Sunday, 10 May 2015

Information Security

1) Introduction to Information Security:

Security: the degree of protection against criminal activity, danger, damage, and/or loss.
Information Security: all the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.

* Key Information Security Terms:
      - Threat: is any danger to which a system may be exposed.

      - Exposure: is the harm, loss or damage that can result if a threat compromises that resource.

      - Vulnerability: is the possibility that the system will suffer by a threat.

* Threats to Information Security:
    Today's interconnected, interdependent, wirelessly- networked business environment.
- Untrusted network: any network external to your organization.
    ● Smaller, faster, cheaper computers and storage devices (flash drives).
    ● Decreasing skills necessary to be a computer hacker.
       - Hacker: a person who finds out weaknesses in the computer system and exploits it.

    ● International organized crime turning to cybercrime.
       - Cybercrime: illegal activities conducted over computer networks, particularly the Internet.
 Example: iDefense.
    ● Lack of management support.
              - Insufficient funding.
              - Technological Obsolescence.
              - Lack of attention.

------------------------------------------------------------------------------------
2) Unintentional Threats to Information Systems:
- Information Systems are vulnerable to many potential hazards and threats.

- The two major categories of threats are:
   1) Deliberate threats
   2) Unintentional threats: are acts performed without malicious intent that nevertheless represent a serious threat to information security.
- A major category of unintentional threats is human error.
 ♢ Human Errors:
     • Carelessness with laptops and portable computing devices.
     • Opening questionable emails.
     • Careless Internet surfing.
     • Poor password selection.
 ♢ Social Engineering: an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing confidential information such as passwords.

     • Tailgating: it occurs when an unauthorized person slips in through a door before it closes.

     • Shoulder surfing: it occurs when the attacker watches another person's computer screen over that person's shoulder.

------------------------------------------------------------------------------------
3) Deliberate Threats to Information Systems:

      1. Espionage or Trespass: occurs when an unauthorized individual attempts to gain illegal access to organizational information.

      2. Information Extortion: occurs when an attacker either threatens to steal, or actually steals, information from a company.

      3. Sabotage or Vandalism: are deliberate acts that involve defacing an organization's website, possibly damaging the organization's image and causing its customers to lose faith.

     4. Theft of Equipment or Information:
          • Pod slurping: perpetrator plugs portable device into a USB port in a computer and downloads sensitive information.

          • Dumpster diving: rummaging through commercial or residential trash to find information that has been discarded.

    5. Identity theft: is the deliberate assumption of another person's identity, usually to gain access to their financial information or to frame them for a crime.

    6. Compromises to Intellectual Property (IP):
           • Trade secret: is an intellectual work such as business plan, that is a company secret and not based on public information.
            • Patent: a document that grants the holder exclusive rights on an invention or process for 20 years.
           • Copyright: a statuary grant that provides the creator of IP with ownership of the property for the life of the creator plus 70 years.
           • Piracy: the illegal copying of software.

    7. Software Attacks:
           Virus: a segment of computer code that performs malicious actions by attaching to another computer program.

            • Worm: a segment of computer code that spreads by itself and performs malicious actions without requiring another computer program.

            • Trojan horse: a software program that hides in other computer programs and reveal its designed behavior only when it is activated. A typical behavior of a Trojan horse is to capture your sensitive information (e.g., passwords, account numbers, etc.) and send them to the creator of the Trojan horse.

            • Logic Bomb: a segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time and date.

           • Phishing attacks: use deception to acquire sensitive personal information by masquerading as official-looking emails.

           • Denial-of-service attack: attackers sends so many information requests to a target computer system that the system cannot handle them successfully, and typically crashes.

    8. Alien Software: is clandestine software that is installed on your computer through duplicitous methods.
            Spyware: software that collects personal information about users without their consent.
                    ▪ Keystroke loggers: records your keystrokes and your Web browsing history.
                    ▪ Screen scrapers: record a continuous "movie" of what you do on a screen.

