Information Technology For Management 5th Edition - PowerPoint PPT Presentation

1 / 58
About This Presentation
Title:

Information Technology For Management 5th Edition

Description:

Chapter 16 Security Information Technology For Management 5th Edition Turban, Leidner, McLean, Wetherbe Lecture Slides by A. Lekacos, Stony Brook University – PowerPoint PPT presentation

Number of Views:413
Avg rating:3.0/5.0
Slides: 59
Provided by: BHA151
Category:

less

Transcript and Presenter's Notes

Title: Information Technology For Management 5th Edition


1
Chapter 16
Security
  • Information Technology For Management 5th Edition
  • Turban, Leidner, McLean, Wetherbe
  • Lecture Slides by A. Lekacos,
  • Stony Brook University
  • John Wiley Sons, Inc.

2
Learning Objectives
  • ??????????????????????????????????????
    information resources.
  • ??????????????????????? IS department
    ?????????????????? end users.
  • ??????????????????????? chief information officer
    (CIO)
  • ???????????????????????????????????, ???????????,
    ??????????????????????????????????????????????????
    ????????? ? (malfunction)
  • ???????????????????? ? ???????????? information
    systems.
  • ?????????????????????????????? Web ??? electronic
    commerce.
  • ?????????????????????????????????????????
    disaster recovery planning.
  • ????????????????????? economics of security ???
    risk management.
  • ????????????????? IT ?????????????????????????????
    ????????

3
Cybercrime in the new millennium
  • Jan 1,2000 ??????????????????????????? Y2K
    ??????????????????????????????????? ??? Feb 6,
    2000 e-commerce site ???? ? ????
    ?????????????????????????????? ? ?????????????
    ???????? Yahoo ??????????? Amazon, Etrade ???? ?
    ???????????????????????????????? Denial of
    Service
  • ???????????????? Denial of Service (DoS) ???
    ????????????????????????????????????????? ?
    ????????????????????????????????????
    ?????????????????????????? ???????????????????????
    ????????????????????????? ? ???
    ?????????????????? ????????????????????
    ???????????? Web Server, Mail Server ???? Domain
    Name Server ??????????????????
  • ??????
  • ???????????????????????????????
    ?????????????????? ???????????????????????????????
    ?????????????? ??????????????????????????
    ?????????????????????????????????????
    ???????????????? ?????????????????????????????????
    ????????????????????????????? ????????????????????
    ?????????????????????????????????? ? ???
    ??????????????????

4
  • ???????
  • ?????????????????????????????????? ? ???????
    ???????????? ?????????????????????????????????????
    ???????????????????? ? ??? Web Server ????????
    ?????????????????????? Web page ??? ??? Mail
    Server ???????? ???????????????? mail ???????
    ??????? Domain Name Server ?????????????????? url
    ???? ip ?????????????? ?????????
    ????????????????????????? ? ???????????????
    bandwidth ??????????? ????????????????????????????
    ???????????????

5
16.1 Securing the Enterprise
  • CSI/FBI ?????????????????????????? 2004 ??? 2005
    ????????????????? 16.1
  • ??????????????? IT at Work 16.1 VA Policy
    Violation and Home Burglary Cause Security Breach
    Estimated to Cost 100 Million, page 626

6
  • Global Reach Increase IS Vulnerability
  • Time-To-Exploit is Shrinking?????????????????????
    ???????????????????????????? ?????????????????????
    ???????????????????????????????????????????(exploi
    t) ???????????????????????? patch
    ????????????????????????????????????????????????
    ??????????????????????????????????????????????????
    ??????????????????????????????????????????????????
    ???? ??????? ?????????????????????????????????????
    ???????????????????????????? ????????????
    ????????????????????????????????????
    ??????????????????????????????????????????????????
    ???????????????????????????? ?????????????????????
    ??????????????????????????????????????????????????
    ??
  • ??????????????? A Closer Look 16.1 IT
    Governance ???? 627

7
  • National And International Regulations Demand
    Tougher IT Security
  • Industry Self-Regulations ???????????????????????
    ???????????????????????????????????
    ??????????????????????????????????????? ? ????
    Payment Card Industry (PCI) Data Security
    Standard ?????????????????????????????????????????
    ??????????? ???? Visa, MasterCard, American
    Express ???????
  • Small Business Regulations ?????????? ?
    ?????????????????????????? ????????????????? ?
    ??????????????????????????????????????????????????
    data security procedure ???????????? consumer
    data
  • Cyber-Blackmail ???????????????????? Hacker
    ????????????????????????? (Trojan encrypt)
    ??????????????????????????????????????????????????
    ??????

