IT security is a key concern in software industry. Thus whatever role you are playing or technology you are working on, maintaining IT security is an essential job too! Additionally, you must be ready to meet these challenges. But why is this increased concern? Well,the first thing that comes in mind is with the increased use of information technology, it has become an essential part of daily life. But somewhere it is not being used ethically and that’s the point when it breaches the security. Let’s explain the terms in real life perspectives.
The term security and ethical issue for IT cover the system management, security policies, and its implementation to protect organizations, their employees, customers and all other stakeholders from external malicious threats. This also covers the internal threats like noncompliance with company’s IT policy. Additionally,this has enormous implications for the emerging IT areas like Big Data, social media and BYOD (Bring Your Device).
Furthermore, with the advancement of IT, more updated technologies are popping up on the market whereas IT professionals and users are not aware of how to face the risk factors with these upcoming technologies as there are many loopholes. Not to mention, criminals have been using these flip sides and as result ,cybercrime is at its high pace.Interestingly, it has turned into a rising profession too,as information technology gives the speed, easy access to information.
Not only that,threats also come from inside of an organization from the unfaithful employees who use information technology to serve their personal goals.
Types of crimes happened by the Internet access
IT crimes can be categorized into following types –
1. Hacking
Hacking is the unauthorized use of computer access. In hacking activity the hackers generally –
-Access or steal confidential data from a website or some profile
-Access files from a computer without proper authorization.
-Access computers remotely using some services.
-Plant virus programs which can help to access the computer by intruders.
2. Cyber theft
This fraudulent activity by unauthorized access of network and alternation of a database and stealing money from it.
3. Unauthorized use at work
This is misuse or unauthorized use of computer resources for entertainment, especially in a workplace by employees.
-Playing video games
-Unauthorized use of the internet for the personal purpose
-No work-related upload or download of the document
-Sharing confidential data over the Internet
-Moonlighting
Software Piracy
Every software is protected by individual copyright and user license that protects software to be made for a limited number of times. So, software piracy means unauthorized copying of software.
Piracy of intellectual property –
This involves unauthorized copying of videos, articles, images, music, etc.
Privacy Issues:
Information technology has enabled us to find and share relevant information through online mode. On the other hand, it has also exploited the value of privacy. There are so many ways privacy is exploited. Some examples are:
(1) By using internet webcams, proficient computer users can use any webcam of any computer online, and it will have access to people’s private life. Many celebrities have become victims of these online scams.
(2) Although the main concept of this networking is to connect with friends and relatives and to share life with them, however, the flaw in this is that using your private profile anyone can share your confidential information like photos, or can send fake friend requests to unknown people. This might expose one to users with wrong intentions. Also some companies use social media for spying on their employees. Cybercrime has increased these days through social media which is alarming for the society.
Copyright issue:
Using information technology it is now easy for users to access any information or artifact at any given point of time. With the enhanced development of music sharing networks and photo bookmarking sites, the original creators of these artifacts are losing the credibility of their work, because IT users of can easily get access and share that data with friends. Availability of free music and different file downloading sites are increasing on the internet every day.
Besides, users can freely download music albums, files, books, etc. In this scenario, one genuine user will purchase the item by onetime payment, and they will submit it to a free download site. From these sites, other users can simply download that data freely. It is profitable and useful news for the users as it saves their money, but it is copyright infringement for the original creator of the work. Though Government has closed some of these sites, but many are still there and running successfully.
Rising pressure on IT experts:
As the information technology service is committed to providing the service 24hrs a day, so there is immense pressure on the IT people. Most of the IT giants need a standby IT team to operate for 24 hours. Overwork and an increased amount of stress create imperfection among the employees.
Security
With the advancement of the internet, it has become very easy for hackers to hack into any computer or related system as long when it is connected on the internet. Using an IP address hackers can easily access a user’s computer and use data for unethical reasons. Also, the wide usage of internet cookies which is used to collect information whenever we use the internet has given IT users to high risks of fraudulent activities and conflicting interests.
