Introduction to Information System

Asst.Prof. Dr. Surasak Mungsing
CIS511 Information System Architecture
Description:
Principles of computer operation; measuring computer size and performance; evolution of computer systems; computer systems and networks; local area networks; broadband systems; the Internet; system software such as operating systems, database systems, communication systems and protocols; data communication and processing scheduling; back-office information systems such as budgeting, finance and accounting, personnel and information systems; front-office service systems; specifying the characteristics of hardware, network and processing systems.
Week#  Topic
1      Introduction to IS and ISA
2      Organizational Systems
3      Managerial Support Systems
4      E-Commerce Applications
5      Case Study 1
6      Client-Server Architecture
7      Commercial Software Architecture
8      ISA and System Development
9      Enterprise Information Architecture
10     Case Study 2
11     User Interface Architecture
12     Web Service and ISA
13     Special Lecture in Information System Architecture I
14     Special Lecture in Information System Architecture II
Evaluation
- Project/Reports: 40 %
  - Individual Report: 20 %
  - Group Project: 20 %
- Participation: 10 %
- Mid-term Exam: 20 %
- Final Exam: 30 %
- Total: 100 %
Q&A
Topic
- Information System
- Threats and Attacks
Why Study Information Systems
- Ease the managing task
- Guide for problem solving and decision making
- Realise opportunities and meet personal and company goals
- In business: used in all functional areas
Information Concepts (1)
- Data vs. Information
  - Data
    - Raw facts
    - Distinct pieces of information, usually formatted in a special way
  - Information
    - A collection of facts organized in such a way that they have additional value beyond the value of the facts themselves
Examples
- Data: thermometer readings of temperature taken every hour: 16.0, 17.0, 16.0, 18.5, 17.0, 15.5 ...
- Transformation
- Information: today's high: 18.5; today's low: 15.5
Types of Data
Data              Represented by
Alphanumeric data Numbers, letters, and other characters
Image data        Graphic images or pictures
Audio data        Sound, noise, tones
Video data        Moving images or pictures
Characteristics of Valuable Information
- accurate
- complete
- economical
- flexible
- reliable
- relevant
- simple
- timely
- verifiable
- accessible
- secure
Example: Health Information
- You want the information about you in a health information system to be:
  - As accurate as possible (e.g. your age, sex)
  - As complete as possible
  - Relevant
  - Reliable
  - Available in a timely manner (e.g. information about your drug allergies is available before your operation!)
System
- Definition
  - A set of elements or components that interact to accomplish goals
  - A combination of components working together
Example of a System with sub-components
[Diagram: Customer Support System, made up of the Customer Maintenance Component, Order Entry Component, Catalog Maintenance Component and Order Fulfillment Component]
System Elements
- Inputs
- Processing mechanisms
- Outputs
[Diagram: Inputs -> Process -> Outputs]
System Example
Elements             System: Movie
Inputs               Actors, director, staff, sets, equipment
Processing elements  Filming, editing, special effects, distribution
Outputs              Finished film delivered to movie studio
Goal                 Entertaining movie, film awards, profits
System Components and Concepts
- System boundary
  - Defines the system and distinguishes it from everything else
- System types
  - Simple vs. complex
  - Open vs. closed
  - Stable vs. dynamic
  - Adaptive vs. non-adaptive
  - Permanent vs. temporary
System Performance and Standards
- Efficiency
  - A measure of what is produced divided by what is consumed (e.g. the efficiency of a motor is the energy produced divided by the energy consumed)
- Effectiveness
  - A measure of the extent to which a system achieves its goals
- System performance standard
  - A specific objective of the system
Nature of Information Systems
- Organization: group of individuals operating together in a systematic way to achieve a set of objectives
  - Individuals interact to achieve objectives
  - They interact with each other through rules and procedures to achieve objectives
  - Has objectives
  - Takes inputs, processes them into outputs
  - Resources classified into raw materials, machinery, human resources, money, information
  - Environment includes the physical environment, other organizations, abstract entities, individuals
Organizational Activities
- Primary activities (inbound logistics, operations, sales and marketing, outbound logistics, after-sales support)
- Secondary activities (corporate planning and control, administration, finance management, HRM, R&D)
Organizational Structure
- Hierarchical
- Functional
Management Structure
- Strategic Management
- Operational Management
Types of Information
- Planning, operating and control
- Strategic, operation and control
- Qualitative and quantitative
Linkage between Activities
- Organization divided into departments
- Information disseminated formally and informally
- Information flows should reflect structure and means of achieving objectives
- Data and Information
Qualities of Good Information
- Complete, relevant, timely, accurate, understandable, significant, channel, right recipient, cost benefit
- Noise in communication
- Redundant information
- Information cost (design and set-up costs, running costs, storage costs)
Information Systems
Definition: a formalized set of procedures designed to convert data into information for decision making
Activities include: data capture, data processing, dissemination of information, information use, monitoring the system
Information System Development Process entails:
1. Establish business objectives
2. Design in information needs
3. Establish sources of data
4. Examine who needs data
5. Format and timing of information received
6. Process required to convert data into information
7. Building system
8. Monitor and control system effectiveness
Information System (cont.)
- Design could be bottom-up or top-down
- Manual or mechanized
- Information needs (planning, monitoring, control, decision making, recording and processing transactions, communication)
Types of Information Systems
- Transaction processing systems
- Office automation systems
- Management information systems
- Decision support systems
- Executive information systems
- Expert systems
Nature of Decision Making
- Structured (programmed decisions)
- Unstructured
- Semi-structured
- Analytical decisions
- Heuristic decisions
Q&A
Threats and Attacks
Principles of Information Security, 2nd Edition
Learning Objectives
- Identify and understand the threats posed to information security
- Identify and understand the more common attacks associated with those threats
Threats
- Threat: an object, person, or other entity that represents a constant danger to an asset
- Management must be informed of the different threats facing the organization
- By examining each threat category, management effectively protects information through policy, education, training, and technology controls
Threats (contd)
- The 2004 Computer Security Institute (CSI)/Federal Bureau of Investigation (FBI) survey found:
  - 79 percent of organizations reported cyber security breaches within the last 12 months
  - 54 percent of those organizations reported financial losses totaling over $141 million
Threats to Information Security
Acts of Human Error or Failure
- Includes acts performed without malicious intent
- Causes include:
  - Inexperience
  - Improper training
  - Incorrect assumptions
- Employees are among the greatest threats to an organization's data
Acts of Human Error or Failure (contd)
- Employee mistakes can easily lead to:
  - Revelation of classified data
  - Entry of erroneous data
  - Accidental data deletion or modification
  - Data storage in unprotected areas
  - Failure to protect information
- Many of these threats can be prevented with controls
Figure 2-1 – Acts of Human Error or Failure
Deliberate Acts of Espionage or Trespass
- Access of protected information by unauthorized individuals
- Competitive intelligence (legal) vs. industrial espionage (illegal)
- Shoulder surfing occurs anywhere a person accesses confidential information
- Controls let trespassers know they are encroaching on the organization's cyberspace
- Hackers use skill, guile, or fraud to bypass controls protecting others' information
Deliberate Acts of Theft
- Illegal taking of another's physical, electronic, or intellectual property
- Physical theft is controlled relatively easily
- Electronic theft is a more complex problem; evidence of the crime is not readily apparent
Deliberate Software Attacks
- Malicious software (malware) designed to damage, destroy, or deny service to target systems
- Includes viruses, worms, Trojan horses, logic bombs, back doors, and denial-of-service attacks
Forces of Nature
- Forces of nature are among the most dangerous threats
- Disrupt not only individual lives, but also storage, transmission, and use of information
- Organizations must implement controls to limit damage and prepare contingency plans for continued operations
Deviations in Quality of Service
- Includes situations where products or services are not delivered as expected
- An information system depends on many interdependent support systems
- Internet service, communications, and power irregularities dramatically affect availability of information and systems
Internet Service Issues
- Internet service provider (ISP) failures can considerably undermine availability of information
- An outsourced Web hosting provider assumes responsibility for all Internet services as well as hardware and Web site operating system software
Attacks
- Act or action that exploits a vulnerability (i.e., an identified weakness) in a controlled system
- Accomplished by a threat agent which damages or steals the organization's information
Attacks (contd)
- Malicious code: includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information
- Back door: gaining access to a system or network using a known or previously unknown/newly discovered access mechanism
Attacks (contd)
- Password crack: attempting to reverse-calculate a password
- Brute force: trying every possible combination of options of a password
- Dictionary: selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses
Attacks (contd)
- Denial-of-service (DoS): attacker sends a large number of connection or information requests to a target
  - Target system cannot handle them successfully along with other, legitimate service requests
  - May result in system crash or inability to perform ordinary functions
- Distributed denial-of-service (DDoS): coordinated stream of requests is launched against target from many locations simultaneously
Figure 2-9 - Denial-of-Service Attacks
Attacks (contd)
- Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address
- Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into the network
- Spam: unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging as a vector for some attacks
Figure 2-11 - Man-in-the-Middle
Attacks (contd)
- Mail bombing: also a DoS; attacker routes large quantities of e-mail to the target
- Sniffers: program or device that monitors data traveling over a network; can be used both for legitimate purposes and for stealing information from a network
- Social engineering: using social skills to convince people to reveal access credentials or other valuable information to the attacker
Attacks (contd)
- Buffer overflow: application error occurring when more data is sent to a buffer than it can handle
- Timing attack: relatively new; works by exploring the contents of a Web browser's cache to create a malicious cookie
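As an added illustration of the buffer overflow item above (this is example code, not from the slides or the textbook), the C below places the unchecked copy that produces the overflow next to a bounded copy that refuses input which does not fit; NAME_CAP, copy_name_unsafe and copy_name_safe are names chosen for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16   /* fixed-size destination buffer, terminator included */

/* Vulnerable pattern: strcpy copies until it finds the NUL terminator and
 * never looks at the destination size, so a source of NAME_CAP or more
 * characters writes past the end of buf and corrupts adjacent memory.
 * Kept only to show the defect; main() calls it with input that fits. */
static void copy_name_unsafe(char buf[NAME_CAP], const char *src) {
    strcpy(buf, src);
}

/* Hardened version: look for the terminator within the first NAME_CAP bytes
 * of src before touching buf. If it is not there the input cannot fit, so
 * the call is rejected and buf is left as an empty string rather than
 * silently truncated. Returns true on success, false when rejected. */
static bool copy_name_safe(char buf[NAME_CAP], const char *src) {
    const char *end = memchr(src, '\0', NAME_CAP); /* scans at most NAME_CAP bytes */
    if (end == NULL) {            /* no terminator in range: input is too long */
        buf[0] = '\0';
        return false;
    }
    memcpy(buf, src, (size_t)(end - src) + 1); /* copy including the terminator */
    return true;
}

int main(void) {
    char name[NAME_CAP];
    /* Constructed input: 33 'A's, far beyond the 15 characters that fit. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    copy_name_unsafe(name, "alice");  /* works only because "alice" fits */
    printf("unsafe copy of short input: %s\n", name);

    printf("safe copy of \"bob\": %s\n",
           copy_name_safe(name, "bob") ? "accepted" : "rejected");
    printf("safe copy of 33-byte input: %s\n",
           copy_name_safe(name, too_long) ? "accepted" : "rejected");
    return 0;
}
```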
Summary
- Threat: object, person, or other entity representing a constant danger to an asset
- Attack: a deliberate act that exploits a vulnerability