
Document: Securing the Information Infrastructure


DOCUMENT INFORMATION

Basic information

Title: Securing the information infrastructure
Authors: Joseph M. Kizza, Florence M. Kizza
Institution: University of Tennessee at Chattanooga
Subject: Cybersecurity
Type: Book
Year of publication: 2008
City: Hershey
Pages: 387
File size: 4.51 MB


Securing the Information Infrastructure

Joseph M. Kizza
University of Tennessee at Chattanooga, USA

Florence M. Kizza
Freelance Writer, USA

Cybertech Publishing


Acquisition Editor: Kristin Klinger

Senior Managing Editor: Jennifer Neidig

Development Editor: Kristin Roth

Published in the United States of America by

CyberTech Publishing (an imprint of IGI Global)

Web site: http://www.cybertech-pub.com

and in the United Kingdom by

CyberTech Publishing (an imprint of IGI Global)

Web site: http://www.eurospanonline.com

Copyright © 2008 by IGI Global. All rights reserved. No part of this book may be reproduced in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher. Product or company names used in this book are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.

Library of Congress Cataloging-in-Publication Data

Kizza, Joseph Migga.

Securing the information infrastructure / Joseph Kizza and Florence Migga Kizza, authors.

p. cm.

Summary: “This book examines how internet technology has become an integral part of our daily lives and as it does, the security of these systems is essential. With the ease of accessibility, the dependence to a computer has sky-rocketed, which makes security crucial”--Provided by publisher.

Includes bibliographical references and index.

ISBN 978-1-59904-379-1 (hardcover) ISBN 978-1-59904-381-4 (ebook)

1. Cyberterrorism. 2. Internet--Security measures. 3. Computer networks--Security measures. 4. Information superhighway--Security measures. I. Kizza, Florence Migga. II. Title.

HV6773.K59 2008

005.8--dc22

2007007405

British Cataloguing in Publication Data

A Cataloguing in Publication record for this book is available from the British Library.

All work contributed to this book is new, previously-unpublished material. The views expressed in this book are those of the authors, but not necessarily of the publisher.


To Immaculate, a wonderful mother and wife

Securing the Information Infrastructure

Table of Contents

Preface
Acknowledgment

Section I: Security Through Moral and Ethical Education

Chapter I: Building Trust in the Information Infrastructure
  Introduction
  Problems with Building Trust
  Steps to Building Trust
  Conclusion
  References

Chapter II: Need for Morality and Ethics
  Introduction
  Morality
  Ethics
  Codes of Professional Responsibility
  The Relevancy of Ethics in Modern Life
  Conclusion
  References

Chapter III: Building an Ethical Framework for Decision Making
  Introduction
  Principle of Duty of Care
  Work and Decision Making
  Pillars of a Working Life
  Need for an Ethical Education
  Decision Making and the Ethical Framework
  Conclusion
  References

Chapter IV: Security, Anonymity, and Privacy
  Introduction
  Security
  The Importance of Information Security
  Government and International Security Standards
  Information Security Evaluation Criteria
  Privacy
  Privacy and Security in Cyberspace
  Conclusion
  References

Section II: Security Through Innovative Hardware and Software Systems

Chapter V: Software Standards, Reliability, Safety, and Risk
  Introduction
  The Role of Software in the Security of Computing Systems
  Software Standards
  Reliability
  Software Security
  Causes of Software Failures
  Conclusion
  References

Chapter VI: Network Basics and Securing the Network Infrastructure
  Introduction
  Computer Network Basics
  Network Protocols and Layering
  Network Services
  Network Connecting Devices
  Securing the Network Infrastructure: Best Practices
  Conclusion
  References

Chapter VII: Security Threats and Vulnerabilities
  Introduction
  Types of Threats and Vulnerabilities
  Sources of Information Security Threats
  Best Practices of Online Security
  Conclusion
  References
  Appendix: Additional Reading

Chapter VIII: Security Policies and Risk Analysis
  Introduction
  Information Security Policy
  Aspects of Security Policies
  Building a Security Policy
  Types of Security Policies
  Conclusion
  References

Chapter IX: Security Analysis, Assessment, and Assurance
  Introduction
  Threat Identification
  Security by Analysis
  Security Assessment and Assurance
  Conclusion
  References

Chapter X: Access Control, Authentication, and Authorization
  Introduction
  Definitions
  Access Control
  Authentication
  Authorization
  Conclusion
  References

Chapter XI: Perimeter Defense: The Firewall
  Introduction
  Types of Firewalls
  Other Firewalls
  Virtual Private Network
  Firewall Issues Before Installation
  Configuration and Implementation of a Firewall
  Advantages of Firewalls
  Disadvantages of Firewalls
  Securing a Network by a Firewall
  Conclusion
  References

Chapter XII: Intrusion Detection and Prevention Systems
  Introduction
  Definitions
  Background of Intrusion Detection
  Basic Modules of an Intrusion Detection System
  Intrusion Detection Models
  Responses to Intrusion Detection Reports
  Types of Intrusion Detection Systems
  Challenges for Intrusion Detection
  Intrusion Prevention Systems (IPSs)
  Conclusion
  References

Chapter XIII: Security in Wireless Systems
  Introduction
  Types of Wireless Technology
  The Wireless Communication Infrastructure
  Wireless Local Area Network (WLAN): Wireless Fidelity (Wi-Fi)
  Security Issues in Wireless Systems
  Best Practices for Wi-Fi Security
  Conclusion
  References

Chapter XIV: Biometrics for Access Control
  Introduction
  History of Biometrics
  Biometric Authentication System
  Biometric Identifiers
  Advantages of Biometrics
  Disadvantages of Biometrics
  Why Biometrics are Not Truly Accepted
  The Future of Biometrics
  Conclusion
  References

Section III: Security Through the Legal System

Chapter XV: Digital Evidence and Computer Crime
  Introduction
  Definitions
  Nature of Digital Evidence
  Importance of Digital Evidence
  Reliability of Digital Evidence
  The Need for Standardization
  Proposed Standards for the Exchange of Digital Evidence
  The Process of Digital Evidence Acquisition
  Investigative Procedures
  Conclusion
  References

Chapter XVI: Digital Crime Investigation and Forensics
  Definition
  Computer Forensics
  History of Computer Forensics
  Network Forensics
  Forensics Analysis
  Forensics Tools
  Conclusion
  References

Section IV: What Next?