These cookies are used by big companies to determine the products or services they can use for advertisement. A hacker can easily interrupt online banking operation in between the transaction, and the whole transacted amount can be transferred to hackers’ account. This can have severe implication to both the bank as well as their customers. This is a misuse of technology.
Digital divide
Information technology has immense opportunities, and it has reformed many industries in developed and developing countries. But developing countries have difficulties taking the same benefits of Information technology. To get proper benefits, they need to train their human resources and end users. They should also have to adopt the new culture which is a bit costly comparing the economic conditions of the society of these developing countries.
Also,there are remote areas in these countries where they do not even have power, so information technology tools like computers cannot be used. In other sectors like education, most of these developing countries have poor old education systems, so a student will not be aware of new information technologies.
Ethical Issues faced by IT
Ethical issues of IT arise when “one party in pursuit of its goals engages in behavior that materially affects the ability of another party to pursue its goals. When the effect is helpful – good, right, just – we say the behavior is praiseworthy or exemplary. When, however, the effect is harmful – bad, wrong, unjust – the behavior is unethical” (Mason, 1995).
In fact, many IT professionals don’t even realize that their jobs involve ethical issues. So, decisions are taken on a daily basis that raise ethical questions.
With the rising demand for Big Data, it has become one of the ethical issue concerns for IT organizations. At the one side, it enables companies to compete in the market in an efficient way when used ethically. But it has a big concern over data privacy if not used securely. According to Davis & Patterson (2012), just three data points – gender, date of birth and zip code – can identify 87% of US citizens in any given data set. If companies have one of three data points, they can correlate that data with other sets and identify specific individuals.
IT Security challenges faced by Industry
The security problems of an IT organization fall into many categories which can affect overall function, almost at every level.
Any cyberspace is comprised of computer resources with a network of and all the fixed and mobile devices which are connected to the global Internet. A country’s cyberspace is a segment of the global cyberspace and which cannot be separated which makes it unique. Also,every nation is investing widely in their ICT infrastructures to providing higher accessibility to people. This also helps to integrate a country’s economy with the global marketplace and to enable citizens to access maximum e-services to make life easier.
However,with emerging security threats, there is increased stress on the security of the cyberinfrastructure. As the Internet protocols are not secure, and the mobile devices are using the same systems which are not secured,hence it has become more vulnerable in current cyberspace. Thus, it is now a major challenge to protect critical infrastructure operations.
On an average day there are a huge number of dollars are transacted for business and personal use in almost every sector of the global economy. From electricity to water distribution, different utility services are based on ICT infrastructure. Moreover, the defense sector of any country highly relies on internet systems.
Responsibility and Ownership of IT system
Although in present days mainly private sectors own and operate critical security infrastructure, the government is also liable to play a significant role to handle cybersecurity. Due to the lack of governmental intervention, nations are struggling with cybercrimes. In an organization level also, cybersecurity is not only a technological issue, rather it’s a management problem. Assessing enterprise risk management is essential for the understanding process, law, resources, and network and last but not the least ICT security scenarios.
For securing ICT infrastructure, multiple agencies can take charge which may include private operators also for the respective parts of the infrastructure. But to make it a success, all their efforts must be firmly coordinated with each other. This can only create a unifying structure which may be accountable for cybersecurity.
Hence, roles and responsibilities must be clearly defined for each of the parties. At the same time, an appropriate policy with legal structures must be established by the government. Nations, like the United States, have declared for a market-based, voluntary approach for industry cyber security which is a part of the National Strategy to secure its Cyberspace.
But this has not worked successfully, as the security investments made by industry, as per its corporate needs, are not found to be matched with the broader national interest. But to generate additional private investments some initiative from government, like incentive program may be a need to bridge the gap between the already invested security measures and for the additional ones, to secure critical infrastructure.Several security surveys reveal a lack of proper knowledge among executives about security policy and incidents, the updated technological solutions, data hacking, financial issue, and the training that is required for their employees.
