CIS Test 3


Elements of a BI System

- A BI server extends alert/RSS functionality to support user subscriptions, which are user requests for particular BI results on a particular schedule or in response to particular events.
- For example, a user can subscribe to a daily sales report, requesting that it be delivered each morning.
- Management and delivery: the management function maintains metadata about the authorized allocation of BI results to users.
- The BI server tracks what results are available, which users are authorized to view those results, and the schedule on which the results are provided to the authorized users.
- It adjusts allocations as available results change and users come and go.

Key Escrow

- A trusted party should have a copy of the encryption key.

Recovery

- Accomplish job tasks during failure. Know tasks to do during system recovery.
- Recover systems from backed-up data. Perform the role of help desk during recovery.

Account Administration

- Account management
  * Standards for new user accounts, modification of account permissions, removal of unneeded accounts
- Password management
  * Users change passwords frequently
- Help desk policies
  * Provide means of authenticating users
- Account management: create new user accounts, modify existing account permissions, remove unneeded accounts. Improve your relationship with IS personnel by providing early and timely notification of needed account changes.
- Password management: users should change passwords every 3 months or less.
- Help desk management: set policy for the means of authenticating a user.

Planning the Use of IS/IT

- Align information systems with organizational strategy; maintain alignment as the organization changes.
- Communicate IS/IT issues to the executive group.
- Develop/enforce IS priorities within the IS department.
- Sponsor the steering committee.
- All information systems must be aligned with the organization's competitive strategy.
- Maintaining alignment between IS capabilities and organizational strategy is a continual process. Without a strong CIO, IS may be perceived as a drag on an organization's opportunities.
- A steering committee is a group of senior managers from the major business functions that works with the CIO to set IS priorities and decide among major IS projects and alternatives.
- The IS department sets up the steering committee's schedule and agenda and conducts meetings.

Security Safeguards as They Relate to the Five Components

- An easy way to remember information systems safeguards is to arrange them according to the five components of an information system.
- Figure 10-7

What is AI?

- Artificial intelligence (AI) is the ability of a machine to simulate human abilities such as vision, communication, recognition, learning, and decision making in order to achieve a goal.
- AI could be used in robots, commercial drones, agricultural systems, military platforms, surgical systems, and other smart devices.
- Content management system functions are huge and complex.

Components of a Business Intelligence System

- BI systems are information systems that process operational and other data to identify patterns, relationships, and trends for use by business professionals and other knowledge workers.
- Five standard IS components are present in BI systems: hardware, software, data, procedures, and people.
- The boundaries of BI systems are blurry.

New from Black Hat 2017

- Briefings on how to hack things
- Shows how to exploit weaknesses in hardware, software, protocols, or systems, including smartphones, IoT devices, cars, etc.
- Encourages companies to fix product vulnerabilities
- Serves as an educational forum for hackers, developers, manufacturers, and government agencies
- Hacking IoT, hacking cars, vulnerabilities
- Keynote presentation by Alex Stamos (Facebook)
  * Focus on stopping real issues facing users (spam, DoS, malware)
  * Organized groups targeting infrastructure, voting machines, personal data
- Industroyer: malware designed to knock out entire power grids (cyberwar)
  * Knocked out power in Ukraine, December 2016
- Broadpwn: Wi-Fi worm that automatically infects all Wi-Fi devices with a Broadcom wireless card

Project Management

- Build in-store cafés.
- Expand to other locations.

Securing Privacy: Wrap up

- Business professionals must consider legality, ethics, and wisdom when collecting private data.
- Think carefully about email you open over public wireless networks.
- Use long, strong passwords.
- If unsure, don't give the data.
- The bottom line is this: be careful where you put your personal data. Large, reputable organizations are likely to endorse an ethical privacy policy and have strong and effective safeguards to support that policy. But individuals and small organizations might not.

How Will AI Affect You?

- By 2025, nearly 100 million workers could be taken out of the current U.S. labor force (146 million workers)
- Replaced by robots with IQs higher than 90% of the U.S. population
- Labor replacement rates could be as high as 70% or 80%
- AI and automation could do jobs that humans don't really want to do

Packet-Filtering Firewalls

- Can prohibit outsiders from starting a session with any user behind the firewall.
- They can also disallow traffic from particular sites, such as known hacker addresses.
- They can prohibit traffic from legitimate, but unwanted, addresses, such as competitors' computers, and filter outbound traffic as well.
- They can keep employees from accessing specific sites, such as competitors' sites, sites with pornographic material, or popular news sites.
- As a future manager, if you have particular sites with which you do not want your employees to communicate, you can ask your IS department to enforce that limit via the firewall.

