Info Systems Final


privacy considerations (bad assumptions)

-"only people who do bad things care about privacy"
-"there is an implicit bargain, if you are willing to render yourself sufficiently harmless, then, and only then, can you be free of dissident behavior and are willing to be monitored any time"

trust seals/Privacy Seals

-EX of trust seal: Privacy Seals: an attempt by companies at self-regulation regarding privacy of consumers and company verification
-purpose: demonstrate to customers that the business is concerned with security, and therefore also privacy, and that it wants its business identity verified

components required for effective BI and analytics

-existence of a solid data management program, including data governance
--data governance defines the roles, responsibilities, & processes for ensuring that data can be trusted & used by the entire organization
-creative data scientists
-management team: must have a strong commitment to data-driven decision making

decision making applied to killer robots

-intelligence:
--identify & clearly define problem; centralization of power in use of automated killer robots
--determine requirements & goals; minimum is transparency (requirement); ideal is treaty specifying accountability (goal)
-design:
--identify alternatives (public sentiment sought & honored, then bills & treaties developed that specify alternatives)
--define the criteria (policing robots present, app notifying of presence of killer robot)
--select a decision making technique/tool (system that categorizes & summarizes all info, ranking alternatives according to criteria)
-choice:
--evaluate alternatives using criteria (best if a weighing of criteria, when there are many factors)
--check if a solution solves the problem (continual monitoring of situation)

Edward Snowden

-Snowden, a contracted system administrator, stole 1.7 million documents and initially released only a few hundred
-he did this by assuming the identity of those with higher security clearance & then copying files onto a thumb drive; he reached out to a journalist in late 2012 & released documents in 2013
-The Guardian & Washington Post won the Pulitzer Prize for Public Service for publishing the documents that Edward Snowden made available

Examples of update anomaly, insertion anomaly, & deletion anomaly

-update: what if the name of the project PPV5678 is changed to sludge disposal?
-insertion: what if a new project is negotiated when there is no employee assigned to it yet? What if a new employee joins who is not yet assigned to any project?
-deletion: what if Judy resigns from her job? What happens to the sludge floatation and NO generation projects?

data mining

-a BI analytics tool used to explore large amounts of data for hidden patterns to predict future trends & behaviors for use in decision making
-Cross-Industry Process for Data Mining (CRISP-DM): a six-phase structured approach for the planning & execution of a data mining project
-commonly used data mining techniques: association analysis, neural computing, case-based reasoning

national security agency (NSA)

-a U.S. intelligence agency responsible for providing the US government with encrypted communication (information assurance) and the reading of encrypted communications (signals intelligence) of other nations
-the NSA also creates and maintains secure computer network operations for the US govt and prepares network warfare
-originating as a unit to decipher coded communications in WWII, the NSA was officially formed by President Truman in 1952
-since then it has become one of the largest US intelligence organizations in terms of personnel and budget, operating under the jurisdiction of the Dept of Defense & reporting to the Director of National Intelligence

panopticon effect

-a circular prison with cells arranged around a central wall, from which prisoners could at all times be observed

online analytical processing (OLAP)

-a method to analyze multidimensional data from many different perspectives
-OLAP enables users to identify issues & opportunities & perform trend analysis
-data cubes: contain numeric facts called measures, which are categorized by dimensions, such as time & geography; can be built to summarize unit sales of a specific item on a specific day for a specific store
-manipulation of information to create business intelligence in support of strategic decision making

second normal form (2NF)

-a model is in 2NF if:
--it is in 1NF and
--for every instance of an entity having a PK with 2 or more components, each attribute of the instance is completely determined by the totality of the instance's PK, not just by some of its components
-to put an ERD into 2NF, add another entity & a 1:M relationship to it
-*when there is a concatenated PK, each instance attribute is completely dependent upon all PK components*

Third Normal Form (3NF)

-a model is in 3NF if:
--it is in 2NF and
--for every instance of an entity, each secondary attribute is dependent only on the PK, not on any other secondary attribute
-to put an ERD into 3NF: add another entity & a 1:M relationship if dependent on a secondary attribute (which is not an FK), or move the attribute to the other entity if dependent on an FK
-a secondary attribute is an attribute that is not the PK
-*each instance attribute is dependent only on the PK and not on a secondary attribute*

benefits of normalization

-a model that better represents the actual business situation
-a model with less redundancy in the data
-a model which allows easy update of data
-a model that allows for accurate query results

pros/cons analysis (decision making techniques)

-a non-mathematical technique where you simply list the advantages & disadvantages for each alternative (weakest method)

enterprise resource planning (ERP)

-a set of integrated programs that manage a company's vital business operations for an entire organization
-EX: manage production & supply chain management, customer relationship management & sales ordering, financial & managerial accounting

Gramm-Leach-Bliley Act

-also known as the Financial Services Modernization Act of 1999
-an act that repealed part of the Glass-Steagall Act of 1933, removing barriers in the market among banking companies, securities companies and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company
-with the passage of this act, commercial banks, investment banks, securities firms and insurance companies were allowed to consolidate
-failed to give the Securities and Exchange Commission (SEC), or any other financial regulatory agency, the authority to regulate large investment bank holding companies
-GLBA compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats to security & data integrity

USA Patriot Act

-an act of Congress that was signed into law by President George W. Bush on October 26, 2001
-title of the act is a 10-letter backronym (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001)
-Obama signed a 4-year extension of 3 key provisions:
1. roving wiretaps: meaning the wiretap follows the surveillance target
2. searches of business records: the "library records provision"
3. conducting surveillance of lone wolves: individuals suspected of terrorist-related activities not linked to terrorist groups

why centralization of power?

-an assumption is that democracy is preferable to autocratic and/or terrorist govts
-an assumption is that too much power in an immoral person's hands could bring extensive harm to many people
-left unregulated, drone attacks open the door to plausible deniability, which could encourage rogue attacks by a few individuals that could impact many
-potentially, specific people/groups could easily be targeted by a relatively few individuals
-modern societies are more vulnerable to robot attacks because of data dependency

enterprise systems

-an enterprise system is central to individuals and organizations of all sizes
--ensures that information can be shared across all business functions and all levels of management
-businesses rely on enterprise systems to perform daily activities in areas such as: product & supply distribution, sales & marketing, human resources, manufacturing, accounting & taxes

verichip

-an injectable identification chip that can be inserted under the skin of a human being to provide biometric verification
-marketed as a universal means of identification, intended for use in a variety of settings, including financial & transportation security, residential and commercial building access, and military & govt security
-the customer's arm or hand is implanted with a glass chip about the size of a grain of rice, containing a unique verification number
-when activated by a VeriChip scanner, that number is emitted as a small radio frequency signal, providing instant access to information logged in the Global VeriChip Subscriber (GVS) registry

data analytics

-analyze results
-communicate findings
-use findings for program improvement
-aim for a systematic effort
-keep your audience in mind
-pay attention to the usability of your evaluation report

Apple and Google encryption & users

-Apple & Google have started letting users encrypt their mobile devices on both iOS and Android with private encryption keys
-Apple & Google say they won't be able to unlock the device's data w/o the user's cooperation
-the Obama administration initially was fine with that, but recent terrorist attacks have triggered efforts to require companies to make it possible to break encryption if served with a court order

3. create access database

-be careful you know where you save database when you create it

maintaining boundaries (why privacy?)

-boundaries are both physical & informational

trust (why privacy?)

