8.1

Session 5. 桌面系统 ( 单机）（第 5 章） PC Hardware Software Systems

Session6. 分布式系统（多机）（第 7 章） 计算机网络与 Internet 分布式应用系统 Web 和电子商务 硬软件平台的发展趋势　

Session 7. 管理数据资料 ( 第六章） 数据库 数据创库及数据挖掘

Session 8. 安全与控制（第八章）

PartⅡ信息技术基础设施

8.2

• 学习信息系统安全与控制的作用；• 评估安全与控制的商业价值• 学习安全与控制的组织与管理架构；• 评估保护信息资源的工具与技术

Session 8. 安全与控制

8.3

为什么系统易受攻击）Contemporary Security Challenges and Vulnerabilities

1. 系统的易损与滥用

8.4

• Use of fixed Internet addresses through use of cable modems or DSL

• Lack of encryption with most Voice over IP (VoIP)

• Widespread use of e-mail and instant messaging (IM)

Internet Vulnerabilities:

1. 系统的易损与滥用

8.5

• Radio frequency bands are easy to scan

• The service set identifiers (SSID) identifying the access points broadcast multiple times

Wireless Security Challenges:

1. 系统的易损与滥用

8.6

Wi-Fi Security Challenges

1. 系统的易损与滥用

8.7

• Computer viruses(病毒）• worms（蠕虫）• trojan horses （特洛伊木马）• Spyware(间谍软件）

恶意软件 : Viruses, Worms, Trojan Horses, and Spyware

1. 系统的易损与滥用

8.8

• Spoofing and Sniffers (欺骗与嗅探器）

• Denial of Service (DoS) Attacks(拒绝服务攻击）

黑客与网络破坏形为

1. 系统的易损与滥用

8.9

身份盗窃

1. 系统的易损与滥用

计算机犯罪

8.10

Vulnerabilities from internal threats (employees);

software flaws

1. 系统的易损与滥用

8.11

Worldwide Damage from Digital Attacks

2. 安全与控制的商业价值

8.12

• Inadequate security and control may create serious legal liability.

• Businesses must protect not only their own information assets but also those of customers, employees, and business partners. Failure to do so can lead to costly litigation for data exposure or theft.

• A sound security and control framework that protects business information assets can thus produce a high return on investment.

2. 安全与控制的商业价值

8.13

Security Incidents Continue to Rise

2. 安全与控制的商业价值

8.14

General controls:

• Software and hardware

• Computer operations

• Data security

• Systems implementation process

信息系控制的类型

3. 建立安全与控制的管理架构

8.15

• Input

• Processing

• Output

Application controls:

3. 建立安全与控制的管理架构

8.16

• Determines the level of risk to the firm if a specific activity or process is not properly controlled

风险评估 :

3. 建立安全与控制的管理架构

8.17

• Acceptable Use Policy (AUP)

• Authorization policies

安全政策 :

Policy ranking information risks, identifying acceptable security goals, and identifying the mechanisms for achieving these goals

3. 建立安全与控制的管理架构

8.18

Security Profiles for a Personnel System

Figure 10-5

3. 建立安全与控制的管理架构

8.19

• Downtime: Period of time in which a system is not

operational

• Fault-tolerant computer systems(容错计算机 ):

Redundant hardware, software, and power supply

components to provide continuous, uninterrupted

service

• High-availability computing(高可用性计算机） :

Designing to maximize application and system

availability

确保业务持续性 (Business Continuity)

3. 建立安全与控制的管理架构

8.20

• Load balancing: Distributes access requests across

multiple servers

• Mirroring: Backup server that duplicates processes on

primary server

• Recovery-oriented computing: Designing computing systems to recover more rapidly from mishaps

3. 建立安全与控制的管理架构

8.21

• Disaster recovery planning: Plans for restoration of computing and communications disrupted by an event such as an earthquake, flood, or terrorist attack

• Business continuity planning(商业持续计划） : Plans for handling mission-critical functions if systems go down

3. 建立安全与控制的管理架构

8.22

• MIS audit: Identifies all of the controls that govern

individual information systems and assesses their

effectiveness

• Security audits: Review technologies, procedures,

documentation, training, and personnel

Auditing(审计） :