Firewalls

- Computing device that prevents unauthorized access
  * Perimeter firewall sits outside the organization's network
  * Internal firewall sits inside the network
  * Packet-filtering firewall examines each part of a message and determines whether to let that part pass
- Filters based on source IP, destination IP, and other data

Data Safeguards

- Define data policies
- Data rights and responsibilities
- Rights enforced by user accounts authenticated by passwords
- Data encryption
- Backup and recovery procedures
- Physical security
- Data safeguards
- Data administration
- Key escrow
- Data safeguards protect databases and other organizational data. Two organizational units are responsible for data safeguards.

Figure 3-10 Possible Problems with Source Data

- Dirty data
- Missing values
- Inconsistent data
- Data not integrated
- Wrong granularity
  * Too fine
  * Not fine enough
- Too much data
  * Too many attributes
  * Too many data points
- Purchase of data about other organizations is not unusual or particularly concerning from a privacy standpoint.
- However, some companies choose to buy personal consumer data (like marital status) from data vendors like Acxiom Corporation.

Security Policy for In-House Staff

- Dissemination and enforcement
  * Responsibility
  * Accountability
  * Compliance
- Termination
  * Friendly
  * Unfriendly
- Development of human safeguards for employees.
- Employees need to be made aware of the security policies, procedures, and responsibilities they will have.
- Companies must establish security policies and procedures for the termination of employees.

MIS Diagnosis

- Doctors are relying more and more on artificial intelligence (AI)-driven expert systems to select the most appropriate medications and treatments.
- Ordered to improve the system's "perception" of the company's drugs
- Minor modifications to the drug's profile made a big difference
  * But some of the numbers he used to modify the profile were not accurate
  * The changes would warrant a regulatory review
- Suppose the company alters the drug profile.
- Would the company be liable if something happened to a patient who took the drug based on altered information?
- Do you think that manipulating the recommendation of an AI system, even though the new recommendation may be for the better drug, is ethical according to the categorical imperative and the utilitarian perspective?

Unsupervised Data Mining

- Does not use an a priori hypothesis or model
- Findings obtained solely by data analysis
- Hypothesized model created to explain patterns found
- Example: cluster analysis
- Cluster analysis: statistical technique to identify groups of entities with similar characteristics; used to find groups of similar customers from customer order and demographic data

Resistance to Knowledge Sharing

- Employees reluctant to exhibit their ignorance
- Employee competition
- Remedy
  * Strong management endorsement
  * Strong positive feedback
  * "Nothing wrong with praise or cash . . . especially cash."
- Strong management endorsement can be effective in encouraging knowledge sharing, especially if that endorsement is followed by strong positive feedback.

Business Intelligence Systems in 2029

- Exponentially more information about customers, better data mining techniques
- Companies buy and sell your purchasing habits and psyche
- Singularity
  * Computer systems adapt and create their own software without human assistance.
  * Machines will possess and create information for themselves.
  * Will we know what the machines will know?

Average Computer Crime Cost and Percent of Attacks by Type

- Figure 10-4 shows the results of a survey conducted from 2010 to 2017.
- It was performed by the Ponemon Institute, a consulting group that specializes in computer crime.
- It shows the average cost and percent of total incidents of the six most expensive types of attack. Without variance, median, and tests of significance statistics, it is difficult to determine whether the differences are random.
- The number of insider attacks is slightly decreasing, but the average cost of such attacks is increasing, possibly dramatically.

Goal of Information Systems Security

- Find the appropriate trade-off between the risk of loss and the cost of implementing safeguards.
- Protective actions
  * Use antivirus software.
  * Delete browser cookies?
  * Make appropriate trade-offs to protect yourself and your business.

Example of Expanded Grocery Sales OLAP Report

- Four dimensions
- User added dimensions Store (Country) and State. Product-family sales broken out by location of stores.
- Sample data include only stores in the U.S. western states of California, Oregon, and Washington.

