Asst.Prof. Dr. Surasak Mungsing
CIS511 Information System Architecture
Description: principles of computer operation; measuring computer size and performance; evolution of computer systems; computer systems and networks; local area networks; broadband systems; the Internet; system software such as operating systems, database systems, communication systems and protocols; data communication and processing scheduling; back-office information systems such as budgeting, finance and accounting, personnel and information systems; front-office service systems; specifying hardware, network and processing systems.
Week  Topic
1     Introduction to IS and ISA
2     Organizational Systems
3     Managerial Support Systems
4     E-Commerce Applications
5     Case Study 1
6     Client-Server Architecture
7     Commercial Software Architecture
8     ISA and System Development
9     Enterprise Information Architecture
10    Case Study 2
11    User Interface Architecture
12    Web Services and ISA
13    Special Lecture in Information System Architecture I
14    Special Lecture in Information System Architecture II
Evaluation
Project/Reports    40 %  (Individual Report 20 %, Group Project 20 %)
Participation      10 %
Mid-term Exam      20 %
Final Exam         30 %
Total             100 %
Q & A
Topic Information System Threats and Attacks
Why Study Information Systems
Eases the managing task
Guides problem solving and decision making
Helps realise opportunities and meet personal and company goals
In business, information systems are used in all functional areas
Information Concepts (1): Data vs. Information
Data: raw facts; distinct pieces of information, usually formatted in a special way
Information: a collection of facts organized in such a way that they have additional value beyond the value of the facts themselves
Example
Data: thermometer readings of temperature taken every hour: 16.0, 17.0, 16.0, 18.5, 17.0, 15.5, ...
Transformation: pick out the highest and lowest reading
Information: today's high: 18.5; today's low: 15.5
Types of Data
Data type           Represented by
Alphanumeric data   Numbers, letters, and other characters
Image data          Graphic images or pictures
Audio data          Sound, noise, tones
Video data          Moving images or pictures
Characteristics of Valuable Information accurate, complete, economical, flexible, reliable, relevant, simple, timely, verifiable, accessible, secure
Example: Health Information
You want the information about you in a health information system to be:
As accurate as possible (e.g. your age, sex)
As complete as possible
Relevant
Reliable
Available in a timely manner (e.g. information about your drug allergies is available before your operation!)
System Definition
A set of elements or components that interact to accomplish goals; a combination of components working together
Example of a System with Sub-components: Customer Support System
Customer Maintenance Component
Order Entry Component
Catalog Maintenance Component
Order Fulfillment Component
System Elements
Inputs -> Processing mechanisms -> Outputs
System Example: a Movie
Inputs               Actors, director, staff, sets, equipment
Processing elements  Filming, editing, special effects, distribution
Outputs              Finished film delivered to movie studio
Goal                 Entertaining movie, film awards, profits
System Components and Concepts
System boundary: defines the system and distinguishes it from everything else
System types: simple vs. complex; open vs. closed; stable vs. dynamic; adaptive vs. non-adaptive; permanent vs. temporary
System Performance and Standards
Efficiency: a measure of what is produced divided by what is consumed (e.g. the efficiency of a motor is the energy produced divided by the energy consumed)
Effectiveness: a measure of the extent to which a system achieves its goals
System performance standard: a specific objective of the system
Nature of Information Systems
Organization: a group of individuals operating together in a systematic way to achieve a set of objectives
Individuals interact with each other through rules and procedures to achieve those objectives
An organization has objectives, takes inputs and processes them into outputs
Resources are classified as raw materials, machinery, human resources, money and information
The environment includes the physical environment, other organizations, abstract entities and individuals
Organizational Activities
Primary activities: inbound logistics, operations, sales and marketing, outbound logistics, after-sales support
Secondary activities: corporate planning and control, administration, finance management, HRM, R&D
Organizational Structure
Hierarchical; functional
Management structure: strategic management; operational management
Types of information: planning, operating and control; strategic, operational and control; qualitative and quantitative
Linkage between Activities
Organization divided into departments
Information disseminated formally and informally
Information flows should reflect the structure and the means of achieving objectives
Data and information
Qualities of Good Information
Complete, relevant, timely, accurate, understandable, significant, sent through the right channel, to the right recipient, with benefit exceeding cost
Noise in communication
Redundant information
Information cost: design and set-up costs, running costs, storage costs
Information Systems
Definition: a formalized set of procedures designed to convert data into information for decision making
Activities include: data capture, data processing, dissemination of information, information use, monitoring the system
Information system development process:
1. Establish business objectives
2. Define information needs
3. Establish sources of data
4. Examine who needs the data
5. Decide the format and timing of the information received
6. Define the processes required to convert data into information
7. Build the system
8. Monitor and control system effectiveness
Information Systems (cont.)
Design can be bottom-up or top-down
Manual or mechanized
Information needs: planning, monitoring, control, decision making, recording and processing transactions, communication
Types of Information Systems
Transaction processing systems
Office automation systems
Management information systems
Decision support systems
Executive information systems
Expert systems
Nature of Decision Making
Structured (programmed decisions), unstructured, semi-structured
Analytical decisions, heuristic decisions
Q&A
Threats and Attacks (source: Principles of Information Security, 2nd Edition)
Learning Objectives
Identify and understand the threats posed to information security
Identify and understand the more common attacks associated with those threats
Threats
Threat: an object, person, or other entity that represents a constant danger to an asset
Management must be informed of the different threats facing the organization
By examining each threat category, management can protect information effectively through policy, education, training, and technology controls
Threats (contd)
The 2004 Computer Security Institute (CSI)/Federal Bureau of Investigation (FBI) survey found:
79 percent of organizations reported cyber security breaches within the last 12 months
54 percent of those organizations reported financial losses, totaling over $141 million
Threats to Information Security (figure)
Acts of Human Error or Failure
Includes acts performed without malicious intent
Causes include: inexperience, improper training, incorrect assumptions
Employees are among the greatest threats to an organization's data
Acts of Human Error or Failure (contd)
Employee mistakes can easily lead to:
Revelation of classified data
Entry of erroneous data
Accidental data deletion or modification
Data storage in unprotected areas
Failure to protect information
Many of these threats can be prevented with controls
Figure 2-1 – Acts of Human Error or Failure
Deliberate Acts of Espionage or Trespass
Access to protected information by unauthorized individuals
Competitive intelligence (legal) vs. industrial espionage (illegal)
Shoulder surfing can occur anywhere a person accesses confidential information
Controls let trespassers know they are encroaching on the organization's cyberspace
Hackers use skill, guile, or fraud to bypass the controls protecting others' information
Deliberate Acts of Theft
Illegal taking of another's physical, electronic, or intellectual property
Physical theft is controlled relatively easily
Electronic theft is a more complex problem; evidence of the crime is not readily apparent
Deliberate Software Attacks
Malicious software (malware) designed to damage, destroy, or deny service to target systems
Includes viruses, worms, Trojan horses, logic bombs, back doors, and denial-of-service attacks
Forces of Nature
Forces of nature are among the most dangerous threats
They disrupt not only individual lives but also the storage, transmission, and use of information
Organizations must implement controls to limit damage and prepare contingency plans for continued operations
Deviations in Quality of Service
Includes situations where products or services are not delivered as expected
An information system depends on many interdependent support systems
Internet service, communications, and power irregularities dramatically affect the availability of information and systems
Internet Service Issues
Internet service provider (ISP) failures can considerably undermine the availability of information
An outsourced Web hosting provider assumes responsibility for all Internet services as well as the hardware and Web site operating system software, so its failures directly become the organization's outages
Attacks
An act or action that exploits a vulnerability (i.e., an identified weakness) in a controlled system
Accomplished by a threat agent that damages or steals the organization's information
Attacks (contd)
Malicious code: execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information
Back door: gaining access to a system or network through a known or previously unknown/newly discovered access mechanism that bypasses the normal authentication path
Attacks (contd)
Password crack: attempting to recover a password, typically by guessing candidates and comparing each candidate's hash against a stolen password hash
Brute force: trying every possible combination of characters; the cost grows exponentially with password length and alphabet size
Dictionary: selects specific accounts to attack and uses a list of commonly used passwords (the dictionary) to guide guesses; it works because many users choose predictable passwords
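The difference between the two guessing strategies is easiest to see by running both against the same stolen hashes. The block below is an added example written for this page, not code from the textbook or the slides: the credential store, the account names, the word list and the choice of unsalted SHA-256 are all constructed assumptions. Brute force is limited to four lowercase letters so that it finishes in seconds; the keyspace figures show why that limit matters.

```python
"""Added example: dictionary guessing versus brute-force guessing against
stored password hashes. Illustrative code written for this page, not code
from the textbook. Assumptions (all constructed here): the target stores
unsalted SHA-256 hashes, the accounts and word list are made up, and the
brute-force alphabet is lowercase letters only."""
import hashlib
import itertools
import string
from typing import Dict, Iterable, List, Optional, Tuple

ALPHABET = string.ascii_lowercase


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for a weak credential store."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "stolen" credential store: account name -> password hash.
STOLEN_HASHES: Dict[str, str] = {
    "alice": sha256_hex("password"),    # on every common-password list
    "bob": sha256_hex("letmein"),       # also common
    "carol": sha256_hex("xqzv"),        # short, but not a dictionary word
    "dave": sha256_hex("Tr0ub4dor&3"),  # long, mixed character classes
}

# Constructed dictionary of frequently chosen passwords.
DICTIONARY: List[str] = ["123456", "password", "qwerty", "letmein", "welcome", "admin"]


def dictionary_attack(target_hash: str, words: Iterable[str]) -> Optional[str]:
    """Hash each word in the list and compare with the target; None if no hit."""
    for word in words:
        if sha256_hex(word) == target_hash:
            return word
    return None


def brute_force(target_hash: str, alphabet: str, max_len: int) -> Optional[str]:
    """Try every string over `alphabet` of length 1..max_len, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Worst-case number of candidates brute force must hash."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def crack_all(store: Dict[str, str], words: Iterable[str], alphabet: str,
              max_len: int) -> Dict[str, Tuple[Optional[str], str]]:
    """Run the cheap dictionary attack first; fall back to brute force."""
    words = list(words)
    results: Dict[str, Tuple[Optional[str], str]] = {}
    for account, target in store.items():
        hit = dictionary_attack(target, words)
        method = "dictionary"
        if hit is None:
            hit = brute_force(target, alphabet, max_len)
            method = "brute-force"
        results[account] = (hit, method if hit is not None else "not cracked")
    return results


if __name__ == "__main__":
    for account, (password, how) in crack_all(STOLEN_HASHES, DICTIONARY, ALPHABET, 4).items():
        print(f"{account:6} {password!r:16} via {how}")
    # Why the dictionary is cheap and brute force is not:
    print("lowercase, up to 4 chars:         ", keyspace(26, 4))
    print("95 printable ASCII, up to 11 chars:", keyspace(95, 11))
```

Two of the four accounts fall to six dictionary words; the short random password needs roughly half a million hashes; the long mixed-class password survives the four-letter search entirely. Salting and a deliberately slow hash raise the per-guess cost for both strategies, but only a password that is not in any list defeats the dictionary.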
Attacks (contd)
Denial-of-service (DoS): the attacker sends a large number of connection or information requests to a target
The target system cannot handle them successfully along with other, legitimate service requests
May result in a system crash or an inability to perform ordinary functions
Distributed denial-of-service (DDoS): a coordinated stream of requests is launched against the target from many locations simultaneously, so no single source stands out
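What distinguishes the two in practice is visible in a request log: a DoS shows one source far above everyone else, a DDoS shows an aggregate far above normal with every individual source looking harmless. The block below is an added example written for this page, not code from the textbook: the log format ("epoch seconds, source IP"), the thresholds and every log line are constructed.

```python
"""Added example: telling a single-source flood (DoS) from a distributed one
(DDoS) by counting requests per fixed time window and per source.
Illustrative code written for this page, not from the textbook. The log
format "<epoch seconds> <source IP>", the thresholds and all log lines are
constructed for the example."""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

WINDOW_SECONDS = 10       # size of each counting window
PER_SOURCE_LIMIT = 20     # more than this from one source per window is suspicious
TOTAL_LIMIT = 200         # more than this in total per window exceeds normal capacity


def parse_line(line: str) -> Tuple[int, str]:
    """Split one constructed log line into (timestamp, source_ip)."""
    timestamp, source_ip = line.split()
    return int(timestamp), source_ip


def classify_windows(lines: List[str]) -> Dict[int, Tuple[str, Optional[str], int]]:
    """Return {window_index: (verdict, offending_source_or_None, total_requests)}."""
    per_window: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        ts, ip = parse_line(line)
        per_window[ts // WINDOW_SECONDS][ip] += 1

    verdicts: Dict[int, Tuple[str, Optional[str], int]] = {}
    for window in sorted(per_window):
        counts = per_window[window]
        total = sum(counts.values())
        top_ip, top_count = counts.most_common(1)[0]
        if top_count > PER_SOURCE_LIMIT:
            verdicts[window] = ("dos", top_ip, total)      # one source dominates
        elif total > TOTAL_LIMIT:
            verdicts[window] = ("ddos", None, total)       # many sources, each under the radar
        else:
            verdicts[window] = ("normal", None, total)
    return verdicts


def build_sample_log() -> List[str]:
    """Constructed traffic: a quiet window, a single-source flood, a distributed flood."""
    lines: List[str] = []
    # Window 0 (t=0..9): 30 clients making 3 requests each.
    for client in range(30):
        for k in range(3):
            lines.append(f"{k * 3} 192.0.2.{client + 1}")
    # Window 1 (t=10..19): one host sends 150 requests.
    for k in range(150):
        lines.append(f"{10 + k % 10} 203.0.113.7")
    # Window 2 (t=20..29): 300 distinct hosts send one request each.
    for i in range(300):
        lines.append(f"{20 + i % 10} 198.51.{100 + i // 250}.{i % 250 + 1}")
    return lines


if __name__ == "__main__":
    for window, (verdict, source, total) in classify_windows(build_sample_log()).items():
        start = window * WINDOW_SECONDS
        print(f"t={start:>3}-{start + WINDOW_SECONDS - 1:<3} {verdict:6} total={total:<4} source={source}")
```

Per-source counting is exactly what a distributed flood, or a single attacker who spoofs source addresses, is designed to slip past, which is why the aggregate check is needed as well. A production detector would use a sliding rather than fixed window and a learned baseline instead of fixed limits, but the two signals stay the same.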
Figure 2-9 – Denial-of-Service Attacks
Attacks (continued)
Spoofing: technique used to gain unauthorized access; the intruder sends packets whose source appears to be a trusted IP address
Man-in-the-middle: an attacker positioned on the path monitors network packets, modifies them, and inserts them back into the network
Spam: unsolicited commercial e-mail; more a nuisance than an attack, though it is emerging as a vector for some attacks
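Both spoofing and man-in-the-middle succeed for the same reason: the receiver trusts fields (the sender, the payload) that nothing protects. The block below is an added example written for this page, not code from the textbook. It models a message as a small dictionary, lets an attacker rewrite the body or forge the sender, and shows the receiver accepting both when there is no integrity check and rejecting both when a keyed HMAC covers the protected fields. The shared key, sender names and message bodies are constructed.

```python
"""Added example: what a man-in-the-middle or a spoofer can do to an
unauthenticated message, and how a keyed MAC (HMAC-SHA256 over the fields
the receiver relies on) lets the receiver detect modification in transit and
a forged sender. Illustrative code written for this page, not from the
textbook; the key, names and bodies are constructed."""
import hashlib
import hmac
from typing import Dict, Optional

SHARED_KEY = b"constructed-shared-secret"   # known to alice and the receiver only


def tag_for(sender: str, body: str, key: bytes) -> str:
    """HMAC over sender and body, so neither can be altered without the key."""
    return hmac.new(key, f"{sender}|{body}".encode(), hashlib.sha256).hexdigest()


def send(sender: str, body: str, key: Optional[bytes] = None) -> Dict[str, str]:
    """Build a message; a tag is attached only if the sender holds the key."""
    msg = {"from": sender, "body": body}
    if key is not None:
        msg["tag"] = tag_for(sender, body, key)
    return msg


def man_in_the_middle(msg: Dict[str, str], new_body: str) -> Dict[str, str]:
    """Attacker on the path rewrites the body and forwards the message."""
    tampered = dict(msg)
    tampered["body"] = new_body
    return tampered


def spoof(msg: Dict[str, str], claimed_sender: str) -> Dict[str, str]:
    """Attacker forges the sender field (the analogue of a trusted source address)."""
    forged = dict(msg)
    forged["from"] = claimed_sender
    return forged


def receive(msg: Dict[str, str], key: Optional[bytes] = None) -> Optional[str]:
    """Return the accepted body, or None if the integrity check fails.
    With no key there is no check at all: whatever arrives is trusted."""
    if key is None:
        return msg["body"]
    expected = tag_for(msg["from"], msg["body"], key)
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return None
    return msg["body"]


def demo() -> Dict[str, Optional[str]]:
    """Run each attack over an unauthenticated and an authenticated channel."""
    plain = send("alice", "transfer 100 to bob")
    signed = send("alice", "transfer 100 to bob", SHARED_KEY)
    # mallory has no key, so her forged message carries no valid tag
    forged_plain = spoof(send("mallory", "reset alice's password"), "alice")
    forged_signed = spoof(send("mallory", "reset alice's password"), "alice")
    return {
        "unauthenticated, modified": receive(man_in_the_middle(plain, "transfer 100 to mallory")),
        "unauthenticated, spoofed": receive(forged_plain),
        "authenticated, intact": receive(signed, SHARED_KEY),
        "authenticated, modified": receive(man_in_the_middle(signed, "transfer 100 to mallory"), SHARED_KEY),
        "authenticated, spoofed": receive(forged_signed, SHARED_KEY),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28} -> {'rejected' if outcome is None else outcome!r}")
```

The MAC stops anyone without the key from altering or forging a message, but it does not stop an attacker from replaying a captured valid message; that needs a nonce or sequence number under the tag. It also says nothing about who may observe the traffic, which is the sniffing problem on the next slide and needs encryption.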
Figure 2-11 – Man-in-the-Middle
Attacks (contd)
Mail bombing: also a form of DoS; the attacker routes large quantities of e-mail to the target
Sniffers: a program or device that monitors data traveling over a network; can be used both for legitimate purposes and for stealing information from a network
Social engineering: using social skills to convince people to reveal access credentials or other valuable information to the attacker
Attacks (contd)
Buffer overflow: application error occurring when more data is sent to a buffer than it can hold; the excess overwrites adjacent memory and, in the worst case, lets an attacker redirect the program's execution
Timing attack: relatively new; the textbook uses the term for an attack that explores the contents of a Web browser's cache to create a malicious cookie. In cryptography the same term more commonly means a side-channel attack that infers secrets from how long an operation takes
Summary
Threat: an object, person, or other entity representing a constant danger to an asset
Attack: a deliberate act that exploits a vulnerability