Web 2.0
Introduction
The collaborative nature of the Internet is not new: people share pictures, send instant messages and post videos on different sites, whether for educational value or simply for entertainment. Introduced in 2004, the term Web 2.0 has become part of our social and professional lives. One important aspect of Web 2.0 is the staggering number of Web 2.0 products and services that can be found on the Internet.
Definition
Web 2.0 can be defined as "the business revolution in the computer industry caused by the move to the internet as platform, and an attempt to understand the rules for success on that new platform. Chief among those rules is this: Build applications that harness network effects and get better, the more people use them." (Tim O'Reilly, 2007)
Definition
Heavily oriented toward content generation by people who collaborate and share their content and information. Examples:
Blogs
Wikis
Social networks
Web 2.0
Allows interaction with active, real-time content created by interactions between users: a dynamic and interactive web
HTML vs Ajax
HTML pages initially contained read-only content, regardless of whether the content was static (i.e. a file on the file system of a server) or dynamically generated prior to rendering the content in a browser. Web 2.0 removes the read-only content restriction from Web 1.0, enabling people to collaborate by dynamically updating, creating and sharing content with other users.
HTML vs Ajax
Updating an HTML page in Web 1.0 means the entire web page must be submitted to the web server and re-rendered
Web 2.0 uses Ajax (asynchronous JavaScript and XML) to fetch and modify only the portions of the web page that need to change, offering a more seamless user experience
Collective intelligence
Web 2.0 is all about harnessing collective intelligence, which can be defined as crowdsourcing: a large group of people creates a collective work whose value far exceeds that provided by any individual participant
Mash-ups
Software services that enable users and system developers to mix and match content or software components to create something entirely new. Example: Flickr combines photos with other information about the images provided by users, and provides tools that make them usable within other programming environments
Wikis
From the Hawaiian word for quick. Collaborative Web sites where visitors can add, delete, or modify content on the site, including the work of previous authors
Blogs
Popular term for a Weblog: an informal yet structured Web site where subscribing individuals can publish stories, opinions, and links to other Web sites of interest
Homework
Write a comparative analysis of the latest search engines (Bing, Hakia, Yebol) by researching the following criteria: 1. Search result accuracy 2. User interface 3. Content management
Cloud computing
Everything from raw computing power to full-blown business applications can be delivered in this way. Most organizations that adopt cloud computing are likely to do so alongside their in-house systems
Service providers offer public clouds, but IT departments can use the same technology to create private clouds
Introduction
Service providers, whether public or private, have the flexibility to change how the service is powered behind the scenes
Introduction
New ways of working and new architectures bring increasing levels of effectiveness to each succeeding generation of computer systems.
Virtualization enables higher efficiencies because more work can be packed into fewer devices. Improvements are being made in software engineering and computer operations, all aimed at creating more flexible systems
Cloud services
Business application services
Hosted productivity tools
Hosted communications and social tools
Trading community services
Plug-in services
Operational services
Application platform services
Utility services
Plug-in services
Application elements which plug into or combine with existing applications to enhance or extend them.
Examples:
Mapping
Credit card payment services
Credit checking
Operational services
Provides services concerned with the following:
Online backup
Archiving
Security (such as email filtering)
Full-blown monitoring and management tools
Example: drupal.org
Utility services
Provide raw compute and storage resources to run your own software and store data
Cloud services
Cloud technology and services provide choice on how best to deliver flexible IT capability that blends internal and external resources, as well as bridging the gap between modern and traditional approaches to IT
Benefits
Improve IT responsiveness
Modernize and future-proof
Keep pace with work practice evolution
Reach out via the Web
Manage costs and resources
Improve IT responsiveness
Application and plug-in services can boost IT responsiveness by short-cutting the development work and platform implementation requirements for new applications. They can also help IT respond quickly and efficiently to fluctuations in demand
The concept of remote access is a natural fit with increasingly popular home and mobile working, which can sometimes be quicker and more cost-effective than in-house provision
Cloud services also become useful when activity crosses organizational boundaries, as with trading community services
Infrastructure requirements (security, policy management, scalability, fluctuating demand, etc.) can be dramatically different from, and harder to handle than, those of in-house systems
Application platform services via cloud can be used to deal with such requirements
Utility services can help by reducing the requirement for local equipment and by working around the problems of accommodation, power consumption, and poor server utilization
Benefits
Cloud computing can provide business benefits in a number of areas: it can improve responsiveness and enable you to scale to fluctuations in demand
Hybrid
Private Clouds
Adopting a cloud computing approach internally. Typically considered by businesses with a large-scale IT infrastructure that want to make better use of their hardware and software assets. Usually dedicated to a single organization; may be managed by the organization or a third party and may exist on premise or off premise. Organizations deploying private clouds often do so using virtualization technology within their own data centers
External Clouds
Require no up-front infrastructure investment. Can scale readily to fluctuations in demand and can serve users on the move or in other organizations
Public Cloud
Exists externally to its end user and is generally available with little restriction as to who may pay to use it. The most common are those accessed via the Internet. Made available to the general public or a large industry group, and owned by an organization selling cloud services
External Clouds
Community Clouds
Shared by several organizations and supports a specific community that has shared concerns; may be managed by the organizations or a third party and may exist on premise or off premise. Allows multiple independent entities to gain the cost benefits of a shared non-public cloud while avoiding security and regulatory concerns that might be associated with a generic public cloud. Example: different government agencies that transact business with each other can have their processing collocated in a single facility
Hybrid
The infrastructure is a composition of two or more clouds that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability, for example developing a private cloud and/or using external services in addition to the in-house services. Organizations weigh up practical, regulatory and risk-related considerations when choosing how to take advantage of cloud computing alongside their existing IT systems
Future trends
Trend No. 5: The Mobility Shift Wherever and Whenever You Want
Today, mobile devices combined with the cloud can fulfil most computing tasks, and in the minds of users any tradeoffs are outweighed by the convenience and flexibility the mobile devices provide
Personal Cloud
A small server in a home or small-business network that can be accessed over the Internet. Designed for sharing photos and videos, personal clouds enable viewing and streaming from any Internet-connected personal computer and quite often from major smartphones.
Although personal clouds function in a similar manner to any private cloud set up in a company, their primary feature is easy installation for the average personal computer user. Because the device is reachable from the Internet, it needs the same basic care as any exposed server: current firmware, strong credentials, and no services enabled beyond those actually used.
Personal cloud
In this new world, the specifics of devices will become less important for the organization to worry about. Users will use a collection of devices, with the PC remaining one of many options, but no one device will be the primary hub, making way for the personal cloud. Access to the cloud and the content stored or shared in the cloud will be managed and secured, rather than solely focusing on the device itself.
Semantic Technology
In software, semantic technology encodes meanings separately from data and content files, and separately from application code.
This enables machines as well as people to understand, share and reason with them at execution time. With semantic technologies, adding, changing and implementing new relationships or interconnecting programs in a different way can be just as simple as changing the external model that these programs share.
Semantic Technology
Semantic technologies are meaning centered. They include tools for:
auto-recognition of topics and concepts, information and meaning extraction, and categorization.
Given a question, semantic technologies can directly search topics, concepts, associations that span a vast number of sources.
Semantic technology
Semantic technologies provide an abstraction layer above existing IT technologies that enables bridging and interconnection of data, content, and processes. From the portal perspective, semantic technologies can be thought of as a new level of depth that provides far more intelligent, capable, relevant, and responsive interaction than with information technologies alone.
Semantic Web
The Semantic Web provides a common framework that allows data to be shared and reused across application, enterprise, and community boundaries. The Semantic Web aims at converting the current web, dominated by unstructured and semi-structured documents, into a "web of data". Its main purpose is driving the evolution of the current Web by enabling users to find, share, and combine information more easily. The Semantic Web is regarded as an integrator across different content, information applications and systems. It has applications in publishing, blogging, and many other areas.
Web 3.0
Content is created by the Web itself: an emergent consciousness from within the Web, capable of creating new content and applications. Allows discovery of documents by topic-centric browsing rather than by searching, enabling real-time information dissemination in many contexts using many different applications
Web 3.0
Focus:
Products and services will leverage semantic technology
Social networks will adopt semantic technology
Mobile computing
Commoditization of search technology and private search engines
Cloud computing
Comet/HTML5
Offline computing
Client-side database
Learning Objectives
Recognize the difficulties in managing information resources.
Understand the role of the IS department and its relationships with end users.
Discuss the role of the chief information officer.
Recognize information systems vulnerability, attack methods, and the possible damage from malfunctions.
Describe the major methods of defending information systems.
Describe the security issues of the Web and electronic commerce.
Describe business continuity and disaster recovery planning.
Understand the economics of security and risk management.
Understand the IT code of ethics.
The IS Department
IT resources are very diversified; they include personnel assets, technology assets, and IT relationship assets. The management of information resources is divided between the information services department (ISD) and the end users. The division of responsibility depends on many factors.
The reporting relationship of the ISD is important in that it reflects the focus of the department. If the ISD reports to the accounting or finance areas, there is often a tendency to emphasize accounting or finance applications at the expense of those in the marketing, production, and logistics areas. The name of the ISD is also important:
Data Processing (DP) Department
Management Information Systems (MIS) Department
Information Systems Department (ISD)
Another important characteristic is the status of the ISD
To improve collaboration, the ISD and end users may employ three common arrangements:
the steering committee
service-level agreements
the information center.
3. Use the carrot. Create incentives to encourage certain end-user practices that reduce organizational risks.
4. Offer support. Develop services to aid end users in their computing activity.
The changing role of the ISD highlights the fact that the CIO is becoming an important member of the firm's top management team, reflecting the realization of the need for IT-related disaster planning and of the importance of IT to the firm's activities. The CIO's responsibilities include:
Aligning IT with the business strategy
Implementing state-of-the-art solutions
Providing information access
Being a business visionary who drives business strategy
Coordinating resources
IS Vulnerability
Information resources (physical resources, data, software, procedures, and other information resources) are scattered throughout the firm. Information is transmitted to and from the firm's components. Therefore vulnerabilities exist at many points and at any time.
IT Security Terms
System Vulnerability
A universal vulnerability is a state in a computing system which either:
allows an attacker to execute commands as another user;
allows an attacker to access data contrary to the access restrictions for that data;
allows an attacker to pose as another entity; or
allows an attacker to conduct a denial of service.
An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:
allows an attacker to conduct information-gathering activities;
allows an attacker to hide activities;
includes a capability that behaves as expected, but can be easily compromised;
is a primary point of entry that an attacker may attempt to use to gain access to the system or data; or
is considered a problem according to some reasonable security policy.
Intentional threats
Manipulation in transferring or programming data
Labor strikes, riots, or sabotage
Malicious damage to computer resources
Destruction from viruses and similar attacks
Miscellaneous computer abuses
Internet fraud
Terrorist attack
Programming Attack
A security program must be:
Aligned: the program must be aligned with organizational goals.
Enterprise-wide: everyone in the organization must be included.
Difficulties
Defense Strategy
Knowing about potential threats to IS is necessary, but understanding ways to defend against these threats is equally critical. Because of its importance to the entire enterprise, organizing an appropriate defense system is one of the major activities of the CIO. It is accomplished by inserting controls (defense mechanisms) and developing awareness.
Defense Strategy
Any defense strategy involves the use of several controls. These controls are divided into two categories: general controls, which protect the system regardless of the specific application, and application controls, which safeguard specific applications.
General
Application
Security Layers
Business Continuity
An important element in any security system is the business continuity plan, usually paired with a disaster recovery plan: disaster recovery covers restoring the IT systems, while business continuity covers keeping the whole business (people, premises, processes) operating. Such a plan outlines the process by which businesses should recover from a major disaster.
The purpose of a business continuity plan is to keep the business running after a disaster occurs.
Recovery planning is part of asset protection. Planning should focus on recovery from a total loss of all capabilities.
Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current.
All critical applications must be identified and their recovery procedures addressed.
One of the most logical ways to deal with loss of data is to back it up. A business continuity plan should include backup arrangements where copies of important files are kept offsite, and the restore procedure should be exercised regularly: a backup that has never been restored is not proven.
Auditing
Implementing controls in an organization can be very complicated and difficult to enforce. Are controls installed as intended? Are they effective? Did any breach of security occur? These and other questions need to be answered by independent and unbiased observers. Such observers perform an auditing task.
Risk Management
It is usually not economical to prepare protection against every possible threat. Therefore, an IT security program must provide a process for assessing threats and deciding which ones to prepare for and which ones to ignore.
IT Security Trends
Increasing the reliability of systems
Self-healing computers
Intelligent systems for early intrusion detection
Intelligent systems in auditing and fraud detection
Artificial intelligence in biometrics
MANAGERIAL ISSUES
To whom should the IS department report? This issue is related to the degree of IS decentralization and to the role of the CIO. Having the IS department report to a functional area may introduce biases in favour of that area's IT priorities, which may not be justifiable. Having the IS department report to the CEO is very desirable.
Who needs a CIO? This is a critical question that is related to the role of the CIO as a senior executive in the organization. Giving a title without authority can damage the ISD and its operation. Asking the IS director to assume a CIO's responsibility, but not giving the authority and title, can be just as damaging. Any organization that is heavily dependent on IT should have a CIO.
End users are friends, not enemies, of the IS department. The relationship between end users and the ISD can be very delicate. In the past, many ISDs were known to be insensitive to end-user needs. This created a strong desire for end-user independence, which can be both expensive and ineffective. Successful companies develop a climate of cooperation and friendship between the two parties.
Ethical issues. The reporting relationship of the ISD can result in some unethical behavior. For example, if the ISD reports to the finance department, the finance department will have access to information about individuals or other departments that could be misused.
The more organizations use the Internet, extranets, and intranets, the greater the security issues become. It is important to make sure that employees know who is responsible and accountable for what information and that they understand the need for security control. The vast majority of information resources is in the hands of end users. Therefore, functional managers must understand and practice IT security management and other proper asset management tasks.
Security awareness programs are important for any organization, especially if it is heavily dependent on IT. Such programs should be corporate-wide and supported by senior executives. In addition, monitoring security measures and ensuring compliance with administrative controls are essential to the success of any security plan. For many people, following administrative controls means additional work, which they prefer not to do.
Auditing information systems should be institutionalized into the organizational culture. Organizations should audit IS because it can save considerable amounts of money. Conversely, over-auditing is not cost-effective.
The degree of IS decentralization is a complex issue. Some organizations prefer complete decentralization, having an ISD in each country or even several ISDs in one country. Others keep a minimum of centralized staff. Some companies prefer a highly centralized structure. Legal issues, government constraints, and the size of the IS staff are some factors that determine the degree of decentralization. Sarbanes-Oxley. The Sarbanes-Oxley Act, according to the CSI/FBI survey (Gordon et al., 2004), is having a major impact on IT, especially in the financial, utility, and telecommunications sectors (see Minicase 2).
What is Ethics?
Ethics
Set of beliefs about right and wrong behavior
Ethical behavior
Conforms to generally accepted social norms
Organizations today recognize the need to take action to ensure that their employees operate in an ethical manner when using technology
Corporations tend to place a higher emphasis on ethics policies following a major scandal within the organization
IT Code of Conduct
RFC 1087
In January 1989, the Internet Architecture Board (IAB), in RFC 1087, defined an activity as unethical and unacceptable if it:
1. Seeks to gain unauthorized access to the resources of the Internet.
2. Disrupts the intended use of the Internet.
3. Wastes resources (people, capacity, computer) through such actions.
4. Destroys the integrity of computer-based information, or
5. Compromises the privacy of users (RFC 1087, 1989).
(Harris, 2003)
Computer Viruses, Worms, and Trojan Horses How can a virus spread through an e-mail message?
Step 1. Unscrupulous programmers create a virus program. They hide the virus in a Word document and attach the Word document to an e-mail message.
Step 2. They use the Internet to send the e-mail message to thousands of users around the world.
Step 3a. Some users open the attachment and their computers become infected with the virus.
Step 3b. Other users do not recognize the name of the sender of the e-mail message. These users do not open the e-mail message; instead they delete it. These users' computers are not infected with the virus.
A familiar sender name is no guarantee, however: the From address is trivially forged, and infected machines commonly mail the virus to everyone in the victim's address book, so the attachment itself, not the sender, must be treated as untrusted.
Computer Viruses, Worms, and Trojan Horses How can you protect your system from a macro virus?
Set the macro security level in applications that allow you to write macros. At the medium security level, a warning displays that the document contains a macro and lets the user decide whether to run it; current Office versions go further and block macros in files downloaded from the Internet by default
Macros are instructions saved in an application, such as word processing or spreadsheet program
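The safeguard above depends on the user reacting correctly to a warning. A mail gateway can instead check the attachment itself, because a modern Word or Excel file is a ZIP container and a VBA macro project is stored inside it as a part named vbaProject.bin. The following is an added example, not code from the original slides; the sample documents are constructed in memory and the filenames are hypothetical. Legacy binary .doc/.xls files use a different (OLE2) container and are only flagged for review here.

```python
"""Added example (not from the original slides): detect a VBA macro project in
an Office Open XML attachment before it is opened.

Assumptions, labelled here: sample documents are constructed in memory. A
.docx/.docm/.xlsm/.pptm file is a ZIP container; Office stores VBA macros in a
part named vbaProject.bin under the word/, xl/ or ppt/ directory, so its
presence can be checked without Office installed.
"""
import io
import zipfile

# Part names under which Office stores a VBA project (Word, Excel, PowerPoint).
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Magic bytes of the legacy OLE2 compound file format (.doc/.xls); macros in
# those files live inside OLE streams and need a different parser.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def contains_macros(data: bytes) -> bool:
    """Return True if the OOXML document bytes contain a VBA macro part."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return False
    with zipfile.ZipFile(buf) as zf:
        names = set(zf.namelist())
    return any(part in names for part in MACRO_PARTS)


def triage_attachment(data: bytes) -> str:
    """Classify an attachment as 'block', 'allow' or 'review'.

    The decision is made on content, not on the file extension, since a
    sender can simply rename a macro-enabled .docm to .docx.
    """
    if data.startswith(OLE2_MAGIC):
        return "review"  # legacy binary Office file: cannot rule out macros here
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "block" if contains_macros(data) else "allow"
    return "review"  # not an Office container at all


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal Word OOXML container in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE stream; any bytes suffice for the check.
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("report.docx", build_sample(False)),
                      ("invoice.docx", build_sample(True))):
        print(f"{name}: {triage_attachment(doc)}")
```

The check is deliberately content-based: an attachment named invoice.docx that contains a vbaProject.bin part is blocked even though its extension claims it has no macros.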
Antivirus software identifies and removes computer viruses; most products also protect against worms and Trojan horses
A back door is a program or set of instructions in a program that allow users to bypass security controls when accessing a computer resource
What is spoofing?
Spoofing makes a network or Internet transmission appear legitimate
IP spoofing occurs when an intruder's computer forges the source address of its packets so that a network believes they come from a trusted source
Spoofed e-mail sender addresses and look-alike Web addresses are what let perpetrators trick their victims into interacting with a phony Web site
What is a firewall?
A firewall is a security system consisting of hardware and/or software that prevents unauthorized intrusion into a network
A personal firewall is a program that protects a personal computer and its data from unauthorized intrusions: it monitors transmissions to and from the computer and informs you of attempted intrusions
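One class of IP spoofing a border firewall can stop on its own is a packet arriving from the Internet whose source address claims to be inside the protected network (and the mirror case, an internal host sending out packets with a foreign source). The following is an added example, not code from the original slides: a minimal stateless packet filter that applies these anti-spoofing rules before its ordinary allow/deny policy. The network ranges, interface names and sample packets are constructed for illustration.

```python
"""Added example (not from the original slides): a minimal stateless packet
filter that applies anti-spoofing (ingress/egress) rules before policy rules.

Assumptions, labelled here: the network layout, interface names ('wan', 'lan')
and sample packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Address space of the protected network (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Services reachable from the Internet: (protocol, destination port).
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "wan" or "lan"
    src: str
    dst: str
    proto: str
    dport: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def decide(pkt: Packet) -> str:
    """Return 'accept' or a 'drop: <reason>' verdict for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan":
        # Ingress anti-spoofing: nothing from the Internet may claim an
        # internal, loopback or unspecified source address.
        if is_internal(pkt.src) or src.is_loopback or src.is_unspecified:
            return "drop: spoofed source on wan"
        if (pkt.proto, pkt.dport) in ALLOWED_INBOUND:
            return "accept"
        return "drop: no inbound policy"
    if pkt.iface == "lan":
        # Egress anti-spoofing: outgoing traffic must carry an internal
        # source, so a compromised host cannot launch spoofed floods.
        if not is_internal(pkt.src):
            return "drop: spoofed source on lan"
        return "accept"
    return "drop: unknown interface"


def filter_packets(packets):
    """Apply decide() to a batch and return [(packet, verdict), ...]."""
    return [(p, decide(p)) for p in packets]


SAMPLE_PACKETS = [  # constructed traffic
    Packet("wan", "203.0.113.9", "10.0.0.5", "tcp", 443),     # legitimate web client
    Packet("wan", "10.0.0.7", "10.0.0.5", "tcp", 443),        # spoofed: internal src from wan
    Packet("wan", "127.0.0.1", "10.0.0.5", "tcp", 443),       # spoofed loopback
    Packet("wan", "198.51.100.3", "10.0.0.5", "tcp", 22),     # not allowed by policy
    Packet("lan", "10.0.0.22", "198.51.100.3", "tcp", 443),   # normal outbound
    Packet("lan", "203.0.113.50", "198.51.100.3", "udp", 53), # spoofed outbound
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{pkt.iface:3} {pkt.src:>15} -> {pkt.dst}:{pkt.dport} {verdict}")
```

The filter cannot detect a packet from the Internet that forges some other external address; that requires ingress filtering at the sending network's edge, which is why anti-spoofing is an Internet-wide practice and not something one firewall can fully provide.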
A user name is a unique combination of characters that identifies a user. A password is a private combination of characters, associated with the user name, that allows access to computer resources
A possessed object (such as a badge or smart card) is an item that you must carry to gain access to a computer or facility. It is often used together with a numeric password called a personal identification number (PIN)
Software Theft
What is software theft?
Act of stealing or illegally copying software or intentionally erasing programs Software piracy is illegal duplication of copyrighted software
Software Theft
What is a license agreement?
Right to use software Single-user license agreement allows user to install software on one computer, make backup copy, and sell software after removing from computer
Software Theft
What are some other safeguards against software theft?
Product activation allows user to input product identification number online or by phone and receive unique installation identification number
Business Software Alliance (BSA) promotes better understanding of software piracy problems
Information Theft
What is encryption?
Encryption safeguards against information theft. It is the process of converting plaintext (readable data) into ciphertext (unreadable characters) under a secret key; the algorithm often combines more than one method, such as substitution and transposition. To read the data, the recipient must decrypt (decipher) it with the matching key
A certificate authority (CA) is an authorized person or company that issues and verifies digital certificates. Users apply for a digital certificate from a CA
Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), provides encryption of all data that passes between the client and the Internet server and lets the client verify the server's certificate
Web addresses beginning with https indicate such secure connections; https means the connection is encrypted and the server's identity was checked against its certificate, not that the site or its content is trustworthy
System Failure
What is a system failure?
Prolonged malfunction of computer Can cause loss of hardware, software, or data
System Failure
What is a surge protector?
Protects computer and equipment from electrical power disturbances. An uninterruptible power supply (UPS) is a surge protector with a battery that keeps equipment running during a power loss
In case of system failure or corrupted files, restore the files from a backup by copying them to their original location
Wireless Security
How can I ensure my wireless communication is secure?
Secure your wireless access point (WAP): change its default administrator password and keep its firmware updated. Not broadcasting the network name (SSID) is sometimes recommended, but it is not a security measure by itself, since the name is still visible to anyone capturing wireless traffic. Enable Wi-Fi Protected Access (WPA2 or WPA3) with a strong passphrase; Wired Equivalent Privacy (WEP) is broken and should not be used
Perpetrators
Defensive Measures
Risk assessment
An organization's review of potential threats to its computers and networks. Identify which investments of time and resources will best protect the organization from its most likely and serious threats
Reasonable assurance: managers must use their judgment to ensure that the cost of a control does not exceed the system's benefits or the risks involved
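One common way to turn "most likely and serious threats" and "cost of control must not exceed the benefit" into comparable numbers is annualized loss expectancy: single loss expectancy (asset value times the fraction lost per incident) multiplied by the expected number of incidents per year, and a control is justified when the loss it avoids exceeds what it costs. The following is an added example, not from the original slides; the threats, asset values, rates and control figures are constructed for illustration and would in practice come from incident history and estimates.

```python
"""Added example (not from the original slides): a quantitative risk assessment
using annualized loss expectancy (ALE = SLE x ARO) to rank threats and to test
whether a control is worth its cost.

All figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the asset at risk (currency units)
    exposure_factor: float  # fraction of the asset lost per incident, 0..1
    aro: float              # annualized rate of occurrence (incidents/year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ef_reduction: float = 0.0   # fraction of the exposure factor removed, 0..1
    aro_reduction: float = 0.0  # fraction of the occurrence rate removed, 0..1


def residual_ale(threat: Threat, control: Control) -> float:
    """ALE that remains once the control is in place."""
    ef = threat.exposure_factor * (1 - control.ef_reduction)
    aro = threat.aro * (1 - control.aro_reduction)
    return threat.asset_value * ef * aro


def net_benefit(threat: Threat, control: Control) -> float:
    """Annual value of a control: loss avoided minus what the control costs."""
    return threat.ale() - residual_ale(threat, control) - control.annual_cost


def is_justified(threat: Threat, control: Control) -> bool:
    """Reasonable assurance test: spend only when the benefit exceeds the cost."""
    return net_benefit(threat, control) > 0


def prioritize(threats):
    """Order threats by expected annual loss, highest first."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


# Constructed scenario (illustrative figures only).
RANSOMWARE = Threat("ransomware on file server", 500_000, 0.4, 0.5)
LAPTOP_THEFT = Threat("lost or stolen laptop with customer data", 50_000, 1.0, 3.0)
METEOR = Threat("meteor strike on data centre", 2_000_000, 1.0, 0.00001)

TESTED_BACKUPS = Control("offline backups with tested restores", 20_000, ef_reduction=0.75)
DISK_ENCRYPTION = Control("full-disk encryption on laptops", 5_000, ef_reduction=0.9)
RELOCATION = Control("relocate data centre underground", 100_000, aro_reduction=1.0)

if __name__ == "__main__":
    for t in prioritize([RANSOMWARE, LAPTOP_THEFT, METEOR]):
        print(f"{t.name:45} ALE = {t.ale():>12,.2f}")
    for t, c in ((RANSOMWARE, TESTED_BACKUPS), (LAPTOP_THEFT, DISK_ENCRYPTION),
                 (METEOR, RELOCATION)):
        verdict = "adopt" if is_justified(t, c) else "ignore"
        print(f"{c.name:40} net benefit {net_benefit(t, c):>12,.2f} -> {verdict}")
```

In the constructed scenario the backups and the disk encryption both pay for themselves, while spending 100,000 a year against a threat whose expected loss is about 20 a year is the kind of control the slide says to ignore.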
Prevention
Installing a corporate firewall
Established through the use of software, hardware, or a combination of both Can lead to complacency
Prevention (continued)
Installing antivirus software on personal computers
Virus signature
Specific sequence of bytes
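Matching a specific byte sequence is simple in principle, but a scanner that reads large files in chunks has to make sure a signature split across two reads is still found, and a fixed signature stops matching as soon as one byte of the sample changes. The following is an added example, not code from the original slides; the signatures and sample files are constructed and are not real malware signatures.

```python
"""Added example (not from the original slides): a signature scanner that looks
for known byte sequences in files, streaming them in chunks with an overlap so
a signature straddling a chunk boundary is still found.

The signatures and sample files are constructed; they are not real signatures.
"""
import io
from typing import BinaryIO

# Constructed signature database: name -> byte sequence identifying a sample.
SIGNATURES = {
    "Demo.Dropper.A": bytes.fromhex("4d5a90000300000004000000ffff0000deadbeef"),
    "Demo.MacroWorm.B": b'Sub AutoOpen()\r\n    Shell "cmd /c',
}


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list:
    """Names of all signatures found anywhere in an in-memory buffer."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def scan_stream(stream: BinaryIO, signatures=SIGNATURES, chunk_size: int = 4096) -> list:
    """Scan a file-like object chunk by chunk without loading it all.

    The last (longest signature - 1) bytes of each chunk are carried over so a
    match split across two reads is not missed.
    """
    overlap = max(len(sig) for sig in signatures.values()) - 1
    found = set()
    carry = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = carry + chunk
        found.update(scan_bytes(window, signatures))
        carry = window[-overlap:] if overlap > 0 else b""
    return sorted(found)


def scan_files(files: dict, chunk_size: int = 4096) -> dict:
    """Map filename -> detections for a dict of {name: bytes} (constructed files)."""
    return {name: scan_stream(io.BytesIO(data), chunk_size=chunk_size)
            for name, data in files.items()}


# Constructed sample files.
CLEAN = b"The quick brown fox jumps over the lazy dog\n" * 100
# Signature placed so that it straddles the first 4096-byte chunk boundary.
INFECTED = b"\x00" * 4090 + SIGNATURES["Demo.Dropper.A"] + b"\x00" * 100
MACRO = b'Attribute VB_Name = "ThisDocument"\r\n' + SIGNATURES["Demo.MacroWorm.B"] + b" calc"
# One-byte variation of the dropper: the fixed signature no longer matches,
# which is the gap that behaviour-based detection is meant to cover.
VARIANT = INFECTED.replace(b"\xde\xad", b"\xde\xae", 1)

if __name__ == "__main__":
    results = scan_files({"clean.txt": CLEAN, "setup.exe": INFECTED,
                          "memo.doc": MACRO, "setup2.exe": VARIANT})
    for name, hits in results.items():
        print(f"{name:12} {hits or 'clean'}")
```

The VARIANT sample differs from INFECTED by a single byte and is reported clean, which is the limitation the next slides address with behaviour-based detection.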
Prevention (continued)
Implementing safeguards against attacks by malicious insiders
IT staff must delete (or at least disable) the computer accounts, login IDs, and passwords of departing employees. Create roles and user accounts so that users have the authority to perform their responsibilities and no more
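Both safeguards above are easier to enforce when access is expressed as roles with explicit permission sets and offboarding is a routine that can be checked afterwards. The following is an added example, not code from the original slides: a small role-based access model that denies by default, an offboarding step, and a check that lists departed employees whose accounts are still enabled. Roles, permissions, logins and dates are constructed for the example.

```python
"""Added example (not from the original slides): least-privilege role-based
access plus offboarding, with a check that catches departed employees whose
accounts were never disabled.

Roles, permissions, logins and dates are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Each role carries only the permissions its duties require (constructed).
ROLE_PERMISSIONS = {
    "accounts_payable": {"invoices:read", "invoices:approve"},
    "helpdesk": {"tickets:read", "tickets:write", "users:reset_password"},
    "dba": {"db:read", "db:write", "db:backup"},
}


@dataclass
class Account:
    login: str
    roles: set = field(default_factory=set)
    enabled: bool = True
    leaving_on: Optional[date] = None  # termination date once HR records it


def permissions(acct: Account) -> set:
    """Effective permissions: the union of the account's roles, nothing more."""
    unknown = acct.roles - set(ROLE_PERMISSIONS)
    if unknown:
        raise ValueError(f"{acct.login}: undefined roles {sorted(unknown)}")
    return set().union(*(ROLE_PERMISSIONS[r] for r in acct.roles))


def authorize(acct: Account, permission: str) -> bool:
    """Deny by default: disabled accounts and unlisted permissions get nothing."""
    return acct.enabled and permission in permissions(acct)


def offboard(directory: dict, login: str, today: date) -> None:
    """Disable the account and strip every role. Deleting is the stronger
    option; disabling first keeps the audit trail and mailbox intact."""
    acct = directory[login]
    acct.enabled = False
    acct.roles = set()
    acct.leaving_on = acct.leaving_on or today


def stale_accounts(directory: dict, today: date) -> list:
    """Logins whose termination date has passed but which are still enabled."""
    return sorted(a.login for a in directory.values()
                  if a.enabled and a.leaving_on is not None and a.leaving_on <= today)


# Constructed directory and reference date.
TODAY = date(2024, 2, 15)
DIRECTORY = {
    "alice": Account("alice", {"dba"}),
    "bob": Account("bob", {"helpdesk"}, leaving_on=date(2024, 1, 31)),
    "carol": Account("carol", {"accounts_payable", "helpdesk"}),
}

if __name__ == "__main__":
    print("stale before offboarding:", stale_accounts(DIRECTORY, TODAY))
    offboard(DIRECTORY, "bob", TODAY)
    print("stale after offboarding:", stale_accounts(DIRECTORY, TODAY))
    print("bob can reset passwords:", authorize(DIRECTORY["bob"], "users:reset_password"))
```

The stale_accounts check is the part worth scheduling: it compares the HR record against the directory so a missed offboarding shows up as a finding rather than as a still-working credential.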
Prevention (continued)
Addressing the most critical Internet security threats
Overwhelming majority of successful computer attacks are made possible by taking advantage of well-known vulnerabilities SANS (System Administration, Networking, and Security) Institute and US-CERT regularly update a summary of the most frequent, high-impact vulnerabilities
Prevention (continued)
Conducting periodic IT security audits
Evaluate whether an organization has a well-considered security policy in place and if it is being followed. Test system safeguards. Federal Computer Security Report Card
Prevention (continued)
Detection
Intrusion detection system
Software and/or hardware Monitors system and network resources and activities and notifies network security personnel when it identifies possible intrusions Different approaches to intrusion detection
Knowledge-based approaches Behavior-based approaches
Response
Primary goal
Regain control and limit damage
Not to attempt to monitor or catch an intruder
Incident notification
Define who to notify and who not to notify
Incident containment
Act quickly to contain an attack
Response (continued)
Eradication
Collect and log all possible criminal evidence from the system. Verify that all necessary backups are current. Create a forensic disk image of each compromised system. Keep a log of all actions taken
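Two of the steps above, imaging and logging, are only useful later if the image can be shown to be unchanged and the log can be shown to be complete. The following is an added example, not code from the original slides: it copies a source bit for bit while hashing it, re-hashes the stored image independently to verify it, and keeps a log in which each entry includes the hash of the previous one so that editing or deleting an earlier entry breaks verification. The "device" is an in-memory byte string constructed for the example and the case number and examiner name are placeholders; a real acquisition reads a write-blocked block device and writes to separate evidence storage, but the hashing and logging discipline is the same.

```python
"""Added example (not from the original slides): acquire a bit-for-bit image
of a source while hashing it, verify the stored copy, and keep a tamper-evident
log of every action taken.

The 'device' is constructed in memory; case number and examiner are placeholders.
"""
import hashlib
import io
import json
from datetime import datetime, timezone
from typing import BinaryIO, Optional


class CustodyLog:
    """Append-only action log; each entry hashes the previous one."""

    def __init__(self, case: str, examiner: str):
        self.entries = []
        self.record("open", case=case, examiner=examiner)

    def record(self, action: str, **details) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
                 "details": details, "prev": prev}
        entry["digest"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every digest and every back-link; False if anything was altered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["digest"]:
                return False
            prev = e["digest"]
        return True


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source: BinaryIO, dest: BinaryIO, log: CustodyLog, chunk_size: int = 1 << 16) -> str:
    """Copy source to dest in chunks, hashing as we go; return the SHA-256 hex digest."""
    h = hashlib.sha256()
    total = 0
    for chunk in iter(lambda: source.read(chunk_size), b""):
        h.update(chunk)
        dest.write(chunk)
        total += len(chunk)
    digest = h.hexdigest()
    log.record("acquire", bytes_copied=total, sha256=digest)
    return digest


def verify_image(image: BinaryIO, expected_sha256: str, log: Optional[CustodyLog],
                 chunk_size: int = 1 << 16) -> bool:
    """Re-hash the stored image independently and compare with the acquisition hash."""
    h = hashlib.sha256()
    for chunk in iter(lambda: image.read(chunk_size), b""):
        h.update(chunk)
    ok = h.hexdigest() == expected_sha256
    if log is not None:
        log.record("verify", sha256=h.hexdigest(), matches=ok)
    return ok


def verify_bytes(data: bytes, expected_sha256: str) -> bool:
    return verify_image(io.BytesIO(data), expected_sha256, None)


# Constructed "disk": a few sectors of content with an obvious marker.
SAMPLE_DEVICE = b"\x00" * 512 + b"EVIDENCE: webshell.php uploaded 2024-03-03" + b"\xff" * 1500


def run_example(device: bytes = SAMPLE_DEVICE):
    """Full acquisition cycle on the sample; returns (digest, verified, log)."""
    log = CustodyLog(case="CASE-0001", examiner="examiner placeholder")
    image = io.BytesIO()
    digest = acquire(io.BytesIO(device), image, log, chunk_size=700)
    image.seek(0)
    ok = verify_image(image, digest, log, chunk_size=1000)
    return digest, ok, log


if __name__ == "__main__":
    digest, ok, log = run_example()
    print("sha256:", digest, "verified:", ok, "log intact:", log.verify())
    for e in log.entries:
        print(e["ts"], e["action"], e["details"])
```

The hash recorded at acquisition time is what later ties a court exhibit or an analysis result back to the original evidence; the chained log is what makes "keep a log of all actions taken" checkable rather than a matter of trust.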
Response (continued)
Incident follow-up
Determine how the organization's security was compromised. Develop an estimate of the monetary damage. Determine the amount of effort that should be put into capturing the perpetrator