Using Data Warehouses and Data Marts to Acquire Data

- Functions of a data warehouse
  * Obtain data from operational, internal, and external databases.
  * Cleanse data.
  * Organize and relate data.
  * Catalog data using metadata.
- For a small organization, the extraction may be as simple as an Access database.
- Larger organizations, however, typically create and staff a group of people who manage and run a data warehouse, which is a facility for managing an organization's BI data.

Geofencing for Businesses?

- Geofencing is a location service that allows applications to know when a user has crossed a virtual fence (specific location)
- Crossing a fence can trigger an automated action
- Determine her location and identify local sales
- Supported by more than 90% of smartphones
- Used to send recruiting ads to qualified nurses who live in or frequent certain geofenced zones
- Is it becoming invasive and too much of a privacy concern?
- 80% of people surveyed want to receive location-based alerts from businesses
- Could geofencing be integrated with IoT devices to create an even more efficient smart home? How?
- How could a university leverage the benefits of geofencing on campus to improve student life and safety?

Factors in Incident Response

- Have a plan in place
- Centralized reporting
- Specific responses
  * Speed
  * Preparation pays
  * Don't make the problem worse
- Practice
- Every organization should have an incident-response plan as part of the security program.
- No organization should wait until some asset has been lost or compromised before deciding what to do.
- The plan should include how employees are to respond to security problems, whom they should contact, the reports to make, and steps to reduce further loss.
- Identify critical personnel and their off-hours contact information.

"Data Analysis, Where You Don't Know the Second Question to Ask until You See the Answer to the First One."

- Having great success with grocery stores wanting to compete with online retailers like Walmart and Amazon
- Grocery stores are hesitant to share customer data
- Worried about customer privacy
- Use anonymized data with public data to identify customers? Data triangulation?
- Get data in a spreadsheet to start
- Will need a data mart to combine all of the data

Problem Solving

- How can we increase sales?
- How can we reduce food waste?

Figure 3-13 Example RFM Scores

- How recently (R) a customer has ordered
- How frequently (F) a customer has ordered
- How much money (M) the customer has spent

Using Bigdata Applications

- Huge volume: petabyte and larger
- Rapid velocity: generated rapidly
- Great variety
  * Structured data, free-form text, log files, graphics, audio, and video
- Big Data is a term used to describe data collections that are characterized by huge volume, rapid velocity, and great variety.

Loss of Infrastructure

- Human accidents
- Theft and terrorist events
- Disgruntled or terminated employee
- Natural disasters
- Advanced persistent threat
  * APT37 (Reaper, North Korea)
  * Cyberwarfare and cyber-espionage
- Examples: a bulldozer cutting a conduit of fiber-optic cables, or a floor buffer crashing into a rack of Web servers.
- APT29, based out of Russia. In 2015, APT29 used a piece of custom malware called "HAMMERTOSS" to attack victims by sending attack commands via Twitter, GitHub, and cloud storage services. An APT group named "Deep Panda," which is allegedly based out of China, was identified by forensic experts as the group behind the Anthem healthcare data breach that resulted in the loss of sensitive data for 80 million people.

Sample Account Acknowledgment Form

- I hereby acknowledge personal receipt of the system password(s) associated with the user IDs listed below. I understand that I am responsible for protecting the password(s), will comply with all applicable system security standards, and will not divulge my password(s) to any person. I further understand that I must report to the Information Systems Security Officer any problem I encounter in the use of the password(s) or when I have reason to believe that the private nature of my password(s) has been compromised.
- Employees are required to sign statements similar to this.

Technical Safeguards

- Identification: identifies the user
- Authentication: authenticates the user (password)
  * Smart card (embedded microchip)
  * Personal Identification Number (authentication)
  * Biometric authentication
    ~ Fingerprints, facial features, retinal scans
    ~ Invasive?
  * Single sign-on for multiple systems
- (What you know, what you have, what you are)
- Single sign-on: you sign on to your local computer and provide authentication data; from that point on your operating system authenticates you to another network or server, which can authenticate you to yet another network and server, and so forth.

Using Business Intelligence to Find Candidate Parts for 3D Printing

- Identify parts that might qualify.
  * Provided by vendors who make part design files available for sale
  * Purchased by larger customers
  * Frequently ordered parts
  * Ordered in small quantities
- Use part weight and price as surrogates for simplicity.
- Obtained an extract of sales data from its IS department and stored it in Microsoft Access

What Are Typical Uses for BI?

