Ethics in Information Security
By Milinda Wickramasinghe
Ethics
Am I comfortable appearing as a headline in a local newspaper tomorrow morning with what I am about to do?
Ethics can make a man, ethics can break a man...
ANSWER: YES. Then maybe you’re on to something good. OR you could end up in the news for committing a crime.
ANSWER: NO. Definitely you’re up to something which is not good.
Ethics
Why we need ethics in IT Security
Common unethical practices:
• Providing an incorrect opinion unprofessionally on someone / an organization via social media
• Offering incorrect information in the event of a fraud investigation
• Misusing access to an organization’s information systems
Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.
Vulnerability lifecycle
[Chart: risk plotted against time through the stages Birth, Discovery, Disclosure, Correction, Publicity, Death]
Types of disclosure
Non Disclosure
• Never disclosed to the general public
• Once a vulnerability is found it is kept as a secret and leveraged to exploit vulnerable systems and gain benefits
Limited Disclosure
• Vulnerability information is shared among a few individuals (the discloser, the vendor and possibly a third-party coordinator)
• The initial public disclosure contains the flawed product and very few details about the vulnerability
• Does not contain full technical details
• Will only be released once the vendor has fixed the flaw
Full Disclosure
• Full technical details of the vulnerability are disclosed along with the exploit code
• Without the consent of the vendor / author of the code
• The vendor is informed at the same time as the general public
Responsible Disclosure
Discovery
• The vulnerability is found by a security firm or researcher
Initial Contact
• Notify the vendor - could get the help of a 3rd party
• Set a reasonable deadline
Continued Communication
• The vendor tries to reproduce the issue; the originator should provide assistance
Patch Development
• The vendor creates patches, tests them and analyzes further for more issues
Public disclosure
• Technical details of the vulnerability are disclosed without the exploit code
Exploit Release
• Enters the scripting stage
• Tools are developed
Responsible Disclosure - Benefits for the researcher
• Write articles, blogs etc.
• Receive a bounty (Facebook White Hat)
• Build a self brand - recognition
• Acknowledgement on the vendor’s website
• T-shirts / stickers
What could possibly go wrong..?
Cyber Security Laws in Sri Lanka
• Act No 24 of 2007 - Computer Crime Act: Section I
• Unauthorised disclosure of information enabling access to a service
Convention on Cybercrime - Budapest Convention
• Sri Lanka is a fully fledged member of the Budapest Convention on Cybercrime
• The first country in South Asia
Thank you.