Legal, ethical, and professional issues in information security

1. Legal, Ethical, and Professional Issues in Information Security

LEGAL, ETHICAL, AND PROFESSIONAL
ISSUES IN INFORMATION SECURITY
ALIMZHAN SATYBAEV

2.

Outline
• Types of Law
• Relevant Laws ( Computer Crime, IP, Licensing, Privacy)
• International Laws and Legal Bodies
• Ethical Concepts in Information Security
• Codes of Ethics, Certifications, and Professional Organizations

3. Law and Ethics in Information Security

LAW AND ETHICS IN INFORMATION SECURITY
• Laws: rules that mandate or prohibit certain societal
behavior
• Ethics: define socially acceptable behavior
• Cultural mores: fixed moral attitudes or customs of a
particular group; ethics based on these
• Laws carry sanctions of a governing authority; ethics
do not

4. Ethical Issues

ETHICAL ISSUES
• Ethical
1. pertaining to or dealing with morals or the principles of morality;
pertaining to right and wrong in conduct.
2. in accordance with the rules or standards for right conduct or practice,
esp., the standards of a profession.
• Examples:
• Should companies collect and/or sell customer data?
• Should IT specialists monitor and report employee computer use?
4

5. Types of Law

TYPES
OF
LAW
• Civil law represents a wide variety of laws that are recorded in
volumes of legal “code
• Criminal law addresses violations harmful to society and is
actively enforced through prosecution by the state.
• Tort law allows individuals to seek recourse against others in the
event of personal, physical, or financial injury.
• Private law regulates the relationship between the individual and
the organization, and encompasses family law, commercial law,
and labor law.
• Public law regulates the structure and administration of
government agencies and their relationships with citizens,
employees, and other governments, providing careful checks and
balances. Examples of public law include criminal, administrative,
and constitutional law.

6. Computer Related Offences

COMPUTER RELATED OFFENCES
• To Pirate, Destroy or Alter computer source code
• Unauthorized Access in Computer Materials
• Damage to any Computer and Information System
• Publication of illegal materials in electronic form
• Confidentiality to Divulge (disclose)
• To commit computer fraud
• Punishment in an offence committed outside Nepal

7. Policy Versus Law

POLICY VERSUS LAW
• Most organizations develop and formalize a body of
expectations called policy
• Policies serve as organizational laws
• To be enforceable, policy must be distributed,
readily available, easily understood, and
acknowledged by employees

8. Ethics and Information Security “The Ten Commandments of Computer Ethics from The Computer Ethics Institute

ETHICS AND INFORMATION SECURITY
“THE TEN COMMANDMENTS OF COMPUTER ETHICS FROM
THE COMPUTER ETHICS INSTITUTE
• 1) Thou shalt not use a computer to harm other people: If it is
unethical to harm people by making a bomb, for example, it is
equally bad to write a program that handles the timing of the
bomb. Or, to put it more simply, if it is bad to steal and destroy
other people’s books and notebooks, it is equally bad to access
and destroy their files.
• 2) Thou shalt not interfere with other people's computer work:
Computer viruses are small programs that disrupt other people’s
computer work by destroying their files, taking huge amounts of
computer time or memory, or by simply displaying annoying
messages. Generating and consciously spreading computer viruses
is unethical.

9.

• 3) Thou shalt not snoop around in other people's
files: Reading other people’s e-mail messages is as
bad as opening and reading their letters: This is
invading their privacy. Obtaining other people’s nonpublic files should be judged the same way as
breaking into their rooms and stealing their documents.
Text documents on the Internet may be protected by
encryption.
• 4) Thou shalt not use a computer to steal: Using a
computer to break into the accounts of a company or a
bank and transferring money should be judged the
same way as robbery. It is illegal and there are strict
laws against it.