            Spamware: alien software that is designed to use your computer as a launchpad for stammers. Spam is unsolicited (unwanted) email.
          Cookies.
    9. Supervisory Control and Data Acquisition (SCADA) Attacks.
   10. Cyber terrorism and Cyber warfare:
        - Attackers use a target's computer systems, particularly via the Internet, to cause physical, real world harm or server disruption, usually to carry out a political agenda.
-----------------------------------------------------------------------------------
4) What Organizations Are Doing to Protect Information Resources:

    • Risk: is the probability that a threat will impact an information resource.
    • Risk management: to identify, control, and minimize the impact of threats.
    • Risk analysis: to assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.
     • Risk mitigation: is when the organization takes concrete actions against risk. It has two functions:
              1. Implement controls to prevent identified threats from occurring.
              2. Develop a means of recovery should the threat become a reality.
      • Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur.
      • Risk limitation: limit the risk by implementing controls that minimize the impact of the threat.
      • Risk transference: transfer the risk by using other means to compensate for the loss, such as by purchasing insurance.
------------------------------------------------------------------------------------
5) Information Security Controls:

- To protect their information assets, organizations implement controls, or defense mechanisms (countermeasures). These controls are designed to protect all of the components of an information system, including data, software, hardware, and networks. Because there are so many diverse threats, organizations utilize layers of controls, or Defense - in - depth.

- Controls are intended to prevent accidental hazards, deter intentional acts, detect problems as early as possible, enhance damage recovery, and correct problems.

- There are three major type of controls:
    1) Physical Controls: physical protection of computer facilities and resources ( walls, doors, fencing, gates, locks, guards, and alarm systems).

    2) Access Controls: restriction of unauthorized user access to computer resources.
          - There are two major Functions:
              1. Authentication: determines/confirms the identity of the person requiring access.
                  Something the user is: access controls that examine a user's physiological or behavioral characteristics.
                           • Biometrics:
                              - Voice verification.                                                        
                              - Fingerprints.                                                      
                              - Retina scan.



                 Something the user has: these access controls include regular ID cards, smart cards.

                 Something the user does: these access controls include voice and signature recognition.

                 Something the user knows:
                     - Password: a private combination of characters that only the user should know.
                            Example: nam3-beeS
                     - Passphrases: a series of characters that is longer than a password but can be memorized easily.
                            Example: Omanft2Brazilworldcup.

              2. Authorization: determines which actions, rights, or privileges the person has, do certain activities with information resources, based on his/her verified identity.
             ▪ Privilege: is a collection of related computer system operations that can be performed by users of the system.
             ▪ Least privilege: a principle that users be granted the privilege for some activity only if there is a justifiable need to grant this authorization.
 
   3) Communications (network) controls: protect the movement of data across networks and include border security controls, authentication and authorization.
           ▪ Firewall: is a system that enforces access - control policy between two networks.

           ▪ Anti-male ware Systems: software packages that attempt to identify and eliminate viruses, worms, and other malicious software.

          ▪ Whitelisting and Blacklisting:
                 - Whitelisting: is a process in which a company identified the software that it will allow to run and does not try to recognize.
                 - Blacklisting: a process in which a company allows all software to run unless it is on the blacklist.
         ▪ Encryption: process of converting an original message into a form that cannot be read by anyone except the intended receiver.

                 - Public-key encryption: uses two different keys: a public key and a private key.
                 - Certificate authorities: an electronic document attached to a file certifying that the file is from the organization that it claims to be from and has not been modified from its original format.
                 For Example of certificate authorities, see www.entrust.com.
                 - Digital Certificate: trusted intermediaries between two organizations, issue digital certificates.

         ▪ Virtual Private Networking (VPN): a private network that uses a public network (usually the Internet) to connect users.
                - Privacy: the right to be left alone and to be free of unreasonable personal intrusion.
                - Tunneling: encrypts each data Packet to be sent and places each encrypted packet inside another packet.

         ▪ Secure Socket Layer: now called transport layer security (TLS): is an encryption standard  used for secure transactions such as credit card purchases and online banking.
         ▪ Employee Monitoring Systems: which monitor their employees' computers, email activities, and Internet surfing activities.
-----------------------------------------------------------------------------------
♣ Information Systems Auditing:
      - Is independent or unbiased observers task to ensure that information systems work property.
      - Audit: examination of information systems, their inputs, outputs and processing.
      - Types of Auditors and Audits:
        • Internal: performed by corporate internal auditors.
        • External: reviews internal audit as well as the inputs, processing and outputs of information systems.




Ethical and Privacy

1) Ethical Issues:
- Ethical: deal with what is considered to be right and wrong. Deciding what is right or wrong is not always easy or clear cut.

