
1. PRIVACY ISSUES

Computer Monitoring - computers are being used to monitor the productivity and behavior of millions of employees while they work.

1.1 Privacy in the Internet
- the Internet is notorious for giving its users a feeling of anonymity, when in actuality, they are highly visible and open to violations of their privacy.

Corporate E-mail Privacy
- companies differ on their privacy policies, especially as they apply to their corporate electronic mail systems.
- Some view E-mail correspondence as private.
- Some retain the right to monitor employee E-mail on their networks.
- Some exercise their right only if there is reason to suspect that an employee is involved in illegal or unauthorized activity.
- Some ban all use of computers for personal business.

1.2 Computer Matching
Examples:
- individuals have been mistakenly arrested and jailed, and people have been denied credit, because their physical profiles or Social Security numbers have been used to match them incorrectly or improperly with the wrong individual.
- unauthorized matching of computerized information extracted from the databases of sales transaction processing systems, and sold to information brokers or other companies.

1.3 Spamming and Flaming

Spamming
- the indiscriminate sending of unsolicited E-mail to many Internet users.
- favorite tactic of mass-mailers of unsolicited advertisements, or junk E-mail.

How to Fight Spam
1. Use mail filters to automatically dump messages with headers that contain hints of spam, such as "xxx", "make money", or "!!!".
2. Sort incoming mail into folders to make deleting spam easier.
3. Don't respond to spam, even if the author promises to remove you from the mailing list.
4. Use dual E-mail accounts: one for public surfing, one for key correspondence with colleagues and family.
5. Use spam blockers provided on America Online and CompuServe.
6. Don't fill in the member's profile on AOL. Spammers troll those for leads.
7. Don't fill in registration forms at Web sites unless the purveyor promises not to sell or exchange your name and information.
8. Don't complain about spam in Usenet newsgroups or on mailing lists. Doing so wastes more resources.
9. Complain to legislators.
10. Don't counterspam the offender's mailbox. The reply address usually doesn't work.

Flaming
- the practice of sending extremely critical, derogatory and often vulgar E-mail messages (flame mail), or electronic bulletin board postings, to other users on the Internet or online services.

2. COMPUTER CRIME
- the threat caused by the criminal or irresponsible actions of computer users who are taking advantage of the widespread use of computer networks in our society.
- poses serious threats to the integrity, safety and quality of most business information systems and thus makes the development of effective security methods a top priority.

2.1 Crime in the Internet

Types of Computer Crime
a. External
   1. Visual spying
   2. Misrepresentation
   3. Physical scavenging
b. Hardware misuse
   4. Logical scavenging
   5. Eavesdropping
   6. Interference
   7. Physical attack
   8. Physical removal
c. Masquerading
   9. Impersonation
   10. Piggybacking attacks
   11. Spoofing attacks
   12. Network weaving
d. Pest Programs
   13. Trojan horse attacks
   14. Logic bombs
   15. Malevolent worms
   16. Virus attacks
e. Bypasses
   17. Trapdoor attacks
   18. Authorization attacks
f. Active misuse
   19. Basic active misuse
   20. Incremental attacks
   21. Denials of service
g. Passive misuse
   22. Browsing
   23. Inference, aggregation
   24. Covert channels
h. Inactive misuse
i. Indirect misuse

2.2 Money Theft
- involves fraudulent alteration of computer databases to cover the tracks of the employees involved

2.3 Service Theft
- the unauthorized use of computer systems and networks
- e.g. unauthorized use of company-owned computer networks by employees

Sniffers
- frequently used to monitor network traffic to evaluate network capacity, as well as reveal evidence of improper use

2.4 Software Theft
- or software piracy, unauthorized copying of software

2.5 Data Alteration / Theft
- making illegal changes or stealing data
- e.g. using computer networks to make changes in credit information

2.6 Malicious Access
- or hacking, obsessive use of computers, or the unauthorized access and use of networked computer systems

2.7 Computer Viruses
- destruction of data and software

Virus vs. Worm
- a virus is a program code that cannot work without being inserted into another program, while a worm is a distinct program that can run unaided.

SECURITY AND CONTROLS ISSUES IN INFORMATION SYSTEMS

1. IMPORTANCE OF CONTROLS

Effective controls provide:
a. information system security
   - accuracy, integrity and safety of information system activities and resources
b. quality assurance
   - computer-based information system more free of errors and fraud
   - information products of higher quality than manual types of information processing

Three major types of controls that must be developed to ensure quality and security of information systems:
a. Information System Controls
b. Procedural Controls
c. Facility Controls

2. INFORMATION SYSTEM CONTROLS
- methods and devices that attempt to ensure the accuracy, validity and propriety of information system activities.
- designed to monitor and maintain the quality and security of input, processing, output and storage activities of any information system.

a. Input Controls
- e.g. passwords, security codes, formatted data entry screens, audible error signals, templates over the keys of key-driven input devices, prerecorded and prenumbered forms, reasonable checks such as control totals (record count, batch total, hash totals)

b. Processing Controls
- developed to identify errors in arithmetic calculations and logical operations
- used to ensure that data are not lost or do not go unprocessed
- examples include:

  1) Hardware Controls
  2) Software Controls

Hardware Controls
- special checks built into the hardware to verify the accuracy of computer processing
- e.g.
  a) Malfunction Detection Circuitry - e.g. parity checks, echo checks, redundant circuitry checks, arithmetic sign checks, CPU timing, voltage checks
  b) Redundant Components - e.g. multiple read-write heads on magnetic tape and disk devices check
  c) Special-Purpose Microprocessors and Associated Circuitry - used to support remote diagnostics and maintenance

Software Controls
- ensure that the right data are being processed, e.g. OS or SW checking the internal file labels at the beginning and end of magnetic disk and tape files
- establishment of checkpoints during the processing of a program

Checkpoints
- intermediate points within a program on magnetic tape or disk or listed on a printer
- minimize the effect of processing errors or failures, since processing can be restarted from the last checkpoint (called a rollback) rather than from the beginning of the program
- also help build an audit trail which allows transactions being processed to be traced through all of the steps of their processing

c. Output Controls
- developed to ensure that information products are correct and complete and are available to authorized users in a timely manner
- several are similar to input controls, e.g. control totals
- other e.g. pre-numbered output forms used to control the loss of output documents such as stock certificates or payroll

d. Storage Controls

How to protect data resources
1) control responsibilities for files of computer programs and organizational databases may be assigned to data center specialists and database administrators
2) databases and files are protected from unauthorized or accidental use by security programs that require proper identification before they can be used, e.g. account codes, passwords, security codes, password encryption, smart cards
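
The control totals named under Input Controls and Output Controls (record count, batch total, hash total) can be computed when a batch is submitted and recomputed after processing. The following is an added example, not part of the original notes; the field names `account` and `amount` and all sample records are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class ControlTotals:
    record_count: int     # how many records are in the batch
    batch_total: Decimal  # sum of a meaningful field (here: amount)
    hash_total: int       # sum of a field with no arithmetic meaning (account no.)

def control_totals(batch):
    """Compute the three control totals for a list of transaction records."""
    return ControlTotals(
        record_count=len(batch),
        batch_total=sum((Decimal(r["amount"]) for r in batch), Decimal("0")),
        hash_total=sum(int(r["account"]) for r in batch),
    )

def reconcile(expected, actual):
    """Return the names of the totals that disagree (empty list = batch reconciles)."""
    return [name for name in ("record_count", "batch_total", "hash_total")
            if getattr(expected, name) != getattr(actual, name)]

# Constructed sample batch as submitted at data entry (the input control).
SUBMITTED = [
    {"account": "100234", "amount": "150.00"},
    {"account": "100877", "amount": "75.50"},
    {"account": "101502", "amount": "310.25"},
]
EXPECTED = control_totals(SUBMITTED)

# Constructed failure cases, as seen when totals are recomputed at output.
DROPPED = SUBMITTED[:2]                                   # a record went unprocessed
ALTERED_AMOUNT = [SUBMITTED[0],
                  {"account": "100877", "amount": "750.50"}, SUBMITTED[2]]
MISKEYED_ACCOUNT = [SUBMITTED[0],                         # right amount, wrong account
                    {"account": "100878", "amount": "75.50"}, SUBMITTED[2]]
# Caveat: two account errors that cancel out leave every total unchanged, so
# control totals catch accidental errors but are not proof against tampering.
OFFSETTING = [{"account": "100235", "amount": "150.00"},
              {"account": "100876", "amount": "75.50"}, SUBMITTED[2]]

if __name__ == "__main__":
    for label, batch in [("dropped", DROPPED), ("altered amount", ALTERED_AMOUNT),
                         ("miskeyed account", MISKEYED_ACCOUNT),
                         ("offsetting", OFFSETTING)]:
        print(label, "->", reconcile(EXPECTED, control_totals(batch)) or "reconciles")
```

The offsetting case is why control totals are paired with the storage and access controls listed above rather than relied on alone.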
