Unit 6 - Notes
Unit 6: Ethical and Professional issues in Information Security
1. Law and Ethics in Information Security
Information security professionals must understand the legal and ethical framework within which they operate. While technology changes rapidly, legal and ethical principles provide the stability required to manage risks and conduct business responsibly.
1.1 Key Definitions
- Law: Rules that mandate or prohibit certain behavior in society. They are drawn from legislative acts, administrative agencies, and court decisions. Laws carry the authority of a governing body and enforce penalties (fines, imprisonment).
- Ethics: Socially acceptable behaviors and moral principles that guide actions. Ethics are often based on cultural mores and are not necessarily enforced by legal bodies, though professional organizations (like (ISC)², ISACA) have codes of ethics that members must follow.
1.2 The Intersection of Law and Ethics
- Legal and Ethical: Protecting patient data (HIPAA compliance and moral duty).
- Legal but Unethical: Managing a sweatshop in a country with lax labor laws; technically legal, but morally condemned.
- Illegal but Ethical: A whistleblower leaking classified documents to expose a massive human rights violation (subjective, but often debated).
- Illegal and Unethical: Deploying ransomware or stealing credit card information.
1.3 Types of Law relevant to InfoSec
- Civil Law: Pertains to relationships between individuals and organizations (e.g., contract disputes, employment law).
- Criminal Law: Addresses violations harmful to society; enforced by the government (e.g., hacking, arson).
- Tort Law: A subset of civil law that allows individuals to seek redress for personal wrongs (e.g., negligence leading to a data breach).
- Private vs. Public Law: Private law regulates relationships between individuals/corporations; Public law regulates the structure and administration of government agencies.
2. Organizational Liability and the Need for Counsel
Organizations are legal entities that can be held liable for the actions of their employees or for failing to protect assets and third-party data.
2.1 Liability Concepts
- Liability: The legal obligation of an entity, which extends beyond what a single lawsuit can impose. It includes the responsibility for wrongful acts or omissions.
- Restitution: The legal requirement to compensate a victim for loss or injury.
- Vicarious Liability: An employer can be held liable for the actions of an employee if those actions were committed within the scope of employment.
2.2 Due Care vs. Due Diligence
To avoid negligence and liability, organizations must demonstrate:
- Due Care: "Doing what a reasonable person would do." It is the implementation of controls (e.g., installing a firewall, training staff). It is about action.
- Due Diligence: "Knowing what you should know." It is the management of due care (e.g., monitoring the logs of the firewall, updating the training). It is about verification and ongoing management.
2.3 The Need for Legal Counsel
Information security professionals are not lawyers. Complex scenarios require professional legal advice to:
- Interpret regulatory requirements (GDPR, IT Act 2000).
- Draft enforceable contracts and Service Level Agreements (SLAs).
- Manage incident response to preserve chain of custody.
- Advise on the legality of monitoring employee communications.
3. Policy Versus Law
While laws are enforced by the government, policies are enforced by the organization. However, for a policy to be legally viable (i.e., to fire an employee for violating it), it must meet specific criteria.
| Feature | Law | Policy |
|---|---|---|
| Origin | Government / Legislature | Organizational Management |
| Scope | Universal within jurisdiction | Internal to the organization |
| Enforcement | Police / Courts | HR / Management |
| Ignorance | "Ignorance of the law is no excuse." | Ignorance is a valid defense if the policy was not communicated. |
3.1 Criteria for Enforceable Policies
For a policy to hold up in a labor dispute or court, it must be:
- Distributed: The employee must have access to it.
- Read: There must be evidence the employee read it.
- Understood: It must be written in language the employee understands.
- Agreed to: The employee must sign or acknowledge agreement.
- Uniformly Enforced: The organization cannot punish one employee while ignoring another for the same violation.
4. Cyber Crime
Definition: Any criminal activity that involves a computer, networked device, or a network.
4.1 Classifications of Cyber Crime
- Computer as the Target: Attacking the infrastructure itself (e.g., DDoS attacks, virus injection).
- Computer as a Tool: Using the computer to commit traditional crimes (e.g., fraud, cyberstalking, distribution of child pornography).
4.2 Cyber-crime on the Rise
Cyber crime is increasing rapidly due to:
- Digital Dependency: Increased reliance on cloud services, IoT, and mobile banking.
- Low Barrier to Entry: Availability of "Cybercrime-as-a-Service" (CaaS) allows unskilled actors to launch attacks.
- Anonymity: Use of the Tor network and cryptocurrency makes attribution difficult.
- State-Sponsored Attacks: Governments using cyber warfare for espionage and sabotage.
- Remote Work: The post-pandemic shift to WFH (Work From Home) expanded the attack surface.
5. Need for Cyber Law in India
As India undergoes rapid digitization (Digital India, UPI), the legal framework must evolve to protect citizens and businesses.
5.1 The Information Technology Act, 2000 (IT Act 2000)
This is the primary law in India dealing with cybercrime and electronic commerce.
5.2 Why Cyber Law is Essential in India
- Legal Validity of Electronic Records: To recognize digital signatures and electronic documents as equal to paper records.
- E-Commerce Growth: To regulate online transactions, consumer rights, and fraud.