♣ Ethical Frameworks:
      ● Utilitarian approach: an ethical action is the one that provides the most good or does the least harm.
      ● Right approach: an ethical action is the one that best protects and respects the moral rights of the affected people.
        - Moral Rights:
            ♢ The right to make your own choices.
            ♢ The right to be told the truth.
            ♢ The right of privacy.
       ● Fairness approach: ethical actions treat all human beings equally, or, if unequally, then fairly, based on some defensible standard.
       ● Common good approach: highlights the interlocking relationships that underlie all societies. This approach argues that respect and compassion for all is the basis for ethical actions.
------------------------------------------------------------------------------------
♣ Ethical in the Corporate Environment:

- Code of Ethical: a collection of principle that are intended to guide decision making by members of an organization.
(http://www.acm.org/about/code-ofethics)

Fundamental Tenets of Ethics:
     • Responsibility: mean that you accept the consequences of your decisions and actions.
     • Accountability: a determination of who is responsible for actions that were taken.
     • Liability: is a legal concept that gives individuals the right to recover the damages done to them by other individual, organizations, or systems.
-----------------------------------------------------------------------------------
♣ Ethical and Information Technology :
- All employees have a responsibility  to encourage ethical uses of information and information technology.
- The diversity and ever - expanding use of IT applications have created a variety of Ethical issues.
-These issues fall into four general categories:
    • Privacy issues: involve collecting, storing, and disseminating information about individuals.
   • Accuracy issues: involve the authenticity, fidelity, and accuracy of information that is collected and processed.
   • Property issues: involve the ownership and value of information.
   • Accessibility issues: revolve around who should have access to information and whether a fee should be paid for this access.
------------------------------------------------------------------------------------
2) Privacy:
- Privacy: is the right to be left alone and to be free of unreasonable personal intrusions.

- Information Privacy: is the right to determine when, and what, and to what extent, information about you can be gathered and/or communicated to others.
  The definition of privacy can be interpreted quite broadly. However, court decisions in many countries have followed two rules fairly closely:
      1. The right of privacy is not absolute. Privacy must be balanced against the needs of society.
      2. The public's right to know supersedes the individual's right of privacy.
- These two rules illustrate why determining and enforcing privacy regulations can be difficult.
----------------------------------------------
- Data aggregators: companies that collect public data (e.g. real estate records, telephone numbers) and non public data (e.g. social security numbers, financial data, police records, motor vehicle records) and integrate them to produce digital dossiers.

- Digital dossiers: an electronic description of you and your habits.

- Profiling: use of computers to combine data from multiple sources and create digital dossiers of detailed information on individuals.
- NORA (non obvious relationship awareness): new data and analysis technique for even more powerful profiling.

----------------------------------------------------------------
♣ Electronic Surveillance: the tracking of people's activities, online, or offline, with the aid of computers.
- cookies.

- URL filtering.

♣ Personal Information in Databases.
- Information about individuals is being kept in many databases:
      • Banks, Utility companies, government agencies, Credit reporting companies.

♣ Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites.

♣ Privacy Codes and Policies: an organization's guidelines with respect to protecting the privacy of customers, clients, and employees.
     - Opt - out Model: informed consent permits the company to collect personal information until the customer specifically requests that the data not be collected.
     - Opt - in Model: informed consent means that organizations are prohibited from collecting any personal information unless the customer specifically authorizes it.

๐Ÿ”น Platform for Privacy Preferences (P3P): a protocol that automatically communicates privacy policies between an electronic commerce website and visitors to that site.
     - P3P enables visitors to determine the types of personal data that can be extracted by the websites they visit.




E-Commerce: Applications and issues

1) Overview of E-Business and E-Commerce:
⭐E-Commerce (EC): describe the process of buying, selling, transferring or exchanging products, service, or information via computer networks, including the Internet.

⭐ E-Business: is a broader definition of EC, including:
       ✅ Buying and selling of goods and services.
       ✅ Servicing customers.
       ✅ Collaborating with partners.
       ✅ Conducting e-learning.
       ✅ Conducting electronic transactions within an organization.

  - Pure versus Partial EC depends on the degree of digitization involved:
       ๐Ÿ”นThe product can physical or digital.
       ๐Ÿ”นThe process can be physical or digital.
       ๐Ÿ”นThe delivery agent can be physical or digital.

