Module 3 - 01-2 Flashcards
Ethics in Cybersecurity
Define Security Ethics
Guidelines for making appropriate decisions as a security professional
Explain Ethics as a security professional
- Ethically, as a security professional, your job is to remain unbiased and maintain security and confidentiality.
- Your responsibility and obligation are to adhere to the policies and protocols you’ve been trained to follow.
- Security teams are entrusted with greater access to data and information than other employees.
- Security professionals must respect that privilege and act ethically at all times.
- You should never abuse the access you’ve been granted and entrusted with.
What are some Ethical Principles (3)?
1) Confidentiality;
2) Privacy Protections;
3) Laws
Define Confidentiality
Only authorized users can access specific assets or data
How does Confidentiality apply to ethics?
- As a security professional, you’ll encounter proprietary or private information, such as PII. It’s your ethical duty to keep that information confidential and safe.
- There needs to be a high level of respect for privacy to safeguard private assets and data.
- Ethical violations can result in serious consequences, including reprimands, the loss of your professional reputation, and legal repercussions.
Define Privacy Protection
Safeguarding personal information from unauthorized use
How does Privacy Protection apply to ethics?
As a security analyst, your role is to follow the policies and procedures set by your company.
Define Law
Rules that are recognized by a community and enforced by a governing entity
How does Law apply to ethics?
As a security professional, you will have an ethical obligation to protect your organization, its internal infrastructure, and the people involved with the organization.
How to apply Law to Ethics (4)?
- You must remain unbiased and conduct your work honestly, responsibly, and with the highest respect for the law.
- Be transparent and just, and rely on evidence.
- Ensure that you are consistently invested in the work you are doing, so you can appropriately and ethically address issues that arise.
- Stay informed and strive to advance your skills, so you can contribute to the betterment of the cyber landscape.
True or False?
In the U.S., deploying a counterattack on a threat actor is illegal.
True
- In the U.S., deploying a counterattack on a threat actor is illegal because of laws like the Computer Fraud and Abuse Act of 1986 and the Cybersecurity Information Sharing Act of 2015, among others.
- You can only defend.
- The act of counterattacking in the U.S. is perceived as an act of vigilantism.
- The only individuals in the U.S. who are allowed to counterattack are approved employees of the federal government or military personnel.
Define Vigilante
A person who is not a member of law enforcement who decides to stop a crime on their own
Define Hacktivist
A person who uses hacking to achieve a political goal.
The political goal may be to promote social change or civil disobedience.
What does ICJ stand for?
The International Court of Justice (ICJ)
What is the ICJ’s standpoint on counterattacks (4)?
A person or group can counterattack if:
* The counterattack will only affect the party that attacked first.
* The counterattack is a direct communication asking the initial attacker to stop.
* The counterattack does not escalate the situation.
* The counterattack effects can be reversed.
Scenario:
You work for a hospital as a security analyst.
One day, you log into your work computer and see a ransom note displayed on your screen. Access to files and applications is locked.
You realize this is a ransomware attack.
Response:
* Initiate a counterattack
* Use a self-developed decryptor tool to stop the attack
* Immediately contact your supervisor
* Contact government agencies for assistance
Immediately contact your supervisor
Ethical principles dictate that you follow the law as well as the standards and procedures established by your organization.
Scenario
A doctor you work with claims to have laptop performance issues, so you try to identify the problem.
As you’re working, you notice the doctor’s laptop has unsecured patient files visible on-screen instead of within the medical practice’s secure software.
Response:
* Immediately secure the patient files
* Submit a formal complaint to Health and Human Services
* Publicly shame the doctor for not following proper procedures
* Assume the doctor knows about the issue and do nothing
Immediately secure the patient files
Unsecured patient files violate compliance standards, legal security ethics, and HIPAA regulations.
Scenario
You work for a medical device company as an entry-level security analyst.
Your supervisor has asked you to securely dispose of old developer laptops, and tells you they may contain PII (personally identifiable information).
Response:
* Take the laptops home and perform a factory reset
* Dispose of the laptops without properly erasing the data
* Store the laptops in an area designated for old equipment
* Remove the laptop hard drives and irreversibly erase all data
Remove the laptop hard drives and irreversibly erase all data
Ethical standards dictate that PII data must be properly removed from decommissioned devices.
Scenario
You work as an entry-level analyst for a pharmaceutical company.
You receive SIEM tool alerts about unusual employee activity.
You check their account activity and observe them copying confidential files to an external folder linked to an unknown destination.
Response:
* Confront the user directly regarding non-compliance with internal ethical standards
* Tell your supervisor and take no other action
* Follow provided procedures to address the issue.
* Report the incident to the company’s security personnel
Follow provided procedures to address the issue.
The ethical response is to follow the organization’s procedures to address the issue and maintain confidentiality.
An employee trained to handle PII and SPII leaves confidential patient information unlocked in a public area. Which ethical principles does this violate? Select all that apply.
Privacy protections
Laws
Remaining unbiased
Confidentiality
Privacy protections
Laws
Confidentiality
This violates laws, confidentiality, and privacy protections.
Privacy protection means safeguarding _____ from unauthorized use.
personal information
compliance processes
documentation
business networks
personal information
Privacy protection means safeguarding personal information from unauthorized use. Ensuring user permissions are correct helps prevent individuals from accessing protected information that they are not authorized to access.
You receive a text message on your personal device from your manager stating that they cannot access the company’s secured online database. They’re updating the company’s monthly party schedule and need another employee’s birth date right away. Your organization’s policies and procedures state that employee information should never be accessed or shared through personal communication channels. What should you do?
- Request identification from your manager to ensure the text message is authentic; then, provide the birth date.
- Respectfully decline, then remind your manager of the organization’s guidelines.
- Give your manager the employee’s birth date; a party is a friendly gesture.
- Ask your manager to provide proof of their inability to access the database.
Respectfully decline, then remind your manager of the organization’s guidelines.
You should respectfully decline and remind your manager of the organization’s guidelines. Your role as a security analyst is to follow the policies and procedures of your company.
You work for a U.S.-based utility company that suffers a data breach. Several hacktivist groups claim responsibility for the attack. However, there is no evidence to verify their claims. What is the most ethical way to respond to this incident?
- Escalate the situation by involving other organizations that have been targeted.
- Target a specific hacktivist group as a warning to the others.
- Conduct cyberattacks against each hacktivist group that claimed responsibility.
- Improve the company’s defenses to help prevent future attacks.
Improve the company’s defenses to help prevent future attacks.
Defending against future attacks is the most ethical way to approach this situation. Counterattacks are illegal in the U.S. except when carried out by approved employees of the federal government or military personnel.