CS405 & CS406 REVIEWER

The document outlines the concepts of information, security, and information security, emphasizing the importance of protecting data and systems from threats. It details key principles of computer security, including confidentiality, integrity, and availability, as well as the significance of investing in security measures to mitigate risks. Additionally, it discusses the roles of organizations, employees, vendors, and government in maintaining cybersecurity and highlights various threat categories and preventive measures.

CS 405

WHAT IS INFORMATION?

Information is expressed either as the content of a message or through direct or indirect observation. That which is perceived can be constructed as a message, and in that sense, all information is always conveyed as the content of a message.

WHAT IS SECURITY?

It is a state of being secure and free from danger or harm, the actions taken to
make someone or something secure.

INFORMATION SECURITY?

The protection of information and its critical elements, including the systems and hardware that use and transmit information.

It includes information security management, data security and network security.

A successful organization should have multiple layers of security in place to protect the following:

1. Operations
2. Physical Infrastructure
3. People
4. Functions
5. Communications
6. Information

KEY INFORMATION SECURITY CONCEPTS

1. Access – permission, liberty, or ability to enter.
2. Asset – property owned by a person or a company, regarded as having value.
3. Attack – to take aggressive action against (a place or enemy forces) with weapons or armed force.
4. Control/Safeguard/Countermeasure – something that ensures protection against danger or damage, like a document authorizing safe-conduct.
5. Exploit – a program, or a piece of code, designed to find and take advantage of a security flaw or vulnerability in a company’s computer system, typically for malicious purposes such as installing malware.
6. Exposure – the state of being exposed to contact with something.
7. Loss – the fact or process of losing something.
8. Protection Profile or Security Posture – refers to an organization’s overall state of cybersecurity readiness.
9. Risk – uncertainty about the effect/implication of an activity, or the possibility of something bad happening.
10. Threat – an expression of intention to inflict evil, injury, or damage.
11. Vulnerability – the quality of being easily hurt or attacked.

CRITICAL CHARACTERISTIC OF INFORMATION

1. Availability
 Enables authorized users (people or computer systems) to access
information without interference or obstruction and to receive it in the
required format.
2. Accuracy
 Information has an accuracy when it is free from mistakes or errors and
has the value that the end user expects. If information has been
intentionally or unintentionally modified, it is no longer accurate.
3. Authenticity
 Authenticity of information is the quality or state of being genuine or
original, rather than a reproduction or fabrication. Information is
authentic when it is in the same state in which it was created, placed,
stored or transferred.
4. Confidentiality
 Information has confidentiality when it is protected from disclosure or
exposure to unauthorized individuals or systems.
5. Integrity
 Information has integrity when it is whole, complete and uncorrupted.
6. Utility
 The utility of information is the quality or state of having value for
some purpose or end. In other words, information has value when it can
serve a purpose.
7. Possession
 The possession of information is the quality or state of ownership or
control.

COMPONENTS OF INFORMATION SYSTEM

Information System (IS) is the entire set of people, procedures and technology that
enables business to use information.

1. Software
2. Hardware
3. Data
4. People
5. Procedures
6. Networks

COMPUTER SECURITY

Computer security, also known as cybersecurity, focuses on protecting computer systems, networks, and data from unauthorized access, attacks, damage, or theft. It ensures that sensitive data remains protected, operations are not disrupted, and resources are used appropriately.

IMPORTANCE OF COMPUTER SECURITY

Computer security is critical for safeguarding information, maintaining operational functionality, and ensuring user trust. It reduces the risk of unauthorized access, data breaches, financial losses, and reputational harm.

3 CORE PRINCIPLES OF COMPUTER SECURITY

 Confidentiality
Confidentiality ensures that sensitive information is only accessible to
authorized individuals or systems. It prevents unauthorized disclosure of
information, safeguarding privacy and secrecy.
KEY PRACTICES:
o ENCRYPTION: transforming data into unreadable formats to prevent
unauthorized access.
o ACCESS CONTROL: Implementing policies to restrict access to data
based on user roles and permissions.
o MULTI-FACTOR AUTHENTICATION (MFA): Adding an extra layer of
security by requiring multiple verification steps.

REAL-WORLD EXAMPLES:

o Secure messaging apps like Signal or WhatsApp use end-to-end encryption.
o Banks encrypt data during online transactions to protect customer information.

 Integrity
Integrity ensures that data is accurate and consistent and cannot be
altered or tampered with without detection. It prevents unauthorized
modification, ensuring that data remains trustworthy.
KEY PRACTICES:
o CHECKSUMS: Verifying data integrity by comparing hash values.
o DIGITAL SIGNATURES: Ensuring authenticity and integrity of
electronic communications.
o SECURE HASH ALGORITHMS (E.G., SHA-256): Preventing
unauthorized data modification.

REAL-WORLD EXAMPLES:

o Software update files are digitally signed to verify their authenticity and integrity.
o Blockchain technology ensures integrity through its decentralized ledger system.
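The difference between the checksum and digital-signature practices listed above, as an added example that is not from the original reviewer: a plain SHA-256 checksum catches accidental corruption, but whoever can replace the file can also publish a freshly computed checksum, whereas a keyed tag (used here as a stand-in for a digital signature) cannot be reproduced without the publisher's key. The file contents, the key and the function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample "update file" contents for the demo (not real software).
ORIGINAL_UPDATE = b"installer v1.2.0: run with verify=on\n"
TAMPERED_UPDATE = b"installer v1.2.0: run with verify=off\n"

# Hypothetical publisher key. A real publisher would use an asymmetric
# signing key (e.g. Ed25519) so that verifiers never hold any secret.
PUBLISHER_KEY = secrets.token_bytes(32)


def sha256_hex(data: bytes) -> str:
    """Checksum: the plain SHA-256 digest of the file."""
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, published_hex: str) -> bool:
    """Integrity check: recompute the digest and compare with the published one."""
    return hmac.compare_digest(sha256_hex(data), published_hex)


def sign(data: bytes, key: bytes) -> str:
    """Stand-in for a digital signature: an HMAC-SHA256 tag under the publisher key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def signature_valid(data: bytes, tag_hex: str, key: bytes) -> bool:
    """Authenticity + integrity check: the tag must verify under the trusted key."""
    return hmac.compare_digest(sign(data, key), tag_hex)


def checksum_only_scenario() -> tuple:
    """Returns (honest_ok, corruption_detected, substitution_detected)."""
    published = sha256_hex(ORIGINAL_UPDATE)
    honest_ok = checksum_matches(ORIGINAL_UPDATE, published)
    # A corrupted or altered file no longer matches the publisher's checksum.
    corruption_detected = not checksum_matches(TAMPERED_UPDATE, published)
    # But a compromised mirror can serve an altered file together with a
    # freshly computed checksum, and the check passes: nothing is detected.
    mirror_checksum = sha256_hex(TAMPERED_UPDATE)
    substitution_detected = not checksum_matches(TAMPERED_UPDATE, mirror_checksum)
    return honest_ok, corruption_detected, substitution_detected


def signed_scenario() -> tuple:
    """Returns (honest_ok, substitution_detected) when a keyed tag is used."""
    tag = sign(ORIGINAL_UPDATE, PUBLISHER_KEY)
    honest_ok = signature_valid(ORIGINAL_UPDATE, tag, PUBLISHER_KEY)
    # Without the publisher key, no valid tag for the altered file can be made;
    # a tag computed under any other key fails verification.
    other_tag = sign(TAMPERED_UPDATE, secrets.token_bytes(32))
    substitution_detected = not signature_valid(TAMPERED_UPDATE, other_tag, PUBLISHER_KEY)
    return honest_ok, substitution_detected


if __name__ == "__main__":
    print("checksum only:", checksum_only_scenario())  # (True, True, False)
    print("keyed tag:", signed_scenario())             # (True, True)
```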
 Availability
Availability ensures that systems, data, and resources are accessible to
authorized users whenever needed. It minimizes downtime and disruptions
to ensure continued functionality.
KEY PRACTICES:
o REDUNDANT SYSTEM: Deploying backup servers and systems to
prevent single points of failure.
o BACKUPS: Regularly creating data copies to restore systems after
disruptions.
o DDoS MITIGATION: Implementing strategies to prevent Distributed
Denial-of-service (DDoS) attacks.

REAL-WORLD EXAMPLES:

o Cloud service providers like AWS and Google Cloud offer redundancy to ensure 99.9% uptime.
o Banks use high-availability systems to ensure 24/7 access to online banking services.

WHY BUY SECURITY

In the context of computer security, "buying security" typically refers to the acquisition of security products, services, or solutions designed to protect computer systems, networks, and data from cyber threats. This can include a wide range of offerings, such as:

1. Software Solutions:

 Antivirus and Anti-malware Software: Programs that detect and remove malicious software from computers and networks.
 Firewalls: Hardware or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
 Intrusion Detection and Prevention Systems (IDPS): Tools that monitor network or system activities for malicious activities or policy violations.

2. Hardware Solutions:

 Security Appliances: Dedicated devices that provide security functions, such as firewalls, intrusion prevention systems, and unified threat management (UTM) devices.
 Encryption Devices: Hardware that encrypts data to protect it from unauthorized access.

3. Cloud Security Services:

 Cloud Access Security Brokers (CASBs): Solutions that provide visibility and control over data and applications in the cloud.
 Security as a Service (SECaaS): Cloud-based security services that provide various security functions, such as threat detection, data loss prevention, and identity management.

4. Managed Security Services:

 Outsourced Security Operations: Services provided by third-party vendors to monitor and manage an organization’s security posture, including threat detection, incident response, and compliance management.

5. Consulting and Training:

 Security Assessments and Audits: Services that evaluate an organization’s security posture and identify vulnerabilities.
 Employee Training Programs: Programs designed to educate staff about security best practices, phishing awareness, and incident response.

6. Compliance Solutions:

 Tools and services that help organizations comply with industry regulations and standards, such as GDPR, HIPAA, or PCI DSS.

In summary, "buying security" in the realm of computer security involves investing in various products and services that help protect an organization’s digital assets from threats, ensuring the confidentiality, integrity, and availability of information. This investment is crucial for mitigating risks associated with cyberattacks and maintaining a secure computing environment.

IMPORTANCE OF BUYING SECURITY

Investing in computer security is essential to protect sensitive data from theft, damage, and cyber threats. It safeguards your systems against malware, hacking, and identity theft, ensuring the integrity and confidentiality of your information.

 Protection of Sensitive Data: Investing in security measures helps safeguard sensitive information such as personal data, financial records, and intellectual property from unauthorized access and breaches.

 Mitigation of Cyber Threats: With the rise of cybercrime, including ransomware and phishing attacks, purchasing security solutions is crucial to defend against these evolving threats that can compromise systems and data.

 Regulatory Compliance: Many organizations are required to comply with data protection regulations (e.g., GDPR, HIPAA). Investing in security ensures adherence to these laws, avoiding potential fines and legal issues.

 Maintaining Business Continuity: Effective security measures help prevent disruptions caused by cyber incidents, ensuring that business operations can continue smoothly without significant downtime.

 Building Customer Trust: Demonstrating a commitment to security can enhance customer confidence, as clients are more likely to engage with businesses that prioritize the protection of their data.

 Cost-Effectiveness: While there is an upfront cost associated with purchasing security solutions, the potential financial losses from data breaches, including recovery costs and reputational damage, can far exceed these initial investments.

 Holistic Risk Management: Security investments contribute to a comprehensive risk management strategy, addressing not only technological vulnerabilities but also human and process-related risks.

 Adaptation to Technological Changes: As technology evolves, so do the methods used by cybercriminals. Investing in security ensures that organizations can adapt to new threats and protect their assets effectively.

ELEMENTS OF COMPUTER SECURITY

Computer security involves protecting systems and data from threats like hackers, viruses, and unauthorized access.
o Prevention: Measures to stop security breaches before they occur, such as firewalls, antivirus software, and training.
- The best way to handle security threats is to prevent them in the first place. This is done by using:
- Firewalls: act like security gates to block harmful internet traffic.
- Antivirus: detects and removes viruses and malware.
- Security training: educating employees on how to spot phishing scams, use strong passwords, and follow company security policies.

o Detection: Identifying potential security threats in real time. Even with strong security, some threats may still get through. The next step is to detect them quickly before they can cause damage. This is done by using:
- Intrusion detection systems (IDS): like security cameras that monitor networks and alert the company when suspicious activity is detected.
- Monitoring tools: track login attempts, file access, and network traffic for unusual behavior.
o Response: acting fast when an attack happens. If a security threat
is detected, companies need to act quickly to limit the damage.
This includes:
- Incident response plans: a step-by-step guide on how to
handle security breaches.
- Isolating infected system: if a computer gets hacked, it may
need to be disconnected from the network to stop the spread.
o Recovery: Restoring normal operations after a security breach.
This involves:
- Backups: saving copies of important data so it can be restored
if lost or encrypted by ransomware.
- Disaster recovery plans: a plan to rebuild systems, restore
data, and resume operations as quickly as possible.
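The "monitoring tools: track login attempts" point under Detection, as an added example that is not part of the original reviewer: a small detector reads constructed syslog-style login lines, counts failures per source address in a sliding window, and raises an alert both for a burst of failures and for a successful login that immediately follows one (the case a responder most wants to see). The log layout, thresholds and addresses are assumptions made for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in a syslog-like layout (not from a real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for admin from 198.51.100.7
2024-03-01T09:00:03 sshd: Failed password for admin from 198.51.100.7
2024-03-01T09:00:04 sshd: Failed password for root from 198.51.100.7
2024-03-01T09:00:06 sshd: Failed password for admin from 198.51.100.7
2024-03-01T09:00:07 sshd: Failed password for admin from 198.51.100.7
2024-03-01T09:00:09 sshd: Accepted password for admin from 198.51.100.7
2024-03-01T09:05:00 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:45:00 sshd: Accepted password for alice from 203.0.113.5
"""

# Assumed line format: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)

WINDOW_SECONDS = 60   # sliding window in which failures are counted (assumed)
FAIL_THRESHOLD = 5    # failures inside the window that raise an alert (assumed)


def parse_line(line: str):
    """Turn one log line into an event dict, or None if it is not a login line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(log_text: str) -> list:
    """Return alerts for failure bursts and for a success right after a burst."""
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures in window
    burst_flagged = set()                 # ips already reported for a burst
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        # Drop failures that have fallen out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if ev["ok"]:
            # A success while the window still holds a burst is the highest-priority alert.
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("success-after-burst", ev["ip"], ev["user"]))
            q.clear()
        else:
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and ev["ip"] not in burst_flagged:
                burst_flagged.add(ev["ip"])
                alerts.append(("failure-burst", ev["ip"], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single failure by alice forty minutes before her successful login falls outside the window and raises nothing, so the detector stays quiet on ordinary typos.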

EXTENT OF RESPONSIBILITIES

o Organizations: protecting data and enforcing security policies. Businesses must:
- Set up security policies.
- Train employees on security best practices.
- Protect customer data from hackers and breaches.

o Employees: following security rules and being cautious. Every employee plays a role in keeping the company secure. They should:
- Follow security protocols (using strong passwords or multi-factor authentication).
- Report suspicious activity (unusual emails or unauthorized access attempts).
- Avoid risky behaviors, like clicking on unknown links or using personal flash drives on company computers.
o Vendors: should ensure their products and services comply with security standards. Companies often rely on third-party vendors for software, cloud services, or IT support. Vendors must:
- Ensure their software is secure and free from vulnerabilities.
- Follow security standards like encryption and compliance regulations.
Ex. A company using a cloud storage service ensures that the vendor encrypts data and follows security best practices.
o Government: Enforcing cybersecurity laws and regulations. The
government helps to protect businesses and individuals.
- GDPR (General Data Protection Regulation) is a law in Europe
that protects the privacy and personal data of European Union
citizens.
Main rule: companies cannot collect, use, or share a person’s
data without their clear permission.
- HIPAA (Health Insurance Portability and Accountability Act) – A
U.S. law that protects patients’ medical information and ensures
that healthcare providers keep it private and secure.
Main rule: hospitals, clinics, doctors, and insurance companies
cannot share or use a patient’s health data without their consent
(unless required by law).

THREAT CATEGORIES AND REPORTED CRIMES

Understanding the different sources of threats helps organizations prepare and implement appropriate defenses.

Disgruntled Employee or Contract Employee

These are individuals within the organization who become dissatisfied and may
misuse their insider access intentionally to harm the organization.

These are the employees or contract workers who feel undervalued, mistreated, or
wronged by their employer and may become a security risk. Their insider access to
sensitive systems, data, and infrastructure gives them the ability to cause
significant harm, whether out of revenge, frustration, or financial gain. These
individuals may act alone or collaborate with external parties, such as competitors,
or cybercriminals, to exploit organizational weakness.

Examples of Threats

 Deleting or corrupting sensitive data: An employee might erase important files or introduce malicious software to disrupt operations.

(Tesla (2018): a disgruntled employee modified Tesla’s manufacturing operating system and leaked highly confidential data to third parties. Elon Musk revealed that the employee acted out of frustration after being passed over.)

 Leaking confidential information: Sensitive organizational data may be shared with external parties or competitors.

(Google vs. Anthony Levandowski (2017): A former Google engineer stole 14,000 confidential documents related to self-driving car technology before leaving to join Uber. He was later sentenced to prison for trade secret theft.)

 Sabotaging critical systems: Employees may deliberately damage hardware or software to interrupt workflows.

(UBS PaineWebber (2002): a disgruntled IT employee planted a logic bomb in the company’s network, set to delete files at a scheduled time. The attack caused millions in damages before the employee was arrested and sentenced.)

Preventive Measures

 Restricting Access: Applying the least privilege principle to limit access to essential data and systems.

 Activity Monitoring: Using tools to track and log employee activities.

 Security Awareness Training: Regularly educating employees on ethical behavior and the consequences of misuse.

Organized Crime or Drug Cartel

Organized criminal groups often use cybercrime as a means to fund illegal operations or evade law enforcement.

Examples of Threats

 Ransomware attacks: Encrypting organizational data and demanding payment to unlock it.

 Stealing financial information: Hacking into systems to steal credit card or banking information for fraudulent purposes.

 Money Laundering: Using online platforms to conceal the origins of illegally obtained funds.

Preventive Measures

 Strong Encryption: Protect sensitive data from unauthorized access.

 Secure Payment Gateways: Ensure all financial transactions are carried out using a secure and verified platform.

 Law Enforcement Collaboration: Work with authorities to share information and combat criminal activities effectively.

Cyber Criminal

Cybercriminals engage in illegal activities online for personal or financial gain.

Examples of Threats

 Phishing scams: Deceptive emails or websites designed to steal sensitive information, such as passwords or credit card numbers.

 Identity theft: Stealing personal information to impersonate someone and commit fraud.

 Distributed Denial of Service (DDoS) attacks: Overloading a network or website with traffic to disrupt its operations.

Preventive Measures

 Anti-Malware Solutions: Deploy software to detect and prevent malicious activities.

 User Education: Train users to recognize and avoid scams.

 Network Monitoring: Continuously monitor for suspicious activities.

Competitors

Competitors may engage in unethical practices such as corporate espionage or sabotage to gain an advantage.

Examples of Threats

 Stealing trade secrets: Accessing confidential innovations or strategies to replicate them.

 Spreading disinformation: Deliberately circulating false information to harm the organization’s reputation.

 Hacking proprietary systems: Breaking into systems to disrupt operations or steal valuable data.

Preventive Measures

 Protect Intellectual Property: Use digital rights management (DRM) to secure sensitive data.

 Conduct Risk Assessments: Regularly evaluate vulnerabilities and address them proactively.

 Legal Measures: Pursue legal action against competitors engaging in unethical practices.

Hackers

Hackers are individuals with advanced technical skills who breach systems for
various motivations, such as personal gain, activism, or curiosity.

Examples of Threats

 Website defacement: Altering the appearance of a website to damage reputation.

 Exploiting software vulnerabilities: Taking advantage of system flaws to gain unauthorized access.

 Data Breaches: Stealing or manipulating data from networks.

Preventive Measures

 Software Updates: Regularly update systems to fix vulnerabilities.

 Penetration Testing: Simulate cyberattacks to identify weaknesses.

 Firewalls and IDS: Block unauthorized access attempts.

Government

These threats come from state-sponsored entities that may engage in cyber
operations for intelligence gathering, sabotage, or warfare.

Examples of Threats

 Cyber espionage: Stealing sensitive data or intellectual property for strategic advantages.

 Attacking critical infrastructure: Disrupting essential systems like power grids, communication networks, or transportation.

 Spreading misinformation: Influencing public opinions or destabilizing social systems through fake news campaigns.

Preventive Measures

 National Cybersecurity Frameworks: Establish guidelines for protecting critical infrastructure.

 International Collaboration: Share intelligence with allies to counteract state-sponsored threats.

 Advanced Monitoring: Use cutting-edge technologies to detect and mitigate attacks.

CS 406

Social Issues and Professional Practices

INTRODUCTION TO ETHICS
Ethics is the philosophical study of moral phenomena. Also called moral
philosophy, it investigates normative questions about what people ought to do or
which behavior is morally right.

Ethics is the rational reflection on what is right, what is wrong, what is just, what is
good, & what is bad in terms of human behavior.

 Some Ethical Principles are:
o Truthfulness
o Honesty
o Loyalty
o Respect
o Fairness
o Integrity

ORIGIN OF ETHICS

 The word Ethics is derived from the Latin word “Ethicus” & the Greek word
“Ethikos”.
 Ethics is a set of moral principles & a branch of philosophy which defines
what is good for individuals & society.
 There are many well-known figures in the history of ethics: the Greek
philosophers Plato & Aristotle; modern influences include Immanuel Kant,
Jeremy Bentham, John Stuart Mill, W.D. Ross, C.L. Stevenson, Alasdair
MacIntyre & John Rawls.

EVOLUTION OF ETHICS

 The evolution of ethics constructs a conceptual bridge between biology & human behavior. In theory, a cybernetic process is at the heart of developing ethical systems.
 Ethics merges with science in cybernetic ethics. This presents a persuasive theory describing how ethics can be linked to science and mathematics.
 Evolutionary ethics belongs to a branch of evolutionary science and not philosophy. Evolutionary ethics has no logical connection to the formal ethics of philosophy.

MODELS OF ETHICS

 Façade
o In its metaphorical sense, referring to a person and his/her actions, it
irrevocably carries negative ethical value: it is associated with
superficiality, sham, pretense, deception, and hypocrisy.
o Examples:
 A façade is the front of a building, or a kind of front people put
up emotionally. If you’re mad but acting happy, you’re putting
up a façade. This word has to do with the outer layer of
something.
 Walk their Talk
o When an individual or organization follows through on their words and
beliefs by taking actions that align with their stated values and goals. It
means demonstrating consistency between what they say and what
they actually do.
o Examples:
 Someone who acts very tough and talks very tough: if an actual
tough situation comes up and they are able to deal with it, you
could say that they “walk the talk”, but if they can’t, you would
say they are “all talk”.
 Opportunist
o The practice of taking advantage of circumstances, with little regard
for principles or for what the consequences are for others.
Opportunist actions are expedient actions guided primarily by self-
interested motives.
o Examples:
 He was portrayed as a ruthless opportunist who exploited the
publicity at every opportunity, using the situation to get power or an
advantage. The burglary was probably carried out by an
opportunist thief who noticed the door was open.
 Salt of the Earth
o The idiom salt of the earth refers to a person or a group of people who
are honest, hardworking, and reliable. “Salt of the Earth” originates
from the Bible, specifically the Sermon on the Mount. Jesus tells the
people, “You are the salt of the earth”, referring to the high value
placed on salt.
o Examples:
 “David is the salt of the earth. He’s always the first to help when
someone is in trouble”.

TYPES OF ETHICS

 META-ETHICS
o Meta-ethics is the branch of ethics that seeks to understand the nature
of ethical properties, statement, attitudes, and judgements.
o A meta-ethical question is abstract and relates to a wide range of more
specific practical questions.
o Examples:
 “Abortion is morally wrong”
 “Going to war is never morally justified”
 NORMATIVE ETHICS
o Normative ethics is focused on exploring what actions are morally
correct or incorrect and how one ought to conduct themselves in
various situations.
o Definition
 According to Bishai (2021), normative ethics “… is the branch of
philosophical ethics that investigates the set of questions that
arise when considering how one ought to, morally speaking” (p. 155).
o Types
 Virtue ethics : places emphasis on character and values
 Deontology: Emphasizes the importance of following moral
rules
 Consequentialism: emphasizes the importance of the
consequences of an action
o Examples:
 “simple judgment of liking or pleasurable”.
 APPLIED ETHICS
o The application of ethics to real-world problems. Practical ethics
attempts to answer the question of how people should act in specific
situations.
o Examples:
 Sex before marriage.
 Gay/Lesbian marriage
 Death Penalty
 DESCRIPTIVE ETHICS
o A form of empirical research into the attitudes of individuals or groups
of people. In other words, this is the division of philosophical or general
ethics that involves the observation of the moral decision-making
process with the goal of describing the phenomenon.
o Examples:
 Descriptive ethics are judgements about the “rightness” or
“wrongness” of things in terms of people’s opinions. Some
examples of descriptive ethics include: “68% of respondents
said they disapprove of the administration”.
 “This movie has a pretty bad rating on Rotten Tomatoes”.

INTRODUCTION TO SOCIAL ISSUES

A field of study that examines how societal problems, like discrimination, inequality,
and privacy concerns, intersect with professional conduct, requiring individuals in
various fields to consider the ethical implications of their actions within a broader
social context.

DEFINITION OF SOCIAL ISSUES

A social issue is a problem that impacts a significant portion of society, often causing debate and disagreement regarding its nature, causes, and potential solutions; it can range from issues like poverty and healthcare access to environmental degradation and gender equality.

Examples of Social Issues

1. Economic Issues
 Poverty and unemployment
 Income inequality
 Homelessness
2. Political and Human Rights Issues
 Corruption
 Discrimination (race, gender, religion, etc.)
 Violation of human rights
3. Health and Education Issues
 Lack of access to healthcare
 Mental health stigma
 Education disparity
4. Environmental Issues
 Climate change
 Pollution
 Deforestation
5. Social and Cultural Issues
 Gender inequality
 Crime and violence
 Substance abuse

COMPONENTS OF SOCIAL ISSUES

1. Cause (Root Factors)
The underlying reasons that lead to a social issue.
Causes can be:
 Economic – Unemployment, poverty, wealth inequality.
 Political – Corruption, lack of government policies.
 Cultural – Discrimination, gender inequality.
 Environmental – Climate change, pollution.
2. Affected Population
Social issues impact specific groups of people, often based on:
 Socioeconomic status (low-income communities, marginalized groups).
 Age (children, elderly, youth).
 Gender and identity (women, LGBTQ+ individuals).
3. Consequences (Effects on Society)
The impact of social issues can be seen in:
 Health – Disease outbreaks, mental health crises.
 Economy – Reduced productivity, poverty cycles.
 Society – Crime, inequality, unrest.
4. Possible Solutions and Interventions
Efforts to resolve social issues include:
 Government Policies – Laws, welfare programs, subsidies.
 Community Actions – NGOs, social activism, awareness campaigns.
 Education and Awareness – Promoting knowledge to address
misinformation and stereotypes.
