Dr. Ken Cosh. Outsourcing Managing Information Systems Dependency Reliability Security Ethics


ICS321 MANAGEMENT INFORMATION SYSTEMS

Dr. Ken Cosh

REVIEW

Outsourcing

THIS WEEK'S TOPIC

Managing Information Systems:
- Dependability
- Reliability
- Security
- Ethics

DEPENDABILITY

The dependability of a system reflects the user’s degree of trust in that system – their confidence that it will operate as expected.

Dependability covers:
- Availability: the ability of the system to deliver services when requested
- Reliability: the ability of the system to deliver services as specified
- Safety: the ability of the system to operate without catastrophic failure
- Security: the ability of the system to protect itself against accidental or deliberate intrusion

RELIABILITY AND AVAILABILITY

Reliability: the probability of failure-free system operation over a specified time in a given environment for a given purpose.

Availability: the probability that a system, at a point in time, will be operational and able to deliver the requested services.

It is sometimes possible to subsume system availability under system reliability. Obviously, if a system is unavailable it is not delivering the specified system services. However, it is possible to have systems with low reliability that must be available. So long as system failures can be repaired quickly and do not damage data, low reliability may not be a problem.

WHY IS RELIABILITY IMPORTANT?

Costs of downtime for a business-critical system:
- How much would a 15 minute failure of service cost?
- How much would a day's failure cost?
- What if this was an email service?
- What percent failure is acceptable?

REDUNDANCY

One way of dealing with reliability is to use redundancy: 'spare' components, so if one fails another could be used ('back-ups').

Availability math: if a system is 98% available, that means it is not available 2% of the time (i.e. about half an hour each day!!!).

Many systems now need to be 99.999% available.

COMPONENTS IN SERIES

Consider if each component was 98% reliable, and there were 5 components in series.

0.98 * 0.98 * 0.98 * 0.98 * 0.98 = 0.90, i.e. all components are running only 90% of the time.

With more components, it is increasingly less reliable.

Component 1: 98%
Component 2: 98%
Component 3: 98%
Component 4: 98%
Component 5: 98%

COMPONENTS IN PARALLEL

Now consider these components in parallel.

The probability of failure is 0.02 for each one:

0.02 * 0.02 * 0.02 * 0.02 * 0.02 = 0.0000000032 !!!

Hence, redundancy is used to increase reliability. If one component fails, another can be used in its place.

Component 1: 98%
Component 2: 98%
Component 3: 98%
Component 4: 98%
Component 5: 98%

HARDWARE VS SOFTWARE

Components in parallel is sometimes called 'Triple Modular Redundancy', and it has 2 key assumptions:
- Hardware components do not have common design faults.
- Components fail randomly (there is a low chance of simultaneous failure).

Neither of these assumptions is true for software: copying components copies design faults, so simultaneous failure is inevitable.
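As an added worked example (not from the slides), here is the series, parallel and availability arithmetic above in Python; the `common_mode` parameter and the `copies_needed` helper are my own additions, modelling the shared-design-fault caveat and the 99.999% target.

```python
"""Reliability arithmetic from the slides: components in series, redundant
components in parallel (with the common-design-fault caveat from the hardware
vs software slide), and availability turned into minutes of downtime."""
import math

MINUTES_PER_DAY = 24 * 60
MINUTES_PER_YEAR = 365 * MINUTES_PER_DAY


def series_reliability(reliabilities):
    """Everything in a chain must work, so multiply the reliabilities:
    five 98% components give 0.98 ** 5, roughly 90%."""
    result = 1.0
    for r in reliabilities:
        result *= r
    return result


def parallel_failure_probability(reliabilities, common_mode=0.0):
    """A redundant set fails only when every copy fails, so multiply the
    failure probabilities (0.02 ** 5 for five 98% copies). `common_mode` is an
    assumed extra term: the probability that a shared design fault takes every
    copy down at once (copied software copies its bugs). 0 models hardware
    whose copies fail independently and at random."""
    independent = 1.0
    for r in reliabilities:
        independent *= 1.0 - r
    return common_mode + (1.0 - common_mode) * independent


def parallel_reliability(reliabilities, common_mode=0.0):
    """Probability that at least one copy of the redundant set is working."""
    return 1.0 - parallel_failure_probability(reliabilities, common_mode)


def downtime_minutes(availability, period_minutes=MINUTES_PER_DAY):
    """The unavailable fraction (1 - A) as minutes of the chosen period:
    98% is about 29 minutes a day, 99.999% is about 5 minutes a year."""
    return (1.0 - availability) * period_minutes


def copies_needed(component_reliability, target_availability):
    """Smallest number of independent parallel copies whose combined failure
    probability is no more than the target's allowed unavailability."""
    allowed_failure = 1.0 - target_availability
    per_copy_failure = 1.0 - component_reliability
    return math.ceil(math.log(allowed_failure) / math.log(per_copy_failure))
```

Note how a 1% common-mode fault swamps the 0.0000000032 independent figure: redundancy buys nothing against a bug that every copy shares.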

SOFTWARE RELIABILITY THROUGH DIVERSITY

N-Version Programming: different (diverse) versions of algorithms written by different teams of programmers.

[Diagram: Version 1, Version 2 and Version 3 (the N versions) all feed an output comparator, which produces the agreed result.]

99.999% RELIABILITY

Before reaching '5 nines' reliability / before implementing redundant components, each component needs to be reliable (98%?):
- UPS (Uninterruptible Power Supply)
- Redundancy in power
- Physical security / guards
- Climate control / fire suppression
- Redundant network connectivity
- Help desk & support staff

INFORMATION SYSTEMS SECURITY

So why is information systems security important?

POTENTIAL THREATS

- Intrusion
- Viruses / Worms
- External Attacks
- Interception

THREATS

- Intrusion: gaining access to internal infrastructure
- Viruses / Worms: replicating software
- External Attacks: denial of service
- Interception: catching communication while en route between sender and receiver

INTRUSION

Gaining access to internal infrastructure:
- Stealing a mobile phone
- Guessing passwords
- Hacking into private spaces

Once a hacker has access to an account, they have the same rights as the account owner.
- Problem 1: preventing the hacker from accessing the account.
- Problem 2: finding out what someone may have done while they had access.

VIRUSES / WORMS

Virus: a software program that replicates itself onto more PCs, in a similar way to viruses spreading between people.
- Viruses need another program to piggyback off, e.g. a macro in a spreadsheet or document.
- They are often spread using email.

Worms: a small piece of software that uses security loopholes to replicate.
- E.g. it finds a loophole in Windows, scans the network for another PC with a similar loophole, copies itself to the new PC, etc.

EXTERNAL ATTACKS

Attacks without gaining access to a private device.

Denial of Service (DoS): very common attacks. Purpose: to use up bandwidth or service by 'spoof' conversations.
- Blocking web servers with repeated hits
- Spam emails
- Distributed Denial of Service (DDoS): attacking from many addresses simultaneously
- Code Red Worm
- Chain letters

INTERCEPTION

Catching communication whilst en route between sender and receiver.
- Intercepting signals: wireless signals, government listening in on telephone conversations. Normally minimised through encryption.
- Accessing someone else's service: using the bandwidth of a wireless network.

IMPROVING SECURITY

- Security policies: limiting users' access & actions
- Firewalls: protection between network and internet
- Authentication: passwords etc.
- Encryption: encoding the contents of communication
- Patches: responding to security breaches

SECURITY POLICIES

Access Control Lists (ACL): limit which users can do what (e.g. update websites).

Signed agreements for service: when allowing users onto a network, normally they sign an agreement regarding terms of use. Noticeably none at Payap?

Policies could include:
- Regular password changes
- Whether personal use of the service is permitted
- Antivirus updates

Can help against external attacks, intrusion, viruses / worms.

FIREWALLS

Hardware and / or software protection sitting between the internal network and the internet.

Can help stop viruses/worms from accessing the network.

AUTHENTICATION

Software to ensure the user has permission to access a service:
- Passwords
- Fingerprints / retina scans

Helps against intrusion.

ENCRYPTION

Encoding the contents of a transmission so it can't be decrypted en route.
- Symmetric-key encryption
- Public / private key encryption

Helps prevent interception.

SYMMETRIC KEY ENCRYPTION

Both sender and receiver use the same 'code' to encrypt and then decrypt a message. If I tell you to move each character back two in the alphabet, and then send you this message:

Jgnnq Encuu

anyone who intercepts the message gets nothing, but you are able to decrypt it.

More interesting patterns can be created to increase security:
- Substitution
- Transposition

Key: FANCY
Message: eatitnihmexnetmgmedt

DECODING
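As an added example (not from the slides), here is the decoding of both symmetric-key examples in Python: the two-place shift behind 'Jgnnq Encuu' and the keyed transposition behind key FANCY. I assume the transposition is a columnar one that writes the message in rows under the key and reads the columns out in alphabetical key order, which is the reading that yields a sensible plaintext; the brute-force helper is my addition showing why a bare shift is weak.

```python
"""Worked decoding of the two symmetric-key examples on the slides: the
Caesar shift behind 'Jgnnq Encuu' and the keyed columnar transposition behind
key FANCY / message eatitnihmexnetmgmedt (assumed to read the columns out in
alphabetical key order)."""

def caesar_shift(text, shift):
    """Shift every letter by `shift` places (negative = back), keep case and
    leave non-letters alone. The same routine encrypts (+k) and decrypts (-k)."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def caesar_brute_force(ciphertext):
    """All 25 possible plaintexts: the key space is so small that an
    interceptor can simply try them all, which is why a plain shift is weak."""
    return {k: caesar_shift(ciphertext, -k) for k in range(1, 26)}

def _column_order(key):
    """Column indices in the order the key's letters sort (ties keep position)."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))

def columnar_encrypt(plaintext, key):
    """Write the text row by row under the key, read it out column by column.
    Assumes the text length is a multiple of the key length (the slide shows
    no padding)."""
    n = len(key)
    assert len(plaintext) % n == 0, "pad the plaintext to a whole grid first"
    rows = [plaintext[i:i + n] for i in range(0, len(plaintext), n)]
    return "".join(row[c] for c in _column_order(key) for row in rows)

def columnar_decrypt(ciphertext, key):
    """Refill the columns in key order, then read the grid back row by row.
    For the slide's key and message this gives 'meetmeatnextmidnight'."""
    n = len(key)
    assert len(ciphertext) % n == 0, "ciphertext must fill a whole grid"
    depth = len(ciphertext) // n
    columns = [""] * n
    for k, c in enumerate(_column_order(key)):
        columns[c] = ciphertext[k * depth:(k + 1) * depth]
    return "".join(columns[c][r] for r in range(depth) for c in range(n))
```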

PATCHES

Response to a virus or security breach.
- Antivirus software often updates to add new virus definitions.
- Operating systems regularly update to deal with security loopholes which may allow worms to work.

ETHICAL & SOCIAL IMPACT

“The use of information technologies in business has had major impacts on society and thus raises ethical issues in the areas of crime, privacy, individuality, employment, health and working conditions.”

Impacts can be positive, negative or both: computerising a manufacturing process has led to people losing jobs, while improving the working conditions of those left and producing a higher quality product at less cost.

MANAGING ETHICALLY

- Should you monitor employees' email?
- Should employees use work computers for private purposes?
- Should they take copies of software home?
- Should you keep electronic access to employees' personal records?
- Should you sell customers' information?

BUSINESS ETHICS

Stockholder Theory: managers are agents of the stockholders, with the ethical responsibility to them to increase profits without breaking the law.

Social Contract Theory: companies have an ethical responsibility to all members of society.

Stakeholder Theory: managers should manage for the benefit of all stakeholders; shareholders, customers, suppliers, local community, employees etc.

COMPUTER CRIME

1. Unauthorised use, access, modification and destruction of hardware, software, data or network resources.
2. Unauthorised release of information.
3. Unauthorised copying of software.
4. Denying an end user access to his or her own hardware, software, data or network resources.
5. Using or conspiring to use computer or network resources to illegally obtain information or tangible property.

A HACKER’S TOOLKIT

- Denial of Service (DoS / DDoS)
- Scans
- Sniffers
- Spoofing
- Trojan Horses
- Back Doors
- Malicious Applets
- War Dialing
- Logic Bombs
- Buffer Overflow
- Password Crackers
- Social Engineering
- Dumpster Diving

UNAUTHORISED USE AT WORK

Time and resource theft (cyberslacking), often monitored by sniffing software. Includes:
- General email abuse (spamming, chain letters, spoofing, virus spreading, harassment, defamatory statements)
- Unauthorised usage and access (sharing passwords and network access)
- Copyright infringement / plagiarism (illegal or pirate software, copying websites or logos)
- Newsgroup postings (posting non-work-related topics)
- Transmission of confidential data (sharing company secrets)
- Pornography (accessing inappropriate websites on work resources)
- Hacking
- Non-work-related bandwidth use (sharing movies, music etc.)
- Leisure use (online shopping, chatting, gambling)
- Usage of external ISPs (avoiding detection by using an external ISP)
- Moonlighting (using company resources for personal business)

PIRACY

Software piracy: unauthorised copying of software. Alternatives include site licenses, shareware or public domain software.

IP piracy: intellectual property is also subject to piracy. The emergence of P2P network structures has led to a proliferation of IP piracy.

PRIVACY

A basic human right is the right to privacy, but this right is brought into question by technology.
- Accessing individuals' private email conversations and computer records is a violation of privacy.
- Monitoring people's whereabouts through CCTV, computer monitoring, mobile GPS.
- Computer matching of customer information gained from different sources.
- Collecting telephone numbers / email addresses etc. to build customer profiles.

INTERNET PRIVACY

One aspect of the internet is anonymity, although in reality much of it is very visible and open to privacy violations. But precautions can be taken to protect privacy, such as encryption, authentication etc., which we will discuss under the security topic.

COMPUTER PROFILING

We've encountered several examples of computer profiling / matching during this course:
- Individuals have been wrongly arrested.
- Individuals have been denied credit.
Both because of being mistakenly identified.

Identity theft is also possible. Many countries have introduced privacy laws to protect people's privacy, or have attempted to.

FREEDOM OF SPEECH / INFORMATION

Now, competing against the freedom of privacy, freedom of speech (information and the press) is another important human right. People have a right to know about matters that others may wish to keep private.

With modern communication systems, sharing opinion (using one's right to free speech) becomes easier:
- Flaming
- Spamming

MANAGEMENT'S ETHICAL CHALLENGES

Employment: the introduction of IS/IT has created many new jobs, while at the same time eliminating some. How do we ethically introduce job-cutting systems?

Computer monitoring: how can we weigh up our employees' right to privacy against the desire to monitor computer usage (as a way of managing employees' work)?

MANAGEMENT'S ETHICAL CHALLENGES

Working conditions: while IS/IT has removed many repetitive, monotonous tasks, often the human role has changed from one of a craftsman to one of a machine regulating a machine.

Individuality: many IS/IT systems remove the individual treatment of people by imposing strict, uncustomisable procedures. Rather than dealing with customers individually, we are constrained by the capabilities of the system.