-breaches of confidentiality are breaches of trust

transaction processing systems (TPSs)

-capture & process detailed data necessary to update the organization's records about fundamental business operations
-include order entry, inventory control, accounts payable, accounts receivable, general ledger, etc
-a TPS provides valuable input to:
--management info systems
--decision support systems
--knowledge management systems
--executive info systems

strategic planning

-choosing the organization's objectives
-deciding how to achieve objectives
-predicting the future
-executive info systems

9. add table relationships

-click the Database Tools tab
-select Relationships
-add all tables, both parent and child, that you created
-when setting joins, be sure to drag from the parent to the child, where the field's instance values can exist once in the parent entity and multiple times in the child entity
-be sure to set referential integrity

paired comparisons (decision making techniques)

-compare pairs of alternatives to find the "winning" alternative
--single elimination: only one moves forward after each comparison
--thorough comparison: takes into account all comparisons; after filling in the chart, choose the one with the most wins (highest score)

key features of a CRM system include

-contact management
-sales management
-customer support
-marketing automation
-analysis
-social networking
-access by smartphones
-import contact data

trust seals

-convey a dedication to good security practices or the use of secure methods for transactions
-verify you are dealing with the real company
-can come in a variety of forms, including data security seals, business verified seals, and privacy seals, and are available from a variety of companies for a fee

aspects to information privacy

-crime concerns
-security/safety concerns
-personal confidentiality concerns
-protecting certain parties like children
-guarding societal freedoms
-protecting a nation from war or terrorism
-risk of monetary gain at the expense of others

online transaction processing (OLTP)

-data processing in which each transaction is processed immediately
-at any time, the data in an online system reflects the current status
-many organizations find that OLTP enables them to provide faster, more efficient service

quantitative data

-data that is numerical, counted, or compared on a scale
--demographic data
--answers to closed-ended survey items
--attendance data
--scores on standardized instruments

data visualization tools

-data visualization: presentation of data in a pictorial or graphical format
-representing data in visual form brings immediate impact to dull and boring numbers
-word cloud: a visual depiction of a set of words that have been grouped together b/c of the frequency of their occurrence
-conversion funnel: graphical representation that summarizes the steps a consumer takes in making the decision to buy a product & become a customer
-scatter diagram: a graph in which the values of 2 variables are plotted along two axes, the pattern of the resulting points revealing any correlation present

unstructured or non-programmed decisions

-decisions that are novel, that do not have a pre-existing procedure
-EX: decision to introduce a new smartwatch by an electronics company
--Executive Information System (EIS): where to locate a new manufacturing facility

structured or programmed decisions

-decisions that are routine & repetitive & often have a well-defined procedure
-EX: manager of a fast food restaurant needs to decide on the number of buns to buy
--target output: ensure a low probability (<5%) that the restaurant runs out of buns tomorrow
--input: potential # of buns needed (decision variable)
--process info: effect of the day of the week & month on sales, effect of local events on sales
--manager could program a spreadsheet that would output the probability of a stockout given a certain # of buns each day

semi-structured decisions

-decisions that have some elements that are structured and other elements that are unstructured
--EX: planning annual compensation for employees in a large company
--Decision Support System (DSS): routes driven by Federal Express vehicles

types of analytics

-descriptive (describing the past)
-predictive (building models that help predict the unknown future)
-prescriptive (building models that help predict the best course of action)

benefits achieved from BI and Analytics

-detect fraud
-improve forecasting
-increase sales
-optimize operations
-reduce costs

NSA prism system

-enables deputizing of corporate America for surveillance of Americans
-when companies like Yahoo protested, asking for a warrant process instead, the NSA went before a secret court; Yahoo lost and had to cooperate

operational control

-ensuring efficient, effective conducting of tasks
-ensuring processes are well-maintained, followed & tight
-transaction processing systems

managerial control

-ensuring efficient, effective use of resources
-detailed plan & enactment of achieving objectives
-continual oversight
-management info systems

First Normal Form (1NF)

-for every instance of an entity, each attribute of the instance is completely determined by the instance's PK
-1NF holds when there are no instance attributes that have multiple values
-to put an entity into 1NF, add another entity and a 1:M relationship to it
-*each instance is completely dependent upon the PK*

business analytics can be used to:

-gain a better understanding of current business performance
-reveal new business patterns & relationships
-explain why certain results occurred
-optimize current operations
-forecast future business results

FIPP

-guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace
-the FIPP principles provide guidance for how to deal specifically with personal information

customer relationship management (CRM) system

-helps a company manage all aspects of customer encounters, including marketing, sales, distribution, accounting, customer service
-goal: to understand & anticipate the needs of current & potential customers
-used primarily in sales, marketing, and service organizations
--to capture & view data about customers & to improve communications
-CRM software: automates & integrates functions of sales, marketing, & service in an organization

neural computing

-historical data is examined for patterns that are then used to make predictions

case based reasoning

-historical if-then-else cases are used to recognize patterns

reputation management (why privacy?)

-how we are judged by others affects our opportunities, friendships, and overall well-being

decision making process

-identifying the problem: includes describing both where you are now & where you want to be; requires being careful not to confuse problems with symptoms
-determining the requirements & goals: understanding the difference between them; requirements are minimally accepted solutions (must haves); goals are ideal solutions (like to haves)
-identifying alternatives: a method to transform the current condition into the desired condition or state (brainstorming, nominal group technique)
-determining the criteria: finding objective measures of the requirements & goals; each criterion must be independent of the other criteria, and each requirement/goal must be represented by at least 1 criterion

7. continue creating all tables

-if a new PK was added to a table, you must bring that table into query design view & add joins, in order to add a new table that includes this new primary key field as a join field. Be sure to drag from the parent to the child entity to create a temporary join before performing the make table query
-be sure to start with the parent entities first & work toward making the child entities. If you do not do this, you will not have the foreign key values in place to accurately create the child entities

respect for individuals (why privacy?)

-if a person has a reasonable desire to keep something private, it is disrespectful to ignore that person's wishes

business intelligence (BI)

-includes a wide range of applications, practices, & technologies for the extraction, transformation, integration, visualization, analysis, interpretation, & presentation of data to support improved decision making
-querying, reporting, OLAP, and alerts can answer questions such as what happened, how many, how often, where the problem is, & what actions are needed
-data used in BI is often pulled from multiple sources & may come from sources internal & external to the organization; it can be used to build large collections of data called data warehouses, data marts, & data lakes

decision making process phases

-intelligence:
--becoming aware that change to the current state is needed
--may be systems that alert to a potential problem
--determine requirements/goals of corrective action
--identify & clearly define problem
-design:
--developing alternative approaches to resolution
--determining methodology as to how selection will be made
--define criteria
-choice:
--gathering data & converting it to information
--applying decision making methodology
--making decision
--follow up to verify results
--evaluate alternatives using criteria

drill down analysis

-involves the interactive examination of high-level summary data in increasing detail to gain insight into certain elements
-EX: in reviewing the worldwide sales for the past quarter, the VP of sales might want to drill down to view the sales for each country

business analysis

-a set of tasks & techniques used to work as a liaison among stakeholders in order to understand the structure, policies, & operations of an organization, and to recommend solutions that enable the organization to achieve its goals

conversion funnel

-key steps in converting a consumer to a buyer

1. creating ERD

-look at the Excel worksheet & identify entities
-sketch the ERD
-be sure that all Excel columns are included as an attribute in an entity, unless not needed in the database
-be sure that the ERD is normalized to 3NF
-*mark on the ERD all parent entities & child entities so you know the order in which to create the tables once working in Access. You must create all parent entities before their child entities*

linear regression

-mathematical technique for predicting the value of a dependent variable based on a single independent variable and the linear relationship between the 2
-consists of finding the best-fitting straight line through a set of observations of the dependent & independent variables
-key assumptions:
--a linear relationship between the ind (x) & dep (y) variables must exist
--errors in the prediction of the value of Y are distributed in a manner that approaches the normal distribution curve
--errors in the prediction of the value of Y are all independent of one another

dashboards

-measures are metrics that track progress in executing chosen strategies to attain organizational objectives & goals
-these metrics are also called key performance indicators (KPIs) and consist of a direction, measure, target, & time frame
-provide rapid access to information in an easy to interpret & concise manner
-provide users at every level of the organization the info they need to make improved decisions
--EX: for a university: increase (direction) the five-year graduation rate for incoming freshmen (measure) to at least 80 percent (target) starting with the graduating class of 2022 (time frame)

modality

-minimum number of times that an instance of an entity can be associated with instances of another entity

overall steps excel to access

-most often when moving data from Excel to Access you are moving from a flat data file to a relational database
-an Excel workbook may not be completely flat (multiple worksheets of data), but you treat them as separate flat data files or combine them into one worksheet before moving them into Access
-the prep work should be done to the Excel workbook before you start the import to Access
-carefully plan what the final database will look like by creating an ERD in 3NF with entity attributes that correspond to all needed data columns in the Excel workbook, prior to completing the port to Access

financial privacy rule

-must communicate with users about how information is shared, and give chance to opt out

qualitative data

-narratives, logs, experiences
--focus groups
--interviews
--open-ended survey items
--diaries & journals
--notes from observations

8. add primary keys

-once all tables have been created, go back to table design view & designate the primary keys
-the reason this was not done before is that it can create problems when performing the make table query; the issue is that an auto-number data type is moved in as a secondary attribute
-you may have to change the new PK data type to number, and after creating the child entity, change the type back to auto-number. This occurs when you have 2 foreign keys added to a child entity & Access will not allow you to create a table with 2 auto-number data types

limit on power (why privacy?)

