Introduction to Information System
Asst.Prof. Dr. Surasak Mungsing
CIS511 Information System Architecture
Description:
Principles of computer operation; measuring computer size and performance; the evolution of computer systems; computer systems and networks; local area networks; broadband systems; the Internet; system software such as operating systems, database systems, communication systems and protocols; data communication and processing scheduling; back-office information systems such as budgeting, finance and accounting, personnel and information systems; front-office service systems; specifying the characteristics of hardware, network and processing systems.
Week / Topic
Week 1: Introduction to IS and ISA
Week 2: Organizational Systems
Week 3: Managerial Support Systems
Week 4: E-Commerce Applications
Week 5: Case Study 1
Week 6: Client-Server Architecture
Week 7: Commercial Software Architecture
Week 8: ISA and System Development
Week 9: Enterprise Information Architecture
Week 10: Case Study 2
Week 11: User Interface Architecture
Week 12: Web Service and ISA
Week 13: Special Lecture in Information System Architecture I
Week 14: Special Lecture in Information System Architecture II
Evaluation
Project/Reports: 40 % (Individual Report 20 %, Group Project 20 %)
Participation: 10 %
Mid-term Exam: 20 %
Final Exam: 30 %
Total: 100 %
Q&A
Topic
Information System
Threats and Attacks
Why Study Information Systems
Ease the managing task
Guide for problem solving and decision making
Realise opportunities and meet personal and company goals
In business: used in all functional areas
Information Concepts (1)
Data vs. Information
Data
Raw facts
Distinct pieces of information, usually formatted in a special
way
Information
A collection of facts organized in such a way that they have
additional value beyond the value of the facts themselves
Examples
Data: thermometer readings of temperature taken every hour: 16.0, 17.0, 16.0, 18.5, 17.0, 15.5, ...
Transformation
Information: today's high: 18.5; today's low: 15.5
Types of Data
Data
Represented by
Alphanumeric data
Numbers, letters, and other characters
Image data
Graphic images or pictures
Audio data
Sound, noise, tones
Video data
Moving images or pictures
Characteristics of Valuable Information
accurate,
complete,
economical,
flexible,
reliable,
relevant,
simple,
timely,
verifiable,
accessible,
secure
Example: Health Information
You want the information about you in a health information system to be:
As accurate as possible (e.g. your age, sex)
As complete as possible
Relevant
Reliable
Available in a timely manner (e.g. information about your drug allergies is available before your operation!)
System
Definition
A set of elements or components that interact to
accomplish goals
A combination of components working together
Example of a System with sub-components
Customer Support System, made up of:
Customer Maintenance Component
Order Entry Component
Catalog Maintenance Component
Order Fulfillment Component
System Elements
Inputs
Processing mechanisms
Outputs
System Example
System: Movie
Inputs: Actors, director, staff, sets, equipment
Processing elements: Filming, editing, special effects, distribution
Outputs: Finished film delivered to movie studio
Goal: Entertaining movie, film awards, profits
System Components and Concepts
System boundary
Defines the system and distinguishes it from
everything else
System types
Simple vs. complex
Open vs. closed
Stable vs. dynamic
Adaptive vs. non-adaptive
Permanent vs. temporary
System Performance and Standards
Efficiency
A measure of what is produced divided by what is consumed (e.g. the efficiency of a motor is the energy produced divided by the energy consumed)
Effectiveness
A measure of the extent to which a system achieves its goals
System performance standard
A specific objective of the system
Nature of Information Systems
Organization: a group of individuals operating together in a systematic way to achieve a set of objectives
Individuals interact to achieve objectives
They interact with each other through rules and procedures to achieve objectives
Has objectives
Takes inputs and processes them into outputs
Resources are classified into raw materials, machinery, human resources, money, information
Environment includes the physical environment, other organizations, abstract entities, individuals
Organizational Activities
Primary activities (inbound logistics, operations, sales and marketing, outbound logistics, after-sales support)
Secondary activities (corporate planning and control, administration, finance management, HRM, R&D)
Organizational Structure
Hierarchical
Functional
Management Structure
Strategic Management
Operational Management
Types of Information
Planning, operating and control
Strategic, operation and control
Qualitative and quantitative
Linkage between Activities
Organization divided into departments
Information disseminated formally and informally
Information flows should reflect structure and means
of achieving objectives
Data and Information
Qualities of Good Information
Complete, relevant, timely, accurate, understandable,
significant, channel, right recipient, cost benefit
Noise in communication
Redundant information
Information cost (design and set up costs, running
costs, storage costs)
Information Systems
Defn. A formalized set of procedures designed to convert data into information for decision making
Activities include: data capture, data processing, dissemination of information, information use, monitoring the system
The Information System Development Process entails:
1. Establish business objectives
2. Define information needs
3. Establish sources of data
4. Examine who needs data
5. Format and timing of information received
6. Process required to convert data into information
7. Building the system
8. Monitor and control system effectiveness
Information System (cont.)
Design could be bottom up or top down
Manual or mechanized
Information needs (planning, monitoring, control,
decision making, recording and processing
transaction, communication)
Types of Information Systems
Transaction processing systems
Office automation systems
Management information systems
Decision support systems
Executive information systems
Expert systems
Nature of Decision Making
Structured (programmed decisions)
Unstructured
Semi-structured
Analytical decisions
Heuristic decisions
Q&A
Threats and Attacks
Principles of Information Security, 2nd Edition
30
Learning Objectives
Identify and understand the threats posed to
information security
Identify and understand the more common attacks
associated with those threats
Threats
Threat: an object, person, or other entity that
represents a constant danger to an asset
Management must be informed of the different
threats facing the organization
By examining each threat category, management
effectively protects information through policy,
education, training, and technology controls
Threats (contd)
The 2004 Computer Security Institute (CSI)/Federal
Bureau of Investigation (FBI) survey found:
79 percent of organizations reported cyber security
breaches within the last 12 months
54 percent of those organizations reported financial
losses totaling over $141 million
Threats to Information Security
Acts of Human Error or Failure
Includes acts performed without malicious intent
Causes include:
Inexperience
Improper training
Incorrect assumptions
Employees are among the greatest threats to an
organization’s data
Acts of Human Error or Failure (contd)
Employee mistakes can easily lead to:
Revelation of classified data
Entry of erroneous data
Accidental data deletion or modification
Data storage in unprotected areas
Failure to protect information
Many of these threats can be prevented with
controls
Figure 2-1 – Acts of Human Error or Failure
Deliberate Acts of Espionage or Trespass
Access of protected information by unauthorized
individuals
Competitive intelligence (legal) vs. industrial
espionage (illegal)
Shoulder surfing occurs anywhere a person accesses confidential information
Controls let trespassers know they are encroaching on the organization's cyberspace
Hackers use skill, guile, or fraud to bypass controls protecting others' information
Deliberate Acts of Theft
Illegal taking of another’s physical, electronic, or
intellectual property
Physical theft is controlled relatively easily
Electronic theft is a more complex problem; evidence of the crime is not readily apparent
Deliberate Software Attacks
Malicious software (malware) designed to damage, destroy, or deny service to target systems
Includes viruses, worms, Trojan horses, logic bombs, back doors, and denial-of-service attacks
Forces of Nature
Forces of nature are among the most dangerous
threats
Disrupt not only individual lives, but also storage,
transmission, and use of information
Organizations must implement controls to limit
damage and prepare contingency plans for
continued operations
Deviations in Quality of Service
Includes situations where products or services not
delivered as expected
Information system depends on many
interdependent support systems
Internet service, communications, and power
irregularities dramatically affect availability of
information and systems
Internet Service Issues
Internet service provider (ISP) failures can
considerably undermine availability of information
Outsourced Web hosting provider assumes
responsibility for all Internet services as well as
hardware and Web site operating system software
Attacks
Act or action that exploits vulnerability (i.e., an
identified weakness) in controlled system
Accomplished by threat agent which damages or steals
organization’s information
Attacks (contd)
Malicious code: includes execution of viruses,
worms, Trojan horses, and active Web scripts with
intent to destroy or steal information
Back door: gaining access to system or network using
known or previously unknown/newly discovered
access mechanism
Attacks (contd)
Password crack: attempting to reverse calculate a
password
Brute force: trying every possible combination of
options of a password
Dictionary: selects specific accounts to attack and
uses commonly used passwords (i.e., the dictionary)
to guide guesses
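The defender's side of the two cracking strategies above, as an added example that is not part of the original slides: a password check that rejects anything a dictionary attack would find within a few guesses (after folding the case and digit-suffix variations such attacks try first) and sizes the keyspace a brute-force attack would otherwise have to search. The dictionary, the attacker guess rate and the one-year acceptance bar are constructed assumptions.

```python
# Added example (not from the slides): the defender's side of the slide's two
# cracking strategies - rejecting passwords a dictionary attack guesses in a
# handful of attempts, and sizing the keyspace a brute-force attack must search.
import re

# Constructed mini dictionary of commonly used passwords (real lists run to millions).
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome", "admin"]

def normalize(pw):
    """Fold the variations a dictionary attack tries first: case and a trailing
    run of digits or symbols ("Password123!" -> "password")."""
    return re.sub(r"[\d!@#$%^&*]+$", "", pw.lower())

def dictionary_hit(pw, dictionary=COMMON_PASSWORDS):
    """1-based guess number at which the dictionary finds pw, or 0 if absent."""
    candidates = {pw.lower(), normalize(pw)}
    for guess_no, word in enumerate(dictionary, 1):
        if word in candidates:
            return guess_no
    return 0

def brute_force_guesses(pw):
    """Guesses an exhaustive search needs at worst: all strings up to len(pw)
    over the character classes pw actually uses."""
    charset = 0
    if re.search(r"[a-z]", pw):
        charset += 26
    if re.search(r"[A-Z]", pw):
        charset += 26
    if re.search(r"\d", pw):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        charset += 33   # printable ASCII symbols
    return sum(charset ** n for n in range(1, len(pw) + 1))

def assess(pw, guesses_per_second=1e9):
    """Verdict plus reason. guesses_per_second is an assumed attacker rate for
    offline cracking of a fast hash; the one-year bar is likewise an assumption."""
    hit = dictionary_hit(pw)
    if hit:
        return ("reject", f"dictionary attack finds it at guess #{hit}")
    years = brute_force_guesses(pw) / guesses_per_second / (365 * 86400)
    if years < 1:
        return ("reject", f"brute force exhausts the keyspace in {years * 365:.1f} days")
    return ("accept", f"brute force needs about {years:.1e} years")

if __name__ == "__main__":
    for pw in ["Password123!", "123456", "ab", "correct-horse-battery"]:
        print(pw, "->", assess(pw))
```

The point the numbers make is that a dictionary attack needs the guess count of the word's position in the list, not the keyspace size, so "Password123!" falls on guess one despite its eleven-character, three-class keyspace.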
Attacks (contd)
Denial-of-service (DoS): attacker sends a large number of connection or information requests to a target
The target system cannot handle them successfully along with other, legitimate service requests
May result in a system crash or inability to perform ordinary functions
Distributed denial-of-service (DDoS): a coordinated stream of requests is launched against the target from many locations simultaneously
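Detection logic for the two cases just described, as an added example that is not from the original slides: requests are counted per source in fixed one-second windows, and a window is flagged as DoS when one source alone exceeds the rate limit, or as DDoS when the aggregate exceeds it while being spread across many sources. The log format, the thresholds and the log lines themselves are constructed for the demo.

```python
# Added example (not from the slides): tell a single-source DoS from a
# multi-source DDoS by counting requests per source in fixed time windows.
from collections import Counter, defaultdict

# Constructed sample access log, one line per request: "<epoch_s> <src_ip> <request>"
SAMPLE_LOG = (
    ["100 10.0.0.5 GET /"] * 60                                  # one host floods us
    + ["100 10.0.0.%d GET /" % i for i in range(20, 30)]        # plus normal visitors
    + ["101 10.0.1.%d GET /login" % i for i in range(1, 51)]    # 50 hosts, once each
    + ["102 10.0.0.%d GET /" % i for i in range(20, 25)]        # quiet second
)

def parse(line):
    ts, src, request = line.split(" ", 2)
    return int(ts), src, request

def classify_windows(lines, window=1, rate_limit=40, min_sources=20):
    """Return {window_start: verdict} where verdict is
    ("dos", top_source, its_count)      one source alone exceeds rate_limit
    ("ddos", n_sources, total)          aggregate exceeds rate_limit across many sources
    ("normal", n_sources, total)        otherwise.
    rate_limit and min_sources are assumed thresholds; tune them to real baselines."""
    per_window = defaultdict(Counter)
    for line in lines:
        ts, src, _ = parse(line)
        per_window[ts - ts % window][src] += 1
    verdicts = {}
    for start, sources in sorted(per_window.items()):
        total = sum(sources.values())
        top_src, top_count = sources.most_common(1)[0]
        if top_count > rate_limit:
            verdicts[start] = ("dos", top_src, top_count)
        elif total > rate_limit and len(sources) >= min_sources:
            verdicts[start] = ("ddos", len(sources), total)
        else:
            verdicts[start] = ("normal", len(sources), total)
    return verdicts

if __name__ == "__main__":
    for start, verdict in classify_windows(SAMPLE_LOG).items():
        print(f"t={start}s: {verdict}")
```

The DDoS window is the harder one operationally: no single source crosses a per-client limit, so blocking by address does not help and the defence has to act on the aggregate.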
Figure 2-9 - Denial-of-Service Attacks
Attacks (continued)
Spoofing: technique used to gain unauthorized access; the intruder assumes a trusted IP address
Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into the network
Spam: unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging as a vector for some attacks
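One mitigation for the spoofing and man-in-the-middle cases above, as an added example that is not from the original slides: a keyed integrity tag (HMAC over source address, sequence number and payload) lets the receiver reject a packet that was modified in flight and a packet that merely claims a trusted source address without knowing the key. The shared key, the packet layout and the sample values are constructed for the demo.

```python
# Added example (not from the slides): a keyed integrity tag (HMAC) lets the
# receiver detect packets modified in flight or forged under a trusted address.
import hashlib
import hmac
import json

# Constructed demo key shared by the two endpoints; a real system negotiates
# a fresh key per session rather than hard-coding one.
SHARED_KEY = b"demo-shared-key"

def seal(src, seq, payload, key=SHARED_KEY):
    """Sender: the tag covers source address, sequence number and payload together."""
    body = json.dumps({"src": src, "seq": seq, "payload": payload},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify(msg, key=SHARED_KEY):
    """Receiver: recompute the tag over the bytes actually received and compare
    in constant time; any change to src, seq or payload makes this fail."""
    expected = hmac.new(key, msg["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])

def intercept_and_modify(msg, old, new):
    """The man-in-the-middle from the slide: edit the packet, reinject it."""
    return {"body": msg["body"].replace(old, new), "tag": msg["tag"]}

def spoof(trusted_src, seq, payload):
    """Address spoofing without the key: the forger can claim the source but
    cannot produce a valid tag, so the receiver rejects the packet."""
    body = json.dumps({"src": trusted_src, "seq": seq, "payload": payload},
                      sort_keys=True).encode()
    return {"body": body, "tag": "00" * 32}

if __name__ == "__main__":
    genuine = seal("192.0.2.10", 7, "amount=100")
    print("genuine  :", verify(genuine))
    print("modified :", verify(intercept_and_modify(genuine, b"100", b"900")))
    print("spoofed  :", verify(spoof("192.0.2.10", 8, "amount=100")))
```

The tag proves integrity and origin only; it does not hide the payload, and without the sequence number a captured genuine packet could still be replayed.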
Figure 2-11 - Man-in-the-Middle
Attacks (contd)
Mail bombing: also a DoS; the attacker routes large quantities of e-mail to the target
Sniffers: a program or device that monitors data traveling over a network; can be used both for legitimate purposes and for stealing information from a network
Social engineering: using social skills to convince people to reveal access credentials or other valuable information to the attacker
Attacks (contd)
Buffer overflow: an application error occurring when more data is sent to a buffer than it can handle
Timing attack: relatively new; works by exploring the contents of a Web browser's cache to create a malicious cookie
Summary
Threat: object, person, or other entity representing a
constant danger to an asset
Attack: a deliberate act that exploits vulnerability