 - Brick-and-mortar: purely physical organizations.
 - Click-and-mortar: organizations are those that conduct some EC activities, yet their business is primarily done in the physical world [multichanneling].
- Pure play: organiztions that are engaged only in EC.

-----------------------------------------------------------------------------------
♣ Types of E-Commerce:
      ▶Business - to - customer (B2C): the sellers are organizations, and the buyers are individuals.
      ▶Business- to - Business  (B2B): both sellers and buyers are business organization's.
      ▶Consumer- to - consumer (C2C): both the sellers and buyers are individuals.
      ▶Business- to - Employee (B2E): An organization uses e-commerce internally to provide information and services to its employees.
      ▶E - Government (E- Gov.): the use of internet technology to deliver information about public services to citizens (Government - to - Citizen [G2C]), business partners and suppliers (called government - to - business [G2B]) and between governments [G2G].

     ▶Mobile Commerce (m- commerce): e-commerce that is conducted using a mobile phone.

--------------------------------------------------------------------------------
♣ E-Commerce Business Models:
- Business Models: is the method by which a company generates revenue to sustain itself.
     ๐Ÿ”น Online direct marketing: manufacturers sell directly to customers.

     ๐Ÿ”น Electronic tendering system: businesses (or governments) request quotation from suppliers (uses B2B or G2B)
     ๐Ÿ”น E-auction: an auction which is held over the Internet.
          - Forward Auction: the highest bidder wins the auction.
          - Reverse Auction: the lowest bidder wins the auction.

     ๐Ÿ”น Name-your-own-price: customers decide how much they want to pay.

     ๐Ÿ”น Find-the-best-price: customers specify a need and an intermediary compares providers and shows the lowest price.
     ๐Ÿ”น Affiliate marketing: vendors ask partners to place logos or banners on partner's site. If customers click on logo, go to the vendor's site, and buy, then the vendor pays commission to partners.
    ๐Ÿ”น Viral marketing: receivers send information about your product to their friends.
    ๐Ÿ”น Group purchasing: small buyers aggregate demand to get a large volume discount [E- Coops].
    ๐Ÿ”น Product customization: customers use the Internet to self- configure products or services. Sellers then price them and fulfill them quickly.
    ๐Ÿ”น Deep discounters: company offers deep price discount. Appeals to customers who consider only price in their purchasing decisions.
    ๐Ÿ”น Membership: only members can use the services provided, including access to certain information, conducting trades, etc.(www.egreetings.com).

---------------------------------------------------------------------------------
♣ Benefits of E-Commerce:
    ● Benefits to organizations:
      ✅ Makes national and international markets more accessible.
      ✅ Lowering costs of processing, distributing, and retrieving information.
    ● Benefits to customers:
      ✅ Access a vast number of products and services around the clock (24/7/365).
   ● Benefits to society:
      ✅ Ability to easily and conveniently deliver information, services and products to people in cities, rural areas and developing countries.

♣ Limitations of E-Commerce:
     ● Technological Limitations:
         ✖ Lack of universities accepted security standards.
         ✖ Insufficient telecommunications bandwidth.
         ✖ Expensive accessibility.
     ● Non - Technological Limitations:
         ✖ Perception that EC is unsecure.
         ✖ Unresolved legal issues.
         ✖ Lacks a critical mass of sellers and buyers.
------------------------------------------------------------------------------------
2) Business-to-Consumer (B2C) Electronic Commerce:

♣ Electronic Storefronts and Malls:
      • Electronic Retailing (e-tailing): is the direct sale of products and services through Internet.

      • Electronic Marketplace: a central, virtual market space on the web where many buyers and sellers can conduct E-Commerce and E-Business activities.
      • Electronic Storefront: is a Web site that represent a single store.
            - Example: www.dell.com
      • Electronic Mall/ Cybermall: is a collection of individual shops grouped under a single Internet address.
           - Example: www.bing.com/shopping

♣ Online Service Industries:
   - One of the most pressing EC issues relating to online services is disintermediation.
   ๐Ÿ”น Cyberbanking: involves conducting banking activities from home, a place of business or on the road instead of at a physical bank location.

   ๐Ÿ”น Virtual Bank/ Cyber Bank: a bank is dedicated only to Internet transactions.
   ๐Ÿ”น Online Securities Trading.