-privacy is a limit on government power & companies. the more someone knows, the more power they can have over us

data analytics

-process of inspecting, cleaning, transforming, & modelling data
-discovering useful information
-suggesting conclusions &
-supporting decision making
-science of examining raw data with the purpose of drawing conclusions about that information

safeguards rule

-requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue, protecting clients' nonpublic personal info

descriptive analysis

-set of techniques that describe what has happened in the past
-EX: data queries, reports (income statement), descriptive statistics (mean), data visualization (charts), what-if Excel models, data dashboards (collections of items such as tables, charts, ...)

predictive analytics

-set of techniques that use models constructed from past data to predict the future or ascertain the impact of one variable on another
-EX: linear regression (models to help predict one variable based on one or more other variables), time series analysis & forecasting (using data to make forecasts of the unknown future), data mining (reveal patterns & relationships in data)

prescriptive analytics

-set of techniques to indicate the best course of action; what decision to make to optimize the outcome
-EX: optimization models (math model that gives the best decision, like "Solver" in Excel), simulation (use native Excel functions to create), decision analysis
-advanced analytics (predictive analytics & prescriptive analytics)

privacy policy/statement

-statement that describes what the organization's practices are
-the information contained in the privacy policies of companies usually follows the Fair Information Practice Principles (FIPP) set forth by the Federal Trade Commission (FTC)

organizational levels of decision making

-strategic planning (more unstructured decisions)
-managerial control (more semi-structured decisions)
-operational control (more structured decisions)

surveillance drones

-the US Federal Aviation Administration started registration of "small Unmanned Aircraft--better known as drones"

information privacy/privacy of information

-the confidentiality of the information collected by organizations about individuals who use their services or who are part of the organization
-everyone should be concerned about: their own information privacy; the privacy of customers, employees, business partners, students, parents, children; basically all those who are associated in any way
-the 3rd Reich killed people b/c of data collected on them. Nations like Belgium & France required registration; the Nazis came in, took the data & killed people of certain religions

associative entities

-the relational database model does not offer direct support for many-to-many relationships, even though such relationships happen frequently in the realm that is being modeled
-an associative entity is added to the ERD model to resolve a many-to-many relationship between 2 entities
-an associative entity is a relationship turned into an entity
-also called an intersection entity or a linking table

business analytics (BA)

-the extensive use of data and quantitative analysis to support fact-based decision making within organizations
-skills, technologies, applications, & practices for continuous iterative exploration & investigation of past business performance to gain insight & drive business planning
-focuses on developing new insights & understanding of business performance based on data & statistical methods
-continuous iterative exploration of past business performance to gain insight & drive business planning
-BI + an additional level of functionality (forecasting, regression, & modeling)
-can answer questions like why is this happening, what if these trends continue, what will happen next

cardinality

-the maximum number of times that an instance of an entity (table) can be associated with instances of another entity (table)
-mandatory cardinality: EX: a patient entry cannot be added unless a patient history entry is added at the same time

cardinality constraints

-the number of instances of 1 entity that can or must be associated with each instance of another entity
-minimum cardinality: if 0, then optional; if one or more, then mandatory
-maximum cardinality: the maximum number of associated instances (the "many" side)

government privacy regulations

-there are specific situations where governments have created regulations to protect information privacy, as well as to invade the privacy of those residing in the country who are suspects
-USA Patriot Act of 2001
-Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)
-Family Education Rights & Privacy Act (FERPA)
-Children's Online Privacy Protection Act of 1998 (COPPA)
-Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Batch processing system

-traditional transaction processing methods & objectives
-business transactions are accumulated over a period of time & prepared for processing as a single unit or batch
-essential characteristic: the delay between an event and its reflection in the organization's records

predictive analytics

-variety of techniques
-uses current and historical facts to make predictions about the future
-used in actuarial science, marketing, financial services, insurance, telecommunications, retail, travel, healthcare, pharmaceuticals

numbered steps in excel to access

1. Look at the data and figure out the ERD
2. Clean and prepare worksheet in Excel for move to Access
3. Create a blank Access database
4. Import worksheet from Excel to a single Access table (Raw Data Table)
5. Create entity tables from Raw Data Table using Make Table Query
6. Add, if needed, a primary key field to table; and set data types, input masks, validation rules & text in the table
7. Continue this process until all entity tables are created
8. Designate all primary keys after all tables have been created
9. Add table relationships once tables are completely designed

2. cleaning data in excel

1. clean data, fix errors, remove duplicates, remove spaces
2. separate non-atomic data (multiple values in one cell)
3. prepare headers as field names, with no spaces
4. be sure all values are consistent in a column, no mixed data types in a column
5. remove rows of sub-headings, etc
6. delete a few columns & rows surrounding the block to be sure that no extraneous things get included in the move area
7. when combining databases, be sure notations are consistent; if they are not, fix them in Excel prior to the port into Access
-EX: in one place state names are spelled out & in another place they are abbreviated
-use the TRIM function to remove leading, trailing & multiple embedded spaces
-remove non-printing characters

6. finish setting up table

-go to table design view
-add a new field with auto-number to be the primary key, if needed, b/c you do not want text phrases as PK values
-set data types & size
-add input masks as needed
-add validation rules & validation text as needed
-add field descriptions

reasons SDLC fails...

-lack of user involvement
-lack of management involvement
-lack of clear scope of what the system is to do
-attempting to automate an ill-defined process
-SDLC process not well documented
-underestimated complexity of functionality
-trying to hit a moving target with an inelastic design
-cultural resistance to change, so the new IS is not accepted
-inadequate software testing

limiting access

-limiting access to information reduces the threat against it
-access must be limited for a subject (a person or a computer program running on a system) to interact with an object (a computer or a database stored on a server)
-the amount of access granted to someone should be limited to what that person needs to know to do their job

common uses of cookies

-logging in to web sites such as yahoo or gmail, personalized Web pages on E-commerce Web sites, personalized advertisements on websites

why use e-commerce

-low entry cost
-reduces transaction costs
-access to the global market
-secure market share
-ability to conduct business 24x7

GLBA major components

-major components put in place to govern the collection, disclosure, and protection of consumers' nonpublic personal information, or personally identifiable information, include:
--financial privacy rule
--safeguards rule
--pretexting (social engineering) protection

data table

-a one-variable data table allows you to compute the result of a formula for various values of an input
-for example, we may want to compute the monthly payments for a 30-year loan for various loan amounts between 185,000 and 220,000 (increasing in steps of $5000)
-a Data Table allows you to quickly answer what-if questions by creating a lookup table that maps various input values of a formula to the corresponding output values of the formula

confidentiality

-only those authorized have access -the ability to keep data secret and viewable only by authorized parties

risk

-overall exposure experienced by a network or business

threat agent

-person, process, or host used to wage a threat

online forms

-populates forms quickly from past info that has been entered and saved on your computer

cookie privacy settings and cookie managers

-privacy settings within a browser can help protect data -cookie managers can be available to delete unwanted or dangerous cookies

threat

-procedure used to exploit a vulnerability

analysis phase - process modeling

-process modeling creates data flow diagrams (DFD) -it is an analysis & design technique that describes how processes transform inputs into outputs, and how the data flows between the processes -helps to convey what the system presently does and what changes are being requested -general term for these diagram techniques is modeling & general term for the output of various techniques is schematics

encryption

-process of converting readable data into unreadable characters to prevent unauthorized access -the process of encoding messages before they enter a communication channel such that, while in transit, the messages cannot be decoded without special information (key) -the basic objective of encryption: message should remain secure even if the message is captured by a 3rd party

ERD (entity relationship diagram)

-process of creating an ERD is called database modeling -ERD does not show how data is converted or processed into information in an information system -ERD shows the relationships between the data

normalization

-process that enables a database designer to eliminate design problems by decomposing (or reorganizing) the existing table structures -step by step process -has several levels of normalization (we consider first, second and third levels; 1NF, 2NF...)

authentication

-process used to identify an agent requesting the use of resources -determining identity via a trusted process

prototype (design/development phase)

-proof of concept -a working model of the proposed system, user interface without the guts actually working -prototypes have inadequate or missing documentation -users tend to embrace the prototype as a final system -should not eliminate or replace activities with a prototype

SSL/TLS (secure socket layer/transport layer security)

