
PROFESSIONAL ETHICS IN IT

Ms. Claire C. Raterta


Digital Postmaster
(Ethical Dilemmas)

• Viewing E-mail
• Can You Take E-mail Back?
• Spam, Spam, and More Spam
• Cyber Stalking, Threats, and Harassment
Viewing E-mail

Some businesses have strict policies regarding viewing other people’s e-mail. In many cases, e-mail is a business
record; to view an e-mail message concerning a management action is the same as pulling someone’s
employment records out of the file cabinet in Human Resources. However, the anonymity of the Internet allows us
to think that no one is looking, which can quickly lead to compromised ethics. No one suffers greater temptation in
this area than the people with system privileges, the postmaster, and the system administrators, because they
have the computer authority to view any e-mail file.

Handling Bounced E-mails


The postmaster’s main job is to get the e-mail from the legitimate sender to the legitimate receiver. The only time
the postmaster should read e-mail content is when there is an investigation authorized by law enforcement or the
internal security department. Company policy should be explicitly clear and enforced in this regard. E-mail users
have a responsibility as well; if you are sending sensitive information by e-mail, it should be encrypted with PGP or
S/MIME.

Traffic Analysis
Traffic analysis reveals surprisingly detailed information that is very private. Keep this practice limited to
authorized investigations and legitimate troubleshooting in order to preserve your users’ expectation of privacy, as
defined by company policy.
Mailing Lists
The rule of secrets is: if you tell no one, it is a secret; if you tell one other person, it possibly remains a secret; if
you tell five people, you have told the world. While some consider mailing lists “public,” not all mailing lists receive
full posting on the Internet. There is sensitive information in this type of traffic, which varies from personal
interests and hobbies to identifying with political agendas or seeking support for a medical condition. The question
is whether an employee who posts sensitive information to a mailing list is demonstrating good judgment. The
answer is “probably not.”

Stumbling Upon E-mail


Make sure you are not “stumbling into” too many e-mails from a particular person or targeted group; this is
unethical and discriminatory. If in the course of performing legitimate postmaster work, such as content filtering
or validation of a backup tape, you happen to find something illegal or abusive, you should escalate the matter.
This could include legal, security, and/or law enforcement, based on company policy. This is especially true when it
involves child pornography, which is contraband by federal law. With regards to combating spam, remember that
it is not always necessary to read the content of an e-mail to figure out whether it is spam or not, so minimize the
intrusiveness of the vetting process by reading only the e-mail header info first.
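As an added illustration of the header-only vetting step described above (example code written for this page, not part of the original slides), the Python below parses only the header section of a constructed sample message and flags spam indicators without ever loading the body. The heuristics are illustrative assumptions, not a production filter.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample, not a real message.  The body line exists only to prove
# that the triage below never touches it.
SAMPLE_MESSAGE = (
    "Received: from mail.example.net ([203.0.113.5]) by mx.example.com\r\n"
    "From: \"Account Team\" <alerts@bank.example>\r\n"
    "Return-Path: <bulk-1234@mailer.example.org>\r\n"
    "To: undisclosed-recipients:;\r\n"
    "Subject: URGENT: verify your account now!!!\r\n"
    "Date: Mon, 01 Jan 2024 12:00:00 +0000\r\n"
    "\r\n"
    "This body must not be read by a header-only vetting step.\r\n"
)

# RFC 5322: the header section ends at the first blank line.
_BLANK_LINE = re.compile(r"\r?\n\r?\n")


def header_block(raw_message: str) -> str:
    """Return only the text above the first blank line; the body is discarded."""
    return _BLANK_LINE.split(raw_message, 1)[0]


def _domain(addr_header: str) -> str:
    """Extract the lower-cased domain part of an address header value."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def triage_headers(raw_message: str) -> dict:
    """Score a message from its headers alone; the body never enters the parser.

    The indicator list is a hypothetical, illustrative set chosen for this
    example: a real filter would use many more signals and weights.
    """
    msg = HeaderParser().parsestr(header_block(raw_message), headersonly=True)
    flags = []

    if msg.get("Message-ID") is None:
        flags.append("missing Message-ID")
    if not msg.get_all("Received"):
        flags.append("no Received trace")

    # Bulk senders often use a bounce address on a different domain than From.
    sender_dom = _domain(msg.get("From"))
    bounce_dom = _domain(msg.get("Return-Path"))
    if sender_dom and bounce_dom and sender_dom != bounce_dom:
        flags.append(f"From domain {sender_dom} != Return-Path domain {bounce_dom}")

    if "undisclosed-recipients" in (msg.get("To") or "").lower():
        flags.append("undisclosed recipients")

    subject = msg.get("Subject") or ""
    if subject.upper().startswith("URGENT") or "!!!" in subject:
        flags.append("urgency / excessive punctuation in Subject")

    return {"flags": flags, "score": len(flags), "body_read": False}


if __name__ == "__main__":
    for flag in triage_headers(SAMPLE_MESSAGE)["flags"]:
        print("flag:", flag)
```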
Viewing Customer Content
Common courtesy would dictate that technical support make it explicitly known that it would
have to download attachments from the customer’s e-mail, and then let the customer decide
what to do. Minimizing the number of attachments viewed is the best solution; if the customer
knows up front, there will be no surprises and no breach of trust or privacy. Always keep in mind
the expectations of privacy that users have by default, and be sympathetic when telling them
that you have been looking through their e-mails. They might not appreciate your efforts to
“help” them if they get the “shock and awe” effect of someone looking at the contents of their e-
mail and attachments without explicit permission.

Disk Space Hogs


There is no good reason to read the CEO’s mail or anyone else’s if there is already established
policy to routinely upgrade disk space, especially if they are paying for the burden on the storage
resource. This one should not be a tough call.
Can You Take E-Mail Back?

Certain sectors have strict regulatory burdens regarding document retention. Policies in the workplace should reflect legal
requirements in terms of retention and destruction of e-mail records.

Sins of Omission
Allowing the destruction of discoverable evidence is not only unethical, it is illegal. The court may haul you in to testify as to the
document destruction procedures that normally occur and all the actions you took that day, including when you knew about the
subpoena and who you talked to about it. While this is a sin of omission, it is also unethical to rationalize not complying with legal
orders. E-mail and other electronic records now constitute the majority of discovery requests.

Morale over Safety


Make sure you understand why the Director is asking for the recall, as your assumption about his motives may be incorrect. If it
seems like the Director is just trying to bury the whole safety issue, you have a larger problem. In this specific case, recalling
e-mails may not be a regulatory compliance issue, as the contractor does not fall under the same rigid document retention laws as
those that govern the financial sector, for example. Still, your sense of right and wrong has to guide you in terms of what may be
lost in conveying important incident response information to the users in your organization. Sometimes you have to take a stand.
Spam, Spam, and More Spam

Tuning the Spam Filter


Spam has gotten so bad in the last couple of years that it is becoming more than just an
annoyance. There is ongoing research to find the best combinations of methods to weed
out the spam from the legitimate email traffic.

“Research-grade” Spam Killers and Blacklists


Spam will get worse before it gets better, but experimental software and the mail server
do not mix. Users see e-mail as one of the most critical business applications and depend
on it to convey legal, financial, and security-related messages and alerts. Not only is this
research grade “fix” bad change management, it is ethically incorrect to use software
that has not been proven in the production environment.
Cyber Stalking, Threats, and Harassment

Cyber stalking, threats, harassment, and other abusive behaviors occur through e-mail on a daily
basis. There is something about e-mail that can make otherwise timid and shy people very aggressive
and threatening. This is especially true if there is a perception of anonymity on the part of the abusive
party.

Online Stalking
Cyber stalking is a serious matter despite the fact that it is online and not facilitated by phone or snail
mail. Cyber stalking often transitions into physical stalking and can escalate into a violent workplace
incident. Even though it is “just e-mail” right now, it can have a devastating effect on the victim in
terms of mental health and productivity. Treat these cases with the same care as you would serious
harassing and stalking behavior originating offline. Also note that in some states, inaction on this kind
of victimization may become a legal problem: once the company has been notified, the victim (the user
in this case) may sue on the grounds of a “hostile work environment” if the company does nothing.
E-mail Scams
(Ethical Dilemmas)

• Monetary Gain
• Identity Theft and Scams for Personal Information
• E-mail Chain Letter
E-mail scams are rampant on the Internet and most people do not know what to
do when they receive them in their e-mail box. Unfortunately, many have fallen
victim to them. Individuals who are scam savvy just delete and forget about
them. However, some scams can fool even the most competent and aware
individual. The following is a sample of such a scam that is sure to catch
unsuspecting people off guard. In this example, the scammers pass themselves
off as the Federal Deposit Insurance Corporation (FDIC) and use real federal
government agent names.
It is imperative for e-mail and Internet users to understand exactly how thieves
steal sensitive financial information through e-mail scams. Scam artists are
ingenious at creating e-mails that sound legitimate and that also have a
psychological effect on the recipient. The psychological effect is a big part of the
scam, throwing the recipient off guard enough to respond to the scam. The
dangerous e-mail scams will request credit card information, bank account
numbers, and social security numbers. NEVER provide this information to
anyone unless you initiate the conversation. NEVER disclose this information
through e-mail.
Monetary Gain
In one sense, if an individual loses money on a scam for monetary gain, they deserve it. The reason we say that is that greed is the
number one reason people fall for these types of scams. This is nothing new; flim-flam artists have been a part of human culture
throughout recorded history. In a culture that believes in the concept of an “honorable thief,” a good defrauding might actually be
applauded. The only thing technology has changed is the number of “marks” that can be targeted per hour. However, fraud is
certainly not ethical, and even if greed was the motivator, when a senior citizen loses everything they have, it is beyond sad. Each
of us should invest the time to talk to our parents, uncles, and aunts about these types of fraud.

Help Me Move Money from My Country


Regardless of the origin of an e-mail, financial scams targeting individuals for money are morally wrong. Trying to obtain money
from others under false pretenses is morally unacceptable.

“Free Credit Report” E-mails


We have already determined that scams are unethical. This issue addresses whether they are unethical towards businesses that
market their services in the same manner. Some people may feel they are not adding any additional ethical concerns by targeting
legitimate businesses because the consumer can easily determine a false advertisement from a real one.
eBay and PayPal Scams
There is no doubt that the customers need to be more aware of scams. One way to do this is to subscribe to information security
services that periodically send warnings of new e-mail scams.
Chain Letters

• Chain letters seem to be the same whether done on paper or by e-mail. Since they
are now done by e-mail, they are an Information Technology (IT) issue, and so
we consider them here.
• Regardless of the dangers involved, whether they are minor irritations or
serious threats of identity theft, e-mail scams are unethical and have a
negative impact on the Internet and the individuals and businesses using the
Internet.
Identity Theft and Scams for Personal Information

• “Find Out Everything on Anyone” Scams
• Con Artists and E-mail Questionnaires
• Account Verification or “phisher” Scams
Information Security Officers
(Ethical Dilemmas)

• Hacking
• Penetration Tests
• Viruses and Worms
• Encryption
• Handling Network Security Information
• Ensuring Information Security on the Personnel Level
The role of the Information Security Officer (ISO) includes the responsibility of
effectively securing their organization’s data systems and information resources.
They hold the balance between security and getting the job done. Proficient ISOs
can network well and, through their communication skills, bridge the gap
between managers and systems administrators. ISOs understand the threats and
risks to the corporation and corporate technology. They identify best practices
and utilize them to protect information resources. The ISO must effectively
communicate these best practices to everyone in the organization. Finally, a
strong ISO utilizes their knowledge to create a diversified protection strategy.
Hacking

Computer hacking is a form of malicious attack whereby a person known as a “hacker” breaks into a computer
system that they are not authorized to use. This includes attempts to bypass the security mechanisms of an
information system or network for the purpose of obtaining damaging information.

Hacking for Business Warfare


When senior management makes requests that border on illegal activity, do not immediately comply. Always
consider the repercussions of any action you perform and where you stand ethically on the matter. Do not
needlessly put yourself or the company in danger or surrender your personal ethics out of pressure to keep your
job.

Giving in to Distributed Denial of Service “Hacktortionists”


Corporations give in to “Hacktortionists” for two primary reasons. Number one, the cost of recovering from a
DDoS attack is greater than the pay-off amount. Number two, the reputation of the business faces ruin in the
media if the results of such a destructive attack are released to the general public. This is especially true if the
company possesses personal data such as credit card numbers or medical information.
Hacking for Education
There is not an ethically correct reason to hack into someone else’s computer system. The only organizations that may allow their
employees to hack other systems are government or military agencies acting for the purpose of national security. In this type of
scenario, your actions may be honorable. In any other case, stay away from hacking unless you are performing authorized
penetration tests for your own company.

OS Attacks
The footprint of Microsoft software is so large that it is not clear a significant number of attackers are actually targeting them.
Although hacking another company’s computer system is unethical, there is often a round of applause when an attack on an
unethical business occurs. You must decide what sits right with you.

Cracking Screen Saver Passwords


The ISO must set an example for the rest of the company. In most cases, it would be wise to set the right ethical example by not
cracking others’ passwords. However, when you have to get the job done, you must do it at times.

Spoofing
Technologists like to outsmart each other. It is a game to them. Sometimes these games can help serve security for each other’s
organizations, and other times it just eats up valuable resources and energy. At its worst, this behavior accidentally causes
destruction.
Penetration Tests

Penetration testing is the process of ethically authorized hacking and probing of a corporation’s
information systems and networks to determine potential security weaknesses or vulnerabilities that a
malicious attacker might exploit. The penetration testing method involves an investigation of all
security features of the system in question. The penetration tester then attempts to breach security
and penetrate the system and network. The tester simulates a hacker by using the same attack
scenarios, methods, and tools as a real malicious attack. After the test, the penetration tester submits a
report on the system vulnerabilities and suggests procedures for implementation to make the system
more secure.

Testing Security Vulnerability


Trying to help the ISO by finding weaknesses can cause more damage than it prevents. It is better to
avoid “helping” the ISO, since they are the experts, not you. If you do find a security weakness,
immediately bring it to them. Never launch malicious code at your own company for any reason,
even if your intentions are good.
Appropriate Hacking to Determine Weaknesses
Assessing the security of the systems you are responsible for as the ISO is a challenging job. Be certain
you know exactly what you are doing when you hack into the system. If you are a novice, take it slow or
leave the job to an experienced professional who can perform penetration tests without putting the
system at risk. If you feel the knowledge you have is sufficient, perform basic tests on your system.
Start by running these tests in the test or development environment, not in production.

Failure of Penetration Testing Software


Trust in any single tool is a recipe for disaster. Not all vulnerability assessment software tools meet the
mark; some are better than others, and none are close to perfect. Make sure you thoroughly research a tool
prior to purchase. Do not place the security of the information systems you are responsible for in the
hands of marketing hype. Take your time and shop around, ask questions, call references, and really
know what you are buying so that you have the peace of mind that it is an effective solution to the
information security needs of your business. When it comes to protecting corporate resources, it is
always good to double up and use both a tool and human resources, especially in the case of penetration
testing.
Viruses and Worms

Viruses and worms are forms of malicious code designed to disable or destroy information
systems. There are many types of viruses and worms. In addition, programmers launch new ones on a
daily basis. Some, such as Code Red, are devastating, while others are just a nuisance. Spam is also a
form of malicious code, which has grown significantly due to its marketing potential.

Virus Development for Profit


Writing code that throws spam into e-mail boxes is not an honorable job, but it is not completely
unethical either, unless it causes damage to the recipient’s system. After all, we have lived with cold
calling and door-to-door salespeople and we will probably all live with spam to some extent. Laws also
vary from country to country, and therefore, spam may be an acceptable part of business in some
countries, and no one has the right to stop that.

Bounty Hunters for Virus Writers


The ethical result of bounty hunters will determine if the human and financial resources are worth it. It
may just be a waste of time and energy; then again, it may be a powerful deterrent in the war against
malicious attacks.
Acceptable Virus Tolerance Level
The acceptable tolerance level that an ISO needs to set for an administrator is dependent on the
factors involved. If attacks on the system occur daily and all other corporations are having the
same problem because of a new virus, it may not be the fault of the administrator. However, if
your company is the only one affected by these attacks, you need to reassess overall security and
the qualifications of the administrator responsible for virus prevention.

Viruses and Due Diligence


Due diligence can work in the administrator’s favor or against him. If he did due diligence
and your company was still the only one under such heavy virus attack, his best is not
good enough. However, if everyone in the industry is facing these attacks and he did due
diligence, your company may not suffer as greatly as other companies, and the administrator
deserves a pat on the back. The correct ethical response is relative to the full details of the
circumstance.
System Crashes
Determining fault is very tricky when it comes to technology. Very few people understand the complexities of
technology and how malicious attacks affect computers. If you try to explain this circumstance to a non-technical
user, they may not be able to grasp what happened and since they cannot understand it, they just presume you
messed up somehow. You made a mistake by formatting the hard drive without really covering your bases; it left
you open to take the fall. The executive made many mistakes: obtaining the virus and then blaming you. If you still
have your job, set up formal procedures where you obtain a signature on a sign off sheet when you must reformat
someone’s hard drive. In the future, this will relieve you of the painful consequences.

Attacking Attackers
ISOs need to use many different tactics when addressing security breaches. In most cases, going on the offense is
not a good idea because you could end up in legal trouble. However, there may be instances where you find it is
your only option.

Bypassing Alerts
In the above ethical dilemma, both the vendor and the ISO are at fault: the vendor because their tool is
decidedly tedious and generalized, and the ISO because they were lazy.
Encryption

Encryption is the procedure of encoding or scrambling plaintext data to make it difficult for anyone
other than the intended receiver to see the original data sent. The complexity of the encryption
algorithm used determines the level of protection provided. Encryption protects e-mail, secure on-line
transactions, File Transfer Protocol (FTP) sites, and much more.

Backup Keys
Staying abreast of the most recent requirements in information security is a tiring job but necessary to
protect your company. Always keep current on the most recent tools such as key backup and recovery
systems that will protect your company.

VPN Encryption
For the most part, avoid using corporate resources, especially information security resources, for
personal means. In some cases, you or others may determine it is unethical. In most cases, it is simply
not smart.
Sending Unencrypted Documents
You may witness employees making the mistake in this issue but it is not one that the Information Security Professional should ever make.

Victim of Industrial Espionage


Ethically speaking you should have properly prepared the CEO and all of the employees in the company for this type of scenario. The CEO was wrong
and you were too in failing to properly educate him on the security requirements of information technology.

Is Industrial Espionage Ethical?


Industrial espionage is the practice of stealing data and ideas from another corporation, which is quite common. All businesses need to guard their
computers, sensitive documents, personnel, and offices from this type of behavior.

Law Enforcement and Viewing Irrelevant Data


You should always attempt to secure the network to the best of your ability. This includes contingency plans for the security of the encrypted
information even in a case such as mentioned above.

Selling Encryption Tools Globally


Whenever you develop tools for information security, be certain to do research on the legalities of those tools. Since the laws are still catching up to
the rapid advancement of IT, new ones are passed daily that affect your business. Run all new information security developments through legal
counsel prior to placing them on the market for the general public, especially before you go global with a tool.
Handling Network Security Information

Network security information is the reporting of security information and weaknesses, such as malfunctions and
intrusions, that affect the security of the network. This section discusses ethical issues concerning the reporting of
software failures that cause a breach in security, and stealth sniffers monitoring corporate networks. In both
cases, awareness is key. The ISO has the demanding responsibility to ensure that all employees are aware of the
corporate security policy and that all systems are closely monitored and remain secure.

Software Malfunctions
ISOs should provide adequate security awareness so that an issue such as this one does not arise. If the employee
was previously made aware of the security implications and still failed to report the incident, they are in breach of
their ethical responsibility to the corporation.

Stealth Sniffer
The ISO must assume responsibility for all security breaches. They must also further improve the system to
prevent them. Running a sniffer may be unethical on the part of the person doing it; however, you as the ISO fall
into the realm of unethical behavior if you do nothing to remediate the situation.
Ensuring Information Security on the Personnel Level

ISOs also hold responsibility on the personnel level. Issues such as lying to clients about the integrity of
information security fall under the realm of the ISO. Other ethical dilemmas discussed in this section
include sex in the workplace caught on security tape, handling evidence, and security reprimands.

Lying to Clients Regarding Corporate Security


Marketing hype often exaggerates the environment of information systems. An ISO needs to be strong
in their influence on the communications distributed by marketing and other departments. The ISO
must ensure that nothing is communicated that will come back to haunt the company because it is
grossly inaccurate.

Sex in the Work Place – How to Handle It?


An ISO needs to be ready to deal with personnel security incidents as well as computer-related ones. It
is always better to do everything by the book. However, some incidents may be too embarrassing to
address according to policy. Choose what feels ethically correct to you when these incidents occur.
Handling Evidence on Personnel
Erasing security tapes is not a good idea under any circumstances. This is a difficult
situation that the couple put themselves in, not you. Being forced into this type of
circumstance will test your resolve in protecting the corporate assets according to policy
with integrity.

Security Reprimands, Contractors vs. Personnel


Contractors do not tend to remain at a company for a long period of time due to the
nature of their work. You may want to allow the contractor to finish their contract and
not renew it. A corporation does not have as much of a commitment to a contractor. To
avoid future problems with this couple, the contractor may end up sacrificed.
