
ETHICAL HACKING

Managing and Using Information Systems: A Strategic Approach


ABHINAV PRAKASH-01 SIDDHARTH JAIN-26

Index
1. Introduction
2. Control of information
3. Theories of business ethics
4. Emerging issues in the ethical governance
5. Security and control in India
6. Summary

What is Ethical Hacking


Also called: Attack & Penetration Testing, White-hat hacking, Red teaming

Hacking
The process of breaking into systems for:
- Personal or commercial gain
- Malicious intent
- Causing severe damage to information and assets

Ethical
Conforming to accepted professional standards of conduct

Black-hat: bad guys
White-hat: good guys

What is Ethical Hacking


- It is legal: permission is obtained from the target.
- It is part of an overall security program.
- It identifies vulnerabilities visible from the Internet at a particular point in time.
- Ethical hackers possess the same skills, mindset and tools as a hacker, but the attacks are carried out in a nondestructive manner.

Defacement Statistics for Indian Websites


Defacement Statistics of January 2010 (TLD)

Domains    No of Defacements
.com       206
.org       22
.net       12
.in        327
others     3
Total      570

Contd
Defacement Statistics of January 2010 (.in ccTLD)

Domains    No of Defacements
.in        192
.gov.in    27
.co.in     96
.ac.in     3
others     9
Total      327

Real World Examples


Blockbuster was chastised by the Wall Street Journal for its plan to sell customer movie preference information for targeted marketing campaigns. Information collected for one purpose shouldn't be used for another purpose without an individual's consent. This example is not illegal but raises issues of privacy and ethical handling of information.

CONTROL OF INFORMATION

Area: Privacy
Critical questions: What information must a person reveal about one's self to others? What information should others be able to access about you, with or without your permission? What safeguards exist for your protection?

Area: Accuracy
Critical questions: Who is responsible for the reliability and accuracy of information? Who will be accountable for errors?

Area: Property
Critical questions: Who owns information? Who owns the channels of distribution, and how should they be regulated?

Area: Accessibility
Critical questions: What information does a person or an organization have a right to obtain, under what conditions, and with what safeguards?

Mason's areas of managerial concern.

Privacy
Those who possess the best information and know how to use it, win. However, keeping this information safe and secure is a high priority (see previous table). Privacy is the right to be left alone. Managers must be aware of regulations that are in place regarding the authorized collection, disclosure and use of personal information.
Example: the Safe Harbor framework of 2000.

Accuracy
Managers must establish controls to ensure that information is accurate. Data entry errors must be controlled and managed carefully. Data must also be kept up to date. Keeping data only as long as it is necessary or legally mandated is a challenge.

Property
Mass quantities of data are now stored on clients. Who owns this data, and who has rights to it, are questions that a manager must answer. Who owns the images that are posted in cyberspace? Managers must understand the legal rights and duties accorded to proper ownership.

Accessibility
Access to information systems and the data that they hold is paramount. Users must be able to access this data from any location (provided it can be properly secured and does not violate any laws or regulations). A major issue facing managers is how to create and maintain access to information for society at large.
This access needs to be restricted to those who have a right to see and use it (consider identity theft). Adequate security measures must also be in place on their partners' end.

NORMATIVE THEORIES OF BUSINESS ETHICS

Introduction
Managers must assess initiatives from an ethical point of view. Most managers are not trained in ethics, philosophy, and moral reasoning.
It is difficult to determine or discuss social norms.

Three theories of business ethics are examined so that managers can develop them and apply them to the particular challenges they face (see figure):
1. Stockholder theory
2. Stakeholder theory
3. Social contract theory

Stockholder Theory
Stockholders advance capital to corporate managers, who act as agents in advancing their ends. Managers are bound to the interests of the shareholders (maximize shareholder value). Managers' duties:
- Bound to employ legal, non-fraudulent means.
- Must take the long view of shareholder interest.