-protocols that implement encryption that ensures secure communication between 2 computers (e.g., between a browser and a web server) -this uses encryption behind the scenes, users may not even realize what is going on

cryptography

-provides techniques for assuring the security of information as it flows through a communication channel -may be used for sending secret or private messages, digital signatures, etc -an old field of study & its use can be found in ancient civilizations (Egyptian, Greek, Roman) -implemented using encryption

shopping mall model

-provides wider selection of products and services -customers can purchase items from many stores in a single transaction --offers speed and adds convenience -www.mall.com -www.shopnow.com

authentication methods

-proving what you know: most common is password -showing what you have: physical item: smart cards, digital certificate -demonstrating who you are: based on some physical, genetic, or human characteristic; enabled via biometrics -identifying where you are: weakest form of authentication; identity determined based upon location (IP address)

maintenance or operational phase

-purpose: to provide ongoing assistance for an information system and its users after the system is implemented -perform maintenance activities -monitor system performance -assess system security

Confidentiality (HIPAA)

-relates to the right of an individual to the protection of their health information during storage, transfer, and use, in order to prevent unauthorized disclosure of that information to 3rd parties

disintermediation

-removal of the intermediary (middleman) in a sale -companies can sell directly to customers (retail or wholesale) with assistance using the internet -EX: airlines selling directly to flyers without a travel agent or customer service representative

non-repudiation

-repudiation= an illicit attempt to deny sending or receiving a transaction --EX: a user sending an email to another user; web session in which a purchase is made; a network host is sending a series of port scans to a remote server -non-repudiation= the ability to prove that a transaction has, in fact, occurred --it is made possible through signatures (digital & physical), encryption, logging of transactions

conventional currency vs cryptocurrency

-similarity to Gold Standard USD: finite amount -Similarities to Fiat Money USD: no intrinsic value (not redeemable for any mineral, etc); purchasing power fluctuates -unique qualities: no physical form; not "legal tender"; supply not determined by central bank; peer-to-peer (no intermediaries); algorithm determines creation of new BTCs

malware

-stands for "malicious software" -it takes many different forms and is the general term for viruses, worms, spyware, ransomware, etc

preventive controls

-stop or limit the security threat from happening in the first place (anti-virus scans)

Key jobs in SDLC

-system development should involve representatives from each department in which the proposed system will be used -systems analyst, also known as business analyst in some companies, is the liaison between users and IT professionals

cryptocurrency (exemplified by bitcoin)

-system of digital money -controlled by complex math -obtained by: mining, receipt of payment, purchase

conventional currency

-system of money controlled by governing body -the US dollar --old: gold standard --each $ corresponded to a certain amount of gold. finite. --$1 = 1.5g of gold --1971 Nixon cancels dollar-gold convertibility -now: fiat money --dollar's value not fixed to any physical unit. Infinite (potentially) --value defined by policy, federal reserve decides money supply

government to citizen (G2C)

-EX: when someone shops for health insurance using healthcare.gov

association analysis

-a specialized set of algorithms sorts through data & forms statistical rules about relationships among the items

strong security program

-a strong security program begins by: 1. assessing threats to the organization's computers and network 2. identifying actions that address the most serious vulnerabilities 3. educating users about the risks involved and the actions they must take to prevent a security incident -if an intrusion occurs, there must be a clear reaction plan, incident response, that addresses: --notification, evidence protection, activity log maintenance, containment, eradication, recovery

ransomware

-a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction

authentication credentials include

-a username & password -tokens, such as those created by token cards -digital certificates

freedom of thought and speech (why privacy?)

-a watchful eye over everything we read or watch can chill us from exploring ideas outside the mainstream -privacy helps individuals maintain their autonomy & individuality

5. create parent entities from data

-add the raw data table to query design view -select fields to be in parent entity -toggle to datasheet view to look at data to be sure it is ready for creating a table -use group-by (click totals) to remove duplicate entries -once it looks good, click make table & enter entity name -finally click run to actually make the entity

portal model

-allows visitors to find everything within the website, for a membership fee -horizontal portal: wide range of topics -vertical portal: offers specific information on a single area of interest

scenario manager

-allows you to create predefined scenarios where each scenario may differ in the values of some inputs -you can generate outputs corresponding to each predefined scenario

solver

-an add-in program in excel that can be used to find inputs (also called decision variables) that would lead to an optimal or viable output (also called objective) given some constraints determined by the user -solver adjusts the values of the inputs so that they produce the optimal output while satisfying the specified constraints

password cracking: dictionary attack

-an attack that tries all the phrases or words in a dictionary, trying to crack a password or key -uses a predefined list of words, compared to a brute force attack that tries all possible combinations

man in the middle attack

-an attacker pretends to be your final destination on the network -if a person tries to connect to a specific WLAN access point or web server, an attacker can mislead him to his computer, pretending to be that access point or server

decision matrix (decision making techniques)

-compare all alternatives against all criteria by scoring each, i.e. 1-10, where higher number is better -widely used in business -considers all criteria to be of equal importance -if all criteria are not of equal importance, then use a weighted average when combining scores across criteria

simplicity strategy

-complex security systems can be difficult to understand, troubleshoot, and feel secure about -everybody in the organization has to understand the importance of security, and how it is basically being implemented, for it to be effective -the simplicity strategy challenge is to make the system simple from the inside, but complex from the outside

security (HIPAA)

-consists of the protections or safeguards put in place to secure protected health information (PHI) -it requires that administrative, technical, and physical safeguards are developed and used

cyberespionage

-involves the development of malware that secretly steals data in the computer systems of organizations, such as govt agencies, military contractors, political organizations, and manufacturing firms -most targeted toward high-value data such as the following: --sales, marketing and new product development plans, schedules & budgets --details about product designs & innovative processes --employee personal information, customer & client data --sensitive info about partners and partner agreements

layered security

-layered security has the advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks, or an extended attack -all the security layers must be properly coordinated to be effective -"onion" paradigm

detailed analysis

-members of the project team gather data & information using several techniques -review documentation, observe, survey, interview, JAD sessions, research -JAD = joint application development

public key infrastructure (PKI)

-public key encryption is accomplished with PKI -based on a 3rd party Certificate Authority (e.g., VeriSign) -used by individuals, websites, companies, etc -certificate authority issues the keys

Privacy (HIPAA)

-refers to an individual's right to control both access to and use of his or her health information

corrective controls

-repair damages after a security problem has occurred (anti-virus quarantine)

security and multifactor authentication complexity vs multifactor authentication

-security & multifactor authentication --when multiple methods are combined --called strong authentication --ATM card & PIN number --written invitation plus personal recognition to party -complexity vs multifactor authentication --increasing factors increases difficulty to manage --tightening causes users to find ways around it ---writing down passwords ---getting others to help

authentication tools & *session keys*

-session keys are generated using a logical program called a random number generator, and they are used only once -a session key is near universal method used during many authentication processes; i.e. e-commerce transactions

guiding principles for SDLC

-should follow 3 general guidelines 1. group activities or tasks into phases 2. involve users 3. define & enforce process & standards

smart cards

-a smart card is the size of a credit card & contains many of the same elements of a computer: microprocessor with OS, RAM, data bus, secondary storage -accomplishes multifactor authentication --Card "what-you-have" --PIN "what-you-know" -most secure method for storing private keys used in encryption

smishing and vishing

-smishing is a variation of phishing that involves the use of texting -vishing is similar to smishing except the victims receive a voice mail telling them to call a phone number or access a website

automated decision making

-some structured decisions can be automated -EX: algorithmic trading systems trading stock equities use automated decision making to make trades on behalf of investors --heavily reliant on complex math formulas --widely used by investment banks, pension funds, mutual funds -Daniel Suarez: "the kill decision shouldn't belong to a robot" --should drones make kill decision?, what type of decision is this (structured, semi-structured, unstructured?), what level of impact is this decision?, is this an all or nothing type decision

entity

-something about which data needs to be kept -can be a thing or event -entities end up as a table in a database -record, or row, in a table is called an instance of the entity -all the attributes in an entity should be completely determined by the entity instance's primary key

vulnerability

-something that allows users to attack and/or compromise the system

persistent cookies

-stored on the browser-side (client-side) computer even after the browser is closed

temporary or session cookies

-stored on the client side temporarily while the browser is open -when the browser is closed the cookie is deleted

analysis - requirements phase

-the system proposal and feasibility reports assess the feasibility of each alternative solution, especially in light of today's mobile environment -the steering committee discusses the system proposal & strategy and decides which, if any, alternative to pursue, but the final choice may be left to the design team if the green light to proceed is given by the steering committee -packaged software, custom software, outsourcing

*information computer security* (defining information security)

