Exploratory Workhop "Information Security Management - in the 21St Century"

Exploratory Workhop "Information Security Management - in the 21St Century"

REGIONAL DEPARTMENT OF DEFENSE RESOURCES MANAGEMENT STUDIES THE 8th EXPLORATORY WORKHOP "INFORMATION SECURITY MANAGEMENT - IN THE 21ST CENTURY" ISSN: 2286 - 2765 ISSN-L: 2286 - 2765 COORDINATOR: Professor Habil Ph.D. eng. CEZAR VASILESCU National Defense University “Carol I” Publishing House Bucharest 2015 THE 8th EXPLORATORY WORKHOP "INFORMATION SECURITY MANAGEMENT - IN THE 21ST CENTURY" 11 June 2015 Proceedings of the workshop unfolded during the Information Security Management Course Conducted by the Regional Department of Defense Resources Management Studies 25 May – 19 June 2015 Braşov ROMÂNIA 2 of 321 C O N T E N T S 1. LEGAL AND ETHICAL ASPECTS OF INFORMATION SECURITY AND PRIVACY - Carmen FLOREA (Romania) 2. ASPЕCTS CОNCЕRNING TОR NЕTWОRK IMPLICATIОNS IN NATIОNAL SЕCURITY - Marius GHЕОRGHЕVICI (Romania) 3. SECURITY OVER PUBLIC INTERNET CHANNELS - Artem BAKUTA (Ukraine) 4. DIOFANTUS METHOD FOR DETERMINING THE PROBABILITY OF OCCURRENCE OF DAMAGE FOR BOUNDARY RISKS OF INFORMATION SECURITY - Vitalii BEZSHTANKO (Ukraine) 5. CYBERWAR-MYTH OR REALITY - Mircea TONCEANU (Romania) 6. HANDLING DESTRUCTIVE MALWARE - Denis-Nicolae FLORESCU (Romania) 7. INFORMATION SECURITY IN SWITZERLAND’S BANKS - Laura Maria SABOSLAI FOTIN (Romania) 8. STUDY ON THE PROTECTION MECHANISM TO SECURE INFORMATION EXCHANGE AND E-MAIL WITHIN AN INTRANET BASED ON PKI AND INFORMATION TECHNOLOGIES - Oleg CHIRILENCO (R. of Moldova) 9. OVERVIEW OF SECURITY IMPLICATIONS OF INTERNET OF THINGS IN MILITARY ORGANIZATIONS - Ștefan-Ciprian ARSENI (Romania) 10. SECURITY POLICIES AND AWARENESS IN THE SCHOOL ESTABLISHEMENT - Sadraoui ROSTOM (Jordan) 11. SECURITY ISSUES AND KEY MANAGEMENT IN MANETs - Marin DUMITRANA (Romania) 12. ANATHOMY OF A HACK - Suren OHANOV (Armenia) 3 of 321 13. INFORMATION SECURITY MANAGEMENT IN AN E- GOVERNMENT ENVIRONMENT - Lotfi HACHANA (Tunisia) 14. THE MANAGEMENT OF INFORMATION SECURITY - Irakli GIGILASHVILI (Georgia) 15. CRIMINAL IMPLICATIONS OF SOCIAL ENGINEERING - Liviu DOBRITOIU (Romania) 16. DARKNET - SECURITY ASPECTS - Bebe Răducu IONAŞCU (Romania) 17. NETWORK SECURITY FUNDAMENTALS - Parnaoz SHALVASHVILI (Georgia) 18. FRAMEWORK OF PERSONNEL TRAINING MAJORING IN UKRAINE - Oleksandr BAKALYNSKYI (Ukraine) 19. CYBER WAR GAMING AT NATO - Aamra NAQVI (Pakistan) 20. COMPUTER SECURITY INCIDENT HANDLING - Alzoubi FERAS (Jordan) 21. THE IMPORTANCE OF INFORMATION SECURITY AWARENESS TRAINING FOR THE EMPLOYEES OF THE ROMANIAN PRISON SYSTEM - Andreea NETEDU (Romania) 22. ANALYSIS METHODS OF PENETRATION TESTING - ZHYLIN A.V. (Ukraine) 4 of 321 LEGAL AND ETHICAL ASPECTS OF INFORMATION SECURITY AND PRIVACY Carmen FLOREA Introduction We are currently living in the so-called information age which can be described as an era were economic activities are mainly information based. This is due to the development and use of technology. The main characteristics of this era can be summarized as a rise in the number of knowledge workers, a world that has become more open, in the sense of communication and internationalization. This paradigm shift brings new ethical and juridical problems which are mainly related to issues such as the right of access to information, the right of privacy which is threatened by the emphasis on the free flow of information, and the protection of the economic interest of the owners of intellectual property. In this paper the ethical questions related to the right to privacy of the individual which is threatened by the use of technology will be discussed. Personal information is confidential for people, and it is their right not to reveal the information about themselves. However, since computer technology advanced, it is getting harder and harder to prevent privacy from being tracked. Many people are worried about losing their right to privacy and losing control of the personal information being collected by others. 1. Law and ethics in information security Ethics refers to the principles of right and wrong that individuals, acting as free moral agents, use to make choices to guide their behaviors. Information systems raise new ethical questions for both individuals and societies because they create opportunities for intense social change, and thus threaten existing distributions of power, money, rights, and obligations. Like other technologies, such as steam engines, electricity, the telephone, and the radio, information technology can be used to achieve social progress, but it can also be used to commit crimes and threaten cherished social values. The development of information technology will produce benefits for many and costs for others. Ethical issues in information systems have been given new urgency by the rise of the internet and electronic commerce. Internet