Discussion
Wireless Convenience and Risk
What risks and safeguards are associated with wireless communication? What is "war driving" or "war flying"? Are you comfortable using (or would you use) a wireless "hot spot" to do computer work? What safeguards might you use when connecting to an unprotected (public) wireless network? Are you more at risk using a wireless connection via laptop or a connection via a smart phone?
Ethics
Computers, like any other tool, can be used for the best of purposes or manipulated to accomplish outcomes that are dangerous or illegal. There are well-established standards or guidelines that define the appropriate use of information technology (IT) and all the associated systems that support this technology—computers, networks, and so on. These guidelines form the basis of IT ethics.
Codes of Conduct: The Particular to the General
We will begin our study of ethics in the information technology setting by looking first at those issues that more immediately affect the employee in the document that describes use of the organization's IT resources: primarily computers and access to the internet. Subsequently, we will investigate the policies and guidelines that define the employee's expected behaviors related to more than just IT use—the employee code of conduct. Finally, we will look at the standards that outline the employee's relationship to the larger world outside the immediate organization.
User Access Agreements
Organizations expect employees to act ethically in all situations related to workplace behavior and use of the employer's resources. To act ethically means to make sound decisions about what is right and wrong and to act accordingly. Every time employees log onto their computers and click to accept the user access agreement, they agree to abide by the rules specified by the user access agreement.
Unauthorized "Surfing"
Rajiv is a new intern in the purchasing department at ABC Corporation. He completed orientation and systems training during the first week at work and is now eager to start working. Every morning Rajiv's manager promises to meet and give him assignments, but his manager just can't seem to fit Rajiv's training time into his schedule. Day after day, Rajiv comes to work, logs into his computer, clicks "I accept" on the user access agreement, then opens his company-provided email account and the internet browser installed on his work computer.
Rajiv has internet access at work for conducting company business by email and for ordering supplies and services. Since Rajiv doesn't have any work to do, he rationalizes that a little surfing on the computer wouldn't hurt anything, and it would keep him from getting so bored every day. The following week Rajiv's manager asks to speak with him privately. He tells Rajiv that he's been fired for surfing the internet, which violates the company's user access agreement. Each time Rajiv clicked "I accept" on the user access agreement, he agreed to abide by the company's policy.
The user access agreement consists of rules outlining the activities that are acceptable and those that are not when using the employer's computers, network, e-mail system, website, databases, and any other forms of IT-related resources. This agreement is often called an acceptable use policy. What type of language might such an agreement contain?
Acceptable Use Policy (adapted from UMUC, 2018):
1. Employees should use only the computer systems, network accounts, and computer applications and files that they are authorized to use.
2. Employees may not use another employee's network account or attempt to steal or ascertain another employee's password.
3. Employees are responsible for all computer resources assigned to them, including both hardware and software, and shall not enable or assist unauthorized users to gain access to the company's network by using a computer.
4. Employees must not share their passwords with other employees or nonemployees and must take all reasonable steps to protect their passwords and secure their computer systems against unauthorized use.
5. Employees may not attempt to gain access to protected/restricted portions of the company's network or operating system, including security software and administrative applications, without authorization.
6. Employees must not use the company's computer resources to deploy programs, software, processes, or automated transaction-based commands that are intended to disrupt other computer or network users or damage software or hardware components of a system.
7. Employees are responsible for promptly reporting any theft, loss, or unauthorized access of the company's network system, or illegal disclosure of any proprietary information.
Though the list here is brief, a well-written user access agreement will contain a longer and more exact list of acceptable and unacceptable behaviors related to use of the company's computers and IT resources. Effective user access agreements will also contain examples of what is considered acceptable and unacceptable use, along with the sanctions or penalties for misusing the company's resources. Generally, you will find specific sections that deal with security, online etiquette, and valid use or misuse of the organization's resources.
Note: If you conduct additional research on the topics here, you may find differences in how the components or documents are labeled: agreements, policies, guidelines, standards.
An example of a modifiable template for a complete user access agreement (more commonly called an acceptable use policy) is provided by the SANS Institute (2014).
Rajiv's mistake was that he violated the user access agreement by surfing on the internet when he didn't have any work to do. Clicking "I accept" on the user access agreement is necessary to gain computer access. It is of paramount importance to know and comply with the terms of the agreement to maintain your computer access.
You might argue that Rajiv was never warned that his actions were violating the user access agreement, or that his supervisor was at fault for not finding the time to complete Rajiv's training. The scenario is lacking several critical details as to why this action was taken. The language of the user access agreement must be specific as to the actions to be taken when a violation occurs. For example, Rajiv's employment termination might have been a result of a sanction such as this: "Failure to observe these policies will result in immediate disciplinary action or termination at the discretion of the offending party's supervisor or department head."
Rajiv had completed orientation and system training, and it is assumed that he knew the contents of the user access agreement. And when Rajiv clicked on the "accept" button when logging onto the internet, he was acknowledging that he understood the actions allowed and prohibited by the user access agreement.
The Employee Code of Conduct
Expected Behaviors in an Organization
Compliance with the user access agreement is one of an employee's expected behaviors within the organization. A user access agreement is typically part of a larger document that outlines both the mission of the organization and the organization's approach to employee behavior on the worksite. This document, often called the "employee code of conduct," contains the following (New South Wales Government, Industrial Relations, n.d.):
· policies that outline the principles and practices that enable an organization to meet its stated mission or purpose
· the steps the organization will take in dealing with operational activities and how to respond to requirements to comply with federal and state legislation and regulations
· procedures that explain how to perform tasks and duties, who is responsible for what tasks, and how the duties are to be accomplished
· guidelines listing appropriate behaviors (and sanctions for violation of these behaviors) related to a range of topics: harassment, safety, workplace attendance, drug and alcohol use in the workplace, religious exercise, and computer use, for example
So the user access agreement previously discussed would be a specific example of a set of guidelines that might be found in such a document.
These policies, steps, procedures and guidelines define the "what and when" for running the organization and also define the organization's expectations of all employees collectively. The "what and when" in the organization means what needs to be done and when it needs to be finished.
What's the Difference Between Policies and Guidelines?
In an organization, employees are responsible for complying with both policies and guidelines. Both are binding and are enforced, and both concern the organization's operation. The major differences between the two have to do with the authoring body and specificity. Policies tend to be larger, relatively static documents authored and approved by an organization's governing body, most often its board of directors. Policies are intended to be useful and applicable over time. To that end, they are normally written with some degree of flexibility so that they can be adapted to changing circumstances. Specific penalties and expectations are not usually included in a policy.
Guidelines are based on policy, but they tend to focus on a specific series of steps in the functional area. Guidelines are normally approved and changed by the department or division most affected by them. This approach puts authority in the hands of knowledgeable staff. Because fewer individuals are involved in the drafting and approval process, guidelines can be changed and adapted more quickly than policies. Guidelines are typically much more explicit than policies in defining what's allowed and specifying the penalties for particular violations.
For example, an organization's policy may state that everyone needs to have a user ID and password to access a desktop computer. The organization's guidelines may state that the password must contain eight characters with at least two numeric digits and two uppercase letters.
As a general rule, an employer expects you to behave as a responsible, mature, and ethical person. In day-to-day terms, this means being respectful of your coworkers and of the organization's resources. Be aware that your use of the organization's resources can have an effect on others' use of them. Broadly, it's expected that you will:
· maintain the security and confidentiality of your user ID and password
· take care of any property assigned to you
· use your knowledge of organizational information in a responsible way
· use the organization's supplies and services for official purposes only
· be respectful of others' property and privacy rights
As it relates specifically to use of computer resources, the code of conduct outlines the employer's expectation that computers, email, and the internet will be used primarily to conduct the company's business.
Professional Associations and Codes of Conduct
Codes of Conduct
We've covered the user access agreement and learned about an organization's policies and guidelines as applicable to the employee code of conduct within an organization. Another way to look at what we've covered is that we first described the expected, ethical behavior of the individual as outlined in the user access agreement. Next, we learned that policies and guidelines define the "what and when" for running the organization and also define the organization's expectations of all employees collectively (as found in an employee code of conduct).
Now, we take one step further in our discussion to describe general standards applicable to and the behaviors that are expected of individuals who belong to professional associations or who have obtained certifications in a particular field of expertise. How do these codes of conduct differ from those written for a particular company, business, or institution?
Many professional careers are not regulated by any external bodies such as federal and state governments. Unlike doctors or accountants, for example, IT professionals do not have specific regulations that govern their behavior, outside of established laws regarding any type of illegal activity. Thus, professional organizations like those supporting IT professionals develop a code of ethics, which is intended to guide and govern the behaviors of its members. This, in one sense, is an attempt at self-regulation and ensuring that the members demonstrate behaviors that reflect positively on the organization and that profession as a whole.
When you look at the codes of ethics for groups such as the Association for Computing Machinery or the SANS Institute, you will find many of the same topics addressed as those found within any single organization's employee code of conduct—being respectful of others' property and privacy rights, using resources only when authorized to do so, using knowledge of organizational information in a responsible way, and the like. The basic elements of the code of ethics in professional associations revolve around members conducting themselves "honorably, responsibly, ethically, and lawfully so as to enhance the honor, reputation, and usefulness of the profession" (NSPE, 2007).
These professional associations provide a collective voice for members who are focused on a particular field of expertise. The associations attempt to promote professional ethical standards among their members. But the code of ethical conduct for a professional association is written with less specificity than an employee code of conduct. The contents are presented as standards of behavior and do not include the details of "who, what, and when" that are found in an employee code of conduct. In a code of ethical conduct for a professional organization, you might find phrases such as:
· "I shall perform with honesty and integrity in all my professional relationships."
· "I shall not use my knowledge and experience in the field to take advantage of others, thereby achieving personal gain."
· "I shall be willing to share my knowledge and expertise with others and always act in such a way that reflects favorably on my profession."
Of course, these same standards of behavior are part of any employee code of conduct, but in that setting, there are generally specific policies and guidelines to be followed in support of these standards. If we look at one item in all three documents (the ethical code of conduct for a professional association, the employee code of conduct, and the user access agreement), the same topic might be addressed in the following ways:
Ethical Code of Conduct for a Professional Association | Employee Code of Conduct | User Access Agreement
"I shall protect the privacy and confidentiality of all information entrusted to me." | "The employee will maintain the security and confidentiality of his/her user ID and password." | "The user ID and password are to be used only by the authorized owner of the account and only for the authorized purpose specified by the owner's job description."
An IT professional with a network engineering certification, faculty members in a university with membership in the Middle States Association of Colleges and Schools, or a union plumber working on a construction site are a few examples of individuals who, by virtue of their membership in a particular professional association, have subscribed to the code of ethical conduct for that organization. Professional certifications and memberships convey an assurance that the individual with the certification or membership has agreed to abide by the established code of conduct.
One reason organizations hire certified professionals is to establish themselves as organizations with competent and ethical professional employees. The rapidly changing nature of technology makes a general standards approach very practical—it's much easier for organizations to rely on the credentials established by the certifying professional organizations and boards than to hire employees without knowing their level of expertise or their ethical and moral standing. An organization with a highly ethical and competent staff distinguishes itself because the general standards of competency have a high level of credibility in the workplace.
Standards and Behavior
Jenna is a network engineer and holds a Microsoft Certified Solutions Expert (MCSE) certification. This certification attests to Jenna's ability to design and implement computer network systems. Chad holds several Certified Information Systems Security Professional (CISSP) credentials. These credentials signify that Chad has the experience to handle all issues related to information systems in business environments, particularly those that relate to security of the systems. To obtain these professional certifications and credentials, Jenna and Chad had to agree to act in accordance with high moral and ethical standards in all activities related to that profession. They also had to pass examinations to prove that they had the appropriate subject knowledge. Therefore, a professional certification attests not only to Jenna's and Chad's subject knowledge, but also to their high ethical standards and behavior in their professional lives.
IT Ethical Issues
Software Piracy
Legal to Lend?
Jeff is upgrading his computer and has an old version of a document creation/editing program. He asks to borrow your installation CDs for the newer version of the same software application to load onto his machine until he has a chance to purchase his own copy. You give him the CDs, and he loads the program on his machine. But when he attempts to open the program, he gets notification that he needs to register the application. He uses the activation code that is still attached to the back of the set of CDs you lent him. Eventually, Jeff purchases his own copy of the software and loads it on his machine.
Even though you have purchased a legitimate copy of this software for your use, lending it to another person, even for a short time, is a violation of the license agreement you agreed to when you installed the software on your machine. You are not allowed to lend (or borrow) software, and doing so is a violation of copyright law. In general, US copyright law makes it illegal to distribute or reproduce copyrighted work without the consent of the copyright holder. These laws have a long history in the United States, and they are rooted in the idea that strong intellectual property rights encourage invention and creativity.
It can be difficult to understand that software piracy is theft because the thief isn't taking anything physically, and because retail merchants are not present when the theft occurs. It may seem strange that you can purchase something legally (like an iTunes song or an e-book), and its use will become illegal if you load it more than the allowed number of times. On the other hand, if you purchased a hardcover or paperback book, a music CD, or a movie on a DVD, you can lend that item to as many people as you wish (as long as they do not make copies).
Piracy, a type of software theft, occurs when software is illegally copied, registered, activated, released, or sold. Software includes data files, music files, videos, pictures, game files, e-books, computer applications, and operating system programs.
Software owners register or copyright their work to protect it. Software owners specify the method and terms by which the software is distributed or shared with users. So if you purchase a song from the iTunes store, you can load it or sync it with as many Apple devices as you own and up to five computers that you own, but you cannot legally sync or load songs from someone else's computer or Apple device to yours. To do so would constitute an infringement of the copyright on the song and transfer process claimed by Apple. Or you can purchase an e-book and download it to your computer and then transfer it to one or more electronic readers that you own—but you cannot transfer the book legally to someone else's electronic reader.
The victims of piracy are software manufacturers, writers, programmers, and owners of the software. Ultimately, legitimate customers who purchase software are victims of piracy as well, because the purchase price of software must increase in order to cover the losses incurred by theft.
What Is Copyright and Does It Really Apply to Digital Media?
What Is Copyright?
Copyright refers to a series of rights that are granted to the author of an original work. These rights focus on the reproduction and distribution of the work—specifically, "the right to control copying." Copyright owners are essentially given two specific entitlements: the right to exploit their own copyrighted work, and the right to stop others from doing so.
In the United States, copyright is automatically granted to the creator of a work. Copyright protection remains in effect for the life of the author plus an additional 70 years. Although individuals and companies concerned about protecting their copyright will often place an explicit copyright notice on the work (e.g., "© 2010, all rights reserved"), this notice is not required for the work to qualify for copyright protection.
What Can Be Copyrighted?
US law specifies eight general types of works that are copyrighted. These works are specified below:
· literary works
· musical works
· dramatic works
· pantomimes and choreographic works
· pictorial, graphic, and sculptural works, including fabric designs
· motion pictures and other audiovisual works
· sound recordings
· architectural works
These include CDs, DVDs, video games, software, songs, poems, movies, plays, books, databases, label designs, photographs, and websites.
What Cannot Be Copyrighted?
According to the US Copyright Office, "Copyright does not protect facts, ideas, systems, or methods of operation, although it may protect the way these things are expressed."
It's important to point out that as a university student, you are likely going to be creating original work throughout your academic career. Copyright law applies to you not just as a consumer, but also as a creator of original work. In that capacity, copyright can protect the work you own from being used without your permission. Do you think asserting your rights under copyright law in your student work is never worth the time and effort? Consider these cases:
· Student Sues Professors Over Intellectual Theft
What's Special About Digital Media?
Given that copyright law has more than 300 years of history behind it, why has this issue suddenly become so contentious and prominent in the news? Has copyright law always been as problematic as it is today? For most of its history, the topic of copyright has been reasonably established and settled. It's only recently that the topic has become so newsworthy. Much of this attention is the result of changes in technology that make reproduction and distribution much easier. Think of how much easier it is to distribute a document digitally than in paper form, or to send friends a digital image compared to mailing a printed photograph.
Current concerns over copyright have their roots in the 1970s, when Sony popularized videocassette recorders (VCRs). Until then, reproducing and distributing most forms of copyrighted work required expensive equipment. The expense of reproduction generally protected copyright holders from easy reproduction of their work. The widespread consumer adoption of the VCR suddenly made reasonably high-quality reproduction of copyrighted works easy and inexpensive. Concerned movie studios filed lawsuits against Sony, culminating in a Supreme Court case that protected the use of potentially copyright-infringing technology when the technology in question had other (noninfringing) uses.
Since that case, technology has continued to lower the cost and burden of reproducing copyrighted work, most particularly media files—text, images, and audio and video recordings. Similarly, advances in telecommunications have reduced the cost of distributing such files. Much of the current controversy stems from the combination of personal computers and the internet. Together, these technologies make reproducing and distributing copyrighted work exceptionally inexpensive. These technologies had enough potential to affect copyrighted works that laws were put in place in the United States specifically to address the issue.
The Digital Millennium Copyright Act (DMCA) of 1998
As advances in technology made copyright infringement easier and less expensive, major copyright owners sought additional protections to make such infringements easier to penalize. At the same time, because the internet plays such a prominent role in this potential infringement, both internet service providers (ISPs) and online service providers (OSPs, those that host websites on the internet) sought limits on their own liability if their networks and systems were used as a conduit to infringe on copyright.
Congress was concerned that without limiting the liability of online service providers, the efficiency and growth of the internet as an important technology would be stifled. The Digital Millennium Copyright Act (DMCA) was the legislative product of this controversy. The law specifically sets out expectations and safe harbors for ISPs. Under the DMCA, ISPs are encouraged to provide and improve online services such as network access (thereby allowing their users to transfer files), but if illegal activity is detected, the ISP is obligated to ensure that these illegal transfers or publications of copyrighted materials do not continue.
So does the DMCA protect the copyright holder or just set the liability limits for OSPs and ISPs? If you find that digital material for which you hold the copyright is appearing on a site owned/managed by an online service provider (OSP) such as Facebook, Twitter, YouTube, etc., you have the right to demand that the OSP remove the material. This is called a "takedown notice," and when an OSP receives such a notice, it is required to remove or disable access to the accused material to avoid being held liable. This portion of the DMCA "gives individual authors more power to protect their rights. At the same time, the DMCA takedown mechanism has certain safeguards in place to protect the rights of those who have a right to publish material that is not infringing" (Liu, 2013).
Under the DMCA, copyrighted works are given specific protections that prohibit the circumvention of technological measures that control access to and prevent unauthorized duplication of copyrighted works. The law also increased penalties for copyright violations.
The DMCA goes beyond penalizing those for reproducing copyrighted software. Under the law, it is illegal to bypass any protection the software manufacturer built into the software. Developing, selling, and owning the tools to carry out the bypass are also illegal under the law.
Prosecutions for copyright infringement and related news coverage of the issues of copyright protection and enforcement have increased dramatically in the past decade. These increases reflect the importance of this issue and the hard line contemporary copyright owners take on copyright violations.
It may seem remote that you'd be caught violating the DMCA because your actions would be on such a small scale. Consider that if you are caught violating these laws, you can be liable for civil penalties of up to $150,000 per violation. You could also face criminal prosecution, with fines and penalties. Is the risk of getting a criminal record and paying a hefty fine worth the reward of having pirated software?
A Specific Issue Related to Software Piracy: File Sharing
File sharing is the process of transferring files across a network (often the internet). Although any type of file can be shared, most file sharing revolves around media files: music, movies, and video games. Many different applications can be used to share files, including FTP, Internet Relay Chat (IRC), operating system sharing capabilities, web pages, and peer-to-peer (P2P) applications.
Any type of file sharing that infringes on copyright is illegal, but most media and legal attention is focused on the use of P2P applications. Although there are legal uses for P2P technology, these applications are especially popular for exchanging files illegally. This popularity stems from their efficiency—many popular P2P applications offer a fast way to download and upload information—and also from a perception of anonymity. Because users are sending or receiving files with other users (peers), many users mistakenly believe that their identities can't be tracked. In reality, computers that use P2P applications to upload or download files can be identified by their IP addresses.
Given all of the risks and possible repercussions, why would anyone ever use P2P to share digital files? Are there any legitimate uses for the technology? In fact, there are. File-sharing applications can be an efficient and effective way to share information. As a mechanism for sharing content that you've created yourself—whether informational, multimedia, or software—P2P applications represent a legal and effective approach.
This same technology can be a useful way to gain access to material that is not copyrighted, or that has licensing such that it's legal to share it. Sometimes it seems as though P2P file sharing is mentioned solely in conjunction with downloading movies and music illegally, but these applications have plenty of legal uses. P2P programs provide an efficient method for obtaining files that are in the public domain or are licensed to allow electronic distribution. If you choose to use file-sharing technologies, the onus is on you to make sure that you are doing so legally and safely.
Social Networking Issues
The Benefits of Social Networking
Social networking is ongoing communication between people, and in that form has existed ever since humans joined together in communities. However, now the term has taken on a particular meaning since it more often refers to groups that communicate on the internet. The reasons for joining these online groups are varied and include sharing of interests, photos, videos, stories, affiliations, and product and service reviews. Such sites are also used as a forum for professional contacts with the purpose of exchanging work-related information, posting jobs, or posting resumes from those seeking jobs. Another use, made possible by the large number of public databases that store information about individuals, is searching for information about persons, including police records, tax records, and other details.
One of the positive outcomes of this new form of social networking is the ability to contact and come to know people from any part of the world, exposing the participant to countries, cultures, languages, and customs that might never be made available in the individual's local community. Some of the most popular networking sites are Facebook, Instagram, Twitter, Flickr, LinkedIn, YouTube, Pinterest, and Meetup. Participation in any of these can lead to an expanded list of friends and a sense of belonging to a community. It can provide a source of information to help with a problem. It gives you a voice for your opinions and a place to connect with people who like the same things.
The Dangers of Social Networking
While conventional social networking follows accepted normal behavior, there are unethical and even criminal uses made of the information that is available on social networking sites. An individual can become the victim of data theft or unwittingly download a virus. One of the more significant dangers involves online predators or those who claim to be someone they are not. We will take a look at two such dangers—cyberbullying and cyberstalking.
Cyberbullying
Cyberbullying is defined as actions that use information and communication technologies—the internet, web pages, discussion groups, instant messaging, or text messaging—to support deliberate, repeated, and hostile behavior by an individual or group that is intended to harm another or others. These communications seek to intimidate, control, manipulate, put down, falsely discredit, or humiliate the recipient ("Cyberbullying," 2016).
Although we most often hear about this negative use of social networking among minors, resulting in disastrous actions such as school shootings, suicides, or even murders, adults can be victims of cyberbullying as well. Cyberbullying offers the bully the advantage of anonymity. The bully or bullies do not face the victim but communicate from untraceable cell numbers, fake email accounts, or fake online IDs at popular social networking sites. The online actions can include such content as sexual remarks, hate speech, false accusations, gossip or rumors, online ridicule, or threats of harm or death. Victims often suffer in silence rather than face being ostracized by their peers.
Cyberstalking
Cyberstalking, also called cyberharassment, is a pattern of behavior that involves repeated, continuous, unwanted communication directed at an adult. It is the adult version of cyberbullying. In the workplace, it can take place via company websites, blogs, or product reviews. It can escalate to criminal behavior if the stalker's behavior is threatening or invades the privacy of the victim.
This cyberharassment or stalking results from many of the same factors that give rise to cyberbullying: professional or sexual obsession, perceived failure with life or job, wanting to make others feel inferior, a delusional belief that he/she "knows" the target, and the assumption of anonymity. In the workplace, the cyberstalker may also be motivated for economic reasons—perhaps the victim is an affiliate or a competitor ("Cyberbullying," 2016). Under the US federal cyberstalking law, anyone who uses electronic means to repeatedly harass or threaten someone online can be prosecuted.
Whether it is called cyberbullying or cyberstalking, there are several key identifiers for this type of behavior:
· The perpetrator seeks to damage the reputation of the victim by posting false information about the victim on websites.
· He or she may gather personal information about the victim through the victim's friends, family, and/or coworkers.
· A technically savvy stalker may attempt to trace the victim's IP address to gather more information about the victim's online presence.
· Sometimes cyberstalkers involve others; they may even claim that the victim is harassing them to encourage others to join in the harassment of the victim.
· The cyberstalker may try to damage the victim's computer by sending viruses.
· Purchases or magazine subscriptions (often involving pornography) may be made in the victim's name.
Perhaps one of the greatest dangers involves an invitation to a meeting between the victim and the cyberstalker ("Cyberstalking," 2016).
There are some elementary steps you can take to keep yourself and the information about you safe. Think about these:
· Look at your postings through the eyes of employers or potential employers. Do not post anything that might be embarrassing in your current or potential employment situations.
· Never post private information (phone numbers, addresses). These details can be used to track you down, possibly by someone who wishes to exploit your identification.
· Control who has access to your postings by adjusting privacy settings.
· Use strong passwords and change them regularly.
· Check to see how visible your name or identity is by "Googling" your name.
References
Cyberbullying. (2016). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cyberbullying
Cyberstalking. (2016). In Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Cyberstalking
Liu, K. (2013, March 6). The DMCA takedown notice demystified [Blog post]. Retrieved from http://www.sfwa.org/2013/03/the-dmca-takedown-notice-demystified/
National Society of Professional Engineers (NSPE). (2007, July). Code of ethics. Retrieved from http://www.nspe.org/resources/ethics/code-ethics
New South Wales Government, Industrial Relations (n.d.). Workplace policies and procedures. Retrieved from http://www.industrialrelations.nsw.gov.au/oirwww/Employment_info/Managing_employees/Workplace_policies_and_procedures.page
SANS Institute Consensus Policy Resource Community. (2014). Acceptable use policy. Retrieved from https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy
University of Maryland University College. (2018). Acceptable use of technology policy. Used under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license.
Privacy
Introduction to Privacy
You might say that your entire life is stored somewhere online—in medical records, tax records, driver's license records, credit reports, and so on. Because so many of the records that contain identifying information about you are stored on computers, it is important that the places where these records are kept are readily accessible but still secure from unauthorized users. You have a role as well in keeping your own information secure. In this module, we will look at what constitutes personally identifiable information (PII) and the steps to ensure it is accessed only by those who have a need to see it.
Consequences of Identity Theft
A Host of Emails
Maya's friends and family started asking her about the barrage of emails she was sending to everyone. The subject lines in the e-mails were blank, and the messages contained only links to unknown websites.
Maya checked her sent messages and found that numerous messages had been sent to her friends and family from her account without her knowledge. She started to think something was wrong. She didn't know what to do.
Later that day, Maya was checking Facebook and noticed that a message had been sent to all her friends on Facebook with a link to a video she had never seen before. "What is going on?" she wondered.
Finally, she got a call from her friend Alvin, who told her that he had received one of the suspicious emails, and he recognized it as a malware infection.
Many people find themselves in situations similar to Maya's. This scenario addresses some of the threats and consequences encountered in the online environment. They parallel the threats and consequences of everyday life. We all know there are bad people in the world. We learn at a young age not to take candy from strangers, not to let a stranger in the door, and not to leave valuables unattended. We lock our doors, park in well-lit areas, and avoid seedy neighborhoods at night. We learn how to be safe and avoid the threats in the world. The same goes for the online world.
Personally Identifiable Information
So, what are the threats you might encounter in the online world? Theft, particularly of your personally identifiable information (PII), tops the list of information data thieves are after. PII is any piece of information that can potentially be used to uniquely identify, contact, or locate a particular person. PII includes your full name, or first initial with your last name, linked to your social security, bank account, credit card, or driver's license number. PII is generally kept private and is often used for financial, medical, or research identification.
Personally Identifiable Information (PII)
Source: Janet Zimmer.
With this kind of information, malicious individuals and intruders can commit identity theft. Identity theft occurs when someone uses another person's PII to take on that person's identity in order to commit fraud or other crimes. Imagine the inconvenience of having to close your bank account and open a new one, or trying to convince your credit card company that you are not responsible for certain charges.
Your online user ID and password are at the top of the list of information that malicious people are after. You probably have multiple user IDs and passwords for websites you visit, various online accounts, and your email account. User IDs and passwords can provide access to additional PII or other information you would like to keep confidential. For example, you may have stored personal information in your email account profile, privacy settings, and security settings. If someone gets access to your e-mail ID and password, he or she may gain access to additional PII. Also, users sometimes include their calendars or vacation plans in email or online postings, which can make those users potential targets for home robberies.
Other than trying to access your account and personal information, malicious individuals may also be interested in compromising your computer and other connected resources, such as an iPad, smartphone, or Xbox. What do intruders do when they compromise these resources? They send spam, launch attacks on others, store files, advertise services, capture keystrokes, snoop for additional targets of value, and generally exploit whatever is available or profitable.
Why Would Someone Want to Trick You into Providing PII?
An attacker may be trying to steal your personal information for financial gain. For example, an attacker could use your bank account number, or the username and password for your online banking site, to withdraw money from your account.
Stolen PII can also be used to obtain and create personal documents, for example using a birth certificate to obtain a driver's license, and then using those documents to get a fake passport. An attacker might steal your social security number to open a credit card in your name. For this and other reasons, it is recommended that you provide only the last four digits of your social security number to verify your identity.
Social Engineering
The "Lost" USB Drive
On the floor of a hallway in her office building, Mary finds a USB drive, also called a USB flash drive. Thinking that it must belong to one of her coworkers, she plugs the USB drive into her computer so that she can look at what is stored on it and attempt to find its owner. Two days later, Mary's computer is suspended from the network due to a malware infection. A malicious person had left the USB drive on the floor, hoping to lure someone into launching the malware that was set up to run automatically when the USB drive was plugged into a computer.
Social engineering is a technique whereby a malicious person uses deception to gain your trust and to trick you into providing information you would not freely give. Social engineering is usually associated with identity theft.
Trying to Help
For instance, if a stranger calls your cell phone to ask for your company ID and password, you would likely refuse to provide the information and hang up. But when the same person calls you and introduces himself as a staff member from the help desk, you might not hesitate to provide any information the caller is asking for, even your personally identifiable information.
Types of Social Engineering
Social engineering by e-mail. You may receive an email explaining that your Yahoo account is about to be disconnected. In order to prevent this from happening, you are prompted to provide personal information such as your user ID, password, and full name. If you respond to this phishing email with the requested information, you will have given a hacker access to your email and to PII located within your account.
Social engineering by phone. Pretending to be someone in a position of authority at a phone company or bank, a hacker calls to persuade the user to provide sensitive information.
Social engineering by dumpster diving. Also known as trashing, a hacker searches for sensitive information such as bank statements, preapproved credit cards, and student loan paperwork in the garbage. To prevent becoming a victim of dumpster diving, it is wise to shred documents with sensitive information.
Online social engineering. Hackers often try to trick users into providing sensitive information via e-mail, instant messaging, chat rooms, social networking sites, and the like. For instance, a hacker will send a fraudulent email claiming to be a banking institution, credit card company, or department store. The hacker requests that the user verify his or her user name, password, and user ID, either by responding to the email or by clicking on a link that directs the user to a legitimate-looking, but fake, website.
Reverse social engineering. A hacker poses as a technical aide to fix a computer problem that he or she actually created, or that doesn't exist at all. The user contacts this aide and is then prompted to give sensitive information to the aide in order to fix the problem. The user provides the required information and the problem seems to be solved.
Social engineering with USB drives. Hackers can also use USB drives to gain access to sensitive information kept on a computer or network. Hackers may infect one or more USB drives with a virus or Trojan horse that, when run, will provide hackers with access to log-ins, passwords, and information on a user's computer. The hacker may then leave the infected USB drive unattended on the floor, in or next to a computer in an open lab, in hallways, in restrooms, or in any other area with a relatively high volume of traffic. A user who finds the USB drive may plug in the device in order to locate its owner, thus allowing the virus or Trojan horse to infect the computer. The hacker is then able to get PII from the infected computer and proceeds to victimize the user of that machine.
Note that social engineering, as illustrated in these examples, does not rely on technical prowess, but rather on tricking other people into deviating from normal security procedures. Being aware of some of the commonly used social engineering schemes should make you more alert and help you avoid becoming a victim.
Phishing
The most common online social engineering method is "phishing," when an attacker goes "fishing" for personal information, such as a user account name and password, a credit card number, a social security number, or some other piece of information that is considered valuable. Typically, an attacker lures victims into providing this information using fraudulent emails or websites as bait.
In this section, you will be introduced to the most common methods of phishing, some key indicators that can help you recognize phishing attempts, and strategies to protect yourself from falling victim to a phishing attack.
In a study conducted at Carnegie Mellon University in 2009, researchers found that across university departments, years of study, and gender, students aged 18 to 25 were consistently more vulnerable to phishing attacks than older participants. A complete presentation of the study results can be found at http://www.cs.cmu.edu/~jasonh/publications/soups2009-school-of-phish-final.pdf
Here is a summary of the study (Blair, Cranor, & Kumaraguru, 2009):
Some Study Findings
· In 2005, it was estimated that 73 million US adults received more than 50 phishing emails each.
· 2007 statistics estimate that 3.6 million adults lost $3.2 billion in phishing attacks.
· Financial institutions, corporations, and military communities are also victims.
Why Phishing Works
· Phishers take advantage of internet users' trust in legitimate organizations.
· Internet users may lack computer and security knowledge.
· Not all internet users use good strategies to protect themselves.
What Are Antiphishing Strategies?
· Find and take down phishing websites.
· Detect and delete phishing emails.
· Warn other users about the threat.
· Use antiphishing toolbars and web browser features.
· Train users not to fall for attacks.
Carnegie Mellon designed a training package and a laboratory experiment to determine if training helped users detect phishing emails.
Things learned from the laboratory experiment (Blair, Cranor, & Kumaraguru, 2009):
· Security notices are ineffective for training users.
· Users with embedded training make better decisions than those sent security notices.
· Participants retained knowledge after seven days.
· Training does not increase false positive errors.
· Before training, traditional-age students (18-22 years of age) are significantly more likely than staff to fall for phishing schemes.
How Would a Cyber Criminal Attempt to Phish Your Personal Information?
Email is one of the most common vehicles for phishing. You may receive an email that looks and feels legitimate—from a friend, an entity with whom you have an account (such as eBay, PayPal, or Citibank), or a business contact. The message might prompt you to verify your account number or your user ID and password, either by immediately replying to the email or by clicking a link that directs you to a fraudulent web page.
Sample Phishing Email
Recently, many Fakebank account holders received an email message from "onlineupdate@state.com" with the subject "Important Security Update." The message, shown below, claimed to be from Fakebank and prompted recipients to validate their "account ownership security" to avoid suspension by clicking on a link to a fake version of Fakebank's web log-in page. Account holders who visited the fake website and provided their user IDs and passwords gave a cyber criminal access to their online financial records.
Subject: Important Security Update
Date: Monday, April 5, 2016
From: Fakebank (onlineupdate@fakebank.com)
Dear Valued User,
Your Account security validation has expired. This may be as a result of wrong or incomplete data entered during the last update.
It's strongly required that you should validate your account ownership security, to avoid service suspension.
Login to Fakebank at www.fakebank.com
We apologize for any inconveniences caused.
Security Department, Fakebank
Protecting Yourself Against Phishing
Since protecting your PII is important in protecting yourself against identity theft, let's take a deeper look at how you can distinguish legitimate emails from phishing attempts. Keep in mind that most phishing messages have an urgency, warning you to respond immediately.
The email is most likely a phishing attempt if:
· the message is alarmist and warns you to respond immediately to verify account information or take advantage of an offer. Often there's a threat of dire consequences.
· the message does not address you by name or include other identifying information.
· the message includes long links that don't make sense or misspells the company name in a URL.
· the message includes misspellings and grammatical errors.
If you suspect you received a phish, simply delete the email. Do not respond to the email, click on an embedded link, or open the attachment. If you are not sure, verify the legitimacy of the message by contacting the supposed sender through an alternate communication channel. Don't use the contact information provided in the suspicious email; instead, use a phone number you obtain directly from a bank statement, use an existing bookmarked URL to log in to your provider's site, or use an email address that you've successfully used before.
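The four indicators above can be turned into a simple triage check. The following is an added example, not part of the original course material or its sources: it parses a plain-text message and reports which indicators it trips, using the Fakebank message above (rebuilt as a constructed sample with the state.com sender address the text reports and a constructed look-alike link) alongside a constructed legitimate-looking notice for comparison. The keyword lists and the two-label "registered domain" approximation are assumptions for the example, not a production classifier.

```python
"""Heuristic phishing-indicator check (added example, not from the course text).

Scores a raw RFC 822-style message against the indicators listed above:
urgency or threats, a generic greeting, links whose domain does not match
the sender, a display name that does not match the sending domain, and
odd phrasing. Word lists and sample messages are constructed for this
example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed keyword lists; a real filter would use a much larger set.
URGENCY_WORDS = ("immediately", "expired", "suspension", "suspended",
                 "strongly required", "within 24 hours")
GENERIC_GREETINGS = ("dear valued user", "dear customer", "dear user", "dear member")
ODD_PHRASES = ("inconveniences caused", "it's strongly required", "kindly verify")

# Constructed sample based on the Fakebank message shown above. The link host
# nests "fakebank.com" inside another domain, the kind of long link the text warns about.
SAMPLE_PHISH = """From: Fakebank <onlineupdate@state.com>
Subject: Important Security Update
Date: Mon, 5 Apr 2016 09:12:00 -0400

Dear Valued User,

Your Account security validation has expired. This may be as a result of wrong
or incomplete data entered during the last update.

It's strongly required that you should validate your account ownership
security, to avoid service suspension.

Login to Fakebank at http://www.fakebank.com.account-verify.example/login

We apologize for any inconveniences caused.

Security Department, Fakebank
"""

# Constructed legitimate-looking notice: named recipient, sender and link on one domain.
SAMPLE_LEGIT = """From: Fakebank Alerts <alerts@fakebank.com>
Subject: Your March statement is ready
Date: Fri, 1 Apr 2016 08:00:00 -0400

Dear Maya,

Your statement for March 2016 is now available. Sign in as usual at
https://www.fakebank.com/statements to view it.

Thank you for banking with Fakebank.
"""


def registered_domain(host):
    """Crude registrable-domain approximation: the last two labels (no public suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(from_header):
    """Domain of the address in a From header, lowercased ('' if absent)."""
    _, addr = parseaddr(from_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name_mismatch(from_header):
    """True when no substantial word of the display name appears in the sender domain."""
    name, _ = parseaddr(from_header or "")
    tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if len(t) > 3]
    domain = sender_domain(from_header)
    return bool(tokens) and not any(t in domain for t in tokens)


def extract_links(body):
    """All http(s) URLs found in a plain-text body."""
    return re.findall(r"https?://[^\s<>\"']+", body)


def phishing_indicators(raw_email):
    """Return a list of (indicator, evidence) pairs tripped by the message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []

    hits = [w for w in URGENCY_WORDS if w in text]  # alarmist / urgency language
    if hits:
        findings.append(("urgency", hits))

    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):  # not addressed by name
        findings.append(("generic_greeting", [first_line]))

    claimed = registered_domain(sender_domain(msg.get("From", "")))
    mismatched = [u for u in extract_links(body)
                  if registered_domain(urlparse(u).hostname or "") != claimed]
    if mismatched:  # link points somewhere other than the sender's domain
        findings.append(("link_domain_mismatch", mismatched))

    if display_name_mismatch(msg.get("From", "")):  # brand in name, different sending domain
        findings.append(("sender_display_mismatch", [msg.get("From", "")]))

    odd = [p for p in ODD_PHRASES if p in text]  # spelling / grammar oddities
    if odd:
        findings.append(("odd_phrasing", odd))
    return findings


def phishing_score(raw_email):
    """Number of indicators tripped; 0 means none of the listed signs were found."""
    return len(phishing_indicators(raw_email))


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_score(sample), phishing_indicators(sample))
```

A score of zero does not prove a message is genuine; the out-of-band verification step described above still applies whenever an email asks for credentials.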
Putting It All Together
Threats on the internet are similar in concept to threats on the highway. You are better protected when you follow traffic regulations and take certain precautions. Good safety measures include keeping your car maintained, fastening your seatbelt, stopping at stop signs and traffic lights, and avoiding potholes. To avoid theft, you keep your valuables locked away, out of sight. You lock your car.
Take the same types of security and safety measures with your computer and on the network. Keep your computer running well by updating your software and backing up your files regularly. Install antivirus software and make sure it updates daily. Avoid opening the door to untrusted sources by not opening their attachments, not clicking on their links, not installing their software, and not providing them with your sensitive data or password. Protect your personal information from theft by locking it behind strong passwords that you do not share with others. Physically lock your computing devices when unattended.
Remember, prevention is the best protection.
Visit the Federal Trade Commission's website at https://www.consumer.ftc.gov/topics/privacy-identity-online-security for resources on deterring, detecting, and defending against identity theft.
Protecting Your Privacy
Considering every possible threat to your information and resources is probably not realistic. Most of us don't have the time or resources to commit to predicting the long-term outcomes of our every action.
Rather than trying to analyze every action, it's helpful to rely on some general rules to protect your PII.
· Keep your passwords to yourself and change them regularly. Most cases of PII theft can be avoided simply by maintaining a strong password and not sharing it.
· Use different passwords for different accounts. Remembering multiple passwords can be a challenge, and it's often convenient to use the same password for multiple accounts, from Facebook and your bank account to your UMUC ID and Twitter accounts. The danger is that a compromise of any one of these accounts could also result in the compromise of others, if the same password is used for multiple accounts.
· Use strong passwords. Many of your user IDs require strong passwords to gain entry into one or more systems. In those instances when you can choose any password configuration, pick a strong password to protect your information. Changing strong passwords often is the most important thing you can do to keep your PII safe.
· Check your credit reports annually. Sometimes people don't learn that they are victims of identity theft until their credit rating and identity are destroyed. It's proactive to get copies of your credit reports from the credit bureaus and review them for errors. Follow up with the credit bureaus to make corrections to your reports if needed. By law, you can get one free credit report from each of the three credit bureaus every year.
· "Google" yourself. Enter your name in a search engine and see what data comes up. Investigate postings about yourself in the information that you find. Look for suggestions that your PII may be compromised.
· Remember that people can be a weak link in security. No matter how secure you make passwords and how careful you are with technology, there is always a human element to protecting your information.
· Control physical access to your devices. It's important not to leave laptops and other mobile devices unattended in public locations, like a coffee shop or other places with free Wi-Fi. An unattended machine is at risk, both for theft and for other security threats. When you aren't controlling physical access to your machine (by locking it in your room), don't let it out of your sight.
· Remember to log out or lock your computer when you are finished using it. Whether it's your email, bank account, Target shopping account, or library account, always remember to log out when you leave the website.
· Remember to lock your computer with a password when you are finished using it. By requiring a password to access your computer or other electronic device, you are helping to protect your information. You are also making your computer useless to a thief who cannot break password locks.
References
Blair, M. A., Cranor, L. F., & Kumaraguru, P. (2009). Results from "Help us protect the Carnegie Mellon community from identity theft" study. Retrieved from https://www.cmu.edu/iso/aware/presentation/identitytheftstudy_041009.pdf
Kumaraguru, P., Cranshaw, J., Acquisti, A., Cranor, L., Hong, J., Blair, M. A., & Pham, T. (2009). School of phish: A real-world evaluation of anti-phishing training. Retrieved from http://www.cs.cmu.edu/~jasonh/publications/soups2009-school-of-phish-final.pdf
Licenses and Attributions
Personally Identifiable Information (PII) by Janet Zimmer is available under a Creative Commons Attribution-ShareAlike 3.0 Unported license.
Security
Most people think of security as a protective measure that's physical, like a home security alarm to prevent theft, or a door with a lock and key to prevent unauthorized entry. While it's true that security is physical, we'll be looking at security from an information technology (IT) perspective. Moreover, we'll focus on the IT view: security is a safeguard. Security is something that we need online—to protect personally identifiable information (PII) and to protect our computers from cyber criminal attack.
Security in practice applies to all types of information. However, in this module we will discuss protecting a specific type of information—PII.
Understanding Compromise and Risk
Many people assume that protecting their information is strictly about safeguarding PII by using strong passwords, making sure to log out of online accounts, using a password to lock your computer, and keeping your computer physically secured. These habits are important, but blindly using these methods ignores other components of your responsibility and capability to protect information and resources. Two of the most important aspects are:
· having a clear understanding of just what is at risk—how extensive and sensitive are the information and resources that you are protecting, and how accessible are they?
· recognizing the role that your personal behaviors and decisions play in increasing or mitigating the risk to your information and resources.
When we talk about risk, in most cases we're considering the threat of compromising the resource. In the context of information security, compromise may have a slightly different meaning than you are used to:
Compromise
In the field of information security, a compromise is a breach in the security of a specific resource—potentially a computer, an account, a file or another resource. A resource can be compromised in many ways, including actions by a malicious attacker hacking into a system, but also by a well-intentioned user forgetting to log out of a machine.
Confidentiality, Integrity, and Availability
We have already talked about compromise and risk, but let's quickly summarize the concepts. A compromise is a specific breach in security. Risk is the chance that a security compromise may actually occur.
So what comes first: a compromise or a risk?
If there's a risk to security, does that mean it might happen, or that it already happened? Of course, a risk means that something might happen. Taking a risk or chance comes before acting on that risk. For example, since I left the computer unprotected (taking a risk), a virus infected the computer.
On the other hand, if there's a security compromise, does it mean that it might happen, or that it already happened? Yes, it already happened. A compromise or security breach is a completed action. It's a done deal. For example, since someone took advantage of the unprotected computer to install and activate a virus, the computer is compromised.
Since risk is a chance that something might happen, and compromise is a completed action, then risk comes before compromise.
Why do you need to know that risk comes before compromise? To answer that question, let's zero in on risk. Risk is key to how the compromise happened. Risk isn't singular; it has three dimensions—confidentiality, integrity, and availability (often referred to as "CIA").
Let's look at an example of each of the three risk dimensions. Keep in mind that we're looking at one example of each. In reality, each dimension can have lots of examples.
· Confidentiality risk: exposing a secret password and user ID
· Example: Gabe gives Taylor his user ID and password so that she can finish the report they are coauthoring by the end of the day. Gabe's user ID and password are compromised because they aren't secret once he gives them to Taylor. When the user ID and password are no longer secret, that's a breach of confidentiality.
· Integrity risk: an unauthorized change to shared documents
· Example: Evelyn accidentally changes the wrong pages on a shared document at work; she changes Robin's pages instead of her own. Robin is furious because she had spent all day making changes to the document, and now she doesn't know whether she can remember all of them.
· Availability risk: improper control of physical access
· Example: Thomas, a supervisor, finds that he cannot access the data in a personnel file because the permissions for access to that database and the data contained therein have been changed by another supervisor, Martha. The data has not been disclosed (there is no breach of confidentiality), nor has there been a violation of the integrity of the data. But that data is not available to Thomas, and thus there has been a breach of availability.
Each example has a different risk and a single compromise or breach.
Why do we need to know that risk comes before compromise? When we know the risk, we can sometimes prevent the compromise.
Now, we have a preview into the dimensions of risk—confidentiality, integrity, and availability. Our next step is to learn more about each dimension so we can apply some techniques and best practices to making good decisions using risk and compromise.
Dimensions of Risk
How Is Risk Assessed?
Assessing risk involves a consideration of how well protected a resource might be, and what the consequences could be if the resource is compromised. Simply asking yourself whether you are doing something that might "put resources at risk" is probably not a useful approach for most people, though. To some extent, all actions have a degree of risk; your real goal is to assess that risk in a useful way.
That assessment can be a real challenge—security and risk are complicated and multifaceted. Because information protection can seem like a large and all-encompassing issue, security experts break the problem of security into three distinct aspects, considering the confidentiality, integrity, and availability of resources, first as discrete pieces and then collectively.
Confidentiality, Integrity, Availability (CIA)
Source: Janet Zimmer
By focusing on one specific dimension at a time, you're able to break the process of evaluation down into more manageable parts. And by then considering these parts collectively, you can make decisions that can best reflect your own priorities and responsibilities.
Confidentiality
Source: Janet Zimmer
The confidentiality of a resource refers to who is able to read or access it. Maintaining the confidentiality of a resource does not require that it be completely secret or inaccessible; rather, it is about ensuring that only authorized users—the right people—have access and that unauthorized users—the wrong people—do not. Confidentiality is at risk whenever unauthorized users have access to information, whether explicitly (such as password sharing) or unintentionally (such as mistaken file-sharing permissions or a virus accessing files). "A loss of confidentiality is an unauthorized disclosure of information" (NIST, 2008).
A Loss of Confidentiality
Morgan provides computer support for the HiTech organization. She gets a request from Robert, the human resources director, to recover files that were accidentally deleted. After Morgan successfully finishes the file recovery process, she opens a file to make sure its contents are complete. Morgan opens the file and sees the annual salary of each employee at HiTech.
Although Robert authorized Morgan to recover the deleted files, he did not intend to release any information about employees' salaries—so the confidentiality of the salary information has been compromised or breached.
Integrity
Source: Janet Zimmer
Maintaining the integrity of information means ensuring that the data has not been changed inappropriately, whether these changes are accidental and innocent or intentional and malicious. As the name implies, integrity addresses the question of how confident you can be about the state of your resources and information. "A loss of integrity is the unauthorized modification or destruction of information" (NIST, 2008).
A Loss of Integrity
Nicholas, a technical writer on the systems development team, is writing the new user guide for the Masters Plumbing Supplies inventory system. He sent the Version 1 draft of the user guide to the development team for review, received all of their editorial changes two weeks ago, and incorporated them into a new Version 2 of the user guide. He sent Version 2 of the guide to team members for review last week and has already incorporated some of their changes into the next version of the user guide.
Just as Nicholas finishes incorporating Jim's comments into the new Version 3 user guide, Jim, one of the team members, calls Nicholas and tells him that he incorporated his comments into the wrong version. Jim incorporated his Version 3 comments into Version 1 instead of Version 2.
Now Nicholas doesn't know the new information from the original information in the user guide. Since the information in the user guide is mixed up between versions 2 and 3, the information in the user guide has lost its integrity. Nicholas can't be sure which version of the user guide is correct; the integrity of the user guide is compromised because of Jim's error in using the wrong version for his editorial changes.
Source: Janet Zimmer
Availability
The availability of a resource refers to how timely and reliable access to that resource is. Maintaining the availability of a resource means that authorized users are able to reliably get to the specific machine or information when needed; availability can be threatened by technical malfunctions (such as a networking problem that prevents access) or by human factors, such as a changed password. "A loss of availability is the disruption of access to or use of information or an information system" (NIST, 2008).
A Loss of Availability
Xing had set up a workstation for new employees to use until their permanent computers are assigned, but he hasn't been diligent about keeping it up-to-date. This carelessness comes back to haunt him when someone maliciously attacks the computer by exploiting a software vulnerability to access his machine and change the passwords on it. Now Xing can't log in to the computer to perform the updates.
Because he has physical access to the machine, Xing will eventually be able to get the work done. The process won't be fast, and during that time he won't be able to perform the updates; the availability of this resource has been compromised.
As you can see, considering how you protect your information and resources using these three dimensions can allow for more focus in evaluating your risks. It can also help you more clearly identify the consequences if your resources are compromised.
Confidentiality, Integrity, and Availability in Practice
So far, we've learned about the three dimensions of risk—confidentiality, integrity, and availability—one at a time. The reality is that most threats and compromises can involve multiple dimensions. Sharing your password, for example, can compromise both the availability and the confidentiality of your information if someone changes your password and looks at what the password is protecting. It can also compromise the integrity of your information if someone changes it without your permission. In practice, this means you should consider possible dangers and threats in the context of all three of the dimensions.
What's at Stake?
Although some of the examples that are included above may seem extreme or unlikely, it's important to understand just what is at stake if your user ID and password are compromised. If you worked at Monumental Corporation with Michael and Sammy, what type of data can be exposed if your user ID and password are used without your permission? Is there really a danger of someone changing your files or information?
Recognize that your user ID and password are the key to an exceptional amount of corporate and personal information. With regard to confidentiality, for example, someone with your credentials may be able to see:
· your email
· your work schedule
· your salary and other human resource-related information
· your work records, including your active and inactive files
In addition to being able to review information that most people would consider confidential, your user ID and password allow you (and anyone who has your access) to change information, including:
· altering your work schedule for meetings
· sending and changing any emails
· changing or deleting your work files
Finally, using your user ID and password, someone can place severe limits on the availability of some of your resources by:
· changing your password
· deleting your files
· canceling or changing access to some programs or files
These are not just theoretical possibilities; all of the bullet points above represent actual resource compromises that have affected people. Sometimes these compromises have been the result of malicious actions. Sometimes they've occurred by mistake or been intended as pranks. However, they are situations that real people have had to face.
Cyber Criminal Tactics
A Damaging Link
Since starting his new job in another city, Gustaph finds himself relying on Facebook to stay connected with friends and family. Shortly after logging in one afternoon, Gustaph receives a Facebook message with a link to "Funny Party Pictures" from his cousin Vivian. Certain the pictures must be from his family's annual picnic that he missed the previous weekend, Gustaph clicks the link to view the pictures, but they don't appear. Then he tries to move and click the mouse again, but the mouse arrow freezes. Frustrated, he presses the power button until the computer turns off. When he powers it back on again, the computer boots to a blue screen, rather than the login screen Gustaph expected. He restarts his computer a few more times, only to get the same result. Giving up, Gustaph takes his computer to a computer repair shop in town, where he learns that his computer was infected with malware. A virus had erased his hard drive and all the information he had on it.
Gustaph ended up spending a lot of time finding all the CDs containing the software applications he had loaded on his machine. In some cases, he had to dig up records of legal copies he had downloaded from the software provider. He looked through his emails for links to software purchases. He did his best to give the repair shop all the software to configure his computer back to the way it was before the crash. Some software could not be recovered because Gustaph had obtained it from a friend without a user license. The cost of restoring his computer was more than $400. Since Gustaph had never backed up his files, all his personal files, resume, photos, music, and movies were lost. All he has left is the information in his emails.
Cyber Criminals
In computing, cyber criminals are people who circumvent security controls in order to gain unauthorized access to computers and networks. In the past, these individuals were often motivated by the intellectual exercise of defeating security controls. Today, cyber criminals are often motivated by money or political ambitions such as revenge or competitive advantage. Much like in the physical world, where thieves must use tools and specialized knowledge to bypass locks, alarm systems, guards, and other lines of defense, cyber criminals similarly use tools and specialized knowledge to bypass computer security controls.
In the previous module on privacy, you learned how cyber criminals try to lure you into providing access to your computing resources and personal information through social engineering scams, particularly phishing. It's important that you also know about other methods cyber criminals use to force their way into your computer.
Malware
The tools that cyber criminals often use can be generalized as "malware," short for "malicious software," and may consist of computer viruses, worms, Trojan horses, and spyware. These types of specialized software take advantage of vulnerabilities in computer hardware and software. Modern malware tends to combine features from all four categories, to the point that the terms have become nearly synonymous.
Computer viruses
Computer viruses piggyback on other programs or files in order to infect your computer. Viruses can spread to other computers via email, websites, file sharing, USB drives, and other removable media. Cyber criminals rely on social engineering and require user intervention to spread a computer virus, i.e., someone has to open an attachment or file, click on a link, or plug in a USB drive. Viruses may cause a computer's processing function to slow considerably.
Worms
Worms, unlike viruses, spread across networks by exploiting software vulnerabilities to launch copies of themselves on new victims without user intervention. Simply connecting to a network with a computer running outdated software may result in a worm infection.
Trojan horses
Trojan horses are malicious programs disguised as legitimate software. Victims are lured into installing them with promises of desired functionality. Viruses and worms may silently install Trojan horses to further compromise systems, or they may be buried deep within legitimate software. "Backdoor" Trojan horses can even facilitate unauthorized access to computers. Bolder Trojan horses may pretend to be security programs, which generate imaginary virus warnings and demand payment to remove viruses that in reality do not exist.
Spyware
Spyware is a type of malware that collects information about computers or their users and sends it to third parties without consent. Besides secretly monitoring user actions (e.g., logging keystrokes, emails, or instant messages), spyware can collect personally identifiable information (PII), which may lead to identity theft. Spyware may also interfere with web browsing: even when you use a bookmark or type in the URL for a website, the browser may be redirected to a fraudulent site designed to capture usernames and passwords or inject malicious content. An example of this would be a phony form on a legitimate-looking banking site asking for PII.
Spam
Spam messages are unsolicited messages sent to email accounts or cell phones from advertisers or cyber criminals. Advertisers use spam to attract attention to their products. Advertising spam can be a nuisance, but is often benign to computers. Spam messages can also contain fraudulent information, like check overpayment scams, foreign lotteries, investment schemes, and other cons. Although these kinds of spam can separate someone from their money, they won't harm computers. Other spam messages have malware attached or include links to malicious sites. Opening those attachments or clicking those links may install malware.
Protection from Cyber Criminal Attacks
How do you protect yourself and your computer from cyber criminal attacks?
Install Antivirus Software
Antivirus software scans your computer and files to protect it from known viruses. Since new malware is always being released, you'll need to update your antivirus software regularly and configure it to scan your computer at least once a week.
Install Firewall Software
As related to information technology, a firewall is a protective layer or "wall" between the computer and internet. While antivirus software scans your computer and files, firewall software monitors, blocks, and filters activity between your computer and the internet. Like antivirus software, firewall software needs to be updated regularly to maintain its effectiveness. Antivirus and firewall software may sometimes be purchased in a single package.
There are good, legal, and free software alternatives when considering antivirus and firewall software. Just type "free antivirus software" or "free firewall software" into a search engine. Be sure, however, that the site you choose is a trusted site such as a recognized product review site: PCWorld, CNET, and Comodo are some of the best-known.
Install Software Updates
Operating system and application software developers continuously improve their products to add security features and to fix errors in previously released versions. It is important to download and install updates as soon as you are notified that one is available, in order to keep your devices (phones, computers, tablets, etc.) secure.
Use a Strong Password
It's a good practice to change all your passwords every 90 days. If you suspect that any of your passwords have been compromised, change them immediately.
A strong password is reasonably difficult to guess in a short period of time, either through human guessing or through the use of specialized software.
Password Guidelines
The following are general recommendations for creating a strong password.
A strong password should:
· be at least eight characters in length
· contain both upper and lowercase alphabetic characters (A-Z, a-z)
· include at least one numeric character (0-9)
· use at least one special character (e.g., ~ ! @ # $ % ^ & * ( ) _ - + =)
A strong password should not:
· spell a word or series of words that can be found in a standard dictionary
· spell a word with a number added to the beginning and/or the end
· be based on any personal information such as user ID, family name, pet, birthday, etc.
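As an added example (not part of the original text), the following Python function checks a candidate password against the rules listed above. It uses a constructed miniature word list in place of a standard dictionary and takes personal-information tokens from the caller; it generalizes the dictionary rule slightly by stripping digits and symbols from both ends of the password and by flagging a phrase made up only of dictionary words.

```python
"""Password-strength checker implementing the guidelines above.

Added example, not from the original text. DICTIONARY is a constructed
stand-in for a real word list; personal-information tokens are supplied
by the caller.
"""
import string
from typing import Iterable, List

# Constructed miniature "standard dictionary"; a real check would load a
# full word list (e.g. /usr/share/dict/words on many Unix systems).
DICTIONARY = {
    "password", "welcome", "summer", "dragon", "monkey", "letmein",
    "football", "sunshine", "my", "favorite", "nascar", "driver",
}

# The special characters the guideline lists as examples.
SPECIALS = set("~!@#$%^&*()_-+=")


def check_password(pw: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return a list of guideline violations; an empty list means the
    password satisfies every rule on the page."""
    problems: List[str] = []

    # --- "A strong password should" rules -----------------------------
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")

    # --- "A strong password should not" rules -------------------------
    lowered = pw.lower()
    if lowered in DICTIONARY:
        problems.append("is a dictionary word")
    # Strip digits and symbols from both ends so that "Password1!" or
    # "99dragon" is recognised as a word with a number tacked on.
    core = lowered.strip(string.digits + string.punctuation)
    if core != lowered and core in DICTIONARY:
        problems.append("dictionary word with digits/symbols added at the ends")
    # Passphrase check (generalization): a phrase is weak only when every
    # word is in the dictionary; one inserted digit or symbol breaks this.
    words = [w.strip(string.punctuation) for w in lowered.split()]
    if len(words) > 1 and all(w in DICTIONARY for w in words):
        problems.append("sequence of dictionary words")
    # Personal information (user ID, family name, pet, birthday, ...)
    for token in personal_info:
        if token and token.lower() in lowered:
            problems.append(f"contains personal information: {token!r}")

    return problems


def is_strong(pw: str, personal_info: Iterable[str] = ()) -> bool:
    """True when no guideline is violated."""
    return not check_password(pw, personal_info)


if __name__ == "__main__":
    # Constructed candidates; the last one is the page's own passphrase.
    for cand in ["Password1!", "My favorite NASCAR driver!",
                 "Rajiv2024!", "My fav2rite N@SCAR dri4er!"]:
        print(f"{cand!r}: {check_password(cand, ['Rajiv']) or 'OK'}")
```

Note how the plain phrase "My favorite NASCAR driver!" is flagged while the page's "My fav2rite N@SCAR dri4er!" passes: the inserted digits and symbols are what keep the words out of the dictionary.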
The following are several recommendations for maintaining a strong password:
· Do not share your password with anyone for any reason. Passwords should not be shared with anyone, including any managers, coworkers, or friends. If someone needs information that's on your computer, email the file or place the file on a shared network. Passwords should not be shared even for the purpose of computer support or repair.
· Change your password periodically. As a general rule, changing your password every 90 days is recommended. If you suspect someone has compromised your account, change your password immediately. If you work in an office, report the incident to computer security personnel.
· Consider using a passphrase instead of a password. A passphrase is a password made up of a sequence of words with numeric and/or symbolic characters inserted throughout. A passphrase could be a lyric from a song or a favorite quote. Passphrases typically have additional benefits such as being longer and easier to remember. For example, the passphrase "My fav2rite N@SCAR dri4er!" is 26 characters long and includes alphabetic, numeric and special characters. It is also relatively easy to remember. It is important to note the placement of numeric and symbolic characters in this example as they prevent multiple words from being found in a standard dictionary. The use of blank spaces also makes a password more difficult to guess.
· Do not write your password down or store it in an insecure manner. To the extent possible, avoid writing down your passwords. In cases where it is necessary to write down a password, that password should be stored in a secure location and properly destroyed when no longer needed.
· Avoid reusing a password. When changing an account password, you should avoid reusing a previous password. If a user account was previously compromised, with or without your knowledge, reusing a password could allow that user account to become compromised once again. Similarly, if a password was shared for some reason, reusing that password could allow someone unauthorized access to your account.
· Avoid using the same password for multiple accounts. Though using the same password for multiple accounts makes it easier to remember your passwords, it can also have a chain effect, allowing an attacker to gain unauthorized access to multiple systems. This is particularly important when dealing with more sensitive accounts such as your credit card account or your online banking account.
· Do not use automatic log-on functionality. The option of storing your password so that you can save time by skipping your password entry the next time you log on is called automatic log-on functionality. Using automatic log-on functionality negates much of the value of using a password. If a malicious user is able to gain physical access to a system that has automatic log-on configured, he or she will be able to take control of the system and access potentially sensitive information.
· Consider using a strong password generator to create passwords. There are many such programs available. Type "strong password generator" into any search engine to find programs that are available for use.
· Consider using a password "base." Remembering a great number of different passwords is challenging. Consider using a base portion of a password and then changing some portion to use as a separate password. Do not just add numbers to the end of the base portion, however. Scatter the changes into the middle of the password base. For example, if the base is "UtahIowa" then one password might be: Uta4hIo9wa. Then change the numbers in the password to be used with the next site, keeping the Uta-hIo-wa.
Develop Good Security Habits
Throughout this module, you have been introduced to good security practices. Here's a summary of good security habits:
· Never open unexpected email attachments. If in doubt, verify the authenticity by calling or sending a new email to the sender using a phone number or address from a source other than the suspect email. An attachment could be malware in disguise.
· Beware of links sent to you via email, on social networking sites, or through text messages. Maliciously crafted links could direct you to malware or phishing sites.
· Be sure to use log-on passwords. Never leave your computer unattended without locking it, even if you're stepping away for only a minute.
· Consider locking up laptops in a desk or cabinet drawer when not in use. Unsecured laptops are easy targets.
· Always lock your doors and never leave your computer unattended in a public location.
· If you share your computer with friends, watch what they might be doing to your computer and with your identity.
· When visiting websites that require logging in, make sure you log out when you're done.
· When you finish using a computer, log out of it.
· Watch out for "shoulder surfing." Make sure no one is watching you enter your password or other personal information.
· Always back up your data and files, and lock the backups in a safe place.
· Use encryption (see below) for sensitive data storage and transmission.
Encryption
Encryption is the process of transforming information from plaintext into an unreadable format to keep it secret. Only authorized entities should be able to reverse the process. Using encryption, information can be stored or transmitted via shared media without risking disclosure.
When encrypting information, applications will typically ask for a password. The password is the key to locking and unlocking the information. If you lose the password, you won't be able to recover information. Certain applications like Microsoft Word provide optional encryption functionality. Find out whether the applications you use support encryption. If they don't, avoid using them when processing sensitive data including passwords and other PII.
Certain websites, especially ones that allow financial transactions, use encryption between your browser and their server. This can be discerned by looking at the URL. If the URL begins with "http://", then the communication between your browser and the web server is not encrypted. If the URL begins with "https://", then the communication is encrypted. The "s" after "http" stands for "secure." Some browsers may provide additional encryption indicators such as displaying lock icons and changing the color of the address bar.
Encryption provides a way to keep private information private in an increasingly public world.
What Are Some Signs That a Computer Is Compromised?
Symptoms computers may experience when compromised include system crashes (the computer doesn't turn on), unexplained disk activity, frequent error messages, lots of advertising pop-up windows that appear without actual web browsing, and unexplained variations in the computer's performance and behavior.
The following is a list of indicators of a possible computer compromise or infection:
· Pop-up ads increase in frequency.
· Pop-up ads appear even when you're not browsing the web.
· The home page of your web browser changes without your authorization.
· Your computer seems less responsive.
· Your internet access is persistently slower.
· Programs fail to start because Windows is "low on resources."
· Programs such as the Task Manager or the Control Panel fail to start and report "permission denied" errors, even though you have administrative rights to your machine.
· Your firewall cannot be started.
· Antivirus software cannot be updated or fails to enable.
· Your computer is crashing or "blue-screening" often.
Responding to a Compromise
If you believe that your computer has been compromised, you may be able to run an up-to-date antivirus scan and quarantine some of the infected files. There's a chance that file quarantining followed by removing the quarantined files can fix the problem.
In almost all cases of computer compromise, you'll need to have your computer serviced by a professional to get it working properly.
References
NIST. FIPS PUB 199: Standards for Security Categorization of Federal Information and Information Systems. Retrieved from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
Licenses and Attributions
Integrity by Janet Zimmer is available under a Creative Commons Attribution-ShareAlike 3.0 Unported license.
Confidentiality, Integrity, Availability (CIA) by Janet Zimmer is available under a Creative Commons Attribution-ShareAlike 3.0 Unported license.
Confidentiality by Janet Zimmer is available under a Creative Commons Attribution-ShareAlike 3.0 Unported license.
Availability by Janet Zimmer is available under a Creative Commons Attribution-ShareAlike 3.0 Unported license.