Security in Information Systems: Managing The Digital Firm, 12th Edition
Chapter 8: Security in Information Systems
VIDEO CASES
Case 1: IBM Zone Trusted Information Channel (ZTIC)
Case 2: Open ID and Web Security
Instructional Video 1: The Quest for Identity 2.0
Instructional Video 2: Identity 2.0
Management Information Systems
CHAPTER 8: SECURING INFORMATION SYSTEMS
Learning Objectives
• Security:
– Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft or physical damage to information systems.
• Controls:
– Methods, policies and organizational procedures that ensure the safety of the firm's assets, the accuracy and reliability of its financial records, and operational adherence to management standards.
FIGURE 8-1 The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.
FIGURE 8-2 WI-FI SECURITY CHALLENGES
Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.
– Spyware
• Small programs that install themselves on a computer to monitor the user's Web surfing and use the data for advertising.
– Keyloggers
• Record every keystroke made on a computer in order to steal passwords, launch Internet attacks, etc.
• Spoofing
– Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else.
– Redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination.
• Sniffer
– Eavesdropping programs that monitor information travelling over a network.
– Enables hackers to steal specific information such as e-mails or company files.
• Identity theft
– Theft of personal information (social security ID, driver's license or credit card numbers) in order to pose as someone else.
• Phishing
– Setting up fake Web sites.
• Evil twins
– Wireless networks that pretend to offer a trustworthy Internet connection.
– Patches
• Small pieces of software used to repair flaws.
• Security policy
– Ranks information risks, identifies acceptable security goals, and identifies the mechanisms for achieving those goals.
• Policies include:
– Acceptable use policy (AUP)
– Authorization policies
• Identity management
– Business processes and tools used to identify the valid users of a system and to control their access.
• Identifies and authorizes users.
• Specifies which portion of the system each user can access.
• Authenticates users and protects their identities.
FIGURE 8-3 SECURITY PROFILES FOR A PERSONNEL SYSTEM
These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.
• MIS audit
– Examines the firm's overall security environment as well as the controls governing individual information systems.
– Reviews technologies, procedures, documentation, training, and personnel.
– May even simulate a disaster to test the response of technology, IS staff, and other employees.
– Lists and ranks all control weaknesses and estimates the probability of their occurrence.
– Assesses the financial and organizational impact of each threat.
FIGURE 8-4 SAMPLE AUDITOR'S LIST OF CONTROL WEAKNESSES
This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.
• Firewall:
– A combination of hardware and software that prevents unauthorized users from accessing private networks.
– Technologies include:
• Static packet filtering
• Network address translation (NAT)
• Application proxy filtering
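As an added illustration of the static packet filtering listed above (example code, not from the textbook or its publisher), the following Python evaluates a constructed, ordered rule set against packet header fields; the addresses and rules are assumed. Because a static filter judges each packet on its header alone, it cannot tell a reply to an internal request from an unsolicited inbound packet, which is the gap that stateful inspection closes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    # Only the header fields a static filter looks at: no payload, no connection state.
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR; "0.0.0.0/0" matches any source
    dst: str              # CIDR; "0.0.0.0/0" matches any destination
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

# Constructed rule set (assumed addresses). Order matters: first match wins,
# and the last rule makes the default-deny explicit.
RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),  # public HTTPS server
    Rule("allow", "10.0.0.0/8", "10.0.0.0/8", "any", None),      # traffic inside the private network
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),         # everything else is dropped
]

def filter_packet(p: Packet, rules=RULES) -> str:
    # Stateless decision: each packet is judged on its own header fields.
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # implicit default if the rule set has no catch-all

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
                Packet("10.1.2.3", "10.9.8.7", "udp", 53)):
        print(pkt, "->", filter_packet(pkt))
```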
FIGURE 8-5 A CORPORATE FIREWALL
The firewall is placed between the firm's private network and the public Internet or another distrusted network to protect against unauthorized traffic.
• Encryption:
– Transforming text or data into cipher text that cannot be read by unintended recipients.
– The two methods for encrypting network traffic are:
• Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS)
• Secure Hypertext Transfer Protocol (S-HTTP)
• Two methods of encryption:
– Symmetric key encryption
• Sender and receiver use a single, shared key
– Public key encryption
• Uses two mathematically related keys: a public key and a private key
• The sender encrypts the message with the recipient's public key
• The recipient decrypts the message with his or her private key
FIGURE 8-6 A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient's public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.