IT Trends
Web 2.0
Introduction
• The collaborative nature of the Internet is not new – people share pictures, send instant messages and post videos on different sites, be it for an educational value or simply entertainment
• Introduced in 2004
• Web 2.0 has become part of our social and professional
• One important aspect of Web 2.0 is the staggering number of Web 2.0 products and services that you can find on the Internet.
Definition
Web 2.0 can be defined as “the business revolution in the computer industry caused by the move to the internet as platform, and an attempt to understand the rules for success on that new platform. Chief among those rules is this: Build applications that harness network effects and get better, the more people use them.”
(Tim O’Reilly, 2007)
Definition
• Heavily oriented toward content generation by people who collaborate and share their content and information.
• Example:
– Blogs
– Wikis
– Social networks
Web 1.0 vs. Web 2.0
• Web 1.0 – allowed the viewing of hyperlinked documents discovered by reference and browsing, and later by searching
– created by site owners
– repository of static information
• Web 2.0 – allows interaction with active and real-time content
– Created by interactions between users
– dynamic and interactive web
HTML vs Ajax
• HTML pages initially contained read-only content, regardless of whether the content was static (i.e. a file on the file system of a server) or dynamically generated prior to rendering the content in a browser.
• Web 2.0 removes the read-only content restriction from Web 1.0, enabling people to collaborate by dynamically updating, creating and sharing content with other users.
HTML vs Ajax
• Updating of HTML pages in Web 1.0 means the entire web page must be sent to the web server
• Web 2.0 uses Ajax to modify portions of the web page that need to be changed, offering more seamless user experience
Advantages of Web 2.0
• Collaborative nature on user-content
• Use of AJAX as a technical component
• Inputted text is saved instead of overwritten
• Full page refresh is not required (better performance)
• Page state is maintained
• Mash-ups can be readily implemented
Disadvantages of Web 2.0
• Security issues
• Lack of “bookmarkability”
• Cannot track URL history
• Harder to code applications
• Potential memory leaks
• Lack of support in older browsers
• More testing required (cross-browser support)
Popular Tools and Products
• Flickr
• YouTube
Popular Tools and Products: Flickr
• Photo sharing application launched in 2004 and later acquired by Yahoo!
• http://www.flickr.com
• Provides a set of APIs (including RSS and Atom feeds) to access its contents, and is often used by mash-ups to render Flickr-based content.
• For developers, Flickr provides licensing terms and support for map-related services for cities.
Popular Tools and Products: YouTube
• A video sharing application launched in 2006 and later acquired by Google
• http://www.youtube.com
• Extremely popular for sharing videos
Popular Tools and Products: Twitter
• A public message-oriented application
• http://twitter.com
• “Tweets” are mostly used for casual communication, but they have been used for commercial purposes
• Provides a feature called “track” that lets people track specific words, and another feature called “follow” that lets people follow each other
• Started as a Ruby-on-Rails (RoR) application; the Twitter development team later moved some of the back-end code to Scala (Java-based) to improve performance and scalability.
Popular Tools and Products: Facebook
• Social networking site created in 2004
• http://www.facebook.com
• In 2007, Facebook released its set of APIs, which let developers create Facebook applications
Collective intelligence
Web 2.0 is all about harnessing collective intelligence – which can be defined as “crowdsourcing” – wherein a large group of people would be able to “create a collective work whose value far exceeds that provided by any of the individual participants”
Web 2.0 technology
• With Web 2.0, the Web is not just a collection of destination sites, but a source of data and services that can be combined to create applications users need.
• Web 2.0 tools and services have fuelled the creation of social networks and other online communities where people can interact with one another in the manner of their choosing.
Web 2.0 technology (con’t.)
• Social networks – Social networking sites provide networking services to users, giving them the ability to set up profiles, blogs, tag documents of interest, and use online forums to communicate with one another
• Mash-ups – Software services that enable users and system developers to mix and match content or software components to create something entirely new
– Example: Flickr combines photos with other information about images provided by users and tools to make it usable within other programming environments
Web 2.0 technology (con’t.)
• Cloud computing – Refers to a model of computing where firms and individuals obtain computing power and software applications over the Internet, rather than purchasing their own software and hardware.
• Wikis – Hawaiian term for “quick”
– Collaborative Web sites where visitors can add, delete, or modify content on the site, including the work of previous authors
Web 2.0 technology (con’t.)
• RSS Syndication – Rich Site Summary / Really Simple Syndication
– Syndicates Web site content so that it can be used in another setting
– RSS technology pulls specified content from Web sites and feeds it automatically to users’ computers, where it can be stored for later viewing
• Blogs – Popular term for a Weblog: an informal yet structured Web site where subscribing individuals can publish stories, opinions, and links to other Web sites of interest
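An added example of the pull side of syndication (not code from the lecture): a small Python reader that parses an RSS 2.0 feed, treats the feed as untrusted input from a third-party site, and keeps only items whose links are web URLs. The feed text is constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed (not from any real site). The third item carries a
# non-web link that a reader rendering links into a page should not accept.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Campus News</title>
    <link>https://news.example/</link>
    <item>
      <title>Web 2.0 lecture posted</title>
      <link>https://news.example/web20</link>
      <pubDate>Mon, 01 Mar 2010 09:00:00 +0000</pubDate>
    </item>
    <item>
      <title>Cloud lab opens</title>
      <link>http://news.example/cloud-lab</link>
      <pubDate>Tue, 02 Mar 2010 09:00:00 +0000</pubDate>
    </item>
    <item>
      <title>Lecture slides</title>
      <link>ftp://files.example/lecture.pdf</link>
    </item>
  </channel>
</rss>
"""

SAFE_SCHEMES = {"http", "https"}
MAX_ITEMS = 50  # cap on how much one feed can push into the reader


def safe_link(url: str) -> bool:
    """Accept only absolute web URLs; everything else is dropped, not guessed at."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


def parse_rss(xml_text: str):
    """Return (channel_title, accepted_items, rejected_items).

    Feeds fetched from sites you do not control should be parsed with a
    hardened XML parser (e.g. the defusedxml package, assumed available) to
    resist entity-expansion tricks; the standard parser is used here so the
    example runs without extra dependencies.
    """
    root = ET.fromstring(xml_text)
    channel = root.find("channel")
    if root.tag != "rss" or channel is None:
        raise ValueError("not an RSS 2.0 document")
    title = (channel.findtext("title") or "").strip()
    accepted, rejected = [], []
    for item in channel.findall("item")[:MAX_ITEMS]:
        entry = {
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "pubDate": (item.findtext("pubDate") or "").strip(),
        }
        # Text fields are kept as data; a UI must escape them before display.
        (accepted if safe_link(entry["link"]) else rejected).append(entry)
    return title, accepted, rejected


if __name__ == "__main__":
    name, ok, bad = parse_rss(SAMPLE_FEED)
    print(name)
    for e in ok:
        print("  ", e["title"], "->", e["link"])
    print("rejected:", [e["title"] for e in bad])
```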
Web 2.0 technology (con’t.)
• Semantic Technology
– Discovers relationships that exist among resources and then represents those relationships via some form of metadata.
– Uses:
• Improves relevance of search results
• Provides better ad placement in advertising
• Discovers hidden patterns of behaviour
• Assists in crime detection
• Automatically finds reference papers based on keywords
Web 2.0 technology (con’t.)
• Search Engine Optimization – The art of making your website appear as high as possible in search engine results
– Search engines use ontologies
• Ontologies let us model systems so that we can classify existing resources and add new ones in a reasonably structured and logical manner.
• It can help discover relationships in a system and make inferences that are not apparent without the ontology
• Normally created for a specific set of resources, i.e. books, movies, etc.
• Web Ontology Language (OWL) – ontology specifically designed for Internet resources
New search engines
• www.bing.com – formerly named Kumo; in 2009 Microsoft partnered with Yahoo to provide the search technology
• www.hakia.com – ontology is capable of recognizing phrases instead of the usual individual keywords, making consecutive words “combine” to determine additional context
New search engines
• yebol.com – uses patented algorithms to create a directory for queries and users, as well as “multi-dimensional” searches that provide a wider set of related search terms
Homework
Write a comparative analysis on the latest search engines (bing, hakia, yebol) by researching the following conditions:
1. Search result accuracy
2. User interface
3. Content management
Cloud computing
What is Cloud Computing?
• Cloud computing most commonly refers to the delivery of computing services over the Internet as an alternative to running hardware and software in your data center or computer room
What is Cloud Computing?
• You rent or subscribe to computing capability, rather than installing and running systems yourself
• Everything from raw computing power to full-blown business applications can be delivered in this way.
• Most organizations that adopt cloud computing are likely to do so alongside their in-house systems
What is Cloud Computing?
• Cloud computing involves pooling lots of hardware and software together and sharing it out to whoever needs it, on demand
• Service providers offer public clouds, but IT departments can use the same technology to create private clouds
Introduction
• Service providers, whether public or private, have the flexibility to change how the service is powered behind the scenes
• Can help in terms of:
– cost reduction
– access to latest technology
– ability to deal with changing requirements quickly
• Can be introduced selectively to complement traditional in-house IT systems
Introduction
• New ways of working and new architectures bring increasing levels of effectiveness to each succeeding generation of computer systems.
• Virtualization – enables higher efficiencies because more work can be packed into fewer devices
• Improvements are being made in software engineering and computer operations, all aimed at creating more flexible systems
Cloud services
• Business application services
• Hosted productivity tools
• Hosted communications and social tools
• Trading community services
• Plug-in services
• Operational services
• Application platform services
• Utility services
Business application services
• Deliver complete business functionality
• Example:
– Customer Relationship Management (CRM) Systems
– Enterprise Resource Planning (ERP)
Hosted productivity tools
• Deliver horizontal capability, ranging from desktop suites for end users, through to modeling, development and project management tools for analysts and developers
• They quite often enable multi-user collaboration
Hosted communications and social tools
• Spearheaded initially by hosted email and web conferencing, the number of services offered in this area has exploded to include full unified communications and/or social tools such as directories, blogs, wikis and social networking
Trading community services
• Facilitate the way in which customers and suppliers collaborate and transact electronically
Plug-in services
• Application elements which plug into or combine with existing applications to enhance or extend them.
• Examples:
– Mapping
– Credit card payment services
– Credit checking
Operational services
• Provide services concerned with the following:
– online backup
– archiving
– security (such as email filtering)
– full-blown monitoring and management tools
Application platform services
• Provide development and runtime environments which enable organizations to build custom applications hosted online
• Example: drupal.org
Utility services
• Provide raw compute and storage resources to run your own software and store data
Cloud services
• Cloud technology and services provide choice on how best to deliver flexible IT capability that blends internal and external resources, as well as bridging the gap between modern and traditional approaches to IT
Benefits
• Improve IT responsiveness
• Modernize and future-proof
• Keep pace with work practice evolution
• Reach out via the Web
• Manage costs and resources
• Address space and power constraints
• Reduce risk and ensure compliance
Improve IT responsiveness
• Application and plug-in services can boost IT responsiveness by short-cutting the development work and platform implementation requirements for new applications
• Can also help IT to respond quickly and efficiently to fluctuations in demand
Modernize and future-proof
• Keeping up with the pace of change in the technology industry can prove to be a competitive advantage; however, doing so depends on a company’s capability
• Service providers can afford to invest in the latest technologies, which in turn can be made available to their customers
Keep pace with work practice evolution
• Working practices are evolving in ways that lend themselves well to support from cloud services
• The concept of remote access is a natural fit with increasingly popular home- and mobile-working, which can sometimes be quicker and more cost effective than in-house
• Cloud services also become useful when activity crosses organizational boundaries, such as trading community services
Reach out via the Web
• Many organizations deploy externally-facing applications to customers, trading partners, suppliers and so on
• Infrastructure requirements (security, policy management, scalability, fluctuating demand, etc.) can be dramatically different from, and harder to handle than, those of in-house systems
• Application platform services via cloud can be used to deal with such requirements
Manage costs and resources
• Costs/benefits of cloud services depend on the service being implemented
• Careful cost projection must be taken into consideration
• Not all cloud services are a fit to an organization – what may come cheap to some, may be expensive to others
Address space and power constraints
• Organizations large and small find themselves outgrowing their computer rooms or seeing their electricity bills escalate
• Utility services can help by reducing the requirement for local equipment and by working around the problems of accommodation, power consumption, and poor server utilization
Reduce risk and ensure compliance
• A competent business service provider has security, backup, fault tolerance and recovery capabilities that are likely superior to anything that its customers can afford
• When considering risk management and compliance, utilize operational services that are designed to work together with your internal structure
Benefits
Cloud computing can provide business benefits in a number of areas:
• It can improve responsiveness
• Enable you to scale to fluctuations in demand
• Accelerate development work
• Put the power of the latest technology to work for you
• Extend your reach to customers, partners and out-of-office staff
• Reduce your TCO (total cost of ownership)
• Cut energy costs
• Be more secure
• Be environmentally friendly
Cloud Deployment Models
• Private Clouds
• External Clouds
• Public Cloud
• Community Cloud
• Hybrid
Private Clouds
• Adopting a cloud computing approach internally
• Typically considered by businesses with a large scale IT infrastructure that want to make better use of their hardware and software assets
• Usually dedicated to an organization – may be managed by the organization or a third party and may exist on premise or off premise
• Organizations deploying private clouds often do so utilizing virtualization technology within their own data centers
Public Cloud
• Require no up-front infrastructure investment
• Can scale readily to fluctuations in demand and can serve users on the move or in other organizations
External Clouds
• Exists externally to its end user and is generally available with little restriction as to who may pay to use it
• Most common are those accessed via the Internet
• Made available to the general public or a large industry group and is owned by an organization selling cloud services
External Clouds
• Community Clouds
– Shared by several organizations and supports a specific community that has shared concerns – may be managed by the organization or a third party and may exist on premise or off premise
– Allow multiple independent entities to gain the cost benefits of a shared non-public cloud while avoiding security and regulatory concerns that might be associated with a generic public cloud
– Example: Different government agencies that transact business with each other can have their processing collocated in a single facility
Hybrid
• Infrastructure is a composition of two or more clouds that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability
• Developing a private cloud and/or looking for external services in addition to the in-house services
• Organizations weigh up practical, regulatory and risk related considerations when choosing how to take advantage of cloud computing alongside their existing IT systems
Cloud Service Models
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
IaaS is the foundation of all cloud services, with PaaS building upon IaaS and SaaS, in turn, building upon PaaS
Cloud Service Models
• Infrastructure as a Service (IaaS)
– The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software which can include operating systems and applications.
– Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications and possibly limited control of select networking components
Infrastructure as a Service (IaaS)
• Includes Hardware as a Service and Storage as a Service
• A cloud based substitute for major elements of your IT infrastructure
• Often referred to as Utility services
• Useful when:
– Short of space
– Lower capital/operational cost
– No maintenance required
– Demands fluctuate
Cloud Service Models
• Platform as a Service (PaaS)
– The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider.
– Consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations
Platform as a Service (PaaS)
• Often referred to as Application platform services
• Enables you to grab resources on-demand to prototype, test, pilot, and so on
• For deploying externally-facing applications on the web which require massive scalability and the ability to deal with highly fluctuating demand
Cloud Service Models
• Software as a Service (SaaS)
– The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure
– The applications are accessible from various client devices through a thin client interface such as a Web browser
– The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings
Software as a Service (SaaS)
• Offers a range of application services:
– Business application services such as CRM and ERP
– Hosted productivity tools including desktop suites, modeling and project management
– Hosted communications such as email, web conferencing and social tools
– Trading community services, such as customer and supplier collaboration and transactions
– Plug in services such as mapping, credit card payments and credit checking
– Operational services like backup, archiving and email filtering
Future trends
Trend No. 1: Consumerization — You Ain’t Seen Nothing Yet
The consumerization of IT has, for the better part of a decade, had an impact across various aspects of the corporate IT world. However, much of this has simply been a precursor to the major wave that is starting to take hold across all aspects of information technology as several key factors come together:
• Users are more technologically-savvy and have very different expectations of technology.
• The internet and social media have empowered and emboldened users.
• The rise of powerful, affordable mobile devices changes the equation for users.
• Users have become innovators.
• Through the democratization of technology, users of all types and status within organizations can now have similar technology available to them.
Trend No. 2: Virtualization — Changing How the Game Is Played
• Virtualization has improved flexibility and increased the options for how IT organizations can implement client environments.
Trend No. 3: “App-ification” — From Applications to Apps
• When the way that applications are designed, delivered and consumed by users changes, it has a dramatic impact on all other aspects of the market
Trend No. 4: The Ever-Available Self-Service Cloud
• The advent of the cloud for servicing individual users opens a whole new level of opportunity.
• Every user can now have a scalable and nearly infinite set of resources available for whatever they need to do
Trend No. 5: The Mobility Shift — Wherever and Whenever You Want
• Today, mobile devices combined with the cloud can fulfill most computing tasks, and any tradeoffs are outweighed in the minds of the user by the convenience and flexibility provided by the mobile devices
Personal Cloud
• A small server in a home or small business network that can be accessed over the Internet.
• Designed for sharing photos and videos, personal clouds enable viewing and streaming from any Internet-connected personal computer and quite often from major smartphones.
• Although personal clouds function in a similar manner to any private cloud set up in a company, their primary feature is easy installation for the average personal computer user.
Personal cloud
• In this new world, the specifics of devices will become less important for the organization to worry about.
• Users will use a collection of devices, with the PC remaining one of many options, but no one device will be the primary hub – making way for the personal cloud
• Access to the cloud and the content stored or shared in the cloud will be managed and secured, rather than solely focusing on the device itself.
Semantic Technology
• In software, semantic technology encodes meanings separately from data and content files, and separately from application code.
• This enables machines as well as people to understand, share and reason with them at execution time. With semantic technologies, adding, changing and implementing new relationships or interconnecting programs in a different way can be just as simple as changing the external model that these programs share.
Semantic Technology
• Semantic technologies are “meaning-centered.” They include tools for:
– autorecognition of topics and concepts,
– information and meaning extraction, and
– categorization.
• Given a question, semantic technologies can directly search topics, concepts, associations that span a vast number of sources.
Semantic technology
• Semantic technologies provide an abstraction layer above existing IT technologies that enables bridging and interconnection of data, content, and processes.
• From the portal perspective, semantic technologies can be thought of as a new level of depth that provides far more intelligent, capable, relevant, and responsive interaction than with information technologies alone.
Semantic Web
• The Semantic Web provides a common framework that allows data to be shared and reused across application, enterprise, and community boundaries
• Semantic Web aims at converting the current web dominated by unstructured and semi-structured documents into a "web of data"
• The main purpose of the Semantic Web is driving the evolution of the current Web by enabling users to find, share, and combine information more easily.
• The Semantic Web is regarded as an integrator across different content, information applications and systems. It has applications in publishing, blogging, and many other areas.
Web 3.0
Content is created by the Web itself – an emergent consciousness from within the Web, capable of creating new content and applications
Allows discovery of documents by topic-centric browsing rather than by searching, enabling real-time information dissemination in many contexts using many different applications
Web 3.0
Focus:
• Products and services will leverage semantic technology
• Social networks will adopt semantic technology
• Mobile computing
• Commoditization of search technology and private search engines
• Cloud computing
• Comet/HTML5
• Offline computing
• Client-side database
Managing Information Resources, Security and Ethics
Chapter 8a
Learning Objectives
• Recognize the difficulties in managing information resources.
• Understand the role of the IS department and its relationships with end users.
• Discuss the role of the chief information officer.
• Recognize information systems’ vulnerability, attack methods, and the possible damage from malfunctions.
• Describe the major methods of defending information systems.
• Describe the security issues of the Web and electronic commerce.
• Describe business continuity and disaster recovery planning.
• Understand the economics of security and risk management.
• Understand the IT code of Ethics
The IS Department
• The reporting relationship of the ISD is important in that it reflects the focus of the department. If the ISD reports to the accounting or finance areas, there is often a tendency to emphasize accounting or finance applications at the expense of those in the marketing, production, and logistics areas.
• The name of the ISD is also important:
– Data Processing (DP) Department
– Management Information Systems (MIS) Department
– Information Systems Department (ISD)
• Another important characteristic is the status of the ISD
IT resources are very diversified; they include personnel assets, technology assets, and IT relationship assets. The management of information resources is divided between the information services department (ISD) and the end users. The division of responsibility depends on many factors.
The End-User Relationship
• To improve collaboration, the ISD and end users may employ three common arrangements:
– the steering committee
– service-level agreements
– the information center.
Since the ISD is a service organization that manages the IT infrastructure needed to carry on end-user IT applications, it is extremely important to have a good relationship with the end users. The development of end-user computing and outsourcing was motivated in part by the poor service that end users felt they received. However, this is not an easy task, since the ISD is basically a technical organization that may not understand the business and the users, while the users may not understand information technologies.
The End-User Relationship - continued
ISD and Four approaches
1. Let them sink or swim. Don’t do anything; let the end user beware.
2. Use the stick. Establish policies and procedures to control end-user computing so that corporate risks are minimized, and try to enforce them.
3. Use the carrot. Create incentives to encourage certain end-user practices that reduce organizational risks.
4. Offer support. Develop services to aid end users in their computing activity
The CIO (Chief Information Officer)
• The changing role of the ISD highlights the fact that the CIO is becoming an important member of the firm's top management team.
– Realization of the need for IT-related disaster planning and the importance of IT to the firm’s activities.
– Aligning IT with the business strategy
– Implementing state-of-the-art solutions
– Providing information access
– Being a business visionary who drives business strategy
– Coordinating resources
Managing the ISD is similar to managing any other organizational unit. The unique aspect of the ISD is that it operates as a service department in a rapidly changing environment, thus making the department’s projections and planning difficult.
The Transition Environment
IS Vulnerability
Information resources (physical resources, data, software, procedures, and other information resources) are scattered throughout the firm. Information is transmitted to and from the firm’s components. Therefore vulnerabilities exist at many points and at any time.
IS Vulnerability
IT Security Terms
System Vulnerability
A universal vulnerability is a state in a computing system which either: allows an attacker to execute commands as another user; allows an attacker to access data that is contrary to the access restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to conduct a denial of service.
An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either: allows an attacker to conduct information gathering activities; allows an attacker to hide activities; includes a capability that behaves as expected, but can be easily compromised; is a primary point of entry that an attacker may attempt to use to gain access to the system or data; and is considered a problem according to some reasonable security policy.
System Vulnerability Continued
• These threats can be classified as:
– Unintentional
• Human errors
• Environmental hazards
• Computer system failures
– Intentional
• Theft of data
• Inappropriate use of data
• Theft of mainframe computer time
• Theft of equipment and/or programs
The vulnerability of information systems is increasing as we move to a world of networked and especially wireless computing. Theoretically, there are hundreds of points in a corporate information system that can be subject to some threats.
System Vulnerability Continued
– Intentional continued
• Deliberate manipulation in handling
• Entering data
• Processing data
• Transferring data
• Programming data
• Labor strikes
• Riots
• Sabotage
• Malicious damage to computer resources
• Destruction from viruses and similar attacks
• Miscellaneous computer abuses
• Internet fraud.
• Terrorists’ attack
Programming Attack
Protecting Information Resources
Corporate Security Plan
Information security problems are increasing rapidly, causing damage to many organizations. Protection is expensive and complex. Therefore, companies must not only use controls to prevent and detect security problems, they must do so in an organized manner. An approach similar to TQM (total quality management) would have the following characteristics:
• Aligned. The program must be aligned with organizational goals.
• Enterprise wide. Everyone in the organization must be included.
• Continuous. The program must be operational all the time.
• Proactive. Use innovative, preventive, and protective measures.
• Validated. The program must be tested to ensure it works.
• Formal. It must include authority, responsibility & accountability.
Difficulties
Defense Strategy
Knowing about potential threats to IS is necessary, but understanding ways to defend against these threats is equally critical. Because of its importance to the entire enterprise, organizing an appropriate defense system is one of the major activities of the CIO. It is accomplished by inserting controls (defense mechanisms) and developing awareness.
• The major objectives of a defense strategy are:
1. Prevention and deterrence
2. Detection
3. Limitation of damage
4. Recovery
5. Correction
6. Awareness and compliance
Defense Strategy
Any defense strategy involves the use of several controls. These controls are divided into two categories: general controls, which protect the system regardless of the specific application, and application controls, which safeguard specific applications.
(Figure: general controls vs. application controls)
Defense Strategy – Biometric
Defense Strategy – Internet Security
Security Layers
The major objective of border security is access control. Next comes authentication, the proof of identity, and finally authorization, which determines the actions or activities a user is allowed to perform.
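The three layers in that order, as an added Python example that is not part of the lecture: a request passes border access control (source network), then authentication (salted password hash compared in constant time), then authorization (role-to-action table), and is rejected at the first layer that fails. The network range, users, passwords and permissions are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

# Constructed sample data for this example: the trusted network, two user
# records and a role-to-action table. None of this comes from the lecture.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
PBKDF2_ROUNDS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash; this is what gets stored, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt), "role": role}


USERS = {
    "alice": make_user("correct horse", "auditor"),  # constructed password
    "bob": make_user("hunter2", "operator"),          # constructed password
}
PERMISSIONS = {
    "auditor": {"read_log"},
    "operator": {"read_log", "restart_service"},
}
# Dummy record used for unknown usernames so a failed login costs the same
# time whether or not the username exists (no username enumeration by timing).
_DUMMY = make_user("", "none")


@dataclass
class Request:
    source_ip: str
    username: str
    password: str
    action: str


def border_control(req: Request) -> bool:
    """Layer 1, access control: does the request come from an allowed network?"""
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def authenticate(req: Request) -> bool:
    """Layer 2, proof of identity: constant-time comparison against the stored hash."""
    record = USERS.get(req.username, _DUMMY)
    matched = hmac.compare_digest(derive(req.password, record["salt"]), record["hash"])
    return matched and req.username in USERS


def authorize(req: Request) -> bool:
    """Layer 3, authorization: may this user's role perform the requested action?"""
    role = USERS[req.username]["role"]
    return req.action in PERMISSIONS.get(role, set())


def check_request(req: Request) -> tuple:
    """Run the layers in order and fail closed at the first one that rejects.

    Returns (allowed, stage): stage names the layer that made the decision.
    """
    if not border_control(req):
        return False, "border"
    if not authenticate(req):
        return False, "authentication"
    if not authorize(req):
        return False, "authorization"
    return True, "granted"


if __name__ == "__main__":
    for r in (
        Request("192.168.1.5", "alice", "correct horse", "read_log"),
        Request("10.1.2.3", "alice", "correct horse", "restart_service"),
        Request("10.1.2.3", "bob", "hunter2", "restart_service"),
    ):
        print(r.source_ip, r.username, r.action, "->", check_request(r))
```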
Business Continuity
An important element in any security system is the business continuity plan, also known as the disaster recovery plan. Such a plan outlines the process by which businesses should recover from a major disaster.
• The purpose of a business continuity plan is to keep the business running after a disaster occurs.
• Recovery planning is part of asset protection.
• Planning should focus on recovery from a total loss of all capabilities.
• Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.
• All critical applications must be identified and their recovery procedures addressed.
• The plan should be written so that it will be effective in case of disaster.
Business Continuity continued
• The plan should be kept in a safe place; copies should be given to all key managers, or it should be available on the intranet; and the plan should be audited periodically.
• One of the most logical ways to deal with loss of data is to back it up. A business continuity plan should include backup arrangements where copies of important files are kept offsite, so that the same disaster cannot destroy both the originals and the backups.
Auditing
Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task.
• There are two types of auditors:
– An internal auditor is usually a corporate employee who is not a member of the ISD.
– An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit.
• There are two types of audits:
– The operational audit determines whether the ISD is working properly.
– The compliance audit determines whether controls have been implemented properly and are adequate.
Risk Management
It is usually not economical to prepare protection against every possible threat. Therefore, an IT security program must provide a process for assessing threats and deciding which ones to prepare for and which ones to ignore.
IT Security Trends
• Increasing the reliability of systems
• Self-healing computers
• Intelligent systems for early intrusion detection
• Intelligent systems in auditing and fraud detection
• Artificial intelligence in biometrics
• Expert systems for diagnosis, prognosis, and disaster planning
• Smart cards
MANAGERIAL ISSUES
• To whom should the IS department report? This issue is related to the degree of IS decentralization and to the role of the CIO. Having the IS department report to a functional area may bias IT priorities toward that functional area, which may not be justifiable. Having the IS department report to the CEO is very desirable.
• Who needs a CIO? This is a critical question that is related to the role of the CIO as a senior executive in the organization. Giving a title without authority can damage the ISD and its operation. Asking the IS director to assume a CIO’s responsibilities, but not giving the authority and title, can be just as damaging. Any organization that is heavily dependent on IT should have a CIO.
• End users are friends, not enemies, of the IS department. The relationship between end users and the ISD can be very delicate. In the past, many ISDs were known to be insensitive to end-user needs. This created a strong desire for end-user independence, which can be both expensive and ineffective. Successful companies develop a climate of cooperation and friendship between the two parties.
• Ethical issues. The reporting relationship of the ISD can result in some unethical behavior. For example, if the ISD reports to the finance department, the finance department will have access to information about individuals or other departments that could be misused.
MANAGERIAL ISSUES Continued
• Responsibilities for security should be assigned in all areas. The more organizations use the Internet, extranets, and intranets, the greater are the security issues. It is important to make sure that employees know who is responsible and accountable for what information and that they understand the need for security control. The vast majority of information resources is in the hands of end users. Therefore, functional managers must understand and practice IT security management and other proper asset management tasks.
• Security awareness programs are important for any organization, especially if it is heavily dependent on IT. Such programs should be corporate-wide and supported by senior executives. In addition, monitoring security measures and ensuring compliance with administrative controls are essential to the success of any security plan. For many people, following administrative controls means additional work, which they prefer not to do.
• Auditing information systems should be institutionalized into the organizational culture. Organizations should audit IS because it can save considerable amounts of money. Conversely, over-auditing is not cost-effective.
MANAGERIAL ISSUES Continued
• Multinational corporations. Organizing the ISD in a multinational corporation is a complex issue. Some organizations prefer complete decentralization, having an ISD in each country or even several ISDs in one country. Others keep a minimum of centralized staff. Some companies prefer a highly centralized structure. Legal issues, government constraints, and the size of the IS staff are some factors that determine the degree of decentralization.
• Sarbanes-Oxley. The Sarbanes-Oxley Act, according to the CSI/FBI survey (Gordon et al., 2004) is having a major impact on IT, especially in the financial, utility, and telecommunications sectors (see Minicase 2).
What is Ethics?
• Ethics
– Set of beliefs about right and wrong behavior
• Ethical behavior
– Conforms to generally accepted social norms
• Doing what is ethical can be difficult
Improving Corporate Ethics
• Unethical behavior has led to serious negative consequences that have had a global impact
– Failure of major corporations like Enron and WorldCom due to accounting scandals
– Collapse of many financial institutions due to unwise and unethical decision making
• Organizations today recognize the need to take action to ensure that their employees operate in an ethical manner when using technology
Appointing a Corporate Ethics Officer
• Corporate ethics
– Includes ethical conduct, legal compliance, and corporate social responsibility
• Corporate ethics officer
– Senior-level manager
– Provides vision and direction in the area of business conduct
• Corporation will place a higher emphasis on ethics policies following a major scandal within the organization
Ethical Standards Set by Board of Directors
• Board of directors
– Responsible for supervising the management team
– Expected to conduct themselves according to the highest standards of personal and professional integrity
– Set the standard for company-wide ethical conduct and ensure compliance with laws and regulations
Establishing a Corporate Code of Ethics
• Code of ethics
– Highlights an organization’s key ethical issues
– Identifies the overarching values and principles that are important to the organization
• Formal, written statements about:
– Purpose of the organization
– Values
– Principles that guide its employees’ actions
• Developed with employee participation
• Fully endorsed by the organization’s leadership
Establishing a Corporate Code of Ethics (continued)
Requiring Employees to Take Ethics Training
• The company’s code of ethics must be promoted and continually communicated within the organization, from top to bottom
• Comprehensive ethics education program, often in small workshop formats
• The existence of formal training programs can reduce a company’s liability in the event of legal action
Including Ethical Criteria in Employee Appraisals
• Employees evaluated on their demonstration of qualities and characteristics highlighted in the corporate code of ethics
– Considered along with more traditional criteria used in performance appraisals
IT Code of Conduct
RFC 1087
In January 1989, the Internet Architecture Board (IAB), in RFC 1087, defined an activity as unethical and unacceptable if it:
1. Seeks to gain unauthorized access to the resources of the Internet.
2. Disrupts the intended use of the Internet.
3. Wastes resources (people, capacity, computer) through such actions.
4. Destroys the integrity of computer-based information, or
5. Compromises the privacy of users. (RFC 1087, 1989)
The Code of Fair Information Practices
The Code of Fair Information Practices is based on five principles outlining the requirements for record-keeping systems. These principles were issued in 1973 by the U.S. Department of Health, Education, and Welfare.
1. There must be no personal data record-keeping systems whose very existence is secret.
2. There must be a way for a person to find out what information about the person is in a record and how it is used.
3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person’s consent.
4. There must be a way for a person to correct or amend a record of identifiable information about the person.
5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.
(Harris, 2003)
(ISC)2 Code of Ethics
(ISC)2, an organization committed to the certification of computer security professionals, has further defined its own Code of Ethics, summarized as:
1. Act honestly, justly, responsibly, and legally, and protect the commonwealth.
2. Work diligently, provide competent services, and advance the security profession.
3. Encourage the growth of research; teach, mentor, and value the certification.
4. Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures.
5. Observe and abide by all contracts, expressed or implied, and give prudent advice.
6. Avoid any conflict of interest, respect the trust that others put in you, and take on only those jobs you are qualified to perform.
7. Stay current on skills, and do not become involved with activities that could injure the reputation of other security professionals. (Harris, 2003)
Computer Security Risks
Chapter 8b
Computer Security Risks
What is a computer security risk?
• Any event or action that causes loss of, or damage to, a computer system
Computer Viruses, Worms, and Trojan Horses
What are viruses, worms, and Trojan horses?
• Virus: a potentially damaging computer program that can spread and damage files
• Worm: copies itself repeatedly, using up resources and possibly shutting down the computer or network
• Trojan horse: hides within, or looks like, a legitimate program until triggered; unlike a virus or worm, it does not replicate itself onto other computers
• Payload: the destructive event a virus delivers when you open an infected file, run an infected program, or boot the computer with an infected disk in the disk drive
Computer Viruses, Worms, and Trojan Horses
How can a virus spread through an e-mail message?
Step 1. Unscrupulous programmers create a virus program. They hide the virus in a Word document and attach the Word document to an e-mail message.
Step 2. They use the Internet to send the e-mail message to thousands of users around the world.
Step 3a. Some users open the attachment and their computers become infected with the virus.
Step 3b. Other users do not recognize the name of the sender of the e-mail message. These users do not open the e-mail message; instead they delete it. These users’ computers are not infected with the virus.
Computer Viruses, Worms, and Trojan Horses
How can you protect your system from a macro virus?
• Macros are instructions saved in an application, such as a word processing or spreadsheet program
• Set the macro security level in applications that allow you to write macros
• At the medium security level, a warning displays that the document contains a macro
• The safest setting disables unsigned macros entirely; a warning prompt only helps if the user declines it
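Because the warning above only helps if the user declines it, mail gateways and analysts check attachments before they are opened. The following is an added example, not code from the original slides: it inspects an Office Open XML attachment (.docm, .xlsm, .pptm) for an embedded VBA project and for the names of procedures Office runs automatically. The sample documents it builds are constructed in memory, the vbaProject.bin contents are fake, and the name search is a heuristic indicator rather than a VBA parser.

```python
import io
import re
import zipfile

# Content type that marks a macro-enabled OOXML document (.docm, .xlsm, .pptm).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Procedure names Office runs automatically when a document or workbook opens or closes.
AUTO_EXEC_NAMES = ("AutoOpen", "Document_Open", "AutoExec", "Auto_Open",
                   "Workbook_Open", "AutoClose", "Document_Close")


def inspect_office_file(data: bytes) -> dict:
    """Report whether an OOXML file carries a VBA project and whether any
    auto-executing procedure name appears inside it."""
    result = {"is_ooxml": False, "has_vba": False, "vba_parts": [], "auto_exec": []}
    if not data.startswith(b"PK\x03\x04"):
        return result  # legacy OLE2 .doc/.xls, or not an Office file at all
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result
            result["is_ooxml"] = True
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            result["vba_parts"] = vba_parts
            result["has_vba"] = bool(vba_parts) or VBA_CONTENT_TYPE in content_types
            for part in vba_parts:
                blob = zf.read(part)
                # Heuristic only: VBA source inside vbaProject.bin is compressed, but
                # procedure names usually survive as plain ASCII. A real parser
                # (e.g. oletools' olevba) is the proper tool; this flags files that
                # deserve a closer look.
                for name in AUTO_EXEC_NAMES:
                    if re.search(re.escape(name).encode(), blob, re.IGNORECASE):
                        result["auto_exec"].append(name)
    except zipfile.BadZipFile:
        pass
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample for this example: a minimal OOXML package, optionally
    carrying a fake vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0 fake project: Sub AutoOpen() Shell(...) End Sub")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(inspect_office_file(build_sample(flag)))
```

A hit on `has_vba` is not proof of malice (plenty of finance spreadsheets carry macros), but a VBA project with an `AutoOpen`-style entry point arriving from an unknown sender is exactly the attachment the slide's warning dialog exists for.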
Computer Viruses, Worms, and Trojan Horses
What is an antivirus program?
• Identifies and removes computer viruses
• Most also protect against worms and Trojan horses
Computer Viruses, Worms, and Trojan Horses
What is a virus signature?
• Specific pattern of virus code, also called a virus definition
• Antivirus programs look for virus signatures in files
• Quarantine: a separate area of the hard disk where the antivirus program keeps an infected file it cannot clean, so that it cannot run
Computer Viruses, Worms, and Trojan Horses
How does an antivirus program inoculate a program file?
• Records information about the program, such as file size and creation date
• Uses that information to detect whether a virus has tampered with the file
• Attempts to remove any detected virus
• Quarantines infected files that it cannot remove
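The three mechanisms on the last two slides (signature scanning, inoculation, and quarantine) fit together in a few dozen lines. The block below is an added example written for this page, not code from the original slides or from any antivirus product. The signatures and the "infected" file are constructed for the demonstration, and a SHA-256 digest is recorded alongside the size and date the slide mentions, because a virus can preserve both of those while changing the file's contents.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed signatures standing in for real virus definitions: a name mapped
# to a byte pattern that only the malicious file contains.
SIGNATURES = {
    "Demo.Overwriter": b"\x90\x90\xeb\xfe:OVERWRITE-DEMO",
    "Demo.Dropper": b"DROP-DEMO-PAYLOAD:",
}


def scan_file(path: Path):
    """Signature scan: return the first matching signature name, or None."""
    data = path.read_bytes()
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def inoculate(path: Path) -> dict:
    """Record the attributes a later check compares against. Size and dates are
    what the slide describes; the SHA-256 digest is added because a virus can
    keep both unchanged while rewriting the contents."""
    st = path.stat()
    return {"size": st.st_size, "mtime": st.st_mtime,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}


def is_tampered(path: Path, record: dict) -> bool:
    """True if the file no longer matches its inoculation record."""
    current = inoculate(path)
    return current["size"] != record["size"] or current["sha256"] != record["sha256"]


def quarantine(path: Path, quarantine_dir: Path) -> Path:
    """Move an infected file out of reach (rather than deleting it) and keep a
    sidecar note of where it came from, so an analyst can examine or restore it."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    dest = quarantine_dir / (path.name + ".quarantined")
    shutil.move(str(path), str(dest))
    (quarantine_dir / (path.name + ".json")).write_text(json.dumps({"original": str(path)}))
    return dest


def demo() -> dict:
    """Run the whole cycle on constructed files in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    clean = root / "report.txt"
    clean.write_bytes(b"quarterly numbers, nothing to see")
    infected = root / "setup.exe"
    infected.write_bytes(b"MZ" + SIGNATURES["Demo.Overwriter"] + b"\x00" * 64)

    baseline = {clean.name: inoculate(clean)}            # inoculate at install time
    first_scan = {p.name: scan_file(p) for p in (clean, infected)}
    quarantined = quarantine(infected, root / "quarantine")

    clean.write_bytes(clean.read_bytes() + b"\x90\x90")  # a virus appends code later
    return {
        "first_scan": first_scan,
        "quarantined_exists": quarantined.exists(),
        "original_gone": not infected.exists(),
        "tampered": is_tampered(clean, baseline[clean.name]),
    }


if __name__ == "__main__":
    print(demo())
```

The appended bytes in `demo()` carry no signature, so the scan alone would miss the second infection; the inoculation record is what catches it. That is the complementary role the slide describes: signatures find what is already known, integrity records find that something changed.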
Computer Viruses, Worms, and Trojan Horses
What are some tips for preventing virus, worm, and Trojan horse infections?
• Install an antivirus program on all of your computers
• Install a personal firewall program
• Never open an e-mail attachment unless you are expecting it and it is from a trusted source
• If the antivirus program flags an e-mail attachment as infected, delete the attachment immediately
• Set the macro security in programs so you can enable or disable macros
• Check all downloaded programs for viruses, worms, or Trojan horses
Computer Viruses, Worms, and Trojan Horses
What is a denial of service attack and a back door?
• A denial of service attack is an assault that disrupts computer access to an Internet service such as the Web or e-mail
• A back door is a program, or a set of instructions in a program, that allows users to bypass security controls when accessing a computer resource
Computer Viruses, Worms, and Trojan Horses
What is spoofing?
• A technique that makes a network or Internet transmission appear legitimate
• IP spoofing occurs when an intruder’s computer fools a network into believing that its IP address is that of a trusted source
• Perpetrators of spoofing often trick their victims into interacting with a phony Web site
Computer Viruses, Worms, and Trojan Horses
What is a firewall?
• Security system consisting of hardware and/or software that prevents unauthorized intrusion
Computer Viruses, Worms, and Trojan Horses
What is a personal firewall utility?
• Program that protects a personal computer and its data from unauthorized intrusions
• Monitors transmissions to and from the computer
• Informs you of attempted intrusions
Unauthorized Access and Use
How can companies protect against hackers?
• Intrusion detection software analyzes network traffic, assesses system vulnerabilities, and identifies intrusions and suspicious behavior
• Access control defines who can access a computer and what actions they can take
• Audit trail records access attempts, both successful and failed
Unauthorized Access and Use
What are other ways to protect your personal computer?
• Disable file and printer sharing on your Internet connection
Figure: file and printer sharing turned off in the connection properties
Unauthorized Access and Use
What is a user name?
• Unique combination of characters that identifies a user
• A password is a private combination of characters, associated with the user name, that allows access to computer resources
Unauthorized Access and Use
How can you make your password more secure?
• Longer passwords provide greater security: each added character multiplies the number of guesses an attacker must try
• Do not reuse a password across systems, and never share it
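Two things follow from the slide above that are worth seeing in code: length beats character-set tricks, and the system holding the password must never store it in a readable form. The block below is an added example, not from the original slides. It computes the brute-force search space for a few policies and shows how a server enrolls and verifies a password with a salted, iterated PBKDF2-HMAC-SHA256 hash from the Python standard library. The user name, passwords, and the 600,000-iteration work factor are assumptions for the demonstration (the count follows current OWASP guidance for PBKDF2-SHA256).

```python
import hashlib
import hmac
import math
import os

MIN_LENGTH = 12            # policy assumed for this example
ITERATIONS = 600_000       # PBKDF2-HMAC-SHA256 work factor (OWASP guidance, 2023)


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of brute-force effort for a random password: log2(alphabet ** length).
    A 16-character lowercase password beats an 8-character one drawn from all
    95 printable ASCII characters, which is why length is the first lever."""
    return length * math.log2(alphabet_size)


def is_acceptable(password: str) -> bool:
    return len(password) >= MIN_LENGTH


def enroll(username: str, password: str) -> dict:
    """Store a per-user random salt and the stretched hash; never the password."""
    if not is_acceptable(password):
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"user": username, "salt": salt.hex(), "iterations": ITERATIONS,
            "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so response
    timing does not leak how many leading bytes of the hash matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def policy_comparison() -> dict:
    """Search space in bits for a few illustrative policies."""
    return {
        "8 chars, 95-symbol alphabet": round(search_space_bits(8, 95), 1),
        "12 chars, 62-symbol alphabet": round(search_space_bits(12, 62), 1),
        "16 chars, lowercase only": round(search_space_bits(16, 26), 1),
        "4-word passphrase, 7776-word list": round(search_space_bits(4, 7776), 1),
    }


if __name__ == "__main__":
    print(policy_comparison())
    rec = enroll("alice", "correct horse battery staple")   # constructed credential
    print(verify(rec, "correct horse battery staple"), verify(rec, "Tr0ub4dor&3"))
```

Storing the iteration count in the record is deliberate: when the work factor is raised later, old records remain verifiable and can be re-hashed at the user's next successful login.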
Unauthorized Access and Use
What is a possessed object?
• Item that you must carry to gain access to a computer or facility
• Often used with a numeric password called a personal identification number (PIN)
Unauthorized Access and Use
What is a biometric device?
• Authenticates a person’s identity using a personal characteristic
• Fingerprint, hand geometry, voice, signature, and iris
Hardware Theft and Vandalism
What are hardware theft and hardware vandalism?
• Hardware theft is the act of stealing computer equipment
– Cables are sometimes used to lock equipment in place
– Some notebook computers use passwords, possessed objects, and biometrics as security methods
– For PDAs, you can password-protect the device
• Hardware vandalism is the act of defacing or destroying computer equipment
Software Theft
What is software theft?
• Act of stealing or illegally copying software, or intentionally erasing programs
• Software piracy is the illegal duplication of copyrighted software
Software Theft
What is a license agreement?
• Right to use software
• A single-user license agreement allows the user to install the software on one computer, make a backup copy, and sell the software after removing it from the computer
Software Theft
What are some other safeguards against software theft?
• Product activation allows the user to input a product identification number online or by phone and receive a unique installation identification number
• The Business Software Alliance (BSA) promotes better understanding of software piracy problems
Information Theft
What is encryption?
• Safeguards against information theft
• Process of converting plaintext (readable data) into ciphertext (unreadable characters)
• The conversion is driven by an encryption algorithm (formula) together with a secret key; practical algorithms combine more than one method, such as substitution and transposition
• To read the data, the recipient must decrypt, or decipher, it with the matching key
• A secure site is a Web site that uses encryption to secure data
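To make the plaintext-to-ciphertext step concrete, here is an added example that is not from the original slides. It builds a small authenticated stream cipher from the Python standard library: the keystream comes from HMAC-SHA256 run in counter mode (a pseudorandom function standing in for a block cipher such as AES, which the standard library does not ship), and a second HMAC over the nonce and ciphertext lets the recipient reject a tampered message before decrypting it. The master key and message are constructed for the demonstration; in production use a vetted library primitive such as AES-GCM or ChaCha20-Poly1305 rather than this construction.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32   # SHA-256 output is 32 bytes


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(enc_key, nonce || i). A fresh nonce per
    message guarantees the keystream is never reused."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only an authentic message is ever decrypted."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def decrypt_or_none(master: bytes, blob: bytes):
    """Convenience wrapper: None instead of an exception on failure."""
    try:
        return decrypt(master, blob)
    except ValueError:
        return None


if __name__ == "__main__":
    key = os.urandom(32)                                  # constructed master key
    blob = encrypt(key, b"wire 25,000 to account 4711")   # constructed message
    print(blob.hex())
    print(decrypt(key, blob))
```

Two points the slide's one-liner hides: the key must be as unpredictable as the data it protects (hence `os.urandom`), and encryption without an integrity check lets an attacker flip bits in the ciphertext and thereby flip the same bits in the recovered plaintext, which the tag check prevents.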
Internet Security Risks
How do Web browsers provide secure data transmission?
• Many Web browsers use encryption
• A digital certificate is a notice, signed by a certificate authority, that binds a Web site’s identity to its public key; the browser checks the signature and the site name before trusting it
Internet Security Risks
What is a certificate authority (CA)?
• Authorized person or company that issues and verifies digital certificates
• Users and Web site operators apply for a digital certificate from a CA
Internet Security Risks
What is Secure Sockets Layer (SSL)?
• Provides encryption of all data that passes between a client and an Internet server
• Web addresses beginning with “https” indicate secure connections
• SSL itself is obsolete and has been replaced by Transport Layer Security (TLS); the “https” scheme and the certificate model are unchanged
System Failure
What is a system failure?
• Prolonged malfunction of a computer
• Caused by aging hardware, natural disasters, or electrical power disturbances
• Can cause loss of hardware, software, or data
• Electrical power disturbances:
– Noise: unwanted electrical signal
– Undervoltage: drop in the electrical supply
– Overvoltage or power surge: significant increase in electrical power
System Failure
What is a surge protector?
• Protects the computer and equipment from electrical power disturbances
• An uninterruptible power supply (UPS) is a surge protector that also provides power during a power loss
Backing Up — The Ultimate Safeguard
What is a backup?
• Duplicate of a file, program, or disk
– Full backup: all files in the computer
– Selective backup: you select which files to back up
– Three-generation backup: preserves three copies of important files
• In case of system failure or corrupted files, restore the files by copying them to their original location
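The following added example (not from the original slides) implements the three backup styles above and the restore step, and also the offsite-copy arrangement from the Business Continuity section earlier on this page. It runs four nightly backups of a constructed data directory, keeps only three generations, sends a selective copy to a second location standing in for offsite storage, then corrupts the live file and restores it from the newest generation. Paths, file names, and contents are constructed for the demonstration.

```python
import shutil
import tempfile
from pathlib import Path


def generations(dest_root: Path):
    """Backup generations, oldest first (labels are zero-padded so they sort)."""
    return sorted(p for p in dest_root.iterdir() if p.is_dir())


def prune(dest_root: Path, keep: int) -> None:
    """Three-generation rotation: drop everything but the newest `keep` copies."""
    for old in generations(dest_root)[:-keep]:
        shutil.rmtree(old)


def run_backup(source: Path, dest_root: Path, label: str, keep: int = 3, select=None) -> Path:
    """Full backup of `source` into dest_root/label, or a selective backup of the
    files for which `select(path)` is true; then rotate old generations out."""
    dest = dest_root / label
    if select is None:
        shutil.copytree(source, dest)
    else:
        for f in source.rglob("*"):
            if f.is_file() and select(f):
                target = dest / f.relative_to(source)
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(f, target)
    prune(dest_root, keep)
    return dest


def restore(dest_root: Path, target: Path, label: str = None) -> Path:
    """Copy a generation (newest by default) back to its original location."""
    src = dest_root / label if label else generations(dest_root)[-1]
    shutil.copytree(src, target, dirs_exist_ok=True)
    return src


def demo() -> dict:
    work = Path(tempfile.mkdtemp())
    data, onsite, offsite = work / "data", work / "onsite", work / "offsite"
    for d in (data, onsite, offsite):
        d.mkdir()
    (data / "scratch.tmp").write_text("rebuildable cache")     # not worth shipping offsite
    for day in range(1, 5):                                    # four nightly runs
        (data / "ledger.csv").write_text(f"day{day}")
        label = f"gen-{day:02d}"
        run_backup(data, onsite, label)                                          # full, onsite
        run_backup(data, offsite, label, select=lambda f: f.suffix == ".csv")    # selective, offsite
    (data / "ledger.csv").write_text("CORRUPTED")              # simulate a failure
    restored_from = restore(onsite, data)
    return {
        "onsite_kept": [p.name for p in generations(onsite)],
        "offsite_files": sorted(p.name for p in (offsite / "gen-04").iterdir()),
        "restored_from": restored_from.name,
        "restored": (data / "ledger.csv").read_text(),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping three generations rather than one matters when corruption is noticed late: if the newest backup already contains the bad data, the previous generation is still there to fall back on (`restore(onsite, data, "gen-03")`).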
Wireless Security
How can I ensure my wireless communication is secure?
• Secure your wireless access point (WAP)
• The WAP should not broadcast your network name (this hides it only from casual users and is not a substitute for encryption)
• Enable Wi-Fi Protected Access (WPA), or preferably WPA2 or WPA3; Wired Equivalent Privacy (WEP) is broken and should be treated as no protection at all
Perpetrators
Defensive Measures
• Risk assessment
– Organization’s review of potential threats to its computers and networks
– Identify which investments of time and resources will best protect the organization from its most likely and serious threats
– Reasonable assurance
• Managers must use their judgment to ensure that the cost of control does not exceed the system’s benefits or the risks involved
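The "reasonable assurance" judgment above, and the earlier Risk Management point that not every threat is worth preparing for, is usually made with the standard quantitative risk formulas: single loss expectancy (SLE = asset value x exposure factor), annualized loss expectancy (ALE = SLE x annualized rate of occurrence), and a control's net benefit (ALE reduction minus control cost). The block below is an added example, not from the original slides; the threats and dollar figures are constructed to illustrate the ranking and the implement/accept decision.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    asset_value: float        # value of the asset at risk
    ef: float                 # exposure factor: fraction of the asset lost per occurrence
    aro: float                # annualized rate of occurrence without the control
    control_cost: float       # annual cost of the candidate control
    ef_with_control: float    # exposure factor once the control is in place
    aro_with_control: float   # occurrence rate once the control is in place

    @property
    def sle(self) -> float:               # single loss expectancy
        return self.asset_value * self.ef

    @property
    def ale(self) -> float:               # annualized loss expectancy
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:      # expected yearly loss with the control
        return self.asset_value * self.ef_with_control * self.aro_with_control

    @property
    def net_benefit(self) -> float:       # what the control saves, minus what it costs
        return self.ale - self.residual_ale - self.control_cost


def prioritize(threats):
    """Rank by ALE (most likely and serious first); recommend the control only
    when it pays for itself, otherwise accept the risk."""
    ranked = sorted(threats, key=lambda t: t.ale, reverse=True)
    return [(t.name, round(t.ale), "implement" if t.net_benefit > 0 else "accept risk")
            for t in ranked]


# Constructed figures for illustration; real inputs come from the risk assessment.
THREATS = [
    Threat("ransomware on file server", 500_000, 0.6, 0.5, 40_000, 0.6, 0.05),
    Threat("phishing credential theft", 200_000, 0.25, 2.0, 25_000, 0.25, 0.3),
    Threat("laptop theft", 20_000, 1.0, 2.0, 3_000, 0.15, 2.0),
    Threat("meteor strike on data center", 5_000_000, 1.0, 0.00001, 300_000, 1.0, 0.00001),
]


if __name__ == "__main__":
    for name, ale, decision in prioritize(THREATS):
        print(f"{name:32s} ALE={ale:>9,}  {decision}")
```

The laptop row shows why the formula tracks both factors: disk encryption does nothing about how often laptops are stolen, but it cuts the exposure factor to the hardware cost alone, and that alone justifies it. The meteor row is the case the slide has in mind: a catastrophic but absurdly rare event whose control costs thousands of times its expected loss.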
Establishing a Security Policy
• Security policy
– Defines an organization’s security requirements
– Defines controls and sanctions needed to meet those requirements
• National Institute of Standards and Technology (NIST)
– Computer Security Division
• Automated system rules should mirror an organization’s written policies
Establishing a Security Policy (continued)
• E-mail attachments
– Critical security issue
• Virtual private network (VPN)
– Uses the Internet to relay communications
– Maintains privacy through security procedures and tunneling protocols
Educating Employees, Contractors, and Part-Time Workers
• Must be educated about the importance of security
– Discuss recent security incidents
• Protect an organization’s information systems and data by:
– Guarding their passwords
– Applying strict access controls
– Reporting all unusual activity to the organization’s IT security group
Prevention
• Installing a corporate firewall
– Established through the use of software, hardware, or a combination of both
– Can lead to complacency
• Intrusion prevention systems
– Prevent an attack by blocking viruses, malformed packets, and other threats from getting into the company network
Prevention (continued)
• Installing antivirus software on personal computers
– Virus signature
• Specific sequence of bytes
– United States Computer Emergency Response Team (US-CERT)
• Most of the virus and worm attacks that the team analyzes use already known programs
• Crucial that antivirus software be updated continually with the latest virus detection information
Prevention (continued)
• Implementing safeguards against attacks by malicious insiders
– IT staff must delete the computer accounts, login IDs, and passwords of departing employees
– Create roles and user accounts so that users have the authority to perform their responsibilities and no more
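Both safeguards above reduce to a comparison between what HR says a person is and what the directory says their account can do. The block below is an added example, not from the original slides: it reconciles a constructed HR roster against a constructed directory export, flagging accounts of departed employees that are still enabled, accounts with no HR record at all, and accounts holding groups beyond what their role entitles them to. The roster, accounts, role-to-group mapping, and the review date are all assumptions for the demonstration.

```python
from datetime import date

# Constructed HR roster and directory export for this example.
HR_ROSTER = [
    {"user": "alice", "status": "active", "role": "accountant"},
    {"user": "bob", "status": "terminated", "role": "sysadmin", "term_date": "2024-03-01"},
    {"user": "carol", "status": "active", "role": "helpdesk"},
]
DIRECTORY = [
    {"user": "alice", "enabled": True, "groups": {"domain-users", "finance-ro"}},
    {"user": "bob", "enabled": True, "groups": {"domain-users", "domain-admins"}},
    {"user": "carol", "enabled": True, "groups": {"domain-users", "password-reset", "domain-admins"}},
    {"user": "dave", "enabled": True, "groups": {"domain-users"}},
    {"user": "svc-backup", "enabled": True, "groups": {"backup-operators"}},
]
# Least privilege expressed as the groups each role is entitled to, and nothing more.
ROLE_GROUPS = {
    "accountant": {"domain-users", "finance-ro"},
    "helpdesk": {"domain-users", "password-reset"},
    "sysadmin": {"domain-users", "domain-admins"},
}
SERVICE_ACCOUNTS = {"svc-backup"}   # reviewed separately against their owning system


def review_accounts(roster, directory, today: date):
    """Return (user, finding, detail) for every enabled account that should not
    exist, should already be disabled, or holds more than its role requires."""
    by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in directory:
        user = acct["user"]
        if user in SERVICE_ACCOUNTS or not acct["enabled"]:
            continue
        person = by_user.get(user)
        if person is None:
            findings.append((user, "orphan", "no HR record: disable and investigate"))
        elif person["status"] == "terminated":
            days = (today - date.fromisoformat(person["term_date"])).days
            findings.append((user, "departed",
                             f"still enabled {days} days after termination: disable now"))
        else:
            excess = acct["groups"] - ROLE_GROUPS[person["role"]]
            if excess:
                findings.append((user, "excess-privilege",
                                 f"groups beyond role {person['role']}: {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for f in review_accounts(HR_ROSTER, DIRECTORY, date(2024, 3, 10)):
        print(*f, sep="\t")
```

Run on a schedule (and, better, on every HR termination event), this is the check that turns "IT staff must delete departing employees' accounts" from a reminder into something that is actually verified.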
Prevention (continued)
• Addressing the most critical Internet security threats
– Overwhelming majority of successful computer attacks are made possible by taking advantage of well-known vulnerabilities
– The SANS (SysAdmin, Audit, Network, and Security) Institute and US-CERT regularly update a summary of the most frequent, high-impact vulnerabilities
Prevention (continued)
• Conducting periodic IT security audits
– Evaluate whether an organization has a well-considered security policy in place and if it is being followed
– Test system safeguards
– Federal Computer Security Report Card
Detection
• Intrusion detection system
– Software and/or hardware
– Monitors system and network resources and activities and notifies network security personnel when it identifies possible intrusions
– Different approaches to intrusion detection
• Knowledge-based approaches
• Behavior-based approaches
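The two detection approaches above, together with the firewall and audit-trail slides in the Computer Security Risks chapter earlier on this page, can be shown working on the same traffic. The block below is an added example, not from the original slides or from any product: a first-match packet filter with a default-deny rule that records every decision in an audit trail, a knowledge-based detector that matches constructed payload signatures, and a behavior-based detector that flags a source touching many distinct ports within a short window even though no single packet matches a signature. The rules, signatures, and the packet sample are all constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Packet-filter rules, evaluated first-match. The last rule is the default deny:
# anything not explicitly allowed is blocked (and shows up in the audit trail).
RULES = [
    ("allow", "10.0.0.0/8", 443),   # internal hosts may reach the HTTPS service
    ("allow", "0.0.0.0/0", 80),     # anyone may reach the public web server
    ("deny", "0.0.0.0/0", None),    # default deny for everything else
]


def firewall_decision(pkt: Packet) -> str:
    src = ipaddress.ip_address(pkt.src)
    for action, net, port in RULES:
        if src in ipaddress.ip_network(net) and (port is None or port == pkt.dport):
            return action
    return "deny"


# Knowledge-based detection: constructed signatures of known-bad request content.
SIGNATURES = {
    "sqli-probe": b"' OR 1=1",
    "webshell-probe": b"cmd.exe /c",
}


def knowledge_based(pkt: Packet) -> list:
    return [name for name, sig in SIGNATURES.items() if sig in pkt.payload]


class ScanDetector:
    """Behavior-based detection: one source touching `threshold` distinct ports
    within `window` seconds looks like a port scan, even though no single
    packet matches any signature. Each source is flagged once."""

    def __init__(self, window: float = 10.0, threshold: int = 5):
        self.window, self.threshold = window, threshold
        self.history = defaultdict(list)   # src -> [(ts, dport), ...]
        self.flagged = set()

    def observe(self, pkt: Packet) -> bool:
        hist = self.history[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        recent_ports = {p for t, p in hist if pkt.ts - t <= self.window}
        if len(recent_ports) >= self.threshold and pkt.src not in self.flagged:
            self.flagged.add(pkt.src)
            return True
        return False


def process(packets):
    """Run every packet through the filter and both detectors. The IDS sensor is
    assumed to sit outside the firewall, so it also sees traffic that is dropped."""
    audit, alerts = [], []
    scanner = ScanDetector()
    for pkt in packets:
        decision = firewall_decision(pkt)
        audit.append((pkt.ts, pkt.src, pkt.dport, decision))
        for sig in knowledge_based(pkt):
            alerts.append(("signature", sig, pkt.src))
        if scanner.observe(pkt):
            alerts.append(("port-scan", None, pkt.src))
    return audit, alerts


# Constructed traffic sample: one internal client, then an outside host that
# sends a legitimate request, an injection probe, and a sweep of closed ports.
SAMPLE = [
    Packet(1.0, "10.1.2.3", "10.9.9.9", 443),
    Packet(1.5, "203.0.113.7", "10.9.9.9", 80, b"GET /index.html"),
    Packet(2.0, "203.0.113.7", "10.9.9.9", 80, b"GET /login?user=' OR 1=1--"),
    Packet(2.2, "203.0.113.7", "10.9.9.9", 22),
    Packet(2.3, "203.0.113.7", "10.9.9.9", 23),
    Packet(2.4, "203.0.113.7", "10.9.9.9", 445),
    Packet(2.5, "203.0.113.7", "10.9.9.9", 3389),
]


if __name__ == "__main__":
    audit, alerts = process(SAMPLE)
    print(*audit, sep="\n")
    print(*alerts, sep="\n")
```

Note what each layer catches: the firewall lets the injection probe through because port 80 is allowed, and the signature detector is what raises it; the port sweep is entirely denied by the firewall, yet only the behavior-based detector turns four unrelated denials into one meaningful alert.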
Response
• Primary goal
– Regain control and limit damage
• Not to attempt to monitor or catch an intruder
• Incident notification
– Define who to notify and who not to notify
• Protecting evidence and activity logs
– Document all details of a security incident
• Incident containment
– Act quickly to contain an attack
Response (continued)
• Eradication
– Collect and log all possible criminal evidence from the system
– Verify that all necessary backups are current
– Create a forensic disk image of each compromised system
– Keep a log of all actions taken
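The forensic-image and action-log items above are where evidence is most often spoiled: an image that cannot be shown to match the original, or a step nobody wrote down. The block below is an added example, not from the original slides or from any forensic tool. It makes a bit-for-bit copy of a constructed stand-in for a block device, hashes the source before and after acquisition and the image itself, and writes every step to an append-only action log. In real use the source would be a device opened read-only behind a hardware write blocker; the case number, analyst name, and device contents here are assumptions for the demonstration.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 16


def sha256_of(path: Path) -> str:
    """Streaming SHA-256 so a multi-gigabyte image is never read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class ActionLog:
    """Append-only, timestamped record of every action taken during response."""

    def __init__(self, path: Path):
        self.path, self.entries = path, []

    def record(self, analyst: str, action: str, **details) -> dict:
        entry = {"time": datetime.now(timezone.utc).isoformat(),
                 "analyst": analyst, "action": action, **details}
        self.entries.append(entry)
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry


def image_device(device: Path, image: Path, log: ActionLog, analyst: str):
    """Bit-for-bit copy of `device` to `image`. The source is hashed before and
    after the copy (showing acquisition did not alter it) and the image is hashed
    so that any later change to it can be detected. Every step is logged."""
    before = sha256_of(device)
    log.record(analyst, "hash-source", device=str(device), sha256=before)
    with open(device, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    image_hash = sha256_of(image)
    after = sha256_of(device)
    verified = before == after == image_hash
    log.record(analyst, "image-created", image=str(image), sha256=image_hash,
               source_unchanged=(before == after), verified=verified)
    return verified, image_hash


def demo() -> dict:
    work = Path(tempfile.mkdtemp())
    device = work / "sdb.raw"   # constructed stand-in for a block device
    device.write_bytes(bytes(range(256)) * 1024 + b"dropper.exe payload here")
    log = ActionLog(work / "case-0001.actions.log")
    verified, digest = image_device(device, work / "sdb.dd", log, "analyst-1")
    # An image altered after acquisition no longer matches the recorded hash.
    altered = work / "sdb-altered.dd"
    altered.write_bytes((work / "sdb.dd").read_bytes()[:-1] + b"\x00")
    return {"verified": verified,
            "altered_matches": sha256_of(altered) == digest,
            "log_entries": len(log.entries),
            "log_lines": len((work / "case-0001.actions.log").read_text().splitlines())}


if __name__ == "__main__":
    print(demo())
```

The recorded hash is what later analysis works against: every examination is done on a copy of the verified image, never on the original evidence, and the log shows who did what and when if the findings are ever challenged.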
Response (continued)
• Incident follow-up
– Determine how the organization’s security was compromised
– Develop an estimate of the monetary damage
– Determine amount of effort that should be put into capturing the perpetrator