Chapter XVII: Trends in Information Assurance
  Introduction
  Global Information Assurance Initiatives and Trends
  National and International Information Security Initiatives
  Certification Programs
  Conclusion
  References
  Appendix: Additional Reading

Glossary of Terms
About the Authors
Index

Preface

The frequent headlines involving incidents of stolen or hacked user records from company and government institutions, like the recent Veteran Affairs episode, have brought probably unwanted attention to the constant problem of securing vital, essential, and confidential personal, business, and national records from the hands of hackers and thieves. However, to many in the security community, such news has refocused the attention of the nation, if not the whole world, and re-ignited the debate about how far we need to go and what we need to do in order to secure the information infrastructure upon which all vital information happens to reside and is transported.

Two fundamental developments have brought us to where we are today. First, Internet technology has become an integral part of our daily lives, and as it has, comprehensive security for systems upon which we have come to depend has become essential. The tremendous increase in connectivity, now driven more by new Wi-Fi technologies than fixed networks, has led to an increase in remote access and consequently increased system vulnerability. These forces have, together with the plummeting prices of information processing and indexing devices and the development of sprawling global networks, made the generation, collection, processing, indexing, and storage of and access to information easy. Second, as the popularity of computer use has grown, our dependence on computers and computer technology has skyrocketed to new heights and is hovering toward total dependence. There are serious consequences to total dependence on the information infrastructure and its associated technologies. As we have all witnessed in the last several years, Internet technologies have been like a large cruise ship in the middle of the ocean with all its amenities but without a captain. The 21st century has, thus far, the most machine-dependent generation. This dependence, though for convenience, is turning out to be one of the main sources of our security problems and a potential privacy concern. It is leading to the loss of our privacy, security, and autonomy.

These two developments, taken together, have created an even more tempting environment for online digital crimes than ever before. The annual Computer Crime Survey by the Computer Security Institute/Federal Bureau of Investigations (CSI/FBI) typically is a barometer of computer crime within the United States and every year presents alarming statistics about rising digital crime rates over our public networks. The survey results always paint a picture of cyber crimes bleeding the nation. The CSI/FBI Computer Crime and Security surveys are always targeted to computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities. Recent data from these surveys show some disturbing developments, including:

• There has been a shift from both virus attacks and denial of service, which previously outpaced all others, to theft of proprietary information.

• The percentage of organizations reporting computer intrusions to law enforcement in recent years has declined. The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity.

• Although the vast majority of the organizations view security awareness training as important, respondents from all sectors do not believe that their organizations invest enough in this area.

• Security budgets in organizations are still very low, indicating a low priority given to security.

Data like these point to perhaps the core reason why there is mounting uneasiness and fear of the developing information infrastructure. The main question arising out of this new fear is whether we should trust our new information infrastructure medium. We are at a crossroads, unable to proceed without deciding whether we should trust the path we are taking or not. If we are to trust it, how much trust must we give? Ironically, if we decide to trust, we are trusting a system we know very little about and we understand less.

Through the pages of this book, we try to give the reader reasons for trusting the information infrastructure in spite of limited user knowledge and familiarity, poor infrastructure protocol, lack of fundamental system blueprints, and its open-architecture, open-source nature. Yes, we believe that users with a strong ethical framework from a good ethics education can make sound decisions that are good for the security of the information infrastructure. Along with a strong ethical framework for decision making, we also need a tool kit of sound hardware and software security protocols and best practices that will enhance the information infrastructure’s security. Finally, we believe that a strong and adaptive legal system, supported by good forensics technologies and an effective apprehension of the offenders, can create the secure environment in which we can trust the information infrastructure.

The book is, therefore, a survey of these issues in four parts. In the four chapters of Section I: Security through Moral and Ethical Education, we focus on moral and ethics education and also discuss related issues of security, privacy, and anonymity as they affect the creation of a strong ethical framework for decision making:

• In Chapter I: Building Trust in the Information Infrastructure, we outline the problems we as members of cyberspace are facing, problems that are challenging our individual self and society, in general. We also outline a summary of what we think is the best approach to bringing trust to an infrastructure with a runaway security problem.

• In Chapter II: Need for Morality and Ethics, we discuss the rising rate of computer-related crime and, in particular, information-related crimes. We point out that information infrastructure is made up of two components: the man-made component, consisting of hardware and software, and the humanware component, consisting of users. A good solution to the information infrastructure problem must address problems in both of these components.

• In Chapter III: Building an Ethical Framework for Decision Making, we build on the discussion in Chapter II about building a good ethical framework and its central role in securing the information infrastructure. We show that a good ethical framework is essential for good decision making.

• In Chapter IV: Security, Anonymity, and Privacy, we discuss the centrality of security and privacy in the information infrastructure and also the role anonymity plays. The threat to privacy and security is at the core of the problem of securing the information infrastructure. We cannot talk about a secure information infrastructure, if we cannot guarantee the security and privacy of individuals and the information on the infrastructure.

Within the 10 chapters of Section II: Security through Innovative Hardware and Software Systems, we cover all practical techniques, protocols, and best practices in use today for a secure information infrastructure. These include techniques like the issues related to software reliability and risk; security threats and vulnerabilities; information security policies and risk analysis and management; access control and authentication; firewalls, intrusion detection, and prevention; and biometrics:

• In Chapter V: Software Standards, Reliability, Safety, and Risk, we focus on software’s role in the security of systems and how we can keep software safe, dependable, and secure, as we struggle to make the information communication infrastructure secure. Software, more than anything else, is at the heart of the information communication infrastructure. It is, in fact, one of the three main components of the infrastructure, together with hardware and humanware.