- Identifying changes in purchasing patterns
  * Important life events change what customers buy
- Entertainment
  * Netflix has data on watching, listening, and rental habits
  * Classify customers by viewing patterns
- Predictive policing
  * Analyze data on past crimes: location, date, time, day of week, type of crime, and related data
- Typical uses involve classification or prediction.

Benefits of Knowledge Management

- Improve process quality.
- Increase team strength.
- Goal:
  * Enable employees to use the organization's collective knowledge.

BI Publishing Alternatives

- In the BI context, most static reports are published as PDF documents.
- Dynamic reports are BI documents that are updated at the time they are requested.
- A sales report that is current at the time the user accesses it on a Web server is a dynamic report.

Faulty Service

- Incorrect data modification
- Systems working incorrectly
- Procedural mistakes
- Programming errors
- IT installation errors
- Usurpation
- Faulty service: problems caused by incorrect system operation

International Outsourcing

- India
  * Large, well-educated, English-speaking, labor cost 70-80% less than the U.S.
- China and other countries, too
- Modern telephone technology and Internet-enabled service databases
- Customer support and other functions operational 24/7
- With modern telephone technology and Internet-enabled service databases, a single customer service call can be initiated in the United States, partially processed in India, then Singapore, and finalized in Ireland.
- Amazon.com operates customer service centers in the United States, India, and Ireland.

Payload

- Program code that causes unwanted activity. It can delete programs or data, or modify data in undetected ways.

Sales History for Selected Parts

- Judging just by the results, there seems to be little revenue potential in selling designs for these parts.
- It is possible they chose the wrong criteria.
- They might find themselves changing criteria until they obtain a result they want, which results in a very biased study.
- Importance of the human component of an IS: business intelligence is only as intelligent as the people creating it!

Knowledge Management Systems

- Knowledge management (KM)
  * Creating value from intellectual capital and sharing knowledge with those who need that capital
- Preserving organizational memory
  * Capturing and storing lessons learned and best practices of key employees

Legal Safeguards for Data

- Laws dictating the management of data
  1. Payment Card Industry Data Security Standard (PCI DSS) governs the secure storage and processing of credit card data.
  2. Gramm-Leach-Bliley (GLB) Act protects consumer financial data.
  3. Health Insurance Portability and Accountability Act (HIPAA) governs access to health information.

Figure 11-5 Popular Reasons for Outsourcing IS Services

- Many companies outsource portions of their information systems activities. This figure lists popular reasons for doing so.

Equihax

- Massive breach at Equifax in the summer of 2017
- Equifax is one of the three primary consumer credit reporting agencies
- Stolen data included the names, addresses, birth dates, and Social Security numbers associated with 143 million people
- Much more rigorous security controls should have been in place.
- What do you think should happen to Equifax as a result of this breach?
- Should consumers have the right to have their data deleted by a company at any time upon request?
- Should the government step in and become the clearinghouse for consumer credit reporting?

Adware

- Most is benign in that it does not perform malicious acts or steal data.
- It does, however, watch user activity and produce pop-up ads.
- Adware can also change the user's default window or modify search results and switch the user's search engine.

Ponemon Study Findings (2017)

- Most of the increase in computer crime over the past year is from malicious code and denial-of-service attacks.
- Data loss and disruption are the most expensive consequences of computer crime.
- Ransomware and web-based attacks have increased.
- Detection and recovery account for more than half of the internal costs related to cyber intrusions.
- Warn students that many computer crime studies are based on dubious sampling techniques, and some seem to be written to promote a particular safeguard product or point of view. Be aware of such bias as you read.

Figure 3-9 Examples of Consumer Data That Can Be Purchased

- Name, address, phone
- Age
- Gender
- Ethnicity
- Religion
- Income
- Education
- Voter registration
- Home ownership
- Vehicles
- Magazine subscriptions
- Hobbies
- Catalog orders
- Marital status, life stage
- Height, weight, hair and eye color
- Spouse name, birth date
- Children's names and birth dates
- Purchase of data about other organizations is not unusual or particularly concerning from a privacy standpoint.
- However, some companies choose to buy personal consumer data (like marital status) from data vendors like Acxiom Corporation.

Denial of Service (DoS)

- Natural disaster
- Human error or lack of procedures
  * Humans inadvertently shut down a Web server or corporate gateway router by starting a computationally intensive application.
- Denial-of-service attacks
  * Malicious hacker intentionally floods a Web server with millions of bogus service requests.
  * Computer worms create artificial traffic so legitimate traffic cannot get through.

