Learning Objectives
By the end of this section, you will be able to:
- Identify common vulnerabilities and threats in web applications and IoT technology
- Determine the countermeasures and techniques used to combat threats of security and privacy of web applications and IoT technology
- Discuss the social responsibility of enterprises and IT professionals developing this technology
- Determine guidelines or regulations that must be implemented to protect web applications and IoT technology in the future
Every connected device you own is collecting data—about your preferences, routines, and even your health. This data, if compromised, can lead to significant privacy breaches. As we become increasingly reliant on IoT technology, it is essential to recognize the risks that come with it. The concern is not just about securing your smartphone or computer. It is about securing a network of devices that know more about you than you might realize.
The solution rests in understanding the inherent vulnerabilities of web applications and IoT technology and recognizing the potential threats that exploit these weaknesses. In our age of extensive data collection and usage, commitment to transparency, accountability, and privacy protection becomes a cornerstone of responsible innovation. Examining these issues requires exploring privacy and security risks associated with the web and IoT technology, potential countermeasures, ethical considerations, and prospective regulatory frameworks.
Common Online Vulnerabilities and Threats
In the span of a few decades, digital technology has transformed the world. The arrival of the mobile revolution introduced an era of smartphones, bringing the internet from the confines of home and office spaces into the palms of our hands. The digital revolution continued with the equipping of even the simplest items with internet connectivity, forming the core of the modern digital era.
The Internet of Things (IoT), a term coined by Kevin Ashton in 1999, is the network that connects everyday physical objects to the internet, enabling them to collect and share data with other devices or systems. The IoT now encapsulates a vast array of everyday items from refrigerators and thermostats to door locks and light bulbs, converting them into smart, connected devices (Figure 6.4). The sheer scale of IoT’s growth is nothing short of astounding. To put it in perspective, in 2003, the number of devices connected to the internet was estimated at around 500 million.24 By 2018, that number had increased to 10 billion.25 And the number of IoT devices in use globally is expected to reach 40 billion by 2030.26
This rapid expansion of the IoT has significant implications, both positive and negative. On one hand, it creates new opportunities for innovation, efficiency, and convenience as smart homes equipped with IoT devices can automate a variety of tasks, from adjusting the thermostat to managing home security systems. However, the proliferation of IoT devices also introduces substantial security vulnerabilities both at home and at work. The introduction of these devices into the workplace further complicates security for IT managers because vulnerabilities in IoT devices often allow attackers to eavesdrop, conduct brute-force attacks, and elevate their privileges on a network.
Keeping pace with the rapid advancement in IoT technologies and adequately addressing the myriad security risks they present is a significant challenge for regulatory bodies. The sheer number of IoT devices and the rapid growth of that number, plus their widespread distribution, further complicate regulation. These devices, often manufactured in one region, sold in another, and potentially operated in a third, create a transnational landscape that can blur jurisdictional lines and make enforcement of regulations challenging. Additionally, the proprietary nature of many IoT devices poses its own set of problems. In many instances, device manufacturers prioritize time to market and functionality over security, leading to devices with hard-to-patch vulnerabilities. Some manufacturers might use proprietary protocols, which are tools specific to the organization and closed off to the public, making it difficult for regulatory bodies to assess and ensure their security.
The high-profile Mirai botnet attack of 2016 serves as an important real-world example of these challenges. This was a distributed denial-of-service (DDoS) attack that exploited many inherent weaknesses in IoT security: default passwords, unsecured network services, and the lack of regular software updates in many devices. The attack targeted and overwhelmed the servers of Dyn, a major DNS provider, with a tremendous amount of traffic. This disruption impacted several high-profile platforms and services, including Twitter, Netflix, Reddit, and CNN, rendering them inaccessible to millions of users for several hours. This incident showcased how easily IoT devices can be exploited for malicious purposes and the far-reaching consequences of such security lapses.
Similarly, IoT technology is transforming industry practices. Industry 4.0, which represents the fourth industrial revolution noted by the integration of digital technology in manufacturing and digital practices, allows for real-time monitoring, predictive maintenance, and increased operational efficiency. However, these devices also present a potential entry point for cyberattacks, risking not only data breaches, but also physical damage and potential safety hazards.
Given the expansive growth and diverse applications of IoT technologies, one thing is clear: while IoT devices bring a multitude of benefits, they also carry significant risks. As we continue to incorporate these technologies into various facets of life, it is important to understand and mitigate these vulnerabilities.
Web Applications: Banking and E-commerce
Among the most prevalent and potentially damaging threats in the digital realm are those targeting web applications, particularly in sectors like banking and e-commerce. A study by the security firm Positive Technologies found that 100 percent of web applications contain at least one security vulnerability, with 48 percent of these vulnerabilities considered high risk.27 Online banking systems are prime targets for cybercriminals due to the sensitive nature of the information they handle.
Techniques like phishing—wherein users are tricked into providing their login credentials to fake websites—and SQL injection—where attackers supply crafted input that a web application passes unsanitized into its database queries, changing what the query does—can result in unauthorized account access and monetary loss. Similarly, e-commerce platforms face threats such as credit card fraud, DDoS attacks, and cross-site scripting (XSS), a type of vulnerability that allows an attacker to inject malicious scripts into websites trusted by end users, leading to potential theft of sensitive data such as login credentials or credit card information.
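The two web-application flaws named above share one root cause: untrusted input is mixed into a trusted context (a SQL statement, an HTML page) without being kept separate from it. The following is an added example, not code from the textbook; it builds a small in-memory SQLite table from constructed sample rows and contrasts a query that splices user input into SQL text with one that binds it as a parameter, then shows output encoding as the corresponding XSS countermeasure. The table, rows, and function names are assumptions made for the illustration.

```python
"""Added example: parameterised SQL queries and HTML output encoding.

Not code from the textbook. Uses an in-memory SQLite table with constructed
sample rows so that it runs offline.
"""
import html
import sqlite3

SAMPLE_USERS = [  # constructed sample data
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create the throwaway users table used by the lookups below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the input becomes part of the SQL text, so it can
    change the structure of the query rather than just its data."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: a bound parameter is always treated as a value,
    never parsed as SQL, whatever characters it contains."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting(display_name: str) -> str:
    """XSS countermeasure: escape untrusted text before placing it in HTML,
    so markup in a user-supplied name is displayed literally, not executed."""
    return f"<p>Welcome, {html.escape(display_name)}</p>"


def demo() -> tuple:
    """Run both lookups against a classic tautology string and return the
    row counts plus the escaped greeting, for inspection."""
    conn = build_db()
    tautology = "' OR '1'='1"  # constructed input; the WHERE clause becomes always-true
    return (
        len(lookup_unsafe(conn, tautology)),  # every row comes back
        len(lookup_safe(conn, tautology)),    # no user has that literal name
        render_greeting("<b>guest</b>"),
    )


if __name__ == "__main__":
    print(demo())
```

The point to take from the two lookups is that the safe version needs no knowledge of which characters are "dangerous": the database driver keeps the value out of the SQL grammar entirely. Escaping for HTML works the same way on the output side, and must be applied for the context the text lands in (an attribute or a script block needs different encoding than element text).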
IoT Technology: Smart Homes and Self-Driving Cars
IoT technology has transformed sectors such as home automation and transportation, and as more devices become connected to the internet, the potential for vulnerabilities increases. Smart homes, with internet-connected security systems, thermostats, and appliances, are particularly susceptible to threats such as device hijacking, where attackers gain control over IoT devices. Similarly, self-driving cars, which rely on complex systems and sensors, face significant cybersecurity risks, as many of their systems were not originally designed with security in mind. In 2024, a high-profile incident occurred when researchers demonstrated the ability to remotely hack into the infotainment system of a Tesla, gaining access to critical vehicle functions.
Ethics in IS
German Steel Mill Attacks
ThyssenKrupp, a major German steel producer, was targeted by a sophisticated cyberattack in early 2024. The attack disrupted the operations of its automotive division, forcing parts of the facility offline to contain the threat. Although full details have not been disclosed, the attack demonstrated the ongoing vulnerability of industrial control systems (ICS) in the manufacturing sector. The incident involved cybercriminals gaining unauthorized access to critical systems. Another attack on a German steel mill ten years prior used spear-phishing tactics to infiltrate the office network before accessing the plant’s production networks. Attackers manipulated control systems, causing significant physical damage, including a blast furnace that could not be properly shut down. This event marked a pivotal moment in understanding the real-world dangers of cyberattacks on industrial systems.
Both incidents highlight the increased risks associated with the convergence of operational technology (OT) and information technology (IT) networks. This integration, a hallmark of the Industrial Internet of Things (IIoT), has expanded the attack surface, making industrial facilities more susceptible to cyber threats. The ThyssenKrupp attack serves as a stark reminder that even with advancements in cybersecurity, industrial control systems remain vulnerable to sophisticated cyber threats, with the potential for substantial physical damage.
Frameworks to Identify Vulnerabilities and Protect IoT/IT Ecosystems
The IoT ecosystem, marked by its complexity and breadth of use cases, presents its own set of regulatory challenges. Unlike more traditional, monolithic systems, IoT is characterized by a multitude of interconnected devices, platforms, and services, spanning across various sectors and geographical boundaries. One example would be a “smart” refrigerator communicating with a smartphone to replenish grocery items by adding them to the grocery shopping list for home delivery and communicating this information to the grocery store identified by the homeowner.
This variety of devices and tasks not only introduces numerous potential vulnerabilities but also makes it difficult to apply a one-size-fits-all regulatory framework. One of the primary regulatory challenges in IoT is its vast and rapidly evolving nature. IoT devices range from simple sensors to complex industrial systems, each with different security requirements and implications.
As such, it is necessary to examine the regulatory framework: the existing structure of rules and guidelines, often legislated, within which an industry or business must operate.
Organizations such as the International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) have developed standards, such as ISO/IEC 27001 and IEEE 2413, to address these vulnerabilities through risk management frameworks and architectural guidelines. ISO/IEC 27001 provides the framework for an information security management system (ISMS), which is a systematic approach consisting of processes and procedures designed to control an organization’s information security risks. An ISMS allows organizations to manage security in a comprehensive and structured manner, ensuring that all potential vulnerabilities are addressed and that systems are resilient to potential attacks. The IEEE has been heavily involved in developing standards for IoT. One such standard is IEEE 2413, an architectural framework for IoT that aims to promote cross-domain interaction, aid system interoperability and functional compatibility, and foster a common understanding among IoT systems.
International standards offer guidelines that help ensure the robustness, security, and interoperability of web and IoT technologies. They also provide a basis for creating regulations and laws that can govern these technologies in different regions worldwide. Cities adopting smart technologies often rely on these international standards to ensure the reliable and secure operation of their systems. For instance, another standard from the ISO, ISO/IEC 30141, provides a reference architecture for IoT, assisting the developers and operators of smart city solutions in creating systems that can securely communicate and interact.
However, since current regulations such as GDPR and CCPA are region-specific, there is a need for more comprehensive global regulations. Countries such as the United Kingdom, Brazil, and India are developing specific IoT security laws, reflecting a trend toward targeted regulatory measures. For example, Brazil’s Lei Geral de Proteção de Dados (LGPD) and India’s Personal Data Protection Bill reflect global concerns regarding data privacy. Countries such as the United Kingdom have initiated specific guidelines for IoT device security, focusing on secure passwords and regular updates. New regulatory trends such as these require different stakeholders to adapt. Businesses must understand and comply with various international regulations, making it necessary to invest in legal expertise. Consumers benefit from these protections, and as a result, they develop confidence in digital services.
Regulators face challenges, however, in balancing consumer protection with enabling technological innovation. Future challenges may arise from the integration of IoT with 5G networks, quantum computing, and decentralized technologies such as blockchain. These advancements will necessitate a reevaluation of existing regulations and potentially lead to new regulatory frameworks. Strategies may include international collaboration to standardize regulations across jurisdictions, fostering innovation while maintaining security. For example, the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system is a privacy framework designed to facilitate the secure flow of personal information across APEC borders while maintaining strong privacy protections.
Industry-led self-regulation extends beyond established examples such as the Payment Card Industry Data Security Standard (PCI DSS), which is a set of standards designed to ensure companies secure cardholder data. For example, the Center for Internet Security (CIS), a nonprofit organization that works to safeguard private and public organizations against cyber threats, provides guidelines that organizations can voluntarily follow. The Industrial Internet Consortium (IIC)—which is an organization that accelerates the growth of the industrial internet by promoting best practices, reference architectures, and frameworks—has released a security framework to guide industries in building secure IoT systems.
In addition, the Internet of Things Security Foundation (IoTSF) provides a comprehensive set of guidelines and best practices for securing IoT devices. The continually evolving landscape of IoT and web regulations, combined with the increasing role of self-regulation by the industry, emphasizes the importance of understanding various global regulations and guidelines. These include well-known examples such as GDPR and CCPA, plus emerging trends such as LGPD, IIC, and IoTSF. Adapting to these changes requires ongoing vigilance, collaboration, and commitment to balancing innovation with ethical principles and consumer protection.
Careers in IS
Careers in Security
Due to the rapid proliferation of technology, there’s a growing need for professionals who can navigate the security challenges these technologies present, such as the following:
- Web security analyst: identifies and mitigates vulnerabilities in web applications such as SQL injection and XSS
- IoT security specialist: secures connected devices by recognizing and addressing vulnerabilities unique to IoT environments
- Ethical hacker: tests vulnerabilities in web and IoT technologies, exploiting weaknesses and recommending countermeasures
- Corporate social responsibility (CSR) officer: ensures that web and IoT technology development aligns with ethical and social responsibility initiatives
- Policy analyst: studies and influences regulations related to web and IoT security, drafting guidelines for improved protection
- Privacy engineer: designs and implements privacy solutions for IoT devices and web applications in compliance with regulations
- Compliance auditor: ensures web and IoT technologies adhere to industry standards and regulations, safeguarding business integrity
Countermeasures to Combat Online Security Threats
With an ever-increasing reliance on interconnected digital technologies, security risks continue to escalate. Cybersecurity incidents have the potential to cause not only digital disruption, but also substantial real-world impacts. There is an array of strategies designed to manage the risks associated with these technologies, from preventive measures such as secure coding and data encryption to reactive solutions such as incident response plans. These countermeasures help professionals better navigate the challenges of technological advancement and safeguard digital environments.
Implementing Secure Coding Practices
Securing web applications begins with secure coding practices. Because code is one of the key elements of a digital system, poor coding practices can inadvertently introduce vulnerabilities that bad actors can exploit to compromise these systems and cause data breaches or service disruptions. One notable example of a data breach that took advantage of coding errors is that of First American Financial Corporation, a leading provider of title insurance and settlement services to the real estate and mortgage industries. In 2019, hundreds of millions of documents related to mortgage deals going back to 2003 were leaked due to a coding issue that permitted attackers to access unauthorized information by manipulating the URL of the website.28
These practices encompass various activities such as validating input, ensuring proper error handling, and maintaining the principle of least privilege. Following guidelines such as the OWASP Secure Coding Practices can help developers avoid common pitfalls that lead to vulnerabilities in the code. Secure coding practices include the following:
- Input validation: systems should always check inputs received from users or from other systems for their data type, length, format, and range. Any input that does not meet these requirements should be rejected.
- Least privilege: every module or process should follow the least privilege principle, in which users and processes are granted the minimum levels of access, or permissions, needed to perform their job functions, reducing the risk of unauthorized access to sensitive information. If a function only needs to read from a file, it should not have write access to the file; if a database query only needs to retrieve data, it should not have permission to alter or delete the data. This limits the damage that can be done if the function is compromised, because a malicious actor who gains control of a process is restricted by the permissions of that process.
- Error handling: implement strategies and coding practices to identify, report, and manage errors that occur during the operation of a software application or system, so that potential errors are systematically managed and addressed rather than left to cause system failures or security breaches.
Strengthening Authentication and Authorization
The importance of robust authentication and authorization mechanisms in web applications cannot be overstated. In such applications, user credentials typically serve as the keys to unlocking a massive amount of sensitive information and services. Hence, their protection helps maintain the integrity and confidentiality of these resources as well as user trust.
Multifactor authentication (MFA), biometric identification, and risk-based authentication are among the strategies that can significantly bolster the authentication and authorization process. MFA, which requires the user to provide two or more verification factors, adds an extra layer of security, making it harder for attackers to gain access even if they compromise one factor. Biometric identification, such as fingerprints or facial recognition, provides a unique verification method that is difficult to replicate, thereby enhancing security. Risk-based authentication adjusts the authentication process based on the risk level associated with the user’s behavior or access conditions. Such an approach allows for a balance between security and usability, offering a more robust protection mechanism when needed.
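To make the second factor and the risk-based decision concrete, here is an added example that is not code from the textbook. It implements the time-based one-time password (TOTP) used by authenticator apps, following RFC 4226 and RFC 6238, verifies a submitted code with a small tolerance for clock drift, and wraps that in a constructed risk model that only asks for the second factor when the login context looks unusual. The risk signals, their weights, and the threshold are assumptions for the illustration; the TOTP arithmetic is the standard one and is checked against the RFC test vectors.

```python
"""Added example: TOTP second factor (RFC 4226 / RFC 6238) with a
constructed risk-based step-up decision. Not code from the textbook.
"""
import hashlib
import hmac
import time
from typing import Optional

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time step."""
    return hotp(secret, timestamp // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock
    drift; compare in constant time so timing does not reveal matching digits."""
    counter = timestamp // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def risk_score(context: dict) -> int:
    """Constructed risk model: unfamiliar device, unusual country and recent
    failed attempts each raise the score (weights are assumptions)."""
    score = 0
    if context.get("new_device"):
        score += 40
    if context.get("country") != context.get("usual_country"):
        score += 30
    score += 10 * min(context.get("recent_failures", 0), 5)
    return score


def authenticate(password_ok: bool, context: dict, secret: bytes,
                 submitted_code: Optional[str], now: Optional[int] = None) -> str:
    """Return 'denied', 'mfa_required' or 'allowed'. Low-risk logins pass on
    the password alone; risky ones must also present a valid TOTP code."""
    if not password_ok:
        return "denied"
    now = int(time.time()) if now is None else now
    if risk_score(context) < 30:          # assumed step-up threshold
        return "allowed"
    if submitted_code is None:
        return "mfa_required"
    return "allowed" if verify_totp(secret, submitted_code, now) else "denied"


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 6238 test-vector secret, not a real key
    print(totp(demo_secret, 59))            # prints 287082 per the RFC table
    print(authenticate(True, {"new_device": True, "country": "DE", "usual_country": "DE"},
                       demo_secret, None))
```

Two details matter in practice: the verification window should be small (one step either side is typical), and each accepted code should be recorded so it cannot be replayed within its window; that bookkeeping is left out here. The secret shown is the published RFC test vector, used only so the output can be checked against the standard.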
Designing for Security and Hardware Measures
As you learned in Chapter 5 Information Systems Security Risk Management, technologies such as intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) play a vital role. These systems identify possible threats and deploy measures to mitigate them.
A predominant concern in IoT is that security must be built in from the ground up. For example, commonplace items such as home appliances, vehicles, and personal devices have become embedded with IoT technology, thereby extending IT concerns beyond their traditional confines (Figure 6.5).
Maintaining security of IoT devices involves regular firmware updates. These updates play a dual role: first, they bring new features and rectify bugs, and second, they patch security vulnerabilities, which is key to preserving the security of the device throughout its life cycle. Further critical to IoT security is secure device onboarding, which involves adding devices to the network in a secure manner that prevents unauthorized access and protects the integrity of the network.
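The two measures in the paragraph above fit together: onboarding is where a device obtains the credential it will later use to decide whether a firmware update is genuine. The following is an added example, not code from the textbook or from any vendor. It assumes a per-device key provisioned at onboarding and a vendor update manifest authenticated with HMAC-SHA256 under that key; the device checks the manifest's authentication tag, refuses downgrades, and confirms the image hash before installing. Using a shared HMAC key is a simplification for the illustration; production fleets normally sign manifests with an asymmetric key so the device stores only a public key.

```python
"""Added example: onboarding key provisioning and authenticated firmware
manifests with anti-rollback. Not code from the textbook. The HMAC-based
manifest is an assumed, simplified scheme.
"""
import hashlib
import hmac
import json
import secrets


def onboard_device(device_id: str, registry: dict) -> bytes:
    """Onboarding step: mint a random per-device key, record it in the
    vendor registry, and return it for burn-in to the device's secure storage."""
    key = secrets.token_bytes(32)
    registry[device_id] = key
    return key


def _encode(body: dict) -> bytes:
    """Canonical encoding so vendor and device authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(key: bytes, version: int, image: bytes) -> dict:
    """Vendor side: describe the image (version, SHA-256) and tag it."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {"body": body, "mac": hmac.new(key, _encode(body), hashlib.sha256).hexdigest()}


def verify_update(key: bytes, installed_version: int, manifest: dict, image: bytes) -> str:
    """Device side. Returns 'ok' or a short reason for refusing the update."""
    expected = hmac.new(key, _encode(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return "bad_mac"        # not issued by the key holder, or altered in transit
    if manifest["body"]["version"] <= installed_version:
        return "rollback"       # would reinstall an older, possibly vulnerable image
    if hashlib.sha256(image).hexdigest() != manifest["body"]["sha256"]:
        return "hash_mismatch"  # image does not match the authenticated description
    return "ok"


if __name__ == "__main__":
    registry = {}
    key = onboard_device("thermostat-0001", registry)   # constructed device id
    image = b"firmware image bytes, version 2"           # constructed image
    manifest = make_manifest(key, 2, image)
    print(verify_update(key, 1, manifest, image))        # ok
    print(verify_update(key, 2, manifest, image))        # rollback
```

The order of the checks is deliberate: the tag is verified first so that the version and hash fields are only trusted once they are known to be authentic, and the version check comes before the (more expensive) image hash so a downgrade is rejected without reading the whole image.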
Social Responsibility of Enterprises and Information Technology Professionals
Technology has permeated virtually every aspect of modern life, largely propelled by the proliferation of IoT and web applications. This pervasive integration of IoT has brought to the forefront a range of ethical considerations that were once limited to more clearly defined technological areas. It now encompasses not only privacy and data security, but wider societal issues such as accessibility, inclusivity, environmental sustainability, and professional ethics. This evolution underscores the critical need for a comprehensive understanding and proactive management of ethical concerns in all areas of technology.
Ethical Considerations in Information Technology
Data handling and management, professional responsibilities, and promoting digital inclusivity are critical ethical considerations in the field of IT. Key aspects of these principles include:
- Data collection, storage, processing, and sharing:
- Collecting: Enterprises must be transparent about the nature and purpose of data collection, ensuring users are fully informed.
- Storing and processing: Robust security measures are necessary to prevent unauthorized access and potential misuse, safeguarding sensitive information.
- Sharing: Data sharing practices should prioritize user privacy and adhere to relevant regulations, ensuring that information is treated with respect.
- Professional responsibilities of IT professionals:
- Protecting user data and ensuring privacy
- Promoting accessibility and reducing the digital divide
- Upholding fairness and inclusivity within the digital realm
- Adherence to professional codes of ethics:
- Complying with codes of ethics from organizations such as the Association for Computing Machinery (ACM) and IEEE that guide IT professionals in ethical decision-making
- Operating under key principles such as respecting privacy, avoiding harm, performing with honesty and trustworthiness, and contributing to society and human well-being
- Digital inclusivity and accessibility:
- Ensuring equal access to technology, regardless of socioeconomic background, geographical location, or physical abilities
- Designing technology with accessibility in mind benefits diverse user needs, improving both reach and user experience
Link to Learning
View the entire ACM Code of Ethics here.
Link to Learning
Point: Some scholars assert that technology companies have an inherent moral duty to prioritize human well-being in their operations, citing ethical theories such as utilitarianism and corporate social responsibility.
Counterpoint: Others argue that the primary responsibility of these enterprises is to their shareholders and that ethical considerations, while important, should not overshadow business objectives.
Role of Enterprises in Promoting Digital Inclusivity and Accessibility
Ensuring everyone has equal access to technological advances is an important social issue. Digital inclusivity, which entails making IT solutions available and accessible to all, has a profound impact on narrowing the digital divide. The digital divide refers to the gap between individuals, communities, or countries that have access to modern information and communication technologies and those that do not. This divide can manifest in various forms, such as differences in internet access, digital literacy, and the availability of affordable devices and services. Tech enterprises have the responsibility to foster an inclusive digital environment. By developing affordable and accessible technologies, they can ensure that the benefits of digital innovation reach all corners of society and that users can effectively utilize these solutions.
This necessitates designing technology with diverse user needs in mind. From building websites that are accessible to individuals with visual or hearing impairments, to creating software that is easy to navigate for individuals with cognitive or motor skill challenges, the commitment to accessibility is a cornerstone of ethical IT development. Designing with accessibility in mind not only widens the user base, but also enhances the overall user experience.
Ethics in IS
Ethical Decision-Making in IT
To illustrate the importance of ethical decision-making, consider the case of a social media platform deciding to implement a new data-sharing policy. Adherence to ethical principles would mean that the platform informs its users about the policy changes in a clear and transparent manner, allows users to opt out if they desire, and implements robust measures to protect shared data. In contrast, an unethical approach would be to implement the policy covertly without informing users or obtaining their consent. A real-world example of not following ethical principles was demonstrated by Facebook in 2014.
Facebook faced significant controversy when it was revealed that the company had covertly conducted a psychological experiment on nearly 700,000 unsuspecting users. The experiment, carried out in 2012, involved manipulating users’ news feeds to either reduce the number of positive posts or reduce the number of negative posts they saw. The objective was to determine whether the changes could sway users’ emotions and influence their subsequent posts. The results suggested that emotional states could be transmitted across the social network, leading to a ripple effect.
However, the study’s execution sparked significant backlash. Critics argued that Facebook had manipulated users’ emotions without their explicit consent, raising serious ethical concerns regarding user consent and the boundaries of corporate research. The incident served as a stark reminder of the need for clearer guidelines and transparency when conducting research on platforms with such extensive user bases. This conversation about ethics and transparency was further highlighted in the U.S. Senate Committee on the Judiciary’s congressional hearings during 2024, when lawmakers scrutinized the impact of social media on teens’ mental health and the ethical responsibilities of tech companies.
Transparency and Accountability
Transparency has become a significant ethical issue in IT. In the context of organizations and governance, transparency refers to openness, communication, and accountability, where actions and decisions are clear and understandable to stakeholders. Users have the right to know how their data are collected, stored, used, and shared. Enterprises need to be transparent in their data practices, providing clear and understandable privacy policies and consent mechanisms. Transparent practices not only meet regulatory requirements, but also foster trust between users and enterprises, which is crucial for long-term user engagement.
The roles of tech enterprises and IT professionals in being accountable for the social and ethical implications of technology have never been more critical. Both entities are key stakeholders in shaping the norms and values of the digital realm. Enterprises must imbue their business strategies with ethical considerations, from protecting user data to ensuring digital inclusivity. Likewise, IT professionals, the frontline workers of the digital revolution, must adhere to professional ethical codes, conscientiously delivering solutions that honor user rights and societal values. It is through their collective efforts that technology can truly serve its purpose as a tool for advancing societal well-being.
Social Responsibility in the Information Technology Sector
The obligation of companies to act in ways that benefit society and the environment beyond what is legally required is considered social responsibility. In the IT sector, social responsibility is expected to evolve and deepen as emerging technologies such as artificial intelligence, IoT, and blockchain raise new ethical questions that will require innovative and thoughtful responses. As these technologies become increasingly integrated into everyday life, the ethical dimensions of IT will extend beyond individual user rights to encompass broader societal impacts, including sustainability. The future will call for an even stronger commitment from enterprises and IT professionals to uphold ethical standards, promote transparency, ensure digital inclusivity, and champion sustainability.
Footnotes
- 24. Dave Evans, “The Internet of Things: How the Next Evolution of the Internet Is Changing Everything,” Cisco Internet Business Solutions Group (IBSG), April 2011, https://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf
- 25. Insider Intelligence, “How IoT & Smart Home Automation Is Entering Our Homes in 2020,” Business Insider, January 6, 2020, https://www.businessinsider.com/iot-smart-home-automation
- 26. Satyajit Sinha, “Connected IoT Devices Forecast 2024–2030,” from State of IoT 2024: Number of Connected IoT Devices Growing 13% to 18.8 Billion Globally, IoT Analytics, September 3, 2024, https://iot-analytics.com/number-connected-iot-devices/
- 27. “Threats and Vulnerabilities in Web Applications 2020–2021,” Positive Technologies, June 13, 2022, https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020-2021/
- 28. United States of America before the Securities and Exchange Commission, Securities Exchange Act of 1934: Administrative Proceeding, File No. 3-20367, in the matter of First American Financial Corporation, Respondent, Release No. 92176, June 14, 2021.