Besides,legal concepts for “standards of care” do not apply in cyberspace as it is a new concept. In this area also the government can intervene with incentive plans to industries to tighten their security level. They can bring new regulatory requirement and compliances to improve security.
How to protect information
Administering Legal Counsel:
Legal guidance is necessary to respond in case of a possible data breach. Legal obligations can vary based on business to business scenarios. One cannot get a prompt response from an attorney who is specialized in privacy and data security issues. So every company should have a data breach action and response plan prepared in advance by the legal advisor. This can help to protect confidential information from security threats.
Taking Technical Help:
Investigating technical loopholes in advance can protect information and defend security breach. The purposes of the technical investigation are:
-To reconstruct the attack for uncovered vulnerabilities.
-To find out the scope of the attack
-To find out specific data which are already exposed
-To determine immediate and long-term remedies to protect data.
-To identify the responsible parties
Preserve the Evidence:
The quality of collected pieces of evidence measure the success of an investigation. The criminals can delete the relevant files or can do modifications to foil potential pieces of evidence to cover their traces. A forensic investigation can although uncover the pieces of evidence after any change done in the systems after the breach. So preserving pieces of evidence is essential after discovering a possible breach. Although defining exact steps is difficult, but advisable steps may be taken which include:
-Turning off the server(s), that may not be a proper shut down of the server.
-Discard all hard drives out of the affected servers
-Appoint a properly-trained forensic consultant to create forensic images of server and hard drives which can be used as court-defensible evidence.
-The rebuilding of a secured system using new drives
-Create forensically-sound pieces of evidence of backup media, networking details such as network logging, firewall logs, intrusion detection systems, all relevant log files, may contain evidence of the crime over time
-Documenting and preserving copies of network configuration with the layout at the time of the attack, which should include network topology, as well configuration of any routers and firewalls
-If removing of hard drives is not possible immediately, taking backup of the entire system is necessary before modifying it. This enhances system security. There is no need to copy the entire data completely ; rather preserving originals of files which have been modified files can take care to ensure that the preservation process can retain metadata such as file creation and last-modified dates.
Copies of any system should also be stored along with application, server, FTP, database, and other logs as soon as possible. Useful information even after attackers have done modification in those log files. So, backups of data and logs must be preserved as there are high possibilities of those being deleted or modified over time.
-Documenting any changes in system settings, accounts, firewall settings, etc. is necessary to avoid confusion with fraudulent activities. For example, one could take a screenshot of particular configuration settings or back up the related configuration files both before and after a change is made. One of the major benefits of this activity is this evidence can demonstrate remediation process to any other person who may assess the efforts to mitigate the breach.
-When working with a specialist regarding data breach, the specialist has a duty to provide his independent analytical thoughts. They may include:
-Interrogating about the operations
-Asking the organization to make their IT staff and policies available to further proceeding in an investigation
-Asking the organization to show the confidential data belonging to the organization as well of the clients. This may request for contracts between both the parties.
-Suggesting additional ways of protecting your system, this may not be related to the investigation but can reduce the potential risk of possible future attacks.
-Presenting evidence that confirms the possible scope of the attack
-Preservation of evidence can make security process as painless as possible, to helping an organization to achieve the goal of protecting data and the trust of their customers.
In most of the cases, organizations learn to respond only after facing security attacks. Early prevention can reduce the security cost concerning data and money; that is why appropriate incident response must be an essential part of an organization’s complete security policy with risk-minimizing strategy. The organization can also get benefit from the insurance company if they can show that they are capable of handling attacks efficiently.
Process with procedures to use for responding to threats identified
To effectively respond to security incidents following steps to be followed:
-Try to reduce the number as well as he severity of incidents.
-Prepare a team for Computer Security Incident Response Team (CSIRT).
-Make a response plan for any incident and make it ready.
-Restrain the risk and damage of security attack.