Usurpation

- Occurs when computer criminals invade a computer system and replace legitimate programs with their own unauthorized ones that shut down legitimate applications and substitute their own processing to spy, steal, and manipulate data, or for other purposes.

Largest! Data! Breach! Ever!

- October 2017: Yahoo! announced the extent of the breach.
- 3 billion user accounts compromised.
- Took over 3 years for Yahoo! to disclose.
- Email addresses, names, phone numbers, hashed passwords, security questions/answers.
- Hackers working with Russian spies.

Hadoop

- Open-source program supported by the Apache Foundation
- Manages thousands of computers
- Implements MapReduce
  * Written in Java
- Amazon.com supports Hadoop as part of the EC2 cloud
- Query language entitled Pig (platform for large dataset analysis)
  * Easy to master
  * Extensible
  * Automatically optimizes queries at the map-reduce level
- BigData has volume, velocity, and variation characteristics that far exceed those of traditional reporting and data mining.
- Experts are required to use it; you may be involved, however, in planning a BigData study or in interpreting results.

Use of Multiple Firewalls

- Organizations normally use multiple firewalls.
- Perimeter firewall sits outside the organizational network; it is the first device that Internet traffic encounters.
- Packet-filtering firewall examines each part of a message and determines whether to let that part pass.
  * To make this decision, it examines the source address, destination address(es), and other data.
- Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind the firewall, prohibit traffic from legitimate, but unwanted, addresses, such as competitors' computers, and filter outbound traffic.
- No computer should connect to the Internet without firewall protection.
- Many ISPs provide firewalls for their customers.
- By nature, these firewalls are generic.
- Large organizations supplement such generic firewalls with their own.
- Most home routers include firewalls, and Microsoft Windows has a built-in firewall as well.
- Third parties also license firewall products.

Poor Data Management at Facebook

- Over 2 billion active users
- Open model that allowed integration of a variety of other platforms and services
  * Users could log into 3rd-party sites with Facebook login
- Open model enabled a 3rd party to siphon off 80 million Facebook users' data
  * Data management practices damaged reputation

The Major Functions of the IS Department

- Plan use of IS to accomplish organizational goals and strategy
- Manage outsourcing relationships
- Protect information assets
- Develop, operate, and maintain computing infrastructure
- Develop, operate, and maintain applications

Security Policy for In-House Staff

- Position definition
  * Separate duties and authorities
  * Determine least privilege
  * Document position sensitivity
- Hiring and screening
- Human safeguards involve the people and procedure components of information systems.
- In general, human safeguards result when authorized users follow appropriate procedures for system use and recovery.
- Restricting access to authorized users requires effective authentication methods and careful user account management.
- In addition, appropriate security procedures must be designed as part of every information system, and users should be trained on the importance and use of those procedures.

Backup

- Prepare for loss of system functionality.
- Back up Web site resources, databases, administrative data, account and password data, and other data.

Incorrect Data Modification

- Procedures incorrectly designed or not followed
- Increasing a customer's discount or incorrectly modifying an employee's salary
- Placing incorrect data on the company Web site
- Cause
  * Improper internal controls on systems
  * System errors
  * Faulty recovery actions after a disaster

What is Outsourcing?

- Process of hiring another organization to perform services
  * Save costs, gain expertise
  * Save direct/indirect management time and attention
- Any value chain business activity can be outsourced
- "Your back room is someone else's front room." (Drucker)
- At ARES Systems, building a large development and test team may be more than the company needs and may require management skills that they don't have. Outsourcing the development function saves them from needing this expertise.

Encryption

- Process of transforming clear text into coded, unintelligible text for secure storage or communication
  * Key: string of bits used to encrypt data (unlocks the message)
- With symmetric encryption, the same key is used to encode and to decode.
- With asymmetric encryption, two keys are used; one key encodes the message, and the other key decodes the message.
  * Public key encryption (used on the Internet)

Figure 3-25 Productivity Gains from Automation

- Can work 24 hours, 365 days
- Immediately trained, no "onboarding"
- No breaks during work hours
- No impaired workers
- No time-wasting activities
- No arguments with other employees or managers
- No scheduling issues
- All holiday shifts covered
- More accurate, precise, and consistent

Spyware

- Programs are installed on the user's computer without the user's knowledge or permission.
- It resides in the background and, unknown to the user, observes the user's actions and keystrokes, monitors computer activity, and reports the user's activities to sponsoring organizations.
- Some malicious spyware, called key loggers, captures keystrokes to obtain usernames, passwords, account numbers, and other sensitive information.
- Other spyware supports marketing analyses such as observing what users do, Web sites visited, products examined and purchased, and so forth.

