390 likes | 479 Views
Session 5. 桌面系统 ( 单机)(第 5 章) PC Hardware Software Systems Session6. 分布式系统(多机)(第 7 章) 计算机网络与 Internet 分布式应用系统 Web 和电子商务 硬软件平台的发展趋势 Session 7. 管理数据资料 ( 第六章) 数据库 数据创库及数据挖掘 Session 8. 安全与控制(第八章). PartⅡ 信息技术基础设施. Session 8. 安全与控制. 学习信息系统安全与控制的作用; 评估安全与控制的商业价值 学习安全与控制的组织与管理架构;
E N D
Session 5. 桌面系统(单机)(第5章) PC Hardware Software Systems Session6. 分布式系统(多机)(第7章) 计算机网络与Internet 分布式应用系统 Web和电子商务 硬软件平台的发展趋势 Session 7. 管理数据资料(第六章) 数据库 数据创库及数据挖掘 Session 8. 安全与控制(第八章) PartⅡ信息技术基础设施
Session 8. 安全与控制 • 学习信息系统安全与控制的作用; • 评估安全与控制的商业价值 • 学习安全与控制的组织与管理架构; • 评估保护信息资源的工具与技术
1. 系统的易损与滥用 为什么系统易受攻击) Contemporary Security Challenges and Vulnerabilities
1. 系统的易损与滥用 Internet Vulnerabilities: • Use of fixed Internet addresses through use of cable modems or DSL • Lack of encryption with most Voice over IP (VoIP) • Widespread use of e-mail and instant messaging (IM)
1. 系统的易损与滥用 Wireless Security Challenges: • Radio frequency bands are easy to scan • The service set identifiers (SSID)identifying the access points broadcast multiple times
1. 系统的易损与滥用 Wi-Fi Security Challenges
1. 系统的易损与滥用 恶意软件: Viruses, Worms, Trojan Horses, and Spyware • Computer viruses(病毒) • worms(蠕虫) • trojan horses (特洛伊木马) • Spyware(间谍软件)
1. 系统的易损与滥用 黑客与网络破坏形为 • Spoofing and Sniffers (欺骗与嗅探器) • Denial of Service (DoS) Attacks(拒绝服务攻击)
1. 系统的易损与滥用 计算机犯罪 • 身份盗窃
1. 系统的易损与滥用 • Vulnerabilities from internal threats (employees); • software flaws
2. 安全与控制的商业价值 Worldwide Damage from Digital Attacks
2. 安全与控制的商业价值 • Inadequate security and control may create serious legal liability. • Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft. • A sound security and control framework that protects business information assets can thus produce a high return on investment.
2. 安全与控制的商业价值 Security Incidents Continue to Rise
3. 建立安全与控制的管理架构 信息系控制的类型 • General controls: • Software and hardware • Computer operations • Data security • Systems implementation process
3. 建立安全与控制的管理架构 Application controls: • Input • Processing • Output
3. 建立安全与控制的管理架构 风险评估: • Determines the level of risk to the firm if a specific activity or process is not properly controlled
3. 建立安全与控制的管理架构 安全政策: Policy ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals • Acceptable Use Policy (AUP) • Authorization policies
Figure 10-5 3. 建立安全与控制的管理架构 Security Profiles for a Personnel System
3. 建立安全与控制的管理架构 确保业务持续性 (Business Continuity) • Downtime: Period of time in which a system is not operational • Fault-tolerant computer systems(容错计算机):Redundant hardware, software, and power supply components to provide continuous, uninterrupted service • High-availability computing(高可用性计算机): Designing to maximize application and system availability
3. 建立安全与控制的管理架构 • Load balancing:Distributes access requests across multiple servers • Mirroring:Backup server that duplicates processes on primary server • Recovery-oriented computing: Designing computing systems to recover more rapidly from mishaps
3. 建立安全与控制的管理架构 • Disaster recovery planning:Plans for restoration of computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack • Business continuity planning(商业持续计划): Plans for handling mission-critical functions if systems go down