-the tasks of guarding and protecting digital information that is, 1. typically processed by computer (such as a personal computer or hand-held device) 2. stored on a magnetic or optical storage device (such as a hard drive or DVD or USB drive or Smart Card) 3. transmitted over a network space

linking tables must have ________ to _______ cardinality on them

many to many

access control

process by which use of resources & services is granted or denied -allowing authorized person access to a resource

lethal autonomy

the act of a robot committing death attempts on its own

Iron triangle

-"... One of the first tasks that was thrown at me was to read through a draft 'request for tender' document from a customer. -This document was essentially asking for a fixed scope, within a fixed delivery schedule, for a fixed price. I realize there is nothing particularly unusual about this request. But we all (hopefully) know that it can't be done, short of the odd fluke. -Each project is governed by the "iron triangle" of scope, schedule and resources. You can choose which ones are fixed and which are variable, but you can't fix all three without sacrificing quality, unless you are extremely lucky and everything comes together within the expected parameters."

asset

-network hosts and valuable information

clickstream data

-tracks online browsing

security strategies

1. layering 2. diversity 3. limiting 4. obscurity 5. simplicity

E-business methods for making money

1. online retailing (sales) 2. infomediaries & Exchange (Subscription or transaction fee) 3. content providers (advertising or subscription) 4. social media (advertising)

E-business execution models include

1. shopping cart 2. shopping mall 3. auction 4. portal 5. dynamic pricing

system development life cycle phases

Idea - planning - analysis - design - implementation - system maintenance

defense in depth

Innermost: Data -Data Access Policies & Controls --Application Access Control ---Network and Host Access Control

authorization

act of recognizing an authenticated person

The CIA triad

confidentiality integrity availability

4. import data to access

import the worksheet data you have cleaned & prepared as a single temporary table into access -go to get external data tab -select import excel -don't choose primary key, this can get in the way later -the import table is a temporary raw data table, it is only used to create the needed database tables

unit test

verifies that each individual program or object works by itself

types of threats

virus, worm, trojan horse/logic bomb, social engineering, DoS or DDoS, botnets/zombies, rootkits, spyware

training (implementation phase)

-involves showing users how they will use the new hardware & software in the system -one on one sessions -classroom style lectures -web based training

systems test

-verifies that all programs in an application work together

Family Education Rights and Privacy Act

-FERPA permits a school to disclose personally identifiable information from education records of an "eligible student" (a student age 18 or older or enrolled in a postsecondary institution at any age) to his or her parents, if student is a dependent -new regulations under this act, effective Jan 3, 2012, allow for greater disclosures of personal and directory student identifying information and regulate student IDs and email addresses -EX: school employees divulging info to anyone other than the student about the student's grades or behavior and school work posted on a bulletin board with a grade --schools must have written permission from the parent or student to release any info

integration test

-verifies that an application works with other applications

botnet for mining

-"all the cryptocurrencies currently in the world today use some variant of the "mining" concept to create more of their currency -people can download software, install it on their machines and at every X interval, a new unit of the currency will be born & credited to the miner who unearthed it -this is where your PC or other internet connected device enters the picture, b/c why stop at just the machines owned & controlled by the hackers themselves? -if they can infect 100,000 or more computers & put them all to work, quietly mining for currency, then that's money in the bank for them" -as of Sept 2017, there have been 1.65 million such attacks reported for the year, on target to exceed prior years

history of e-commerce

-1970s: Electronic Funds Transfer (EFT)- used by the banking industry to exchange account information and funds transfer over secured networks -Late 1970s & early 1980s: Electronic Data Interchange (EDI) for e-commerce between companies- used by businesses to transmit data from one business to another -1990s: the WWW on the internet provides easy-to-use technology for information publishing & dissemination & transaction support- cheaper to do business (economies of scale); enable diverse business activities (economies of scope)

analysis/requirements phase

-2 major activities -conduct a preliminary feasibility investigation: determines & defines the exact nature of the problem or improvement, interview the user who submitted the request, determine if request is feasible -perform detailed analysis: study how the current system works, determine the users' wants, needs, and requirements, recommend a solution, known as logical design

design/development phase

-2 major activities 1. acquire hardware & software 2. develop all of the details of the new or modified system -to acquire the necessary hardware & software -the next step is to develop detailed design specifications (sometimes called a physical design) -database design -input and output design -program design

advanced persistent threat

-APT is a network attack in which an intruder gains access to a network & stays undetected with the intention of stealing data over a long period of time -an APT attack advances through the following 5 phases: reconnaissance, incursion, discovery, capture, export -detecting anomalies in outbound data is the best way for administrators to discover that the network has been the target of an APT attack

Children's Online Privacy Protection Act (COPPA)

-COPPA is a US federal law, enacted Oct 21, 1998 -the act, effective April 21, 2000, applies to the online collection of personal information by persons or entities under US jurisdiction from children under 13 years of age -it details what a website operator must include in a privacy policy, when & how to seek verifiable consent from a parent/guardian & what responsibilities an operator has to protect children's privacy & safety online, including restrictions on marketing to those under 13 -while kids under 13 can legally give out personal info w/o parents' permission, many sites disallow underage kids from using their services due to the amount of work involved

Denial of service (DoS) Attack

-DoS attacks are carried out to intentionally block a service such as a bank's web site from its legitimate users -it is often achieved by flooding the target system (e.g., a bank's website) with a large number of unnecessary requests -when such attacks are carried out by many computers (working together) distributed over the internet, they are called Distributed Denial of Service Attacks (DDoS attacks)

security policy implementation

-Educating employees and constituents -Assessment on-going -Prevention measures --Firewall (NGFW) --Security Dashboard --Antivirus Software --Credentialing and roles --Staying abreast of vulnerabilities (US-CERT) --Security Audits --Incident Response Plans ---Containment ---Eradication ---Recovery --Follow-up to ensure future prevention --System monitoring ---Intrusion Detection Systems ---Logging

honeypot

-vulnerable computer that is set up to entice intruder to break into it

Health Insurance Portability and Accountability Act (HIPAA)

-HIPAA is a law that was created to protect millions of working Americans & their family members with medical problems -HIPAA Title I: protects health insurance coverage for individuals who lose or change jobs; prohibits group health plans from denying coverage to individuals with specific diseases & pre-existing conditions, & from setting lifetime coverage limits -HIPAA Title II: directs the US department of health and human services (HHS) to establish national standards for processing electronic healthcare transactions; requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with privacy regulations set by HHS

Regulation: Property or Currency?

-IRS: Cryptocurrency is not "real" currency, but cryptocurrency is property (taxable based on fair market value, capital gains/losses) -Courts: bitcoin cases referred to it as "virtual currency", seemingly treating it as a variation on regular currency rather than property -are these conflicting classifications a problem? what cryptocurrency is classified as influences its regulation (ex. paying an employee in bitcoin)

onion security model

-Innermost: CIA model --hardware, software, communications ---products (physical security) ---people (personnel security) ----procedures (organizational security)

Examples of cybercrime warfare

-On November 24, 2014, a hacker group which identified itself by the name "Guardians of Peace" (GOP) leaked a release of confidential data from the film studio Sony Pictures. The data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of then-unreleased Sony films, and other information. The perpetrators then employed a variant of the Shamoon wiper malware to erase Sony's computer infrastructure. -In November 2014, the GOP group demanded that Sony pull its film The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un, and threatened terrorist attacks at cinemas screening the film. After major U.S. cinema chains opted not to screen the film in response to these threats, Sony elected to cancel the film's formal premiere and mainstream release, opting to skip directly to a digital release followed by a limited theatrical release the next day. -United States intelligence officials, after evaluating the software, techniques, and network sources used in the hack, alleged that the attack was sponsored by North Korea.

iron triangle of systems development (3 ends)

-Quality is in the center 1. Scope (features, functionality) 2. resources (cost, budget) 3. schedule (time)

planning phase

-Steering committee: decision making body for the company --annual budget cycle reviews all RFSS -preliminary planning conducted -projects prioritized: need/urgency, financial return, portfolio perspective, resource availability, market window of opportunity -begins when the steering committee receives a project request -4 major activities performed: review & approve the project requests, prioritize the project requests, allocate resources, form a project development team

international regulation of cryptocurrencies

-UK: govt says that it plans to regulate soon -Bangladesh: outlawed bitcoin -Japan: considering regulation, such as a licensing scheme for exchanges -China: prohibited financial institutions from handling cryptocurrencies -European Central Bank: advised financial institutions to trade in cryptocurrencies until they are regulated -Brazil: does not regulate cryptocurrencies

upcoming regulation of cryptocurrencies

-US: Uniform law commission to discuss draft model law specific to cryptocurrencies -California: a bill regulating cryptocurrencies made it through numerous rounds of voting but was rendered inactive by veto -Massachusetts: nothing yet, but the Mass office of consumer affairs and business regulation issued a consumer alert to inform consumers about the dangers of virtual currencies -various initiatives at state cooperation

rootkit

-a collection of programs that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network -upon penetrating a computer, a hacker installs a collection of programs, called a rootkit -a rootkit may enable: easy access for the hacker (and others), keystroke logger -eliminates evidence of break-in -modifies the operating system so that a backdoor is available for re-entry -a set of programs that enables users to gain administrator level access to a computer without the end user's consent or knowledge -attackers can use the rootkit to execute files, access logs, monitor user activity, & change the computer's configuration

security plan

-a computer security plan should do the following 1. identify all information assets of an organization 2. identify all security risks that may cause an information asset loss 3. for each risk, identify the safeguards that exist to detect, prevent, and recover from a loss

password cracking: brute force attack

-a cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one

public key encryption (asymmetrical encryption)

