Lecture IS3318

advertisement
1
LECTURE IS3318
22/11/11
2
System Vulnerability and Abuse
•
Computer crime
• Defined as “any violations of criminal law that involve a
knowledge of computer technology for their perpetration,
investigation, or prosecution”
• Computer may be target of crime, e.g.:
• Breaching confidentiality of protected computerized data
• Accessing a computer system without authority
• Computer may be instrument of crime, e.g.:
• Theft of trade secrets
• Using e-mail for threats or harassment
3
System Vulnerability and Abuse
•
Identity theft: Theft of personal Information (social security id,
driver’s license or credit card numbers) to impersonate someone
else
•
Phishing: Setting up fake Web sites or sending e-mail messages
that look like legitimate businesses to ask users for confidential
personal data.
•
Evil twins: Wireless networks that pretend to offer trustworthy Wi-
Fi connections to the Internet
•
Pharming: Redirects users to a bogus Web page, even when
individual types correct Web page address into his or her browser
4
System Vulnerability and Abuse
•
Click fraud
•
•
Individual or computer program clicks online ad without any intention
of learning more or making a purchase
Global threats - Cyberterrorism and cyberwarfare
•
Concern that Internet vulnerabilities and other networks make digital
networks easy targets for digital attacks by terrorists, foreign
intelligence services, or other groups
5
System Vulnerability and Abuse
•
Internal threats – Employees
•
Security threats often originate inside an organization
• Inside knowledge
• Sloppy security procedures
• User lack of knowledge
• Social engineering:
• Tricking employees into revealing their passwords by
pretending to be legitimate members of the company
in need of information
6
System Vulnerability and Abuse
•
Software vulnerability
•
Commercial software contains flaws that create security
vulnerabilities
• Hidden bugs (program code defects)
• Zero defects cannot be achieved because complete
testing is not possible with large programs
• Flaws can open networks to intruders
•
Patches
• Vendors release small pieces of software to repair flaws
• However, amount of software in use can mean exploits
created faster than patches be released and implemented
7
Business Value of Security and Control
•
Lack of security, control can lead to
•
Loss of revenue
• Failed computer systems can lead to significant or
total loss of business function
•
Lowered market value:
• Information assets can have tremendous value
• A security breach may cut into firm’s market value
almost immediately
•
Legal liability
•
Lowered employee productivity
•
Higher operational costs
8
Business Value of Security and Control
•
Electronic evidence
•
Evidence for white collar crimes often found in digital form
• Data stored on computer devices, e-mail, instant messages,
e-commerce transactions
•
Proper control of data can save time, money when responding to
legal discovery request
•
Computer forensics:
• Scientific collection, examination, authentication, preservation,
and analysis of data from computer storage media for use as
evidence in court of law
• Includes recovery of ambient and hidden data
9
Establishing a Framework for Security and Control
• Information systems controls
•
General controls
• Govern design, security, and use of computer programs
and data throughout organization’s IT infrastructure
• Combination of hardware, software, and manual
procedures to create overall control environment
•
Types of general controls
•
Software controls
•
Hardware controls
•
Computer operations controls
•
Data security controls
•
Implementation controls
•
Administrative controls
10
Establishing a Framework for Security and Control
•
Application controls
• Specific controls unique to each computerized application,
such as payroll or order processing
• Include both automated and manual procedures
• Ensure that only authorized data are completely and
accurately processed by that application
• Types of application controls:
• Input controls
• Processing controls
• Output controls
11
Technologies and Tools for Security
•
Antivirus and antispyware software:
• Checks computers for presence of malware and can often
eliminate it as well
• Require continual updating
•
Unified threat management (UTM)
• Comprehensive security management products
• Tools include
•
Firewalls
•
Intrusion detection
•
VPNs
•
Web content filtering
•
Antispam software
Intro to Databases
• File organization concepts
• Computer system organizes data in a hierarchy
•
•
•
•
Field: Group of characters as word(s) or number
Record: Group of related fields
File: Group of records of same type
Database: Group of related files
• Record: Describes an entity
• Entity: Person, place, thing on which we store information
• Attribute: Each characteristic, or quality, describing entity
• E.g., Attributes Date or Grade belong to entity COURSE
The Data Hierarchy
A computer system
organizes data in a
hierarchy that starts with the
bit, which represents either
a 0 or a 1. Bits can be
grouped to form a byte to
represent one character,
number, or symbol. Bytes
can be grouped to form a
field, and related fields can
be grouped to form a record.
