Alter – Information Systems, 4th ed. © 2002 Prentice Hall
E-Business Security
Threat of Accidents and Malfunctions
- Operator error
- Hardware malfunction
- Software bugs
- Data errors
- Accidental disclosure of information
- Damage to physical facilities
- Inadequate system performance
- Liability for system failure
Threat of Computer Crime: Theft
- Theft of software and equipment
- Unauthorized use of access codes and financial passwords
- Theft by entering fraudulent transaction data
- Theft by stealing or modifying data
- Internet hoaxes for illegal gain
- Theft by modifying software
Threat of Computer Crime: Sabotage and Vandalism
- Trap door: a set of instructions that permits a user to bypass the computer system’s security measures
- Trojan horse: a program that appears to be valid but contains hidden instructions that can cause damage
Threat of Computer Crime: Sabotage and Vandalism (cont.)
- Logic bomb: a type of Trojan horse set to activate when a particular condition occurs
- Virus: a special type of Trojan horse that can replicate itself and spread
- Denial of service attack: sabotaging a Web site by flooding it with incoming messages
Factors that Increase the Risks
- The nature of complex systems
- Human limitations
- Pressures in the business environment
Methods for Minimizing Risks
- Controlling system development and modifications
  - Software change control systems
- Providing security training
- Physical access controls
Controlling Access to Data, Computers, and Networks
- Guidelines for manual data handling
- Access privileges
- Access control based on what you know
  - Password
  - Password schemes
- Access control based on what you have
- Access control based on where you are
- Access control based on who you are
Controlling incoming data flowing through networks and other media
- Commercially available virus protection products
- Firewall: software that inspects each incoming data packet and decides whether it is acceptable based on its IP address
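The packet filter described on this slide, as an added Go example that is not from the textbook: an ordered allow/deny policy of source-address ranges is applied first-match, and a packet that matches no rule is dropped. The policy text and the Rule, Filter, ParsePolicy and Accept names are this example's own; real firewalls also weigh ports, protocol and connection state, which this address-only filter does not.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

type Rule struct {
	Allow bool       // true lets the packet through, false drops it
	Net   *net.IPNet // source addresses this rule applies to
}

type Filter []Rule // ordered: first match wins, no match means drop

// SamplePolicy is a constructed policy: the corporate network is trusted except
// a quarantined subnet, whose narrower deny must precede the broad allow.
const SamplePolicy = "deny 10.0.13.0/24\nallow 10.0.0.0/8\nallow 203.0.113.7/32"

// ParsePolicy reads "allow <cidr>" / "deny <cidr>" lines, skipping blanks and # comments.
func ParsePolicy(policy string) (Filter, error) {
	var f Filter
	for n, line := range strings.Split(policy, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		if len(fields) != 2 || (fields[0] != "allow" && fields[0] != "deny") {
			return nil, fmt.Errorf("line %d: expected 'allow|deny <cidr>'", n+1)
		}
		_, ipnet, err := net.ParseCIDR(fields[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		f = append(f, Rule{Allow: fields[0] == "allow", Net: ipnet})
	}
	return f, nil
}

// Accept decides whether a packet from src may enter and reports which rule
// decided. A malformed or unmatched address matches nothing and is dropped.
func (f Filter) Accept(src string) (bool, string) {
	ip := net.ParseIP(src) // nil for garbage, which Contains treats as no match
	for _, r := range f {
		if r.Net.Contains(ip) {
			return r.Allow, r.Net.String()
		}
	}
	return false, "default deny"
}
```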
Firewall and the Internet
Making the Data Meaningless to Unauthorized Users
- Public key encryption: encryption method based on two related keys, a public key and a private (secret) key
  - Also used to transmit the secret key used by the Data Encryption Standard (DES)
- Digital signatures: use public key encryption to authenticate the sender of a message and the message content
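The key-transport use of public key encryption from this slide, as an added Go example that is not from the textbook: a fresh DES key encrypts the message, and only that key is encrypted with the recipient's RSA public key, so only the matching private key can open the envelope. The Envelope, Seal and Open names are this example's own, and the RSA key pair is assumed to be supplied by the caller.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what crosses the network: the one-time DES key encrypted with
// the recipient's public key, plus the IV and the DES-CTR ciphertext.
type Envelope struct{ WrappedKey, IV, Ciphertext []byte }

// Seal encrypts msg so that only the holder of the private key matching rcpt
// can read it. DES (56-bit, long obsolete) appears only because the slides
// name it; the key-transport step is unchanged with a modern cipher.
func Seal(msg []byte, rcpt *rsa.PublicKey) (*Envelope, error) {
	kiv := make([]byte, 8+des.BlockSize) // fresh secret key and IV per message
	if _, err := rand.Read(kiv); err != nil {
		return nil, err
	}
	key, iv := kiv[:8], kiv[8:]
	block, _ := des.NewCipher(key) // cannot fail: key length fixed above
	ct := make([]byte, len(msg))
	cipher.NewCTR(block, iv).XORKeyStream(ct, msg)
	// Only the 8-byte secret key goes through RSA; the bulk data stays symmetric.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rcpt, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, iv, ct}, nil
}

// Open recovers the DES key with the recipient's private key and decrypts.
// Without that private key the session key, and so the message, stays hidden.
func Open(env *Envelope, rcpt *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, rcpt, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key or damaged envelope")
	}
	block, err := des.NewCipher(key)
	if err != nil || len(env.IV) != des.BlockSize {
		return nil, errors.New("malformed envelope")
	}
	msg := make([]byte, len(env.Ciphertext))
	cipher.NewCTR(block, env.IV).XORKeyStream(msg, env.Ciphertext)
	return msg, nil
}
```

This provides confidentiality only: CTR-mode ciphertext can be altered without detection, which is why the digital signature on the same slide is needed for authenticity and integrity.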
Encryption
Controlling Traditional Transaction Processing
- Data preparation and authorization
- Data validation
- Error correction
- Backup and recovery
Maintaining Security in Web-Based Transactions
- Public key infrastructure (PKI)
- Certification authority (CA): a company that issues digital certificates
  - Computer-based records that identify the CA, identify the sender that is being verified, contain the sender’s public key, and are digitally signed by the CA
Transaction Privacy, Authentication, Integrity, and Nonrepudiation
- Web transactions are encrypted using the Secure Sockets Layer (SSL) protocol, which encrypts the transmission using a temporary key generated automatically from session information
- Transaction authentication: the process of verifying the identity of the participants in a transaction
- Transaction integrity: ensuring that information is not changed after the transaction is completed
- Nonrepudiation: ensuring that neither party can deny that the transaction occurred
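Digital signatures, the CA-issued certificate described above, and the authentication, integrity and nonrepudiation properties on this slide, as one added Go example that is not from the textbook: a CA signs a certificate carrying the sender's public key, the sender signs a message, and the verifier accepts it only if the certificate chains to the trusted CA and the signature checks out over exactly that message. The Issue, Sign and Verify names are this example's own, and the RSA keys are assumed to be generated by the caller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue returns the DER-encoded certificate binding name to pub, signed by caKey.
// With parent == nil it is self-signed, which is how the CA's own root is made.
func Issue(name string, pub *rsa.PublicKey, parent *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo; a real CA tracks serials
		Subject:               pkix.Name{CommonName: name},       // the party being certified
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		parent = tmpl
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	return x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
}

// Sign is the sender's digital signature over the SHA-256 hash of msg.
func Sign(msg []byte, key *rsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:], nil)
}

// Verify checks that senderCert chains to the trusted CA, then checks sig with
// the public key carried in that certificate. Success proves who signed msg
// (authentication, nonrepudiation) and that msg is unchanged (integrity).
func Verify(msg, sig []byte, senderCert, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := senderCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // issued by an untrusted CA, expired, or otherwise invalid
	}
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderCert.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], sig, nil)
}
```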
Difficulties With Security Methods for Web Transactions
Secure Electronic Transaction (SET) method:
- Proposed by a consortium of credit card companies
- More secure than SSL
- Costly, and very slow adoption rate
Motivating Efficient and Effective Operation
- Monitoring information system usage
  - Business process performance
  - Information system performance
  - Unusual activity
- Charging users to encourage efficiency
  - Chargeback systems try to motivate efficient usage by assigning the cost of information systems to the user departments
Auditing the Information System
- Auditing ensures that financial operations are neither misrepresented nor threatened due to defective procedures or accounting systems
- Auditing around the computer vs. auditing through the computer
Preparing for Disasters
- Disaster plan: a plan of action to recover from occurrences that shut down or harm major information systems