8
  • Information Systems Breakdown ???????????????????
    628
  • Directed and Refined Threats Call For New IT
    Security Strategies
  • ????? 9 ??? 10 ????????????????????
  • ???????????????????? (Human error)
  • ???????????????? (System malfunctioning)
  • ??????????????????????????????????????????????????
    ??????????????????
  • ??????????????? A Close Look 16.2 Money
    Laundering, Organizing Crime and Terrorist
    Financing page 629

9
IT Security and Internal Control Model
  • 1 ????????????????????????????????????????????????
    ????
  • 2 ??????????????????????????????????????????
  • ?????????????????????????? AUP (acceptable use
    policy) ???????????????????????????
    ????????????????
  • 1 ????????????????????????????????????????????????
    ??????????????????????????
  • 2 ????????????????????????????????????????????????
    ??????????????????
  • ??????????????? IT at Work 16.2 Employee-Caused
    Breaches on the Risepage631

10
  • 3 ??????????????????????????????????????????????
    (?????????????????????? 16.2)
  • 4) ???????????????????????????????????????????????
    ?????????????

11
16.2 IS Vulnerabilities and Threats
  • ??????????????????????? IT Security Term
    ?????????? 12.2 ???????? (?????? ?????????)
  • Identity theft ??????? ???????????????????????????
    ???????????????????????? ???????????? false
    identity ?????????????????????????????????
  • ???????????????????? (Information resources)
    (??????????? physical resources, data, software,
    procedures, and other information resources)
    ??????????????????????????????????????????????????
    ????????????????????????????????????
    ??????????????????????????????????? ?
    ?????????????? ?

12
Security Terms
Term Definition
Backup An extra copy of data and/or programs, kept in a secured location (s)
Decryption Transformation of scrambled code into readable data after transmission
Encryption Transmission of data into scrambled code prior to transmission
Exposure The harm, loss, or damage that can result if something has gone wrong in information system.
Fault tolerance The ability of an information system to continue to operate (usually for a limited time and/or at reduced level) when a failure occurs
13
Information system controls The procedure, devices, or software that attempt to ensure that system performs as planned.
Integrity (of data) The procedure, devices or software that attempt to ensure that the system performs as planned.
Risk A guarantee of the accuracy, completeness, and reliability of data, system integrity is provided by the integrity of its components and their integration
Threats (or hazards) The likelihood that a threat will materialize
Vulnerability Given that a threat exists, the susceptibility of the system to harm caused by the threat.
14
????????????????? (System Vulnerability)
  • Universal vulnerability ??????? ?????????????? ?
    (state) ?? computing system ??????
    ??????????????????????? execute ?????????? ?
    ??????????????????? (another user)
    ??????????????????????????????????????????????????
    ???????????????????????????????????????
    ??????????????????????????????????????????????????
    ????? (pose as another entity) ????
    ????????????????????????????????????????????
    denial of service (DoS)
  • Exposure ??? ?????????????? ? ?? computing system
    (???? set of systems) ????????????????? universal
    vulnerability ???? ???????????????????????????????
    ????????????????????????????? ???????????????????
    ????????????????? ? ????????????? ????????????? ?
    ???????????????????????? (???????????????????)
    ???? ??? a primary point of entry
    ??????????????????????????????????????????????????
    ??????????????????? ??? ??????????????????????????
    ????????? security policy.