and digital firm technologies make it easier than ever to assemble, integrate, and 5 of 321 distribute information, unleashing new concerns about the appropriate use of customer information, the protection of personal privacy, and the protection of intellectual property. Insiders with special knowledge can “fool” information systems by submitting phony records, and diverting cash, on a scale unimaginable in the pre-computer era. Other pressing ethical issues raised by information systems include establishing accountability for the consequences of information systems, setting standards to safeguard system quality that protects the safety of the individual and society, and preserving values and institutions considered essential to the quality of life in an information society1. Laws are rules adopted and enforced by governments to codify expected behavior in modern society. The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not. Ethics are based on cultural mores: relatively fixed moral attitudes or customs of a societal group. Many organizations collect, trade, and sell personal information as a commodity, and many individuals are becoming aware of these practices and looking to the governments to protect their privacy. In the past it was not possible to create databases that contained personal information collected from multiple sources. 1.1 Cyberlaw and crime Cyberlaw is still in its formative stages and has not kept up with the rapid progress of technology. This poses problems for law enforcement and the court systems. One of the complexities of investigating computer crimes is jurisdiction issues. If an attacker in New York bounces his traffic through three other countries and attacks a merchant in California, what law enforcement agency needs to be involved? We have moved from more traditional physical crimes to intangible crimes that are not restricted by state or country boundaries. Some countries are beginning to understand the global economic ramifications of widespread computer crime and are beginning to cooperate in investigations but many are not2. The framework for cybercrime prosecution of any kind depends on the proper investigation and collection of evidence. Therefore, CISSP-certified security professionals are expected to be fully knowledgeable of corporate security and privacy policies, and understand what is considered acceptable behavior for employees. They should be aware of pertinent laws and regulations at the state and national level, understand incident handling procedures, what constitutes computer abuse in their protection domain, and how to gather, identify and 1 http://www.prenhall.com/behindthebook/0132304619/pdf/laudon%20MIS10_CH-04%20FINAL.pdf 2 http://searchsecurity.techtarget.com/feature/Spotlight-article-Domain-8-Laws-Investigations-and-Ethics 6 of 321 control evidence. This is important not only for successful prosecution of the perpetrator, but it also shows due care and due diligence on the part of the organization to properly protect the assets of the corporation on behalf of the owners or stockholders. The CISSP exam covers these items in depth, including a list of actions that prove due care. If such steps are not taken, the company could be charged with negligence. There are differences between civil, criminal and administrative law that must be properly understood by a security professional because of the laws continual increase in importance in the industry. Many civil cases pertain to intellectual property law, which includes trade secrets, copyright, trademarks and patents, because most often the value of a corporation is embodied in these. Each has a value, which should be classified to ensure that the proper level of security is applied in their protection. Many types of laws are covered in the CISSP exam, including the implications of import and export laws and transborder information flow; privacy laws including the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Federal Privacy Act and the European Union Principles on Privacy; and general computer security laws including the Computer Fraud and Abuse Act, and the Computer Security Act of 1989. The United States began to get serious about computer security in the 1990s with the passage of Federal Sentencing Guidelines that encompass computer crimes related to fraud, antitrust and other related white collar crimes, and with passage of the Economic Espionage Act, which provided the framework that allows the FBI to investigate corporate and industrial espionage. 1.2 Romanian data protection laws Even though Romania has only been a member of the European Union since 1 January 2007, the EU Data Protection Directive 95/46/EC was implemented into national legislation in November

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    321 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us