Before beginning the task
System administrators are responsible for documenting the network environment and as they spend the majority of their work hours with network related devices. They are knowledgeable as well about the network system. So,they also keep the backups for all the related systems and operations in place. Besides,every organization must follow an audit process to monitor the performance along with their proper utilization of this administrator team. Moreover,the organization should achieve an appropriate level of knowledge and awareness before admitting an incident response team.
Lastly, it is necessary to make different case scenarios of security attacks while preparing a response plan because there is always a risk of security attack although adequate networking knowledge is available.
How to minimize the occurrences and impact of security attacks
Prevention is better than cure. It is expected that preventive measures should be taken care of before the event of any security incident. However, the reality is, it is not possible to prevent all such incidents. But with proper precautions, at least minimization of the impact can be possible. There are few points to be taken care while establishing a security measure in an organization:
1. All the policies related to security and procedures need to be developed and must be clearly stated to the employees. Because it is seen that many incidents happen due to the mistakes of IT people who are responsible for configuring security devices like firewalls, authentication systems, etc. They might not follow the proper procedures as guided by the management. So the security policies with procedures must be thoroughly checked to confirm that they have clarity and provide the appropriate level of security for the organization.
2. Management support is necessary for implementing security policies as well as incident management.
3. Routine assessment is needed to find out vulnerabilities in the environment. These assessments must be performed by security personnel with expertise in that field. He must have appropriate permission to perform the actions which may include bonds as well.
4. Routine check-up to all computers along with network devices is necessary to confirm that these devices have all of the latest security patches installed in it.
5. Arranging training programs related to the safety for IT people and end users is necessary to make them aware of the latest scenarios. Because it is extremely vulnerable if the end users are not experienced and efficient.
6. Security banners can play a significant role to take preventive measures. Because it can remind a user about their responsibilities and limitations.It also warns people about the possible prosecution in the case of any violation. Proper legal advice is necessary before posting such banners.
7. Developing and implementing a strong password is necessary to enforce security.
8. Monitoring network traffic system is needed to analyze the system performance.
9. Checking all log files including operating system logs, application logs, etc. are needed. Scrutinizing logging mechanism and performance is also necessary.
10. Maintaining a backup system is needed, besides that verifying those backup and restore procedures along with access rights should regularly be monitored.
11. Assigning a Computer Security Incident Response Team (CSIRT) to deal with security incidents is necessary for every organization.
Making a Core CSIR Team
The CSIRT(Computer Security Incident Response Team) is the key team who deals with computer security incidents of an organization. This team of people is consists of individuals who are responsible for dealing with all security incidents. The duties of team members should be defined precisely so that no area of response remains uncovered.
This CSIRT team assembling is critical to an organization, and this can influence positively how incidents are handled in any situation. The responsibilities of a CSIRT team are:
1. Monitoring systems for security breaches.
2. Serve as a central point of communication, as a receiver of security incident reports and to disseminate valuable information to proper channel about the incident.
3. Documenting security incidents.
4. Promoting security consciousness within the company to prevent incidents from occurring in an organization.
5. Auditing support system and network system using processes like risk assessment and penetration testing.
6. Learning about new risk and security threats.
7. Researching on implementing new software patches.
8. Analyzing and development of new technologies to minimize security threats and risks.
9. Providing security consulting services.
10. Continually help to update current systems and procedures.
When a CSIRT team is created, an organization needs to prepare the team in a way so that they are capable and equipped to handle incidents.
Following steps can be taken care while making the team :
-Train the people for the proper use and location-based with critical security tools. It is advisable to equip them with portable computers which are preconfigured with security tools.This can help to get a faster response in case of any security incident. These computers and associated tools must be protected appropriately.
-Relevant communication information must be assembled correctly. The contact details for all people who are to be notified in case of any incident, including the contact numbers of CSIRT people must be available. The details of ISP provider and national law enforcement agencies must be available with the organization. Taking help from local law enforcement is also necessary in a case of incident and advice from the organization’s legal counselor is important in this case.