15
Security Threats
16
????????????????? (System Vulnerability)
  • ??????????????????????????????????????????????????
    ??????????????????????? ?????????????????
    wireless computing ??????????????
    ????????????????????? ???????????????????
    (???????????????) ?????????????????
    ????????????????
  • ???????????? (Unintentional)
  • Human errors
  • Environmental hazards ???? ?????????? ???????
    ???????
  • Computer system failures ???? ???????????????
    ????????????????
  • ?????? (Intentional)
  • Theft of data
  • Inappropriate use of data
  • Theft of mainframe computer time
  • Theft of equipment and/or programs

17
  • Deliberate manipulation in handling
  • Entering data
  • Processing data
  • Transferring data
  • Programming data
  • Labor strikes
  • Riots (???????????)
  • Sabotage (????????????)
  • Malicious damage to computer resources
  • Destruction from viruses and similar attacks
  • Miscellaneous computer abuses (??????????????)
  • Internet fraud (??????????????????????????)
  • Terrorists attack

18
??????????????????????? (Computer Crimes)
  • Type of computer crimes and criminals
  • ????????? ????????????????????????????????????????
    ?????????? ???? ??????????????????????????????????
    ??????????????????????
  • ???????? (Hacker) ??????? ????????????????????????
    ??????????????????? ????????????
    ???????????????????????? (no criminal intent)
  • ????????? (Cracker) ??????? ??????????????????????
  • Social engineering ??????? ???????????????????????
    ????????????? ?????? ??????????
    ???????????????????????? sensitive information
    ???? ????????????????? ?????????????????????
    ?????????????????????????????

19
Type of computer crimes and criminals
  • Cybercrimes ??????? ??????????????????????
    Internet
  • Identify theft ??????? ??????? (the identity
    thief) ?????????????????????
  • Cyberwar ?????????????????????????????????????????
    ???? ???????????? ????????? massive attack
    ????????? destructive software.

20
Methods of Attack on Computing Facility
  • (?????????????????????????????????????????????????
    ?) ??????????????????????? ???????????????????????
    ????? (Data Tampering) ??? ??????????????????????
    (Programming attack)
  • ????? (Virus) ??????? ????????????????????????????
    ?????????????????????????? ????????????
    ??????????????????????????????????????????????????
    ????????????
  • Denial of Service (DoS)??????? Cyber-attack
    ?????????????????????? data packets ?????
    ?????????????????????????????? ???????????????????
    ???????? overload ???? ???????????????????????
    ???? ????????????????? Zombied PC
  • Botnets ?????????????????????????????????????
    ?????? Spam???????????????????????????? ?
    ?????????????????????? ???????????????????????????
    ???? computer robot ???? bot

21
Virus
22
Security Terms
Method Definition
Virus Secret instructions inserted into programs (or data) that are innocently ordinary tasks. The secret instructions may destroy or alter data as well as spread within or between computer systems
Worm A program that replicates itself and penetrates a valid computer system. It may spread within a network, penetrating all connected computers.
Trojan horse An illegal program, contained within another program, that sleep' until some specific event occurs then triggers the illegal program to be activated and cause damage.
Salami slicing A program designed to siphon off small amounts of money from a number of larger transactions, so the quantity taken is not readily apparent.
23
Super zapping A method of using a utility zap program that can bypass controls to modify programs or data
Trap door A technique that allows for breaking into a program code, making it possible to insert additional instructions.
Logic bomb An instruction that triggers a delayed malicious act
Denial of services Too many requests for service, which crashes the site
Sniffer A program that searches for passwords or content in packet of data as they pass through the Internet
Spoofing Faking an e-mail address or web-page to trick users to provide information instructions
24
Password cracker A password that tries to guess passwords (can be very successful)
War dialling Programs that automatically dial thousands of telephone numbers in an attempt to identify one authorized to make a connection with a modem, then one can use that connection to break into databases and systems
Back doors Invaders to a system create several entry points, even if you discover and close one, they can still get in through others
Malicious applets Small Java programs that misuse your computer resource, modify your file, send fake e-mail, etc
25
16.3 Fraud and Computer Crimes
  • Fraud (?????,???????) ??????? ????????????????????
    ??????????????????????????????????????????????????
    ???????????????????????????????????????????????
    ???????? Occupational fraud

