Monday, May 4, 2020

Ethical Issue in Exposing Security Flaws

Question: Discuss the ethical issue in exposing security flaws.

Answer:

Introduction

Issues in software and hardware in information technology are the reasons behind the increasing privacy and security concerns for individuals as well as organizations [1]. It is the ethical responsibility of employees like Mike Lynn of X-Force to discuss and alert users about flaws in different systems. The following report highlights the role of Mike Lynn and the justification of his ethical role in the scenario. It also covers the role of Cisco and ISS in the scenario and a more reasonable approach to resolving this ethical issue.

1. Analyzing the whole situation, it can be said that the course of action selected by him was correct. As an IT professional he decided to inform people about the worm threat related to Cisco routers, which can affect the whole internet network of an organization or an individual user and create a digital Pearl Harbor [5]. Moreover, it can be said that, as a professional, he decided to inform the world about the worm to protect the interest of the majority of people in society.

In the course of the incident, when Mike started to investigate the flaws in the internet operating system, he found that it is possible to create a network worm that can propagate itself and attack the network to take control over the internet network. After this he talked with officials of Cisco and ISS to convey the results of the investigation at the Black Hat conference [7]. Later both organizations pulled the plug and forced Mike to talk about another topic at the conference. As a result, Mike resigned from the organization and discussed the flaws of the Cisco routers at the conference.

Being a professional, Mike also has some duties and responsibilities towards society.
Therefore he had to choose between two paths. One was to stay silent about the issue and work as a good employee of the organization while harming the interest of the majority. The other was to speak out about the discovery of the worm that can affect the community and damage their property [2]. The case states that when the companies pulled the plug on the initiative and forced him to talk on another topic, Mike resigned from the company to present his discoveries at the conference [4]. This decision makes him a responsible IT professional who stands for his own beliefs and ethical values. These ethical values encouraged him to talk about the flaw even though he had to resign from his job to do so.

Supporting arguments for Mike Lynn: Cisco's internet operating system, which powers most of its routers all around the world, is vulnerable to attack by a worm that can propagate itself and control the network [3]. Therefore, for a professional with ethics, it was important for Mike Lynn to disclose the flaws to the world so that preventive measures and developments could be put in place to mitigate or minimize the damage due to the network worm.

Opposing arguments against Mike Lynn: On the contrary, many industry representatives argue that disclosure of these security flaws makes a hacker's work much easier [6]. At the same time, it can be stated that information about the security flaws helps users to tackle them in an effective way.

2. In the case study it is seen that both companies (Cisco and ISS) at first agreed to Mike's presentation. But just before the day of the presentation they pulled the plug and filed a suit against Mike and Black Hat [1]. The companies acted in an unethical manner by pressuring Mike not to disclose the vulnerability in the public domain. It was like a war between doing what is right and doing it in the right way.

Analysis of their Role

According to Cisco and ISS, Mike should not have disclosed those flaws.
The reason they gave was that this could affect their business and reputation. They also stated that Mike had stolen code which could be exploited by hackers. But the truth was that he had not given away the exploit code [4]. Moreover, the employees of Cisco were also unable to create an exploit from the information provided.

Supporting arguments for the companies: As renowned companies in the information technology sector, Cisco and ISS try to hide their trade secrets and weaknesses so that they can have a competitive advantage in the market [3]. Therefore, when a flaw in their routers was found, they tried to hide it from users as well as hackers so that hackers could not intrude into the users' networks.

Opposing arguments for Cisco and ISS: This era is known as the era of information; therefore, if there is any flaw in the systems, it can be used by hackers to intrude and steal data. It is therefore important for organizations like Cisco and ISS to inform their customers about the flaws so that they can take preventive measures [2].

More Reasonable Approach to Resolve the Ethical Issue

Another reasonable approach to resolving the ethical issues in this kind of situation is better communication between the involved parties. If the ethical issue or problem is addressed in a calm and proper way, it is possible to avoid animosity among the parties. In the communication process all the involved parties should drop their ego for the sake of better security and patch management of the routers. Everything that is ethical is not always legal [5]. Therefore, if Mike Lynn and the companies had had better communication between them, the whole problem might have been solved in a better way by providing patches to the customers.

Conclusion

In his disclosure Mike explained the severity of the flaw in the Cisco systems.
He explained that an attacker who has control over a host machine only controls that machine; on the other hand, an attacker who gets control over the router can make changes to the data traffic flowing over the router. This case illustrates that a simple decision by a researcher (Mike Lynn) to present what he knows can be very complicated both legally and ethically. Therefore it is important to communicate with each other to avoid the issues related to ethics.

References

[1] R. McMillan, "Black Hat: ISS researcher quits job to detail Cisco flaws", InfoWorld, 2016. [Online]. Available: https://www.infoworld.com/article/2671541/security/black-hat--iss-researcher-quits-job-to-detail-cisco-flaws.html. [Accessed: 22-Aug-2016].

[2] "Cisco, ISS file suit against rogue researcher", Securityfocus.com, 2005. [Online]. Available: https://www.securityfocus.com/news/11259. [Accessed: 22-Aug-2016].

[3] "Daily News - Google News Archive Search", News.google.com, 2016. [Online]. Available: https://news.google.com/newspapers?nid=1241dat=20050808id=OoJTAAAAIBAJsjid=UoYDAAAAIBAJpg=4590,5551051hl=en. [Accessed: 22-Aug-2016].

[4] "Cisco Harasses Security Researcher - Schneier on Security", Schneier.com, 2016. [Online]. Available: https://www.schneier.com/blog/archives/2005/07/cisco_harasses.html. [Accessed: 22-Aug-2016].

[5] "Detection and prevention of stack buffer overflow attacks", Dl.acm.org, 2016. [Online]. Available: https://dl.acm.org/citation.cfm?id=1096004. [Accessed: 22-Aug-2016].

[6] D. Lim and T. Kim, "Modeling discovery and removal of security vulnerabilities in software system using priority queueing models", Journal of Computer Virology and Hacking Techniques, vol. 10, no. 2, pp. 109-114, 2014.

[7] E. Casey, "Case study: Network intrusion investigation lessons in forensic preparation", Digital Investigation, vol. 2, no. 4, pp. 254-260, 2005.

[8] Citeseerx.ist.psu.edu, 2016. [Online]. Available: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.97.7449rep=rep1type=pdf#page=85. [Accessed: 22-Aug-2016].
