords are general controls. Controls specific to one application, such as payroll, are application controls. A typical payroll application control would be the approval of payroll wage rates.
Information systems security encompasses all of the types of controls, as organizations need
to have security policies and procedures, to protect all applications using physical and software
controls such as anti-virus or firewalls, and to protect individual applications with controls over
how information is entered and managed.
Because it is so important to the entire enterprise, organizing an appropriate defence system is one of the major activities of any prudent CIO and of the functional managers who control information resources. As a matter of fact, IT security is the business of everyone in an organization.
The following is a list of the major difficulties involved in protecting information resources:
• Hundreds of potential threats exist.
• Computing resources may be situated in many locations.
• Many individuals control information assets.
• Computer networks can be located outside the organization and difficult to protect.
• Rapid technological changes make some controls obsolete as soon as they are installed.
• Many computer crimes go undetected for a long period of time, so it is difficult to learn from
• People tend to violate security procedures because the procedures are inconvenient.
• The amount of computer knowledge necessary to commit computer crimes is usually
minimal. As a matter of fact, one can learn hacking, for free, on the Internet.
• The cost of preventing hazards can be very high. Therefore, most organizations simply cannot afford to protect against all possible hazards.
• It is difficult to conduct a cost-benefit justification for controls before an attack occurs
because it is difficult to assess the value of a hypothetical attack.
Controls that protect information assets are called defence mechanisms or countermeasures. Security controls are designed to protect all of the components of an information system, including data, software, hardware, and networks.
Controls are intended to prevent accidental hazards, deter intentional acts, detect problems as early as possible, enhance damage recovery, and correct problems. Before we discuss controls in more detail, we emphasize that the single, most effective control is user education and training, leading to increased awareness of the vital importance of information security on the part of every organizational employee.
We will look at three categories of general controls: physical controls, access controls, and
communications controls. Figure 3.2 illustrates these controls. Then, we will look at examples
of application controls.
Physical controls prevent unauthorized individuals from gaining access to a company’s facilities. Common physical controls include walls, doors, fencing, gates, locks, badges, guards, and alarm systems. More sophisticated physical controls include pressure sensors, temperature sensors, and motion detectors. One weakness of physical controls is that they can be inconvenient to employees.
FIGURE 3.2 Various locations of defence mechanisms.
Guards deserve special mention because they have very difficult jobs. First, their jobs are boring and repetitive and they are typically not highly paid. Second, if they do their jobs thoroughly, other employees may harass them, particularly if their being conscientious slows down the process of entering a facility.
Access controls can be physical controls or logical controls. Both types restrict unauthorized individuals from using information resources. Logical controls are implemented by software. For example, access control programs limit users to acceptable login times and acceptable login locations. These controls can limit the number of unsuccessful login attempts and they require everyone to log off their computers when they leave for the day. In addition, computers are set to automatically log the user off after a certain period of disuse.
These controls involve two major functions: authentication and authorization.
Authentication determines the identity of the person requiring access and authorization
determines which actions, rights, or privileges the person has, based on verified identity.
Organizations use many methods to identify authorized personnel (i.e., authenticate someone).
These methods include something the user is, something the user has, something the user does,
and something the user knows.
SOMETHING THE USER IS. Also known as biometrics, these authentication methods examine
a person’s innate physical characteristics. Common biometric applications are fingerprint
scans, palm scans, retina scans, iris recognition, and facial recognition. Of these, fingerprints,
retina scans, and iris recognition provide the most definitive identification.
SOMETHING THE USER HAS. These authentication mechanisms include regular identification (ID) cards, smart ID cards, and tokens. Regular ID cards, or dumb cards, typically have the person’s picture, and often, his or her signature. Smart ID cards have a chip embedded in them with pertinent information about the user. (Smart ID cards used for identification differ from smart cards used in electronic commerce; see Chapter 6. Both types of card have embedded chips, but they are used for different purposes.) Tokens have embedded chips and a digital display that presents a login number employees use to access the organization’s network. The number changes with each login.
SOMETHING THE USER DOES. These authentication mechanisms include voice and signature recognition. In voice recognition, the user speaks a phrase (e.g., his or her name and department) that has been previously recorded under controlled, monitored conditions. The voice recognition system matches the two voice signals.
In signature recognition, the user signs his or her name, and the system matches this signature with one previously recorded under controlled, monitored conditions. Signature recognition systems also match the speed of the signature and the pressure of the signature.
SOMETHING THE USER KNOWS. These authentication mechanisms include passwords and
passphrases. Passwords present a huge information security problem in all organizations. All
users should use strong passwords so that the password cannot be broken by a password
attack, which we discussed earlier. Strong passwords have the following characteristics:
• They should be difficult to guess.
• They should be longer rather than shorter.
• They should have uppercase letters, lowercase letters, numbers, and special characters.
• They should not be a recognizable word.
• They should not be the name of anything or anyone familiar, such as family names or names
• They should not be a recognizable string of numbers, such as a Social Insurance number or
Unfortunately, strong passwords are irritating. If the organization mandates longer (stronger) passwords and/or frequent password changes, they become more difficult to remember, causing employees to write them down. What is needed is a way for a user to create a strong password that is easy to remember. A passphrase can help, either by being a password itself, or by helping you create a strong password.
A passphrase is a series of characters that is longer than a password but can be memorized
easily. Examples of passphrases include “maytheforcebewithyoualways,” “goaheadmakemyday,”
“livelongandprosper,” and “aman’sgottoknowhislimitations.” A user can turn a passphrase into
a strong password in this manner. Start with the last passphrase above and use the first letter
of each word. You will have amgtkhl. Then capitalize every other letter, to have AmGtKhL. Then
add special characters and numbers, to have 9AmGtKhL//*. Now you have a strong password
that you can remember.
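The recipe just described, carried out in code, together with a check against the listed characteristics of a strong password. This is an added example, not from the textbook; the word list is a constructed stand-in for a real dictionary, and the default prefix and suffix are the text's own choices.

```python
import re

# Constructed stand-in for a dictionary word list; a real checker would load a full one.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "limitations", "qwerty"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>/?|\\~`'\"")


def passphrase_to_password(passphrase, prefix="9", suffix="//*"):
    """Turn a memorable passphrase into a strong password by the text's recipe:
    take the first letter of each word, capitalize every other letter (starting
    with the first), then add digits and special characters. The default prefix
    and suffix are the ones the text uses; any memorable choice works."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", passphrase)
    initials = "".join(w[0] for w in words).lower()            # amgtkhl
    alternating = "".join(ch.upper() if i % 2 == 0 else ch     # AmGtKhL
                          for i, ch in enumerate(initials))
    return prefix + alternating + suffix                       # 9AmGtKhL//*


def password_weaknesses(password, min_length=8):
    """Return the strong-password characteristics the password fails;
    an empty list means it passes every check listed in the text."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(ch in SPECIALS for ch in password):
        problems.append("no special character")
    if password.lower() in COMMON_WORDS:
        problems.append("recognizable word")
    if password.isdigit():
        problems.append("string of numbers")
    return problems


if __name__ == "__main__":
    for phrase in ["a man's got to know his limitations",
                   "may the force be with you always"]:
        pw = passphrase_to_password(phrase)
        print(phrase, "->", pw, password_weaknesses(pw) or "strong")
```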
MULTIFACTOR AUTHENTICATION. Many organizations are using multifactor authentication to more efficiently and effectively identify authorized users. This type of authentication is particularly important when users are logging in from remote locations.
Single-factor authentication, which is notoriously weak, commonly consists simply of a password. Two-factor authentication consists of a password plus one type of biometric identification
(e.g., a fingerprint). Three-factor authentication is any combination of three authentication
methods. We should keep in mind that stronger authentication is more expensive, and can be
irritating to users as well.
Once users have been properly authenticated, then the rights and privileges that they have on the organization’s systems are established, a process called authorization. Companies use the principle of least privilege for authorization purposes. A privilege is a collection of related computer system operations that can be performed by users of the system. Least privilege is a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization. This means that employees would have access to only those functions they need to complete their job effectively. The accounts payable data entry clerk, for example, would be unable to access wage rates.
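The logical access controls described earlier (login hours and locations, a cap on unsuccessful attempts, automatic logoff after disuse) followed by least-privilege authorization, worked as one script. This is an added example, not from the textbook; the users, roles, network prefix and time limits are constructed, and the unsalted hash stands in for a proper password hash.

```python
import hashlib
import hmac
from datetime import datetime, timedelta


def _digest(password):
    # Stand-in for a salted, slow password hash; enough to avoid comparing plaintext.
    return hashlib.sha256(password.encode()).hexdigest()


class AccessControl:
    """Authentication (who is this?) and authorization (what may they do?),
    with the logical controls the text lists and deny-by-default privileges."""

    def __init__(self, users, roles, login_hours=(7, 19),
                 allowed_prefixes=("10.0.",), max_failed=3,
                 idle_timeout=timedelta(minutes=15)):
        self.users = users              # username -> {"digest": ..., "role": ...}
        self.roles = roles              # role -> set of operations it may perform
        self.login_hours = login_hours  # half-open [start, end) in local hours
        self.allowed_prefixes = allowed_prefixes
        self.max_failed = max_failed
        self.idle_timeout = idle_timeout
        self.failed = {}                # username -> consecutive failures
        self.locked = set()
        self.sessions = {}              # username -> time of last activity

    def authenticate(self, user, password, source_ip, now):
        """Returns (ok, reason); enforces lockout, login hours and location."""
        if user in self.locked:
            return False, "account locked"
        if not self.login_hours[0] <= now.hour < self.login_hours[1]:
            return False, "outside permitted login hours"
        if not source_ip.startswith(self.allowed_prefixes):
            return False, "login location not permitted"
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record["digest"], _digest(password)):
            self.failed[user] = self.failed.get(user, 0) + 1
            if self.failed[user] >= self.max_failed:
                self.locked.add(user)
                return False, "too many unsuccessful attempts, account locked"
            return False, "invalid credentials"
        self.failed[user] = 0
        self.sessions[user] = now
        return True, "authenticated"

    def authorize(self, user, operation, now):
        """Least privilege: the operation must be in the role's set."""
        last = self.sessions.get(user)
        if last is None:
            return False, "not logged in"
        if now - last > self.idle_timeout:
            del self.sessions[user]           # automatic logoff after disuse
            return False, "logged off after inactivity"
        self.sessions[user] = now
        role = self.users[user]["role"]
        if operation in self.roles.get(role, set()):
            return True, "permitted"
        return False, "%s is not granted %s" % (role, operation)


def build_demo():
    """Constructed users and roles: the accounts payable clerk never sees wage rates."""
    users = {"aclerk": {"digest": _digest("9AmGtKhL//*"), "role": "ap_clerk"},
             "pmanager": {"digest": _digest("Correct-Horse-42!"), "role": "payroll"}}
    roles = {"ap_clerk": {"enter_invoice", "view_vendor"},
             "payroll": {"view_wage_rates", "approve_wage_rates"}}
    return AccessControl(users, roles)


def run_scenario():
    """Walk one working day through the controls; returns the reason strings."""
    ac = build_demo()
    t0 = datetime(2008, 2, 7, 9, 0)        # constructed timestamp
    out = {}
    out["login"] = ac.authenticate("aclerk", "9AmGtKhL//*", "10.0.5.7", t0)[1]
    out["own_job"] = ac.authorize("aclerk", "enter_invoice", t0 + timedelta(minutes=1))[1]
    out["wage_rates"] = ac.authorize("aclerk", "view_wage_rates", t0 + timedelta(minutes=2))[1]
    out["idle"] = ac.authorize("aclerk", "enter_invoice", t0 + timedelta(minutes=40))[1]
    out["location"] = ac.authenticate("aclerk", "9AmGtKhL//*", "203.0.113.9", t0)[1]
    out["hours"] = ac.authenticate("aclerk", "9AmGtKhL//*", "10.0.5.7", t0.replace(hour=23))[1]
    for _ in range(3):
        out["lockout"] = ac.authenticate("pmanager", "wrong", "10.0.5.8", t0)[1]
    out["after_lockout"] = ac.authenticate("pmanager", "Correct-Horse-42!", "10.0.5.8", t0)[1]
    return out


if __name__ == "__main__":
    for step, reason in run_scenario().items():
        print(step, "->", reason)
```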
Communications (network) controls secure the movement of data across networks. Communications controls consist of firewalls, anti-malware systems, intrusion detection systems, encryption, virtual private networking (VPN), and vulnerability management systems. Firewalls, anti-malware systems, intrusion detection systems, encryption, and VPNs are reactive. Only vulnerability management systems provide a proactive approach, identifying network and device vulnerabilities before networks are compromised.
FIREWALLS. A firewall is a system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company’s network. Put simply, firewalls prevent unauthorized Internet users from accessing private networks. Firewalls can consist of hardware, software, or a combination of both. All messages entering or leaving your company’s network pass through a firewall. The firewall examines each message and blocks those that do not meet specified security rules.
Firewalls range from simple, for home use, to very complex for organizational use. Figure 3.3a shows a basic firewall for a home computer. In this case, the firewall is implemented as software on the home computer. Figure 3.3b shows an organization that has implemented an external firewall, which faces the Internet, and an internal firewall, which faces the company network. A demilitarized zone (DMZ) is located between the two firewalls. Messages from the Internet must first pass through the external firewall. If they conform to the defined security rules, then they are sent to company servers located in the DMZ. These servers typically handle web page requests and e-mail. Any messages designated for the company’s internal network (for example, its intranet) must pass through the internal firewall, again with its own defined security rules, to gain access to the company’s private network.
FIGURE 3.3 (a) Basic firewall for home computer. (b) Organization with two firewalls and demilitarized zone.
The danger from viruses and worms is so severe that many organizations are placing firewalls at strategic points inside their private networks. In this way, if a virus or worm does get through both the external and internal firewalls, then the internal damage may be contained.
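The two-firewall layout of Figure 3.3b, traced in code so that each message's path through the external and internal rule sets is visible. This is an added example, not from the textbook; the rule sets, the RFC 5737 documentation addresses standing in for the Internet and the DMZ, and the 10.0.0.0/8 company network are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# A rule matches when source, destination and port all match; first match wins,
# and a message that matches no rule is dropped (default deny).
Rule = namedtuple("Rule", "action src dst port")

# Constructed address plan (documentation ranges for the outside, 10/8 inside).
DMZ_NET = "192.0.2.0/24"
WEB_SERVER, MAIL_SERVER = "192.0.2.10", "192.0.2.25"
INTRANET = "10.0.0.0/8"
DATABASE = "10.0.0.50"
ANY = "0.0.0.0/0"

# External firewall (faces the Internet): only the DMZ services are reachable;
# nothing addressed to the private network gets past it.
EXTERNAL_RULES = [
    Rule("allow", ANY, WEB_SERVER, 80),
    Rule("allow", ANY, WEB_SERVER, 443),
    Rule("allow", ANY, MAIL_SERVER, 25),
]

# Internal firewall (faces the company network): its own rules, here only the
# web server may reach the database, and only on the database port.
INTERNAL_RULES = [
    Rule("allow", WEB_SERVER, DATABASE, 5432),
]


def first_match(rules, src, dst, port):
    """Return the action of the first matching rule, or deny."""
    for rule in rules:
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)
                and rule.port == port):
            return rule.action
    return "deny"


def trace(src, dst, port):
    """Follow one message through the layout: the external firewall first (for
    traffic from outside), then the internal firewall only if the destination is
    on the private network. Returns the (firewall, verdict) checkpoints passed
    and where the message ended up: "dmz", "intranet", "internet" or "dropped"."""
    path = []
    inside = (ip_address(src) in ip_network(DMZ_NET)
              or ip_address(src) in ip_network(INTRANET))
    if not inside:
        verdict = first_match(EXTERNAL_RULES, src, dst, port)
        path.append(("external", verdict))
        if verdict == "deny":
            return path, "dropped"
    if ip_address(dst) in ip_network(INTRANET):
        verdict = first_match(INTERNAL_RULES, src, dst, port)
        path.append(("internal", verdict))
        return path, "intranet" if verdict == "allow" else "dropped"
    if ip_address(dst) in ip_network(DMZ_NET):
        return path, "dmz"
    return path, "internet"


if __name__ == "__main__":
    client = "198.51.100.7"                      # constructed Internet client
    for msg in [(client, WEB_SERVER, 443), (client, DATABASE, 5432),
                (WEB_SERVER, DATABASE, 5432), (MAIL_SERVER, DATABASE, 5432)]:
        print(msg, "->", trace(*msg))
```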
ANTI-MALWARE SYSTEMS. Anti-malware systems, also called AV, or antivirus, software, are
software packages that attempt to identify and eliminate viruses, worms, and other malicious
software. This software is implemented at the organizational level by the Information Systems
department. There are currently hundreds of AV software packages available. Among the best
known are Norton AntiVirus (www.symantec.com), McAfee VirusScan (www.mcafee.com), and
Trend Micro PC-cillin (www.trendmicro.com).
As mentioned above, anti-malware systems are generally reactive. These products work by creating definitions, or signatures, of various types of malware, and then updating these signatures in their products. The anti-malware software then examines suspicious computer code to see if it matches a known signature. If it does, then the anti-malware software will remove it. This is the reason organizations update their malware definitions so often.
Because malware is such a serious problem, the leading vendors are rapidly developing anti-malware systems that function proactively as well as reactively. These systems evaluate behaviour rather than relying on signature matching. In theory, therefore, it is possible to catch malware before it can infect systems. Cisco, for example, has a product called Cisco Security Agent. This product functions proactively by analyzing computer code to see if it functions like malware (see www.cisilion.com/cisco-security-agent.htm). Prevx is another vendor offering this type of proactive malware system (www.prevx.com).
WHITELISTING AND BLACKLISTING. A report by Yankee Group Research, Inc. (www.yankee-
group.com), a technology research and consulting firm, stated that 99 percent of organizations
had anti-malware systems installed, but 62 percent of companies still suffered successful mal-
ware attacks. As we have discussed, anti-malware systems are usually reactive, and malware
continues to infect companies.
One solution to this problem is whitelisting. Whitelisting is a process in which a company iden-
tifies the software that it will allow to run and does not try to recognize malware. Whitelisting
permits acceptable software to run and either prevents anything else from running or lets new
software run in a quarantined environment until the company can verify its validity.
Where whitelisting allows nothing to run unless it is on the whitelist, blacklisting allows
everything to run unless it is on the blacklist. A blacklist, then, includes certain types of soft-
ware that are not allowed to run in the company environment. For example, a company might
blacklist peer-to-peer file sharing on its systems. In addition to software, people, devices, and
websites can also be whitelisted and blacklisted.
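The contrast drawn in the last three paragraphs (reactive signature matching, behaviour-based detection, whitelisting and blacklisting), as an added example that is not from the textbook or any vendor's product: all signatures, behaviour weights, hashes and samples are constructed for illustration.

```python
"""Added example, not from the textbook: why signature scanning is reactive,
what behaviour-based detection adds, and how an allow list (whitelist)
changes the question from "is this known-bad?" to "is this approved?".

All samples, signatures, behaviour weights and hashes are constructed.
"""
import hashlib

# --- Reactive anti-malware: match code against known signatures ------------
SIGNATURES = {                          # constructed byte patterns
    "Demo.Worm.A": b"SPREAD_TO_ALL_CONTACTS",
    "Demo.Logger.B": b"HOOK_KEYBOARD",
}

def signature_scan(code: bytes) -> list:
    """Names of known signatures found in the code (empty means 'clean')."""
    return [name for name, pattern in SIGNATURES.items() if pattern in code]

# --- Proactive anti-malware: score what the program does, not its bytes ----
SUSPICIOUS_BEHAVIOURS = {               # constructed weights
    "writes_to_startup": 2,
    "reads_address_book": 2,
    "opens_many_smtp_connections": 3,
    "captures_keystrokes": 4,
}

def behaviour_score(observed: set) -> int:
    return sum(SUSPICIOUS_BEHAVIOURS.get(b, 0) for b in observed)

def behaviour_flags(observed: set, threshold: int = 4) -> bool:
    """True when the combined behaviour looks like malware."""
    return behaviour_score(observed) >= threshold

# --- Whitelisting: only approved programs run; the rest is quarantined ------
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

APPROVED_PAYROLL = b"payroll-app v3.1 build 88"        # constructed program
ALLOW_LIST = {sha256(APPROVED_PAYROLL)}

def allowlist_decision(code: bytes, quarantine_unknown: bool = True) -> str:
    """'run' if approved; otherwise 'quarantine' until verified, or 'block'."""
    if sha256(code) in ALLOW_LIST:
        return "run"
    return "quarantine" if quarantine_unknown else "block"

# --- Blacklisting: everything runs except what is listed -------------------
BLOCK_LIST = {sha256(b"p2p-filesharer v2.0")}          # constructed program

def blocklist_decision(code: bytes) -> str:
    return "block" if sha256(code) in BLOCK_LIST else "run"

# Constructed samples: a worm the vendor has a signature for, and a re-spelled
# variant the signature misses but whose behaviour is unchanged.
KNOWN_WORM = b"...SPREAD_TO_ALL_CONTACTS..."
NEW_VARIANT = b"...SPREAD TO ALL CONTACTS..."
NEW_VARIANT_BEHAVIOUR = {"reads_address_book", "opens_many_smtp_connections"}

def compare(code: bytes, observed: set) -> dict:
    """Verdict of each approach on one program and its observed behaviour."""
    return {
        "signature": bool(signature_scan(code)),
        "behaviour": behaviour_flags(observed),
        "whitelist": allowlist_decision(code),
        "blacklist": blocklist_decision(code),
    }
```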
INTRUSION DETECTION SYSTEMS. Intrusion detection systems are designed to detect all
types of malicious network traffic and computer usage that cannot be detected by a firewall.
These systems capture all network traffic flows and examine the contents of each packet
for malicious traffic. An example of this type of malicious traffic is a denial-of-service attack
ENCRYPTION. When organizations do not have a secure channel for sending information,
they use encryption to stop unauthorized eavesdroppers. Encryption is the process of con-
verting an original message into a form that cannot be read by anyone except the intended
All encryption systems use a key, which is the code that scrambles, and then decodes, the mes-
sages. The majority of encryption systems use public-key encryption. Public-key encryption—also
known as asymmetric encryption—uses two different keys: a public key and a private key (see
Figure 3.4). The public key and the private key are created simultaneously using the same math-
ematical formula or algorithm. Because the two keys are mathematically related, the data
encrypted with one key can be decrypted using the other key. The public key is publicly available
in a directory that all parties can access. The private key is kept secret, never shared with any-
one, and never sent across the Internet. In this system, if Alice wants to send a message to Bob,
she first obtains Bob’s public key, which she uses to encrypt (scramble) her message. When Bob
receives Alice’s message, he uses his private key to decrypt (unscramble) it.
FIGURE 3.4 How
Public key systems also show that a message is authentic. That is, if you encrypt a message
using your private key, you have electronically “signed” it. A recipient can verify that the mes-
sage came from you by using your public key to decrypt it.
Although this system is adequate for personal information, organizations doing business over
the Internet require a more complex system. In such cases, a third party, called a certificate
authority, acts as a trusted intermediary between companies. As such, the certificate authori-
ty issues digital certificates and verifies the worth and integrity of the certificates. A digital cer-
tificate is an electronic document attached to a file certifying that the file is from the organization
it claims to be from and has not been modified from its original format. As you can see in
Figure 3.5, Sony requests a digital certificate from VeriSign, a certificate authority, and uses this
certificate when doing business with Dell. Note that the digital certificate contains an identifi-
cation number, the issuer, validity dates, and the requester’s public key. For examples of certifi-
cate authorities, see www.entrust.com, www.verisign.com, www.cybertrust.com, www.secude.com, and
www.thawte.com. One way of improving access controls is by combining a variety of techniques.
IT’s About Business 3.4 provides a discussion of biometrics and video surveillance software that
are increasingly being used around the world.
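The exchange in Figure 3.4 (encrypt with Bob's public key, decrypt with his private key, sign with the private key) and the certificate check in Figure 3.5, carried through as an added example that is not from the textbook. It uses textbook RSA over fixed Mersenne primes with no padding, so it illustrates the mathematics the text describes and is not a usable cipher; the serial number, dates and message are constructed, and the CA name echoes the figure.

```python
"""Added example, not from the textbook: Figure 3.4 (Alice encrypts with
Bob's public key, Bob decrypts with his private key and signs with it) and
Figure 3.5 (a CA-issued certificate), carried through with textbook RSA.

Toy for illustration only: fixed Mersenne primes give keys of roughly 92 and
196 bits, with no padding. Names, serial number and dates are constructed.
"""
import hashlib
import json

E = 65537
BOB_PRIMES = (2**31 - 1, 2**61 - 1)     # fixed so the example is reproducible
CA_PRIMES = (2**89 - 1, 2**107 - 1)     # a second pair so the CA's key differs

def keypair(p: int, q: int, e: int = E):
    """Both keys share the modulus n; that shared mathematics is why data
    scrambled with one key unscrambles with the other."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))     # (public, private)

def _block_size(n: int) -> int:
    # bytes per block; one byte is reserved for a leading 0x01 marker so a
    # block that starts with zero bytes, or a short final block, survives
    return (n.bit_length() - 1) // 8 - 1

def encrypt(pub: tuple, message: bytes) -> list:
    """Scramble each block with the recipient's public key."""
    n, e = pub
    size = _block_size(n)
    return [pow(int.from_bytes(b"\x01" + message[i:i + size], "big"), e, n)
            for i in range(0, len(message), size)]

def decrypt(priv: tuple, blocks: list) -> bytes:
    """Unscramble with the matching private key."""
    n, d = priv
    out = b""
    for c in blocks:
        m = pow(c, d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]  # drop marker
    return out

def _digest_mod(n: int, data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv: tuple, data: bytes) -> int:
    """Electronic signature as the text puts it: the private key 'encrypts'
    a digest of the data."""
    n, d = priv
    return pow(_digest_mod(n, data), d, n)

def verify(pub: tuple, data: bytes, signature: int) -> bool:
    """Anyone holding the public key 'decrypts' the signature and compares."""
    n, e = pub
    return pow(signature, e, n) == _digest_mod(n, data)

def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(ca_priv: tuple, issuer: str, serial: str, subject: str,
                      subject_pub: tuple, valid_from: str, valid_to: str) -> dict:
    """The CA binds the requester's public key to its identity with the fields
    the text lists: identification number, issuer, validity dates, public key."""
    body = {"id": serial, "issuer": issuer, "subject": subject,
            "valid_from": valid_from, "valid_to": valid_to,
            "public_key": list(subject_pub)}
    return {"body": body, "signature": sign(ca_priv, _canonical(body))}

def verify_certificate(cert: dict, ca_pub: tuple, today: str) -> bool:
    """What the relying party checks: inside the validity window, and the
    CA's signature still matches the unmodified body (ISO date strings)."""
    body = cert["body"]
    in_window = body["valid_from"] <= today <= body["valid_to"]
    return in_window and verify(ca_pub, _canonical(body), cert["signature"])

def demo() -> dict:
    """Run both figures end to end and report each check's outcome."""
    bob_pub, bob_priv = keypair(*BOB_PRIMES)
    ca_pub, ca_priv = keypair(*CA_PRIMES)
    message = b"Alice -> Bob: ship order 4471"          # constructed
    received = decrypt(bob_priv, encrypt(bob_pub, message))
    signature = sign(bob_priv, received)
    cert = issue_certificate(ca_priv, "VeriSign", "SN-000123", "Bob",
                             bob_pub, "2008-01-01", "2008-12-31")
    tampered = {"body": dict(cert["body"], subject="Someone Else"),
                "signature": cert["signature"]}
    return {
        "round_trip_ok": received == message,
        "signature_ok": verify(bob_pub, received, signature),
        "altered_text_rejected": not verify(bob_pub, received + b"!", signature),
        "cert_ok_in_window": verify_certificate(cert, ca_pub, "2008-06-15"),
        "cert_rejected_expired": not verify_certificate(cert, ca_pub, "2009-02-01"),
        "cert_rejected_tampered": not verify_certificate(tampered, ca_pub, "2008-06-15"),
    }
```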
VIRTUAL PRIVATE NETWORKING. A virtual private network (VPN) is a private network that
uses a public network (usually the Internet) to connect users. As such, VPNs integrate the glob-
al connectivity of the Internet with the security of a private network, and thereby extend the
reach of the organization’s networks.
VPNs are labelled “virtual” because the connections (among organizations, between remote
sites of one organization, or between an organization and its off-site employees) are created
when a transmission needs to be made and terminated when the transmission has been sent.
VPNs are handled by common carriers (i.e., telephone service providers).
FIGURE 3.5 How digital certificates work. Sony and Dell, business partners, use a digital certificate from VeriSign for authentication.
IT’S ABOUT BUSINESS 3.4
NO SURVEILLANCE SYSTEMS IN ANTARCTICA
Montreal-based Genetec, Inc. has surveillance systems on every other continent, though. Genetec’s website (www.genetec.com) states that the company is a physical security leader. It has three major products, all used in the security industry. The first is Omnicast, which manages digital audio, video, and data across an Internet network, allowing users to monitor up to tens of thousands of video cameras. It boasts video camera systems on every continent except Antarctica, at airports, royal palaces, and many other locations. The second product, Synergis, promises a full solution to access controls, using products such as reader cards, software for workstations, and hardware for servers. Finally, AutoVu is touted as being able to recognize licence plates from any country—useful for security firms and police forces around the world.
Together with this type of software, agencies such as country border crossings can scan your licence plate as you arrive, and then use your biometrically enhanced passport to check on your identity. Various countries have already included, or are considering including, biometric information (such as retina scans, face structure or fingerprints) on passports. British passports already have such information. Canadian airports and land-based customs entry points have a pass program whereby individuals can have retina scans embedded in their documents. This is now required for Canadians working in the U.S. and it is part of the speed-pass cards that are used for fast entry when driving to and from the U.S.
The difficulty with biometrics is that there are both “false acceptance” and “false rejection” errors. A false acceptance means that someone could be incorrectly identified as an authorized individual. A false rejection means that you could incorrectly be rejected as being you—perhaps due to a cut finger or an eye infection. A false rejection at the office could mean that you do not get access to your systems, but at a border crossing it could mean you are accused of being a terrorist or having a fake passport.
Sources: Compiled from D. Butler, “Big Bio Is Watching You,” The Montreal Gazette, June 17, 2007, p. A10; S. Delacourt, “Ottawa Takes ‘Big Step’ to Biometric ID,” The Toronto Star, June 30, 2006, p. A6; S. Rabinovitch, “Big Brother to the World,” Globe and Mail, October 8, 2006; www.genetec.com accessed August 19, 2007.
QUESTIONS
1. What security precautions should be used for biometric data that is stored on passports or organizational systems? What risks do these security precautions prevent?
2. How does combining biometric information with a password improve control over organizational systems?
3. What actions should governments take to help prevent individuals from being falsely accused of being a terrorist?
VPNs have several advantages. First, they allow remote users to access the company network.
Second, they allow flexibility. That is, without being constrained by the need for dedicated con-
nections, mobile users can access the organization’s network from properly configured remote
devices. Third, organizations can impose their security policies through VPNs. For example, an
organization may dictate that only corporate e-mail applications are available to users when
they connect from unmanaged devices.
To provide secure transmissions, VPNs use a process called tunnelling. Tunnelling encrypts
each data packet to be sent and places each encrypted packet inside another packet. In this
manner, the packet can travel across the Internet with confidentiality, authentication, and
integrity. Figure 3.6 shows a VPN and tunnelling.
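What tunnelling does to a single packet, as an added example that is not from the textbook: the inner packet, with its private addresses and data, is encrypted and sealed with an authentication tag, then carried as the payload of an outer packet addressed between the two VPN gateways' public addresses. The framing, the HMAC-based toy keystream, the shared key and the addresses are constructed assumptions; real VPNs use a standard such as IPsec.

```python
"""Added example, not from the textbook: tunnelling applied to one packet.

Constructed, toy encapsulation: encrypt the whole inner packet under a
keystream derived with HMAC-SHA256, append an HMAC tag, and wrap the result
in an outer packet between the VPN gateways. The wire format, key and
addresses are assumptions; a real VPN uses a standard such as IPsec.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes

    def pack(self) -> bytes:
        """Constructed wire format: two length bytes, both addresses, data."""
        s, d = self.src.encode(), self.dst.encode()
        return struct.pack("!BB", len(s), len(d)) + s + d + self.payload

    @classmethod
    def unpack(cls, raw: bytes) -> "Packet":
        ls, ld = struct.unpack("!BB", raw[:2])
        src = raw[2:2 + ls].decode()
        dst = raw[2 + ls:2 + ls + ld].decode()
        return cls(src, dst, raw[2 + ls + ld:])

def _subkeys(key: bytes):
    """Separate keys for confidentiality and for authentication."""
    enc = hmac.new(key, b"tunnel-encrypt", hashlib.sha256).digest()
    mac = hmac.new(key, b"tunnel-authenticate", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode style keystream built from HMAC blocks (toy)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack("!Q", counter),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def tunnel_encapsulate(inner: Packet, key: bytes, gateway_src: str,
                       gateway_dst: str, nonce: bytes = None) -> Packet:
    """Encrypt the inner packet, add a tag, and wrap it in an outer packet
    whose addresses are the gateways, not the private endpoints."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be NONCE_LEN bytes")
    plaintext = inner.pack()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return Packet(gateway_src, gateway_dst, nonce + ciphertext + tag)

def tunnel_decapsulate(outer: Packet, key: bytes) -> Packet:
    """Verify the tag first (authentication and integrity); only then decrypt
    and recover the inner packet (confidentiality)."""
    enc_key, mac_key = _subkeys(key)
    body = outer.payload
    nonce, ciphertext, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel packet rejected: authentication failed")
    return Packet.unpack(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

def flip_byte(pkt: Packet, offset: int) -> Packet:
    """Simulate corruption of one byte in transit (for the integrity check)."""
    p = bytearray(pkt.payload)
    p[offset] ^= 0x01
    return Packet(pkt.src, pkt.dst, bytes(p))

def rejected(outer: Packet, key: bytes) -> bool:
    """True when the receiving gateway discards the packet."""
    try:
        tunnel_decapsulate(outer, key)
        return False
    except ValueError:
        return True
```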
SECURE SOCKET LAYER (SSL). Secure socket layer, now called transport layer security (TLS),
is an encryption standard used for secure transactions such as credit card purchases and
online banking. TLS is indicated by a URL that begins with https rather than http and it often
has a small padlock icon in the browser’s status bar. TLS encrypts and decrypts data between
a web server and a browser end-to-end.
VULNERABILITY MANAGEMENT SYSTEMS. Users need access to their organization’s network from anywhere and at any time. To accommodate these needs, vulnerability management systems, also called security on demand, extend the security perimeter that exists for the organization’s managed devices. That is, vulnerability management systems handle security vulnerabilities on unmanaged, remote devices. Recall that we discussed the dangers inherent in using unmanaged devices earlier. Vendors of vulnerability management software include Symantec (www.symantec.com), Trend Micro (www.trendmicro.com), McAfee (www.mcafee.com), and Genetec (www.genetec.com).
FIGURE 3.6 Virtual private network and tunnelling.
Vulnerability management systems scan the remote system and decide whether to allow the
user access to it. These systems allow the user to download anti-malware software to the remote
computer for the user’s protection. The systems will also implement virtual user sessions
on the remote computer. These sessions separate and encrypt data, applications, and networks
from the main system of the unmanaged computer. After the user is finished, the vulnerability
management system clears the unmanaged computer’s browser cache and temporary files.
EMPLOYEE MONITORING SYSTEMS. Many companies are taking a proactive approach to pro-
tecting their networks from what they view as one of their major security threats, namely
employee mistakes. These companies are implementing employee monitoring systems, which
monitor their employees’ computers, e-mail activities, and Internet surfing activities. These
products are useful to identify employees who spend too much time surfing on the Internet for
personal reasons, who visit questionable websites, or who download music illegally. Vendors
that provide monitoring software include SpectorSoft Corporation (www.spectorsoft.com) and
Websense, Inc. (www.websense.com).
Application controls, as their name suggests, are security countermeasures that protect specific
applications. Application controls include three major categories: input controls, processing con-
trols, and output controls. Input controls are programmed routines that are performed to edit input
data for errors before it is processed. For example, Social Insurance numbers should not contain
any alphabetic characters. Processing controls, for example, might match entered quantities of
goods received in the shipping area to amounts ordered on authorized purchase orders. Processing
controls also balance the total number of transactions processed with the total number of trans-
actions input or output. An example of output controls is documentation specifying that author-
ized recipients have received their reports, paycheques, or other critical documents.
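The three application-control categories above as routines an IS department could run, added here as an example that is not from the textbook. The input control is the text's SIN edit (nine digits, no alphabetic characters) extended with the Luhn check digit that SINs carry; the processing controls match receipts to authorized purchase orders and reconcile batch totals; the output control checks report distribution. All purchase orders, transactions and recipient lists are constructed.

```python
"""Added example, not from the textbook: input, processing and output
controls as code. Records, purchase orders and recipient lists are
constructed.
"""
import re

SIN_FORMAT = re.compile(r"^\d{9}$")

def luhn_ok(digits: str) -> bool:
    """Luhn check: from the right, double every second digit (subtract 9 if
    the result exceeds 9) and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate_sin(raw: str) -> list:
    """Input control: edit the field before it is processed; returns errors."""
    sin = raw.replace(" ", "").replace("-", "")
    if not SIN_FORMAT.match(sin):
        return ["SIN must be nine digits with no alphabetic characters"]
    if not luhn_ok(sin):
        return ["SIN check digit does not verify"]
    return []

# Constructed purchase orders the shipping area matches receipts against.
PURCHASE_ORDERS = {
    "PO-1001": {"item": "toner", "qty": 40, "authorized": True},
    "PO-1002": {"item": "paper", "qty": 200, "authorized": False},
}

def check_receipt(po_number: str, item: str, qty_received: int) -> list:
    """Processing control: goods received must match an authorized order."""
    po = PURCHASE_ORDERS.get(po_number)
    if po is None:
        return [f"{po_number}: no such purchase order"]
    errors = []
    if not po["authorized"]:
        errors.append(f"{po_number}: purchase order not authorized")
    if po["item"] != item:
        errors.append(f"{po_number}: item {item!r} does not match {po['item']!r}")
    if qty_received > po["qty"]:
        errors.append(f"{po_number}: received {qty_received} exceeds ordered {po['qty']}")
    return errors

def batch_balances(input_batch: list, processed: list) -> dict:
    """Processing control: the count and amount of transactions input must
    equal those processed. Each transaction is (id, amount)."""
    in_count, out_count = len(input_batch), len(processed)
    in_total = round(sum(a for _, a in input_batch), 2)
    out_total = round(sum(a for _, a in processed), 2)
    missing = sorted({t for t, _ in input_batch} - {t for t, _ in processed})
    return {"balanced": in_count == out_count and in_total == out_total,
            "input": (in_count, in_total), "processed": (out_count, out_total),
            "missing": missing}

def output_distribution(authorized: dict, acknowledged: list) -> dict:
    """Output control: authorized = {report: {recipient, ...}};
    acknowledged = [(report, recipient), ...] signed for on delivery.
    Reports every authorized recipient still waiting and every delivery
    to someone not on the list."""
    acks = set(acknowledged)
    not_received = sorted((r, p) for r, people in authorized.items()
                          for p in people if (r, p) not in acks)
    unauthorized = sorted((r, p) for r, p in acks
                          if p not in authorized.get(r, set()))
    return {"complete": not not_received and not unauthorized,
            "not_received": not_received, "unauthorized": unauthorized}
```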
BUSINESS CONTINUITY PLANNING, BACKUP, AND RECOVERY
An important strategy for organizations is to be prepared for any eventuality. A critical element
in any security system is a business continuity plan, also known as a disaster recovery plan.
Business continuity is the chain of events linking planning to protection and to recovery. The
purpose of the business continuity plan is to keep the business operating after a disaster occurs.
The plan prepares for, reacts to, and recovers from events that affect the security of informa-
tion assets and the subsequent restoration to normal business operations. The plan ensures that
critical business functions continue.
In the event of a major disaster, organizations can employ several strategies for business conti-
nuity. These strategies include hot sites, warm sites, cold sites, and off-site data storage. A hot site is
a fully configured computer facility, with all services, communications links, and physical plant oper-
ations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and
workstations. A warm site provides many of the same services and options of the hot site. However,
a warm site typically does not include the actual applications the company needs. A warm site does
include computing equipment such as servers, but it often does not include user workstations. A
cold site provides only rudimentary services and facilities. This type of site provides no computer
hardware or user workstations. Hot sites reduce risk to the greatest extent, but they are the most
expensive option. Conversely, cold sites reduce risk the least, but they are the least expensive option.
In addition to hot, warm, and cold sites, organizations also use off-site data storage services.
IT’s About Business 3.5 shows how disasters come in various flavours—hardware failure,
human error, or business-unfriendly programming. A well-designed business continuity plan
should be able to deal with many different types of problems.
IT’S ABOUT BUSINESS 3.5
WHAT FLAVOUR IS YOUR DISASTER?
How about a construction site accidentally knocking down a hydro-electric pole and accidentally cutting several fibre optic cables? (Fibre optic cables are high speed lines used for data communications.) On July 12, 2006, this happened in Toronto, resulting in the disruption of cable communications traffic to Rogers Communications Inc.’s data network. Rogers Communications, in turn, provides data network services to Research in Motion Limited (RIM), the company that sells BlackBerry personal digital assistants and provides e-mail and other electronic services. The damage occurred early in the morning, and it took until 5:30 p.m. for the bulk of the BlackBerry services to downtown Toronto to be rerouted through other carriers. So, backup procedures were in place (the traffic was routed around the damaged area), but it took many hours for this to happen.
Poorly trained, or poorly instructed, employees cost money—but usually not hundreds of thousands of dollars for one error. A typical procedure in most organizations is to erase old backup drives to make them available for new processing. But care has to be taken so that it’s the backup data that is erased rather than live data. An operator for the Alaska Department of Revenue was doing this type of maintenance, and accidentally reformatted the hard drive for a large oil fund used to issue cheques to residents for oil fund royalties. Unfortunately, he also reformatted the hard drive for the backup to this information. Specialists were unable to recover the data, so it had to be laboriously re-entered from paper records, for a total cost of $220,700. The moral of the story? Keep your paper backup. With the electronic versions all erased, the paper was the bottom-line backup for this organization.
What happens when your e-mail is rejected by a firewall because the firewall thinks that you are a spammer? Well, the recipient clearly does not get your e-mail. Performance Communications Group Inc., a marketing organization, was blacklisted from one of its clients. It turned out that there were several organizations sharing the same server, and one of the organizations had sent out mail that looked like spam. All of the organizations using that server were blacklisted by the firewall, since it used source addresses to do the automatic blacklisting. Your organization can also be blacklisted if it does not keep its e-mail listings current and too many e-mails bounce back as invalid, one of the signs of spammers that send e-mail to random addresses. If your e-mail cannot get through, then your backup systems are telephone and facsimile—not quite as fast or convenient as e-mail.
Sources: Compiled from Associated Press, “Oops! Techie Wipes Out $38-Billion Fund,” www.msnbc.msn.com, March 20, 2007; K. J. Bannan, “When They Say You Are a Spammer,” The New York Times, May 24, 2007, p. C10; T. Perkins, “BlackBerry Black-Out Dismays Bay Streeters,” The Toronto Star, www.thestar.com, July 13, 2006.
QUESTIONS
1. Think about the different computing resources and information that you have. What risks of failure are they exposed to?
2. Compare this with a large financial services organization, perhaps where you bank. What additional risks of information system failure is this organization exposed to?
3. What new methods of backup are you going to initiate now that you are aware of some of the risks associated with information loss?
INFORMATION SYSTEMS AUDITING
Companies implement security controls to ensure that information systems work properly. These controls can be installed in the original system, or they can be added after a system is in operation. Installing controls is necessary but not sufficient to provide adequate security. In addition, people responsible for security need to answer questions such as: Are all controls installed as intended? Are they effective? Has any breach of security occurred? If so, what actions are required to prevent future breaches?
These questions must be answered by independent and unbiased observers. Such observers
perform the task of information systems auditing. An audit involves the accumulation and evalu-
ation of evidence that is used to prepare a report about the information or controls that are being
examined, using established criteria and standards. In an IS environment, an audit is an exam-
ination of information systems, their control environment, general controls, or application con-
trols (inputs, outputs, and processing).
TYPES OF AUDITORS AND AUDITS
There are several types of auditors. External auditors, also referred to as independent auditors,
work at a public accounting firm, auditing primarily financial statements. Government auditors
work for the provincial or federal auditors general offices. Canada Revenue Agency auditors audit
compliance with tax legislation. Internal auditors work for specific organizations, and may have
the Certified Internal Auditor (CIA) designation. Specialist auditors can be from a variety of fields.
Information systems auditors, for example, may work for any of the above organizations, and
may have a Certified Information Systems Auditor (CISA) designation.
IS auditing is usually conducted as part of the controls evaluation for the financial statement
audit or as part of internal auditing, which looks at the efficiency or effectiveness of systems.
IS auditing is a broad topic, so we present only its essentials here. Auditing focuses on top-
ics such as operations, data integrity, software applications, security and privacy, budgets and
expenditures, cost control, and productivity. Guidelines are available to assist auditors in their
jobs, such as those from the Institute of Internal Auditors (www.theiia.org) or the Information
Systems Audit and Control Association (www.isaca.org).
HOW DOES THE AUDITOR DECIDE ON AUDITS?
IS auditors conduct their work using a risk-based approach. They consider the likelihood of errors
or fraud, or the risk of organizations not following their procedures. Then, they design proce-
dures to test compliance or the percentages of errors. Information systems audits could be part
of the evaluation of controls for a financial statement audit, which are required by statute for
organizations that sell shares to the public, or for publicly accountable organizations such as
Internal auditors conduct their audits based on a plan approved by management. This plan
may look at areas where there are high risks of theft, such as an electronic commerce system,
or at new systems development projects where there is an elevated potential for error, such as
a new point-of-sale system. Where legislation is relatively new, such as privacy legislation, audi-
tors could conduct a privacy audit to evaluate whether the organization is in compliance with
Auditors could use computers in the actual conduct of their audit, by using software to cre-
ate reports or by creating test data that is run through systems to evaluate their functioning.
BEFORE YOU GO ON...
1. Describe the major types of controls for information systems.
2. What is information system auditing?
3. What is the purpose of a disaster recovery plan?
WHAT’S IN IT FOR ME?
FOR THE ACCOUNTING MAJOR
Public companies, their accountants, and their auditors now have significant information secu-
rity responsibilities. Accountants are now being held professionally responsible for reducing risk,
assuring compliance, reducing the risk of fraud, and increasing the transparency of transactions
according to generally accepted accounting principles (GAAP). Regulatory agencies require infor-
mation security, fraud prevention and detection, and internal controls over financial reporting
and the privacy of information. Forensic accounting, a combination of accounting and informa-
tion security, is one of the most rapidly growing areas in accounting today.
FOR THE FINANCE MAJOR
Because information security is essential to the success of organizations today, it is no longer
just the concern of the CIO. As a result of national and global regulatory requirements, respon-
sibility for information security also lies with the CEO and Chief Financial Officer (CFO).
Consequently, the security audit, including the security of information and information systems,
is a key concern for financial managers.
In addition, CFOs and treasurers are increasingly involved with investments in information
technology. They know that a security breach of any kind can have devastating financial effects
on a company. Banking and financial institutions are prime targets for computer criminals.
A related problem is fraud involving stocks and bonds that are sold over the Internet. Finance
personnel must be aware of both the hazards and the available controls associated with these
FOR THE MARKETING MAJOR
Marketing professionals have new opportunities to collect data on their customers, for exam-
ple, through business-to-consumer electronic commerce. Business ethics clearly state that this
be adequately protected. Marketers clearly do not want to be sued because of an invasion of
privacy concerning data collected for the company’s marketing database.
Customers expect their data to be properly secured. Profit-motivated criminals want that data.
Therefore, marketing managers must participate in the risk analysis of their operations.
Failure to protect corporate and customer data will cause significant public relations problems
and make customers very angry, causing them to go elsewhere.
FOR THE PRODUCTION/OPERATIONS MANAGEMENT MAJOR
Every process in a company’s operations—inventory purchasing, receiving, quality control, pro-
duction, and shipping—can be disrupted by an information technology security breach or an IT
security breach at a business partner. Any weak link in supply chain management or enterprise
resource management systems puts the entire chain at risk. Companies may be held liable for
IT security failures that impact other companies.
POM professionals help to decide whether to outsource (or offshore) manufacturing opera-
tions. In some cases, these operations are sent overseas to countries that do not have strict
labour laws. This situation raises serious ethical questions. For example, is it ethical to hire peo-
ple as employees in countries with poor working conditions in order to reduce labour costs?
POM managers must answer other difficult questions: To what extent do security efforts reduce
productivity? Are incremental improvements in security worth the additional costs?
FOR THE HUMAN RESOURCES MANAGEMENT MAJOR
Ethics is critically important to HR managers. HR policies describe the appropriate use of infor-
mation technologies in the workplace. Questions arise such as: Can employees use the Internet,
e-mail, or chat systems for personal purposes while at work? Is it ethical to monitor employ-
ees? If so, how? How much? How often? HR managers help to formulate and enforce such
policies while at the same time maintaining trusting relationships between employees and
HR managers also have responsibilities to maintain security over confidential employee data
and provide a non-hostile work environment. In addition, they must ensure that all employees
explicitly verify that they understand the company’s information security policies and proce-
FOR THE MIS MAJOR
Ethics might be more important for MIS personnel than for anyone else in the organization,
because they have control of the information assets. They also have control over a huge amount
of personal information on all employees. As a result, the MIS function must be held to the high-
est ethical standards.
The MIS function provides the security infrastructure that protects the organization’s infor-
mation assets. This function is critical to the success of the organization, even though it is almost
invisible until an attack succeeds. All application development, network deployment, and intro-
duction of new information technologies have to be guided by IT security considerations. MIS
personnel must customize the risk exposure security model to help the company identify secu-
rity risks and prepare responses to security incidents and disasters.
Senior executives look to the MIS function for help in maintaining internal controls over
information systems management and security. Other functional areas also look to the MIS
function to help them meet their security responsibilities.
1. Describe the major ethical issues related to information technology, and identify situations
in which they occur. The major ethical issues related to IT are privacy, accuracy, property
(including intellectual property), and accessibility to information. Privacy may be violated
when data is held in databases or transmitted over networks. Privacy policies that address
issues of data collection, data accuracy, and data confidentiality can help organizations
avoid legal problems. Intellectual property is the intangible property created by individuals
or corporations that is protected under trade secret, patent, and copyright laws. The most
common intellectual property related to IT deals with software. Copying software without
paying the owner is a copyright violation, and it is a major problem for software vendors.
2. Describe the many threats to information security. There are numerous threats to informa-
tion security, which fall into the general categories of unintentional and intentional.
Unintentional threats include human errors, environmental hazards, and computer system
failures. Intentional threats include espionage, extortion, vandalism, theft, software attacks,
and compromises to intellectual property. Software attacks include viruses, worms, Trojan
horses, logic bombs, back doors, denial-of-service, alien software, and phishing. A growing
threat is cybercrime, which includes identity theft and phishing attacks.
3. Understand the various controls used to protect information systems. Information systems
are protected with a wide variety of controls such as security procedures, physical guards,
and detection software. Management is responsible for the control environment, the atti-
tudes, and the policies used as a framework to establish controls. General controls include
controls for the prevention, deterrence, detection, damage control, recovery, and correction
of information systems. The major types of general controls include physical controls,
access controls, administrative controls, and communications controls. Application controls
include input, processing, and output controls.
4. Explain IT auditing and planning for disaster recovery. Information systems auditing is a
specialization that helps financial, internal, government, or tax auditors evaluate or assess
controls or compliance with procedures or legislation. A detailed internal and external IT
audit may involve hundreds of issues and can be supported by both software and checklists.
Related to IT auditing is the preparation for disaster recovery, which specifically addresses
how to avoid, plan for, and quickly recover from a disaster.
access controls, 86
accountability, 64
adware, 80
alien software, 79
anti-malware systems (antivirus software), 89
application controls, 93
audit, 95
authentication, 86
authorization, 86
back door, 80
biometrics, 86
blacklisting, 89
brute force attack, 80
certificate authority, 91
code of ethics, 64
cold site, 94
communications control (see network control), 98
control, 84
cookie, 81
copyright, 78
cybercrime, 71
cyberextortion, 71
cyberterrorism, 82
cyberwarfare, 82
demilitarized zone (DMZ), 89
denial-of-service (DoS) attack, 80
dictionary attack, 80
digital certificate, 91
digital dossier, 66
distributed denial-of-service (DDoS), 80
electronic surveillance, 66
employee monitoring system, 93
encryption, 90
ethics, 64
exposure, 72
firewall, 88
general control, 85
hot site, 94
identity theft, 77
information systems control, 72
intellectual property, 78
intrusion detection system, 89
keystroke logger (key logger), 80
least privilege, 88
liability, 64
logic bomb, 80
logical control, 86
malware, 75
network control (see communications control), 88
opt-in model, 68
opt-out model, 67
passphrase, 87
patent, 78
penetration test, 83
phishing attack, 80
physical control, 85
piracy, 79
privacy, 66
privilege, 88
profiling, 66
public-key encryption, 90
regular ID card, 87
responsibility, 64
reverse social engineering, 75
risk, 72
risk acceptance, 84
risk analysis, 84
risk limitation, 84
risk management, 84
risk mitigation, 84
risk transference, 84
SCADA, 81
screen scraper, 81
secure socket layer (SSL) (see transport layer security), 92
signature recognition, 87
social engineering, 74
smart ID card, 87
spam, 81
spamware, 81
spyware, 80
strong passwords, 87
threat, 72
token, 87
trade secret, 78
transport layer security (TLS) (see secure socket layer), 92
trap door (see back door), 80
Trojan horse, 80
tunnelling, 92
virtual private network (VPN), 91
virus, 80
voice recognition, 87
vulnerability, 72
vulnerability management system, 92
warm site, 94
whitelisting, 89
worm, 80
zero-day attack, 80
1. Why are computer systems so vulnerable?
2. Why should information security be of prime concern to management?
3. Compare information security in an organization with insuring a house.
4. Why are authentication and authorization important to e-commerce?
5. Why is cross-border cybercrime expanding rapidly? Discuss possible solutions.
6. Discuss why the Sarbanes-Oxley Act and its Canadian equivalent, Bill 198, The Budget
Measures Act, are having an impact on information security.
1. An information security manager routinely monitored the web surfing conducted by her
company’s employees. She discovered that many employees were visiting the “sinful six”
websites. (Note: The sinful six are websites with material related to pornography, gambling,
hate, illegal activities, tastelessness, and violence). She then prepared a list of the employ-
ees and their surfing histories and gave the list to management. Some managers punished
their employees. Some employees, in turn, objected to the monitoring, claiming that they
should have a right to privacy.
a. Is monitoring of web surfing by managers ethical? (Is it legal?) Support your answer.
b. Is employee web surfing on the “sinful six” ethical? Support your answer.
c. Is the security manager’s submission of the list of abusers to management ethical? Why
or why not?
d. Is punishing the abusers ethical? Why or why not? If yes, then what types of punishment
e. What should the company do in order to rectify the situation?
2. Frank Abagnale Jr., the criminal played by Leonardo DiCaprio in the motion picture Catch Me If You
Can (2002), ended up in prison. However, when he left prison, he went to work as a consultant to
many companies on matters of fraud. Why do so many companies not report computer crimes?
Why do these companies hire the perpetrators (if caught) as consultants? Is this a good idea?
3. A critical problem is assessing how far a company is legally obligated to go in order to secure
personal data. Because there is no such thing as perfect security (i.e., there is always more
that you can do), resolving this question can significantly affect cost.
a. When are security measures that a company implements sufficient to comply with its
b. Is there any way for a company to know if its security measures are sufficient? Can you
devise a method for any organization to determine if its security measures are sufficient?
4. Assume that the daily probability of a tornado in Brampton is 0.07 percent. The chance of
your computer centre being damaged during such a tornado is five percent. If the centre is
damaged, the average estimated damage will be $4.0 million.
a. Calculate the expected loss in dollars.
b. An insurance agent is willing to insure your facility for an annual fee of $25,000. Analyze
the offer, and discuss whether to accept it.
5. A company receives 50,000 e-mail messages each year. Currently, the organization has no
firewalls. On the average, there are two successful hackings each year. Each successful hack-
ing results in loss to the company of about $150,000. A firewall is proposed at a cost of $75,000
and an annual maintenance fee of $6,000. The estimated useful life is three years. The chance
that an intruder will break through this firewall is 0.00002 percent. In such a case, there is a
30 percent chance that the damage will total $100,000, a 50 percent chance that the damage
will total $200,000, and a 20 percent chance that there will be no damage at all.
a. Should management buy this firewall?
b. A different firewall that is 99.9988 percent effective and that costs $90,000, with a useful
life of three years and an annual maintenance cost of $18,000, is available. Should the com-
pany purchase this firewall instead of the first one?
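Problems 4 and 5 are both instances of quantitative risk analysis: an annualized loss expectancy (ALE) is the annual rate of occurrence (ARO) times the single loss expectancy (SLE), and a control or an insurance policy is worth buying when its annual cost is below the loss it removes. The following is an added example written for this page, not part of the textbook; where a problem leaves a detail implicit (that the tornado figure is a per-day probability applied over 365 days, and that the firewall breakthrough chance applies to each incoming message), the reading taken is marked as an assumption in the comments.

```python
# Added example, not from the textbook: the quantitative risk analysis behind
# Problem-Solving Activities 4 and 5, using the standard annualized loss
# expectancy model (ALE = ARO x SLE). Where a problem leaves a detail
# implicit, the reading taken here is marked as an assumption.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


def ale(aro: float, sle: float) -> float:
    """Annualized loss expectancy: annual rate of occurrence times single loss expectancy."""
    return aro * sle


def expected_single_loss(outcomes: Sequence[Tuple[float, float]]) -> float:
    """SLE when the damage from one incident is itself uncertain.

    outcomes lists (probability, loss) pairs covering every case, so the
    probabilities must sum to 1; an incident that does no harm is a (p, 0) pair.
    """
    total = sum(p for p, _ in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"outcome probabilities sum to {total}, not 1")
    return sum(p * loss for p, loss in outcomes)


# Problem 4. Assumption: "0.07 percent" is a per-day probability applied to
# each of 365 days, so ARO = 365 x p(tornado) x p(damage | tornado).
def tornado_expected_annual_loss(daily_tornado_pct: float,
                                 p_damage_given_tornado: float,
                                 damage: float,
                                 days_per_year: int = 365) -> float:
    aro = days_per_year * (daily_tornado_pct / 100.0) * p_damage_given_tornado
    return ale(aro, damage)


def accept_insurance(expected_annual_loss: float, annual_premium: float) -> bool:
    """Risk transference is worth it when the premium is below the expected loss."""
    return annual_premium < expected_annual_loss


# Problem 5. A control is judged by its annualized cost plus the loss that
# still leaks through it, against the loss expected with no control at all.
@dataclass(frozen=True)
class Firewall:
    name: str
    purchase_cost: float
    useful_life_years: int
    annual_maintenance: float
    breakthrough_pct: float     # chance, in percent, that one message gets through

    @classmethod
    def from_effectiveness(cls, name, purchase_cost, useful_life_years,
                           annual_maintenance, effective_pct):
        # "99.9988 percent effective" means 0.0012 percent of messages get through
        return cls(name, purchase_cost, useful_life_years, annual_maintenance,
                   100.0 - effective_pct)

    def annualized_cost(self) -> float:
        # Straight-line amortization of the purchase price over its useful life
        return self.purchase_cost / self.useful_life_years + self.annual_maintenance


def residual_ale(fw: Firewall, messages_per_year: int, sle: float) -> float:
    # Assumption: the breakthrough chance applies to each message independently,
    # so the expected number of successful intrusions is messages x p(breakthrough).
    aro = messages_per_year * fw.breakthrough_pct / 100.0
    return ale(aro, sle)


def total_annual_cost(fw: Firewall, messages_per_year: int, sle: float) -> float:
    return fw.annualized_cost() + residual_ale(fw, messages_per_year, sle)


def choose_control(current_ale: float, options: Sequence[Firewall],
                   messages_per_year: int, sle: float) -> Optional[str]:
    """Name of the cheapest option, or None when doing nothing costs less."""
    best = min(options, key=lambda fw: total_annual_cost(fw, messages_per_year, sle))
    if total_annual_cost(best, messages_per_year, sle) >= current_ale:
        return None
    return best.name


if __name__ == "__main__":
    loss = tornado_expected_annual_loss(0.07, 0.05, 4_000_000)
    print(f"Problem 4: expected annual loss ${loss:,.0f}; "
          f"accept the $25,000 policy: {accept_insurance(loss, 25_000)}")

    current = ale(aro=2, sle=150_000)
    per_intrusion = expected_single_loss([(0.3, 100_000), (0.5, 200_000), (0.2, 0)])
    fw_a = Firewall("firewall A", 75_000, 3, 6_000, breakthrough_pct=0.00002)
    fw_b = Firewall.from_effectiveness("firewall B", 90_000, 3, 18_000, 99.9988)
    print(f"Problem 5: ALE with no firewall ${current:,.0f}")
    for fw in (fw_a, fw_b):
        print(f"  {fw.name}: ${total_annual_cost(fw, 50_000, per_intrusion):,.0f} per year")
    print(f"  buy: {choose_control(current, [fw_a, fw_b], 50_000, per_intrusion)}")
```

Under these assumptions Problem 4 gives an expected loss of about $51,100 a year against a $25,000 premium, so transferring the risk is the cheaper choice. In Problem 5 the first firewall costs about $32,300 a year all-in and the second about $126,000, against $300,000 with no firewall: once both are expressed in the same units, "99.9988 percent effective" is a 0.0012 percent breakthrough rate, sixty times the first firewall's 0.00002 percent. The model's weak point is equally visible: the breakthrough figure is a per-message point estimate, so the residual ALE scales with mail volume, and small errors in such estimates swing the answer more than the hardware prices do.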
6. Complete the computer ethics quiz at http://web.cs.bgsu.edu/maner/xxicee/html/welcome.htm.
1. Enter http://sbinfocanada.about.com/od/insurancelegalissues/a/identitytheft.htm. Find out what
the organization does. Learn about identity theft, e-mail scams, and website scams. Report
2. Visit www.junkbusters.com and learn how to prohibit unsolicited e-mail (spam). Check out
Canada’s working group on anti-spam for the Canadian legal environment related to spam
http://e-com.ic.gc.ca/epic/site/ecic-ceac.nsf/en/h_gv00246e.html. Describe how your privacy is
3. Visit www.csis-scrs.gc.ca/en/index.asp (Canadian Security Intelligence Service). Go to the
Integrated Threat Assessment Centre (www.csis-scrs.gc.ca/en/itac/itac.asp) and find out about
the partner organizations involved. Do a search on “computer security” and document the
type of reports you find.
4. Enter www.e-axis-inc.com and other vendors of biometrics. Find the devices they make that
can be used to control access into information systems. Prepare a list of products and major
capabilities of each.
5. Access the website at www.cpsr.org/issues/ethics/cei. The site offers the “Ten Commandments
of Computer Ethics.” Study these 10 and decide if any should be added.
6. Software piracy is a global problem. Access the following websites: www.bsa.org and
www.microsoft.com/piracy/. What can organizations do to mitigate this problem? Are some
organizations dealing with the problem better than others?
1. Access www.consumer.gov/sentinel/ to learn more about how law enforcement agencies around
the world work together to fight consumer fraud. Each team should obtain current statistics on
one of the top five consumer complaint categories and prepare a report. Are any categories
growing faster than others? Are any categories more prevalent in certain parts of the world?
2. Read http://breachalerts.trustedid.com/?p=47, Canadian Bank Loses Data on 470,000 Customers,
and do a search on “Talvest security breach.” What else did you find? Describe the reaction of
Canada’s Privacy Commissioner to the breach. What could CIBC have done to prevent the loss
of the Talvest Mutual Funds information?
Big Brother or Necessary Security Measures? Go to the Interactivities section on the WileyPLUS
website and access Chapter 3: Ethics, Privacy, and Information Security. There you will find
some animated, hands-on activities that help you make some decisions about ethical issues
like privacy and electronic tracking at a hospital, manufacturing plant, and office.
Information and Ethics at Club IT Go to the Club IT link on the WileyPLUS website. On the web-
site, you will find some assignments that will help you learn how to apply IT solutions to a business.
THE BUSINESS PROBLEM
Spending on Internet ads is growing faster than any other sector of the advertising industry and is projected to reach $29 billion in the U.S. alone by 2010. About half of these dollars are paid by the click. Google and Yahoo! are making billions of dollars once collected by traditional print and broadcast outlets, based on the assumption that clicks are a reliable, quantifiable measure of consumer interest.

MostChoice.com (www.mostchoice.com) offers consumers rate quotes and other information on insurance and mortgages. In 2006, the company paid Yahoo! and Google $2 million in advertising fees. The company is required to pay such fees only when prospective customers click on its ads.

Over the past three years, however, MostChoice has seen an increasing number of clicks coming from such places as Botswana, Mongolia, and Syria. This was strange, because MostChoice steers customers to insurance and mortgage brokers only in the United States. The validity of clicks on its ads is critically important to MostChoice, because the company pays up to $8 for each click.

The company is a victim of click fraud. Click fraud occurs in pay-per-click online advertising, when a person or automated computer program imitates a legitimate user clicking on an ad for the purpose of generating a fee per click without having any interest in the company of the advertisement. MostChoice estimates that click fraud has cost it more than $100,000 since 2003. The problem is magnified when large Internet companies (e.g., Yahoo! and Google) boost their profits by recycling ads to millions of other websites, ranging from the familiar, such as www.cnn.com, to dummy web addresses that display lists of ads and very little else. When someone clicks on these recycled ads, companies such as MostChoice are billed. Google or Yahoo! then share the revenue with a chain of website hosts and operators. About one penny trickles down to the actual people who click on the ads.

“Paid to read” rings pay hundreds of thousands of individuals for clicking on ads. One couple set up dummy websites filled with only recycled Google and Yahoo! advertisements. They paid others small amounts to visit the sites, where they would click on the ads.

In other cases, “clickbot” software generates ad hits automatically and anonymously. Clickbots use proxy, or anonymous, servers to disguise a computer’s Internet protocol address (discussed in Chapter 5), and they can space clicks minutes apart to make them less conspicuous. Some criminals are creating botnets with thousands of zombie computers, each with clickbot software clicking away on ads.

THE SOLUTION
Google and Yahoo! say they filter out most questionable clicks and either do not charge for them, or reimburse advertisers who have been incorrectly billed. The two companies maintain that they use sophisticated mathematical formulas and intelligence from advertisers to identify the vast majority of fake clicks. However, they will not release their specific methods, because criminals would exploit the information. Yahoo! in Canada offers a “continental opt-out,” so customers can prevent e-mails from particular continents from clicking on their sites.

MostChoice assigned an in-house programmer to design a system for analyzing every click on a company ad: the web page where the ad appeared, the clicker’s country, the length of the clicker’s visit to the MostChoice website, and whether the visitor became a customer. Using this data, the company continues to demand recompense from Google and Yahoo!, noting that they have received refunds from the two Internet giants totalling about $35,000 out of the $100,000 they say they are owed.

Mailworkz, a small company based in Halifax, Nova Scotia, has written commercial software called Eztrackz that can track the location clicks are coming from, and analyze these clicks to warn about potential click fraud. Dell Canada Corp. has its own proprietary software, called Landing Strip, that does the same thing for its own website.

THE RESULTS
The industry simply does not know exactly how widespread click fraud is. The practice is skewing statistics on the popularity of an ad, draining marketing budgets, and enriching the criminals behind it. Both Google and Yahoo! have been targeted by class-action lawsuits accusing the two companies of (1) a lack of transparency in methods used to detect click fraud and (2) conflict of interest in that both companies can profit from the click fraud that they are supposed to be filtering out.

If the click fraud problem is not fixed, then it will present a major obstacle to the further development of the Internet as an advertising medium. In fact, some analysts are questioning the value of Google and Yahoo! stock because they see click fraud as a tangible risk to the profits of the two firms.

Sources: Compiled from B. Helm, “Click Fraud Gets Smarter,” BusinessWeek Online, February 27, 2007; B. Helm, “How Do You Clock the Clicks?” BusinessWeek, March 13, 2006; B. Grow and B. Elgin, “Click Fraud,” BusinessWeek, October 2, 2006; M. Tutton, “Battling an Invisible Enemy,” Globe and Mail, May 9, 2007; D. Vise, “Clicking to Steal,” Washington Post, April 17.

QUESTIONS
1. How would Yahoo! and Google find people who are committing click fraud?
2. Is it a stretch to think that the value of Yahoo! and Google can be decreased as a result of undetected click fraud? Support your answer.
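The per-click data the case says MostChoice collects (the page where the ad appeared, the clicker’s country, how long the visitor stayed, whether they became a customer) and the clickbot behaviour it describes (clicks from one proxied address spaced at regular intervals, dummy pages that show nothing but ads) are enough to build a first-pass screen. The following is an added example written for this page; it is not code from MostChoice, from Mailworkz’s Eztrackz or from Dell’s Landing Strip, and the record layout, thresholds, referrer names and IP addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
# Added example, not code from MostChoice, Mailworkz or Dell: a click-fraud
# screen over per-click records of the kind the case says MostChoice collects.
# Record layout, thresholds, IP addresses (RFC 5737 documentation ranges) and
# referrer names are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List


@dataclass
class Click:
    ts: int             # epoch seconds when the click was billed
    ip: str             # source address as seen by the ad network
    country: str        # country the address geolocates to
    referrer: str       # page on which the ad was displayed
    dwell_s: int        # seconds the visitor then spent on the advertiser's site
    converted: bool     # requested a quote, i.e. became a customer
    cpc: float          # dollars billed to the advertiser for this click
    reasons: List[str] = field(default_factory=list)


SERVED_COUNTRIES = {"US"}      # assumption: MostChoice only places US brokers
MIN_DWELL_S = 5                # a bounce faster than this is not a prospect
MIN_CLICKS_FOR_CADENCE = 3     # need a few clicks before judging their timing
CADENCE_TOLERANCE = 0.10       # gaps within +/-10% of their mean look scripted
MIN_CLICKS_FOR_PUBLISHER = 4   # need a few clicks before judging a page


def screen(clicks: List[Click]) -> List[Click]:
    """Attach a list of reasons to every click; an empty list means it passed."""
    by_ip: Dict[str, List[Click]] = defaultdict(list)
    by_ref: Dict[str, List[Click]] = defaultdict(list)
    for c in clicks:
        c.reasons = []
        by_ip[c.ip].append(c)
        by_ref[c.referrer].append(c)
        if c.country not in SERVED_COUNTRIES:       # Botswana, Mongolia, Syria...
            c.reasons.append("outside served market")
        if c.dwell_s < MIN_DWELL_S and not c.converted:
            c.reasons.append("no engagement")
    # One source clicking on a timer: the evenly spaced clicks of a clickbot
    for group in by_ip.values():
        if len(group) < MIN_CLICKS_FOR_CADENCE:
            continue
        times = sorted(c.ts for c in group)
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and all(abs(g - m) <= CADENCE_TOLERANCE * m for g in gaps):
            for c in group:
                c.reasons.append("regular cadence from one source")
    # A publisher page whose visitors never stay and never buy: a dummy ad page
    for group in by_ref.values():
        if (len(group) >= MIN_CLICKS_FOR_PUBLISHER
                and not any(c.converted for c in group)
                and mean(c.dwell_s for c in group) < MIN_DWELL_S):
            for c in group:
                c.reasons.append("dummy publisher page")
    return clicks


def is_suspect(c: Click) -> bool:
    # A single signal misfires on real visitors (a traveller abroad, a quick
    # bounce). Geography alone is decisive for a one-country advertiser;
    # otherwise demand two independent signals.
    return "outside served market" in c.reasons or len(c.reasons) >= 2


def disputed_amount(clicks: List[Click]) -> float:
    """Dollars billed for the clicks this screen would dispute with the network."""
    return sum(c.cpc for c in clicks if is_suspect(c))


# Constructed sample: one real prospect, one honest bounce, one click from a
# country the advertiser does not serve, and a clickbot behind a single proxy
# firing every five minutes from a page that shows nothing but recycled ads.
SAMPLE = [
    Click(1000, "203.0.113.5", "US", "www.cnn.com", 240, True, 6.50),
    Click(1050, "203.0.113.9", "US", "www.cnn.com", 3, False, 6.50),
    Click(1100, "198.51.100.7", "BW", "ads-list.example", 1, False, 8.00),
    Click(2000, "192.0.2.10", "US", "ads-list.example", 0, False, 8.00),
    Click(2300, "192.0.2.10", "US", "ads-list.example", 1, False, 8.00),
    Click(2600, "192.0.2.10", "US", "ads-list.example", 0, False, 8.00),
]

if __name__ == "__main__":
    for c in screen(SAMPLE):
        flag = "DISPUTE" if is_suspect(c) else "ok"
        print(f"{c.ts} {c.ip:14} {c.country} {flag:7} {', '.join(c.reasons)}")
    print(f"disputed: ${disputed_amount(SAMPLE):.2f}")
```

On the sample the honest bounce carries one weak signal and is left alone, while the foreign click and the three timer-driven clicks from the dummy page are disputed, for $32 of billed clicks. Two caveats from the case apply to any such screen: a botnet spreads the same cadence over thousands of addresses, so the per-IP rule sees one click each and the publisher-level rule has to carry the load; and the advertiser only ever sees its own side of the click, which is why MostChoice still has to argue its refunds against filters Google and Yahoo! will not disclose.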