3. 建立安全与控制的管理架构 Auditing(审计): • MIS audit: Identifies all of the controls that govern individual information systems and assesses their effectiveness • Security audits: Review technologies, procedures, documentation, training, and personnel
3. 建立安全与控制的管理架构 Sample Auditor’s List of Control Weaknesses
4. 安全与控制的工具与技术 Access Control(访问控制) Access control: Consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders Authentication: • Passwords • Tokens, smart cards • Biometric authentication(生物认证)
4. 安全与控制的工具与技术 Firewalls, Intrusion Detection Systems, and Antivirus Software • Firewalls(防火墙): Hardware and software controlling flow of incoming and outgoing network traffic • Intrusion detection systems(入侵检测技术): Full-time monitoring tools placed at the most vulnerable points of corporate networks to detect and deter intruders
4. 安全与控制的工具与技术 Firewalls, Intrusion Detection Systems, and Antivirus Software (Continued) • Antivirus software: Software that checks computer systems and drives for the presence of computer viruses and can eliminate the virus from the infected area • Wi-Fi Protected Access specification
Figure 10-7 4. 安全与控制的工具与技术 A Corporate Firewall
4. 安全与控制的工具与技术 Encryption and Public Key Infrastructure(公钥基础设施) • Public key encryption: Uses two different keys, one private and one public. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key • Message integrity: The ability to be certain that the message being sent arrives at the proper destination without being copied or changed
4. 安全与控制的工具与技术 加密技术与PKI(公钥基础设施) • 密码学 研究改变信息和信号的形式以隐弊(加密)或复现(解密)的学科,即研究如何设计密码体制;
4. 安全与控制的工具与技术 • 按应用技术或历史发展阶段划分 • 手工密码 • 第一次世界大战前的密码 • 机械密码 • 第一次世界大战至第二次世界大战中得到普遍使用 • 电子机内乱密码 • 上世纪50-70年代 • 计算机密码 • 上世纪70年代以来
4. 安全与控制的工具与技术 • 移位密码(shift)-手工密码 • 加密 早期的密码体制创始人之一是Julius Caesar. 假设他要发送如下的明文信息: gaul is divided three parts 他不想让敌方获取该信息,于是他将每个字母向后移动三位. JDXOLVVGLYLGHGLQWRWKUHHSDUWV
4. 安全与控制的工具与技术 • 解密 • 解密过程为将字母回移3位(并尽量判断如何还原空格) • gaulisdividedthreeparts gaul is divided three parts • Playfair和ADFGX密码(代替密码体制,替换密码体制
4. 安全与控制的工具与技术 • Enigma-机械密码 轮转机加密设备是1920年发明的,最著明的设计是德国的Enigma(亚瑟·谢尔比乌斯 ,Arthur Scherbius 发明),它是第二次世界大战中德国使用的最著明的机器之一. 具说它非常安全,但英国人在二战期间破译了该设备.
4. 安全与控制的工具与技术 • 计算机密码—对称密钥加密算法 • DES • IDES • AES.
4. 安全与控制的工具与技术 • 计算机密码—非对称密钥加密算法-加密与解密
4. 安全与控制的工具与技术 • 计算机密码—非对称密钥加密算法-签名与鉴别
4. 安全与控制的工具与技术 • Digital signature(数字签名): A digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message • Digital certificates(数字证书): Data files used to establish the identity of users and electronic assets for protection of online transactions • Public Key Infrastructure (PKI-公钥机础设施): Use of public key cryptography working with a certificate authority
4. 安全与控制的工具与技术 • Secure Sockets Layer (SSL)and its successor Transport Layer Security (TLS): protocols for secure information transfer over the Internet; enable client and server computer encryption and decryption activities as they communicate during a secure Web session. • Secure Hypertext Transfer Protocol (S-HTTP): used for encrypting data flowing over the Internet; limited to Web documents, whereas SSL and TLS encrypt all data being passed between client and server.
4. 安全与控制的工具与技术 Digital Certificates