Related records can be
collected to form a file, and
related files can be
organized into a database.
Figure 6-1
•
Problems with the traditional file environment (files maintained
separately by different departments)
• Data redundancy and inconsistency
• Data redundancy: Presence of duplicate data in multiple files
• Data inconsistency: Same attribute has different values
• Program-data dependence:
• When changes in program requires changes to data accessed by
program
• Lack of flexibility
• Poor security
• Lack of data sharing and availability
•
Database
• Collection of data organized to serve many applications by
centralizing data and controlling redundant data
•
Database management system
• Interfaces between application programs and physical data files
• Separates logical and physical views of data
• Solves problems of traditional file environment
•
•
•
•
Controls redundancy
Eliminates inconsistency
Uncouples programs and data
Enables organization to central manage data and data security
Human Resources Database with Multiple Views
A single human resources database provides many different views of data, depending on the information
requirements of the user. Illustrated here are two possible views, one of interest to a benefits specialist and
one of interest to a member of the company’s payroll department.
Figure 6-3
•
Relational DBMS
• Represent data as two-dimensional tables called relations or files
• Each table contains data on entity and attributes
•
Table: grid of columns and rows
• Rows (tuples): Records for different entities
• Fields (columns): Represents attribute for entity
• Key field: Field used to uniquely identify each record
• Primary key: Field in table used for key fields
• Foreign key: Primary key used in second table as look-up field to
identify records from original table
Relational Database Tables
A relational database organizes data in the form of two-dimensional tables. Illustrated here are tables for
the entities SUPPLIER and PART showing how they represent each entity and its attributes.
Supplier_Number is a primary key for the SUPPLIER table and a foreign key for the PART table.
Figure 6-4A
Relational Database Tables (cont.)
Figure 6-4B
•
Capabilities of Database Management Systems
• Data definition capability: Specifies structure of database
content, used to create tables and define characteristics of fields
• Data dictionary: Automated or manual file storing definitions of
data elements and their characteristics
• Data manipulation language: Used to add, change, delete,
retrieve data from database
• Structured Query Language (SQL)
• Microsoft Access user tools for generation SQL
• Many DBMS have report generation capabilities for creating
polished reports (Crystal Reports)
The Database Approach to Data Management
Microsoft Access Data Dictionary Features
Figure 6-6
Microsoft Access has a
rudimentary data dictionary
capability that displays
information about the size,
format, and other
characteristics of each field
in a database. Displayed
here is the information
maintained in the SUPPLIER
table. The small key icon to
the left of Supplier_Number
indicates that it is a key field.
22
Some Drawbacks…
• Complexity
• A DBMS is a complex piece of software all users must fully
understand it to make use of its functionalities
• Cost of DBMS
• The cost varies significantly depending on the environment and the
functionality provided. Must take into consideration recurrent
annual maintenance costs
23
Continued..
• Cost of Conversion
• Cost of converting existing applications to run on the
new DBMS and hardware. (additional training costs)
• Performance
• DBMS is written for applications in general which
means that some applications may run slower than
before
• Higher Impact of Failure
• Centralization of resources increases vulnerability of the
system
24
Database Administrator
• Oversees a staff of database specialists
• Final recommendations for DB design
• Load and maintain DB
• Establish security controls
• Perform backup and recovery
25
Data Administration
Database
technology
And
management
Data
Administrator
Database
Management
System
Data planning
and modelling
technology
Users
26
Systems Analyst
• Or business analyst is a systems analyst that
specializes in business problem analysis and
technology-independent requirements analysis.
• A programmer/analyst (or analyst/programmer)
includes the responsibilities of both the computer
programmer and the systems analyst.
• Other synonyms for systems analyst include:
• Systems consultant
• Systems architect
• Systems engineer
• Information engineer
• Systems integrator
27
Variations on the Systems Analysts Title
• Other synonyms for systems analyst include:
• Systems consultant
• Systems architect
• Systems engineer
• Information engineer
• Systems integrator
28
Where Systems Analysts Work
• In traditional businesses
• Working in traditional information services organizations
(permanent project teams)
• Working in contemporary information services
organizations
(dynamic project teams)
• In outsourcing businesses
• Contracted to traditional businesses
• In consulting businesses
• Contracted to traditional businesses
• In application software businesses
• Building software products for traditional businesses
Download