• In Chapter VI: Network Basics and Securing the Network Infrastructure, we give a very elementary treatment of the theory of networks and then outline the best network security solutions. This is intended to address one of the security concerns we discuss in Chapter I—users have little knowledge of the workings of the communication infrastructure.

• In Chapter VII: Security Threats and Vulnerabilities, we define and discuss threats and vulnerabilities for the ICT infrastructure. We do this by first identifying threats and vulnerabilities that are exploited by people like hackers.

• In Chapter VIII: Security Policies and Risk Analysis, we study the central role of a security policy in securing an enterprise network as has been pointed out by many security specialists, scholars, and security organizations. We further discuss several other issues about the security policy. This includes issues like what constitutes a good policy and how to formulate, develop, write, implement, and maintain a security policy.

• In Chapter IX: Security Analysis, Assessment, and Assurance, we look at the issues of the implementation of a security policy we discussed in Chapter VIII, starting with security assessment and analysis. The risks and potential for security breaches involving sabotage, vandalism, and resource theft are high. For security assurance of networked systems, there must be a comprehensive security evaluation to determine the status of security and ways to improve it through mitigation of security threats. So an examination and evaluation of the various factors affecting security status must be carried out and assessed to determine the adequacy of existing security measures and safeguards, and also to determine if improvements in the existing measures are needed.

• In Chapter X: Access Control, Authentication, and Authorization, we focus on three major security mechanisms from our security tool kit. We cover access control, authentication, and authorization.

• In Chapter XI: Perimeter Defense: The Firewall, we continue with our discussion of technical controls and techniques, which we started in Chapter X, by focusing on securing the perimeter of the enterprise network. This discussion consists of two parts: access control and firewalls.

• In Chapter XII: Intrusion Detection and Prevention Systems, we look at intrusion detection, one of the principles that defines security. Since computer networks have come to be pots of honey, attracting many, the stampede for information from computer networks is great and must be met with strong mechanisms. First there is detecting those trying to penetrate the system; second is preventing them from trying; and third is responding to the attempt, successfully or not. Although these three are the fundamental ingredients of security, most resources have been devoted to detection and prevention, because if we are able to detect all security threats and prevent them, then there is no need for a response.

• In Chapter XIII: Security in Wireless Systems, we follow the prediction by so many that the next dominant generation of computing technology is going to be wireless. We are already witnessing the beginning of this with the tremendous growth of wireless technology in the last few years. Along with the marvels of a new technology, and more so with wireless technology, there comes an avalanche of security concerns and problems. This is also the case with wired technology. So we carefully look at the current security protocols and best practices.

• In Chapter XIV: Biometrics for Access Control, we look at other emerging security technologies. New technologies and new techniques must be found to create a more reliable and more secure environment. In the quest for a superior solution, biometrics verification techniques are fast emerging as the most reliable and practical method of individual identity verification. Biometrics refer to technologies and techniques that rely on measurable physiological and personal characteristics and attributes that can

In the two chapters of Section III: Security through the Legal System, we discuss digital evidence and computer crime, digital crime investigations and forensics, and writing investigative reports.

• In Chapter XV: Digital Evidence and Computer Crime, we shift the discussion from moral and ethical education that forms an ethical framework in decision making and from implementation of security technologies, tools, and best practices, to focus on the legal and law enforcement approaches. We believe, despite the fact that the technology has outpaced the legal system and the technology the criminals use is sometimes years ahead of that of law enforcement, that the legal system can play a very positive and effective role in the security of networks and the communication infrastructure.

• In Chapter XVI: Digital Crime Investigations and Forensics, we focus on the investigative process. We divide the discussion into two parts. First we look at a process known as computer forensics in which we investigate crime scenes that involve data on computers. We look at the different parts of the computer and how digital evidence can be either hidden or extracted from the computer. In the second process, we consider the crime scene as not one computer but a network of computers. Our investigation then goes beyond one computer to include the infrastructure of the network and all points in the network where evidence can be either hidden or extracted. We refer to this second process as network forensics.

Finally, in Section IV: What Next?, we conclude with an interesting discourse:

• In Chapter XVII: Trends in Information Assurance, we discuss all of the security best practices, the possible trends in security protocols and best practices, their viability, and their growth in light of rapidly developing technology. We conclude the chapter and the book by a discussion of the possibilities of new technologies and what they should cover.

We believe this kind of approach to the information infrastructure will result in a secure information infrastructure that can be trusted by all of its users and, hence, will be secured for all of us and our children to come.

Joseph Migga Kizza
Chattanooga, TN

Florence Migga Kizza
Boca Raton, FL


Acknowledgment

This is a very comprehensive book covering a wide spectrum of interests in information security. It is, therefore, a challenge to the authors to present materials that will interest and challenge the majority of the intended readers. We made every effort in collecting and presenting materials that we think will go a long way to accomplish this. Along the way as we did this, we encountered many helpful and sometimes unforgettable people who went out of their way just to help by either answering one question or 10, providing a reference, questioning a statement, correcting grammar, or just pointing out a direction. We are grateful to hundreds of these unnamed heroes of this book.

Since early in its inception, this book has taken many turns and forms to get to its present form. This evolution has been a result of both content and syntax reviews, sometimes casual but many times serious. In particular, we want to thank the nameless IGI Global reviewers who made many invaluable suggestions. To all reviewers, we thank you from the bottom of our hearts for the small and large part you played. Whatever your part, you have contributed tremendously to the final product.

Finally, in a great way, we want to thank Immaculate Kizza, a mother, wife, and a gifted reviewer, for the many contributions she has made to the book. As usual you made it happen for us.

