
Management Information Systems

MANAGING THE DIGITAL FIRM, 12TH EDITION

Chapter 8
Security in Information Systems

VIDEO CASES
Case 1: IBM Zone Trusted Information Channel (ZTIC)
Case 2: Open ID and Web Security
Instructional Video 1: The Quest for Identity 2.0
Instructional Video 2: Identity 2.0

Management Information Systems
CHAPTER 8: SECURING INFORMATION SYSTEMS

Learning Objectives

• Why are information systems vulnerable to error, destruction, or abuse?
• What are the components of an organizational framework for security and control?
• What are the main tools and technologies?

2 © Prentice Hall 2011


System Vulnerability and Abuse

• Security:
– Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
• Controls:
– Methods, policies, and organizational procedures that ensure the safety of the firm's assets, the accuracy and reliability of its financial records, and operational adherence to management standards.

• Systems are vulnerable because of:
– Network accessibility
– Hardware problems (defects, configuration errors, damage, or crime)
– Software problems (programming errors, installation errors, etc.)
– Disasters
– Use of networks outside the firm's control
– Loss or theft of portable devices

CONTEMPORARY SECURITY CHALLENGES AND VULNERABILITIES

FIGURE 8-1 The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.


• Internet vulnerabilities
– Open to anyone
– Its size means that abuses can have large consequences
– Use of fixed Internet addresses with cable modems or DSL
– Unencrypted VoIP
– E-mail, P2P, IM
• Interception
• Attachments with malicious software
• Transmission of trade secrets

• Wireless security challenges
– Radio frequency bands are easy to scan
– SSIDs (service set identifiers)
• Identify access points
• Broadcast multiple times
– WEP (Wired Equivalent Privacy)
• Security standard for 802.11
• Uses a shared password for both users and access points
• Users often fail to implement WEP or stronger systems


WI-FI SECURITY CHALLENGES

FIGURE 8-2 Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.


• Malware (malicious software)
– Viruses
• Software programs that attach themselves to other programs or data files in order to be executed.
– Worms
• Independent programs that copy themselves from one computer to other computers on a network.
– Trojan horses
• Software programs that appear to be benign but are in fact harmful.


• Also worth mentioning:
– SQL injection attacks
– Spyware
• Small programs that install themselves on a computer to monitor the user's Web surfing and use it to serve advertising.
– Key loggers
• Record every keystroke on a computer to steal passwords, launch Internet attacks, etc.


• Spoofing
– Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else.
– Redirecting a Web link to a destination other than the intended one, with the site masquerading as the intended site.
• Sniffer (eavesdropper)
– Eavesdropping programs that monitor information traveling over a network.
– Enable hackers to steal specific information such as e-mails and company files.


• Denial-of-service attacks (DoS)
– Flood a server with thousands of false requests in order to crash the network.
• Distributed denial-of-service attacks (DDoS)
– Use of numerous computers to launch a DoS
• Botnets


• Identity theft
– Theft of personal information (social security ID, driver's license, or credit card numbers) in order to impersonate someone else.
• Phishing
– Setting up fake Web sites.
• Evil twins
– Wireless networks that pretend to offer a trustworthy Internet connection.


• Internal threats: employees
– Threats usually originate from inside the company
– Inside knowledge
– Sloppy security procedures
– Social engineering:
• Tricking employees into revealing company information.


• Software defects (software vulnerability)
• Hidden bugs (program code defects)
• Flaws that can open the door to intruders.
– Patches
• Small pieces of software used to repair the flaws.


Establishing a Framework for Security and Control

• Types of general controls
– Software controls
– Hardware controls
– Computer operations controls
– Data security controls
– Implementation controls
– Administrative controls


• Security policy
– Ranks information risks, identifies acceptable security goals, and identifies the mechanisms for achieving them.
• Policies include:
– Acceptable use policy (AUP)
– Authorization policies


• Identity management
– Business processes and tools used to identify the valid users of a system and to control access.
• Identifies and authorizes users.
• Specifies which portion of the system each user may access.
• Authenticates users and protects their identities.


SECURITY PROFILES FOR A PERSONNEL SYSTEM

FIGURE 8-3 These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.
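
How a security profile of the kind Figure 8-3 describes turns into an authorization decision, as an added example that is not part of the textbook or these slides. It builds two constructed profiles for a personnel system: a clerk who may read salary and pension fields but never medical history, limited to one division, and a divisional manager who may also update records. The profile names, user IDs, division names and field names are all assumptions made for the example. Every request, granted or refused, is appended to an audit list so that refused requests can be reviewed afterwards.

```python
"""Security profiles as an authorization check (constructed example)."""
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    READ = 1
    UPDATE = 2  # read and update


@dataclass(frozen=True)
class SecurityProfile:
    name: str
    divisions: frozenset            # locations whose records this profile may touch
    field_access: dict              # data field -> highest Access granted
    default_access: Access          # for employee data fields not listed

    def max_access(self, division, field_name):
        """Highest access this profile grants on one field of one division."""
        if division not in self.divisions:
            return Access.NONE      # records of other divisions are invisible
        return self.field_access.get(field_name, self.default_access)


# Constructed profiles, loosely modelled on the two patterns the figure describes.
PROFILES = {
    "personnel_clerk": SecurityProfile(
        name="Personnel department clerk",
        divisions=frozenset({"division-1"}),
        field_access={
            "salary": Access.READ,
            "pensionable_earnings": Access.READ,
            "medical_history": Access.NONE,
        },
        default_access=Access.UPDATE,
    ),
    "personnel_manager": SecurityProfile(
        name="Divisional personnel manager",
        divisions=frozenset({"division-1"}),
        field_access={"medical_history": Access.NONE},
        default_access=Access.UPDATE,
    ),
}

# Constructed user -> profile assignments (the output of identity management).
USERS = {"u00753": "personnel_clerk", "u31002": "personnel_manager"}

AUDIT_LOG = []   # (user, division, field, action, allowed, reason)


def authorize(user_id, division, field_name, action):
    """Return True if the user's profile permits `action` on the field; log every decision."""
    profile_key = USERS.get(user_id)
    if profile_key is None:
        allowed, reason = False, "unknown user"
    else:
        granted = PROFILES[profile_key].max_access(division, field_name)
        allowed = action != Access.NONE and action <= granted
        reason = f"{profile_key} holds {granted.name} on {field_name}@{division}, asked {action.name}"
    AUDIT_LOG.append((user_id, division, field_name, action.name, allowed, reason))
    return allowed


def denied_requests():
    """Refused requests: the entries a security review looks at first."""
    return [entry for entry in AUDIT_LOG if not entry[4]]


if __name__ == "__main__":
    authorize("u00753", "division-1", "salary", Access.READ)
    authorize("u00753", "division-1", "salary", Access.UPDATE)
    for entry in AUDIT_LOG:
        print(entry)
```

The check is deliberately default-deny: a field not listed in a profile falls back to that profile's default, a division not listed yields no access at all, and an unknown user is refused before any profile is consulted.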


• Disaster recovery planning: Devises plans for restoration of disrupted services
• Business continuity planning: Focuses on restoring business operations after disaster
– Both types of plans needed to identify firm's most critical systems
– Business impact analysis to determine impact of an outage
– Management must determine which systems restored first


• MIS audit
– Examines firm's overall security environment as well as controls governing individual information systems
– Reviews technologies, procedures, documentation, training, and personnel.
– May even simulate disaster to test response of technology, IS staff, other employees.
– Lists and ranks all control weaknesses and estimates probability of their occurrence.
– Assesses financial and organizational impact of each threat

SAMPLE AUDITOR'S LIST OF CONTROL WEAKNESSES

FIGURE 8-4 This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.


Technologies and Tools for Protecting Information Resources

• Identity management software
– Automates the registration of all users and their privileges.
– Authenticates users, protects their identities, and controls access.
• Authentication
– Password systems
– Tokens
– Smart cards
– Biometric authentication
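
What a password system has to get right on the server side, as an added example that is not from the textbook or these slides: each password is stored as a salted, iterated PBKDF2 digest rather than in clear, verification recomputes the digest and compares it in constant time, and a login for a user name that does not exist still performs one hash computation so that response time does not reveal which accounts exist. The record format, the iteration count and the user names are assumptions made for the example; only the Python standard library is used.

```python
"""Password system: salted, iterated hashing and constant-time verification (constructed example)."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumption: a current PBKDF2-HMAC-SHA256 work factor


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 fields)."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False                 # malformed record: never accept
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True if the record was made with a weaker work factor than the current policy."""
    return int(record.split("$")[1]) < iterations


# A dummy record so that a login attempt for a non-existent user costs one hash
# computation too; otherwise response time would reveal which user names exist.
_DUMMY_RECORD = hash_password("dummy-password-never-accepted")


def authenticate(user_store, username, password):
    """Return True only when the user exists and the password matches its record."""
    record = user_store.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)   # same cost as a real check
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}   # constructed store
    print(authenticate(users, "alice", "correct horse battery staple"))
    print(authenticate(users, "alice", "wrong"))
    print(authenticate(users, "mallory", "anything"))
```

Because the record carries its own algorithm and iteration count, `needs_rehash` lets the work factor be raised later: after a successful login the stored record can be replaced with one hashed under the current policy without asking the user to change the password.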

• Firewall:
– A combination of hardware and software that prevents unauthorized users from accessing private networks.
– Technologies include:
• Static packet filtering
• Network address translation (NAT)
• Application proxy filtering
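
Static packet filtering reduced to its essentials, as an added example that is not from the textbook or these slides: an ordered rule list is evaluated against each packet's protocol, source, destination and destination port, the first matching rule decides, and anything that matches no rule is dropped. The private network 10.1.0.0/16, the web server 10.1.5.10, the rule set and the sample packets are all constructed for the example. The first rule is an anti-spoofing check: a packet arriving from the Internet side with an internal source address cannot be legitimate.

```python
"""Static packet filter: ordered rules, first match wins, default deny (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # source IP address
    dst: str                    # destination IP address
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # protocol name or "any"
    src: str                    # source network in CIDR notation
    dst: str                    # destination network in CIDR notation
    dst_port: Optional[int] = None   # None matches every port
    comment: str = ""

    def matches(self, packet):
        """Stateless match on the packet header fields only."""
        if self.proto != "any" and self.proto != packet.proto:
            return False
        if ipaddress.ip_address(packet.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(packet.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and self.dst_port != packet.dst_port:
            return False
        return True


# Constructed rule set for traffic arriving from the Internet; 10.1.0.0/16 is the
# firm's (assumed) private network and 10.1.5.10 its public web server.
INBOUND_RULES = [
    Rule("deny", "any", "10.1.0.0/16", "0.0.0.0/0",
         comment="anti-spoofing: an internal source address cannot arrive from outside"),
    Rule("allow", "tcp", "0.0.0.0/0", "10.1.5.10/32", 443, comment="HTTPS to web server"),
    Rule("allow", "tcp", "0.0.0.0/0", "10.1.5.10/32", 80, comment="HTTP to web server"),
    Rule("deny", "any", "0.0.0.0/0", "10.1.0.0/16",
         comment="everything else into the private network"),
]


def filter_packet(rules, packet):
    """Return (action, index of the matching rule); unmatched packets are denied (index None)."""
    for index, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, index
    return "deny", None


def filter_log(rules, packets):
    """Evaluate a batch of packets and return one log line per packet."""
    lines = []
    for p in packets:
        action, index = filter_packet(rules, p)
        why = rules[index].comment if index is not None else "default deny"
        port = f":{p.dst_port}" if p.dst_port is not None else ""
        lines.append(f"{action.upper():5} {p.proto} {p.src} -> {p.dst}{port} ({why})")
    return lines


if __name__ == "__main__":
    sample = [   # constructed packets
        Packet("tcp", "203.0.113.7", "10.1.5.10", 443),
        Packet("tcp", "203.0.113.7", "10.1.5.10", 22),
        Packet("tcp", "10.1.0.50", "10.1.5.10", 443),
        Packet("icmp", "203.0.113.7", "10.1.0.20"),
    ]
    print("\n".join(filter_log(INBOUND_RULES, sample)))
```

The limitation the slide's other two techniques address is visible in `Rule.matches`: it sees only one packet's header fields, so it cannot tell a reply that belongs to a connection opened from inside from an unsolicited packet, and it knows nothing about the application data; NAT and application proxies exist to cover what a static filter cannot.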

A CORPORATE FIREWALL

FIGURE 8-5 The firewall is placed between the firm's private network and the public Internet or another distrusted network to protect against unauthorized traffic.


• Securing wireless networks
– WEP is used for this; it provides security by:
• Assigning a unique SSID to the network and not broadcasting it
• Using VPN technology
– New standards from the Wi-Fi Alliance require:
• Continuous changing of keys
• An encrypted authentication system with a central server.


• Encryption:
– Transforming text or data into ciphertext that cannot be read by unintended recipients.
– The two methods of network encryption are:
• Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS)
• Secure Hypertext Transfer Protocol (S-HTTP)

• Two methods of encryption:
– Symmetric key encryption
• Both the sender and the receiver use a single, shared key
– Public key encryption
• Uses two mathematically related keys: a public key and a private key
• The sender encrypts the message with the recipient's public key
• The recipient decrypts the message with their private key

PUBLIC KEY ENCRYPTION

FIGURE 8-6 A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient's public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.
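
The exchange in Figure 8-6 and the public-key bullets above, carried through end to end as an added example that is not from the textbook or these slides: the sender looks the recipient up in a public-key directory, encrypts with that public key, and only the matching private key recovers the message. The arithmetic is textbook RSA on two-digit primes so that every step can be checked by hand; such keys offer no real secrecy, and the participants, primes and messages are constructed for the example. Using a different private key (Alice's instead of Bob's) is shown to fail, which is the property that lets the public key be published freely.

```python
"""Public-key exchange following Figure 8-6, textbook RSA on tiny primes (constructed example)."""
from math import gcd


def make_keypair(p, q, e=17):
    """Derive (public, private) keys from two primes. Toy sizes: this is NOT secure."""
    n = p * q                       # modulus, part of both keys
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)             # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, plaintext):
    """Encrypt one byte per block with the recipient's public key."""
    n, e = public_key
    if n <= 255:
        raise ValueError("modulus too small for byte blocks")
    return [pow(b, e, n) for b in plaintext]


def decrypt(private_key, ciphertext):
    """Decrypt with a private key; None if the blocks do not decode to bytes (wrong key)."""
    n, d = private_key
    values = [pow(c, d, n) for c in ciphertext]
    if any(v > 255 for v in values):
        return None
    return bytes(values)


def send(directory, recipient, message):
    """Sender looks up the recipient's public key in the directory and encrypts."""
    public_key = directory[recipient]
    return {"to": recipient, "ciphertext": encrypt(public_key, message)}


# Constructed participants; the primes are far too small for real use.
BOB_PUBLIC, BOB_PRIVATE = make_keypair(61, 53)        # n = 3233
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(67, 71)    # n = 4757
DIRECTORY = {"alice": ALICE_PUBLIC, "bob": BOB_PUBLIC}   # the public-key directory


def roundtrip(message, recipient="bob", recipient_private=BOB_PRIVATE):
    """Send to `recipient` and decrypt with the given private key."""
    envelope = send(DIRECTORY, recipient, message)
    return decrypt(recipient_private, envelope["ciphertext"])


if __name__ == "__main__":
    msg = b"quarterly results"
    print(roundtrip(msg))                                    # the message comes back
    print(roundtrip(msg, recipient_private=ALICE_PRIVATE))   # wrong private key: no message
```

Only the public halves sit in `DIRECTORY`; the private keys never leave their owners, which is the point of the figure. A byte-at-a-time encoding like this would leak patterns in any real system, which is one reason real public-key encryption pads each block and is usually used only to wrap a symmetric key for the message itself.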


• Security in cloud computing
– Responsibility for security rests with the company that owns the data
– Firms must make sure that cloud providers provide adequate protection
– Service level agreements (SLAs)
• Security for mobile platforms
– Security policies should include and cover any special requirements for mobile devices, e.g. updating smartphones with the latest security patches.
