Ethics in Information

Technology, Fourth Edition

Chapter 3
Computer and Internet Crime
 Objectives
• As you read this chapter, consider the following
questions:
– What key trade-offs and ethical issues are
associated with the safeguarding of data and
information systems?
– Why has there been a dramatic increase in the
number of computer-related security incidents in
recent years?
– What are the most common types of computer
security attacks?

Ethics in Information Technology, Fourth Edition

 Objectives (cont’d.)
– Who are the primary perpetrators of computer crime,
and what are their objectives?
– What are the key elements of a multilayer process
for managing security vulnerabilities based on the
concept of reasonable assurance?
– What actions must be taken in response to a
security incident?
– What is computer forensics, and what role does it
play in responding to a computer incident?

Ethics in Information Technology, Fourth Edition

IT Security Incidents: A Major Concern
• Security of information technology is of utmost
importance
– Safeguard:
• Confidential business data
• Private customer and employee data
– Protect against malicious acts of theft or disruption
– Balance against other business needs and issues
• Number of IT-related security incidents is
increasing around the world

Ethics in Information Technology, Fourth Edition

 Why Computer Incidents Are So
Prevalent
• Increasing complexity increases vulnerability
– Computing environment is enormously complex
• Continues to increase in complexity
• Number of entry points expands continuously
• Cloud computing and virtualization software
• Higher computer user expectations
– Computer help desks under intense pressure
• Forget to verify users’ IDs or check authorizations
• Computer users share login IDs and passwords

Ethics in Information Technology, Fourth Edition

 Why Computer Incidents Are So
Prevalent (cont’d.)
• Expanding/changing systems equal new risks
– Network era
• Personal computers connect to networks with
millions of other computers
• All capable of sharing information
– Information technology
• Ubiquitous
• Necessary tool for organizations to achieve goals
• Increasingly difficult to match pace of
technological change

Ethics in Information Technology, Fourth Edition

 Why Computer Incidents Are So
Prevalent (cont’d.)
• Increased reliance on commercial software with
known vulnerabilities
– Exploit
• Attack on information system
• Takes advantage of system vulnerability
• Due to poor system design or implementation
– Patch
• “Fix” to eliminate the problem
• Users are responsible for obtaining and installing
• Delays expose users to security breaches
Ethics in Information Technology, Fourth Edition
 Why Computer Incidents Are So
Prevalent (cont’d.)
• Zero-day attack
– Before a vulnerability is discovered or fixed
• U.S. companies rely on commercial software with
known vulnerabilities

Ethics in Information Technology, Fourth Edition

 Types of Exploits
• Computers as well as smartphones can be target
• Types of attacks
– Virus
– Worm
– Trojan horse
– Distributed denial of service
– Rootkit
– Spam
– Phishing (spear-phishing, smishing, and vishing)

Ethics in Information Technology, Fourth Edition

 Viruses
• Pieces of programming code
• Usually disguised as something else
• Cause unexpected and undesirable behavior
• Often attached to files
• Deliver a “payload”
• Spread by actions of the “infected” computer user
• Infected e-mail document attachments
• Downloads of infected programs
• Visits to infected Web sites

Ethics in Information Technology, Fourth Edition

 Worms
• Harmful programs
– Reside in active memory of a computer
– Duplicate themselves
• Can propagate without human intervention
• Negative impact of worm attack
– Lost data and programs
– Lost productivity
– Additional effort for IT workers

Ethics in Information Technology, Fourth Edition

 Cost Impact of Worms

Ethics in Information Technology, Fourth Edition 12

 Trojan Horses
• Malicious code hidden inside seemingly harmless
programs
• Users are tricked into installing them
• Delivered via email attachment, downloaded from a
Web site, or contracted via a removable media
device
• Logic bomb
– Executes when triggered by certain event