Security Through Moral and Ethical Education

Copyright © 2008, IGI Global. Copying or distributing in print or electronic forms without written permission

the information infrastructure an enjoyable environment. The information infrastructure consists of computer or computer-related hardware, software to run on the hardware, and humanware to run both. The human component in the information infrastructure is essential because humans create the life and dynamism in the infrastructure that has made it what it is. However, humans also create all the problems facing the infrastructure, as we will see throughout the book. Note that the infrastructure we have just defined is actually cyberspace. So throughout the book, we will use cyberspace and information infrastructure interchangeably. Cyberspace technology has brought more excitement to humanity than ever before. Communication has become almost instantaneous. The speed of data access is chasing the speed of light. Humanity could not have gotten a better technology. However, with the excitement and “bewilderness,” there has come a realization, after rough experiences, that the new technology has a serious downside. Based on individual experiences, the fear of the new technology on which we have come to depend is on the rise. But because there are more benefits of the new technology to humanity, trust of the technology must be cultivated among the users of the technology. Webster’s Dictionary (1989) defines trust as a noun as confidence or faith in a person or a thing, and as a verb as having confidence or faith in someone or something. For us, we want users of the information infrastructure to have confidence in it.

Numerous studies have indicated that the bad experiences encountered by users of cyberspace technology form a small fraction of all the wonderful experiences offered to users by cyberspace. There are many wonderful and beneficial services that are overshadowed by sometimes sensational reporting of new, but undeniably widespread, bad incidents in cyberspace. These few, sometimes overblown, incidents have created fear and an image of an insecure and out-of-control cyberspace. This, in turn, has resulted in many users and would-be users starting to not trust cyberspace. In fact, the opposite of this is truer. There is a lot to gain from cyberspace, both as an individual and as a community. We need to pass the message along that cyberspace is safe, offers lots of benefits, and should be trusted. We have built the protocols and we have identified the best practices to safeguard the information infrastructure for every genuine user. We believe that with rising user trust of cyberspace, the security of cyberspace will be enhanced. However, the road to getting this message across is not easy.

Problems with Building Trust

Probably, many of you who have been around in the last 10 years have experienced two scary and turbulent periods in computing. The first period probably started around 1990 and lasted through 2000. This period saw an unprecedented growth in computer networks around the globe. It was characterized by frightening, often very devastating, and widespread virus attacks on global computer networks. These interconnected and interdependent networks provided a very good conduit for these virus attacks. As the world became a mesh of thousands of interdependent computers, more individuals, businesses, organizations, and nations were becoming more dependent on them. This period experienced monstrous and increasingly diverse, sophisticated, and coordinated virus and distributed denial of service attacks that included attacks like Melissa, The Goodtimes, the distributed denial of services (DDoS), The Love Bug, Code Red, and the Bagle, to name but a few. The inputs fuelling the rise and the destructive power of these attacks were the large volume of free hacker tools on the Internet that made it easier than ever for amateurs to create and launch a virus; the easy availability of such tools; the widespread use of computers in homes, organizations, and businesses; the large numbers of young people growing up with computers in their bedrooms; the growing “over interest” in computers; the anonymity of users of the Internet; and the ever-growing dependence on computers and computer networks. All these put together contributed to the wild, wild cyberspace of the 1990s.

Since 2000, we have been in a new period, and we are experiencing new attack techniques. This period is, so far, characterized by small, less powerful, but selective and targeted attacks. The targets are preselected to maximize personal gains. The targets are carefully chosen for personal identity, which leads to financial gains. Attacks so far in this period are overwhelmingly targeting financial institutions and institutions and businesses that store personal information. The list of victims is long and growing. For example, in this period:

• Bank of America Corp. reported computer tapes containing credit card records of U.S. senators and more than a million U.S. government employees went missing, putting the customers at increased risk of identity theft.

• ChoicePoint Inc., a Georgia-based credit reporting company, had a breach of their computer databases, which rendered nearly 145,000 people vulnerable to identity theft.

• Data wholesaler LexisNexis, a division of Reed Elsevier, admitted having personal information of about 310,000 of its U.S. customers stolen.

• ChoicePoint, another credit reporting company, had lost account of up to 100,000 people.

This rapid stream of attack publicity is not new. It has always been like this, but because of strict reporting laws being enacted in a number of state legislatures like California, more and more companies and institutions are reporting the loss of personal accounts. Among the latest companies and institutions are: PayMaxx, health care heavyweight San Jose Medical Group, California State University at Chico, Boston College, and the University of California at Berkeley (Sullivan, 2006). These made the headlines, but many more do not.

Personal information has become so valuable that hackers, thieves, and some businesses are trading over legal lines to collect personal information. The recent disappearance of a small disk containing personal information on almost 4.5 million veterans and army personnel, including their social security numbers and even home addresses, has probably brought some needed awareness to the huge problem, which had not made it to a spot on the evening news previously. The rate at which new ways of information gathering, like pretexting, which is a remake of the old social engineering, are being developed is indicative of the value of personal information. Armed with this information, hackers and information thieves, or information brokers as they want to call themselves, use information like social security numbers to access bank accounts, illegally acquire houses, and use them to get mortgage credit lines. The possibilities for using personal information are endless.

Another threat that is characteristic of this period, again with a flavor of searching for personal information, is the growing problem of spyware. Spyware is not only threatening enterprise networks and small home-built networks, it is turning computers on these networks into spam-generating machines, which wreak havoc on home personal computers (PCs). Spyware is software for which no purchase or license is necessary. It is normally installed on a computer without knowledge or consent of the user. It has no set time to install or specified source from which to download. It installs on the user computer, without authorization, with the main mission of monitoring some of the information on the computer and making that information available to outside sources as needed. It may send the information once, periodically, or continuously for a long time.

Spyware is usually distributed through user Web site visits and file downloads. Following these Web site visits and casual downloads, malware, a more destructive form of spyware, is downloaded onto the user’s computer or server. Also, downloading free software, such as peer-to-peer file sharing programs, screen savers, backgrounds, and media files, increases the chances of acquiring malware. Once deposited on a corporate computer, spyware starts to track keystrokes, scan hard drives, and change system and registry settings. Actions like these can lead to identity theft, data corruption, and even theft of a company’s trade secrets.