26
Computer CrimesIdentify Theft
27
16.4 IT Security Management Practices Defense
Strategy How Do We Protect ?
??????????????? potential threats ??? IS
????????????????? ????????????????????????????????
??? ?????????????? ?????????? controls (defense
mechanisms) ??? developing awareness
??????????????
  • The major objectives of a defense strategy are
  • ????????????????? (?????????????????)
  • ???????
  • ????????????????
  • ??????????
  • ???????????? (???????????????????????????????)
  • Awareness and compliance

28
Major defense control
29
General Controls
  • Physical control
  • ?????? data center ?????????? ???? ?????????
    ??????
  • ??????????????????????????????????
  • ????????????? ??????? ??? ?????
  • ????????????? ??? ???? UPS
  • ??????????? ????????? ??? ??????
    ?????????????????????????
  • ?????????????????????? ???? ????????????????
    ???????????

30
  • Access Control
  • ??????????????????? ??? ??????????? (Authorize)
    ??? ???????????????????????????????? (??????
    ????????? ? )(Authentication) ????????????????????
    ?Unique user-identifier (UID)
  • Biometric Control
  • Photo face Fringerprints
  • Hand geometry Iris scan
  • Retina scan Voice scan
  • Signature Keystroke dynamic

31
Defense Strategy Biometric
32
  • Data Security controls
  • ?????????????? 2 ?????????????????? data security
    ???
  • Minimal privilege ????????????????????????????????
    ????????????
  • Minimal exposure ?????????????????????????????????
    ??????? ??????????????????????????????????????????
    ?????????????????????? ????????? ??????? ????
    ?????? ?????
  • Communications and Network controls
  • Administrative controls
  • Other General Controls
  • Programming controls
  • Documentation controls
  • System Development controls

33
  • Application Controls
  • Input controls ??????
  • Completeness
  • Format
  • Range
  • Consistency
  • Processing controls ?????????????????????????
    ????????????? ??????? ?????? ?????????????????????
    ???????????
  • Output controls ?????????????????? ?????????
    ??????? ??????????????

34
16.5 Network Security
  • Border Security
  • ??????????????????? border security ??? access
    control ??????? ????? authentication ???? proof
    of identity ????????????????? ?????????????????
    authorization ????????????????????????????????????
    ??????? user ????? ? ????????????????????????

Security Layers
35
Tool ???????????????? Border Security
  • Firewalls
  • Malware Controls
  • Intrusion Detecting Systems (IDSs)
  • Virtual Private Networking (VPN)
  • ????????????????? (Encryption)
  • ?????? Tester ??????? Trouble Shooting ????
    Protocol analyzer
  • Payload Security ?????????????????????????????????
    ????????
  • Honeypots ????????? hacker ???????????????????????
    ? (????????????? Honeypots ????? Honetnets)

36
Authentication
  • Phishing ??? identity theft ?????????????????
    weak authentication ????????????????????????
    ?????????????????????????? strong authentication
    ????????? two-factor authentication ????
    multifactor authentication ????????????? 2
    ????????(???????????)??????????
  • ????????????????????????????????????????????????
    ???
  • 1) ?????????? ???? ??????? ?????? ???????
    ?????????????????????
  • 2) ????????????? ???? ????????????????????????????
    ???????????????????????????????? remote ??????,
    ??? remote ?????? ???? IP ?????????????????
  • 3) ??????????????? ?????????? ????????????????????
    ????????????? (???????? ???? ?????????????????????
    ???????????????? ? ?? ???? ??????????????????

37
Defense mechanism
38
16.6 Internal Control and Compliance Management
  • Internal Control (IC) ????????????????? ?
    ???????????????????????????
  • 1) ???????????????(reliability)???????????????????
    ???????????
  • 2) ????????????????????????????????
  • 3) ???????????????????????? (Law)
  • 4) ???????????????????????? (Regulation)
    ????????? (Policy)
  • 5) ?????????????????????????? ?

39
Increasing role of IT in internal control
40
(No Transcript)
41
Internal control procedures and activities
  • ??????????? 5 ????????????????????????????
    (internal control)
  • 1) ?????????????????????????????????
  • ????????? fraud ??????????????????????????????????
    ??????????????????????????????????
  • 2) ??????????????????????????
  • ??????????????????????????????????????????????????
    ?????????????????????????????????????????????????
    ????????? fraud ??????
  • 3) ?????????????????(??????)????????????
  • ??????????????????????????????????????????????????
    ??????????????? ??????????????????????????????????
    ??????????????????????????????????????????????????
    ???