-a cryptographic system that uses 2 keys (a public key known to everyone and a private or secret key known only to a particular entity) -EX: when John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message, then Jane uses her private key to decrypt it

certificates

-a digital certificate acts as a trusted third party to allow unknown parties to authenticate with each other w/o exchange of authentication information -issued by a certificate authority (CA) -CA is part of a public key infrastructure (PKI) -CA establishes trust through building a hierarchy, called a tree, where it vouches for all entities beneath it; called a trust pattern -VeriSign is the main CA in use by web sites

systems development life cycle (SDLC)

-a framework defining tasks performed at each step in the software development process -a structured process followed by a development team within the software organization -consists of detailed steps in how to develop, maintain, and replace specific information systems or software components of an info system -each phase has inputs and outputs (deliverables) -the initial input is the idea for the system -the final deliverable is the system itself -the project moves systematically through each phase -the key idea of the life cycle is gradual refinement

botnet

-a large number of compromised computers that are used to create and send spam or viruses or flood a network with messages as a distributed denial of service attack -bots: forward spam for financial gain -zombies: host illegal movies, music, porn, criminal web sites -when your computer becomes infected, it is likely to become a bot; b/c attacks are international, they are hard to eliminate

feasibility

-a measure of how suitable the development of a system will be to the organization -operational feasibility -schedule feasibility -technical feasibility -economic feasibility

system development

-a set of activities used to build an information system -activities grouped into phases and is called the system development life cycle (SDLC)

system

-a set of components that interact to achieve a common goal

single sign-on authentication

-a single system (can be a set of servers) holds authentication information -once authenticated with one device on the system, access is granted to any resources according to access level

blended threat

-a sophisticated threat that combines the features of a virus, worm, trojan horse, and other malicious code into a single payload -might use server & internet to initiate and then transmit and spread an attack using EXE files, HTML files, and registry keys

E-commerce

-also known as electronic marketing -consists of buying & selling goods & services over electronic systems, such as the internet and other computer networks -E-commerce is the purchasing, selling, and exchanging goods and services over computer networks (internet) through which transaction or terms of sale are performed electronically

Web Data Collection

-it has become easier and faster to collect ever increasing amounts of data and gain information -data can be collected w/o anyone's awareness EX: cookies, clickstream data, online forms

worm

-an independent program which replicates itself and sends copies from computer to computer across network connections -upon arrival the worm may be activated to replicate -worms are more sophisticated viruses that can replicate automatically and send themselves to other computers by first taking control of certain software programs on your PC, such as email -can propagate w/o human intervention -resides in active memory of computer & duplicates itself

silk road

-an online black market and the first modern darknet market, best known as a platform for selling illegal drugs -as part of the dark web, it was operated as a Tor hidden service, such that online users were able to browse it anonymously & securely w/o potential traffic monitoring -website was launched in Feb 2011; development had begun 6 months prior -In Oct 2013, the FBI shut down the website and arrested Ross William Ulbricht under charges of being the site's pseudonymous founder "Dread Pirate Roberts" -he was convicted of 8 charges related to Silk Road in US federal court in Manhattan and was sentenced to life in prison w/o possibility of parole

Intrusion detection software (IDS)

-analyzes all network traffic -assesses system vulnerabilities -identifies any unauthorized intrusions -notifies network administrators of suspicious behavior patterns or security breaches

RFSS (request for system services)

-anyone can initiate a system development project via RFSS

virus

-attaches itself to a program, file, or disk -when the program is executed, the virus activates & replicates itself -Computer viruses are software programs that are deliberately designed by online attackers to invade your computer, to interfere with its operation, and to copy, corrupt or delete your data -the virus may be benign or malignant but executes its payload at some point (often upon contact) --viruses may result in crashing of the computer and loss of data -in order to recover/prevent virus/attacks: --avoid potentially unreliable websites/emails --if hacked, you may need to: do a system restore, re-install operating system --should use anti-virus (i.e Avira, AVG, Norton) -designed to spread to other computers -hidden in entertaining programs or email attachments such as computer games, videos, etc

Consumer to consumer (C2C)

-available via many sites (free classifieds, auctions, forums) where individuals can buy and sell -a key support to this is online payment systems like PayPal, where people can send & receive money online with ease via a trusted 3rd party -EX: when one person buys a good from another person on eBay.com

digital signature

-based on public key encryption -an encrypted code that a person, website, or organization attaches to an electronic message to verify the identity of the sender -legally binding, actually more so than an actual signature, non-repudiation -often used to ensure that an imposter is not participating in an internet transaction -used when sending over a non-secure channel -supports non-repudiation, when signer cannot successfully claim that they did not sign a message -John agrees to the terms of a foreign contract that has been emailed to him, so he signs by: --encryption SW hashes the doc to create a message digest --message digest is encrypted using John's private key to create the digital signature --digital signature is attached to the original doc --only John's public key can decrypt the digital signature

planning phase output

-basically this is preliminary investigation -identify business value -develop general work plan, set next deliverable -establish project manager -staff the project -*key deliverables: system request* -EX: building a house: establish need/desire for new house, scout location, determine budget constraints

biometrics

-biometric-based authentication uses a person's physical characteristics as a basis for identification -strategies: fingerprints, hand geometry, voice recognition, retinal scans (most effective method), iris scans, face recognition, vascular patterns, DNA recognition, ear recognition, signature recognition

mutual authentication

-both the client and the server authenticate with each other, usually through a third party -goals: facilitate trust for exchange of information; raw passwords are not stored on the server that provides the service

business to consumer (B2C)

-businesses and consumers interacting -the basic concept of this model is to sell the product online to the consumers -the direct trade between the company and the consumers -provides direct selling through online sites -EX: buying books on amazon.com

identifying the challenges for information security

-challenge of keeping networks & computers secure has never been more important & more difficult -a number of trends illustrate why security is becoming increasingly difficult: increase in cybercrime, increase in networks & things being accomplished with systems -security attacks are growing at an alarming rate, as well as growing in size and impact -to what lengths should organizations go to keep their data & systems secure? where is the balance between security and privacy, between controls and freedoms?

acceptance test

-checks the new system to ensure that it works with real-world data

diversity strategy

-closely related to layering -you should protect data with diverse layers of security, so if attackers penetrate one layer, they cannot use the same techniques to break through all the other layers -using diverse layers of defense means that breaching one security layer does not compromise the whole system

information system (IS)

-collection of hardware, software, data, people & procedures that work together to produce quality information

symptoms for rootkit infections

-computer locks up or fails to respond to input from the keyboard -screen saver changes without any action on the part of the user -taskbar disappears -network activities function extremely slow

implementation phase output

-construction -installation -testing -training plan -security plan -*key deliverable: system itself* -building a house: let the builder go to work, do the painting and the landscaping, move in & enjoy your new house

deep/dark web

-content is not indexed by search engines; we search about 4% of the web, 96% is now deep market or dark web -Cypherpunk, Cryptoanarchist: create a free zone using cryptography and cryptocurrencies so people can do what they want and the panopticon effect is negated -Cypherpunks wrote in 1998: privacy is necessary in an electronic age; the state will try to slow this, b/c it is a threat to their systems -extremists predict that bitnation, a stateless state from crypto-markets, will replace the financial and social systems as we know them

analysis phase - data modeling

-data modeling creates an entity relationship diagram (ERD) which is a tool that graphically shows the connections among entities in a system, how data relates to itself -entities are objects in the system that have data (table in DB)

design phase output

-design HW/SW strategy -architectural design -interface design -database and file design -program design -*Key deliverable: system specification* -Building a house: hire an architect to draw up blueprints, hire builder, plan specific features

security policy

-documents and defines an organization's security requirements along with the controls & sanctions needed to meet those requirements -outlines what needs to be done but not how to do it -automated system rules should mirror an organization's written policies -some companies have begun to include special security requirements for mobile devices as part of their security policies

business to employee (B2E)