Stakeholder Theory
Managers are entrusted with a fiduciary responsibility to all those who hold a stake in or a claim on the firm. Stakeholders are:
- Any group that vitally affects the corporation's survival and success.
- Any group whose interests the corporation vitally affects.

Management must enact and follow policies that balance the rights of all stakeholders without impinging upon the rights of any one particular stakeholder.

Social Contract Theory


Consider the needs of a society with no corporations or other complex business arrangements. What conditions would have to be met for the members of a society to agree to allow a corporation to be formed? Corporations are expected to create more value for society than they consume. Social contract:
1. Social welfare: corporations must produce greater benefits than their associated costs.
2. Justice: corporations must pursue profits legally, without fraud or deception, and avoid actions that harm society.

Theory: Stockholder
Definition: Maximize stockholder wealth, in legal and nonfraudulent manners.
Metrics: Will this action maximize stockholder value? Can goals be accomplished without compromising company standards and without breaking laws?

Theory: Stakeholder
Definition: Maximize benefits to all stakeholders while weighing costs to competing interests.
Metrics: Does the proposed action maximize collective benefits to the company? Does this action treat one of the corporate stakeholders unfairly?

Theory: Social contract
Definition: Create value for society in a manner that is just and nondiscriminatory.
Metrics: Does this action create a net benefit for society? Does the proposed action discriminate against any group in particular, and is its implementation socially just?

Three normative theories of business ethics.

EMERGING ISSUES IN THE ETHICAL GOVERNANCE OF INFORMATION SYSTEMS

Emerging Issues
Email, instant messaging, and the Internet have replaced traditional communications but pose their own set of issues.
Many companies are turning to programs that monitor employees' online activities (web sites visited, etc.).

There are two distinct spheres in which managers operate when dealing with ethical issues:
1. Outward transactions of the business, with a focus on the customer.
2. Issues related to managing employees and information inside the corporation.

Many programs are available to accomplish the monitoring. Employers can exert a higher level of control over their employees. Managers must be careful to create an atmosphere that is amenable to IS use. Ethically, managers are obliged to consider the welfare of their workers.

Some causal connections between identified areas of ethical concern.

Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not use or copy software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you write.
10. Thou shalt use a computer in ways that show consideration and respect.

SECURITY AND CONTROLS IN INDIA

Security and Controls


An Ernst & Young survey suggests that most companies rely on luck rather than proven IS controls. Companies turn to technical responses to deal with security threats (worms, viruses, etc.). Managers go to great lengths to make sure that their systems are secure:
firewalls, intrusion detection systems (IDS), password systems, and more.

Future solutions will include hardware and software. Managers must be involved in the decisions about security and control.

Information Technology Act 2008


CERT-In has been formed as a national agency to perform the following functions:
1. Collection, analysis, and dissemination of information on cyber incidents.
2. Forecasts and alerts of cyber security incidents.
3. Emergency measures for handling cyber security incidents.
4. Issuing guidelines, advisories, etc. relating to information security practices.

Services of CERT-In
CERT-In provides:
1. Proactive services in the nature of advisories, security alerts, security guidelines, etc.
2. Reactive services, so as to minimize damage once an incident has happened.

Incidents handled by CERT-In during 2008


Ethics and the Internet


The Internet crosses international boundaries, posing challenges that are not readily resolved. Different cultures, laws, customs, and habits ensure that different countries police the Internet in very different ways. Managers face challenges in navigating their organizations through the murky waters of ethical use of the Internet. Example: free speech and censorship.
India provides for free speech protection, but other countries do not. An Internet code of ethics by the IFIP is being debated.

SUMMARY

Summary
1. Ethics is important to the IS field, particularly since new technologies and innovations are arriving at an untold pace.
2. IS professionals must seek to uphold the ethical handling and dissemination of information, adhering to international, federal, state, and local laws concerning the ethical handling of data under their supervision.
3. Improper handling and use of IS can lead not only to internal organizational problems but to legal problems as well.
4. Don't jeopardize your future by mishandling IS.