42
  • 4) ????????????????????????? (Physical
    safeguards) (???? ????????? ???????????)
  • ??????????????????????????????????????????????????
    ?????????????????????????? fraud
  • 5) ????????????????????????????????
  • ??????????????????????????????????????????????????
    ???????

43
16.7 Business Continuity and Disaster Recovery
Planning
  • ?????????????????????????????????????????? ? ???
    business continuity plan, ???????????????
  • Disaster recovery ??????? ???????????????????????
    ????????????????????????? ???????
    ????????????????? (???????????????????????????????
    ???)
  • Disaster recovery plan. ??????????????????????????
    ??????????????????????????????????????????????????
    ?????????????? ? (major disaster)
  • Disaster avoidance ??????? ???????????????????????
    ???????????????????????? ???
  • Backup location ??????? ???????????????????
    ??????????? ???/???? ???????????????
    ???????????????? ?????????????????????????????????
    ????????????????????
  • Hot site ??????? ?????????? vendors ????????????
    access ???????? fully configured backup data
    center.

44
Business continuity services managed by IBM
45
Business Continuity Planning
  • ?????????????????? business continuity plan
    ??????????????????????????????????????????????????
  • Recovery planning ????????????????????????????????
    ??????? (asset protection)
  • ??????????????????????????????????????????????????
    ???????????????????????? ( total loss of all
    capabilities)
  • ?????????????????????????????????????? What if
    analysis
  • Application ??????????????????????????????????????
    ??????????????????????????????????
  • ??????????????????????????????????????????????????
    ??????????????????????
  • ??????????????? IT at Work 16.3 Business
    Continuity and Disaster Recovery page649

46
One of the most logical ways to deal with loss of
data is to back it up. A business continuity plan
should include backup arrangements were all
copies of important files are kept offsite.
47
16.8 Implementing Security Auditing and Risk
Management
  • ??????????????????????????????? ?
    ??????????????????????????????????????????????????
    ???????????????????????????????????????????
    ??????????????? ? ??????????????????????????????
    ???? auditing task
  • ???????????????? 2 ?????? ???
  • ??????????????????? (internal auditor)
    ?????????????????????????????????????? ISD.
  • ???????????????????? (external auditor)
    ??????????????????????????
  • ???????????????? 2 ????????????? ???
  • Operational audit ?????????? ISD
    ???????????????????
  • Compliance audit ?????????????????????????????????
    ??????????????????????????

48
???????????????????????????????????
  • ???????????????????????????????
    ?????????????????????????? ??? ???????????????????
    ????
  • ????????????? ????? ?????????????????????????????
  • ????????????? ? ???????????????????? (???????????
    ???????????????????????????????????)
  • ?????????????????????????????? ? ?????????????
  • ??????????????? ? ????????????????????????????????
    ???????
  • ??????????????? ? ?????????????????????????????
    ???????????????????????????????????????? ???????

49
Risk Management and Cost-Benefit Analysis
  • ?????????????????????????????????????? ?
    ?????????????????????? ??????? IT security
    program ???????????????????????????????????????
    (assessing threats) ??????????????
    ???????????????????? ?????????????????????
    (ignore)
  • Risk-Management Analysis
  • Expected loss P1 x P2 x L
  • ????? P1 probability of attack (estimate, based
    on judgment)
  • P2 probability of attack being successful
    (estimate, based on judgment)
  • L Loss occurring if attack is successful
  • ???????? P1 .02, P2 .10, L 1,000,000 usd
  • Expected loss 0.02 x 0.10 x 1,000,000 usd
    2,000

50
16.9 Computer Forensics (?????????????????????????
?????????????)
  • ???????????????????????? ? ?????? 651 ??? 653

51
MANAGERIAL ISSUES
  • To whom should the IS department report?
  • ???????????????????? degree of IS
    decentralization ??? ???????? CIO ????? IS
    department ??????? functional area ?? ?
    ???????????????????????????????????????????
    functional area ???? ? ?????????
    ????????????????? IS ??????????????? CEO
  • Who needs a CIO?
  • ?????????????????????????????????????????? CIO
    ?????? senior executive ?????????
    ????????????????????????????????????????????????
    ISD ??????????????? ? ????????????? ???????
    ???????? ? ???????????????????????? IT
    ???????????????? ???????????? CIO