Ethics in Information Technology, Fourth Edition

 Distributed Denial-of-Service (DDoS)
Attacks
• Malicious hacker takes over computers on the
Internet and causes them to flood a target site with
demands for data and other small tasks
– The computers that are taken over are called
zombies
– Botnet is a very large group of such computers
• Does not involve a break-in at the target computer
– Target machine is busy responding to a stream of
automated requests
– Legitimate users cannot access target machine

Ethics in Information Technology, Fourth Edition

 Rootkits
• Set of programs that enables its user to gain
administrator-level access to a computer without
the end user’s consent or knowledge
• Attacker can gain full control of the system and
even obscure the presence of the rootkit
• Fundamental problem in detecting a rootkit is that
the operating system currently running cannot be
trusted to provide valid test results

Ethics in Information Technology, Fourth Edition

 Spam
• Abuse of email systems to send unsolicited email
to large numbers of people
– Low-cost commercial advertising for questionable
products
– Method of marketing also used by many legitimate
organizations
• Controlling the Assault of Non-Solicited
Pornography and Marketing (CAN-SPAM) Act
– Legal to spam if basic requirements are met

Ethics in Information Technology, Fourth Edition

 Spam (cont’d.)
• Completely Automated Public Turing Test to Tell
Computers and Humans Apart (CAPTCHA)
– Software generates tests that humans can pass but
computer programs cannot

Ethics in Information Technology, Fourth Edition

 Phishing
• Act of using email fraudulently to try to get the
recipient to reveal personal data
• Legitimate-looking emails lead users to counterfeit
Web sites
• Spear-phishing
– Fraudulent emails to an organization’s employees
• Smishing
– Phishing via text messages
• Vishing
– Phishing via voice mail messages
Ethics in Information Technology, Fourth Edition
Ethics in Information Technology, Fourth Edition
 Types of Perpetrators
• Perpetrators include:
– Thrill seekers wanting a challenge
– Common criminals looking for financial gain
– Industrial spies trying to gain an advantage
– Terrorists seeking to cause destruction
• Different objectives and access to varying
resources
• Willing to take different levels of risk to accomplish
an objective

Ethics in Information Technology, Fourth Edition

 Types of Perpetrators (cont’d.)

Ethics in Information Technology, Fourth Edition

 Hackers and Crackers
• Hackers
– Test limitations of systems out of intellectual curiosity
• Some smart and talented
• Others inept; termed “lamers” or “script kiddies”
• Crackers
– Cracking is a form of hacking
– Clearly criminal activity

Ethics in Information Technology, Fourth Edition

 Malicious Insiders
• Major security concern for companies
• Fraud within an organization is usually due to
weaknesses in internal control procedures
• Collusion
– Cooperation between an employee and an outsider
• Insiders are not necessarily employees
– Can also be consultants and contractors
• Extremely difficult to detect or stop
– Authorized to access the very systems they abuse
• Negligent insiders have potential to cause damage
Ethics in Information Technology, Fourth Edition
 Industrial Spies
• Use illegal means to obtain trade secrets from
competitors
• Trade secrets are protected by the Economic
Espionage Act of 1996
• Competitive intelligence
– Uses legal techniques
– Gathers information available to the public
• Industrial espionage
– Uses illegal means
– Obtains information not available to the public
Ethics in Information Technology, Fourth Edition
 Cybercriminals
• Hack into corporate computers to steal
• Engage in all forms of computer fraud
• Chargebacks are disputed transactions
• Loss of customer trust has more impact than fraud
• To reduce potential for online credit card fraud:
– Use encryption technology
– Verify the address submitted online against the
issuing bank
– Request a card verification value (CVV)
– Use transaction-risk scoring software
Ethics in Information Technology, Fourth Edition
 Cybercriminals (cont’d.)
• Smart cards
– Contain a memory chip
– Updated with encrypted data each time card is used
– Used widely in Europe
– Not widely used in the U.S.