Data Administration

- Refers to an organization-wide function that is in charge of developing data policies and enforcing data standards.
- When organizations store databases in the cloud, all of the safeguards should be part of the service contract.

Design for Secure Applications

- SQL injection attack
  * User enters a SQL statement into a form instead of a name or other data.
  * Result
    1. SQL code becomes part of database commands issued.
    2. Improper data disclosure, data damage, and loss possible.
- Well-designed applications make injections ineffective.
- ARES with security in mind: ARES will store users' privacy settings in a database, and it will develop all applications to first read the privacy settings before revealing any data in exercise reports.
- Most likely, ARES will design its programs so that privacy data is processed by programs on servers, which means data need be transmitted over the Internet only when it is created or modified.

Training Your Replacement

- Scott must cut his team of software developers by 75%.
- They are going to be replaced with new outsourced employees, working on the other side of the planet.
- Employees who are being released will train the new outsourced employees.
- Training the replacements will be a condition of departing employees' severance package.
- How is it fair to ask someone to train the person taking his or her job?
- Scott wondered how long it would be before he was training his own replacement.
- Do you think that forcing an employee to train his or her replacement is ethical according to the categorical imperative? The utilitarian perspective?

Security Policies

- Senior management creates company-wide policies:
  * What sensitive data will be stored?
  * How will data be processed?
  * Will data be shared with other organizations?
  * How can employees and others obtain copies of data stored about them?
  * How can employees and others request changes to inaccurate data?
- Senior management manages risks.
- Specifics of a policy depend on whether the organization is governmental or nongovernmental, publicly held or private, the organization's industry, the relationship of management to employees, and other factors.
- Senior management must establish company-wide security policies.
- Senior management's security function is to manage risk.

Spyware and Adware Symptoms

- Slow system startup
- Sluggish system performance
- Many pop-up advertisements
- Suspicious browser homepage changes
- Suspicious changes to the taskbar and other system interfaces
- Unusual hard-disk activity

Malware:
- Viruses
- Trojan horses
- Worms
- Spyware
- Adware
- Ransomware
- Payload

Source Disciplines of Data Mining

- Sometimes people use the term knowledge discovery in databases (KDD) as a synonym for data mining.
- There are many interesting and rewarding careers for business professionals who are knowledgeable about data mining techniques.

The Essence of HTTPS (SSL or TLS)

- Summary of how SSL/TLS works when you communicate securely with a Web site:
  1. Your computer obtains the public key of the Web site to which it will connect.
  2. Your computer generates a key for symmetric encryption.
  3. Your computer encodes the key using the Web site's public key, then sends the encrypted symmetric key to the Web site.
  4. The Web site decodes the symmetric key using its private key.
  5. Now, your computer and the Web site communicate using symmetric encryption.
- Note: with asymmetric encryption, two keys are used; one key encodes the message, and the other key decodes the message.
- Symmetric encryption is simpler and much faster than asymmetric encryption.

What Are Content Management Systems (CMS)?

- Support management and delivery of documents and other expressions of employee knowledge
- Challenges of content management
  * Huge databases
  * Dynamic content
  * Documents refer to one another
  * Perishable contents
  * In many languages
- Content management system functions are huge and complex.

Figure 10-6 Personal Security Safeguards

- Take security seriously
- Create strong passwords
- Use multiple passwords
- Send no valuable data via email or IM
- Use https at trusted, reputable vendors
- Remove high-value assets from computers
- Clear browsing history, temporary files, and cookies (CCleaner or equivalent)
- Regularly update antivirus software
- Demonstrate security concern to your fellow workers
- Follow organizational security directives and guidelines
- Consider security for all business initiatives
- Computer security professionals run intrusion detection systems to detect attacks.
- An intrusion detection system (IDS) is a computer program that senses when another computer is attempting to scan or access a computer or network.
- IDS logs can record thousands of attempts each day.