52
MANAGERIAL ISSUES
  • 1) What is the business value of IT security and
    internal control?
  • ????????????????????????????????? IT ???
    ??????????????????? ??????? ?????????????? IT
    ??????????????? business objective
    ???????????????????????????
  • 2) Why are there legal obligations
    (?????????????????????)?
  • ??????????????????????????????????????????????????
    ??????????????????????????????? transaction ???
    ?????????? ? ?????????????????????????? ??????
    ?????????? ???????????????????????????????????
    ?????????????????????????
  • 3) How important is IT security to management?
  • ????????????????????????????????????????????
    ???????????????????????????????????
    ???????????????????????????? hacker, phisher,
    spammer, identity thieve, malware ??? terrorist
    worldwide ????????????????????

53
MANAGERIAL ISSUES
  • 4) IT security and internal control must be
    implemented top-down
  • ?????????????? IT ????????????????????????????????
    ??????????????????????????????????????????
  • 5) Acceptable use policies (AUPs) and security
    awareness training are important for any
    organization
  • ??????? 1 ??????????????????????????? IT ???
    Human error
  • 6) Digital assets are relied upon for competitive
    advantage
  • ?????????????? ???????????????????????????????????
    ??????????????????????? ??????? ???????????????
    BI, ERP, CRM ??? EC ????????????????????
    ??????????? ??? ?????????????? ??????????????? IT

54
MANAGERIAL ISSUES
  • 7) What does risk management involve?
  • ????????????????????????????? ?????????????? ????
    ???????? ??? ?????? ?????????????
    ?????????????????????? ? ?????????
    ??????????????????????????????????????????????????
    ????????? ???????????????????????????????? ? ???
    ???????????????????? malware, spyware ???
    profit-motivated hacking
  • 8) What are the impacts of IT security breaches
    (????????? IT security)?
  • ??????????????????????????????????????????????????
    ??????????????????????????????????????????

55
  • End users are friends, not enemies, of the IS
    department.
  • ??????????????????? end users ??? ISD
    ???????????????????????? ?????????? ISD
    ?????????? end-user ??????????????
    ??????????????????????????????????????????????
    ???????????????????????????????????????????????
    ?????????????????? ???????????????????????????????
    ??????????????????????????????????????????
  • Ethical issues.
  • ????????????????????????? ISD ????
    ???????????????????????????????????????????? ????
    ???ISD ?????????????????? ????????????????????????
    ???????????????????????????? ? ???????????????????
    ? ????????????????????????????????

56
MANAGERIAL ISSUES Continued
  • Responsibilities for security should be assigned
    in all areas.
  • ????????????? Internet, extranets, ??? intranets
    ??????????????????????????????????????????????????
    ????????????? ????????????????????????????????????
    ??????????????????????????????????????????????????
    ????????? ??????? ????????????????? functional
    managers ?????????????????????????????? IT
    security management and asset management
    ????????????
  • Security awareness programs are important for any
    organization, especially if it is heavily
    dependent on IT.
  • ??????????????????????????????????????????????????
    ??????????? senior executives ???? ? ????????
    ????????????? administrative controls
    ????????????????????? ????????????????

57
MANAGERIAL ISSUES Continued
  • Auditing information systems should be
    institutionalized into the organizational
    culture.
  • ?????????????????????? IS ????????????????????????
    ????? (???????????????????? ? ????????????????????
    ????????????????????????????????) ????????????
    over-auditing ??????????????????????????
  • Multinational corporations.
  • ??????????? ISD ??????? multinational corporation
    ?????????????????????????????????????????????????
    ??????????????????????????? complete
    decentralization ????? ISD ?????????????
    ?????????? ISD ????? ??????????? centralized
    staff ?????????????????????? ? ???????????????????
    ????????? highly centralized structure
    ?????????????????????

58
??????????? 16
  • ???????????????.
Write a Comment
User Comments (0)
About PowerShow.com