3. 建立安全与控制的管理架构

8.23

Sample Auditor’s List of Control Weaknesses

3. 建立安全与控制的管理架构

8.24

Access Control（访问控制 )

• Passwords

Authentication:

Access control: Consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders

• Tokens, smart cards

• Biometric authentication（生物认证）

4. 安全与控制的工具与技术

8.25

• Firewalls(防火墙） : Hardware and software

controlling flow of incoming and outgoing network

traffic

• Intrusion detection systems(入侵检测技术） : Full-time

monitoring tools placed at the most vulnerable points

of corporate networks to detect and deter intruders

Firewalls, Intrusion Detection Systems, and Antivirus Software

4. 安全与控制的工具与技术

8.26

• Antivirus software: Software that checks computer

systems and drives for the presence of computer

viruses and can eliminate the virus from the infected

area

• Wi-Fi Protected Access specification

Firewalls, Intrusion Detection Systems, and Antivirus Software (Continued)

4. 安全与控制的工具与技术

8.27

A Corporate Firewall

Figure 10-7

4. 安全与控制的工具与技术

8.28

• Public key encryption: Uses two different keys, one

private and one public. The keys are mathematically

related so that data encrypted with one key can be

decrypted using only the other key

• Message integrity: The ability to be certain that the

message being sent arrives at the proper destination

without being copied or changed

Encryption and Public Key Infrastructure(公钥基础设施）

4. 安全与控制的工具与技术

8.29

密码学研究改变信息和信号的形式以隐弊 ( 加密 ) 或复

现 ( 解密 ) 的学科，即研究如何设计密码体制；

加密技术与Ｐ KI(公钥基础设施）

4. 安全与控制的工具与技术

8.30

按应用技术或历史发展阶段划分• 手工密码

• 第一次世界大战前的密码• 机械密码

• 第一次世界大战至第二次世界大战中得到普遍使用• 电子机内乱密码

• 上世纪 50-70年代• 计算机密码

• 上世纪 70年代以来

4. 安全与控制的工具与技术

8.31

移位密码 (shift)- 手工密码 加密早期的密码体制创始人之一是 Julius Caesar. 假设他要发送如下的明文信息 :gaul is divided three parts

他不想让敌方获取该信息，于是他将每个字母向后移动三位 .JDXOLVVGLYLGHGLQWRWKUHHSDUWV

4. 安全与控制的工具与技术

8.32

解密 解密过程为将字母回移 3 位（并尽量判断如何还原

空格） gaulisdividedthreeparts gaul is

divided three parts

Playfair 和 ADFGX 密码 ( 代替密码体制，替换密码体制

4. 安全与控制的工具与技术

8.33

Enigma- 机械密码轮转机加密设备是 1920 年发明的 , 最著明的设计是德国的 Enigma( 亚瑟 ·谢尔比乌斯 ,Arthur Scherbius 发明 ), 它是第二次世界大战中德国使用的最著明的机器之一 . 具说它非常安全 , 但英国人在二战期间破译了该设备 .

4. 安全与控制的工具与技术

8.34

计算机密码—对称密钥加密算法

DES IDES AES.

4. 安全与控制的工具与技术

8.35

4. 安全与控制的工具与技术

计算机密码—非对称密钥加密算法 - 加密与解密

8.36

4. 安全与控制的工具与技术

计算机密码—非对称密钥加密算法 - 签名与鉴别

8.37

• Digital signature（数字签名） : A digital code attached to an electronically transmitted message that is used to verify the origin and contents of a message

• Digital certificates(数字证书） : Data files used to establish the identity of users and electronic assets for protection of online transactions

• Public Key Infrastructure (PKI-公钥机础设施 ): Use of public key cryptography working with a certificate authority

4. 安全与控制的工具与技术

8.38

• Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS): protocols for secure information transfer over the Internet; enable client and server computer encryption and decryption activities as they communicate during a secure Web session.

• Secure Hypertext Transfer Protocol (S-HTTP): used for encrypting data flowing over the Internet; limited to Web documents, whereas SSL and TLS encrypt all data being passed between client and server.

4. 安全与控制的工具与技术

8.39

Digital Certificates

4. 安全与控制的工具与技术