dr. ken cosh. outsourcing managing information systems dependency reliability security ethics
TRANSCRIPT
ICS321 MANAGEMENT INFORMATION SYSTEMS
Dr. Ken Cosh
REVIEW
Outsourcing
THIS WEEKS TOPIC
Managing Information Systems Dependency
Reliability Security
Ethics
DEPENDABILITY
The dependability of a system reflects the user’s degree of trust in that system – their confidence that it will operate as expected.
a
Dependability
Availability Reliability Security
The ability of thesystem to deliver
services whenrequested
The ability of thesystem to deliver
services as specified?
The ability of thesystem to operate
without catastrophicfailure
The ability of thesystem to protect itelfagainst accidental ordeliverate intrusion
Safety
RELIABILITY AND AVAILABILITY
Reliability The probability of failure-free system operation over a
specified time in a given environment for a given purpose
Availability The probability that a system, at a point in time, will be
operational and able to deliver the requested services It is sometimes possible to subsume system
availability under system reliability Obviously if a system is unavailable it is not delivering
the specified system services However, it is possible to have systems with low
reliability that must be available. So long as system failures can be repaired quickly and do not damage data, low reliability may not be a problem
WHY IS RELIABILITY IMPORTANT?
Costs of downtime for a business critical system How much would a 15 minute failure of
service cost? How much would a days failure cost? If this was an Email service? What percent failure is acceptable?
REDUNDANCY
One way of dealing with Reliability is to use redundancy ‘Spare’ components, so if one fails another could
be used. ‘Back-Ups’
Availability Math If a system is 98% available that means it is not
available 2% of the time (i.e. about half an hour each day!!!)
Many systems are now needed to be 99.999% available.
COMPONENTS IN SERIES
Consider if each component was 98% reliable, and there were 5 components in series.
.98 * .98 * .98 * .98 * .98 = 0.9, i.e. only 90% all components are running just 90% of the time.
With more components, it is increasingly less reliable
Component 198%
Component 298%
Component 398%
Component 498%
Component 598%
COMPONENTS IN PARALLEL
Now consider these components in parallel.
The probability of failure is 0.02 each time;
0.02 * 0.02 * 0.02 * 0.02 * 0.02 = 0.0000000032 !!!
Hence, redundancy is used to increase reliability. If one component fails, another can be used in it’s place.
Component 198%
Component 298%
Component 398%
Component 498%
Component 598%
HARDWARE VS SOFTWARE
Components in Parallel is sometimes called ‘Triple Modular Redundancy’, and it has 2 key assumptions; Hardware components do not have common
design faults. Components fail randomly (there is low chance of
simultaneous failure) Neither of these assumptions are true for
software; Copying components copies design faults. So simultaneous failure is inevitable.
SOFTWARE RELIABILITY THROUGH DIVERSITY N-Version Programming
Different (diverse) versions of algorithms written by different teams of programmers.
Version 2
Version 1
Version 3
Outputcomparator
N-versions
Agreedresult
99.999% RELIABILITY
Before reaching ‘5 nines’ reliability / before implementing redundant components, each component needs to be reliable (98%?) UPS (Uninterruptible Power Supply)
Redundancy in power Physical Security Guards Climate Control / Fire Suppression Redundant Network Connectivity Help Desk & Support Staff
INFORMATION SYSTEMS SECURITY
So why is information systems security important?
POTENTIAL THREATS
IntrusionViruses / Worms
External AttacksIntrusion
Viruses / Worms
Interception
THREATS
Intrusion Gaining Access to internal infrastructure
Viruses / Worms Replicating Software
External Attacks Denial of Service.
Interception Catching communication while en route
between sender and receiver.
INTRUSION
Gaining access to internal infrastructure; Stealing Mobile Phone Guessing Passwords Hacking into private spaces
Once a hacker has access to an account, they have the same rights as the account owner. Problem 1: Preventing hacker from accessing
account. Problem 2: Finding out what someone may have
done while they had access.
VIRUSES / WORMS
Virus Software Program that replicate itself on more
PC’s – in a similar way to viruses spread between people.
Viruses need another program to piggyback off, e.g. a macro in a spreadsheet, or document.
Are often spread using email Worms
A small piece of software that uses security loopholes to replicate.
E.g. finds a loophole in Windows, scans network for another PC with a similar loophole and copies itself to the new PC etc.
EXTERNAL ATTACKS
Attacks without gaining access to a private device. Denial of Service(DoS)
Very Common Attacks Purpose, to use up bandwidth or service, by ‘spoof’
conversations. Blocking Webservers with repeated hits Spam emails
Distributed Denial of Service (DDOS) Attacking from many addresses simultaneously.
Code Red Worm Chain Letters
INTERCEPTION
Catching communication whilst on route between sender and receiver. Intercepting Signals.
Wireless Signals Government listening in on telephone
conversations Normally minimised through encryption.
Accessing someone else’s service Using bandwidth of wireless network
IMPROVING SECURITY
Security Policies Limiting users access & actions
Firewalls Protection between network and internet
Authentication Passwords etc.
Encryption Encoding contents of communication
Patches Responding to security breaches
SECURITY POLICIES
Access Control Lists (ACL) Limit which users can do what (e.g. update
websites) Signed agreements for service
When allowing users onto a network, normally they sign an agreement, regarding terms of use.