- Intellectual Property: To protect software copyrights and digital content from piracy.
- Data Protection: To hold bodies corporate liable for negligence in implementing reasonable security practices (Section 43A).
- Cyber Terrorism: To address acts that threaten the unity, integrity, and sovereignty of India (Section 66F).
- Jurisdiction: To determine how to prosecute crimes committed on servers located outside India but affecting Indian citizens.
6. Ethical Dilemmas in Project Management
Project Managers (PMs) in InfoSec often face conflict between business goals and security requirements.
6.1 The "Iron Triangle" Conflicts
- Time vs. Quality: Pressure to launch a product by a specific date may tempt a PM to skip security testing (Penetration Testing) to meet the deadline.
- Cost vs. Scope: Budget cuts may lead to removing expensive but necessary security controls (e.g., skipping a redundancy server).
6.2 Common Ethical Dilemmas
- Scope Creep and Gold Plating: Adding unauthorized features that may introduce vulnerabilities.
- Resource Allocation: Assigning under-qualified staff to critical security tasks to save money.
- Reporting: Hiding the "bad news" about a vulnerability to stakeholders to avoid project cancellation.
- Vendor Relations: Accepting gifts or kickbacks from security software vendors.
6.3 PMI Code of Ethics
Project managers are expected to adhere to values like:
- Responsibility: Ownership of decisions.
- Respect: Treatment of resources and people.
- Fairness: Impartiality in decision making.
- Honesty: Truthfulness in reporting status and risks.
7. Principles of Arbitration and Alternative Dispute Resolution (ADR)
Litigation (going to court) is expensive, public, and slow. ADR provides methods to resolve disputes outside the courtroom.
7.1 Key ADR Mechanisms
- Negotiation: Direct communication between parties to reach a settlement without third-party intervention.
- Mediation: A neutral third party (mediator) facilitates communication to help parties reach a voluntary settlement. The mediator does not make a decision.
- Arbitration: A private, judicial determination of a dispute by an independent third party (arbitrator). The decision (award) is usually binding and enforceable by courts.
7.2 Benefits of ADR in Tech Disputes
- Technical Expertise: You can choose an arbitrator with InfoSec knowledge (judges may lack technical understanding).
- Confidentiality: Unlike court cases, ADR proceedings are private, protecting trade secrets and reputation.
- Speed: Generally faster than the court system.
- Cost: Often cheaper than prolonged litigation.
8. Hands-on Tools for Cyber Security
Security professionals use various tools to assess and secure systems. Note: These must only be used ethically and with permission.
8.1 Reconnaissance and Scanning
- Nmap (Network Mapper): Open-source tool for network discovery and security auditing. It determines which hosts are available, what services (applications) they are offering, and what OS they are running.
- Shodan: A search engine for Internet-connected devices (webcams, routers, servers).
8.2 Packet Sniffing
- Wireshark: A network protocol analyzer. It captures traffic flowing through a network interface and allows deep inspection of packets. Used to detect unencrypted traffic or suspicious data flow.
8.3 Vulnerability Assessment & Penetration Testing
- Metasploit Framework: A powerful tool for developing and executing exploit code against a remote target machine. Used to verify vulnerabilities.
- Burp Suite: The standard tool for web application security testing. It acts as a proxy to intercept and modify traffic between the browser and the server.
- Nessus: A proprietary vulnerability scanner that automates the checking of compliance and vulnerabilities.
8.4 Password Cracking (Audit)
- John the Ripper / Hashcat: Tools used to test password strength by attempting to crack password hashes.
9. Case Studies on Cyber Crimes
9.1 Case Study 1: WannaCry Ransomware (2017)
- The Incident: A global ransomware attack targeting Microsoft Windows systems. It encrypted data and demanded payment in Bitcoin.
- The Exploit: Used the "EternalBlue" exploit (leaked from the NSA) which targeted the SMB protocol.
- Impact: Crippled the UK’s National Health Service (NHS), FedEx, and huge corporations globally.
- Ethical/Legal Lesson: Organizations failed in Due Care by not applying the security patch released by Microsoft months prior. It highlighted the need for rigorous Patch Management policies.
9.2 Case Study 2: Equifax Data Breach (2017)
- The Incident: Equifax, a credit reporting agency, lost the personal data (SSNs, birth dates) of 147 million people.
- The Cause: Failure to patch a known vulnerability in the Apache Struts web framework.
- Impact: Massive reputational damage, stock drop, and settlements worth nearly $700 million.
- Ethical/Legal Lesson: Third-party risk, i.e., negligence in maintaining open-source components. The executives were accused of insider trading (selling stock before the breach was public), a serious ethical and criminal violation.
9.3 Case Study 3: Cosmos Bank Cyber Heist (India, 2018)
- The Incident: Hackers siphoned ₹94 crore from Cosmos Bank in Pune.
- The Method: Malware was introduced to the bank’s ATM switch server. The attackers bypassed the Core Banking System (CBS), allowing them to approve thousands of fraudulent ATM withdrawals across 28 countries.
- Legal Impact: Highlighted vulnerabilities in India's banking infrastructure and the necessity of real-time fraud monitoring as mandated by RBI regulations.