L12 - Ken Cosh
261446
Information Systems
Dr. Ken Cosh
Lecture 12
REVIEW
Outsourcing
THIS WEEK'S TOPIC
Managing Information Systems
Dependability
Reliability
Security
Ethics
DEPENDABILITY
The dependability of a system reflects the user’s
degree of trust in that system – their confidence
that it will operate as expected.
Dependability
Availability
The ability of the system to deliver services when requested
Reliability
The ability of the system to deliver services as specified
Safety
The ability of the system to operate without catastrophic failure
Security
The ability of the system to protect itself against accidental or deliberate intrusion
RELIABILITY AND AVAILABILITY
Reliability
The probability of failure-free system operation over a specified
time in a given environment for a given purpose
Availability
The probability that a system, at a point in time, will be
operational and able to deliver the requested services
It is sometimes possible to subsume system availability under
system reliability
Obviously if a system is unavailable it is not delivering the
specified system services
However, it is possible to have systems with low reliability that
must be available. So long as system failures can be repaired
quickly and do not damage data, low reliability may not be a
problem
WHY IS RELIABILITY IMPORTANT?
Costs of downtime for a business critical
system
How much would a 15 minute failure of service
cost?
How much would a day's failure cost?
If this was an Email service?
What percent failure is acceptable?
REDUNDANCY
One way of dealing with Reliability is to use
redundancy
‘Spare’ components, so if one fails another could be used.
‘Back-Ups’
Availability Math
If a system is 98% available that means it is not available
2% of the time (i.e. about half an hour each day!!!)
Many systems now need to be 99.999% available.
COMPONENTS IN SERIES
Consider if each component was 98% reliable, and
there were 5 components in series.
Component 1 (98%) -> Component 2 (98%) -> Component 3 (98%) -> Component 4 (98%) -> Component 5 (98%)
.98 * .98 * .98 * .98 * .98 ≈ 0.9, i.e. all components are running just 90% of the time.
With more components, the system becomes increasingly less reliable
COMPONENTS IN PARALLEL
Now consider these components in parallel.
The probability of failure is 0.02 each time;
0.02 * 0.02 * 0.02 * 0.02 * 0.02 = 0.0000000032 !!!
Hence, redundancy is used to increase reliability. If one component fails, another can be used in its place.
Component 1 (98%) | Component 2 (98%) | Component 3 (98%) | Component 4 (98%) | Component 5 (98%)
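The series and parallel sums above, as an added example that is not part of the original lecture. It goes one step beyond the slides by finding how many parallel copies a chain of 98% components needs to reach 99.999%; the function names are assumptions, and failures are assumed to be independent.

```python
import math

MINUTES_PER_DAY = 24 * 60


def series(availabilities):
    """Every component must work, so the availabilities multiply."""
    return math.prod(availabilities)


def parallel(availabilities):
    """One working component is enough: 1 minus the chance that all fail.
    Assumes independent failures (the hardware assumption)."""
    return 1 - math.prod(1 - a for a in availabilities)


def downtime_minutes_per_day(availability):
    """Expected unavailable minutes in a 24 hour day."""
    return (1 - availability) * MINUTES_PER_DAY


def replicas_per_stage(component, stages, target):
    """Smallest number of parallel copies per stage so that `stages`
    redundant stages in series reach the `target` availability."""
    if not (0 < component <= 1 and 0 < target < 1):
        raise ValueError("component must be in (0, 1], target in (0, 1)")
    n = 1
    while series([parallel([component] * n)] * stages) < target:
        n += 1
    return n


if __name__ == "__main__":
    print("5 in series:  ", series([0.98] * 5))
    print("5 in parallel:", parallel([0.98] * 5))
    print("98% downtime/day (min):", downtime_minutes_per_day(0.98))
    print("copies for five nines, 1 stage: ", replicas_per_stage(0.98, 1, 0.99999))
    print("copies for five nines, 5 stages:", replicas_per_stage(0.98, 5, 0.99999))
```

A single 98% component needs three independent copies to reach five nines, but a five-stage chain needs four copies at every stage, because the series penalty still applies to the redundant stages.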
HARDWARE VS SOFTWARE
Components in Parallel is sometimes called ‘Triple
Modular Redundancy’, and it has 2 key
assumptions;
Hardware components do not have common design faults.
Components fail randomly (there is low chance of
simultaneous failure)
Neither of these assumptions is true for software;
Copying components copies design faults.
So simultaneous failure is inevitable.
SOFTWARE RELIABILITY THROUGH
DIVERSITY
N-Version Programming
Different (diverse) versions of algorithms written by
different teams of programmers.
Version 1, Version 2, Version 3 (N-versions) -> Output comparator -> Agreed result
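An output comparator for N-version programming, as an added example that is not part of the original lecture. The three leap-year checks are constructed for illustration, one with a deliberate design fault; all names are assumptions.

```python
import calendar
from collections import Counter


def comparator(outputs):
    """Output comparator: return (agreed_result, dissenting_version_indexes).
    Refuses to answer when no strict majority exists."""
    value, votes = Counter(outputs).most_common(1)[0]
    if 2 * votes <= len(outputs):
        raise RuntimeError("versions disagree: no majority result")
    dissenters = [i for i, out in enumerate(outputs) if out != value]
    return value, dissenters


def run_n_versions(versions, argument):
    """Feed the same input to every version and compare the outputs."""
    return comparator([version(argument) for version in versions])


# Version 1: the calendar rule written out by hand.
def leap_rule(year):
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


# Version 2: a different team relies on the standard library.
def leap_library(year):
    return calendar.isleap(year)


# Version 3: constructed design fault, the century rule is forgotten.
def leap_faulty(year):
    return year % 4 == 0


DIVERSE = [leap_rule, leap_library, leap_faulty]  # N-version programming
COPIES = [leap_faulty] * 3                        # plain replication

if __name__ == "__main__":
    # 1900 is not a leap year.
    print("diverse versions:", run_n_versions(DIVERSE, 1900))
    print("copied versions: ", run_n_versions(COPIES, 1900))
```

With diverse versions the comparator outvotes the faulty one and reports its index; with three copies of the same component all outputs agree on the wrong answer and nothing is flagged.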
99.999% RELIABILITY
Before reaching ‘5 nines’ reliability / before
implementing redundant components, each
component needs to be reliable (98%?)
UPS (Uninterruptible Power Supply)
Redundancy in power
Physical Security Guards
Climate Control / Fire Suppression
Redundant Network Connectivity
Help Desk & Support Staff
INFORMATION SYSTEMS SECURITY
So why is information systems security
important?
POTENTIAL THREATS
Intrusion
Viruses / Worms
External Attacks
Interception
THREATS
Intrusion
Gaining Access to internal infrastructure
Viruses / Worms
Replicating Software
External Attacks
Denial of Service.
Interception
Catching communication while en route between sender and receiver.
INTRUSION
Gaining access to internal infrastructure;
Stealing Mobile Phone
Guessing Passwords
Hacking into private spaces
Once a hacker has access to an account, they have
the same rights as the account owner.
Problem 1: Preventing a hacker from accessing the account.
Problem 2: Finding out what someone may have done
while they had access.
VIRUSES / WORMS
Virus
A software program that replicates itself onto more PCs, in a similar way to how viruses spread between people.
Viruses need another program to piggyback off, e.g. a
macro in a spreadsheet, or document.
Are often spread using email
Worms
A small piece of software that uses security loopholes to
replicate.
E.g. finds a loophole in Windows, scans network for
another PC with a similar loophole and copies itself to the
new PC etc.
EXTERNAL ATTACKS
Attacks without gaining access to a private device.
Denial of Service (DoS)
Very Common Attacks
Purpose: to use up bandwidth or service with ‘spoof’ conversations.
Blocking Webservers with repeated hits
Spam emails
Distributed Denial of Service (DDOS)
Attacking from many addresses simultaneously.
Code Red Worm
Chain Letters
INTERCEPTION
Catching communication whilst en route between sender and receiver.
Intercepting Signals.
Wireless Signals
Government listening in on telephone conversations
Normally minimised through encryption.
Accessing someone else’s service
Using bandwidth of wireless network
IMPROVING SECURITY
Security Policies
Limiting users' access & actions
Firewalls
Protection between network and internet
Authentication
Passwords etc.
Encryption
Encoding contents of communication
Patches
Responding to security breaches
SECURITY POLICIES
Access Control Lists (ACL)
Signed agreements for service
When allowing users onto a network, normally they sign an
agreement, regarding terms of use.
Did you sign one at CMU?
Policies could include,
Limit which users can do what (e.g. update websites)
Regular password changes
Whether personal use of service is permitted
Antivirus updates
Can help against external attacks, intrusion, viruses / worms
FIREWALLS
Hardware and / or
Software protection
sitting between internal
network and internet.
Can help stop
viruses/worms from
accessing the network,
WWW
AUTHENTICATION
Software to ensure permission of user to
access service
Password
Fingerprints / retina scans
Helps against intrusion
ENCRYPTION
Encoding the contents of a transmission so it can’t be decrypted en route.
Symmetric-key encryption
Public / Private key encryption
Helps prevent interception.
SYMMETRIC KEY ENCRYPTION
Both sender and receiver use the
same ‘code’ to encrypt and then
decrypt a message.
If I tell you to move each
character back two in the
alphabet, and then send you this
message;
Jgnnq Encuu
Anyone who intercepts the
message gets nothing, but you
are able to decrypt it.
More interesting patterns can be
created to increase security.
Substitution
Transposition
Key: FANCY
Message: eatitnihmexnetmgmedt
DECODING
PATCHES
Response to a virus or security breach
Anti virus software often updates to add new virus
definitions.
Operating systems regularly update to deal with
security loopholes which may allow worms to
work.
ETHICAL & SOCIAL IMPACT
“The use of information technologies in business
has had major impacts on society and thus raises
ethical issues in the areas of crime, privacy,
individuality, employment, health and working
conditions.”
Impacts can be positive, negative or both;
Computerising a manufacturing process has led to people losing jobs, while improving the working conditions of those left and producing a higher quality product at less cost.
MANAGING ETHICALLY
Should you monitor employees email?
Should employees use work computers for
private purpose?
Should they take copies of software home?
Should you keep electronic access to
employee’s personal records?
Should you sell customers information?
BUSINESS ETHICS
Stockholder Theory
Managers are agents of the stockholders, with the ethical responsibility to them to increase profits without breaking the law
Social Contract Theory
Companies have an ethical responsibility to all members of society.
Stakeholder Theory
Managers should manage for the benefit of all
stakeholders; shareholders, customers, suppliers, local
community, employees etc.
UNAUTHORISED USE AT WORK
Time and Resource Theft (Cyberslacking)
Often monitored by sniffing software.
Includes;
General Email abuse (spamming, chain letters, spoofing, virus spreading, harassment, defamatory statements)
Unauthorised Usage and Access (Sharing
passwords and network access)
Copyright Infringement / Plagiarism (illegal or
pirate software, copying websites or logos)
PIRACY
Software Piracy
Unauthorised copying of software
Alternatives include site licenses, shareware or
public domain software.
IP Piracy
Intellectual property is also subject to piracy
The emergence of P2P network structures has led to a proliferation of IP piracy.
PRIVACY
A basic human right is the right to privacy, but this
right is brought into question by Technology.
Accessing individuals' private email conversations and computer records is a violation of privacy
Monitoring people's whereabouts through CCTV, computer monitoring, Mobile GPS.
Computer matching of customer information gained from
different sources.
Collecting telephone number / email addresses etc. to build
customer profiles
INTERNET PRIVACY
One aspect of the internet is anonymity.
Although in reality much of it is very visible and
open to privacy violations.
But precautions can be taken to protect
privacy, such as encryption, authentication
etc. – which we will discuss under the
security topic.
COMPUTER PROFILING
We’ve encountered several examples of
computer profiling / matching during this
course;
Individuals have been wrongly arrested.
Individuals have been denied credit.
Because of being mistakenly identified.
Identity Theft is also possible.
Many countries have introduced, or attempted to introduce, privacy laws to protect people’s privacy.
FREEDOM OF SPEECH /
INFORMATION
Now, competing against the freedom of privacy,
freedom of speech (information and the press), is
another important human right.
People have a right to know about matters that others may
wish to keep private.
With modern communication systems, sharing
opinion (using one's right to free speech) becomes easier;
Flaming
Spamming