Based on the latest study, two-thirds of consumer computers are infected with spyware (Plante, 2006). Because they are widespread, they have become a huge security problem to system administrators and chief security officers (CSOs). They are a management problem and a security nightmare because they (Plante, 2006):

• Are a loss to network bandwidth due to unsolicited advertising traffic

• Overload the security and help-desk staff with the job of cleaning adware from all corporate computers

• Are keystroke logger/screen capture software that hides on a user computer and then records the user keystrokes and screenshots that later can be used to reconstruct a user session, which may lead to theft of personal confidential information, like passwords, social security numbers, and banking and other financial information

• May be hacking software, like password crackers and Trojan horses, that can unscrupulously be used to remotely enter the system

Spam is yet another menacing security problem to systems. Spam is unsolicited bulk e-mail. Unlike a penetration and a DDoS attack, which affect the system security through a variety of ways, spam does not penetrate a system without authorization or deny system services to users. According to The Yankee Group, a Boston-based research and consulting firm, spam costs U.S. businesses $4 billion annually in lost productivity (Plante, 2006). Spam comes in the form of e-mails, hundreds or thousands of them, sent to a mail server. So many e-mails can become a problem in many ways, including clogging of networks and servers, so that other security threats can exploit the clogged server.

The fourth major problem that straddled the two periods is our dependence on information technology (IT). This dependence is unfortunately ever increasing and our trust in the technology that seems to do wonders is total. We buy stocks online; we bank online; we keep all our personal records online. We routinely get our news online. Very few of us take a minute to question the reliability and integrity of the online information we access and give. For the current dynamism of the digital information and electronic commerce (e-commerce) to survive, we need to have and maintain this trust. We must trust online information as we trust the brick-and-mortar printed and broadcast information.

There are other problems, including those listed below, that have made the information age and cyberspace a replay of the old wild, wild West, and I discuss them more fully in Network Security and Cyber Ethics (2002).

• Network operating systems and software vulnerabilities

• Limited knowledge of users and system administrators: The limited knowledge computer users and system administrators have about computer network infrastructure and the working of its protocols does not help advance network security. Rather, it increases the dangers.

• Lack of planning: There is no clear plan, direction, or blueprint to guide the national efforts in finding a solution to information infrastructure problems.

• Complacent society: The public has yet to come to terms with the fact that cyberspace is dangerous and one ought to be cautious.

• Inadequate security mechanism and solutions: The existing solutions are best practices and are not comprehensive enough; they are still technology or application specific. Also, they are so far not really solutions but patches.

• Poor reporting of computer crimes: The number of reported cyber crimes tracked by CERT, the FBI, and local enforcement authorities is low.

• Solution overload: There are just too many “solutions” and “best practices” to be fully trusted. It takes more time looking for a more effective solution.

Internationally, the picture is no better; in fact, it is worse in some aspects than it is in the United States, according to The Global State of Information Security 2005, a worldwide study by CIO, CSO, and PricewaterhouseCoopers (PwC) in the CSO Online Magazine (Berinato, 2005). In the report, the author compares the global information security picture to an escaped wildfire, where the firefighters are desperately trying to outflank the fire line and prevent flare ups and firestorms. Just holding your ground is a victory. In the third annual report in which they surveyed more than 8,200 IT and security executives from 63 countries on six continents, the data shows disturbing patterns. It shows:

• A notable lack of focus on actions and strategies that could prevent these incidents in the first place

• A remarkable ambivalence among respondents about compliance with government regulations

• A clear lack of risk management discipline

• A continuing inability to create actionable security intelligence out of mountains of security data

For example, the survey reveals that just 37 percent of respondents reported that they had an information security strategy, and only 24 percent of the rest say that creating one is in the plans for next year.

The report also revealed that while the numbers on incidents, down time, and damages have remained steady, there is an increase in other numbers that are cause for alarm:

• The sharply rising number of respondents who report damages as “unknown”—up to 47 percent

• During the past year, could also contribute to the rising “unknown” group

• Increased sophistication and complexity of attacks, hitting more complex targets

Steps to Building Trust

Against this background, efforts need to be and are being taken to protect online data and information and enhance user trust of the information infrastructure. Such trust will create confidence in the information infrastructure leading to enhanced privacy, security, reliability, and integrity of information, which forms the core of a secure information infrastructure. One way to accomplish this is by building a strong ethical framework for all users of the information infrastructure, developing tools and best practices to protect hardware and software products that make up the information infrastructure, and creating and enforcing a strong legal framework. Such approaches would involve measures, such as:

• Developing a culture neutral and nonreligious value-based moral framework

• Developing effective security protocols, including security policies and models of security governance, assessment of the security threats, intrusion detection and prevention, and authentication and access control regimens

• Enacting legislation

• Providing self-regulation

• Developing an effective and enforceable legal framework that involves computer forensics

Without firm security controls and best practices like these, we will never be able to secure the ever growing information infrastructure upon which all societies and individuals have come to depend.

Conclusion

This is an introductory chapter where we have defined both the information infrastructure and trust, and outlined the problems that cause users to fail to trust the information infrastructure. We also have discussed the need for users to trust the information infrastructure. Without this trust, the infrastructure cannot be secure. Finally, we have outlined the steps needed to build the trust in the information infrastructure. In the remainder of the chapters, we are going to open a dialogue with the reader as we survey the landscape of possible solutions and best practices as we all strive to build an environment we can all trust.


ecuritymag.techtarget.com/ss/0,295796,sid6_iss386_art765,00.html


of users. Surely a good solution to the information infrastructure problem must address problems in both of these components. We begin our survey and discussion of an array of solutions and best practices that address and try to build trust in the information infrastructure, starting with the humanware. Our discussion will focus on morality and ethics.