10. Ethical Differences Across Cultures

ETHICAL DIFFERENCES ACROSS CULTURES
• Cultural differences create difficulty in determining
what is and is not ethical
• Difficulties arise when one nationality’s ethical
behavior conflicts with ethics of another national
group

11. Deterrence to Unethical and Illegal Behavior

DETERRENCE TO UNETHICAL AND ILLEGAL
BEHAVIOR
• Deterrence: best method for preventing an illegal or unethical
activity; e.g., laws, policies, technical controls
• Laws and policies only deter if three conditions are present:
• Fear of penalty
• Probability of being caught
• Probability of penalty being administered

12. Codes of Ethics and Professional Organizations

CODES OF ETHICS AND PROFESSIONAL
ORGANIZATIONS
• Several professional organizations have established
codes of conduct/ethics
• Codes of ethics can have positive effect; unfortunately,
many employers do not encourage joining of these
professional organizations
• Responsibility of security professionals to act ethically
and according to policies of employer, professional
organization, and laws of society

13. Security Organizations

SECURITY ORGANIZATIONS
• Internet Society (ISOC): promotes development and
implementation of education, standards, policy and
education to promote the Internet
• Computer Security Division (CSD): division of
National Institute for Standards and Technology
(NIST); promotes industry best practices and is
important reference for information security
professionals

14. Summary

SUMMARY
• Laws: rules that mandate or prohibit certain behavior in
society; drawn from ethics
Ethics: define socially acceptable behaviors; based on cultural
mores (fixed moral attitudes or customs of a particular group)
Many organizations have codes of conduct and/or codes of
ethics
Organization increases liability if it refuses to take measures
known as due care
Due diligence requires that organization make valid effort to
protect others and continually maintain that effort

15. Types of Security Vulnerabilities

TYPES OF SECURITY VULNERABILITIES

16.

• Buffer overflow – This vulnerability occurs when data is
written beyond the limits of a buffer. Buffers are memory
areas allocated to an application. By changing data
beyond the boundaries of a buffer, the application
accesses memory allocated to other processes. This can
lead to a system crash, data compromise, or provide
escalation of privileges.

17.

• Non-validated input – Programs often work with data
input. This data coming into the program could have
malicious content, designed to force the program to
behave in an unintended way. Consider a program that
receives an image for processing. A malicious user could
craft an image file with invalid image dimensions. The
maliciously crafted dimensions could force the program to
allocate buffers of incorrect and unexpected sizes.

18.

Race conditions – This vulnerability is when the output of an
event depends on ordered or timed outputs. A race condition
becomes a source of vulnerability when the required ordered or
timed events do not occur in the correct order or proper timing.
Weaknesses in security practices – Systems and sensitive data
can be protected through techniques such as authentication,
authorization, and encryption. Developers should not attempt to
create their own security algorithms because it will likely
introduce vulnerabilities. It is strongly advised that developers
use security libraries that have already created, tested, and
verified.

19.

• Access-control problems – Access control is the process of
controlling who does what and ranges from managing
physical access to equipment to dictating who has access
to a resource, such as a file, and what they can do with it,
such as read or change the file. Many security
vulnerabilities are created by the improper use of access
controls.

20.

•Types Of Deception

21.

Dumpster Diving
это интересная атака, которая производит огромное количество
информации об организации, фирме, человеке или организации.
Вы можете многое узнать о человеке или компании из мусора,
который они выбрасывают. Также крайне удивительно, как много
личной и частной информации выбрасывается для тех, кто ее
находит.
Погружение в мусорный контейнер не ограничивается поиском в
мусоре очевидных сокровищ, таких как коды доступа или пароли,
записанные на липких заметках. Такая, казалось бы, невинная
информация, как список телефонов, календарь или
организационная схема, может быть использована для того, чтобы
помочь злоумышленнику, использующему методы социальной
инженерии, получить доступ к сети.

22.

Shoulder surfing
Плечевой серфинг-это самая низкая техническая атака,
но он предоставляет учетные данные для входа и пинкоды. Злоумышленник стоит за спиной жертвы и смотрит
через ее плечо, чтобы увидеть свой пин-код или пароль.
Этот тип атаки отлично работает с администраторами,
которые входят на компьютеры локально.
Злоумышленник, как правило, является инсайдером,
поскольку большинство экранов сотрудников обращены
в сторону от публичного просмотра (мы надеемся).
Понаблюдайте за людьми у банкомата: некоторые
используют свои тела, чтобы защитить клавиатуру, пока
они набирают свои ПИН-коды, в то время как другим на
самом деле все равно, кто смотрит..