CIS511 Information System Architecture
Asst. Prof. Dr. Surasak Mungsing

Course description: principles of computer operation; measuring computer size and performance; the evolution of computer systems; computer systems and networks (local area networks, broadband systems, the Internet); system software such as operating systems, database systems, and communication systems and protocols; data communication and processing scheduling; back-office information systems (budgeting, finance, accounting, personnel) and front-office service systems; specifying the characteristics of hardware, network, and processing systems.

Weekly schedule
Week 1: Introduction to IS and ISA
Week 2: Organizational Systems
Week 3: Managerial Support Systems
Week 4: E-Commerce Applications
Week 5: Case Study 1
Week 6: Client-Server Architecture
Week 7: Commercial Software Architecture
Week 8: ISA and System Development
Week 9: Enterprise Information Architecture
Week 10: Case Study 2
Week 11: User Interface Architecture
Week 12: Web Services and ISA
Week 13: Special Lecture in Information System Architecture I
Week 14: Special Lecture in Information System Architecture II

Evaluation
- Project/Reports: 40% (Individual Report 20%, Group Project 20%)
- Participation: 10%
- Mid-term Exam: 20%
- Final Exam: 30%
- Total: 100%

Q&A

Topics: Information Systems; Threats and Attacks

Why Study Information Systems?
- They ease the task of managing.
- They guide problem solving and decision making.
- They help realise opportunities and meet personal and company goals.
- In business they are used in all functional areas.

Information Concepts (1): Data vs. Information
- Data: raw facts; distinct pieces of information, usually formatted in a specific way.
- Information: a collection of facts organized in such a way that they have additional value beyond the value of the facts themselves.
- Example of data: thermometer readings taken every hour: 16.0, 17.0, 16.0, 18.5, 17.0, 15.5, ...
- Transformation into information: today's high is 18.5, today's low is 15.5.

Types of Data
- Alphanumeric data: numbers, letters, and other characters
- Image data: graphic images or pictures
- Audio data: sound, noise, tones
- Video data: moving images or pictures

Characteristics of Valuable Information
Accurate, complete, economical, flexible, reliable, relevant, simple, timely, verifiable, accessible, secure.

Example: Health Information
You want the information about you in a health information system to be:
- as accurate as possible (e.g. your age and sex)
- as complete as possible
- relevant
- reliable
- available in a timely manner (e.g. your drug allergies are known before your operation!)

System Definition
- A set of elements or components that interact to accomplish goals
- A combination of components working together

Example of a System with Sub-components
A Customer Support System consisting of:
- Customer Maintenance Component
- Order Entry Component
- Catalog Maintenance Component
- Order Fulfillment Component

System Elements
Inputs -> Processing mechanisms -> Outputs

System Example: Making a Movie
- Inputs: actors, director, staff, sets, equipment
- Processing elements: filming, editing, special effects, distribution
- Outputs: finished film delivered to the movie studio
- Goal: an entertaining movie, film awards, profits

System Components and Concepts
- System boundary: defines the system and distinguishes it from everything else
- System types: simple vs. complex; open vs. closed; stable vs. dynamic; adaptive vs. non-adaptive; permanent vs. temporary

System Performance and Standards
- Efficiency: a measure of what is produced divided by what is consumed (e.g.
the efficiency of a motor is the energy it produces divided by the energy it consumes)
- Effectiveness: a measure of the extent to which a system achieves its goals
- System performance standard: a specific objective of the system

Nature of Information Systems
Organization: a group of individuals operating together in a systematic way to achieve a set of objectives
- Individuals interact to achieve the objectives
- They interact with each other through rules and procedures to achieve the objectives
- The organization has objectives
- It takes inputs and processes them into outputs
- Resources are classified into raw materials, machinery, human resources, money, and information
- The environment includes the physical environment, other organizations, abstract entities, and individuals

Organizational Activities
- Primary activities: inbound logistics, operations, sales and marketing, outbound logistics, after-sales support
- Secondary activities: corporate planning and control, administration, financial management, HRM, R&D

Organizational Structure
- Hierarchical
- Functional

Management Structure
- Strategic management
- Operational management

Types of Information
- Planning, operating, and control
- Strategic, operational, and control
- Qualitative and quantitative

Linkage between Activities
- The organization is divided into departments
- Information is disseminated formally and informally
- Information flows should reflect the structure and the means of achieving the objectives

Data and Information
- Qualities of good information: complete, relevant, timely, accurate, understandable, significant, sent through the right channel, to the right recipient, at an acceptable cost relative to its benefit
- Noise in communication
- Redundant information
- Information cost: design and set-up costs, running costs, storage costs

Information Systems
Definition: a formalized set of procedures designed to convert data into information for decision making
Activities include data capture, data processing, dissemination of information, information use, and monitoring the system

Information System Development
The process entails:
1. Establish business objectives
2. Define information needs
3. Establish sources of data
4. Examine who needs the data
5. Determine the format and timing of the information received
6. Define the process required to convert data into information
7. Build the system
8. Monitor and control system effectiveness

Information Systems (cont.)
- Design can be bottom-up or top-down
- Manual or mechanized
- Information needs: planning, monitoring, control, decision making, recording and processing transactions, communication

Types of Information Systems
- Transaction processing systems
- Office automation systems
- Management information systems
- Decision support systems
- Executive information systems
- Expert systems

Nature of Decision Making
- Structured (programmed) decisions
- Unstructured decisions
- Semi-structured decisions
- Analytical decisions
- Heuristic decisions

Q&A

Threats and Attacks
(Source: Principles of Information Security, 2nd Edition)

Learning Objectives
- Identify and understand the threats posed to information security
- Identify and understand the more common attacks associated with those threats

Threats
- Threat: an object, person, or other entity that represents a constant danger to an asset
- Management must be informed of the different threats facing the organization
- By examining each threat category, management can protect information effectively through policy, education, training, and technology controls

Threats (cont'd)
The 2004 Computer Security Institute (CSI)/Federal Bureau of Investigation (FBI) survey found:
- 79 percent of organizations reported cyber security breaches within the last 12 months
- 54 percent of those organizations reported financial losses, totaling over $141 million

Threats to Information Security
(table of threat categories)

Acts of Human Error or Failure
- Includes acts performed without malicious intent
- Causes include inexperience, improper training, and incorrect assumptions
- Employees are among the greatest threats
to an organization's data

Acts of Human Error or Failure (cont'd)
Employee mistakes can easily lead to:
- revelation of classified data
- entry of erroneous data
- accidental data deletion or modification
- data storage in unprotected areas
- failure to protect information
Many of these threats can be prevented with controls.

Figure 2-1: Acts of Human Error or Failure

Deliberate Acts of Espionage or Trespass
- Access to protected information by unauthorized individuals
- Competitive intelligence (legal) vs. industrial espionage (illegal)
- Shoulder surfing can occur anywhere a person accesses confidential information
- Controls let trespassers know they are encroaching on the organization's cyberspace
- Hackers use skill, guile, or fraud to bypass the controls protecting others' information

Deliberate Acts of Theft
- Illegal taking of another's physical, electronic, or intellectual property
- Physical theft is controlled relatively easily
- Electronic theft is a more complex problem; evidence of the crime is not readily apparent

Deliberate Software Attacks
- Malicious software (malware) designed to damage, destroy, or deny service to target systems
- Includes viruses, worms, Trojan horses, logic bombs, back doors, and denial-of-service attacks

Forces of Nature
- Forces of nature are among the most dangerous threats
- They disrupt not only individual lives but also the storage, transmission, and use of information
- Organizations must implement controls to limit damage and prepare contingency plans for continued operations

Deviations in Quality of Service
- Includes situations
where products or services are not delivered as expected
- An information system depends on many interdependent support systems
- Internet service, communications, and power irregularities dramatically affect the availability of information and systems

Internet Service Issues
- Internet service provider (ISP) failures can considerably undermine the availability of information
- An outsourced Web hosting provider assumes responsibility for all Internet services as well as the hardware and the Web site's operating system software

Attacks
- An act or action that exploits a vulnerability (i.e., an identified weakness) in a controlled system
- Accomplished by a threat agent that damages or steals the organization's information

Attacks (cont'd)
- Malicious code: execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information
- Back door: gaining access to a system or network through a known or previously unknown/newly discovered access mechanism

Attacks (cont'd)
- Password crack: attempting to reverse-calculate a password
- Brute force: trying every possible combination of characters for a password
- Dictionary: selects specific accounts to attack and uses a list of commonly used passwords (the "dictionary") to guide the guesses

Attacks (cont'd)
- Denial-of-service (DoS): the attacker sends a large number of connection or information requests to a target
- The target system cannot handle them successfully along with other, legitimate service requests
- May result in a system crash or an inability to perform ordinary functions
- Distributed denial-of-service (DDoS): a coordinated stream of requests is launched against the target from many locations simultaneously

Figure 2-9: Denial-of-Service Attacks
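The three password attacks above (password crack, brute force, dictionary) as an added worked example; this is not code from the textbook or the slides. It assumes an offline attack: the attacker has obtained a password store of salted SHA-256 hashes, and the user names, salts, passwords and word list are all constructed for illustration.

```python
"""Dictionary vs. brute-force cracking of a constructed, leaked password
store.  Added example: the accounts, salts, passwords, word list and the
hash construction (SHA-256 over salt || password) are assumptions."""
import hashlib
import itertools
import string


def hash_password(salt: bytes, password: str) -> str:
    """Hypothetical store format: hex(SHA-256(salt || password))."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_store(creds: dict) -> dict:
    """user -> (salt, digest).  Salts are stored in the clear, as in a real
    store, so an attacker who has the file has the salts as well."""
    return {u: (salt, hash_password(salt, pw)) for u, (salt, pw) in creds.items()}


# Constructed sample data with fixed salts so the example is reproducible.
LEAKED_STORE = make_store({
    "alice": (b"\x01" * 8, "letmein"),      # weak: appears in any word list
    "bob":   (b"\x02" * 8, "zq7"),          # random-looking but only 3 characters
    "carol": (b"\x03" * 8, "Tr0ub4dor&3"),  # long enough to resist both attacks here
})

# Constructed word list standing in for a real dictionary file.
WORDLIST = ["password", "123456", "qwerty", "letmein", "admin", "welcome"]


def dictionary_attack(store: dict, wordlist: list) -> tuple:
    """Try each common password against every account.
    Returns ({user: recovered_password}, number_of_hashes_computed)."""
    found, tries = {}, 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            tries += 1
            if hash_password(salt, word) == digest:
                found[user] = word
                break
    return found, tries


def brute_force_attack(store: dict,
                       alphabet: str = string.ascii_lowercase + string.digits,
                       max_len: int = 3) -> tuple:
    """Try every string over `alphabet` up to `max_len` characters.
    The search space is sum(len(alphabet) ** n), so each extra character
    multiplies the work by len(alphabet); the per-account salt means the
    work has to be repeated for every account.
    Returns ({user: recovered_password}, number_of_hashes_computed)."""
    found, tries = {}, 0
    for user, (salt, digest) in store.items():
        for length in range(1, max_len + 1):
            for combo in itertools.product(alphabet, repeat=length):
                tries += 1
                candidate = "".join(combo)
                if hash_password(salt, candidate) == digest:
                    found[user] = candidate
                    break
            if user in found:
                break
    return found, tries


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(LEAKED_STORE, WORDLIST))
    print("brute force:", brute_force_attack(LEAKED_STORE))
```

The dictionary attack recovers alice's password in a handful of hashes; the brute-force search recovers bob's three-character password but needs on the order of 10^5 hashes for the three accounts, and carol's password falls to neither within these limits. The defensive lesson is the cost per guess: with a fast unsalted hash the attacker can test billions of candidates, whereas a deliberately slow construction such as hashlib.pbkdf2_hmac with a high iteration count, or bcrypt/scrypt/Argon2, multiplies the attacker's work by the same factor for every guess.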
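The DoS/DDoS distinction above, as an added detection example run over a constructed connection log (not code from the textbook or the slides). The log line format, the per-window thresholds and all addresses are assumptions made for illustration; the point is that a single-source flood and a distributed flood look different per source but the same in aggregate.

```python
"""Flag DoS and DDoS floods in a constructed connection log.
Added example: the log format '<timestamp> src=<ip> dst=<ip:port> SYN',
the window size, the thresholds and the addresses are assumptions."""
from collections import Counter
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"
WINDOW_SECONDS = 60      # tumbling window size (assumed)
PER_SOURCE_LIMIT = 100   # more than this from one address in a window -> DoS
TOTAL_LIMIT = 150        # more than this in total, from many addresses -> DDoS


def parse_line(line: str) -> tuple:
    """'<timestamp> src=<ip> dst=<ip:port> SYN' -> (datetime, source_ip)."""
    ts, src, _dst, _flag = line.split()
    return datetime.strptime(ts, TS_FORMAT), src[len("src="):]


def build_sample_log() -> list:
    """Constructed sample log: normal background traffic plus two floods."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []

    def emit(t: datetime, src: str) -> None:
        lines.append(f"{t.strftime(TS_FORMAT)} src={src} dst=198.51.100.7:80 SYN")

    # Background: five clients, one connection request every 20 s for 3 minutes.
    for i in range(5):
        for k in range(9):
            emit(base + timedelta(seconds=20 * k + i), f"192.0.2.{10 + i}")
    # DoS: one host sends 300 connection requests within 30 s of minute 0.
    for k in range(300):
        emit(base + timedelta(seconds=10 + k // 10), "203.0.113.5")
    # DDoS: 60 hosts each send only 4 requests, all within 30 s of minute 2.
    for s in range(60):
        for k in range(4):
            emit(base + timedelta(seconds=120 + (s * 4 + k) % 30), f"198.18.0.{s + 1}")
    return lines


def analyze_log(lines: list) -> list:
    """Bucket requests into tumbling windows and classify each window.
    A window is 'dos' if one source alone exceeds PER_SOURCE_LIMIT, 'ddos'
    if the total exceeds TOTAL_LIMIT without any single source standing
    out, and 'normal' otherwise."""
    events = sorted(parse_line(line) for line in lines)
    start = events[0][0]
    windows = {}
    for ts, src in events:
        idx = int((ts - start).total_seconds()) // WINDOW_SECONDS
        windows.setdefault(idx, Counter())[src] += 1

    report = []
    for idx in sorted(windows):
        counts = windows[idx]
        top_src, top_count = counts.most_common(1)[0]
        total = sum(counts.values())
        if top_count > PER_SOURCE_LIMIT:
            verdict = "dos"
        elif total > TOTAL_LIMIT:
            verdict = "ddos"
        else:
            verdict = "normal"
        report.append({
            "window_start": (start + timedelta(seconds=idx * WINDOW_SECONDS)).strftime(TS_FORMAT),
            "total": total,
            "sources": len(counts),
            "top_src": top_src,
            "top_count": top_count,
            "verdict": verdict,
        })
    return report


if __name__ == "__main__":
    for window in analyze_log(build_sample_log()):
        print(window)
```

The first window is flagged as DoS because 203.0.113.5 alone sends 300 requests; the third is flagged as DDoS because 65 distinct sources produce 255 requests while no source sends more than four. A per-source rate limit would stop the first case and do nothing against the second, which is exactly why DDoS is the harder problem.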
Attacks (cont'd)
- Spoofing: a technique used to gain unauthorized access; the intruder assumes a trusted IP address
- Man-in-the-middle: the attacker monitors network packets, modifies them, and inserts them back into the network
- Spam: unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging as a vector for some attacks

Figure 2-11: Man-in-the-Middle

Attacks (cont'd)
- Mail bombing: also a form of DoS; the attacker routes large quantities of e-mail to the target
- Sniffers: a program or device that monitors data traveling over a network; can be used both for legitimate purposes and for stealing information from a network
- Social engineering: using social skills to convince people to reveal access credentials or other valuable information to the attacker

Attacks (cont'd)
- Buffer overflow: an application error that occurs when more data is sent to a buffer than it can hold
- Timing attack: relatively new; works by exploring the contents of a Web browser's cache to create a malicious cookie

Summary
- Threat: an object, person, or other entity representing a constant danger to an asset
- Attack: a deliberate act that exploits a vulnerability
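The man-in-the-middle attack described above (monitor, modify, re-insert), as an added example that is not from the textbook or the slides. It assumes a hypothetical packet format and a secret key shared by the two endpoints, and shows why an unkeyed checksum does not detect the modification while a keyed MAC does.

```python
"""Man-in-the-middle tampering against an unkeyed digest and a keyed MAC.
Added example: the packet format, the shared key, the attacker's edit and
the 'guessed' key are assumptions made for illustration."""
import hashlib
import hmac


def tamper(packet: bytes) -> bytes:
    """The attacker's in-transit edit: redirect the payment."""
    return packet.replace(b"to=bob", b"to=mallory")


def unkeyed_protect(packet: bytes) -> bytes:
    """Plain digest appended by the sender (what a checksum or CRC gives)."""
    return hashlib.sha256(packet).digest()


def unkeyed_verify(packet: bytes, digest: bytes) -> bool:
    return hashlib.sha256(packet).digest() == digest


def keyed_protect(key: bytes, packet: bytes) -> bytes:
    """HMAC-SHA256 tag; only a holder of `key` can compute it."""
    return hmac.new(key, packet, hashlib.sha256).digest()


def keyed_verify(key: bytes, packet: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking how many leading bytes of the tag matched
    return hmac.compare_digest(keyed_protect(key, packet), tag)


def run_scenario() -> dict:
    """Play the attack through both protections; returns what the
    receiver accepts in each case."""
    key = b"shared-secret-known-only-to-the-endpoints"  # constructed
    packet = b"from=alice to=bob amount=100"              # constructed
    results = {}

    # Case 1: unkeyed digest.  The attacker modifies the packet and simply
    # recomputes the digest, exactly as the sender did; the receiver cannot
    # tell the difference.
    modified = tamper(packet)
    results["unkeyed_accepts_tampered"] = unkeyed_verify(modified, unkeyed_protect(modified))

    # Case 2: keyed MAC.  The attacker can still read and modify the bytes
    # on the wire, but cannot compute a valid tag for the modified packet.
    tag = keyed_protect(key, packet)
    results["keyed_accepts_original"] = keyed_verify(key, packet, tag)
    results["keyed_accepts_tampered"] = keyed_verify(key, modified, tag)
    results["keyed_accepts_forged"] = keyed_verify(
        key, modified, keyed_protect(b"guessed-key", modified))

    # Case 3: a MAC alone does not stop the attacker re-inserting the
    # unmodified packet later (replay); that needs a nonce or counter too.
    results["keyed_accepts_replay"] = keyed_verify(key, packet, tag)
    return results


if __name__ == "__main__":
    for case, accepted in run_scenario().items():
        print(f"{case}: {accepted}")
```

Two caveats follow directly from the run: the MAC gives integrity, not confidentiality, so the attacker still reads every packet unless it is also encrypted; and an unmodified packet with a valid tag is accepted again on replay, so the protocol also needs a sequence number or nonce under the MAC.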