Outsourcing the Development of a Strategic Application Seems Risky

- Team discusses outsourcing ARES development to India
- Raj's friend in India (Sandeep) is a developer
- Successfully developed a C# app for him
- Risks: What if he doesn't finish? Takes the code? Loses interest?
- Will cost 4 to 6 times as much to develop in the U.S.
- Bite the bullet and hire own programmers
- Illustrates some of the technical issues of offshore outsourcing:
  * It can be considerably cheaper than domestic development.
  * It is replete with problems and risks.

Figure 10-8 Technical Safeguards

- Technical safeguards involve the hardware and software components of an information system.
- Single sign-on for multiple systems

MapReduce Processing Summary

-Technique for harnessing power of thousands of computers working in parallel -BigData collection broken into pieces, and hundreds or thousands of independent processors search these pieces for something of interest

Human Safeguards for Nonemployee Personnel

-Temporary personnel, vendors, partner personnel (employees of business partners), and the public. -Require vendors and partners to perform appropriate screening and security training. -Specify security responsibilities in the contract. -Provide accounts and passwords with least privilege and remove accounts as soon as possible.

Data Mart Examples

-The data analysts who work with a data warehouse are experts at data management, data cleaning, data transformation, data relationships, and the like. -However, they are not usually experts in a given business function. -A data mart is a subset of a data warehouse. A data mart addresses a particular component or functional area of the business.

Three Primary Activities in the BI Process

-These activities directly correspond to the BI elements in Figure 3-1. -The four fundamental categories of BI analysis are reporting, data mining, BigData, and knowledge management. -Push publishing delivers business intelligence to users without any request from the users; the BI results are delivered according to a schedule or as a result of an event or particular data condition. Pull publishing requires the user to request BI results.

Hadoop the Cookie Cutter

-Third-party cookie created by site other than one you visited -Most commonly occurs when a Web page includes content from multiple sources -DoubleClick *IP address where content was delivered ~DoubleClick instructs your browser to store a DoubleClick cookie *Records data in cookie log on DoubleClick's server -Third-party cookie owner has history of what was shown, what ads you clicked, and intervals between interactions -Cookie log shows how you respond to ads and your pattern of visiting various Web sites where ads placed -Firefox Lightbeam tracks and graphs cookies on your computer

Figure 11-1 Typical Senior-Level Reporting Relationships

-This figure shows a typical top-level structure and reporting relationships of a large organization. -The organizational structure varies depending on the organization's size, culture, competitive environment, industry, and other factors. -Other common titles are vice president of information services, director of information services, and, less commonly, director of computer services. -The size and structure of the development group depend on whether programs are developed in-house. -The Data Administration staff function is to protect data and information assets by establishing data standards and data management practices and policies.

Components of a Data Warehouse

-This figure shows the components of a data warehouse. Programs read operational and other data and extract, clean, and prepare that data for BI processing. -An organization might use Oracle for its operational processing, but use SQL Server for its data warehouse. Other organizations use SQL Server for operational processing, but use DBMSs from statistical package vendors such as SAS or SPSS in the data warehouse.

Example Grocery Sales OLAP Report

-Two dimensions: Product Family and Store Type -Report shows how net store sales vary by product family and store type.

What Types of Security Loss Exist?

-Unauthorized Data Disclosure -Pretexting -Phishing -Spoofing *IP spoofing *Email spoofing -Sniffing - packet sniffers *Wardrivers -Hacking -Natural disasters -These are common threats associated with unauthorized data disclosure.

Web Recording Everything

-Understand how and why customers make purchase decisions, then customize the site for each visitor to increase purchases. -Web sites are now storing and analyzing everything that visitors do on the site: not just the pages they visit or the products they add to a shopping cart, but all of the mouse movements, keystrokes, and scrolling behavior, too. *Researchers can analyze mouse movement to uncover emotion. -Could be sold to a third party.

Normal operation

-Use the system to perform job tasks, with security appropriate to sensitivity. -Operate data center equipment, manage networks, run Web servers, and do related operational tasks.

Example of Drilling Down into Expanded Grocery Sales OLAP Report

-User drilled down into stores located in California. Report shows sales data for four cities in California that have stores. -User also changed the order of the dimensions. -All this flexibility comes at a cost. If the database is large, doing the necessary calculating, grouping, and sorting for such dynamic displays will require substantial computing power.

Supervised Data Mining

-Uses a priori model -Prediction, such as regression analysis -Ex: CellPhoneWeekendMinutes *Predict number of minutes of weekend cell phone use

"I Think You'll See That We Really Do Take Security Seriously."

