
IT Trends

Web 2.0

Introduction
The collaborative nature of the Internet is not new: people share pictures, send instant messages and post videos on different sites, whether for educational value or simply for entertainment. Introduced in 2004, Web 2.0 has become part of our social and professional lives. One important aspect of Web 2.0 is the staggering number of Web 2.0 products and services that you can find on the Internet.

Definition
Web 2.0 can be defined as "the business revolution in the computer industry caused by the move to the internet as platform, and an attempt to understand the rules for success on that new platform. Chief among those rules is this: Build applications that harness network effects and get better the more people use them." (Tim O'Reilly, 2007)

Definition
Heavily oriented toward content generation by people who collaborate and share their content and information. Examples:
Blogs
Wikis
Social networks

Web 1.0 vs. Web 2.0


Web 1.0
Allowed the viewing of hyperlinked documents, discovered by reference and browsing, and later by searching
Content was created by site owners
A repository of static information

Web 2.0
Allows interaction with active and real-time content
Content is created by interactions between users
A dynamic and interactive web

HTML vs Ajax
HTML pages initially contained read-only content, regardless of whether the content was static (i.e. a file on the file system of a server) or dynamically generated prior to rendering the content in a browser. Web 2.0 removes the read-only content restriction from Web 1.0, enabling people to collaborate by dynamically updating, creating and sharing content with other users.

HTML vs Ajax
Updating an HTML page in Web 1.0 means the entire web page must be sent to the web server
Web 2.0 uses Ajax to modify only the portions of the web page that need to change, offering a more seamless user experience

Advantages of Web 2.0


Collaborative nature of user content
Use of AJAX as a technical component
Inputted text is saved instead of overwritten
Full page refresh is not required (better performance)
Page state is maintained
Mash-ups can be readily implemented

Disadvantages of Web 2.0


Security issues
Lack of bookmarkability
Cannot track URL history
Harder to code applications
Potential memory leaks
Lack of support in older browsers
More testing required (cross-browser support)

Popular Tools and Products


Flickr
YouTube
Twitter
Facebook

Popular Tools and Products: Flickr


Photo sharing application launched in 2004 and later acquired by Yahoo! (http://www.flickr.com)
Provides a set of APIs (including RSS and Atom feeds) to access its contents, and is often used by mash-ups to render Flickr-based content
For developers, Flickr provides licensing terms and support for map-related services for cities

Popular Tools and Products: YouTube


A video sharing application launched in 2006 and later acquired by Google (http://www.youtube.com)
Extremely popular for sharing videos

Popular Tools and Products: Twitter


A public message-oriented application (http://twitter.com)
Tweets are mostly used for casual communication, but they have been used for commercial purposes
Provides a feature called "track" that lets people track specific words, and another feature called "follow" that lets people follow each other
Started as a Ruby-on-Rails (RoR) application; the Twitter development team moved some of the backend code to Scala (Java-based) to improve performance and scalability

Popular Tools and Products: Facebook


Social networking site created in 2004 (http://www.facebook.com)
In 2007, Facebook released its set of APIs, which let developers create Facebook applications

Collective intelligence
Web 2.0 is all about harnessing collective intelligence, which can be defined as crowdsourcing: a large group of people is able to create a collective work whose value far exceeds that provided by any of the individual participants.

Web 2.0 technology


With Web 2.0, the Web is not just a collection of destination sites, but a source of data and services that can be combined to create applications users need. Web 2.0 tools and services have fuelled the creation of social networks and other online communities where people can interact with one another in the manner of their choosing.

Web 2.0 technology (cont.)


Social networks
Social networking sites provide networking services to users, giving them the ability to set up profiles, blogs, tag documents of interest, and use online forums to communicate with one another

Mash-ups
Software services that enable users and system developers to mix and match content or software components to create something entirely new
Example: Flickr combines photos with other information about images provided by users, and tools to make it usable within other programming environments

Web 2.0 technology (cont.)


Cloud computing
Refers to a model of computing where firms and individuals obtain computing power and software applications over the Internet, rather than purchasing their own software and hardware.

Wikis
"Wiki" is the Hawaiian term for "quick"
Collaborative Web sites where visitors can add, delete, or modify content on the site, including the work of previous authors

Web 2.0 technology (cont.)


RSS Syndication
Rich Site Summary / Really Simple Syndication
Syndicates Web site content so that it can be used in another setting
RSS technology pulls specified content from Web sites and feeds it automatically to users' computers, where it can be stored for later viewing
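A minimal reader for the RSS 2.0 format named above, written as an added example (it is not code from the lecture); the feed, site name and URLs are constructed placeholders. Before content is "fed automatically to users' computers" a reader should at least restrict item links to http/https and cap the number of items it keeps, which is what this reader does.

```python
"""Minimal RSS 2.0 feed reader (added example, not from the lecture).

Parses a constructed feed, keeps only items whose <link> uses http or https,
and caps the number of items so an oversized feed cannot exhaust memory."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed; the channel name and URLs are placeholders.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Lecture Notes</title>
    <link>https://example.invalid/</link>
    <item>
      <title>Web 2.0 overview</title>
      <link>https://example.invalid/web2</link>
      <pubDate>Mon, 01 Jun 2009 10:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Entry with a non-web link</title>
      <link>javascript:alert(1)</link>
    </item>
    <item>
      <title>Cloud computing</title>
      <link>http://example.invalid/cloud</link>
    </item>
  </channel>
</rss>
"""

ALLOWED_SCHEMES = {"http", "https"}


def parse_feed(xml_text: str, max_items: int = 50) -> list[dict]:
    """Return up to max_items entries as {'title', 'link', 'pubDate'} dicts."""
    # xml.etree does not resolve external entities, so a hostile feed cannot
    # make the reader fetch local files or remote URLs while parsing.
    root = ET.fromstring(xml_text)
    if root.tag != "rss":
        raise ValueError("not an RSS document")
    channel = root.find("channel")
    if channel is None:
        raise ValueError("RSS document has no <channel>")

    items = []
    for item in channel.iter("item"):
        link = (item.findtext("link") or "").strip()
        # Keep only links a browser would treat as ordinary web addresses;
        # anything else (javascript:, file:, empty) is dropped, not rendered.
        if urlsplit(link).scheme.lower() not in ALLOWED_SCHEMES:
            continue
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": link,
            "pubDate": (item.findtext("pubDate") or "").strip(),
        })
        if len(items) >= max_items:
            break
    return items


if __name__ == "__main__":
    for entry in parse_feed(SAMPLE_FEED):
        print(entry["title"], "->", entry["link"])
```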

Blogs
Popular term for a Weblog: an informal yet structured Web site where subscribing individuals can publish stories, opinions, and links to other Web sites of interest

Web 2.0 technology (cont.)


Semantic Technology
Discovers relationships that exist among resources and then represents those relationships via some form of metadata. Uses:
Improves relevance of search results
Provides better ad placement in advertising
Discovers hidden patterns of behaviour
Assists in crime detection
Automatically finds reference papers based on keywords

Web 2.0 technology (cont.)


Search Engine Optimization
The art of making your website appear as high as possible in search engine results
Search engines use ontologies
Ontologies let us model systems so that we can classify existing resources and add new ones in a reasonably structured and logical manner. They can help discover relationships in a system and make inferences that are not apparent without the ontology
Normally created for a specific set of resources, e.g. books, movies, etc.
Web Ontology Language (OWL): an ontology language specifically designed for Internet resources

New search engines


www.bing.com: formerly named Kumo; Microsoft partnered with Yahoo in 2009 to provide the search technology for Microsoft
www.hakia.com: its ontology is capable of recognizing phrases instead of the usual individual keywords, so that consecutive words combine to determine additional context

New search engines


yebol.com: uses patented algorithms to create a directory for queries and users, as well as multi-dimensional searches that provide a wider set of related search terms

Homework
Write a comparative analysis of the latest search engines (bing, hakia, yebol) by researching the following criteria:
1. Search result accuracy
2. User interface
3. Content management

Cloud computing

What is Cloud Computing?


Cloud computing most commonly refers to the delivery of computing services over the Internet as an alternative to running hardware and software in your data center or computer room

What is Cloud Computing?


You rent or subscribe to computing capability, rather than installing and running systems yourself

Everything from raw computing power to full-blown business applications can be delivered in this way. Most organizations that adopt cloud computing are likely to do so alongside their in-house systems

What is Cloud Computing?


Cloud computing involves pooling lots of hardware and software together and sharing it out to whoever needs it, on demand

Service providers offer public clouds, but IT departments can use the same technology to create private clouds

Introduction
Service providers, whether public or private, have the flexibility to change how the service is powered behind the scenes

Can help in terms of:


Cost reduction
Access to the latest technology
Ability to deal with changing requirements quickly

Can be introduced selectively to complement traditional in-house IT systems

Introduction
New ways of working and new architectures bring increasing levels of effectiveness to each succeeding generation of computer systems.

Virtualization enables higher efficiencies because more work can be packed into fewer devices
Improvements are being made in software engineering and computer operations, all aimed at creating more flexible systems

Cloud services
Business application services
Hosted productivity tools
Hosted communications and social tools
Trading community services
Plug-in services
Operational services
Application platform services
Utility services

Business application services


Deliver complete business functionality. Examples:
Customer Relationship Management (CRM) systems
Enterprise Resource Planning (ERP)

Hosted productivity tools


Deliver horizontal capability, ranging from desktop suites for end users through to modeling, development and project management tools for analysts and developers
They quite often enable multi-user collaboration

Hosted communications and social tools


Spearheaded initially by hosted email and web conferencing, the number of services offered in this area has exploded to include full unified communications and/or social tools such as directories, blogs, wikis and social networking

Trading community services


Facilitate the way in which customers and suppliers collaborate and transact electronically

Plug-in services
Application elements which plug into or combine with existing applications to enhance or extend them.

Examples:
Mapping
Credit card payment services
Credit checking

Operational services
Provide services concerned with the following:
Online backup
Archiving
Security (such as email filtering)
Full-blown monitoring and management tools

Application platform services


Provide development and runtime environments which enable organizations to build custom applications hosted online

Example: drupal.org

Utility services
Provide raw compute and storage resources to run your own software and store data

Cloud services
Cloud technology and services provide choice on how best to deliver flexible IT capability that blends internal and external resources, as well as bridging the gap between modern and traditional approaches to IT

Benefits
Improve IT responsiveness
Modernize and future-proof
Keep pace with work practice evolution
Reach out via the Web
Manage costs and resources
Address space and power constraints
Reduce risk and ensure compliance

Improve IT responsiveness
Application and plug-in services can boost IT responsiveness by short-cutting the development work and platform implementation requirements for new applications
Can also help IT to respond quickly and efficiently to fluctuations in demand

Modernize and future-proof


Keeping up with the pace of change in the technology industry can prove to be a competitive advantage; however, achieving this depends on a company's capability
Service providers can afford to invest in the latest technologies, which in turn can be made available to their customers

Keep pace with work practice evolution


Working practices are evolving in ways that lend themselves well to support from cloud services

The concept of remote access is a natural fit with increasingly popular home and mobile working, which can sometimes be quicker and more cost effective than in-house
Cloud services also become useful when activity crosses organizational boundaries, such as trading community services

Reach out via the Web


Many organizations deploy externally-facing applications to customers, trading partners, suppliers and so on

Infrastructure requirements (security, policy management, scalability, fluctuating demand, etc.) can be dramatically different from, and harder to handle than, those of in-house systems
Application platform services via cloud can be used to deal with such requirements

Manage costs and resources


Costs/benefits of cloud services depend on the service being implemented
Careful cost projection must be taken into consideration
Not all cloud services are a fit for an organization: what may come cheap to some may be expensive to others

Address space and power constraints


Organizations large and small find themselves outgrowing their computer rooms or seeing their electricity bills escalate

Utility services can help by reducing the requirement for local equipment and by working around the problems of accommodation, power consumption, and poor server utilization

Reduce risk and ensure compliance


A competent business service provider has security, backup, fault tolerance and recovery capabilities that are likely superior to anything that its customers can afford
When considering risk management and compliance, utilize operational services that are designed to work together with your internal structure

Benefits
Cloud computing can provide business benefits in a number of areas:
It can improve responsiveness
Enable you to scale to fluctuations in demand
Accelerate development work
Put the power of the latest technology to work for you
Extend your reach to customers, partners and out-of-office staff
Reduce your TCO (total cost of ownership)
Cut energy costs
Be more secure
Be environmentally friendly

Cloud Deployment Models


Private Clouds
External Clouds
  Public Cloud
  Community Cloud
Hybrid

Private Clouds
Adopting a cloud computing approach internally
Typically considered by businesses with a large-scale IT infrastructure that want to make better use of their hardware and software assets
Usually dedicated to an organization; may be managed by the organization or a third party and may exist on premise or off premise
Organizations deploying private clouds often do so utilizing virtualization technology within their own data centers

External Clouds
Require no up-front infrastructure investment
Can scale readily to fluctuations in demand and can serve users on the move or in other organizations

Public Cloud
Exists externally to its end user and is generally available with little restriction as to who may pay to use it
Most common are those accessed via the Internet
Made available to the general public or a large industry group and is owned by an organization selling cloud services

External Clouds
Community Clouds
Shared by several organizations and supports a specific community that has shared concerns; may be managed by the organization or a third party and may exist on premise or off premise
Allow multiple independent entities to gain the cost benefits of a shared non-public cloud while avoiding security and regulatory concerns that might be associated with a generic public cloud
Example: different government agencies that transact business with each other can have their processing collocated in a single facility

Hybrid
Infrastructure is a composition of two or more clouds that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability
Involves developing a private cloud and/or looking for external services in addition to the in-house services
Organizations weigh up practical, regulatory and risk-related considerations when choosing how to take advantage of cloud computing alongside their existing IT systems

Cloud Service Models


Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
IaaS is the foundation of all cloud services, with PaaS building upon IaaS and SaaS, in turn, building upon PaaS

Cloud Service Models


Infrastructure as a Service (IaaS)
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage and deployed applications, and possibly limited control of select networking components.

Infrastructure as a Service (IaaS)


Includes Hardware as a Service and Storage as a Service
A cloud-based substitute for major elements of your IT infrastructure
Often referred to as utility services
Useful when:
Short of space
Lower capital/operational cost
No maintenance required
Demands fluctuate

Cloud Service Models


Platform as a Service (PaaS)
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider.
The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Platform as a Service (PaaS)


Often referred to as application platform services
Enables you to grab resources on demand to prototype, test, pilot, and so on
Suited to deploying externally-facing applications on the web which require massive scalability and the ability to deal with highly fluctuating demand

Cloud Service Models


Software as a Service (SaaS)
The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure.
The applications are accessible from various client devices through a thin client interface such as a Web browser.
The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Software as a Service (SaaS)


Offers a range of application services:
Business application services such as CRM and ERP
Hosted productivity tools including desktop suites, modeling and project management
Hosted communications such as email, web conferencing and social tools
Trading community services, such as customer and supplier collaboration and transactions
Plug-in services such as mapping, credit card payments and credit checking
Operational services like backup, archiving and email filtering

Future trends

Trend No. 1: Consumerization - You Ain't Seen Nothing Yet


The consumerization of IT for the better part of a decade has seen its impact across various aspects of the corporate IT world. However, much of this has simply been a precursor to the major wave that is starting to take hold across all aspects of information technology as several key factors come together:
Users are more technologically savvy and have very different expectations of technology.
The internet and social media have empowered and emboldened users.
The rise of powerful, affordable mobile devices changes the equation for users.
Users have become innovators.
Through the democratization of technology, users of all types and status within organizations can now have similar technology available to them.

Trend No. 2: Virtualization - Changing How the Game Is Played


Virtualization has improved flexibility and increased the options for how IT organizations can implement client environments.

Trend No. 3: App-ification - From Applications to Apps


When the way that applications are designed, delivered and consumed by users changes, it has a dramatic impact on all other aspects of the market

Trend No. 4: The Ever-Available Self-Service Cloud


The advent of the cloud for servicing individual users opens a whole new level of opportunity. Every user can now have a scalable and nearly infinite set of resources available for whatever they need to do

Trend No. 5: The Mobility Shift - Wherever and Whenever You Want
Today, mobile devices combined with the cloud can fulfill most computing tasks, and any tradeoffs are outweighed in the minds of the user by the convenience and flexibility provided by the mobile devices

Personal Cloud
A small server in a home or small business network that can be accessed over the Internet. Designed for sharing photos and videos, personal clouds enable viewing and streaming from any Internet-connected personal computer and quite often from major smartphones.

Although personal clouds function in a similar manner to any private cloud set up in a company, their primary feature is easy installation for the average personal computer user.

Personal cloud
In this new world, the specifics of devices will become less important for the organization to worry about. Users will use a collection of devices, with the PC remaining one of many options, but no one device will be the primary hub, making way for the personal cloud. Access to the cloud and the content stored or shared in the cloud will be managed and secured, rather than solely focusing on the device itself.

Semantic Technology
In software, semantic technology encodes meanings separately from data and content files, and separately from application code.

This enables machines as well as people to understand, share and reason with them at execution time. With semantic technologies, adding, changing and implementing new relationships or interconnecting programs in a different way can be just as simple as changing the external model that these programs share.

Semantic Technology
Semantic technologies are meaning centered. They include tools for:
autorecognition of topics and concepts
information and meaning extraction
categorization

Given a question, semantic technologies can directly search topics, concepts, associations that span a vast number of sources.

Semantic technology
Semantic technologies provide an abstraction layer above existing IT technologies that enables bridging and interconnection of data, content, and processes. From the portal perspective, semantic technologies can be thought of as a new level of depth that provides far more intelligent, capable, relevant, and responsive interaction than with information technologies alone.

Semantic Web
The Semantic Web provides a common framework that allows data to be shared and reused across application, enterprise, and community boundaries
The Semantic Web aims at converting the current web, dominated by unstructured and semi-structured documents, into a "web of data"
The main purpose of the Semantic Web is driving the evolution of the current Web by enabling users to find, share, and combine information more easily
The Semantic Web is regarded as an integrator across different content, information applications and systems. It has applications in publishing, blogging, and many other areas

Web 3.0
Content is created by the Web itself: an emergent consciousness from within the Web, capable of creating new content and applications
Allows discovery of documents by topic-centric browsing rather than by searching, enabling real-time information dissemination in many contexts using many different applications

Web 3.0
Focus:
Products and services will leverage semantic technology
Social networks will adopt semantic technology
Mobile computing
Commoditization of search technology and private search engines
Cloud computing
Comet/HTML5
Offline computing
Client-side database

Managing Information Resources, Security and Ethics


Chapter 8a

Learning Objectives

Recognize the difficulties in managing information resources.
Understand the role of the IS department and its relationships with end users.
Discuss the role of the chief information officer.
Recognize information systems vulnerability, attack methods, and the possible damage from malfunctions.
Describe the major methods of defending information systems.
Describe the security issues of the Web and electronic commerce.
Describe business continuity and disaster recovery planning.
Understand the economics of security and risk management.
Understand the IT code of ethics.

The IS Department
IT resources are very diversified; they include personnel assets, technology assets, and IT relationship assets. The management of information resources is divided between the information services department (ISD) and the end users. The division of responsibility depends on many factors.

The reporting relationship of the ISD is important in that it reflects the focus of the department. If the ISD reports to the accounting or finance areas, there is often a tendency to emphasize accounting or finance applications at the expense of those in the marketing, production, and logistics areas. The name of the ISD is also important; common names include:
Data Processing (DP) Department
Management Information Systems (MIS) Department
Information Systems Department (ISD)
Another important characteristic is the status of the ISD.

The End-User Relationship


Since the ISD is a service organization that manages the IT infrastructure needed to carry on end-user IT applications, it is extremely important to have a good relationship with the end users. The development of end-user computing and outsourcing was motivated in part by the poor service that end users felt they received. However, this is not an easy task, since the ISD is basically a technical organization that may not understand the business and the users, while the users may not understand information technologies.

To improve collaboration, the ISD and end users may employ three common arrangements:
the steering committee
service-level agreements
the information center

The End-User Relationship - continued


Four ISD approaches to end-user computing
1. Let them sink or swim. Don't do anything; let the end user beware.
2. Use the stick. Establish policies and procedures to control end-user computing so that corporate risks are minimized, and try to enforce them.
3. Use the carrot. Create incentives to encourage certain end-user practices that reduce organizational risks.
4. Offer support. Develop services to aid end users in their computing activity.

The CIO (Chief Information Officer)


Managing the ISD is similar to managing any other organizational unit. The unique aspect of the ISD is that it operates as a service department in a rapidly changing environment, thus making the department's projections and planning difficult.

The changing role of the ISD highlights the fact that the CIO is becoming an important member of the firm's top management team. This reflects the realization of the need for IT-related disaster planning and of the importance of IT to the firm's activities. Key aspects of the CIO's role:
Aligning IT with the business strategy
Implementing state-of-the-art solutions
Providing information access
Being a business visionary who drives business strategy
Coordinating resources

The Transition Environment

IS Vulnerability
Information resources (physical resources, data, software, procedures, and other information resources) are scattered throughout the firm. Information is transmitted to and from the firm's components. Therefore vulnerabilities exist at many points and at any time.

IS Vulnerability

IT Security Terms

System Vulnerability

A universal vulnerability is a state in a computing system which either:
allows an attacker to execute commands as another user;
allows an attacker to access data that is contrary to the access restrictions for that data;
allows an attacker to pose as another entity; or
allows an attacker to conduct a denial of service.
An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:
allows an attacker to conduct information gathering activities;
allows an attacker to hide activities;
includes a capability that behaves as expected, but can be easily compromised;
is a primary point of entry that an attacker may attempt to use to gain access to the system or data; and
is considered a problem according to some reasonable security policy.

System Vulnerability Continued


The vulnerability of information systems is increasing as we move to a world of networked and especially wireless computing. Theoretically, there are hundreds of points in a corporate information system that can be subject to some threats.

These threats can be classified as:

Unintentional
Human errors
Environmental hazards
Computer system failures
Theft of data
Inappropriate use of data

Intentional
Theft of mainframe computer time
Theft of equipment and/or programs

System Vulnerability Continued


Intentional (continued)
Deliberate manipulation in handling, entering, processing, transferring and programming data
Labor strikes
Riots
Sabotage
Malicious damage to computer resources
Destruction from viruses and similar attacks
Miscellaneous computer abuses
Internet fraud
Terrorist attacks

Programming Attack

Protecting Information Resources


Information security problems are increasing rapidly, causing damage to many organizations. Protection is expensive and complex. Therefore, companies must not only use controls to prevent and detect security problems, they must do so in an organized manner. An approach similar to TQM (total quality management) would have the following characteristics:

Aligned. The program must be aligned with organizational goals.
Enterprise wide. Everyone in the organization must be included.
Continuous. The program must be operational all the time.
Proactive. Use innovative, preventive, and protective measures.
Validated. The program must be tested to ensure it works.
Formal. It must include authority, responsibility and accountability.

Corporate Security Plan

Difficulties

Defense Strategy
Knowing about potential threats to IS is necessary, but understanding ways to defend against these threats is equally critical. Because of its importance to the entire enterprise, organizing an appropriate defense system is one of the major activities of the CIO. It is accomplished by inserting controls (defense mechanisms) and developing awareness.

The major objectives of a defense strategy are:
1. Prevention and deterrence
2. Detection
3. Limitation of damage
4. Recovery
5. Correction
6. Awareness and compliance

Defense Strategy
Any defense strategy involves the use of several controls. These controls are divided into two categories: general controls, which protect the system regardless of the specific application, and application controls, which safeguard specific applications.

General

Application

Defense Strategy Biometric

Defense Strategy Internet Security


The major objective of border security is access control. This is followed by authentication (proof of identity) and finally authorization, which determines the actions or activities a user is allowed to perform.
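The three ordered checks described above, as an added example (not code from the lecture); the networks, user names, passwords and roles are constructed placeholders. A request that fails access control never has its credentials examined, an authenticated user can still be refused an action, and every decision is written to an audit record so that an auditor can later verify the controls are working as intended.

```python
"""Border security as three ordered checks (added example, not from the lecture):
access control on the request's origin, then authentication, then authorization
of the requested action. Every decision is appended to an audit record."""
import hashlib
import hmac
import ipaddress
import os

# Constructed policy: only these networks may reach the border at all.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]

# Constructed role model: the actions each role may perform.
ROLE_PERMISSIONS = {
    "analyst": {"read_report"},
    "admin": {"read_report", "change_config"},
}

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow password hash; plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(role: str, password: str) -> dict:
    salt = os.urandom(16)  # fresh salt per user
    return {"role": role, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user store; names and passwords are placeholders.
USERS = {
    "alice": make_user("analyst", "correct horse"),
    "bob": make_user("admin", "battery staple"),
}
_DUMMY_SALT = os.urandom(16)  # so unknown users cost the same time as known ones

# Audit trail of (user, action, layer that decided, outcome)
AUDIT_LOG: list[tuple[str, str, str, str]] = []


def border_check(src_ip: str, user: str, password: str, action: str) -> bool:
    """Return True only if all three layers pass, in the order the lecture gives."""
    addr = ipaddress.ip_address(src_ip)

    # Layer 1: access control. Requests from outside the permitted networks
    # are refused before any credential is looked at.
    if not any(addr in net for net in ALLOWED_NETWORKS):
        AUDIT_LOG.append((user, action, "access_control", "denied"))
        return False

    # Layer 2: authentication (proof of identity). The hash is always computed
    # and compared in constant time, so response timing does not reveal
    # whether the user exists or how much of the hash matched.
    record = USERS.get(user)
    candidate = hash_password(password, record["salt"] if record else _DUMMY_SALT)
    if record is None or not hmac.compare_digest(record["hash"], candidate):
        AUDIT_LOG.append((user, action, "authentication", "denied"))
        return False

    # Layer 3: authorization. An authenticated user may still be refused an
    # action that its role does not permit.
    if action not in ROLE_PERMISSIONS.get(record["role"], set()):
        AUDIT_LOG.append((user, action, "authorization", "denied"))
        return False

    AUDIT_LOG.append((user, action, "authorization", "allowed"))
    return True


if __name__ == "__main__":
    print(border_check("10.1.2.3", "alice", "correct horse", "read_report"))    # True
    print(border_check("10.1.2.3", "alice", "correct horse", "change_config"))  # False
    for entry in AUDIT_LOG:
        print(entry)
```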

Security Layers

Business Continuity
An important element in any security system is the business continuity plan, also known as the disaster recovery plan. Such a plan outlines the process by which businesses should recover from a major disaster.

The purpose of a business continuity plan is to keep the business running after a disaster occurs.
Recovery planning is part of asset protection. Planning should focus on recovery from a total loss of all capabilities.

Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.
All critical applications must be identified and their recovery procedures addressed.

The plan should be written so that it will be effective in case of disaster.

Business Continuity continued


The plan should be kept in a safe place; copies should be given to all key managers; or it should be available on the Intranet and the plan should be audited periodically.

One of the most logical ways to deal with loss of data is to back it up. A business continuity plan should include backup arrangements where all copies of important files are kept offsite.

Auditing
Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task.

There are two types of auditors:


An internal auditor is usually a corporate employee who is not a member of the ISD. An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit.

There are two types of audits.


The operational audit determines whether the ISD is working properly. The compliance audit determines whether controls have been implemented properly and are adequate.

Risk Management
It is usually not economical to prepare protection against every possible threat. Therefore, an IT security program must provide a process for assessing threats and deciding which ones to prepare for and which ones to ignore.

Risk Management

IT Security Trends
Increasing the reliability of systems
Self-healing computers
Intelligent systems for early intrusion detection
Intelligent systems in auditing and fraud detection
Artificial intelligence in biometrics
Expert systems for diagnosis, prognosis, and disaster planning
Smart cards

MANAGERIAL ISSUES
To whom should the IS department report? This issue is related to the degree of IS decentralization and to the role of the CIO. Having the IS department reporting to a functional area may introduce biases in providing IT priorities to that functional area, which may not be justifiable. Having the IS report to the CEO is very desirable.

Who needs a CIO? This is a critical question that is related to the role of the CIO as a senior executive in the organization. Giving a title without authority can damage the ISD and its operation. Asking the IS director to assume a CIO's responsibility, but not giving the authority and title, can be just as damaging. Any organization that is heavily dependent on IT should have a CIO.

End users are friends, not enemies, of the IS department. The relationship between end users and the ISD can be very delicate. In the past, many ISDs were known to be insensitive to end-user needs. This created a strong desire for end-user independence, which can be both expensive and ineffective. Successful companies develop a climate of cooperation and friendship between the two parties.

Ethical issues. The reporting relationship of the ISD can result in some unethical behavior. For example, if the ISD reports to the finance department, the finance department will have access to information about individuals or other departments that could be misused.

MANAGERIAL ISSUES Continued

Responsibilities for security should be assigned in all areas. The more organizations use the Internet, extranets, and intranets, the greater are the security issues. It is important to make sure that employees know who is responsible and accountable for what information and that they understand the need for security control. The vast majority of information resources is in the hands of end users. Therefore, functional managers must understand and practice IT security management and other proper asset management tasks.

Security awareness programs are important for any organization, especially if it is heavily dependent on IT. Such programs should be corporate wide and supported by senior executives. In addition, monitoring security measures and ensuring compliance with administrative controls are essential to the success of any security plan. For many people, following administrative controls means additional work, which they prefer not to do.

Auditing information systems should be institutionalized into the organizational culture. Organizations should audit IS because it can save considerable amounts of money. Conversely, over-auditing is not cost-effective.

MANAGERIAL ISSUES Continued

Multinational corporations. Organizing the ISD in a multinational corporation is a complex issue. Some organizations prefer a complete decentralization, having an ISD in each country or even several ISDs in one country. Others keep a minimum of centralized staff. Some companies prefer a highly centralized structure. Legal issues, government constraints, and the size of the IS staff are some factors that determine the degree of decentralization.

Sarbanes-Oxley. The Sarbanes-Oxley Act, according to the CSI/FBI survey (Gordon et al., 2004), is having a major impact on IT, especially in the financial, utility, and telecommunications sectors (see Minicase 2).

What is Ethics?
Ethics
Set of beliefs about right and wrong behavior

Ethical behavior
Conforms to generally accepted social norms

Doing what is ethical can be difficult

Improving Corporate Ethics


Unethical behavior has led to serious negative consequences that have had a global impact
Failure of major corporations like Enron and WorldCom due to accounting scandals
Collapse of many financial institutions due to unwise and unethical decision making

Organizations today recognize the need to take action to ensure that their employees operate in an ethical manner when using technology

Appointing a Corporate Ethics Officer


Corporate ethics
Includes ethical conduct, legal compliance, and corporate social responsibility

Corporate ethics officer


Senior-level manager
Provides vision and direction in the area of business conduct

Corporation will place a higher emphasis on ethics policies following a major scandal within the organization

Ethical Standards Set by Board of Directors


Board of directors
Responsible for supervising the management team
Expected to conduct themselves according to the highest standards of personal and professional integrity
Set the standard for company-wide ethical conduct and ensure compliance with laws and regulations

Establishing a Corporate Code of Ethics


Code of ethics
Highlights an organization's key ethical issues
Identifies the overarching values and principles that are important to the organization

Formal, written statements about:


Purpose of the organization
Values
Principles that guide its employees' actions

Develop with employee participation
Fully endorsed by the organization's leadership

Establishing a Corporate Code of Ethics (continued)

Requiring Employees to Take Ethics Training


Company's code of ethics must be promoted and continually communicated within the organization
From top to bottom

Comprehensive ethics education program


Small workshop formats

Existence of formal training programs


Can reduce a company's liability in the event of legal action

Including Ethical Criteria in Employee Appraisals


Employees evaluated on their demonstration of qualities and characteristics highlighted in the corporate code of ethics
Considered along with more traditional criteria used in performance appraisals

IT Code of Conduct

RFC 1087
In January 1989, the Internet Architecture Board (IAB), in RFC 1087, defined an activity as unethical and unacceptable if it:
1. Seeks to gain unauthorized access to the resources of the Internet.
2. Disrupts the intended use of the Internet.
3. Wastes resources (people, capacity, computer) through such actions.
4. Destroys the integrity of computer-based information, or
5. Compromises the privacy of users (RFC 1087, 1989).

The Code of Fair Information Practices


The Code of Fair Information Practices is based on five principles outlining the requirements for record-keeping systems. It was implemented in 1973 by the U.S. Department of Health, Education and Welfare.
1. There must be no personal data record-keeping systems whose very existence is secret.
2. There must be a way for a person to find out what information about the person is in a record and how it is used.
3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent.
4. There must be a way for a person to correct or amend a record of identifiable information about the person.
5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data (Harris, 2003).

(ISC)2 Code of Ethics


(ISC)2, an organization committed to the certification of computer security professionals, has further defined its own Code of Ethics, generally as:
1. Act honestly, justly, responsibly, and legally, and protect the commonwealth.
2. Work diligently and provide competent services, and advance the security profession.
3. Encourage the growth of research; teach, mentor, and value the certification.
4. Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures.
5. Observe and abide by all contracts, expressed or implied, and give prudent advice.
6. Avoid any conflict of interest, respect the trust that others put in you, and take on only those jobs you are qualified to perform.
7. Stay current on skills, and do not become involved with activities that could injure the reputation of other security professionals.

(Harris, 2003)

Computer Security Risks


Chapter 8b

Computer Security Risks


What is a computer security risk?

Action that causes loss of or damage to computer system

Computer Viruses, Worms, and Trojan Horses

What are viruses, worms, and Trojan horses?


Virus is a potentially damaging computer program
Worm copies itself repeatedly, using up resources and possibly shutting down computer or network
Trojan horse hides within or looks like legitimate program until triggered
Does not replicate itself on other computers
Payload (destructive event) is delivered when you open file, run infected program, or boot computer with infected disk in disk drive

Can spread and damage files

Computer Viruses, Worms, and Trojan Horses
How can a virus spread through an e-mail message?

Step 1. Unscrupulous programmers create a virus program. They hide the virus in a Word document and attach the Word document to an e-mail message.

Step 2. They use the Internet to send the e-mail message to thousands of users around the world.

Step 3a. Some users open the attachment and their computers become infected with the virus.

Step 3b. Other users do not recognize the name of the sender of the e-mail message. These users do not open the e-mail message. Instead they delete the e-mail message. These users' computers are not infected with the virus.

Computer Viruses, Worms, and Trojan Horses
How can you protect your system from a macro virus?

Set macro security level in applications that allow you to write macros
At medium security level, warning displays that document contains macro
Macros are instructions saved in an application, such as word processing or spreadsheet program

Computer Viruses, Worms, and Trojan Horses

What is an antivirus program?


Identifies and removes computer viruses Most also protect against worms and Trojan horses

Computer Viruses, Worms, and Trojan Horses

What is a virus signature?


Specific pattern of virus code


Also called virus definition

Antivirus programs look for virus signatures

Computer Viruses, Worms, and Trojan Horses

How does an antivirus program inoculate a program file?


Records information about program such as file size and creation date
Uses information to detect if virus tampers with file
Attempts to remove any detected virus
Quarantines infected files that it cannot remove
Keeps file in separate area of hard disk
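The signature lookup and the inoculation record described in the two slides above, as an added example in Python (not code from the original slides). The byte patterns in SIGNATURES and the file contents are constructed for the demo; the hash is what decides tampering, since size and timestamp alone are easy to fake.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed demo "virus definitions": a name and the specific byte sequence
# the scanner looks for. Made up for this example, not real signatures.
SIGNATURES = {
    "DEMO-A": b"\x90\x90\xeb\xfe",
    "DEMO-B": b"EVIL_MACRO_MARKER",
}


def scan_for_signatures(path):
    """Return the names of every signature whose byte pattern occurs in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def inoculate(path):
    """Record size, modification time and a content hash of a file while it
    is believed to be clean; this is the 'inoculation' record."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": digest}


def tampered(path, record):
    """True if the file no longer matches its inoculation record. Size and
    mtime are cheap hints only; the hash decides, because an infector can
    pad the file back to its old size and restore the timestamp."""
    return inoculate(path)["sha256"] != record["sha256"]


def quarantine(path, quarantine_dir):
    """Move an infected file to a separate area instead of deleting it."""
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    return dest


def check_file(path, record, quarantine_dir):
    """One pass over a file: 'clean', 'tampered' (changed, but matching no
    known signature) or 'quarantined:<signature names>'."""
    hits = scan_for_signatures(path)
    if hits:
        quarantine(path, quarantine_dir)
        return "quarantined:" + ",".join(hits)
    if tampered(path, record):
        return "tampered"
    return "clean"


def demo():
    """Run the scenario in a temporary directory and return the three verdicts."""
    with tempfile.TemporaryDirectory() as d:
        prog, qdir = os.path.join(d, "app.bin"), os.path.join(d, "quarantine")
        with open(prog, "wb") as f:
            f.write(b"clean program bytes " * 8)   # constructed "program"
        record = inoculate(prog)
        first = check_file(prog, record, qdir)      # untouched: clean
        with open(prog, "ab") as f:                  # modification, no known pattern
            f.write(b"\x00patched")
        second = check_file(prog, record, qdir)     # tampered
        with open(prog, "ab") as f:                  # a known pattern appears
            f.write(SIGNATURES["DEMO-B"])
        third = check_file(prog, record, qdir)      # quarantined:DEMO-B
        return first, second, third
```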

Computer Viruses, Worms, and Trojan Horses


What are some tips for preventing virus, worm, and Trojan horse infections?
Set the macro security in programs so you can enable or disable macros
If the antivirus program flags an e-mail attachment as infected, delete the attachment immediately
Install an antivirus program on all of your computers
Never open an e-mail attachment unless you are expecting it and it is from a trusted source

Check all downloaded programs for viruses, worms, or Trojan horses

Install a personal firewall program

Computer Viruses, Worms, and Trojan Horses

What is a denial of service attack and back door?


A denial of service attack is an assault which disrupts computer access to an Internet service such as the Web or e-mail

A back door is a program or set of instructions in a program that allows users to bypass security controls when accessing a computer resource

Computer Viruses, Worms, and Trojan Horses

What is spoofing?
Makes a network or Internet transmission appear legitimate

IP spoofing occurs when an intruder computer fools a network into believing its IP address is from a trusted source
Perpetrators of IP spoofing trick their victims into interacting with a phony Web site

Computer Viruses, Worms, and Trojan Horses

What is a firewall?

Security system consisting of hardware and/or software that prevents unauthorized intrusion

Computer Viruses, Worms, and Trojan Horses

What is a personal firewall utility?


Program that protects personal computer and its data from unauthorized intrusions
Monitors transmissions to and from computer
Informs you of attempted intrusion

Unauthorized Access and Use


How can companies protect against hackers?
Intrusion detection software analyzes network traffic, assesses system vulnerabilities, and identifies intrusions and suspicious behavior
Access control defines who can access computer and what actions they can take

Audit trail records access attempts

Unauthorized Access and Use


What are other ways to protect your personal computer?

Disable file and printer sharing on Internet connection

File and printer sharing turned off

Unauthorized Access and Use


What is a user name?

Unique combination of characters that identifies user
Password is private combination of characters associated with the user name that allows access to computer resources

Unauthorized Access and Use


How can you make your password more secure?

Longer passwords provide greater security

Unauthorized Access and Use


What is a possessed object?

Item that you must carry to gain access to computer or facility
Often used with numeric password called personal identification number (PIN)

Unauthorized Access and Use


What is a biometric device?

Authenticates person's identity using personal characteristic

Fingerprint, hand geometry, voice, signature, and iris

Hardware Theft and Vandalism


What are hardware theft and hardware vandalism?

Hardware theft is act of stealing computer equipment


Cables sometimes used to lock equipment
Some notebook computers use passwords, possessed objects, and biometrics as security methods
For PDAs, you can password-protect the device

Hardware vandalism is act of defacing or destroying computer equipment

Software Theft
What is software theft?
Act of stealing or illegally copying software or intentionally erasing programs
Software piracy is illegal duplication of copyrighted software

Software Theft
What is a license agreement?

Right to use software
Single-user license agreement allows user to install software on one computer, make backup copy, and sell software after removing from computer

Software Theft
What are some other safeguards against software theft?
Product activation allows user to input product identification number online or by phone and receive unique installation identification number

Business Software Alliance (BSA) promotes better understanding of software piracy problems

Information Theft
What is encryption?

Safeguards against information theft
Process of converting plaintext (readable data) into ciphertext (unreadable characters)
Encryption key (formula) often uses more than one method
To read the data, the recipient must decrypt, or decipher, the data

Internet Security Risks


How do Web browsers provide secure data transmission?

Many Web browsers use encryption

Secure site is Web site that uses encryption to secure data


Digital certificate is notice that guarantees Web site is legitimate

Internet Security Risks


What is a certificate authority (CA)?

Authorized person or company that issues and verifies digital certificates Users apply for digital certificate from CA

Internet Security Risks


What is Secure Sockets Layer (SSL)?

Provides encryption of all data that passes between client and Internet server
Web addresses beginning with https indicate secure connections

System Failure
What is a system failure?
Prolonged malfunction of computer
Can cause loss of hardware, software, or data

Caused by aging hardware, natural disasters, or electrical power disturbances


Noise: unwanted electrical signal
Undervoltage: drop in electrical supply
Overvoltage or power surge: significant increase in electrical power

System Failure
What is a surge protector?

Protects computer and equipment from electrical power disturbances
Uninterruptible power supply (UPS) is surge protector that provides power during power loss

Backing Up The Ultimate Safeguard


What is a backup?
Duplicate of file, program, or disk
Three-generation backup preserves three copies of important files

Full backup all files in computer

Selective backup select which files to back up

In case of system failure or corrupted files, restore files by copying to original location
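The three-generation rotation, full versus selective backup, and restore-by-copying described above, as an added Python example (not code from the original slides). Directory names gen1 to gen3 and the sample files are constructed for the demo; it also shows the caveat that a selective generation can only restore the files it holds.

```python
import os
import shutil
import tempfile

GENERATIONS = ("gen1", "gen2", "gen3")  # newest to oldest (constructed names)


def rotate(backup_root):
    """Age every copy by one generation; the oldest of the three is dropped."""
    oldest = os.path.join(backup_root, GENERATIONS[-1])
    if os.path.isdir(oldest):
        shutil.rmtree(oldest)
    for i in range(len(GENERATIONS) - 1, 0, -1):     # gen2->gen3, then gen1->gen2
        src = os.path.join(backup_root, GENERATIONS[i - 1])
        if os.path.isdir(src):
            os.rename(src, os.path.join(backup_root, GENERATIONS[i]))


def backup(src_dir, backup_root, only=None):
    """Full backup (only=None) or selective backup of the given relative paths.
    The fresh copy becomes gen1 after the older copies have been rotated."""
    os.makedirs(backup_root, exist_ok=True)
    rotate(backup_root)
    dest = os.path.join(backup_root, GENERATIONS[0])
    if only is None:
        shutil.copytree(src_dir, dest)
    else:
        for rel in only:
            target = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(os.path.join(src_dir, rel), target)
    return dest


def restore(backup_root, generation, dest_dir):
    """Copy a generation back over the original location. A selective
    generation only restores the files it actually contains."""
    shutil.copytree(os.path.join(backup_root, generation), dest_dir, dirs_exist_ok=True)


def contents(directory):
    """Sorted (relative path, text) pairs, used to inspect a generation."""
    out = []
    for root, _, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            with open(p) as f:
                out.append((os.path.relpath(p, directory), f.read()))
    return sorted(out)


def demo():
    """Full, selective and full backups, a restore after corruption, then one
    more full backup that pushes the first copy out of the rotation."""
    with tempfile.TemporaryDirectory() as d:
        data, root = os.path.join(d, "data"), os.path.join(d, "backups")
        os.makedirs(data)
        for name in ("a.txt", "b.txt"):             # constructed sample files
            with open(os.path.join(data, name), "w") as f:
                f.write("v1")
        backup(data, root)                          # full copy -> gen1
        with open(os.path.join(data, "a.txt"), "w") as f:
            f.write("v2")
        backup(data, root, only=["a.txt"])          # selective -> gen1, full -> gen2
        with open(os.path.join(data, "a.txt"), "w") as f:
            f.write("corrupt")                      # simulated corruption
        restore(root, "gen1", data)                 # brings a.txt back to v2
        after_restore = contents(data)
        backup(data, root)                          # full -> gen1, selective -> gen2
        backup(data, root)                          # first full copy is dropped
        return after_restore, contents(os.path.join(root, "gen2")), contents(os.path.join(root, "gen3"))
```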

Wireless Security
How can I ensure my wireless communication is secure?

Secure your wireless access point (WAP)
WAP should not broadcast your network name
Enable Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA)

Perpetrators

Defensive Measures
Risk assessment
Organization's review of potential threats to its computers and networks
Identify which investments of time and resources will best protect the organization from its most likely and serious threats
Reasonable assurance
Managers must use their judgment to ensure that the cost of control does not exceed the system's benefits or the risks involved

Establishing a Security Policy


Security policy
Defines an organization's security requirements
Defines controls and sanctions needed to meet those requirements

National Institute of Standards and Technology (NIST)


Computer Security Division

Automated system rules should mirror an organizations written policies

Establishing a Security Policy (continued)


E-mail attachments
Critical security issue

Virtual private network (VPN)


Uses the Internet to relay communications
Maintains privacy through security procedures and tunneling protocols

Educating Employees, Contractors, and Part-Time Workers


Must be educated about the importance of security
Discuss recent security incidents

Protect an organizations information systems and data by:


Guarding their passwords
Applying strict access controls
Reporting all unusual activity to the organization's IT security group

Prevention
Installing a corporate firewall
Established through the use of software, hardware, or a combination of both
Can lead to complacency

Intrusion prevention systems


Prevent an attack by blocking viruses, malformed packets, and other threats from getting into the company network

Prevention (continued)
Installing antivirus software on personal computers
Virus signature
Specific sequence of bytes

United States Computer Emergency Response Team (US-CERT)


Most of the virus and worm attacks that the team analyzes use already known programs
Crucial that antivirus software be updated continually with the latest virus detection information

Prevention (continued)
Implementing safeguards against attacks by malicious insiders
IT staff must delete the computer accounts, login IDs, and passwords of departing employees
Create roles and user accounts so that users have the authority to perform their responsibilities and no more

Prevention (continued)
Addressing the most critical Internet security threats
Overwhelming majority of successful computer attacks are made possible by taking advantage of well-known vulnerabilities
SANS (System Administration, Networking, and Security) Institute and US-CERT regularly update a summary of the most frequent, high-impact vulnerabilities

Prevention (continued)
Conducting periodic IT security audits
Evaluate whether an organization has a well-considered security policy in place and if it is being followed
Test system safeguards
Federal Computer Security Report Card

Prevention (continued)

Detection
Intrusion detection system
Software and/or hardware
Monitors system and network resources and activities and notifies network security personnel when it identifies possible intrusions
Different approaches to intrusion detection
Knowledge-based approaches
Behavior-based approaches
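The two intrusion detection approaches named above, as an added Python example (not code from the original slides), run over constructed web-server log lines. The knowledge-based detector matches known attack patterns; the behavior-based one learns a normal per-source request rate from a baseline period and flags deviations; each catches something the other cannot.

```python
import re
import statistics
from collections import Counter

# Constructed log lines: "<second> <source-ip> <request-path> <status>".
# Thirty seconds of known-good traffic are used to learn what "normal" looks like.
BASELINE_LOG = [f"{t} 10.0.0.{1 + t % 3} /index.html 200" for t in range(30)]
# Live traffic: the same kind of requests, plus two probes that match known
# patterns and a burst of 40 requests in one second from a single source.
LIVE_LOG = (BASELINE_LOG[:15]
            + ["15 10.0.0.9 /../../etc/passwd 404",
               "16 10.0.0.9 /login?user=admin'-- 200"]
            + [f"17 10.0.0.7 /search?q={i} 200" for i in range(40)])

# Knowledge-based detection: patterns of attack techniques that are already known.
KNOWN_BAD = {
    "directory traversal": re.compile(r"\.\./"),
    "sql comment marker": re.compile(r"'--"),
}


def parse(line):
    sec, ip, path, status = line.split(" ", 3)
    return int(sec), ip, path, int(status)


def knowledge_based(lines):
    """Alert on every request whose path matches a known attack pattern."""
    alerts = []
    for line in lines:
        _, ip, path, _ = parse(line)
        for name, pattern in KNOWN_BAD.items():
            if pattern.search(path):
                alerts.append((ip, name))
    return alerts


def requests_per_source_second(lines):
    return Counter((ip, sec) for sec, ip, _, _ in map(parse, lines))


def learn_baseline(lines):
    """Behaviour-based detection, step 1: learn the normal request rate
    (mean and standard deviation of requests per source per second)."""
    rates = list(requests_per_source_second(lines).values())
    return statistics.mean(rates), statistics.pstdev(rates)


def behavior_based(lines, baseline, k=3.0):
    """Step 2: flag any source whose rate in some second exceeds mean + k*sd.
    The spread is floored at 1 so a perfectly flat baseline still leaves a band."""
    mean, sd = baseline
    threshold = mean + k * max(sd, 1.0)
    counts = requests_per_source_second(lines)
    return sorted({(ip, "rate anomaly") for (ip, _), n in counts.items() if n > threshold})


def run():
    """Both detectors over the live log. The probes have a normal rate, so only
    the signature detector sees them; the burst matches no signature, so only
    the rate detector sees it."""
    baseline = learn_baseline(BASELINE_LOG)
    return knowledge_based(LIVE_LOG), behavior_based(LIVE_LOG, baseline)
```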

Response
Primary goal
Regain control and limit damage
Not to attempt to monitor or catch an intruder

Incident notification
Define who to notify and who not to notify

Protecting evidence and activity logs


Document all details of a security incident

Incident containment
Act quickly to contain an attack

Response (continued)
Eradication
Collect and log all possible criminal evidence from the system
Verify that all necessary backups are current
Create a forensic disk image of each compromised system
Keep a log of all actions taken

Response (continued)
Incident follow-up
Determine how the organization's security was compromised
Develop an estimate of the monetary damage
Determine amount of effort that should be put into capturing the perpetrator