   ๐Ÿ”น The Online Job Market: the Internet offers a promising new environment for job seekers and for companies searching for hard - to- find employees.

   ๐Ÿ”น Travel Services: the Internet is an ideal place to plan, explore and arrange almost any trip economically.

   ๐Ÿ”น Online Advertising:
        - Advertising: an attempt to disseminate information in order to influence a buyer - seller transaction.
       - Online Advertising methods:
         • Banner: simply electronic billboard [can be customized].
         • Pop up ad: appears in front of the current browser window.
         • Pop under ad: appears underneath the active window.
         • Permission marketing: asks consumers to give their permission to voluntarily accept online advertising and e-mail. [ sometimes customers are paid to view online advertisements].
        • Viral marketing: refers to online "word - of -mouth" marketing.
-----------------------------------------------------------------------------------
♣ Issues in E-Tailing:
     ● Channel conflict: occurs when manufacturers disintermediate their channel partners such as distributors, retailers, dealers, and sales representatives, by selling their products directly to consumers, usually over the Internet through e-commerce.
       - Example: Ford allows customers to configure a car online but requires them to pick it up from a dealer, where they arrange financing, warranties and services.
    ● Multichanneling: is a process in which a company integrates its offline and online channels.
    ● Order fulfillment: finding the product to be shipped, packaging the product; arrange for speedy delivery to the customer; and handle the return of unwanted or defective products.
------------------------------------------------------------------------------------
3) Business-to-Business (B2B) Electronic Commerce:
- In business to business (B2B) e-commerce,  the buyers and sellers are business organizations.
- There are several business models for B2B applications:
     ๐Ÿ”น Sell - Side Marketplaces: organizations attempt to sell their products or services to other organizations electronically from their own web site and/or from a third party web site.
      - This method is similar to the B2C model in which the buyer is expected to come to the seller's site, view catalogs, and place an order. In the B2B sell side marketplace,however, the buyer is an organization.
     - The key mechanisms are electronic catalogs and forward auctions.


      ๐Ÿ”น Buy - Side Marketplaces: is a model in which organizations buy needed products and services from other organizations electronically.
    - The key mechanism is reverse auctions.
    - Example: E - procurement.

      ๐Ÿ”น Electronic Exchanges:
            • Exchange: independently own by a third party and connect many buyers and many sellers.
             - Vertical Exchanges: connects buyers and sellers in a given industry.(www.plasticsnet.com)             - Horizontal Exchanges: connects buyers and sellers across many industries, and are used mainly for MRO materials.(www.alibaba.com)
            - Functional Exchanges: needed services such as temporary help or extra office space are traded on an "as-needed" basis.(www.emloyease.com)

------------------------------------------------------------------------------------
4) Electronic Payments:
- Implementing EC typically requires electronic payments.
- Electronic payment systems enable you to pay for goods and services electronically.

Electronic Check: encrypted check with digital signature that is similar to a paper check, and is used mostly in B2B.
Electronic Credit Card: allows customers to charge online payments to their credit card account, and is used mostly in B2B.

Purchasing Card: is the B2B equivalent of electronic credit cards and is typically used for unplanned B2B purchases.
Electronic Cash: appears in three major forms:
         ♢ Stored - Value Money Cards: allow you to store a fixed amount of prepaid money and then  spend it as necessary.
         ♢ Smart Cards: contain a chip called a microprocessor that can store a considerable amount of information and are multipurpose- can be used as a debit card, credit card or a stored - value money card.

         ♢ Person-to- Person Payments: are a form of card that enables two individuals or an individual and a business to transfer funds without using a credit card.

         ♢ E-wallet.

-----------------------------------------------------------------------------------
5) Ethical and Legal Issues:

   ● Privacy: e-commerce provides opportunities for businesses to track online consumers using cookies or special spy ware.
   ● Fraud on the Internet.
      - Internet fraud has grown even faster than Internet use itself.

  ● Domain Names: are assigned by central nonprofit organizations that check for conflicts and possible infringement of trademarks.
  ● Cybersquatting: refers to the practice of registering domain names solely for the purpose of selling them later at a higher price.
    - The original owner of www.tom.com received $8 million for the name.
  ● Taxes and other Fees: when and where (and in some cases whether) Electronic sellers should pay taxes.
  ● Copyright: protecting intellectual property in e-commerce and enforcing copyright laws is extremely difficult.