Ethics in Information Technology, Fourth Edition

 Hacktivists and Cyberterrorists
• Hacktivism
– Hacking to achieve a political or social goal
• Cyberterrorist
– Attacks computers or networks in an attempt to
intimidate or coerce a government in order to
advance certain political or social objectives
– Seeks to cause harm rather than gather information
– Uses techniques that destroy or disrupt services

Ethics in Information Technology, Fourth Edition

 Federal Laws for Prosecuting
Computer Attacks

Ethics in Information Technology, Fourth Edition

 Implementing Trustworthy Computing
• Trustworthy computing
– Delivers secure, private, and reliable computing
– Based on sound business practices

Ethics in Information Technology, Fourth Edition

 Implementing Trustworthy Computing
(cont’d.)
• Security of any system or network
– Combination of technology, policy, and people
– Requires a wide range of activities to be effective
• Systems must be monitored to detect possible
intrusion
• Clear reaction plan addresses:
– Notification, evidence protection, activity log
maintenance, containment, eradication, and
recovery

Ethics in Information Technology, Fourth Edition

 Risk Assessment
• Process of assessing security-related risks:
– To an organization’s computers and networks
– From both internal and external threats
• Identifies investments that best protect from most
likely and serious threats
• Focuses security efforts on areas of highest payoff

Ethics in Information Technology, Fourth Edition

 Risk Assessment (cont’d.)
• Eight-step risk assessment process
– #1 Identify assets of most concern
– #2 Identify loss events that could occur
– #3 Assess likelihood of each potential threat
– #4 Determine the impact of each threat
– #5 Determine how each threat could be mitigated
– #6 Assess feasibility of mitigation options
– #7 Perform cost-benefit analysis
– #8 Decide which countermeasures to implement

Ethics in Information Technology, Fourth Edition

 Risk Assessment (cont’d.)

Ethics in Information Technology, Fourth Edition

 Risk Assessment (cont’d.)

Ethics in Information Technology, Fourth Edition

 Establishing a Security Policy
• A security policy defines:
– Organization’s security requirements
– Controls and sanctions needed to meet the
requirements
• Delineates responsibilities and expected behavior
• Outlines what needs to be done
– Not how to do it
• Automated system policies should mirror written
policies

Ethics in Information Technology, Fourth Edition

Establishing a Security Policy (cont’d.)
• Trade-off between:
– Ease of use
– Increased security
• Areas of concern
– Email attachments
– Wireless devices
• VPN uses the Internet to relay communications but
maintains privacy through security features
• Additional security includes encrypting originating
and receiving network addresses
Ethics in Information Technology, Fourth Edition
 Educating Employees, Contractors,
and Part-Time Workers
• Educate and motivate users to understand and
follow policy
• Discuss recent security incidents
• Help protect information systems by:
– Guarding passwords
– Not allowing sharing of passwords
– Applying strict access controls to protect data
– Reporting all unusual activity
– Protecting portable computing and data storage
devices
Ethics in Information Technology, Fourth Edition
 Prevention
• Implement a layered security solution
– Make computer break-ins harder
• Installing a corporate firewall
– Limits network access
• Intrusion prevention systems
– Block viruses, malformed packets, and other threats
• Installing antivirus software
– Scans for sequence of bytes or virus signature
– United States Computer Emergency Readiness
Team (US-CERT) serves as clearinghouse
Ethics in Information Technology, Fourth Edition
 Prevention (cont’d.)

Ethics in Information Technology, Fourth Edition

 Prevention (cont’d.)