-Video conference with exercise equipment manufacturer CanyonBack Fitness (potential ARES partner) -Security concerns about integrating ARES with CanyonBack exercise bikes -Does the ARES system have an acceptable level of security? -Can their bikes get hacked? Customers hurt? Personal data stolen? -ARES implements secure coding practices and secure data backup. -Users interact with radio buttons, dropdown menus, and other interactive AR elements. -Reduces the possibility of a SQL injection attack. -New technology typically brings new risks.

Figure 3-27 Evolution of AI Abilities

-Weak AI, which is focused on completing a single specific task -Strong AI, which can complete all of the same tasks a human can -Superintelligence, capable of intelligence more advanced than human intelligence

Public Users

-Web sites and other openly accessible information systems *Hardening ~Special versions of operating system ~Lock down or eliminate operating systems features and functions not required by application -Protect such users from internal company security problems -Hardening a site means to take extraordinary measures to reduce a system's vulnerability.

Deciding

-Which customers shop at each location? -Create custom marketing plans per store.

Informing

-Which products are selling quickly? -Which products are most profitable?

Malware Protection (Viruses, Spyware, Adware)

1. Antivirus and antispyware programs. 2. Scan frequently. 3. Update malware definitions. 4. Open email attachments only from known sources. 5. Install software updates. 6. Browse only reputable Internet neighborhoods.

Figure 10-18 Target Data Breach

1. Bought malware 2. Spearphished users at Fazio to get login credentials on Target vendor server 3. Escalated privileges, accessed Target's internal network, and planted malware 4. Trojan.POSRAM extracted data from POS terminals 5. Sent data to drop servers

Information Systems Security in 2029

-APTs more common -Concern about balance of national security and data privacy -Security on devices improved -Skill level of cat-and-mouse activity increases substantially -Improved security at large organizations -Strong local "electronic" sheriffs

Figure 11-2 Job Positions in the Information Systems Industry

Job Positions in the Information Systems Industry: *Relate to the five components of an information system. *With the exception of computer technician, and possibly test/QA engineer, all of these positions require a 4-year degree, business knowledge or a business degree, and good verbal communication and writing skills. -Salaries for information systems jobs have a wide range. Higher salaries go to professionals with more experience, working for larger companies, and living in larger cities.

Security Monitoring

Server activity logs: -Firewall log *Lists all dropped packets, infiltration attempts, unauthorized access, and attempts from within the firewall -DBMS *Successful and failed logins -Web servers *Voluminous logs of Web activities -PC O/S produces a record of log-ins and firewall activities -Employ utilities to assess vulnerabilities. -Use honeypots for computer criminals to attack. -Investigate security incidents. -Constantly monitor to determine the adequacy of existing security policy and safeguards.

Security Problems and Sources

Sources of security threats: -Human error examples: (1) employee misunderstands operating procedures and accidentally deletes customer records; (2) employee inadvertently installs an old database on top of the current one while doing a backup; (3) physical accidents, such as driving a forklift through the wall of a computer room -Computer crime - intentional destruction or theft of data or other system components -Natural disasters - fires, floods, hurricanes, earthquakes, tsunamis, avalanches, other acts of nature; includes initial loss of capability and service, and recovery costs

Threat/Loss Scenario

Major elements of IS security: 1. Threat - person or organization that seeks to obtain data or other assets illegally, without the owner's permission and often without the owner's knowledge 2. Vulnerability - opportunity for threats to gain access to individual or organizational assets; for example, when you buy online, you provide your credit card data, and as that data is transmitted over the Internet, it is vulnerable to threats 3. Safeguard - measure individuals or organizations take to block a threat from obtaining an asset; not always effective, since some threats achieve their goal in spite of safeguards 4. Target - asset desired by a threat

RFM Analysis Classification Scheme

To produce an RFM score: -Sort customer purchase records by date of most recent (R) purchase -Divide the sorted records into quintiles -Give customers a score of 5 to 1 *Top 20% = 5 *Middle 20% = 3 *Bottom 20% = 1 -Process is repeated for Frequency (F) and Money (M) -To produce an RFM score, a program sorts customer purchase records by date of most recent (R) purchase, divides the sorted records into quintiles, and gives customers a score of 5 to 1; the process is repeated for Frequency and Money.