-electronic commerce uses an intrabusiness network which allows companies to provide products and/or services to their employees -typically, companies use B2E networks to automate employee-related corporate processes -EX: self service site to select benefit options with company allocated funds

pretexting (social engineering) protection

-encourages the organizations covered by the GLB to implement safeguards against pretexting

*information/data computer security* (defining information security)

-ensures that protective measures are properly implemented -it is intended to protect information from the following perspectives: confidentiality, integrity, availability -note that it involves more than protecting the information itself

compromise

-event in which a system loses integrity

phishing

-fake email -a "trustworthy" entity asks via email for sensitive information such as SSN, credit card numbers, login IDs or passwords -type of social engineering -the use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site look like they are part of a bank the user is doing business with.

pharming

-fake web pages -can be the link provided in an email that leads to a fake webpage which collects important information and submits it to the site owner -the fake web page looks like the real thing, but extracts key information -type of social engineering -a user's session is redirected to a masquerading website. At the fake website, transactions can be mimicked and information like login credentials can be gathered. With this the attacker can access the real site and conduct transactions using the credentials of a valid user on that website.

analysis phase output

-feasibility analysis report -analysis strategy -information gathering results -process models (dataflow diagram, DFD) -data models (ERD) -key is this logical design -*Key deliverable: feasibility analysis/system proposal* -building a house: determine basic characteristics of new house, talk to builders, sketch layout, determine any building restrictions or codes

detective controls

-find or discover where and when security threats occurred (audit logs)

cryptocurrencies risks & failures: consumer (hackers, fewer protections, cost, scams, lack of transparency)

-hackers: cryptocurrencies are targets for highly sophisticated hackers, who have been able to breach advanced security systems -fewer protections: if you must trust someone else to hold your cryptocurrencies and something goes wrong, that company may not offer you the kind of help you expect from a bank or debit or credit card provider -cost: cryptocurrencies can cost consumers much more to use than credit cards or even regular cash, often due to price volatility -scams: fraudsters are taking advantage of the hype surrounding virtual currencies to cheat people with fake opportunities -lack of transparency: the anonymous nature of cryptocurrencies makes transparency and accountability difficult for consumers seeking to ensure the safety of their investments

https

-https protocol uses http in conjunction with the SSL/TLS protocol to provide secure communication -this uses encryption behind the scenes, users may not even realize what is going on

summarizing the authentication process

-identification: credentials presented -authentication: checks to see if present in authentication DB -authorization: allowed to log onto computer -access: granted access to resources according to role permissions assigned

cryptocurrencies consumer recourse: advice

-if you can't afford to lose the money you have, you should not buy cryptocurrencies -due diligence: weigh risks; understand how the currency works, how much the currency is currently valued & whether you can retrieve the value at any time -take proper precautions: protect private key; don't leave large amounts in a virtual wallet

security controls

-implemented procedures, that include manual as well as automated parts, that often use applications as part of the procedure --preventive controls, corrective controls, detective controls

availability

-information is available as needed to authorized users -ensuring that authorized parties can readily access information

integrity

-information is correct and timely -verifying that illicit changes have not been made to data

information security and threats

-information security is a broad concept that involves dealing with any threat to computerized systems, such as viruses, hackers, accidental loss of data or systems, natural disasters (earthquakes, floods), fires etc. -3 main categories of threats are: 1. denial/disruption of service 2. unauthorized access 3. theft & fraud

ensuring information security

-information security requires technology + management -information security typically involves asymmetrical security warfare --you have to secure all paths that lead to strategic/private resources --the attacker has to find just 1 path that is unsecured

auction model

-internet users can login to the online auction sites, either as bidder or seller --sellers post their items and wait for the buyers to bid -auction sites get commission on every successful auction --ebay is an example -reverse auction model: allow buyer to set the price; roles of buyer and seller are reversed, normally buyers compete, but with this the sellers compete

logic bomb

-malware logic executes upon certain conditions -a type of trojan horse that executes when it is triggered by a specific event -program is often used for legitimate reasons --software which malfunctions if maintenance fee is not paid --employee triggers a database erase when he is fired -malware that destroys data when certain conditions are met -EX: an employee places a logic bomb inside a system to destroy data when his/her record is removed upon termination

spyware

-malware that is specifically designed to track activity of users on computing systems -some of spyware is called "keyloggers" and can record every keystroke of a user without their knowledge

social engineering

-manipulates people into performing actions or divulging confidential information -similar to a confidence trick or simple fraud, the term applies to the use of deception to gain information, commit fraud, or access computer systems -can occur in person, over the phone, in emails or fake web pages -non-technical or low-technology means - such as lies, impersonation, tricks, bribes, blackmail, and threats - used to attack information systems.

trojan horse

-masquerades as beneficial program while quietly destroying data or damaging your system --download a game: might be fun but has hidden part that emails your password file without you knowing -a program which seems to be doing one thing, but is actually doing another -can be used to set up back door in a computer system so that the intruder can gain access later -victim is usually tricked into opening it

shopping cart model

-most commonly used -an order processing technology that allows users to accumulate the shopping list & continue shopping -supported by product catalog, merchant server & database technology -amazon

dynamic pricing model (4)

-name your price business model: customers choose their price for the products or services -comparison pricing model: customers poll some merchants & find the lowest prices -demand-sensitive pricing model: enables customers to get better services and prices -bartering model: exchange items

Regulation: cryptocurrency-specific

-no enacted cryptocurrency-specific laws (except for NY licensing law) -proposed law: Cryptocurrency Protocol Protection and Moratorium Act (CryptPMA), H.R. 5777 -law was proposed in December 2014 & died in congress; it would have: 1. prevented government from creating any statutory restrictions or regulations specifically identifying and governing the creation, use, exploitation, possession or transfer of any algorithmic protocols governing the operation of any cryptocurrency 2. declared cryptocurrency to be treated as currency, not property, only taxed when converted to an official government currency

obscurity strategy

-obscurity strategy means what goes on inside a system or organization should be hidden -avoid clean patterns of behavior so that attacks from the outside are difficult -guard changes and updates, better if made on an irregular schedule

robert morris the internet worm

-on November 2, 1988, Robert Morris, Jr., a graduate student in computer science at cornell, wrote an experimental, self-replicating, self-propagating program called a worm & injected it into the internet -the Morris worm or internet worm was one of the first computer worms distributed via the internet -it was the first to gain significant mainstream media attention -it resulted in the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act -ended with 3 years probation, 400 hours of community service & fine of 410, 500 plus

conversion strategies (implementation phase)

-one or more of 4 conversion strategies can be used to change from the old system to the new system 1. direct conversion 2. parallel conversion 3. phased conversion 4. pilot conversion

cookies

-text files that contain data, saved on your computer -small text files located on your computer, to store information about you, your accounts, and your computer -text data passed to a browser from a web server; the text data is then sent back to the web server with every subsequent request to the web server; used by web applications to store state and user information -information not typed in can also be stored in cookies (IP address, domain name) -when accessing some sites, browsers transmit information contained in stored cookies; these are then intercepted to commit privacy violations -Problem: can be used to track user activity -Misconception: cookie is a virus or a program (NOT)

great Chicago flood - April 13, 1992

-the Chicago Board of Trade and Chicago Mercantile Exchange closed -banks were unable to process transactions -workers rushed to save important documents - including Cook County birth, death and marriage certificates dating back to 1871 - stored in subterranean levels of office buildings -flood became national news & led Gov. Jim Edgar and President George H.W. Bush to declare Chicago a disaster area -it caused at least $1 billion in damages & business losses, sparked numerous lawsuits and turned into a political hot potato for then mayor Richard M. Daley over who was to blame for a leak in the 47 mile tunnel system near the Kinzie Street Bridge

cybercrime

-the global cost of cybercrime will reach $2 trillion by 2019, a threefold increase from the 2015 estimate of $500 billion -the financial hit resulting from theft of trade secrets ranges from 1%-3% of an entire nation's GDP, according to IDG's "Global State of Information Security Survey 2016" -the cost ranges from $749 billion to $2.2 trillion annually

unauthorized access/theft and fraud

-the internet allows an attacker from anywhere on the planet -risks caused by poor security knowledge and practice: --identity theft --monetary theft --legal ramifications (for yourself & companies) --termination if company policies are not followed -according to www.SANS.org, the top vulnerabilities available to a cyber criminal are: --web browser, instant messaging (IM) clients, web applications, excessive user rights

