Essentials of Business Information Systems, Chapter 7: Securing Information Systems. © 2022 by Prentice Hall.

...control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.

Establishing a Framework for Security and Control
- Authorization management systems
  - Establish where and when a user is permitted to access certain parts of a Web site or corporate database.
  - Allow each user access only to those portions of the system that the person is permitted to enter, based on information established by a set of access rules (the user's profile).

Business Value of Security and Control: Legal and Regulatory Requirements for Electronic Records Management
- Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection.
- HIPAA: Medical security and privacy rules and procedures.
- Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security and confidentiality of customer data.
- Sarbanes-Oxley Act: Imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally.

Worldwide Damage from Digital Attacks
Figure 7-3: This chart shows estimates of the average worldwide damage from hacking, malware, and spam since 1998. These figures are based on data from mi2G and the authors.

System Vulnerability and Abuse
Pharming redirects users to a forged website by compromising DNS (Domain Name Server), which is why it is also called DNS poisoning. Online fraudsters typically send large volumes of deceptive spam purporting to come from banks or other well-known institutions, aiming to lure recipients into giving out sensitive information (such as user names, passwords, account IDs, and bank card or credit card details).

Hackers and Computer Crime
- Denial-of-service attacks (DoS): Flooding a server with thousands of false requests to crash the network.
- Distributed denial-of-service attacks (DDoS): Use of numerous computers to launch a DoS attack.
- Bots: Networks of "zombie" PCs infiltrated by bot malware.

"駭客" is the Chinese transliteration of "cracker" and means "one who destroys".

Hackers and Computer Crime
- Hackers (黑客) vs. crackers (駭客)
- Activities include:
  - System intrusion
  - System damage
  - Cybervandalism: Intentional disruption, defacement, or destruction of a Web site or corporate information system.

Wi-Fi Security Challenges
Figure 7-2: Many Wi-Fi networks can be penetrated easily by intruders using sniffer programs to obtain an address to access the resources of a network without authorization.

- Internet vulnerabilities
  - Network open to anyone
  - Size of the Internet means abuses can have wide impact
  - Use of fixed Internet addresses with permanent connections to the Internet eases identification by hackers
- E-mail attachments
- E-mail used for transmitting trade secrets
- IM messages lack security and can be easily intercepted

Student Learning Objectives
- Why are information systems vulnerable to destruction, error, and abuse?
- What is the business value of security and control?
- What are the components of an organizational framework for security and control?
- Evaluate the most important tools and technologies for safeguarding information resources.

Chapter 7: Securing Information Systems

System Vulnerability and Abuse
- An unprotected computer connected to the Internet may be disabled within seconds.
- Security: Policies, procedures, and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems.
- Controls: Methods, policies, and organizational procedures that ensure the safety of the organization's assets and the accuracy and reliability of its accounting records.

Contemporary Security Challenges and Vulnerabilities
Figure 7-1: The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.

Malware is active throughout the globe. These three charts show the regional distribution of worms and