© 2022 by Prentice Hall
Essentials of Business Information Systems, Chapter 7: Securing Information Systems

How the SSL protocol works

Worked example of a digital certificate in use (a personal certificate for secure e-mail)
Sending encrypted e-mail with Outlook Express 5:
1) Obtain the recipient's digital certificate
2) Send the encrypted mail

Downloading the root CA: downloading the root certificate (1)

- Regional CAs are mostly backed by local governments and run on a corporate model, e.g. the Guangdong CA Center (CNCA), the Shanghai CA Center (SHECA) and the Shenzhen CA Center (SZCA); more are still being built in other regions.
  Example: Guangdong Electronic Commerce Certification Center

Public-key / private-key encryption
[Diagram: Lao Zhang sends a message to Xiao Li. Confidentiality: Lao Zhang encrypts with Xiao Li's public key, and Xiao Li decrypts the ciphertext with Xiao Li's private key. Authentication: Lao Zhang encrypts with Lao Zhang's private key, and the recipient decrypts the ciphertext with Lao Zhang's public key.]
Using RSA for authentication: only Lao Zhang could have sent the message.
Using RSA for confidentiality: only Xiao Li can decrypt the message.

Encryption and Public Key Infrastructure (Technologies and Tools for Security)
- Two methods of encryption
  - Symmetric key encryption (對(duì)稱加密): sender and receiver use a single, shared key
  - Public key encryption (公鑰加密): uses two mathematically related keys, a public key and a private key
    - Sender encrypts the message with the recipient's public key
    - Recipient decrypts with the private key

Firewalls, Intrusion Detection Systems, and Antivirus Software (Technologies and Tools for Security)
- Firewall: a combination of hardware and software that prevents unauthorized users from accessing private networks
- Technologies include:
  - Static packet filtering
  - Network address translation (NAT)
  - Application proxy filtering

Establishing a Framework for Security and Control
- Security policy
  - Ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals
  - Drives other policies
- Acceptable use policy (AUP)
  - Defines acceptable uses of the firm's information resources and computing equipment
- Authorization policies
  - Determine differing levels of user access to information assets

Phishing is a common form of network attack or fraud. The correct English term for these people is "cracker", translated into Chinese as 駭客.

System Vulnerability and Abuse
- An unprotected computer connected to the Internet may be disabled within seconds
- Security: policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, or physical damage to information systems
- Controls: methods, policies, and organizational procedures that ensure the safety of the organization's assets

STUDENT LEARNING OBJECTIVES
- Why are information systems vulnerable to destruction, error, and abuse?
- What is the business value of security and control?
- What are the components of an organizational framework for security and control?
- Evaluate the most important tools and technologies for safeguarding information resources.

System Vulnerability and Abuse
- Internet vulnerabilities
  - Network open to anyone
  - Size of the Internet means abuses can have wide impact
  - Use of fixed Internet addresses with permanent connections to the Internet eases identification by hackers
  - E-mail attachments
  - E-mail used for transmitting trade secrets
  - IM messages lack security and can be easily intercepted

Hackers and Computer Crime (System Vulnerability and Abuse)
- Hackers (黑客) vs. crackers (駭客)
- Activities include
  - System intrusion
  - System damage
  - Cybervandalism
    - Intentional disruption, defacement, or destruction of a Web site or corporate information system

Hackers and Computer Crime (System Vulnerability and Abuse)
- Denial-of-service attacks (DoS): flooding a server with thousands of false requests to crash the network
- Distributed denial-of-service attacks (DDoS): use of numerous computers to launch a DoS
- Bots: networks of "zombie" PCs infiltrated by bot malware

Pharming works by compromising DNS (Domain Name Server) to redirect users to a forged website, so it is also known as DNS poisoning.

Legal and Regulatory Requirements for Electronic Records Management (Business Value of Security and Control)
- Firms face new legal obligations for the retention and storage of electronic records as well as for privacy protection
  - HIPAA: medical security and privacy rules and procedures
  - Gramm-Leach-Bliley Act: requires financial institutions to ensure the security and confidentiality of customer data
  - Sarbanes-Oxley Act: imposes responsibility on companies and their management to safeguard the accuracy and integrity of financial information that is used internally and released externally

Sample Auditor's List of Control Weaknesses
Figure 7-4: This chart is a sample page from a list of control weaknesses that an auditor might find in a loan system in a local commercial bank. This form helps auditors record and evaluate control weaknesses and shows the results of discussing those weaknesses with management, as well as any corrective actions taken by management.