Friday, January 29, 2010

∞ What You Need to know...∞

___________________________________________________________


      As posted by Erwin A. Alampay, Ph.D. and Ma. Regina M. Hechanova, Ph.D., contributors to the Philippine Daily Inquirer, on the issue “Monitoring employee use of Internet: Employers’ perspective”: “The emergence of new and emerging information and communication technologies can no longer be ignored by organizations. Whether organizations provide it on their own or not, people are bringing these technologies to the workplace.”

  According to Bahaudin Mujtaba (D.B.A. with International and Human Resource Management specialties) of Nova Southeastern University, Employee monitoring, due to the increase in cyber loafing and lawsuits, has become more widespread and much easier with the use of new and cheaper technologies. Both employers and employees are concerned with the ethical implications of constant monitoring. While employers use monitoring devices to keep track of their employees’ actions and productivity, their employees feel that too much monitoring is an invasion of their privacy. Thus, the ethics of monitoring employees is explored and current practices are discussed. This document further provides suggestions for reducing cyber loafing and encourages institutions to create and effectively communicate ethical standards for employee monitoring in their firms. The author has included actual samples of employees’ perceptions and feelings from the surveys and discussions on being monitored.

The Ethics of Employee Monitoring

   Employee monitoring has emerged as a necessity and yet as a very controversial issue due to the complexity and widespread use of technology. Employee monitoring is the act of watching and monitoring employees’ actions during working hours using employer equipment/property (Raposa & Mujtaba, 2003). Employers are concerned with proper employee behavior and Code of Conduct compliance in relation to their industries and related organizations. While more and more employers are using monitoring devices to check or keep track of their employees’ actions, some employees feel that too much monitoring is an invasion of their privacy. Thus, the ethics of monitoring employees is explored and the ethical dimensions of this issue are presented in order to provide a full picture of this practice. Furthermore, throughout the document there are discussions about the future evolution of employee monitoring with the emergence of new technology.


The Emergence of New Technology and Explosion of the Internet

  Lim (2002) mentioned that, “anecdotal evidence suggests that the Internet is a double-edged sword which companies should deploy freely to employees with caution.” While the Internet is the best thing that has happened since “sliced bread”, it is also the biggest international playground for adults of all hobbies. A survey of 1,000 American workers revealed that 64% of those with Internet access tend to use it for personal interests during working hours. A question to start with is “can technology change or influence our sense of values, morals, or ethics?” The answer would be yes, since technology can influence our actions and behaviors, as it already has in many cases. Actions and behaviors, in turn, tend to form our values, ethics and ultimately our character.

  We all live in a technologically advanced world in which informed and just decisions have to be made about very technical and enormously complicated issues. One major concern that has been voiced repeatedly regarding technological advances is the use of the Internet and privacy issues.

  Anyone (at work or home) who uses your computer or has access to it can find out how you have been using it. Every time you use the Internet your Internet activities are being recorded, and every picture you've seen while you are on-line is probably copied to your computer’s hard drive and to connected servers. For example, every website you've visited on-line is often recorded in a hidden file in Windows and is usually added to your drop-down list. Even your homepage could be changed, and you can be tracked from anywhere in the world.
  There are however legitimate individuals in many firms that are required to surf the net to check out the industry, their customers, their suppliers, their competitors and so on. One example would be “Shared Software” authors that write software and then share their work over the Internet, more or less for free. While technicians and group support system facilitators often fill formal roles within organizations, the role of shared software authors is less defined and often falls completely outside of formal organizational boundaries. Their role is bounded by the needs created by new technology, is played out over electronic communication networks, and is exemplified by demonstrations of commitment. Their role in the social exchange of information over the Internet and World Wide Web has not changed much over the last few years, but their influence on society has increased along with the influence of the Internet and the World Wide Web. Shared software authors are a unique set of people whose behavior is not easily explained with conventional models.

Employers’ Perspective on Monitoring

  Various researchers have suggested that industries could be wasting up to one billion dollars each year because of Internet surfing for non-job related activities. Others estimate the cost to the American economy could be as high as 63 billion dollars each year for cyber loafing. Cyber loafers need not be absent from their offices or desks since the computer provides them the world’s biggest playground and personal work opportunities. Lim (2002) states that cyber loafers in their virtual travels away from the office “may—unwittingly or otherwise—visit sites which expose the organization to legal liabilities and to the dangers posed by computer viruses.” Lim goes on to say that “cyber loafers may pose a greater threat to the organization relative to the other types of loafers, in terms of productivity losses and cost incurred.” Besides such losses, employers are greatly concerned with sensitive and confidential information being sent outside of the company to its competitors, vendors, suppliers, and customers, thereby harming the company. According to Gahtan’s (1997) article titled “Monitoring Employee Communication”, there have been instances where employees were sending confidential information and corporate trade secrets through an employer’s e-mail systems to other employees or friends. Furthermore, employees have been caught using an employer’s Internet facilities to start and/or operate their own businesses while on the job. Gahtan offers further reasoning for employee monitoring by stating, “…employers may also find that they could be held liable for e-mail or Internet-related activities of their employees” regardless of whether or not the employer was aware of such activities. Gahtan offers recent lawsuits as excellent reasons for employer concern.

__________________________________________________________

References:

Philippine Daily Inquirer, pp. B2-3, retrieved on January 28, 2010.
Bahaudin Mujtaba, D.B.A. (International and Human Resource Management specialties), Nova Southeastern University.

Thursday, January 14, 2010

Case studies: Computer Security Under Attacks



Case 1: The Wake County Transportation Fraud

During a 2 and 1/2 year period, certain employees of the Wake County School Board in Raleigh, North Carolina, conspired with employees of Barnes Motor & Parts Co., based in Wilson, NC, to divert over $4.8 million through the use of fraudulent invoices in order to receive various kick-backs. Examples of items received included personal items such as automobiles, campers, golf carts and plasma-screen televisions. The scheme succeeded despite apparently strong internal controls, such as a bid limit of $2,500. At the time, the School Board employed only one internal auditor. Although the auditor had audit software which should have easily detected these unusual patterns, it was either not used or misapplied. There were numerous red flags that were not noticed. The story received wide press. [1]
Once the School district fired the employees and an investigation was performed, $4.8 million was recovered from Barnes and the former employees. Some of the employees involved received jail sentences, and returned at least some of the property stolen. Harold Ray Estes was sentenced to 11 – 15 years and fined $500,000. [2]. Vern Hatley, the Transportation Director, is serving a sentence of seven to ten years. Carol Dail Finch received a sentence between five years ten months and seven years nine months.
Once the fraud was discovered, an audit was performed and the report is available in the Summerford audit report.

Case 2: Illegal Data Mining

The owner of Snipermail, a business that distributes advertisements via the Internet to e-mail addresses on behalf of advertisers or their brokers, was indicted for conspiracy, unauthorized access of a protected computer, access device fraud, money laundering and obstruction of justice.
It was alleged that Scott Levine and other Snipermail employees illegally accessed a computer database owned and operated by Acxiom Corporation, a company that stores, processes, and manages personal, financial, and corporate data on behalf of its clients. On numerous occasions, Levine and others illegally entered an Acxiom file transfer protocol (ftp) server and downloaded significant amounts of data. The intrusions were traced back to an internet protocol address that belonged to one of Snipermail’s computers. The downloading of the databases lasted for a period of a year and a half and represented 8.2 gigabytes of data. While the stolen data contained personal information about a great number of individuals and could have resulted in tremendous loss if the information were used in a fraudulent way, there was no evidence to date that any of the data was misused in this way. Acxiom immediately notified law enforcement upon discovery of the intrusions into its system and assisted with the investigation, which was conducted by a task force formed by the Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS).

Case 3: The Melissa Worm

David L. Smith, a 31-year-old New Jersey programmer, was accused of unleashing the “Melissa” computer virus, a Visual Basic for Applications based worm.[1] This virus was propagated by deliberately posting an infected document to an alt.sex usenet newsgroup from a stolen AOL account. It is believed that Smith named the virus after a stripper he had known in Florida. He constructed the virus to evade anti-virus software and to infect computers using Microsoft Windows and Word programs. The Melissa virus appeared on thousands of email systems on March 26, 1999, disguised as an important message from a colleague or friend. The virus was designed to send an infected email to the first 50 email addresses in the user’s Microsoft Outlook address book. Each infected computer would infect 50 additional computers, which in turn would infect another 50 computers. The virus proliferated rapidly and exponentially, resulting in substantial interruption and impairment of public communications and services. Many system administrators had to disconnect their computer systems from the internet. Companies such as Microsoft, Intel, Lockheed Martin and Lucent Technologies were forced to shut down their e-mail gateways due to the vast amount of email the virus was generating. To date, the Melissa virus is the most costly outbreak, causing more than $400 million in damages to North American businesses.
Smith was one of the first persons ever to be prosecuted for writing a virus. He was sentenced to 20 months in federal prison and a fine of $5,000. He was also ordered to serve three years of supervised release after completion of his prison sentence.
The investigation was conducted by members of the New Jersey State Police High Technology Crime Unit, the Federal Bureau of Investigation (FBI), the Justice Department’s Computer Crime and Intellectual Property Section, and the Defense Criminal Investigative service.

Case 4: Malicious Systems Admin at UBS

A disgruntled computer systems administrator for UBS PaineWebber was charged with using a "logic bomb" to cause more than $3 million in damage to the company's computer network, and with securities fraud for his failed plan to drive down the company's stock with activation of the logic bomb. Roger Duronio is charged in one count of securities fraud which carries a maximum penalty of 10 years in federal prison and a $1 million fine and one charge of computer fraud which carries a maximum prison sentence of 10 years and a fine of $250,000 or, alternatively, two times the gain made by the defendant or the loss suffered by the victim.

Duronio, who worked at PaineWebber's offices in Weehawken, N.J., planted the logic bomb in some 1,000 of PaineWebber's approximately 1,500 networked computers in branch offices around the country. The logic bomb, which was activated after Duronio resigned, deleted files on over 1,000 of UBS PaineWebber's computers. It cost PaineWebber more than $3 million to assess and repair the damage. Duronio also purchased more than $21,000 of "put option" contracts for the stock of UBS PaineWebber's parent company, UBS A.G., hoping that the stock would decline in response to the damage caused by the logic bomb. The bomb attack did not have any impact on the price of the stock.

The investigation of Duronio was conducted by the U.S. Secret Service’s Electronic Crimes Task Force with help from UBS PaineWebber.


Case 5: Unauthorized Access at North Bay

Jessica Quitugua Sabatia, a former accounts payable clerk for North Bay Health Care Group, admitted to using her computer to access North Bay’s accounting software without authorization, and in turn issued various checks payable to herself and others. Several of the checks were cashed by Sabatia or deposited into her personal bank account, and some were deposited into the bank accounts of others. She attempted to conceal the fraud by altering the electronic check registers of North Bay to make it appear as if the checks had been payable to the company’s vendors. The fraudulent scheme resulted in losses to North Bay of at least $875,035.

On May 27, 2004, Sabatia pleaded guilty to two counts of computer fraud, and faces a maximum sentence of five years in prison and a $250,000 fine.

_______________________________________________________________

Reference:

 http://en.wikipedia.org/wiki/Computer_fraud_case_studies

↘ Types of Attacks ↙

According to Information Security System, an attack is an intentional or unintentional attempt to cause damage to or otherwise compromise the information and/or the systems that support it. If someone casually reads sensitive information not intended for his or her use, this is considered a passive attack. If a hacker attempts to break into an information system, the attack is considered active. If a lightning strike causes a fire in a building, the attack is unintentional.

There are too many types, methods and mechanisms of attack to provide a comprehensive description of all of them. New attack techniques and exploits are constantly being developed and discovered.
One of the main advantages of KFSensor is that it assumes all connections made to it are malevolent, as there is no legitimate reason to connect to its simulated servers. Because of this it is effective at detecting unknown attack techniques as it does not rely on signature databases of known attacks.
This section provides an introduction to some of the types and techniques used to attack and compromise a system.

The perpetrators

Ultimately all attacks are originated by people with a motivation to steal, cause vandalism, prove themselves to be elite hackers, or just for the thrill it gives them. Most attacks are actually performed by automated tools that such people release on the Internet.

· Virus

Computer viruses have a long history. A virus attempts to install itself on a user's system and to spread directly to other files on that system with the aim that these infected files will be transferred to another machine. The payload of a virus can range from 'comical' pranks to destruction of the system itself.
A virus relies on users to spread by sharing infected files either directly or via email. Once launched, a virus is completely independent of its creator.
Although the most common threat to security, the traditional virus does not attack other systems directly and so is unlikely to be detected by KFSensor.

· Worm

A worm is very similar to a virus. The key difference is that a worm attempts to propagate itself without any user involvement. It typically scans other computers for vulnerabilities which it is designed to exploit. When such a machine is identified, the worm will attack that machine, copying over its files and installing itself, so that the process can continue.
KFSensor excels at detecting worms as they scan and attempt to attack very large numbers of systems at random.

· Trojan

Trojans take their name from the trojan horse of Greek mythology.
Computer trojans work in the same way. A game, screen saver or cracked piece of commercial software is given to a victim. The software may appear to work as normal, but its real purpose is to deliver a payload, such as a virus or a root kit.

· Root Kit

A root kit is a piece of software that once installed on a victim's machine opens up a port to allow a hacker to communicate with it and take full control of the system. Root kits are also known as back doors. Some root kits give a hacker even more control of a machine than a victim may have themselves.
The SubSeven root kit allows an attacker to turn off a victim's monitor, move the mouse and even turn on an installed web cam and watch the victim without their knowledge.

· Hybrids

Often malware is a dangerous hybrid that can combine the features of the different classifications described above. The SubSeven root kit is delivered and classified as a trojan.

· Scanners

Scanners are tools designed to interrogate machines on the Internet to elicit information about the types and versions of the services that they are running. There are a variety of scanners, some just ping for the presence of a machine, others look for open ports, while others are more specialized in looking for vulnerabilities of a particular type of service, or the presence of a root kit. Scanners are often incorporated into other malware such as worms.
Scanners are a favorite tool of a hacker, but are just as useful to security professionals trying to detect and close down system vulnerabilities. KFSensor detects scanners and is effective at misleading them.

· Hacker

Hacker, H4x0r5, crackers and black hats are all terms for those individuals that KFSensor is ultimately designed to detect and offer protection from. The term hacker is used in this manual to cover all such individuals.
Direct, or manual, actions by a hacker are much rarer than the attacks launched by the tools described above. Hackers usually only attack a system directly once it has been identified as vulnerable or has already been exploited by an automated tool.

Denial of Service (DoS)

A denial of service attack is a simple, but often extremely effective, attack that is difficult, if not impossible, to prevent. The goal of a denial of service attack is to deny access to your particular services, effectively preventing your organization from operating. A denial of service could be launched against any part of your Internet connectivity and network infrastructure.

Flood Pings
An attacker could target your Internet connection, for example, with a DoS attack. By sending a simple flood ping, which barrages the target with ICMP Echo Request packets as fast as possible without waiting for replies, an attacker can cause more traffic than your Internet connection is capable of handling. This effectively prevents you from receiving or replying to legitimate requests. (ICMP is the Internet Control Message Protocol which is used to report errors to devices, usually routers. An echo request packet asks for an ICMP reply; sent continuously, your machine will get bogged down sending ICMP replies.)

Mail Bombing
Another type of Denial of Service attack can be caused by mail bombing, in which an attacker targets your email system by sending overly large email messages to users such as postmaster or Webmaster. This not only affects your Internet connection bandwidth, but also your mail server's capability to handle other email. An attack such as this could easily fill up your mail server's mail store drive, preventing you from sending or receiving new email.

TCP SYN Scan
Another common type of attack is the TCP SYN attack. Typically, when a TCP connection is initiated, the sending machine sends a SYN request, which is acknowledged by the recipient machine with an ACK, and the sending machine responds itself with an ACK. This three-way handshake sets the stage for a normal TCP connection.
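As an added example (not code from the KFSensor manual or any other source cited on this page), the following Python detector applies the two descriptions above to a constructed connection log: it counts ICMP echo requests per source in a sliding one-second window to spot a flood ping, and it tracks each TCP handshake through the client's SYN, the recipient's reply and the client's final ACK, reporting clients that leave many connections half-open. The log format, addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed log lines (not captured traffic), one event per line:
#   "<t_seconds> <src> <dst> icmp <echo_request|echo_reply>"
#   "<t_seconds> <src> <dst> tcp <sport> <dport> <SYN|SYN-ACK|ACK>"
# SYN-ACK is the conventional name for the recipient's acknowledgement of a SYN.
SERVER = "192.0.2.10"

def constructed_log():
    lines = []
    # A normal host pings the server three times, one second apart, and gets replies.
    for i in range(3):
        lines.append(f"{100 + i:.3f} 198.51.100.7 {SERVER} icmp echo_request")
        lines.append(f"{100 + i + 0.01:.3f} {SERVER} 198.51.100.7 icmp echo_reply")
    # Flood ping: 200 echo requests inside one second, never waiting for replies.
    for i in range(200):
        lines.append(f"{100 + i * 0.005:.3f} 203.0.113.9 {SERVER} icmp echo_request")
    # A normal client completes the three-way handshake on port 80.
    lines += [f"101.000 198.51.100.7 {SERVER} tcp 51000 80 SYN",
              f"101.020 {SERVER} 198.51.100.7 tcp 80 51000 SYN-ACK",
              f"101.040 198.51.100.7 {SERVER} tcp 51000 80 ACK"]
    # Half-open connections: 40 SYNs that are answered but never acknowledged.
    for i in range(40):
        sport = 40000 + i
        lines.append(f"{102 + i * 0.01:.3f} 203.0.113.77 {SERVER} tcp {sport} 80 SYN")
        lines.append(f"{102 + i * 0.01 + 0.002:.3f} {SERVER} 203.0.113.77 tcp 80 {sport} SYN-ACK")
    return lines

def parse_line(line):
    t, src, dst, proto, *detail = line.split()
    ev = {"t": float(t), "src": src, "dst": dst, "proto": proto}
    if proto == "icmp":
        ev["type"] = detail[0]
    elif proto == "tcp":
        ev["sport"], ev["dport"], ev["flag"] = int(detail[0]), int(detail[1]), detail[2]
    return ev

def detect_ping_flood(events, window=1.0, threshold=50):
    """Return {src: peak echo requests per window} for sources above the threshold."""
    recent = defaultdict(deque)   # src -> timestamps of echo requests still in the window
    peak = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["proto"] != "icmp" or ev["type"] != "echo_request":
            continue
        q = recent[ev["src"]]
        q.append(ev["t"])
        while q and ev["t"] - q[0] > window:   # drop requests older than the window
            q.popleft()
        peak[ev["src"]] = max(peak[ev["src"]], len(q))
    return {src: n for src, n in peak.items() if n > threshold}

def detect_half_open(events, threshold=20):
    """Follow each handshake (SYN -> SYN-ACK -> ACK); return {client: count} of
    connections that never reached the client's final ACK, above the threshold."""
    state = {}   # (client, server, sport, dport) -> last handshake step seen
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["proto"] != "tcp":
            continue
        if ev["flag"] == "SYN":
            state[(ev["src"], ev["dst"], ev["sport"], ev["dport"])] = "SYN"
        elif ev["flag"] == "SYN-ACK":
            # The reply travels server -> client, so swap the ends back to the client's view.
            key = (ev["dst"], ev["src"], ev["dport"], ev["sport"])
            if state.get(key) == "SYN":
                state[key] = "SYN-ACK"
        elif ev["flag"] == "ACK":
            key = (ev["src"], ev["dst"], ev["sport"], ev["dport"])
            if state.get(key) == "SYN-ACK":
                state[key] = "ESTABLISHED"
    half_open = defaultdict(int)
    for (client, _server, _sport, _dport), step in state.items():
        if step != "ESTABLISHED":
            half_open[client] += 1
    return {c: n for c, n in half_open.items() if n >= threshold}

def analyze(lines):
    events = [parse_line(line) for line in lines]
    return {"ping_flood": detect_ping_flood(events),
            "syn_half_open": detect_half_open(events)}

if __name__ == "__main__":
    for kind, hits in analyze(constructed_log()).items():
        for src, n in hits.items():
            print(f"{kind}: {src} ({n})")
```

The normal host and client are not reported, since three pings per second and one completed handshake stay below both thresholds.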

An example of putting it all together

The following description explains how everything described above came together to produce one of the most dangerous and destructive Internet attacks.

Code Red
The Code Red worm first attacked on 18 June 2001. It exploited a buffer overflow vulnerability in the Microsoft Internet Information Server's ISAPI Index Server filter. Even though a patch for this exploit had been released by Microsoft some time before, many administrators had not updated their systems. Once infected with Code Red, a system would scan the Internet searching for un-patched IIS installations and infect them using the buffer overflow. Due to the ineffective way in which Code Red generated random IP addresses to scan it did not spread as rapidly as it could have done.

Code Red II
A new variant, named Code Red II, quickly emerged a month later on 19 July 2001. This had a much better mechanism for selecting random IP addresses and managed to infect 359,000 servers within 14 hours of its release.

Code Red III
Code Red evolved again, by 4 August 2001 its payload was more destructive. It re-configured the web server to allow access to the entire disk drive and installed a trojan.

Nimda
The vulnerability opened by Code Red laid thousands of servers open to further attack by hackers and by a new worm called Nimda that emerged on 18 September 2001.
The Nimda worm is a true hybrid, managing to spread via the vulnerabilities caused by Code Red, but also via a vulnerability in Microsoft Outlook and ASP files and via mis-configured network shares.

___________________________________________________

Reference:

http://www.keyfocus.net/kfsensor/help/Concepts/con_TypesOfAttacks.php
http://www.comptechdoc.org/independent/security/recommendations/secattacks.html
Introduction to Information Security. Information Security Terminology, page 30.

Tuesday, December 29, 2009

→ World of Ethics ←



What is Profession?

A profession is a task and responsibility given to a person who is capable of doing things professionally and does not let his/her feelings hinder the job.

What is Professional?

Professionals are people who can do things according to what they ought to, and who have studied in their field.
According to The Merriam- Webster’s Dictionary, “Professional is one that engages in activity professionally.”

Am I an IT Professional?


After I graduate, I can say that I am a professional. Maybe because I graduated from a four-year degree course. But in other conversations, an IT professional is about working proficiency. Every day, people use computers in new ways. Computers are increasingly affordable; they continue to be more powerful as information-processing tools as well as easier to use. According to the Capella University web site, “the profession of Information Technology studies the design, development, implementation, support or management of computer-based information systems, particularly software applications and computer hardware. Moreover; information technology is the capability to electronically input, process, store, output, transmit, and receive data and information, including text, graphics, sound, and video, as well as the ability to control machines of all kinds electronically.”
This is also among the top five of the 10 fastest-growing professions that require bachelor's degrees. In my position I take advantage of a wide range of opportunities with this Information Technology bachelor's degree, designed to build both technical and business skills, a combination that is increasingly valued by today's employers. Through my choice of electives, I can design a broad program that touches on several IT disciplines or narrow my focus to deepen my knowledge in one area of information technology, including networking, Web development, project management, or information security. People who choose this profession are often pursuing entry- or senior-level technical specialist positions in a variety of IT-related fields.
And according to the European Journal of Information Systems, “IT professionals perform a variety of duties that range from installing applications to designing complex computer networks and information databases. A few of the duties that IT professionals perform may include data management, networking, engineering computer hardware, database and software design, as well as the management and administration of entire systems.”

I can say that IT professionals respond to the demands of people regarding the development of life, raising it to a new level using modern technology that interrelates with the quality of life.


What Certification would you like to achieve?


Certified Wireless Network Professional and Certified E-Commerce Consultant IT certifications.