Ethics in Information Technology, Fourth Edition

 Prevention (cont’d.)
• Safeguards against attacks by malicious insiders
• Departing employees and contractors
– Promptly delete computer accounts, login IDs, and
passwords
• Carefully define employee roles and separate key
responsibilities
• Create roles and user accounts to limit authority

Ethics in Information Technology, Fourth Edition

 Prevention (cont’d.)
• Defending against cyberterrorism
– Department of Homeland Security and its National
Cyber Security Division (NCSD) is a resource
• Builds and maintains a national security
cyberspace response system
• Implements a cyber-risk management program
for protection of critical infrastructure, including
banking and finance, water, government
operations, and emergency services

Ethics in Information Technology, Fourth Edition

 Prevention (cont’d.)
• Conduct periodic IT security audits
– Evaluate policies and whether they are followed
– Review access and levels of authority
– Test system safeguards
– Information Protection Assessment kit is available
from the Computer Security Institute

Ethics in Information Technology, Fourth Edition

 Detection
• Detection systems
– Catch intruders in the act
• Intrusion detection system
– Monitors system/network resources and activities
– Notifies the proper authority when it identifies:
• Possible intrusions from outside the organization
• Misuse from within the organization
– Knowledge-based approach
– Behavior-based approach

Ethics in Information Technology, Fourth Edition

 Response
• Response plan
– Develop well in advance of any incident
– Approved by:
• Legal department
• Senior management
• Primary goals
– Regain control and limit damage
– Not to monitor or catch an intruder
• Only 56% have response plan

Ethics in Information Technology, Fourth Edition

 Response (cont’d.)
• Incident notification defines:
– Who to notify
– Who not to notify
• Security experts recommend against releasing
specific information about a security compromise in
public forums
• Document all details of a security incident
– All system events
– Specific actions taken
– All external conversations
Ethics in Information Technology, Fourth Edition
 Response (cont’d.)
• Act quickly to contain an attack
• Eradication effort
– Collect and log all possible criminal evidence
– Verify necessary backups are current and complete
– Create new backups
• Follow-up
– Determine how security was compromised
• Prevent it from happening again

Ethics in Information Technology, Fourth Edition

 Response (cont’d.)
• Review
– Determine exactly what happened
– Evaluate how the organization responded
• Weigh carefully the amount of effort required to
capture the perpetrator
• Consider the potential for negative publicity
• Legal precedent
– Hold organizations accountable for their own IT
security weaknesses

Ethics in Information Technology, Fourth Edition

 Computer Forensics
• Combines elements of law and computer science
to identify, collect, examine, and preserve data and
preserve its integrity so it is admissible as evidence
• Computer forensics investigation requires
extensive training and certification and knowledge
of laws that apply to gathering of criminal evidence

Ethics in Information Technology, Fourth Edition

 Cybercrime Offenses
-offenses against the confidentiality,
integrity and availability of computer
data and systems
a.Illegal access
b.Illegal interception
c.Data interference
d.System interference
e.Misuse of Devices
Ethics in Information Technology, Fourth Edition
 ILLEGAL ACCESS

• The intentional access to the whole or any part

of a computer system
A computer system means any device or a group
of interconnected or related devices, one or more of
which pursuant to a program, performs automatic
processing of data. It covers any type of computer
device including devices with data processing
capabilities like mobile phones and also computer
networks. (banking systems, enrolment system)

Ethics in Information Technology, Fourth Edition

 Elements of a Computer System

1. There must be a device, a group of

interconnected or related devices;
2. At least one of the device performs automatic
processing of data pursuant to a program;
3. The device needs not be connected in a network
as long as it consists of both hardware and
software and have input, output and storage
facilities.

Ethics in Information Technology, Fourth Edition

 Elements of Illegal Access

1. There must be an intentional access in whole or in

part of a computer system
2. The person who attempts to, or is accessing, or
had already access the data has no right of
access to the system

Ethics in Information Technology, Fourth Edition

 ILLEGAL INTERCEPTION
• The intentional interception made by technical
means without right of any non-public transmission
of computer data to, from, or within a computer
system including electromagnetic emissions from a
computer system carrying such computer data:
provided however, that it shall not be unlawful for
an officer, employee, or agent of service provided
whose facilities are used in the transmission of
communications, to intercept, disclose,

Ethics in Information Technology, Fourth Edition

or use that communication in the normal course of his
employment while engaged in any activity that is
necessary to the rendition of is service or to the
protection of the rights or property of the service
provider, except that the latter shall not utilize
service observing or random monitoring except for
mechanical or service control checks.