-All emergency system information like passwords of systems, IP addresses, router details, firewall rules, certification authority keys, contact details, etc. must be stored in a central computer in offline mode. This information must both be readily available and be kept extremely physically secure. Additionally, this information must be kept in encrypted mode. Access to this particular system must be restricted to the high level authorized people like CSIRT leader or company CIO, CTO.
-The number of members in a CSIRT team depends on the size and complexity of an organization. But the organization should ensure that they have enough members in their CSIRT team to adequately cover all of the duties at any time.
Establishing the Team Roles in the CSIRT team
A CSIRT team consists of several prime members.
1.CSIRT Team Leader –
There should be one individual in charge of all activities called CSIRT team leader. He will be responsible for reviewing all the activities of his team and will be coordinate the actions.
2.CSIRT Incident Leader –
He is the person designated to take responsibility for coordination of response in the event of any incident. He must take ownership of the incident. He will play as the channel of all communication related to the incident. Along with that, he will represent the entire CSIRT team to the outside stakeholders.
CSIRT Associate Members-
These are the members who are not part of core CSIRT team but responsible for a particular incident and can handle that officially. These members are selected from various departments of an organization. They must have adequate specialization in the areas which are affected by security incidents. They can be involved directly in an incident or can be used as the entry point to delegate the tasks to a more appropriate person from the department. The following table shows a suggested list of associate members with their roles.
Associate Member | Role Description |
IT ContactPoint | This member is responsible for the coordination between the CSIRT Incident Lead and the remaining members of the IT group.He plays a key role in communication between these two teams. It is not necessary for him to be a technical expert, but he must be capable enough to assign the right people from the IT group to handle the particular incident. |
Legal Advisor | This member is responsible for the coordination between the CSIRT Incident Lead and the remaining members of the IT group. He plays the key role in communication between these two teams. It is not necessary for him to be a technical expert, but he must be capable enough to assign the right people from the IT group to handle the particular incident. |
Legal Advisor | This member must be a lawyer who must be well versed with the response policies for a particular event. He must be capable of determining the legal procedures. He must be informed about the organization’s response policies in advance.This can minimize the risk of an organization. Any communication regarding outside law enforcement and external investigative agencies should also be coordinated with the Legal Representative. |
Officer for Public Relations | This member is a part of the public relation department. He must be responsible for promoting and protecting the public image of an organization. He will be responsible for crafting the message for the management. |
Management | Depending on the impact and intensity of an incident departmental or managers across the organization might be involved to approve and direct the security policy. They can address which incidents can be disclosed to the media and which are not. |
Awareness of Incident Response Plan
CSIRT team is responsible for taking appropriate measures against an incident. But along with that all IT personnel of an organization must be aware of the required action plan in the event of an incident. They should know how to report a security incident internally. Besides, that end users are also responsible for bringing the attention of CSIRT members or IT stuff in case of any suspicious activity.
The threat modeling guide for IT Infrastructure provides an easy understanding of the method for developing threat models for an IT infrastructure security. The threat modeling guide helps IT professionals to accomplish the following:
-To identify threats that might affect an organization’ IT infrastructures.
-To discover and analyze design and implementation issues which could be the risks for an IT infrastructure.
-To define the most significant threats and set the budget and planning accordingly.
-The following figure shows an outline structure of a threat modeling process:
Conclusion
Most of the established professions such as medicine or law have their own ethical rules and regulations. They follow mandatory oversight governing bodies, such as the national or state medical association or bar association, which has established a detailed code of ethics.
But for IT no code of law is mandated as of now for the IT and security professionals. Also, there is no standard governing body. But, nowadays the question of ethical behaviour in the IT professions is also beginning to be addressed. The Association for Computing Machinery (ACM) which are voluntary professional associations have developed their own codes of ethics and professional conduct, which can serve as a guideline for individuals and other organizations.
Please share your valuable inputs in comment area to make the article more informative.