Morality

Morality is a set of rules of right conduct; it is also a system used to modify and regulate our behavior. It is a quality system of human acts by which we judge them right or wrong, good or bad. This system creates moral persons who possess virtues like love for others, compassion, and a desire for justice; thus it builds character traits in people. Morality is a lived set of shared rules, principles, and duties, with no reference to the desires, aspirations, interests, or powers of any particular person. However, the degree of living and sharing of these values varies greatly. We may agree more on values like truth, justice, and loyalty, than on others.

Ethics

While morality is the pursuit of the good life, ethics is the science of the examination of that life to which Socrates devoted his life and for which he died. Ethics is, therefore, a study of right and wrong in human conduct. It is a theoretical examination and justification of morality. The role of ethics is to help societies to distinguish between right and wrong and to give each society a basis for justifying the judgment of human actions. When the interest of other people is affected, the justification for human actions becomes complicated and paramount, as it requires a demonstration that shows the balance of good to harm is acceptable and is in the interest of everyone. Ethics is, therefore, a field of inquiry, the subject of which are human actions, collectively called human conduct, that are done consciously, willfully, and for which one can be held responsible. Such acts must have, according to Fagothey (1959), knowledge that signifies the presence of a motive, “volunteeriness” to signify that it is willed, and freedom to signify the presence of free choice to act or not to act. It is also a theoretical examination of morality.

The purpose of ethics is to interpret human conduct, acknowledging and distinguishing between right and wrong. The interpretation is done based on a system that uses a process of argumentation, consisting of a mixture of induction and deductions. In most cases, these arguments are based on historical schools of thought called ethical theories. There are many different kinds of ethical theories, and within each theory, there may be different versions of that theory. Let us discuss these theories next.

Ethical Theories

For centuries in different societies, human actions have been judged good or bad and right or wrong, based on theories or systems of justice that were developed, tested, revised, and debated by philosophers and/or elders in that society. Such theories are commonly known as ethical theories. An ethical theory is that which makes an action or set of actions morally right or wrong. Codes of ethics have then been drawn up, using and based on these ethical theories. The processes of reasoning, explanation, and justification used in ethics are based on these theories.

Sophism

In her article Sophism: The Philosophy of the Sophists, Gill defines sophism as an ancient Greek philosophy that started around the 5th century B.C. and was made famous by Plato, Aristotle, and Aristophanes. The philosophy consisted of techniques from highly respected Greek philosophers that emphasized rhetoric rather than virtue. Because of this, sophists were taken as philosophers that were capable of perverting the truth, because they could argue any side of an issue. The techniques were misused, and sophists charged high fees for their services, which eventually led to the decline in this philosophy. Sophism was and is still criticized for the process of its argument. In an argument, a conclusion is arrived at after a systematic and logical sequence of premises. The argument makes sense when the premises are connected together by logic. The conclusion is deemed true or false by the audience or judge based on the flow of the premises in the argument. Sophism is criticized for attacking the role of logic and its validity in the argument. Perhaps poet Emily Dickinson in her poem Tell All The Truth But Tell It With a Slant (Kennedy, 2003) captures the spirit of the sophists.

Socratic Method

The Socratic method is a philosophical school of thought started by Socrates that handles the process of inquiry (argument) dialectically through answering a question with a question, while examining key moral concepts. The Socratic method handles an argument by progressively eliminating hypotheses with the assumption that better hypotheses are found by steadily identifying and eliminating those which lead to contradictions. By doing this, Socrates thought that he could force individuals involved in the argument to steadily examine their own beliefs and the validity of such beliefs.

Platonism

According to the online Stanford Encyclopedia of Philosophy (1978), Platonism is the view that there exist abstract objects (nonphysical—not physically existing; and nonmental—they are not minds and are not ideas in minds, brains, disembodied souls, Gods, or anything else along these lines). Such objects are not affected by time and space. They are, therefore, unchanging and cannot interact with other physical objects. For example, think of properties and relations in object-oriented programming. These are considered abstract objects.

Platonism, therefore, advances a theory or doctrine of ideas of something whose originality, in particular, does not exist in the reality of the time-space continuum, except through instantiation of the idea. These ideas are, therefore, infinite and, according to the Encyclopedia of Philosophy (1978), they compose the object or whole of all knowledge and aspiration, which form the one and absolute real being, the Platonic supreme idea of the good. Based on these ideas, rationalists, of which Plato was a member, associate recollection as a theory of knowledge, that is, innate knowledge, which are ideas and knowledge that we are born with, rather than acquire through experience. Various world religions also have interpreted the Platonic theory of ideas to subscribe to the existence of God.

Cynicism

Like the foregoing philosophical theories, cynicism was also a Greek philosophy concerned with virtue and supported the belief that virtue was the cause of happiness and the good life. Because virtue was the only essential ingredient in bringing about happiness and the good life, the followers of this philosophy pursued virtue to whatever possible ends, many times neglecting all worldly things, like hygiene, family, and money.

Other Variants of the Major Greek Philosophical Theories

The philosophical theories we have discussed above were all developed by the Greeks. Greek philosophy gave imprints that are still seen today in all Western philosophy. It defined the terms and gave variants to the philosophical theories being used today. Some of these variants include: consequentialism, deontology, human nature, relativism, hedonism, and emotivism.