Ethics in Information Technology, Fourth Edition

 Interception

-refers to listening to, recording, monitoring or

surveillance of the content of communications,
including procuring of the content of data, either
directly, through access and use of a computer
system or indirectly, through the use of electronic
eavesdropping or tapping devices, a the same time
tat communication is occurring.

Ethics in Information Technology, Fourth Edition

 Elements of Illegal Interception

1. It must be intentional
2. It must be by technical means
3. The person involved is without any right to do the
interception
4. The transmission of computer data to, from, or
within a computer system is non-public
5. It must not fall in any exemption
 An officer, employee, or agent of a service provider, whose facilities are used in the
transmission of communications, to intercept, disclose, or use that communication in the
normal course of his employment while engaged in any activity that is necessary to the
rendition of his service or to the protection of the rights or property of the service provider.

Ethics in Information Technology, Fourth Edition

 DATA INTERFERENCE
• The intentional or reckless alteration of computer
data without right

Ethics in Information Technology, Fourth Edition

 SYSTEM INTERFERENCE
• The intentional or reckless hindering without right
of the functioning of a computer system by
inputting, transmitting, deleting or altering computer
data or program.

Ethics in Information Technology, Fourth Edition

 MISUSE OF DEVICES
• The use, production, sale, procurement,
importation, distribution, or otherwise making
available, without right of:
i. Device, including a computer program, designed or
adapted primarily for the purpose of committing any
of the offenses under this Act; or
ii. a computer password, access code or similar data
by which the whole or any part of a computer
system is capable of being accessed with intent
that it be used for the purpose of committing any of
the offenses under this Act.
Ethics in Information Technology, Fourth Edition
 Section 3,
Rule 31 of the Rules of Evidence
1. An unlawful act was done with an unlawful intent;
and
2. That a person intends the ordinary consequences
of his voluntary act

Ethics in Information Technology, Fourth Edition

 Cybersex and Child Pornography
• Cybersex. The willful engagement, maintenance,
control, or operation, directly or indirectly, of any
lascivious exhibition of sexual organs or sexual
activity, with the aid of a computer system, for favor
or consideration.

Ethics in Information Technology, Fourth Edition

• For a person to be guilty of cybersex, all elements
must be present:
1. There must be an operation for sexual activity or
arousal;
2. The sexual activity or arousal is done with the aid
of or through the use of a computer system
3. The activity is done for a favor or consideration
4. The operation is/was established, maintained or
controlled by a person directly or indirectly

Ethics in Information Technology, Fourth Edition

 Penalty for Committing Cybersex
• Imprisonment of prision mayor (6 years and 1 day
to 12 years Art. 27 of the Revised Penal Code) or
at least Two Hundred Thousand Pesos
(Php200,000.00) but not exceeding One Million
Pesos (Php1,000,000.00) or both.

Ethics in Information Technology, Fourth Edition

 Summary
• Ethical decisions in determining which information
systems and data most need protection
• Most common computer exploits
– Viruses
– Worms
– Trojan horses
– Distributed denial-of-service attacks
– Rootkits
– Spam
– Phishing, spear-fishing, smishing, vishing
Ethics in Information Technology, Fourth Edition
 Summary (cont’d.)
• Perpetrators include:
– Hackers
– Crackers
– Malicious insider
– Industrial spies
– Cybercriminals
– Hacktivist
– Cyberterrorists

Ethics in Information Technology, Fourth Edition

 Summary (cont’d.)
• Must implement multilayer process for managing
security vulnerabilities, including:
– Assessment of threats
– Identifying actions to address vulnerabilities
– User education
• IT must lead the effort to implement:
– Security policies and procedures
– Hardware and software to prevent security breaches
• Computer forensics is key to fighting computer
crime in a court of law
Ethics in Information Technology, Fourth Edition