Noticeably none at Payap? Policies could include,
Regular password changes Whether personal use of service is permitted Antivirus updates
Can help against, external attacks, intrusion, virus / worms
FIREWALLS
Hardware and / or Software protection sitting between internal network and internet.
Can help stop viruses/worms from accessing the network,
W W W
AUTHENTICATION
Software to ensure permission of user to access service Password Finger prints / retina scans
Helps against intrusion
ENCRYPTION
Encoding the contents of a transmission so it can’t be decrypted on route. Symmetric-key encryption Public / Private key encryption
Helps prevent interception.
SYMMETRIC KEY ENCRYPTION
Both sender and receiver use the same ‘code’ to encrypt and then decrypt a message. If I tell you to move each
character back two in the alphabet, and then send you this message;
Jgnnq Encuu Anyone who intercepts the
message gets nothing, but you are able to decrypt it.
More interesting patterns can be created to increase security. Substitution Transposition
Key:FANCY
Message:eatitnihmexnetmgmedt
DECODING
PATCHES
Response to a virus or security breach Anti virus software often updates to add
new virus definitions. Operating systems regularly update to deal
with security loopholes which may allow worms to work.
ETHICAL & SOCIAL IMPACT
“The use of information technologies in business has had major impacts on society and thus raises ethical issues in the areas of crime, privacy, individuality, employment, health and working conditions.”
Impacts can be positive, negative or both; Computerising a manufacturing process has lead
to people losing jobs, while improving the working conditions of those left and producing higher quality product and less cost.
MANAGING ETHICALLY
Should you monitor employees email? Should employees use work computers
for private purpose? Should they take copies of software
home? Should you keep electronic access to
employee’s personal records? Should you sell customers information?
BUSINESS ETHICS
Stockholder Theory Managers are agents of the stockholders, with the
ethical responsibility to them to increase profits without breaking the law
Social Contract Theory Companies have an ethical responsibility to all
members of society. Stakeholder Theory
Managers should manage for the benefit of all stakeholders; shareholders, customers, suppliers, local community, employees etc.
COMPUTER CRIME
1. Unauthorised use, access, modification and destruction of hardware, software, data or network resources.
2. Unauthorised release of information3. Unauthorised copying of software4. Denying an end user access to his or her
own hardware, software, data or network resources
5. Using or conspiring to use computer of network resources to illegally obtain information or tangible property
A HACKER’S TOOLKIT
Denial of Service (DOS – DDOS) Scans Sniffers Spoofing Trojan Horses Back Doors Malicious Applets War Dialing Logic Bombs Buffer Overflow Password Crackers Social Engineering Dumpster Diving
UNAUTHORISED USE AT WORK
Time and Resource Theft (Cyberslacking) Often monitored by sniffing software.
Includes; General Email abuse (spamming, chain
letters, spoofing, virus spreading, harrassment, defamatory statements)
Unauthorised Usage and Access (Sharing passwords and network access)
Copyright Infringement / Plagiarism (illegal or pirate software, copying websites or logos)
UNAUTHORISED USE AT WORK
Newsgroups Postings (Posting non-work related topics)
Transmission of Confidential Data (Sharing company secrets)
Pornography (Accessing inappropriate websites on work resources)
Hacking Non-work-related bandwidth use (sharing movies,
music etc.) Leisure use (online shopping, chatting, gambling) Usage of External ISPs (avoiding detection by using
external ISP) Moonlighting (using company resources for personal
business).
PIRACY
Software Piracy Unauthorised copying of software Alternatives include site licenses,
shareware or public domain software. IP Piracy
Intellectual property is also subject to piracy
The immergence of P2P network structures have led to a proliferation of IP piracy.
PRIVACY
A basic human right is the right to privacy, but this right is brought into question by Technology. Accessing individuals private email conversations
and computer records is a violation of privacy Monitoring peoples whereabouts through CCTV,
computer monitoring, Mobile GPS. Computer matching of customer information
gained from different sources. Collecting telephone number / email addresses
etc. to build customer profiles
INTERNET PRIVACY
One aspect of the internet is anonymity. Although in reality much of it is very visible
and open to privacy violations. But precautions can be taken to protect
privacy, such as encryption, authentication etc. – which we will discuss under the security topic.
COMPUTER PROFILING
We’ve encountered several examples of computer profiling / matching during this course; Individuals have been wrongly arrested. Individuals have been denied credit. Because of being mistakenly identified.
Identity Theft is also possible. Many countries introduce privacy laws
to protect people’s privacy, or attempted to.
FREEDOM OF SPEECH / INFORMATION Now, competing against the freedom of
privacy, freedom of speech (information and the press), is another important human right. People have a right to know about matters that
others may wish to keep private. With modern communication systems,
sharing opinion (using ones right to free speech) becomes easier; Flaming Spamming
MANAGEMENT’S ETHICAL CHALLENGES Employment
The introduction of IS/IT has created many new jobs, while at the same time eliminating some – how do we ethically introduce job cutting systems?
Computer Monitoring How can we weight up our employees right
to privacy against the desire to monitor computer usage (as a way of managing employees work)?
MANAGEMENT’S ETHICAL CHALLENGES Working Conditions
While IS/IT has removed many repetitive, monotonous tasks, often the human role has changed from one of a craftsman to one of a machine regulating a machine
Individuality Many IS/IT remove the individual treatment of
people by imposing strict, uncustomisable procedures. Rather than dealing with customers individually, we are constrained by the capabilities of the system.