Consequentialism

We think of the right action as that which produces good consequences. If an act produces good consequences, then it is the right thing to do. Those who subscribe to this position are called consequentialists. Consequentialists judge human actions as good or bad and right or wrong, based on the results of actions—a desirable result denotes a good action, and vice versa. According to Hull (1979), utilitarian theories have three parts: a theory of value, a principle of utility, and a decision procedure. Within these, there are further theories. For example, in the theory of value, there are several other theories held by utilitarians, including (Hull, 1979):

• Hedonism, which equates good with pleasure and bad or evil with pain

• Eudamonism, which equates good with happiness and bad or evil with unhappiness

• Agathism, which views good as an indefinable, intrinsic feature of various situations and states, and evil as either an indefinable, intrinsic feature of other situations and states, or simply as the absence of good

• Agapeism, which equates good with love and bad with hate

• Values pluralism, which holds that there are many goods, including pleasure and happiness, but also knowledge, friendship, love, and so forth. These may or may not be viewed as differing in importance or priority

There are three commonly discussed types of consequentialism theory (Kizza, 2002):

• Egoism: This theory puts an individual’s interests and happiness above everything else. With egoism, any action is good as long as it maximizes an individual’s overall happiness. There are two kinds of egoism: ethical egoism, which states how people ought to behave as they pursue their own interests, and psychological egoism, which describes how people actually behave.

• Utilitarianism: Unlike egoism, this theory puts a group’s interest and happiness above those of an individual. Thus an action is good if it benefits the maximum number of people. Among the forms of utilitarianism are the following:

   • Act Utilitarianism: which tells one to consider seriously the consequences of all actions before choosing that with the best overall advantage, happiness in this case, for the maximum number of people; and

   • Rule Utilitarianism: which tells one to obey those rules that bring the maximum happiness to the greatest number of people. Rule utilitarianism maintains that a behavioral code or rule is good if the consequences of adopting that rule are favorable to the greatest number of people.

• Altruism: In altruism an action is right, if the consequences of that action are favorable to all except the actor.

Deontology

The theory of deontological reason does not concern itself with the consequences of the action, but rather with the will of the action. An action is good or bad depending on the will inherent in it. According to deontological theory, an act is considered good if the individual committing it had a good reason to do so. This theory has a duty attached to it. In fact, the word “deontology” comes from two Greek words: deon meaning duty and logos meaning science (Johnson, 1994). For example, we know that killing is bad, but if an armed intruder enters your house and you kill him or her, your action is good, according to deontologists. You did it because you had a duty to protect your family and property.

Human Nature

The theory of human nature tries to answer several questions about human nature and the purpose of life. Are human beings endowed with all faculties and capabilities to live in happiness? These questions lead to an exploration of the understanding of the working of human mind, why it works in such a way and not another, and whether the answers to these questions lead us to understanding what is man’s ultimate nature. There are several explanations for the nature of man.

According to Wilson (1978), no species, ours included, possesses a purpose beyond the imperatives created by its genetic history. Species may have vast potential for material and mental progress, but they lack any immanent purpose or guidance from agents beyond their immediate environment or even an evolutionary goal toward which their molecular architecture automatically steers them. Human brains exist only to promote the survival and multiplication of the genes that direct the assembly of man and that the mind is a device for survival and reproduction. Reason is just one of its various techniques to maintain itself. In essence, the human capabilities that give us drive, wit, love, pride, anger, hope, and anxiety are but a part of the perpetuation of the same human cycle. Wilson (1978) further explains that the brain evolved by natural selection. Even the capacities to select particular esthetic judgments and religious beliefs must have arisen by the same mechanistic process as either direct adaptations to past environments in which the ancestral human populations evolved or, at most, constructions thrown up secondarily by deeper, less visible activities that were once adaptive in this stricter, biological sense.

Relativism

This theory is negatively formulated, denying the existence of universal moral norms. It takes right and wrong to be relative to society, culture, or the individual. Relativism also states that moral norms are not fixed in time.

Hedonism

Hedonism, one of the oldest ethical theories, characterizes happiness as a way of life lived through being open to pleasurable experiences, like sex and drug stimulants. There are many problems to the purest form of hedonism, and it has been rejected on moral grounds by many because it is not considered healthy for long-term happiness. This is what is called the hedonism paradox. A hedonist acts only for maximum pleasure, and whatever he or she does is done to maximize pleasure or minimize pain. There are several types of hedonism, including: psychological hedonism, which claims that, in fact, what people seek in their everyday actions is pleasure, and ethical hedonism, which claims that people ought to seek pleasure and that pleasure is the moral good. Other forms of hedonism include sensory hedonism, which considers that pleasure and happiness result from sensory pleasure. This leads to the hedonist belief that the value of a life is determined by the total amount of sensory pleasure it contains, minus the total amount of sensory pain it contains. The fourth category of hedonism we will discuss is attitudinal hedonism. According to Feldman (2002), attitudinal hedonism states that what makes a life good for one who lives it is that it contains a lot of enjoyment, or attitudinal pleasure, and relatively little disenjoyment, or attitudinal pain.

Emotivism

This theory maintains that ethical statements are neither true nor false and cannot be proven; they are really only statements about how someone feels (Internet Encyclopedia of Philosophy).

Philosophers use these theories as engines to help them understand and justify human actions. Although over the years and in different places, changing values have been attached to human actions, these ethical theories have remained relatively unchanged. This means that although ethics as a discipline is evolving, ethical reasoning has relatively remained the same. In other words, Aristotle and Plato’s reasoning to explain and justify human actions is still valid, although the premises surrounding human actions are changing with time and with every new technology.

Ethical Reasoning

The process of ethical reasoning takes several steps. These steps are actually referred to as layers of reasoning. Before one can justify to someone else the goodness or badness and the rightness or wrongness of one’s action, one must labor through layers of explanations to justify taking such actions. For example, in the aftermath of Hurricane Katrina in New Orleans, the world witnessed droves of people breaking into department stores and coming out with bags of merchandise. This action was very controversial. It might have been condemned by some people as stealing and praised by others as an ingenious way to survive. Imagine yourself trying to convince somebody who does not think like you, whatever your position was on those acts. You probably would go through several layers of reasoning to convince the fellow that your judgment of the action was the way it was and a good one.