cyberterrorism

-the intimidation of a govt or civilian population by using information technology to disable critical national infrastructure to achieve political, religious, or ideological goals -Dept of Homeland Security (DHS) provides a link that enables users to report cyber incidents --incident reports go to the US Computer Emergency Readiness Team (US-CERT) -cyberterrorists try daily to gain unauthorized access to a number of important and sensitive sites

deep/dark web proponents

-the people building the dark net are idealists who believe passionately in the right to privacy -they say our battle for privacy is pathetic, we lost it a long time ago -we have to redefine privacy, our world is undergoing very accelerated change -as long as some work for surveillance, we must continue to work for privacy -a place to escape the ever watchful eye of big brother, to know real freedom, although most people just want enough freedom to be comfortable

risk assessment

-the process of assessing security-related risks to an organization's computers and networks from both internal and external threats -steps in the general risk assessment process: 1. identify the set of IS assets about which the organization is most concerned 2. identify the loss events or the risks or threats that could occur 3. assess the frequency of events or the likelihood of each potential threat 4. determine the impact of each threat occurring 5. determine how each threat can be mitigated so it is less likely to occur 6. assess the feasibility of implementing the mitigation options 7. perform a cost-benefit analysis to ensure that your efforts will be cost effective 8. make the decision on whether or not to implement a particular countermeasure

project management

-the process of planning, scheduling, and then controlling the activities during system development -to plan & schedule a project efficiently, the project manager or leader identifies: project scope, required activities, time estimates for each activity, cost estimates for each activity, order of activities, activities that can take place at the same time

software publisher certificate

-used to validate code being downloaded to assure no malicious content

server certificate

-used to verify a company's web server

implementation phase

-the purpose is to construct the new or modified system and deliver it -Develop programs - install and test the new system - train users - convert to the new system -the program development life cycle follows these steps: analyze the requirements, design the solution, validate the design, implement the design, test the solution, document the solution -various tests should be performed on the new system (unit test, system tests, integration test, acceptance test)

SDLC failures

-the standish group reports that around 30% of IT projects will be cancelled. Around 52% of projects will cost 189% of their original estimates. Only 16% are completed on time and on budget -in larger companies, the news is even worse: only 9% of their projects come in on time and on budget

identity theft

-the theft of personal information, which is then used without the owner's permission -data breach is the unintended release of sensitive data or the access of sensitive data by unauthorized individuals (often results in identity theft) -most e-commerce websites use some form of encryption technology to protect information as it comes from the consumer

threat to our privacy

-our privacy is being seriously threatened because of these emerging and in-place technologies: --increased amount of images online & increased ability of facial recognition --increased computing power available via cloud computing --ubiquitous computing via vast networks & mobile devices --govt surveillance using corporate network providers' servers to collect data --extensive, sophisticated hacking as a business --acceptance of human chipping -we are trading our privacy for convenience -people are more savvy in using technology but do not know what it can do to steal their privacy -the internet is borderless, but laws are national; therefore, it is difficult to regulate the internet -people fail to follow basic security best practices like keeping their computer updated, using secure passwords & guarding their info; therefore privacy invasion is growing

cybercrime warfare

-the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes -"a recent New York Times report uncovered a secret operation to derail North Korea's nuclear-missile program that has been raging for 3 years -the report attributes North Korea's high rate of failure with russian-designed missiles to the US meddling in the country's missile software and networks

exceptions of HIPAA

-there are instances in which you must reveal patient information to someone other than the patient -you are required to report the names of the people who have a positive HIV test to public health authorities for infectious disease surveillance -in some states you are required to report the names of partners of those who test positive for HIV

pure play (virtual)

-these are organizations that serve their customers only through an online presence

clicks and mortar

-these are traditional organizations that serve their customers through both physical & online presence -EX: walmart, bestbuy

brick and mortar

-these are traditional organizations that serve their customers through physical locations

Threat (denial/disruption of service)

-threats are those that: (1) render a system inoperative, (2) limit its capability to operate, (3) make data unavailable -result from: (1) intentional acts, (2) careless behavior, (3) natural disasters -natural disasters cannot be prevented but can be planned for (backups, redundancy, etc.) -careless behaviors, such as forgetting to perform proper backups of one's computer, not installing security updates & tools, leaving a computer so that it is easily accessible

computer-aided software engineering (CASE) (design/development phase)

-tools are designed to support one or more activities of system development -CASE tools sometimes contain the following tools: project repository, graphics, prototyping, quality assurance, code generator, housekeeping

Business to business (B2B)

-traditionally the largest form of e-commerce -model defines that buyer and seller are 2 different entities; it is similar to a manufacturer issuing goods to the retailer or wholesaler -Dell sells computers & other associated accessories online, but it is not the owner of all those products, so it purchases and resells these products via B2B -EX: Walmart sending inventory requests to suppliers

steps to acquiring the necessary hardware and software

-use research techniques such as e-zines (identify technical specifications) -RFQ, RFP or RFI is sent to potential vendors or VARs (solicit vendor proposals) -various techniques are used to determine the best proposal (test and evaluate vendor proposals) -analyst makes recommendation to steering committee (make a decision)

certificate authority certificate

-used by CA to validate another CA

personal certificate

-used by individuals to encrypt email or to authenticate with a web server

private key encryption (symmetric encryption)

-used by Julius Caesar, the Navajo Indians, German U-boat commanders -requires all parties that are communicating to share a common key -if someone were to have a ciphertext (encrypted) and its corresponding plaintext message, it is possible to determine the encryption algorithm & break the code

data validation

-used to prevent users from entering input data on a worksheet that does not meet specific conditions (i.e., constraints) -data validation is an important tool for maintaining quality of data in a worksheet -Examples of constraints for data validation in case 16: cost of addition should be a whole number less than or equal to 145,000, cost of lighting should be a whole number less than or equal to 10,000

visual basic for applications (VBA)

-water authority spreadsheet model -this Excel model was created using VBA code (Visual Basic for Applications code) to write macros; the macro code is invoked by clicking the buttons 1. To change a range of cells at one time to the same value, select range, change upper left cell, then push Ctrl-Enter 2. Can connect worksheets in an aggregate worksheet and then drill down via link to get detail on another worksheet 3. Can add buttons to worksheets that when clicked cause a macro to execute that invokes VBA code (create copy of data in a new worksheet, find the difference between values in two identically formatted worksheets and place in a new worksheet)

safety

-we must behave in ways that protect us against risks & threats that come with technology (focus is protecting people) -EX: safe email behavior, safe software downloading behavior

security

-we must protect our computers & data the same way that we secure the doors to our homes (focus is protecting the assets) -EX: anti-virus software, firewall

zombie

-zombie computers are computers that have been taken over by a hacker without the knowledge of the owner

phases of system development

1. planning: review project requests; prioritize project requests, allocate resources; form project development team 2. analysis: conduct preliminary investigation; perform detailed analysis of current system, determine requirements and recommend solution 3. design: acquire hardware and software; develop details of system 4. implementation: develop programs, install and test new systems, train users, convert to new system 5. operation, support and security: perform maintenance activities, monitor system performance, assess system security -ongoing activities: project management, feasibility assessment, documentation, data gathering

authentication tools & methods (8)

1. user name & password: less secure b/c it can be intercepted 2. single sign-on authentication: authenticate once to access multiple resources 3. mutual authentication: identities of all parties, determined using a 3rd party 4. certificates: dedicated message to network transmission designed to authenticate users & encrypt sessions 5. tokens: item presented during authentication process; often a challenge phrase is presented, security question response 6. one-time passwords (OTP): password allowed only once, form of token 7. smart cards: card that can present information or accept programming 8. biometrics: devices that require input based on a quantifiable human element

B2C advantages/Disadvantages

Advantages -product: unlimited choices are available -place: commerce can be conducted from anywhere -price: lower prices Disadvantages -time: time lag between the time of purchase and receipt -physical: lacks sensory experience of touch, smell, etc -social: online shopping lacks the social interaction of malls -security: credentials stolen, scammed on sale

auditing or accounting

process of tracking users & their actions on the network

anomaly

something that deviates from what is standard, normal, or expected

The goal of SDLC is...

to build an information system that meets 1. the user requirements 2. on time 3. within budget

E-business

today types of E-business, based on who is interacting with whom, include: -B2B -B2C -B2E -C2C -G2C -business classification is based on degree of digitalization