The spectrum of human actions on which ethical judgments can be based is wide ranging, from simple traditional and easy to understand actions like killing and stealing, to complex and abstract ones like hacking, cellular telephone scanning, and subliminal human brain alterations. On one side of this spectrum, the inputs have straight output value judgments of right and wrong or good and evil. On the other end of the spectrum, there are, however, inputs that cannot be easily mapped into the same output value judgments of good and bad or right and evil. It is at this side of the input spectrum that most new human actions created as a result of computer technology are found. Computer technology created new possibilities where there were none. It creates new muddles that make decision making complex and strenuous. It is this kind of environment that we find ourselves in today. It is the reason we need moral and ethical education and codes of conduct.

Codes of Professional Responsibility

The main domains in which ethics are defined are governed by a particular and definitive regiment of guidelines and “rules of thumb” called “codes of ethics.” These rules, guidelines, canons, advisories, or whatever you want to call them are usually followed by members of the respective domains. For example, your family has an ethical “set of rules” that every member of the family must observe. Your school has a set of “conduct” rules that every student, staff member, and faculty member must observe. And for example, college departments have sets of rules to which students using the university computers must adhere. So depending on the domain, ethical codes can take any of the following forms:

• Principles, which may act as guidelines, references, or bases for some document

• Public policies, which may include aspects of acceptable behavior, norms, and practices of a society or group

• Codes of conduct, which may include ethical principles

• Legal instruments, which enforce good conduct through courts

Although the use of codes of ethics is still limited to professions and high visibility institutions and businesses, there is a growing movement toward widespread use. The wording, content, and target of these codes differ greatly. Some codes are written purposely for the public, others target employees, and yet others are for professionals only. The reader is referred to the codes of Association of Computing Machinery (ACM) and The Institute of Electric and Electronics Engineers’ Computer Society (IEEE Computer), both professional organizations. The ACM code can be found at www.acm.org and code for IEEE Computer is at www.ieee.org.

Objectives of Codes

Different domains and groups of people formulate different codes of ethics, but among them, they all have the following objectives (Kizza, 2002):

• Disciplinary: By instilling discipline, the group or profession ensures professionalism and integrity of its members.

• Advisory: The codes are usually a good source of tips for members and offer advice and guidance in areas where there are fuzzy moral issues.

• Educational: Ethical codes are good educational tools for members of the domain, especially the new ones who have to learn the do’s and don’ts of the new profession. These codes are also a good source of renewal for the older members, needing to refresh and polish their possibly waning morals.

• Inspirational: Besides being disciplinary, advisory, and educational, the codes also should carry subliminal messages to inspire those using them to be “good.”

• Publicity: One way for professions to create a good clientele is to show that they have a strong code of ethics and, therefore, their members are committed to basic values and are responsible.

The Relevancy of Ethics in Modern Life

When Socrates made the statement “The unexamined life is not worth living” before the Athens’s court in 399 B.C., human life was as it is today in almost every aspect, except the quality. The essence of life has not changed much since Socrates’ time and now. We still struggle for the meaning of life; we work to improve the quality of life; and we do not rest unless we have love, justice, and happiness for all. Socrates spent all his life questioning the people of Athens so that they, together with him, could examine their individual lives to find “what they individually ought to do” “to improve the lot of humankind.” Many philosophers and those not so schooled believe that this is the purpose of ethics.

The difficulty in finding “what I individually ought to do” has always been and continues to be for modern life the myriad of decisions that must be made quickly, with an overwhelming and quickly changing on-the-minute information, and must be done reasonably well. This is not a simple statement that can be quickly overlooked. We face these decision-making dilemmas every minute of every day. Under these circumstances, when we are faced with the need to make such decisions, we really need to have enough information and a strong enough backing in moral and ethical education to build an ethical framework on which to base our judgment for a sound decision. When the information at hand is not complete and when the necessary knowledge and understanding of the reality to be able to make the decision is lacking, then the ability to approximate the consequences of the decision many times leads to a bad decision. For a number of people, when the ingredients of a good decision-making process are missing, they rely on habits. Decisions based on habits are not always sound ethical decisions, and they are not always good.

The purpose of ethics has been and continues to be, especially for the modern technologically driven society, the establishment of basic guidelines and “rules of thumb” for determining which behaviors are most likely to promote the achievement of “The Best,” over the long-term (Wilson, 1978). These guidelines and “rules of thumb” are the codes of ethics.

ed.) New York: Springer

Stanford encyclopedia of philosophy. (1978). http://plato.stanford.edu/entries/platonism/#1

Wilson, E. O. (1978). On human nature. Washington, DC: Harvard University Press.


Principle of Duty of Care

Duty of care is our individual implicit responsibilities to other individuals in our society in whatever we do. The principle of duty of care is also the formalization of these individual responsibilities towards one’s community and society. Human beings are social animals that must exist in communities. So as members of these communities in which we live, we shoulder these social responsibilities to be mindful of others within our communities in whatever we do. Our working life, therefore, bears this responsibility.

Since a working life involves a continuous sequence of daily decision making, we will look at the process of decision making as the cradle of the care of duty, because no decision should and, indeed, must be taken without it. Wrong decisions, lacking the responsibilities in the duty of care, should lead to the feeling of guilt about the wrong decisions and how to avoid them. By the very nature of a working life, workers are decision makers. From the time one checks in at the place of work until the end of the working day, and even beyond, a worker must make hundreds of decisions. A good decision must take into account the principle of the duty of care and be anchored by an ethical framework.

Work and Decision Making

Good decisions are not only based on an ethical framework, but also on the decision maker’s abilities The decision maker’s abilities are based on the following basic requirements, namely (Kizza, 2002):

1. A set of highly developed skills and deep knowledge of the domain: Skills and deep knowledge of the domain are both acquired and developed over an extended period of formal schooling and experience at work. Acquiring a sophisticated level of knowledge is crucial because skills based on shallow knowledge of the domain could be damaging in cases involving decisions that require understanding, analysis, and adoption of concepts to suit the environment or the problem.

2. Autonomy: When at work, both employers and employees make decisions, each in the domain of the tasks they are doing. An employer

Date posted: 23/12/2013, 04:17
